CN115456075A - Processing system and method for target behavior abnormity early warning - Google Patents
Processing system and method for target behavior abnormity early warning Download PDFInfo
- Publication number
- CN115456075A CN115456075A CN202211116157.1A CN202211116157A CN115456075A CN 115456075 A CN115456075 A CN 115456075A CN 202211116157 A CN202211116157 A CN 202211116157A CN 115456075 A CN115456075 A CN 115456075A
- Authority
- CN
- China
- Prior art keywords
- target
- behavior
- data
- abnormity
- characteristic data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a processing system and a method for early warning of target behavior abnormity, and relates to the technical field of target behavior analysis processing; firstly, data cleaning is carried out on original situation track data; acquiring target abnormal behavior characteristic data through a target abnormal behavior characteristic data model; then, based on the characteristic data of the target abnormal behavior, carrying out reasoning detection on the target abnormal behavior by using an analysis method of multiple analysis dimensions in a target behavior abnormality analysis model; finally, when the target behavior abnormity analysis model detects the target abnormal behavior, early warning prompt is carried out through a behavior abnormity early warning processing module; meanwhile, the design and integration of a processing system are carried out in a service arrangement mode; the invention can exert data efficiency and algorithm efficiency to the maximum extent, detect abnormal behaviors from different dimensions, meet the accurate and refined requirements of complicated and various target behavior abnormal early warning, enhance the safety early warning capability of a sensitive area and a target and effectively prevent the occurrence of safety threat events.
Description
Technical Field
The invention relates to the field of behavior analysis of maneuvering platform targets, in particular to a system and a method for processing target behavior abnormity early warning.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
The method analyzes the target behaviors of the maneuvering platform and completes the abnormal detection, so that the value of the acquired target information can be furthest mined, the safety early warning capability of a sensitive area and the platform is enhanced, and the occurrence of threat events is effectively prevented; meanwhile, the abnormal analysis results are timely and effectively shared among different systems and different units so as to support threat assessment and decision requirements; generally speaking, for the abnormal behavior analysis and early warning processing of battlefield maneuvering platform targets, the following technical difficulties have existed for a long time:
(1) Abnormal values in the original data affect the detection result of abnormal behavior, resulting in high false alarm rate. Due to the fact that the access data sources are complex, the statistical distribution characteristics of the data are inconsistent, the data quality is generally low, and cleaning optimization is difficult; (2) The abnormal behaviors of the mobile platform are different in form, so that the abnormal behaviors are not well defined, summarized and classified at present, and different service requirements are met in the face of different use scenes, different target types and different analysis periods; (3) The requirement of anomaly analysis is diversified, if the traditional fixed analysis flow is used, the realization and deployment processes are complex, the reuse and reconstruction of the core processing flow are not facilitated, the expansion and unified service of the application service are not facilitated, and the research, development and maintenance cost is high; (4) The accuracy of anomaly detection and identification is low, the intelligent level is not high, data adaptation and flexible response can not be conveniently carried out by using abundant anomaly detection algorithms, and the detection capability of abnormal behaviors is improved.
Disclosure of Invention
The invention aims to: aiming at four technical difficulties existing in the process of analyzing and early warning the abnormal behavior of the target of the battlefield maneuvering platform at present, the system and the method for processing the abnormal behavior early warning are provided, the characteristic analysis and the abnormal detection are carried out on the target behavior from multiple dimensions, the processing flow is simplified, the automatic processing level of the abnormal behavior early warning analysis of the target is improved, the intensity of the target intention analysis work is reduced, the accuracy and the reliability of the analysis result are improved, and the operation requirements of fine and personalized analysis of the abnormal behavior of the target are met.
The technical scheme of the invention is as follows:
a processing method for early warning of target behavior abnormity comprises the following steps:
step S1: data cleaning is carried out on the original situation track data, and noise and error interference of numerical value abnormality on target behavior abnormality judgment are reduced;
step S2: further analyzing and calculating the data cleaning result through a target abnormal behavior characteristic data model to obtain target abnormal behavior characteristic data;
and step S3: based on the characteristic data of the target abnormal behavior, carrying out reasoning detection on the target abnormal behavior by using an analysis method of multiple analysis dimensions in a target behavior abnormal analysis model;
and step S4: when the target behavior abnormity analysis model detects the target abnormal behavior, early warning prompt is carried out through the behavior abnormity early warning processing module.
Further, the original situation track data in step S1 includes: spatio-temporal information and identity attribute information;
the spatiotemporal information includes: UTC timestamp, longitude, latitude, altitude, course, speed, geographical grid point, error covariance, relative distance and relative azimuth of the target track point;
the identity attribute information includes: target track number, target type, target model, target country, target civil and military nature, affiliated military species, departure place, destination, whether the target is high-value or not, and compiling into units.
Further, the data cleansing in step S1 includes: wild value elimination and invalid value elimination, numerical value anomaly detection compensation and filtering interpolation correction.
Further, the outlier culling comprises: deleting track points beyond the range of the data element value range;
the invalid value elimination comprises the following steps: if the information in the target identity attribute information exceeds the value range of the enumeration class, the value is nulled but the track point is not deleted;
the numerical value anomaly detection compensation adopts a filtering smoothing method for data with poor measurement accuracy and improves discontinuous updating data through interpolation processing; the numerical value anomaly detection compensation adopts a Hampel filter;
the filtered interpolation correction employs a Savitzky-Golay filter.
Further, the target abnormal behavior feature data in step S2 includes: numerical value abnormality, motion abnormality, distance abnormality, programming abnormality, cycle abnormality, region abnormality, combination abnormality;
the method for analyzing the multiple analysis dimensions comprises the following steps: an anomaly detection operator method based on an anomaly criterion, a target abnormal behavior judgment method based on a business rule and a multi-period comparison method based on behavior characteristic data rule knowledge.
Further, the anomaly detection operator method based on the anomaly criterion is used for encapsulating a general statistical anomaly detection algorithm into an anomaly operator module aiming at anomaly detection of numerical variables and detecting target abnormal behaviors;
the target abnormal behavior judgment method based on the business rules is characterized in that a user specifies a series of behavior abnormal judgment index requirements according to actual requirements of the business field, and the target abnormal behavior is judged.
Further, the multi-period comparison method based on the behavior characteristic data rule knowledge comprises the following steps:
the original situation track data is subjected to persistent storage and stored in an offline storage database for unified data management to form a historical situation database;
cleaning original situation track data in a historical situation database by an original situation track data cleaning module, and then acquiring regular target behavior characteristic data by a target abnormal behavior characteristic data model;
calculating similarity of the target behavior characteristic data by adopting a clustering mode, calculating the behavior characteristic of nearest neighbor, and collecting a plurality of groups of segmented similar target behavior characteristic data as behavior characteristic data rule knowledge;
and finally, comparing the target abnormal behavior characteristic data acquired by the target abnormal behavior characteristic data model with behavior characteristic data rule knowledge, and identifying and detecting the target behavior abnormality of the time-slowly-varying type.
A processing system for target behavior abnormity early warning is based on the processing method for target behavior abnormity early warning, and comprises the following steps:
the system comprises an original situation track data cleaning module, a data acquisition module and a data processing module, wherein the original situation track data cleaning module is used for carrying out data cleaning on original situation track data and reducing noise and error interference of numerical value abnormality on target behavior abnormality judgment;
the target abnormal behavior characteristic data model is used for further analyzing and calculating the data cleaning result through the target abnormal behavior characteristic data model to obtain target abnormal behavior characteristic data;
the target behavior abnormity analysis model is used for carrying out reasoning detection on the target abnormal behavior based on the calculation result of the target abnormal behavior characteristic data model;
and the behavior abnormity early warning processing module is used for carrying out early warning prompt when the target behavior abnormity analysis model detects the target abnormal behavior.
Further, the data cleansing includes: wild value elimination and invalid value elimination, numerical value anomaly detection compensation and filtering interpolation correction;
the numerical value anomaly detection compensation adopts a Hampel filter; the filtered interpolation correction employs a Savitzky-Golay filter.
Further, the target behavior abnormity analysis model comprises analysis methods of multiple analysis dimensions;
the analysis method for multiple analysis dimensions comprises the following steps: an anomaly detection operator method based on an anomaly criterion, a target abnormal behavior judgment method based on a business rule and a multi-period comparison method based on behavior characteristic data rule knowledge.
Compared with the prior art, the invention has the beneficial effects that:
a processing system and a method for target behavior abnormity early warning can detect abnormity of target behavior intention from different dimensions, meet the requirements of accuracy, individuation and refinement of complicated and diversified target behavior abnormity early warning, simultaneously use a system design of service arrangement, adopt assembled arrangement and scheduling for a behavior characteristic model and an abnormity analysis model, reduce the module coupling degree to the maximum extent, have the characteristics of diversified analysis dimensions, flexible response, practicality and operability, and have wide application prospect.
Drawings
FIG. 1 is a flow chart of a method for processing a target behavior anomaly warning;
FIG. 2 is a flow chart of data cleaning in a processing method for early warning of abnormal target behavior;
FIG. 3 is a diagram of a data model of abnormal behavior characteristics of a target in a processing method for early warning of abnormal behavior of the target;
fig. 4 is a schematic diagram of a processing system for early warning of abnormality of target behavior.
Detailed Description
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The features and properties of the present invention are described in further detail below with reference to examples.
Example one
Referring to fig. 1-4, a method for processing an abnormal behavior warning of a target includes the following steps:
step S1: data cleaning is carried out on the original situation track data, and noise and error interference of numerical value abnormality on target behavior abnormality judgment are reduced; preferably, the original situation track data is an original target entity data set formed by real-time maneuvering platform target original situation track data pushed by a front-end sensor acquisition system; the original situation track data cleaning module is used for cleaning dirty data in the original situation track data and reducing the interference of data noise errors and abnormal values on subsequent behavior abnormity detection; data quality can be optimized through data cleaning and preprocessing, ambiguity, uncertainty and intentional or unintentional data noise influence are reduced, interference or misjudgment caused by data abnormity on target behavior abnormity judgment is avoided, and abnormity detection false alarm rate is reduced; meanwhile, the original situation track data can be stored in an off-line mode according to a unified data standard;
step S2: further analyzing and calculating the data cleaning result through a target abnormal behavior characteristic data model to obtain target abnormal behavior characteristic data; it should be noted that step S2 requires unified modeling of the target behavior feature elements of the maneuvering platform; adopting a characteristic model construction method to aggregate and sort the elements in the target original situation information according to different abnormal analysis dimensions; further analyzing and calculating target behavior characteristic data according to the characteristic model based on the data cleaning result, completing conversion and extraction, and finally forming a target abnormal behavior characteristic data model;
and step S3: based on the characteristic data of the target abnormal behavior, carrying out reasoning detection on the target abnormal behavior by using an analysis method of multiple analysis dimensions in a target behavior abnormal analysis model; in step S3, abnormal behaviors of historical slow change and real-time mutation are detected and analyzed by a target behavior abnormality analysis model;
and step S4: when the target behavior abnormity analysis model detects the target abnormal behavior, early warning prompt is carried out through a behavior abnormity early warning processing module; preferably, when the target abnormal behavior is detected, aiming at a target which may have a potential threat target or a sensitive area target, an abnormal behavior early warning message can be immediately generated according to a standard message format from an abnormal analysis result, and the message is distributed to related business personnel for further processing, so that the target threat early warning is realized, and an alarm prompt is provided for the monitoring equipment at the rear end, wherein the alarm prompt can be displayed by using characters or displayed graphically, such as identification, icon flashing and the like.
In this embodiment, specifically, the original situation track data in step S1 includes: spatio-temporal information and identity attribute information;
the spatiotemporal information includes: elements such as UTC timestamp, longitude, latitude, altitude, course, navigational speed, geographical grid points, error covariance, relative distance, relative azimuth and the like of the target track point; the time-space information is continuously and dynamically changed and belongs to dynamic time sequence data;
the identity attribute information includes: the method comprises the following steps of (1) carrying out element editing on a target track number, a target type, a target model, a target country, target civil and military properties, a subordinate military species, a departure place, a destination, whether a high-value target exists or not, and compiling into units; after the target identity attribute information is determined, the target identity attribute information generally does not change greatly and belongs to relatively fixed target basic information.
In this embodiment, specifically, the data cleansing in step S1 includes: wild value elimination and invalid value elimination, numerical value anomaly detection compensation and filtering interpolation correction; the noise and error interference of the numerical value abnormality on the target behavior abnormality are reduced by adopting a three-stage processing method of outlier rejection and invalid value rejection, numerical value abnormality detection compensation and filtering interpolation correction; deleting repeated data after wild value elimination, invalid value elimination and numerical value abnormity detection compensation;
in this embodiment, specifically, the outlier rejection includes: deleting track points beyond the range of the data element value range;
wherein, the outlier is beyond the range of the data element, such as the longitude range is [ -180 ] degree, if one of the data items in the course point is out of range, the course point can be deleted; the value range of other spatio-temporal information data items are respectively as follows: latitude is between 90 and 90 degrees, course is between 0 and 360 degrees, speed is between 0 and 3000 km/h, and height range is between 0 and 20000 m;
the invalid value elimination comprises the following steps: if the information in the target identity attribute information exceeds the value range of the enumeration class, the value is nulled but the track point is not deleted; namely invalid value elimination is to null the value but not delete the track point when the information in the target original identity attribute information exceeds the range of the value range of the enumeration class;
the numerical value anomaly detection compensation adopts a filtering smoothing method for data with poor measurement accuracy and improves discontinuous updating data through interpolation processing; the used flight path data generally changes continuously; therefore, the numerical value anomaly detection compensation is carried out on the data, and the influence of mutation errors can be reduced; if the abnormal data characteristics are met, rejecting the numerical abnormal points; the eliminated numerical value can be replaced by a Hampel default median, and filtering data can be replaced or supplemented in the filtering interpolation step;
preferably, the numerical anomaly detection compensation adopts a Hampel filter; preferably, the Hampel filter has an anomaly detection scale factor ofThe parameters k and n of the Hampel filter σ Defaults are set as 4 and 2 respectively, and dynamic adjustment can be carried out according to actual data statistical characteristics and user requirements;
suppose that at the Tth time instant, a certain sample set of spatio-temporal information data items is X = { X = 0 ,x 1 ,...,x N N is the sample data set length, k is the sliding window width, and the median mean of the samples, i.e. m, is calculated starting from the ith data i =median(x i-k ,x i-k+1 ,x i-k+2 ,…,x i ,…,x i+k-2 ,x i+k-1 ,x i+k ) While calculating the standardDifference sigma i =κ*median(|x i-k -m i |,…,|x i+k -m i |) where κ =1.4826 defines the scaling factor W i If, ifThen the sample point is indicated as a check outlier, and the outlier is replaced with a median value m i (ii) a Wherein n is σ Representing the use of n times sigma check level;
the filtering interpolation correction adopts a Savitzky-Golay filter (SG filter for short), and preferably, the fitting parameter theta is k Is estimated asThe parameters m and n of the SG filter are set to be 7 and 3 by default respectively, and can also be dynamically adjusted according to the statistical characteristics of actual data and user requirements.
It should be noted that the SG filter is a digital filter based on polynomial fitting, and can reduce data noise interference without changing the value trend and width, and also can perform interpolation and completion on missing data values; the SG filter has the advantages that the smoothing filtering can be carried out on non-periodic and non-linear data under the conditions that time series data can be in any position and any sliding window width and the noise distribution characteristic of the data is not known, the data precision requirement is improved, and the adaptability to the noise characteristic of the original track data used in the invention is better.
Similarly, assume that at the tth time, the data sample value in one sliding window is X = { X = { (X) } -m ,...,x 0 ,...,x m The fixed window width k =2m +1, the SG filter function is a linear least square method, and a set of adjacent data points in a sliding window is fitted with a low-order polynomial through a convolution process; assuming the polynomial order is n, the fitting expression isWherein theta is k Are fitting coefficients.
Will plan toThe co-expression is written into a matrix form Y = A X, and then the fitting coefficient in the above formula is determined by the least square method, so that the fitting parameter theta can be obtained k Is estimated as
And when the width m of the unilateral window to be fitted, the order n of the polynomial and the sample set X to be fitted are determined, the parameter estimation of the fitting polynomial can be solved, finally, an estimated filtering result is obtained, and the subsequent sample value is repeatedly calculated by continuously moving the window, so that a complete filtering estimation result can be obtained.
In this embodiment, specifically, the target abnormal behavior feature data in step S2 includes: numerical value abnormity, action abnormity, distance abnormity, programming abnormity, cycle abnormity, region abnormity and combination abnormity; the combined abnormity is a combination which meets various abnormal behavior characteristic data conditions, and corresponding characteristics required by the behavior abnormity are normalized and analyzed respectively; then, performing unified aggregation on elements in the target original situation information according to the abnormal analysis, further performing data calculation analysis, extracting and converting, wherein the characteristic modeling process is to perform unified specification and storage management on the data elements in the original situation information and the processed data elements;
summarizing and summarizing the target abnormal behaviors from elements required by dimension analysis, wherein the target abnormal behaviors can be roughly divided into seven types including numerical value abnormality, action abnormality, distance abnormality, compiled abnormality, cycle abnormality, region abnormality and combined abnormality, and the seven types include corresponding characteristic data description required by realizing identification and detection of the abnormal behaviors, a partial characteristic calculation formula method, an analysis principle and a corresponding abnormal analysis model type; specifically, the target behavior feature data model is shown in table 1:
TABLE 1 target behavior feature data model
It should be noted that, in this embodiment, when the target behavior abnormality detection processing is performed, the calculation of the turning radius of the maneuvering target is an important parameter for the maneuver characteristic analysis; the target turning radius represents the variation of the target maneuvering intensity and the behavior, and has a larger degree of correlation with the abnormal behavior, such as circling and turning behavior.
Minimum turning radius R min Is defined as:
wherein:
v is the target velocity;
g is a constant of the acceleration of gravity,
φ max is the target maximum slope angle.
In the target behavior characteristic data model, the path of a target active air route is matched through a similar time sequence matching algorithm, and the detection of the target yaw behavior is realized;
firstly, defining the similarity of a target track by a similar time sequence matching algorithm: target track and another track E i ={s 1 ,s 2 ,…,s n The similarity is calculated by the following formula:
wherein:
φ(T i ∩E j ) Representing the track T i With track S i Total length of the connected subpaths;
φ(T i ∪E j ) Representing track T i And track S i A total path length;
the rule that two sub-paths are communicated indicates that at least one track point exists on any track point on one track and the distance between the two points is smaller than a threshold value L h (ii) a When the similarity of different tracks is greater than a certain threshold value, the route matching can be judged, otherwise, the route matching can be judgedWhich belongs to the lane departure behavior.
Track path length definition: set path W i =(v 1 ,v 2 ,…,v i ),i∈[0,m]All nodes v of i Belongs to V, and keeps the Euclidean distance between two points as | e i-1,i The total length of the path can be calculated by a Haversene distance formula: i W i ||=|e 1,2 |+|e 2,3 |+…+|e i-1,i |。
In the processing of the distance anomaly analysis dimension, the distance formula between two points in the geographic space is as follows: two points are knownWhereinλ is longitude and latitude, and AB is calculated by using Haversine formula:
the method for determining the region abnormality that the target position point p (x, y) is within the polygonal region may use a ray method, a vector cross-product discrimination method, or an area sum discrimination method.
And judging whether the target position point is in the circular or elliptical area by adopting a calculation formula:
suppose an ellipse parameter (x) 0 ,y 0 ,a,b,θ),p 1 (x 0 ,y 0 ) The central point of the ellipse is a, a and b are respectively the length of a long semi-axis and a short semi-axis, and theta is the inclination angle of the ellipse.
In this embodiment, specifically, the anomaly analysis model of the target behavior of the mobile platform starts from different analysis scenes and different application requirements, induction, summarization and classification are performed on the anomaly analysis method from different dimensions of the target behavior, and three analysis models are used for inference detection of the anomaly behavior; the analysis method for multiple analysis dimensions comprises the following steps: an anomaly detection operator method based on an anomaly criterion, a target abnormal behavior judgment method based on a business rule and a multi-period comparison method based on behavior characteristic data rule knowledge.
In this embodiment, specifically, the anomaly detection operator method based on the anomaly criterion is to encapsulate a general statistics anomaly detection algorithm into an anomaly operator module for anomaly detection of a numerical variable, and detect a target anomaly behavior; aiming at the anomaly detection of numerical variables, universal statistic anomaly detection algorithms are used for development, test and packaging, and each algorithm is issued to a target behavior anomaly analysis model base in an atomic component mode to provide anomaly detection algorithm support; preferably, the user can adaptively change the anomaly detection operator according to different requirements of the actual scene and different statistical characteristics of data to detect the target anomaly and change the final anomaly judgment criterion.
In this embodiment, specifically, the method for determining the target abnormal behavior based on the business rule is that a user specifies a series of requirements of an abnormal behavior determination index according to actual requirements in a business field, and determines the target abnormal behavior; preferably, a user specifies a series of behavior abnormity judgment index requirements according to actual requirements in the service field; it should be noted that, the method for determining the target abnormal behavior based on the service rule is to perform hypothesis testing by combining a calculation formula of condition determination with a preset service rule or a priori knowledge condition according to the actual user service rule, and determine whether a testing conclusion is true; according to different properties of the behavior characteristic data, various anomaly analysis models can be used for reasoning, for example, a general anomaly operator analysis model can be used for detection, and a business rule analysis model can be used for detection, which depends on the selection of a user according to actual conditions; generally, a calculation formula of condition judgment is combined with a preset service rule or a priori knowledge condition to carry out hypothesis testing and judge whether a target abnormal behavior test conclusion is established or not; if the area is abnormal, judging whether the target is in or close to the following type airspace such as: airport airspace, air defense identification areas, cruise areas and the like; airline types such as near border lines, transit airlines, national border lines, and the like; reference points such as gathering points, search and rescue points and the like; the type of the time period, such as determining whether a certain attribute target is active within a certain time period, or determining whether the duration of the target activity is greater than a certain threshold, etc.
In this embodiment, specifically, the processing method for early warning of abnormal target behavior provided in this embodiment substantially includes two data analysis modes, which are respectively: real-time computation and off-line computation.
The specific operation mode of the real-time calculation mode is as described above, and the real-time calculation mode is mainly used for identifying and detecting the target abnormal behaviors of mutation types and completing real-time abnormal early warning; the off-line calculation mode corresponds to the following abnormal analysis method based on multi-period comparison of behavior characteristic data rule knowledge and is mainly used for identifying and detecting time-slowly-varying target abnormal behaviors; in the off-line calculation mode, the characteristic element items in the target behavior characteristic data model are extracted from the regular target behavior knowledge in the historical data, and feature comparison is performed during real-time detection, so that the time-varying target behavior abnormity can be identified and detected.
In the embodiment, the multi-cycle comparison method based on behavior characteristic data rule knowledge is to perform cluster analysis on past target behavior characteristic data by adopting an unsupervised model, summarize to obtain a characteristic data set, and form historical rule knowledge, such as a hot course set, a compiled set, a hot area set and the like; comparing feature sets of different time periods to obtain a time-slowly-varying type target abnormal behavior evolution result; the method adopts a collaborative filtering method principle, and concretely comprises the following steps:
firstly, original situation track data is subjected to persistent storage and stored in an offline storage database for unified data management to form a historical situation database; preferably, each piece of original situation track data is inserted into a database instance table file established in advance as a new record in a data import mode according to a unified standard specification file;
then, cleaning original situation track data in a historical situation database by an original situation track data cleaning module, and acquiring regular target behavior characteristic data by a target abnormal behavior characteristic data model;
calculating similarity of the target behavior characteristic data by adopting a clustering mode, calculating the behavior characteristic of nearest neighbor, and collecting a plurality of groups of segmented similar target behavior characteristic data as behavior characteristic data rule knowledge; the related target abnormal behaviors of a plurality of periods can be identified; preferably, the clustering algorithm adopted in the clustering mode can adopt, for example, LOF, DBSCAN, KNN algorithm, etc.;
and finally, comparing the target abnormal behavior characteristic data acquired by the target abnormal behavior characteristic data model with behavior characteristic data rule knowledge, and identifying and detecting the target behavior abnormality of the time-slowly-varying type.
In this embodiment, specifically, the anomaly operator module is developed, tested, and packaged for numerical anomalies, that is, numerical variables are developed, tested, and packaged according to statistical principles using multi-style basic general anomaly detection algorithms, and each algorithm is uniformly issued to an anomaly detection operator model library in an atomic component form to provide support for the anomaly detection algorithm; and then, performing functional series connection on the abnormal criteria in the characteristic data model, the abnormal operator module and the abnormal analysis model in a service arrangement mode, and arranging the task flow to form the program application of dynamic scheduling.
The general numerical anomaly detection algorithm built in the anomaly operator module is shown in table 2:
TABLE 2 abnormal operator Module
In the general numerical anomaly detection algorithm, the LOF (local density anomaly detection) algorithm principle based on a clustering method is to judge an abnormal value through an outlier factor of neighborhood density, and the specific calculation steps are as follows:
(1) For the numerical value point p, the geometric distance between the numerical value point p and all other points is calculated, and then the nearest k adjacent point o E N of the numerical value point p is found k p,rd(o,p)=max{d k (o),d(o,p)};
(2) Calculate the kth local reachable density of each:
(3) And calculating the LOF index:
if the LOF index is greater than 1, it can be used as a mark for detecting abnormal points, and k =20 is generally set.
In the anomaly analysis model, anomaly criteria include: the numerical value abnormality detection method comprises three types of general indexes, special indexes and user-defined indexes, wherein the numerical value abnormality adopts general numerical values to carry out abnormality detection corresponding to the general indexes, the special indexes refer to judgment conditions which are provided by adopting specific abnormality operators, and in addition, a user can also use the user-defined indexes as abnormality judgment criteria to carry out detection.
General indicators, including: the Leeyda (PaPnaT) criterion, the Grarbs (GurbS) criterion, the Xiaoverer (Chauveent) criterion, the t-test criterion, the Dixon (Dixon) criterion, etc.
Wherein, the laiyida criterion is also called 3 σ criterion, 3 times of standard deviation of the sample data is used as an abnormal selection criterion, and the confidence level α is 99.73%.
Wherein, gurbS criterion adopts a formulaWhere G (n, α) is a coefficient corresponding to the number of measurements n and the confidence level α, and may be obtained by table lookup.
Wherein, the Chauveent criterion also adopts the ratio of the absolute value of the residual error to the standard deviation to perform hypothesis test, and the formulaω (n) can be obtained by table lookup.
Example two
The second embodiment provides a processing system for target behavior abnormity early warning, which is based on a service arrangement method, and simultaneously adds a behavior abnormity early warning processing module, takes a target abnormity behavior characteristic data model and an abnormity analysis model as abstract service resources, arranges a target abnormity behavior analysis work task flow in a modularized service arrangement mode, generates an arrangement configuration file, automatically analyzes and produces data according to preset arrangement, and provides early warning prompts when detecting that target abnormity exists.
In this embodiment, it should be noted that, according to the service analysis requirement of the user, the user may perform individual selection on the feature data model and the anomaly analysis model by using a service arrangement mode, define a call sequence of a workflow, a dependency relationship of a context, data contents of a reference and a reference, a service type, and an execution logic, and generate a service arrangement configuration file described by a DSL in a domain specific language. And finally, arranging files according to user preset, and carrying out automatic data analysis and production.
In the design of a processing system for target behavior abnormity early warning based on service arrangement, according to the scene of target behavior abnormity analysis complex business logic, in order to reconstruct and reuse core data characteristic elements and core processing flows to the maximum extent, processing modules of behavior characteristic element data, multi-style abnormity analysis operators and analysis models are abstracted into service resources in a building block mode among the processing modules, service combination and arrangement are carried out, flexible arrangement of various processing tasks is formed and scheduling execution is carried out, and the development efficiency of data analysis is improved.
In the design of a processing system for target behavior abnormity early warning based on service arrangement:
firstly, analyzing and designing a service scene, selecting newly-built service arrangement and generating a corresponding configuration file, wherein the configuration file is described by using a Domain Specific Language (DSL), and the main purpose of the method is to define the calling sequence, the context dependency, the data content, the service type and the execution logic of a workflow and simultaneously, the method can also use a service arrangement template for quick creation; more extensively, can also use the graphical interface to carry on the service flow to edit, such as users can adopt the way operation of dragging to realize the service arrangement through the visual interface, and finish the running parameter configuration of the relevant node and presume;
then adding one or more workflow task nodes, wherein the relationship between the task nodes is represented by a Directed acyclic graph DAG (Directed acyclic graph), and the operation, working parameters and service calling sequence related to the service are specified; the task nodes of the service can be serial and parallel, and can use the branch condition to carry out flow control;
then, setting the input and output of the service arrangement task node interactive message, and carrying out connection test on the parameter validity before operation; the workflow is visible in the process of task execution, has traceability, and can provide management control instructions of pause, stop, resume and the like.
Finally, after the validity check is carried out on the operation configuration parameters of the task nodes of the workflow and the execution dependency check of the task nodes is completed, normal task scheduling operation can be selected; in the process of task operation, the whole or part of service operation state can be monitored.
After a user analyzes business requirements, the system analysis can be simplified and decomposed in stages through the system design of service arrangement, a system analyst can concentrate on paying attention to and solving only one or a plurality of aspects of the system, the system can be integrated and optimized on different detail levels, and finally the multiplexing and reconstruction of core target behavior characteristic elements, abnormal analysis models and core processing flows are achieved.
In this embodiment, a system for processing a target behavior abnormality warning specifically includes the following structure:
the system comprises an original situation track data cleaning module, a data acquisition module and a data processing module, wherein the original situation track data cleaning module is used for carrying out data cleaning on original situation track data and reducing noise and error interference of numerical value abnormality on target behavior abnormality judgment;
the target abnormal behavior characteristic data model is used for further analyzing and calculating the data cleaning result through the target abnormal behavior characteristic data model to obtain target abnormal behavior characteristic data;
the target behavior abnormity analysis model is used for carrying out reasoning detection on the target abnormal behavior based on the calculation result of the target abnormal behavior characteristic data model;
and the behavior abnormity early warning processing module is used for carrying out early warning prompt when the target behavior abnormity analysis model detects the target abnormal behavior.
In this embodiment, specifically, the data cleansing includes: wild value elimination and invalid value elimination, numerical value anomaly detection compensation and filtering interpolation correction;
the numerical value anomaly detection compensation adopts a Hampel filter; the filtered interpolation correction employs a Savitzky-Golay filter.
In this embodiment, specifically, the target behavior anomaly analysis model includes analysis methods of multiple analysis dimensions;
the method for analyzing the multiple analysis dimensions comprises the following steps: an anomaly detection operator method based on an anomaly criterion, a target abnormal behavior judgment method based on a business rule and a multi-period comparison method based on behavior characteristic data rule knowledge.
The above-mentioned embodiments only express the specific embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for those skilled in the art, without departing from the technical idea of the present application, several changes and modifications can be made, which all belong to the protection scope of the present application.
The background section is provided to present the context of the invention in general, and work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present invention.
Claims (10)
1. A processing method for early warning of abnormal target behaviors is characterized by comprising the following steps:
step S1: data cleaning is carried out on the original situation track data, and noise and error interference of numerical value abnormality on target behavior abnormality judgment are reduced;
step S2: further analyzing and calculating the data cleaning result through a target abnormal behavior characteristic data model to obtain target abnormal behavior characteristic data;
and step S3: based on the characteristic data of the target abnormal behavior, carrying out reasoning detection on the target abnormal behavior by using an analysis method of multiple analysis dimensions in a target behavior abnormal analysis model;
and step S4: when the target behavior abnormity analysis model detects the target abnormal behavior, early warning prompt is carried out through the behavior abnormity early warning processing module.
2. The processing method of the target behavior abnormity warning according to claim 1, wherein the original situation track data in the step S1 comprises: spatio-temporal information and identity attribute information;
the spatiotemporal information includes: UTC timestamp, longitude, latitude, altitude, heading, speed, geographical grid point, error covariance, relative distance and relative azimuth of the target track point;
the identity attribute information includes: target track number, target type, target model, target country, target military and civilian properties, affiliated military category, departure place, destination, whether the target is high-value or not and compiling into units.
3. The processing method of the target behavior abnormity warning according to claim 2, wherein the data cleaning in the step S1 comprises: wild value elimination and invalid value elimination, numerical value anomaly detection compensation and filtering interpolation correction.
4. The method as claimed in claim 3, wherein the outlier elimination comprises: deleting track points beyond the range of the data element value range;
the invalid value elimination comprises the following steps: if the information in the target identity attribute information exceeds the value range of the enumeration class, the value is nulled but the track point is not deleted;
the numerical value anomaly detection compensation adopts a filtering smoothing method for data with poor measurement accuracy and improves discontinuous updating data through interpolation processing; the numerical value abnormity detection compensation adopts a Hampel filter;
the filtered interpolation correction employs a Savitzky-Golay filter.
5. The processing method of the target behavior abnormity warning according to claim 1, wherein the target abnormity behavior characteristic data in the step S2 comprises: numerical value abnormality, motion abnormality, distance abnormality, programming abnormality, cycle abnormality, region abnormality, combination abnormality;
the method for analyzing the multiple analysis dimensions comprises the following steps: an anomaly detection operator method based on an anomaly criterion, a target abnormal behavior judgment method based on a business rule and a multi-period comparison method based on behavior characteristic data rule knowledge.
6. The processing method of the target behavior abnormity early warning according to claim 5, wherein the abnormity detection operator method based on the abnormity criterion is used for carrying out abnormity detection on numerical variables, and a general statistic abnormity detection algorithm is packaged into an abnormity operator module to detect the target abnormal behavior;
the target abnormal behavior judgment method based on the business rules is characterized in that a user specifies a series of behavior abnormal judgment index requirements according to actual requirements of the business field, and the target abnormal behavior is judged.
7. The processing method for the early warning of the abnormity of the target behavior according to claim 5, wherein the multi-period comparison method based on the rule knowledge of the behavior characteristic data comprises the following steps:
the original situation track data is subjected to persistent storage and stored in an offline storage database for unified data management to form a historical situation database;
cleaning original situation track data in a historical situation database by an original situation track data cleaning module, and then acquiring regular target behavior characteristic data by a target abnormal behavior characteristic data model;
calculating similarity of the target behavior characteristic data by adopting a clustering mode, calculating the behavior characteristic of nearest neighbor, and collecting a plurality of groups of segmented similar target behavior characteristic data as behavior characteristic data rule knowledge;
and finally, comparing the target abnormal behavior characteristic data acquired by the target abnormal behavior characteristic data model with behavior characteristic data rule knowledge, and identifying and detecting the target behavior abnormality of the time-slowly-varying type.
8. A processing system for target behavior anomaly early warning, which is based on any one of claims 1 to 7, and comprises:
the system comprises an original situation track data cleaning module, a data acquisition module and a data processing module, wherein the original situation track data cleaning module is used for performing data cleaning on original situation track data and reducing noise and error interference of numerical anomaly in judgment of target behavior anomaly;
the target abnormal behavior characteristic data model is used for further analyzing and calculating the data cleaning result through the target abnormal behavior characteristic data model to obtain target abnormal behavior characteristic data;
the target behavior abnormity analysis model is used for carrying out reasoning detection on the target abnormal behavior based on the calculation result of the target abnormal behavior characteristic data model;
and the behavior abnormity early warning processing module is used for carrying out early warning prompt when the target behavior abnormity analysis model detects abnormal target behaviors.
9. The system for processing target behavior anomaly warning according to claim 8, wherein the data cleansing comprises: wild value elimination and invalid value elimination, numerical value anomaly detection compensation and filtering interpolation correction;
the numerical value anomaly detection compensation adopts a Hampel filter; the filtered interpolation correction employs a Savitzky-Golay filter.
10. The system for processing the early warning of the abnormality of the target behavior according to claim 8, wherein the analysis model of the abnormality of the target behavior comprises analysis methods of a plurality of analysis dimensions;
the method for analyzing the multiple analysis dimensions comprises the following steps: an anomaly detection operator method based on an anomaly criterion, a target abnormal behavior judgment method based on a business rule and a multi-period comparison method based on behavior characteristic data rule knowledge.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211116157.1A CN115456075A (en) | 2022-09-14 | 2022-09-14 | Processing system and method for target behavior abnormity early warning |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211116157.1A CN115456075A (en) | 2022-09-14 | 2022-09-14 | Processing system and method for target behavior abnormity early warning |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115456075A true CN115456075A (en) | 2022-12-09 |
Family
ID=84304012
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211116157.1A Pending CN115456075A (en) | 2022-09-14 | 2022-09-14 | Processing system and method for target behavior abnormity early warning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115456075A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117251748A (en) * | 2023-10-10 | 2023-12-19 | 中国船舶集团有限公司第七〇九研究所 | Track prediction method, equipment and storage medium based on historical rule mining |
TWI848481B (en) * | 2022-12-23 | 2024-07-11 | 伊雲谷數位科技股份有限公司 | Predicting and alerting system and method, modeling and training systems and methods of information system operation and computer program products thereof |
-
2022
- 2022-09-14 CN CN202211116157.1A patent/CN115456075A/en active Pending
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI848481B (en) * | 2022-12-23 | 2024-07-11 | 伊雲谷數位科技股份有限公司 | Predicting and alerting system and method, modeling and training systems and methods of information system operation and computer program products thereof |
CN117251748A (en) * | 2023-10-10 | 2023-12-19 | 中国船舶集团有限公司第七〇九研究所 | Track prediction method, equipment and storage medium based on historical rule mining |
CN117251748B (en) * | 2023-10-10 | 2024-04-19 | 中国船舶集团有限公司第七〇九研究所 | Track prediction method, equipment and storage medium based on historical rule mining |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10706285B2 (en) | Automatic ship tracking method and system based on deep learning network and mean shift | |
CN115456075A (en) | Processing system and method for target behavior abnormity early warning | |
CN113157800B (en) | Identification method for discovering dynamic target in air in real time | |
CN115578015A (en) | Sewage treatment overall process supervision method and system based on Internet of things and storage medium | |
Vouros et al. | Big Data Analytics for Time Critical Mobility Forecasting: Recent Progress and Research Challenges. | |
Zhao et al. | An incremental clustering method for anomaly detection in flight data | |
WO2023057434A1 (en) | Method and flight data analyzer for identifying anomalous flight data and method of maintaining an aircraft | |
CN111582380A (en) | Ship track density clustering method and device based on space-time characteristics | |
CN105893621A (en) | Method for mining target behavior law based on multi-dimensional track clustering | |
CN113869379A (en) | Data-driven aircraft energy anomaly identification method | |
CN112087316B (en) | Network anomaly root cause positioning method based on anomaly data analysis | |
Toloue et al. | Anomalous behavior detection of marine vessels based on Hidden Markov Model | |
CN113051340B (en) | End-to-end sea-air activity target data rule real-time mining method | |
US20230195712A1 (en) | Updates of Navigation Databases | |
CN117953731A (en) | Incoming flight flow flight plan prediction method for terminal area traffic simulation | |
WANG et al. | Deep neural network pruning based two-stage remote sensing image object detection | |
CN111125925A (en) | Terminal area airspace space-time correlation analysis method driven by aircraft track data | |
Deshmukh | Data-Driven Anomaly and Precursor Detection in Metroplex Airspace Operations | |
Şimşek et al. | Cep rule extraction from unlabeled data in iot | |
CN111667920B (en) | Crowd close contact investigation method based on positioning data | |
CN111881125B (en) | Real-time cleaning method and system for offshore non-combat target | |
Averty et al. | An ordered logit model of air traffic controllers conflict risk judgment | |
Taubenböck et al. | Delimiting central business districts—A physical approach using remote sensing | |
Kuka et al. | Quality matters: supporting quality-aware pervasive applications by probabilistic data stream management | |
AU2020408906A1 (en) | Method and device for supervising a traffic control system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |