CN115632887A - Block chain network abnormal data detection method, device and equipment - Google Patents
Block chain network abnormal data detection method, device and equipment Download PDFInfo
- Publication number
- CN115632887A CN115632887A CN202211646606.3A CN202211646606A CN115632887A CN 115632887 A CN115632887 A CN 115632887A CN 202211646606 A CN202211646606 A CN 202211646606A CN 115632887 A CN115632887 A CN 115632887A
- Authority
- CN
- China
- Prior art keywords
- data
- state information
- time
- real
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 134
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 41
- 238000000034 method Methods 0.000 claims abstract description 47
- 230000009467 reduction Effects 0.000 claims description 36
- 230000015654 memory Effects 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 17
- 230000005856 abnormality Effects 0.000 claims description 16
- 238000013135 deep learning Methods 0.000 claims description 8
- 238000004590 computer program Methods 0.000 claims description 7
- 238000012847 principal component analysis method Methods 0.000 claims description 6
- 238000004422 calculation algorithm Methods 0.000 claims description 5
- 230000008569 process Effects 0.000 abstract description 9
- 238000010276 construction Methods 0.000 abstract description 6
- 238000013523 data management Methods 0.000 abstract description 3
- 238000012549 training Methods 0.000 description 16
- 238000005457 optimization Methods 0.000 description 13
- 238000004364 calculation method Methods 0.000 description 8
- 210000004027 cell Anatomy 0.000 description 7
- 238000010586 diagram Methods 0.000 description 7
- 238000005516 engineering process Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 7
- 210000002569 neuron Anatomy 0.000 description 6
- 230000005540 biological transmission Effects 0.000 description 4
- 230000006403 short-term memory Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 238000007781 pre-processing Methods 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 230000004913 activation Effects 0.000 description 2
- 230000001186 cumulative effect Effects 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000008614 cellular interaction Effects 0.000 description 1
- 125000004122 cyclic group Chemical group 0.000 description 1
- 239000006185 dispersion Substances 0.000 description 1
- 239000011159 matrix material Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 239000000126 substance Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
- H04L67/1044—Group management mechanisms
- H04L67/1046—Joining mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Abstract
The application discloses a method, a device and equipment for detecting abnormal data of a block chain network, which can be applied to the technical field of computer data management. The method comprises the following steps: acquiring real-time operation data; predicting the real-time operation data through a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected; acquiring the actual value of the state information of the real-time operation data at the time node to be measured in the future; and comparing the state information prediction value with the state information actual value to obtain a detection result. Therefore, the situation that the power infrastructure cannot effectively cope with network attack in the system construction process can be avoided by predicting the real-time operation data of the system, and the system safety is improved.
Description
Technical Field
The present application relates to the field of computer data management technologies, and in particular, to a method, an apparatus, and a device for detecting abnormal data in a blockchain network.
Background
Blockchain technology is an advanced database mechanism that allows information to be shared transparently in enterprise networks. With the rapid increase of the data types and quantity, the application of the block chain technology is important in enterprises.
The blockchain is essentially a shared, non-tampered ledger, and blockchain technology can enhance transaction records and asset tracking processes in a business network. Distributed, which is intended to eliminate a bottleneck or central point of failure of the system, is a collection of computer programs that utilize computing resources across multiple independent computing nodes to achieve a common goal. When the block chain technology is applied in an electric power scene, powerful encryption protection can be provided for an electric power transaction book and operation by means of cryptography and distributed storage in the block chain. However, in the prior art, in peer-to-peer communication of the power block chain, the security and reliability of the data transmission process of the underlying block chain network are not effectively guaranteed, so that the security of the system cannot be guaranteed.
Therefore, how to improve the security of the system data is an urgent problem to be solved by those skilled in the art.
Disclosure of Invention
Based on the above problems, the application provides a method, a device and equipment for detecting abnormal data of a block chain network, which compare a state information prediction value obtained by predicting real-time operation data with a state information actual value, thereby solving the problem that the safety of a system cannot be guaranteed in the prior art.
In a first aspect, an embodiment of the present application provides a method for detecting abnormal data in a block chain network, including:
acquiring real-time operation data;
predicting the real-time operation data through a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected;
acquiring the actual value of the state information of the real-time operation data at the time node to be measured in the future;
and comparing the state information prediction value with the state information actual value to obtain a detection result.
Optionally, before the acquiring the real-time operation data, the method further includes:
constructing a basic distributed anomaly detection model;
and optimizing the basic distributed anomaly detection model through time series network data to obtain a distributed anomaly detection model.
Optionally, the optimizing the basic distributed anomaly detection model through the time series network data to obtain a distributed anomaly detection model includes:
performing dimensionality reduction processing on the time series network data to obtain dimensionality reduction data;
and optimizing the basic distributed anomaly detection model according to a direction propagation algorithm by using the dimension reduction data to obtain a distributed anomaly detection model.
Optionally, the performing dimensionality reduction on the time series network data to obtain dimensionality reduction data includes:
determining an abnormal detection node;
acquiring time series network data of the abnormal detection node according to a real-time operation rule of the system;
the real-time operation rule of the system is a time sequence set consisting of the total number of nodes in the system, the total uplink network speed, the total downlink network speed, the occupation of a node central processing unit, the occupation of a node memory, the uplink network speed of the nodes, the downlink network speed of the nodes, the occupation of a node file system and the connection number of peer nodes of the nodes;
and performing data dimension reduction processing on the time series network data by adopting a principal component analysis method to obtain dimension reduction data.
Optionally, the acquiring real-time operation data includes:
and acquiring real-time operation data of the electric power block chain bottom network.
Optionally, the predicting the real-time operation data through the distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected includes:
inputting the real-time operation data into a deep learning prediction model;
the deep learning prediction model predicts at least one state information prediction value of a future time node comprising a future time node to be measured according to the real-time operation data;
and acquiring the state information prediction value of the future time node to be measured from the state information prediction value of the future time node.
Optionally, the comparing the predicted value of the state information with the actual value of the state information to obtain a detection result includes:
comparing the state information prediction value with the state information actual value to obtain an error value;
and inputting the error value into an abnormality judger to obtain a detection result.
Optionally, the inputting the error value into an abnormality judger to obtain a detection result includes:
inputting the error value into an abnormity judger for judgment to obtain a judgment result;
when the judgment result is that the error value is larger than or equal to a set threshold range, obtaining a detection result of data abnormity;
and when the judgment result is that the error value is smaller than a set threshold range, obtaining a detection result that the data is normal.
In a second aspect, an embodiment of the present application provides an apparatus for detecting abnormal data in a blockchain network, including:
the first acquisition module is used for acquiring real-time operation data;
the prediction module is used for predicting the real-time operation data through a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected;
the second acquisition module is used for acquiring the actual numerical value of the state information of the real-time operation data at the time node to be measured in the future;
and the abnormity detection module is used for comparing the state information prediction value with the state information actual value to obtain a detection result.
In a third aspect, the present application provides a device for detecting abnormal data in a block chain network, including:
a memory for storing a computer program;
a processor, configured to implement the steps of any one of the above methods for detecting abnormal data in a blockchain network when the computer program is executed.
Compared with the prior art, the technical scheme has the following advantages that:
the method comprises the steps of firstly obtaining real-time operation data of the system, then predicting the obtained real-time operation data by using a distributed anomaly detection model to obtain a state information prediction value of a time node to be measured in the future, and obtaining a state information actual value of the real-time operation data at the time node to be measured in the future when the system continuously operates to the time node to be measured in the future. And finally, comparing the state information prediction value with the state information actual value to obtain a detection result. Therefore, the situation that the power infrastructure cannot effectively cope with network attack in the system construction process can be avoided by predicting the real-time operation data of the system, and the system safety is improved.
Drawings
Fig. 1 is a flowchart of a method for detecting abnormal data in a blockchain network according to an embodiment of the present disclosure;
FIG. 2 is a diagram illustrating a distributed anomaly detection architecture for a power blockchain according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of a prediction model training and optimization structure based on a long-short term memory network according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an apparatus for detecting abnormal data in a blockchain network according to an embodiment of the present disclosure.
Detailed Description
As described above, it is difficult to ensure the security of system data for the block chain in the power scenario by using the existing detection method. Specifically, in the prior art, a cryptography technology and a distributed storage means in a blockchain are used for providing strong encryption protection for an electric power transaction book and operation in an electric power scene, but in peer-to-peer communication of an electric power blockchain, the security and reliability of a data transmission process of a bottom-layer blockchain network are not effectively guaranteed, so that the security of a system cannot be guaranteed.
In order to solve the above problem, the present invention provides a method for detecting abnormal data in a blockchain network, which comprises: the method comprises the steps of firstly obtaining real-time operation data of a system, then predicting the obtained real-time operation data by using a distributed anomaly detection model to obtain a state information prediction value of a time node to be measured in the future, and obtaining a state information actual value of the real-time operation data at the time node to be measured in the future when the system continuously runs to the time node to be measured in the future. And finally, comparing the state information prediction value with the state information actual value to obtain a detection result.
Therefore, by predicting the real-time operation data of the system, the situation that the power infrastructure cannot effectively cope with network attacks in the system construction process can be avoided, and the system safety is improved.
It should be noted that the method, the device and the equipment for detecting abnormal data of the block chain network provided by the application can be used in the technical field of computer data management. The above description is only an example, and does not limit the application field of the method, device and apparatus for detecting abnormal data in a blockchain network provided by the present invention.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is a flowchart of a method for detecting abnormal data in a blockchain network according to an embodiment of the present disclosure. Referring to fig. 1, a method for detecting abnormal data in a blockchain network according to an embodiment of the present disclosure may include:
s101: and acquiring real-time operation data.
In practical applications, in order to realize the anomaly detection of the system, test data needs to be obtained from the system. In the present application, the real-time operation data of the system is obtained.
In addition, the embodiment of the present application is described with respect to how to obtain real-time operation data.
In one case, the real-time operational data is obtained for how. Accordingly, S101: acquiring real-time operation data specifically may include:
and acquiring real-time operation data of the underlying network of the power block chain.
In practical application, due to the application of the blockchain technology in an electric power scene, a powerful encryption protection can be provided for an electric power transaction book and operation by means of cryptography and a distributed storage means in a blockchain, but in peer-to-peer communication of an electric power blockchain, the safety and reliability of the data transmission process of the underlying blockchain network are not effectively guaranteed. Therefore, in the present application, real-time operation data of the underlying network of the power block chain is selected for detection, thereby solving the above-mentioned problems.
S102: and predicting the real-time operation data through a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected.
In practical application, after acquiring real-time operation data of a required power block chain underlying network, data detection can be started. The method and the device utilize a distributed anomaly detection model for prediction, wherein the distributed anomaly detection model adopts a distributed architecture to adapt to a block chain application scene, and efficient and safe system operation state detection is realized. The distributed anomaly detection model is generally a prediction model based on the LSTM (long short term memory) network, encoding the input information at each instant. The behavior of each memory cell is controlled by a gate (gate), whether information is stored or not is controlled, if the information is stored, the information is 1, otherwise, the information is 0, the LSTM network training has robustness through a multi-gate cooperation mode, and gradient dispersion is avoided. According to the scheme, the LSTM network is adopted to represent and reconstruct the power block chain network operation data described by the time sequence, and then anomaly detection is carried out.
In addition, the embodiment of the present application is described with respect to how to obtain the state information prediction value of the time node to be measured in the future.
In one case, the state information prediction value of the time node to be measured in the future is obtained. Accordingly, S102: predicting the real-time operation data through a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected, and the method specifically comprises the following steps:
inputting the real-time operation data into a deep learning prediction model;
the deep learning prediction model predicts a state information prediction value of at least one future time node comprising a future time node to be measured according to the real-time operation data;
and acquiring the state information prediction value of the future time node to be measured from the state information prediction value of the future time node.
In practical applications, after acquiring real-time operation data of a required power block chain underlying network, data detection can be started. In the application, input real-time operation data is used as a prediction set, a distributed anomaly detection model is used for analyzing the data of the prediction set, and the data of a time node immediately after the time, namely the future system operation state, is predicted. When the data of the future time node to be measured is predicted by the distributed anomaly detection model, the state information prediction value of the future time node to be measured corresponding to the prediction set is obtained. And finally, acquiring the state information prediction value of the time node to be measured in the future from all prediction results.
S103: and acquiring the actual value of the state information of the real-time operation data in the future time node to be measured.
In practical applications, since the system is in a state of being operated all the time, the real-time operation data acquired at first is continuously updated in the system over time. When the time reaches the time node to be measured in the future, the data operated in the system is the actual value of the future state information corresponding to the initially acquired real-time operation data. And acquiring the actual numerical value, namely acquiring the actual numerical value of the state information of the real-time operation data at the time node to be measured in the future.
S104: and comparing the state information prediction value with the state information actual value to obtain a detection result.
In practical application, after the actual value of the state information of the real-time operation data at the time node to be measured in the future is obtained and the predicted value of the state information of the real-time operation data, the values can be compared, and whether the system is abnormal or not is obtained through comparison of the two values.
In addition, the embodiment of the present application has been described with respect to how to compare the predicted value of the state information with the actual value of the state information.
In one case, a comparison of the predicted value of the state information to the actual value of the state information is made. Accordingly, S104: comparing the predicted value of the state information with the actual value of the state information may specifically include:
comparing the state information prediction value with the state information actual value to obtain an error value;
and inputting the error value into an abnormality judger to obtain a detection result.
In practical application, an abnormality judger can be set, and a user can set the judger to control the error range and the corresponding alarm mode. The same abnormality determiner may also obtain the predicted value of the state information and the actual value of the state information, and after obtaining the predicted value of the state information and the actual value of the state information, compare the two values to obtain an error value. And then comparing the error value with a user set value of an abnormality judger to obtain a detection result. In addition, the output of the detection result can be performed by using a mode of alarming and the like.
In addition, the embodiment of the present application describes how the abnormality determiner performs detection.
In one case, it is checked how the abnormality determiner performs the detection. Correspondingly, the inputting the error value into an abnormality judger to obtain a detection result specifically includes:
inputting the error value into an abnormity judger for judgment to obtain a judgment result;
when the judgment result is that the error value is larger than or equal to a set threshold range, obtaining a detection result of data abnormity;
and when the judgment result is that the error value is smaller than a set threshold range, obtaining a detection result that the data is normal.
In practical applications, the user may control the output of the abnormality determiner by setting a threshold. When the abnormality judger obtains an error value between the state information prediction value and the state information actual value, the error value is compared with a set threshold value, and when the comparison result is that the error value is larger than or equal to the set threshold value range, a detection result of data abnormality is obtained, namely, a time sequence abnormal fault occurs in the system; and when the comparison result is that the error value is smaller than the set threshold range, obtaining a detection result that the data is normal, namely, the system does not have a time sequence abnormal fault.
In summary, the method includes the steps of firstly obtaining real-time operation data of the system, then predicting the obtained real-time operation data by using a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected, and obtaining a state information actual value of the real-time operation data at the future time node to be detected when the system continuously operates to the future time node to be detected. And finally, comparing the state information prediction value with the state information actual value to obtain a detection result. Therefore, by predicting the real-time operation data of the system, the situation that the power infrastructure cannot effectively cope with network attacks in the system construction process can be avoided, and the system safety is improved.
In addition, the application also provides a method for constructing and optimizing the distributed anomaly detection model.
In one case, how to construct and optimize the distributed anomaly detection model specifically includes, before acquiring the real-time operation data:
constructing a basic distributed anomaly detection model;
and optimizing the basic distributed anomaly detection model through time series network data to obtain a distributed anomaly detection model.
In practical applications, generally, only required parameters need to be input as a series of initial values for constructing the basic depth prediction model. And then, continuously inputting the real data into the model for comparison training to obtain the optimal parameter configuration, so that the optimal parameter configuration can be used for subsequent accurate prediction. In the application, the basic distributed anomaly detection model can be optimized through time series network data to obtain the distributed anomaly detection model. The time sequence data refers to a data group which is collected and arranged into a multi-dimensional chronological order through the abnormality detection node.
In addition, the embodiment of the present application is described with respect to how to optimize the basic distributed anomaly detection model by using the time-series network data to obtain the distributed anomaly detection model.
In one case, specifically, for obtaining the distributed anomaly detection model, the optimizing the basic distributed anomaly detection model through the time series network data to obtain the distributed anomaly detection model includes:
performing dimensionality reduction processing on the time series network data to obtain dimensionality reduction data;
and optimizing the basic distributed anomaly detection model according to a direction propagation algorithm by using the dimension reduction data to obtain a distributed anomaly detection model.
In practical application, in order to improve the subsequent data detection efficiency, the collected time series network data needs to be subjected to dimensionality reduction. The originally collected time series network data of n multiple data items can be removed from the data with small influence factors on subsequent operation through preprocessing, and the detection efficiency is improved. And then optimizing the basic distributed anomaly detection model by using the obtained dimension reduction data according to a direction propagation algorithm to obtain a distributed anomaly detection model, and providing an optimization method of the distributed anomaly detection model.
In addition, for how to perform dimensionality reduction processing on the time series network data to obtain dimensionality reduction data, the embodiment of the present application is described.
In one case, the dimensions are reduced for the data. Correspondingly, the performing dimensionality reduction processing on the time series network data to obtain dimensionality reduction data specifically includes:
determining an abnormal detection node;
acquiring time series network data of the abnormal detection node according to a real-time operation rule of the system;
the real-time operation rule of the system is a time sequence set consisting of the total number of nodes in the system, the total uplink network speed, the total downlink network speed, the occupation of a node central processing unit, the occupation of a node memory, the uplink network speed of the nodes, the downlink network speed of the nodes, the occupation of a node file system and the connection number of peer nodes of the nodes;
and performing data dimension reduction processing on the time series network data by adopting a principal component analysis method to obtain dimension reduction data.
In practical application, an abnormal detection node needs to be selected first, and then time series network data of the abnormal detection node is obtained from the abnormal detection node according to a real-time operation rule of a system. The real-time operation rule of the system is a time sequence set consisting of the total number of nodes in the system, the total uplink network speed, the total downlink network speed, the occupation of a node central processing unit, the occupation of a node memory, the node uplink network speed, the node downlink network speed, the occupation of a node file system and the connection number of peer nodes of the nodes, and a method for reducing the dimension of the power block chain time sequence data based on a principal component analysis method is provided later.
In summary, the method includes the steps of firstly obtaining real-time operation data of the system, then predicting the obtained real-time operation data by using a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected, and obtaining a state information actual value of the real-time operation data at the future time node to be detected when the system continuously operates to the future time node to be detected. And finally, comparing the state information prediction value with the state information actual value to obtain a detection result. Therefore, the situation that the power infrastructure cannot effectively cope with network attack in the system construction process can be avoided by predicting the real-time operation data of the system, and the system safety is improved.
In addition, the application provides a method for performing dimensionality reduction on power block chain time sequence data based on a principal component analysis method, which specifically comprises the following steps:
step 1: and collecting and arranging time sequence data when the power block chain runs, and carrying out standardized processing on the time sequence data.
Raw data of the power block chain is X = (X) 1 ,x 2 ,…,x n ) Wherein each dimension contains m time series data, m is a positive integer, then time series data x j Sample mean ofSum standard deviation squared s j 2 The calculation formula of (c) is:
wherein x is ij For time series data, i and j are positive integers, and X is normalized to obtain an n-dimensional random variable Y = (Y) 1 ,y 2 ,…,y n ) Random variable y i =(y 1j ,y 2j ,…,y nj ) T Wherein y is i The calculation formula of (A) is as follows:
step 2: calculating a correlation coefficient matrix R, where R ij N and k are positive integers, which are random variables.
The eigenvalues are arranged in descending orderThe feature vector corresponding to the feature value isCorresponding major component is Z 1 ,Z 2 ,…,Z n 。
Variance contribution ratio of j (j =1,2, \8230;, n) th component:
variance cumulative contribution of the first p components:
in summary, in practical application of the power blockchain, k principal components can be selected to replace the original n-dimensional data, so thatAnd more than 80 percent, thereby realizing the time series data dimension reduction.
In addition, as shown in fig. 2, the present application further provides a schematic diagram of a distributed anomaly detection architecture of a power block chain, which includes three modules of real-time data preprocessing, distributed anomaly detection and authority management, wherein node data C1, C2 and C3 obtained in the real-time data preprocessing module respectively correspond to a first long-short term memory network training and optimization model, a second long-short term memory network training and optimization model and a third long-short term memory network training and optimization model which enter the distributed anomaly detection module, and finally enter an abnormal node authority limitation module in the authority management through a timing anomaly detection classifier. In the distributed anomaly detection architecture, data acquisition and input are formed by an acquisition station node, a telemetering data transmission channel and a control node, wherein the acquisition station node is arranged in a measuring line direction and is responsible for acquiring system operation data of a plurality of surrounding acquired nodes, and the control node is mainly considered to finish data recording and anomaly detection.
In addition, fig. 3 is a schematic diagram of a prediction model training and optimizing structure based on a long-short term memory network according to an embodiment of the present disclosure. The structure comprises an input layer, a hidden layer, an output layer and parameter optimization, wherein dimension-reduced original time sequence data are subjected to data division and cutting to form first data, second data to nth data, then the first data, the second data to the nth data are respectively input into a first long short-term memory neuron cell, a second long short-term memory neuron cell to an nth long short-term memory neuron cell of the hidden layer, and finally first output, the second output to the nth output are correspondingly generated on the output layer and are subjected to comparison test set iteration test. The parameter optimization comprises optimizer optimization, model output, loss calculation and model output. Specifically, in combination with the schematic diagram of the structure for training and optimizing the prediction model based on the long-short term memory network shown in fig. 3, the present application further provides a method for training and optimizing a distributed anomaly detection model, which specifically includes:
step 1: the input layer divides the original time sequence data of the input prediction model into dataTraining set F tr ={f 1 ,f 2 ,f 3 ,…,f p The length is p, the length of a cutting window is set to be L, and the length of a sliding window which can be used in the input layer is p-L;
step 2: when time series data is input, the training set can beL sliding windows are sequentially divided according to the cutting window, and the time sequence data after cutting of the original data is assumed to be I = { I = { (I) } 1 ,i 2 ,i 3 ,…,i L The time-series packet corresponding to each sliding window contains p-L data elements, and the length of the forward or backward sliding between two adjacent time-series data packets is equivalent to one data length;
and step 3: in the hidden layer, L LSTM neuron cells are also provided for the hidden layer corresponding to the received data for L consecutive input data groups, and the output of I input by the input layer after calculation of the chain structure of the training layer is recorded as the output sequence O = { O = 1 ,o 2 ,o 3 ,…,o L Each of the output sequences outputs o i The method is obtained by calculation through a forward calculation method of an LSTM neuron cell interaction structure:
wherein the content of the first and second substances,a fully connected layer representing a tape activation function; tanh represents the use of a tanh function as an activation function; h is a total of t-1 Indicating the hidden state of the previous LSTM cell; i.e. i t Input representing the current LSTM metacell; b is a mixture of f ,b x ,b C ,b o Representing bias parameters of different function calculations; w f ,W x ,W C ,W o Weight parameters representing different function calculations; f. of t Represents a forgetting gate in LSTM metacells; x is the number of t Representing LSTM cellsAn input gate in the cell;represents candidate memory cells in LSTM cells; c t Representing memory cells in LSTM cells; o. o t Represents the output gate in LSTM subcells; h is t Indicating the cryptic state of the current LSTM metacell.
Output o k The total expression of (a) can be written as:
wherein H k-1 And C k-1 Representing the numerical output and cellular state of an LSTM prior to the current neuronal cell, i k Input for the input layer of the current metacell.
And 4, step 4: calculating a loss function, wherein the loss in the current state is represented by calculating a mean square error value, and the loss function loss in the training process of the prediction model can be finally represented as follows:
and 5, obtaining the minimum value of loss by iterating the parameter values of the model. In the cyclic training process of the prediction model, the final purpose of the training is to obtain the parameter combination with the minimum loss value by continuously updating each parameter in the existing model, wherein p is the length of the training set, L is the length of the set cutting window, and o i And y i To output data.
In conclusion, the optimal solution is obtained by continuously updating the parameter value weight loop optimization, and the training and optimization of the distributed anomaly detection model are realized.
Based on the method for detecting the abnormal data of the block chain network provided by the embodiment, the application also provides a device for detecting the abnormal data of the block chain network. The device for detecting abnormal data of the blockchain network is described below with reference to the embodiments and the accompanying drawings.
Fig. 4 is a schematic structural diagram of an apparatus for detecting abnormal data in a block chain network according to an embodiment of the present disclosure. As described in conjunction with fig. 4, an apparatus 200 for detecting abnormal data in a blockchain network provided by an embodiment of the present application may include:
a first obtaining module 201, configured to obtain real-time operation data;
the prediction module 202 is configured to predict the real-time operation data through a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected;
a second obtaining module 203, configured to obtain an actual value of state information of the real-time operation data at the future time node to be measured;
and the anomaly detection module 204 is configured to compare the state information prediction value with the state information actual value to obtain a detection result.
As an embodiment, for how to obtain the real-time operation data, the first obtaining module 201 is specifically configured to:
and acquiring real-time operation data of the electric power block chain bottom network.
As an implementation method, for how to obtain a predicted value of state information of a future time node to be measured, the prediction module 202 is specifically configured to:
inputting the real-time operation data into a deep learning prediction model;
the deep learning prediction model predicts at least one state information prediction value of a future time node comprising a future time node to be measured according to the real-time operation data;
and acquiring the state information prediction value of the future time node to be measured from the state information prediction value of the future time node.
As an implementation method, for how to compare the predicted value of the state information with the actual value of the state information to obtain a detection result, the anomaly detection module 204 specifically includes:
the comparison module is used for comparing the state information prediction value with the state information actual value to obtain an error value;
and the detection submodule is used for inputting the error value into an abnormality judger to obtain a detection result.
As an embodiment, regarding how to perform the detection by using the anomaly determiner, the detection sub-module is specifically configured to:
inputting the error value into an abnormity judger for judgment to obtain a judgment result;
when the judgment result is that the error value is larger than or equal to a set threshold range, obtaining a detection result of data abnormity;
and when the judgment result is that the error value is smaller than a set threshold range, obtaining a detection result that the data is normal.
As an embodiment, the apparatus 200 for detecting abnormal data in a blockchain network further includes:
the optimization module is used for constructing a basic distributed anomaly detection model; and optimizing the basic distributed anomaly detection model through time series network data to obtain a distributed anomaly detection model.
As an embodiment, for how to optimize the basic distributed anomaly detection model, the optimization module specifically includes:
the dimensionality reduction module is used for carrying out dimensionality reduction on the time series network data to obtain dimensionality reduction data;
and the optimization submodule is used for optimizing the basic distributed anomaly detection model according to a direction propagation algorithm by using the dimension reduction data to obtain a distributed anomaly detection model.
As an embodiment, for how to perform dimensionality reduction processing on the time-series network data to obtain dimensionality reduction data, the dimensionality reduction module is specifically configured to:
determining an abnormal detection node;
acquiring time series network data of the abnormal detection node according to a real-time operation rule of the system;
the real-time operation rule of the system is a time sequence set consisting of the total number of nodes in the system, the total uplink network speed, the total downlink network speed, the occupation of a node central processing unit, the occupation of a node memory, the uplink network speed of the nodes, the downlink network speed of the nodes, the occupation of a node file system and the connection number of peer nodes of the nodes;
and performing data dimension reduction processing on the time series network data by adopting a principal component analysis method to obtain dimension reduction data.
In summary, the real-time operation data of the system is obtained first, then the obtained real-time operation data is predicted by using the distributed anomaly detection model, so as to obtain the state information prediction value of the future time node to be detected, and when the system continuously runs to the future time node to be detected, the actual state information value of the real-time operation data at the future time node to be detected is obtained. And finally, comparing the state information prediction value with the state information actual value to obtain a detection result. Therefore, the situation that the power infrastructure cannot effectively cope with network attack in the system construction process can be avoided by predicting the real-time operation data of the system, and the system safety is improved.
In addition, the present application further provides a device for detecting abnormal data in a block chain network, including: a memory for storing a computer program; a processor, configured to implement the steps of any one of the above block chain network anomaly detection methods when the computer program is executed.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A method for detecting abnormal data of a block chain network, the method comprising:
acquiring real-time operation data;
predicting the real-time operation data through a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected;
acquiring the actual value of the state information of the real-time operation data at the time node to be measured in the future;
and comparing the state information prediction value with the state information actual value to obtain a detection result.
2. The method of claim 1, wherein prior to obtaining real-time operational data, further comprising:
constructing a basic distributed anomaly detection model;
and optimizing the basic distributed anomaly detection model through time series network data to obtain a distributed anomaly detection model.
3. The method of claim 2, wherein the optimizing the underlying distributed anomaly detection model by time series network data to obtain a distributed anomaly detection model comprises:
performing dimensionality reduction processing on the time series network data to obtain dimensionality reduction data;
and optimizing the basic distributed anomaly detection model according to a direction propagation algorithm by using the dimension reduction data to obtain a distributed anomaly detection model.
4. The method of claim 3, wherein the dimension reduction processing of the time-series network data to obtain dimension reduction data comprises:
determining an abnormal detection node;
acquiring time series network data of the abnormal detection node according to a real-time operation rule of the system;
the real-time operation rule of the system is a time sequence set consisting of the total number of nodes in the system, the total uplink network speed, the total downlink network speed, the occupation of a node central processing unit, the occupation of a node memory, the uplink network speed of the nodes, the downlink network speed of the nodes, the occupation of a node file system and the connection number of peer nodes of the nodes;
and performing data dimension reduction processing on the time series network data by adopting a principal component analysis method to obtain dimension reduction data.
5. The method of claim 1, wherein the obtaining real-time operational data comprises:
and acquiring real-time operation data of the electric power block chain bottom network.
6. The method of claim 1, wherein the predicting the real-time operation data through the distributed anomaly detection model to obtain a predicted value of state information of a future time node to be tested comprises:
inputting the real-time operation data into a deep learning prediction model;
the deep learning prediction model predicts at least one state information prediction value of a future time node comprising a future time node to be measured according to the real-time operation data;
and acquiring the state information prediction value of the time node to be measured in the future from the state information prediction value of the time node in the future.
7. The method of claim 1, wherein comparing the predicted value of the status information with the actual value of the status information to obtain a detection result comprises:
comparing the state information prediction value with the state information actual value to obtain an error value;
and inputting the error value into an abnormality judger to obtain a detection result.
8. The method of claim 7, wherein inputting the error value to an anomaly determiner to obtain a detection result comprises:
inputting the error value into an abnormity judger for judgment to obtain a judgment result;
when the judgment result is that the error value is larger than or equal to a set threshold range, obtaining a detection result of data abnormity;
and when the judgment result is that the error value is smaller than a set threshold range, obtaining a detection result that the data is normal.
9. An apparatus for detecting abnormal data in a blockchain network, comprising:
the first acquisition module is used for acquiring real-time operation data;
the prediction module is used for predicting the real-time operation data through a distributed anomaly detection model to obtain a state information prediction value of a future time node to be detected;
the second acquisition module is used for acquiring the actual value of the state information of the real-time operation data at the time node to be measured in the future;
and the abnormality detection module is used for comparing the state information prediction value with the state information actual value to obtain a detection result.
10. A blockchain network anomaly data detection device comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method for detecting abnormal data in a blockchain network according to any one of claims 1 to 8 when executing the computer program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211646606.3A CN115632887A (en) | 2022-12-21 | 2022-12-21 | Block chain network abnormal data detection method, device and equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211646606.3A CN115632887A (en) | 2022-12-21 | 2022-12-21 | Block chain network abnormal data detection method, device and equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115632887A true CN115632887A (en) | 2023-01-20 |
Family
ID=84909847
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211646606.3A Pending CN115632887A (en) | 2022-12-21 | 2022-12-21 | Block chain network abnormal data detection method, device and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115632887A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117217848A (en) * | 2023-11-08 | 2023-12-12 | 深圳海辰储能科技有限公司 | Energy storage transaction method, device and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004072286A (en) * | 2002-08-05 | 2004-03-04 | Nippon Telegr & Teleph Corp <Ntt> | Method and device for detecting structural change and communication network abnormal state and program |
US20060195201A1 (en) * | 2003-03-31 | 2006-08-31 | Nauck Detlef D | Data analysis system and method |
CN102130800A (en) * | 2011-04-01 | 2011-07-20 | 苏州赛特斯网络科技有限公司 | Device and method for detecting network access abnormality based on data stream behavior analysis |
CN109615449A (en) * | 2018-10-25 | 2019-04-12 | 阿里巴巴集团控股有限公司 | A kind of prediction technique and device, a kind of calculating equipment and storage medium |
CN110120935A (en) * | 2018-02-05 | 2019-08-13 | 罗伯特·博世有限公司 | For identifying the abnormal method and apparatus in data flow in a communication network |
CN111027679A (en) * | 2019-12-06 | 2020-04-17 | 深圳鲲云信息科技有限公司 | Abnormal data detection method and system |
-
2022
- 2022-12-21 CN CN202211646606.3A patent/CN115632887A/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004072286A (en) * | 2002-08-05 | 2004-03-04 | Nippon Telegr & Teleph Corp <Ntt> | Method and device for detecting structural change and communication network abnormal state and program |
US20060195201A1 (en) * | 2003-03-31 | 2006-08-31 | Nauck Detlef D | Data analysis system and method |
CN102130800A (en) * | 2011-04-01 | 2011-07-20 | 苏州赛特斯网络科技有限公司 | Device and method for detecting network access abnormality based on data stream behavior analysis |
CN110120935A (en) * | 2018-02-05 | 2019-08-13 | 罗伯特·博世有限公司 | For identifying the abnormal method and apparatus in data flow in a communication network |
CN109615449A (en) * | 2018-10-25 | 2019-04-12 | 阿里巴巴集团控股有限公司 | A kind of prediction technique and device, a kind of calculating equipment and storage medium |
CN111027679A (en) * | 2019-12-06 | 2020-04-17 | 深圳鲲云信息科技有限公司 | Abnormal data detection method and system |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117217848A (en) * | 2023-11-08 | 2023-12-12 | 深圳海辰储能科技有限公司 | Energy storage transaction method, device and storage medium |
CN117217848B (en) * | 2023-11-08 | 2024-01-26 | 深圳海辰储能科技有限公司 | Energy storage transaction method, device and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11927949B2 (en) | Method for anomaly classification of industrial control system communication network | |
Wang et al. | Anomaly detection for industrial control system based on autoencoder neural network | |
CN111967571B (en) | Abnormality detection method and device based on MHMA | |
EP3355547B1 (en) | Method and system for learning representations of network flow traffic | |
Palmieri et al. | A distributed approach to network anomaly detection based on independent component analysis | |
Anantharaman et al. | Large scale predictive analytics for hard disk remaining useful life estimation | |
CN111600919B (en) | Method and device for constructing intelligent network application protection system model | |
CN112738014B (en) | Industrial control flow anomaly detection method and system based on convolution time sequence network | |
CN111598179B (en) | Power monitoring system user abnormal behavior analysis method, storage medium and equipment | |
CN112800116A (en) | Method and device for detecting abnormity of service data | |
Oozeer et al. | Cognitive dynamic system for control and cyber-attack detection in smart grid | |
Ntalampiras et al. | A fault diagnosis system for interdependent critical infrastructures based on HMMs | |
CN115063588A (en) | Data processing method, device, equipment and storage medium | |
CN115237717A (en) | Micro-service abnormity detection method and system | |
CN115632887A (en) | Block chain network abnormal data detection method, device and equipment | |
CN113992350A (en) | Smart grid false data injection attack detection system based on deep learning | |
Xia et al. | ETD-ConvLSTM: A deep learning approach for electricity theft detection in smart grids | |
Yang et al. | Cloud-edge coordinated traffic anomaly detection for industrial cyber-physical systems | |
Laptiev et al. | Algorithm for Recognition of Network Traffic Anomalies Based on Artificial Intelligence | |
CN115033893B (en) | Information vulnerability data analysis method of improved clustering algorithm | |
CN116167370A (en) | Log space-time characteristic analysis-based distributed system anomaly detection method | |
CN115001781A (en) | Terminal network state safety monitoring method | |
CN114006744A (en) | LSTM-based power monitoring system network security situation prediction method and system | |
CN113822337A (en) | Industrial control abnormity detection method based on multi-dimensional sequence | |
Khoei et al. | ACapsule Q-learning based reinforcement model for intrusion detection system on smart grid |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20230120 |