CN116743646B - An anomaly detection method based on domain-adaptive deep autoencoder tunnel network - Google Patents

Abstract

The invention relates to a tunnel network anomaly detection method based on a domain self-adaptive depth self-encoder, and belongs to the technical field of tunnel network anomaly detection. The method comprises the steps of data acquisition and preprocessing, training and updating of an abnormal detection source domain model, dynamic threshold calculation of abnormal detection, abnormal data detection and the like. The invention can directly perform operations such as preprocessing, abnormality detection and the like on the tunnel network at the edge side, improves the processing speed of the monitoring system and effectively reduces the processing time delay. Meanwhile, based on the normal reference value of the current network state, the abnormal threshold range is reasonably set, and abnormal information missing report, false report and other conditions caused by fixed setting of the threshold are avoided.

Description

A tunnel network anomaly detection method based on domain adaptive deep autoencoder

Technical Field

The present invention belongs to the technical field of tunnel network anomaly detection, and specifically relates to a tunnel network anomaly detection method based on a domain adaptive deep autoencoder, and specifically relates to an edge computing method for completing tunnel network anomaly detection based on a domain adaptive deep autoencoder.

Background Art

The electromechanical system in the tunnel is huge, and the equipment distribution is relatively complex. It is particularly important to monitor and manage the network status of electromechanical equipment in highway tunnels. At present, in a single highway tunnel, a regional controller is set up every 500 meters to control the surrounding field equipment. These control cabinets are interconnected through switches to form a fiber optic ring network in two directions of the tunnel entrance. Ethernet switches not only need to process high-bandwidth data from the video surveillance system, but also need to be configured as redundant fiber optic ring networks to connect regional controllers to control ventilation, lighting, traffic lights and other equipment in the tunnel. With the increase in the number of industrial Ethernet devices, the structure of industrial Ethernet networks has become increasingly complex. In actual applications, problems such as insufficient network topology perception, network storms caused by misoperation, and virus infection have become important factors affecting network stability and reliability. When problems occur in industrial Ethernet, they often spread to the entire network in an instant, affecting a large range. In addition, the regional controllers in the tunnel are usually responsible for executing functions such as digital quantity, analog quantity input and output, and serial port communication, but cannot effectively collect the operating status information of network devices such as switches. In other words, although the tunnel network has actually been established, when network traffic is abnormal, the system cannot accurately locate the fault location, and cannot generate corresponding records.

Therefore, it is of great research significance to introduce edge computing architecture into various electromechanical systems in tunnels. Edge computing technology can process data directly on the tunnel electromechanical equipment side, avoiding the transfer of data to the cloud or other data centers, improving the response speed and reducing the demand for tunnel network bandwidth. Deploying edge computing nodes in the tunnel environment, managing a large number of front-end devices in the environment, and detecting the tunnel network status based on edge computing can avoid failures of electromechanical equipment during operation, which helps to improve the reliability of tunnel electromechanical systems and enhance the level of intelligence.

However, in order to make edge computing play a better role in tunnel network monitoring, it is necessary to design a reasonable edge computing method for tunnel network anomaly detection. Most of the anomaly detection methods currently used in practice still need to rely on manual detection and analysis. The most commonly used theoretical method is the mathematical statistics method. The statistical distribution in statistics is usually used as the standard for anomaly judgment, the statistical characteristics between samples are calculated, and the set threshold is used to achieve anomaly detection. The second type of method is based on the classification model, but model training requires high-quality training data and a large number of labeled data sets for model training. The third type is based on the distance method. Outliers are considered anomalies. This type of algorithm is not suitable for data with large data volume and high dimension. However, due to the complexity and diversity of electromechanical equipment in the tunnel, the network traffic characteristics of the collected network data have high dimensions and highly nonlinear data, making it difficult to establish an effective anomaly detection model. In addition, since the tunnel network operating environment has the characteristics of dynamic changes over time, it is easy to cause false detection problems based on fixed monitoring indicators and fixed anomaly detection models for all running samples. Therefore, how to overcome the shortcomings of the existing technology is an urgent problem to be solved in the field of tunnel network anomaly detection technology.

Summary of the invention

The purpose of the present invention is to solve the deficiencies of the prior art and to provide a tunnel network anomaly detection method based on domain adaptive deep autoencoder.

To achieve the above purpose, the technical solution adopted by the present invention is as follows:

A tunnel network anomaly detection method based on domain adaptive deep autoencoder comprises the following steps:

Step 1: The edge computing nodes deployed in the tunnel collect the historical network traffic data of the equipment in the tunnel electromechanical system equipment layer, parse and obtain the corresponding network raw data stream, and perform data preprocessing to obtain the corresponding network traffic characteristics, that is, the preprocessed network traffic samples;

Step 2: After the collected historical network traffic data is processed in step 1 to obtain the network traffic features corresponding to each network traffic data, it is used as the source domain data set; the source domain data set is used as the training set, and the anomaly detection source domain model is trained based on the deep autoencoder algorithm. After the training is completed, the anomaly detection source domain model is deployed in the tunnel edge computing node;

Step 3: After the real-time collected network traffic data is preprocessed in the manner described in step 1 to obtain the corresponding network traffic features, an adaptive sliding window algorithm is constructed to obtain the target domain data set corresponding to the network traffic; the anomaly detection source domain model obtained in step 2 is updated according to the corresponding target domain data set;

Step 4: Calculate the dynamic threshold for anomaly detection;

Step 5: Input the network traffic features after preprocessing of the real-time collected network traffic data to be tested into the updated anomaly detection source domain model, and calculate its reconstruction error;

Step 6: Based on the dynamic threshold obtained in step 4 and the reconstruction error obtained in step 5, detect whether the network traffic data to be tested collected in real time is abnormal data.

Furthermore, preferably, in step 1, the system architecture for tunnel network anomaly detection using edge computing nodes includes a device layer, an edge computing layer, a network layer, and a cloud platform layer; the device layer, the edge computing layer, the network layer, and the cloud platform layer are connected sequentially; each device system in the device layer includes a broadcast telephone system, a tunnel monitoring system, a tunnel ventilation and lighting system, a tunnel area controller, a tunnel fire protection system, an information release system, and a tunnel traffic signal system; and the edge computing layer is an edge computing node deployed in the tunnel.

Further, preferably, in step 1, the data preprocessing method includes removing abnormal data, removing meaningless features and normalizing data;

The network traffic characteristics include data flow duration, the number of forward packets, the number of reverse packets, the total bytes of forward packets, the total bytes of reverse packets, the total bytes of forward packet headers, the total bytes of reverse packet headers, the total bytes of forward subflows, and the total bytes of reverse subflows.

Further, preferably, in step 2, the anomaly detection source domain model adopts a deep autoencoder, including an encoder and a decoder;

The anomaly detection source domain model has a three-layer neural network, namely, input layer, hidden layer and output layer. , ;in, represents the source domain dataset, Indicates Preprocessed network traffic samples;

The specific training method of the anomaly detection source domain model is as follows:

Step 2.1: Encoder converts source domain data After activation function Mapping gets the hidden layer data:

;

In the formula, represents the hidden layer vector, Indicates The hidden layer vector of the preprocessed network traffic samples;

The encoding process is shown in formula (1):

(1)

In the formula, and Represent the network weights and bias vectors of the encoder respectively, Is the activation function, which is the Sigmoid function in the present invention;

Step 2.2: The decoder passes the activation function The hidden layer data Transform to the output layer to obtain the output variable:

;

In the formula, represents the reconstructed output variable, Indicates reconstructed network traffic samples;

The hidden layer vector The input variables are reconstructed and the decoding process is shown in formula (2);

(2)

In the formula, and Represent the network weights and bias vectors of the decoder respectively, is the activation function;

Step 2.3: Use the gradient descent algorithm to train the anomaly detection source domain model, with the goal of minimizing the reconstruction error and obtaining the optimal network parameters; the objective function is shown in formula (3):

(3)

In the formula, the network parameter set Respectively represent the network weights of the encoder, the bias vector of the encoder, the network weights of the decoder, and the bias vector of the decoder, and Respectively represent The input and reconstructed output variables of a DAE network; M represents the total number of preprocessed network traffic samples;

Step 2.4: Save the network parameters of the trained anomaly detection source domain model and deploy the model on the tunnel edge computing node.

Furthermore, it is preferred that is the Sigmoid function.

Further, preferably, the specific method of step 3 is:

Step 3.1: Assume that At this moment, the network traffic data collected in real time by the edge computing node is preprocessed as described in step 1 to obtain the corresponding network traffic features, that is, the preprocessed network traffic sample , defined as the sample to be tested; the target domain dataset is constructed using the adaptive sliding window algorithm ; The specific method is:

Step 3.1.1: Preprocessed network traffic sample at time As the right boundary of the sliding window, the network traffic samples pre-processed in the previous order are expanded, and the network traffic samples pre-processed in the adjacent time sequence are attributed to the sliding window. Then the adaptive sliding window data set It is expressed as:

;

In the formula, Indicates the length is The sliding window contains Time has come Preprocessed network traffic samples within time; is the network traffic sample preprocessed at the left edge of the window, that is, the adaptive sliding window is Time forward expansion Preprocessed network traffic samples;

Step 3.1.2: When the adaptive sliding window determines whether to expand the previous sample, it is assumed that the sliding window has been expanded to At time , the sample to be judged whether to be included in the window is Moment; first, the average Euclidean distance between the sample at that moment and all samples in the current window is calculated based on the similarity function shown below:

(4)

The calculation method of ED is:

;

In the formula, Indicates that the current sliding window is from Time has come Any preprocessed network traffic sample within time, is the number of preprocessed network traffic samples in the current window, It is the network traffic sample after pre-processing to be judged whether to be included in the window;

Step 3.1.3: Set the boundary threshold of the adaptive sliding window according to the similarity function of step 3.1.2 ,like , the sliding window will include the preprocessed network traffic sample, that is, the preprocessed network traffic sample at the left boundary of the window is , otherwise the expansion stops, and the left boundary sample is ;

Let the sliding window dataset As The target domain data is represented as:

;

because The CCP has preprocessed network traffic samples, so the target domain dataset It is expressed as:

;

In the formula, Including A dataset of preprocessed network traffic samples Neidi Preprocessed network traffic samples;

Step 3.2: Leverage the target domain dataset Perform domain adaptive update on the anomaly detection source domain model trained in step 2; the specific steps are as follows:

Step 3.2.1: First, the source domain dataset Input it into the trained anomaly detection source domain model, and obtain the hidden layer vector of the source domain data through forward propagation of formula (1) ;

Step 3.2.2: Target domain data The same input is used to the anomaly detection source domain model and the hidden layer vector of the target domain data is obtained by forward propagation through the following formula: :

(5)

Step 3.2.3: Take the maximum average difference distance as the objective function, and the calculation formula is shown in formula (6):

;

(6)

In the formula, They are and The number of samples in To find the minimum upper bound function, In the formula, refers to any index in the data set, that is, and Respectively Middle and samples, and Respectively Middle and samples; is the Gaussian kernel function, The calculation is as follows:

(7)

In the formula, represents bandwidth parameter;

Step 3.2.4: Calculate the difference between the implicit vectors generated by the source domain data and the target domain data according to formulas (6)-(7) to build the DADAE model; the goal is to minimize the DADAE model objective function, which is as follows:

(8)

In the formula, is the loss function shown in formula (3); is the MMD distance loss function; network parameter set They represent the network weights of the encoder, the bias vector of the encoder, the network weights of the decoder, and the bias vector of the decoder after domain adaptive update, respectively. is the balance parameter;

Step 3.2.5: Save the trained network parameters of the new anomaly detection source domain model and deploy the new anomaly detection source domain model on the tunnel edge computing node.

Furthermore, preferably, in step 4, a dynamic threshold for anomaly detection is calculated, and the upper limit of the dynamic anomaly threshold is recorded as , the lower limit is ; The specific method is:

Step 4.1: First, the target domain dataset Execute it again in the updated anomaly detection source domain model to obtain the output dataset after the encoder and decoder, denoted as ; Then, the reconstruction error of each target domain data is calculated using the following formula:

(9)

In the formula, Included elements, represented by , and Respectively include A target domain dataset of network traffic and its reconstructed output dataset;

Step 4.2: Calculation The mean and standard deviation of are calculated as follows:

(10)

(11)

In the formula, express The average value of for The standard deviation of the dynamic threshold is:

(12)

(13)

In the formula, is the standard deviation coefficient.

Furthermore, it is preferred that is 2.

Further, preferably, in step 5, the calculation method of the reconstruction error is as follows:

;

In the formula, The reconstructed output is obtained by encoding and decoding the pre-processed network traffic sample to be tested through the updated anomaly detection source domain model.

Further, preferably, the detection method in step 6 is:

when When , it is marked as normal; when or , marked as abnormal.

In the present invention, The value of can be selected according to actual conditions, and the present invention does not limit the boundary threshold.

The technical problem to be solved by the present invention is: in view of the difficulty in detecting anomalies in tunnel networks caused by the complexity of Ethernet devices and the high sampling rate of network transmission traffic under the existing technology, edge computing nodes are introduced in the tunnel network to process the network traffic directly on the device side. However, due to the complexity and diversity of electromechanical equipment in the tunnel, the network traffic characteristics of the collected network data have high dimensions and the data is highly nonlinear, making it difficult to establish an effective anomaly detection model. In addition, since the operating environment of the tunnel network has the characteristics of dynamic change over time and instant variability, relying solely on an unchanging model is prone to a continuous decline in detection effect over time. Fixed anomaly thresholds and detection models do not have good robustness for the anomaly detection task of the tunnel network.

In view of the above situation, the present invention proposes a tunnel network anomaly detection method based on Domain Adaptive Deep Autoencoder (DADAE). The method of the present invention introduces the edge computing architecture into the tunnel electromechanical system, and the edge computing node collects and obtains the network traffic characteristics corresponding to different services and completes the anomaly detection task. For the problem of the difficulty in building a tunnel network anomaly detection model, the present invention introduces the idea of transfer learning and designs a domain adaptive deep autoencoder algorithm to realize real-time update of the detection network state. From the perspective of transfer learning, in the present invention, a section of historical network traffic generated by the tunnel electromechanical system is regarded as the source domain. Due to the time-varying characteristics of the data, the distribution of the network traffic to be detected collected in real time does not match the historical network traffic to a certain extent. Considering that the network traffic has a strong correlation in adjacent time periods, for the traffic samples to be detected, the samples within a certain time window are regarded as the target domain. The purpose of the present invention is to directly collect and process the data at the edge of the tunnel, and use the idea of transfer learning to improve the adaptability of the anomaly detection model to time-varying traffic samples, improve the processing speed of the monitoring system, effectively reduce the processing delay, and improve the robustness and accuracy of the anomaly detection model.

Specifically, firstly, considering the high dimension of tunnel network features and the nonlinear characteristics between data, the historical normal network traffic is regarded as the source domain data to establish the source domain autoencoder model, so as to preliminarily construct the nonlinear fitting relationship of the tunnel network. Then, when the network samples to be tested collected by the edge node in real time arrive, the target domain data corresponding to the samples to be tested is determined through the sliding window, and the source domain autoencoder model is domain-adaptively updated with the target domain data. Finally, the samples to be tested are input into the updated model to calculate their reconstruction loss, and the constructed anomaly detection module is used to detect whether the samples to be tested are abnormal network traffic samples.

Compared with the prior art, the present invention has the following beneficial effects:

(1) Through the tunnel network anomaly detection method of a domain adaptive deep autoencoder proposed in the present invention, preprocessing, anomaly detection and other operations can be performed directly on the edge side of the tunnel network, thereby improving the processing speed of the monitoring system and effectively reducing the processing delay.

(2) In view of the fact that the tunnel network environment changes dynamically over time, the domain adaptive deep autoencoder algorithm provided by the present invention can enable the anomaly detection algorithm to adaptively match the network traffic samples to be detected, thereby improving the robustness and accuracy of the anomaly detection algorithm.

(3) The method for dynamically determining the abnormal threshold provided by the present invention reasonably sets the abnormal threshold range based on the normal baseline value of the current network status, thereby avoiding the omission and false alarm of abnormal information caused by the fixed setting of the threshold.

(4) By applying the present invention to the edge computing nodes inside highway tunnels, the robustness and accuracy of network traffic anomaly detection tasks can be improved, and the operation and management costs of highway tunnels can be reduced.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a diagram of each layer architecture of tunnel network anomaly detection based on domain adaptive deep autoencoder of the present invention;

FIG2 is a flow chart of a tunnel network anomaly detection method based on a domain adaptive deep autoencoder according to the present invention;

FIG3 is an algorithm diagram of the tunnel network anomaly detection method based on the domain adaptive deep autoencoder of the present invention.

DETAILED DESCRIPTION

The present invention is further described in detail below in conjunction with embodiments.

Those skilled in the art will appreciate that the following examples are only used to illustrate the present invention and should not be considered to limit the scope of the present invention. If no specific techniques or conditions are specified in the examples, the techniques or conditions described in the literature in the art or the product specifications are used. If the manufacturer of the materials or equipment used is not specified, they are all conventional products that can be purchased.

Embodiment 1 A method for detecting anomalies in a tunnel network based on a domain adaptive deep autoencoder comprises the following steps:

Step 1: The edge computing nodes deployed in the tunnel collect the historical network traffic data of the equipment in the tunnel electromechanical system equipment layer, parse and obtain the corresponding network raw data stream, and perform data preprocessing to obtain the corresponding network traffic characteristics, that is, the preprocessed network traffic samples;

Step 2: After the collected historical network traffic data is processed in step 1 to obtain the network traffic features corresponding to each network traffic data, it is used as the source domain data set; the source domain data set is used as the training set, and the anomaly detection source domain model is trained based on the deep autoencoder algorithm. After the training is completed, the anomaly detection source domain model is deployed in the tunnel edge computing node;

Step 3: After the real-time collected network traffic data is preprocessed in the manner described in step 1 to obtain the corresponding network traffic features, an adaptive sliding window algorithm is constructed to obtain the target domain data set corresponding to the network traffic; the anomaly detection source domain model obtained in step 2 is updated according to the corresponding target domain data set;

Step 4: Calculate the dynamic threshold for anomaly detection;

Step 5: Input the network traffic features after preprocessing of the real-time collected network traffic data to be tested into the updated anomaly detection source domain model, and calculate its reconstruction error;

Step 6: Based on the dynamic threshold obtained in step 4 and the reconstruction error obtained in step 5, detect whether the network traffic data to be tested collected in real time is abnormal data.

Embodiment 2 A method for detecting anomalies in a tunnel network based on a domain adaptive deep autoencoder comprises the following steps:

Step 1: The edge computing nodes deployed in the tunnel collect the historical network traffic data of the equipment in the tunnel electromechanical system equipment layer, parse and obtain the corresponding network raw data stream, and perform data preprocessing to obtain the corresponding network traffic characteristics, that is, the preprocessed network traffic samples;

Step 2: After the collected historical network traffic data is processed in step 1 to obtain the network traffic features corresponding to each network traffic data, it is used as the source domain data set; the source domain data set is used as the training set, and the anomaly detection source domain model is trained based on the deep autoencoder algorithm. After the training is completed, the anomaly detection source domain model is deployed in the tunnel edge computing node;

Step 3: After the real-time collected network traffic data is preprocessed in the manner described in step 1 to obtain the corresponding network traffic features, an adaptive sliding window algorithm is constructed to obtain the target domain data set corresponding to the network traffic; the anomaly detection source domain model obtained in step 2 is updated according to the corresponding target domain data set;

Step 4: Calculate the dynamic threshold for anomaly detection;

Step 5: Input the network traffic features after preprocessing of the real-time collected network traffic data to be tested into the updated anomaly detection source domain model, and calculate its reconstruction error;

Step 6: Based on the dynamic threshold obtained in step 4 and the reconstruction error obtained in step 5, detect whether the network traffic data to be tested collected in real time is abnormal data.

In step 1, the system architecture for tunnel network anomaly detection using edge computing nodes includes a device layer, an edge computing layer, a network layer, and a cloud platform layer; the device layer, the edge computing layer, the network layer, and the cloud platform layer are connected sequentially; the various device systems in the device layer include a broadcast telephone system, a tunnel monitoring system, a tunnel ventilation and lighting system, a tunnel area controller, a tunnel fire protection system, an information release system, and a tunnel traffic signal system; the edge computing layer is an edge computing node deployed in the tunnel.

In step 1, the data preprocessing method includes removing abnormal data, removing meaningless features and normalizing data;

The network traffic characteristics include data flow duration, the number of forward packets, the number of reverse packets, the total bytes of forward packets, the total bytes of reverse packets, the total bytes of forward packet headers, the total bytes of reverse packet headers, the total bytes of forward subflows, and the total bytes of reverse subflows.

In step 2, the anomaly detection source domain model adopts a deep autoencoder, including an encoder and a decoder;

The anomaly detection source domain model has a three-layer neural network, namely, input layer, hidden layer and output layer. , ;in, represents the source domain dataset, Indicates Preprocessed network traffic samples;

The specific training method of the anomaly detection source domain model is as follows:

Step 2.1: Encoder converts source domain data After activation function Mapping gets the hidden layer data:

;

In the formula, represents the hidden layer vector, Indicates The hidden layer vector of the preprocessed network traffic samples;

The encoding process is shown in formula (1):

(1)

In the formula, and Represent the network weights and bias vectors of the encoder respectively, Is the activation function, which is the Sigmoid function in the present invention;

Step 2.2: The decoder passes the activation function The hidden layer data Transform to the output layer to obtain the output variable:

;

In the formula, represents the reconstructed output variable, Indicates reconstructed network traffic samples;

The hidden layer vector The input variables are reconstructed and the decoding process is shown in formula (2);

(2)

In the formula, and Represent the network weights and bias vectors of the decoder respectively, is the activation function;

Step 2.3: Use the gradient descent algorithm to train the anomaly detection source domain model, with the goal of minimizing the reconstruction error and obtaining the optimal network parameters; the objective function is shown in formula (3):

(3)

In the formula, the network parameter set Respectively represent the network weights of the encoder, the bias vector of the encoder, the network weights of the decoder, and the bias vector of the decoder, and Respectively represent The input and reconstructed output variables of a DAE network; M represents the total number of preprocessed network traffic samples;

Step 2.4: Save the network parameters of the trained anomaly detection source domain model and deploy the model on the tunnel edge computing node.

is the Sigmoid function.

The specific method of step 3 is:

Step 3.1: Assume that At this moment, the network traffic data collected in real time by the edge computing node is preprocessed as described in step 1 to obtain the corresponding network traffic features, that is, the preprocessed network traffic sample , defined as the sample to be tested; the target domain dataset is constructed using the adaptive sliding window algorithm ; The specific method is:

Step 3.1.1: Preprocessed network traffic sample at time As the right boundary of the sliding window, the network traffic samples pre-processed in the previous order are expanded, and the network traffic samples pre-processed in the adjacent time sequence are attributed to the sliding window. Then the adaptive sliding window data set It is expressed as:

;

In the formula, Indicates the length is The sliding window contains Time has come Preprocessed network traffic samples within time; is the network traffic sample preprocessed at the left edge of the window, that is, the adaptive sliding window is Time forward expansion Preprocessed network traffic samples;

Step 3.1.2: When the adaptive sliding window determines whether to expand the previous sample, it is assumed that the sliding window has been expanded to At time , the sample to be judged whether to be included in the window is Moment; first, the average Euclidean distance between the sample at that moment and all samples in the current window is calculated based on the similarity function shown below:

(4)

The calculation method of ED is:

;

In the formula, Indicates that the current sliding window is from Time has come Any preprocessed network traffic sample within time, is the number of preprocessed network traffic samples in the current window, It is the network traffic sample after pre-processing to be judged whether to be included in the window;

Step 3.1.3: Set the boundary threshold of the adaptive sliding window according to the similarity function of step 3.1.2 ,like , the sliding window will include the preprocessed network traffic sample, that is, the preprocessed network traffic sample at the left boundary of the window is , otherwise the expansion stops, and the left boundary sample is ;

Let the sliding window dataset As The target domain data is represented as:

;

because The CCP has preprocessed network traffic samples, so the target domain dataset It is expressed as:

;

In the formula, Including A dataset of preprocessed network traffic samples Neidi Preprocessed network traffic samples;

Step 3.2: Leverage the target domain dataset Perform domain adaptive update on the anomaly detection source domain model trained in step 2; the specific steps are as follows:

Step 3.2.1: First, the source domain dataset Input it into the trained anomaly detection source domain model, and obtain the hidden layer vector of the source domain data through forward propagation of formula (1) ;

Step 3.2.2: Target domain data The same input is used to the anomaly detection source domain model and the hidden layer vector of the target domain data is obtained by forward propagation through the following formula: :

(5)

Step 3.2.3: Take the maximum average difference distance as the objective function, and the calculation formula is shown in formula (6):

;

(6)

In the formula, They are and The number of samples in To find the minimum upper bound function, In the formula, refers to any index in the data set, that is, and Respectively Middle and samples, and Respectively Middle and samples; is the Gaussian kernel function, The calculation is as follows:

(7)

In the formula, represents bandwidth parameter;

Step 3.2.4: Calculate the difference between the implicit vectors generated by the source domain data and the target domain data according to formulas (6)-(7) to build the DADAE model; the goal is to minimize the DADAE model objective function, which is as follows:

(8)

In the formula, is the loss function shown in formula (3); is the MMD distance loss function; network parameter set They represent the network weights of the encoder, the bias vector of the encoder, the network weights of the decoder, and the bias vector of the decoder after domain adaptive update, respectively. is the balance parameter;

Step 3.2.5: Save the trained network parameters of the new anomaly detection source domain model and deploy the new anomaly detection source domain model on the tunnel edge computing node.

In step 4, the dynamic threshold for anomaly detection is calculated, and the upper limit of the dynamic anomaly threshold is recorded as , the lower limit is ; The specific method is:

Step 4.1: First, the target domain dataset Execute it again in the updated anomaly detection source domain model to obtain the output dataset after the encoder and decoder, denoted as ; Then, the reconstruction error of each target domain data is calculated using the following formula:

(9)

In the formula, Included elements, represented by , and Respectively include A target domain dataset of network traffic and its reconstructed output dataset;

Step 4.2: Calculation The mean and standard deviation of are calculated as follows:

(10)

(11)

In the formula, express The average value of for The standard deviation of the dynamic threshold is:

(12)

(13)

In the formula, is the standard deviation coefficient.

is 2.

In step 5, the reconstruction error is calculated as follows:

;

In the formula, The reconstructed output is obtained by encoding and decoding the pre-processed network traffic sample to be tested through the updated anomaly detection source domain model.

The detection method in step 6 is:

when When , it is marked as normal; when or , marked as abnormal.

Embodiment 3 As shown in Figure 1, due to the difficulty in identifying network traffic anomalies in tunnels and inaccurate positioning, an edge computing architecture is introduced. The present invention proposes a tunnel network anomaly detection method based on a domain adaptive deep autoencoder. The edge computing architecture of the tunnel electromechanical system is divided into a device layer, an edge computing layer, a network layer, and a cloud platform layer. Among them, the device layer mainly includes tunnel sensing devices and control devices, such as broadcast telephone systems, tunnel monitoring systems, tunnel ventilation and lighting systems, tunnel area controllers, tunnel fire protection systems, information release systems, tunnel traffic signal systems, etc. Considering the difficulty in detecting tunnel network anomalies caused by the complexity of Ethernet devices and the high sampling rate of network transmission traffic under the prior art, edge computing nodes are deployed in the tunnel to manage a large number of surrounding front-end devices and perform data collection and processing, including model training, domain adaptive updates, and network anomaly detection functions. Due to the complexity and diversity of electromechanical equipment in the tunnel, the collected network traffic features have high dimensions and are highly nonlinear between data. It is difficult to establish an effective anomaly detection model. The present invention constructs a tunnel network anomaly detection method based on a domain adaptive deep autoencoder.

As shown in the flowchart of FIG2 and the algorithm diagram of FIG3, taking the network traffic anomaly detection of the tunnel monitoring system as an example, this example involves a tunnel network anomaly detection method based on a domain adaptive deep autoencoder, which specifically includes the following steps:

Step 1: Taking the network traffic anomaly detection of the tunnel monitoring system as an example, the historical network traffic data of the tunnel monitoring system is collected by the edge computing nodes deployed in the tunnel, and the corresponding network raw data stream is parsed using the existing conventional methods, and the data is preprocessed to obtain the network traffic characteristics corresponding to the business.

The data preprocessing method includes removing abnormal data, removing meaningless features, and normalizing data. Among them, the operation of removing abnormal data is to retain normal historical data for subsequent modeling after manual judgment in the collected monitoring system network traffic. The operation of removing meaningless features includes removing meaningless features, such as IP addresses, port numbers, timestamps, etc., and converting various feature data of the tunnel network into processable data. The network traffic features include basic features of data streams, content features of protocol connections, time-based traffic statistics features, and connection features. Optionally, several features including but not limited to data stream duration, the number of forward packets, the number of reverse packets, the total number of bytes of forward packets, the total number of bytes of reverse packets, the total number of bytes of forward headers, the total number of bytes of reverse headers, the total number of bytes of forward substreams, and the total number of bytes of reverse substreams are used for modeling and anomaly detection. The data normalization is based on the maximum and minimum values of the traffic features, and the maximum and minimum normalization is applied to the data to ensure that the value range of all data is in the interval [0,1].

Step 2: This step is the offline part. The collected historical network traffic data of the tunnel monitoring system is used as the source domain data set after the features corresponding to each traffic sample are obtained by the preprocessing method described in step 1. The source domain data set is used as the training set, and the anomaly detection source domain model is trained based on the Deep Autoencoder (DAE) algorithm. After the training is completed, the DAE is deployed in the tunnel edge computing node. Among them, the deep autoencoder is an unsupervised neural network model including an encoder and a decoder. It can learn the implicit features of the network traffic input data of the tunnel monitoring system (encoder) and use the learned implicit features to reconstruct the input features (decoder). The principle of DAE is to make the output of the decoder restore the input as much as possible. Assume that the source domain data set used for training is expressed as:

;

in, represents the source domain dataset, Indicates A sample of network traffic after preprocessing.

The present invention does not limit the number of hidden layers and neurons in the hidden layers of the DAE algorithm. As shown in the structure diagram of the autoencoder in the algorithm diagram of FIG3 , taking the network traffic of the tunnel monitoring system as an example, the anomaly detection source domain model based on the DAE algorithm has a three-layer neural network, namely, an input layer, a hidden layer and an output layer. The input is , the specific training method of DAE is as follows:

Step 2.1: Encoder converts source domain data Pass through the activation function one by one Mapping gets the hidden layer data:

;

In the formula, represents the hidden layer vector of DAE, Indicates Hidden layer vector of network traffic samples;

The encoding process is shown in formula (1):

(1)

In the formula, and Represent the network weights and bias vectors of the encoder respectively, is an activation function, which is a Sigmoid function in the present invention.

Step 2.2: The decoder passes the activation function The hidden layer data Transform to the output layer to obtain the output variable:

;

In the formula, represents the reconstructed output variable, Indicates reconstructed network traffic samples; in this step The hidden layer vector The input variables are reconstructed, and the decoding process is shown in formula (2);

(2)

In the formula, and Represent the network weights and bias vectors of the decoder respectively, is an activation function, which is a Sigmoid function in the present invention.

Step 2.3: Use the gradient descent algorithm to train the DAE by minimizing the reconstruction error to obtain the optimal network parameters; the target loss function to be optimized during the training process is shown in formula (3):

(3)

In the formula, the network parameter set Respectively represent the network weights of the encoder, the bias vector of the encoder, the network weights of the decoder, and the bias vector of the decoder, and Respectively represent The input and reconstructed output variables of a DAE network; M represents the total number of network traffic samples;

Step 2.4: Save the trained DAE network parameters and deploy the model on the tunnel edge computing node as the source domain model for anomaly detection.

It should be noted that the DAE model trained with source domain data in step 2 can perform anomaly detection on the network traffic generated in real time by the tunnel monitoring system. However, in the network environment of terminal equipment in the tunnel, the network traffic changes dynamically over time. Using a fixed model will make the robustness of anomaly detection lower to a certain extent.

Step 3: This step is the online part, and domain adaptive update is performed based on the DAE model deployed on the tunnel edge computing node. In this example, when the edge computing node collects the network traffic generated by the tunnel monitoring system in real time and needs to detect anomalies, the DAE model established in step 2 is updated by the domain adaptive update strategy constructed by the present invention. The algorithm is defined as Domain Adaptive Deep Autoencoder (DADAE). Specifically, the update steps of DADAE are as follows:

Step 3.1: Assume that At this moment, the network traffic sample generated by the tunnel monitoring system collected in real time by the edge computing node is preprocessed as described in step 1 to obtain the corresponding network traffic characteristics. The sample is expressed as , that is to say The preprocessed network traffic samples to be detected for anomalies in the tunnel monitoring system are defined as samples to be tested in this example.

Since domain adaptation requires updating the source domain model using the target domain, and the target domain requires the same ) have high similarity in data structure, characteristics, etc., so that the updated model can match the target. According to the strong correlation characteristics of network traffic in adjacent time periods, in this invention, the concept of sliding window is introduced to construct an adaptive sliding window algorithm to obtain The corresponding target domain dataset, the specific steps are as follows:

Step 3.1.1: Tunnel monitoring system network traffic samples at the moment As the right boundary of the sliding window, expand the pre-processed network traffic samples in the previous order, find the appropriate time sequence of adjacent network traffic to belong to the sliding window, then the adaptive sliding window data set It can be expressed as:

;

In the formula, Indicates the length is The sliding window contains Time has come Network traffic samples within a certain time period; it should be noted that these samples are normal data after anomaly detection. is the network traffic sample preprocessed at the left edge of the window, that is, the adaptive sliding window is Time forward expansion A sample of network traffic.

Step 3.1.2: When the adaptive sliding window determines whether to expand the previous sample, it is assumed that the sliding window has been expanded to At time , the sample to be judged whether to be included in the window is Moment; first, the average Euclidean distance (ED) between the sample at that moment and all samples in the current window is calculated based on the similarity function shown below:

(4)

The calculation method of ED is:

;

In the formula, Indicates that the current sliding window is from Time has come Any network traffic sample within a certain time period, is the number of network traffic samples in the current window, It is the previous sample to be determined whether to be included in the window;

Step 3.1.3: Set the boundary threshold of the adaptive sliding window according to the similarity function of step 3.1.2 ,like , the sliding window will include the network traffic sample, that is, the left boundary sample of the window is , otherwise the expansion stops, and the left boundary sample is .

The network traffic in the adaptive sliding window obtained through step 3.1 is consistent with the sample to be tested. There is a strong correlation between them, making the sliding window dataset As The target domain data is represented as:

;

because The CCP has network traffic samples, so the target domain dataset It can also be expressed as:

;

In the formula, Including Dataset of samples Neidi A sample of network traffic.

Step 3.2: Leverage the target domain dataset Perform domain adaptation update on the DAE trained in step 2. Domain adaptation can be simply described as the inter-domain knowledge transfer of model similarity between the source domain and the target domain, with the purpose of discovering and weakening the differences between the two domains. Therefore, in the dynamically changing network environment of tunnel terminal equipment, the constructed DADAE can adaptively match the network traffic samples to be detected, improving the accuracy and robustness of anomaly detection. The specific steps are as follows:

Step 3.2.1: As shown in Figure 3, first, the source domain dataset Input into the trained DAE, and forward propagate through formula (1) to obtain the hidden layer vector of the source domain data ;

Step 3.2.2: Target domain data The same input is sent to DAE and the hidden layer vector of the target domain data is obtained by forward propagation through the following formula: :

(5)

Step 3.2.3: Introduce the Maximum Mean Difference (MMD) distance into the objective function of DAE to calculate the data difference between the source domain and the target domain. and The MMD calculation between is shown in formula (6):

;

(6)

In the formula, They are and The number of samples in To find the minimum upper bound function, In the formula, it refers to any index in the data set. MMD aims to measure the distance between two domains in the reproducing Kernel Hilbert Space, which is a kernel learning method. The smaller the MMD distance, the higher the similarity between the two data domains. is the Gaussian kernel function, The calculation is as follows:

(7)

In the formula, Represents the bandwidth parameter, whose value is proportional to the width of the Gaussian kernel function and is usually 1.

Step 3.2.4: Target domain dataset Directly input the DAE trained offline in step 2, introduce the MMD distance into the objective function of DAE, and calculate the difference between the implicit vectors generated by the source domain data and the target domain data according to formulas (6)-(7) to build the DADAE model.

Due to the network parameters trained based on the previous steps, only a small number of iterations (i.e., fine-tuning of network weights) are required in this step to achieve domain adaptive update of the model. The objective function of the DADAE model constructed by the present invention (with the goal of minimizing the objective function) is as follows:

(8)

In the formula, the objective function consists of two parts of loss, namely the objective function loss of DAE and the MMD distance loss between the latent vector of the source domain data and the latent vector of the target domain data; the network parameter set They represent the network weights of the encoder, the bias vector of the encoder, the network weights of the decoder, and the bias vector of the decoder after domain adaptive update, respectively. It is a balance parameter between DAE loss and inter-domain MMD distance loss. Its value is generally 0.5. It can be fine-tuned up or down during implementation. The present invention does not The training method is still the gradient descent algorithm.

Step 3.2.5: Save the trained network parameters of the new anomaly detection source domain model and deploy the new anomaly detection source domain model on the tunnel edge computing node.

It can be seen that the objective function constructed by the present invention not only makes full use of the source domain model information, but also makes the updated network weights and biases tend to the characteristics of the target domain data by minimizing the objective function, which to a certain extent solves the problem that the static model cannot adapt to the dynamically changing network environment of tunnel electromechanical equipment.

In step 4, a dynamic threshold for anomaly detection is calculated based on the target domain data set of the network traffic to be detected. The upper limit of the dynamic anomaly threshold is recorded as , the lower limit is .

Since the network traffic in the tunnel electromechanical system network environment changes dynamically over time, the state of normal traffic will also be continuously updated with relevant factors such as the network environment. Therefore, the judgment of abnormal network traffic of the tunnel monitoring system collected by the edge computing node should be based on the normal baseline value of the current network state. According to step 3.1, the target domain data set determined based on the adaptive sliding window has a strong time correlation, and its network state is less affected by time changes. Therefore, the specific steps for determining the dynamic threshold range based on the target domain data of the network traffic to be detected are as follows:

Step 4.1: First, the target domain dataset Execute it again in the updated DADAE model to get the output data set after the encoder and decoder, denoted as Next, the reconstruction error of each target domain data is calculated using the following formula:

(9)

In the formula, Included elements, which can be expressed as , and Respectively include The target domain dataset of network traffic and its reconstructed output dataset.

Step 4.2: Calculation The mean and standard deviation of are calculated as follows:

(10)

(11)

In the formula, express The average value of for The standard deviation of . Then the dynamic threshold range set by the present invention is:

(12)

(13)

In the formula, is the standard deviation coefficient, and the present invention does not limit The value of, for example It can be 2.

In step 5, the sample to be tested is input into the DADAE model for inference, and its reconstruction error is calculated as follows:

;

In the formula, It is the reconstructed output of the sample to be tested after being encoded by DADAE and then decoded.

Step 6: Reconstruct the error of the sample to be tested and the dynamic error threshold range, to determine whether the network traffic of the real-time tunnel monitoring system to be detected is abnormal data. The judgment criteria are:

when When , it is marked as normal; when or , marked as abnormal.

Step 7: After the anomaly detection of the current sample to be tested is completed, the edge computing node collects new network traffic to be tested at the next moment, and performs data preprocessing according to the above steps, re-determines the sliding window data set, uses the target domain data to perform domain adaptive update on the DAE model, calculates the dynamic threshold range, detects whether it is abnormal, and other operations.

The above shows and describes the basic principles, main features and advantages of the present invention. It should be understood by those skilled in the art that the present invention is not limited to the above embodiments. The above embodiments and descriptions are only for explaining the principles of the present invention. Without departing from the spirit and scope of the present invention, the present invention may have various changes and improvements, which fall within the scope of the present invention. The scope of protection of the present invention is defined by the attached claims and their equivalents.

Claims (8)

1. A tunnel network anomaly detection method based on a domain adaptive deep autoencoder, characterized in that it comprises the following steps: Step 1: The edge computing nodes deployed in the tunnel collect the historical network traffic data of the equipment in the tunnel electromechanical system equipment layer, parse and obtain the corresponding network raw data stream, and perform data preprocessing to obtain the corresponding network traffic characteristics, that is, the preprocessed network traffic samples; Step 2: After the collected historical network traffic data is processed in step 1 to obtain the network traffic features corresponding to each network traffic data, it is used as the source domain data set; the source domain data set is used as the training set, and the anomaly detection source domain model is trained based on the deep autoencoder algorithm. After the training is completed, the anomaly detection source domain model is deployed in the tunnel edge computing node; Step 3: After the real-time collected network traffic data is preprocessed in the manner described in step 1 to obtain the corresponding network traffic features, an adaptive sliding window algorithm is constructed to obtain the target domain data set corresponding to the network traffic; the anomaly detection source domain model obtained in step 2 is updated according to the corresponding target domain data set; Step 4: Calculate the dynamic threshold for anomaly detection; Step 5: Input the network traffic features after preprocessing of the real-time collected network traffic data to be tested into the updated anomaly detection source domain model, and calculate its reconstruction error; Step 6: According to the dynamic threshold obtained in step 4 and the reconstruction error obtained in step 5, whether the network traffic data to be tested collected in real time is abnormal data is detected; The specific method of step 3 is: Step 3.1: Assume that at time q, the network traffic data collected in real time by the edge computing node is preprocessed as described in step 1 to obtain the corresponding network traffic features, that is, the preprocessed network traffic sample _xq is defined as the sample to be tested; the target domain data set _Xt is constructed using the adaptive sliding window algorithm; the specific method is: Step 3.1.1: Take the preprocessed network traffic sample xq-1 at time _q-1 as the right boundary of the sliding window, expand it to the preprocessed network traffic sample in the previous order, and attribute the preprocessed network traffic samples with close time sequence to the sliding window. Then the adaptive sliding window data set _DW is expressed as: D _W = {x _qN , x _t-N+1 ,..., x _q-1 }; Where D _W represents a sliding window of length N, which contains the preprocessed network traffic samples from time qN to time q-1; x _qN is the preprocessed network traffic sample at the left edge of the window, that is, the adaptive sliding window expands N preprocessed network traffic samples from time q-1 to the forward order; Step 3.1.2: When the adaptive sliding window determines whether to expand the previous sample, it is assumed that the sliding window has been expanded to the q-n moment, and the sample to be included in the window is the q-n-1 moment; first, the average Euclidean distance between the sample at that moment and all samples in the current window is calculated according to the similarity function shown below: The calculation method of ED is: ED (x _qn-1 , x _w )=||x _qn-1 -x _w || ² ; In the formula, _xw represents any preprocessed network traffic sample from time qn to time q-1 in the current sliding window, n is the number of preprocessed network traffic samples in the current window, and _xqn-1 is the previous preprocessed network traffic sample to be determined whether to be included in the window; Step 3.1.3: According to the similarity function of step 3.1.2, the boundary threshold δ _w of the adaptive sliding window is set. If S _w ≥ δ _w , the sliding window will include the preprocessed network traffic sample, that is, the left boundary preprocessed network traffic sample of the window is x _qn-1 . Otherwise, the expansion is stopped, and the left boundary sample at this time is x _qn . Let the sliding window dataset D _W be the target domain data of x _q , then the target domain dataset is expressed as: X _t = D _W = {x _qN , x _t-N+1 ,..., x _q-1 }; Since there are N preprocessed network traffic samples in D _W , the target domain dataset X _t is expressed as: Where _xti represents the i-th preprocessed network traffic sample in the data set _Xt containing N preprocessed network traffic samples; Step 3.2: Use the target domain dataset _Xt to perform domain adaptive update on the anomaly detection source domain model trained in step 2; the specific steps are as follows: Step 3.2.1: First, input the source domain data set _Xs into the trained anomaly detection source domain model, and obtain the hidden layer vector _Hs of the source domain data through forward propagation using the following formula; _Hs ＝f( _WXs +b) Where W and b represent the network weight and bias vector of the encoder respectively, and f is the activation function; Step 3.2.2: Input the target domain data _Xt into the anomaly detection source domain model and obtain the hidden layer vector _Ht of the target domain data through the following formula: H _t = f ( WX _t + b ) Step 3.2.3: Take the maximum average difference distance as the objective function, and the calculation formula is as follows: Where N and M are the number of samples in H _t and H _s, respectively. sup{·} is the function for finding the minimum upper bound. i and j in the formula refer to any index in the data set, that is, h _ti and h _tj represent the i-th and j-th samples in H _t, respectively. h _si and h _sj represent the i-th and j-th samples in H _s, respectively. G(·) is the Gaussian kernel function. G(h _si ,h _sj ) is calculated as follows: Where, σ represents the bandwidth parameter; Step 3.2.4: Calculate the difference between the implicit vectors generated by the source domain data and the target domain data according to the formula shown in step 3.2.3 to build the DADAE model; the goal is to minimize the DADAE model objective function, which is as follows: Wherein, _JDAE is the loss function shown in the above formula; λMMD( _Hs , _Ht ) is the MMD distance loss function; the network parameter set is Respectively represent the network weights of the encoder, the bias vector of the encoder, the network weights of the decoder, and the bias vector of the decoder after domain adaptive update, λ is the balance parameter; x _si and They represent the input and reconstructed output variables of the i-th DAE network respectively; M represents the total number of network traffic samples after preprocessing; Step 3.2.5: Save the trained network parameters of the new anomaly detection source domain model, and deploy the new anomaly detection source domain model on the tunnel edge computing node. 2. According to the method for tunnel network anomaly detection based on domain adaptive deep autoencoder according to claim 1, it is characterized in that in step 1, the system architecture of tunnel network anomaly detection using edge computing nodes includes a device layer, an edge computing layer, a network layer and a cloud platform layer; the device layer, the edge computing layer, the network layer and the cloud platform layer are connected sequentially; each device system in the device layer includes a broadcast telephone system, a tunnel monitoring system, a tunnel ventilation and lighting system, a tunnel area controller, a tunnel fire protection system, an information release system and a tunnel traffic signal system; the edge computing layer is an edge computing node deployed in the tunnel. 3. The method for detecting anomalies in a tunnel network based on a domain adaptive deep autoencoder according to claim 1, characterized in that in step 1, the data preprocessing method includes removing abnormal data, removing meaningless features and normalizing data; The network traffic characteristics include data flow duration, the number of forward packets, the number of reverse packets, the total bytes of forward packets, the total bytes of reverse packets, the total bytes of forward packet headers, the total bytes of reverse packet headers, the total bytes of forward subflows, and the total bytes of reverse subflows. 4. The method for tunnel network anomaly detection based on domain adaptive deep autoencoder according to claim 1, characterized in that, in step 2, the anomaly detection source domain model adopts a deep autoencoder, including an encoder and a decoder; The anomaly detection source domain model has a three-layer neural network, which includes an input layer, a hidden layer and an output layer. The input is _Xs , _Xs = { _xs1 , _xs2 , ..., _xsM }; wherein _Xs represents the source domain data set, and _xsM represents the Mth preprocessed network traffic sample; The specific training method of the anomaly detection source domain model is as follows: Step 2.1: The encoder maps the source domain data _Xs through the activation function f to obtain the hidden layer data: H _s = {h _s1 , h _s2 ,..., h _sM }; Where _Hs represents the hidden layer vector, _hsM represents the hidden layer vector of the Mth preprocessed network traffic sample; The encoding process is shown in the following formula: _Hs ＝f( _WXs +b) Wherein, W and b represent the network weight and bias vector of the encoder respectively, and f is the activation function, which is the Sigmoid function in the present invention; Step 2.2: The decoder transforms the hidden layer data _Hs to the output layer through the activation function f to obtain the output variable: In the formula, represents the reconstructed output variable, represents the Mth reconstructed network traffic sample; The input variable is reconstructed by the hidden layer vector _Hs , and the decoding process is shown in the following formula; In the formula, and They represent the network weight and bias vector of the decoder respectively, and f is the activation function; Step 2.3: Use the gradient descent algorithm to train the anomaly detection source domain model, with the goal of minimizing the reconstruction error and obtaining the optimal network parameters; the objective function is shown in the following formula: In the formula, the network parameter set Respectively represent the network weight of the encoder, the bias vector of the encoder, the network weight of the decoder, the bias vector of the decoder, x _si and They represent the input and reconstructed output variables of the i-th DAE network respectively; M represents the total number of network traffic samples after preprocessing; Step 2.4: Save the network parameters of the trained anomaly detection source domain model and deploy the model on the tunnel edge computing node. 5. The method for detecting anomalies in a tunnel network based on a domain adaptive deep autoencoder according to claim 1 is characterized in that, in step 4, a dynamic threshold for anomaly detection is calculated, the upper limit of the dynamic anomaly threshold is denoted as U _e , and the lower limit is denoted as L _e ; the specific method is: Step 4.1: First, the target domain dataset _Xt is re-executed in the updated anomaly detection source domain model to obtain the output dataset after the encoder and decoder, which is recorded as Next, the reconstruction error of each target domain data is calculated using the following formula: In the formula, _Et contains N elements, expressed as _Xt and They represent the target domain dataset containing N network flows and its reconstructed output dataset respectively; Step 4.2: Calculate the mean and standard deviation of E _t as follows: In the formula, represents the average value of E _t , and _St is the standard deviation of E _t ; then the dynamic threshold range is: In the formula, β is the standard deviation coefficient. 6. According to the tunnel network anomaly detection method based on domain adaptive deep autoencoder according to claim 5, it is characterized in that β is 2. 7. The method for detecting anomalies in a tunnel network based on a domain adaptive deep autoencoder according to claim 5, characterized in that in step 5, the calculation method of the reconstruction error is as follows: In the formula, The reconstructed output is obtained by encoding and decoding the pre-processed network traffic sample to be tested through the updated anomaly detection source domain model. 8. The method for detecting anomalies in a tunnel network based on a domain adaptive deep autoencoder according to claim 6, wherein the detection method in step 6 is: When Le _{≤e q} ≤U _e , it is marked as normal; when e _q ＞U _e or e _q ＜L _e , it is marked as abnormal.