CN116760583B - Enhanced graph node behavior characterization and abnormal graph node detection method - Google Patents
Enhanced graph node behavior characterization and abnormal graph node detection method Download PDFInfo
- Publication number
- CN116760583B CN116760583B CN202310652286.0A CN202310652286A CN116760583B CN 116760583 B CN116760583 B CN 116760583B CN 202310652286 A CN202310652286 A CN 202310652286A CN 116760583 B CN116760583 B CN 116760583B
- Authority
- CN
- China
- Prior art keywords
- graph
- node
- graph node
- abnormal
- representing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 92
- 238000001514 detection method Methods 0.000 title claims abstract description 46
- 238000012512 characterization method Methods 0.000 title claims abstract description 39
- 238000000605 extraction Methods 0.000 claims abstract description 32
- 238000000034 method Methods 0.000 claims abstract description 25
- 238000004364 calculation method Methods 0.000 claims abstract description 24
- 239000011159 matrix material Substances 0.000 claims abstract description 18
- 238000012549 training Methods 0.000 claims abstract description 15
- 239000013598 vector Substances 0.000 claims description 86
- 230000006399 behavior Effects 0.000 claims description 74
- 238000013528 artificial neural network Methods 0.000 claims description 13
- 238000013507 mapping Methods 0.000 claims description 10
- 230000002708 enhancing effect Effects 0.000 claims description 7
- 238000005457 optimization Methods 0.000 claims description 6
- 238000009827 uniform distribution Methods 0.000 claims description 6
- 238000009826 distribution Methods 0.000 claims description 4
- 230000004913 activation Effects 0.000 claims description 3
- 238000005070 sampling Methods 0.000 claims 1
- 230000000694 effects Effects 0.000 abstract description 5
- 230000006870 function Effects 0.000 description 19
- 206010000117 Abnormal behaviour Diseases 0.000 description 2
- 238000002372 labelling Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000000547 structure data Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/042—Knowledge-based neural networks; Logical representations of neural networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0464—Convolutional networks [CNN, ConvNet]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Evolutionary Computation (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Artificial Intelligence (AREA)
- Signal Processing (AREA)
- Molecular Biology (AREA)
- Mathematical Physics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biomedical Technology (AREA)
- Biophysics (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- Medical Informatics (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an enhanced graph node behavior characterization and an abnormal graph node detection method thereof, which relate to the technical field of network security and comprise the following steps: constructing and training an abnormal graph node detection model of graph node behavior characterization to obtain a corresponding trained abnormal graph node detection model; inputting all node attribute lists of the graph structure and an adjacency matrix representing the graph structure into a trained abnormal graph node detection model to obtain an abnormal score calculation result of a node to be detected in the graph; if the abnormal score of the node to be detected in the graph is greater than a threshold value, judging the node to be an abnormal graph node; otherwise, the node is judged to be a normal graph node. According to the method, the characteristic expression of the graph node behavior can be enhanced through the double random node behavior expression, the robust and effective expression of the graph node behavior is realized, and the capability of the characteristic extraction network for representing the graph node behavior is improved; the difference between the normal graph nodes and the abnormal graph nodes can be fully utilized, and an excellent abnormal detection effect is ensured.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an enhanced graph node behavior characterization and an abnormal graph node detection method thereof.
Background
Attribute graph anomaly graph node detection is an important research content in the field of network security. The graph structure data widely exist in the Internet of things system, and the abnormal graph nodes in the graph correspond to hosts with abnormal behaviors in the Internet of things. When detecting the abnormal graph nodes in the attribute graph, the abnormal graph nodes can be directly detected according to the attribute characteristics of the node graph nodes, and the deeper characteristics can be extracted by combining the association between the abnormal graph nodes and other graph nodes to detect. Because the graph nodes of the attribute graph have higher common attribute dimension and have more complex intrinsic behavior patterns, a machine learning model is usually required to be constructed in an actual scene to complete the task of detecting the abnormal graph nodes, so that abnormal behaviors are timely discovered and timely processed to reduce or avoid loss. Existing systems are typically built based on either supervised or unsupervised methods. The system based on the supervision method generally requires more abnormal labels, the system performance can be drastically reduced under the condition that only a small number of abnormal graph nodes with labels exist in an actual scene, the number of the label graph nodes is too small, and the abnormal graph nodes are easily subjected to over-fitting in the learning process, so that the detection effect of the system is not ideal; the system based on the unsupervised method only learns normal graph nodes, detects abnormal graph nodes according to differences between the nodes of the graph to be detected and the node characteristics of the normal graph, does not fully utilize known abnormal samples with labels, and has low system performance based on the unsupervised method when processing actual abnormal detection data sets due to lack of corresponding label information.
Disclosure of Invention
Aiming at the defects in the prior art, the enhanced graph node behavior characterization and the abnormal graph node detection method thereof solve the problems that extremely small amount of marked abnormal graph node data and a large amount of unmarked graph node data are not fully utilized and the system detection effect is not ideal in the prior art.
In order to achieve the aim of the invention, the invention adopts the following technical scheme:
the method for enhancing the node behavior characterization of the graph and detecting the abnormal graph thereof comprises the following steps:
s1, constructing and training an abnormal graph node detection model of graph node behavior characterization, and obtaining the trained abnormal graph node detection model of graph node behavior characterization;
s2, inputting all node attribute lists of the graph structure and an adjacency matrix representing the graph structure into an abnormal graph node detection model of the trained graph node behavior characterization, and obtaining an abnormal score calculation result of the nodes to be detected in the graph;
s3, if the abnormal score of the node to be detected in the graph is greater than a threshold value, judging that the node is an abnormal graph node; otherwise, the node is judged to be a normal graph node.
Further, the abnormal graph node detection model of the graph node behavior characterization in the step S1 comprises a feature extraction network and an abnormal score calculation network; the feature extraction network comprises a node behavior expression enhancement module, a feature information and position information precoding module and a feature extraction module based on a graph self-encoder; the node behavior expression enhancement module comprises a random node selection operator, a random attribute selection operator and a disturbance adding operator; the characteristic information and position information precoding module comprises a characteristic information precoder and a position information precoder; the characteristic information precoder comprises a fully connected neural network; the position information precoder comprises a fully connected neural network; the feature extraction module based on the graph self-encoder comprises a graph convolution-based encoder and a graph convolution-based decoder; the graph convolution-based encoder includes a multi-layer graph convolution structure; the graph convolution-based decoder includes a multi-layer graph convolution structure; the graph convolution structure comprises a full connection layer and a matrix multiplier; the anomaly score computing network comprises a fully connected neural network; the fully-connected neural network comprises an input layer, an output layer and a plurality of hidden layers.
Further, the specific operation of the abnormal graph node detection model for training the graph node behavior characterization in step S1 is as follows:
s1-1, taking an attribute list X of all nodes in a graph structure and an adjacent matrix A formed among the graph nodes as training data; inputting training data to a node behavior expression enhancement module; randomly extracting normal graph nodes in the attribute list X to obtain graph nodes with a percent, wherein the selection probability of each graph node is subject to uniform distribution; randomly selecting all the attributes of each selected graph node to obtain b% of attributes, wherein the selection probability of each attribute is subject to uniform distribution; counting the average value of each selected attribute of all input normal unlabeled graph nodes, adding random disturbance obeying the normal distribution of the statistical average value with average value mu and standard deviation sigma to the value corresponding to the attribute of the selected graph node, and creating an indication vector with the dimension identical to the attribute dimension of the graph node to obtain a graph node attribute list X' with enhanced behavior expression and an indication vector list V corresponding to the graph node attribute list; wherein, a is 20 by default, b is 20 by default, μ is 0 by default, and σ is 0.1 by default;
s1-2, inputting an indication vector list V corresponding to the graph node attribute list X 'and the graph node attribute list after the behavior expression is enhanced into a characteristic information and position information precoding module, and respectively calculating the indication vector list V corresponding to the graph node attribute list X' after the behavior expression is enhanced through a forward propagation algorithm to obtain corresponding characteristic information precodingAnd position information precoding->According to the formula:
obtaining a spliced precoding result H output by the characteristic information and position information precoding module 0 The method comprises the steps of carrying out a first treatment on the surface of the Wherein Concat (-) represents the vector splice operator;
s1-3, pre-coding result H after splicing 0 The adjacency matrix A formed between the graph nodes is input to a feature extraction module based on a graph self-encoder for reconstruction, and a reconstructed graph node attribute list is obtainedCharacteristic vector H of graph node in hidden space, reconstruction error vector R and characteristic obtained by splicing one-norm value and two-norm value of reconstruction error vector REncoding r;
s1-4, inputting a characteristic vector H and a characteristic code r of the graph node in the hidden space into an anomaly score calculation network, and according to the formula:
H 1 l+1 =ReLu(H 1 l )
obtaining an output characteristic vector H of the first hidden layer of the anomaly score computing network 1 l+1 The method comprises the steps of carrying out a first treatment on the surface of the Wherein H is 1 l An input feature vector representing the first hidden layer of the anomaly score computation network,weight representing the first hidden layer of the anomaly score computing network,/->Representing the bias of the first hidden layer of the anomaly score computing network, wherein Concat (-) represents a vector splicing operator, and ReLu (-) represents a nonlinear activation function;
s1-5, according to the formula:
res=H 1 ×W+b
obtaining an anomaly score calculation result res of the graph node; wherein H is 1 The output characteristic vector of the last hidden layer of the abnormal score calculating network is represented, W represents the weight of the output layer of the abnormal score calculating network, and b represents the bias of the output layer of the abnormal score calculating network;
s1-6, according to the graph node attribute list X and the reconstructed graph node attribute listConstructing a first loss function; constructing a second loss function according to the abnormal score calculation result res of the graph node and the actual label of the graph node; adding the first loss function and the second loss function based on the respective corresponding preset weights to obtain a third loss function, and passing through the third loss functionTraining an abnormal graph node detection model of graph node behavior characterization; obtaining an abnormal graph node detection model of the trained graph node behavior characterization; the actual label of the normal graph node is 0, and the actual label of the abnormal graph node is 1.
Further, the specific operation of step S1-3 is as follows:
s1-3-1, pre-coding result H after splicing 0 Mapping to a low-dimensional hidden space, according to the formula:
obtaining a characteristic vector H of a graph node in a hidden space; wherein H is 0 ' represents the pre-coding result H after splicing 0 Or the output of the last fully connected layer,encoder parameters representing full connection layer, f ce (. Cndot.) represents the full-connection layer function of the encoder, H 0 "means the output of the fully connected layer, H 2 Representing the output of the last fully-connected layer, MM (·) representing the matrix multiplier;
s1-3-2, according to the formula:
r=Concat(||R|| 1 ,||R|| 2 )
obtaining a reconstructed graph node attribute listThe reconstruction error vector R and a characteristic code R obtained by splicing a first norm value and a second norm value of the reconstruction error vector; wherein H 'represents the feature vector H of the graph node in the hidden space or the feature vector of the last full-connection layer, H' represents the feature vector of the full-connection layer, < >>Decoder parameters representing full connection layer, f cd (. Cndot.) represents the full-connection layer function of the decoder, H _out Representing the feature vector of the last fully connected layer, I R I 1 A norm value representing the reconstructed error vector R, I R I 2 Representing the two normals of the reconstructed error vector R.
Further, the specific operations of steps S1-6 are as follows:
s1-6-1, taking the difference between the output of the minimum feature extraction network and the node attribute of the input graph as an optimization target, and according to the formula:
obtaining a first loss functionWherein MSE (·) represents the calculated mean square error;
s1-6-2, performing end-to-end joint optimization on the feature extraction network and the anomaly score calculation network by minimizing the comprehensive loss based on the reconstruction error and the anomaly score calculation error according to the formula:
loss c (res,y;t)=(1-y)|res|+ymax(0,t-res)
obtaining a third loss functionWherein loss is c (res, y; t) represents a second loss function, y represents an actual label, t represents a set scaling factor, α represents a constant, |·| represents an absolute value, and max (·) represents a maximum value;
s1-6-3 by a third loss functionAnd carrying out parameter updating on the abnormal graph node detection model of the graph node behavior characterization.
The beneficial effects of the invention are as follows:
1. according to the invention, the graph node behavior feature expression in the normal mode can be enriched in a double-random node behavior expression enhancement mode, and a feature expression hidden space which is convenient for distinguishing normal graph nodes from abnormal graph nodes is constructed based on the trained feature extraction network, so that the robust and effective expression of the graph node behavior is realized.
2. The method and the device can learn the differences between the attribute characteristics and the connection behavior characteristics of the normal graph nodes and the abnormal graph nodes under the condition of fully utilizing the labeling information of the abnormal graph nodes, and ensure excellent abnormal detection effect.
3. The invention can obtain the prompt information of the specific implementation mode of enhancing the graph node behavior expression through the feature information and position information precoding module, is favorable for obtaining robust and effective graph node behavior characterization, and improves the capability of the feature extraction network for the graph node behavior characterization.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a self-monitoring network anomaly graph node detection model graph based on node behavior characterization of the present invention;
fig. 3 is a block diagram of the anomaly score calculation network of the present invention.
Detailed Description
The following description of the embodiments of the present invention is provided to facilitate understanding of the present invention by those skilled in the art, but it should be understood that the present invention is not limited to the scope of the embodiments, and all the inventions which make use of the inventive concept are protected by the spirit and scope of the present invention as defined and defined in the appended claims to those skilled in the art.
As shown in FIG. 1, the method for enhancing the node behavior characterization of the graph and detecting the nodes of the abnormal graph comprises the following steps:
s1, constructing and training an abnormal graph node detection model of graph node behavior characterization, and obtaining the trained abnormal graph node detection model of graph node behavior characterization;
s2, inputting all node attribute lists of the graph structure and an adjacency matrix representing the graph structure into an abnormal graph node detection model of the trained graph node behavior characterization, and obtaining an abnormal score calculation result of the nodes to be detected in the graph;
s3, if the abnormal score of the node to be detected in the graph is greater than a threshold value, judging that the node is an abnormal graph node; otherwise, the node is judged to be a normal graph node.
As shown in fig. 2, the abnormal graph node detection model of the graph node behavior characterization in step S1 includes a feature extraction network and an abnormal score calculation network; the feature extraction network comprises a node behavior expression enhancement module, a feature information and position information precoding module and a feature extraction module based on a graph self-encoder; the node behavior expression enhancement module comprises a random node selection operator, a random attribute selection operator and a disturbance adding operator; the characteristic information and position information precoding module comprises a characteristic information precoder and a position information precoder; the characteristic information precoder comprises a fully connected neural network; the position information precoder comprises a fully connected neural network; the feature extraction module based on the graph self-encoder comprises a graph convolution-based encoder and a graph convolution-based decoder; the graph convolution-based encoder includes a multi-layer graph convolution structure; the graph convolution-based decoder includes a multi-layer graph convolution structure; the graph convolution structure includes a full join layer and a matrix multiplier.
As shown in fig. 3, the anomaly score computation network includes a fully connected neural network; the fully-connected neural network comprises an input layer, an output layer and a plurality of hidden layers, wherein the characteristic vector H of the graph node in the hidden space is input through the input layer, and the characteristic code r is directly input into each hidden layer.
In step S1, the specific operation of the abnormal graph node detection model for training the graph node behavior characterization is as follows:
s1-1, taking an attribute list X of all nodes in a graph structure and an adjacent matrix A formed among the graph nodes as training data; inputting training data to a node behavior expression enhancement module; randomly extracting normal graph nodes in the attribute list X to obtain graph nodes with a percent, wherein the selection probability of each graph node is subject to uniform distribution; randomly selecting all the attributes of each selected graph node to obtain b% of attributes, wherein the selection probability of each attribute is subject to uniform distribution; counting the average value of each selected attribute of all input normal unlabeled graph nodes, adding random disturbance obeying the normal distribution of the statistical average value with average value mu and standard deviation sigma to the value corresponding to the attribute of the selected graph node, and creating an indication vector with the dimension identical to the attribute dimension of the graph node to obtain a graph node attribute list X' with enhanced behavior expression and an indication vector list V corresponding to the graph node attribute list; wherein, a is 20 by default, b is 20 by default, μ is 0 by default, and σ is 0.1 by default;
s1-2, inputting an indication vector list V corresponding to the graph node attribute list X 'and the graph node attribute list after the behavior expression is enhanced into a characteristic information and position information precoding module, and respectively calculating the indication vector list V corresponding to the graph node attribute list X' after the behavior expression is enhanced through a forward propagation algorithm to obtain corresponding characteristic information precodingAnd position information precoding->According to the formula:
obtaining a spliced precoding result H output by the characteristic information and position information precoding module 0 The method comprises the steps of carrying out a first treatment on the surface of the Wherein Concat (-) represents the vector splice operator;
s1-3, pre-coding result H after splicing 0 The adjacency matrix A formed between the graph nodes is input to a feature extraction module based on a graph self-encoder for reconstruction, and a reconstructed graph node attribute list is obtainedThe characteristic vector H of the graph node in the hidden space, the reconstruction error vector R and the characteristic code R obtained by splicing a first norm value and a second norm value of the reconstruction error vector R;
s1-4, inputting a characteristic vector H and a characteristic code r of the graph node in the hidden space into an anomaly score calculation network, and according to the formula:
H 1 l+1 =ReLu(H 1 l )
obtaining an output characteristic vector H of the first hidden layer of the anomaly score computing network 1 l+1 The method comprises the steps of carrying out a first treatment on the surface of the Wherein H is 1 l An input feature vector representing the first hidden layer of the anomaly score computation network,weight representing the first hidden layer of the anomaly score computing network,/->Representing the bias of the first hidden layer of the anomaly score computation network, concat (-) representing the vector splice operator, reLu (-) representing non-anomalyA linear activation function;
s1-5, according to the formula:
res=H 1 ×W+b
obtaining an anomaly score calculation result res of the graph node; wherein H is 1 The output characteristic vector of the last hidden layer of the abnormal score calculating network is represented, W represents the weight of the output layer of the abnormal score calculating network, and b represents the bias of the output layer of the abnormal score calculating network;
s1-6, according to the graph node attribute list X and the reconstructed graph node attribute listConstructing a first loss function; constructing a second loss function according to the abnormal score calculation result res of the graph node and the actual label of the graph node; adding the first loss function and the second loss function based on the corresponding preset weights to obtain a third loss function, and training an abnormal graph node detection model represented by graph node behaviors through the third loss function; obtaining an abnormal graph node detection model of the trained graph node behavior characterization; the actual label of the normal graph node is 0, and the actual label of the abnormal graph node is 1.
The specific operation of step S1-3 is as follows:
s1-3-1 pre-coding result H after splicing 0 Mapping to a low-dimensional hidden space, according to the formula:
obtaining a characteristic vector H of a graph node in a hidden space; wherein H is 0 ' represents the pre-coding result H after splicing 0 Or the output of the last fully connected layer,encoder parameters representing full connection layer, f ce (. Cndot.) represents the full-connection layer function of the encoder, H 0 "means the output of the fully connected layer, H 2 Representing the output of the last fully-connected layer, MM (·) representing the matrix multiplier;
s1-3-2, according to the formula:
r=Concat(||R|| 1 ,||R|| 2 )
obtaining a reconstructed graph node attribute listThe reconstruction error vector R and a characteristic code R obtained by splicing a first norm value and a second norm value of the reconstruction error vector; wherein H 'represents the feature vector H of the graph node in the hidden space or the feature vector of the last full-connection layer, H' represents the feature vector of the full-connection layer, < >>Decoder parameters representing full connection layer, f cd (. Cndot.) represents the full-connection layer function of the decoder, H _out Representing the feature vector of the last fully connected layer, I R I 1 A norm value representing the reconstructed error vector R, I R I 2 Representing the two normals of the reconstructed error vector R.
The specific operation of steps S1-6 is as follows:
s1-6-1, taking the difference between the output of the minimum feature extraction network and the node attribute of the input graph as an optimization target, and according to the formula:
obtaining a first loss functionWherein MSE (·) represents the calculated mean square error;
s1-6-2, performing end-to-end joint optimization on the feature extraction network and the anomaly score calculation network by minimizing the comprehensive loss based on the reconstruction error and the anomaly score calculation error according to the formula:
loss c (res,y;t)=(1-y)|res|+ymax(0,t-res)
obtaining a third loss functionWherein loss is c (res, y; t) represents a second loss function, y represents an actual label, t represents a set scaling factor, α represents a constant, |·| represents an absolute value, and max (·) represents a maximum value;
s1-6-3 by a third loss functionAnd carrying out parameter updating on the abnormal graph node detection model of the graph node behavior characterization.
In one embodiment of the invention, an anomaly graph node detection model for graph node behavior characterization is constructed and trained, the model comprising a feature extraction network and an anomaly score computation network. The feature extraction network comprises a node behavior expression enhancement module, a feature information and position information precoding module and a feature extraction module based on a graph self-encoder; the node behavior expression enhancement module comprises a random node selection operator, a random attribute selection operator and a disturbance adding operator; the characteristic information and position information precoding module comprises a characteristic information precoder and a position information precoder; the anomaly score computation network comprises a fully connected neural network.
And (3) the node attribute list of the graph to be tested and the adjacency matrix representing the graph structure are sent to a trained self-supervision network abnormal graph node detection model based on node behavior characterization. In the node behavior expression enhancement module, a random node selection operator and a random attribute selection operator sequentially sample a node attribute list of the graph to be tested randomly; the disturbance adding operator adds random disturbance of normal distribution of statistical mean to the value corresponding to the extracted graph node attribute, and creates a corresponding indication vector to obtain a graph node attribute list with enhanced behavior expression and an indication vector list corresponding to the graph node attribute list.
In a feature information and position information precoding module, mapping the graph node attribute subjected to behavior expression enhancement to a lower dimension by a feature information precoder to obtain a preliminary attribute feature; the position information precoder maps the indication vector to a lower dimension to obtain a preliminary indication vector, wherein the dimension is the same as the dimension of the preliminary attribute feature; vector splicing is carried out on the preliminary attribute characteristics and the preliminary indication vectors to obtain a spliced precoding result, wherein the spliced precoding result is the output of the characteristic information and position information precoding module.
In the feature extraction module, mapping the spliced pre-coding result to a low-dimensional hidden space through an encoder; obtaining a low-dimensional representation of the spliced precoding result; and mapping the low-dimensional representation of the spliced pre-coding result back to the original graph node attribute space through a decoder to obtain a reconstructed graph node attribute list, a characteristic vector of the graph node in the hidden space, a reconstruction error vector and a characteristic code obtained by splicing a first norm value and a second norm value of the reconstruction error vector, which are all the output of the characteristic extraction module. Wherein the encoder and decoder each comprise a multi-layer picture convolution structure, each layer of picture convolution structure comprising a fully concatenated layer and a matrix multiplier.
In an anomaly score computing network, computing feature vectors of the graph nodes in a hidden space, a reconstruction error vector, and feature codes obtained by splicing a first norm value and a second norm value of the reconstruction error vector to obtain an anomaly score result of each graph node; comparing the abnormal score result of each graph node with a set threshold value, and when the abnormal score result of each graph node is greater than the threshold value, determining that the graph node is an abnormal graph node; and when the abnormal score result of the graph node is smaller than the threshold value, the graph node is a normal graph node, and the detection of the network abnormal graph node is completed.
In summary, the graph node behavior feature expression in the normal mode can be enriched in a mode of enhancing the dual random node behavior expression, and a feature expression hidden space which is convenient for distinguishing normal graph nodes from abnormal graph nodes is constructed based on the trained feature extraction network, so that the robust and effective expression of the graph node behavior is realized, and the capability of the feature extraction network for representing the graph node behavior is improved; the method can learn the differences between the attribute characteristics and the connection behavior characteristics of the normal graph nodes and the abnormal graph nodes under the condition of fully utilizing the labeling information of the abnormal graph nodes, and ensures excellent abnormal detection effect.
Claims (4)
1. The method for enhancing the behavior characterization of the graph nodes and detecting the abnormal graph nodes is characterized by comprising the following steps of: the method comprises the following steps:
s1, constructing and training an abnormal graph node detection model of graph node behavior characterization, and obtaining the trained abnormal graph node detection model of graph node behavior characterization;
s2, inputting all node attribute lists of the graph structure and an adjacency matrix representing the graph structure into an abnormal graph node detection model of the trained graph node behavior characterization, and obtaining an abnormal score calculation result of the nodes to be detected in the graph;
s3, if the abnormal score of the node to be detected in the graph is greater than a threshold value, judging that the node is an abnormal graph node; otherwise, judging the node as a normal graph node;
the abnormal graph node detection model of the graph node behavior characterization in the step S1 comprises a feature extraction network and an abnormal score calculation network; the feature extraction network comprises a node behavior expression enhancement module, a feature information and position information precoding module and a feature extraction module based on a graph self-encoder; the node behavior expression enhancement module comprises a random node selection operator, a random attribute selection operator and a disturbance adding operator; the characteristic information and position information precoding module comprises a characteristic information precoder and a position information precoder; the characteristic information precoder comprises a fully connected neural network; the position information precoder comprises a fully connected neural network; the feature extraction module based on the graph self-encoder comprises a graph convolution-based encoder and a graph convolution-based decoder; the graph convolution-based encoder includes a multi-layer graph convolution structure; the graph convolution-based decoder includes a multi-layer graph convolution structure; the graph convolution structure comprises a full connection layer and a matrix multiplier; the anomaly score computing network comprises a fully connected neural network; the fully-connected neural network comprises an input layer, an output layer and a plurality of hidden layers;
the random node selection operator and the random attribute selection operator are used for sequentially randomly sampling the node attribute list of the graph to be tested; the disturbance adding operator is used for adding normal distributed random disturbance of statistical mean values to the values corresponding to the extracted graph node attributes, creating corresponding indication vectors, and obtaining a graph node attribute list with enhanced behavior expression and an indication vector list corresponding to the graph node attribute list;
the characteristic information and position information precoding module is used for mapping the graph node attribute subjected to behavior expression enhancement to a lower dimension to obtain characteristic information precoding; mapping the indication vector to a lower dimension to obtain position information precoding; splicing the characteristic information precoding and the position information precoding to obtain a spliced precoding result;
the feature extraction module based on the graph self-encoder is used for mapping the spliced pre-coding result to a low-dimensional hidden space and then mapping the low-dimensional hidden space back to an original graph node attribute space to obtain a reconstructed graph node attribute list, a feature vector of a graph node in the hidden space, a reconstruction error vector and a feature code obtained by splicing a first norm value and a second norm value of the reconstruction error vector;
the anomaly score computing network is used for computing the feature vectors of the graph nodes in the hidden space, the reconstruction error vectors and feature codes obtained by splicing the first norm value and the second norm value of the reconstruction error vectors, and obtaining an anomaly score computing result of each graph node.
2. The enhancement map node behavior characterization and anomaly map node detection method according to claim 1, wherein: the specific operation of the abnormal graph node detection model for training graph node behavior characterization in the step S1 is as follows:
s1-1, list the attributes of all nodes in the graph structureAnd an adjacency matrix formed between nodes>As training data; inputting training data to a node behavior expression enhancement module; for attribute list->The normal graph nodes in the tree are randomly extracted to obtain +.>The selection probability of each graph node obeys uniform distribution; randomly selecting all the attributes of each selected graph node to obtain +.>The selection probability of each attribute is subject to uniform distribution; counting the average value of each selected attribute of all the normal input label-free graph nodes, and adding obeying average value to the value corresponding to the attribute of the selected graph node>Standard deviation of->Normal to the statistical mean of (a)Random disturbance of distribution, creating an indication vector with the dimension identical to the attribute dimension of the graph node, and obtaining a graph node attribute list +_ after behavior expression enhancement>An indication vector list corresponding to the graph node attribute list +.>The method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Default value of 20, ">Default value of 20, ">Default value of 0, < >>Is 0.1;
s1-2, enhancing behavior expression and then obtaining a graph node attribute listIndication vector list corresponding to graph node attribute listThe characteristic information and position information pre-coding module is input to the graph node attribute list which is obtained by enhancing the behavior expression through a forward propagation algorithm>Indication vector list corresponding to graph node attribute list +.>Calculating to obtain corresponding characteristic information precoding +.>And position information precoding->The method comprises the steps of carrying out a first treatment on the surface of the According to the formula:
obtaining spliced precoding results output by the characteristic information and position information precoding modulesThe method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Representing a vector concatenation operator;
s1-3, pre-coding results after splicingAnd an adjacency matrix formed between the picture nodes>Inputting the reconstructed image node attribute list into a feature extraction module based on an image self-encoder for reconstruction to obtain the reconstructed image node attribute list +.>Feature vector of graph node in hidden space +.>Reconstruction error vector->And reconstruction error vector +.>Feature code obtained by splicing one-norm value and two-norm value of (a);
S1-4, feature vectors of graph nodes in hidden spaceAnd feature code->Inputting the abnormal score to an abnormal score calculation network, and according to the formula:
obtaining anomaly score calculation networkOutput feature vector of the respective hidden layer +.>The method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Representing anomaly score computing network->Input feature vector of each hidden layer, +.>Representing anomaly score computing network->Weights of the hidden layers,/>Representing anomaly score computing network->Bias of the hidden layers->Representing vector concatenation operator,>representing a nonlinear activation function;
s1-5, according to the formula:
obtaining the abnormal score calculation result of the graph nodeThe method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Output feature vector representing last hidden layer of anomaly score computing network,/->Weights representing the output layers of the anomaly score computation network, +.>A bias representing an output layer of the anomaly score computation network;
s1-6, according to the attribute list of the graph nodesAnd reconstructed graph node attribute list +.>Constructing a first loss function; exception from graph nodesScore calculation result->And constructing a second loss function by the actual labels of the graph nodes; adding the first loss function and the second loss function based on the corresponding preset weights to obtain a third loss function, and training an abnormal graph node detection model represented by graph node behaviors through the third loss function; obtaining an abnormal graph node detection model of the trained graph node behavior characterization; the actual label of the normal graph node is 0, and the actual label of the abnormal graph node is 1.
3. The enhancement map node behavior characterization and anomaly map node detection method according to claim 2, wherein: the specific operation of the step S1-3 is as follows:
s1-3-1, pre-coding result after splicingMapping to a low-dimensional hidden space, according to the formula:
obtaining the characteristic vector of the graph node in the hidden spaceThe method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Representing the pre-coding result after splicing +.>Or the output of the last fully connected layer, < >>Encoder parameters representing full connection layer, +.>Representing the full-connection layer function of the encoder, +.>Representing the output of the fully connected layer, +.>Represents the output of the last fully connected layer, +.>Representing a matrix multiplier;
s1-3-2, according to the formula:
obtaining a reconstructed graph node attribute listReconstruction error vector->And the first norm value and the second norm value of the reconstruction error vector are spliced to obtainFeature code of arrival->The method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Feature vector representing graph node in hidden space +.>Or the feature vector of the last full connection layer, < >>Feature vector representing the fully connected layer, +.>Decoder parameters representing full connection layer, +.>Representing the full connection layer function of the decoder, +.>Feature vector representing last full connection layer, +.>Representing reconstruction error vector +.>Is a range of values,/->Representing reconstruction error vector +.>Is a binary norm value of (2).
4. The enhancement map node behavior characterization and anomaly map node detection method according to claim 2, wherein: the specific operation of the step S1-6 is as follows:
s1-6-1, taking the difference between the output of the minimum feature extraction network and the node attribute of the input graph as an optimization target, and according to the formula:
obtaining a first loss functionThe method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Representing a calculated mean square error;
s1-6-2, performing end-to-end joint optimization on the feature extraction network and the anomaly score calculation network by minimizing the comprehensive loss based on the reconstruction error and the anomaly score calculation error according to the formula:
obtaining a third loss functionThe method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Representing a second loss function, ">Representing the actual label +_>Represents the set zoom ratio, +.>Representing a constant->Representing absolute value +.>Indicating that the maximum value is taken;
s1-6-3 by a third loss functionAnd carrying out parameter updating on the abnormal graph node detection model of the graph node behavior characterization.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310652286.0A CN116760583B (en) | 2023-06-02 | 2023-06-02 | Enhanced graph node behavior characterization and abnormal graph node detection method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310652286.0A CN116760583B (en) | 2023-06-02 | 2023-06-02 | Enhanced graph node behavior characterization and abnormal graph node detection method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116760583A CN116760583A (en) | 2023-09-15 |
| CN116760583B true CN116760583B (en) | 2024-02-13 |
Family
ID=87954440
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310652286.0A Active CN116760583B (en) | 2023-06-02 | 2023-06-02 | Enhanced graph node behavior characterization and abnormal graph node detection method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116760583B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117312350B (en) * | 2023-11-28 | 2024-02-27 | 本溪钢铁(集团)信息自动化有限责任公司 | Steel industry carbon emission data management method and device |
| CN117407697B (en) * | 2023-12-14 | 2024-04-02 | 南昌科晨电力试验研究有限公司 | Graph anomaly detection method and system based on automatic encoder and attention mechanism |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020042024A1 (en) * | 2018-08-29 | 2020-03-05 | 区链通网络有限公司 | Node abnormality detection method and device based on graph algorithm and storage device |
| CN111669373A (en) * | 2020-05-25 | 2020-09-15 | 山东理工大学 | Network anomaly detection method and system based on space-time convolutional network and topology perception |
| CN116192477A (en) * | 2023-02-06 | 2023-05-30 | 复旦大学 | APT attack detection method and device based on mask pattern self-encoder |
-
2023
- 2023-06-02 CN CN202310652286.0A patent/CN116760583B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020042024A1 (en) * | 2018-08-29 | 2020-03-05 | 区链通网络有限公司 | Node abnormality detection method and device based on graph algorithm and storage device |
| CN111669373A (en) * | 2020-05-25 | 2020-09-15 | 山东理工大学 | Network anomaly detection method and system based on space-time convolutional network and topology perception |
| CN116192477A (en) * | 2023-02-06 | 2023-05-30 | 复旦大学 | APT attack detection method and device based on mask pattern self-encoder |
Non-Patent Citations (1)
| Title |
|---|
| 基于图神经网络的工控网络异常检测算法;刘杰,李喜旺;计算机系统应用;第29卷(第12期);234-238 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116760583A (en) | 2023-09-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN116760583B (en) | Enhanced graph node behavior characterization and abnormal graph node detection method | |
| CN109949317B (en) | Semi-supervised image example segmentation method based on gradual confrontation learning | |
| CN112561910B (en) | Industrial surface defect detection method based on multi-scale feature fusion | |
| CN111126386B (en) | Sequence domain adaptation method based on countermeasure learning in scene text recognition | |
| CN114724043B (en) | Self-encoder anomaly detection method based on contrast learning | |
| CN111079539B (en) | Video abnormal behavior detection method based on abnormal tracking | |
| CN113344826B (en) | Image processing method, device, electronic equipment and storage medium | |
| CN114419323B (en) | Cross-modal learning and domain self-adaptive RGBD image semantic segmentation method | |
| CN110674673A (en) | Key video frame extraction method, device and storage medium | |
| CN111666842A (en) | Shadow detection method based on double-current-cavity convolution neural network | |
| CN115205689A (en) | Improved unsupervised remote sensing image anomaly detection method | |
| CN114663392A (en) | Knowledge distillation-based industrial image defect detection method | |
| CN116258990A (en) | Cross-modal affinity-based small sample reference video target segmentation method | |
| CN112364747A (en) | Target detection method under limited sample | |
| CN111275025A (en) | Parking space detection method based on deep learning | |
| CN116596851A (en) | Industrial flaw detection method based on knowledge distillation and anomaly simulation | |
| CN116385935A (en) | Abnormal event detection algorithm based on unsupervised domain self-adaption | |
| CN117011219A (en) | Method, apparatus, device, storage medium and program product for detecting quality of article | |
| CN113469977B (en) | Flaw detection device, method and storage medium based on distillation learning mechanism | |
| CN116089944A (en) | Cross-platform application program abnormality detection method and system based on transfer learning | |
| CN114998587A (en) | Remote sensing image building semantic segmentation method and system | |
| CN114529517A (en) | Industrial product defect detection method based on single sample learning | |
| CN111797732A (en) | Video motion identification anti-attack method insensitive to sampling | |
| CN117557775B (en) | Substation power equipment detection method and system based on infrared and visible light fusion | |
| CN117809169B (en) | Small-sample underwater sonar image classification method and model building method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |