CN117640342A - Main body abnormality detection method, device, equipment and medium for power monitoring system - Google Patents
Main body abnormality detection method, device, equipment and medium for power monitoring system Download PDFInfo
- Publication number
- CN117640342A CN117640342A CN202311660918.4A CN202311660918A CN117640342A CN 117640342 A CN117640342 A CN 117640342A CN 202311660918 A CN202311660918 A CN 202311660918A CN 117640342 A CN117640342 A CN 117640342A
- Authority
- CN
- China
- Prior art keywords
- graph
- neural network
- matrix
- nodes
- power monitoring
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000012544 monitoring process Methods 0.000 title claims abstract description 64
- 238000001514 detection method Methods 0.000 title claims abstract description 33
- 230000005856 abnormality Effects 0.000 title claims abstract description 25
- 239000011159 matrix material Substances 0.000 claims abstract description 70
- 230000003993 interaction Effects 0.000 claims abstract description 49
- 238000000034 method Methods 0.000 claims abstract description 45
- 238000003062 neural network model Methods 0.000 claims abstract description 35
- 238000012549 training Methods 0.000 claims abstract description 17
- 238000013528 artificial neural network Methods 0.000 claims abstract description 15
- 230000002159 abnormal effect Effects 0.000 claims abstract description 14
- 238000012300 Sequence Analysis Methods 0.000 claims abstract description 9
- 230000006399 behavior Effects 0.000 claims description 27
- 230000006870 function Effects 0.000 claims description 25
- 230000015654 memory Effects 0.000 claims description 12
- 238000004220 aggregation Methods 0.000 claims description 10
- 230000002776 aggregation Effects 0.000 claims description 10
- 238000004590 computer program Methods 0.000 claims description 10
- 238000013507 mapping Methods 0.000 claims description 8
- 239000013598 vector Substances 0.000 claims description 7
- 238000007781 pre-processing Methods 0.000 claims description 6
- 238000005096 rolling process Methods 0.000 claims description 6
- 238000003860 storage Methods 0.000 claims description 6
- 230000004913 activation Effects 0.000 claims description 5
- 230000004931 aggregating effect Effects 0.000 claims description 4
- 238000010276 construction Methods 0.000 claims description 4
- 238000000605 extraction Methods 0.000 claims description 4
- 238000012916 structural analysis Methods 0.000 claims description 4
- 238000012731 temporal analysis Methods 0.000 claims description 4
- 238000000700 time series analysis Methods 0.000 claims description 4
- 239000003795 chemical substances by application Substances 0.000 claims description 2
- 206010000117 Abnormal behaviour Diseases 0.000 abstract description 4
- 238000010586 diagram Methods 0.000 description 6
- 238000012545 processing Methods 0.000 description 6
- 238000004458 analytical method Methods 0.000 description 4
- 230000008901 benefit Effects 0.000 description 4
- 238000013135 deep learning Methods 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 230000002452 interceptive effect Effects 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 238000000354 decomposition reaction Methods 0.000 description 2
- 238000013178 mathematical model Methods 0.000 description 2
- 230000036962 time dependent Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012806 monitoring device Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000006116 polymerization reaction Methods 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
- 238000001228 spectrum Methods 0.000 description 1
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a main body abnormality detection method, device, equipment and medium of a power monitoring system, wherein the method comprises the following steps: acquiring network flow log data in the power monitoring system, performing time sequence analysis on the network flow log data, and converting the network flow log data into structured data with time sequence characteristics; establishing a graph structure based on the structured log data; acquiring a feature matrix X and an adjacent matrix A according to the graph structure; inputting the feature matrix X and the adjacent matrix A into a graph neural network model, and training the graph neural network model; and judging the edge probability of the graph neural network according to the interaction behavior which is currently required to be performed by the access subject by using the trained graph neural network model, and judging whether the graph neural network is abnormal according to the edge probability. According to the invention, the log of the power monitoring system is converted into the structured data through time sequence analysis, the abnormal behavior in interaction is identified by utilizing the graph convolution neural network, and accurate and reliable main body abnormality detection can be made aiming at complex environments and multiple factors.
Description
Technical Field
The invention relates to a network security access technology of a power monitoring system, in particular to a main body abnormality detection method, device, equipment and medium of the power monitoring system.
Background
The main body abnormality detection method of the power monitoring system is a technical method which can be used for detecting main body equipment abnormality in the power monitoring system. The method realizes real-time monitoring of the state of the main body equipment of the power monitoring system by analyzing and processing the sensor data by utilizing a specific algorithm in an intelligent and automatic mode, timely discovers and identifies abnormal conditions, and improves the safety and reliability of the power system. The method is suitable for various power monitoring systems, including transformer substation monitoring systems, distribution system monitoring systems, transmission line monitoring systems and the like. In the power monitoring system, the abnormality detection is to detect whether interaction between devices in the power monitoring system is abnormal behavior.
The traditional main body abnormality detection method of the power monitoring system mainly comprises the following steps:
(1) Based on a threshold method: the method sets a set of preset thresholds, and when some variables are detected to be out of the threshold range, an alarm is sent out. The method has advantages in the aspects of simple realization, easy understanding, application and the like, but often depends on manual adjustment of the threshold value, is difficult to cope with complex environment and multi-factor influence, and cannot realize fine abnormality detection.
(2) Based on a rule method: the method needs to establish a rule base based on expert experience, and judges whether abnormality occurs or not by carrying out logic analysis on sensor data. This approach has the advantage of high accuracy, but has the disadvantage that the rule base needs to be constructed manually or semi-automatically, requires a lot of expertise and experience, and does not work well in the presence of complex factor interference.
(3) Based on a model method: the method regards the power equipment as a dynamic system, establishes a dynamic mathematical model in an operating state, and judges whether the equipment state is normal or not by comparing the dynamic mathematical model with an actual observed value. The method has the advantages that model parameters can be automatically adjusted according to actual running conditions to predict, and long-time fault prediction can be realized. However, the disadvantage is that a large amount of data and expertise are required for modeling, and when there is a certain degree of change in the detected object, the modeling needs to be re-built, which is costly in time.
The traditional method has the main defects that the method cannot cope with more complex and diversified industrial environments, and the method cannot adapt to the characteristics of frequent state change, poor regional requirements and the like of power system equipment. In addition, these methods often rely on manual experience to adjust and optimize parameters and threshold values, and a large amount of data exists in the power monitoring system, so that effective processing and analysis are difficult to perform, and therefore efficient, accurate and intelligent anomaly detection cannot be achieved.
Disclosure of Invention
The invention aims to: the invention aims to provide a main body abnormality detection method, device, equipment and medium of an electric power monitoring system, which are used for detecting abnormality by using a deep learning method and can accurately and reliably judge complex environments and multiple factors.
The technical scheme is as follows: in order to achieve the above object, the present invention adopts the following technical scheme:
a main body abnormality detection method of a power monitoring system comprises the following steps:
acquiring network flow log data in the power monitoring system, performing time sequence analysis on the network flow log data, and converting the network flow log data into structured data with time sequence characteristics;
establishing a graph structure based on the structured log data, wherein access subjects in the power monitoring system form nodes, and interaction behaviors among the access subjects form edges;
obtaining a feature matrix X and an adjacent matrix A according to the graph structure, wherein the feature matrix X is an N multiplied by D matrix, and the relation between the nodes forms an N multiplied by N adjacent matrix A for a graph structure with N nodes and D dimension features of each node;
inputting the feature matrix X and the adjacent matrix A into a graph neural network model, and training the graph neural network model to obtain a graph neural network model capable of predicting the behavior of an access subject in a power monitoring scene;
and judging the edge probability of the graph neural network according to the interaction behavior which is currently required to be performed by the access subject by using the trained graph neural network model, and judging whether the graph neural network is abnormal according to the edge probability.
Further, performing time series analysis on the web stream log data and converting the web stream log data into structured data with timing characteristics includes:
and forming time sequence data points by clearing repeated and error data, analyzing a time format and standardizing a time stamp operation, enabling each data point to correspond to log information in a time window, enabling each time window to correspond to each time step of the long-short-period memory network LSTM, and outputting the time sequence characteristics of each time window by utilizing the time sequence information and the mode of the LSTM learning data.
Further, the graph neural network model comprises an encoder and a decoder, wherein the encoder adopts a graph convolution network and is used for mapping two node information in a graph to node embedding, and the decoder adopts a multi-layer perceptron and is used for converting the node embedding into related information of an edge between the two nodes;
training the graph neural network model includes: the method comprises the steps of obtaining node characteristic mapping of two interaction sides by using an encoder, converting the node embedding into variable probability between two nodes by using a decoder, comparing the variable probability with real link conditions between the two nodes after obtaining edge probability, calculating a loss function, and then carrying out back propagation to optimize relevant parameters of the encoder and the decoder, so that circulation is carried out until a loss function value is smaller than a specified threshold or a preset circulation is reached.
Further, the propagation manner between the information propagation layers of the graph rolling network is as follows:
wherein: h (l) For the input features of the layer-1 network, f (H (l) A) is the output of the first layer, which is also the input of the next layer,representing an adjacency matrix aggregating node self messages, < >>Wherein I is N Is an N x N-dimensional identity matrix, +.>For the diagonal matrix, the element values on the diagonal are the degree +1, +.>Laplacian matrix normalized for symmetry, W (l) The parameter matrix of the first layer network graph convolution formed by the combination of the parameter vectors of all the nodes in the graph is represented, and sigma (°) is a nonlinear activation function.
Further, the loss function employs a binary cross entropy loss function.
Further, training the graph neural network model further includes: and respectively carrying out information aggregation of neighbor nodes on two nodes participating in interaction by adopting a mean value aggregation method and updating own information.
Further, according to the interaction behavior which needs to be performed by the access subject currently, judging the edge probability of the access subject by the graph neural network comprises: and carrying out structural analysis on the interaction log data of the access subject by using the LSTM to obtain time sequence characteristics, inputting the time sequence characteristics into a trained graph neural network model, calculating respective embedding of two nodes by using an encoder, and obtaining the edge probability between the two nodes by using a decoder.
The invention also provides a main body abnormality detection device of the power monitoring system, which comprises:
the data acquisition and preprocessing module acquires network flow log data in the power monitoring system, performs time sequence analysis on the network flow log data and converts the network flow log data into structured data with time sequence characteristics;
the graph construction module is used for constructing a graph structure based on the structured log data, wherein access subjects in the power monitoring system form nodes, and interaction behaviors among the access subjects form edges;
the feature extraction module acquires a feature matrix X and an adjacent matrix A according to the graph structure, and for the graph structure with N nodes and D-dimensional features of each node, the feature matrix X is an N multiplied by D-dimensional matrix, and the relation between the nodes forms an N multiplied by N-dimensional adjacent matrix A;
the model training module inputs the feature matrix X and the adjacency matrix A into the graph neural network model, trains the graph neural network model, and obtains the graph neural network model capable of predicting the behavior of the access subject in the power monitoring scene;
the anomaly detection module is used for judging the edge probability of the graph neural network according to the interaction behavior of the access subject which is required to be performed currently by using the trained graph neural network model, and judging whether the anomaly behavior is abnormal or not according to the edge probability.
The present invention also provides a computer device comprising: one or more processors; a memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, which when executed by the processors implement the steps of the power monitoring system body anomaly detection method as described above.
The present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the power monitoring system main body abnormality detection method as described above.
The beneficial effects are that: aiming at the characteristic that the log data of the electric power monitoring scene are unstructured data, the invention uses LSTM to carry out time sequence analysis on the log data to obtain structured data, uses the data to train a graph embedding model, uses a graph convolution neural network as a graph embedding model encoder, generates time-related embedding for each node of the graph from the structured data, and then obtains the probability of occurrence of abnormal interaction behavior corresponding to the main body through a decoder, so that the main body interaction task can be evaluated in the future, thereby judging whether the main body behavior is abnormal or not, and simultaneously adopts a mean value polymerization method to aggregate neighbor information of equipment and update the state of the equipment.
Drawings
FIG. 1 is a flow chart of a method for detecting anomalies in a power monitoring system body according to the present invention;
FIG. 2 is an illustration of a dynamic diagram constructed from interaction behavior in an embodiment of the invention;
FIG. 3 is a schematic diagram of a time diagram network in accordance with an embodiment of the present invention;
FIG. 4 is a schematic diagram of a graph rolling network in accordance with an embodiment of the present invention.
Detailed Description
The technical scheme of the invention is further described below with reference to the accompanying drawings.
Example 1
The use of deep learning algorithms for power anomaly detection can fully exploit the potential value of data, while solving many of the problems found in conventional approaches. Although the deep learning algorithm needs a certain computing resource and model tuning experience, the reliability and efficiency of the deep learning algorithm are far higher than those of the traditional method. In addition, in the power monitoring system, the abnormality detection is to detect whether interaction between devices in the power monitoring system is abnormal behavior.
The graph-roll network (Graph Convolutional Network, GCN) based approach is expected to exhibit excellent performance in this task and accurately predict the probability of an anomaly for any power monitoring device interaction. Meanwhile, the method has strong expansibility, when a scene is added into new equipment, the node only needs to calculate the similarity degree with the existing nodes in the scene by using the equipment information of the node, the node with the highest similarity is selected, the corresponding graph embedding parameters can be used for forming the graph embedding of the node and then the node is merged into the scene, and the whole anomaly detection method is still effective for the node.
In training the GCN to generate edge probabilities, since the GCN input is structured data with timing characteristics, and in power monitoring scenarios, the data obtained is typically unstructured structured data, this data has the following disadvantages: 1) Lack of well-defined structure: typically without well-defined fields and structures, the format of the log entries may vary depending on the application or system that recorded the event; 2) It is difficult to interpret: analyzing unstructured log data may require more data preprocessing and text analysis techniques to extract useful information and patterns. Thus, a more appropriate preprocessing operation is required to ensure that the log data used for the graph embedding input is of a time sequential nature. However, the power monitoring scene generally adopts an extraction method based on expert experience or priori knowledge, and the scene switching cost is high. The invention extracts time sequence information and mode in data through Long Short-Term Memory (LSTM) network to form serialized log data, and then uses the serialized log data as input of a graph embedded encoder so as to detect abnormal probability of interaction.
Referring to fig. 1, the embodiment provides a main body abnormality detection method of a power monitoring system, which is divided into two steps, an offline training phase and an online detection phase. In an offline training stage, unstructured log data is converted into structured time sequence data through LSTM (least squares) for training GCN, and the GCN model capable of predicting the behavior of an access subject in a power monitoring scene is obtained by generating edge probability. In the online detection stage, when interaction occurs between devices, time sequence analysis is carried out on log data of the interaction through LSTM to obtain time sequence structural data, and after input is converted into edge probability through a coder and decoder, whether the event is abnormal or not is judged according to the edge probability.
In step S1, web flow log data in the power monitoring system is acquired and converted into structured data having a time sequence characteristic.
The network flow log data contains the interaction information between the devices of the power monitoring system, and the invention takes the devices as points and the interactions between the devices as edges (related to time) to form a continuous dynamic time sequence diagram. And analyzing unstructured log data by using the LSTM to obtain structured data with time sequence characteristics.
Firstly, unstructured log data are processed by using LSTM, and time series data points are formed through cleaning, analysis, standardized time stamping and other operations, wherein each data point corresponds to log information in a time window. Each time window is associated with each time step of the LSTM. Specifically, in the power monitoring system, power consumption data is recorded in a power company database in the form of a log. The historical power load data is subjected to time series analysis, and repeated and erroneous data are cleaned. And preprocessing, and converting the data in the character string format into a date and time object. And finally, converting the data with inconsistent time zones into a unified time zone. The data are ready to be loaded in a time series of hourly loads, wherein time steps represent hours. This time sequence will be the input of the LSTM model. The LSTM model is utilized to learn the time sequence information and the mode of the data, and then the time sequence characteristics of each time window are output.
In step S2, a dynamic graph construction method based on the interaction behavior of the network system is designed according to the structured log data obtained by the operation in step S1.
Dynamic graphs may be represented as an ordered list of timed events or asynchronous "streams," such as the addition or deletion of nodes and edges. In the network system, when a subject registration system account is accessed, a new node is created. When a principal accesses a service at a time, an "interactive" edge is created at that time. The node or edge will be updated when the accessing agent changes its own information or interaction behavior. In the power monitoring system, the access subject refers to devices, people, operating systems, application subjects and the like in the system, and the subject access service refers to interaction among subjects. The design idea of the invention is to extract interaction information from log data of equipment to generate a dynamic graph network, and the interaction information refers to whether interaction exists between a node i and a node j at a moment t and an interaction side is established when the interaction exists because the interaction information is in a power monitoring scene access control scene. FIG. 2 shows an example of a dynamic graph with 5 nodes and 7 interacting edges.
In step S3, a graph embedding model is constructed and trained.
The graph embedding model includes an encoder that maps two node information in the graph to a node embedding (low-dimensional vector representation), and a decoder that converts the node embedding into information about edges between the two nodes (e.g., edge probabilities). In the invention, GCN is selected as an encoder, and MLP function is selected as a decoder. The GCN aggregates the information of the neighbor nodes so as to update the representation of the neighbor nodes, and accords with the power monitoring scene (the reliability of power equipment, network data flow communication, memory overhead and the like are all related to the neighbor nodes); the MLP embeds probabilities that are linked together and finally converted to edges.
According to the method for constructing a dynamic graph described above, the encoder generating the time-dependent graph embedment in which the cross-correlation information is put into the GCN structure is extracted from the device log data to construct a dynamic graph, and then this embedment is fed into the decoder. The power monitoring system access subject and interactive services are evaluated by: at time t, what is the probability of having an abnormal edge between nodes i and j.
And after obtaining the edge probability according to the decoder, calculating loss (binary cross entropy loss function) according to the real link condition (1 is indicated by the link edge and 0 is not indicated by the link edge) between the decoder and the two nodes, then carrying out back propagation, optimizing relevant parameters (weight and bias) of the encoder and the decoder, and circulating until loss is smaller than a threshold value and convergence is achieved, thus obtaining the final graph embedding model.
The invention adopts a mean value aggregation method to respectively conduct neighbor node information aggregation on two devices participating in interaction and update own information.
Referring to fig. 3, for a video file having seven visible edges (time stamp t 1 To t 7 ) The purpose of the dynamic graph of (a) is to predict the time t of node 2 and node 4 8 (grey edge t) 8 ) Future abnormal interactions of (a). For this purpose, the time diagram network is at time t 8 Embedding of the compute nodes 2 and 4. These embeddings are then connected and fed to the multi-layer perceptron MLP to output the probability of interaction occurring. The time graph network adjusts the edges of the GCN to time dependent edges, i.e. each edge carries time information. Time graph network encoder creation from node interactionsThe compressed representation of the node and the mean aggregation method is used to collect neighbor node information and update its own information as each event occurs.
Referring to fig. 3, a gcn network generally includes a graph information propagation layer and an MLP, and it is assumed that there is a graph structure in which there are N nodes (nodes), each having its own characteristics. Let the characteristics of these nodes form an N X D-dimensional matrix X, and the relationships between the nodes form an N X N-dimensional matrix a, called adjacency matrix. X and A are inputs to the model. In the power monitoring scene, the characteristics are characteristic matrixes formed by equipment states or network flow sizes and the like which are analyzed from log data, wherein each row corresponds to one node, and each column corresponds to one characteristic. GCN is also a neural network layer, and its layer-to-layer propagation is:
wherein: the input of the layer-I network is H (l) (initial input is H (0) =x), N is the number of nodes in the graph, each node being represented using a feature vector of dimension D. Referring to fig. 4, the yellow part is the current layer l, and the blue part is the next layer l+1 after passing through the GCN convolution network: in the feature propagation process, each node in the graph needs to aggregate own and neighbor information (for example, node a needs to aggregate own and neighbor node BCDE, namely, a broken line connection part), then update the node through an adjustable parameter W (the parameter vector of all nodes in the graph are combined to form a parameter matrix W convolved by the graph), and finally generate the feature vector of the next layer of the node.
The parameters are described as follows:
a is the adjacency matrix of the graph, which contains only 1 or 0, and the diagonal elements are 0; i is an identity matrix>The advantage of this process is that the graph-rolling network layer can aggregate messages from not only other nodes, but also nodes themselves when aggregating messages, which is equivalent to adding self-join to the adjacency matrix of graph G (i.e., each vertex and itself plus one edge).
D is a degree (out degree/in degree) matrix, and the degree of the nodes in the undirected graph is the number of edges connected by the nodes; />The diagonal matrix is the element value on the diagonal is the degree +1 of the node.
H (l) The characteristics of each layer, i.e., the characteristics of the nodes, are represented.
W (l) Is the weight matrix of the first layer, and the dimension is F i ×F i+1 I.e. the size of the second dimension of the weight matrix determines the feature number of the next layer.
Sigma (·) is a nonlinear activation function, e.g., sigmoid, reLu, etc.
f(H (l) A) is the output of the present layer and in the case of a multi-layer GCN, is also the input of the next layer.
Is called: the symmetric normalized Laplace matrix is a symmetric matrix, and can perform characteristic decomposition (spectrum decomposition), and the specific formula is as follows:
taking a two-layer GCN for class edge probability generation as an example, the activation functions respectively adopt a ReLU and a Softmax, and the specific training flow is as follows:
firstly, acquiring a characteristic representation X of a node and calculating a symmetric normalized Laplacian matrix:
then, the prediction result of each edge probability is obtained by inputting the prediction result into a two-layer GCN network:
wherein,the weight matrix is used for mapping the characteristic representation of the node into a corresponding hidden layer state. />The weight matrix of the second layer is used for mapping the hidden layer representation of the node into corresponding output (F corresponds to the number of node labels). And finally, the representation of each node is passed through a softmax function, so that the prediction result of each label can be obtained.
For the problem of edge probability generation, the expected cross entropy on all labeled nodes can be used as a loss function for back propagation, updating the model parameters. The cross entropy loss function is defined as follows:
wherein y is L Representing a labeled set of nodes.
In step S4, abnormal behavior detection is performed using the trained model.
When two devices in the power monitoring system interact, firstly, LSTM is used for carrying out structural analysis on interaction log data to obtain time sequence characteristics, a trained graph embedding model is put in, firstly, the respective embedding of two nodes is calculated through an encoder, then the edge probability between the two devices is obtained through a decoder, if the edge probability is smaller than a set threshold value, the interaction is considered to be abnormal, and otherwise, the interaction is considered to be normal. Meanwhile, the two interactive parties update their own information by means of mean aggregation.
Example 2
Based on the same technical concept as the method embodiment, the embodiment provides a main body abnormality detection device of a power monitoring system, including:
the data acquisition and preprocessing module acquires network flow log data in the power monitoring system, performs time sequence analysis on the network flow log data and converts the network flow log data into structured data with time sequence characteristics;
the graph construction module is used for constructing a graph structure based on the structured log data, wherein access subjects in the power monitoring system form nodes, and interaction behaviors among the access subjects form edges;
the feature extraction module acquires a feature matrix X and an adjacent matrix A according to the graph structure, and for the graph structure with N nodes and D-dimensional features of each node, the feature matrix X is an N multiplied by D-dimensional matrix, and the relation between the nodes forms an N multiplied by N-dimensional adjacent matrix A;
the model training module inputs the feature matrix X and the adjacency matrix A into the graph neural network model, trains the graph neural network model, and obtains the graph neural network model capable of predicting the behavior of the access subject in the power monitoring scene;
the anomaly detection module is used for judging the edge probability of the graph neural network according to the interaction behavior of the access subject which is required to be performed currently by using the trained graph neural network model, and judging whether the anomaly behavior is abnormal or not according to the edge probability.
Wherein the time series analysis of the web stream log data and the conversion thereof into the structured data with the time sequence feature comprises:
and forming time sequence data points by clearing repeated and error data, analyzing a time format and standardizing a time stamp operation, enabling each data point to correspond to log information in a time window, enabling each time window to correspond to each time step of the long-short-period memory network LSTM, and outputting the time sequence characteristics of each time window by utilizing the time sequence information and the mode of the LSTM learning data.
Further, the graph neural network model comprises an encoder and a decoder, wherein the encoder adopts a graph convolution network and is used for mapping two node information in a graph to node embedding, and the decoder adopts a multi-layer perceptron and is used for converting the node embedding into related information of an edge between the two nodes;
training the graph neural network model includes: the method comprises the steps of obtaining node characteristic mapping of two interaction sides by using an encoder, converting the node embedding into variable probability between two nodes by using a decoder, comparing the variable probability with real link conditions between the two nodes after obtaining edge probability, calculating a loss function, and then carrying out back propagation to optimize relevant parameters of the encoder and the decoder, so that circulation is carried out until a loss function value is smaller than a specified threshold or a preset circulation is reached.
Further, the propagation manner between the information propagation layers of the graph rolling network is as follows:
wherein: h (l) For the input features of the layer-1 network, f (H (l) A) is the output of the first layer, which is also the input of the next layer,representing an adjacency matrix aggregating node self messages, < >>Wherein I is N Is an N x N-dimensional identity matrix, +.>For the diagonal matrix, the element values on the diagonal are the degree +1, +.>Draw normalized for symmetryLaplace matrix, W (l) The parameter matrix of the first layer network graph convolution formed by the combination of the parameter vectors of all the nodes in the graph is represented, and sigma (°) is a nonlinear activation function.
Further, the loss function employs a binary cross entropy loss function.
Further, training the graph neural network model further includes: and respectively carrying out information aggregation of neighbor nodes on two nodes participating in interaction by adopting a mean value aggregation method and updating own information.
Further, according to the interaction behavior which needs to be performed by the access subject currently, judging the edge probability of the access subject by the graph neural network comprises: and carrying out structural analysis on the interaction log data of the access subject by using the LSTM to obtain time sequence characteristics, inputting the time sequence characteristics into a trained graph neural network model, calculating respective embedding of two nodes by using an encoder, and obtaining the edge probability between the two nodes by using a decoder.
It should be understood that the main body abnormality detection device of the power monitoring system in the embodiment of the present invention may implement all the technical solutions in the foregoing method embodiments, and a portion of specific implementation processes that are not described in detail may refer to the relevant descriptions in the foregoing embodiments, which are not repeated herein.
Example 3
The present embodiment provides a computer device including: one or more processors; a memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, which when executed by the processors implement the steps of the power monitoring system main body abnormality detection method according to the present invention.
Example 4
The present embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the power monitoring system main body abnormality detection method according to the present invention.
It will be appreciated by those skilled in the art that embodiments of the invention may be provided as a method, apparatus (system), computer device, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The invention is described with reference to flow charts of methods according to embodiments of the invention. It will be understood that each flow in the flowchart, and combinations of flows in the flowchart, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows.
Claims (10)
1. The main body abnormality detection method of the power monitoring system is characterized by comprising the following steps of:
acquiring network flow log data in the power monitoring system, performing time sequence analysis on the network flow log data, and converting the network flow log data into structured data with time sequence characteristics;
establishing a graph structure based on the structured log data, wherein access subjects in the power monitoring system form nodes, and interaction behaviors among the access subjects form edges;
obtaining a feature matrix X and an adjacent matrix A according to the graph structure, wherein the feature matrix X is an N multiplied by D matrix, and the relation between the nodes forms an N multiplied by N adjacent matrix A for a graph structure with N nodes and D dimension features of each node;
inputting the feature matrix X and the adjacent matrix A into a graph neural network model, and training the graph neural network model to obtain a graph neural network model capable of predicting the behavior of an access subject in a power monitoring scene;
and judging the edge probability of the graph neural network according to the interaction behavior which is currently required to be performed by the access subject by using the trained graph neural network model, and judging whether the graph neural network is abnormal according to the edge probability.
2. The method of claim 1, wherein performing a time-series analysis of the web stream log data and converting it into structured data having timing characteristics comprises:
and forming time sequence data points by clearing repeated and error data, analyzing a time format and standardizing a time stamp operation, enabling each data point to correspond to log information in a time window, enabling each time window to correspond to each time step of the long-short-period memory network LSTM, and outputting the time sequence characteristics of each time window by utilizing the time sequence information and the mode of the LSTM learning data.
3. The method of claim 1, wherein the graph neural network model includes an encoder and a decoder, the encoder employing a graph rolling network for mapping two node information in the graph to a node embedding, the decoder employing a multi-layer perceptron for converting the node embedding into information about edges between the two nodes;
training the graph neural network model includes: the method comprises the steps of obtaining node characteristic mapping of two interaction sides by using an encoder, converting the node embedding into variable probability between two nodes by using a decoder, comparing the variable probability with real link conditions between the two nodes after obtaining edge probability, calculating a loss function, and then carrying out back propagation to optimize relevant parameters of the encoder and the decoder, so that circulation is carried out until a loss function value is smaller than a specified threshold or a preset circulation is reached.
4. A method according to claim 3, characterized in that the propagation manner between the information propagation layers of the graph rolling network is as follows:
wherein: h (l) For the input features of the layer-1 network, f (H (l) A) is the output of the first layer, which is also the input of the next layer,representing an adjacency matrix aggregating node self messages, < >>Wherein I is N Is an N x N-dimensional identity matrix, +.>For the diagonal matrix, the element values on the diagonal are the degree +1, +.>Laplacian matrix normalized for symmetry, W (l) The parameter matrix of the first layer network graph convolution formed by the combination of the parameter vectors of all the nodes in the graph is represented, and sigma (°) is a nonlinear activation function.
5. A method according to claim 3, wherein the loss function employs a binary cross entropy loss function.
6. The method of claim 5, wherein training the graph neural network model further comprises: and respectively carrying out information aggregation of neighbor nodes on two nodes participating in interaction by adopting a mean value aggregation method and updating own information.
7. The method of claim 6, wherein determining the edge probability by the graph neural network based on the interaction behavior currently required by the accessing agent comprises: and carrying out structural analysis on the interaction log data of the access subject by using the LSTM to obtain time sequence characteristics, inputting the time sequence characteristics into a trained graph neural network model, calculating respective embedding of two nodes by using an encoder, and obtaining the edge probability between the two nodes by using a decoder.
8. An abnormality detection device for a main body of a power monitoring system, comprising:
the data acquisition and preprocessing module acquires network flow log data in the power monitoring system, performs time sequence analysis on the network flow log data and converts the network flow log data into structured data with time sequence characteristics;
the graph construction module is used for constructing a graph structure based on the structured log data, wherein access subjects in the power monitoring system form nodes, and interaction behaviors among the access subjects form edges;
the feature extraction module acquires a feature matrix X and an adjacent matrix A according to the graph structure, and for the graph structure with N nodes and D-dimensional features of each node, the feature matrix X is an N multiplied by D-dimensional matrix, and the relation between the nodes forms an N multiplied by N-dimensional adjacent matrix A;
the model training module inputs the feature matrix X and the adjacency matrix A into the graph neural network model, trains the graph neural network model, and obtains the graph neural network model capable of predicting the behavior of the access subject in the power monitoring scene;
the anomaly detection module is used for judging the edge probability of the graph neural network according to the interaction behavior of the access subject which is required to be performed currently by using the trained graph neural network model, and judging whether the anomaly behavior is abnormal or not according to the edge probability.
9. A computer device, comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, which when executed by the processors implement the steps of the power monitoring system body anomaly detection method of any one of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the power monitoring system main body abnormality detection method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311660918.4A CN117640342A (en) | 2023-12-06 | 2023-12-06 | Main body abnormality detection method, device, equipment and medium for power monitoring system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311660918.4A CN117640342A (en) | 2023-12-06 | 2023-12-06 | Main body abnormality detection method, device, equipment and medium for power monitoring system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117640342A true CN117640342A (en) | 2024-03-01 |
Family
ID=90023154
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311660918.4A Pending CN117640342A (en) | 2023-12-06 | 2023-12-06 | Main body abnormality detection method, device, equipment and medium for power monitoring system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117640342A (en) |
-
2023
- 2023-12-06 CN CN202311660918.4A patent/CN117640342A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109872003B (en) | Object state prediction method, object state prediction system, computer device, and storage medium | |
| Li et al. | Fault diagnosis expert system of semiconductor manufacturing equipment using a Bayesian network | |
| CN113746663B (en) | Performance degradation fault root cause positioning method combining mechanism data and dual drives | |
| CN108052092A (en) | A kind of subway electromechanical equipment abnormal state detection method based on big data analysis | |
| CN113033772A (en) | Multi-equipment state monitoring method based on federal learning | |
| CN115168443A (en) | Anomaly detection method and system based on GCN-LSTM and attention mechanism | |
| CN114266301A (en) | Intelligent power equipment fault prediction method based on graph convolution neural network | |
| CN110011990A (en) | Intranet security threatens intelligent analysis method | |
| CN116842379A (en) | Mechanical bearing residual service life prediction method based on DRSN-CS and BiGRU+MLP models | |
| CN116599857A (en) | Digital twin application system suitable for multiple scenes of Internet of things | |
| Rizvi | Leveraging Deep Learning Algorithms for Predicting Power Outages and Detecting Faults: A Review | |
| Javed et al. | Cloud-based collaborative learning (ccl) for the automated condition monitoring of wind farms | |
| Shi et al. | Machine learning-based time-series data analysis in edge-cloud-assisted oil industrial IoT system | |
| Larrinaga et al. | Implementation of a reference architecture for cyber physical systems to support condition based maintenance | |
| CN117640342A (en) | Main body abnormality detection method, device, equipment and medium for power monitoring system | |
| Han et al. | On fault prediction based on industrial big data | |
| CN113807027A (en) | Health state evaluation model, method and system for wind turbine generator | |
| CN113821418A (en) | Fault tracking analysis method and device, storage medium and electronic equipment | |
| Mbuli et al. | Root causes analysis and fault prediction in intelligent transportation systems: coupling unsupervised and supervised learning techniques | |
| Zaitseva et al. | Application of ordered fuzzy decision trees in construction of structure function of multi-state system | |
| Lakshman Narayana et al. | An intelligent IoT framework for handling multidimensional data generated by IoT gadgets | |
| CN115174421B (en) | Network fault prediction method and device based on self-supervision unwrapping hypergraph attention | |
| LIU et al. | A case study on intelligent operation system for wireless networks | |
| CN115392615B (en) | Data missing value completion method and system for generating countermeasure network based on information enhancement | |
| Perederyi et al. | Information technology for decision making support and monitoring in man-machine systems for managing complex technical objects of critical application |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |