CN117708738A - Sensor time sequence anomaly detection method and system based on multi-modal variable correlation - Google Patents
Sensor time sequence anomaly detection method and system based on multi-modal variable correlation Download PDFInfo
- Publication number
- CN117708738A CN117708738A CN202311732146.0A CN202311732146A CN117708738A CN 117708738 A CN117708738 A CN 117708738A CN 202311732146 A CN202311732146 A CN 202311732146A CN 117708738 A CN117708738 A CN 117708738A
- Authority
- CN
- China
- Prior art keywords
- sensor
- target
- time sequence
- time
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 57
- 239000013598 vector Substances 0.000 claims abstract description 49
- 238000000034 method Methods 0.000 claims abstract description 37
- 230000002146 bilateral effect Effects 0.000 claims abstract description 24
- 230000005856 abnormality Effects 0.000 claims abstract description 20
- 230000002159 abnormal effect Effects 0.000 claims abstract description 17
- 230000007246 mechanism Effects 0.000 claims abstract description 17
- 239000011159 matrix material Substances 0.000 claims description 16
- 230000006870 function Effects 0.000 claims description 12
- 230000009466 transformation Effects 0.000 claims description 10
- 238000010606 normalization Methods 0.000 claims description 7
- 238000000605 extraction Methods 0.000 claims description 6
- 230000008569 process Effects 0.000 claims description 6
- 101100481876 Danio rerio pbk gene Proteins 0.000 claims description 5
- 101100481878 Mus musculus Pbk gene Proteins 0.000 claims description 5
- 238000004364 calculation method Methods 0.000 claims description 5
- 206010000117 Abnormal behaviour Diseases 0.000 claims description 3
- 230000004913 activation Effects 0.000 claims description 3
- 230000004931 aggregating effect Effects 0.000 claims description 3
- 230000002776 aggregation Effects 0.000 claims description 3
- 238000004220 aggregation Methods 0.000 claims description 3
- 238000003860 storage Methods 0.000 claims description 3
- 238000004590 computer program Methods 0.000 claims 3
- 238000012544 monitoring process Methods 0.000 abstract description 3
- 230000006399 behavior Effects 0.000 description 10
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 8
- 238000004458 analytical method Methods 0.000 description 6
- 238000002474 experimental method Methods 0.000 description 6
- 238000012360 testing method Methods 0.000 description 6
- 238000011282 treatment Methods 0.000 description 6
- 238000009826 distribution Methods 0.000 description 4
- 238000002679 ablation Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 238000012549 training Methods 0.000 description 3
- 230000000007 visual effect Effects 0.000 description 3
- 230000007547 defect Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 239000007788 liquid Substances 0.000 description 2
- 230000035945 sensitivity Effects 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 102000010553 ALAD Human genes 0.000 description 1
- 101150082527 ALAD gene Proteins 0.000 description 1
- 241001076939 Artines Species 0.000 description 1
- 241000965478 Darksidea epsilon Species 0.000 description 1
- 239000000654 additive Substances 0.000 description 1
- 230000000996 additive effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000012512 characterization method Methods 0.000 description 1
- 239000003086 colorant Substances 0.000 description 1
- 238000000354 decomposition reaction Methods 0.000 description 1
- 239000003814 drug Substances 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 238000007667 floating Methods 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 101150055960 hemB gene Proteins 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000000737 periodic effect Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000000742 single-metal deposition Methods 0.000 description 1
- 230000002123 temporal effect Effects 0.000 description 1
- 230000036962 time dependent Effects 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Landscapes
- Testing And Monitoring For Control Systems (AREA)
Abstract
The invention relates to the technical field of industrial control information safety, in particular to a method and a system for detecting sensor time sequence abnormality based on multi-mode variable correlation, which are used for collecting time sequence data corresponding to each module sensor in business scenes at two ends of a target moment through a bilateral sliding window, and acquiring feature vectors with association relation structure information of each module sensor by using a graph attention mechanism based on the time sequence data; and obtaining a predicted value of the sensor at the target moment according to the feature vector, and obtaining a predicted error based on the predicted value and the sensor observed value, so as to judge the abnormal detection result of each sensor time sequence according to the predicted error. According to the invention, the time sequence data to be detected abnormally is obtained through the target moment bilateral sliding window, and the expected and actual observation of each sensor are compared by using the multi-mode variable correlation, so that the abnormal sensor behavior and abnormal points of the time sequence can be accurately judged, and the application deployment in service scenes such as actual intelligent monitoring is facilitated.
Description
Technical Field
The invention relates to the technical field of industrial control information safety, in particular to a sensor time sequence abnormality detection method and system based on multi-mode variable correlation.
Background
At present, anomaly detection for multivariate time series is widely applied to various aspects, such as medicine, water treatment plants, spacecrafts, robot auxiliary systems, engines, servers and the like, so as to realize intelligent monitoring control of related business scenes by utilizing sensor data characterization of each module terminal. In a given time series data set, when the system is under attack or fails, there are significant differences in part of the time from most of the time in the overall data set, and these significantly different points in time may be referred to as outliers.
Most of the existing multivariate time sequence anomaly detection methods are based on predictive models for anomaly evaluation, such as telemetry data sent back by a spacecraft is monitored by establishing an automatic anomaly detection system, real-time anomaly detection algorithms based on Hierarchical Temporal Memory (HTM) and Bayesian Networks (BN), time sequence modeling is performed by an end-to-end learning framework and combining a non-time dimension reduction technology and a periodic automatic encoder, and time-independent multivariate data anomaly detection is focused. However, when predicting the time sequence, the method often adopts a unilateral sliding window as input, and cannot fully capture local time dependency relationship, and does not explicitly learn the relationship between different time sequences, thereby affecting the accuracy of abnormal detection of the time sequence data.
Disclosure of Invention
Therefore, the invention provides a sensor time sequence abnormality detection method and system based on multi-modal variable correlation, which solves the problem that the existing time sequence data abnormality detection precision is not ideal, obtains time sequence data to be detected abnormally through a target moment bilateral sliding window, compares the expected and actual observation of each sensor by using the multi-modal variable correlation, further can accurately judge abnormal sensor behaviors and abnormal time points, and is convenient for application deployment in business scenes such as actual intelligent monitoring.
According to the design scheme provided by the invention, on one hand, a sensor time sequence abnormality detection method based on multi-mode variable correlation is provided, which comprises the following steps:
collecting time sequence data corresponding to each module sensor in service scenes at two ends of a target moment through a bilateral sliding window, and acquiring feature vectors with association relation structure information of each module sensor based on the time sequence data by using a graph attention mechanism;
and obtaining a predicted value of the sensor at the target moment according to the feature vector, and obtaining a predicted error based on the predicted value and the sensor observed value, so as to judge the abnormal detection result of each sensor time sequence according to the predicted error.
As the sensor time sequence abnormality detection method based on multi-mode variable correlation, the invention further collects time sequence data corresponding to each module sensor at two ends of a target moment through a bilateral sliding window, and comprises the following steps:
firstly, collecting historical time sequence data of sensors of each module in a business scene;
and then, acquiring time sequence data of each module sensor under preset time lengths at the front end and the rear end of the target moment based on the historical time sequence data.
The method for detecting the sensor time sequence abnormality based on the multi-mode variable correlation further comprises the steps of obtaining a feature vector with sensor association relation structure information of each module based on time sequence data by using a graph attention mechanism, wherein the feature vector comprises the following components:
firstly, selecting a sensor as a target sensor of an abnormal behavior detection object, using other sensors in a business scene as candidate sensors, and representing a directed graph between the candidate sensors with a dependency relationship with the target sensor by using an adjacency matrix;
then, respectively acquiring the time domain feature similarity and the frequency domain feature similarity of the target sensor and the candidate sensor based on the time sequence data, and acquiring the correlation between the target sensor and the candidate sensor according to the time domain feature similarity and the frequency domain feature similarity;
and then, obtaining an adjacent matrix representation of the target sensor according to a topK method, taking the adjacent matrix representation as a learned graph structure, fusing time domain data features of the target sensor and the candidate sensor nodes based on a graph attention mechanism, and obtaining a final feature vector with the association relation structure information of the sensor of each module according to the fused features.
As the sensor time sequence anomaly detection method based on multi-mode variable correlation, the invention further respectively obtains the time domain feature similarity and the frequency domain feature similarity of the target sensor and the candidate sensor based on time sequence data, and comprises the following steps:
firstly, time domain feature embedded vectors of all sensors are obtained by utilizing time sequence data, and the similarity of a target sensor and a candidate sensor on time domain features is calculated based on the time domain feature embedded vectors;
then, each time domain feature embedded vector is transformed to a frequency domain according to wavelet transformation to obtain a corresponding frequency domain feature vector; and calculating the similarity of the target sensor and the candidate sensor on the frequency domain feature based on the frequency domain feature vector.
As the sensor time sequence abnormality detection method based on the multi-modal variable correlation, the invention further provides a correlation e between the target sensor i and the candidate sensor j ij The calculation process of (1) is expressed as follows:wherein,and respectively representing the time domain feature similarity and the frequency domain feature similarity between the target sensor node i and the candidate sensor node j.
As the sensor time sequence anomaly detection method based on multi-modal variable correlation of the invention, further, the process of fusing time domain data features of both the target sensor and the candidate sensor node based on a graph attention mechanism is expressed as follows:wherein (1)>Feature vector fused by target sensor node i at target time t, reLU () represents activation function, alpha i,j Representing the attention coefficient between a target sensor node i and its candidate sensor neighbor node j, W is a trainable weight matrix with each node sharing a linear transformation,/for each node>Time sequence data characteristics of a target sensor node i and a candidate sensor neighbor node j at a target moment t are respectively represented, and N (i) represents a candidate sensor neighbor node set of the target sensor node i.
The method for detecting sensor time sequence abnormality based on multi-modal variable correlation of the present invention further comprises the steps of:
firstly, carrying out robust normalization on the prediction error of each sensor by combining the median and the quartile of a time step interval of a prediction error target moment;
and then, aggregating the prediction errors after robust normalization of the target time by using a max function, and marking the target time as an abnormal time step and outputting when the aggregation result exceeds a preset threshold value.
Further, the present invention also provides a sensor timing anomaly detection system based on multi-modal variable correlation, comprising: a feature extraction module and an abnormality detection module, wherein,
the feature extraction module is used for collecting time sequence data corresponding to each module sensor in the service scene at the two ends of the target moment through the bilateral sliding window, and acquiring feature vectors with the association relation structure information of each module sensor based on the time sequence data by using a graph attention mechanism;
the anomaly detection module is used for obtaining a predicted value of the sensor at the target moment according to the feature vector, and obtaining a predicted error based on the predicted value and the sensor observation value so as to judge the time sequence anomaly detection result of each sensor according to the predicted error.
The invention has the beneficial effects that:
according to the method, the time dependence at two ends of the time step can be fully considered through the bilateral sliding window, and the local data change trend can be better captured; and the association relation of the actual sensor is obtained based on the variable correlation, so that the node characteristics with the structural information are obtained, the prediction and the anomaly detection can be more accurately carried out, and the method has a good application prospect.
Description of the drawings:
FIG. 1 is a schematic diagram of a sensor timing anomaly detection flow in an embodiment;
FIG. 2 is a schematic diagram of a timing anomaly detection model framework in an embodiment;
FIG. 3 is a schematic diagram of Window Size parameter sensitivity experiment (parameter W) in the example;
FIG. 4 is a schematic of the Dim parameter sensitivity test (parameter D) in the examples;
FIG. 5 is a visual illustration of SwaT dataset embedding in an embodiment;
fig. 6 is a visual illustration of WADI dataset embedding in an embodiment.
The specific embodiment is as follows:
the present invention will be described in further detail with reference to the drawings and the technical scheme, in order to make the objects, technical schemes and advantages of the present invention more apparent.
In the conventional time series prediction using the prediction method, a single-sided sliding window is often used as a model input, and local time-dependent relationships cannot be sufficiently captured, and relationships between different time series are not explicitly learned, but the relationships between sensors are significant for abnormality detection, and for example, abnormality can be diagnosed by recognizing deviations in these relationships. For this reason, referring to fig. 1, an embodiment of the present invention provides a method for detecting a sensor timing anomaly based on multi-modal variable correlation, including the following steps:
s101, collecting time sequence data corresponding to each module sensor in service scenes at two ends of a target moment through a bilateral sliding window, and acquiring feature vectors with association relation structure information of each module sensor by using a graph attention mechanism based on the time sequence data.
The time sequence data corresponding to the sensors of each module at two ends of the target moment is collected through the bilateral sliding window, and the time sequence data can be designed to comprise the following contents:
firstly, collecting historical time sequence data of sensors of each module in a business scene;
and then, acquiring time sequence data of each module sensor under preset time lengths at the front end and the rear end of the target moment based on the historical time sequence data.
In order to better capture local time dependency, unlike the past unilateral sliding window, in the embodiment, a bilateral window-based method is used to predict each sensor behavior according to local bilateral information, specifically, at time t, the bilateral window sliding window x (t) may be expressed as:
X (t) =[s t-w ,s t-w+1 ···,s t-1 ,s t+1 ,s t+2 ,···,s t+w ] (1)
using a double sided sliding window allows users to easily identify sensors that deviate significantly from their intended behavior. Further, the user may compare the expected and observed behavior of each sensor to understand why one sensor is considered abnormal.
The feature vector with the sensor association relation structure information of each module is acquired based on the time sequence data and by using a graph attention mechanism, and can be designed to comprise the following contents:
firstly, selecting a sensor as a target sensor of an abnormal behavior detection object, using other sensors in a business scene as candidate sensors, and representing a directed graph between the candidate sensors with a dependency relationship with the target sensor by using an adjacency matrix;
then, respectively acquiring the time domain feature similarity and the frequency domain feature similarity of the target sensor and the candidate sensor based on the time sequence data, and acquiring the correlation between the target sensor and the candidate sensor according to the time domain feature similarity and the frequency domain feature similarity;
and then, obtaining an adjacent matrix representation of the target sensor according to a topK method, taking the adjacent matrix representation as a learned graph structure, fusing time domain data features of the target sensor and the candidate sensor nodes based on a graph attention mechanism, and obtaining a final feature vector with the association relation structure information of the sensor of each module according to the fused features.
Specifically, respectively acquiring the feature similarity of the target sensor and the candidate sensor in the time domain and the feature similarity of the candidate sensor in the frequency domain based on the time sequence data may include:
firstly, time domain feature embedded vectors of all sensors are obtained by utilizing time sequence data, and the similarity of a target sensor and a candidate sensor on time domain features is calculated based on the time domain feature embedded vectors;
then, each time domain feature embedded vector is transformed to a frequency domain according to wavelet transformation to obtain a corresponding frequency domain feature vector; and calculating the similarity of the target sensor and the candidate sensor on the frequency domain feature based on the frequency domain feature vector.
Time domain data between modalities of the multi-modalities can be converted by waveletTransform to the frequency domain +.>Such a transformation may decompose a discrete-time signal into a discrete wavelet representation. Formally, a given time sequence x= (t 0 ,t 1 ,···,t N-1 ) T Which represents a length ofDiscrete time series of N, basis function +.>Sum ψ= (ψ) 0 ,ψ 1 ,···,ψ N-1 ) T Then each scale layer (j 0 Or j) the coefficient of each translation (indexed by k) is the projection of the signal on each basis function:
in the formulas (2) and (3),is approximately coefficient omega ψ [j,k]Is a detail coefficient. The detail coefficients at different levels reflect the variance of the signal at different scales, while the approximation coefficients reflect the smoothed average of the signal at that scale. An important property of discrete wavelet transform is that the detail coefficients of each layer are orthogonal, and for any pair of detail coefficients that are not at the same layer, the inner product is 0 as in equation (4):
ω ψ [j,★]·ω ψ [j',★]=0 (4)
thus, the detail coefficients can be interpreted as additive decomposition of the signal, i.e. multi-resolution analysis. The wavelet transformation can perform time-frequency analysis on the non-stationary time sequence by utilizing the multi-resolution characteristic, so that the time sequence anomaly detection has high-efficiency detection capability on the non-stationary time sequence information.
Representing a directed graph in the association relation of the sensor of each module by using an adjacent matrix A, wherein A ij Indicating that there is a directed edge from node i to node j. For the case of partial prior information, this prior information can be expressed as a candidate relationship C for each sensor i i Refers to the set of sensors on which it can depend. Without prior artIn the case of verification information, the candidate relationship of the sensor i is all sensors except itself, and the candidate sensor node set can be expressed as:
C i ={1,2,3,...,N}\{i} (5)
in order to select the dependency of the sensor i among the candidate nodes, in this embodiment, first, an embedding vector X of the time domain of the node i is calculated T With its candidate node j e C i Is the time domain embedded vector Y of (2) T Similarity between
Then calculating the frequency domain characteristic X of the node i after wavelet transformation F Frequency domain features Y with its candidate node j F Similarity between
Then, correlation e of node i and node j ij Is a combination of time domain feature correlation and frequency domain feature correlation, and can be specifically expressed as:
using top K method to obtain adjacent matrix A as learned graph structure:
A ji =1{j∈TopK({e ki :k∈C i })} (9)
e ij it can also be obtained by a normalized dot product of the embedded vector of the sensor i and the candidate relationship j. The highest k normalized dot products are selected. TopK represents rootThe highest k values are indexed according to the input. The value of k may be selected by the user according to the desired degree of sparseness.
In order to capture the relationship between sensors, in the embodiment of the present disclosure, a feature extractor is designed based on graph attention, and the information of the nodes and the adjacent nodes is fused based on the learned graph structure. Unlike existing ideographic mechanisms, the feature extractor integrates a sensor-embedded vector v i To describe different behavior of different types of sensors. To this end, the aggregate representation z of node i i The calculation process of (2) can be expressed as follows:
wherein,is the input feature of node i, N (i) = { j|a ji > 0 is the neighbor set of node i obtained in the learned adjacency matrix A, W ε R d×w Is a trainable weight matrix for carrying out shared linear transformation on each node, and attention coefficient alpha is calculated i,j Can be expressed as:
wherein,represents a connection, thus->Embedding a sensor v i And the corresponding transformed features->In connection, a is a learning coefficient vector of the attention mechanism. The attention coefficient may be calculated using LeekyReLU as a nonlinear activation, normalized using the softmax function in equation (13).
S102, obtaining a predicted value of the sensor at the target moment according to the feature vector, and obtaining a predicted error based on the predicted value and the sensor observation value, so as to judge the abnormal detection result of each sensor time sequence according to the predicted error.
A time series anomaly detection model (Time series anomaly detection based on multi-modal variable correlation, MMVC-MTAD) based on multi-modal variable correlation can be shown in fig. 2, where the target output that the model needs to predict is sensor data at the current time, by employing a bilateral sliding window as the input of the model and learning the relationship between different time series using multi-modal variable correlation to diagnose anomalies by identifying relationship deviations. In the figure, the feature extractor obtains a time domain feature vector and a frequency domain feature vector based on embedding and wavelet transformation of original time sequence features, obtains feature vectors with sensor association relation structure information of each module based on adjacency matrix and graph meaning force learning, and the feature vectors of all N sensor nodes can be expressed asIn the output layer of the model, for each +.>Embedding it with a corresponding time sequence into v i Element-by-element multiplication (denoted +.>) The result of all nodes is used as the input of a stacked full-connection layer, the output dimension of the full-connection layer is N, and the sensor vector value at the time t is predicted, namely s' (t) :
Model predictive output is denoted s' (t) . Available predicted output s' (t) And observed data s (t) The mean square error (Mean Squared Error) is used as a minimum loss function, training optimization is carried out on the model based on the minimum loss function, and deployment application is carried out in a service scene by utilizing the trained target model, wherein the minimum loss function can be expressed as:
wherein, determining the abnormal detection result of each sensor time sequence according to the prediction error can comprise:
firstly, carrying out robust normalization on the prediction error of each sensor by combining the median and the quartile of a time step interval of a prediction error target moment;
and then, aggregating the prediction errors after robust normalization of the target time by using a max function, and marking the target time as an abnormal time step and outputting when the aggregation result exceeds a preset threshold value.
In the abnormality detection section, the model calculates an error value by comparing the expected behavior with the actually observed behavior at time t as a prediction error, and considers the data at time t to be abnormal when the prediction error exceeds a set threshold. Since multivariate data corresponds to multiple sensors, it is desirable to be able to locate which sensors are abnormal based on learning the graph structure, so the model needs to calculate a separate anomaly score for each sensor, and the prediction error calculation process at time t for sensor i can be expressed as follows:
because different sensors have different characteristics, their bias values may also have different dimensions. In order to prevent the deviation of any one sensor from excessively affecting other sensors, in the embodiment, the error value of each sensor is subjected to robust normalization:
mu and sigma are Err respectively i The median and quartile of the time step interval of the (t) value. In the present embodiment, median and IQR are used instead of mean and standard deviation because they are more robust to anomalies.
To calculate the overall anomaly at time t, in this case the sensors are also aggregated using the max function (max is used because anomalies affect only a small fraction of sensors, even a single sensor is reasonable):
if A (t) exceeds a fixed threshold, the time step t is marked as abnormal.
Further, based on the above method, the embodiment of the present invention further provides a sensor timing anomaly detection system based on multi-modal variable correlation, including: a feature extraction module and an abnormality detection module, wherein,
the feature extraction module is used for collecting time sequence data corresponding to each module sensor in the service scene at the two ends of the target moment through the bilateral sliding window, and acquiring feature vectors with the association relation structure information of each module sensor based on the time sequence data by using a graph attention mechanism;
the anomaly detection module is used for obtaining a predicted value of the sensor at the target moment according to the feature vector, and obtaining a predicted error based on the predicted value and the sensor observation value so as to judge the time sequence anomaly detection result of each sensor according to the predicted error.
To verify the validity of this protocol, the following is further explained in connection with experimental data:
the multivariate time series data set used in the experiment included:
1) SWaT and WADI datasets. Because real world data sets with real anomaly markers are very scarce, especially for large plants and factories, two sensor data sets based on water treatment physical test platform systems can be used in experiments: SWaT and WADI, operators simulate the attack scenario of a real water treatment plant and record it as a real anomaly. SWaT (Secure Water Treatment) data set comes from a water treatment bench. It represents a small-scale version of a realistic modern information physical system, integrating digital and physical elements to control and monitor system behavior. Such systems are increasingly being used in critical areas, including power plants and the internet of things, which require protection against potential attacks from malicious attackers. As an extension of SWaT, WADI (Water Distribution) is a distribution system consisting of a large number of water distribution pipes. Thus, a more complete and more realistic water treatment, storage and distribution network is formed. The dataset contains two weeks of data from normal operation, which are used as training data for the respective model. During the next few days, some controlled physical attacks will be performed at different time intervals, corresponding to anomalies in the test set.
2) An SMD data set. SMD is a new data set collected and published from a large internet company for 5 weeks. It contains data from 28 servers, each monitored by m=33 metrics. SMDs are divided into two equal-sized subsets: the first half is the training set and the second half is the test set. The relevant dataset statistics are shown in table 1:
table 1 data set statistics
1. Abnormality detection analysis
The MMVC-MTAD proposed in the present embodiment is evaluated by comparison with other models for anomaly detection. The experimental results are shown in table 1. The performance of the protocol and baseline model can be evaluated specifically using precision (Prec), recovery (Rec), F1-Score (F1) and AUC versus test dataset and its true tag values: f1 =2×prec×rec/prec+rec, where prec=tp/tp+fp, rec=tp/tp+fn, TP, TN, FP, FN are the number of true positives, true negatives, false positives, and false negatives. Note that the dataset is unbalanced, which justifies the selection of these indicators for unbalanced data. To detect anomalies, a threshold is set using the maximum anomaly score on the validation dataset. During testing, any step in time when the anomaly score exceeds a threshold will be considered an anomaly.
TABLE 2 abnormality detection results
It can be seen from table 1 that the MMVC-MTAD model proposed in the present example exceeds the baseline model on most of the metrics on SwaT, WADI and SMD datasets. For example, on SWaT dataset, MMVC-MTAD increased 34.77% over AnoGAN by Pre, 3.73% by Recall by 17.1% by F1 and 4.13% by AUC, demonstrating that MMVC-MTAD can better predict and anomaly detect surrounding neighbor information by considering variable correlation for models such as AnoGAN and ALAD that do not consider variable correlation.
Compared with GDN, MMVC-MTAD is improved by 0.76% on Pre, 3.27% on Recall, 2.58% on F1 and 0.46% on AUC, which proves that the MMVC-MTAD can fully utilize local time dependence by adopting a bilateral sliding window as input for GDN and further realize more efficient prediction and anomaly detection; and furthermore, the graph structure learning is carried out by only considering the single-mode characteristics for the GDN, the MMVC-MTAD carries out the graph structure learning by combining the time domain and the frequency domain characteristic space, so that more reasonable graph structures can be obtained by fully utilizing the informatics of a plurality of characteristic spaces, further, the more efficient anomaly detection is realized, and the defect that the traditional single-mode method can only utilize a single data space for learning is overcome.
Experimental results show that the MMVC-MTAD model provided in the embodiment of the scheme is generally superior to the traditional GAN-based model, AE-based model and GNN-based model, and the scheme uses a bilateral sliding window as input, so that local dependency relationship of a time sequence can be better utilized, graph structure learning is conducted by combining time domain and frequency domain feature spaces, more reasonable graph structures can be obtained by utilizing informatics of a plurality of modal spaces, further, higher-efficiency anomaly detection is achieved, and the defect that a traditional single-modal method can only utilize a single data space for learning is overcome.
2. Ablation experimental analysis
In order to verify the effective type of each part in the model, the invention carries out an MMVC-MTAD ablation experiment, and the model structures in 4 are respectively as follows:
1) GNN model. And using a unilateral sliding window as input, and learning the graph structure by using a single-mode characteristic.
2) MMVC-MTAD w/o (without) BSW model. A bilateral sliding window is not used in the MMVC-MTAD model.
3) MMVC-MTAD w/o (without) Multi (Multimodal) model. The multi-modal features are not used in the MMVC-MTAD model for graph structure learning.
4) MMVC-MTAD model. The model proposed in the embodiment of the present application uses a bilateral sliding window as a model input, and uses a spearman correlation coefficient to perform similarity calculation and multi-mode features to perform graph structure learning.
Table 3 ablation experiments
As can be seen from Table 2, compared with a model only using single-mode characteristics, the addition of the multi-mode structure learning graph structure (MMVC-MTAD w/o BSW) improves the highest of the model by 1.75%, 10.56% and 3.67% on AUC, recall, F1, and proves that the multi-mode characteristics can jointly learn the characteristic relation of a plurality of characteristic spaces. Compared with a model using only a single-side sliding window, the model added with the double-side sliding window method (MMVC-MTAD w/o Multi) is improved by 1.34%, 7.23% and 4.87% at the highest on AUC, pre, reacll, F1. The final model was improved by 1.89%, 0.76%, 6.63%, 6.82% at AUC, pre, recall, F, respectively, as compared to the model without the use of the bilateral sliding window and the multi-modal features and the spearman coefficients. The bilateral sliding window can better capture local time dependency, the multi-modal features can jointly learn the feature relation of a plurality of feature spaces, and a better graph structure can be learned, so that time sequence prediction and anomaly detection are better carried out, and the exceeding of detection performance is realized.
3. Parameter analysis
Effect of different parameters on model MMVC-MTAD performance, all experiments were done using the SwaT dataset.
Parameters W (window size): is the response of the model to different window sizes of the input data. The window size may affect the extent to which the local information is utilized, affecting the effect of the prediction. The experimental results are shown in FIG. 3, which gives the results of five different window sizes w.epsilon. 5,10,20,50,100, from which it can be seen that at different W values, the F1-Score stabilized within the [78.00%,81.00% ] range, with the float range remaining within 3.0%. This indicates that MMVC-MTAD is insensitive to the setting of parameter W.
Parameter D: is the dimension dim of the sensor embedding V. As shown in FIG. 4, the results of five different sizes of d.epsilon. 16,32,64,128,256 are given, from which it can be seen that F1-Score stabilizes at different D values
[78.00%,81.00% ] range, the floating range is kept within 3.0%. This indicates that MMVC-MTAD is insensitive to the setting of parameter D.
4. Sensor visual analysis
To interpret the learned model, its sensor embedding vectors may be visualized, for example, using t-SNE, as shown in FIG. 5 for the SWaT dataset and FIG. 6 for the WADI dataset, the similarity of the embedding spaces represents the similarity between the sensor behaviors, so examining the visualized graphs can allow the user to infer a set of sensors that behave similarly.
To verify this, different kinds of nodes are colored by using different kinds of colors, such as various sensors and actuators in the WADI system, such as flow indication transmitters, pressure gauges, analyzer indication transmitters, liquid level meters and other sensors, and conveying pumps, valves, liquid level switches and other actuators, so that local clusters in the projection two-dimensional space can be represented, and the effectiveness of the learned feature representation in reflecting the behavior similarity of the local sensors or actuators is further verified.
The experimental data results can show that the scheme can fully consider the time dependence at two ends of the time step through the bilateral sliding window, can better capture local data change trend, and obtain the association relation of the actual sensor by considering the variable correlation, so as to obtain the node characteristics with the structural information, and can predict more accurately. The model is trained on normal data to obtain a potential change rule of the normal data, the trained model is deployed in a target business scene, the data at a certain moment can be predicted by using the learned model, and the time sequence abnormality is judged by comparing a prediction error with a preset threshold value, so that the abnormality detection of the multivariable time sequence is realized, and the method has a good application prospect.
The relative steps, numerical expressions and numerical values of the components and steps set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
In the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other. For the system disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
The elements and method steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or a combination thereof, and the elements and steps of the examples have been generally described in terms of functionality in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Those of ordinary skill in the art may implement the described functionality using different methods for each particular application, but such implementation is not considered to be beyond the scope of the present invention.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the above methods may be performed by a program that instructs associated hardware, and that the program may be stored on a computer readable storage medium, such as: read-only memory, magnetic or optical disk, etc. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits, and accordingly, each module/unit in the above embodiments may be implemented in hardware or may be implemented in a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention, and are not intended to limit the scope of the present invention, but it should be understood by those skilled in the art that the present invention is not limited thereto, and that the present invention is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A sensor time sequence abnormality detection method based on multi-modal variable correlation is characterized by comprising the following steps:
collecting time sequence data corresponding to each module sensor in service scenes at two ends of a target moment through a bilateral sliding window, and acquiring feature vectors with association relation structure information of each module sensor based on the time sequence data by using a graph attention mechanism;
and obtaining a predicted value of the sensor at the target moment according to the feature vector, and obtaining a predicted error based on the predicted value and the sensor observed value, so as to judge the abnormal detection result of each sensor time sequence according to the predicted error.
2. The method for detecting sensor timing anomalies based on multi-modal variable correlation according to claim 1, wherein collecting timing data corresponding to each module sensor at both ends of a target time through a bilateral sliding window includes:
firstly, collecting historical time sequence data of sensors of each module in a business scene;
and then, acquiring time sequence data of each module sensor under preset time lengths at the front end and the rear end of the target moment based on the historical time sequence data.
3. The method for detecting sensor timing anomalies based on multi-modal variable correlation according to claim 1, wherein obtaining feature vectors with sensor association structure information for each module based on the timing data and using a graph attention mechanism includes:
firstly, selecting a sensor as a target sensor of an abnormal behavior detection object, using other sensors in a business scene as candidate sensors, and representing a directed graph between the candidate sensors with a dependency relationship with the target sensor by using an adjacency matrix;
then, respectively acquiring the time domain feature similarity and the frequency domain feature similarity of the target sensor and the candidate sensor based on the time sequence data, and acquiring the correlation between the target sensor and the candidate sensor according to the time domain feature similarity and the frequency domain feature similarity;
and then, obtaining an adjacent matrix representation of the target sensor according to a topK method, taking the adjacent matrix representation as a learned graph structure, fusing time domain data features of the target sensor and the candidate sensor nodes based on a graph attention mechanism, and obtaining a final feature vector with the association relation structure information of the sensor of each module according to the fused features.
4. The method for detecting sensor timing anomalies based on multi-modal variable correlation according to claim 3, wherein the step of acquiring the feature similarities of the target sensor and the candidate sensor in the time domain and the feature similarities in the frequency domain based on the timing data respectively includes:
firstly, time domain feature embedded vectors of all sensors are obtained by utilizing time sequence data, and the similarity of a target sensor and a candidate sensor on time domain features is calculated based on the time domain feature embedded vectors;
then, each time domain feature embedded vector is transformed to a frequency domain according to wavelet transformation to obtain a corresponding frequency domain feature vector; and calculating the similarity of the target sensor and the candidate sensor on the frequency domain feature based on the frequency domain feature vector.
5. The method for detecting sensor timing anomalies based on multi-modal variable correlation as set forth in claim 3, wherein a correlation e between the target sensor i and the candidate sensor j ij The calculation process of (1) is expressed as follows:wherein (1)> And respectively representing the time domain feature similarity and the frequency domain feature similarity between the target sensor node i and the candidate sensor node j.
6. The sensor timing anomaly detection based on multi-modal variable correlation of claim 3The method is characterized in that the process of fusing time domain data characteristics of both the target sensor and the candidate sensor nodes based on a graph attention mechanism is expressed as follows:wherein (1)>Feature vector fused by target sensor node i at target time t, reLU () represents activation function, alpha i,j Representing the attention coefficient between a target sensor node i and its candidate sensor neighbor node j, W is a trainable weight matrix with each node sharing a linear transformation,/for each node>Time sequence data characteristics of a target sensor node i and a candidate sensor neighbor node j at a target moment t are respectively represented, and N (i) represents a candidate sensor neighbor node set of the target sensor node i.
7. The method for detecting sensor timing anomaly based on multi-modal variable correlation according to claim 1, wherein determining each sensor timing anomaly detection result based on a prediction error comprises:
firstly, carrying out robust normalization on the prediction error of each sensor by combining the median and the quartile of a time step interval of a prediction error target moment;
and then, aggregating the prediction errors after robust normalization of the target time by using a max function, and marking the target time as an abnormal time step and outputting when the aggregation result exceeds a preset threshold value.
8. A sensor timing anomaly detection system based on multi-modal variable correlation, comprising: a feature extraction module and an abnormality detection module, wherein,
the feature extraction module is used for collecting time sequence data corresponding to each module sensor in the service scene at the two ends of the target moment through the bilateral sliding window, and acquiring feature vectors with the association relation structure information of each module sensor based on the time sequence data by using a graph attention mechanism;
the anomaly detection module is used for obtaining a predicted value of the sensor at the target moment according to the feature vector, and obtaining a predicted error based on the predicted value and the sensor observation value so as to judge the time sequence anomaly detection result of each sensor according to the predicted error.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any of claims 1 to 7.
10. An electronic device, comprising:
at least one processor, and a memory coupled to the at least one processor;
wherein the memory stores a computer program executable by the at least one processor to implement the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311732146.0A CN117708738A (en) | 2023-12-16 | 2023-12-16 | Sensor time sequence anomaly detection method and system based on multi-modal variable correlation |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311732146.0A CN117708738A (en) | 2023-12-16 | 2023-12-16 | Sensor time sequence anomaly detection method and system based on multi-modal variable correlation |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117708738A true CN117708738A (en) | 2024-03-15 |
Family
ID=90147551
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311732146.0A Pending CN117708738A (en) | 2023-12-16 | 2023-12-16 | Sensor time sequence anomaly detection method and system based on multi-modal variable correlation |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117708738A (en) |
-
2023
- 2023-12-16 CN CN202311732146.0A patent/CN117708738A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Li et al. | Anomaly detection with generative adversarial networks for multivariate time series | |
| US20210334656A1 (en) | Computer-implemented method, computer program product and system for anomaly detection and/or predictive maintenance | |
| JP6740247B2 (en) | Anomaly detection system, anomaly detection method, anomaly detection program and learned model generation method | |
| Khelif et al. | Direct remaining useful life estimation based on support vector regression | |
| JP6609050B2 (en) | Anomalous fusion in temporal causal graphs | |
| Marzat et al. | Worst-case global optimization of black-box functions through Kriging and relaxation | |
| JP6811276B2 (en) | Sparse neural network-based anomaly detection in multidimensional time series | |
| US9245235B2 (en) | Integrated approach to model time series dynamics in complex physical systems | |
| JP2019061565A (en) | Abnormality diagnostic method and abnormality diagnostic device | |
| Cheng et al. | Using cross-validation for model parameter selection of sequential probability ratio test | |
| CN112202726B (en) | System anomaly detection method based on context sensing | |
| CN110138614B (en) | Tensor model-based online network flow anomaly detection method and system | |
| US20230316720A1 (en) | Anomaly detection apparatus, anomaly detection method, and program | |
| Karthik et al. | Data trust model for event detection in wireless sensor networks using data correlation techniques | |
| US11411983B2 (en) | Dynamic, resilient sensing system for automatic cyber-attack neutralization | |
| Khorasgani et al. | A methodology for monitoring smart buildings with incomplete models | |
| CN116402777B (en) | Power equipment detection method and system based on machine vision | |
| Zhou et al. | Performance evaluation method for network monitoring based on separable temporal exponential random graph models with application to the study of autocorrelation effects | |
| CN117708738A (en) | Sensor time sequence anomaly detection method and system based on multi-modal variable correlation | |
| Wang et al. | DVGTformer: A dual-view graph Transformer to fuse multi-sensor signals for remaining useful life prediction | |
| CN114598627A (en) | Abnormal network information detection method based on knowledge graph | |
| Sarkar et al. | Spatiotemporal information fusion for fault detection in shipboard auxiliary systems | |
| Pradhan | A Dynamic Bayesian Network Framework for Data-Driven Fault Diagnosis and Prognosis of Smart Building Systems | |
| CN116541794B (en) | Sensor data anomaly detection method based on self-adaptive graph annotation network | |
| CN115865458B (en) | Network attack behavior detection method, system and terminal based on LSTM and GAT algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |