TWI721693B - Network behavior anomaly detection system and method based on mobile internet of things - Google Patents

Network behavior anomaly detection system and method based on mobile internet of things

Info

Publication number: TWI721693B
Authority: TW (Taiwan)
Prior art keywords: network, data, anomaly detection, abnormal, terminal
Application number: TW108144919A
Other languages: Chinese (zh)
Other versions: TW202123654A (en)
Inventors: 王柏崴, 陳俊廷, 梁原誠
Original assignee: 中華電信股份有限公司

Abstract

The invention discloses a network behavior anomaly detection system and method based on the mobile Internet of Things (IoT). The system includes a network terminal anomaly detection module and a network topology anomaly detection module. The network terminal anomaly detection module has a signaling anomaly detection mechanism, a traffic anomaly detection mechanism and a connection state anomaly detection mechanism to detect abnormalities of the signaling, the traffic and the connection state of the network terminal, respectively. The network topology anomaly detection module has a cell data analysis mechanism and an IoT terminal group data analysis mechanism to detect abnormalities of the cell and the IoT terminal group.

Description

Network behavior anomaly detection system and method based on mobile Internet of Things

The present invention relates to network behavior anomaly detection technology, and more specifically to a network behavior anomaly detection system and method based on the mobile Internet of Things.

In recent years, as mobile Internet of Things (IoT) services have continued to grow, the number of IoT terminals has increased sharply, and mobile network operators are actively deploying IoT monitoring systems so that they can quickly grasp the connection status of IoT terminals and optimize the quality of their own networks.

Conventional IoT network behavior anomaly detection requires analysis on the IoT terminals themselves, or additional devices attached to some of the terminals. Besides limiting the number of samples, this conventional approach sharply increases cost. In particular, because IoT terminals are numerous and scattered across many locations, manual monitoring and maintenance is clearly inefficient, and it is difficult to know the true state of each terminal. Moreover, because it is hard to determine whether a terminal is really abnormal, the network behavior of abnormal terminals cannot be labeled. Furthermore, the lack of an automated mechanism for judging IoT terminal anomalies, together with detection methods that are not comprehensive and have low precision, makes it difficult for mobile operators to keep track of the operating status of a large number of IoT terminals.

Therefore, how to provide a novel or innovative network behavior anomaly detection technology based on the mobile Internet of Things has become a major research topic for those skilled in the art.

The present invention provides a network behavior anomaly detection system based on the mobile Internet of Things, including: a network terminal anomaly detection module, which has a signaling plane anomaly detection mechanism, a traffic plane anomaly detection mechanism and a connection state anomaly detection mechanism to detect anomalies in the signaling plane, the traffic plane and the connection state of a network terminal, respectively; and a network topology anomaly detection module, which has a cell-level data analysis mechanism and an IoT terminal group-level data analysis mechanism to detect anomalies of cells and of IoT terminal groups, respectively.

In one embodiment, the network behavior anomaly detection system includes a network feature collection module for collecting signaling plane data, traffic plane data and connection state data of the mobile network, and for aggregating and preprocessing the signaling plane data, traffic plane data and connection state data.

In one embodiment, the network feature collection module executes the following procedure: determining whether historical data exists for the network terminal and, if there is no historical data, collecting historical time-sliced data to obtain the signaling plane data and traffic plane data of the mobile network and the offline time of the network terminal within a predetermined period; collecting the latest time-sliced data to obtain the signaling plane data and traffic plane data of the mobile network; and aggregating and preprocessing the historical time-sliced data and the latest time-sliced data, and updating the historical data.

In one embodiment, the signaling plane anomaly detection mechanism of the network terminal anomaly detection module includes the following procedure: periodically importing the signaling plane historical data of the network terminals and retraining the signaling plane anomaly determination model on that data to update the model parameters; importing the latest time-sliced signaling plane data of the network terminals; performing anomaly determination with the signaling plane anomaly determination model; and exporting a list of abnormal network terminals.

In one embodiment, the signaling plane anomaly determination model is used for abnormal sample identification and abnormal cause inference, where abnormal samples are identified by an outlier determination algorithm, and abnormal cause inference aggregates and records the behavioral features that caused the sample to be an outlier.

In one embodiment, the traffic plane anomaly detection mechanism of the network terminal anomaly detection module includes the following procedure: periodically importing the traffic plane historical data of the network terminals; retraining the traffic plane anomaly determination model on the traffic plane historical data; using the traffic plane anomaly determination model to predict the operating trajectory of each network terminal for the current day; importing the latest time-sliced traffic plane data of the network terminals; detecting whether a network terminal is abnormal; and exporting a list of abnormal network terminals.

In one embodiment, the traffic plane anomaly determination model is a time series model, for example an Autoregressive Integrated Moving Average (ARIMA) model; the predicted operating trajectory of the network terminal for the current day includes predicted values and confidence intervals; and whether the network terminal is abnormal is determined by comparing the predicted values with the actual values.

In one embodiment, the connection state anomaly detection mechanism of the network terminal anomaly detection module includes the following procedure: importing the offline time historical data of each IoT terminal group; using an offline time threshold determination model to decide the offline threshold of each IoT terminal group; determining in real time the connection state of the network terminals in each IoT terminal group and, if the connection state is offline, determining from the offline threshold whether the offline period of the network terminal is too long; and exporting the network terminals whose offline period is too long together with their offline times.

In one embodiment, the offline time threshold determination model decides the offline threshold by means of a univariate clustering algorithm.

In one embodiment, the cell-level data analysis mechanism of the network topology anomaly detection module includes the following procedure: performing resident cell determination, in which the cell to which a network terminal connects most frequently is selected, and that cell is deemed a resident cell when the number of network terminals connected to it within a recent period exceeds a predetermined threshold; importing the signaling plane data and traffic plane data of the mobile network and the connection state data of each network terminal, and filtering the data related to the resident cells; and determining whether each resident cell is abnormal from the signaling plane, the traffic plane and the connection state, respectively.

In one embodiment, the IoT terminal group-level data analysis mechanism of the network topology anomaly detection module includes the following procedure: marking as active network terminals those network terminals in each IoT terminal group that have been online within a recent period; importing the signaling plane data and traffic plane data of the mobile network and the connection state data of each network terminal, and filtering the data related to the active network terminals; and determining whether each IoT terminal group is abnormal from the signaling plane, the traffic plane and the connection state, respectively.

The present invention also provides a network behavior anomaly detection method based on the mobile Internet of Things, including: capturing signaling plane data, traffic plane data and connection state data of a mobile network; processing the signaling plane data with an outlier algorithm to detect whether the signaling plane of the mobile network is abnormal; processing the traffic plane data with a time series model and making predictions to determine whether the traffic plane of the mobile network is abnormal; and processing the connection state data with a univariate clustering algorithm to detect whether the connection state of the mobile network is abnormal.

In one embodiment, the network behavior anomaly detection method further includes: performing resident cell determination; filtering the signaling plane data, traffic plane data and connection state data that belong to the resident cells; and determining whether each resident cell is abnormal from the signaling plane, the traffic plane and the connection state, respectively.

In one embodiment, the network behavior anomaly detection method further includes: finding the network terminals in each IoT terminal group that have recently been connected; filtering the signaling plane data, traffic plane data and connection state data related to those network terminals; and determining whether each IoT terminal group is abnormal from the signaling plane, the traffic plane and the connection state, respectively.

The network behavior anomaly detection system and method based on the mobile Internet of Things of the present invention have at least the following advantages or technical effects.

First, by collecting mobile network data, the connection behavior between the terminals and the network side is modeled with artificial intelligence algorithms such as time series and outlier analysis to build an IoT terminal abnormal behavior detection model. The actual usage of all terminals of the mobile IoT can therefore be analyzed effectively, without observing each terminal as the conventional technology requires. Moreover, even when an IoT terminal is damaged and loses its connection, the detection model of the present invention can detect the anomaly at the first moment, without affecting operating performance.

Furthermore, the signaling plane anomaly detection mechanism, traffic plane anomaly detection mechanism and connection state anomaly detection mechanism of the present invention perform comprehensive abnormal behavior detection on signaling, traffic and connection state, respectively, and the detection mechanisms are automated end to end, which effectively improves the efficiency of operating and maintaining a large number of IoT terminals.

In addition, because the training model of the present invention introduces the concept of a moving window, the detection model can be adjusted periodically (for example daily or hourly) according to the most recently collected data, so it can fully and effectively follow changing trends in IoT terminal behavior.

1: Network behavior anomaly detection system
10: Network feature collection module
101: Signaling plane data
102: Traffic plane data
103: Connection state data
11: Network terminal anomaly detection module
111: Signaling plane anomaly detection mechanism
112: Traffic plane anomaly detection mechanism
113: Connection state anomaly detection mechanism
12: Network topology anomaly detection module
121: Cell-level data analysis mechanism
122: IoT terminal group-level data analysis mechanism
13: Operations and maintenance (O&M) query interface
14: O&M end
S21 to S26, S31 to S35: Steps
S41 to S46, S51 to S55: Steps
S61 to S65, S651 to S659: Steps
S71 to S75, S751 to S758: Steps
S81 to S84, S851 to S853: Steps
S861 to S863: Steps

Figure 1 shows a schematic block diagram of the network behavior anomaly detection system based on the mobile Internet of Things of the present invention;

Figure 2 shows the operation flow chart of the network feature collection module of the present invention;

Figure 3 shows a flow chart of the signaling plane anomaly detection mechanism of the present invention;

Figure 4 shows a flow chart of the traffic plane anomaly detection mechanism of the present invention;

Figure 5 shows a flow chart of the connection state anomaly detection mechanism of the present invention;

Figure 6 shows a flow chart of the cell-level data analysis mechanism of the present invention;

Figure 7 shows a flow chart of the IoT terminal group-level data analysis mechanism of the present invention; and

Figure 8 shows a flow chart of the network behavior anomaly detection method based on the mobile Internet of Things of the present invention.

The following specific embodiments illustrate the implementation of the present invention; those skilled in the art can readily understand the advantages and effects of the present invention from the content disclosed in this specification.

Figure 1 shows a schematic block diagram of the network behavior anomaly detection system 1 based on the mobile Internet of Things of the present invention. The main components of the network behavior anomaly detection system 1 include a network terminal anomaly detection module 11 and a network topology anomaly detection module 12; for example, the network terminal anomaly detection module 11 or the network topology anomaly detection module 12 may be a hardware detector or a software detection program. The network terminal anomaly detection module 11 includes a signaling plane anomaly detection mechanism 111, a traffic plane anomaly detection mechanism 112 and a connection state anomaly detection mechanism 113, which detect anomalies in the signaling plane, the traffic plane and the connection state of a network terminal, respectively. The network topology anomaly detection module 12 includes a cell-level data analysis mechanism 121 and an IoT terminal group-level data analysis mechanism 122, which detect anomalies of cells and of IoT terminal groups, respectively. The term "cell" here refers to a base station of the mobile network.

As shown in Figure 1, the network behavior anomaly detection system 1 may include a network feature collection module 10, for example a hardware collector or a software collection program. The network feature collection module 10 collects the signaling plane data 101, traffic plane data 102 and connection state data 103 of the network terminals, and aggregates and preprocesses the signaling plane data 101, traffic plane data 102 and connection state data 103. The mobile network data collected and aggregated by the network feature collection module 10 is provided to the network terminal anomaly detection module 11 and the network topology anomaly detection module 12, which perform anomaly detection and determination based on this data.

In one embodiment, the network feature collection module 10 may use a signal capture unit to automatically and periodically capture the signaling and traffic data that the network terminals exchange across network interfaces, analyze the terminals' connection behavior and offline information from the signaling plane, and analyze the Internet access information of the terminals' application services from the traffic plane. The network feature collection module 10 can therefore periodically aggregate the data of the network terminals of a specific IoT deployment and preprocess it at the same time, then store the preprocessed results in a database for the model training and automated detection mechanisms of the network terminal anomaly detection module 11 and the network topology anomaly detection module 12.

Based on the data for each aspect generated by the network feature collection module 10, the network terminal anomaly detection module 11 executes the signaling plane anomaly detection mechanism 111, the traffic plane anomaly detection mechanism 112 and the connection state anomaly detection mechanism 113, performs anomaly detection on the network terminals in each aspect using methods such as outlier algorithms and time series analysis, and stores the detection results in the database for use by the O&M query interface 13 and for subsequent analysis by the network topology anomaly detection module 12. The network terminal anomaly detection module 11 also adjusts its algorithms and model parameters according to the detection verification results and feedback from the O&M end 14. In addition, O&M personnel can use the O&M end 14 to give the network feature collection module 10 the list of subscriber numbers of the network terminals to be collected.

The network topology anomaly detection module 12 is responsible for analysis against the detection baselines of various network topologies. Besides the cells and IoT terminal groups mentioned above, the applicable network topologies include the Access Point Name (APN), and can be extended to various mobile network elements such as the Packet Gateway. In this embodiment, taking cells and IoT terminal groups as examples, the network topology anomaly detection module 12 may include the cell-level data analysis mechanism 121 and the IoT terminal group-level data analysis mechanism 122. It further integrates the statistics and anomaly lists produced by the network feature collection module 10 and the network terminal anomaly detection module 11, detects abnormal states with the configured network topology analysis logic, and can write the results to a database or any storage medium for O&M personnel to access.

It is worth noting that the network feature collection module 10, the network terminal anomaly detection module 11 and the network topology anomaly detection module 12 may be deployed on the same hardware platform, with communication between the modules carried out through a program interface; alternatively, they may be deployed on different hardware platforms, with communication between the modules carried out through an IP (Internet Protocol) based communication protocol. The mobile networks on which the present invention can be implemented include, for example, UMTS (Universal Mobile Telecommunications System) mobile networks, LTE (Long Term Evolution) mobile networks and 5G mobile networks, but are not limited to these.

Figure 2 shows the operation flow chart of the network feature collection module 10 of the present invention, which includes the following steps and is described with reference to Figure 1. First, the network feature collection module 10 periodically (for example daily) determines whether historical data exists for the network terminals (step S21), that is, whether the network terminals of interest on the O&M personnel's subscriber number list have historical data available for model training. If there is no historical data, historical time-sliced data is collected again (step S22) to obtain the signaling plane data 101 and traffic plane data 102 of the mobile network and the offline time of the network terminals within a predetermined period. If historical data exists, it is read directly (step S23). Separately, the latest time-sliced data is collected periodically (for example hourly) (step S24) to obtain the latest signaling plane data 101 and traffic plane data 102 of the mobile network. The historical time-sliced data and the latest time-sliced data are then aggregated and preprocessed (step S25), after which the historical data is updated and the latest data is exported (step S26).

In one embodiment, taking an LTE mobile network as an example, the signaling plane data 101 may include, for each network terminal per hour, the number of control signaling messages (for example Attach, Track Area Update, Handover, Path Switch, Service Request (normal), Service Request (abnormal), Control Plane Service Request, ESM data transport) and the number of resident cells, and the traffic plane data 102 may include the network terminal's download volume, upload volume, downlink throughput, uplink throughput and LTE packet count ratio. In addition, the offline information of the network terminals can be aggregated from the accounting signaling (such as Radius accounting) data of the mobile network.

Figure 3 shows the flow chart of the signaling plane anomaly detection mechanism of the present invention, which includes the following steps. First, the signaling plane historical data of the network terminals is imported periodically (for example daily) (step S31). Next, the signaling plane anomaly determination model is trained on the signaling plane historical data (step S32) to update the model parameters. Separately, the latest time-sliced signaling plane data of the network terminals is imported (step S33), and the updated signaling plane anomaly determination model is used for anomaly determination (step S34). Once the anomaly determination is complete, the list of abnormal network terminals is exported (step S35).

The signaling plane anomaly determination model is mainly used for abnormal sample identification and abnormal cause inference. Abnormal sample identification is performed by an outlier determination algorithm (for example Isolation Forest and/or Local Outlier Factor); its purpose is to pick out outlier samples with unusual behavior and treat them as abnormal. Once the outlier ratio and the training data have been set, the model can decide whether data from the same distribution is an outlier. Abnormal cause inference aggregates and records the behavioral features that caused the sample to be an outlier, for example an outlier caused by one feature value being too high. To this end, O&M personnel can examine the extreme value (for example the 99th percentile) of the historical data of each feature and use that extreme value as the criterion for judging an outlier anomaly.

It should also be pointed out that, because the signaling plane anomaly detection mechanism imports the latest time-sliced data every hour and the process above yields the day's determination model parameters, such as the outlier parameters, and the extreme value of each feature, the list of abnormal subscriber numbers and their causes is available immediately after the anomaly determination comparison. Specifically, the abnormal sample identification above uses the outlier algorithm to compute the outlier threshold of each feature value; each feature value is then checked one by one against its outlier threshold, and the features that exceed it are entered in the cause (phenomenon) field.
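The signaling plane flow above, written out as an added example (not code from the patent): Local Outlier Factor, one of the two algorithms named, is trained on history, the outlier ratio fixes the score cut-off, and features above their 99th-percentile extreme value go into the cause field. The three feature names, the subscriber IDs and all sample values are constructed, and `k`, the 5% outlier ratio and the nearest-rank percentile are assumptions.

```python
import math

# Per-terminal hourly signaling counts; the three feature names are a
# constructed subset of the LTE control messages listed earlier.
FEATURES = ("attach", "tracking_area_update", "service_request_abnormal")


def nearest(point, rows, k, skip=None):
    """k nearest rows as (distance, index); `skip` excludes the point itself."""
    ranked = sorted((math.dist(point, r), j) for j, r in enumerate(rows) if j != skip)
    return ranked[:k]


def percentile(values, q):
    """Nearest-rank percentile for 0 < q <= 1."""
    ordered = sorted(values)
    return ordered[math.ceil(q * len(ordered)) - 1]


class SignalingModel:
    """Local Outlier Factor trained on history, plus per-feature extreme values."""

    def __init__(self, history, k=4, outlier_ratio=0.05, extreme_q=0.99):
        self.history, self.k = history, k
        neigh = [nearest(r, history, k, skip=i) for i, r in enumerate(history)]
        self.kdist = [n[-1][0] for n in neigh]      # distance to the k-th neighbour
        self.lrd = [self._lrd(n) for n in neigh]    # local reachability density
        scores = [self._lof(n, self.lrd[i]) for i, n in enumerate(neigh)]
        # The outlier ratio fixes the LOF cut-off: the top `outlier_ratio`
        # share of the training scores lies at or above it.
        self.lof_threshold = percentile(scores, 1.0 - outlier_ratio)
        self.extremes = {name: percentile([r[c] for r in history], extreme_q)
                         for c, name in enumerate(FEATURES)}

    def _lrd(self, neigh):
        reach = [max(self.kdist[j], d) for d, j in neigh]
        # Guard against identical rows, which would give a zero mean distance.
        return 1.0 / max(sum(reach) / len(reach), 1e-12)

    def _lof(self, neigh, lrd_point):
        return sum(self.lrd[j] for _, j in neigh) / (len(neigh) * lrd_point)

    def judge(self, sample):
        """Return (is_outlier, lof_score, causes) for one terminal-hour."""
        neigh = nearest(sample, self.history, self.k)
        score = self._lof(neigh, self._lrd(neigh))
        flagged = score > self.lof_threshold
        causes = [name for c, name in enumerate(FEATURES)
                  if flagged and sample[c] > self.extremes[name]]
        return flagged, score, causes


def abnormal_terminals(model, latest):
    """Map each flagged subscriber to the features that exceed their extreme value."""
    report = {}
    for subscriber, sample in latest.items():
        flagged, _score, causes = model.judge(sample)
        if flagged:
            report[subscriber] = causes
    return report


# Constructed history: 36 terminal-hours of ordinary behaviour.
HISTORY = [(attach, tau, 0) for attach in range(1, 7) for tau in range(10, 16)]
# Constructed latest hour: SUB-0002 re-attaches in a loop with failing service requests.
LATEST = {"SUB-0001": (3, 12, 0), "SUB-0002": (60, 12, 30)}

if __name__ == "__main__":
    model = SignalingModel(HISTORY)
    for subscriber, causes in abnormal_terminals(model, LATEST).items():
        print(subscriber, "cause:", ", ".join(causes))
```

The features are compared on raw counts here; with features on very different scales, standardizing them before the distance computation keeps one feature from dominating the score.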

Figure 4 shows the flow chart of the traffic plane anomaly detection mechanism of the present invention. First, the traffic plane historical data of the network terminals is imported periodically (for example daily) (step S41). Next, the traffic plane anomaly determination model is retrained on the traffic plane historical data (step S42). The traffic plane anomaly determination model is then used to predict the operating trajectory of each network terminal for the current day (step S43). Separately, the latest time-sliced traffic plane data of the network terminals is imported periodically (for example hourly) (step S44). By comparing the predicted operating trajectory with the latest time-sliced traffic plane data, the mechanism detects whether a network terminal is abnormal (step S45). Finally, the list of abnormal network terminals (for example the list of subscriber numbers of the abnormal network terminals) is exported (step S46).

In one embodiment, because traffic plane data shows clear periodicity and correlation between earlier and later periods, a time series model such as the autoregressive integrated moving average (ARIMA) model can be chosen as the traffic plane anomaly determination model. A time series model can calculate the reasonable traffic volume at each time point as it varies over time. For example, the nighttime traffic volume of some network terminals is far lower than their daytime traffic volume, and the time series model can calculate the appropriate traffic variation for each time point separately. The predicted operating trajectory of a network terminal for the current day includes predicted values and confidence intervals, so whether a network terminal is abnormal can be determined by comparing the predicted values with the actual values. That is, anomaly detection is decided by comparing the day's predicted values with the latest time-sliced data: if an actual value falls outside the confidence interval, the traffic plane of the network terminal is deemed abnormal at that time point.
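The following added example (not code from the patent) walks through steps S41 to S46 with the smallest seasonal member of the ARIMA family, ARIMA(1,0,0)×(0,1,0) with a 24-hour season, fitted by conditional least squares. The model order, the 99% interval, the terminal identifiers and all traffic values are assumptions constructed for the illustration.

```python
import math

SEASON = 24    # hourly samples with a daily cycle (assumption)
Z_99 = 2.576   # two-sided 99% normal quantile; the page gives no level


def fit_seasonal_ar1(history):
    """Fit ARIMA(1,0,0)x(0,1,0)_24 without a constant term.

    Seasonal differencing removes the day/night pattern; an AR(1) term
    models what is left. Returns (phi, sigma, last seasonal difference).
    """
    if len(history) < 3 * SEASON:
        raise ValueError("need at least three days of hourly history")
    d = [history[t] - history[t - SEASON] for t in range(SEASON, len(history))]
    num = sum(d[i] * d[i - 1] for i in range(1, len(d)))
    den = sum(d[i - 1] ** 2 for i in range(1, len(d)))
    phi = num / den if den else 0.0
    resid = [d[i] - phi * d[i - 1] for i in range(1, len(d))]
    sigma = math.sqrt(sum(r * r for r in resid) / (len(resid) - 1))
    return phi, sigma, d[-1]


def forecast_day(history, z=Z_99):
    """Predicted trajectory for the next 24 hours: (value, low, high) per hour."""
    phi, sigma, last_d = fit_seasonal_ar1(history)
    bands, var_factor = [], 0.0
    for h in range(1, SEASON + 1):
        var_factor += phi ** (2 * (h - 1))          # h-step AR(1) variance
        same_hour_yesterday = history[len(history) - SEASON + h - 1]
        pred = same_hour_yesterday + (phi ** h) * last_d
        half = z * sigma * math.sqrt(var_factor)
        bands.append((pred, pred - half, pred + half))
    return bands


def abnormal_hours(history, today):
    """Hours of `today` (possibly a partial day) outside the interval."""
    bands = forecast_day(history)
    return [hour for hour, actual in enumerate(today)
            if not bands[hour][1] <= actual <= bands[hour][2]]


def abnormal_terminals(fleet):
    """Export step: terminal id -> abnormal hours, only for flagged terminals."""
    result = {}
    for terminal, (history, today) in sorted(fleet.items()):
        hours = abnormal_hours(history, today)
        if hours:
            result[terminal] = hours
    return result


def constructed_load(t):
    """Constructed traffic: low at night, high by day, deterministic jitter."""
    hour = t % SEASON
    base = 40 if hour < 6 or hour >= 22 else 200
    return base + (4 * t) % 11 - 5


HISTORY = [constructed_load(t) for t in range(14 * SEASON)]
NORMAL_DAY = [constructed_load(t) for t in range(14 * SEASON, 15 * SEASON)]
ODD_DAY = list(NORMAL_DAY)
ODD_DAY[3] = 200    # an ordinary daytime volume, but at 03:00
ODD_DAY[14] = 900   # a burst far above the daytime level

FLEET = {  # placeholder terminal identifiers
    "TERM-A": (HISTORY, NORMAL_DAY),
    "TERM-B": (HISTORY, ODD_DAY),
}

if __name__ == "__main__":
    print(abnormal_terminals(FLEET))
```

The 03:00 reading of 200 is flagged although the same volume is unremarkable at noon, which is the per-time-point behavior the paragraph above attributes to the time series model.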

Figure 5 shows a flowchart of the connection status anomaly detection mechanism of the present invention. First, the offline time historical data of each IoT terminal group is imported periodically (for example, daily) (step S51). Next, an offline time threshold determination model is used to determine the offline threshold of each IoT terminal group (step S52). In parallel, the connection status of the network terminals in each IoT terminal group is determined in real time (step S53); if the connection status is determined to be offline, the offline threshold is used to determine whether the network terminal's offline period is too long (step S54). Finally, a list of the network terminals whose offline period is too long, together with their offline times, can be exported (step S55).

In one embodiment, the offline time threshold determination model determines the offline threshold through a univariate clustering algorithm (for example, Jenks Break).

It should be noted that the network terminals of an IoT terminal group may go offline for specific short periods or enter a sleep mechanism. Therefore, when determining whether a network terminal is abnormal, it is not enough to pick out the terminals that are offline; the terminals with an abnormal offline time must be further filtered from among them. The connection status anomaly detection mechanism uses the univariate clustering algorithm to find the most suitable cut points and treats them as the offline time threshold for the network terminals of each IoT terminal group. These breakpoint values cut the offline time distribution in a reasonable way and divide the offline times into different clusters, and one of the clusters' offline times is then selected as the reasonable offline time threshold. Once the offline time threshold has been obtained, network terminals detected as offline in real time can be filtered through this mechanism. That is, a network terminal whose offline time is greater than the offline time threshold (for example, 300 minutes) is regarded as having an abnormal connection status.
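The added example below (not code from the patent) implements the Jenks natural breaks partition by dynamic programming and derives a per-group offline threshold from it, covering steps S51 to S55. The number of classes (3), the rule of taking the largest value of the class below the top class as the threshold, the group names, terminal identifiers and durations are all assumptions constructed for the illustration.

```python
def jenks_classes(values, k):
    """Optimal 1-D partition of `values` into k contiguous classes that
    minimizes the within-class sum of squared deviations (Fisher-Jenks)."""
    xs = sorted(values)
    n = len(xs)
    if not 1 <= k <= n:
        raise ValueError("k must be between 1 and the number of values")
    # Prefix sums give the squared deviation of xs[i:j] in O(1).
    s1, s2 = [0.0], [0.0]
    for x in xs:
        s1.append(s1[-1] + x)
        s2.append(s2[-1] + x * x)

    def ssd(i, j):
        total = s1[j] - s1[i]
        return (s2[j] - s2[i]) - total * total / (j - i)

    inf = float("inf")
    cost = [[inf] * (n + 1) for _ in range(k + 1)]
    back = [[0] * (n + 1) for _ in range(k + 1)]
    cost[0][0] = 0.0
    for c in range(1, k + 1):
        for j in range(c, n + 1):
            for i in range(c - 1, j):
                candidate = cost[c - 1][i] + ssd(i, j)
                if candidate < cost[c][j]:
                    cost[c][j], back[c][j] = candidate, i
    classes, j = [], n
    for c in range(k, 0, -1):          # walk the back-pointers
        i = back[c][j]
        classes.append(xs[i:j])
        j = i
    return classes[::-1]


def offline_threshold(durations, k=3):
    """Assumed rule: the largest offline time of the class just below the
    top class, so only the longest-outage cluster counts as abnormal."""
    if k < 2:
        raise ValueError("need at least two classes to place a threshold")
    return jenks_classes(durations, k)[-2][-1]


def overlong_offline(group_history, currently_offline, k=3):
    """Return (thresholds per group, sorted list of overlong terminals)."""
    thresholds = {g: offline_threshold(h, k) for g, h in group_history.items()}
    report = [(terminal, group, minutes)
              for terminal, (group, minutes) in currently_offline.items()
              if minutes > thresholds[group]]
    return thresholds, sorted(report)


# Constructed offline durations in minutes for two hypothetical IoT groups:
# brief drops, scheduled sleep periods, and rare long outages.
GROUP_HISTORY = {
    "meters":   [2, 3, 5, 8, 10, 240, 260, 280, 300, 1400, 1450, 1500],
    "trackers": [1, 1, 2, 2, 3, 30, 35, 40, 45, 600, 620],
}
# Constructed real-time view: terminal -> (group, minutes offline so far).
CURRENTLY_OFFLINE = {
    "T-001": ("meters", 310),
    "T-002": ("meters", 250),
    "T-003": ("trackers", 60),
    "T-004": ("trackers", 40),
}

if __name__ == "__main__":
    limits, overlong = overlong_offline(GROUP_HISTORY, CURRENTLY_OFFLINE)
    print(limits)
    print(overlong)
```

With these inputs a 250-minute absence is normal for the sleepy meter group while a 60-minute absence is already abnormal for the tracker group, which is why the threshold is learned per group rather than fixed globally.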

Figure 6 shows a flowchart of the cell plane data analysis mechanism of the present invention. First, resident cell determination is performed periodically (for example, daily) (step S61): the cell to which each network terminal connects most frequently is selected, and a cell whose number of connected network terminals within a recent period (for example, the last few days) exceeds a predetermined threshold is identified as a resident cell, producing a resident cell list (step S62). In other words, the number of connections per cell is analyzed so that cells with too few connected users are filtered out. In parallel, the signaling plane data and traffic plane data of the mobile network and the connection status data of each network terminal are imported periodically (for example, hourly) (step S63), and the data related to the resident cells is filtered out (step S64). Whether each resident cell is abnormal can then be determined separately from the signaling plane, the traffic plane, and the connection status (step S65).

It should be noted that, when determining whether each resident cell is abnormal from the signaling plane, the traffic plane, and the connection status, the processes disclosed for the aforementioned signaling plane anomaly detection mechanism, traffic plane anomaly detection mechanism, and connection status anomaly detection mechanism can be used. As shown in Figure 6, for the filtered data related to the resident cells, the signaling plane data can be summed by cell and time (step S651) to obtain the signaling plane data of each resident cell; alternatively, the median or a percentile of each cell's time-sliced traffic plane data can be taken as its representative (step S652) to obtain a time-sliced trend estimate of the traffic plane data of each resident cell. Next, the processes of the signaling plane anomaly detection mechanism, the traffic plane anomaly detection mechanism, and the connection status anomaly detection mechanism are executed on the signaling plane data, the traffic plane data, and the status data of the network terminals connected to each resident cell, respectively. Executing the signaling plane anomaly detection mechanism (step S653) produces a list of abnormal cells (step S654); executing the traffic plane anomaly detection mechanism (step S655) produces cell feature trajectories and related alarms (step S656); and executing the connection status anomaly detection mechanism (step S657) produces the offline thresholds of abnormal cells (step S658) and a list of offline cells and offline times (step S659).

Figure 7 shows a flowchart of the IoT terminal group plane data analysis mechanism of the present invention. First, active subscriber number determination is performed periodically (for example, daily) (step S71): the network terminals in each IoT terminal group that have been online within a recent period (for example, the last few days) are set as active network terminals, and an active subscriber number list is generated from the active network terminals (step S72). In other words, by restricting the analysis to network terminals that have been online in the last few days, the overall indicators of an IoT terminal group are kept from being affected by network terminals that have gone out of service. In parallel, the signaling plane data and traffic plane data of the mobile network and the connection status data of each network terminal are imported periodically (for example, hourly) (step S73), and the data related to the active network terminals is filtered out (step S74). Whether each IoT terminal group is abnormal can then be determined separately from the signaling plane, the traffic plane, and the connection status (step S75).

Similarly, when determining whether each IoT terminal group is abnormal from the signaling plane, the traffic plane, and the connection status, the processes of the aforementioned signaling plane anomaly detection mechanism and traffic plane anomaly detection mechanism can also be used. As shown in Figure 7, for the filtered data related to the active network terminals, the signaling plane data can be summed by IoT terminal group and time (step S751) to obtain the signaling plane data of each active network terminal; alternatively, the median or a percentile of each IoT terminal group's time-sliced traffic plane data can be taken as its representative (step S752) to obtain a time-sliced trend estimate of the traffic plane data of each active network terminal. Next, the processes of the signaling plane anomaly detection mechanism, the traffic plane anomaly detection mechanism, and so on are executed on the resulting signaling plane data, the time-sliced trend estimate of the traffic plane data, and the connection status data of each active network terminal, respectively. Executing the signaling plane anomaly detection mechanism (step S753) produces a list of abnormal IoT terminal groups (step S754); executing the traffic plane anomaly detection mechanism (step S755) produces the feature trajectories of the IoT terminal groups and related alarms (step S756); and the trend in the number of connections of each IoT terminal group is analyzed with a time series model to determine whether the number of connections is abnormal (step S757), producing the time points at which an IoT terminal group has a connection anomaly (step S758).

It is worth noting that, to detect the connection status of an IoT terminal group, the number of online subscriber numbers among the network terminals of each IoT terminal group can be recorded at regular intervals, and an alarm can be raised for time points at which too few subscriber numbers are online. Because each IoT terminal group has its own online behavior, with a certain degree of periodicity and correlation between earlier and later periods, the present invention applies the traffic plane anomaly detection mechanism here: a time series model estimates the reasonable range of the online count of each IoT terminal group at each time point, and this range serves as the basis for identifying abnormal connection counts of the IoT terminal group in each time period.

Figure 8 shows a flowchart of the mobile-IoT-based network behavior anomaly detection method of the present invention. The method mainly includes the following steps; the remaining content is the same as the description of Figures 1 to 7 above and is not repeated here. First, the signaling plane data, traffic plane data, and connection status data of the mobile network are retrieved (step S81). Next, an outlier algorithm is used to process the signaling plane data to detect whether the signaling plane of the mobile network is abnormal (step S82). Then a time series model is used to process the traffic plane data and make predictions to determine whether the traffic plane of the mobile network is abnormal (step S83). Finally, a univariate clustering algorithm is used to process the connection status data to detect whether the connection status of the mobile network is abnormal (step S84).

In one embodiment, the network behavior anomaly detection method further includes the following steps. First, resident cell determination is performed (step S851). Next, the signaling plane data, traffic plane data, and connection status data belonging to the resident cells are filtered out (step S852). Finally, whether each resident cell is abnormal is determined separately from the signaling plane, the traffic plane, and the connection status (step S853).

In one embodiment, the network behavior anomaly detection method further includes the following steps. First, the network terminals that have recently been connected are identified in each IoT terminal group (step S861). Next, the signaling plane data, traffic plane data, and connection status data related to those network terminals are filtered out (step S862). Finally, whether each IoT terminal group is abnormal is determined separately from the signaling plane, the traffic plane, and the connection status (step S863).

The mobile-IoT-based network behavior anomaly detection system and method of the present invention have at least the following advantages or technical effects.

First, by collecting mobile network data, the connection behavior between terminals and the central office is modeled with artificial intelligence algorithms such as time series and outlier analysis to build an abnormal behavior detection model for IoT terminals. The actual usage of all terminals in the mobile IoT can therefore be analyzed effectively, without having to observe each terminal individually as in the prior art. Moreover, even when an IoT terminal is damaged and drops its connection, the detection model of the present invention can detect the anomaly at the earliest moment, and operating performance is not affected.

Furthermore, the signaling plane anomaly detection mechanism, traffic plane anomaly detection mechanism, and connection status anomaly detection mechanism of the present invention perform comprehensive abnormal behavior detection on signaling, traffic, and connection status respectively, and the detection mechanisms are automated from end to end, so the efficiency of operating and maintaining a large number of IoT terminals is effectively improved.

In addition, because the training model of the present invention introduces the concept of a moving window, the detection model can be adjusted periodically (for example, daily or hourly) according to the most recently collected data, so it responds fully and effectively to trends in the behavior of IoT terminals.

The above embodiments merely illustrate the technical principles, features, and effects of the present invention and are not intended to limit its implementable scope. Anyone familiar with this technology may modify and change the above embodiments without departing from the spirit and scope of the present invention. Any equivalent modifications and changes accomplished using the teachings of the present invention shall still be covered by the appended claims, and the scope of protection of the present invention shall be as set out in the appended claims.

1‧‧‧Network behavior anomaly detection system

10‧‧‧Network feature collection module

101‧‧‧Signaling plane data

102‧‧‧Traffic plane data

103‧‧‧Connection status data

11‧‧‧Network terminal anomaly detection module

111‧‧‧Signaling plane anomaly detection mechanism

112‧‧‧Traffic plane anomaly detection mechanism

113‧‧‧Connection status anomaly detection mechanism

12‧‧‧Network topology anomaly detection module

121‧‧‧Cell plane data analysis mechanism

122‧‧‧IoT terminal group plane data analysis mechanism

13‧‧‧Operation and maintenance query interface

14‧‧‧Operation and maintenance terminal

Claims (14)

1. A network behavior anomaly detection system based on the mobile Internet of Things, comprising: a network terminal anomaly detection module having a signaling plane anomaly detection mechanism, a traffic plane anomaly detection mechanism, and a connection status anomaly detection mechanism, to respectively detect anomalies in the signaling plane, the traffic plane, and the connection status of a network terminal; and a network topology anomaly detection module having a cell plane data analysis mechanism and an IoT terminal group plane data analysis mechanism, to respectively detect anomalies of cells and of IoT terminal groups, wherein the network behavior anomaly detection system uses an outlier algorithm to process signaling plane data of a mobile network to detect whether the signaling plane of the mobile network is abnormal, uses an autoregressive integrated moving average (ARIMA) model to process traffic plane data of the mobile network and make predictions to determine whether the traffic plane of the mobile network is abnormal, and uses a univariate clustering algorithm to process connection status data of the mobile network to detect whether the connection status of the mobile network is abnormal.

2. The network behavior anomaly detection system as described in claim 1, further comprising a network feature collection module for collecting the signaling plane data, the traffic plane data, and the connection status data of the mobile network, and for aggregating and preprocessing the signaling plane data, the traffic plane data, and the connection status data.

3. The network behavior anomaly detection system as described in claim 2, wherein the network feature collection module executes the following procedures: determining whether historical data of the network terminal exists and, if the historical data does not exist, collecting historical time-sliced data to obtain the signaling plane data, the traffic plane data, and network terminal offline times of the mobile network within a predetermined period; collecting the latest time-sliced data to obtain the signaling plane data and the traffic plane data of the mobile network; and aggregating and preprocessing the historical time-sliced data and the latest time-sliced data, and updating the historical data.

4. The network behavior anomaly detection system as described in claim 1, wherein the signaling plane anomaly detection mechanism of the network terminal anomaly detection module includes the following procedures: periodically importing signaling plane historical data of the network terminal, and retraining a signaling plane anomaly determination model according to the signaling plane historical data to update model parameters; importing the latest time-sliced signaling plane data of the network terminal; using the signaling plane anomaly determination model to perform anomaly determination; and exporting a list of abnormal network terminals.

5. The network behavior anomaly detection system as described in claim 4, wherein the signaling plane anomaly determination model is used to perform abnormal sample identification and abnormal cause inference, wherein the abnormal sample identification is made through an outlier determination algorithm, and the abnormal cause inference aggregates and records the behavioral features that cause the outlier.

6. The network behavior anomaly detection system as described in claim 1, wherein the traffic plane anomaly detection mechanism of the network terminal anomaly detection module includes the following procedures: periodically importing traffic plane historical data of the network terminal; retraining, according to the traffic plane historical data, a traffic plane anomaly determination model that is the autoregressive integrated moving average (ARIMA) model; using the traffic plane anomaly determination model to predict the operating trajectory of the network terminal for the current day; importing the latest time-sliced traffic plane data of the network terminal; detecting whether the network terminal is abnormal; and exporting a list of abnormal network terminals.

7. The network behavior anomaly detection system as described in claim 6, wherein the predicted operating trajectory of the network terminal for the current day includes predicted values and confidence intervals, and whether the network terminal is abnormal is determined by comparing the predicted values with actual values.

8. The network behavior anomaly detection system as described in claim 1, wherein the connection status anomaly detection mechanism of the network terminal anomaly detection module includes the following procedures: importing offline time historical data of each IoT terminal group; using an offline time threshold determination model to determine the offline threshold of each IoT terminal group; determining in real time the connection status of the network terminals in each IoT terminal group and, if the connection status is determined to be offline, determining according to the offline threshold whether the offline period of the network terminal is too long; and exporting the network terminals whose offline period is too long together with their offline times.

9. The network behavior anomaly detection system as described in claim 8, wherein the offline time threshold determination model determines the offline threshold through the univariate clustering algorithm.

10. The network behavior anomaly detection system as described in claim 1, wherein the cell plane data analysis mechanism of the network topology anomaly detection module includes the following procedures: performing resident cell determination, wherein the cell to which the network terminal connects most frequently is selected, and the cell is identified as a resident cell when the number of network terminals connected to the cell within a recent period exceeds a predetermined threshold; importing the signaling plane data and traffic plane data of the mobile network and the connection status data of each network terminal, and filtering out the data related to the resident cells; and determining whether each resident cell is abnormal separately from the signaling plane, the traffic plane, and the connection status.

11. The network behavior anomaly detection system as described in claim 1, wherein the IoT terminal group plane data analysis mechanism of the network topology anomaly detection module includes the following procedures: setting the network terminals in each IoT terminal group that have been online within a recent period as active network terminals; importing the signaling plane data and traffic plane data of the mobile network and the connection status data of each network terminal, and filtering out the data related to the active network terminals; and determining whether each IoT terminal group is abnormal separately from the signaling plane, the traffic plane, and the connection status.

12. A network behavior anomaly detection method based on the mobile Internet of Things, comprising: retrieving signaling plane data, traffic plane data, and connection status data of a mobile network; using an outlier algorithm to process the signaling plane data of the mobile network to detect whether the signaling plane of the mobile network is abnormal; using an autoregressive integrated moving average (ARIMA) model to process the traffic plane data of the mobile network and make predictions to determine whether the traffic plane of the mobile network is abnormal; and using a univariate clustering algorithm to process the connection status data of the mobile network to detect whether the connection status of the mobile network is abnormal.

13. The network behavior anomaly detection method as described in claim 12, further comprising: performing resident cell determination; filtering out the signaling plane data, the traffic plane data, and the connection status data belonging to the resident cell; and determining whether the resident cell is abnormal separately from the signaling plane, the traffic plane, and the connection status.

14. The network behavior anomaly detection method as described in claim 12, further comprising: identifying, in each IoT terminal group, the network terminals that have recently been connected; filtering out the signaling plane data, the traffic plane data, and the connection status data related to those network terminals; and determining whether each IoT terminal group is abnormal separately from the signaling plane, the traffic plane, and the connection status.
TW108144919A 2019-12-09 2019-12-09 Network behavior anomaly detection system and method based on mobile internet of things TWI721693B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108144919A TWI721693B (en) 2019-12-09 2019-12-09 Network behavior anomaly detection system and method based on mobile internet of things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW108144919A TWI721693B (en) 2019-12-09 2019-12-09 Network behavior anomaly detection system and method based on mobile internet of things

Publications (2)

Publication Number Publication Date
TWI721693B true TWI721693B (en) 2021-03-11
TW202123654A TW202123654A (en) 2021-06-16

Family

ID=76035946

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108144919A TWI721693B (en) 2019-12-09 2019-12-09 Network behavior anomaly detection system and method based on mobile internet of things

Country Status (1)

Country Link
TW (1) TWI721693B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI751090B (en) * 2021-07-13 2021-12-21 中華電信股份有限公司 Dynamic detection system, method and computer-readable medium for networked device
TWI782645B (en) * 2021-07-29 2022-11-01 中華電信股份有限公司 System and method for evaluating network component quality degradation based on mobile network
TWI789003B (en) * 2021-09-10 2023-01-01 伊雲谷數位科技股份有限公司 Service anomaly detection and alerting method, apparatus using the same, storage media for storing the same, and computer software program for generating service anomaly alert
TWI802413B (en) * 2022-05-17 2023-05-11 中華電信股份有限公司 Electronic device and method of detecting abnormal equipment in telecommunication network

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI821058B (en) * 2022-12-01 2023-11-01 中華電信股份有限公司 System and method for root cause analysis of abnormal phone number

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018513457A (en) * 2015-03-04 2018-05-24 クアルコム,インコーポレイテッド Behavior analysis to automate direct and indirect local monitoring of the health of Internet of Things devices

Also Published As

Publication number Publication date
TW202123654A (en) 2021-06-16

Similar Documents

Publication Publication Date Title
TWI721693B (en) Network behavior anomaly detection system and method based on mobile internet of things
CN108415789B (en) Node fault prediction system and method for large-scale hybrid heterogeneous storage system
CN108418841B (en) Next-generation key message infrastructure network Security Situation Awareness Systems based on AI
JP6184270B2 (en) System and method for creating index profiles related to attacks by correlating various indices with past attack cases in order to detect and predict future network attacks
CN102957579B (en) A kind of exception flow of network monitoring method and device
CN103596208B (en) Method and system for judging fault of network element
CN108123849B (en) Method, device, equipment and storage medium for determining threshold value for detecting network flow
CN110891283A (en) Small base station monitoring device and method based on edge calculation model
CN104301895A (en) Double-layer trigger intrusion detection method based on flow prediction
CN111401582B (en) Abnormity identification method and monitoring platform for domestic sewage treatment facility
CN112543465B (en) Abnormity detection method, abnormity detection device, terminal and storage medium
CN106452931A (en) Monitoring index, domain value discovery method, domain value adjusting method and automatic monitoring system
CN104574219A (en) System and method for monitoring and early warning of operation conditions of power grid service information system
Li et al. A machine learning based intrusion detection system for software defined 5G network
CN105634796A (en) Network device failure prediction and diagnosis method
CN109491339B (en) Big data-based substation equipment running state early warning system
CN113807678A (en) Platform safety door energy efficiency management method and device, computer equipment and storage medium
CN105515888A (en) Intelligent substation communication network anomaly detection method based on multi-dimensional entropy sequence classification
CN111666978B (en) Intelligent fault early warning system for IT system operation and maintenance big data
CN110647086B (en) Intelligent operation and maintenance monitoring system based on operation big data analysis
CN116863723A (en) Use method of digital twin base
CN113297194B (en) Method for identifying and cleaning false data of spare capacity of electric automobile aggregator
CN112131069B (en) Equipment operation monitoring method and system based on clustering
EP3836599B1 (en) Method for detecting permanent failures in mobile telecommunication networks
CN106849867A (en) A kind of photovoltaic plant voltage flicker detecting system and method