CN102487293A - Satellite communication network abnormity detection method based on network control - Google Patents

Publication number: CN102487293A
Authority: CN (China)
Prior art keywords: signaling, data, detection, sequence, satellite communication
Legal status: Granted; Expired - Fee Related
Application number: CN201010574056XA
Other languages: Chinese (zh)
Other versions: CN102487293B (en)
Inventors: 胡谷雨, 倪桂强, 潘志松, 谢钧, 袁伟伟, 端义锋, 王琼
Current Assignee: PLA University of Science and Technology
Original Assignee: PLA University of Science and Technology
Application filed by: PLA University of Science and Technology
Priority: CN201010574056.XA
Publications: CN102487293A (application), CN102487293B (granted)
Landscapes: Radio Relay Systems (AREA)

Abstract

The invention discloses a satellite communication network anomaly detection method based on network control. A fuzzy C-means clustering algorithm learns from normal audit data to establish an anomaly detection mechanism, providing post-hoc analysis of abnormal events. A support vector data description (SVDD) one-class classifier is used to summarize normal and abnormal short sequences, and a hidden Markov model (HMM) performs anomaly detection on the communication signaling of all earth stations over the whole time period, providing real-time detection based on communication signaling. Using these post-hoc analysis and real-time detection methods, a prototype satellite communication network anomaly detection system based on network control is implemented. The post-hoc analysis method is suitable for large-scale data and has low false-negative and false-positive rates; the real-time detection method has good detection performance, a short signaling detection time and a fast reaction speed, so it can achieve the goal of online detection and enhance the security of the signaling system.

Description

Satellite communication network abnormity detection method based on network control
Technical field
The invention belongs to the field of satellite communication network anomaly detection, and in particular relates to a satellite communication network anomaly detection method based on network control.
Background technology
With the continuous development of computer and communication technology, intrusions into computers and networks using unknown new methods are becoming more and more serious, which makes anomaly detection increasingly important. Anomaly detection is a branch of intrusion detection; an intrusion is any set of activities that attempts to compromise the integrity, confidentiality or availability of a resource. The premise of anomaly detection is that an intruder's activity differs from that of a normal subject and that the two can be told apart; this difference is then used as the basis for judging whether a behaviour is an intrusion. The conventional approach is to establish a profile of normal activity for the system or the user. During detection, the anomaly detection program generates a profile of the current activity and compares it with the normal profile; if the deviation exceeds a certain threshold, the activity is considered an intrusion and the corresponding mechanism is triggered. Anomaly detection depends little on the specific system, so it generalizes well, and its greatest advantage is that it can detect intrusion behaviours that are currently unknown.
Anomaly detection techniques can be divided into four main categories:
(1) Statistics-based anomaly detection
In this technique the anomaly detector observes the activity of a subject and then generates a profile that characterizes that behaviour. Each profile records the subject's current behaviour, and the current profile is periodically merged with the stored profile. Abnormal behaviour is identified by comparing the current profile with the stored one. This is the earliest-developed, most mature and most practical anomaly detection technique. It has some drawbacks, however: the threshold is hard to determine, and a value that is too low or too high easily causes false alarms or missed detections; attacks that exploit the ordering of events are difficult to detect.
(2) Anomaly detection based on predictive patterns
This method assumes that event sequences are not random but follow recognizable patterns; its distinguishing feature is that it takes the order of events and the relationships between them into account. Teng and Chen proposed the Time-based Inductive Machine (TIM), which uses temporal rules to identify the characteristics of normal user behaviour patterns. The rule sets are generated by inductive learning, and the rules in the system are modified dynamically so that they have higher predictive power, accuracy and confidence. If a rule is correct most of the time and can be used successfully to predict the observed data, the rule has high confidence. The drawbacks of this method are that it is computationally expensive and also tends to produce a high false alarm rate.
(3) Anomaly detection based on system calls
Forrest et al. argue that the normal behaviour of a program can be characterized by the local patterns (short sequences) of its execution trace, and that deviations from these patterns can be considered anomalies. The method rests on two characteristics of program execution: the execution trace of a normally running program has local consistency, and when an anomaly occurs the trace produces local patterns that differ from those seen in normal operation. The typical method using this technique is the time-delay embedding sequence method proposed by Forrest et al.: a profile of normal program behaviour is built in advance from contiguous sequences of a given length K; during detection, the sequences of the execution trace under test are compared with the normal profile, and when the number of unmatched sequences exceeds a threshold the behaviour is considered abnormal. Analysis and modelling with this method are relatively simple, but its main drawback is that it cannot detect cooperative attacks or masqueraders.
(4) Anomaly detection based on artificial intelligence
Applying artificial intelligence techniques to anomaly detection can improve its performance. These techniques mainly include artificial neural networks, data mining and artificial immune systems.
Artificial neural networks: the structure and function of each neuron in an artificial neural network are relatively simple and limited, but the "microscopic" activity of many such simple, limited neurons produces a complex "macroscopic effect" that can accomplish complex information recognition and task processing. At present, several neural network models are used in IDS. Given the system's audit trace data, a neural network can extract the feature patterns of normal user or system activity through self-learning, without needing the feature set that describes user behaviour or the statistical distribution of the user behaviour feature measures. The computational cost, however, is high.
Data mining: Wenke Lee and Salvatore J. Stolfo applied data mining techniques to intrusion detection research. The goal of their research is to minimize the manual and experience-based components in building an intrusion detection system. It takes a data-centric view and treats intrusion detection as a data analysis process. Problems remain for real-time intrusion detection, however, which requires effective data mining algorithms and suitable distributed systems to be developed.
Artificial immune systems: research on intrusion detection models based on artificial immune systems has two directions. One is an immune model that monitors sequences of critical system calls on the host; the other is an immune model for network data. Because the immune system is distributed, diverse, has memory and is extensible, these properties can be used to build distributed, efficient and self-organizing intrusion detection models. The drawback is that there is not yet a complete theoretical framework for artificial immunity, nor a sufficiently effective antigen recognition algorithm.
A satellite communication network is a complex integrated system. Earth stations are the nodes of the network, and their normal operation directly affects the quality and security of the whole network. Earth station anomalies cover many aspects: besides earth station faults, they include an earth station being counterfeited, lost, used by an unauthorized user, or captured by the enemy in wartime. Because an earth station's data and the signaling it transmits directly reflect user behaviour, anomaly detection for a satellite communication network is mainly detection of earth stations. Attacks that take the form of abnormal behaviour are difficult to detect with traditional detection methods. At present, satellite network management has not proposed an effective anomaly detection mechanism or solution for this problem.
Summary of the invention
The object of the present invention is to provide a method that detects abnormal earth station behaviour in a satellite communication network through both post-hoc analysis and real-time detection and issues anomaly alarms to the user, thereby realizing anomaly detection for a satellite communication network based on network control.
The technical solution that achieves this object is a satellite communication network anomaly detection method based on network control. It sits within the overall framework of satellite communication network security protection and detects anomalies in audit data and in signaling sequences. It comprises a data acquisition and preprocessing module, an audit detection module, communication-signaling-based modelling, HMM model detection, pattern matching knowledge base modelling, a pattern matching knowledge base detection module and a graphical user interface module. The data acquisition and preprocessing module obtains detection data from the data acquisition interface, preprocesses it and outputs it for use by the other modules. The audit detection module uses the typical clustering algorithm FCM to cluster large volumes of audit data, providing post-hoc analysis. Communication-signaling-based modelling extracts and encodes the signaling and, through learning with the hidden Markov algorithm, builds an HMM detection model based on normal signaling sequences. On the basis of that model, the HMM model detection module obtains, in real time through the network interface, the communication signaling sequence of an earth station over a period of operation; data preprocessing yields simply encoded short signaling sequences, which the classifier checks to produce a detection result that is passed to the graphical user interface module for processing, providing real-time detection. Pattern matching knowledge base modelling compiles simple patterns of earth station user behaviour, based on the regularity and determinism of that behaviour, and stores them as a knowledge base. During detection, the pattern matching knowledge base detection module obtains communication data in real time and compares it against the earth station user behaviour; behaviour that differs from the patterns in the knowledge base is considered abnormal, and the result is passed to the graphical user interface module for processing.
Compared with the prior art, the present invention has the following notable advantages: (1) it can effectively protect the satellite communication network from the various "signaling attacks" launched from earth stations; (2) by combining domain prior knowledge with machine learning techniques, the method of detecting abnormal earth station behaviour from audit data is efficient and accurate, scales to large data sets, and has low false-negative and false-positive rates; (3) it applies machine learning methods to the analysis of satellite communication signaling in an innovative way, proposing an HMM anomaly detection method based on short time sequences; this method not only has good detection performance but also needs very little time to check signaling and reacts quickly, so it can achieve online detection and strengthen the security of the signaling system; (4) it improves the efficiency of security personnel on duty and reduces their workload.
The invention is described in further detail below with reference to the accompanying drawings.
Description of drawings
Fig. 1 is the overall framework diagram of satellite communication network security protection.
Fig. 2 is the core module diagram of satellite communication network anomaly detection based on network control.
Fig. 3 is the workflow diagram of satellite communication network anomaly detection based on network control.
Fig. 4 is the classifier selection and training process diagram.
Fig. 5 is the diagram of the anomaly detection model based on the hidden Markov model.
Embodiment
1. The present invention performs anomaly detection within the overall framework of satellite communication network security protection. It is used in all kinds of satellite network control systems to find abnormal behaviour in the satellite communication system in a timely manner. Fig. 1 shows the overall framework of satellite communication network security protection. The protection framework covers four aspects: the network control centre server security protection system, earth station abnormal behaviour detection, satellite communication control channel security, and general signaling system design.
(a) The security protection system of the network control centre server includes access control mechanisms, authentication, an encryption system and an intrusion detection system. General-purpose network security protection techniques are used to protect the network control centre server, in particular to guard against two major classes of attack: unauthorized access by a remote user to the local system (R2L) and unauthorized acquisition of superuser privileges (U2R).
(b) The earth station abnormal behaviour detection subsystem implements the satellite communication network anomaly detection method based on network control. It mainly comprises anomaly detection on audit data and anomaly detection on the signaling sequences sent by each earth station. This subsystem is aimed mainly at attacks on the network control centre that are launched by counterfeiting a legitimate earth station. After attacking the network control centre, an attacker leaves traces of the attack in the system's audit records; clustering is used to find abnormal behaviour in the massive audit data, and this method is "post-hoc analysis". The signaling sequence anomaly detection model learns the behaviour of normal earth stations, and any signaling sequence that deviates from the normal earth station "profile" is considered abnormal, which provides anomaly detection based on earth station signaling sequences. Because the model monitors and checks the signaling sequences sent by all earth stations, this is "real-time monitoring".
(c) Satellite communication control channel security comprises two parts: single channel encryption and channel anti-interference.
(d) The general signaling system design of the satellite communication network emphasizes the security of the signaling design. The security threats that satellite communication networks face and the existing security measures were analysed; taking the characteristics of satellite communication networks into account, a secure, general-purpose signaling system was designed, and its security was formally analysed using protocol verification methods.
2. The satellite communication network anomaly detection method based on network control detects abnormal earth station behaviour in the satellite communication network through both post-hoc analysis and real-time detection and issues anomaly alarms to the user. The system has two interfaces: a data acquisition interface and a graphical user interface. The data acquisition interface comprises a database interface and a UDP frame interface, and is responsible for obtaining training and detection data from the ORACLE database and from UDP frames. The graphical user interface is the visual human-machine interface that the system offers the user; through it the user can monitor the system in real time and change the system parameter configuration. The method is implemented by the following seven core modules, as shown in Fig. 2:
(a) Data acquisition and preprocessing module: obtains detection data from the data acquisition interface and applies standardization and normalization preprocessing to produce standard data that can be processed by cluster analysis, training and real-time detection; according to the user's choice, the resulting standard data can then be stored in a file or in the database;
(b) Pattern matching knowledge base modelling: based on the regularity and determinism of earth station user behaviour, compiles some simple patterns of that behaviour and stores them as a knowledge base;
(c) Pattern matching knowledge base detection: obtains communication data in real time and compares it against the earth station user behaviour; behaviour that differs from the patterns in the pattern matching knowledge base is considered abnormal, and the result is passed to the graphical user interface module for processing;
(d) Audit detection module: uses the typical clustering algorithm FCM to cluster the large volume of audit data recorded in the network control centre database and find abnormal behaviour;
(e) HMM modelling: through the interface with the satellite communication system, obtains in real time the signaling exchanged between earth stations and the network control centre and, through learning with the hidden Markov algorithm, obtains the state transition matrix and the visible symbol transition matrix, building an HMM detection model based on normal signaling sequences;
(f) HMM model detection: on the basis of the model built from normal signaling sequences, obtains in real time through the network interface the communication signaling sequence of an earth station over a period of operation; data preprocessing yields simply encoded short signaling sequences, which the classifier checks to produce a detection result that is passed to the graphical user interface module for processing;
(g) Graphical user interface: receives the detection results of the pattern matching, audit detection and HMM real-time detection modules and displays each result in an intuitive graphical form such as charts; it provides an interface for the user to set system parameters, and an interface that accepts manual intervention and feeds the result of the intervention back into the system.
The satellite communication network anomaly detection method based on network control checks the system from two angles, audit records and real-time signaling sequences, supplemented by pattern matching; its workflow is shown in Fig. 3. On one side, the system extracts audit records from the network control centre database; data preprocessing yields numerical data for cluster analysis, and cluster analysis produces detection results for the historical audit data. Data is collected from the database and a library is built by learning with the pattern matching algorithm. Data frames are then obtained through the interface between the system and the network management system, and the relevant data fields in each frame are matched against the library. A mismatch indicates that an anomaly has occurred; if it is a misjudgement, the operator can intervene so that the misjudged record is added to the library. On the other side, the anomaly detection system obtains, through its interface with the network management system, the signaling exchanged between earth stations and network control. Data preprocessing yields the normal signaling sequences used to train the classifier and the short signaling sequences to be checked. The hidden Markov algorithm learns from the normal signaling sequences to obtain a one-class classifier based on normal signaling sequences. Once the classifier is obtained, the short signaling sequences acquired in real time are checked. If the operator finds that a detection result is wrong, the new sequence can be added to the training sequences and the classifier retrained, giving an updated classifier.
3. Anomaly detection based on audit data in the satellite communication network anomaly detection method based on network control
Audit records describing earth station behaviour are extracted from the network control database and preprocessed into numerical data for cluster analysis. The fuzzy C-means (FCM) clustering algorithm from data mining learns the normal audit data of the satellite communication network; detection results for the historical audit data are obtained by computing how far that data deviates from each cluster pattern of the normal samples, which establishes the anomaly detection mechanism. Finding abnormal behaviour in massive audit data with machine learning methods such as cluster analysis is "post-hoc analysis".
Fuzzy c-means clustering (FCM) assumes that each sample belongs "fuzzily" to a class: it may belong to one class and also to another. Let
Figure BSA00000373682500061
(where $R^s$ is the data set), and $u=\{u_{ik}\}_{c\times n}\in M_{fcn}$ (where $M_{fcn}$ is the partition matrix), with cluster centres $v=\{v_1,v_2,\dots,v_c\}$, $v_i\in R^s$, $1<m<+\infty$ and $2\le c<n$. The global objective function of FCM is then defined as:
$$J_m=\sum_{i=1}^{c}\sum_{k=1}^{n}u_{ik}^{m}\,\|x_k-v_i\|^2 \tag{1}$$
where m is a free parameter that controls the degree of mixing between classes, called the fuzzy index.
The constraints of formula (1) are:
$$0\le u_{ik}\le 1;\qquad \sum_{i=1}^{c}u_{ik}=1,\ \forall k;\qquad \sum_{k=1}^{n}u_{ik}>0 \tag{2}$$
It can be seen that when $u_{ik}=0$ this objective function equals the objective function of k-means; when $u_{ik}>0$, each sample is allowed to belong to several classes. Minimizing the objective function gives:
$$u_{ik}=\frac{\left(1/\|x_k-v_i\|^2\right)^{1/(m-1)}}{\sum_{j=1}^{c}\left(1/\|x_k-v_j\|^2\right)^{1/(m-1)}},\quad\forall i \tag{3}$$
$$v_i=\frac{\sum_{k=1}^{n}u_{ik}^{m}\,x_k}{\sum_{k=1}^{n}u_{ik}^{m}},\quad\forall i \tag{4}$$
$J_m$ is minimized when each cluster centre lies near the points that have a high estimated probability of belonging to its class. Because analytic solutions of formulas (3) and (4) are difficult to find, the cluster means and point probabilities are estimated iteratively. The algorithm steps are as follows:
(a) input the parameters n, c, m, u, etc.;
(b) normalize $u_{ik}$ according to the constraints;
(c) do: recompute $u_{ik}$ by formula (3);
(d) recompute $v_i$ by formula (4);
(e) until $u_{ik}$ and $v_i$ change very little;
(f) return u.
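The FCM iteration of formulas (3) and (4), followed by a deviation check on audit records, as an added example that is not code from the patent. The two audit features, the sample records, the nearest-centre deviation score and the 1.5 margin on the threshold are assumptions made for illustration; the patent does not specify how deviation is measured.

```python
import math
import random

# Constructed sample: normalized audit features for normal earth station
# records. The features (call rate, mean call duration) are hypothetical.
NORMAL_AUDIT = [
    (0.20, 0.22), (0.18, 0.19), (0.23, 0.20), (0.21, 0.17), (0.19, 0.21),
    (0.80, 0.78), (0.82, 0.81), (0.79, 0.83), (0.81, 0.80),
]


def sq_dist(x, v):
    """Squared Euclidean distance ||x - v||^2."""
    return sum((a - b) ** 2 for a, b in zip(x, v))


def update_centres(u, samples, m):
    """Formula (4): v_i = sum_k u_ik^m x_k / sum_k u_ik^m."""
    dim = len(samples[0])
    centres = []
    for row in u:
        weights = [w ** m for w in row]
        total = sum(weights)
        centres.append(tuple(
            sum(w * x[d] for w, x in zip(weights, samples)) / total
            for d in range(dim)))
    return centres


def update_memberships(samples, centres, m):
    """Formula (3): memberships from inverse squared distances."""
    c, n = len(centres), len(samples)
    u = [[0.0] * n for _ in range(c)]
    for k, x in enumerate(samples):
        d = [sq_dist(x, v) for v in centres]
        if min(d) == 0.0:
            # Sample lies exactly on a centre: avoid dividing by zero.
            u[d.index(0.0)][k] = 1.0
            continue
        inv = [(1.0 / di) ** (1.0 / (m - 1.0)) for di in d]
        total = sum(inv)
        for i in range(c):
            u[i][k] = inv[i] / total
    return u


def fcm(samples, c, m=2.0, max_iter=200, tol=1e-6, seed=1):
    """Return (u, v): the c x n membership matrix and the c cluster centres."""
    n = len(samples)
    if not 2 <= c < n or m <= 1.0:
        raise ValueError("need 2 <= c < n and m > 1")
    rng = random.Random(seed)
    # Steps (a)-(b): random memberships, normalized so each column sums to 1.
    u = [[rng.random() + 1e-9 for _ in range(n)] for _ in range(c)]
    for k in range(n):
        col = sum(u[i][k] for i in range(c))
        for i in range(c):
            u[i][k] /= col
    centres = update_centres(u, samples, m)
    for _ in range(max_iter):
        # Formula (3) needs centres, so they are computed before memberships.
        new_u = update_memberships(samples, centres, m)
        change = max(abs(new_u[i][k] - u[i][k])
                     for i in range(c) for k in range(n))
        u = new_u
        centres = update_centres(u, samples, m)
        if change < tol:  # step (e): memberships changed very little
            break
    return u, centres


def deviation(record, centres):
    """Assumed deviation score: distance to the nearest normal centre."""
    return math.sqrt(min(sq_dist(record, v) for v in centres))


def fit_threshold(samples, centres, margin=1.5):
    """Assumed rule: margin times the largest deviation seen in training."""
    return margin * max(deviation(x, centres) for x in samples)


def is_anomalous(record, centres, threshold):
    return deviation(record, centres) > threshold


if __name__ == "__main__":
    _, v = fcm(NORMAL_AUDIT, c=2)
    limit = fit_threshold(NORMAL_AUDIT, v)
    for rec in [(0.21, 0.20), (0.95, 0.05)]:
        print(rec, "anomalous" if is_anomalous(rec, v, limit) else "normal")
```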
4. Anomaly detection based on communication signaling in the satellite communication network anomaly detection method based on network control
(a) A typical one-class classifier detection method, support vector data description, is applied to the small number of collected samples for one-class classification, summarizing libraries of normal and abnormal short sequences to guide network administrators in handling network signaling anomalies.
The chosen model is trained with the normal signaling training sequences to obtain a trained classifier model, which is then tested with the test signaling sequences. If the classifier's accuracy meets the requirement, training ends; otherwise the classifier's parameters are adjusted and it is tested again. Fig. 4 shows the classifier selection and training process.
The basic idea of support vector data description (SVDD) is to use a Gaussian kernel function to map the sample space into a kernel space and to find, in the kernel space, a sphere that contains all the training data. At decision time, a test sample that lies inside this high-dimensional sphere is considered normal; otherwise it is considered abnormal. Suppose the model $f(x;w)$ represents a class of compact, bounded data set, which is enclosed and described by a hypersphere $\varepsilon_{struct}(R,a)$. The sphere is represented by its centre $a$ and radius $R$, and all samples of the training set fall inside it. To improve the robustness of the result, slack variables are introduced, following SVM,
Figure BSA00000373682500071
to control the influence of outliers on the solution for each sample. The minimization problem therefore takes the following form:
$$\varepsilon_{struct}(R,a)=R^2$$
subject to the constraints:
$$\|x_i-a\|^2\le R^2+\xi_i,\qquad \xi_i\ge 0,\quad\forall i$$
The parameter C is similar to the control variable in SVM.
Solving the minimization problem under these constraints with the Lagrange function gives:
$$L=\sum_i\alpha_i\,(x_i\cdot x_i)-\sum_{i,j}\alpha_i\alpha_j\,(x_i\cdot x_j)$$
subject to: (1) $\sum_i\alpha_i=1$; (2) $0\le\alpha_i\le C,\ \forall i$.
Let z be a test sample. If the following inequality holds, z is judged to belong to the normal class; otherwise it belongs to the abnormal class. This is equivalent to z falling inside the hypersphere.
$$\|z-a\|^2=(z\cdot z)-2\sum_i\alpha_i\,(z\cdot x_i)+\sum_{i,j}\alpha_i\alpha_j\,(x_i\cdot x_j)\le R^2$$
where R is the distance from any support vector $x_k$ to the sphere centre $a$:
$$R^2=(x_k\cdot x_k)-2\sum_i\alpha_i\,(x_i\cdot x_k)+\sum_{i,j}\alpha_i\alpha_j\,(x_i\cdot x_j)$$
When the sample points of the input space do not follow a spherical distribution, the input space is first mapped to a higher-dimensional space with the kernel trick, and the problem is then solved in the mapped space. The inner products in the formulas above are all replaced by the kernel function:
$$x_i\cdot x_j\;\rightarrow\;\phi(x_i)\cdot\phi(x_j)=K(x_i,x_j)$$
After the kernel function is introduced, the original formula becomes:
$$L=\sum_i\alpha_i\,K(x_i,x_i)-\sum_{i,j}\alpha_i\alpha_j\,K(x_i,x_j)$$
The constraints are unchanged, and the decision function becomes:
$$f_{SVDD}(z,\alpha,R)=I\!\left(\|\phi(z)-\phi(a)\|^2\le R^2\right)=I\!\left(K(z,z)-2\sum_i\alpha_i K(z,x_i)+\sum_{i,j}\alpha_i\alpha_j K(x_i,x_j)\le R^2\right)$$
Here the indicator function I is defined as:
$$I(A)=\begin{cases}1 & \text{if } A \text{ is true}\\ -1 & \text{otherwise}\end{cases}$$
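The kernel SVDD dual and decision function above, applied to short signaling sequences, as an added example that is not code from the patent. It assumes C ≥ 1, so the upper bound on $\alpha_i$ never binds and no sample is treated as an outlier, solves the dual with a simple Frank-Wolfe iteration (a solver chosen here, not one the patent names), and uses constructed sequences of signaling codes as feature vectors.

```python
import math

# Constructed sample: normal short signaling sequences (length 4), each
# treated as a vector of signaling codes. The codes are hypothetical.
NORMAL_SHORT = [(1, 2, 3, 4), (2, 3, 4, 1), (3, 4, 1, 2), (4, 1, 2, 3)]


def gaussian_kernel(x, y, sigma=2.0):
    """K(x, y) = exp(-||x - y||^2 / (2 sigma^2))."""
    dist2 = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.exp(-dist2 / (2.0 * sigma ** 2))


def distance_sq(z, model):
    """||phi(z) - phi(a)||^2 = K(z,z) - 2 sum_i a_i K(z,x_i) + sum_ij a_i a_j K_ij."""
    k = model["kernel"]
    cross = sum(a * k(z, x) for a, x in zip(model["alpha"], model["samples"]))
    return k(z, z) - 2.0 * cross + model["const"]


def train_svdd(samples, kernel=gaussian_kernel, iterations=500):
    """Maximize L = sum_i a_i K_ii - sum_ij a_i a_j K_ij on the simplex.

    Assumes C >= 1, so the constraint 0 <= a_i <= C reduces to a_i >= 0.
    """
    n = len(samples)
    gram = [[kernel(xi, xj) for xj in samples] for xi in samples]
    alpha = [1.0 / n] * n
    for t in range(iterations):
        # Gradient of the function being minimized, -L.
        grad = [2.0 * sum(gram[i][j] * alpha[j] for j in range(n)) - gram[i][i]
                for i in range(n)]
        best = min(range(n), key=lambda i: grad[i])
        step = 2.0 / (t + 2.0)
        # Frank-Wolfe step towards the best simplex vertex; sum(alpha) stays 1.
        alpha = [(1.0 - step) * a for a in alpha]
        alpha[best] += step
    const = sum(alpha[i] * alpha[j] * gram[i][j]
                for i in range(n) for j in range(n))
    model = {"samples": list(samples), "alpha": alpha,
             "const": const, "kernel": kernel}
    # At the exact optimum every support vector lies at distance R. With an
    # iterative solver, take the farthest training sample so that the sphere
    # contains all training data.
    model["r2"] = max(distance_sq(x, model) for x in samples)
    return model


def f_svdd(z, model):
    """Decision function: 1 (normal) inside the sphere, -1 (abnormal) outside."""
    return 1 if distance_sq(z, model) <= model["r2"] else -1


if __name__ == "__main__":
    svdd = train_svdd(NORMAL_SHORT)
    for seq in [(2, 3, 4, 1), (9, 9, 9, 9)]:
        print(seq, f_svdd(seq, svdd))
```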
(b) because the communication sequence that the normal users behavior produces exists continuity and regularity, therefore the discrete series that becomes when being a group adopts HMM to handle the data sample sequence of discrete time.Through earth station normal users signaling that behavior produces is simplified encoding process; Obtain the signaling sequence of symbolism; Estimate to obtain the parameter of model then with the Baum-Welch algorithm; Completion uses this HMM that whole earth station communication signalings of whole time period are carried out abnormality detection to the modeling of HMM, has realized the abnormality detection based on communication signaling.
As shown in Figure 5; HMM is a dual random process; Promptly include the random process of sightless (a hiding) subordinate random process, this sightless subordinate random process can only be observed through the random process of another set of generation observation sequence and obtained.
Suppose that certain earth station user behavior is normal in the satellite communication network,, be designated as: V the long communication signaling symbolism sequence that can be observed for producing in the period of T T={ v 1, v 2..., v X, the corresponding implicit communications status sequence of this visicode sequence is designated as: ω T={ ω 1, ω 2..., ω Y.The mechanism that latent status switch produces is through state transition probability, and this probability is designated as: P (ω j(t+1) | ω i(t))=a Ij, represent that some moment are in state ω iSituation under, the next state ω that constantly converts into jProbability.And under some state ω (t), the symbol v (t) that can be observed has corresponding probability equally, is designated as: P (v k(t) | ω j(t))=b JkModel can only observe visible symbol sebolic addressing, and can not directly know inner ω jBe in states such as talking state or call state.HMM is paid close attention to following 3 key problems:
Valuation problem: suppose to have a transition probability a IjAnd b JkAll known HMM calculates this model and produces some specific observation sequence V TProbability;
Decoding problem: suppose to have an observation sequence an of HMM and its generation, the most possible latent status switch ω that produces this visible sequence of decision T
Problem concerning study: suppose only to know the general configuration (such as latent state and visicode quantity) of a HMM, but a IjAnd b JkAll unknown, how from the training sequence of one group of visicode, determine these parameters.
Model representation be following form: λ=(A, B, π), A={a IjThe expression state transition probability matrix, B={b JkExpression may observe symbol probability matrix, π={ π l, 1≤l≤N representes initial state distribution, and P={p 1, p 2... p MM observation of expression assemble of symbol, Q={q 1, q 2..., q NN latent state set of expression.Here at first to solve problem concerning study, promptly confirm the transition probability a of model through proper communication signaling sequence training sample IjAnd b Jk, the present invention adopts famous Baum-Welch algorithm, and visicode quantity M=9, latent number of states N value respectively are 10,15 and 20 to carry out parameter Estimation, obtain 3 HMMs respectively.Then, communication signaling sequence to be tested is detected through model, see the probability of this signaling sequence and Model Matching, solve the valuation problem.Latent state can be talking state, hook state etc. in the satellite communication, and the visicode sequence is the sequence after the communication signaling symbolism, shape as: 2,5,1,8,7,6,4 ...
The Baum-Welch algorithm computes the model parameters A, B, π when only the observation sequence is known and the corresponding state sequence is not; it is an implementation of the maximum likelihood (EM) algorithm:
The algorithm starts from a rough or arbitrary estimate of $a_{ij}$ and $b_{jk}$ and then revises the estimate step by step according to formulas (5) and (6) below until convergence is reached.
$$\hat{a}_{ij} = \frac{\sum_{t=1}^{T} \gamma_{ij}(t)}{\sum_{t=1}^{T} \sum_{k} \gamma_{ik}(t)} \qquad (5)$$
$$\hat{b}_{jk} = \frac{\sum_{t=1,\; v(t)=v_k}^{T} \sum_{q} \gamma_{jq}(t)}{\sum_{t=1}^{T} \sum_{q} \gamma_{jq}(t)} \qquad (6)$$
Here $\gamma_{ij}(t)$ is defined as the probability of a transition from state $\omega_i(t-1)$ to state $\omega_j(t)$, and $P(V^T \mid \lambda)$ is the probability that the model produces the sequence $V^T$ along any hidden path. $\alpha_i(t)$ and $\beta_i(t)$ are given by formulas (7) and (8) respectively:
[Figure BSA00000373682500104: formulas (7) and (8)]
They give, respectively, the probability that the model is in hidden state $\omega_j$ at time $t$ and has produced the first $t$ symbols of the visible sequence $V^T$, and the probability that the model is in state $\omega_i$ at time $t$ and will produce the remainder of the target sequence after time $t$.
The HMM detection process is shown in Figure 5. After the model is built, normal and abnormal communication signaling is read from the network control center, encoded into symbols, and segmented with a sliding window of length K that advances one position at a time. If the test sequence has length T, the short-sequence set contains (T-K+1) short sequences of length K. The model is used to compute the output probability of each test short sequence. If the output probability of a test short sequence is less than a given threshold θ, the short sequence is marked as "mismatched" and a counter is incremented by 1. (The threshold θ characterizes the degree of match, or similarity, between a short sequence and the model: a short sequence whose probability is greater than θ is considered to match the model and is therefore a normal signaling sequence, because the model was trained only on normal communication signaling.) The ratio of the number of mismatched short sequences to the total number of short sequences in the test data is defined as the abnormality degree; when the abnormality degree exceeds another given threshold ε, the communication signaling is considered abnormal and alarm information is issued. K takes the values 4, 8, 12, 16 and 20 in turn (at least 4 signaling messages are needed to complete one normal communication process, so K is stepped by 4).
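The detection step described above, as an added example that is not code from the patent: it scores sliding windows with the forward algorithm and derives the abnormality degree. The model parameters are hand-set, constructed values standing in for a Baum-Welch-trained HMM; N = 4 hidden states, θ = 0.05 and ε = 0.2 are assumptions, and both signaling sequences are constructed.

```python
# Added example: constructed toy model, not the patent's trained HMM.
M = 9   # visible symbols, as in the description (signaling codes 1..9)
N = 4   # hidden states (assumption; the description trains N = 10, 15, 20)

# Hand-set parameters standing in for a Baum-Welch-trained lambda = (A, B, pi).
# Hidden state j prefers symbol j+1 and normally advances to the next state.
PI = [1.0 / N] * N
A = [[0.9 if j == (i + 1) % N else 0.1 if j == i else 0.0 for j in range(N)]
     for i in range(N)]
B = [[0.92 if k == j else 0.01 for k in range(M)] for j in range(N)]


def forward_probability(seq):
    """Evaluation problem: P(V | lambda) computed by the forward recursion."""
    if not seq or any(not 1 <= v <= M for v in seq):
        raise ValueError("sequence must be non-empty with symbols in 1..M")
    alpha = [PI[j] * B[j][seq[0] - 1] for j in range(N)]
    for v in seq[1:]:
        alpha = [B[j][v - 1] * sum(alpha[i] * A[i][j] for i in range(N))
                 for j in range(N)]
    return sum(alpha)


def short_sequences(seq, k):
    """All T-K+1 windows of length K; the window advances one symbol."""
    if k < 1 or len(seq) < k:
        raise ValueError("window length K must satisfy 1 <= K <= T")
    return [seq[s:s + k] for s in range(len(seq) - k + 1)]


def abnormality_degree(seq, k, theta):
    """Share of windows whose output probability falls below theta."""
    windows = short_sequences(seq, k)
    mismatched = sum(1 for w in windows if forward_probability(w) < theta)
    return mismatched / len(windows)


def is_abnormal(seq, k=4, theta=0.05, epsilon=0.2):
    """Alarm decision: abnormality degree above the second threshold."""
    return abnormality_degree(seq, k, theta) > epsilon


# Constructed symbolized signaling, T = 20 each.
NORMAL = [1, 2, 3, 4] * 5
# Same traffic with one exchange replaced by a repeated first message.
REPEATED = [1, 2, 3, 4] * 2 + [1, 1, 1, 1] + [1, 2, 3, 4] * 2

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("repeated", REPEATED)):
        degree = abnormality_degree(seq, 4, 0.05)
        print(f"{name}: abnormality={degree:.3f} alarm={is_abnormal(seq)}")
```

Because a window's output probability shrinks as K grows, θ has to be re-tuned for each window length rather than reused across K = 4, 8, 12, 16 and 20.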

Claims (4)

1. A satellite communication network anomaly detection method based on network control, characterized in that it is located within the overall framework of satellite communication network security protection and detects anomalies in audit data and anomalies in signaling sequences, comprising a data acquisition and preprocessing module, an audit detection module, a communication-signaling-based modeling module, an HMM model detection module, a pattern matching knowledge base modeling module, a pattern matching knowledge base detection module and a graphical user interface module; wherein the data acquisition and preprocessing module obtains detection data from the data acquisition interface, preprocesses it, and outputs it for use by each of the other modules; the audit detection module uses the typical clustering algorithm FCM to perform cluster analysis on a large volume of audit data, realizing post-event analysis; the communication-signaling-based modeling extracts and encodes the signaling and, through learning with the hidden Markov algorithm, establishes an HMM detection model based on normal signaling sequences; the HMM model detection module, on the basis of the model already established from normal signaling sequences, obtains in real time through the network interface the communication signaling sequence of an earth station over a period of working time, obtains simply encoded short signaling sequences through data preprocessing, detects the short sequences with the classifier, obtains the detection result, and inputs it to the graphical user interface module for processing, realizing real-time detection; the pattern matching knowledge base modeling, based on the regularity and determinism of earth station user behavior, compiles simple patterns of earth station user behavior and stores them as a knowledge base; during detection, the pattern matching knowledge base detection module obtains communication data in real time and matches and compares it with the earth station user behavior; behavior found to differ from the behavior patterns in the knowledge base is considered abnormal, and the result is input to the graphical user interface module for processing.
2. The satellite communication network anomaly detection method based on network control according to claim 1, characterized in that, for anomaly detection based on audit data, audit records describing earth station behavior are extracted from the network control database; after data preprocessing, quantified data for cluster analysis are obtained; the fuzzy C-means clustering algorithm from data mining technology is used to learn the normal audit data of the satellite communication network; the detection result is obtained by computing the degree to which the historical audit data deviate from each normal sample cluster pattern, establishing an anomaly detection mechanism for historical audit data.
3. The satellite communication network anomaly detection method based on network control according to claim 1, characterized in that anomaly detection based on communication signaling adopts a typical one-class classifier detection method, Support Vector Data Description: the selected model is trained with normal signaling training sequences to obtain a trained classifier model; the trained classifier model is tested with test signaling sequences; if the classifier accuracy meets the requirement, training ends; otherwise the classifier parameters are adjusted and the test is repeated.
4. The satellite communication network anomaly detection method based on network control according to claim 1, characterized in that anomaly detection based on communication signaling adopts an HMM: the signaling produced by normal earth station user behavior is simplified and encoded to obtain a symbolized signaling sequence; the Baum-Welch algorithm then estimates the model parameters, completing the modeling of the HMM; after the model is built, normal and abnormal communication signaling is read from the network control center, encoded into symbols, and segmented with a sliding window of length K that advances one position at a time; if the test sequence has length T, the short-sequence set contains (T-K+1) short sequences of length K; the HMM is used to compute the output probability of each test short sequence; if the output probability of a test short sequence is less than a given threshold θ, the short sequence is marked as "mismatched" and a counter is incremented by 1; the ratio of the number of mismatched short sequences to the total number of short sequences in the test data is defined as the abnormality degree; when the abnormality degree exceeds another given threshold ε, the communication signaling is considered abnormal and alarm information is issued.
CN201010574056.XA 2010-12-06 2010-12-06 Satellite communication network abnormity detection method based on network control Expired - Fee Related CN102487293B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010574056.XA CN102487293B (en) 2010-12-06 2010-12-06 Satellite communication network abnormity detection method based on network control

Publications (2)

Publication Number Publication Date
CN102487293A true CN102487293A (en) 2012-06-06
CN102487293B CN102487293B (en) 2014-09-03

Family

ID=46152750

Country Status (1)

Country Link
CN (1) CN102487293B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140903

CF01 Termination of patent right due to non-payment of annual fee