CN102487293A - Satellite communication network abnormity detection method based on network control - Google Patents
Satellite communication network abnormity detection method based on network control
- Publication number: CN102487293A
- Authority: CN (China)
- Prior art keywords: signaling, data, detection, sequence, satellite communication
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a satellite communication network anomaly detection method based on network control. A fuzzy C-means clustering algorithm is used to learn from normal audit data and establish an anomaly detection mechanism, which provides after-the-fact analysis of anomalous events. A support vector data description (SVDD) one-class classifier is used to summarize normal and abnormal short sequences, and a hidden Markov model is used to perform anomaly detection on the communication signaling of all earth stations over the whole time period, which provides real-time detection based on communication signaling. Using these after-the-fact analysis and real-time detection methods, a prototype satellite communication network anomaly detection system based on network control is implemented. The after-the-fact analysis method is suitable for large-scale data and has low missed-detection and false-alarm rates; the real-time detection method has good detection performance, a short signaling detection time and a fast reaction speed, so the goal of online detection can be achieved and the security of the signaling system can be enhanced.
Description
Technical field
The invention belongs to the field of satellite communication network anomaly detection technology, and in particular relates to a satellite communication network anomaly detection method based on network control.
Background technology
With the continuous development of computer and communication technology, intrusions into computers and networks using unknown new methods are becoming more and more serious, which makes anomaly detection increasingly important. Anomaly detection is a branch of intrusion detection, where an intrusion means any set of activities that attempts to compromise the integrity, confidentiality or availability of a resource. Anomaly detection rests on the assumption that an intruder's activity differs from the activity of a normal subject and that the two can be told apart; this difference is then used as the basis for judging whether a behavior is an intrusion. The conventional approach is to build a profile of the "normal activity" of a system or user. During detection, the anomaly detection program generates a profile of the current activity and compares it with the normal profile; if the deviation exceeds a certain threshold, the activity is considered an intrusion and the corresponding mechanism is triggered. Anomaly detection depends little on the specific system, so it generalizes well, and its biggest advantage is that it can detect intrusion behavior that is currently still unknown.
Anomaly detection techniques can be divided into four main categories:
(1) Anomaly detection based on statistics
In this technique, the anomaly detector observes the activity of a subject and then generates profiles that characterize that activity. Each profile records the subject's current behavior, and the current profile is periodically merged with the stored profile. Abnormal behavior is identified by comparing the current profile with the stored one. This was the earliest anomaly detection technique to be developed and is also the most mature and most practical. It has some shortcomings, however: the threshold is hard to determine, and a value that is too low or too high easily produces false alarms or missed detections; attacks that exploit relationships in the order of events are hard to detect.
(2) Anomaly detection based on predictive patterns
This method assumes that event sequences are not random but follow recognizable patterns; its distinguishing feature is that it takes the order of events and the relationships between them into account. Teng and Chen proposed the time-based inductive machine (TIM), which uses temporal rules to identify the characteristics of a user's normal behavior patterns. The rule sets are generated by inductive learning, and the rules in the system are modified dynamically so that they have higher predictive power, accuracy and confidence. If a rule is correct most of the time and can be applied successfully to predict the observed data, the rule has high confidence. The shortcomings of the method are that it is computationally expensive and easily produces a high false alarm rate.
(3) Anomaly detection based on system calls
Forrest et al. consider that the normal behavior of a program can be characterized by the local patterns (short sequences) of its execution trace, and that deviations from these patterns can be regarded as anomalies. The method relies on two properties of program execution: the execution trace of a program running normally is locally consistent, and when an anomaly occurs the trace contains local patterns that differ from the normal ones. The typical method using this technique is the time-delay embedding sequence method proposed by Forrest et al.: the normal behavior profile of a program is built in advance from contiguous sequences of a given length K; during detection, the sequences of the execution trace under test are compared with the normal profile, and an anomaly is declared when the number of mismatching trace sequences exceeds a threshold. The analysis and modeling in this method are fairly simple, but its main weakness lies in detecting cooperative attacks and impersonators.
(4) Anomaly detection based on artificial intelligence
Applying artificial intelligence techniques to anomaly detection can improve detection performance. These techniques mainly include artificial neural networks, data mining and artificial immune systems.
Artificial neural networks: the structure and function of each neuron in an artificial neural network are relatively simple and limited, but the "microscopic" activity of many such neurons produces a complex "macroscopic effect" that can accomplish a variety of complex information recognition and processing tasks. Several neural network models have already been used in IDS. Given the system's audit trace data, a neural network can learn by itself to extract the characteristic patterns of normal user or system activity, without needing the statistical distribution of the feature set and feature measurements that describe user behavior. However, the computational cost is high.
Data mining: Wenke Lee and Salvatore J. Stolfo applied data mining to intrusion detection research. The goal of their research was to reduce, as far as possible, the manual and experience-based components in building an intrusion detection system. They take a data-centric view and treat intrusion detection as a data analysis process. For real-time intrusion detection, however, problems remain: effective data mining algorithms and a matching distributed system still need to be developed.
Artificial immune systems: research on intrusion detection models based on artificial immune systems follows two directions. One is an immune model that monitors the sequences of key system calls on a host; the other is an immune model for network data. Because the immune system is distributed, diverse, has memory and is extensible, these properties can be used to build intrusion detection models that are distributed, efficient and self-organizing. The drawback is that there is not yet a complete theoretical framework for artificial immunity, nor a reasonably effective antigen recognition algorithm.
A satellite communication network is a complex integrated system. Earth stations are the nodes of the network, and their normal operation directly affects the quality and security of the whole network. Earth station anomalies cover many aspects: besides earth station faults, they include an earth station being counterfeited, lost, used by an unauthorized user, or captured by the enemy in wartime, and so on. Because the data of an earth station and the signaling it sends directly reflect user behavior, anomaly detection for a satellite communication network is mainly detection of earth stations. Attacks that take the form of abnormal behavior are hard to detect with traditional detection methods. At present, satellite network management has not yet put forward an effective anomaly detection mechanism or solution for this problem.
Summary of the invention
The object of the invention is to provide a method that can detect abnormal earth station behavior in a satellite communication network from two aspects, after-the-fact analysis and real-time detection, and raise an anomaly alarm to the user, thereby achieving anomaly detection for satellite communication networks based on network control.
The technical solution that achieves this object is a satellite communication network anomaly detection method based on network control, which sits within the overall framework of satellite communication network security protection and detects anomalies in audit data and in signaling sequences. It comprises a data acquisition and preprocessing module, an audit detection module, HMM-based communication signaling modeling, an HMM model detection module, pattern matching knowledge base modeling, a pattern matching knowledge base detection module and a graphical user interface module. The data acquisition and preprocessing module obtains detection data from the data acquisition interface, preprocesses it and passes it to the other modules. The audit detection module uses the typical clustering algorithm FCM to cluster large amounts of audit data, which provides after-the-fact analysis. HMM-based communication signaling modeling extracts and encodes the signaling and, by learning with the hidden Markov algorithm, builds an HMM detection model based on normal signaling sequences. On the basis of that model, the HMM model detection module obtains in real time, through the network interface, the communication signaling sequence of an earth station over a period of operation; after data preprocessing this yields simply coded short signaling sequences, which are checked with the classifier, and the detection results are passed to the graphical user interface module for handling, which provides real-time detection. Pattern matching knowledge base modeling uses the regularity and determinism of earth station user behavior to collect simple patterns of that behavior and store them as a knowledge base. During detection, the pattern matching knowledge base detection module obtains communication data in real time and matches it against the earth station user behavior; a behavior pattern that differs from those in the knowledge base is considered anomalous, and the result is passed to the graphical user interface module for handling.
Compared with the prior art, the invention has the following notable advantages: (1) it can effectively protect a satellite communication network against the various "signaling attacks" launched from earth stations; (2) by combining prior domain knowledge with machine learning, the method for detecting abnormal earth station behavior from audit data is efficient and accurate, scales to large data sets, and has low missed-detection and false-alarm rates; (3) it applies machine learning to the analysis of satellite communication signaling in a novel way and proposes an HMM anomaly detection method based on short time sequences, which not only has good detection performance but also needs very little time to check signaling and reacts quickly, so it can achieve online detection and strengthen the security of the signaling system; (4) it improves the efficiency of security staff on duty and reduces their workload.
The invention is described in further detail below with reference to the accompanying drawings.
Description of drawings
Fig. 1 is the overall framework diagram of satellite communication network security protection.
Fig. 2 is a diagram of the core modules of satellite communication network anomaly detection based on network control.
Fig. 3 is the workflow diagram of satellite communication network anomaly detection based on network control.
Fig. 4 is a diagram of the classifier selection and training process.
Fig. 5 is a diagram of the anomaly detection model based on hidden Markov.
Embodiment
1, The invention performs anomaly detection within the overall framework of satellite communication network security protection. It is intended for all kinds of satellite network control systems and detects abnormal behavior in a satellite communication system in a timely manner. Fig. 1 shows the overall framework of satellite communication network security protection. The protection framework covers four aspects: the security protection system of the network control center server, earth station abnormal behavior detection, satellite communication control channel security, and general signaling system design.
(a) The security protection system of the network control center server comprises access control mechanisms, authentication, an encryption system and an intrusion detection system. General network security protection techniques are used to protect the network control center server, in particular against two major classes of attack: unauthorized local access by a remote user (R2L) and unauthorized acquisition of superuser privileges (U2R).
(b) The earth station abnormal behavior detection subsystem implements the satellite communication network anomaly detection method based on network control. It mainly comprises anomaly detection on audit data and anomaly detection on the signaling sequences sent by each earth station. This subsystem is aimed mainly at the various attacks launched against the network control center by counterfeit legitimate earth stations. After attacking the network control center, an attacker leaves traces of the attack in the system's audit records, and clustering is used to find abnormal behavior in the massive audit data; this method is "after-the-fact analysis". The signaling sequence anomaly detection model learns the behavior of normal earth stations, and any signaling sequence that deviates from the normal earth station "profile" is considered anomalous, which gives anomaly detection based on earth station signaling sequences. Because the model monitors and checks the signaling sequences sent by all earth stations, it is "real-time monitoring".
(c) Satellite communication control channel security comprises two parts, namely single channel encryption and channel anti-interference.
(d) The general signaling system design of the satellite communication network emphasizes the security design of the signaling. The security threats faced by satellite communication networks and the existing security measures are analyzed and, taking the characteristics of satellite communication networks into account, a secure, general signaling system is designed; its security is formally analyzed using protocol verification methods.
2, The satellite communication network anomaly detection method based on network control can detect abnormal earth station behavior in a satellite communication network from two aspects, after-the-fact analysis and real-time detection, and raise an anomaly alarm to the user. The system has two interfaces: a data acquisition interface and a graphical user interface. The data acquisition interface comprises a database interface and a UDP frame interface and is responsible for obtaining training and detection data from the ORACLE database and from UDP frames. The graphical user interface is the visual human-machine interface that the system offers the user; through it the user can monitor the system in real time and change the system parameter configuration. The method is implemented by the following seven core modules, as shown in Fig. 2:
(a) Data acquisition and preprocessing module: obtains detection data from the data acquisition interface and applies standardization and normalization preprocessing to it, producing standard data that can be processed by cluster analysis, training and real-time detection; depending on the user's choice, the resulting standard data can then be stored in a file or in the database;
(b) Pattern matching knowledge base modeling: using the regularity and determinism of earth station user behavior, collects some simple patterns of that behavior and stores them as a knowledge base;
(c) Pattern matching knowledge base detection: obtains communication data in real time and matches it against the earth station user behavior; a behavior pattern that differs from those in the pattern matching knowledge base is considered anomalous, and the result is passed to the graphical user interface module for handling;
(d) Audit detection module: uses the typical clustering algorithm FCM to cluster the large amount of audit data recorded in the network control center database and find abnormal behavior;
(e) HMM modeling: through the interface with the satellite communication system, obtains in real time the signaling exchanged between earth stations and the network control center and, by learning with the hidden Markov algorithm, obtains the state transition matrix and the visible-symbol transition matrix, building an HMM detection model based on normal signaling sequences.
(f) HMM model detection: on the basis of the model built from normal signaling sequences, obtains in real time, through the network interface, the communication signaling sequence of an earth station over a period of operation; after data preprocessing this yields simply coded short signaling sequences, which are checked with the classifier, and the detection results are passed to the graphical user interface module for handling.
(g) Graphical user interface: receives the detection results of the pattern matching, audit detection and HMM real-time detection modules and displays each result in an intuitive graphical form such as charts; it provides an interface for the user to set system parameters, and an interface that accepts manual intervention and feeds the result of the intervention back into the system.
The satellite communication network anomaly detection method based on network control checks the system from two aspects, audit records and real-time signaling sequences, assisted by pattern matching detection; its workflow is shown in Fig. 3. On the one hand, the system extracts audit records from the network control center database; data preprocessing turns them into numerical data for cluster analysis, and cluster analysis yields the detection results for the historical audit data. Data collected from the database is used, through learning with the pattern matching algorithm, to build the pattern library. Data frames are then obtained through the interface between the system and the network management system, and the corresponding data fields in each frame are matched against the library. A mismatch indicates that an anomaly has occurred; if it is a misjudgment, the operator can intervene so that the misjudged record is added to the library. On the other hand, the anomaly detection system obtains, through its interface with the network management system, the signaling exchanged between earth stations and network control. Data preprocessing yields the normal signaling sequences used to train the classifier and the short signaling sequences to be checked. The hidden Markov algorithm is used to learn from the normal signaling sequences and obtain a one-class classifier based on them. Once the classifier is available, the short signaling sequences obtained in real time are checked. If the operator finds that a detection result is wrong, the newly observed sequence can be added to the training sequences and the classifier retrained, giving an updated classifier.
3, Anomaly detection based on audit data in the satellite communication network anomaly detection method based on network control
Audit records describing earth station behavior are extracted from the network control database and, after data preprocessing, turned into numerical data for cluster analysis. The fuzzy C-means (FCM) clustering algorithm from data mining is used to learn from the normal audit data of the satellite communication network. The degree to which historical audit data deviates from each normal sample cluster pattern is computed to obtain the detection results for the historical audit data, which establishes the anomaly detection mechanism. Finding abnormal behavior in massive audit data with machine learning methods such as cluster analysis is "after-the-fact analysis".
Fuzzy c-means clustering (FCM) assumes that each sample belongs to a class in a "fuzzy" way: it can belong to one class and also to another. Let (where $R^s$ is the data set), and $u = \{u_{ik}\}_{c \times n} \in M_{fcn}$ (where $M_{fcn}$ is the partition matrix), with cluster centers $v = \{v_1, v_2, \ldots, v_c\}$, $v_i \in R^s$, $1 < m < +\infty$, $2 \le c < n$; the global objective function of FCM is then defined as follows:
where m is a free parameter that controls the degree of mixing between different classes, called the fuzzy index;
The constraint on formula (1) is:
It can be seen that when $u_{ik} = 0$, this objective function equals the objective function of k-means; when $u_{ik} > 0$, each sample is allowed to belong to several classes. Minimizing the objective function gives:
$J_m$ is minimized when each cluster center is close to the points that have a high estimated probability $u_{ik}$ of belonging to its class. Because an analytic solution of formulas (3) and (4) is hard to find, the cluster means and point probabilities are estimated iteratively. The algorithm steps are as follows:
(a) input the parameters n, c, m and u;
(b) normalize $u_{ik}$ according to the constraint;
(c) do: recompute $u_{ik}$ by formula (3);
(d) recompute $v_i$ by formula (4);
(e) until the changes in $u_{ik}$ and $v_i$ are very small;
(f) return u.
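The iteration in steps (a) to (f), applied to audit data, as an added example that is not part of the patent: it uses the standard FCM membership and center updates (assumed here to be what formulas (3) and (4) denote), derives the initial memberships from farthest-point seed centers, and scores historical records by their distance to the nearest normal cluster. The two audit features, the station identifiers, the radius-based deviation measure and the limit of 3 are all constructed for illustration.

```python
import math

def dist2(a, b):
    """Squared Euclidean distance between two feature vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def seed_centers(data, c):
    """Deterministic farthest-point seeding (an assumption; the text takes u as an input)."""
    seeds = [data[0]]
    while len(seeds) < c:
        seeds.append(max(data, key=lambda x: min(dist2(x, s) for s in seeds)))
    return seeds

def memberships(data, centers, m):
    """Standard FCM update: u_ik = 1 / sum_j (d_ik / d_jk)^(2/(m-1)); each column sums to 1."""
    u = [[0.0] * len(data) for _ in centers]
    for k, x in enumerate(data):
        d = [dist2(x, v) for v in centers]
        on_center = [i for i, di in enumerate(d) if di == 0.0]
        for i in range(len(centers)):
            if on_center:   # sample coincides with a center: avoid dividing by zero
                u[i][k] = 1.0 / len(on_center) if i in on_center else 0.0
            else:           # d holds squared distances, hence the exponent 1/(m-1)
                u[i][k] = 1.0 / sum((d[i] / dj) ** (1.0 / (m - 1)) for dj in d)
    return u

def update_centers(data, u, m):
    """Standard FCM update: v_i = sum_k u_ik^m x_k / sum_k u_ik^m."""
    centers = []
    for row in u:
        w = [uik ** m for uik in row]
        centers.append([sum(wk * x[f] for wk, x in zip(w, data)) / sum(w)
                        for f in range(len(data[0]))])
    return centers

def fcm(data, c, m=2.0, tol=1e-6, max_iter=100):
    """Alternate center and membership updates until u changes by less than tol."""
    u = memberships(data, seed_centers(data, c), m)
    for _ in range(max_iter):
        centers = update_centers(data, u, m)
        new_u = memberships(data, centers, m)
        change = max(abs(a - b) for old, new in zip(u, new_u) for a, b in zip(old, new))
        u = new_u
        if change < tol:
            break
    return centers, u

def cluster_radii(data, centers, u, m):
    """Membership-weighted RMS distance of the normal samples to each center."""
    radii = []
    for v, row in zip(centers, u):
        w = [uik ** m for uik in row]
        radii.append(math.sqrt(sum(wk * dist2(x, v) for wk, x in zip(w, data)) / sum(w)))
    return radii

def deviation(record, centers, radii):
    """Deviation degree: smallest distance to a normal cluster, in units of its radius."""
    return min(math.sqrt(dist2(record, v)) / max(r, 1e-9) for v, r in zip(centers, radii))

def audit_outliers(history, centers, radii, limit=3.0):
    """Identifiers of the historical records whose deviation degree exceeds limit."""
    return [station for station, rec in history if deviation(rec, centers, radii) > limit]

# Constructed, already normalised audit features per record:
# (calls per hour, mean call duration). Two normal usage modes.
NORMAL_AUDIT = [
    (0.18, 0.82), (0.22, 0.78), (0.20, 0.85), (0.25, 0.80), (0.15, 0.79), (0.21, 0.76),
    (0.68, 0.32), (0.72, 0.28), (0.70, 0.35), (0.75, 0.30), (0.65, 0.29), (0.71, 0.26),
]
# Constructed historical records to analyse after the fact.
HISTORY = [("ES-07", (0.19, 0.81)), ("ES-12", (0.73, 0.27)),
           ("ES-31", (0.90, 0.90)), ("ES-44", (0.45, 0.55))]

CENTERS, U = fcm(NORMAL_AUDIT, c=2)
RADII = cluster_radii(NORMAL_AUDIT, CENTERS, U, m=2.0)

if __name__ == "__main__":
    for station, rec in HISTORY:
        print(station, round(deviation(rec, CENTERS, RADII), 2))
    print("outliers:", audit_outliers(HISTORY, CENTERS, RADII))
```

Because the clusters are learned from normal data only, a record that lies between the two usage modes is reported just like one that lies far outside both.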
4, the present invention is based on abnormality detection in the satellite communication network method for detecting abnormality of network control based on communication signaling
(a) A typical one-class classifier detection method, support vector data description, is used to perform one-class classification on the small number of samples collected and to build libraries of normal and abnormal short sequences, which guide network management staff in handling network signaling anomalies.
The selected model is trained with normal signaling training sequences to obtain a trained classifier model, which is then tested with test signaling sequences. If the classifier's accuracy meets the requirement, training ends; otherwise the classifier's parameters are adjusted and it is tested again. Fig. 4 shows the classifier selection and training process.
The basic idea of support vector data description (SVDD) is to use a Gaussian kernel function to map the sample space into a kernel space and to find, in the kernel space, a sphere that contains all the training data. At decision time, a test sample that lies inside this high-dimensional sphere is considered normal; otherwise it is considered anomalous. Suppose the model $f(x; w)$ represents a closed, bounded data set that is enclosed and described by a hypersphere $\varepsilon_{struct}(R, a)$. The sphere is represented by its center a and radius R, and all samples of the training set fall inside it. To make the result more robust, a slack variable is introduced for each sample, as in SVM, to control the influence of outliers on the solution. The minimization problem therefore takes the following form:
$\varepsilon_{struct}(R, a) = R^2$
Its constraints are:
The parameter C is similar to the control variable in SVM.
Solving the minimization problem under the above constraints with the Lagrange function gives:
subject to:
Suppose z is a test sample. If the following formula is satisfied, z is judged to belong to the normal class, otherwise to the anomalous class; this is equivalent to z falling inside the hypersphere.
where R is the distance from any support vector $x_k$ to the sphere center a:
When the sample points in the input space do not follow a spherical distribution, the input space is first mapped to a higher-dimensional space with the kernel trick, and the problem is then solved in the mapped space. The inner products in the formulas above are all converted to kernel function form:
$x_i \cdot x_j \to \phi(x_i) \cdot \phi(x_j) = K(x_i, x_j)$
After the kernel function is introduced, the original formula takes the following form:
The constraints are unchanged, and the decision function becomes:
Here the indicator function I is defined as:
(b) Because the communication sequences produced by normal user behavior are continuous and regular, they form a set of time-varying discrete sequences, so an HMM is used to process the discrete-time data sample sequences. The signaling produced by normal earth station user behavior is simplified and encoded to obtain symbolized signaling sequences; the model parameters are then estimated with the Baum-Welch algorithm, which completes the HMM modeling. This HMM is used to perform anomaly detection on all earth station communication signaling over the whole time period, achieving anomaly detection based on communication signaling.
As shown in Fig. 5, an HMM is a doubly stochastic process, that is, a stochastic process containing an invisible (hidden) underlying stochastic process, which can only be observed through another stochastic process that produces the observation sequence.
Suppose the behavior of a given earth station user in the satellite communication network is normal. The observable symbolized communication signaling sequence of length T produced during a period is denoted $V^T = \{v_1, v_2, \dots, v_X\}$, and the hidden communication state sequence corresponding to this visible symbol sequence is denoted $\omega^T = \{\omega_1, \omega_2, \dots, \omega_Y\}$. The hidden state sequence is generated through state transition probabilities, denoted $P(\omega_j(t+1) \mid \omega_i(t)) = a_{ij}$: the probability that the model, being in state $\omega_i$ at some moment, moves to state $\omega_j$ at the next moment. Likewise, in a given state $\omega(t)$ each observable symbol $v(t)$ has a corresponding probability, denoted $P(v_k(t) \mid \omega_j(t)) = b_{jk}$. Only the visible symbol sequence can be observed; it cannot be known directly whether the internal state $\omega_j$ is a talking state, a calling state, and so on. An HMM is concerned with the following 3 key problems:
Evaluation problem: given an HMM whose transition probabilities $a_{ij}$ and $b_{jk}$ are all known, compute the probability that the model produces a particular observation sequence $V^T$;
Decoding problem: given an HMM and an observation sequence it produced, determine the hidden state sequence $\omega^T$ most likely to have produced this visible sequence;
Learning problem: given only the general structure of an HMM (such as the number of hidden states and of visible symbols), with $a_{ij}$ and $b_{jk}$ unknown, determine these parameters from a set of training sequences of visible symbols.
The model is represented as $\lambda = (A, B, \pi)$, where $A = \{a_{ij}\}$ is the state transition probability matrix, $B = \{b_{jk}\}$ is the observable symbol probability matrix, $\pi = \{\pi_l\}$, $1 \le l \le N$, is the initial state distribution, $P = \{p_1, p_2, \dots, p_M\}$ is the set of M observation symbols, and $Q = \{q_1, q_2, \dots, q_N\}$ is the set of N hidden states. The learning problem must be solved first, that is, the model's transition probabilities $a_{ij}$ and $b_{jk}$ are determined from training samples of normal communication signaling sequences. The present invention uses the well-known Baum-Welch algorithm with M = 9 visible symbols and N = 10, 15 and 20 hidden states to estimate the parameters, obtaining 3 HMMs. The communication signaling sequence under test is then checked against the model to find the probability that it matches the model, which solves the evaluation problem. In satellite communication the hidden states can be the talking state, the hook state and so on, and the visible symbol sequence is the symbolized communication signaling sequence, of the form 2, 5, 1, 8, 7, 6, 4, ...
The Baum-Welch algorithm computes the model parameters A, B and π when only the observation sequence is known and the corresponding state sequence is not; it is an implementation of the maximum likelihood algorithm (EM):
The algorithm starts from a rough or arbitrary estimate of $a_{ij}$ and $b_{jk}$, and then revises it step by step according to formula (5) and formula (6) below until convergence is reached.
Here, the quantity
is defined as the probability of a transition from state $\omega_i(t-1)$ to state $\omega_j(t)$, and $P(V^T \mid \lambda)$ is the probability that the model produces the sequence $V^T$ along any hidden path. $\alpha_i(t)$ and $\beta_i(t)$ are given by formulas (7) and (8) respectively:
They compute, respectively, the probability that the model is in hidden state $\omega_j$ at time t and has produced the first t symbols of the visible sequence $V^T$, and the probability that the model is in state $\omega_i$ at time t and will produce the target sequence after time t.
The HMM detection process is shown in Figure 5. After the model is built, normal and abnormal communication signaling are read from the network control center and encoded into symbols, and the signaling sequence is split with a sliding window of length K that advances one position at a time. If the test sequence has length T, the set of short sequences contains (T-K+1) short sequences of length K, and the model is used to compute the output probability of each test short sequence. The given threshold θ characterizes the degree of match, or similarity, between a short sequence and the model: a short sequence whose output probability exceeds θ is considered to match the model and is a normal signaling sequence, because the model was trained only on normal communication signaling. If the output probability of a test short sequence is less than θ, the short sequence is marked as "not matching" and a counter is incremented by 1. The ratio of unmatched short sequences to the total number of short sequences in the test data is defined as the abnormality degree; when the abnormality degree exceeds another given threshold ε, the communication signaling is considered abnormal and an alarm is raised. K takes the values 4, 8, 12, 16 and 20 in turn (at least 4 signaling messages are needed to complete one normal communication process, so K is stepped by 4).
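The sliding-window detection just described, as an added example that is not part of the patent: a scaled forward algorithm scores each length-K short sequence against the model, and the abnormality degree is compared with ε. The 4-state, 4-symbol cyclic model (a stand-in for Baum-Welch-trained parameters), the sample sequences and the values θ = 0.05 and ε = 0.2 are constructed assumptions.

```python
import math


def cyclic_model(n=4, p=0.94):
    """Constructed stand-in for a Baum-Welch-trained lambda = (pi, A, B).

    State i mostly emits symbol i and mostly moves to state i+1, mimicking
    the four signaling messages of one normal communication.
    """
    q = (1.0 - p) / (n - 1)
    pi = [1.0 / n] * n  # uniform: a window may start anywhere in the cycle
    A = [[p if j == (i + 1) % n else q for j in range(n)] for i in range(n)]
    B = [[p if k == i else q for k in range(n)] for i in range(n)]
    return pi, A, B


def forward_log_prob(obs, model):
    """log P(obs | lambda) by the forward algorithm with per-step scaling."""
    pi, A, B = model
    n, m = len(pi), len(B[0])
    if any(not 0 <= o < m for o in obs):
        return float("-inf")  # symbol outside the trained alphabet
    alpha = [pi[i] * B[i][obs[0]] for i in range(n)]
    log_p = 0.0
    for t in range(len(obs)):
        if t > 0:
            alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][obs[t]]
                     for j in range(n)]
        scale = sum(alpha)
        if scale == 0.0:
            return float("-inf")  # the model cannot produce this window
        alpha = [a / scale for a in alpha]  # rescale to avoid underflow
        log_p += math.log(scale)
    return log_p


def short_sequences(seq, k):
    """Sliding window of length k, step 1: T-K+1 short sequences."""
    if k <= 0 or k > len(seq):
        raise ValueError("window length K must satisfy 1 <= K <= T")
    return [seq[s:s + k] for s in range(len(seq) - k + 1)]


def abnormality_degree(seq, k, theta, model):
    """Share of short sequences whose output probability is below theta."""
    windows = short_sequences(seq, k)
    log_theta = math.log(theta)
    mismatches = sum(1 for w in windows
                     if forward_log_prob(w, model) < log_theta)
    return mismatches / len(windows)


def is_anomalous(seq, k, theta, epsilon, model):
    """Raise the alarm when the abnormality degree exceeds epsilon."""
    return abnormality_degree(seq, k, theta, model) > epsilon


# Constructed sample data (not from the patent).
MODEL = cyclic_model()
K, THETA, EPSILON = 4, 0.05, 0.2
NORMAL = [0, 1, 2, 3] * 5                         # regular signaling cycle
SUSPECT = NORMAL[:8] + [0, 0, 0, 0] + NORMAL[:8]  # repeated setup messages

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("suspect", SUSPECT)):
        degree = abnormality_degree(seq, K, THETA, MODEL)
        print(name, round(degree, 3), is_anomalous(seq, K, THETA, EPSILON, MODEL))
```

Scoring in the log domain keeps the comparison with θ stable for the longer windows (K up to 20), where the raw product of probabilities becomes very small.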
Claims (4)
1. A satellite communication network anomaly detection method based on network control, characterized in that it sits within the overall framework of satellite communication network security protection and detects both audit data anomalies and signaling sequence anomalies, and comprises a data acquisition and preprocessing module, an audit detection module, a communication-signaling-based modeling module, an HMM model detection module, a pattern matching knowledge base modeling module, a pattern matching knowledge base detection module and a graphical user interface module; wherein the data acquisition and preprocessing module obtains the detection data from the data acquisition interface, preprocesses it and outputs it for use by the other modules; the audit detection module uses the typical clustering algorithm FCM to perform cluster analysis on a large amount of audit data, realizing after-the-fact analysis; the communication-signaling-based modeling extracts and encodes the signaling and, through learning with the hidden Markov algorithm, builds an HMM detection model based on normal signaling sequences; the HMM model detection module, on the basis of the model built from normal signaling sequences, obtains in real time through the network interface the communication signaling sequence of a given earth station over a period of operation, obtains through data preprocessing the simply encoded signaling short sequences, detects the short sequences with the classifier to obtain a detection result, and inputs the result to the graphical user interface module for processing, realizing real-time detection; the pattern matching knowledge base modeling, based on the regularity and determinism of earth station user behavior, compiles statistics on simple patterns of earth station user behavior and stores them as a knowledge base; during detection the pattern matching knowledge base detection module obtains communication data in real time and compares it with the earth station user behavior, and if a difference from the behavior patterns in the knowledge base is found, the behavior is considered abnormal and the result is input to the graphical user interface module for processing.
2. The satellite communication network anomaly detection method based on network control according to claim 1, characterized in that, for the anomaly detection based on audit data, audit records describing earth station behavior are extracted from the network control database and, after data preprocessing, quantized data for cluster analysis are obtained; the fuzzy C-means clustering algorithm from data mining technology is used to learn the normal audit data of the satellite communication network; the degree to which historical audit data deviate from each normal sample cluster pattern is computed to obtain the detection result, establishing an anomaly detection mechanism for historical audit data.
3. The satellite communication network anomaly detection method based on network control according to claim 1, characterized in that the anomaly detection based on communication signaling uses a typical one-class classifier detection method, support vector data description: the selected model is trained with normal signaling training sequences to obtain a trained classifier model, and the trained classifier model is tested with test signaling sequences; if the classifier accuracy meets the requirement, training ends; otherwise the classifier parameters are adjusted and the test is repeated.
4. The satellite communication network anomaly detection method based on network control according to claim 1, characterized in that the anomaly detection based on communication signaling uses an HMM: the signaling produced by the normal user behavior of an earth station is simplified and encoded to obtain a symbolized signaling sequence, and the Baum-Welch algorithm then estimates the model parameters, completing the HMM modeling; after the model is built, normal and abnormal communication signaling are read from the network control center and encoded into symbols, and the signaling sequence is split with a sliding window of length K that advances one position at a time; if the test sequence has length T, the set of short sequences contains (T-K+1) short sequences of length K, and the HMM is used to compute the output probability of each test short sequence; if the output probability of a test short sequence is less than a given threshold θ, the short sequence is marked as "not matching" and a counter is incremented by 1; the ratio of unmatched short sequences to the total number of short sequences in the test data is defined as the abnormality degree; when the abnormality degree exceeds another given threshold ε, the communication signaling is considered abnormal and an alarm is raised.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010574056.XA CN102487293B (en) | 2010-12-06 | 2010-12-06 | Satellite communication network abnormity detection method based on network control |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102487293A (en) | 2012-06-06 |
CN102487293B (en) | 2014-09-03 |
Family ID=46152750
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010574056.XA Expired - Fee Related CN102487293B (en) | 2010-12-06 | 2010-12-06 | Satellite communication network abnormity detection method based on network control |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102487293B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN102487293B (en) | 2014-09-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20140903 |