CN106375156A - Power network traffic anomaly detection method and device - Google Patents
- Publication number
- CN106375156A (application number CN201610874427.3A)
- Authority
- CN
- China
- Prior art keywords
- bag
- data traffic
- electric power
- distance
- power networks
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
  - H04L43/12—Network monitoring probes
  - H04L43/50—Testing arrangements
- H04L47/00—Traffic control in data switching networks; H04L47/10—Flow control; Congestion control; H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
  - H04L47/2441—Traffic characterised by specific attributes relying on flow classification, e.g. using integrated services [IntServ]
  - H04L47/2483—Traffic characterised by specific attributes involving identification of individual flows
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a power network traffic anomaly detection method and device. The method comprises the steps of collecting the data traffic packets of a power network, each data traffic packet being composed of the data of multiple fields, building a k-d tree based on the data traffic packets, and performing anomaly detection on the data traffic packets. With the method and device, the power network traffic does not need to be classified specifically during detection, which reduces detection difficulty; the method adapts well to various newly emerging anomalies; and after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost is clearly reduced.
Description
Technical field
The present application relates to traffic anomaly detection technology for power data networks, and in particular to a power network traffic anomaly detection method and device.
Background technology
With the construction of the smart grid, the power data network and the business systems it carries have developed rapidly, and large volumes of network traffic are generated every day. Some abnormal traffic appears mixed into the normal traffic; it causes great damage to the network and can make the quality of network service drop sharply, which is a very serious problem for a power data network with high reliability requirements. Detecting abnormal traffic is therefore an important part of power data network operation and maintenance.
Several related traffic anomaly detection schemes are described below.
Scheme 1: the paper "Group traffic anomaly detection based on wavelet decomposition" (Journal of Electronic Measurement and Instrumentation, 2010, 24(4): 365-370) addresses the problems of processing massive data and the relatively low anomaly detection rate in large-scale networks by introducing the concept of groups into anomaly detection, and proposes a three-layer detection method that combines wavelet decomposition with deviation values.
Scheme 2: the paper "Network traffic anomaly detection method based on active entropy" (Journal on Communications, 2013, 34(z2): 51-57) proposes a network traffic analysis method based on entropy theory, using the long-range correlation properties of traffic over spatial information units; it improves on entropy theory and proposes several methods, such as information entropy, conditional entropy and active entropy, for traffic anomaly detection.
Scheme 3: patent application CN201210560973.1 proposes an anomaly detection method based on network traffic analysis. Its main steps are: (1) data preprocessing: obtain the host's Internet traffic, then preprocess it according to an initial feature set and a preset time window length, extracting the initial feature values of the host traffic in each time interval to form a sample set; (2) feature selection; (3) anomaly detection: classify unknown samples using the selected feature subset and a Bayesian classification algorithm, and raise an alert if the classification result is abnormal.
Scheme 4: patent application CN201010224404.0 proposes a rapid detection method for network traffic anomalies. The technical scheme judges the occurrence of anomalies using the Hurst index, which describes the fractal characteristics of network traffic. Its main steps are: sample new traffic data, use the data to compute the Hurst index iteratively, establish an anomaly judgement threshold from the changes in the Hurst index, and perform traffic anomaly detection directly, detecting network traffic anomalies in real time.
Scheme 5: patent application CN201510513055.7 proposes a network traffic anomaly detection method combining a dynamic baseline with a fixed threshold. Its main steps are: receive messages; record the number of messages; compute the current per-unit-time message count from the difference between the current message count and the historical message count before a preset historical period; and judge, from that per-unit-time count together with the dynamic baseline and the fixed threshold, whether the network traffic is anomalous.
In the course of realising the present invention, the inventors found that the above prior art has at least the following problems:
Although the anomaly detection method of scheme 1 optimises the detection target with the concept of groups, in the concrete detection stage it still uses a relatively simple fixed sliding deviation value as the threshold, which is difficult to adapt to the complexity and variability of abnormal traffic characteristics; the method has a relatively high miss rate and false detection rate.
The anomaly detection method of scheme 2 treats all traffic uniformly and does not take into account the traffic distribution of different periods; it does not differentiate between peak and off-peak periods in its judgement, so it is difficult to satisfy both at once, and it lacks adaptivity. Entropy-based methods also perform poorly on traffic whose distribution changes greatly.
The anomaly detection method of scheme 3 uses data mining ideas for network traffic anomaly detection, but the chosen Bayesian classification algorithm needs the support of prior probabilities, which cannot be learned for unknown anomalies, so the method is inapplicable to them; the Bayesian model assumes that the attributes are mutually independent, which is hard to achieve in practice, so the final performance falls short of the theory; and even in the ideal case the Bayesian model has a certain classification decision error rate.
The anomaly detection method of scheme 4 uses the self-similarity and long-range dependence commonly present in network traffic and performs traffic anomaly detection with the Hurst index. Its threshold judgement is relatively simple and achieves the goal of speed, but at the same time it sacrifices accuracy, making it difficult to apply to a power data network.
The anomaly detection method of scheme 5 combines a dynamic baseline with a fixed threshold, improving adaptivity, but it analyses only the number of messages and ignores much key information, so it is difficult to find deeper anomalies and it cannot meet the reliability requirements of a power data network.
There is therefore an urgent need for a network traffic anomaly detection method that solves the problems of the prior art and reduces the damage that traffic anomalies cause to the network and the decline in network service quality.
Summary of the invention
The embodiments of the present application provide a power network traffic anomaly detection method and device, so as to reduce detection difficulty and detection time and to adapt to newly emerging traffic anomalies.
To achieve these goals, an embodiment of the present invention provides a power network traffic anomaly detection method, which includes:
collecting data traffic packets of the power network, each data traffic packet being composed of the data of multiple fields;
building a k-d tree based on the data traffic packets and performing anomaly detection on the data traffic packets.
In one embodiment, before the k-d tree is built based on the data traffic packets, the method further includes: selecting from each data traffic packet the data of at least one field related to the traffic volume of the packet, as available data;
and building the k-d tree and performing anomaly detection then comprises: building the k-d tree based on the data traffic packets, including at least the available data, and performing anomaly detection on the data traffic packets.
In one embodiment, collecting the data traffic packets of the power network comprises: collecting the data traffic packets from a router or switch by means of a probe, and storing the data traffic packets.
In one embodiment, building the k-d tree based on the data traffic packets after the available data has been selected, and performing anomaly detection on the data traffic packets, comprises:
taking each data traffic packet as an object, building the k-d tree and calculating the local outlier factor of each object;
comparing the local outlier factor of each object with a preset value to detect whether the data traffic packet corresponding to that object is anomalous.
In one embodiment, calculating the local outlier factor of each object comprises:
calculating the k-distance of each object;
calculating the corresponding k-distance neighbourhood from the k-distance of each object;
calculating the reachability distance between each object and the objects in its k-distance neighbourhood;
calculating the corresponding local reachability density from the reachability distances between each object and the objects in its k-distance neighbourhood;
calculating the corresponding local outlier factor from the local reachability density of each object.
In one embodiment, for an object p, the k-distance neighbourhood of p is the set of objects whose distance from p is not greater than the k-distance of p; the k-distance neighbourhood $N_{k\text{-}dis}(p)$ of p is:
$$N_{k\text{-}dis}(p) = \{\, q \mid d(p, q) \le k\text{-}dis(p) \,\}$$
where q is an object whose distance from p is not greater than the k-distance of p, d(p, q) is the distance between objects p and q, and k-dis(p) is the k-distance of object p.
In one embodiment, the reachability distance $r\text{-}dis_k(p, o)$ of object p with respect to an object o in its neighbourhood is:
$$r\text{-}dis_k(p, o) = \max\{\, k\text{-}dis(o),\ d(p, o) \,\}$$
where k-dis(o) is the k-distance of object o and d(p, o) is the distance between objects p and o.
In one embodiment, the local reachability density $lrd_{k\text{-}dis}(p)$ of object p is the reciprocal of the average reachability distance between p and the objects in its k-distance neighbourhood.
In one embodiment, the local outlier factor lof(p) of object p is given by formula (4) in the detailed description below.
To achieve these goals, an embodiment of the present invention further provides a power network traffic anomaly detection device, which includes:
a traffic packet collection unit for collecting data traffic packets of the power network, each data traffic packet being composed of the data of multiple fields;
an anomaly detection unit for building a k-d tree based on the data traffic packets and performing anomaly detection on the data traffic packets.
In one embodiment, the device further includes a field selection unit for selecting from each data traffic packet the data of at least one field related to the traffic volume of the packet, as available data;
the anomaly detection unit is then specifically for building the k-d tree based on the data traffic packets, including at least the available data, and performing anomaly detection on the data traffic packets.
In one embodiment, the traffic packet collection unit is specifically for collecting the data traffic packets from a router or switch by means of a probe, and storing the data traffic packets.
In one embodiment, the anomaly detection unit includes:
a local outlier factor calculation module for taking each data traffic packet as an object, building the k-d tree and calculating the local outlier factor of each object;
an anomaly detection module for comparing the local outlier factor of each object with a preset value to detect whether the data traffic packet corresponding to that object is anomalous.
In one embodiment, the local outlier factor calculation module includes:
a k-distance calculation submodule for calculating the k-distance of each object;
a k-distance neighbourhood submodule for calculating the corresponding k-distance neighbourhood from the k-distance of each object;
a reachability distance calculation submodule for calculating the reachability distance between each object and the objects in its k-distance neighbourhood;
a local reachability density calculation submodule for calculating the corresponding local reachability density from the reachability distances between each object and the objects in its k-distance neighbourhood;
a local outlier factor calculation submodule for calculating the corresponding local outlier factor from the local reachability density of each object.
The present invention does not need to classify the power network traffic specifically during detection, which reduces detection difficulty, and it adapts well to various newly emerging anomalies; after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost is substantially reduced.
Brief description of the drawings
In order to explain the embodiments of the present application or the technical schemes of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the power network traffic anomaly detection method of an embodiment of the present application;
Fig. 2 is an architecture diagram of the power network traffic anomaly detection method of an embodiment of the present invention;
Fig. 3 is a flow chart of performing anomaly detection on data traffic packets in an embodiment of the present invention;
Fig. 4 is a flow chart of calculating the local outlier factor of each object in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the detection results of one embodiment of the present invention;
Fig. 6 is a schematic diagram of the detection results of another embodiment of the present invention;
Fig. 7 is a schematic diagram of the detection results of a further embodiment of the present invention;
Fig. 8 is a comparison of the time taken by the present invention for different values of k;
Fig. 9a is a structural block diagram of the power network traffic anomaly detection device of one embodiment of the present invention;
Fig. 9b is a structural block diagram of the power network traffic anomaly detection device of another embodiment of the present invention;
Fig. 10 is a structural block diagram of the anomaly detection unit of an embodiment of the present invention;
Fig. 11 is a structural block diagram of the local outlier factor calculation module of an embodiment of the present invention.
Detailed description of the embodiments
The technical schemes in the embodiments of the present application are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the embodiments described are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the scope of protection of the present application.
Fig. 1 shows the power network traffic anomaly detection method of an embodiment of the present invention. As shown in Fig. 1, the method includes:
S101: collecting data traffic packets of the power network, each data traffic packet being composed of the data of multiple fields;
S102: building a k-d tree based on the data traffic packets and performing anomaly detection on the data traffic packets.
The method may be executed by a server. As the flow of Fig. 1 shows, the present invention first collects the data traffic packets of the power network, builds a k-d tree from the collected packets, performs anomaly detection on the packets and so detects the anomalous ones. The method does not need to classify the power network traffic specifically, which reduces detection difficulty, and it adapts well to various newly emerging anomalies; after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost is substantially reduced.
Fig. 2 is an architecture diagram of the power network traffic anomaly detection method of an embodiment of the present invention. As shown in Fig. 2, when the data traffic packets of the power network are collected, they can be collected by probes from routers or switches (there may be several routers and several switches) and sent to a database (which may be located on the server) for storage.
In one embodiment, after the data traffic packets of the power network have been collected, they may be preprocessed as follows: the data of at least one field related to the traffic volume of the packet is selected from each packet as available data. For example, if a data traffic packet includes a fields whose data is related to its traffic volume, the data of b of those fields may be selected, with 1 ≤ b ≤ a.
After the available data has been obtained by preprocessing, the k-d tree can be built based on the data traffic packets, including at least this available data, and anomaly detection performed on the packets. Preprocessing the data traffic packets reduces the complexity of building the k-d tree and improves detection efficiency.
Based on the data traffic packets collected in S101 of Fig. 1, or on the data traffic packets including at least this available data, the k-d tree can be built and anomaly detection performed on the packets.
In one embodiment, as shown in Fig. 3, performing anomaly detection on the data traffic packets comprises:
S301: taking each data traffic packet as an object, building the k-d tree and calculating the local outlier factor of each object;
S302: comparing the local outlier factor of each object with a preset value to detect whether the data traffic packet corresponding to that object is anomalous. The preset value can be set according to the concrete detection conditions.
As can be seen from Fig. 3, the anomaly detection performed on the data traffic packets in this embodiment can be called local outlier factor (lof) detection, as also shown in Fig. 2.
In one embodiment, as shown in Fig. 4, calculating the local outlier factor of each object comprises:
S401: calculating the k-distance of each object.
A k-d tree is a data structure that partitions a k-dimensional data space; here k also denotes the k-th nearest neighbour. The k-d tree can quickly find the k-th nearest point, which makes the next step, calculating the k-distance, convenient; and because the k nearest points are recorded during the calculation, the k-distance neighbourhood needed later can easily be derived from them.
A k-d tree is essentially a binary tree in which each node represents a region of the space; in the present invention a node represents one data traffic packet of the power data network. Building the k-d tree is a recursive process of step-by-step partitioning. A node is a split point (split_point) that can be split into a left son (left_son) and a right son (right_son): the split point is the parent node of the binary tree, and the left and right sons are its left and right child nodes. The partitioning method (split_method) of the split point is the decisive attribute in building the k-d tree.
The splitting process of the k-d tree is as follows: first calculate the variance of each dimension (i.e. field) and find the dimension a with the largest variance; sort the nodes in ascending order on dimension a and take the median point as split_point; recursing the above steps on all points smaller than the median gives left_son, and recursing on all points larger than the median gives right_son. In this embodiment the variance is taken as the criterion because a large variance shows that the data are relatively spread out along that coordinate axis, so partitioning in that direction gives better discrimination.
When calculating the k-distance, the embodiment of the present invention abstracts a data traffic packet as an object p. For any natural number k, the k-distance k-dis(p) of object p is defined as the distance between p and some object o, where o must satisfy:
at least k objects o' ∈ D \ {p} (D is the set that includes p, and D \ {p} denotes D without p) satisfy d(p, o') ≤ d(p, o), and at most k-1 objects q ∈ D \ {p} satisfy d(p, q) < d(p, o), where d(p, q) is the distance between objects p and q.
From the built k-d tree the nearest neighbours of an object can easily be queried. When querying the k-th nearest neighbour, an array holding the first k-1 smallest distances can be used to record whether a node can update the k-th smallest distance; once the k-th nearest neighbour has been found, the query yields the k-distance.
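The k-d tree construction and the k-th-nearest-neighbour query described in step S401 above, as an added example written for this page (it is not code from the patent). The function names, the Node class and the two-dimensional sample points are this example's own; each point stands for one data traffic packet, with one coordinate per field of available data.

```python
"""k-d tree build (largest-variance split, median split point) and k-nearest query.

Added example, not code from the patent; names and sample points are constructed here.
"""
import math
import statistics
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, ...]


class Node:
    """One tree node: the split point, the dimension it splits on, and its two sons."""

    def __init__(self, point: Point, dim: int,
                 left: "Optional[Node]", right: "Optional[Node]") -> None:
        self.point = point
        self.dim = dim
        self.left = left    # points before the split point in sorted order on `dim`
        self.right = right  # points after the split point in sorted order on `dim`


def build_kdtree(points: Sequence[Point]) -> Optional[Node]:
    """Recursive split: pick the dimension of largest variance, sort on it,
    take the median as split_point and recurse on the two halves."""
    if not points:
        return None
    n_dims = len(points[0])
    variances = [statistics.pvariance([p[d] for p in points]) for d in range(n_dims)]
    dim = max(range(n_dims), key=lambda d: variances[d])
    ordered = sorted(points, key=lambda p: p[dim])
    mid = len(ordered) // 2
    return Node(ordered[mid], dim,
                build_kdtree(ordered[:mid]),
                build_kdtree(ordered[mid + 1:]))


def euclid(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def k_nearest(root: Optional[Node], query: Point, k: int) -> List[Tuple[float, Point]]:
    """The k nearest neighbours of `query` as (distance, point) pairs, nearest first.
    A point with the same coordinates as the query is taken to be the query itself
    and is skipped. `best` is the array of the k smallest distances found so far; the
    far side of a split plane is searched only if it could still improve the k-th one."""
    best: List[Tuple[float, Point]] = []

    def visit(node: Optional[Node]) -> None:
        if node is None:
            return
        if node.point != query:
            d = euclid(query, node.point)
            if len(best) < k:
                best.append((d, node.point))
                best.sort()
            elif d < best[-1][0]:
                best[-1] = (d, node.point)
                best.sort()
        diff = query[node.dim] - node.point[node.dim]
        near, far = (node.left, node.right) if diff < 0 else (node.right, node.left)
        visit(near)
        if len(best) < k or abs(diff) < best[-1][0]:
            visit(far)

    visit(root)
    return best


def k_distance(root: Optional[Node], query: Point, k: int) -> float:
    """k-dis(query): the distance to the k-th nearest neighbour."""
    return k_nearest(root, query, k)[-1][0]


# constructed sample: five points close together and one far away, in two dimensions
SAMPLE_POINTS: List[Point] = [(1, 1), (2, 2), (3, 3), (10, 10), (1, 2), (2, 1)]

if __name__ == "__main__":
    tree = build_kdtree(SAMPLE_POINTS)
    for k in (2, 3):
        print(k, k_distance(tree, (1, 1), k), k_nearest(tree, (1, 1), k))
```

On the sample, `k_distance(tree, (1, 1), 2)` is 1.0 and `k_distance(tree, (1, 1), 3)` is the square root of 2. The list `best` plays the role of the array of the first k-1 smallest distances mentioned above: a subtree on the far side of a split plane is only searched when the plane is closer than the current k-th distance, which is where the saving over exhaustive traversal comes from, and also why the query cost varies with the sample distribution.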
S402: calculating the corresponding k-distance neighbourhood from the k-distance of each object.
In one embodiment, for an object p (which may correspond to any collected data traffic packet), the k-distance neighbourhood of p is the set of objects whose distance from p is not greater than the k-distance of p; the k-distance neighbourhood $N_{k\text{-}dis}(p)$ of p is:
$$N_{k\text{-}dis}(p) = \{\, q \mid d(p, q) \le k\text{-}dis(p) \,\} \quad (1)$$
where q is an object whose distance from p is not greater than the k-distance of p, and k-dis(p) is the k-distance of object p.
S403: calculating the reachability distance between each object and the objects in its k-distance neighbourhood.
In one embodiment, for a given natural number k, the reachability distance $r\text{-}dis_k(p, o)$ of object p with respect to an object o in its neighbourhood is:
$$r\text{-}dis_k(p, o) = \max\{\, k\text{-}dis(o),\ d(p, o) \,\} \quad (2)$$
where k-dis(o) is the k-distance of object o and d(p, o) is the distance between objects p and o.
S404: calculating the corresponding local reachability density from the reachability distances between each object and the objects in its k-distance neighbourhood.
In one embodiment, the local reachability density $lrd_{k\text{-}dis}(p)$ of object p is the reciprocal of the average reachability distance between p and the objects in its k-distance neighbourhood, the average being taken over the reachability distances from p to each object in that neighbourhood.
S405: calculating the corresponding local outlier factor from the local reachability density of each object.
In one embodiment, the local outlier factor lof(p) of object p is given by formula (4), in which $lrd_{k\text{-}dis}(o)$ is the local reachability density of object o.
The local outlier factor expresses the degree to which object p is anomalous. A point whose outlier factor is close to 1 has a density consistent with that of the surrounding points and can be judged normal; the larger the local outlier factor, the greater the difference between the density of the point and that of its surroundings, and when it exceeds a certain threshold the point becomes an anomalous point. The threshold can be set according to experience or the application scenario, and the present invention is not limited in this respect.
Using the power network traffic anomaly detection method of the present invention, the power network traffic does not need to be classified specifically during detection, which reduces detection difficulty, and the method adapts well to various newly emerging anomalies; after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost is substantially reduced.
To aid understanding of the present invention, an explanation is given with reference to a specific example.
Taking the detection of consecutive data traffic packets in the data network of a certain power company in March 2016 as an example, the concrete detection steps are as follows:
1) Collect the original data traffic packets through traffic collection equipment (such as probes) deployed in bypass mode on the nodes of the power data network, obtaining data with 25 fields in total;
2) Preprocess the collected data traffic packets to obtain available data with 4 fields in total, as shown in table 1 below:
Table 1: fields finally obtained
| packetsin | packetsout | bytesin | bytesout |
In table 1, packetsin is the number of downloaded packets, packetsout the number of uploaded packets, bytesin the number of downloaded bytes and bytesout the number of uploaded bytes.
The data of the 4 fields of table 1 are the fields related to the traffic volume of the data traffic packet, called available data. The present invention can select the available data of at least one of these four fields to build the k-d tree; in this embodiment the explanation uses the available data of all 4 fields to build the k-d tree.
3) Take each data traffic packet (including the available data of the 4 fields) as an object and build the k-d tree;
4) Calculate the k-distance and the k-distance neighbourhood of each object;
5) Calculate the reachability distance between each object and the objects in its k-distance neighbourhood;
6) Calculate the local reachability density and the local outlier factor of each object;
7) Establish a threshold from the calculation results and compare each local outlier factor with it; if the calculated value is greater than the threshold, the data traffic packet corresponding to that local outlier factor is judged anomalous.
It should be noted that step 2) is optional: in a concrete implementation of the present invention this step can be omitted and step 3) carried out directly, taking each collected data traffic packet as an object and building the k-d tree.
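Steps S402 to S405 above and steps 3) to 7) of this procedure, carried through on the four fields of table 1, as an added example written for this page (it is not the patent's code). Neighbours are found with a plain sorted scan over all records instead of the k-d tree, which changes the running time but not the lof values; the ten records, the choice k = 5 and the threshold 3.0 are constructed for the example.

```python
"""Local outlier factor over packetsin, packetsout, bytesin, bytesout records.

Added example, not code from the patent. Neighbour lookup is a sorted scan here; the
patent uses a k-d tree for it. Records, k and threshold are constructed values.
"""
import math
from typing import Dict, List, Sequence, Tuple

# one record per data traffic packet: packetsin, packetsout, bytesin, bytesout
Record = Tuple[float, float, float, float]

# constructed sample: nine similar packets plus one whose upload volume is far larger
SAMPLE_RECORDS: List[Record] = [
    (120, 110, 9000, 8800),
    (118, 112, 9100, 8700),
    (125, 115, 9300, 9000),
    (122, 108, 8900, 8600),
    (119, 111, 9050, 8750),
    (121, 113, 9150, 8900),
    (117, 109, 8950, 8650),
    (124, 114, 9250, 8950),
    (120, 112, 9080, 8800),
    (123, 540, 9100, 61000),  # record 9: uploads far more packets and bytes than its peers
]


def dist(a: Record, b: Record) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def k_distance_and_neighbourhood(data: Sequence[Record], i: int, k: int) -> Tuple[float, List[int]]:
    """k-dis(i) and N_{k-dis}(i) of formula (1): the k-th smallest distance from record i
    to another record, and every other record no farther away than that."""
    dists = sorted((dist(data[i], data[j]), j) for j in range(len(data)) if j != i)
    k_dis = dists[k - 1][0]
    return k_dis, [j for d, j in dists if d <= k_dis]


def lof_scores(data: Sequence[Record], k: int) -> Dict[int, float]:
    """Steps S402-S405 for every record; returns {record index: lof}."""
    n = len(data)
    k_dis: Dict[int, float] = {}
    neigh: Dict[int, List[int]] = {}
    for i in range(n):
        k_dis[i], neigh[i] = k_distance_and_neighbourhood(data, i, k)

    def reach(p: int, o: int) -> float:
        # formula (2): r-dis_k(p, o) = max{k-dis(o), d(p, o)}
        return max(k_dis[o], dist(data[p], data[o]))

    # local reachability density: reciprocal of the mean reachability distance to the neighbourhood
    lrd: Dict[int, float] = {}
    for p in range(n):
        mean_reach = sum(reach(p, o) for o in neigh[p]) / len(neigh[p])
        # mean_reach is 0 only when k+1 records are identical; treat that as infinite density
        lrd[p] = math.inf if mean_reach == 0 else 1.0 / mean_reach

    # local outlier factor: mean density of the neighbours relative to p's own density
    lof: Dict[int, float] = {}
    for p in range(n):
        if lrd[p] == math.inf:
            lof[p] = 1.0  # identical records are exactly as dense as their surroundings
        else:
            lof[p] = sum(lrd[o] for o in neigh[p]) / len(neigh[p]) / lrd[p]
    return lof


def detect(data: Sequence[Record], k: int, threshold: float) -> List[int]:
    """Step 7): indices of the records whose lof exceeds the threshold."""
    return sorted(i for i, s in lof_scores(data, k).items() if s > threshold)


if __name__ == "__main__":
    for i, s in lof_scores(SAMPLE_RECORDS, 5).items():
        print(i, SAMPLE_RECORDS[i], round(s, 2))
    print("anomalous:", detect(SAMPLE_RECORDS, 5, 3.0))
```

Run directly, the block prints each record's lof and reports record 9 (the one with the outsized upload volume) as anomalous; the other nine score close to 1. Because the Euclidean distance is taken over raw field values, the byte counts dominate the packet counts; the patent text does not specify any scaling of the fields, so none is applied here, and a practitioner would want to settle that question before fixing the threshold.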
Example 1
400 consecutive data traffic packets were selected at random; the detection results are shown in Fig. 5, where packets with a lof value greater than 3.2 are anomalous traffic packets.
Example 2
3000 consecutive data traffic packets were selected at random; the detection results are shown in Fig. 6, where packets with a lof value greater than 2.7 are anomalous traffic packets.
Example 3
10000 consecutive data traffic packets were selected at random; the detection results are shown in Fig. 7, where packets with a lof value greater than 2.5 are anomalous traffic packets.
The present invention is compared with the prior art as follows:
When the k-distance is calculated with the existing exhaustive traversal method, all objects must be traversed to find the nearest neighbours, so the time complexity of calculating the lof value of a single object is at least O(n). The present invention optimises this with the k-d tree data structure. Because a binary tree has been built, a query may find its result directly from the first-choice child node or may need to query each subtree repeatedly; since the distribution of the concrete samples is unknown at query time there is some uncertainty, but the time complexity can be reduced, and even when efficiency is at its worst the time cost is still reduced, which suits a power data network with high timeliness requirements. This uncertainty concerns only the time consumed and has no effect on the reliability of the power data network.
In the experiment, k was set to 5, 10, 15 and 20 in turn and the same samples were analysed; the resulting time comparison is shown in Fig. 8.
It is based on and above-mentioned electric power networks Traffic anomaly detection method identical inventive concept, the application provides a kind of power network
Network Traffic anomaly detection, as described in example below.Principle due to this electric power networks Traffic anomaly detection device solve problem
Similar to electric power networks Traffic anomaly detection method, the enforcement of therefore this electric power networks Traffic anomaly detection device may refer to electricity
The enforcement of power network flow abnormal detecting method, repeats no more in place of repetition.
Fig. 9 a additionally provides a kind of electric power networks Traffic anomaly detection device, this electric power networks flow for the embodiment of the present invention
Abnormal detector includes: flow bag collecting unit 901 and abnormality detecting unit 903.
Flow bag collecting unit 901 is used for gathering the data traffic bag of electric power networks, and described data traffic bag is by multiple words
The data composition of section;
Abnormality detecting unit 903 is used for setting up k-d tree based on described data traffic bag, carries out abnormal inspection to data traffic bag
Survey.
In one embodiment, the traffic packet collecting unit 901 specifically collects the data traffic packets from a router or switch through a probe and stores the data traffic packets.
In one embodiment, as shown in Fig. 9b, the power network traffic anomaly detection device further includes a field selecting unit 902, which selects from each data traffic packet the data of at least one field related to the traffic volume of the packet as the available data. The anomaly detecting unit 903 can then build the k-d tree from data traffic packets that include at least this available data and perform anomaly detection on the data traffic packets.
In one embodiment, as shown in Fig. 10, the anomaly detecting unit 903 includes:
a local outlier factor computing module 1001, which treats each data traffic packet as an object, builds the k-d tree, and computes the local outlier factor of each object; and
an anomaly detection module 1002, which compares the local outlier factor of each object with a preset value to detect whether the data traffic packet corresponding to that object is abnormal.
In one embodiment, as shown in Fig. 11, the local outlier factor computing module 1001 includes: a k-distance calculating submodule 1101, a k-distance neighborhood submodule 1102, a reach distance calculating submodule 1103, a local reachability density calculating submodule 1104 and a local outlier factor calculating submodule 1105.
The k-distance calculating submodule 1101 computes the k-distance of each object.
A k-d tree is a data structure that partitions a k-dimensional data space; here k refers to the k-th nearest neighbor. The k-d tree can quickly find the k-th nearest point, which makes the next step, computing the k-distance, convenient; and because the k nearest points are recorded during that computation, the k-distance neighborhood required later can also be obtained easily.
A k-d tree is essentially a binary tree in which each node represents a region of the space; in the present invention each node represents one data traffic packet of the power data network. Building the k-d tree is a recursive process of splitting step by step. A node is a split point (split_point) that can be split into a left son (left_son) and a right son (right_son): the split point is the parent node of the binary tree, and the left son and right son are its left and right child nodes. The splitting method (split-method) of the split point is the key attribute in building the k-d tree.
The splitting process of the k-d tree is as follows: first compute the variance of each dimension (i.e. each field) and find the dimension a with the largest variance; sort the nodes in ascending order by dimension a and take the median point as split_point; recursing with the above steps on all points smaller than the median yields left_son, and recursing on all nodes larger than the median yields right_son. In this embodiment the variance is used as the splitting criterion because a large variance means the data are spread widely along that coordinate axis, so splitting the data in that direction gives better resolution.
When computing the k-distance, the embodiment of the present invention abstracts each data traffic packet as an object p. For any natural number k, the k-distance k-dis(p) of object p is defined as the distance between object p and some object o, where o must satisfy:
there are at least k objects o' ∈ D \ {p} (D is the set that includes p) such that the distance d(p, o') from object p to object o' and the distance d(p, o) from object p to object o satisfy d(p, o') ≤ d(p, o); and there are at most k-1 objects q ∈ D \ {p} (D \ {p} denotes the set D without p) such that d(p, q) < d(p, o), where d(p, q) is the distance between object p and object q.
Using the built k-d tree, the nearest neighbors of an object can be queried easily. While querying for the k-th nearest neighbor, an array holding the first k-1 shortest distances records whether a node can be used to update the k-th shortest distance; once the k-th nearest neighbor is obtained, the query yields the k-distance.
The k-distance neighborhood submodule 1102 computes the corresponding k-distance neighborhood from the k-distance of each object.
In one embodiment, for an object p (which can correspond to any collected data traffic packet), the k-distance neighborhood of p is the set of objects whose distance from p is within the k-distance of p; the k-distance neighborhood N_{k-dis}(p) of object p is as shown in formula (1).
The reach distance calculating submodule 1103 computes the reach distance between each object and the objects in its k-distance neighborhood.
In one embodiment, given a natural number k, the reach distance r-dis_k(p, o) of object p with respect to an object o in its neighborhood is as shown in formula (2).
The local reachability density calculating submodule 1104 computes the corresponding local reachability density from the reach distances between each object and the objects in its k-distance neighborhood.
In one embodiment, the local reachability density lrd_{k-dis}(p) of object p is the inverse of the average reach distance between object p and its k-distance neighborhood, as shown in formula (3).
The local outlier factor calculating submodule 1105 computes the corresponding local outlier factor from the local reachability density of each object.
In one embodiment, the local outlier factor lof(p) of object p is as shown in formula (4).
With the power network traffic anomaly detection device of the present invention, the power network traffic does not need to be concretely classified during detection, which reduces the difficulty of detection and gives good adaptability to various emerging anomalies; after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost drops substantially.
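The k-d tree construction (max-variance split at the median) and the k-distance, k-distance neighborhood, reach distance, local reachability density and local outlier factor steps of submodules 1101 to 1105, worked through on constructed packet feature vectors. This is an added example, not code from the patent: it assumes Euclidean distance, assumes formulas (3) and (4), which the text does not reproduce, are the standard LOF definitions, and the packet values and the preset value 1.5 are constructed.

```python
"""LOF anomaly scoring over a k-d tree built from packet feature vectors.
Added example; not code from the patent. Distance is assumed Euclidean and
formulas (3)/(4), not reproduced on the page, are assumed to be the standard
LOF definitions (lrd = 1 / mean reach distance, lof = mean ratio of lrd)."""
import math
from statistics import pvariance

def build_kdtree(idx, pts):
    """Split on the max-variance field at the median point (split_point)."""
    if not idx:
        return None
    a = max(range(len(pts[0])), key=lambda d: pvariance([pts[i][d] for i in idx]))
    idx = sorted(idx, key=lambda i: pts[i][a])
    m = len(idx) // 2
    return {"point": idx[m], "axis": a,
            "left": build_kdtree(idx[:m], pts),        # points below the median
            "right": build_kdtree(idx[m + 1:], pts)}   # points above the median

def dist(u, v):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))

def kdist_neighborhood(tree, pts, p, k):
    """Return N_{k-dis}(p): every (d, q) with q != p and d(p, q) <= k-dis(p).
    An array of the k shortest distances found so far prunes the search;
    ties at the k-th distance are kept, so the neighborhood may exceed k."""
    best = []
    def search(node):
        if node is None:
            return
        i, a = node["point"], node["axis"]
        if i != p:
            d = dist(pts[p], pts[i])
            if len(best) < k or d <= best[k - 1][0]:
                best.append((d, i))
                best.sort()
                while len(best) > k and best[-1][0] > best[k - 1][0]:
                    best.pop()
        diff = pts[p][a] - pts[i][a]
        near, far = (node["left"], node["right"]) if diff <= 0 else (node["right"], node["left"])
        search(near)
        if len(best) < k or abs(diff) <= best[k - 1][0]:  # far side may still hold neighbors
            search(far)
    search(tree)
    return best

def lof_scores(pts, k):
    """Local outlier factor of every object, following submodules 1101-1105."""
    tree = build_kdtree(list(range(len(pts))), pts)
    nbrs = [kdist_neighborhood(tree, pts, p, k) for p in range(len(pts))]
    kdis = [n[k - 1][0] for n in nbrs]                        # k-dis(p)
    reach = lambda p, o: max(kdis[o], dist(pts[p], pts[o]))   # r-dis_k(p, o)
    lrd = [len(n) / sum(reach(p, o) for _, o in n) for p, n in enumerate(nbrs)]
    return [sum(lrd[o] for _, o in n) / (len(n) * lrd[p]) for p, n in enumerate(nbrs)]

def detect(pts, k, preset=1.5):
    """Indices whose LOF exceeds the preset value (anomaly detection module 1002)."""
    return [i for i, s in enumerate(lof_scores(pts, k)) if s > preset]

# Constructed sample: (packet length in bytes, inter-arrival ms, payload bytes).
# Eight routine packets plus one oversized packet at index 8.
PACKETS = [(100 + i, 10, 60) for i in range(8)] + [(1400, 10, 60)]

if __name__ == "__main__":
    for i, s in enumerate(lof_scores(PACKETS, 3)):
        print(i, PACKETS[i], round(s, 3))
    print("anomalous packets:", detect(PACKETS, 3))
```

Identical packets give a k-distance of zero and a zero reach-distance sum, so deduplicate or add a small epsilon before scoring real captures.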
Those skilled in the art will appreciate that the embodiments of the application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operation steps is executed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Specific embodiments have been used in this application to set forth its principles and implementations; the description of the above embodiments is intended only to help in understanding the method of the application and its core idea. At the same time, those of ordinary skill in the art will, following the idea of the application, make changes in the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the application.
Claims (14)
1. A power network traffic anomaly detection method, characterized by including:
collecting data traffic packets of the power network, each data traffic packet consisting of the data of multiple fields;
building a k-d tree from the data traffic packets and performing anomaly detection on the data traffic packets.
2. The power network traffic anomaly detection method according to claim 1, characterized in that, before the k-d tree is built from the data traffic packets, the method further includes: selecting from the data traffic packets the data of at least one field related to the traffic volume of the data traffic packets as available data;
and building the k-d tree from the data traffic packets and performing anomaly detection on the data traffic packets includes: building the k-d tree from data traffic packets that include at least the available data, and performing anomaly detection on the data traffic packets.
3. The power network traffic anomaly detection method according to claim 1, characterized in that collecting data traffic packets of the power network includes: collecting the data traffic packets from a router or switch through a probe, and storing the data traffic packets.
4. The power network traffic anomaly detection method according to claim 1 or 2, characterized in that building a k-d tree from the data traffic packets and performing anomaly detection on the data traffic packets includes:
treating each data traffic packet as an object, building the k-d tree, and computing the local outlier factor of each object;
comparing the local outlier factor of each object with a preset value to detect whether the data traffic packet corresponding to that object is abnormal.
5. The power network traffic anomaly detection method according to claim 4, characterized in that computing the local outlier factor of each object includes:
computing the k-distance of each object;
computing the corresponding k-distance neighborhood from the k-distance of each object;
computing the reach distance between each object and the objects in its k-distance neighborhood;
computing the corresponding local reachability density from the reach distances between each object and the objects in its k-distance neighborhood;
computing the corresponding local outlier factor from the local reachability density of each object.
6. The power network traffic anomaly detection method according to claim 5, characterized in that, for an object p, the k-distance neighborhood of object p is the set of objects whose distance from object p is less than the k-distance of that object; the k-distance neighborhood N_{k-dis}(p) of object p is:
$N_{k\text{-}dis}(p) = \{\, q \mid d(p, q) \le k\text{-}dis(p) \,\}$
where q is an object whose distance from object p is less than the k-distance of that object, d(p, q) is the distance between object p and object q, and k-dis(p) is the k-distance of object p.
7. The power network traffic anomaly detection method according to claim 6, characterized in that the reach distance r-dis_k(p, o) of object p with respect to an object o in its k-distance neighborhood is:
$r\text{-}dis_k(p, o) = \max\{\, k\text{-}dis(o),\ d(p, o) \,\}$
where k-dis(o) is the k-distance of object o, and d(p, o) is the distance between object p and object o.
8. The power network traffic anomaly detection method according to claim 7, characterized in that the local reachability density lrd_{k-dis}(p) of object p is the inverse of the average reach distance between object p and its k-distance neighborhood:
9. The power network traffic anomaly detection method according to claim 8, characterized in that the local outlier factor lof(p) of object p is:
10. A power network traffic anomaly detection device, characterized by including:
a traffic packet collecting unit for collecting data traffic packets of the power network, each data traffic packet consisting of the data of multiple fields;
an anomaly detecting unit for building a k-d tree from the data traffic packets and performing anomaly detection on the data traffic packets.
11. The power network traffic anomaly detection device according to claim 10, characterized by further including: a field selecting unit for selecting from the data traffic packets the data of at least one field related to the traffic volume of the data traffic packets as available data;
and the anomaly detecting unit is specifically for: building the k-d tree from data traffic packets that include at least the available data, and performing anomaly detection on the data traffic packets.
12. The power network traffic anomaly detection device according to claim 10, characterized in that the traffic packet collecting unit is specifically for: collecting the data traffic packets from a router or switch through a probe, and storing the data traffic packets.
13. The power network traffic anomaly detection device according to claim 10, characterized in that the anomaly detecting unit includes:
a local outlier factor computing module for treating each data traffic packet as an object, building the k-d tree, and computing the local outlier factor of each object;
an anomaly detection module for comparing the local outlier factor of each object with a preset value to detect whether the data traffic packet corresponding to that object is abnormal.
14. The power network traffic anomaly detection device according to claim 13, characterized in that the local outlier factor computing module includes:
a k-distance calculating submodule for computing the k-distance of each object;
a k-distance neighborhood submodule for computing the corresponding k-distance neighborhood from the k-distance of each object;
a reach distance calculating submodule for computing the reach distance between each object and the objects in its k-distance neighborhood;
a local reachability density calculating submodule for computing the corresponding local reachability density from the reach distances between each object and the objects in its k-distance neighborhood;
a local outlier factor calculating submodule for computing the corresponding local outlier factor from the local reachability density of each object.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610874427.3A CN106375156A (en) | 2016-09-30 | 2016-09-30 | Power network traffic anomaly detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106375156A true CN106375156A (en) | 2017-02-01 |
Family
ID=57894731
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610874427.3A Pending CN106375156A (en) | 2016-09-30 | 2016-09-30 | Power network traffic anomaly detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106375156A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107257351A (en) * | 2017-07-28 | 2017-10-17 | 广东电网有限责任公司云浮供电局 | One kind is based on grey LOF Traffic anomaly detections system and its detection method |
CN107454097A (en) * | 2017-08-24 | 2017-12-08 | 深圳中兴网信科技有限公司 | The detection method of abnormal access, system, computer equipment, readable storage medium storing program for executing |
CN109660517A (en) * | 2018-11-19 | 2019-04-19 | 北京天融信网络安全技术有限公司 | Anomaly detection method, device and equipment |
CN110098983A (en) * | 2019-05-28 | 2019-08-06 | 上海优扬新媒信息技术有限公司 | A kind of detection method and device of abnormal flow |
CN113806204A (en) * | 2020-06-11 | 2021-12-17 | 北京威努特技术有限公司 | Method, device, system and storage medium for evaluating message field correlation |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101556601A (en) * | 2009-03-12 | 2009-10-14 | 华为技术有限公司 | Method and device for searching k neighbor |
Non-Patent Citations (1)
Title |
---|
应斐昊, 邢宁哲, 纪雨彤, 李文璟: "LOF-based service traffic anomaly detection for power data networks", in: Program and Proceedings of the 2016 National Communication Software Academic Conference * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170201 |