CN106375156A - Power network traffic anomaly detection method and device - Google Patents

Info

Publication number: CN106375156A
Authority: CN (China)
Prior art keywords: bag; data traffic; electric power; distance; power networks
Legal status: Pending
Application number: CN201610874427.3A
Other languages: Chinese (zh)
Inventors: 邢宁哲, 纪雨彤, 赵庆凯, 张宁池, 刘识, 王宇, 段寒硕, 闫中平, 马跃, 彭柏, 聂正璞, 李信, 申昉, 叶青, 田宇, 常海娇, 徐鑫
Current assignee: State Grid Corp of China SGCC; State Grid Beijing Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; State Grid Beijing Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Application filed by: State Grid Corp of China SGCC, State Grid Beijing Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Priority to: CN201610874427.3A
Publication of: CN106375156A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/12 Network monitoring probes
    • H04L43/50 Testing arrangements
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows


Abstract

The invention provides a power network traffic anomaly detection method and device. The method comprises the steps of collecting data traffic packets of a power network, each data traffic packet being composed of data in multiple fields, and establishing a k-d tree based on the data traffic packets and carrying out anomaly detection on them. With the method and device, power network traffic does not need to be specifically classified before detection, so the detection difficulty is reduced; the method and device adapt well to newly occurring anomalies; and after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost is clearly lower.

Description

Power network traffic anomaly detection method and device
Technical field
The present application relates to anomaly detection technology for service traffic in electric power data networks, and in particular to a power network traffic anomaly detection method and device.
Background technology
With the construction of the smart grid, electric power data networks and the service systems they carry have developed rapidly, and large volumes of network traffic are produced every day. Some abnormal traffic occurs in this network traffic; mixed in with normal traffic, it causes great damage to the network and can make network service quality decline sharply, which is a very serious problem for an electric power data network with high reliability requirements. Detecting abnormal traffic is therefore an important part of the operation and maintenance of an electric power data network.
Several related traffic anomaly detection schemes are described below.
Scheme 1: the paper "Group traffic anomaly detection based on wavelet decomposition" (Journal of Electronic Measurement and Instrument, 2010, 24(4): 365-370). Addressing the problems of mass data processing in large-scale networks and the relatively low anomaly detection rate, it introduces the group concept into the field of anomaly detection and proposes a three-layer detection method that combines wavelet decomposition with deviation values.
Scheme 2: the paper "Network traffic anomaly detection method based on active entropy" (Journal on Communications, 2013, 34(z2): 51-57) is a network traffic analysis method based on entropy theory. Using the long-range correlation that traffic exhibits across spatial information units, it improves on entropy theory and proposes several methods, such as information entropy, conditional entropy and active entropy, for traffic anomaly detection.
Scheme 3: patent CN201210560973.1 proposes an anomaly detection method based on network traffic analysis. Its main steps are: (1) data preprocessing: obtain the host internet traffic, then preprocess it according to an initial feature set and a preset time window length, extracting the initial feature values of the host traffic within each time interval to form a sample set; (2) feature selection; (3) anomaly detection: classify unknown samples using the selected feature subset and a Bayesian classification algorithm, and raise a prompt if the classification result is abnormal.
Scheme 4: patent CN201010224404.0 proposes a rapid detection method for network traffic anomalies. It judges the occurrence of anomalies using the Hurst index, which describes the fractal characteristics of network traffic. Its main steps are: sample new traffic data, use it to compute the Hurst index iteratively, establish an anomaly judgement threshold from the change in the Hurst index, and detect traffic anomalies directly, in real time.
Scheme 5: patent CN201510513055.7 proposes a network traffic anomaly detection method that combines a dynamic baseline with a fixed threshold. Its main steps are: receive messages; record the number of messages; compute the current per-unit-time message count from the difference between the current message count and the historical message count before a preset historical period; and judge, from this per-unit-time count combined with the dynamic baseline and the fixed threshold, whether the network traffic is abnormal.
In the course of realizing the present invention, the inventors found that the above prior art has at least the following problems:
Although the anomaly detection method of scheme 1 optimizes the detection target with the group concept, in the concrete detection stage it still uses a relatively simple, fixed sliding deviation value as the threshold, which is difficult to adapt to the complexity and variability of abnormal traffic characteristics; the method has a high miss rate and false detection rate.
The anomaly detection method of scheme 2 processes all traffic uniformly without considering the traffic distribution of different periods; peak and off-peak periods are not judged differently, so it is hard to satisfy both at the same time and the method lacks adaptivity. Entropy-based methods also detect poorly when the traffic distribution changes greatly.
The anomaly detection method of scheme 3 applies the idea of data mining to network traffic anomaly detection, but the chosen Bayesian classification algorithm requires prior probabilities, which cannot be learned for unknown anomalies, so the method is inapplicable to them; the Bayesian model assumes the attributes are mutually independent, which is hard to achieve in practice, leading to a gap between the final performance and the theory; and even in the ideal case the Bayesian model has a certain classification decision error rate.
The anomaly detection method of scheme 4 exploits the self-similarity and long-range dependence common to network traffic and detects anomalies with the Hurst index; its threshold judgement is simple, which makes it fast, but accuracy is sacrificed at the same time, so it is hard to apply to electric power data networks.
The anomaly detection method of scheme 5 combines a dynamic baseline with a fixed threshold and improves adaptivity, but it analyzes only the number of messages and ignores much key information, so it is difficult to find deeper anomalies and the method cannot meet the reliability requirements of electric power data networks.
A network traffic anomaly detection method is therefore urgently needed to solve the problems of the prior art and to reduce the damage that abnormal traffic causes to the network and the decline in network service quality.
Summary of the invention
The embodiments of the present application provide a power network traffic anomaly detection method and device, to reduce detection difficulty and detection time and to adapt to newly emerging kinds of traffic anomaly.
To achieve these goals, an embodiment of the present invention provides a power network traffic anomaly detection method comprising:
collecting data traffic packets of the power network, each data traffic packet consisting of data in multiple fields;
building a k-d tree based on the data traffic packets and performing anomaly detection on the data traffic packets.
In one embodiment, before the k-d tree is built, the method further comprises: selecting from each data traffic packet the data of at least one field related to the traffic volume of the packet, as available data;
building the k-d tree and performing anomaly detection then comprises: building the k-d tree based on the data traffic packets including at least the available data, and performing anomaly detection on the data traffic packets.
In one embodiment, collecting the data traffic packets of the power network comprises: collecting the data traffic packets from a router or switch by means of a probe, and storing them.
In one embodiment, building the k-d tree from the data traffic packets after the available data has been selected, and performing anomaly detection, comprises:
taking each data traffic packet as one object, building the k-d tree and computing the local outlier factor of each object;
comparing the local outlier factor of each object with a preset value to detect whether the data traffic packet corresponding to that object is abnormal.
In one embodiment, computing the local outlier factor of each object comprises:
computing the k-distance of each object;
computing the corresponding k-distance neighbourhood from the k-distance of each object;
computing the reachability distance between each object and the objects in its k-distance neighbourhood;
computing the corresponding local reachability density from the reachability distances between each object and the objects in its k-distance neighbourhood;
computing the corresponding local outlier factor from the local reachability density of each object.
In one embodiment, for an object p, the k-distance neighbourhood of p is the set of objects whose distance from p is not greater than the k-distance of p. The k-distance neighbourhood $N_{k\text{-}dis}(p)$ of object p is:
$$N_{k\text{-}dis}(p) = \{\, q \mid d(p,q) \le k\text{-}dis(p) \,\}$$
where q is an object whose distance from p is not greater than the k-distance of p, d(p, q) is the distance between object p and object q, and k-dis(p) is the k-distance of object p.
In one embodiment, the reachability distance $r\text{-}dis_k(p,o)$ of object p with respect to an object o in its neighbourhood is:
$$r\text{-}dis_k(p,o) = \max\{\, k\text{-}dis(o),\; d(p,o) \,\}$$
where k-dis(o) is the k-distance of object o and d(p, o) is the distance between object p and object o.
In one embodiment, the local reachability density $lrd_{k\text{-}dis}(p)$ of object p is the inverse of the average reachability distance between p and its k-distance neighbourhood:
$$lrd_{k\text{-}dis}(p) = \frac{1}{\dfrac{\sum_{o \in N_{k\text{-}dis}(p)} r\text{-}dis_k(p,o)}{|N_{k\text{-}dis}(p)|}}.$$
In one embodiment, the local outlier factor lof(p) of object p is:
$$lof(p) = \frac{\sum_{o \in N_{k\text{-}dis}(p)} \dfrac{lrd_{k\text{-}dis}(o)}{lrd_{k\text{-}dis}(p)}}{|N_{k\text{-}dis}(p)|}.$$
To achieve these goals, an embodiment of the present invention further provides a power network traffic anomaly detection device comprising:
a traffic packet collecting unit, for collecting the data traffic packets of the power network, each data traffic packet consisting of data in multiple fields;
an anomaly detecting unit, for building a k-d tree based on the data traffic packets and performing anomaly detection on the data traffic packets.
In one embodiment, the device further comprises a field selecting unit, for selecting from each data traffic packet the data of at least one field related to the traffic volume of the packet, as available data;
the anomaly detecting unit is then specifically configured to build the k-d tree based on the data traffic packets including at least the available data, and to perform anomaly detection on the data traffic packets.
In one embodiment, the traffic packet collecting unit is specifically configured to collect the data traffic packets from a router or switch by means of a probe, and to store them.
In one embodiment, the anomaly detecting unit comprises:
a local outlier factor computing module, for taking each data traffic packet as one object, building the k-d tree and computing the local outlier factor of each object;
an anomaly detection module, for comparing the local outlier factor of each object with a preset value and detecting whether the data traffic packet corresponding to that object is abnormal.
In one embodiment, the local outlier factor computing module comprises:
a k-distance computing submodule, for computing the k-distance of each object;
a k-distance neighbourhood submodule, for computing the corresponding k-distance neighbourhood from the k-distance of each object;
a reachability distance computing submodule, for computing the reachability distance between each object and the objects in its k-distance neighbourhood;
a local reachability density computing submodule, for computing the corresponding local reachability density from the reachability distances between each object and the objects in its k-distance neighbourhood;
a local outlier factor computing submodule, for computing the corresponding local outlier factor from the local reachability density of each object.
The present invention does not need to classify the power network traffic specifically during detection, which reduces the detection difficulty, and it adapts well to all kinds of newly emerging anomalies; after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost is clearly lower.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present application, or of the prior art, more clearly, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the power network traffic anomaly detection method of an embodiment of the present application;
Fig. 2 is an architecture diagram of the power network traffic anomaly detection method of an embodiment of the present invention;
Fig. 3 is a flow diagram of the method by which an embodiment of the present invention performs anomaly detection on data traffic packets;
Fig. 4 is a flow diagram of the method by which an embodiment of the present invention computes the local outlier factor of each object;
Fig. 5 is a schematic diagram of the detection result of one embodiment of the present invention;
Fig. 6 is a schematic diagram of the detection result of another embodiment of the present invention;
Fig. 7 is a schematic diagram of the detection result of a further embodiment of the present invention;
Fig. 8 is a time comparison diagram of the present invention for different values of k;
Fig. 9a is a structural block diagram of the power network traffic anomaly detection device of one embodiment of the present invention;
Fig. 9b is a structural block diagram of the power network traffic anomaly detection device of another embodiment of the present invention;
Fig. 10 is a structural block diagram of the anomaly detecting unit of an embodiment of the present invention;
Fig. 11 is a structural block diagram of the local outlier factor computing module of an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
Fig. 1 shows the power network traffic anomaly detection method of an embodiment of the present invention. As shown in Fig. 1, the method comprises:
S101: collecting data traffic packets of the power network, each data traffic packet consisting of data in multiple fields;
S102: building a k-d tree based on the data traffic packets and performing anomaly detection on the data traffic packets.
The method can be executed by a server. As the flow in Fig. 1 shows, the present invention first collects the data traffic packets of the power network, builds a k-d tree based on the collected packets, performs anomaly detection on the packets and thereby detects abnormal data traffic packets. The method does not need to classify the power network traffic specifically, which reduces the detection difficulty, and it adapts well to all kinds of newly emerging anomalies; after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost is clearly lower.
Fig. 2 is an architecture diagram of the power network traffic anomaly detection method of an embodiment of the present invention. As shown in Fig. 2, when the data traffic packets of the power network are collected, a probe can collect them from routers or switches (there can be several of each), and the collected packets are sent to a database (which can be located on the server) for storage.
In one embodiment, after the data traffic packets of the power network have been collected, they can be preprocessed as follows: from each data traffic packet, the data of at least one field related to the traffic volume of the packet is selected as available data. For example, if a data traffic packet contains a fields of data related to its traffic volume, the data of b fields can be selected, with 1 ≤ b ≤ a.
Once the available data has been obtained by preprocessing, the k-d tree can be built based on the data traffic packets including at least this available data, and anomaly detection performed on the packets. Preprocessing the data traffic packets reduces the complexity of building the k-d tree and improves detection efficiency.
Based on the data traffic packets collected in S101 of Fig. 1, or based on the data traffic packets including at least the available data, the k-d tree can be built and anomaly detection performed on the packets.
In one embodiment, as shown in Fig. 3, performing anomaly detection on the data traffic packets comprises:
S301: taking each data traffic packet as one object, building the k-d tree and computing the local outlier factor of each object;
S302: comparing the local outlier factor of each object with a preset value and detecting whether the data traffic packet corresponding to that object is abnormal. The preset value can be set according to the concrete detection conditions.
As can be seen from Fig. 3, in this embodiment the anomaly detection performed on the data traffic packets can be called local outlier factor (LOF) detection, as also shown in Fig. 2.
In one embodiment, as shown in Fig. 4, computing the local outlier factor of each object comprises:
S401: computing the k-distance of each object.
A k-d tree is a data structure that partitions a k-dimensional data space; here the k refers to the k-th nearest neighbour. The k-d tree can quickly find the k-th nearest point, which facilitates the next step of computing the k-distance, and because the k nearest points are recorded during this computation, the k-distance neighbourhood required later is obtained easily as well.
A k-d tree is essentially a binary tree in which each node represents a region of the space; in the present invention each node represents one data traffic packet of the electric power data network. Building the k-d tree is a recursive process of partitioning step by step. A node is a split point (split_point) and can be split into a left son (left_son) and a right son (right_son); that is, the split point is the parent node in the binary tree and the left and right sons are its left and right child nodes. The split method (split_method) of the split point is the key attribute in building the k-d tree.
The splitting process of the k-d tree is as follows: first compute the variance of each dimension (i.e. each field) and find the dimension a with the largest variance; sort the nodes in ascending order along dimension a and take the median point as split_point; recursing the above steps on all points smaller than the median yields left_son, and recursing on all nodes larger than the median yields right_son. In this embodiment, variance is taken as the criterion because a large variance shows that the data are widely dispersed along that coordinate axis, so partitioning the data in that direction gives better resolution.
When computing the k-distance, the embodiment of the present invention abstracts a data traffic packet as an object p. For any natural number k, the k-distance k-dis(p) of object p is defined as the distance between object p and some object o, where object o must satisfy:
at least k objects o' ∈ D \ {p} (D is the set containing p) satisfy d(p, o') ≤ d(p, o), where d(p, o') is the distance from p to o' and d(p, o) is the distance from p to o; and at most k-1 objects q ∈ D \ {p} (D \ {p} denotes the set D without p) satisfy d(p, q) < d(p, o), where d(p, q) is the distance between object p and object q.
Using the built k-d tree, the nearest neighbours of an object can be queried easily. When querying for the k-th nearest neighbour, an array holding the first k-1 smallest distances records whether a node can be used to update the k-th nearest distance; once the k-th nearest neighbour is found, the k-distance is obtained from the query.
S402: computing the corresponding k-distance neighbourhood from the k-distance of each object.
In one embodiment, for an object p (which can correspond to any collected data traffic packet), the k-distance neighbourhood of p is the set of objects whose distance from p is not greater than the k-distance of p. The k-distance neighbourhood $N_{k\text{-}dis}(p)$ of object p is:
$$N_{k\text{-}dis}(p) = \{\, q \mid d(p,q) \le k\text{-}dis(p) \,\} \qquad (1)$$
where q is an object whose distance from p is not greater than the k-distance of p, and k-dis(p) is the k-distance of object p.
S403: computing the reachability distance between each object and the objects in its k-distance neighbourhood.
In one embodiment, for a given natural number k, the reachability distance $r\text{-}dis_k(p,o)$ of object p with respect to an object o in its neighbourhood is:
$$r\text{-}dis_k(p,o) = \max\{\, k\text{-}dis(o),\; d(p,o) \,\} \qquad (2)$$
where k-dis(o) is the k-distance of object o and d(p, o) is the distance between object p and object o.
S404: computing the corresponding local reachability density from the reachability distances between each object and the objects in its k-distance neighbourhood.
In one embodiment, the local reachability density $lrd_{k\text{-}dis}(p)$ of object p is the inverse of the average reachability distance between p and its k-distance neighbourhood:
$$lrd_{k\text{-}dis}(p) = \frac{1}{\dfrac{\sum_{o \in N_{k\text{-}dis}(p)} r\text{-}dis_k(p,o)}{|N_{k\text{-}dis}(p)|}} \qquad (3)$$
where the quantity in the denominator is the average reachability distance between object p and its k-distance neighbourhood.
S405: computing the corresponding local outlier factor from the local reachability density of each object.
In one embodiment, the local outlier factor lof(p) of object p is:
$$lof(p) = \frac{\sum_{o \in N_{k\text{-}dis}(p)} \dfrac{lrd_{k\text{-}dis}(o)}{lrd_{k\text{-}dis}(p)}}{|N_{k\text{-}dis}(p)|} \qquad (4)$$
In formula (4), $lrd_{k\text{-}dis}(o)$ is the local reachability density of object o.
The degree of anomaly of object p can be represented by its local outlier factor. A point whose local outlier factor is close to 1 has a density consistent with that of the surrounding points and can be judged normal; the larger the local outlier factor, the larger the density difference between the point and its surroundings, and once a certain threshold is exceeded the point becomes an outlier. The threshold can be set from experience or according to the application scenario; the present invention is not limited in this respect.
With the power network traffic anomaly detection method of the present invention, the power network traffic does not need to be classified specifically during detection, which reduces the detection difficulty, and the method adapts well to all kinds of newly emerging anomalies; after the improvement using the k-d tree, the time complexity of detection is reduced and the time cost is clearly lower.
For a better understanding of the present invention, a concrete example is described below.
Taking the detection of consecutive data traffic packets in the data network of a certain electric power company in March 2016 as an example, the concrete detection steps are as follows:
1) Collect the raw data traffic packets through traffic collection equipment (such as a probe) deployed in bypass mode on a node of the electric power data network, obtaining data in 25 fields in total;
2) Preprocess the collected data traffic packets to obtain available data in 4 fields in total, as shown in Table 1 below:
Table 1 Fields finally obtained
packetsin | packetsout | bytesin | bytesout
In Table 1, packetsin is the number of downloaded packets, packetsout the number of uploaded packets, bytesin the number of downloaded bytes and bytesout the number of uploaded bytes.
The data of the 4 fields in Table 1 are the fields related to the traffic volume of a data traffic packet, called the available data. The present invention can select the available data of at least one of these four fields to build the k-d tree; in this embodiment, only the case of building the k-d tree from the available data of all 4 fields is described.
3) Take each data traffic packet (including the available data of the 4 fields) as one object and build the k-d tree;
4) Compute the k-distance and the k-distance neighbourhood of each object;
5) Compute the reachability distance between each object and the objects in its k-distance neighbourhood;
6) Compute the local reachability density and the local outlier factor of each object;
7) Establish a threshold from the computation results and compare each local outlier factor with this threshold; if the computed value is greater than the threshold, the data traffic packet corresponding to that local outlier factor is judged abnormal.
It should be noted that step 2) is optional; in concrete implementations of the present invention this step can be omitted and step 3) carried out directly, taking each collected data traffic packet as one object and building the k-d tree.
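The k-d tree construction (largest-variance split dimension, median split point), the k-nearest-neighbour query it supports, and formulas (1) to (4) applied to 4-field records as in steps 3) to 7), written out as an added example in Python. This is not the patent's code. It assumes Euclidean distance (the patent does not name the metric), min-max scaling of each field before distances are taken (not in the patent; without it the byte fields swamp the packet fields), and that ties at the k-th distance are truncated to exactly k neighbours rather than enlarging the neighbourhood as formula (1) allows. The nine traffic records are constructed, the anomalous record at index 8 is made up, and the threshold 2.5 is borrowed from Example 3 below purely for illustration.

```python
"""Local outlier factor (LOF) over power-network traffic records, using a k-d tree
for the k-nearest-neighbour queries. Added example, not the patent's own code.
Assumptions: Euclidean distance, min-max scaling of each field, ties at the
k-th distance truncated to exactly k neighbours."""
import math
import statistics

# Constructed sample: 4-field records (packetsin, packetsout, bytesin, bytesout)
# as in Table 1. Eight ordinary records on a smooth trend plus one made-up
# anomaly (huge inbound volume, almost no outbound traffic) at the last index.
SAMPLE_PACKETS = [(100 + 10 * i, 98 + 10 * i, 800 * (100 + 10 * i), 600 * (100 + 10 * i))
                  for i in range(8)] + [(5000, 40, 4_000_000, 3000)]
ANOMALY_INDEX = 8


def minmax_scale(vectors):
    """Scale every field to [0, 1] so byte counts do not dominate packet counts."""
    dims = len(vectors[0])
    lo = [min(v[d] for v in vectors) for d in range(dims)]
    hi = [max(v[d] for v in vectors) for d in range(dims)]
    return [tuple((v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
                  for d in range(dims)) for v in vectors]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_kdtree(indices, vectors):
    """Recursive k-d tree over object indices: the split dimension is the field
    with the largest variance and the split point is the median, as the patent
    describes; each node holds one object (one traffic record)."""
    if not indices:
        return None
    dims = len(vectors[0])
    axis = max(range(dims), key=lambda d: statistics.pvariance([vectors[i][d] for i in indices]))
    ordered = sorted(indices, key=lambda i: vectors[i][axis])
    mid = len(ordered) // 2
    return {"idx": ordered[mid], "axis": axis,
            "left": build_kdtree(ordered[:mid], vectors),
            "right": build_kdtree(ordered[mid + 1:], vectors)}


def knn(node, vectors, target, k, best=None):
    """Exact k nearest neighbours of object `target` (itself excluded), as a list
    of (distance, index) in ascending order. The far side of a split is visited
    only when the split plane is no farther than the current k-th best distance."""
    if best is None:
        best = []
    if node is None:
        return best
    i, axis = node["idx"], node["axis"]
    if i != target:
        best.append((euclid(vectors[i], vectors[target]), i))
        best.sort()
        del best[k:]
    diff = vectors[target][axis] - vectors[i][axis]
    near, far = (node["left"], node["right"]) if diff < 0 else (node["right"], node["left"])
    knn(near, vectors, target, k, best)
    if len(best) < k or abs(diff) <= best[-1][0]:
        knn(far, vectors, target, k, best)
    return best


def lof_scores(raw_vectors, k):
    """Formulas (1)-(4): k-distance neighbourhood, reachability distance,
    local reachability density and local outlier factor for every object."""
    vectors = minmax_scale(raw_vectors)
    n = len(vectors)
    tree = build_kdtree(list(range(n)), vectors)
    neigh = {p: knn(tree, vectors, p, k) for p in range(n)}   # N_k-dis(p)  (1)
    kdis = {p: neigh[p][-1][0] for p in range(n)}            # k-dis(p)
    lrd = {}
    for p in range(n):
        # r-dis_k(p, o) = max{k-dis(o), d(p, o)} (2); lrd is the inverse mean (3)
        total = sum(max(kdis[o], d) for d, o in neigh[p])
        lrd[p] = math.inf if total == 0 else len(neigh[p]) / total
    lof = {}
    for p in range(n):
        # lof(p) = mean over the neighbourhood of lrd(o) / lrd(p)  (4)
        lof[p] = sum(lrd[o] for _, o in neigh[p]) / (len(neigh[p]) * lrd[p])
    return lof


def detect_anomalies(raw_vectors, k=3, threshold=2.5):
    """Indices whose LOF exceeds the preset threshold (step S302 / step 7)."""
    lof = lof_scores(raw_vectors, k)
    return sorted(p for p, score in lof.items() if score > threshold)


if __name__ == "__main__":
    for p, score in sorted(lof_scores(SAMPLE_PACKETS, 3).items()):
        print(p, SAMPLE_PACKETS[p], f"lof={score:.2f}")
    print("anomalous records:", detect_anomalies(SAMPLE_PACKETS))
```

Running the block prints each record's LOF: the eight ordinary records score close to 1 and the constructed anomaly scores far above the threshold. Scaling is the decision the patent leaves open and the one that matters most in practice: on raw counts the distance is almost entirely the bytesin and bytesout difference, so a packet-count anomaly with ordinary byte counts would score as normal.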
Example 1
400 consecutive data traffic packets were selected at random; the detection result is shown in Fig. 5, where packets with a LOF value greater than 3.2 are abnormal traffic packets.
Example 2
3000 consecutive data traffic packets were selected at random; the detection result is shown in Fig. 6, where packets with a LOF value greater than 2.7 are abnormal traffic packets.
Example 3
10000 consecutive data traffic packets were selected at random; the detection result is shown in Fig. 7, where packets with a LOF value greater than 2.5 are abnormal traffic packets.
A comparison of the present invention with the prior art is analyzed as follows:
When computing the k-distance with the existing enumeration-traversal method, all objects are traversed in order to find the nearest neighbours, so the time complexity of computing the LOF value of a single object is at least O(n). The present invention uses the k-d tree data structure to optimize this. Because a binary tree is built, the distribution of the concrete samples is unknown at query time: a query may find its answer directly from the first-chosen child node or may need to query each subtree repeatedly, which introduces uncertainty, but the time complexity can nevertheless be reduced to …; even in the worst case the time cost is reduced, which suits electric power data networks with high timeliness requirements. Moreover, this uncertainty affects only the time consumed and has no effect on the reliability of the electric power data network.
In experiment, take k value to be 5 respectively, 10,15,20, identical sample is analyzed, the time comparison diagram of drawing is such as Fig. 8.
Based on the same inventive concept as the power network traffic anomaly detection method described above, the application also provides a power network traffic anomaly detection device, as described in the following embodiment. Since the device solves the problem on a principle similar to that of the method, its implementation may refer to the implementation of the method; repeated matter is not described again.
Fig. 9a shows a power network traffic anomaly detection device additionally provided by an embodiment of the present invention; it comprises a traffic packet collecting unit 901 and an anomaly detecting unit 903.
The traffic packet collecting unit 901 collects the data traffic packets of the power network, each data traffic packet consisting of the data of a plurality of fields;
The anomaly detecting unit 903 builds a k-d tree from the data traffic packets and performs anomaly detection on the data traffic packets.
In one embodiment, the traffic packet collecting unit 901 collects the data traffic packets from a router or switch by means of a probe and stores them.
In one embodiment, as shown in Fig. 9b, the power network traffic anomaly detection device further includes a field selection unit 902, which selects from each data traffic packet the data of at least one field related to the traffic size of the packet as usable data. The anomaly detecting unit can then build the k-d tree from the data traffic packets, including at least the usable data, and perform anomaly detection on the data traffic packets.
In one embodiment, as shown in Fig. 10, the anomaly detecting unit 903 includes:
a local outlier factor computing module 1001, which takes each data traffic packet as one object, builds the k-d tree and computes the local outlier factor of each object;
an anomaly detection module 1002, which compares the local outlier factor of each object with a preset value and detects whether the data traffic packet corresponding to that object is anomalous.
In one embodiment, as shown in Fig. 11, the local outlier factor computing module 1001 includes a k-distance computing submodule 1101, a k-distance neighbourhood submodule 1102, a reachability distance computing submodule 1103, a local reachability density computing submodule 1104 and a local outlier factor computing submodule 1105.
The k-distance computing submodule 1101 computes the k-distance of each object.
A k-d tree is a data structure that partitions a k-dimensional data space; the k here refers to the k-th nearest neighbour. The k-d tree can quickly find the k-th nearest point, which makes the next step, computing the k-distance, convenient; and because the k nearest points are recorded during the computation, the k-distance neighbourhood required later is easily obtained as well.
A k-d tree is essentially a binary tree in which each node represents a region of the space; in the present invention each node represents one data traffic packet of the power data network. Building the k-d tree is a recursive process of dividing the space step by step. A node is a split point (split_point) that can be split into a left son (left_son) and a right son (right_son): the split point is the parent node of the binary tree and the left and right sons are its left and right child nodes. The way the split point is chosen (split-method) is the determining attribute in building a k-d tree.
The splitting process of the k-d tree is as follows: first compute the variance of each dimension (i.e. each field) and find the dimension a with the largest variance; sort all nodes in ascending order along dimension a and take the median point as split_point; apply the same steps recursively to all points smaller than the median to obtain left_son, and to all points larger than the median to obtain right_son. Variance is used as the criterion in this embodiment because a large variance means the data are spread out along that coordinate axis, so splitting the data in that direction gives better resolution.
When computing the k-distance, the embodiment of the present invention abstracts each data traffic packet as an object p. For any natural number k, the k-distance k-dis(p) of object p is defined as the distance between p and some object o, where o must satisfy:
there are at least k objects o' ∈ D \ {p} (D is the set that includes p) such that the distance d(p, o') from p to o' and the distance d(p, o) from p to o satisfy d(p, o') ≤ d(p, o), and there are at most k−1 objects q ∈ D \ {p} (D \ {p} denotes the set D without p) such that d(p, q) < d(p, o), where d(p, q) is the distance between object p and object q.
With the k-d tree built, the nearest neighbours of any object can be queried easily. While querying for the k-th nearest neighbour, an array holding the first k−1 smallest distances records whether a node can be used to update the k-th smallest distance; once the k-th nearest neighbour has been obtained, the query yields the k-distance.
The k-distance neighbourhood submodule 1102 computes the k-distance neighbourhood of each object from its k-distance.
In one embodiment, for an object p (which may correspond to any collected data traffic packet), the k-distance neighbourhood of p is the set of objects whose distance to p is not greater than the k-distance of p; the k-distance neighbourhood $N_{k\text{-}dis}(p)$ of p is given by formula (1).
The reachability distance computing submodule 1103 computes the reachability distance of each object with respect to the objects in its k-distance neighbourhood.
In one embodiment, for a given natural number k, the reachability distance $r\text{-}dis_k(p, o)$ of object p with respect to an object o in its neighbourhood is given by formula (2).
The local reachability density computing submodule 1104 computes the local reachability density of each object from its reachability distances with respect to the objects in its k-distance neighbourhood.
In one embodiment, the local reachability density $lrd_{k\text{-}dis}(p)$ of object p is the reciprocal of the average reachability distance of p with respect to its k-distance neighbourhood, as given by formula (3).
The local outlier factor computing submodule 1105 computes the local outlier factor of each object from the local reachability densities.
In one embodiment, the local outlier factor lof(p) of object p is given by formula (4).
With the power network traffic anomaly detection device of the present invention, the power network traffic need not be classified in detail during detection, which lowers the difficulty of detection and adapts well to various emerging anomalies; after the improvement with the k-d tree, the time complexity of detection is reduced and the time cost drops substantially.
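The following is an added, self-contained example of the procedure described in this section (and restated in claims 5 to 9); it is not the patent's own code. It builds the k-d tree with the largest-variance split described above, queries it for the k nearest neighbours to obtain the k-distance, then computes the k-distance neighbourhood, reachability distance, local reachability density and local outlier factor of formulas (1) to (4) and flags packets whose lof exceeds a threshold. The packet records, their field names (`bytes`, `pkts`, `duration`, `src_port`), the choice of size-related fields and the threshold value are all constructed assumptions for illustration:

```python
"""Added example, not the patent's own code: local outlier factor (LOF) over
power-network traffic packets with a variance-split k-d tree for the nearest
neighbour search. Field names and sample records are constructed."""
import math
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed sample: 19 ordinary traffic packets plus one (id 19) that is far
# larger than the rest and should be reported as anomalous.
SAMPLE_PACKETS: List[Dict[str, float]] = [
    {"id": i, "bytes": 500 + 20 * (i % 5), "pkts": 10 + i % 3,
     "duration": 1.0 + 0.1 * (i % 4), "src_port": 40000 + i}
    for i in range(19)
] + [{"id": 19, "bytes": 9000, "pkts": 95, "duration": 1.2, "src_port": 40019}]

# Fields related to traffic size form the "usable data"; src_port is dropped.
SIZE_FIELDS = ("bytes", "pkts", "duration")


def select_fields(packets, fields=SIZE_FIELDS) -> List[List[float]]:
    """Reduce each traffic packet to a numeric vector of the chosen fields."""
    return [[float(p[f]) for f in fields] for p in packets]


class Node:
    __slots__ = ("point", "index", "axis", "left", "right")

    def __init__(self, point, index, axis, left, right):
        self.point, self.index, self.axis = point, index, axis
        self.left, self.right = left, right  # left_son and right_son


def build_kdtree(points: List[List[float]], indices=None) -> Optional[Node]:
    """Split on the largest-variance dimension at its median, recursively."""
    if indices is None:
        indices = list(range(len(points)))
    if not indices:
        return None
    axis = max(range(len(points[0])),
               key=lambda d: statistics.pvariance([points[i][d] for i in indices]))
    indices = sorted(indices, key=lambda i: points[i][axis])
    mid = len(indices) // 2  # the median point becomes split_point
    return Node(points[indices[mid]], indices[mid], axis,
                build_kdtree(points, indices[:mid]),
                build_kdtree(points, indices[mid + 1:]))


def knn(root, points, query_idx, k) -> List[Tuple[float, int]]:
    """k nearest neighbours of points[query_idx] (itself excluded) as
    (distance, index) pairs in ascending order; the last distance is k-dis(p)."""
    q = points[query_idx]
    best: List[Tuple[float, int]] = []  # the running k smallest distances

    def visit(node):
        if node is None:
            return
        if node.index != query_idx:
            d = math.dist(q, node.point)
            if len(best) < k or d < best[-1][0]:
                best.append((d, node.index))
                best.sort()
                del best[k:]
        diff = q[node.axis] - node.point[node.axis]
        near, far = (node.left, node.right) if diff <= 0 else (node.right, node.left)
        visit(near)
        # The far son can only improve the k-th distance if the splitting
        # plane lies closer to q than the current k-th best distance.
        if len(best) < k or abs(diff) <= best[-1][0]:
            visit(far)

    visit(root)
    return best


def neighbourhood(root, points, query_idx, radius) -> List[int]:
    """Formula (1): indices of every object o != p with d(p, o) <= radius."""
    q = points[query_idx]
    found: List[int] = []

    def visit(node):
        if node is None:
            return
        if node.index != query_idx and math.dist(q, node.point) <= radius:
            found.append(node.index)
        diff = q[node.axis] - node.point[node.axis]
        if diff <= radius:   # left son holds values <= the split value
            visit(node.left)
        if -diff <= radius:  # right son holds values >= the split value
            visit(node.right)

    visit(root)
    return found


def lof_scores(points: List[List[float]], k: int) -> List[float]:
    """Formulas (2)-(4): reachability distance, lrd and lof of every object."""
    root = build_kdtree(points)
    n = len(points)
    kdis = [knn(root, points, p, k)[-1][0] for p in range(n)]
    nbrs = [neighbourhood(root, points, p, kdis[p]) for p in range(n)]

    def reach(p, o):  # formula (2): r-dis_k(p, o) = max{k-dis(o), d(p, o)}
        return max(kdis[o], math.dist(points[p], points[o]))

    lrd = []
    for p in range(n):  # formula (3); coincident points would give a zero sum
        total = sum(reach(p, o) for o in nbrs[p])
        lrd.append(len(nbrs[p]) / total if total > 0 else math.inf)
    return [sum(lrd[o] for o in nbrs[p]) / lrd[p] / len(nbrs[p]) for p in range(n)]


def detect_anomalies(packets, k=5, threshold=3.0) -> List[int]:
    """Ids of packets whose lof exceeds the threshold (step 7 of the method)."""
    scores = lof_scores(select_fields(packets), k)
    return [p["id"] for p, s in zip(packets, scores) if s > threshold]
```

Running `detect_anomalies(SAMPLE_PACKETS)` reports only packet 19: its k-distance is dominated by the gap between it and the ordinary packets, so its local reachability density is far below that of its neighbours and its lof is in the hundreds, whereas the ordinary packets sit at lof values close to 1. The threshold is the part of the method the page leaves to the operator (3.2, 2.7 and 2.5 in its three examples); the unscaled `bytes` field dominates the distances here, so in practice the selected fields would normally be scaled before the tree is built.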
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of the application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Specific embodiments have been used in this application to set forth its principles and implementations; the description of the above embodiments is intended only to help understand the method of the application and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the application, make changes to the specific embodiments and to the scope of application. In summary, the contents of this specification should not be construed as limiting the application.

Claims (14)

1. A power network traffic anomaly detection method, characterised by comprising:
collecting data traffic packets of the power network, each data traffic packet consisting of the data of a plurality of fields;
building a k-d tree from the data traffic packets and performing anomaly detection on the data traffic packets.
2. The power network traffic anomaly detection method according to claim 1, characterised in that, before the k-d tree is built from the data traffic packets, the method further comprises: selecting from the data traffic packets the data of at least one field related to the traffic size of the data traffic packets as usable data;
and building the k-d tree from the data traffic packets and performing anomaly detection on the data traffic packets comprises: building the k-d tree from the data traffic packets including at least the usable data, and performing anomaly detection on the data traffic packets.
3. The power network traffic anomaly detection method according to claim 1, characterised in that collecting the data traffic packets of the power network comprises: collecting the data traffic packets from a router or switch by means of a probe, and storing the data traffic packets.
4. The power network traffic anomaly detection method according to claim 1 or 2, characterised in that building the k-d tree from the data traffic packets and performing anomaly detection on the data traffic packets comprises:
taking each data traffic packet as one object, building the k-d tree and computing the local outlier factor of each object;
comparing the local outlier factor of each object with a preset value and detecting whether the data traffic packet corresponding to that object is anomalous.
5. The power network traffic anomaly detection method according to claim 4, characterised in that computing the local outlier factor of each object comprises:
computing the k-distance of each object;
computing the corresponding k-distance neighbourhood from the k-distance of each object;
computing the reachability distance of each object with respect to the objects in its k-distance neighbourhood;
computing the corresponding local reachability density from the reachability distances of each object with respect to the objects in its k-distance neighbourhood;
computing the corresponding local outlier factor from the local reachability density of each object.
6. The power network traffic anomaly detection method according to claim 5, characterised in that, for an object p, the k-distance neighbourhood of p is the set of objects whose distance to p is not greater than the k-distance of p, the k-distance neighbourhood $N_{k\text{-}dis}(p)$ of p being:
$$N_{k\text{-}dis}(p) = \{\, q \mid d(p, q) \le k\text{-}dis(p) \,\}$$
where q is an object whose distance to p is not greater than the k-distance of p, d(p, q) is the distance between object p and object q, and k-dis(p) is the k-distance of object p.
7. The power network traffic anomaly detection method according to claim 6, characterised in that the reachability distance $r\text{-}dis_k(p, o)$ of object p with respect to an object o in its k-distance neighbourhood is:
$$r\text{-}dis_k(p, o) = \max\{\, k\text{-}dis(o),\ d(p, o) \,\}$$
where k-dis(o) is the k-distance of object o and d(p, o) is the distance between object p and object o.
8. The power network traffic anomaly detection method according to claim 7, characterised in that the local reachability density $lrd_{k\text{-}dis}(p)$ of object p is the reciprocal of the average reachability distance of p with respect to its k-distance neighbourhood:
$$lrd_{k\text{-}dis}(p) = \frac{1}{\dfrac{\sum_{o \in N_{k\text{-}dis}(p)} r\text{-}dis_k(p, o)}{\lvert N_{k\text{-}dis}(p) \rvert}}$$
9. The power network traffic anomaly detection method according to claim 8, characterised in that the local outlier factor lof(p) of object p is:
$$lof(p) = \frac{\sum_{o \in N_{k\text{-}dis}(p)} \dfrac{lrd_{k\text{-}dis}(o)}{lrd_{k\text{-}dis}(p)}}{\lvert N_{k\text{-}dis}(p) \rvert}$$
10. A power network traffic anomaly detection device, characterised by comprising:
a traffic packet collecting unit for collecting data traffic packets of the power network, each data traffic packet consisting of the data of a plurality of fields;
an anomaly detecting unit for building a k-d tree from the data traffic packets and performing anomaly detection on the data traffic packets.
11. The power network traffic anomaly detection device according to claim 10, characterised by further comprising a field selection unit for selecting from the data traffic packets the data of at least one field related to the traffic size of the data traffic packets as usable data;
the anomaly detecting unit being specifically configured to build the k-d tree from the data traffic packets including at least the usable data, and to perform anomaly detection on the data traffic packets.
12. The power network traffic anomaly detection device according to claim 10, characterised in that the traffic packet collecting unit is specifically configured to collect the data traffic packets from a router or switch by means of a probe and to store the data traffic packets.
13. The power network traffic anomaly detection device according to claim 10, characterised in that the anomaly detecting unit comprises:
a local outlier factor computing module for taking each data traffic packet as one object, building the k-d tree and computing the local outlier factor of each object;
an anomaly detection module for comparing the local outlier factor of each object with a preset value and detecting whether the data traffic packet corresponding to that object is anomalous.
14. The power network traffic anomaly detection device according to claim 13, characterised in that the local outlier factor computing module comprises:
a k-distance computing submodule for computing the k-distance of each object;
a k-distance neighbourhood submodule for computing the corresponding k-distance neighbourhood from the k-distance of each object;
a reachability distance computing submodule for computing the reachability distance of each object with respect to the objects in its k-distance neighbourhood;
a local reachability density computing submodule for computing the corresponding local reachability density from the reachability distances of each object with respect to the objects in its k-distance neighbourhood;
a local outlier factor computing submodule for computing the corresponding local outlier factor from the local reachability density of each object.
CN201610874427.3A 2016-09-30 2016-09-30 Power network traffic anomaly detection method and device Pending CN106375156A (en)


Publications (1)

Publication Number Publication Date
CN106375156A true CN106375156A (en) 2017-02-01



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170201