CN110581834A - communication capability opening abnormity detection method and device - Google Patents

communication capability opening abnormity detection method and device Download PDF

Info

Publication number
CN110581834A
CN110581834A CN201810595921.5A CN201810595921A CN110581834A CN 110581834 A CN110581834 A CN 110581834A CN 201810595921 A CN201810595921 A CN 201810595921A CN 110581834 A CN110581834 A CN 110581834A
Authority
CN
China
Prior art keywords
operation parameters
anomaly detection
detected
communication capability
neural network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810595921.5A
Other languages
Chinese (zh)
Inventor
邢彪
郑屹峰
张卷卷
凌啼
章淑敏
徐昊帆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Zhejiang Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Zhejiang Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Zhejiang Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201810595921.5A priority Critical patent/CN110581834A/en
Publication of CN110581834A publication Critical patent/CN110581834A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/16Threshold monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/50Testing arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a communication capacity opening abnormity detection method and a device, wherein the method comprises the following steps: inputting the operation parameters of the communication capacity opening platform to be detected into an anomaly detection model, and outputting an anomaly detection result of the communication capacity opening platform to be detected; the operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained by training based on sample operation parameters. According to the method and the device provided by the embodiment of the invention, the operation parameters are input into the anomaly detection model to obtain the anomaly detection result, so that the online real-time detection of the communication capacity open platform is realized, the accuracy of the anomaly detection is improved, the early detection and early warning of the anomaly are realized, precious time is gained for dealing with the abnormal event, the risk prevention level of the communication capacity opening of an operator is improved, and conditions are provided for dealing with the application requirement of the mobile internet which is instantaneously changeable.

Description

communication capability opening abnormity detection method and device
Technical Field
the embodiment of the invention relates to the technical field of communication core networks, in particular to a communication capacity opening abnormity detection method and device.
Background
the communication capability opening means that a telecommunication operator opens the traditional telecommunication capability to a third-party application through a standard restful API (application programming interface) so as to be convenient for a third-party application developer to call. The open communication capability enables application developers to realize the emergence of traditional telecommunication capabilities such as short messages and one-way and two-way calls and the excavation of new potential without knowing the complex communication protocol of the bottom layer of an operator, realizes the fusion of a traditional telecommunication network and a mobile internet, and fills the traditional short messages and voice pipelines with gradually shrinking flow. The communication capability open platform integrates various capabilities of a southbound network element, namely a capability provider, encapsulates various communication protocol interfaces, converts the capabilities into a uniform general API (application program interface) protocol and provides the uniform API protocol for northbound application calling.
With the increase of communication capacity open traffic, the increase of northbound applications and the uncontrollable characteristic of northbound application behaviors, the complexity of the services is multiplied, and accurate anomaly detection is particularly necessary.
The existing method for detecting the open anomaly of the communication network capability mainly adopts a mode of respectively setting threshold values for various operation parameters. The simple and extensive mode with one cutting has the problems of high false alarm rate and low accuracy.
Disclosure of Invention
the embodiment of the invention provides a communication capacity open anomaly detection method and a communication capacity open anomaly detection device, which are used for solving the problems of high false alarm rate and low accuracy of anomaly detection in the conventional communication network capacity open anomaly detection method.
in one aspect, an embodiment of the present invention provides a method for detecting an open anomaly of a communication capability, including: inputting the operation parameters of the communication capacity opening platform to be detected into an anomaly detection model, and outputting an anomaly detection result of the communication capacity opening platform to be detected; the operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained by training based on sample operation parameters.
In another aspect, an embodiment of the present invention provides a device for detecting an open communication capability anomaly, including: the anomaly detection unit is used for inputting the operation parameters of the communication capacity opening platform to be detected into the anomaly detection model and outputting an anomaly detection result of the communication capacity opening platform to be detected; the operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained by training based on sample operation parameters.
In another aspect, an embodiment of the present invention provides a device for detecting open communication capability exception, including a processor, a communication interface, a memory, and a bus, where the processor and the communication interface complete communication between the processor and the memory through the bus, and the processor may call a logic instruction in the memory to execute the method for detecting open communication capability exception as described above.
In still another aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the communication capability opening anomaly detection method as described above.
According to the method and the device for detecting the open abnormity of the communication capability, provided by the embodiment of the invention, the operation parameters are input into the abnormity detection model to obtain the abnormity detection result, so that the online real-time detection of the open platform of the communication capability is realized, the abnormity detection precision is improved, the early discovery and early warning of the abnormity are realized, precious time is gained for responding to the abnormal event, the risk prevention level of the open communication capability of an operator is improved, and conditions are provided for responding to the application requirement of the mobile internet which is instantaneously changeable.
drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for detecting an open communication capability anomaly according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an open platform for communication capability according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a self-coding neural network according to an embodiment of the present invention;
FIG. 4 is a PR graph according to an embodiment of the present invention;
Fig. 5 is a flowchart illustrating a method for detecting an open communication capability anomaly according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an apparatus for detecting open communication capability anomaly according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a communication capability opening anomaly detection device according to an embodiment of the present invention.
Detailed Description
in order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, the method for detecting the open anomaly of the communication capability mainly adopts a mode of respectively setting threshold values for various operation parameters. The simple and extensive one-cutting mode has the problems of high false alarm rate and low accuracy, and can not meet the operation and maintenance requirements of the existing communication capability opening. In view of the above situation, an embodiment of the present invention provides a method for detecting an open communication capability anomaly, and fig. 1 is a schematic flow chart of the method for detecting an open communication capability anomaly according to the embodiment of the present invention, as shown in fig. 1, the method includes:
And 101, inputting the operation parameters of the communication capacity opening platform to be detected into the anomaly detection model, and outputting the anomaly detection result of the communication capacity opening platform to be detected.
Wherein the operation parameter comprises at least one of API call data, concurrent transaction data and module delay data. The API call data refers to data related to the interface of the communication capability open platform to be detected called by the northbound application or the southbound component, such as the number of calls, the number of call success times, the number of call failure times, and the like. The concurrent transaction data refers to the quantity of API call requests received and processed by the communication capability open platform to be detected per second, and is an important index for measuring the performance of the communication capability open platform to be detected. The module delay data refers to delay data of each module of the communication capability open platform to be detected, and referring to fig. 2, the module here may be a service capability access module (E-SA), an open service orchestration module (E-SO), an operation management service orchestration module (M-SO), or a message BUS module (BUS-SO), and may also be a northbound application or a southbound component. The embodiment of the invention does not specifically limit the selection of the operation parameters.
and the abnormal detection result is used for representing the running state of the communication capacity open platform to be detected, and can be normal or abnormal. The abnormal condition refers to a condition that the running state of the communication capability open platform to be detected is greatly deviated from the normal state.
In addition, before the above process is executed, the abnormality detection model may be trained in advance, and may be specifically trained in the following manner: first, a large number of sample operating parameters are collected. And training the initial model based on the sample operation parameters to obtain an anomaly detection model. The initial model may be a single neural network model or a combination of a plurality of neural network models, and the embodiment of the present invention does not specifically limit the type and structure of the initial model.
According to the method provided by the embodiment of the invention, the operation parameters are input into the anomaly detection model to obtain the anomaly detection result, so that the online real-time detection of the communication capacity open platform is realized, and the accuracy of the anomaly detection is improved, thereby realizing the early discovery and early warning of the anomaly, gaining precious time for responding to the abnormal event, improving the risk prevention level of the communication capacity opening of an operator, and providing conditions for responding to the application requirement of the mobile internet with immense variation.
based on the above embodiment, a method for detecting an open communication capability anomaly 101 inputs an operation parameter of an open communication capability platform to be detected into an anomaly detection model, and outputs an anomaly detection result of the open communication capability platform to be detected, which specifically includes:
And 1011, inputting the operation parameters into a self-coding neural network of the anomaly detection model, and outputting reconstruction parameters corresponding to the operation parameters.
the self-coding neural network is an unsupervised learning method and has the functions of compressing input samples to a hidden layer and reconstructing the samples at an output end. That is, the output x' of the self-encoding neural network has the following relationship with the input x: x' ≈ x. Therefore, in the embodiment of the invention, the operation parameters are input into the self-coding neural network, and the reconstruction parameters of the operation parameters can be obtained through the compression and reconstruction of the self-coding neural network.
For example, when the operation parameters contain 14 parameters, a prediction function automatic decoder prediction (X _ test) in a keras model is called, the real-time operation parameter data of the platform is input into the prediction function, and then the reconstructed reconstruction parameters are output.
And (3) reconstructing parameters:
S’={X1’,X2’,X3’,X4’,X5’,X6’,X7’,X8’,X9’,X10’,X11’,X12’,X13’,X14’}
Operating parameters (input data):
S={X1,X2,X3,X4,X5,X6,X7,X8,X9,X10,X11,X12,X13,X14}
1012, a reconstruction error between the operating parameter and the reconstruction parameter is calculated.
the reconstruction error is used for measuring the difference between the operation parameter and the reconstruction parameter, and generally, the larger the reconstruction error is, the larger the difference between the corresponding operation parameter and the normal parameter is. There are various methods for calculating the reconstruction error, for example, an absolute value of a difference between the operating parameter and the reconstruction parameter is used as the reconstruction error, or a mean square error of a difference between the operating parameter and the reconstruction parameter is used as the reconstruction error, which is not specifically limited in the embodiment of the present invention.
Preferably, the reconstruction error is determined as the square of the difference between the operating parameter and the reconstruction parameter according to the following equation:
L(x,x′)=||x-x′||2
Where x is an operating parameter, x 'is a reconstruction parameter, and L (x, x') is a reconstruction error.
1013, if the reconstruction error is larger than a preset threshold, setting the abnormal detection result of the communication capacity open platform to be detected as abnormal. Here, the preset threshold is a threshold preset according to a specific application scenario and a service requirement.
In the embodiment of the invention, the reconstruction parameters are obtained through the self-coding neural network, and the reconstruction errors between the operation parameters and the reconstruction parameters are used as the basis for measuring the abnormal state of the communication capacity open platform to be detected, so that the accuracy rate of the communication capacity open abnormality detection is effectively improved, and the stability of the communication capacity open operation is improved.
based on any one of the embodiments, the method for detecting the open anomaly of the communication capability comprises the steps that API calling data comprise at least one of total API calling amount, API calling failure amount, API calling success rate, API calling maximum response time delay and API calling minimum response time delay; the concurrent transaction data comprises a peak concurrent transaction number and/or an average concurrent transaction number; the module time delay data comprises at least one of average time delay of the south-oriented module, average time delay of the north-oriented module, average processing time delay of the E-SA service capability access module, average processing time delay of the E-SO service arrangement module, average processing time delay of the M-SO operation management arrangement module and average processing time delay of the BUS-SO message BUS module.
specifically, the operating parameters are shown in the following table:
TABLE 1 table of operating parameters
Based on any of the above embodiments, a communication capability open anomaly detection method inputs an operation parameter to a self-coding neural network of an anomaly detection model, and outputs a reconstruction parameter corresponding to the operation parameter, which specifically includes: inputting the operation parameters into an encoder of a self-encoding neural network, and outputting the characteristic vectors of the operation parameters; the encoder is used for compressing and reducing the dimension of the operation parameters; inputting the characteristic vector into a decoder of the self-coding neural network, and outputting a reconstruction parameter corresponding to the operation parameter; the decoder is used for restoring and reconstructing the characteristic vector.
In particular, a self-encoding neural network includes an encoder and a decoder. The self-coding neural network gradually improves the accuracy of the self-coding neural network by compressing the operation parameters and then decompressing, solving the reconstruction error by comparing the operation parameters with the decompressed reconstruction parameters and carrying out reverse transmission. The self-coding neural network only applies the operation parameters from beginning to end without data labels corresponding to the operation parameters, so that the self-coding neural network is an unsupervised learning process, namely, a process of compressing and decompressing the input operation parameters.
The encoder is used for compressing and reducing the dimension of the operation parameters, extracting the characteristic vectors representing the operation parameters, the decoder is used for restoring and reconstructing the operation parameters, and the operation parameters input into the encoder are reconstructed according to the extracted characteristic vectors.
fig. 3 is a schematic structural diagram of a self-coding neural network according to an embodiment of the present invention, each circle in fig. 3 represents a neuron, each hidden layer is a fully connected layer, that is, each neuron is connected in pairs, each line has different weights, and the self-coding neural network obtains a weight value through training and autonomous learning. As shown in fig. 3, the self-coding neural network includes 1 input layer, N hidden layers (N fully-connected layers in fig. 3), and 1 output layer. Assuming that the number of the operation parameters input to the self-coding neural network is 14, the input layer contains 14 neurons and the output layer contains 14 neurons correspondingly. The first N/2 layers of the N hidden layers belong to an encoder, and the last N/2 layers belong to a decoder.
The structure of the self-coding neural network is described below by taking an operating parameter of 14 and taking N-6 as an example: in the encoder, 14 neurons are arranged in a first layer, tanh is selected as an activation function, 7 neurons are arranged in a second layer, relu is selected as the activation function, 3 neurons are arranged in a third layer, and relu is selected as the activation function; in the decoder, the first layer sets 3 neurons, selects "tanh" as an activation function, the second layer sets 7 neurons, selects "tanh" as an activation function, the third layer sets 14 neurons, and selects "relu" as an activation function. It should be noted that, the number of the operation parameters input into the self-coding neural network, the number of fully-connected layers of the self-coding neural network encoder and the encoder, and the number of neurons in each fully-connected layer are not specifically limited in the embodiments of the present invention.
based on any of the above embodiments, a method for detecting an open communication capability anomaly, where if a reconstruction error is greater than a preset threshold, an anomaly detection result of a platform with an open communication capability to be detected is set as an anomaly, and the method further includes: and determining a preset threshold according to at least one of the accuracy, the recall rate and the F-Measure of the abnormality detection model.
Specifically, in the anomaly detection problem, most of the sample operation parameters are data of the communication capability open platform in a normal state, so that the normal and abnormal samples are seriously unbalanced, and the performance of the anomaly detection model at this time cannot be described simply by using the classification error rate or the accuracy rate. The data detected by the abnormity belongs to a skew data set, namely the number of the positive samples and the negative samples is quite unbalanced, the negative samples (the communication capacity open platform is in a normal state) are many, and the positive samples (the communication capacity open platform is in a normal state) are few. It is necessary for such skewed datasets to be measured with the concepts of precision (precision), recall (recall), F-Measure, etc.
Wherein, the calculation formula of the accuracy rate is as follows:
the recall ratio is calculated as follows:
In the formula, P is the precision rate, R is the recall rate, TP is the number of abnormal points accurately identified by the abnormality detection model, FP is the number of abnormal points erroneously identified by the abnormality detection model, and FN is the number of abnormal points erroneously identified by the abnormality detection model.
Since there may be contradictory conditions in the accuracy and recall indexes, both need to be considered comprehensively according to the model scenario. Therefore, the selection of the preset threshold needs to be combined with specific application scenarios and service requirements, and it is assumed that in an anomaly detection scenario of the communication capability open platform, each anomaly is expected to be detected, so that a higher recall rate can be obtained by sacrificing a certain accuracy rate. Since the PRC curve can reflect the quality of the model more effectively than the ROC curve under the condition that the positive and negative samples are distributed extremely unevenly, a PR curve (precision call curve) can be drawn by using a sketch, metrics, precision call, and a call back rate as axes, referring to fig. 4, and the curve is drawn by taking different thresholds. The larger the area under the curve (AUC) or the closer the curve is to the upper right corner (precision 1, recall 1), the more desirable the model is. And taking the highest recall rate as an optimal threshold point according to the curve under the condition of setting reasonable accuracy, thereby finding the threshold corresponding to the point as a preset threshold.
Based on any of the above embodiments, a method for detecting communication capability openness abnormality inputs an operation parameter of a communication capability openness platform to be detected to an abnormality detection model, and outputs an abnormality detection result of the communication capability openness platform to be detected, which further includes: based on the sample operation parameters, taking the mean square error of the sample operation parameters and reconstruction parameters output by the self-coding neural network as an objective function to train the self-coding neural network; the sample operation parameters are the operation parameters of the communication capacity open platform in a normal state.
For example, the training time is set to 100(epochs is 100), the batch size is set to 32(batch _ size is 32), the mean square error mse (mean squared error) of the sample operation parameter and the sample reconstruction parameter output from the encoding neural network is selected as a loss function, i.e., an objective function (loss is 'mean squared error'), and an adam optimizer is selected to improve the learning speed of the conventional gradient descent (optimizer is 'adam'). The self-coding neural network can find the optimal weight value which enables the target function to be minimum through gradient descent, so that the operation parameters are reconstructed to the maximum degree, and the reconstructed parameters obtained through reconstruction contain compressed representations of richest information. The self-coding neural network model is trained by calling a model () function, and training is carried out based on sample operation parameters (the operation parameters only containing the communication capacity open platform in a normal state), so that the closer the reconstruction parameters and the operation parameters, the better.
in addition, the verification model can be evaluated by testing the operation parameters (including the operation parameters when the communication capability open platform is in a normal state and the operation parameters when the communication capability open platform is in an abnormal state).
With the increase of the number of training rounds, the training error also gradually decreases, the model gradually converges, the converged model is tested on a test set, the operation parameters in the test set are input into the trained self-coding neural network, the reconstructed value of the operation parameters in the test set is output, and the performance of the model is evaluated by calculating the mean square error MSE (mean squared error) between the reconstructed value and the real value of the test set.
Based on any of the above embodiments, a communication capability open anomaly detection method trains a self-coding neural network by using a mean square error of a sample operation parameter and a sample reconstruction parameter output by the self-coding neural network as an objective function based on the sample operation parameter, and before, further includes: and carrying out standardization processing on the sample operation parameters. Correspondingly, the method includes the steps of inputting the operation parameters of the communication capacity open platform to be detected into the anomaly detection model, and outputting the anomaly detection result of the communication capacity open platform to be detected, and also includes the following steps: and standardizing the operation parameters.
Specifically, the normalization process of the sample operating parameters or the operating parameters includes: the function preprocessing in sklern is used to normalize each sample run parameter or the parameter of each attribute contained in the run parameter, and the normalization formula is (X-mean)/std. During calculation, each attribute is respectively calculated, and the average value of the sample running parameter or the running parameter is subtracted according to the attribute of the sample running parameter or the running parameter, and is divided by the variance of the sample running parameter or the running parameter. After normalization, all data are clustered around 0 for each attribute with a variance of 1. The normalization processing can increase the convergence rate of the anomaly detection model and improve the accuracy of the anomaly detection model.
In addition, for the sample operation parameters, before the self-coding neural network is trained based on the sample operation parameters, the state of the communication capacity open platform corresponding to the operation parameters in the data set is also required to be selected, and the operation parameters of the communication capacity open platform in the normal state are selected as the sample operation parameters.
For example, in the data set, 4842 operation parameters of the communication capability openness platform in the normal state, 126 operation parameters of the communication capability openness platform in the abnormal state, and the number of the two types of samples is greatly unbalanced. The total length of the data set was 4968, taking 80% of the entire data set as training data, i.e., as sample operating parameters, and the remaining 20% as test data, i.e., as test operating parameters. In addition, the operation parameters of the communication capacity open platform in the abnormal state in the sample operation parameters are removed, so that the sample operation parameters are all the operation parameters of the communication capacity open platform in the abnormal state, and meanwhile, labels marked with the communication capacity open platform state in the sample operation parameters and the test operation parameters are removed. This results in the length X _ train _ shape of the sample operating parameter being (3974,14) and the length X _ test _ shape of the test operating parameter being (994, 14). The self-coding neural network is trained by using the sample training parameters, and then the testing operation parameters are used for checking the quality of the self-coding neural network.
in order to better understand and apply a communication capability open anomaly detection method proposed by the present invention, the present invention makes the following examples, and the present invention is not limited to the following examples.
Fig. 5 is a flowchart illustrating a method for detecting an open communication capability anomaly according to an embodiment of the present invention, as shown in fig. 5,
Firstly, historical operating parameters of the communication capacity open platform are obtained, and a data set is constructed. The data set in the example is multidimensional operating parameters of each hour from 0 point of 7/month 1/day 2017 to 8 point of 1/month 24/day 2018, which are acquired from an operator communication capacity open platform, and the total number is 4968. Here, the operation data includes total API call amount, API call failure amount, API call success rate, maximum API call response delay, minimum API call response delay, peak concurrent transaction number, average southward component delay, average northbound component delay, average E-SA service capability access module processing delay, average E-SO service orchestration module processing delay, average M-SO operation management orchestration module processing delay, and average BUS-SO message BUS module processing delay, which are 14 types in total.
second, the data set is preprocessed. And marking the communication capacity open platform state corresponding to the operation parameters in the data set. The number of the operating parameters in the normal state is 4842, and the number of the operating parameters in the abnormal state is 126. Then, the data set is normalized, and parameters of each attribute contained in each sample operation parameter are respectively normalized by using a function preprocessing. During calculation, each attribute is respectively calculated, and the average value of the running parameters of the samples is subtracted from the attributes of the running parameters of the samples and is divided by the variance of the running parameters of the samples. After normalization, all data are clustered around 0 for each attribute with a variance of 1. And finally, dividing the sample operation parameters and the training operation parameters. The total length of the data set was 4968, taking 80% of the entire data set as training data, i.e., as sample operating parameters, and the remaining 20% as test data, i.e., as test operating parameters. In addition, the operation parameters of the communication capacity open platform in the abnormal state in the sample operation parameters are removed, so that the sample operation parameters are all the operation parameters of the communication capacity open platform in the abnormal state, and meanwhile, labels marked with the communication capacity open platform state in the sample operation parameters and the test operation parameters are removed. This results in the length X _ train _ shape of the sample operating parameter being (3974,14) and the length X _ test _ shape of the test operating parameter being (994, 14). The self-coding neural network is trained by using the sample training parameters, and then the testing operation parameters are used for checking the quality of the self-coding neural network.
subsequently, a self-encoding neural network is constructed. Here, the self-coding neural network contains 1 input layer, 6 hidden layers (fully-connected layers), and 1 output layer. The ground input layer contains 14 neurons, and the output layer contains 14 neurons. The first 3 layers of the 6 hidden layers belong to the encoder and the last 3 layers belong to the decoder. In the encoder, 14 neurons are arranged in a first layer, tanh is selected as an activation function, 7 neurons are arranged in a second layer, relu is selected as the activation function, 3 neurons are arranged in a third layer, and relu is selected as the activation function; in the decoder, the first layer sets 3 neurons, selects "tanh" as an activation function, the second layer sets 7 neurons, selects "tanh" as an activation function, the third layer sets 14 neurons, and selects "relu" as an activation function.
The training times are set to be 100(epochs is 100), the batch processing size is set to be 32(batch _ size is 32), the sample operation parameters and the mean square error MSE (mean squared error) of the sample reconstruction parameters output by the self-coding neural network are selected as a loss function, namely an objective function (loss is 'mean _ squared _ error'), and an adam optimizer is selected to be used for improving the learning speed of the traditional gradient descent. The self-coding neural network can find the optimal weight value which enables the target function to be minimum through gradient descent, so that the operation parameters are reconstructed to the maximum degree, and the reconstructed parameters obtained through reconstruction contain compressed representations of richest information. The self-coding neural network model is trained by calling a model () function, and training is carried out based on sample operation parameters (the operation parameters only containing the communication capacity open platform in a normal state), so that the closer the reconstruction parameters and the operation parameters, the better.
once the off-line training is completed, the calculated self-coding neural network weight is derived, and when the on-line detection is needed, the stored weight is directly loaded, so that the trained self-coding neural network can be used for carrying out on-line abnormality detection according to the operation parameters. And calling a predict function autoencode (X _ test) in the keras model, inputting the real-time operation parameter data of the platform into the predict function, and then outputting the reconstructed parameters.
and (3) reconstructing parameters:
S’={X1’,X2’,X3’,X4’,X5’,X6’,X7’,X8’,X9’,X10’,X11’,X12’,X13’,X14’}
Operating parameters (input data):
S={X1,X2,X3,X4,X5,X6,X7,X8,X9,X10,X11,X12,X13,X14}
the square of the difference between the operating parameter and the reconstruction parameter is then taken as the reconstruction error according to:
L(x,x′)=||x-x′||2
Where x is an operating parameter, x 'is a reconstruction parameter, and L (x, x') is a reconstruction error.
And if the reconstruction error is larger than a preset threshold value, setting the abnormal detection result of the communication capacity open platform to be detected as abnormal. .
in the example, the operation parameters are input into the anomaly detection model, the anomaly detection result is obtained, the online real-time detection of the communication capacity open platform is realized, and the accuracy of the anomaly detection is improved, so that the anomaly is found in advance and early warning is realized, precious time is gained for dealing with the anomaly events, the risk prevention level of the opening of the communication capacity of an operator is improved, and conditions are provided for dealing with the application requirements of the mobile internet which is instantaneously changeable.
In addition, the reconstruction parameters are obtained through the self-coding neural network, and the reconstruction errors between the operation parameters and the reconstruction parameters are used as a basis for measuring the abnormal state of the communication capacity open platform to be detected, so that the accuracy rate of the communication capacity open abnormality detection is effectively improved, and the stability of the communication capacity open operation is improved.
Based on any of the above method embodiments, fig. 6 is a schematic structural diagram of a communication capability opening anomaly detection apparatus according to an embodiment of the present invention, and as shown in fig. 6, the communication capability opening anomaly detection apparatus includes:
The anomaly detection unit 601 is used for inputting the operation parameters of the communication capability open platform to be detected into the anomaly detection model and outputting the anomaly detection result of the communication capability open platform to be detected; the operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained by training based on sample operation parameters.
It should be noted that the anomaly detection unit 601 is configured to execute a communication capability openness anomaly detection method in the foregoing embodiments, and specific functions of the system refer to the foregoing embodiments of the communication capability openness anomaly detection method, which are not described herein again.
According to the device provided by the embodiment of the invention, the operation parameters are input into the anomaly detection model to obtain the anomaly detection result, so that the online real-time detection of the communication capacity open platform is realized, and the accuracy of the anomaly detection is improved, thereby realizing the early discovery and early warning of the anomaly, gaining precious time for responding to the abnormal event, improving the risk prevention level of the communication capacity opening of an operator, and providing conditions for responding to the application requirement of the mobile internet with immense variation.
Based on any of the above embodiments, an apparatus for detecting an open communication capability abnormality includes:
The reconstruction parameter subunit is used for inputting the operation parameters into a self-coding neural network of the anomaly detection model and outputting reconstruction parameters corresponding to the operation parameters;
the reconstruction error subunit is used for calculating a reconstruction error between the operation parameter and the reconstruction parameter;
and the anomaly detection subunit is used for setting the anomaly detection result of the communication capability open platform to be detected as an anomaly if the reconstruction error is greater than a preset threshold.
based on any one of the embodiments, the device for detecting the open anomaly of the communication capability comprises API calling data, wherein the API calling data comprises at least one of an API total calling quantity, an API calling failure quantity, an API calling success rate, an API calling maximum response time delay and an API calling minimum response time delay; the concurrent transaction data comprises a peak concurrent transaction number and/or an average concurrent transaction number; the module time delay data comprises at least one of average time delay of the south-oriented module, average time delay of the north-oriented module, average processing time delay of the E-SA service capability access module, average processing time delay of the E-SO service arrangement module, average processing time delay of the M-SO operation management arrangement module and average processing time delay of the BUS-SO message BUS module.
Based on any of the above embodiments, a communication capability opening anomaly detection apparatus, a reconfiguration parameter subunit, specifically includes:
The encoding module is used for inputting the operation parameters to an encoder of the self-encoding neural network and outputting the characteristic vectors of the operation parameters; the encoder is used for compressing and reducing the dimension of the operation parameters;
The decoding module is used for inputting the characteristic vector to a decoder of the self-coding neural network and outputting a reconstruction parameter corresponding to the operation parameter; the decoder is used for restoring and reconstructing the characteristic vector.
Based on any of the above embodiments, an apparatus for detecting communication capability openness abnormality, the abnormality detecting unit 601 further includes:
And the threshold acquisition subunit is used for determining a preset threshold according to at least one of the accuracy, the recall rate and the F-Measure of the abnormality detection model.
Based on any of the above embodiments, an apparatus for detecting communication capability openness abnormality, the abnormality detecting unit 601 further includes:
The training subunit is used for training the self-coding neural network by taking the mean square error of the sample operation parameters and the sample reconstruction parameters output by the self-coding neural network as an objective function based on the sample operation parameters; the sample operation parameters are the operation parameters of the communication capacity open platform in a normal state.
based on any of the above embodiments, an apparatus for detecting communication capability openness abnormality, the abnormality detecting unit 601 further includes:
the sample standardization subunit is used for carrying out standardization processing on the sample operation parameters;
and the parameter standardization subunit is used for carrying out standardization processing on the operation parameters.
Fig. 7 is a schematic structural diagram of a communication capability opening anomaly detection device according to an embodiment of the present invention, and as shown in fig. 7, the device includes: a processor (processor)701, a communication Interface (Communications Interface)702, a memory (memory)703 and a bus 704, wherein the processor 701, the communication Interface 702 and the memory 703 complete communication with each other through the bus 704. The processor 701 may call logic instructions in the memory 703 to perform the following method: inputting the operation parameters of the communication capacity opening platform to be detected into an anomaly detection model, and outputting an anomaly detection result of the communication capacity opening platform to be detected; the operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained by training based on sample operation parameters.
An embodiment of the present invention discloses a computer program product, which includes a computer program stored on a non-transitory computer readable storage medium, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the method provided by the above method embodiments, for example, the method includes: inputting the operation parameters of the communication capacity opening platform to be detected into an anomaly detection model, and outputting an anomaly detection result of the communication capacity opening platform to be detected; the operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained by training based on sample operation parameters.
the present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the methods provided by the above method embodiments, for example, including: inputting the operation parameters of the communication capacity opening platform to be detected into an anomaly detection model, and outputting an anomaly detection result of the communication capacity opening platform to be detected; the operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained by training based on sample operation parameters.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
the above-described embodiments of the communication device and the like are merely illustrative, and units illustrated as separate components may or may not be physically separate, and components displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods of the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention, and are not limited thereto; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A communication capability opening abnormality detection method is characterized by comprising the following steps:
Inputting the operation parameters of the communication capacity opening platform to be detected into an anomaly detection model, and outputting an anomaly detection result of the communication capacity opening platform to be detected;
The operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained based on sample operation parameter training.
2. the method according to claim 1, wherein the inputting the operation parameters of the communication capability open platform to be detected into the anomaly detection model and outputting the anomaly detection result of the communication capability open platform to be detected specifically comprises:
Inputting the operation parameters into a self-coding neural network of the anomaly detection model, and outputting reconstruction parameters corresponding to the operation parameters;
Calculating a reconstruction error between the operating parameter and the reconstruction parameter;
And if the reconstruction error is larger than a preset threshold value, setting the abnormal detection result of the communication capacity open platform to be detected as abnormal.
3. The method of claim 1, wherein the API call data includes at least one of an API total call amount, an API call failure amount, an API call success rate, an API call maximum response delay, and an API call minimum response delay;
The concurrent transaction data comprises a peak concurrent transaction number and/or an average concurrent transaction number;
The module time delay data comprises at least one of average time delay of a south-oriented component, average time delay of a north-oriented component, average processing time delay of an E-SA service capability access module, average processing time delay of an E-SO service arrangement module, average processing time delay of an M-SO operation management arrangement module and average processing time delay of a BUS-SO message BUS module.
4. the method according to claim 2, wherein the inputting the operation parameters into a self-coding neural network of the anomaly detection model and outputting reconstruction parameters corresponding to the operation parameters specifically comprises:
Inputting the operation parameters to an encoder of the self-coding neural network, and outputting the feature vectors of the operation parameters; the encoder is used for carrying out compression dimensionality reduction on the operation parameters;
inputting the feature vector to a decoder of the self-coding neural network, and outputting a reconstruction parameter corresponding to the operation parameter; the decoder is used for restoring and reconstructing the characteristic vector.
5. The method according to claim 2, wherein if the reconstruction error is greater than a preset threshold, the setting of the abnormal detection result of the to-be-detected communication capability open platform as abnormal further comprises:
and determining the preset threshold according to at least one of the precision, the recall rate and the F-Measure of the abnormality detection model.
6. The method according to claim 2, wherein the inputting the operation parameters of the communication capability open platform to be detected into the anomaly detection model and outputting the anomaly detection result of the communication capability open platform to be detected further comprises:
based on the sample operation parameters, training the self-coding neural network by taking the mean square error of the sample operation parameters and sample reconstruction parameters output by the self-coding neural network as an objective function; the sample operation parameters are the operation parameters of the communication capacity open platform in a normal state.
7. The method of claim 6, wherein the training the self-coding neural network based on the sample operation parameters and a mean square error of a sample reconstruction parameter output by the self-coding neural network as an objective function further comprises:
carrying out standardization processing on the sample operation parameters;
Correspondingly, the inputting the operation parameters of the communication capability open platform to be detected into the anomaly detection model and outputting the anomaly detection result of the communication capability open platform to be detected also includes:
and carrying out standardization processing on the operation parameters.
8. An open communication capability abnormality detection device, comprising:
The anomaly detection unit is used for inputting the operation parameters of the communication capacity opening platform to be detected into the anomaly detection model and outputting the anomaly detection result of the communication capacity opening platform to be detected;
the operation parameters comprise at least one of API call data, concurrent transaction data and module delay data; the anomaly detection model is obtained based on sample operation parameter training.
9. A communication capability open anomaly detection device, comprising a processor, a communication interface, a memory and a bus, wherein the processor, the communication interface and the memory communicate with each other through the bus, and the processor can call logic instructions in the memory to execute the communication capability open anomaly detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the communication capability opening abnormality detection method according to any one of claims 1 to 7.
CN201810595921.5A 2018-06-11 2018-06-11 communication capability opening abnormity detection method and device Pending CN110581834A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810595921.5A CN110581834A (en) 2018-06-11 2018-06-11 communication capability opening abnormity detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810595921.5A CN110581834A (en) 2018-06-11 2018-06-11 communication capability opening abnormity detection method and device

Publications (1)

Publication Number Publication Date
CN110581834A true CN110581834A (en) 2019-12-17

Family

ID=68810309

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810595921.5A Pending CN110581834A (en) 2018-06-11 2018-06-11 communication capability opening abnormity detection method and device

Country Status (1)

Country Link
CN (1) CN110581834A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111367781A (en) * 2020-05-26 2020-07-03 浙江大学 Instance processing method and device
CN112148577A (en) * 2020-10-09 2020-12-29 平安科技(深圳)有限公司 Data anomaly detection method and device, electronic equipment and storage medium
CN112364939A (en) * 2020-12-04 2021-02-12 中信银行股份有限公司 Abnormal value detection method, device, equipment and storage medium
CN112491806A (en) * 2020-11-04 2021-03-12 深圳供电局有限公司 Cloud platform flow security analysis system and method
CN113468519A (en) * 2020-03-30 2021-10-01 ***通信集团浙江有限公司 Plug-in operation identification method, device and equipment
CN113625681A (en) * 2021-07-19 2021-11-09 湖南大学 CAN bus abnormality detection method, system and storage medium
US20220167188A1 (en) * 2020-11-23 2022-05-26 Verizon Patent And Licensing Inc. Systems and methods for autonomous network management using deep reinforcement learning

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105160310A (en) * 2015-08-25 2015-12-16 西安电子科技大学 3D (three-dimensional) convolutional neural network based human body behavior recognition method
CN106447039A (en) * 2016-09-28 2017-02-22 西安交通大学 Non-supervision feature extraction method based on self-coding neural network
US20180039861A1 (en) * 2016-08-03 2018-02-08 Canon Kabushiki Kaisha Information processing apparatus, information processing method, and storage medium
CN107798243A (en) * 2017-11-25 2018-03-13 国网河南省电力公司电力科学研究院 The detection method and device of terminal applies
CN107886091A (en) * 2017-12-19 2018-04-06 南京航空航天大学 A kind of mechanical breakdown fast diagnosis method based on deep neural network
CN107967941A (en) * 2017-11-24 2018-04-27 中南大学 A kind of unmanned plane health monitoring method and system based on intelligent vision reconstruct

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105160310A (en) * 2015-08-25 2015-12-16 西安电子科技大学 3D (three-dimensional) convolutional neural network based human body behavior recognition method
US20180039861A1 (en) * 2016-08-03 2018-02-08 Canon Kabushiki Kaisha Information processing apparatus, information processing method, and storage medium
CN106447039A (en) * 2016-09-28 2017-02-22 西安交通大学 Non-supervision feature extraction method based on self-coding neural network
CN107967941A (en) * 2017-11-24 2018-04-27 中南大学 A kind of unmanned plane health monitoring method and system based on intelligent vision reconstruct
CN107798243A (en) * 2017-11-25 2018-03-13 国网河南省电力公司电力科学研究院 The detection method and device of terminal applies
CN107886091A (en) * 2017-12-19 2018-04-06 南京航空航天大学 A kind of mechanical breakdown fast diagnosis method based on deep neural network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
AN J,CHO S: "Variational Autoencoder based Anomaly Detection using Reconstruction Probability", 《2015-2 SPECIAL LECTURE ON IE》 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113468519A (en) * 2020-03-30 2021-10-01 ***通信集团浙江有限公司 Plug-in operation identification method, device and equipment
CN111367781A (en) * 2020-05-26 2020-07-03 浙江大学 Instance processing method and device
CN112148577A (en) * 2020-10-09 2020-12-29 平安科技(深圳)有限公司 Data anomaly detection method and device, electronic equipment and storage medium
CN112148577B (en) * 2020-10-09 2024-05-07 平安科技(深圳)有限公司 Data anomaly detection method and device, electronic equipment and storage medium
CN112491806A (en) * 2020-11-04 2021-03-12 深圳供电局有限公司 Cloud platform flow security analysis system and method
US20220167188A1 (en) * 2020-11-23 2022-05-26 Verizon Patent And Licensing Inc. Systems and methods for autonomous network management using deep reinforcement learning
US11601830B2 (en) * 2020-11-23 2023-03-07 Verizon Patent And Licensing Inc. Systems and methods for autonomous network management using deep reinforcement learning
US11985527B2 (en) 2020-11-23 2024-05-14 Verizon Patent And Licensing Inc. Systems and methods for autonomous network management using deep reinforcement learning
CN112364939A (en) * 2020-12-04 2021-02-12 中信银行股份有限公司 Abnormal value detection method, device, equipment and storage medium
CN113625681A (en) * 2021-07-19 2021-11-09 湖南大学 CAN bus abnormality detection method, system and storage medium
CN113625681B (en) * 2021-07-19 2022-12-13 湖南大学 CAN bus abnormality detection method, system and storage medium

Similar Documents

Publication Publication Date Title
CN110581834A (en) communication capability opening abnormity detection method and device
CN111124840B (en) Method and device for predicting alarm in business operation and maintenance and electronic equipment
JP7242101B2 (en) Engine surge failure prediction system and method based on fusion neural network model
US20220255817A1 (en) Machine learning-based vnf anomaly detection system and method for virtual network management
CN111242171B (en) Model training and diagnosis prediction method and device for network faults and electronic equipment
CN111091278B (en) Edge detection model construction method and device for mechanical equipment anomaly detection
CN110858812B (en) Network element cutover and watching method and device
WO2022001125A1 (en) Method, system and device for predicting storage failure in storage system
CN113705981B (en) Big data based anomaly monitoring method and device
CN115145812B (en) Test case generation method and device, electronic equipment and storage medium
WO2023169274A1 (en) Data processing method and device, and storage medium and processor
CN113240510B (en) Abnormal user prediction method, device, equipment and storage medium
CN114490065A (en) Load prediction method, device and equipment
US20220415046A1 (en) Method for determining video coding test sequence, electronic device and computer storage medium
CN116090544A (en) Compression method, training method, processing method and device of neural network model
CN113221104A (en) User abnormal behavior detection method and user behavior reconstruction model training method
US11863398B2 (en) Centralized management of distributed data sources
CN110855474B (en) Network feature extraction method, device, equipment and storage medium of KQI data
CN115603955B (en) Abnormal access object identification method, device, equipment and medium
CN116155541A (en) Automatic machine learning platform and method for network security application
CN116258167A (en) Data detection method, device, electronic equipment and medium
CN114548307A (en) Classification model training method and device, and classification method and device
CN110838925B (en) High-risk network element operation instruction identification method and device
KR20230087268A (en) Method for operating credit scoring model using autoencoder
CN113676377A (en) Online user number evaluation method, device, equipment and medium based on big data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20191217