CN113315747A - Computer network anomaly detection method - Google Patents

Abstract

The invention relates to the technical field of computers, in particular to a computer network anomaly detection method, which comprises the following steps: s1, preprocessing, S2, zero averaging, S3, fitting an AR model, S4, detecting abnormity, establishing a normal behavior mode of flow through a variance analysis method, eliminating the influence of work and rest time on network flow, establishing an AR (2) model in a sliding window, and detecting abnormity in the form of the sliding window.

Description

Computer network anomaly detection method

Technical Field

The invention relates to the technical field of computers, in particular to a computer network anomaly detection method.

Background

With the rapid development of computer networks, there are increasing network threats and other network-related problems, such as network attacks, data theft, viruses, worms, malicious port scanning activities, etc., which are more quickly applied, faster in change rate, and more complex. Currently, despite peripheral defense, cyber threats are directly submerged through a computer network, and thus many threat detection tools have emerged, and thus a computer network anomaly detection method has been proposed.

Disclosure of Invention

The present invention is directed to a method for detecting network anomaly in a computer, so as to solve the problems mentioned in the background art.

In order to achieve the purpose, the invention provides the following technical scheme:

a computer network anomaly detection method comprises the following steps:

s1, preProcessing, collecting network force data with time of 8 weeks in advance, collecting data with interval time of 5min, 5 working days per week (not considering rest days), 24h per day, taking week as unit, averaging the data of 8 weeks, deleting some bad values due to influence of uncertain factors, and eliminating bad values according to Grabbs criterion, specifically, if the network force data is collected in advance for 8 weeks, specifically, if the network force data is collected in 5 working days per week (not considering rest days), the network force data is collected in 24 hours per day, taking week as unit, the data of 8 weeks is averaged, and the bad values are eliminated according to Grabbs criterion

Denotes x₁， x₂，……x₈V represents their standard deviation, i.e.

If x_iSatisfy | x_i|＞kv，

X is then_iFor bad value, it should be eliminated and used x₁，x₂，……x₈Wherein k is a grabbs criterion coefficient, k corresponding to a confidence interval of 95% being 2.03;

the 1440 data obtained above are the average of 8-week-history data and can be represented as S_ij(j 1,2,3, 4, 5; i 1,2, … …, 288), which is called the normal behavior pattern of the flow parameter at the ith moment of the jth working day of a week, and intuitively considered that if the current observation value has a significant deviation from the current observation value, the current observation value is considered as abnormal;

the overall mean of the observations over the week is denoted by μ, α i represents the deviation of the mean from the overall mean μ at the ith time of day, β j is the deviation of the mean from the overall mean μ on the jth day of the week, i.e.

Then

Then observing the value S for each time_ijDecomposing S as follows_ijDivided into four parts, i.e.

s_ij＝μ+αi+βj+y_ij，

That is, y_ij＝s_ij-μ-αi-βj。

I.e. converting the original observation sequence into y_ijThe conditions of different working days and different time of the same day when the network is used are greatly different, and the influence of different working days in a week and different time of each day can be all observed from the original observed value S through the processing_ijWhere similarly, for those networks that are constantly changing, the converted sequence y is represented for ease of representation_ijArranged in chronological order, denoted as y_iIn practical applications, μ, α i (i ═ 1,2, …, 288), β j (j ═ 1,2,3, 4, 5) can be updated once a week.

S2, zero-averaging, for sliding window zero-averaging, although the observed value sequence of the network flow is not stable in general, we can regard its local part as statistically approximate stability, the local part is taken as a sliding time window, the window size is set as N +1, each time, N +1 number is taken out, the N +1 number of the sliding window is expressed as y₁,y₂...,y_N,y_N+1Establishing an Autoregressive (AR) model by using the first N numbers to judge whether the (N + 1) th number is abnormal (in real-time application, a time window is continuously slid once); to establish an AR model, the first N numbers are zero-averaged, and

denotes y₁,y₂...,y_NAverage value of (i), i.e.

Then x₁,x₂,...x_N,x_N+1Is a zero mean time series.

S3, fitting the AR model, and firstly selecting a proper model order rho due to the observation value sequence { x_iGenerally speaking, t (1, 2,3, …) is unstable, but it is assumed that the sliding time window is approximately stable, so the size N of the window should not be too large, on the other hand, when the autoregressive model AR (ρ) fits the time series, its accuracy can be measured by Akaike's FPE (final Prediction error), and the order ρ of the AR corresponding to the minimum FPE is the best model order, but there is a constraint condition about N and ρ: p is more than or equal to 0 and less than or equal to 0.1N.

Further, since the order of the autoregressive model AR (ρ) is too large, which results in a large amount of calculation, and since real-time detection is desired, an excessively large value of ρ should not be selected, the second-order autoregressive model AR (2) and N satisfying the above condition are generally taken as 20 in our algorithm.

By time series x₁,x₂,...x_N,x_NFitting a second order auto-regressive model AR (2) has a linear formula calculated directly the model of AR (2) is:

here, the

And

coefficient representing AR (2), e_tIs white noise which is a Gaussian random variable with independent and same distribution, the mean value is zero, and the variance is

By x₁,x₂,...x_NTo estimate the parameters of AR (2) model

i is 1,2 and

the specific calculation process is given as follows

T represents the transpose of the matrix, then the coefficients

The following estimate is given:

white noise e_tVariance of (2)

Is composed of

Furthermore, it is possible to provide a liquid crystal display device,

the above equations (1) and (2) are the estimation of the AR (2) parameter, and as can be seen from the above equations, the AR (2) parameter can be obtained from the linear estimation of the time series data.

S4, abnormality detection, and in the last step, detection is performed by using an AR (2) model, wherein the AR (2) model is,

namely, it is

If B is a step-back operator, i.e. x_t-1As long as Bxt is satisfied,

wherein the content of the first and second substances,

thus, it is possible to provide

Order to

And define

Preferably, the S4 sigma²Is a residual e representing N corresponding residuals backward from the current time in the time series_tMean of the sum of squares, λ represents the residual to σ ratio of the current observation, then λ is taken as the detection x_N+1Whether the measurement is abnormal; when lambda is<-L or λ>When U is, x_N+1Are outliers where L and U are preset constants greater than zero>The condition of U means that the abnormal value is larger than the normal value, and the size of the statistic lambda marks the deviation of the abnormal point from the normal value, namely, the larger lambda is, the larger the deviation of the abnormal value from the normal range is; for lambda<The case of-L means that the abnormal value is smaller than the normal value, and the smaller λ indicates that the abnormal value deviates from the normal range.

The invention establishes a normal behavior mode of flow through a variance analysis method, eliminates the influence of work and rest time on network flow, establishes an AR (2) model in a sliding window, detects abnormity in the form of the sliding window, applies the algorithm to the detection of non-unicast packet number in an actual network, detects broadcast data generated by experiments in the network, also applies to the detection of 3 different flow parameter abnormity in a simulation experiment network, detects the abnormity of flow when a server fails, and has high detection rate.

Detailed Description

The technical solutions in the embodiments of the present invention will be described below clearly and completely with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, rather than all embodiments, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts based on the embodiments of the present invention belong to the protection scope of the present invention.

The invention provides a technical scheme that:

a computer network anomaly detection method comprises the following steps:

s1, preprocessing, collecting network force data with 8 weeks in advance, averaging the data of the 8 weeks with the interval time of 5min, 5 working days per week (without considering rest days) and 24h per day in units of weeks, deleting some bad values due to the influence of uncertain factors, and removing the bad values according to the Grabbs criterion, specifically, if the bad values are not deleted, the network force data is collected in advance for 8 weeks

Denotes x₁， x₂，……x₈V represents their standard deviation, i.e.

If x_iSatisfy | x_i|＞kv，

X is then_iFor bad value, it should be eliminated and used x₁，x₂，……x₈Wherein k is a grabbs criterion coefficient, k corresponding to a confidence interval of 95% being 2.03;

the 1440 data obtained above are the average of 8-week-history data and can be represented as S_ij(j 1,2,3, 4, 5; i 1,2, … …, 288), which is called the normal behavior pattern of the flow parameter at the ith moment of the jth working day of a week, and intuitively considered that if the current observation value has a significant deviation from the current observation value, the current observation value is considered as abnormal;

the overall mean of the observations over the week is denoted by μ, α i represents the deviation of the mean from the overall mean μ at the ith time of day, β j is the deviation of the mean from the overall mean μ on the jth day of the week, i.e.

Then

Then observing the value S for each time_ijDecomposing S as follows_ijDivided into four parts, i.e.

s_ij＝μ+αi+βj+y_ij，

That is, y_ij＝s_ij-μ-αi-βj。

I.e. converting the original observation sequence into y_ijDifferent toolsThe conditions of the network used at different working days and different moments of the same day are greatly different, and the influences of the different working days in the same week and the different moments of the day are all observed from the original observed value S through the processing_ijWhere similarly, for those networks that are constantly changing, the converted sequence y is represented for ease of representation_ijArranged in chronological order, denoted as y_iIn practical applications, μ, α i (i ═ 1,2, …, 288), β j (j ═ 1,2,3, 4, 5) can be updated once a week.

S2, zero-averaging, for sliding window zero-averaging, although the observed value sequence of the network flow is not stable in general, we can regard its local part as statistically approximate stability, the local part is taken as a sliding time window, the window size is set as N +1, each time, N +1 number is taken out, the N +1 number of the sliding window is expressed as y₁,y₂...,y_N,y_N+1Establishing an Autoregressive (AR) model by using the first N numbers to judge whether the (N + 1) th number is abnormal (in real-time application, a time window is continuously slid once); to establish an AR model, the first N numbers are zero-averaged, and

denotes y₁,y₂...,y_NAverage value of (i), i.e.

Then x₁,x₂,...x_N,x_N+1Is a zero mean time series.

S3, fitting the AR model, and firstly selecting a proper model order rho due to the observation value sequence { x_iGenerally speaking, but assuming that the sliding time window is approximately stationary, the window size N should not be too large, but on the other hand, when the autoregressive model AR (ρ) fits the time series, it is accurateThe performance can be measured by Akaike's FPE (final Prediction error), and the order p of AR corresponding to the minimum FPE is the optimal model order, but there are constraints on N and p: p is more than or equal to 0 and less than or equal to 0.1N.

Further, since the order of the autoregressive model AR (ρ) is too large, which results in a large amount of calculation, and since real-time detection is desired, an excessively large value of ρ should not be selected, the second-order autoregressive model AR (2) and N satisfying the above condition are generally taken as 20 in our algorithm.

By time series x₁,x₂,...x_N,x_NFitting a second order auto-regressive model AR (2) has a linear formula calculated directly the model of AR (2) is:

here, the

And

coefficient representing AR (2), e_tIs white noise which is a Gaussian random variable with independent and same distribution, the mean value is zero, and the variance is

By x₁,x₂,...x_NTo estimate the parameters of AR (2) model

i is 1,2 and

the specific calculation process is given as follows

T represents the transpose of the matrix, then the coefficients

The following estimate is given:

white noise e_tVariance of (2)

Is composed of

Furthermore, it is possible to provide a liquid crystal display device,

the above equations (1) and (2) are the estimation of the AR (2) parameter, and as can be seen from the above equations, the AR (2) parameter can be obtained from the linear estimation of the time series data.

S4, abnormality detection, and in the last step, detection is performed by using an AR (2) model, wherein the AR (2) model is,

namely, it is

If B is a step-back operator, i.e. x_t-1As long as Bxt is satisfied,

wherein the content of the first and second substances,

thus, it is possible to provide

Order to

And define

The S4 sigma²Is a residual e representing N corresponding residuals backward from the current time in the time series_tMean of the sum of squares, λ represents the residual to σ ratio of the current observation, then λ is taken as the detection x_N+1Whether the measurement is abnormal; when lambda is<-L or λ>When U is, x_N+1Are outliers where L and U are preset constants greater than zero>The condition of U means that the abnormal value is larger than the normal value, and the size of the statistic lambda marks the size of the abnormal point deviating from the normal value, namely, the larger lambda is, the larger the abnormal value deviates from the normal range is; for lambda<The case of-L means that the abnormal value is smaller than the normal value, and the smaller λ indicates the larger the abnormal value deviates from the normal range.

Example (b): preprocessing, collecting network force data with time of 8 weeks in advance, collecting data with interval time of 5min, and working 5 times per weekAveraging the data of 8 weeks every day (without considering rest day) 24h every day in week, deleting some bad values due to uncertain factors, and eliminating the bad values according to Grabbs criterion, specifically, if the bad values are not deleted

Denotes x₁，x₂，……x₈V represents their standard deviation, i.e.

If x_iSatisfy | x_i|＞kv，

X is then_iFor bad value, it should be eliminated and used x₁，x₂，……x₈Wherein k is a grabbs criterion coefficient, k corresponding to a confidence interval of 95% being 2.03;

the 1440 data obtained above are the average of 8-week-history data and can be represented as S_ij(j 1,2,3, 4, 5; i 1,2, … …, 288), which is called the normal behavior pattern of the flow parameter at the ith moment of the jth working day of a week, and intuitively considered that if the current observation value has a significant deviation from the current observation value, the current observation value is considered as abnormal;

the overall mean of the observations over the week is denoted by μ, α i represents the deviation of the mean from the overall mean μ at the ith time of day, β j is the deviation of the mean from the overall mean μ on the jth day of the week, i.e.

Then

Then observing the value S for each time_ijIs carried out as followsLower decomposition, S_ijDivided into four parts, i.e.

s_ij＝μ+αi+βj+y_ij，

That is, y_ij＝s_ij-μ-αi-βj。

I.e. converting the original observation sequence into y_ijThe conditions of different working days and different time of the same day when the network is used are greatly different, and the influence of different working days in a week and different time of each day can be all observed from the original observed value S through the processing_ijWhere similarly, for those networks that are constantly changing, the converted sequence y is represented for ease of representation_ijArranged in chronological order, denoted as y_iIn practical applications, μ, α i (i ═ 1,2, …, 288), β j (j ═ 1,2,3, 4, 5) can be updated once a week.

Zero-averaging, for sliding window zero-averaging, although the observed value sequence of the network traffic is not stable as a whole, we can regard its local part as a statistically approximate stability, the local part is taken as a sliding time window, the window size is set to N +1, N +1 numbers are taken out each time, the N +1 numbers of the sliding window are represented as y₁,y₂...,y_N,y_N+1Establishing an auto-regression (AR) model by using the first N numbers to judge whether the (N + 1) th number is abnormal (in the real-time application, the time window is continuously slid forward once); to establish the AR model, the first N numbers are zero-averaged, and

denotes y₁,y₂...,y_NAverage value of (i), i.e.

Then x₁,x₂,...x_N,x_N+1Is a zero mean time series.

Fitting the AR model by first selecting the appropriate model order ρ due to the observation sequence { x }_iGenerally speaking, t (1, 2,3, …) is unstable, but it is assumed that the sliding time window is approximately stable, so the size N of the window should not be too large, on the other hand, when the autoregressive model AR (ρ) fits the time series, its accuracy can be measured by Akaike's FPE (final Prediction error), and the order ρ of the AR corresponding to the minimum FPE is the best model order, but there is a constraint condition about N and ρ: p is more than or equal to 0 and less than or equal to 0.1N.

Further, since the order of the autoregressive model AR (ρ) is too large, which results in a large amount of calculation, and since real-time detection is desired, an excessively large value of ρ should not be selected, the second-order autoregressive model AR (2) and N satisfying the above condition are generally taken as 20 in our algorithm.

By time series x₁,x₂,...x_N,x_NFitting a second order auto-regressive model AR (2) has a linear formula calculated directly the model of AR (2) is:

here, the

And

coefficient representing AR (2), e_tIs white noise which is a Gaussian random variable with independent and same distribution, the mean value is zero, and the variance is

By x₁,x₂,...x_NTo estimate the parameters of AR (2) model

i is 1,2 and

the specific calculation process is given as follows

T represents the transpose of the matrix, then the coefficients

The following estimate is given:

white noise e_tVariance of (2)

Is composed of

Furthermore, it is possible to provide a liquid crystal display device,

the above equations (1) and (2) are the estimation of the AR (2) parameter, and as can be seen from the above equations, the AR (2) parameter can be obtained from the linear estimation of the time series data.

S4, abnormality detection, and in the last step, detection is performed by using an AR (2) model, wherein the AR (2) model is,

namely, it is

If B is a step-back operator, i.e. x_t-1As long as Bxt is satisfied,

wherein the content of the first and second substances,

thus, it is possible to provide

Order to

And define

S4σ²Is a residual e representing N corresponding residuals backward from the current time in the time series_tSum of squares

When lambda is<-L or λ>When U is, x_N+1Are outliers where L and U are preset constants greater than zero>The case of U means that the abnormal value is larger than the normal value, and the magnitude of the statistic λ indicates the magnitude of the abnormal point deviating from the normal range, that is, the larger λ is, the more the abnormal value deviates from the normal rangeLarge; for lambda<The case of-L means that the abnormal value is smaller than the normal value, and the smaller λ indicates the larger the abnormal value deviates from the normal range.

The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art should be considered to be within the scope of the present invention, and the technical solutions and the inventive concepts of the present invention are equivalent to or changed within the technical scope of the present invention.

Claims (2)

1. A computer network anomaly detection method is characterized by comprising the following steps:

s1, preprocessing, collecting network force data with time of 8 weeks in advance, averaging the data of 8 weeks with the interval time of 5min, 5 working days per week (without considering rest days) and 24h per day in units of weeks, deleting some bad values due to influence of uncertain factors, and removing the bad values according to the Grabbs criterion, specifically, if the network force data is collected in advance for 8 weeks

Denotes x₁，x₂，……x₈V represents their standard deviation, i.e.

If x_iSatisfy | x_i|＞kv，

X is then_iFor bad value, it should be eliminated and used x₁，x₂，……x₈Wherein k is a grabbs criterion coefficient, k corresponding to a confidence interval of 95% being 2.03;

the 1440 data obtained above were the average of 8-week-history data and can be expressedIs S_ij(j 1,2,3, 4, 5; i 1,2, … …, 288), which is called the normal behavior pattern of the flow parameter at the ith moment of the jth working day of the week, and intuitively considers that if the current observation value has a significant deviation from the current observation value, the current observation value is considered as abnormal;

the overall mean of the observations over the week is denoted by μ, α i represents the deviation of the mean from the overall mean μ at the ith time of day, β j is the deviation of the mean from the overall mean μ on the jth day of the week, i.e.

Then

∑_jβj＝0，

Then observing the value S for each time_ijDecomposing S as follows_ijDivided into four parts, i.e.

s_ij＝μ+αi+βj+y_ij，

That is, y_ij＝s_ij-μ-αi-βj。

I.e. converting the original observation sequence into y_ijThe conditions of the networks used on different working days and at different times of the same day are greatly different, and the influences of the different working days in a week and the different times of the day are all obtained from the original observed value S through the processing_ijWhere similarly, for those networks that are constantly changing, the converted sequence y is represented for ease of representation_ijArranged in chronological order, denoted as y_iIn practical applications, μ, α i (i ═ 1,2, …, 288), β j (j ═ 1,2,3, 4, 5) can be updated once a week.

S2, zero-averaging, for sliding window zero-averaging, although the observed sequence of network traffic is not stationary in general, we can consider its local part as a statistically similar stationary partMaking a sliding time window, setting the size of the window as N +1, taking out N +1 numbers each time, and expressing the N +1 number of the sliding window as y₁,y₂...,y_N,y_N+1Establishing an Autoregressive (AR) model by using the first N numbers to judge whether the (N + 1) th number is abnormal (in the real-time application, the time window is continuously slid once); to establish the AR model, the first N numbers are zero-averaged, and

denotes y₁,y₂...,y_NAverage value of (i), i.e.

Then x₁,x₂,...x_N,x_N+1Is a zero mean time series.

S3, fitting the AR model, and firstly selecting a proper model order rho due to the observation value sequence { x }_iGenerally speaking, t (1, 2,3, …) is unstable, but it is assumed that the sliding time window is approximately stable, so the size N of the window should not be too large, on the other hand, when the autoregressive model AR (ρ) fits the time series, its accuracy can be measured by Akaike's FPE (final Prediction error), and the order ρ of AR corresponding to the minimum FPE is the optimal model order, but there are constraints on N and ρ: p is more than or equal to 0 and less than or equal to 0.1N.

Further, since the order of the autoregressive model AR (ρ) is too large, which results in a large amount of calculation, and since real-time detection is desired, an excessively large value of ρ should not be selected, the second-order autoregressive model AR (2) commonly used and N satisfying the above condition are taken as 20 in our algorithm.

By time series x₁,x₂,...x_N,x_NFitting a second order auto-regressive model AR (2) has a linear formula that is calculated directly, the model of AR (2) is:

here, the

And

coefficient representing AR (2), e_tIs white noise which is an independent and identically distributed Gaussian random variable with a mean value of zero and a variance of

By x₁,x₂,...x_NTo estimate the parameters of AR (2) model

And

the specific calculation process is given as follows

T represents the transpose of the matrix, then the coefficients

The following estimate is given:

white noise e_tVariance of (2)

Is composed of

Furthermore, it is possible to provide a liquid crystal display device,

the above equations (1) and (2) are the estimation of the AR (2) parameter, and it can be seen from the above equations that the AR (2) parameter can be obtained from the linear estimation of the time series data.

S4, abnormality detection, and in the last step, detection is performed by using an AR (2) model, wherein the AR (2) model is,

namely, it is

If B is a step-back operator, i.e. x_t-1As long as Bxt is satisfied,

wherein the content of the first and second substances,

thus, it is possible to provide

Order to

And define

2. The method according to claim 1, wherein said S4 σ is detected²Is a residual e representing N corresponding residuals backward from the current time in the time series_tMean of the sum of squares, λ represents the residual to σ ratio of the current observation, then λ is taken as the detection x_N+1Whether the measurement is abnormal; when lambda is<-L or λ>When U is, x_N+1Are outliers where L and U are preset constants greater than zero>The condition of U means that the abnormal value is larger than the normal value, and the size of the statistic lambda marks the deviation of the abnormal point from the normal value, namely, the larger lambda is, the larger the deviation of the abnormal value from the normal range is; for lambda<The case of-L means that the abnormal value is smaller than the normal value, and the smaller λ indicates the larger the abnormal value deviates from the normal range.