CN-120342685-B - Space-time factor driven complex network anomaly detection method, device and medium
Abstract
The invention discloses a space-time factor driven complex network anomaly detection method, device and medium, and relates to the technical field of complex network analysis and network security. The method comprises: constructing a network security industry chain network; encoding time features and space neighborhood features based on a time decay function to obtain space-time factors; calculating dynamic relation weights according to the space-time factors; sampling with a time-series sliding window and performing contrast learning to obtain the feature vectors of all nodes; determining the node-level feature deviation of each node based on its feature vector; calculating the score of each node based on its node-level feature deviation, structure evolution rate and cross-network alignment anomaly degree; and, based on a dynamically set score threshold, determining that a node exhibits abnormal behavior if its score exceeds the threshold. The invention can improve the accuracy of complex network anomaly detection.
Inventors
- LIU YANFEI
- WANG WENJUN
- WANG JUN
Assignees
- Tianjin University (天津大学)
Dates
- Publication Date: 20260512
- Application Date: 20250417
Claims (10)
- 1. A method for detecting anomalies in a complex network driven by a space-time factor, the method comprising: constructing a network security industry chain network, wherein the network security industry chain network is represented as $G=(V, E_T, A_S)$, $V$ is a node set and comprises a plurality of nodes, each node respectively represents one entity in an industry chain, $E_T$ is a temporal edge set and is used for describing dynamic interaction relations among the nodes, $E_T=\{E_{supply}, E_{compete}, E_{coop}\}\times T$, where $E_{supply}$, $E_{compete}$ and $E_{coop}$ respectively represent a supply relation, a competition relation and a cooperation relation, $T$ represents a timestamp set, $A_S$ is a space-time attribute matrix, $A_S=(X_t, S_k)$, $X_t\in\mathbb{R}^{n\times d}$ represents a time feature, $n$ and $d$ represent dimensions, $\mathbb{R}$ represents a real space, $S_k=A^k\cdot X$ represents a k-order space neighborhood feature, $A$ represents an adjacency matrix, $k$ represents an order, $X$ represents a node feature, $A^k$ represents that k times of graph convolution operation is performed, the time feature is used for recording dynamic behavior indexes of each node, the space neighborhood feature is used for capturing topological association of the industry chain network, and the weight of the supply relation, the competition relation and the cooperation relation is determined through the adjacency matrix; encoding the time feature and the space neighborhood feature based on a time decay function to obtain a space-time factor, and calculating a dynamic relation weight according to the space-time factor, wherein the dynamic relation weight is used for quantifying abnormal contribution degrees of different types of temporal edges; based on time sequence sliding window sampling, extracting network states containing $\tau$ time steps from the network security industry chain network; extracting feature vectors of the same node in different time windows as positive samples and feature vectors of different nodes in the same time windows as negative samples based on the network state containing $\tau$ time steps, wherein the feature vectors are dynamic relation weights, and performing contrast learning on the positive samples and the negative samples based on a contrast loss function to obtain feature vectors of all nodes; determining node level feature deviation of each node based on the feature vector of each node, and calculating the score of each node based on the node level feature deviation, the structure evolution rate and the cross-network alignment anomaly degree of each node; and based on the dynamically set scoring threshold, if the score of the node exceeds the set scoring threshold, determining that the node has abnormal behavior.
- 2. The method for detecting anomalies in a complex network driven by a space-time factor according to claim 1, wherein the time features and the spatial neighborhood features are encoded based on a time decay function by the following formula to obtain the space-time factor: $Z=\sigma([X_t \,\|\, S_k]\cdot W_z + b_z)$, where $Z$ represents a space-time factor, $\|$ represents feature stitching, $W_z$ represents a weight matrix, $b_z$ represents a bias term, and $\sigma$ represents a time decay function.
- 3. The space-time factor driven complex network anomaly detection method of claim 2, wherein the time decay function is expressed as: $\sigma(t)=e^{-\lambda\Delta t}$, where $e$ represents a natural constant, $\Delta t$ represents a time interval, and $\lambda$ represents an attenuation coefficient.
- 4. The method for detecting anomalies in a complex network driven by a space-time factor according to claim 1, characterized in that, according to the space-time factor, dynamic relation weights are calculated by the following formula: $\alpha_{ij}=\mathrm{softmax}(\mathrm{LeakyReLU}(a^{T}[Z_i \,\|\, Z_j]))$, where $\alpha_{ij}$ represents the dynamic relationship weight of the i-th node and the j-th node, softmax represents the normalization operation, LeakyReLU represents the activation function, $Z_i$ and $Z_j$ represent the space-time factors of the i-th node and the j-th node, respectively, and $\|$ represents the feature concatenation.
- 5. The method of claim 1, wherein, based on time-series sliding window sampling, the network state containing $\tau$ time steps extracted from the network security industry chain network is denoted as $W_t=[G_{t-\tau}, G_{t-\tau+1}, \ldots, G_t]$, and wherein $G_{t-\tau}$, $G_{t-\tau+1}$ and $G_t$ represent the network states at time steps $t-\tau$, $t-\tau+1$ and $t$, respectively.
- 6. The space-time factor driven complex network anomaly detection method of claim 1, wherein the contrast loss function is expressed as: where $L_c$ denotes contrast loss, $e$ denotes natural constant, A negative sample is represented and is shown, Representing positive samples, sim represents similarity, $\tau$ is the sliding window length, $M$ is the number of negative samples, and $c_i$ is the feature vector of the i-th node.
- 7. The space-time factor driven complex network anomaly detection method of claim 6, wherein the score of each node is calculated based on node level feature deviation, structural evolution rate and cross-network alignment anomaly degree of each node by the following formula: $\mathrm{Score}(v_i)=\alpha\cdot\|c_i-\mu_W\|+\beta\cdot\Delta D(v_i)+\gamma\cdot\Phi(v_i)$, where $\mathrm{Score}(v_i)$ represents the score of node $v_i$; $\alpha$, $\beta$ and $\gamma$ represent the weights of the node-level feature deviation, the structural evolution rate and the cross-network alignment anomaly degree, respectively; $\|c_i-\mu_W\|$ represents the node level feature deviation; $\mu_W$ represents the sliding window feature mean; $\Delta D(v_i)$ represents the rate of temporal change of node degree centrality; and $\Phi(v_i)$ represents the cross-network alignment anomaly degree.
- 8. The space-time factor driven complex network anomaly detection method of claim 1, wherein the scoring threshold is dynamically set according to average score and standard deviation of nodes.
- 9. A space-time factor driven complex network anomaly detection device, the device comprising: a network construction module configured to construct a network security industry chain network, wherein the network security industry chain network is represented as $G=(V, E_T, A_S)$, $V$ is a node set and includes a plurality of nodes, each node represents an entity in an industry chain, $E_T$ is a temporal edge set and is used for describing a dynamic interaction relationship among nodes, $E_T=\{E_{supply}, E_{compete}, E_{coop}\}\times T$, where $E_{supply}$, $E_{compete}$ and $E_{coop}$ represent a supply relationship, a competition relationship and a collaboration relationship, $T$ represents a timestamp set, $A_S$ is a space-time attribute matrix, $A_S=(X_t, S_k)$, $X_t\in\mathbb{R}^{n\times d}$ represents a time feature, $n$ and $d$ represent dimensions, $\mathbb{R}$ represents a real space, $S_k=A^k\cdot X$ represents a k-order spatial neighborhood feature, $A$ represents an adjacency matrix, $k$ represents an order, $X$ represents a node feature, $A^k$ represents performing a k-order graph convolution operation, the temporal feature is used for recording a dynamic behavior index of each node, the spatial neighborhood feature is used for capturing a topological association of the industry chain network, and weights of the supply relationship, the competition relationship and the collaboration relationship are determined by the adjacency matrix; a dynamic relation weight calculation module configured to encode the time feature and the space neighborhood feature based on a time decay function to obtain a space-time factor, and calculate dynamic relation weights according to the space-time factor, wherein the dynamic relation weights are used for quantifying abnormal contribution degrees of different types of temporal edges; a time sequence sampling module configured to sample based on a time sequence sliding window, and extract network states containing $\tau$ time steps from the network security industry chain network; a contrast learning module configured to extract feature vectors of the same node in different time windows as positive samples and feature vectors of different nodes in the same time windows as negative samples based on the network state containing $\tau$ time steps, wherein the feature vectors are dynamic relation weights, and contrast learning is performed on the positive samples and the negative samples based on a contrast loss function to obtain feature vectors of all the nodes; a scoring calculation module configured to determine node level feature deviation of each node based on the feature vector of each node, and calculate the score of each node based on the node level feature deviation, the structure evolution rate and the cross-network alignment anomaly degree of each node; and an abnormal identification module configured to determine, based on the dynamically set scoring threshold value, that abnormal behaviors exist in the node if the score of the node exceeds the set scoring threshold value.
- 10. A non-transitory computer readable storage medium storing instructions which, when executed by a processor, perform the method of any one of claims 1 to 8.
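The scoring formula of claim 7 and the dynamic threshold of claim 8, worked through on a small graph as an added example that is not part of the patent text. Assumptions not stated in the claims: $\mu_W$ is taken as the mean of all node vectors in the window, $\Delta D$ as the absolute change in degree centrality per step, $\Phi$ as a supplied input, the threshold as mean plus k standard deviations, and all weights and sample data are constructed.

```python
import math
from statistics import mean, pstdev

# Constructed sample data (not from the patent): 6 entities, node 4 drifts.
N = 6
# c_i: stand-ins for the feature vectors produced by contrast learning.
FEATURES = [(0.10, 0.20), (0.12, 0.18), (0.09, 0.22),
            (0.11, 0.19), (0.90, 0.85), (0.10, 0.21)]
# Sliding window W_t as edge sets for G_{t-2}, G_{t-1}, G_t.
CHAIN = {(0, 1), (1, 2), (2, 3), (3, 4), (4, 5)}
WINDOW = [CHAIN, CHAIN | {(4, 0)}, CHAIN | {(4, 0), (4, 1), (4, 2)}]
# Phi(v_i): cross-network alignment anomaly, taken as a given input here.
PHI = [0.05, 0.04, 0.06, 0.05, 0.70, 0.05]

def degree_centrality(edges, i, n):
    """Degree of node i divided by the maximum possible degree n - 1."""
    return sum(1 for u, v in edges if i in (u, v)) / (n - 1)

def evolution_rate(window, i, n):
    """Delta-D(v_i): assumed to be |change in degree centrality| per step."""
    first = degree_centrality(window[0], i, n)
    last = degree_centrality(window[-1], i, n)
    return abs(last - first) / (len(window) - 1)

def node_scores(features, window, phi, alpha=0.5, beta=0.3, gamma=0.2):
    """Score(v_i) = alpha*||c_i - mu_W|| + beta*DeltaD(v_i) + gamma*Phi(v_i)."""
    n = len(features)
    # mu_W: assumed to be the mean of all node vectors in the window.
    mu_w = [mean(c[d] for c in features) for d in range(len(features[0]))]
    return [alpha * math.dist(c, mu_w)
            + beta * evolution_rate(window, i, n)
            + gamma * phi[i]
            for i, c in enumerate(features)]

def flag_anomalies(scores, k=1.5):
    """Threshold = mean + k*std of the scores (k is an assumed parameter)."""
    threshold = mean(scores) + k * pstdev(scores)
    return threshold, [i for i, s in enumerate(scores) if s > threshold]

if __name__ == "__main__":
    scores = node_scores(FEATURES, WINDOW, PHI)
    threshold, flagged = flag_anomalies(scores)
    for i, s in enumerate(scores):
        print(f"node {i}: score={s:.4f}{'  <-- anomalous' if i in flagged else ''}")
    print(f"threshold={threshold:.4f}")
```

Because the threshold is computed from the same scores it judges, an outlier raises both the mean and the standard deviation; with n nodes no score can sit more than sqrt(n - 1) population standard deviations above the mean, so k must stay below that bound for anything to be flagged.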
Description
Space-time factor driven complex network anomaly detection method, device and medium

Technical Field

The invention relates to the technical field of complex network analysis and network security, in particular to a space-time factor driven complex network anomaly detection method, device and medium.

Background

With the rapid development of the digital economy, the complexity and dynamics of industry chain networks grow exponentially. Traditional anomaly detection based on graph structure has obvious technical bottlenecks when dealing with modern industry chain networks. First, in space-time feature modeling, traditional methods rely on static topological structure analysis and cannot effectively fuse the time evolution rules and space distribution characteristics of the industry chain network, so there is a risk of misjudgment when identifying space-time coupled anomalies such as cross-regional industrial transfer and sudden supply chain breakage. Second, in network relation processing, traditional network alignment adopts a homogeneous edge-weight mechanism, which makes it difficult to accurately represent the heterogeneous characteristics of multi-modal relations such as competition, collaboration and supply among enterprises, and causes semantic distortion during cross-industry-chain knowledge migration. Furthermore, in dynamic behavior capture, mainstream static network analysis methods can only capture the instantaneous state of enterprise nodes and lack the ability to continuously track the dynamic evolution of node behavior patterns (such as cooperative relation reconstruction caused by strategic transformation, or demand changes caused by market fluctuation), resulting in insufficiently timely early warning of potential risks. These technical defects seriously restrict the intelligent upgrading of industry chain risk prevention and control systems.

Disclosure of Invention

In order to solve the above technical problems, the invention provides a space-time factor driven complex network anomaly detection method, device and medium, which improve the accuracy of complex network anomaly detection by considering the space-time evolution characteristics of the industry chain network, handling the heterogeneity of multidimensional relations (competition/collaboration/supply) and capturing the dynamic behavior patterns of enterprise nodes.

In a first aspect, the present invention provides a space-time factor driven complex network anomaly detection method, the method comprising: constructing a network security industry chain network, wherein the network security industry chain network is represented as $G=(V, E_T, A_S)$, $V$ is a node set and comprises a plurality of nodes, each node respectively represents one entity in an industry chain, $E_T$ is a temporal edge set and is used for describing dynamic interaction relations among the nodes, $E_T=\{E_{supply}, E_{compete}, E_{coop}\}\times T$, where $E_{supply}$, $E_{compete}$ and $E_{coop}$ respectively represent a supply relation, a competition relation and a cooperation relation, $T$ represents a timestamp set, $A_S$ is a space-time attribute matrix, $A_S=(X_t, S_k)$, $X_t\in\mathbb{R}^{n\times d}$ represents a time feature, $n$ and $d$ represent dimensions, $\mathbb{R}$ represents a real space, $S_k=A^k\cdot X$ represents a k-order space neighborhood feature, $A$ represents an adjacency matrix, $k$ represents an order, $X$ represents a node feature, $A^k$ represents that k times of graph convolution operation is performed, the time feature is used for recording dynamic behavior indexes of each node, the space neighborhood feature is used for capturing topological association of the industry chain network, and the weight of the supply relation, the competition relation and the cooperation relation is determined through the adjacency matrix; encoding the time feature and the space neighborhood feature based on a time decay function to obtain a space-time factor, and calculating a dynamic relation weight according to the space-time factor, wherein the dynamic relation weight is used for quantifying abnormal contribution degrees of different types of temporal edges; based on time sequence sliding window sampling, extracting network states containing $\tau$ time steps from the network security industry chain network; extracting feature vectors of the same node in different time windows as positive samples and feature vectors of different nodes in the same time windows as negative samples based on the network state containing $\tau$ time steps, wherein the feature vectors are dynamic relation weights, and performing contrast learning on the positive samples and the negative samples based on a contrast loss function