CN-121984839-A - Self-adaptive network anomaly detection and policy driving automatic recovery method and device
Abstract
The invention discloses a self-adaptive network anomaly detection and strategy drive automatic recovery method and device, and relates to the technical field of network security and network management. The method comprises the steps of collecting network multi-source indexes, carrying out time sequence decomposition and pseudo data elimination to obtain preprocessing data, constructing a weighted distance model to calculate an anomaly score to realize self-adaptive anomaly detection, constructing an anomaly propagation model based on network topology and node interaction strength after anomaly judgment, determining anomaly source nodes and propagation paths, carrying out anomaly root cause analysis through graph structure similarity matching, constructing a multi-objective optimization model according to anomaly detection and root cause analysis results to generate a differential recovery strategy and execute the differential recovery strategy, and carrying out monitoring and feedback on recovery effects to optimize detection and strategy models. The invention forms a closed loop self-healing process of detection, diagnosis, decision-making, execution and verification through multidimensional feature modeling, anomaly propagation analysis and an optimization decision mechanism, and effectively improves the accuracy and recovery efficiency of network anomaly detection.
Inventors
- WANG LEI
- ZHAN XINYU
- YAO JIMING
- KANG BIN
- XIA ZHIJIE
Assignees
- 南京邮电大学
Dates
- Publication Date
- 20260505
- Application Date
- 20260408
Claims (10)
- 1. An adaptive network anomaly detection and policy driven automatic recovery method, comprising: Performing time alignment processing on the acquired flow index, connection state index and equipment operation index of the target network to obtain time sequence data; Purifying the time sequence data to obtain pre-processed data; Constructing a current moment characteristic component set based on the preprocessing data, obtaining an abnormal grading value by calculating a weighted distance between a current moment characteristic component and a corresponding historical normal behavior characteristic component in the set, and judging whether a target network is in an abnormal state according to the abnormal grading value; When the target network is in an abnormal state, a network topology model is built based on interaction strength between a network topology structure and nodes, and an abnormal propagation path, an abnormal source node and an abnormal influence range are determined based on the network topology model; Constructing a current abnormal feature set based on the abnormal grading value, the abnormal propagation path, the abnormal source node and the abnormal influence range, and carrying out graph structure similarity matching on the current abnormal feature set and the historical abnormal mode to obtain an abnormal root cause analysis result; Constructing a multi-objective optimization model based on the abnormal grading value, the abnormal propagation path, the abnormal source node, the abnormal influence range and the abnormal root cause analysis result to generate a preprocessing strategy scheme, and issuing the preprocessing strategy scheme to a corresponding node for execution; and monitoring the recovery effect of the network state after the preprocessing strategy scheme is executed, outputting an abnormal event closing result if a preset condition is met, and otherwise triggering upgrading processing.
- 2. The method for detecting abnormal condition of adaptive network and automatically recovering from policy driving according to claim 1, wherein said purifying said time series data to obtain preprocessed data comprises: Decomposing trend items, season items and residual items of the time sequence data through an STL algorithm, comparing the residual items obtained by decomposition with residual items of at least one reference network, defining time sequence data with difference values of the residual items exceeding a preset threshold value as abnormal fluctuation data, eliminating the abnormal fluctuation data, carrying out discrete degree and continuous fluctuation frequency statistics on the residual items of the residual time sequence data after eliminating the abnormal fluctuation data, eliminating time sequence data with the discrete degree exceeding the preset discrete degree threshold value or the continuous fluctuation frequency lower than the preset frequency threshold value, and obtaining preprocessing data; wherein the discrete degree calculation expression is: ; Wherein: To represent the degree of dispersion of the residual term, As the mean value of the residual terms, Is a residual term at the moment of time series data t, Is the time window length; The continuous fluctuation frequency calculation expression is: ; Wherein: For the frequency of the continuous wave motion, Is the number of abnormal fluctuations; when the preset condition is satisfied Or (b) Eliminating the abnormal fluctuation of the time sequence data again to obtain preprocessing data, As a threshold value of the dispersion, Is an anomaly frequency threshold.
- 3. The adaptive network anomaly detection and policy driven automatic recovery method of claim 1 wherein the anomaly score value calculation expression is: ; Wherein: representing the overall anomaly score value for the target network, Represent the first The weight of the individual index is calculated, The dimensions of the features are represented and, Represent the first The characteristic component of the individual indicators at time t, Represent the first Characteristic components of each index in a history normal state.
- 4. The method for adaptive network anomaly detection and policy driven automatic recovery according to claim 3, wherein determining an anomaly propagation path, an anomaly source node, and an anomaly impact range based on a network topology model comprises: Constructing a topological structure model based on the connection relation between network nodes to obtain a node connection diagram; on the basis of the node connection diagram, an interaction intensity matrix is constructed for node pairs with connection relations according to traffic transmission quantity, connection establishment frequency, data forwarding paths and link bandwidth occupation conditions among network nodes; Calculating abnormal propagation probability based on the interaction intensity matrix, and constructing an abnormal propagation path through maximum probability path search; Calculating the node anomaly contribution degree based on the node anomaly score and the anomaly propagation probability; and determining an abnormal source node according to the abnormal contribution degree of the node, and determining an abnormal influence range according to the propagation probability of the abnormal propagation path and the contribution degree threshold.
- 5. The adaptive network anomaly detection and policy driven automatic recovery method of claim 4 wherein the anomaly propagation probability acquisition method is expressed as: ; Wherein: For the probability of an anomaly propagating from node i to node j, For the strength of interaction between node i and node j, The sum of the interaction intensity of the node i and all the neighbor nodes k is obtained; the abnormal propagation path constructing and acquiring method comprises the following expression: ; Wherein: for the probability of path propagation, For the propagation path from node i to node j, As the propagation probability from node i to node j, Representing edges on the path of travel from node i to node j; the abnormal contribution degree obtaining method comprises the following expression: ; Wherein: Abnormal contribution degree for node j; the node j itself is scored for anomalies, Is a node The score of the abnormality itself, Is a propagation influence coefficient; the abnormal source node acquisition method comprises the following steps of: ; Wherein: as an abnormal source node, The node index corresponding to the maximum value is taken; the abnormal influence range obtaining method comprises the following expression: ; Wherein, the The range of influence of the abnormality is indicated, Representing a contribution threshold; For nodes Is included in the range of influence to satisfy the corresponding optimal propagation path The path propagation probability of (a) satisfies: ; Wherein, the Representing a slave source node from an anomaly To the node Is a path of optimum propagation; representing a path propagation probability threshold.
- 6. The method for self-adaptive network anomaly detection and policy driven automatic recovery according to claim 5, wherein the method for obtaining the result of anomaly root cause analysis specifically comprises: based on the abnormal grading value, the abnormal propagation path, the abnormal source node and the abnormal influence range, a current abnormal feature set is constructed, and the expression is: ; Wherein, the Representing the set of abnormal features, An abnormality score value; is an abnormal influence range; in order for the propagation path to be abnormal, Is an abnormal source node; Constructing a historical abnormal association map comprising index nodes, abnormal type nodes and root cause nodes based on the historical abnormal data, wherein the association strength between the nodes is represented by association weights; the current abnormal feature set is calculated by a graph structure similarity calculation method Correlation map with history abnormality Matching is carried out, and matching similarity of each historical abnormal mode is obtained through calculation, wherein the expression is as follows: ; Wherein: matching similarity between the current abnormal feature set and the historical abnormal mode; selecting a history abnormal mode with highest matching similarity, and outputting a root cause corresponding to the history abnormal mode as a root cause analysis result of the current target network abnormality, wherein the expression is: ; Wherein, the The root cause analysis result of the current target network abnormality is represented; represent the first Correlation maps corresponding to the historical abnormal modes; Representing a graph structure similarity function; And selecting an index corresponding to the history abnormal mode with the maximum similarity.
- 7. The method for adaptive network anomaly detection and policy driven automatic recovery according to claim 6, wherein the generation of the preprocessing policy scheme is implemented by the following multi-objective optimization model, specifically comprising: ; Wherein: For a preprocessing strategy scheme generated from a multi-objective optimization model, Is a recovery duration; is resource consumption; To perform the risk; is an abnormal influence range; For the value of the abnormality score, The root cause analysis result representing the current target network anomaly, Indexing a processing strategy scheme corresponding to the minimum value; respectively, weight coefficients.
- 8. The adaptive network anomaly detection and policy driven auto-recovery method of claim 1, wherein the preprocessing strategy scheme comprises at least one of a flow scheduling strategy, a network configuration adjustment strategy and a resource allocation strategy; an execution node, execution parameters and an execution sequence are determined according to the generated strategy, and the strategy is issued to the abnormal source node and to key nodes on the abnormal propagation path for execution.
- 9. The adaptive network anomaly detection and policy driven auto-recovery method of claim 1, wherein the recovery effect monitoring includes: Acquiring network index data after strategy execution in real time; Judging whether the abnormality is eliminated, namely whether the abnormality grading value of the network index data is smaller than the abnormality judgment threshold value for a plurality of continuous sampling points; if the abnormality is eliminated and the recovery effect meets the preset condition, outputting an abnormal event closing result; if the abnormality is not eliminated, re-optimizing the strategy or triggering upgrading treatment; and feeding back the execution result to the abnormality detection and strategy generation models, and updating the index weights and strategy parameters.
- 10. An adaptive network anomaly detection and policy driven automatic recovery device, comprising: The time sequence data module is used for carrying out time alignment processing on the acquired flow index, connection state index and equipment operation index of the target network to obtain time sequence data; The preprocessing data module is used for purifying the time sequence data to obtain preprocessing data; The abnormal scoring module is used for constructing a current moment characteristic component set based on the preprocessing data, obtaining an abnormal scoring value by calculating a weighted distance between a current moment characteristic component and a corresponding historical normal behavior characteristic component in the set, and judging whether a target network is in an abnormal state according to the abnormal scoring value; The abnormal propagation path module is used for constructing a network topology model based on the interaction strength between the network topology and the nodes when the target network is judged to be in an abnormal state, and determining an abnormal propagation path, an abnormal source node and an abnormal influence range based on the network topology model; The abnormal root cause analysis result module is used for constructing a current abnormal feature set based on the abnormal grading value, the abnormal propagation path, the abnormal source node and the abnormal influence range, and carrying out graph structure similarity matching on the current abnormal feature set and the historical abnormal mode to obtain an abnormal root cause analysis result; The processing strategy module is used for constructing a multi-objective optimization model to generate a preprocessing strategy scheme based on the abnormal grading value, the abnormal propagation path, the abnormal source node, the abnormal influence range and the abnormal root cause analysis result, and issuing the scheme to the corresponding node for execution; The monitoring module is used for monitoring the recovery effect of the network state after the preprocessing strategy scheme is executed, outputting an abnormal event closing result if the preset condition is met, and triggering upgrading processing otherwise.
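The anomaly propagation analysis of claims 4 and 5 (normalised interaction strength as propagation probability, maximum-probability path search, node contribution degree, source node and influence range), as an added worked example that is not part of the patent; the topology, interaction strengths, node scores, the contribution formula C_j = S_j + alpha * sum_i P_ij * S_i and the threshold values are all constructed assumptions standing in for the claim's missing expressions.

```python
import heapq
import math

# Constructed example topology: interaction strength I_ij between connected node pairs
# (traffic volume, connection frequency, forwarding paths and bandwidth usage are
# assumed to be already folded into one number per link).
INTERACTION = {
    "core": {"agg1": 8.0, "agg2": 2.0},
    "agg1": {"core": 8.0, "edge1": 5.0, "edge2": 5.0},
    "agg2": {"core": 2.0, "edge3": 3.0},
    "edge1": {"agg1": 5.0},
    "edge2": {"agg1": 5.0},
    "edge3": {"agg2": 3.0},
}
# Constructed per-node anomaly scores S_j (assumed output of the weighted-distance scorer).
NODE_SCORE = {"core": 0.2, "agg1": 0.9, "agg2": 0.1,
              "edge1": 0.6, "edge2": 0.5, "edge3": 0.05}


def propagation_probability(interaction):
    """P_ij = I_ij / sum_k I_ik: interaction strength normalised over node i's neighbours."""
    probs = {}
    for i, nbrs in interaction.items():
        total = sum(nbrs.values())
        probs[i] = {j: w / total for j, w in nbrs.items()} if total else {}
    return probs


def max_probability_paths(probs, source):
    """Maximum-probability path search from `source`: Dijkstra on -log(P_ij), so the
    path probability is the product of the edge probabilities along the path."""
    best, prev, heap = {source: 1.0}, {source: None}, [(0.0, source)]
    while heap:
        cost, u = heapq.heappop(heap)
        if cost > -math.log(best[u]) + 1e-12:
            continue  # stale heap entry, a better path to u was already settled
        for v, p in probs[u].items():
            cand = best[u] * p
            if cand > best.get(v, 0.0):
                best[v], prev[v] = cand, u
                heapq.heappush(heap, (-math.log(cand), v))
    return best, prev


def contribution_degree(scores, probs, alpha):
    """C_j = S_j + alpha * sum_i P_ij * S_i: own score plus influence propagated in
    from neighbours (assumed reading of the claim's contribution expression)."""
    return {j: s + alpha * sum(probs[i].get(j, 0.0) * scores[i] for i in probs)
            for j, s in scores.items()}


def analyse(interaction, scores, alpha=0.5, c_thresh=0.4, p_thresh=0.1):
    """Source node = argmax C_j; influence range = nodes with C_j >= c_thresh whose best
    path probability from the source is >= p_thresh (thresholds are assumed values)."""
    probs = propagation_probability(interaction)
    contrib = contribution_degree(scores, probs, alpha)
    source = max(contrib, key=contrib.get)
    best, prev = max_probability_paths(probs, source)

    def path_to(n):  # walk predecessor links back to the source node
        path = []
        while n is not None:
            path.append(n)
            n = prev[n]
        return path[::-1]

    affected = {n for n in scores if contrib[n] >= c_thresh and best.get(n, 0.0) >= p_thresh}
    return {"source": source, "contribution": contrib, "affected": affected,
            "path_prob": best, "paths": {n: path_to(n) for n in best}}
```

With the constructed data the aggregation node agg1 is selected as the source, and edge3 sits outside the influence range because its best path probability (0.444 * 0.2 * 0.6) falls below the path threshold.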
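The weighted-distance anomaly scoring of claim 3 together with the recovery-effect check of claim 9 (the anomaly only counts as eliminated when the score stays below the judgement threshold for several consecutive sampling points), as an added example that is not part of the patent; the three indices, their weights, the (mean, std) baselines, the per-index std scaling and the post-execution score trajectory are constructed assumptions.

```python
import math

# Constructed example: three multi-source indices with per-index weights w_i and a
# historical normal baseline (mean, std) per index, assumed learned from a clean window.
INDEX_WEIGHTS = {"traffic_mbps": 0.5, "conn_success": 0.3, "cpu_pct": 0.2}
BASELINE = {"traffic_mbps": (420.0, 40.0), "conn_success": (0.98, 0.01), "cpu_pct": (35.0, 8.0)}


def anomaly_score(sample, baseline, weights):
    """Weighted distance between the current feature components x_i(t) and the historical
    normal components; each index is scaled by its baseline std (an assumption) so that
    indices measured in different units do not dominate the sum."""
    total = 0.0
    for idx, w in weights.items():
        mean, std = baseline[idx]
        z = (sample[idx] - mean) / std
        total += w * z * z
    return math.sqrt(total)


def is_abnormal(sample, baseline, weights, threshold):
    """Abnormal-state judgement: score at or above the judgement threshold."""
    return anomaly_score(sample, baseline, weights) >= threshold


def recovery_verified(post_scores, threshold, consecutive):
    """Recovery-effect check: the anomaly counts as eliminated only when the score stays
    below the judgement threshold for `consecutive` successive sampling points; a single
    dip below threshold (a transient lull) does not close the event."""
    run = 0
    for s in post_scores:
        run = run + 1 if s < threshold else 0
        if run >= consecutive:
            return True
    return False


def closed_loop_outcome(post_scores, threshold, consecutive):
    """The claim's two outcomes after execution: close the event, or trigger upgrading."""
    return "event_closed" if recovery_verified(post_scores, threshold, consecutive) else "escalate"


# Constructed samples: a normal instant and a traffic burst with degraded connections.
NORMAL = {"traffic_mbps": 430.0, "conn_success": 0.985, "cpu_pct": 33.0}
BURST = {"traffic_mbps": 900.0, "conn_success": 0.90, "cpu_pct": 80.0}
# Constructed score trajectory sampled after the recovery strategy was executed.
POST_EXECUTION = [8.1, 2.5, 1.2, 0.9, 0.8, 0.7]
```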
Description
Self-adaptive network anomaly detection and policy driving automatic recovery method and device
Technical Field
The invention relates to a self-adaptive network anomaly detection and policy driving automatic recovery method and device, belonging to the technical field of network security and network management.
Background
With the continuous expansion of network scale and the increasing complexity of service types, network abnormal events (such as traffic bursts, equipment failures and security attacks) occur frequently and seriously affect the stability of network services and the user experience. Traditional network anomaly detection and recovery mechanisms mainly have the following problems. Static threshold detection fails: the traditional method judges anomalies based on a fixed threshold (such as alarming when traffic exceeds 1Gbps), but network traffic has obvious periodicity and burstiness, and a static threshold is difficult to adapt to dynamic changes, so missed reports (threshold too high) or false reports (threshold too low) are frequently generated. Detection response delay is high: the traditional scheme mostly adopts a centralized processing mode of acquisition, reporting, central analysis, decision making and issuing, and a few minutes are often required from the occurrence of an anomaly to the execution of a recovery action, so the requirements of low-delay services such as uRLLC cannot be met. The recovery mechanism is single and strongly dependent on manual work: after an anomaly is found, manual intervention is usually needed to find the cause and execute the recovery operation, so efficiency is low, the recovery strategy is rigid (such as uniformly restarting equipment), and the capability to handle different anomaly types differently is lacking. The self-healing closed loop is lacking: detection and recovery are disconnected from each other, the closed loop mechanism of detection, diagnosis, decision-making, execution and verification is missing, and self-adaptive self-healing of the network cannot be realized.
Disclosure of Invention
The invention aims to provide a self-adaptive network anomaly detection and strategy drive automatic recovery method and device, which realize self-adaptive detection and automatic recovery of network anomalies by combining time series decomposition and multidimensional data purification with an anomaly detection mechanism, and remarkably improve the accuracy of anomaly detection and the efficiency of recovery work. In order to achieve the above purpose and solve the above technical problems, the present invention adopts the following technical scheme.
In one aspect, the present invention provides a self-adaptive network anomaly detection and policy driven automatic recovery method, including: Performing time alignment processing on the acquired flow index, connection state index and equipment operation index of the target network to obtain time sequence data; Purifying the time sequence data to obtain pre-processed data; Constructing a current moment characteristic component set based on the preprocessing data, obtaining an abnormal grading value by calculating a weighted distance between a current moment characteristic component and a corresponding historical normal behavior characteristic component in the set, and judging whether a target network is in an abnormal state according to the abnormal grading value; When the target network is in an abnormal state, a network topology model is built based on interaction strength between a network topology structure and nodes, and an abnormal propagation path, an abnormal source node and an abnormal influence range are determined based on the network topology model; Constructing a current abnormal feature set based on the abnormal grading value, the abnormal propagation path, the abnormal source node and the abnormal influence range, and carrying out graph structure similarity matching on the current abnormal feature set and the historical abnormal mode to obtain an abnormal root cause analysis result; Constructing a multi-objective optimization model based on the abnormal grading value, the abnormal propagation path, the abnormal source node, the abnormal influence range and the abnormal root cause analysis result to generate a preprocessing strategy scheme, and issuing the preprocessing strategy scheme to a corresponding node for execution; and monitoring the recovery effect of the network state after the preprocessing strategy scheme is executed, outputting an abnormal event closing result if a preset condition is met, and otherwise triggering upgrading processing.
Further, the purifying the time series data to obtain pre-processed data specifically includes: Decomposing trend items, season items and residual items of the time sequence data through an STL algorithm, comparing the residual items obta