CN-122002335-A - 5G low-altitude slice network abnormal behavior detection and dynamic response method and device

Abstract

The invention relates to a 5G low-altitude slice network abnormal behavior detection and dynamic response method and device, wherein the method comprises the steps of collecting multidimensional network data in a 5G core network and a base station; the method comprises the steps of carrying out feature engineering processing of fusing slice states on multi-dimensional network data to extract slice safety state features, constructing a dynamic slice behavior base line model based on a hybrid machine learning model, learning the slice safety state features to judge whether slice behaviors at the next moment are abnormal or not and identify abnormal types, carrying out abnormal alarm based on service priority, and carrying out slice dynamic response based on safety perception. The invention greatly improves the detection accuracy of the abnormal behavior of the low-altitude dynamic service by establishing the dynamic slice behavior baseline model to pre-judge the abnormality and identify the abnormality type, and realizes the automatic response of slice-level precise isolation, restriction, rerouting and the like of the threat through the linkage with slice management and dynamic routing.

Inventors

• ZHU HUADONG

Assignees

• 北京思特奇信息技术股份有限公司

Dates

Publication Date

20260508

Application Date

20251229

Claims (10)

1. 1. The 5G low-altitude slice network abnormal behavior detection and dynamic response method is characterized by comprising the following steps of: s1, acquiring multidimensional network data related to slicing and low-altitude service in a 5G core network and a base station; s2, carrying out feature engineering processing of fusing slice states on the multidimensional network data to extract slice safety state features; S3, constructing a dynamic slice behavior baseline model based on a hybrid machine learning model, and learning the slice safety state characteristics by utilizing the dynamic slice behavior baseline model so as to pre-judge whether the slice behavior at the next moment is abnormal or not and identify the abnormal type; S4, when abnormality is detected, abnormality alarming is carried out based on the service priority, and slice dynamic response based on safety perception is carried out.
2. 2. The 5G low-altitude slice network anomaly detection and dynamic response method of claim 1, wherein in said S1, said multidimensional network data comprises slice identification data, qoS traffic data, mobility management data, and slice configuration data.
3. 3. The 5G low-altitude slice network anomaly detection and dynamic response method of claim 1, wherein in said S2, said slice security state features include intra-slice behavior features, inter-slice behavior features, qoS deviation features, and UE mobility features; The intra-slice behavior features comprise a flow portrait for representing total bandwidth, protocol distribution and data packet size distribution in the slice and a connection portrait for representing new connection rate, concurrent connection number and average connection duration; the inter-slice behavior features include isolation features for monitoring for inter-slice illegal access attempts.
4. 4. The method for detecting abnormal behaviors and dynamically responding to a 5G low-altitude slice network according to claim 1, wherein S3 specifically is: constructing a dynamic slice behavior baseline model based on a hybrid machine learning model; learning the time characteristics and the space characteristics of the slice safety state characteristics by using the dynamic slice behavior baseline model; and predicting whether the slice behaviors at the next moment are abnormal or not according to the time characteristics and the space characteristics, and identifying the abnormal types.
5. 5. The 5G low-altitude slice network anomaly detection and dynamic response method of claim 4, wherein the hybrid machine learning model comprises a recurrent neural network model and a convolutional neural network model; Learning the time characteristics and the space characteristics of the slice safety state characteristics by using the dynamic slice behavior baseline model, and specifically comprises the following steps: Inputting the slice safety state characteristics into the recurrent neural network model to learn the normal flow mode and QoS deviation fluctuation range of the slice at different times and output the time characteristics; And inputting the slice security state characteristics into the convolutional neural network model to analyze the data packet load or flow matrix of the slice and the fingerprint for identifying the attack mode, and outputting the spatial characteristics.
6. 6. The method for detecting abnormal behavior and dynamically responding to a 5G low-altitude slice network according to claim 5, wherein predicting whether the slice behavior at the next moment is abnormal and identifying the type of the abnormality according to the temporal feature and the spatial feature specifically comprises: Analyzing the time characteristics by using the recurrent neural network model to predict the slicing behavior at the next moment to obtain a predicted result, comparing the predicted result with an actual observed result, and judging that the slicing behavior is abnormal when the difference between the predicted result and the actual observed result exceeds a preset dynamic threshold; And carrying out deep analysis on abnormal slicing behaviors by combining the convolutional neural network model with the spatial features so as to identify the abnormal type.
7. 7. The method for detecting abnormal behavior and dynamically responding to a 5G low-altitude slice network according to claim 1, wherein in S4, performing a slice dynamic response based on security awareness includes a dynamic routing linkage response, and the dynamic routing linkage response specifically includes: When the low-altitude equipment is identified to launch the DDoS attack, the dynamic resource allocation module is informed to adjust the routing weight of the low-altitude equipment or the path where the low-altitude equipment is positioned to be infinity or high-cost in the current slice so as to recalculate the path, and the routing level isolation is realized.
8. 8. The method for detecting abnormal behavior and dynamically responding to a 5G low-altitude slice network according to claim 1, wherein in S4, performing a slice dynamic response based on security awareness includes a slice resource management linkage response, and the slice resource management linkage response specifically includes: When a slice traffic anomaly is identified, the slice resource management module is notified to perform dynamic resource throttling on the slice.
9. 9. The method for detecting abnormal behavior and dynamically responding to a 5G low-altitude slice network according to claim 1, wherein in S4, performing a slice dynamic response based on security awareness comprises a dynamic access control response, and the dynamic access control response is specifically: When a low-altitude device is detected to be scanning between slices, the access and mobility management function module is informed to force the low-altitude device to re-authenticate or temporarily isolate the low-altitude device in a limited network.
10. 10. A 5G low-altitude-slice network anomaly detection and dynamic response device comprising a processor, a memory, and a computer program stored in the memory, which when executed by the processor implements the 5G low-altitude-slice network anomaly detection and dynamic response method of any one of claims 1 to 9.

Description

5G low-altitude slice network abnormal behavior detection and dynamic response method and device Technical Field The invention relates to the technical fields of wireless communication, network security and machine learning, in particular to a 5G low-altitude slice network abnormal behavior detection and dynamic response method and device. Background With the application of the 5G slice private network in the low-altitude communication field, the network can provide customized QoS (quality of service) guarantee for services such as unmanned aerial vehicles, the Internet of things and the like. However, low-altitude devices (UEs) have high mobility and relatively weak security capabilities, making them vulnerable to network attacks. Existing network security detection methods are typically performed at the network edge, lacking awareness of "slice" traffic inside the 5G core network. They cannot distinguish between normal high bandwidth (e.g., video backhaul) within one slice and abnormally high bandwidth (e.g., DDoS attack) within another slice. Meanwhile, although the 5G slicing technology realizes resource isolation, if devices in slices are hijacked, the resources allocated to the slices can be abused, or penetration attack among the slices is attempted, so that the QoS of legal services is reduced. Therefore, a safety mechanism capable of sensing the 5G slice state, identifying the abnormal behavior of the low-altitude dynamic service and performing a fast response in linkage with the network function is needed. Disclosure of Invention The invention provides a 5G low-altitude slice network abnormal behavior detection and dynamic response method and device, which aim to solve at least one technical problem. The technical scheme for solving the technical problems is as follows, the 5G low-altitude slice network abnormal behavior detection and dynamic response method comprises the following steps: s1, acquiring multidimensional network data related to slicing and low-altitude service in a 5G core network and a base station; s2, carrying out feature engineering processing of fusing slice states on the multidimensional network data to extract slice safety state features; S3, constructing a dynamic slice behavior baseline model based on a hybrid machine learning model, and learning the slice safety state characteristics by utilizing the dynamic slice behavior baseline model so as to pre-judge whether the slice behavior at the next moment is abnormal or not and identify the abnormal type; S4, when abnormality is detected, abnormality alarming is carried out based on the service priority, and slice dynamic response based on safety perception is carried out. On the basis of the technical scheme, the invention can be improved as follows. Further, in the S1, the multidimensional network data includes slice identification data, qoS traffic data, mobility management data, and slice configuration data. Further, in the S2, the slice security state features include intra-slice behavior features, inter-slice behavior features, qoS deviation features, and UE mobility features; The intra-slice behavior features comprise a flow portrait for representing total bandwidth, protocol distribution and data packet size distribution in the slice and a connection portrait for representing new connection rate, concurrent connection number and average connection duration; the inter-slice behavior features include isolation features for monitoring for inter-slice illegal access attempts. Further, the step S3 specifically includes: constructing a dynamic slice behavior baseline model based on a hybrid machine learning model; learning the time characteristics and the space characteristics of the slice safety state characteristics by using the dynamic slice behavior baseline model; and predicting whether the slice behaviors at the next moment are abnormal or not according to the time characteristics and the space characteristics, and identifying the abnormal types. Further, the hybrid machine learning model includes a recurrent neural network model and a convolutional neural network model; Learning the time characteristics and the space characteristics of the slice safety state characteristics by using the dynamic slice behavior baseline model, and specifically comprises the following steps: Inputting the slice safety state characteristics into the recurrent neural network model to learn the normal flow mode and QoS deviation fluctuation range of the slice at different times and output the time characteristics; And inputting the slice security state characteristics into the convolutional neural network model to analyze the data packet load or flow matrix of the slice and the fingerprint for identifying the attack mode, and outputting the spatial characteristics. Further, according to the time feature and the space feature, whether the slice behavior at the next moment is abnormal or not is prejudged, and the abnormal type is identified,