CN-122027233-A - Communication network abnormality detection method, device, apparatus, medium, and program product
Abstract
The application discloses a communication network anomaly detection method, apparatus, device, medium and program product. The method comprises: dividing a coverage area of a target communication network into a plurality of sub-areas, and combining the sub-areas based on the type of each sub-area to obtain a first combination and a second combination; predicting first abnormal behavior information triggered by the first combination, and identifiable second abnormal behavior information, based on user behavior characteristics of the user sub-areas and device behavior characteristics of the device sub-areas in the first combination; predicting third abnormal behavior information triggered by the second combination, and identifiable fourth abnormal behavior information, based on transmission behavior characteristics of the data sub-areas in the second combination and data flow directions between the sub-areas in the second combination; and performing anomaly analysis based on the first, second, third and fourth abnormal behavior information to obtain an anomaly detection result of the target communication network.
Inventors
- DU PENG
- QIU MINGLIN
- ZHANG ZHIGUO
- WANG ZHENCHAO
- CHEN WEI
Assignees
- 中移物联网有限公司
- 中国移动通信集团有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260119
Claims (10)
- 1. A communication network anomaly detection method, comprising: Dividing a coverage area of a target communication network into a plurality of subareas, and combining the subareas based on the type of each subarea to obtain a first combination and a second combination, wherein the type of the subareas comprises a user subarea, a device subarea and a data subarea; Predicting first abnormal behavior information triggered by the first combination and second abnormal behavior information identifiable in the first abnormal behavior information based on user behavior characteristics of a user sub-region and equipment behavior characteristics of equipment sub-regions in the first combination; Predicting third abnormal behavior information triggered by the second combination and identifiable fourth abnormal behavior information in the third abnormal behavior information based on transmission behavior characteristics of data subareas in the second combination and data flow directions between subareas in the second combination; And carrying out anomaly analysis based on the first anomaly behavior information, the second anomaly behavior information, the third anomaly behavior information and the fourth anomaly behavior information to obtain an anomaly detection result of the target communication network.
- 2. The method of claim 1, wherein predicting the first abnormal behavior information triggered by the first combination and the second abnormal behavior information identifiable in the first abnormal behavior information based on the user behavior features of the user sub-region and the device behavior features of the device sub-region in the first combination comprises: Determining first network condition information of the first combination based on a network transmission rate and a data flow direction of a sub-region in the first combination; Performing association analysis on the first network condition information and the equipment behavior characteristics of the equipment subareas in the first combination to obtain first association information; Predicting the first abnormal behavior information based on the first network condition information and the first association information; and determining the second abnormal behavior information from the first abnormal behavior information based on the user behavior characteristics of the user sub-regions in the first combination.
- 3. The method of claim 1, wherein predicting third abnormal behavior information triggered by the second combination and fourth abnormal behavior information identifiable in the third abnormal behavior information based on a transmission behavior characteristic of a data subregion in the second combination and a data flow direction between subregions in the second combination, comprises: determining a first prediction model and a second prediction model matched with the second combination based on the data flow direction, wherein the first prediction model is used for describing the mapping relation between the transmission behavior characteristics and the trigger probability, and the second prediction model is used for describing the mapping relation between the transmission behavior characteristics and the identifiable coefficients; Predicting a first trigger probability corresponding to the second combination based on the transmission behavior characteristics of the data subareas in the second combination and the first prediction model, and predicting the third abnormal behavior information based on the first trigger probability and the behavior information related to the second combination; And predicting a first identifiable coefficient corresponding to the second combination based on the transmission behavior characteristics of the data subareas in the second combination and the second prediction model, and determining the fourth abnormal behavior information from the third abnormal behavior information based on the first identifiable coefficient.
- 4. The method of claim 3, wherein the determining a first predictive model and a second predictive model that match the second combination based on the data flow direction comprises: Determining the position relation between the user sub-region and the data sub-region in the second combination based on the data flow direction; acquiring the scale difference between the user sub-region and the data sub-region in the second combination; Based on the data flow direction and the scale difference, a first predictive model and a second predictive model are determined that match the second combination.
- 5. The method of claim 4, wherein the first predictive model includes a mapping relationship between risk levels of transmission behavior features, scale differences between associated user sub-regions and data sub-regions, and trigger probabilities; The second prediction model comprises a mapping relation among the identifiable degree of the transmission behavior characteristic, the triggered abnormal behavior scale and the identifiable coefficient.
- 6. The method according to claim 1, wherein the performing anomaly analysis based on the first anomaly behavior information, the second anomaly behavior information, the third anomaly behavior information, and the fourth anomaly behavior information to obtain anomaly detection results of the target communication network includes: For each sub-region in the coverage area, determining an abnormal behavior amount triggered in the sub-region based on a behavior feature corresponding to the type of the sub-region, first abnormal behavior information of a first combination related to the sub-region, and third abnormal behavior information of a second combination related to the sub-region; determining an identifiable abnormal behavior amount within the sub-region based on the behavior feature corresponding to the type of the sub-region, the second abnormal behavior information of the first combination related to the sub-region, and the fourth abnormal behavior information of the second combination related to the sub-region; determining an abnormal detection result of the subarea based on the triggered abnormal behavior amount in the subarea and the identifiable abnormal behavior amount in the subarea; And determining an abnormality detection result of the target communication network based on the abnormality detection result of each sub-area in the coverage area.
- 7. A communication network abnormality detection apparatus, comprising: The system comprises a combination module, a first combination module and a second combination module, wherein the combination module is used for dividing a coverage area of a target communication network into a plurality of subareas and combining the plurality of subareas based on the type of each subarea to obtain a first combination and a second combination; The first prediction module is used for predicting first abnormal behavior information triggered by the first combination and second abnormal behavior information identifiable in the first abnormal behavior information based on the user behavior characteristics of the user sub-region and the equipment behavior characteristics of the equipment sub-region in the first combination; The second prediction module is used for predicting third abnormal behavior information triggered by the second combination and fourth abnormal behavior information identifiable in the third abnormal behavior information based on the transmission behavior characteristics of the data subareas in the second combination and the data flow direction between the data subareas in the second combination; the detection module is used for carrying out anomaly analysis based on the first anomaly behavior information, the second anomaly behavior information, the third anomaly behavior information and the fourth anomaly behavior information to obtain an anomaly detection result of the target communication network.
- 8. An electronic device, characterized by a processor, a memory and a computer program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the communication network anomaly detection method according to any one of claims 1 to 6.
- 9. A computer readable storage medium, characterized in that instructions in the storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the steps of the communication network anomaly detection method of any one of claims 1 to 6.
- 10. A computer program product, characterized in that the computer program product comprises a non-transitory computer readable storage medium storing a computer program operable to cause a computer to perform the steps of the communication network anomaly detection method according to any one of claims 1 to 6.
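The data flow of claims 3 to 6, restricted to second combinations, as an added Python sketch that is not code from the patent. The claims name only the inputs and outputs of the two prediction models, so both formulas, the coverage rule, the 0.5 threshold and all sample values below are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class SecondCombination:
    """A user sub-area paired with a data sub-area (claims 3-4)."""
    user_area: str
    data_area: str
    risk_level: float       # risk level of the transmission behaviour feature, 0..1
    identifiability: float  # identifiable degree of that feature, 0..1
    scale_diff: float       # scale difference between the two sub-areas, 0..1
    volume: int             # behaviour events related to this combination

def trigger_probability(c):
    # Assumed stand-in for the first prediction model (claim 5).
    return min(1.0, c.risk_level * (1.0 + c.scale_diff) / 2.0)

def identifiable_coefficient(c, triggered):
    # Assumed stand-in for the second prediction model (claim 5):
    # a larger triggered scale is taken to be easier to recognise.
    return c.identifiability * min(1.0, 0.5 + triggered / 200.0)

def predict(c):
    """Return (third, fourth): triggered and identifiable amounts (claim 3)."""
    third = c.volume * trigger_probability(c)
    fourth = third * identifiable_coefficient(c, third)
    return third, fourth

def analyse(combos, min_coverage=0.5):
    """Claim 6 aggregation; the coverage rule is an assumption of this example."""
    totals = {}
    for c in combos:
        third, fourth = predict(c)
        for area in (c.user_area, c.data_area):
            t, i = totals.get(area, (0.0, 0.0))
            totals[area] = (t + third, i + fourth)
    per_area = {
        area: {"triggered": t, "identifiable": i,
               "blind_spot": t > 0 and i / t < min_coverage}
        for area, (t, i) in totals.items()
    }
    # Network-level result: the sub-areas where most triggered anomalies go unseen.
    flagged = sorted(a for a, r in per_area.items() if r["blind_spot"])
    return per_area, flagged

# Constructed sample: one user sub-area feeding two data sub-areas.
SAMPLE = [
    SecondCombination("U1", "D1", 0.8, 0.9, 0.5, 200),
    SecondCombination("U1", "D2", 0.4, 0.2, 0.0, 100),
]

if __name__ == "__main__":
    print(analyse(SAMPLE)[1])
```

The gap between the triggered and identifiable amounts per sub-area is what the method's final step has to work from: here D2 is flagged because only a small share of its predicted anomalies would be recognisable.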
Description
Communication network abnormality detection method, device, apparatus, medium, and program product
Technical Field
The present application relates to the field of network security technologies, and in particular to a method, an apparatus, a device, a medium, and a program product for detecting anomalies in a communication network.
Background
Amid the wave of digitization, communication networks, as a cornerstone of the digital economy, face increasingly complex security threats. To ensure service continuity, defend effectively against advanced and hidden attacks, locate root causes accurately and optimize resource utilization, anomaly detection on the communication network is especially necessary. With the development of 5G and of power networks, network architectures have become more complex, anomalies arising from multi-device and multi-service interaction have grown explosively, and traditional detection means struggle to meet current demands.
Disclosure of Invention
The embodiments of the present application aim to provide a communication network anomaly detection method, apparatus, device, medium and program product that realize multi-dimensional, cross-regional and accurate anomaly detection of a communication network, improve the comprehensiveness and accuracy of detection, and provide effective support for operation and maintenance in complex network environments.
In order to achieve the above object, the embodiments of the present application adopt the following technical solutions.
In a first aspect, an embodiment of the present application provides a method for detecting an anomaly of a communication network, including:
- dividing a coverage area of a target communication network into a plurality of sub-areas, and combining the sub-areas based on the type of each sub-area to obtain a first combination and a second combination, wherein the types of sub-area comprise a user sub-area, a device sub-area and a data sub-area;
- predicting first abnormal behavior information triggered by the first combination, and second abnormal behavior information identifiable in the first abnormal behavior information, based on user behavior characteristics of the user sub-area and device behavior characteristics of the device sub-areas in the first combination;
- predicting third abnormal behavior information triggered by the second combination, and fourth abnormal behavior information identifiable in the third abnormal behavior information, based on transmission behavior characteristics of the data sub-areas in the second combination and data flow directions between the sub-areas in the second combination;
- carrying out anomaly analysis based on the first abnormal behavior information, the second abnormal behavior information, the third abnormal behavior information and the fourth abnormal behavior information to obtain an anomaly detection result of the target communication network.
In a second aspect, an embodiment of the present application provides a communication network anomaly detection apparatus, including:
- The system comprises a combination module, a first combination module and a second combination module, wherein the combination module is used for dividing a coverage area of a target communication network into a plurality of sub-areas and combining the plurality of sub-areas based on the type of each sub-area to obtain a first combination and a second combination;
- the first prediction module is used for predicting first abnormal behavior information triggered by the first combination, and second abnormal behavior information identifiable in the first abnormal behavior information, based on the user behavior characteristics of the user sub-area and the device behavior characteristics of the device sub-area in the first combination;
- the second prediction module is used for predicting third abnormal behavior information triggered by the second combination, and fourth abnormal behavior information identifiable in the third abnormal behavior information, based on the transmission behavior characteristics of the data sub-areas in the second combination and the data flow direction between the data sub-areas in the second combination;
- the detection module is used for carrying out anomaly analysis based on the first abnormal behavior information, the second abnormal behavior information, the third abnormal behavior information and the fourth abnormal behavior information to obtain an anomaly detection result of the target communication network.
In a third aspect, an embodiment of the present application provides an electronic device comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the communication network anomaly detection method provided in the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, which wh