CN118487872A - Nuclear power industry-oriented network abnormal behavior detection and analysis method - Google Patents
- Publication number: CN118487872A (application number CN202410928414.4A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/0636—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis based on a decision tree analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S10/00—Systems supporting electrical power generation, transmission or distribution
- Y04S10/50—Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications
Abstract
The application belongs to the technical field of network security and provides a network abnormal behavior detection and analysis method for the nuclear power industry, comprising the following steps: acquiring nuclear power network data; extracting target abnormal characteristics from it; and inputting the target abnormal characteristics into an early warning tree model to obtain a target abnormal analysis result. The early warning tree model comprises a plurality of decision trees; each branch node of a decision tree is connected with at least two child nodes through sub-paths, and a leaf node of a first decision tree is connected through a sub-path with a branch node of a second decision tree that has an association relationship with it. The early warning tree model divides the target abnormal characteristics along the sub-paths and obtains the target abnormal analysis result from the information of the leaf nodes that are reached. Because the abnormal behavior analysis of the nuclear power network data is performed by a plurality of decision trees, various analysis requirements can be met; and because decision trees with association relationships are connected, the analysis results of different decision trees can refer to one another, which reduces the analysis workload and improves the analysis accuracy.
Description
Technical Field
The application belongs to the technical field of network security, and particularly relates to a network abnormal behavior detection and analysis method for the nuclear power industry.
Background
Currently, because of the huge volume of real-time monitoring data and the diversity of abnormal conditions in the nuclear power industry, network abnormal behavior may be caused by many different factors, including but not limited to human misoperation, network attack and equipment failure. When analyzing abnormal behavior, it is often necessary to profile several layers of the abnormal behavior to determine the root cause behind it. If abnormal data appears during the operation of a nuclear power station, staff can currently only check each possible problem point one by one; the workload is large and abnormal alarms cannot be responded to in time.
Disclosure of Invention
The embodiment of the application provides a network abnormal behavior detection and analysis method for the nuclear power industry, which addresses the problem of detecting network abnormal behavior in the nuclear power industry.
In a first aspect, an embodiment of the present application provides a method for detecting and analyzing network abnormal behavior in a nuclear power industry, including:
Acquiring nuclear power network data;
extracting target abnormal characteristics from the nuclear power network data;
Inputting the target abnormal characteristics into an early warning tree model to obtain a target abnormal analysis result output by the early warning tree model. The early warning tree model comprises a plurality of decision trees; each decision tree comprises a plurality of nodes, the nodes comprising branch nodes and leaf nodes; each branch node is connected with at least two child nodes through sub-paths, the child nodes being branch nodes or leaf nodes; and a leaf node of a first decision tree is connected through a sub-path with a branch node of a second decision tree that has an association relationship with the first decision tree. The early warning tree model divides the target abnormal characteristics along the sub-paths until they reach a leaf node, and the target abnormal analysis result is obtained from the information of the leaf node reached.
Compared with the prior art, the embodiment of the application has the beneficial effects that:
abnormal behavior analysis is performed on the nuclear power network data by the decision trees in the early warning tree model, so that various analysis requirements can be met; and because decision trees with association relationships are connected, the analysis results of different decision trees can refer to one another, which avoids repeated analysis, reduces the analysis workload and improves the analysis accuracy of the early warning tree model.
In a possible implementation manner of the first aspect, the plurality of decision trees includes:
the anomaly type analysis decision tree, which is used for determining a target anomaly type according to the target abnormal characteristics;
the anomaly cause analysis decision tree, which is connected with the anomaly type analysis decision tree and is used for determining a target anomaly cause according to the target abnormal characteristics and the target anomaly type;
and the anomaly handling policy analysis decision tree, which is connected with the anomaly type analysis decision tree and the anomaly cause analysis decision tree and is used for determining a target anomaly handling policy according to the target abnormal characteristics, the target anomaly type and the target anomaly cause.
In this scheme, the type of the abnormal behavior, the cause of the abnormal behavior and the handling policy for the abnormal behavior are determined in turn by the anomaly type analysis decision tree, the anomaly cause analysis decision tree and the anomaly handling policy analysis decision tree, so that abnormal behavior is judged and handled in time through one integrated automatic flow.
In a possible implementation manner of the first aspect, the step of obtaining a target anomaly type according to the target anomaly characteristic analysis includes:
Searching the branch nodes of the anomaly type analysis decision tree for a target branch node; each branch node corresponds to an abnormal feature, and the abnormal feature corresponding to the target branch node matches the target abnormal feature;
Traversing the anomaly type analysis decision tree level by level according to the feature value of the target abnormal feature, and at each level determining a target child node among the at least two child nodes of the target branch node of that level;
When the target child node is a branch node, continuing to determine a new target child node among the at least two child nodes of that target child node, until the new target child node is a leaf node;
and when the target child node is a leaf node, determining the target anomaly type from the information of that target child node.
In the above scheme, the branch nodes of the anomaly type analysis decision tree represent abnormal features and the leaf nodes represent anomaly types, so the decision tree relates abnormal features to anomaly types and searching the decision tree is the anomaly type analysis process: starting from the initial level, the target abnormal feature and its feature value are matched against the abnormal feature and feature values of the branch nodes, a new target child node is determined at each level, and the target anomaly type is read from the leaf node finally reached.
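The level-by-level search just described, and the chaining in which the leaf reached in one tree is handed to the associated tree as a branch feature, are shown below as an added example. This is illustrative Python written for this page, not code from the patent: the three trees, the feature names, the feature values ("high"/"low", "internal"/"external") and the leaf labels are all constructed assumptions, and the final result is assembled from the leaf reached in every tree, as the analysis-result step of the method describes.

```python
"""Chained decision-tree lookup in the style of the early warning tree
described above. Each tree is walked from its root branch node: the value of
the target anomaly feature that the node represents selects the sub-path,
and the walk continues until a leaf node is reached. The leaf reached in one
tree is written back into the feature map so that the tree associated with
it can branch on that result.

Added example (Python). The trees, feature names, feature values and leaf
labels are constructed for illustration and are not taken from the patent.
"""


def branch(feature, children):
    """Branch node: the anomaly feature it represents and one child per
    feature value (each child is a branch or a leaf node)."""
    return ("branch", feature, children)


def leaf(label):
    """Leaf node: the analysis result at this level."""
    return ("leaf", label)


def walk(tree, features):
    """Descend from the root along the sub-path whose feature value matches
    the target feature value until a leaf node is reached. Returns the leaf
    label and the matched (feature, value) path. Raises KeyError when the
    tree needs a feature that is absent or a value with no sub-path, so an
    unanalysable input is reported instead of being mapped to a leaf."""
    node, path = tree, []
    while node[0] == "branch":
        _, feature, children = node
        value = features[feature]
        if value not in children:
            raise KeyError(f"no sub-path for {feature}={value!r}")
        path.append((feature, value))
        node = children[value]
    return node[1], path


# Constructed early warning tree: three associated trees in analysis order.
# The leaf of each tree is stored under the tree's name so the next tree
# can branch on it (condition -> conclusion chaining).
ANOMALY_TYPE_TREE = branch("dst_port_count", {
    "high": branch("src_ip_count", {
        "low": leaf("port_scan"),
        "high": leaf("distributed_scan"),
    }),
    "low": branch("packet_rate", {
        "high": leaf("flood"),
        "low": leaf("normal"),
    }),
})

ANOMALY_CAUSE_TREE = branch("anomaly_type", {
    "port_scan": branch("source_subnet", {
        "internal": leaf("misconfigured_scanner"),
        "external": leaf("reconnaissance"),
    }),
    "distributed_scan": leaf("botnet_reconnaissance"),
    "flood": branch("source_subnet", {
        "internal": leaf("device_fault"),
        "external": leaf("dos_attack"),
    }),
    "normal": leaf("none"),
})

HANDLING_POLICY_TREE = branch("anomaly_cause", {
    "reconnaissance": leaf("block_source_at_boundary"),
    "botnet_reconnaissance": leaf("block_source_at_boundary"),
    "misconfigured_scanner": leaf("notify_operator"),
    "device_fault": leaf("isolate_and_inspect_device"),
    "dos_attack": leaf("rate_limit_and_block"),
    "none": leaf("no_action"),
})

EARLY_WARNING_TREE = [
    ("anomaly_type", ANOMALY_TYPE_TREE),
    ("anomaly_cause", ANOMALY_CAUSE_TREE),
    ("handling_policy", HANDLING_POLICY_TREE),
]


def analyse(model, target_features):
    """Run the target anomaly features through every tree in association
    order and return the leaf information reached in each tree, which is
    the target anomaly analysis result."""
    features = dict(target_features)
    result = {}
    for name, tree in model:
        label, _ = walk(tree, features)
        result[name] = label
        features[name] = label  # leaf of this tree feeds the next tree
    return result


# Constructed, already-discretised target anomaly features.
SAMPLE_FEATURES = {
    "dst_port_count": "high",
    "src_ip_count": "low",
    "packet_rate": "low",
    "source_subnet": "external",
}

if __name__ == "__main__":
    print(analyse(EARLY_WARNING_TREE, SAMPLE_FEATURES))
```

Raising on a missing feature or an unmatched value is deliberate: in an alerting pipeline a silent default leaf would hide exactly the inputs an operator most needs to look at.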
In a possible implementation manner of the first aspect, the training process of the decision tree includes:
Acquiring a training sample containing a plurality of abnormal features;
calculating the information gain of each abnormal feature in the training sample;
creating at least two branch nodes for the first abnormal feature, the one with the maximum information gain in the training sample, and dividing the training sample according to the first abnormal feature into a first subset corresponding to each branch node;
when a first subset still contains a plurality of abnormal features, creating at least two branch nodes for the second abnormal feature, the one with the maximum information gain among the features other than the first abnormal feature, as child nodes of the branch nodes created in the previous step, and dividing the first subset according to the second abnormal feature into second subsets corresponding to each branch node, repeating until the divided subset contains only one abnormal feature;
when a first subset contains only one abnormal feature, creating at least two leaf nodes for that abnormal feature as child nodes of the branch node created in the previous step.
In this scheme, the information gain of each abnormal feature is calculated; information gain measures how much the uncertainty of a random variable is reduced, so the abnormal feature with the maximum information gain is used as the dividing feature and the training sample is divided among the branch nodes, which makes the divided subsets purer and improves the prediction accuracy of the decision tree. Child nodes are then created below each branch node and the process is repeated; when no new dividing feature is produced, training of the decision tree is complete.
In a possible implementation manner of the first aspect, the information gain corresponding to each abnormal feature is calculated by the following formula:
where the terms of the formula are: the information gain of abnormal feature a in training sample D; the overall entropy of training sample D; the feature entropy of abnormal feature a under its i-th feature value; the number of samples in which abnormal feature a takes its i-th feature value; and the total number of samples in training sample D.
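The training steps above (gain per feature, split on the best feature, recurse on each subset) are carried out below on a small constructed table, as an added example written for this page rather than the patent's own code. The gain computed is the standard ID3 information gain, Gain(D, a) = Ent(D) - sum_i |D_i|/|D| * Ent(D_i), where D_i is the subset of D taking the i-th value of feature a; that is what the listed terms describe. The stopping rule used here (a subset is pure, or no feature is left) is the usual ID3 rule and is an assumption, as are the feature names, values and labels in the table.

```python
"""Information gain and ID3-style decision-tree training for the training
steps described above. Added example (Python), not the patent's own code;
the training table is constructed for illustration.
"""
from collections import Counter
from math import log2


def entropy(labels):
    """Shannon entropy (bits) of a label sequence."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(samples, feature, label="label"):
    """Ent(D) minus the size-weighted entropy of the subsets obtained by
    splitting on `feature`."""
    n = len(samples)
    total = entropy([s[label] for s in samples])
    conditional = 0.0
    for value in {s[feature] for s in samples}:
        subset = [s[label] for s in samples if s[feature] == value]
        conditional += len(subset) / n * entropy(subset)
    return total - conditional


def build_tree(samples, features, label="label"):
    """Recursive ID3 split: choose the feature with the largest gain, create
    one child per value of that feature, and recurse on each subset with
    the chosen feature removed. Returns ("leaf", label) or
    ("branch", feature, {value: child})."""
    labels = [s[label] for s in samples]
    if len(set(labels)) == 1:                 # pure subset: leaf node
        return ("leaf", labels[0])
    if not features:                          # nothing left to split on
        return ("leaf", Counter(labels).most_common(1)[0][0])
    best = max(features, key=lambda f: information_gain(samples, f, label))
    remaining = [f for f in features if f != best]
    children = {}
    for value in sorted({s[best] for s in samples}):
        subset = [s for s in samples if s[best] == value]
        children[value] = build_tree(subset, remaining, label)
    return ("branch", best, children)


# Constructed training table: discretised anomaly features -> anomaly type.
FEATURES = ["dst_port_count", "src_ip_count", "packet_rate"]
TRAINING_SAMPLES = [
    {"dst_port_count": "high", "src_ip_count": "low", "packet_rate": "low", "label": "port_scan"},
    {"dst_port_count": "high", "src_ip_count": "low", "packet_rate": "high", "label": "port_scan"},
    {"dst_port_count": "high", "src_ip_count": "high", "packet_rate": "low", "label": "distributed_scan"},
    {"dst_port_count": "high", "src_ip_count": "high", "packet_rate": "high", "label": "distributed_scan"},
    {"dst_port_count": "low", "src_ip_count": "low", "packet_rate": "high", "label": "flood"},
    {"dst_port_count": "low", "src_ip_count": "high", "packet_rate": "high", "label": "flood"},
    {"dst_port_count": "low", "src_ip_count": "low", "packet_rate": "low", "label": "normal"},
    {"dst_port_count": "low", "src_ip_count": "high", "packet_rate": "low", "label": "normal"},
]


def gains(samples=TRAINING_SAMPLES, features=FEATURES):
    """Information gain of every candidate feature on the full table."""
    return {f: information_gain(samples, f) for f in features}


if __name__ == "__main__":
    print(gains())
    print(build_tree(TRAINING_SAMPLES, FEATURES))
```

On this table the four labels are equally frequent, so Ent(D) is 2 bits; splitting on dst_port_count leaves two subsets of 1 bit each (gain 1.0), while either of the other features leaves 1.5-bit subsets (gain 0.5), so dst_port_count becomes the root and each side then splits on the feature that separates its remaining pair of labels.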
In a possible implementation manner of the first aspect, the connecting, by a sub-path, each of the branch nodes with at least two sub-nodes includes:
The branch node is connected with its child nodes through a logic gate; the logic gate comprises at least one of an AND gate, an OR gate, an exclusive-OR gate, a priority AND gate, an inhibit gate and a voting gate.
In this scheme, branch nodes are connected to their child nodes through logic gates, which makes the logical relationship between the nodes explicit and helps the analysis process of the abnormal behavior to be understood.
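The six gates named above are the ones used in fault-tree analysis. The added example below, written for this page and not taken from the patent, evaluates a small branch built from them: a priority AND gate that only fires when its inputs occur in order, an inhibit gate whose input passes only while a conditioning event holds, an exclusive-OR gate, and a 2-out-of-3 voting gate at the top. The event names, times and the tree shape are constructed assumptions; the gate semantics follow the standard fault-tree definitions.

```python
"""Evaluation of the logic gates named above, in the fault-tree sense: the
state of a branch node is derived from the states of the child nodes it is
connected to. Added example (Python), not the patent's code; the gate
semantics are the standard fault-tree ones and the event tree below is
constructed for illustration.

An event is {"fired": bool, "t": observation time or None}. A node is
("event", name) or ("gate", kind, [child nodes], params). A gate that fires
takes as its time the latest time among its fired inputs.
"""


def gate_priority_and(inputs, params):
    """All inputs fired, in the listed order (non-decreasing time)."""
    if not all(e["fired"] for e in inputs):
        return False
    times = [e["t"] for e in inputs]
    return all(a <= b for a, b in zip(times, times[1:]))


def gate_inhibit(inputs, params):
    """Input events pass only while the conditioning event (given as the
    last child) holds."""
    *events, condition = inputs
    return condition["fired"] and all(e["fired"] for e in events)


GATES = {
    "and": lambda ins, p: all(e["fired"] for e in ins),
    "or": lambda ins, p: any(e["fired"] for e in ins),
    "xor": lambda ins, p: sum(e["fired"] for e in ins) == 1,
    "pand": gate_priority_and,
    "inhibit": gate_inhibit,
    "vote": lambda ins, p: sum(e["fired"] for e in ins) >= p["k"],  # k-out-of-n
}


def evaluate(node, events):
    """Evaluate a node bottom-up against the observed events."""
    if node[0] == "event":
        return events[node[1]]
    _, kind, children, params = node
    inputs = [evaluate(child, events) for child in children]
    fired = GATES[kind](inputs, params)
    t = max((e["t"] for e in inputs if e["fired"]), default=None) if fired else None
    return {"fired": fired, "t": t}


# Constructed branch: "unauthorised control change" fires when at least two
# of three sub-conditions hold.
INTRUSION_SEQUENCE = ("gate", "pand", [
    ("event", "port_scan"),
    ("event", "new_admin_login"),
    ("event", "config_change"),
], {})
OUT_OF_WINDOW_MODE_CHANGE = ("gate", "inhibit", [
    ("event", "plc_mode_change"),
    ("event", "outside_maintenance_window"),   # conditioning event
], {})
UNEXPLAINED_CHANGE = ("gate", "xor", [
    ("event", "firmware_checksum_mismatch"),
    ("event", "config_change"),
], {})
UNAUTHORISED_CONTROL_CHANGE = ("gate", "vote", [
    INTRUSION_SEQUENCE, OUT_OF_WINDOW_MODE_CHANGE, UNEXPLAINED_CHANGE,
], {"k": 2})

# Constructed observations for one analysis window.
OBSERVED = {
    "port_scan":                  {"fired": True,  "t": 10},
    "new_admin_login":            {"fired": True,  "t": 25},
    "config_change":              {"fired": True,  "t": 40},
    "firmware_checksum_mismatch": {"fired": False, "t": None},
    "plc_mode_change":            {"fired": True,  "t": 55},
    "outside_maintenance_window": {"fired": True,  "t": 0},
}

if __name__ == "__main__":
    print(evaluate(UNAUTHORISED_CONTROL_CHANGE, OBSERVED))
```

The ordering check in the priority AND gate is what distinguishes an intrusion sequence (scan, then new login, then configuration change) from the same three events in an order that tells a different story; the inhibit gate is the natural place to encode "during a maintenance window this is expected".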
In a possible implementation manner of the first aspect, the step of obtaining the target anomaly analysis result according to the information of the reached leaf node includes:
determining the information of the leaf node reached in each of the decision trees as the target anomaly analysis result.
In this scheme, the decision trees of the early warning tree model are independent of one another and each outputs a result for one particular anomaly analysis requirement, so the number of decision trees can be chosen according to actual requirements, and the early warning tree model as a whole can carry a larger data volume and adapt to various analysis requirements.
In a second aspect, an embodiment of the present application provides a network abnormal behavior detection and analysis device for the nuclear power industry, which is characterized in that the device includes:
the acquisition module is used for acquiring nuclear power network data;
The extraction module is used for extracting target abnormal characteristics from the nuclear power network data;
The analysis module is used for inputting the target abnormal characteristics into the early warning tree model to obtain a target abnormal analysis result output by the early warning tree model. The early warning tree model comprises a plurality of decision trees with association relationships; each decision tree comprises a plurality of nodes, the nodes comprising branch nodes and leaf nodes; each branch node is connected with at least two child nodes through sub-paths, the child nodes being branch nodes or leaf nodes; and a leaf node of a first decision tree is connected through a sub-path with a branch node of a second decision tree that has an association relationship with it. The early warning tree model divides the target abnormal characteristics along the sub-paths until they reach a leaf node, and the target abnormal analysis result is obtained from the information of the leaf node reached.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the network abnormal behavior detection analysis method for the nuclear power industry according to any one of the first aspects when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium, where a computer program is stored, where the computer program when executed by a processor implements the network abnormal behavior detection and analysis method for the nuclear power industry according to any one of the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer program product which, when run on a terminal device, causes the terminal device to execute the network abnormal behavior detection and analysis method for the nuclear power industry according to any one of the first aspects.
It will be appreciated that the advantages of the second to fifth aspects may be found in the relevant description of the first aspect, and are not described here again.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments or in the description of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic flow chart of a network abnormal behavior detection and analysis method for the nuclear power industry provided by an embodiment of the application;
FIG. 2 is a schematic diagram of an early warning tree model according to an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating connection of decision trees of an early warning tree model according to another embodiment of the present application;
FIG. 4 is a schematic flow chart of step S13 in a method for detecting and analyzing abnormal network behavior for nuclear power industry according to an embodiment of the present application;
Fig. 5 is a schematic flow chart of step S131 in step S13 in a network abnormal behavior detection and analysis method for the nuclear power industry according to an embodiment of the present application;
FIG. 6 is a flow chart of a training decision tree according to another embodiment of the present application;
FIG. 7 is a schematic structural diagram of a network abnormal behavior detection and analysis device for nuclear power industry according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as the particular system architecture, techniques, etc., in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in the present description and the appended claims, the term "if" may be interpreted as "when", "once", "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted, depending on the context, as "upon determining", "in response to determining", "upon detecting the [described condition or event]" or "in response to detecting the [described condition or event]".
Furthermore, the terms "first," "second," "third," and the like in the description of the present specification and in the appended claims, are used for distinguishing between descriptions and not necessarily for indicating or implying a relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
The embodiment of the application provides a schematic flow chart of a network abnormal behavior detection and analysis method for the nuclear power industry. The nuclear power industry mainly relies on the industrial internet for interconnection in order to realize industrial control. With the application of digital technology, informatization and industrialization have become deeply fused in the nuclear power industry, and key operations such as data exchange, remote control, monitoring and early warning are now performed over the internet or over dedicated high-performance network systems. High-speed data transmission and remote control greatly improve the efficiency and convenience of nuclear power operations, but at the same time the threat of network attack increases, because the control systems of the nuclear power industry are connected to more and more other business information systems. Network attacks can affect the availability, integrity and confidentiality of software and data, thereby adversely affecting the operation of related equipment in the nuclear power industry and even threatening nuclear safety, so the network security problem of the nuclear power industry deserves attention.
Network security in the nuclear power industry is a highly specialized field. Most abnormal behavior detection requires professional network security personnel to manage and maintain it on the basis of experience, and when such personnel are in short supply, the analysis of some abnormal behaviors may be neither timely nor accurate. The nuclear power industry is an important component of modern industry, network technology develops very rapidly, and the traditional approach of having network experts detect and analyze network abnormal behavior manually can no longer meet the requirement; intelligent detection and analysis technology is needed to automate the detection and analysis of network abnormal behavior. Therefore, drawing on the experience of experts in fault analysis and judgment in the nuclear power industry, an early warning tree model is established to comprehensively analyze the abnormal phenomena occurring in the nuclear power industry.
Of course, the embodiments of the present application are not limited to the nuclear power industry; they can also be applied to other important industrial control sectors such as transportation and water conservancy. Fig. 1 shows, by way of example and not limitation, the network abnormal behavior detection and analysis method for the nuclear power industry provided by the application, which may include the following steps:
s11, nuclear power network data are obtained.
The nuclear power network data is the data related to the network abnormal behavior to be detected and analyzed in the nuclear power industry. Specifically, the nuclear power network data includes at least one of network traffic data, equipment operation data and log data.
S12, extracting target abnormal characteristics from nuclear power network data.
The target abnormal characteristic is a characteristic of the network abnormal behavior. In one possible implementation, the network abnormal behavior in the nuclear power network data is the network behavior corresponding to an attack event, and the target abnormal characteristic includes at least one of the attack time, the attack source address, the victim address, the identity information of the attacker, the tools used by the attacker, the attack route and the attack behavior characteristics, where the attack behavior characteristics may include the number of data packet bytes, the data packet flow, the number of destination ports, the number of source subnets of the data flow, the number of source ports, the number of source IPs, the flow distribution and the like.
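The attack behavior characteristics listed above are counts and distributions that can be computed from flow records per victim and per time window. The added example below, written for this page and not taken from the patent, computes them from a few constructed flow records and then discretises the counts into the categorical values a decision tree branches on. The flow-record layout, the sample records and the thresholds are assumptions; thresholds in particular must be tuned per site.

```python
"""Extraction of the attack-behaviour characteristics listed above (packet
bytes, packet count, number of destination ports, number of source subnets,
number of source ports, number of source IPs, traffic distribution, plus the
attack time, attack source and victim address) from flow records, followed
by discretisation into the feature values a decision tree branches on.

Added example (Python), not the patent's code. The flow-record layout and
the sample records are constructed for illustration; the thresholds are
placeholders to be tuned per site.
"""
from collections import Counter
from ipaddress import ip_network

# Constructed flow records:
# (timestamp, src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    (1000, "10.1.5.23", 51000, "10.2.0.7", 22, 2, 120),
    (1000, "10.1.5.23", 51001, "10.2.0.7", 23, 2, 120),
    (1001, "10.1.5.23", 51002, "10.2.0.7", 80, 2, 120),
    (1001, "10.1.5.23", 51003, "10.2.0.7", 443, 2, 120),
    (1002, "10.1.5.23", 51004, "10.2.0.7", 502, 2, 120),
    (1005, "10.1.9.4", 40211, "10.2.0.7", 502, 12, 960),
    (1003, "10.1.9.4", 40210, "10.2.0.9", 502, 12, 960),
]


def subnet_of(ip, prefix=24):
    """Summarise a source address to its /prefix network."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def extract_features(flows, victim):
    """Aggregate all flows aimed at `victim` into one feature record.
    Returns None when no flow targets the victim."""
    hits = [f for f in flows if f[3] == victim]
    if not hits:
        return None
    by_dst_port = Counter(f[4] for f in hits)
    return {
        "victim": victim,
        "attack_sources": sorted({f[1] for f in hits}),
        "first_seen": min(f[0] for f in hits),
        "last_seen": max(f[0] for f in hits),
        "packet_count": sum(f[5] for f in hits),
        "byte_count": sum(f[6] for f in hits),
        "dst_port_count": len(by_dst_port),
        "src_ip_count": len({f[1] for f in hits}),
        "src_port_count": len({f[2] for f in hits}),
        "src_subnet_count": len({subnet_of(f[1]) for f in hits}),
        # share of flows per destination port, most-hit port first
        "flow_distribution": {p: c / len(hits) for p, c in by_dst_port.most_common()},
    }


# Placeholder thresholds (assumed, not from the patent): a count at or above
# the threshold is "high", otherwise "low".
THRESHOLDS = {"dst_port_count": 4, "src_ip_count": 2, "src_subnet_count": 2, "packet_count": 100}


def discretise(features, thresholds=THRESHOLDS):
    """Map the numeric counts to the categorical values a decision tree
    branches on; fields without a threshold are left out."""
    return {k: ("high" if features[k] >= v else "low") for k, v in thresholds.items()}


if __name__ == "__main__":
    record = extract_features(FLOWS, "10.2.0.7")
    print(record)
    print(discretise(record))
```

The sample shows the shape such a record takes for a host that was probed on five ports from one address and then contacted on the Modbus port (502) from a second subnet: many destination ports and two source subnets but a small packet count, which is the signature a type tree would separate from a volumetric flood.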
S13, inputting the target abnormal characteristics into the early warning tree model to obtain a target abnormal analysis result output by the early warning tree model.
By way of example and not limitation, FIG. 2 illustrates an early warning tree model that includes a plurality of decision trees, each decision tree including a plurality of nodes. Referring to FIG. 2, the nodes of each decision tree include branch nodes and leaf nodes; each branch node is connected with at least two child nodes through sub-paths, and those child nodes are branch nodes or leaf nodes.
Among the decision trees, there are decision trees that have association relationships with one another, and such decision trees can be connected. An association relationship mainly means that the information in the leaf nodes of the two decision trees stands in a condition-to-conclusion relationship. Specifically, the association relationship may be a causal relationship: if a causal relationship exists between two decision trees, the decision tree whose leaf node information is the cause is taken as the first decision tree, the decision tree whose leaf node information is the effect is taken as the second decision tree, and the leaf node of the first decision tree is connected through a sub-path to the associated branch node of the second decision tree, so that once the leaf node information of the first decision tree is obtained it is passed into the second decision tree and the leaf node information of the second decision tree is obtained from it. The early warning tree model divides the target abnormal characteristics along the sub-paths until they reach leaf nodes, and obtains the target abnormal analysis result from the information of the leaf nodes reached.
According to the network abnormal behavior detection analysis method for the nuclear power industry, abnormal behavior analysis is conducted on nuclear power network data through the decision trees in the early warning tree model, multiple analysis requirements can be met, different decision trees with association relations are connected, analysis results among the different decision trees can be mutually referred, repeated analysis processes can be reduced, analysis workload is reduced, and analysis accuracy of the early warning tree model can be improved.
In one possible implementation of step S13, the association relationship may also be a correlation relationship: if there is a correlation between two decision trees, meaning that a different result from either decision tree causes a regular change in the result of the other, then the two decision trees may serve as first and second decision tree for each other; that is, each decision tree combines the current input state with the output of the other decision tree, performs a new output evaluation on that basis, and updates its leaf node information.
It should be noted that more than two decision trees may have association relationships. As shown in fig. 2, by way of example and not limitation, among three connected decision trees the middle decision tree may serve as the result of the preceding decision tree and as the cause of the following one.
Each decision tree in the early warning tree model may be a first decision tree or a second decision tree, and independent decision trees may of course also exist in the early warning tree model. Specifically, the association relationship between any two decision trees in the early warning tree model can be determined in turn: if the leaf-node information of one decision tree and the leaf-node information of the other stand in a condition-conclusion relation, the leaf node of the one decision tree is connected to the branch node of the other through a sub-path; if no association relationship exists between them, the two decision trees are not connected.
In one possible implementation of step S13, the information of each leaf node may represent the abnormal analysis result at a single level. For example, the abnormal analysis result may include results at several levels, such as the abnormality type, the cause of the abnormality, the degree of influence of the abnormality, how the abnormality changes over time, and the handling strategy for the abnormality, and the leaf-node information of each decision tree corresponds to the result at one of these levels.
In one possible implementation of step S13, the leaf-node information of different decision trees may be the same, that is, the same analysis result may be reached from different abnormal features and by different analysis routes. A suitable decision tree may be selected according to actual requirements to analyze the input abnormal features, or several such decision trees may analyze the input abnormal features together, after which the decision trees are cross-checked against one another using the leaf-node information each of them obtained.
In one possible implementation of step S13, the information of the leaf nodes reached in each of the plurality of decision trees is determined as the target abnormal analysis result. Specifically, the target abnormal feature is input to the branch nodes of the initial level of each decision tree. If, for one decision tree, the target abnormal feature matches a branch node, matching continues with the other branch nodes of that decision tree until a leaf node is reached and its information obtained. If that leaf node is connected to a branch node of another decision tree, the other decision tree is traversed to obtain its leaf-node information, and so on. The target abnormal analysis result is obtained from the information of the leaf nodes of all decision trees in the early warning tree model that the target abnormal feature matched.
In the network abnormal behavior detection and analysis method for the nuclear power industry, each decision tree of the early warning tree model is independent and outputs the result for one particular abnormal analysis requirement, so the number of decision trees can be determined according to actual requirements, and the early warning tree model as a whole can carry a larger data volume and adapt to a variety of analysis requirements.
It should be noted that the early warning tree model can be regarded as a large rule analysis library for the nuclear power industry, covering the various abnormal analysis rules involved in network abnormality detection and analysis in that industry; the decision tree algorithm automatically matches and applies the corresponding abnormal analysis rules, so as to provide accurate and timely abnormal analysis results.
Specifically, the decision trees may be used for knowledge representation, which refers to expressing knowledge understood by people as a data structure that a machine can process. Knowledge in the embodiments of the present application refers to the various abnormal analysis rules compiled from expert experience in the nuclear power industry, that is, the abnormal analysis rules of the nuclear power industry are represented in the form of decision trees.
In one possible implementation of step S13, the branch nodes and sub-paths of a decision tree represent the condition part of an abnormal analysis rule, and the leaf nodes represent its conclusion part. When the target abnormal feature is divided along the sub-paths until a leaf node is reached, the combination of the nodes and sub-paths traversed represents one abnormal analysis rule.
Optionally, a branch node is connected to its child nodes through a logic gate; the logic gates include at least one of an AND gate, an OR gate, an exclusive-OR gate, a priority AND gate, an inhibit gate, and a voting gate.
Illustratively, with an AND gate, branch node A and branch node B must both satisfy their conditions to act together on child node C. With an OR gate, branch node A and branch node B are in an OR relationship: if either satisfies its condition, it acts on child node C. With an exclusive-OR gate, child node C is acted on when exactly one of branch node A and branch node B satisfies its condition, not when both do or neither does. With a priority AND gate, branch node A and branch node B must both satisfy their conditions, and must do so in a specified order (for example A before B), to act on child node C. With an inhibit gate, branch node A acts on child node C only while an additional conditioning event holds; otherwise A is prevented from acting on C. With a voting gate, child node C is acted on when at least a predetermined number of the N branch nodes satisfy their conditions.
In this scheme, different branch nodes are connected through logic gates, which makes the logical relationship between nodes explicit and helps in understanding the analysis process of the abnormal behavior.
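The gate semantics above, as an added illustration that is not part of the patent (the patent names the six gate types but does not formalize them; the definitions below follow the usual fault-tree conventions, which is an assumption). The feature record, the child-node names and the thresholds are constructed for the example.

```python
"""Logic-gate evaluation between branch nodes and a child node.

Added illustration, not code from the patent. Gate semantics are the
conventional fault-tree ones (assumption); the feature record is constructed.
"""
from typing import Dict, Sequence


def and_gate(inputs: Sequence[bool]) -> bool:
    """All branch conditions must hold for child node C to be reached."""
    return all(inputs)


def or_gate(inputs: Sequence[bool]) -> bool:
    """Any one branch condition suffices."""
    return any(inputs)


def xor_gate(a: bool, b: bool) -> bool:
    """Exactly one of the two branch conditions holds."""
    return a != b


def inhibit_gate(a: bool, enabling_condition: bool) -> bool:
    """A propagates to C only while the conditioning event holds."""
    return a and enabling_condition


def voting_gate(inputs: Sequence[bool], k: int) -> bool:
    """k-out-of-N: C is reached when at least k branch conditions hold."""
    return sum(1 for c in inputs if c) >= k


def priority_and_gate(events: Dict[str, float], order: Sequence[str]) -> bool:
    """All named events occurred, and their timestamps follow `order`."""
    if any(name not in events for name in order):
        return False
    stamps = [events[name] for name in order]
    return all(earlier < later for earlier, later in zip(stamps, stamps[1:]))


# Constructed feature record for one host on an OT network segment.
SAMPLE = {
    "failed_logins": 14,          # count in the last five minutes
    "new_source_ip": True,        # source never seen in the behaviour baseline
    "off_hours": False,
    "maintenance_window": False,  # conditioning event for the inhibit gate
    "events": {"port_scan": 100.0, "plc_write": 160.0},  # seconds since start of capture
}


def evaluate(rec: Dict) -> Dict[str, bool]:
    """Evaluate each gate on the record; keys are hypothetical child-node names."""
    brute = rec["failed_logins"] >= 10
    indicators = [brute, rec["new_source_ip"], rec["off_hours"]]
    return {
        # credential attack: at least two of three indicators (voting gate, k=2)
        "credential_attack": voting_gate(indicators, 2),
        # a PLC write is only abnormal outside a maintenance window (inhibit gate)
        "unexpected_write": inhibit_gate("plc_write" in rec["events"], not rec["maintenance_window"]),
        # reconnaissance must precede the write (priority AND gate)
        "recon_then_write": priority_and_gate(rec["events"], ["port_scan", "plc_write"]),
        "single_indicator": xor_gate(brute, rec["new_source_ip"]),
        "any_indicator": or_gate(indicators),
        "all_indicators": and_gate(indicators),
    }


if __name__ == "__main__":
    for node, reached in evaluate(SAMPLE).items():
        print(f"{node}: {'reached' if reached else 'not reached'}")
```

The priority AND gate is the one that carries ordering information, so it takes event timestamps rather than booleans; the other five gates operate on the already-evaluated branch conditions.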
In one possible implementation of step S11, the nuclear power network data may refer to data on the network, equipment, systems, applications and the like over a period of time before certain network abnormal events occurred in the nuclear power industry. By analyzing this data, the network transmission patterns, equipment operating patterns or operating rules that preceded the network abnormal events are obtained, so that early warning can be given before a subsequent network abnormal event occurs, and potential safety hazards are effectively eliminated.
In one possible implementation of step S11, the nuclear power network data may also refer to data on the network, equipment, systems, applications and the like over a period of time after certain network abnormal events occurred in the nuclear power industry. By analyzing this data, the development trend and the degree of influence of the network abnormal events are obtained, so that handling strategies, such as the handling priority of the various network abnormal events and the handling method for each, can subsequently be determined, ensuring timely recovery of the whole nuclear power network.
Optionally, the implementation of step S11 includes collecting equipment operating state data with various sensors (for example temperature, pressure, vibration and flow sensors); collecting network traffic data through a network mirror (port mirroring), the network data including the communication between devices; and collecting log files from devices, systems or applications, the log files recording system operations and abnormal behavior.
Because the nuclear power network data come from different data sources, in one possible implementation a real-time data synchronization technique is used to ensure that the nuclear power network data from the different sources can be integrated in real time. Real-time synchronization ensures the timeliness and integrity of the nuclear power network data, which is particularly important for data analysis in the nuclear power industry.
Optionally, step S11 is followed by preprocessing of the nuclear power network data. Specifically, the preprocessing includes data cleaning and data normalization. Data cleaning removes duplicate entries, corrects erroneous data, fills in missing values and so on, thereby improving data quality and ensuring the accuracy of subsequent analysis. Data normalization scales data to a uniform range or distribution, for example Z-score (standard score) normalization or Min-Max (range) normalization, so that data of different magnitudes and distributions become comparable.
Optionally, the preprocessing of the nuclear power network data further includes associating data from different sources. By way of example and not limitation, the spatio-temporal characteristics of the nuclear power network data are mined to obtain the spatio-temporal relationships among nuclear power network data from different times, different locations and different devices, and the data from different sources are associated through these relationships. For example, the spatio-temporal feature information extracted from the alarm information of device D may indicate that the point from which the attacker launched the attack lies in a first area, and the spatio-temporal feature information extracted from the alarm information of device E may indicate that its attack was also launched from the first area; it can then be presumed that the two attacks came from the same attacker, so the alarm information of device D and the alarm information of device E can be analyzed together.
Of course, this embodiment is not limited to association based on spatio-temporal characteristics; data fusion may also be performed through a neural network so as to associate nuclear power network data from different sources.
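The device D / device E association described above, as an added example that is not the patent's own code. The alarm line format (timestamp, device=, area=, src=, msg=), the ten-minute window and the rule that alarms launched from the same area within that window are chained are assumptions; the alarm lines themselves are constructed.

```python
"""Spatio-temporal association of alarms from different sources.

Added example, not the patent's own code. The alarm line format and the
ten-minute window are assumptions; the alarm lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=10)  # assumed: alarms this close in time are candidates

# Constructed alarms: device D (IDS on the control segment), device E
# (engineering workstation) and device F (historian). 'area' is the zone
# from which the attack was launched, as extracted from each alarm.
ALARMS = [
    "2024-03-01T02:14:05 device=D area=zone1 src=10.0.5.7 msg=modbus write to unauthorised register",
    "2024-03-01T02:16:40 device=E area=zone1 src=10.0.5.7 msg=repeated authentication failure",
    "2024-03-01T02:17:02 device=F area=zone3 src=10.0.9.2 msg=bulk historian export",
    "2024-03-01T05:30:00 device=D area=zone1 src=10.0.5.7 msg=port scan of PLC range",
]


def parse(line: str) -> Dict:
    """Split one alarm line into a record; msg= is last and may contain spaces."""
    ts, *fields = line.split(" ", 4)
    rec = {"time": datetime.fromisoformat(ts)}
    for item in fields:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def correlate(lines: List[str]) -> List[List[Dict]]:
    """Group alarms launched from the same area whose times chain within WINDOW.

    Only groups spanning more than one device are returned, since the purpose
    is to associate data coming from different sources."""
    records = sorted((parse(line) for line in lines), key=lambda r: r["time"])
    chains: Dict[str, List[List[Dict]]] = defaultdict(list)
    for rec in records:
        groups = chains[rec["area"]]
        if groups and rec["time"] - groups[-1][-1]["time"] <= WINDOW:
            groups[-1].append(rec)   # same area, close in time: extend the chain
        else:
            groups.append([rec])     # start a new chain for this area
    result = []
    for groups in chains.values():
        result.extend(g for g in groups if len({r["device"] for r in g}) > 1)
    return result


def summarize(group: List[Dict]) -> Dict:
    """Condensed view of one associated group for the analyst or the next stage."""
    sources = {r["src"] for r in group}
    return {
        "area": group[0]["area"],
        "devices": sorted({r["device"] for r in group}),
        "sources": sorted(sources),
        "span_seconds": (group[-1]["time"] - group[0]["time"]).total_seconds(),
        "same_attacker_presumed": len(sources) == 1,
    }


if __name__ == "__main__":
    for group in correlate(ALARMS):
        print(summarize(group))
```

On the constructed input the 02:14 alarm from D and the 02:16 alarm from E are chained through zone1, while the later zone1 alarm at 05:30 and the zone3 alarm remain unassociated.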
Optionally, fig. 3 shows a schematic of the connections among a plurality of decision trees in the early warning tree model. Specifically, the plurality of decision trees includes an abnormality type analysis decision tree, an abnormality cause analysis decision tree connected to the abnormality type analysis decision tree, and an abnormality handling strategy analysis decision tree connected to both the abnormality type analysis decision tree and the abnormality cause analysis decision tree.
Alternatively, the abnormality type analysis decision tree may use Boolean logic to combine low-level events from the top down in order to analyze undesired conditions in the system. The abnormal behavior detection method based on learning with the early warning tree model may also select various attribute features of the network from massive logs and traffic metadata to learn normal behavior, construct a normal-behavior baseline model for users and entities, identify abnormal behavior through the deviation between observed values and the baseline, judge network behavior whose deviation exceeds a threshold to be an abnormal behavior event, and determine the abnormality type of each abnormal behavior event from the deviations of the different attribute features.
Optionally, the abnormality cause analysis decision tree can reason forward from an initial event in chronological order to identify the hazard source. It represents, as a tree diagram, the logical relationship between an accident and each cause leading to it, finds the main causes of the accident, and provides a reliability basis for determining safety countermeasures, so that accidents can be predicted and prevented.
Optionally, the abnormality handling strategy analysis decision tree can qualitatively and quantitatively analyze the security state and weak points of the current network, give response countermeasures and predict the development trend of the network security state. By giving early warning of enterprise security threats and risks, asset threats, equipment faults, network vulnerabilities and the like are grasped from a global perspective, process operations are triggered automatically, and the customer is helped to establish a rapid response mechanism with one-click blocking of security threats.
In one possible implementation, step S13 is implemented using the early warning tree model shown in fig. 3, and referring to fig. 4, one implementation of step S13 may include:
S131, determining the target abnormality type according to the target abnormality characteristics.
S132, determining a target abnormality reason according to the target abnormality characteristics and the target abnormality type.
S133, determining a target abnormality processing strategy according to the target abnormality characteristics, the target abnormality type and the target abnormality reason.
In the network abnormal behavior detection and analysis method for the nuclear power industry, the type of the abnormal behavior, the cause that produced it and the strategy for handling it are determined in turn by the abnormality type analysis decision tree, the abnormality cause analysis decision tree and the abnormality handling strategy analysis decision tree, so that abnormal behavior is judged and handled in a timely manner through an integrated automatic process.
It should be noted that the abnormality type analysis decision tree, the abnormality cause analysis decision tree and the abnormality handling strategy analysis decision tree of this embodiment are only some of the decision trees in the early warning tree model, which may further include decision trees for other analysis purposes, for example an abnormal behavior statistical analysis decision tree. That tree may count the increasing and decreasing trends of abnormal events of the different abnormality types, the durations of abnormalities, the proportions of the different abnormality causes, and the recovery of the network after different abnormality handling strategies were applied. The abnormal behavior statistical analysis decision tree helps with protecting against and remediating network abnormal behavior in advance, improving the reliability of the nuclear power network.
Optionally, taking the abnormality type analysis decision tree as an example to illustrate the analysis process of a decision tree, as shown in fig. 5, one implementation of step S131 may include the following steps:
S1311, searching a target branch node from branch nodes of the abnormal type analysis decision tree.
Each branch node corresponds to an abnormal feature, and the abnormal feature corresponding to the target branch node is matched with the target abnormal feature.
S1312, traversing each level of the abnormality type analysis decision tree according to the feature value of the target abnormal feature, and determining a target child node among the at least two child nodes of the target branch node at the current level.
S1313, judging whether the target child node is a target branch node, if so, returning to the step S1312; if not, go to step S1314.
S1314, judging whether the target child node is a leaf node, if so, executing a step S1315; if not, outputting prompt information for indicating the search failure.
S1315, determining the target abnormal type according to the information of the target child node.
Referring to the decision tree in fig. 1, each node of the decision tree lies at one level of the tree structure. Taking one branch node as an example, if it lies at level A of the decision tree, its two child nodes lie at level B, the next level below A. A level may be used to indicate that branch nodes are grouped: the abnormal features corresponding to the branch nodes at one level belong to the same group, so the branch nodes at each level are nodes that can be compared with one another.
In the network abnormal behavior detection and analysis method for the nuclear power industry, the branch nodes of the abnormality type analysis decision tree represent abnormal features and its leaf nodes represent abnormality types; the decision tree relates abnormal features to abnormality types, so searching the decision tree is the analysis process for the abnormality type. The target abnormality type is determined simply by matching the target abnormal features and their feature values against the abnormal features and feature values of the branch nodes of the abnormality type analysis decision tree, starting from the initial level, until a leaf node is reached.
Optionally, step S1311 may be implemented by starting from the first level of the abnormality type analysis decision tree, matching the target abnormal feature against the abnormal feature of each branch node at the current level, taking the next level as the current level once it can be reached, and repeating the matching, so that the branch nodes of each level are searched in turn for the target branch node. The nuclear power network data may contain several abnormal behavior events of different abnormality types, so the target branch node found at each level may be one or several.
Optionally, step S1312 may be implemented by selecting, according to the feature value of the target abnormal feature, one of the sub-paths leading downward from the branch node of the abnormality type analysis decision tree, so as to reach the branch node or leaf node of the next level through the selected sub-path.
Optionally, after step S1314, when the target child node reached through the selected sub-path is neither a target branch node nor a leaf node, the target child node lacks a known condition and it cannot be determined which sub-path should be taken next, so a prompt is output indicating that the path search failed. It should be noted that this can happen because an error occurred when extracting the target abnormal feature from the nuclear power network data, so that the abnormal feature corresponding to the target child node was omitted; because an error occurred in selecting a sub-path, sending the search in the wrong direction; or because the knowledge in the abnormality type analysis decision tree itself is insufficient and an abnormality type has appeared that the decision tree cannot analyze. The error can be corrected accordingly, for example by re-extracting the target abnormal feature from the nuclear power network data, re-checking the branch nodes of the abnormality type analysis decision tree, or updating the abnormality type analysis decision tree, and then determining the target abnormality type in the nuclear power network data from the target abnormal feature again.
Optionally, the analysis processes of the abnormality cause analysis decision tree and the abnormality handling strategy analysis decision tree are essentially the same as that of the abnormality type analysis decision tree. The only difference is at the start: the abnormality type obtained by the abnormality type analysis decision tree is used as one of the abnormal features of the abnormality cause analysis decision tree and of the abnormality handling strategy analysis decision tree, and is input to them together with the target abnormal features obtained from the original nuclear power network data; likewise, the abnormality cause obtained by the abnormality cause analysis decision tree is used as one of the abnormal features of the abnormality handling strategy analysis decision tree.
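The chained traversal of steps S131 to S133, including the search-failure case of step S1314, as an added example that is not the patent's code. The three trees and their feature names, values and leaf labels are hypothetical rule content standing in for the expert rules the patent describes, and the input records are constructed; the sub-path from one tree's leaf to the next tree's root branch node is modelled by passing the leaf information into the feature set under a new feature name.

```python
"""Early warning tree model: three chained rule decision trees.

Added example, not the patent's code. Tree contents, feature names and leaf
labels are hypothetical; the input records are constructed.
"""
from typing import Dict, List, Tuple


def branch(feature: str, **children: Dict) -> Dict:
    """Branch node: tests `feature`; each keyword is a sub-path labelled by a value."""
    return {"feature": feature, "children": children}


def leaf(info: str) -> Dict:
    """Leaf node carrying the conclusion part of a rule."""
    return {"leaf": info}


# Hypothetical abnormality type analysis decision tree.
TYPE_TREE = branch("protocol",
    modbus=branch("function",
        write=branch("src_baseline",
            unknown=leaf("unauthorised_control_write"),
            known=leaf("operator_write")),
        read=leaf("polling")),
    ssh=branch("failed_logins_high",
        yes=leaf("credential_brute_force"),
        no=leaf("remote_admin")))

# Hypothetical abnormality cause analysis decision tree; its root branch node
# tests the leaf information handed over from TYPE_TREE.
CAUSE_TREE = branch("anomaly_type",
    unauthorised_control_write=branch("src_segment",
        it=leaf("it_ot_boundary_breach"),
        ot=leaf("compromised_engineering_host")),
    credential_brute_force=leaf("exposed_management_service"))

# Hypothetical abnormality handling strategy analysis decision tree.
POLICY_TREE = branch("anomaly_cause",
    it_ot_boundary_breach=leaf("block_at_boundary_firewall_and_isolate_source"),
    compromised_engineering_host=leaf("isolate_host_and_rebuild_from_known_image"),
    exposed_management_service=leaf("rate_limit_and_rotate_credentials"))

# Tree order, with the feature name under which each tree's leaf information
# is passed to the later trees (the sub-path from leaf to the next root).
MODEL = [("anomaly_type", TYPE_TREE), ("anomaly_cause", CAUSE_TREE), ("handling_policy", POLICY_TREE)]


def traverse(tree: Dict, features: Dict) -> Tuple[str, List[Tuple[str, str]]]:
    """Descend from the root along the sub-path chosen by each feature value.

    Returns (leaf information, path taken). Raises LookupError when the branch
    node reached needs a feature that is absent or has no matching sub-path,
    which is the 'search failed' prompt of step S1314."""
    node, path = tree, []
    while "leaf" not in node:
        feat = node["feature"]
        if feat not in features:
            raise LookupError(f"search failed: feature '{feat}' missing after {path}")
        value = str(features[feat])
        if value not in node["children"]:
            raise LookupError(f"search failed: no sub-path for {feat}={value} after {path}")
        path.append((feat, value))
        node = node["children"][value]
    return node["leaf"], path


def analyse(features: Dict) -> Dict:
    """Run the chained trees; a failure in one tree stops the chain and is reported."""
    feats, result = dict(features), {}
    for key, tree in MODEL:
        try:
            info, _path = traverse(tree, feats)
        except LookupError as err:
            result["search_failed"] = str(err)
            break
        result[key] = info
        feats[key] = info  # leaf information of this tree feeds the next tree
    return result


if __name__ == "__main__":
    # Constructed target abnormal features extracted from nuclear power network data.
    print(analyse({"protocol": "modbus", "function": "write", "src_baseline": "unknown", "src_segment": "it"}))
    print(analyse({"protocol": "ssh", "failed_logins_high": "yes"}))
    print(analyse({"protocol": "modbus", "function": "write"}))  # src_baseline was not extracted
```

The third record reproduces the failure mode discussed for step S1314: the feature the next branch node needs was never extracted, so the search stops at that node and reports which feature is missing rather than guessing a sub-path. A record that reaches a leaf of the type tree but has no matching sub-path in the cause tree fails in the same way, which corresponds to the cause tree's knowledge being insufficient for that abnormality type.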
In one possible implementation, the network abnormal behavior detection and analysis method for the nuclear power industry provided by this embodiment further includes training the decision trees. Referring to fig. 6, the training process of a decision tree includes:
S21, acquiring a training sample containing various abnormal characteristics.
S22, calculating the information gain corresponding to each abnormal characteristic.
S23, creating at least two branch nodes for the first abnormal feature, the one with the largest information gain in the training sample, and dividing the training sample according to the first abnormal feature into a first subset corresponding to each branch node.
S24, judging whether the first subset still contains several abnormal features; if so, performing step S25 and then step S26; if not, performing step S26.
S25, creating at least two branch nodes for the second abnormal feature, the one with the largest information gain among the features other than the first, as child nodes of the branch nodes created previously, and dividing the first subset according to the second abnormal feature into a second subset corresponding to each branch node, repeating until the divided subset contains only one abnormal feature.
S26, creating at least two leaf nodes for that abnormal feature, as child nodes of the branch nodes created previously.
In particular, training a decision tree is essentially a process of repeatedly dividing the training sample into optimal subsets using a feature selection criterion: each division of the training sample should yield the optimal subsets, so that the resulting decision tree structure is optimal. The feature selection criteria used in generating the decision tree are mainly information gain and information entropy, that is, whether each division of the training sample is optimal is measured by information gain and information entropy.
Optionally, one implementation of step S22 includes calculating the information gain corresponding to each of the abnormal features by the following formula:
where the quantities in the formula are: the information gain of abnormal feature a on training sample D; the overall entropy of training sample D; the feature entropy of abnormal feature a under its i-th feature value; the number of samples in which abnormal feature a takes its i-th feature value; and the number of samples in training sample D.
Information gain is the difference between the information entropy before and after the training sample is divided by a certain feature attribute. If the entropy before division is called the overall entropy and the entropy after division the feature entropy, the overall entropy is constant while the feature entropy varies with the feature chosen: the smaller the feature entropy, the smaller the uncertainty of the subsets obtained by dividing on the current feature, that is, the larger the difference between the overall entropy and the feature entropy, the lower the uncertainty remaining in the training sample. The difference in information entropy before and after division (the information gain) can therefore be used to measure how well the current feature attribute divides the training sample.
During training of a decision tree it is always desirable to reach a division of the training sample with lower uncertainty as quickly as possible, so that the resulting decision tree classifies better; therefore the abnormal feature with the largest information gain is usually chosen to divide the current training sample.
In the network abnormal behavior detection and analysis method for the nuclear power industry, the information gain of each abnormal feature is calculated; information gain expresses how much the uncertainty of a random variable is reduced. The abnormal feature with the largest information gain is used as the dividing feature, and the training sample corresponding to each branch node is divided so that the resulting subsets are purer, which improves the prediction accuracy of the decision tree. Several child nodes are created under the branch nodes, the process is repeated, and when no new dividing feature is produced the training of the decision tree is complete.
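The training procedure of steps S21 to S26 and the information gain criterion described above, carried through on a small constructed training sample. This is an added example, not the patent's code: it implements the gain-driven splitting in its ID3 form (an assumption, since the patent does not name the algorithm), and the feature names, feature values and abnormality type labels are constructed. The gain is computed exactly as the text defines it: the overall entropy of D minus the sample-count-weighted feature entropy under each value of the feature.

```python
"""Training a rule decision tree by information gain (steps S21 to S26).

Added example, not the patent's code. ID3-style splitting is an assumption;
the training sample and its feature and label names are constructed.
"""
from collections import Counter
from math import log2
from typing import Dict, List

FEATURES = ["protocol", "function", "src_known", "failed_logins"]

# Constructed training sample D: abnormal features plus the abnormality type label.
SAMPLES = [
    {"protocol": "modbus", "function": "write", "src_known": "no",  "failed_logins": "low",  "label": "unauthorised_write"},
    {"protocol": "modbus", "function": "write", "src_known": "no",  "failed_logins": "low",  "label": "unauthorised_write"},
    {"protocol": "modbus", "function": "write", "src_known": "yes", "failed_logins": "low",  "label": "operator_write"},
    {"protocol": "modbus", "function": "read",  "src_known": "yes", "failed_logins": "low",  "label": "polling"},
    {"protocol": "modbus", "function": "read",  "src_known": "no",  "failed_logins": "low",  "label": "polling"},
    {"protocol": "ssh",    "function": "login", "src_known": "no",  "failed_logins": "high", "label": "brute_force"},
    {"protocol": "ssh",    "function": "login", "src_known": "yes", "failed_logins": "low",  "label": "remote_admin"},
    {"protocol": "ssh",    "function": "login", "src_known": "no",  "failed_logins": "high", "label": "brute_force"},
]


def entropy(labels: List[str]) -> float:
    """Information entropy of a label multiset, in bits."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(samples: List[Dict], feature: str) -> float:
    """Overall entropy of D minus the |D_i|/|D|-weighted feature entropy under each value of `feature`."""
    overall = entropy([s["label"] for s in samples])
    by_value: Dict[str, List[str]] = {}
    for s in samples:
        by_value.setdefault(s[feature], []).append(s["label"])
    weighted = sum(len(g) / len(samples) * entropy(g) for g in by_value.values())
    return overall - weighted


def build_tree(samples: List[Dict], features: List[str]) -> Dict:
    """S23 to S26: split on the largest-gain feature until each subset is pure."""
    labels = [s["label"] for s in samples]
    if len(set(labels)) == 1:                       # pure subset: create a leaf node
        return {"leaf": labels[0]}
    if not features:                                # no feature left: majority-label leaf
        return {"leaf": Counter(labels).most_common(1)[0][0]}
    best = max(features, key=lambda f: information_gain(samples, f))
    remaining = [f for f in features if f != best]
    node = {"feature": best, "children": {}}
    for value in sorted({s[best] for s in samples}):   # one branch node and sub-path per value
        subset = [s for s in samples if s[best] == value]
        node["children"][value] = build_tree(subset, remaining)
    return node


def classify(tree: Dict, record: Dict) -> str:
    """Follow the sub-paths chosen by the record's feature values to a leaf."""
    node = tree
    while "leaf" not in node:
        node = node["children"][record[node["feature"]]]
    return node["leaf"]


if __name__ == "__main__":
    for f in FEATURES:
        print(f"gain({f}) = {information_gain(SAMPLES, f):.4f}")
    tree = build_tree(SAMPLES, FEATURES)
    print(tree)
    print(classify(tree, {"protocol": "modbus", "function": "write", "src_known": "no", "failed_logins": "low"}))
```

On this sample the overall entropy is 2.25 bits and `function` has the largest gain, so it becomes the root branch node; the `read` sub-path is already pure and ends in a leaf immediately, while `write` and `login` are split once more on a second feature, which is the S24/S25 loop of the text.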
It should be understood that the sequence numbers of the steps in the foregoing embodiment do not imply an order of execution; the order in which the processes are executed should be determined by their function and internal logic, and does not limit the implementation of the embodiments of the present application.
Corresponding to the network abnormal behavior detection and analysis method for the nuclear power industry described in the above embodiments, fig. 7 shows a structural block diagram of the network abnormal behavior detection and analysis device for the nuclear power industry provided by the embodiment of the present application, and for convenience of explanation, only the portion relevant to the embodiment of the present application is shown.
Referring to fig. 7, the network abnormal behavior detection and analysis device for the nuclear power industry includes:
an acquisition module 31, configured to acquire nuclear power network data;
an extraction module 32, configured to extract the target abnormal features from the nuclear power network data; and
an analysis module 33, configured to input the target abnormal features into the early warning tree model and obtain the target abnormal analysis result output by the early warning tree model.
As shown in fig. 2, the early warning tree model includes a plurality of decision trees, each decision tree includes a plurality of nodes, the nodes include branch nodes and leaf nodes, each branch node is connected through sub-paths to at least two child nodes, each of which is a branch node or a leaf node, and the leaf node of a first decision tree among the plurality of decision trees is connected through a sub-path to the branch node of a second decision tree that is associated with that leaf node. The early warning tree model divides the target abnormal feature along the sub-paths until a leaf node is reached, and obtains the target abnormal analysis result from the information of the leaf nodes reached.
Optionally, as shown in fig. 3, the plurality of decision trees includes:
an abnormality type analysis decision tree, for determining the target abnormality type according to the target abnormal features;
an abnormality cause analysis decision tree, connected to the abnormality type analysis decision tree, for determining the target abnormality cause according to the target abnormal features and the target abnormality type; and
an abnormality handling strategy analysis decision tree, connected to the abnormality type analysis decision tree and the abnormality cause analysis decision tree, for determining the target abnormality handling strategy according to the target abnormal features, the target abnormality type and the target abnormality cause.
In some embodiments of the present application, taking the abnormality type analysis decision tree as an example, the analysis module 33 includes: a searching unit, configured to search for target branch nodes among the branch nodes of the abnormality type analysis decision tree, where each branch node corresponds to one abnormal feature and the abnormal feature corresponding to a target branch node matches the target abnormal feature; a matching unit, configured to traverse each level of the abnormality type analysis decision tree according to the feature value of the target abnormal feature and determine a target child node among the at least two child nodes of the target branch node at the current level; a first determining unit, configured to, when the target child node is a target branch node, continue determining a new target child node among the at least two child nodes of that target child node until the new target child node is a leaf node; and a second determining unit, configured to determine the target abnormality type according to the information of the target child node when the target child node is a leaf node.
In some embodiments of the present application, the decision trees are trained by: an acquisition unit, configured to acquire a training sample containing several abnormal features; a computing unit, configured to compute the information gain corresponding to each abnormal feature; a first creating unit, configured to create at least two branch nodes for the first abnormal feature, the one with the largest information gain in the training sample, and divide the training sample according to the first abnormal feature into a first subset corresponding to each branch node; a second creating unit, configured to, when the first subset still contains several abnormal features, create at least two branch nodes for the second abnormal feature, the one with the largest information gain among the features other than the first, as child nodes of the branch nodes created previously, and divide the first subset according to the second abnormal feature into a second subset corresponding to each branch node, until the divided subset contains only one abnormal feature; and a third creating unit, configured to, when the first subset contains only one abnormal feature, create at least two leaf nodes for that abnormal feature as child nodes of the branch nodes created previously.
In some embodiments of the present application, the information gain corresponding to each of the anomaly characteristics is calculated by the following formula:
where the quantities in the formula are: the information gain of abnormal feature a on training sample D; the overall entropy of training sample D; the feature entropy of abnormal feature a under its i-th feature value; the number of samples in which abnormal feature a takes its i-th feature value; and the number of samples in training sample D.
Optionally, in the analysis module 33, a branch node is connected to its child nodes through a logic gate; the logic gates include at least one of an AND gate, an OR gate, an exclusive-OR gate, a priority AND gate, an inhibit gate, and a voting gate.
In some embodiments of the present application, the analysis module 33 is further configured to determine, as the target anomaly analysis result, information of leaf nodes reached by each of the plurality of decision trees.
It should be noted that, because the information exchange and execution process among the above devices/units are based on the same concept as the method embodiments of the present application, their specific functions and technical effects can be found in the method embodiment section and are not repeated here.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 8, the electronic apparatus 4 of this embodiment includes: at least one processor 40 (only one shown in fig. 8), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40, the steps in one embodiment of a network anomaly detection and analysis method for the nuclear power industry described above are implemented when the processor 40 executes the computer program 42.
The electronic device 4 may be a computing device such as a desktop computer, a notebook computer, a palm computer, and a cloud server. The electronic device 4 may include, but is not limited to, a processor 40, a memory 41. It will be appreciated by those skilled in the art that fig. 8 is merely an example of the electronic device 4 and is not meant to be limiting of the electronic device 4, and may include more or fewer components than shown, or may combine certain components, or may include different components, such as input-output devices, network access devices, etc.
The processor 40 may be a central processing unit (Central Processing Unit, CPU); the processor 40 may also be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 41 may in some embodiments be an internal storage unit of the electronic device 4, such as a hard disk or a memory of the electronic device 4. In other embodiments the memory 41 may also be an external storage device of the electronic device 4, such as a plug-in hard disk provided on the electronic device 4, a smart media card (Smart Media Card, SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), etc. Further, the memory 41 may include both an internal storage unit and an external storage device of the electronic device 4. The memory 41 is used to store an operating system, application programs, a boot loader (BootLoader), data and other programs, such as the program code of the computer program. The memory 41 may also be used to temporarily store data that has been output or is to be output.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the steps in the embodiment of the network abnormal behavior detection and analysis method for the nuclear power industry when being executed by a processor.
The embodiment of the application also provides a computer program product which, when run on a mobile terminal, causes the mobile terminal to perform the steps in the embodiment of the network abnormal behavior detection and analysis method for the nuclear power industry.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present application may implement all or part of the flow of the method of the above embodiments by a computer program instructing the related hardware; the computer program may be stored in a computer readable storage medium, and when executed by a processor it implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, some intermediate form, etc. The computer readable medium may include at least: any entity or device capable of carrying computer program code to a photographing device/terminal apparatus, a recording medium, computer memory, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), electrical carrier signals, telecommunications signals, and software distribution media, such as a U-disk, removable hard disk, magnetic disk or optical disk. In some jurisdictions, in accordance with legislation and patent practice, computer readable media may not include electrical carrier signals and telecommunications signals.
Each of the foregoing embodiments emphasizes different aspects; for details not described or illustrated in a particular embodiment, reference may be made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other manners. For example, the apparatus/network device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.
Claims (10)
1. The network abnormal behavior detection and analysis method for the nuclear power industry is characterized by comprising the following steps of:
Acquiring nuclear power network data;
extracting target abnormal characteristics from the nuclear power network data;
Inputting the target abnormal characteristics into an early warning tree model to obtain a target abnormal analysis result output by the early warning tree model; the early warning tree model comprises a plurality of decision trees, each decision tree comprises a plurality of nodes, each node comprises a branch node and a leaf node, each branch node is connected with at least two sub-nodes through sub-paths, the at least two sub-nodes are the branch nodes or the leaf nodes, and the leaf nodes of a first decision tree in the decision trees and the branch nodes of a second decision tree in association with the first decision tree are connected through sub-paths; the early warning tree model is used for dividing the target abnormal characteristics along the sub-paths until the target abnormal characteristics reach leaf nodes, and the target abnormal analysis result is obtained according to the information of the reached leaf nodes.
2. The nuclear power industry oriented network anomaly detection analysis method of claim 1, wherein the plurality of decision trees comprises:
the anomaly type analysis decision tree is used for determining a target anomaly type according to the target anomaly characteristic;
The abnormality cause analysis decision tree is connected with the abnormality type analysis decision tree and is used for determining a target abnormality cause according to the target abnormality characteristic and the target abnormality type;
and the exception handling policy analysis decision tree is connected with the exception type analysis decision tree and the exception cause analysis decision tree and is used for determining a target exception handling policy according to the target exception characteristics, the target exception type and the target exception cause.
3. The method for detecting and analyzing network abnormal behavior oriented to the nuclear power industry according to claim 2, wherein the step of determining the target abnormal type according to the target abnormal feature comprises the following steps:
Searching a target branch node from the branch nodes of the abnormal type analysis decision tree; each branch node corresponds to an abnormal feature, and the abnormal feature corresponding to the target branch node is matched with the target abnormal feature;
Traversing each level of the anomaly type analysis decision tree according to the characteristic value of the target anomaly characteristic, and determining a target sub-node in at least two sub-nodes of the target branch node of the current level;
When the target child node is the target branch node, continuing to determine a new target child node in at least two child nodes of the target child node until the new target child node is the leaf node;
and when the target child node is the leaf node, determining the target abnormal type according to the information of the target child node.
4. The method for detecting and analyzing abnormal network behaviors towards the nuclear power industry according to claim 1, wherein the training process of the decision tree comprises the following steps:
Acquiring a training sample containing a plurality of abnormal characteristics;
calculating the information gain corresponding to each abnormal feature;
Creating at least two branch nodes for the first abnormal feature with the maximum information gain in the training sample, and dividing the training sample into a first subset corresponding to each branch node according to the first abnormal feature;
when the first subset has multiple abnormal features, creating at least two branch nodes for the second abnormal feature with the maximum information gain among the features other than the first abnormal feature, as child nodes of the branch nodes created in the previous time, and dividing the first subset into second subsets corresponding to each branch node according to the second abnormal feature, until the divided subsets have only one abnormal feature;
When the first subset only has one abnormal feature, at least two leaf nodes are created for the abnormal feature and serve as child nodes of the branch node created in the previous time.
5. The nuclear power industry oriented network abnormal behavior detection analysis method according to claim 4, wherein the information gain corresponding to each abnormal feature is calculated by the following formula:
wherein the terms denote, respectively, the information gain of the abnormal feature a in the training sample D, the overall entropy of the training sample D, the feature entropy of the abnormal feature a under the ith feature value, the number of samples of the abnormal feature a at the ith feature value, and the number of samples of the training sample D.
6. The method for detecting and analyzing abnormal network behavior in the nuclear power industry according to claim 1, wherein the step of connecting each branch node with at least two sub-nodes through sub-paths comprises:
The branch node is connected with the child node through a logic gate; the logic gate comprises at least one of an AND gate, an OR gate, an exclusive OR gate, a priority AND gate, a forbidden gate and a voting gate.
7. The method for detecting and analyzing abnormal network behaviors towards the nuclear power industry according to claim 1, wherein the step of obtaining the target abnormal analysis result according to the information of the reached leaf node comprises the following steps:
and determining the information of the leaf nodes reached by each of the decision trees as the target anomaly analysis result.
8. A network abnormal behavior detection and analysis apparatus for the nuclear power industry, characterized by comprising:
the acquisition module is used for acquiring nuclear power network data;
The extraction module is used for extracting target abnormal characteristics from the nuclear power network data;
The analysis module is used for inputting the target abnormal characteristics into the early warning tree model to obtain a target abnormal analysis result output by the early warning tree model; the early warning tree model comprises a plurality of decision trees with association relations, each decision tree comprises a plurality of nodes, each node comprises a branch node and a leaf node, each branch node is connected with at least two sub-nodes through sub-paths, the at least two sub-nodes are the branch nodes or the leaf nodes, and the leaf node of a first decision tree in the plurality of decision trees is connected with the branch node of a second decision tree with association relations through the sub-paths; the early warning tree model is used for dividing the target abnormal characteristics along the sub-paths until the target abnormal characteristics reach leaf nodes, and the target abnormal analysis result is obtained according to the information of the reached leaf nodes.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the network anomaly detection analysis method for the nuclear power industry of any one of claims 1 to 7 when the computer program is executed.
10. A computer-readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the network anomaly detection and analysis method for nuclear power industry according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410928414.4A CN118487872B (en) | 2024-07-11 | 2024-07-11 | Nuclear power industry-oriented network abnormal behavior detection and analysis method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118487872A true CN118487872A (en) | 2024-08-13 |
CN118487872B CN118487872B (en) | 2024-10-01 |
Family
ID=92195294
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410928414.4A Active CN118487872B (en) | 2024-07-11 | 2024-07-11 | Nuclear power industry-oriented network abnormal behavior detection and analysis method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118487872B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119052003A (en) * | 2024-11-01 | 2024-11-29 | 湖北能源集团西北新能源发展有限公司 | Data security and network security monitoring system and method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100628329B1 (en) * | 2005-07-30 | 2006-09-27 | 한국전자통신연구원 | Apparatus and method for generating attack behavior detection rule for network session characteristic information |
CN111935063A (en) * | 2020-05-28 | 2020-11-13 | 国网电力科学研究院有限公司 | System and method for monitoring abnormal network access behavior of terminal equipment |
CN116582417A (en) * | 2023-07-14 | 2023-08-11 | 腾讯科技(深圳)有限公司 | Data processing method, device, computer equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN118487872B (en) | 2024-10-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |