IBNAD:一种基于交互的5G核心网网络功能异常检测模型

现有 5G(5th Generation Mobile Communication Technology)核心网异常检测主要基于信令流量深度解析, 但较少利用核心网网络功能交互关系的作用。针对上述问题, 提出一种基于交互的 5G 核心网网络功能异常检测模型。首先, 该模型以行为分析为驱动, 基于信令流量和网络功能注册数据提取多维属性, 通过行为画像来表征网络功能行为模式, 并采用集成学习算法RFECV(Recursive Feature Elimination with Cross-Validation)进行属性特征选择, 降低特征维度的同时筛选出与区分网络功能行为模式高度相关的属性特征。然后, 模型基于网络功能交互关系对核心网进行图建模, 建模后的图数据融合了网络功能属性信息和交互信息。最后, 模型通过基于空间域的图卷积网络聚合邻域节点属性信息和结构信息来融合行为模式特征, 新生成的节点表示用于分类, 从而将核心网网络功能异常检测问题转化为图节点分类问题。通过在 free5GC 仿真平台上采集数据, 并在搭建的异常检测系统中的实验表明, 该模型的异常检测性能优于基于属性特征分析的传统机器学习模型、基于结构特征分析的图嵌入模型及部分 5G 核心网异常检测模型。10%数据集作为训练集时, 所提模型的准确率比支持向量机模型提高 6.6%, 比Struc2vec 模型提高 13%, 比深度神经网络模型提高 8%。

IBNAD: An Interaction-based Model for Anomaly Detection of Network Function in 5G Core Network

The existing 5G (5th Generation Mobile Communication Technology) core network anomaly detection is mainly based on the deep analysis of signaling traffic. However, the existing researches seldom consider the interaction of core network functions. Aiming at the above problems, an interaction-based model for anomaly detection of network function in 5G core network is proposed. First of all, driven by behavior analysis, this model extracts multidimensional attributes based on signaling traffic and network function registration data, and characterizes the network function behavior mode through behavior portraits. In addition, the model also uses the integrated learning algorithm RFECV (Recursive Feature Elimination with Cross Validation) to select attribute features, so as to reduce the feature dimension and screen out the attribute features highly related to the differentiated network function behavior mode. Then, the core network is modeled as a graph based on the network function interaction relationship, and the graph structure data after modeling integrates the network function attribute information and interaction information. Finally, this model uses graph convolution network based on spatial domain to aggregate attribute information and structure information of neighborhood nodes to fuse behavior pattern features. The newly generated node representation is used for classification, thereby transforming the core network function anomaly detection problem into the graph node classification problem. Through the data collection on the free5GC simulation platform and the experiments in the built anomaly detection system, it is shown that the anomaly detection performance of this model is superior to the traditional machine learning model based on attribute feature analysis, graph embedding model based on structural feature analysis and some 5G core network anomaly detection models. When 10% of the data set is used as the training set, the accuracy of the proposed model is higher than that of support vector. The machine model is improved by 6.6%, 13% higher than the Struc2vec model, and 8% higher than the deep neural network model.