基于OOD技术的网络告警日志高置信度研判方法

doi:10.3969/j.issn.1671-1122.2026.04.010

摘要/Abstract

摘要：

针对网络探针产生的大量误报问题，文章提出一种基于OOD技术的网络告警日志高置信度研判方法。该方法通过构建距离、标签一致性和模型分数多维度置信度区间，结合 BPE 分词与轻量模型优化告警特征提取策略，并设计高可信样本的长短期迭代优化机制，在保障模型研判准确度与可解释性的同时，实现低开销的自动化安全运营支持。实验结果表明，在真实 SQL 注入告警数据集上，该方法的参数量仅为传统深度学习模型的 1%以下，高置信区间内准确率达0.973，此时的样本覆盖率为 66%。此外，由于该方法本身的可迭代优化机制，使得模型仅完成一次迭代，即可在全量数据上实现 0.965 的整体研判准确率，显著补齐了初始状态下高置信区间外的样本研判短板，适用于复杂动态的网络安全运营场景。

关键词: 告警日志, OOD检测, 置信度区间, 攻击研判, 自动化安全运营

Abstract:

To address the issue of a large number of false positives generated by network probes, this paper proposed a high-confidence assessment method for network alarm logs based on OOD technology. This method optimized the alarm feature extraction strategy by constructing a multi-dimensional confidence interval encompassing distance, label consistency, and model score, and combining with BPE tokenization and lightweight models. It also designd a long-short-term iterative optimization mechanism for high-confidence samples to achieve low-overhead automated security operation support while ensuring the accuracy and interpretability of model judgment. Experimental results show that on real SQL injection alarm datasets, the number of parameters of this method is less than 1% of that of traditional deep learning models, the accuracy within the high-confidence interval reaches 0.973, and the sample coverage rate is 66%. Furthermore, the inherent iterative optimization mechanism of the proposed method enables the model to achieve an overall judgment accuracy of 0.965 on the full dataset with only one single iteration. This significantly remedies the deficiency in the judgment of samples falling outside the high-confidence interval in the initial state, and renders the method highly applicable to complex and dynamic cybersecurity operation scenarios.

Key words: alarm logs, OOD detection, confidence interval, attack judgment, automated security operations

中图分类号:

TP309

舒展, 马依兰, 聂凯峰, 李宗鹏. 基于OOD技术的网络告警日志高置信度研判方法[J]. 信息网络安全, 2026, 26(4): 626-641.

SHU Zhan, MA Yilan, NIE Kaifeng, LI Zongpeng. A High-Confidence Assessment Method for Network Alarm Logs Based on OOD Technology[J]. Netinfo Security, 2026, 26(4): 626-641.

图/表 9

图1

表1

表2

图2

表3

图3

表4

表5

表6

参考文献 44

[1]	WANG Tao, PANG Ruowei, WANG Xu, et al. Assessment of Network Security Alerts Based on Expert Experience[J]. IEEE Access, 2025, 13: 64783-64795.
[2]	WANG Jiantao, HE Caifeng, LIU Yijun, et al. Efficient Alarm Behavior Analytics for Telecom Networks[J]. Information Sciences, 2017, 402: 1-14.
[3]	LI Shudong, QIN Danyi, WU Xiaobo, et al. False Alert Detection Based on Deep Learning and Machine Learning[J]. International Journal on Semantic Web and Information Systems, 2022, 18(1): 1-21.
[4]	GUPTA N, JINDAL V, BEDI P. CSE-IDS: Using Cost-Sensitive Deep Learning and Ensemble Algorithms to Handle Class Imbalance in Network-Based Intrusion Detection Systems[EB/OL].(2021-10-17)[2025-08-20]. https://www.sciencedirect.com/science/article/abs/pii/S0167404821003230.
[5]	WU Yirui, WEI Dabao, FENG Jun. Network Attacks Detection Methods Based on Deep Learning Techniques: A Survey[EB/OL].(2020-08-28)[2025-08-20]. https://onlinelibrary.wiley.com/doi/full/10.1155/2020/8872923?msockid=3c0328803ab8642936ab3c6f3bde65aa.
[6]	LI Luning, HERRERA M, MUKHERJEE A, et al. Predictive Alarm Models for Improving Radio Access Network Robustness[EB/OL].(2025-01-01)[2025-08-20]. https://dl.acm.org/doi/10.1016/j.eswa.2024.125312.
[7]	GUAN Lei, HU Guangjun, WANG Zhuan. Research on Network Security Situational Awareness Technology Based on Big Data[J]. Netinfo Security, 2016, 16(9): 45-50.
	管磊, 胡光俊, 王专. 基于大数据的网络安全态势感知技术研究[J]. 信息网络安全, 2016, 16(9):45-50.
[8]	GUO Wei, QIU Han, LIU Zimian, et al. GLD-Net: Deep Learning to Detect DDoS Attack via Topological and Traffic Feature Fusion[EB/OL].(2022-08-16)[2025-08-20]. https://pmc.ncbi.nlm.nih.gov/articles/PMC9398712/.
[9]	WANG Yalu, HAN Zhijie, LI Jie, et al. BS-GAT Behavior Similarity Based Graph Attention Network for Network Intrusion Detection[J].(2023-04-07)[2025-08-20]. https://arxiv.org/abs/2304.07226.
[10]	DONG Boxiang, CHEN Zhengzhang, WANG Hui, et al. GID: Graph-Based Intrusion Detection on Massive Process Traces for Enterprise Security Systems[EB/OL].(2016-08-08)[2025-08-20]. https://arxiv.org/abs/1608.02639.
[11]	WEI Chuyuan, NIU Jianwei, GUO Yanyan. DLGNN: A Double-Layer Graph Neural Network Model Incorporating Shopping Sequence Information for Commodity Recommendation[J]. Sensors and Materials, 2020, 32(12): 4379-4392.
[12]	JIANG Kui, LU Lufan, SU Yaoyang, et al. SHDoS Attack Detection Research Based on Attention-GRU[J]. Netinfo Security, 2024, 24(3): 427-437.
	江魁, 卢橹帆, 苏耀阳, 等. 基于Attention-GRU的SHDoS攻击检测研究[J]. 信息网络安全, 2024, 24(3): 427-437.
[13]	ALTAF T, WANG Xu, NI Wei, et al. NE-GConv: A Lightweight Node Edge Graph Convolutional Network for Intrusion Detection[EB/OL].(2023-05-06)[2025-08-20]. https://www.sciencedirect.com/science/article/abs/pii/S0167404823001955.
[14]	XU Peng, LU Guangyue, LI Yuxin, et al. EE-GCN: A Graph Convolutional Network Based Intrusion Detection Method for IIoT[C]// IEEE. 2023 5th International Conference on Natural Language Processing (ICNLP). New York: IEEE, 2023: 338-344.
[15]	LI Yi, CHEN Guo, DONG Zhaoyang. Multi-View Graph Contrastive Representative Learning for Intrusion Detection in EV Charging Station[EB/OL].(2025-05-01)[2025-08-20]. https://www.sciencedirect.com/science/article/pii/S0306261925001692#sec2.
[16]	WU Yafeng, XIE Yulai, LIAO Xuelong, et al. Paradise: Real-Time, Generalized, and Distributed Provenance-Based Intrusion Detection[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(2): 1624-1640.
[17]	HU Xiaoyan, GAO Wenjie, CHENG Guang, et al. Toward Early and Accurate Network Intrusion Detection Using Graph Embedding[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 5817-5831.
[18]	HU Jianwei, ZHAO Wei, YAN Zheng, et al. Analysis and Implementation of SQL Injection Vulnerability Mining Technology Based on Machine Learning[J]. Netinfo Security, 2019, 19(11): 36-42.
	胡建伟, 赵伟, 闫峥, 等. 基于机器学习的SQL注入漏洞挖掘技术的分析与实现[J]. 信息网络安全, 2019, 19(11):36-42.
[19]	DEMILIE W B, DERIBA F G. Detection and Prevention of SQLI Attacks and Developing Compressive Framework Using Machine Learning and Hybrid Techniques[EB/OL].(2022-12-30)[2025-09-01]. https://doi.org/10.1186/s40537-022-00678-0.
[20]	OUDAH M, MARHUSIN M F. SQL Injection Detection Using Machine Learning: A Review[J]. Malaysian Journal of Science Health & Technology, 2024, 4(10): 39-49.
[21]	PHAM B A, VINITHA H S. An Experimental Setup for Detecting SQLi Attacks Using Machine Learning Algorithms[EB/OL].(2020-12-01)[2025-09-01]. https://cisse.info/journal/index.php/cisse/article/view/124.
[22]	FAROOQ U. Ensemble Machine Learning Approaches for Detection of SQL Injection Attack[J]. Tehnički Glasnik, 2021, 15(1): 112-120.
[23]	OUDAH M A, MOHD F M, ANVAR N. SQL Injection Detection Using Machine Learning with Different TF-IDF Feature Extraction Approaches[C]// Springer. International Conference on Information Systems and Intelligent Applications. Heidelberg: Springer, 2022: 707-720.
[24]	TRILOKA J, HARTONO H, SUTEDI S. Detection of SQL Injection Attack Using Machine Learning Based on Natural Language Processing[EB/OL].(2022-08-25)[2025-09-01]. https://www.researchgate.net/publication/362895356_Detection_of_SQL_Injection_Attack_Using_Machine_Learning_Based_On_Natural_Language_Processing.
[25]	OLALERE M. A Naïve Bayes Based Pattern Recognition Model for Detection and Categorization of Structured Query Language Injection Attack[J]. International Journal of Cyber-Security and Digital Forensics, 2018, 7(2): 189-199.
[26]	AKINSOLA J E T, EFIONG J E, OLAJUBU E A, et al. Artificial Intelligence-Based Model for Data Security and Mitigation against SQL Injection Attacks in Web Applications[C]// IEEE. 2023 International Conference on Electrical, Computer and Energy Technologies (ICECET). New York: IEEE, 2023: 1-7.
[27]	ALKHATHAMI J M, SABAH M A. Detection of SQL Injection Attacks Using Machine Learning in Cloud Computing Platform[EB/OL]. [2025-09-01]. https://www.semanticscholar.org/paper/DETECTION-OF-SQL-INJECTION-ATTACKS-USING-MACHINE-IN-Alkhathami-Alzahrani/8c86ebb40e992f4aedd65f99c8961a76b100d506.
[28]	AZMAN M A, MARHUSIN M F, SULAIMAN R. Machine Learning-Based Technique to Detect SQL Injection Attack[J]. Journal of Computer Science, 2021, 17(3): 296-303.
[29]	ALGHAWAZI M, ALGHAZZAWI D, ALARIFI S. Detection of SQL Injection Attack Using Machine Learning Techniques: A Systematic Literature Review[J]. Journal of Cybersecurity and Privacy, 2022, 2(4): 764-777.
[30]	ABDULMALIK Y. An Improved SQL Injection Attack Detection Model Using Machine Learning Techniques[J]. International Journal of Innovative Computing, 2021, 11(1): 53-57.
[31]	HENDRYCKS D, GIMPEL K. A Baseline for Detecting Misclassified and Out-of-Distribution Examples in Neural Networks[EB/OL].(2018-10-03)[2025-09-01]. https://arxiv.org/abs/1610.02136.
[32]	LIANG Shiyu, LI Yixuan, SRIKANT R. Enhancing the Reliability of Out-of-Distribution Image Detection in Neural Networks[EB/OL].(2020-08-30)[2025-09-01]. https://arxiv.org/abs/1706.02690.
[33]	LIU Weitang, WANG Xiaoyun, OWENS J D, et al. Energy-Based Out-of-Distribution Detection[EB/OL].(2021-04-26)[2025-09-01]. https://arxiv.org/abs/2010.03759.
[34]	SUN Yiyou, GUO Chuan, LI Yixuan. ReAct: Out-of-Distribution Detection with Rectified Activations[EB/OL].(2021-11-24)[2025-09-01]. https://arxiv.org/abs/2111.12797.
[35]	DENOUDEN T, SALAY R, CZARNECKI K, et al. Improving Reconstruction Autoencoder Out-of-Distribution Detection with Mahalanobis Distance[EB/OL].(2018-12-06)[2025-09-01]. https://arxiv.org/abs/1812.02765.
[36]	SUN Yiyou, MING Yifei, ZHU Xiaojin, et al. Out-of-Distribution Detection with Deep Nearest Neighbors[C]// PMLR. The 39th International Conference on Machine Learning. New York: PMLR, 2022: 20827-20840.
[37]	PENG Bo, LUO Yadan, ZHANG Yonggang, et al. ConjNorm: Tractable Density Estimation for Out-of-Distribution Detection[EB/OL].(2024-02-27)[2025-09-01]. https://arxiv.org/abs/2402.17888.
[38]	MU Fangzhou, LIANG Yingyu, LI Yin. Gradients as Features for Deep Representation Learning[EB/OL].(2020-04-12)[2025-09-01]. https://arxiv.org/abs/2004.05529.
[39]	HUANG Rui, GENG A, LI Yixuan. On the Importance of Gradients for Detecting Distributional Shifts in the Wild[EB/OL].(2021-10-01)[2025-09-01]. https://arxiv.org/abs/2110.00218.
[40]	MOLCHANOV P, MALLYA A, TYREE S, et al. Importance Estimation for Neural Network Pruning[C]// IEEE. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). New York: IEEE, 2019: 11256-11264.
[41]	RAVI V, CHAGANTI R, ALAZAB M. Recurrent Deep Learning-Based Feature Fusion Ensemble Meta-Classifier Approach for Intelligent Network Intrusion Detection System[EB/OL].(2022-06-17)[2025-09-01]. https://www.sciencedirect.com/science/article/abs/pii/S0045790622004037.
[42]	REN Pengzhen, XIAO Yun, CHANG Xiaojun, et al. A Survey of Deep Active Learning[J]. ACM Computing Surveys, 2022, 54(9): 1-40.
[43]	SANH V, DEBUT L, CHAUMOND J, et al. DistilBERT, A Distilled Version of BERT: Smaller, Faster, Cheaper and Lighter[EB/OL].(2020-03-01)[2025-09-01]. https://arxiv.org/abs/1910.01108.
[44]	JOULIN A, GRAVE E, BOJANOWSKI P, et al. Bag of Tricks for Efficient Text Classification[C]// ACL. The 15th Conference of the European Chapter of the Association for Computational Linguistics (EACL). Stroudsburg: ACL, 2017: 427-431.

数据集	SQL 注入类别数 /种	样本数量
数据集	SQL 注入类别数 /种	样本总数/条	黑样本数量/条	白样本数量/条
数据集 1	370	10200	8160	2040
数据集 2	262	3050	2440	610
数据集 3	207	2980	2384	596
数据集 4	318	3020	2416	604
数据集 5	380	2950	2360	590

方法	指标1	指标2	指标3
本文方法	42.00%	8.81%	88.33%
ConjNorm	44.87%	11.10%	82.76%
ODIN	51.31%	10.35%	79.46%
Energy-Based	45.11%	10.29%	75.24%
MSP	82.33%	12.14%	76.28%
马氏距离	85.67%	12.27%	76.56%

采样迭代方法	置信区间内样本占比	区间内准确率	区间内精确率	区间内召回率
无迭代	47.14%	0.945	0.990	0.935
迭代（随机采样100条）	48.24%	0.946	0.991	0.935
迭代（本文方法采样100条）	50.74%	0.948	0.992	0.938
迭代（全部数据2980条）	53.96%	0.952	0.992	0.944

场景	一致性	距离	模型分数	全部数据准确率	置信区间占比	置信区间准确率
木马后门通信	0.4	0.90	0.83/0.27	0.983	96.84%	0.952
远程代码/ 命令执行	0.6	0.54	0.62/0.38	0.933	95.02%	0.954
未授权访问/ 越权访问	0.6	0.68	0.72/0.28	0.892	94.92%	0.937
内网隧道或敏感命令执行	0.6	0.80	0.70/0.30	0.938	96.64%	0.955
全场景	0.4	0.46	0.64/0.36	0.913	89.51%	0.946

方法	置信区间样本占比	区间内准确率	区间内精确率	区间内召回率
整体方法	88.33%	0.951	0.984	0.942
w/o 一致性	96.13%	0.914	0.944	0.921
w/o 距离	88.52%	0.950	0.984	0.940
w/o 模型分数	90.59%	0.949	0.981	0.940