CN102176698A - Method for detecting abnormal behaviors of user based on transfer learning - Google Patents
Method for detecting abnormal behaviors of user based on transfer learning Download PDFInfo
- Publication number
- CN102176698A CN102176698A CN2010106137457A CN201010613745A CN102176698A CN 102176698 A CN102176698 A CN 102176698A CN 2010106137457 A CN2010106137457 A CN 2010106137457A CN 201010613745 A CN201010613745 A CN 201010613745A CN 102176698 A CN102176698 A CN 102176698A
- Authority
- CN
- China
- Prior art keywords
- user
- behavior
- sample
- training
- sample set
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method for detecting abnormal behaviors of a user based on transfer learning, comprising the following steps: (1) acquiring network data and carrying out corresponding characteristic extraction on network behaviors of an current user; (2) detecting coarse abnormal behaviors based on extracted characteristics; and (3) firstly adopting an off-line training mode to establish a normal behavior model of the user based on a transfer learning method, and then using an on-line detection mode to judge whether the behaviors of the exiting user are abnormal events in accordance with the trained normal behavior model.
Description
Technical field
The present invention relates to a kind of user's abnormal behaviour detection method, exactly, relate to a kind of network user's abnormal behaviour detection method, belong to the user behavior analysis of the network information and the field of information security technology of application thereof based on transfer learning.
Background technology
Along with the develop rapidly of network technology and application, the Internet presents characteristics such as complexity, isomery day by day, and current network architecture exposes serious deficiency, and network is being faced with significant challenge such as severe information security and service quality guarantee.Assess and guarantee that the internet security problem has become the common recognition of domestic and international research circle by user behavior being analyzed and being audited, wherein, how user's abnormal behaviour is judged it is a research focus in this field.
User's abnormal behaviour analytical method is divided into two big classes substantially.Wherein a class is based on the method that static parameter is concluded, and at first extracts the characteristic parameter of each behavior constantly of user, then setting field in these features and corresponding threshold value is compared, thereby judges whether the behavior is unusual.The another kind of method that is based on the dynamic behaviour analysis at first needs to choose a large amount of samples various user behaviors is trained respectively, determines model parameter, utilizes the model of having set up that user behavior is classified then and finally determines whether to be abnormal behaviour.
The method of concluding based on static parameter has advantage simply and intuitively.In these class methods, characteristic parameter with and the comparison parameter choose particularly important.In recent years, detect this problem at user's abnormal behaviour, researchers have proposed multiple behavior comparison parameter and combined result thereof.All be applied to gradually in the abnormal behaviour detection technique as normal chained library, regular traffic storehouse, normal discharge threshold value etc.In addition, also have part work to judge, the judgement of user behavior is also developed into polynary coupling by original single coupling by several features are combined.
But the method that is based on the static parameter conclusion needs selected different threshold range, thereby does not possess generality for different objects.In addition, the determination methods of concluding based on static parameter can only realize the thick level identification of user behavior, is not easy to dynamically adjust according to user's behavioural habits.
Be similar to the judgement based on statistical model of area of pattern recognition based on the method for dynamic behaviour analysis.The method of analyzing based on dynamic behaviour requires to provide in advance a collection of training sample with class mark, generates the behavioural analysis device by the directed learning training is arranged, and then the classification samples for the treatment of in the test sample book set is classified.
But, the completeness that depends on training sample of the very big degree of analyzing based on dynamic behaviour of method.Along with the continuous development of network technology, and the continual renovation of Network, number of users constantly increases, and user behavior also constantly changes along with the release of new business.The growth of number of users and the variation of user behavior can not have been satisfied in existing sample storehouse.How to utilize existing sample fully, promptly utilize existing behavior sample that initiate user behavior is carried out accurate modeling, perhaps utilizing the historical behavior sample of known users to set up its behavior model after changing, is urgent problem in user's abnormality detection process.
Typical at present dynamic behaviour parser mainly comprises minimum parameter detection method, traditional decision-tree, HMM method and support vector machine method etc.
The advantage of minimum parameter spacing method is that notion is directly perceived, method is simple, helps setting up the geometrical concept of hyperspace sorting technique.The minimum parameter spacing classification of using in behavior classification mainly contains k near neighbor method (k-Nearest Neighbor, k-NN) and recently characteristic line method (Nearest Feature Line) etc.
The thought of k near neighbor method is to judge the classification of X according to the classification of most points in k the sample of unknown sample X arest neighbors.Need to calculate the distance of X and all sample Xi for this reason, and therefrom select k minimum sample of distance as neighbour's sample set k-NN, calculating wherein all belong to classification Wj apart from sum, and classify according to following rule:
Wherein, C is classification set C=(W
1, W
2..., W
n).
When k=1, the k near neighbor method just deteriorates to the arest neighbors method.Because the k near neighbor method has utilized more sample information to determine classification, some help reducing The noise greatly so k gets.But because the k near neighbor method need calculate the distance of all samples, therefore, when number of samples was very big, its amount of calculation was just considerable.
Decision tree is a kind of simple in structure, grader that search efficiency is high in essence in fact.The decision tree classification method is selected important feature based on information theory to a large amount of examples, sets up decision tree.
But traditional decision-tree exists in a plurality of category regions and covers phenomenons, and especially at the classification number very for a long time, its storage and calculation cost can be excessive, and the classification error meeting on upper strata is accumulated to down one deck, thus formation " snowball " effect.
HMM originates from the later stage sixties 20th century, belongs to the signal statistics theoretical model, can handle random sequence data identification and prediction well.HMM is a kind of dual random process finite-state automata in essence, and one of dual random process wherein is meant and satisfies the state exchange Markov chain that Markov distributes that this is basic random process, mainly describes state transitions; Another random process is described the statistics corresponding relation between each state and the observed value, i.e. the observation output probability density function of state.
SVMs (Support Vector Machine, SVM) come from processing at first to the two-value classification problem, promptly in sample space, seeking one can be with positive example in the training set and the separated hyperplane of counter-example sample, and makes the interval maximum of its both sides.SVM utilizes QUADRATIC PROGRAMMING METHOD FOR will import data and is mapped to more higher dimensional space by kernel function, thereby has solved linear inseparable problem.
When the user behavior parameter more for a long time, we can expand the SVMs method, take QUADRATIC PROGRAMMING METHOD FOR that the behavioral data of input is mapped to more higher dimensional space by kernel function, solve linear inseparable problem when the user characteristics dimension is low.
But the training time of SVMs method is long, and will constantly adjust to choose suitable kernel function and parameter.
Summary of the invention
In view of this, the purpose of this invention is to provide a kind of user's abnormal behaviour detection method based on transfer learning, when using this method to detect user's abnormal behaviour, we only need utilize less instant sample, under the prerequisite of not wasting a large amount of historical sample, just can obtain quite good detecting effectiveness, so when using this methods analyst user abnormal behaviour, more comprehensively and effectively.
In order to achieve the above object, the invention provides a kind of method that detects based on user's abnormal behaviour of transfer learning, it is characterized in that described method comprises following operating procedure:
(1) carries out network data acquisition, active user's network behavior is carried out corresponding characteristic extraction;
(2) abnormal behaviour of carrying out coarseness on the basis of the feature of being extracted detects;
(3) adopt the off-line training mode earlier, use based on the method for transfer learning and set up user's normal behaviour model,, judge with the mode of on-line testing whether current user behavior is anomalous event according to the normal behaviour model that trains.
Wherein, described step (1) further comprises following content of operation:
(11) traffic capture: obtain data traffic from system hardware platform network interface card, flow is carried out shaping handle, and then carry out next step operation;
(12) (Deep Packet Inspection DPI) extracts the five-tuple information of the flow caught, and wherein, five-tuple information comprises: source address, destination address, source port number, destination slogan, protocol type to utilize deep packet inspection technical;
(13) on the basis of five-tuple sequence, extract the user behavior feature.Wherein, the user behavior Feature Extraction is the method that industry often relates to, and the present invention does not carry out independent innovation in this feature extraction.
Described step (2), principal character is:
At present, there is user's abnormal behaviour detection method of multiple coarseness this area, for example: according to access links the behavior of user capture specific website is judged to be abnormal behaviour; According to data traffic, the behavior that flow is exceeded certain threshold value is judged to be abnormal behaviour etc.Detect this on the one hand at the coarseness user behavior, the present invention does not carry out independent innovation.
Described step (3) specifically comprises following content of operation
(31) adopt the mode of off-line training, gather training sample, the composing training sample set is divided into two classes with training sample, promptly with test sample book distribute different classes and with the test sample book identical class that distributes;
Specifically comprise following operation:
If being expressed as, the sample set of collecting mixes T={ (x
i, c (x
i)).
Among the present invention, the training sample set is made of two sample sets that are labeled, and these two sample sets are designated as T respectively
dAnd T
s
Hence one can see that,
Following formula Chinese style n and m represent sample set T respectively
dAnd T
sSize, c (x) has pointed out the classification of sample
(32) mode of employing off-line training based on the training sample set, utilizes Weak Classifier (the Weak Classifier type is not added qualification) as basic grader, makes each user characteristics corresponding to a basic grader.
(33) mode of employing off-line training is utilized the TrAdaBoost method, calculates the weight coefficient of Weak Classifier, forms the TrAdaBoost grader.
(331) training weights initialization
Wherein,
Represent i the weighted value size of basic grader when the first round;
(332) weighted value iterative computation is established common needs and is carried out N wheel iteration, and then iterative process is:
(34) mode of employing on-line testing is input to the TrAdaboost grader that trains with the user behavior characteristic parameter, judges whether active user's behavior is abnormal behaviour.
The present invention is a kind of user's abnormal behaviour detection method based on transfer learning, and its innovation technically mainly is the angle from historical sample and test sample book different distributions, sets up model by less instant sample and existing historical sample.Remedied in the past set up model the time the instant sample size not enough undertrained comprehensive problem that causes, be described in detail below.
Existing technology in carrying out the process that user's abnormal behaviour detects, suppose usually test sample book with historical sample with distribution.But, along with the continuous development of network technology, and the continual renovation of Network, number of users constantly increases, and user behavior also constantly changes along with the release of new business.The growth of number of users and the variation of user behavior can not have been satisfied in existing sample storehouse.How to utilize existing sample fully, promptly utilize existing behavior sample that initiate user behavior is carried out accurate modeling, perhaps utilizing the historical behavior sample of known users to set up its behavior model after changing, is urgent problem in user's abnormality detection process.
Description of drawings
Fig. 1 is the operating procedure flow chart that the present invention is based on user's abnormal behaviour detection of transfer learning.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with the test situation of drawings and Examples.
The present invention is a kind of user's abnormal behaviour detection method based on transfer learning, and this method operating procedure is as follows: (1) carries out network data acquisition, and active user's network behavior is carried out corresponding characteristic extraction; (2) abnormal behaviour of carrying out coarseness on the basis of the feature of being extracted detects; (3) adopt the off-line training mode earlier, use based on the method for transfer learning and set up user's normal behaviour model,, judge with the mode of on-line testing whether current user behavior is anomalous event according to the normal behaviour model that trains.
When whether the present invention has user's abnormal behaviour to take place in analysis, can overcome the weak point that requires test sample book and historical sample to distribute together in the prior art.
Referring to Fig. 1, operating procedure of the present invention and embodiments of the invention and simulation scenarios are described:
(1) carries out network data acquisition, active user's network behavior is carried out corresponding characteristic extraction;
(2) abnormal behaviour of carrying out coarseness on the basis of the feature of being extracted detects;
(3) adopt the off-line training mode earlier, use based on the method for transfer learning and set up user's normal behaviour model,, judge with the mode of on-line testing whether current user behavior is anomalous event according to the normal behaviour model that trains.
Wherein, described step (1) further comprises following content of operation:
(11) traffic capture: obtain data traffic from system hardware platform network interface card, flow is carried out shaping handle, and then carry out next step operation;
(12) (Deep Packet Inspection DPI) extracts the five-tuple information of the flow caught, and wherein, five-tuple information comprises: source address, destination address, source port number, destination slogan, protocol type to utilize deep packet inspection technical;
(13) on the basis of five-tuple sequence, extract the user behavior feature.Wherein, the user behavior Feature Extraction is the method that industry often relates to, and the present invention does not carry out independent innovation in this feature extraction.
Described step (2), principal character is:
At present, there is user's abnormal behaviour detection method of multiple coarseness this area, for example: according to access links the behavior of user capture specific website is judged to be abnormal behaviour; According to data traffic, the behavior that flow is exceeded certain threshold value is judged to be abnormal behaviour etc.Detect this on the one hand at the coarseness user behavior, the present invention does not carry out independent innovation.
Described step (3) specifically comprises following content of operation
(31) adopt the mode of off-line training, gather training sample, the composing training sample set is divided into two classes with training sample, promptly with test sample book distribute different classes and with the test sample book identical class that distributes;
Specifically comprise following operation:
If being expressed as, the sample set of collecting mixes T={x
i, c (x
i)).
Among the present invention, the training sample set is made of two sample sets that are labeled, and these two sample sets are designated as T respectively
dAnd T
s
Represent instant sample set, promptly with the sample set of test data with distribution.
Hence one can see that,
Following formula Chinese style n and m represent sample set T respectively
dAnd T
sSize, c (x) has pointed out the classification of sample
(32) mode of employing off-line training based on the training sample set, utilizes Weak Classifier (the Weak Classifier type is not added qualification) as basic grader, makes each user characteristics corresponding to a basic grader.
(33) mode of employing off-line training is utilized the TrAdaBoost method, calculates the weight coefficient of Weak Classifier, forms the TrAdaBoost grader.
(331) training weights initialization
Wherein,
Represent i the weighted value size of basic grader when the first round;
(332) weighted value iterative computation is established common needs and is carried out N wheel iteration, and then iterative process is:
(34) mode of employing on-line testing is input to the TrAdaboost grader that trains with the user behavior characteristic parameter, judges whether active user's behavior is abnormal behaviour.
In a word, the test of emulation embodiment of the present invention is successful, has realized goal of the invention.
Claims (7)
1. user's method for detecting abnormality based on transfer learning is characterized in that described method comprises following operating procedure:
(1) carries out network data acquisition, active user's network behavior is carried out corresponding characteristic extraction;
(2) abnormal behaviour of carrying out coarseness on the basis of the feature of being extracted detects;
(3) adopt the off-line training mode earlier, use based on the method for transfer learning and set up user's normal behaviour model,, judge with the mode of on-line testing whether current user behavior is anomalous event according to the normal behaviour model that trains.
2. method according to claim 1 is characterized in that:
Described step (1) further comprises following content of operation:
(11) traffic capture: obtain data traffic from system hardware platform network interface card, flow is carried out shaping handle, and then carry out next step operation;
(12) (Deep Packet Inspection DPI) extracts the five-tuple information of the flow caught, and wherein, five-tuple information comprises: source address, destination address, source port number, destination slogan, protocol type to utilize deep packet inspection technical;
(13) on the basis of five-tuple sequence, extract the user behavior feature.Wherein, the user behavior Feature Extraction is the method that industry often relates to, and the present invention does not carry out independent innovation in this feature extraction.
3. method according to claim 1 is characterized in that:
Described step (2), user's abnormal behaviour of coarseness detects, and its principal character is:
At present, there is user's abnormal behaviour detection method of multiple coarseness this area, for example: according to access links the behavior of user capture specific website is judged to be abnormal behaviour; According to data traffic, the behavior that flow is exceeded certain threshold value is judged to be abnormal behaviour etc.Detect this on the one hand at the coarseness user behavior, the present invention does not carry out independent innovation.
4. method according to claim 1 is characterized in that
Described step (3) specifically comprises following content of operation
(31) adopt the mode of off-line training, gather training sample, the composing training sample set is divided into two classes with training sample, promptly with test sample book distribute different classes and with the test sample book identical class that distributes;
(32) mode of employing off-line training based on the training sample set, utilizes Weak Classifier (the Weak Classifier type is not added qualification) as basic grader, makes each user characteristics corresponding to a basic grader.
(33) mode of employing off-line training is utilized the TrAdaBoost method, calculates the weight coefficient of Weak Classifier, forms the TrAdaBoost grader.
(34) mode of employing on-line testing is input to the TrAdaboost grader that trains with the user behavior characteristic parameter, judges whether active user's behavior is abnormal behaviour.
5. according to the described method of claim 4, it is characterized in that
Described step (31) specifically comprises following operation:
If being expressed as, the sample set of collecting mixes T={ (x
i, c (x
i)).
Among the present invention, the training sample set is made of two sample sets that are labeled, and these two sample sets are designated as T respectively
dAnd T
s
Represent instant sample set, promptly with the sample set of test data with distribution.
Hence one can see that,
Following formula Chinese style n and m represent sample set T respectively
dAnd T
sSize, c (x) has pointed out the classification of sample
6. according to the described method of claim 4, it is characterized in that:
Described step (33) is utilized the TrAdaBoost method, calculates the weight coefficient of Weak Classifier, forms the TrAdaBoost grader, and its concrete operations comprise the steps:
(331) training weights initialization
Wherein,
Represent i the weighted value size of basic grader when the first round;
(332) weighted value iterative computation is established common needs and is carried out N wheel iteration, and then iterative process is:
7. according to the described method of claim 4, it is characterized in that:
Described step (34), the mode of employing on-line testing is input to the TrAdaboost grader that trains with the user behavior characteristic parameter, judges whether active user's behavior is abnormal behaviour, and its concrete operations are:
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010106137457A CN102176698A (en) | 2010-12-20 | 2010-12-20 | Method for detecting abnormal behaviors of user based on transfer learning |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010106137457A CN102176698A (en) | 2010-12-20 | 2010-12-20 | Method for detecting abnormal behaviors of user based on transfer learning |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102176698A true CN102176698A (en) | 2011-09-07 |
Family
ID=44519803
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010106137457A Pending CN102176698A (en) | 2010-12-20 | 2010-12-20 | Method for detecting abnormal behaviors of user based on transfer learning |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102176698A (en) |
Cited By (34)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103793484A (en) * | 2014-01-17 | 2014-05-14 | 五八同城信息技术有限公司 | Fraudulent conduct identification system based on machine learning in classified information website |
| CN103853841A (en) * | 2014-03-19 | 2014-06-11 | 北京邮电大学 | Method for analyzing abnormal behavior of user in social networking site |
| CN103886068A (en) * | 2014-03-20 | 2014-06-25 | 北京国双科技有限公司 | Data processing method and device for Internet user behavior analysis |
| CN105300693A (en) * | 2015-09-25 | 2016-02-03 | 东南大学 | Bearing fault diagnosis method based on transfer learning |
| CN105915960A (en) * | 2016-03-31 | 2016-08-31 | 广州华多网络科技有限公司 | User type determination method and device |
| CN105939340A (en) * | 2016-01-22 | 2016-09-14 | 北京匡恩网络科技有限责任公司 | Method and system for discovering hidden conficker |
| CN106027577A (en) * | 2016-08-04 | 2016-10-12 | 四川无声信息技术有限公司 | Exception access behavior detection method and device |
| CN106097024A (en) * | 2016-08-18 | 2016-11-09 | 北京京东尚科信息技术有限公司 | Data digging method, device and system |
| CN106095099A (en) * | 2016-06-12 | 2016-11-09 | 南京邮电大学 | A kind of user behavior motion detection recognition methods |
| CN106453404A (en) * | 2016-11-23 | 2017-02-22 | 北京邮电大学 | Network intrusion detection method and device |
| CN106485188A (en) * | 2015-08-27 | 2017-03-08 | 桂林信通科技有限公司 | A kind of industrial exchanger user anomaly detection method |
| CN106603546A (en) * | 2016-12-22 | 2017-04-26 | 北京邮电大学 | IOT invasion monitoring method and device |
| CN106919579A (en) * | 2015-12-24 | 2017-07-04 | 腾讯科技(深圳)有限公司 | A kind of information processing method and device, equipment |
| CN106934462A (en) * | 2017-02-09 | 2017-07-07 | 华南理工大学 | Defence under antagonism environment based on migration poisons the learning method of attack |
| CN106971200A (en) * | 2017-03-13 | 2017-07-21 | 天津大学 | A kind of iconic memory degree Forecasting Methodology learnt based on adaptive-migration |
| CN106998334A (en) * | 2017-05-25 | 2017-08-01 | 北京计算机技术及应用研究所 | A kind of computer user's abnormal behavior detection method |
| CN107016387A (en) * | 2016-01-28 | 2017-08-04 | 苏宁云商集团股份有限公司 | A kind of method and device for recognizing label |
| WO2017148314A1 (en) * | 2016-03-04 | 2017-09-08 | 阿里巴巴集团控股有限公司 | Method of training machine learning system, and training system |
| CN107276983A (en) * | 2017-05-12 | 2017-10-20 | 西安电子科技大学 | A kind of the traffic security control method and system synchronous with cloud based on DPI |
| CN108022589A (en) * | 2017-10-31 | 2018-05-11 | 努比亚技术有限公司 | Aiming field classifier training method, specimen discerning method, terminal and storage medium |
| CN108256573A (en) * | 2018-01-16 | 2018-07-06 | 成都寻道科技有限公司 | A kind of Web Service user terminals falseness application recognition methods |
| CN108512815A (en) * | 2017-02-28 | 2018-09-07 | 腾讯科技(北京)有限公司 | Door chain detection method, door chain detection device and server |
| CN108616491A (en) * | 2016-12-13 | 2018-10-02 | 北京酷智科技有限公司 | A kind of recognition methods of malicious user and system |
| WO2018228428A1 (en) * | 2017-06-16 | 2018-12-20 | 阿里巴巴集团控股有限公司 | Data type identification, model training, and risk identification method and apparatus, and device |
| CN109347853A (en) * | 2018-11-07 | 2019-02-15 | 华东师范大学 | The method for detecting abnormality towards Integrated Electronic System based on depth Packet analyzing |
| CN109462610A (en) * | 2018-12-24 | 2019-03-12 | 哈尔滨工程大学 | A kind of network inbreak detection method based on Active Learning and transfer learning |
| CN109639526A (en) * | 2018-12-14 | 2019-04-16 | 中国移动通信集团福建有限公司 | Network Data Control method, apparatus, equipment and medium |
| WO2019109743A1 (en) * | 2017-12-07 | 2019-06-13 | 阿里巴巴集团控股有限公司 | Url attack detection method and apparatus, and electronic device |
| WO2020078385A1 (en) * | 2018-10-18 | 2020-04-23 | 杭州海康威视数字技术股份有限公司 | Data collecting method and apparatus, and storage medium and system |
| CN111131248A (en) * | 2019-12-24 | 2020-05-08 | 广东电科院能源技术有限责任公司 | Website application security defect detection model modeling method and defect detection method |
| CN112001443A (en) * | 2020-08-24 | 2020-11-27 | 成都卫士通信息产业股份有限公司 | Network behavior data monitoring method and device, storage medium and electronic equipment |
| CN112275438A (en) * | 2020-10-13 | 2021-01-29 | 成都智叟智能科技有限公司 | Dry and wet garbage separation and crushing control method and system based on data analysis |
| CN112597493A (en) * | 2020-12-25 | 2021-04-02 | 北京通付盾人工智能技术有限公司 | Method and system for detecting man-machine operation of mobile equipment |
| CN113421122A (en) * | 2021-06-25 | 2021-09-21 | 创络(上海)数据科技有限公司 | First-purchase user refined loss prediction method under improved transfer learning framework |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060443A (en) * | 2006-04-17 | 2007-10-24 | 中国科学院自动化研究所 | An improved adaptive boosting algorithm based Internet intrusion detection method |
| US20070289013A1 (en) * | 2006-06-08 | 2007-12-13 | Keng Leng Albert Lim | Method and system for anomaly detection using a collective set of unsupervised machine-learning algorithms |
| CN101582813A (en) * | 2009-06-26 | 2009-11-18 | 西安电子科技大学 | Distributed migration network learning-based intrusion detection system and method thereof |
-
2010
- 2010-12-20 CN CN2010106137457A patent/CN102176698A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060443A (en) * | 2006-04-17 | 2007-10-24 | 中国科学院自动化研究所 | An improved adaptive boosting algorithm based Internet intrusion detection method |
| US20070289013A1 (en) * | 2006-06-08 | 2007-12-13 | Keng Leng Albert Lim | Method and system for anomaly detection using a collective set of unsupervised machine-learning algorithms |
| CN101582813A (en) * | 2009-06-26 | 2009-11-18 | 西安电子科技大学 | Distributed migration network learning-based intrusion detection system and method thereof |
Non-Patent Citations (4)
| Title |
|---|
| WENYUAN DAI, QIANG YAN,GUI-RONG XUE,YONG YU: "Boosting for Transfer Learning", 《PROCEEDING OF THE 24TH INTERNATIONAL CONFERENCE ON MACHINE LEARNING》 * |
| 中华人民共和国工业和信息化部: "《中华人民共和国通信行业标准》", 15 June 2009 * |
| 田新广 等: "基于机器学习的用户行为异常检测模型", 《计算机工程与应用》 * |
| 谢勍: "计算机网络入侵检测技术探讨", 《科学技术与工程》 * |
Cited By (51)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103793484A (en) * | 2014-01-17 | 2014-05-14 | 五八同城信息技术有限公司 | Fraudulent conduct identification system based on machine learning in classified information website |
| CN103793484B (en) * | 2014-01-17 | 2017-03-15 | 五八同城信息技术有限公司 | The fraud identifying system based on machine learning in classification information website |
| CN103853841A (en) * | 2014-03-19 | 2014-06-11 | 北京邮电大学 | Method for analyzing abnormal behavior of user in social networking site |
| CN103886068A (en) * | 2014-03-20 | 2014-06-25 | 北京国双科技有限公司 | Data processing method and device for Internet user behavior analysis |
| CN103886068B (en) * | 2014-03-20 | 2018-04-03 | 北京国双科技有限公司 | Data processing method and device for Internet user's behavioural analysis |
| CN106485188A (en) * | 2015-08-27 | 2017-03-08 | 桂林信通科技有限公司 | A kind of industrial exchanger user anomaly detection method |
| CN105300693B (en) * | 2015-09-25 | 2016-10-12 | 东南大学 | A kind of Method for Bearing Fault Diagnosis based on transfer learning |
| CN105300693A (en) * | 2015-09-25 | 2016-02-03 | 东南大学 | Bearing fault diagnosis method based on transfer learning |
| CN106919579A (en) * | 2015-12-24 | 2017-07-04 | 腾讯科技(深圳)有限公司 | A kind of information processing method and device, equipment |
| CN105939340A (en) * | 2016-01-22 | 2016-09-14 | 北京匡恩网络科技有限责任公司 | Method and system for discovering hidden conficker |
| CN107016387B (en) * | 2016-01-28 | 2020-02-28 | 苏宁云计算有限公司 | Method and device for identifying label |
| CN107016387A (en) * | 2016-01-28 | 2017-08-04 | 苏宁云商集团股份有限公司 | A kind of method and device for recognizing label |
| US11257005B2 (en) | 2016-03-04 | 2022-02-22 | Alibaba Group Holding Limited | Training method and training system for machine learning system |
| WO2017148314A1 (en) * | 2016-03-04 | 2017-09-08 | 阿里巴巴集团控股有限公司 | Method of training machine learning system, and training system |
| CN105915960A (en) * | 2016-03-31 | 2016-08-31 | 广州华多网络科技有限公司 | User type determination method and device |
| CN106095099B (en) * | 2016-06-12 | 2018-11-02 | 南京邮电大学 | A kind of user behavior motion detection recognition methods |
| CN106095099A (en) * | 2016-06-12 | 2016-11-09 | 南京邮电大学 | A kind of user behavior motion detection recognition methods |
| CN106027577A (en) * | 2016-08-04 | 2016-10-12 | 四川无声信息技术有限公司 | Exception access behavior detection method and device |
| CN106027577B (en) * | 2016-08-04 | 2019-04-30 | 四川无声信息技术有限公司 | A kind of abnormal access behavioral value method and device |
| CN106097024B (en) * | 2016-08-18 | 2021-11-02 | 北京京东尚科信息技术有限公司 | Data mining method, device and system |
| CN106097024A (en) * | 2016-08-18 | 2016-11-09 | 北京京东尚科信息技术有限公司 | Data digging method, device and system |
| CN106453404A (en) * | 2016-11-23 | 2017-02-22 | 北京邮电大学 | Network intrusion detection method and device |
| CN106453404B (en) * | 2016-11-23 | 2019-09-10 | 北京邮电大学 | A kind of network inbreak detection method and device |
| CN108616491A (en) * | 2016-12-13 | 2018-10-02 | 北京酷智科技有限公司 | A kind of recognition methods of malicious user and system |
| CN106603546A (en) * | 2016-12-22 | 2017-04-26 | 北京邮电大学 | IOT invasion monitoring method and device |
| CN106934462A (en) * | 2017-02-09 | 2017-07-07 | 华南理工大学 | Defence under antagonism environment based on migration poisons the learning method of attack |
| CN108512815A (en) * | 2017-02-28 | 2018-09-07 | 腾讯科技(北京)有限公司 | Door chain detection method, door chain detection device and server |
| CN108512815B (en) * | 2017-02-28 | 2021-12-10 | 腾讯科技(北京)有限公司 | Anti-theft chain detection method, anti-theft chain detection device and server |
| CN106971200A (en) * | 2017-03-13 | 2017-07-21 | 天津大学 | A kind of iconic memory degree Forecasting Methodology learnt based on adaptive-migration |
| CN107276983A (en) * | 2017-05-12 | 2017-10-20 | 西安电子科技大学 | A kind of the traffic security control method and system synchronous with cloud based on DPI |
| CN106998334A (en) * | 2017-05-25 | 2017-08-01 | 北京计算机技术及应用研究所 | A kind of computer user's abnormal behavior detection method |
| CN106998334B (en) * | 2017-05-25 | 2021-04-06 | 北京计算机技术及应用研究所 | Computer user behavior abnormity detection method |
| WO2018228428A1 (en) * | 2017-06-16 | 2018-12-20 | 阿里巴巴集团控股有限公司 | Data type identification, model training, and risk identification method and apparatus, and device |
| US11113394B2 (en) | 2017-06-16 | 2021-09-07 | Advanced New Technologies Co., Ltd. | Data type recognition, model training and risk recognition methods, apparatuses and devices |
| US11100220B2 (en) | 2017-06-16 | 2021-08-24 | Advanced New Technologies Co., Ltd. | Data type recognition, model training and risk recognition methods, apparatuses and devices |
| CN108022589A (en) * | 2017-10-31 | 2018-05-11 | 努比亚技术有限公司 | Aiming field classifier training method, specimen discerning method, terminal and storage medium |
| WO2019109743A1 (en) * | 2017-12-07 | 2019-06-13 | 阿里巴巴集团控股有限公司 | Url attack detection method and apparatus, and electronic device |
| CN108256573B (en) * | 2018-01-16 | 2021-06-25 | 成都寻道科技有限公司 | Web Service client false application identification method |
| CN108256573A (en) * | 2018-01-16 | 2018-07-06 | 成都寻道科技有限公司 | A kind of Web Service user terminals falseness application recognition methods |
| WO2020078385A1 (en) * | 2018-10-18 | 2020-04-23 | 杭州海康威视数字技术股份有限公司 | Data collecting method and apparatus, and storage medium and system |
| CN109347853B (en) * | 2018-11-07 | 2020-10-30 | 华东师范大学 | Deep packet analysis-based anomaly detection method for integrated electronic system |
| CN109347853A (en) * | 2018-11-07 | 2019-02-15 | 华东师范大学 | The method for detecting abnormality towards Integrated Electronic System based on depth Packet analyzing |
| CN109639526A (en) * | 2018-12-14 | 2019-04-16 | 中国移动通信集团福建有限公司 | Network Data Control method, apparatus, equipment and medium |
| CN109462610A (en) * | 2018-12-24 | 2019-03-12 | 哈尔滨工程大学 | A kind of network inbreak detection method based on Active Learning and transfer learning |
| CN111131248A (en) * | 2019-12-24 | 2020-05-08 | 广东电科院能源技术有限责任公司 | Website application security defect detection model modeling method and defect detection method |
| CN111131248B (en) * | 2019-12-24 | 2021-09-24 | 南方电网电力科技股份有限公司 | Website application security defect detection model modeling method and defect detection method |
| CN112001443A (en) * | 2020-08-24 | 2020-11-27 | 成都卫士通信息产业股份有限公司 | Network behavior data monitoring method and device, storage medium and electronic equipment |
| CN112275438A (en) * | 2020-10-13 | 2021-01-29 | 成都智叟智能科技有限公司 | Dry and wet garbage separation and crushing control method and system based on data analysis |
| CN112275438B (en) * | 2020-10-13 | 2022-03-01 | 成都智叟智能科技有限公司 | Dry and wet garbage separation and crushing control method and system based on data analysis |
| CN112597493A (en) * | 2020-12-25 | 2021-04-02 | 北京通付盾人工智能技术有限公司 | Method and system for detecting man-machine operation of mobile equipment |
| CN113421122A (en) * | 2021-06-25 | 2021-09-21 | 创络(上海)数据科技有限公司 | First-purchase user refined loss prediction method under improved transfer learning framework |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102176698A (en) | Method for detecting abnormal behaviors of user based on transfer learning | |
| CN103780588A (en) | User abnormal behavior detection method in digital home network | |
| Ren et al. | Selection-based resampling ensemble algorithm for nonstationary imbalanced stream data learning | |
| US7630950B2 (en) | System and method for learning models from scarce and skewed training data | |
| US7724784B2 (en) | System and method for classifying data streams using high-order models | |
| CN110147321A (en) | A kind of recognition methods of the defect high risk module based on software network | |
| CN102420723A (en) | Anomaly detection method for various kinds of intrusion | |
| CN104767692A (en) | Network traffic classification method | |
| CN107579846B (en) | Cloud computing fault data detection method and system | |
| CN111478904B (en) | Method and device for detecting communication anomaly of Internet of things equipment based on concept drift | |
| Lu et al. | Telecom fraud identification based on ADASYN and random forest | |
| CN108388929A (en) | Client segmentation method and device based on cost-sensitive and semisupervised classification | |
| Ahmed et al. | Network sampling designs for relational classification | |
| CN112101420A (en) | Abnormal electricity user identification method for Stacking integration algorithm under dissimilar model | |
| Chung et al. | Automated machine learning for Internet of Things | |
| CN104850868A (en) | Customer segmentation method based on k-means and neural network cluster | |
| CN111145027A (en) | Suspected money laundering transaction identification method and device | |
| Gu et al. | Application of fuzzy decision tree algorithm based on mobile computing in sports fitness member management | |
| Ramlie et al. | Optimal feature selection of taguchi character recognition in the mahalanobis-taguchi system using bees algorithm | |
| Chu et al. | Co-training based on semi-supervised ensemble classification approach for multi-label data stream | |
| CN116633601A (en) | Detection method based on network traffic situation awareness | |
| CN114707571A (en) | Credit data anomaly detection method based on enhanced isolation forest | |
| Yuan et al. | Intrusion detection model based on improved support vector machine | |
| Rani et al. | Design of an intrusion detection model for IoT-enabled smart home | |
| Zhang | Financial data anomaly detection method based on decision tree and random forest algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20110907 |