CN109951476B - Attack prediction method and device based on time sequence and storage medium - Google Patents

Attack prediction method and device based on time sequence and storage medium

Info

Publication number
CN109951476B
Authority
CN
China
Prior art keywords
data
packet data
attack
value
sample
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910201214.8A
Other languages
Chinese (zh)
Other versions
CN109951476A (en)
Inventor
万巍
王越
龙春
魏金侠
赵静
杨帆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Computer Network Information Center of CAS
Original Assignee
Computer Network Information Center of CAS

Abstract

The embodiment of the invention discloses a time-sequence-based attack prediction method and device and a storage medium, relating to the field of network security. The method comprises the following steps: dividing the sample data into groups according to the time sequence (these groups are rendered as "packet data" throughout this translation) and extracting the features of each group; taking the ratio of positive samples to negative samples in the packet data as the sample label value of the packet data; performing time-series analysis on the features of the packet data to obtain its periodic characteristics; applying at least one pass of exponential smoothing to the periodic characteristics to obtain a periodic predicted value of the packet data; and training an attack prediction model on the sample label values and the periodic predicted values of the packet data. The invention can improve attack detection efficiency.

Description

Attack prediction method and device based on time sequence and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a time-series-based attack prediction method, apparatus, and storage medium.
Background
With the rapid development of computer network technology, networks are now used in every field. While computer networks bring people convenience and benefits, network attacks also pose a serious challenge to information security.
To defend against network attacks, an intrusion detection system can be deployed at the point where network data enters. Current intrusion detection systems mainly model network traffic features with a classification algorithm to decide whether an attack has occurred and of which type; this strategy detects individual security events in isolation.
Disclosure of Invention
Embodiments of the present invention provide a time sequence-based attack prediction method, apparatus, and storage medium, which can improve attack detection efficiency.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
in a first aspect, an embodiment of the present invention provides a time-series-based attack prediction method, including:
dividing the sample data into groups (packets) according to the time sequence, and extracting the features of the packet data;
taking the proportion of positive samples and negative samples in the packet data as a sample label value of the packet data;
performing time sequence analysis on the characteristics of the packet data to obtain the periodic characteristics of the packet data;
applying at least one pass of exponential smoothing to the periodic characteristics of the packet data to obtain a periodic predicted value of the packet data;
and training an attack prediction model based on the sample label value and the cycle prediction value of the packet data.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the method further includes:
and inputting the data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, wherein the label prediction value of the data to be detected is used for representing a prediction value of a ratio between a positive sample and a negative sample in the data to be detected.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the method further includes:
adjusting a data filtering rule based on the label predicted value of the data to be detected;
and in response to the data to be detected matching the adjusted data filtering rule, determining the data to be detected to be attack data and discarding it.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the training of an attack prediction model based on the sample tag value and the cycle prediction value of the packet data includes:
taking a difference value between the sample label value and the period predicted value of the packet data as training data of the attack prediction model, and performing iterative training on the attack prediction model; wherein the attack prediction model comprises a gradient boosting decision tree GBDT regression model.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, the performing packet division processing on the sample data according to a time sequence and extracting features of the packet data includes:
converting the features of the sample data into the features of the packet data by prototype clustering; wherein the prototype clustering method includes a Gaussian mixture model.
In a second aspect, an embodiment of the present invention provides a time-series-based attack prediction apparatus, including:
the extraction module is used for dividing the sample data into groups according to the time sequence and extracting the features of the packet data;
the label module is used for taking the proportion of the positive sample and the negative sample in the packet data as a sample label value of the packet data;
the analysis module is used for carrying out time sequence analysis on the characteristics of the packet data to obtain the periodic characteristics of the packet data;
the processing module is used for applying at least one pass of exponential smoothing to the periodic characteristics of the packet data to obtain a periodic predicted value of the packet data;
and the training module is used for training an attack prediction model based on the sample label value and the cycle prediction value of the packet data.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the apparatus further includes:
and the prediction module is used for inputting the data to be detected into the attack prediction model to obtain the label prediction value of the data to be detected, and the label prediction value of the data to be detected is used for representing the prediction value of the ratio between the positive sample and the negative sample in the data to be detected.
With reference to the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the apparatus further includes:
the adjusting module is used for adjusting the data filtering rule based on the label predicted value of the data to be detected;
and the discarding module is used for determining, in response to the data to be detected matching the adjusted data filtering rule, that the data to be detected is attack data, and discarding it.
With reference to the second aspect, in a third possible implementation manner of the second aspect,
the training module is further used for taking a difference value between the sample label value and the cycle prediction value of the packet data as training data of the attack prediction model and performing iterative training on the attack prediction model; wherein the attack prediction model comprises a gradient boosting decision tree GBDT regression model.
With reference to the second aspect, in a fourth possible implementation manner of the second aspect,
the extraction module is further configured to convert the features of the sample data into the features of the packet data by prototype clustering; wherein the prototype clustering method includes a Gaussian mixture model.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the method provided in the first aspect.
According to the time-sequence-based attack prediction method, device and storage medium, the sample data is divided into groups according to the time sequence and the features of the packet data are extracted; the ratio of positive samples to negative samples in the packet data is taken as the sample label value of the packet data; time-series analysis is performed on the features of the packet data to obtain its periodic characteristics; at least one pass of exponential smoothing is applied to the periodic characteristics to obtain a periodic predicted value of the packet data; and an attack prediction model is trained on the sample label values and periodic predicted values of the packet data. The method can predict the intrusion or security events that may follow in the network from the trend of the current traffic, automatically modify the defense rules based on the prediction, achieve better network situation awareness, reduce the false alarm rate, reduce the cost of manual intervention and improve attack detection efficiency.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a time series based attack prediction method according to an embodiment of the present invention;
FIG. 2 is another flow chart of the time-series based attack prediction method according to the embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an attack prediction apparatus based on time sequence according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of another structure of a time-series-based attack prediction apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an attack prediction apparatus 500 based on time sequence according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a time sequence-based attack prediction method, as shown in fig. 1, the method includes:
101. Divide the sample data into groups according to the time sequence and extract the features of the packet data.
In the embodiment of the present invention, step 101 may specifically be: converting the features of the sample data into the features of the packet data by prototype clustering, where the prototype clustering method includes a Gaussian mixture model.
102. Take the ratio of positive samples to negative samples in the packet data as the sample label value of the packet data.
The number of positive samples and the number of negative samples in the packet data are exact counts, so their ratio is an exact value; using this value as the sample label to train the attack prediction model improves the prediction accuracy of the model.
103. And performing time sequence analysis on the characteristics of the packet data to obtain the periodic characteristics of the packet data.
In the embodiment of the invention, time-series analysis of the features of the packet data exploits the temporal correlation among large numbers of attack packets, so that subsequent network attack events and/or security events can be predicted from the change in the situation of the current traffic, and the defense strategy can be adjusted in advance, before the next attack arrives.
104. Apply at least one pass of exponential smoothing to the periodic characteristics of the packet data to obtain a periodic predicted value of the packet data.
105. And training an attack prediction model based on the sample label value and the cycle prediction value of the packet data.
In the embodiment of the invention, the attack prediction model can be trained iteratively on the difference between the sample label value of the packet data (i.e. the exact value of the sample) and its periodic predicted value (i.e. the value produced by the smoothing model) until a preset condition is met, and the model at that point is taken as the final prediction model. The preset condition may be that the average difference between the sample label value and the label predicted value over the packet data is smaller than a first preset threshold, and/or that the number of packet data whose difference between sample label value and label predicted value exceeds a second preset threshold is smaller than a third preset threshold.
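Steps 101 to 104 carried through on a constructed sample stream, as an added example that is not the patent's own code (the patent gives none). It assumes each sample is a (timestamp, label) pair with label 1 for an attack sample and 0 for a benign one, fixed-length windows, lag autocorrelation as the "time sequence analysis", add-one smoothing in the ratio label so an all-attack window stays finite, and Brown's single/double exponential smoothing applied per phase of the detected period; the GMM prototype-clustering part of step 101 is not shown. Names such as build_training_residuals are this example's, not the patent's.

```python
"""Steps 101-104 as an added illustration (not the patent's code): time-window
grouping, positive/negative ratio labels, period detection and exponential
smoothing of the per-phase series.

Assumptions (not in the patent): samples are (timestamp, label) pairs with
label 1 = attack (positive), 0 = benign (negative); windows have fixed length;
the 'time sequence analysis' is lag autocorrelation; the ratio label uses
add-one smoothing so an all-attack window does not divide by zero; the
prototype clustering (GMM) step is not shown.
"""
from collections import defaultdict


def window_samples(samples, window):
    """Step 101: group (timestamp, label) samples into consecutive fixed windows."""
    groups = defaultdict(list)
    for t, label in samples:
        groups[int(t // window)].append(label)
    return [groups[k] for k in sorted(groups)]


def ratio_label(labels):
    """Step 102: (positives + 1) / (negatives + 1); add-one keeps all-attack windows finite."""
    pos = sum(labels)
    neg = len(labels) - pos
    return (pos + 1) / (neg + 1)


def dominant_period(series, max_lag):
    """Step 103: the lag with the highest autocorrelation is taken as the period."""
    n = len(series)
    mean = sum(series) / n
    dev = [x - mean for x in series]
    var = sum(d * d for d in dev)
    if var == 0:  # flat series: no periodicity to exploit
        return 1
    best_lag, best_r = 1, float("-inf")
    for lag in range(1, max_lag + 1):
        r = sum(dev[i] * dev[i - lag] for i in range(lag, n)) / var
        if r > best_r:
            best_lag, best_r = lag, r
    return best_lag


def exp_smooth(xs, alpha):
    """Single exponential smoothing: s_t = alpha*x_t + (1-alpha)*s_{t-1}, s_0 = x_0."""
    out = [xs[0]]
    for x in xs[1:]:
        out.append(alpha * x + (1 - alpha) * out[-1])
    return out


def smoothed_forecast(xs, alpha, passes=1):
    """Step 104: one-step-ahead forecast after one or two smoothing passes (0 < alpha < 1).
    Two passes is Brown's linear method, which also carries the trend forward."""
    s1 = exp_smooth(xs, alpha)
    if passes == 1:
        return s1[-1]
    s2 = exp_smooth(s1, alpha)
    level = 2 * s1[-1] - s2[-1]
    trend = alpha / (1 - alpha) * (s1[-1] - s2[-1])
    return level + trend


def periodic_forecasts(series, period, alpha, passes):
    """Forecast each window from the earlier windows in the same phase of the period.
    Windows inside the first period have no history and get None."""
    out = []
    for i in range(len(series)):
        history = [series[j] for j in range(i % period, i, period)]
        out.append(smoothed_forecast(history, alpha, passes) if history else None)
    return out


def build_training_residuals(samples, window, alpha=0.5, passes=2):
    """Run steps 101-104 and return the label/forecast residuals that step 105 trains on."""
    windows = window_samples(samples, window)
    series = [ratio_label(w) for w in windows]
    period = dominant_period(series, max_lag=len(series) // 2)
    forecasts = periodic_forecasts(series, period, alpha, passes)
    residuals = [None if f is None else y - f for y, f in zip(series, forecasts)]
    return {"series": series, "period": period, "forecasts": forecasts, "residuals": residuals}


# Constructed sample stream: (pos, neg) counts for twelve consecutive windows of
# WINDOW seconds; the attack share spikes every fourth window and grows each time.
WINDOW = 20
COUNTS = [(1, 9), (4, 4), (1, 9), (1, 9),
          (1, 9), (6, 4), (1, 9), (1, 9),
          (1, 9), (8, 4), (1, 9), (1, 9)]
SAMPLES = [(w * WINDOW + i, 1 if i < pos else 0)
           for w, (pos, neg) in enumerate(COUNTS) for i in range(pos + neg)]

if __name__ == "__main__":
    result = build_training_residuals(SAMPLES, WINDOW)
    print("detected period:", result["period"])
    for i, (y, f, r) in enumerate(zip(result["series"], result["forecasts"], result["residuals"])):
        print(f"window {i:2d} label={y:.2f} forecast={f} residual={r}")
```

On this stream the autocorrelation peaks at lag 4, so window 9 is forecast from windows 1 and 5 only. The single-pass forecast for it is 1.2 and lags the growing spike; the two-pass forecast carries the trend and gives 1.4 against a label of 1.8, leaving the residual 0.4 that the boosted model of step 105 is trained to explain from the window's own features.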
In the embodiment of the invention, several adjacent traffic flows can be aggregated and their trend analysed, so that the security situation of the whole network is predicted at a macroscopic level; the embodiment can therefore take the initiative in the face of a sustained attack and defend against it effectively. Compared with the prior art, in which the IDS has to be adjusted manually, based on expert experience, after a short large-scale attack has already broken out, the embodiment adjusts the rules automatically as the network situation changes, which reduces the false alarm rate and avoids wasted labour. At the same time, the data estimation model within a group can accurately describe the data distribution over a period of time and predict the network situation in real time, reducing the complexity of situation analysis.
Compared with the prior art, the embodiment of the invention can predict the intrusion or security events that may follow in the network from the trend of the current traffic, automatically modify the defense rules based on the prediction, achieve better network situation awareness, reduce the false alarm rate, reduce the cost of manual intervention and improve attack detection efficiency.
Another embodiment of the present invention provides a time-series-based attack prediction method, as shown in fig. 2, the method includes:
201. Convert the features of the sample data into the features of the packet data by prototype clustering.
Here the prototype clustering method includes a Gaussian mixture model.
202. Take the ratio of positive samples to negative samples in the packet data as the sample label value of the packet data.
203. And performing time sequence analysis on the characteristics of the packet data to obtain the periodic characteristics of the packet data.
In the embodiment of the invention, time-series analysis of the features of the packet data exploits the temporal correlation among large numbers of attack packets, so that subsequent network attack events and/or security events can be predicted from the change in the situation of the current traffic, and the defense strategy can be adjusted in advance, before the next attack arrives.
204. Apply at least one pass of exponential smoothing to the periodic characteristics of the packet data to obtain a periodic predicted value of the packet data.
205. Take the difference between the sample label value and the periodic predicted value of the packet data as the training data of the attack prediction model, and train the attack prediction model iteratively.
Here the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
In the embodiment of the invention, the attack prediction model can be trained iteratively on the difference between the sample label value of the packet data (i.e. the exact value of the sample) and its periodic predicted value (i.e. the value produced by the time-smoothing model) until a preset condition is met, and the model at that point is taken as the final prediction model. The preset condition may be that the average difference between the sample label value and the label predicted value over the packet data is smaller than a first preset threshold, and/or that the number of packet data whose difference between sample label value and label predicted value exceeds a second preset threshold is smaller than a third preset threshold.
206. Input the data to be detected into the attack prediction model to obtain a label predicted value of the data to be detected, where the label predicted value represents the predicted ratio of positive samples to negative samples in the data to be detected.
207. Adjust a data filtering rule based on the label predicted value of the data to be detected.
208. In response to the data to be detected matching the adjusted data filtering rule, determine that the data to be detected is attack data and discard it.
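Steps 205 to 208 on constructed data, as an added example that is not the patent's own code. The GBDT of step 205 is written out as gradient boosting of depth-1 regression trees under squared loss so the block runs without scikit-learn; the per-window features, the residual targets, the periodic forecast of the new window and the form of the filtering rule (a per-flow SYN-share ceiling tightened in proportion to the predicted attack ratio) are all assumptions of this example, and names such as ResidualGBDT and adjust_rule are its own.

```python
"""Steps 205 to 208 as an added illustration (not the patent's code): boosting on
the residual between a window's ratio label and its periodic predicted value,
then tightening a filtering rule from the model's label prediction.

Assumptions (not in the patent): the GBDT is a sum of depth-1 regression trees
(stumps) under squared loss, written out so the block runs without scikit-learn;
the per-window features, residual targets, the periodic forecast of the new
window and the filtering rule are all constructed for this example.
"""


def fit_stump(X, g):
    """Least-squares regression stump on pseudo-residuals g.
    Returns (feature, threshold, left_value, right_value); rows with
    X[i][feature] <= threshold take left_value, the rest right_value."""
    n = len(X)
    best = None
    for f in range(len(X[0])):
        values = sorted({row[f] for row in X})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0
            left = [g[i] for i in range(n) if X[i][f] <= thr]
            right = [g[i] for i in range(n) if X[i][f] > thr]
            lmean, rmean = sum(left) / len(left), sum(right) / len(right)
            sse = sum((v - lmean) ** 2 for v in left) + sum((v - rmean) ** 2 for v in right)
            if best is None or sse < best[0]:
                best = (sse, f, thr, lmean, rmean)
    if best is None:  # every feature is constant: a single leaf predicting the mean
        m = sum(g) / n
        return 0, float("inf"), m, m
    return best[1:]


class ResidualGBDT:
    """Gradient boosting of stumps, fitted to label-minus-periodic-forecast residuals."""

    def __init__(self, n_rounds=20, learning_rate=0.5):
        self.n_rounds, self.lr = n_rounds, learning_rate
        self.base, self.stumps = 0.0, []

    def fit(self, X, residuals):
        self.base = sum(residuals) / len(residuals)
        pred = [self.base] * len(X)
        for _ in range(self.n_rounds):
            g = [r - p for r, p in zip(residuals, pred)]  # negative gradient of squared loss
            f, thr, left, right = fit_stump(X, g)
            self.stumps.append((f, thr, left, right))
            pred = [p + self.lr * (left if x[f] <= thr else right) for p, x in zip(pred, X)]
        return self

    def predict(self, x):
        return self.base + self.lr * sum(
            left if x[f] <= thr else right for f, thr, left, right in self.stumps)


def predict_label_value(model, periodic_forecast, x):
    """Step 206: label prediction = periodic predicted value + learned correction."""
    return periodic_forecast + model.predict(x)


def adjust_rule(rule, predicted_ratio, sensitivity=0.5):
    """Step 207 (assumed policy): lower the tolerated per-flow SYN share as the
    predicted attack ratio rises. A negative prediction is clamped to zero so
    the rule never becomes looser than its baseline."""
    factor = 1.0 + sensitivity * max(predicted_ratio, 0.0)
    return {**rule, "max_syn_share": rule["max_syn_share"] / factor}


def is_attack(flow, rule):
    """Step 208: a flow matching the adjusted rule is attack data and is discarded."""
    return flow["syn_share"] > rule["max_syn_share"] or flow["pkt_rate"] > rule["max_pkt_rate"]


# Constructed training set: per-window features [packets/s, SYN share] and the
# residual (ratio label minus periodic predicted value) observed for that window.
TRAIN_X = [[100, 0.10], [900, 0.70], [120, 0.20], [110, 0.10],
           [130, 0.15], [950, 0.80], [105, 0.10], [115, 0.20]]
TRAIN_RESID = [0.0, 0.4, 0.0, 0.0, 0.0, 0.4, 0.0, 0.0]
BASE_RULE = {"max_syn_share": 0.6, "max_pkt_rate": 2000}


def demo():
    """Train, predict the next window's ratio, tighten the rule, test one flow."""
    model = ResidualGBDT().fit(TRAIN_X, TRAIN_RESID)
    # New window: the periodic step forecast a ratio of 1.0 for this phase
    # (assumed), and its features resemble the earlier attack windows.
    predicted = predict_label_value(model, periodic_forecast=1.0, x=[920, 0.75])
    rule = adjust_rule(BASE_RULE, predicted)
    flow = {"syn_share": 0.5, "pkt_rate": 300}  # constructed flow from that window
    return predicted, rule, is_attack(flow, BASE_RULE), is_attack(flow, rule)


if __name__ == "__main__":
    predicted, rule, before, after = demo()
    print(f"predicted ratio {predicted:.3f}; max_syn_share "
          f"{BASE_RULE['max_syn_share']} -> {rule['max_syn_share']:.3f}")
    print("flow dropped under static rule:", before, "| under adjusted rule:", after)
```

The boosted model learns that windows with a high packet rate and SYN share carry a residual of about 0.4 above the periodic forecast, so the new window's label is predicted as roughly 1.4 rather than the 1.0 the smoothing alone would give. The adjusted rule lowers the SYN-share ceiling from 0.6 to about 0.35, and a flow with a SYN share of 0.5 that the static rule would have passed is now classified as attack data and dropped; the clamp in adjust_rule is the caveat a practitioner wants, since a boosted regressor can return negative corrections and the rule must not loosen on their account.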
Another embodiment of the present invention provides an attack prediction apparatus based on time sequence, as shown in fig. 3, the apparatus includes:
the extraction module 31 is configured to perform packet processing on the sample data according to a time sequence and extract features of the packet data;
a label module 32, configured to use a ratio of positive samples and negative samples in the packet data as a sample label value of the packet data;
the analysis module 33 is configured to perform timing analysis on the characteristics of the packet data to obtain periodic characteristics of the packet data;
the processing module 34 is configured to perform at least one exponential smoothing process on the periodic characteristics of the packet data to obtain a period prediction value of the packet data;
a training module 35, configured to train an attack prediction model based on the sample label value of the packet data and the cycle prediction value.
Further, as shown in fig. 4, the apparatus further includes:
the prediction module 41 is configured to input the data to be detected into the attack prediction model to obtain a predicted label value of the data to be detected, where the predicted label value of the data to be detected is used to represent a predicted value of a ratio between a positive sample and a negative sample in the data to be detected.
The adjusting module 42 is configured to adjust a data filtering rule based on the tag prediction value of the data to be detected;
and a discarding module 43, configured to determine that the data to be detected is attack data in response to meeting the adjusted data filtering rule, and discard the attack data.
The training module 35 is further configured to perform iterative training on the attack prediction model by using a difference between the sample tag value of the packet data and the cycle prediction value as training data of the attack prediction model; wherein the attack prediction model comprises a gradient boosting decision tree GBDT regression model.
The extraction module 31 is further configured to convert the features of the sample data into the features of the packet data in a prototype clustering manner; wherein the prototype clustering means comprises a Gaussian mixture model.
Another computer-readable storage medium is provided in an embodiment of the present invention, and may be a computer-readable storage medium contained in the memory in the foregoing embodiment; or it may be a separate computer-readable storage medium not incorporated in the terminal. The computer readable storage medium stores one or more programs, and the one or more programs are used by one or more processors to execute the time-series-based attack prediction method provided by the embodiments shown in fig. 1 and fig. 2.
The time-sequence-based attack prediction device provided by the embodiment of the invention can implement the method embodiment given above; for the specific functions, refer to the description of the method embodiment, which is not repeated here. The time-sequence-based attack prediction method, device and storage medium provided by the embodiments of the invention are applicable to predicting network attacks, but their use is not limited to that.
As shown in fig. 5, the time-series-based attack prediction apparatus 500 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a personal digital assistant, or the like.
Referring to fig. 5, a timing-based attack prediction apparatus 500 may include one or more of the following components: processing component 502, memory 504, power component 506, multimedia component 508, audio component 510, input/output (I/O) interface 512, sensor component 514, and communication component 516.
The processing component 502 generally controls the overall operation of the timing based attack prediction apparatus 500, such as operations associated with display, phone calls, data communications, camera operations, and recording operations. The processing component 502 may include one or more processors 520 to execute instructions.
Further, the processing component 502 can include one or more modules that facilitate interaction between the processing component 502 and other components. For example, the processing component 502 can include a multimedia module to facilitate interaction between the multimedia component 508 and the processing component 502.
The memory 504 is configured to store various types of data to support the operation of the timing-based attack prediction apparatus 500. Examples of such data include instructions for any application or method operating on the timing-based attack prediction apparatus 500, contact data, phonebook data, messages, pictures, videos, and the like. The memory 504 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The power component 506 provides power to the various components of the timing-based attack prediction device 500. The power components 506 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the timing-based attack prediction device 500.
The multimedia component 508 includes a screen that provides an output interface between the timing based attack prediction device 500 and the user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 508 includes a front facing camera and/or a rear facing camera. When the time-series based attack prediction apparatus 500 is in an operation mode, such as a photographing mode or a video mode, the front camera and/or the rear camera may receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 510 is configured to output and/or input audio signals. For example, audio component 510 includes a Microphone (MIC) configured to receive an external audio signal when time-based attack prediction apparatus 500 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may further be stored in the memory 504 or transmitted via the communication component 516. In some embodiments, audio component 510 further includes a speaker for outputting audio signals.
The I/O interface 512 provides an interface between the processing component 502 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor component 514 includes one or more sensors for providing various aspects of state assessment for the timing-based attack prediction apparatus 500. For example, the sensor component 514 may detect an open/closed state of the timing based attack prediction device 500, a relative positioning of components, such as a display and a keypad of the timing based attack prediction device 500, the sensor component 514 may detect a change in position of the timing based attack prediction device 500 or a component of the timing based attack prediction device 500, a presence or absence of user contact with the timing based attack prediction device 500, an orientation or acceleration/deceleration of the timing based attack prediction device 500, and a change in temperature of the timing based attack prediction device 500. The sensor assembly 514 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 514 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 514 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 516 is configured to facilitate communication between the timing-based attack prediction apparatus 500 and other devices in a wired or wireless manner. The timing based attack prediction apparatus 500 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 516 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 516 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the timing-based attack prediction apparatus 500 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors, or other electronic components.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the apparatus embodiment is substantially similar to the method embodiment, it is described relatively briefly, and reference may be made to the relevant parts of the description of the method embodiment.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (7)

1. A time sequence-based attack prediction method is characterized by comprising the following steps:
performing sub-packet processing on the sample data according to a time sequence, and extracting the characteristics of the packet data;
taking the proportion of positive samples and negative samples in the packet data as a sample label value of the packet data;
performing time sequence analysis on the characteristics of the packet data to obtain the periodic characteristics of the packet data;
performing at least one exponential smoothing treatment on the periodic characteristics of the packet data to obtain a periodic predicted value of the packet data;
training an attack prediction model based on the sample label value and the periodic predicted value of the packet data;
the method further comprises the following steps:
inputting the data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, wherein the label prediction value of the data to be detected is used for representing a prediction value of a ratio between a positive sample and a negative sample in the data to be detected;
adjusting a data filtering rule based on the label predicted value of the data to be detected;
and in response to the adjusted data filtering rule, determining the data to be detected as attack data and discarding the attack data.
2. The method of claim 1, wherein training an attack prediction model based on the sample label value and the periodic predicted value of the packet data comprises:
taking the difference between the sample label value and the periodic predicted value of the packet data as training data of the attack prediction model, and performing iterative training on the attack prediction model; wherein the attack prediction model comprises a gradient boosting decision tree (GBDT) regression model.
3. The method according to claim 1, wherein performing sub-packet processing on the sample data according to a time sequence and extracting the characteristics of the packet data comprises:
converting the characteristics of the sample data into the characteristics of the packet data in a prototype clustering manner; wherein the prototype clustering manner comprises a Gaussian mixture model.
4. A timing-based attack prediction apparatus, comprising:
the extraction module is used for performing sub-packet processing on the sample data according to the time sequence and extracting the characteristics of the packet data;
the label module is used for taking the proportion of the positive sample and the negative sample in the packet data as a sample label value of the packet data;
the analysis module is used for carrying out time sequence analysis on the characteristics of the packet data to obtain the periodic characteristics of the packet data;
the processing module is used for performing at least one exponential smoothing treatment on the periodic characteristics of the packet data to obtain a periodic predicted value of the packet data;
the training module is used for training an attack prediction model based on the sample label value and the periodic predicted value of the packet data;
the device further comprises:
the prediction module is used for inputting the data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, and the label prediction value of the data to be detected is used for representing a prediction value of a ratio between a positive sample and a negative sample in the data to be detected;
the adjusting module is used for adjusting the data filtering rule based on the label predicted value of the data to be detected;
and the discarding module is used for, in response to the adjusted data filtering rule, determining the data to be detected as attack data and discarding the attack data.
5. The timing-based attack prediction apparatus according to claim 4,
the training module is further used for taking the difference between the sample label value and the periodic predicted value of the packet data as training data of the attack prediction model and performing iterative training on the attack prediction model; wherein the attack prediction model comprises a gradient boosting decision tree (GBDT) regression model.
6. The timing-based attack prediction apparatus according to claim 4,
the extraction module is further configured to convert the characteristics of the sample data into the characteristics of the packet data in a prototype clustering manner; wherein the prototype clustering manner comprises a Gaussian mixture model.
7. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, carries out the steps of the method of any one of claims 1 to 3.
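As an added example (not the patent's own code), the following Python walks the claimed pipeline on constructed data: time-ordered sub-packeting, the positive/negative ratio as the sample label value, per-phase exponential smoothing as the periodic predicted value, the label-minus-prediction residual that the GBDT would be trained on, and a hypothetical per-source rate-limit rule adjusted from the predicted label value. The window length, period, smoothing factor and the rule itself are assumptions, and a per-phase mean residual stands in for the GBDT so the block runs without dependencies.

```python
# Added illustration of the claimed pipeline, not the patent's own code. Samples are (timestamp_seconds, label),
# 1 = positive (attack); window, period, alpha, the rate-limit rule and the per-phase mean residual (GBDT stand-in) are assumptions.
from collections import Counter, defaultdict

def packetize(samples, window):
    """Sub-packet processing: group samples into fixed-length windows in time order."""
    buckets = defaultdict(list)
    for ts, label in sorted(samples):
        buckets[ts // window].append(label)
    return [buckets[k] for k in sorted(buckets)]

def ratio_label(labels):
    """Sample label value: positives divided by negatives (zero negatives counted as one)."""
    pos = sum(labels)
    return pos / max(len(labels) - pos, 1)

def periodic_smoothing(series, period, alpha):
    """Periodic characteristics with one exponential smoothing per phase (index mod period).
    Entry i is the one-step-ahead prediction for window i; the extra last entry is the next window's."""
    preds = [0.0] * (len(series) + 1)
    for phase in range(period):
        state = series[phase] if phase < len(series) else 0.0
        for i in range(phase, len(series) + 1, period):
            preds[i] = state                              # forecast made before seeing window i
            if i < len(series):
                state = alpha * series[i] + (1 - alpha) * state
    return preds

def predict_next(labels, preds, period):
    """Label prediction value for the next window: periodic prediction plus a residual model.
    Residuals (label minus periodic prediction) are the GBDT's training target in the patent;
    the stand-in residual model here is the mean residual of the same phase."""
    resid = [l - p for l, p in zip(labels, preds)]
    nxt = len(labels)
    same = [r for i, r in enumerate(resid) if i % period == nxt % period]
    return preds[nxt] + (sum(same) / len(same) if same else 0.0)

def adjust_rule(predicted_ratio, base_limit=120):
    """Hypothetical filtering rule: per-source request limit shrinks as the predicted ratio rises."""
    return max(1, int(base_limit / (1 + predicted_ratio)))

def apply_rule(sources, limit):
    """Sources whose request count exceeds the adjusted limit are attack data and are discarded."""
    counts = Counter(sources)
    kept = [s for s in sources if counts[s] <= limit]
    return kept, len(sources) - len(kept)

# Constructed sample: eight one-minute windows, period 4, attack burst in phase 0 of each period.
SAMPLES = []
for w in range(8):
    n_pos, n_neg = {0: (3, 1), 4: (5, 1)}.get(w, (1, 4))
    SAMPLES += [(w * 60 + i, 1) for i in range(n_pos)] + [(w * 60 + 10 + i, 0) for i in range(n_neg)]
```

With these constructed samples the phase-0 burst in the second period lifts the next-window prediction to 5.0, which tightens the hypothetical limit from 120 to 20 requests per source.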
CN201910201214.8A 2019-03-18 2019-03-18 Attack prediction method and device based on time sequence and storage medium Active CN109951476B (en)

Publications (2)

Publication Number Publication Date
CN109951476A CN109951476A (en) 2019-06-28
CN109951476B true CN109951476B (en) 2021-06-22


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant