CN111953712B - Intrusion detection method and device based on feature fusion and density clustering - Google Patents


Info

Publication number: CN111953712B
Authority: CN (China)
Application number: CN202010911416.4A
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111953712A (en
Prior art keywords: feature extraction, vector, feature, sample, feature vector
Inventors: 董伟, 冯志, 李致成, 赵云飞, 许伟, 孟贵民, 兰培霖, 李仕奇, 王春霞, 胡睿
Current Assignee: 6th Research Institute of China Electronics Corp
Original Assignee: 6th Research Institute of China Electronics Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/23 Clustering techniques
    • G06F18/25 Fusion techniques
    • G06F18/253 Fusion techniques of extracted features
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent

Abstract

The application provides an intrusion detection method and device based on feature fusion and density clustering. The intrusion detection method comprises the following steps: acquiring an initial feature vector corresponding to a message to be detected; inputting the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector; and inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a network intrusion detection result. The network intrusion situation is thus determined by examining the feature vector corresponding to the communication message, so the intruded message can be located directly and the intrusion type determined, which reduces troubleshooting time, improves the efficiency of network intrusion detection, and ensures network security promptly and effectively.

Description

Intrusion detection method and device based on feature fusion and density clustering
Technical Field
The present application relates to the field of network security technologies, and in particular, to an intrusion detection method and apparatus based on feature fusion and density clustering.
Background
With the rapid development of internet technology, data packets in a communication network, and even the network itself, may be tampered with or forged by an intruder during communication because of vulnerabilities or security defects in the network, causing the content of network communication to be leaked and even affecting the normal operation of the whole network.
Most current intrusion detection systems infer that an abnormal intrusion may exist in a network only after observing that the network is abnormal, and then investigate the intruded message, the network location and the intrusion type from the result of the intrusion. This investigation is inefficient, and the intrusion may already have ended within the investigation period, so network security cannot be guaranteed.
Disclosure of Invention
In view of this, an object of the present application is to provide an intrusion detection method and device based on feature fusion and density clustering that determine the network intrusion situation by examining the feature vector corresponding to a communication message, so that the intruded message can be located directly and the intrusion type determined, which reduces troubleshooting time, helps improve the efficiency of network intrusion detection, and ensures network security promptly and effectively.
An embodiment of the application provides an intrusion detection method based on feature fusion and density clustering, the intrusion detection method comprising the following steps:
acquiring an initial feature vector corresponding to a message to be detected;
inputting the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector;
and inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a network intrusion detection result.
Further, the feature extraction network includes multiple feature extraction layers connected in sequence, and the step of inputting the initial feature vector into the feature extraction network to obtain a dimension-reduced feature vector includes:
according to the arrangement order of the multiple feature extraction layers, taking the first feature extraction layer as the current feature extraction layer;
inputting the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector;
and, following the arrangement order, taking the feature extraction layer after the current feature extraction layer as the new current feature extraction layer and the intermediate feature vector as the new current feature vector, inputting it into that layer, and continuing feature extraction until a preset number of extractions is reached, at which point feature extraction stops and the dimension-reduced feature vector is obtained, wherein the preset number is equal to the number of feature extraction layers.
Further, each feature extraction layer includes at least one feature extraction unit, and the step of inputting the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector includes:
for each feature extraction unit, multiplying each element of the current feature vector by the weight coefficient corresponding to the feature extraction unit, and adding the resulting products to obtain an intermediate feature value;
and combining the resulting intermediate feature values in the order of their corresponding feature extraction units to obtain the intermediate feature vector.
Further, the step of inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a network intrusion detection result includes:
determining a preset neighborhood radius and a point threshold;
determining, for each element of the dimension-reduced feature vector, the number of elements within its neighborhood radius;
for each element, if the number of elements within its neighborhood radius is greater than or equal to the point threshold, determining the element to be a core element and forming a corresponding temporary cluster from the elements that are directly density-reachable from it;
for each temporary cluster formed, merging the temporary clusters that share the same core elements to obtain a plurality of clusters;
and determining the network intrusion detection result based on the label of each cluster.
Further, the intrusion detection model is trained by:
obtaining a plurality of sample messages and a sample label corresponding to each sample message;
inputting the sample feature vector of each sample message into the feature extraction network to obtain a dimension-reduced sample vector;
for each sample message, inputting the corresponding dimension-reduced sample vector and the corresponding sample label into the constructed density clustering model to obtain a prediction label corresponding to the sample feature vector;
determining a deviation value between the prediction label of each sample message and the sample label of that sample message;
if the deviation value corresponding to a sample message is greater than a preset deviation threshold, adjusting the parameters of the density clustering model until the deviation value corresponding to every sample message is less than or equal to the preset deviation threshold, at which point the density clustering model is determined to be trained and is taken as the trained intrusion detection model.
An embodiment of the present application further provides an intrusion detection device based on feature fusion and density clustering, the intrusion detection device including:
a vector acquisition module, configured to acquire an initial feature vector corresponding to the message to be detected;
a vector dimension reduction module, configured to input the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector;
and an intrusion detection module, configured to input the dimension-reduced feature vector into a trained intrusion detection model to obtain a network intrusion detection result.
Further, the feature extraction network includes a plurality of feature extraction layers connected in sequence, and the vector dimension reduction module, when inputting the initial feature vector into the feature extraction network to obtain the dimension-reduced feature vector, is configured to:
according to the arrangement order of the multiple feature extraction layers, take the first feature extraction layer as the current feature extraction layer;
input the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector;
and, following the arrangement order, take the feature extraction layer after the current feature extraction layer as the new current feature extraction layer and the intermediate feature vector as the new current feature vector, input it into that layer, and continue feature extraction until a preset number of extractions is reached, at which point feature extraction stops and the dimension-reduced feature vector is obtained, wherein the preset number is equal to the number of feature extraction layers.
Further, each feature extraction layer includes at least one feature extraction unit, and the vector dimension reduction module, when inputting the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector, is configured to:
for each feature extraction unit, multiply each element of the current feature vector by the weight coefficient corresponding to the feature extraction unit, and add the resulting products to obtain an intermediate feature value;
and combine the resulting intermediate feature values in the order of their corresponding feature extraction units to obtain the intermediate feature vector.
Further, the intrusion detection module, when inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a network intrusion detection result, is configured to:
determine a preset neighborhood radius and a point threshold;
determine, for each element of the dimension-reduced feature vector, the number of elements within its neighborhood radius;
for each element, if the number of elements within its neighborhood radius is greater than or equal to the point threshold, determine the element to be a core element and form a corresponding temporary cluster from the elements that are directly density-reachable from it;
for each temporary cluster formed, merge the temporary clusters that share the same core elements to obtain a plurality of clusters;
and determine the network intrusion detection result based on the label of each cluster.
Further, the intrusion detection device further comprises a model training module, wherein the model training module is configured to:
obtain a plurality of sample messages and a sample label corresponding to each sample message;
input the sample feature vector of each sample message into the feature extraction network to obtain a dimension-reduced sample vector;
for each sample message, input the corresponding dimension-reduced sample vector and the corresponding sample label into the constructed density clustering model to obtain a prediction label corresponding to the sample feature vector;
determine a deviation value between the prediction label of each sample message and the sample label of that sample message;
if the deviation value corresponding to a sample message is greater than a preset deviation threshold, adjust the parameters of the density clustering model until the deviation value corresponding to every sample message is less than or equal to the preset deviation threshold, at which point the density clustering model is determined to be trained and is taken as the trained intrusion detection model.
An embodiment of the present application further provides an electronic device including a processor, a memory and a bus, wherein the memory stores machine-readable instructions executable by the processor; when the electronic device runs, the processor and the memory communicate through the bus, and the machine-readable instructions, when executed by the processor, perform the steps of the intrusion detection method based on feature fusion and density clustering described above.
An embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the intrusion detection method based on feature fusion and density clustering described above are performed.
The intrusion detection method and device based on feature fusion and density clustering provided by the embodiments of the application acquire an initial feature vector corresponding to a message to be detected; input the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector; and input the dimension-reduced feature vector into a trained intrusion detection model to obtain a network intrusion detection result.
In this way, the initial feature vector of the message to be detected is input into the feature extraction network and reduced in dimension to obtain the dimension-reduced feature vector, the dimension-reduced feature vector is input into the trained intrusion detection model, and the network intrusion detection result is determined, so that the intruded message can be located directly and the intrusion type determined, which reduces investigation time, improves the efficiency of network intrusion detection, and ensures network security promptly and effectively.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting its scope; those skilled in the art can obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a flowchart of an intrusion detection method based on feature fusion and density clustering according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of an intrusion detection method based on feature fusion and density clustering according to another embodiment of the present application;
Fig. 3 is a schematic diagram of a feature extraction network;
Fig. 4 is a schematic structural diagram of an intrusion detection device based on feature fusion and density clustering according to an embodiment of the present disclosure;
Fig. 5 is a second schematic structural diagram of an intrusion detection device based on feature fusion and density clustering according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. The described embodiments are obviously only a part of the embodiments of the present application, not all of them. The components of the embodiments of the present application, as generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. Every other embodiment that a person skilled in the art can obtain from the embodiments of the present application without creative effort falls within the protection scope of the present application.
First, an application scenario to which the present application is applicable is described. The method and the device can be applied to the technical field of network security. Network attacks (also known as cyber attacks) refer to any type of offensive action directed at a computer information system, infrastructure, computer network, or personal computer device. For computers and computer networks, destroying, exposing, modifying or disabling software or services, or stealing or accessing data on any computer without authorization, is considered an attack on the computer and computer network, so network intrusion detection must be performed on the network to ensure network security.
Research shows that most current intrusion detection systems infer that an abnormal intrusion may exist in a network only after observing that the network is abnormal, and then investigate the intruded message, the network location and the intrusion type from the result of the intrusion. This investigation is inefficient, and the intrusion may already have ended within the investigation period, so network security cannot be guaranteed.
Based on this, an embodiment of the application provides an intrusion detection method based on feature fusion and density clustering that can directly locate an intruded message and determine the intrusion type, which reduces troubleshooting time, helps improve the efficiency of network intrusion detection, and ensures network security promptly and effectively.
Referring to Fig. 1, Fig. 1 is a flowchart of a method for intrusion detection based on feature fusion and density clustering in a network according to an embodiment of the present disclosure. As shown in Fig. 1, an intrusion detection method based on feature fusion and density clustering provided in an embodiment of the present application includes:
S101. Obtaining an initial feature vector corresponding to the message to be detected.
In this step, the initial feature vector of the message to be detected is obtained from the network.
Here, the initial feature vector may include the IP address of the corresponding message, the forwarding router, the data block carried by the message, the length of the message, and the authentication information of the message.
The message to be detected may have one initial feature vector or several.
S102. Inputting the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector.
In this step, the initial feature vector corresponding to the message to be detected, acquired in step S101, is input into the feature extraction network to obtain the dimension-reduced feature vector.
Here, the feature extraction network may be a BP (back propagation) neural network. The BP neural network has the following advantages: it has strong nonlinear mapping capability and a flexible network structure, the number of intermediate layers and the number of neurons in each layer can be set arbitrarily according to the specific situation, and its performance varies with the structure. Specifically:
Nonlinear mapping capability: the BP neural network essentially implements a mapping function from input to output, and mathematical theory proves that a three-layer neural network can approximate any nonlinear continuous function to arbitrary precision. This makes it particularly suitable for solving problems with complex internal mechanisms.
Self-learning ability: the BP neural network can learn automatically through training and extract the "rules" between input data and output, and the weights of the neural network store what has been learned.
Generalization ability: the detection capability of the model on data of unknown types; that is, the BP neural network is able to apply what it has learned to new knowledge.
Here, inputting the initial feature vector into the feature extraction network reduces its dimension effectively for subsequent processing of the feature vector, and classifying the dimension-reduced feature vector gives a good classification effect and more accurate classification.
S103. Inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a network intrusion detection result.
In this step, the dimension-reduced feature vector obtained in step S102 is input into the trained intrusion detection model and cluster-classified to obtain the class to which the message to be detected belongs, and the network intrusion detection result is determined from that class.
Here, the trained intrusion detection model may perform classification using DBSCAN (Density-Based Spatial Clustering of Applications with Noise), a representative density-based clustering model; compared with other clustering methods, density-based clustering can find clusters of various shapes and sizes in noisy data.
Here, to obtain the network intrusion detection result, the intrusion detection model may classify the initial feature vectors of the messages to be detected, determine the label corresponding to each message to be detected from the classification result, and determine the network intrusion detection result from that label.
The network intrusion detection result may include two outcomes: network attack and non-network attack.
The intrusion detection method based on feature fusion and density clustering provided by the embodiment of the application obtains an initial feature vector corresponding to a message to be detected; inputs the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector; and inputs the dimension-reduced feature vector into a trained intrusion detection model to obtain a network intrusion detection result.
In this way, the initial feature vector of the message to be detected is input into the feature extraction network and reduced in dimension to obtain the dimension-reduced feature vector, the dimension-reduced feature vector is input into the trained intrusion detection model, and the network intrusion detection result is determined, so that the intruded message can be located directly and the intrusion type determined, which reduces investigation time, improves the efficiency of network intrusion detection, and ensures network security promptly and effectively.
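The pipeline of steps S101 to S103, sketched as an added example that is not code from the patent: each feature extraction unit is a plain weighted sum as the text describes, clusters are built from core elements and merged when they share one, and a new message takes the label of the nearest core within the neighborhood radius. The weights, sample vectors, labels, the majority-vote cluster labelling and the "unclassified" outcome for noise are all assumptions made for illustration.

```python
import math
from collections import Counter

NOISE = -1

def extract_features(vector, layers):
    """Pass a vector through the layers in order; each unit is a weighted sum."""
    current = list(vector)
    for layer in layers:  # one row of weights per feature extraction unit
        current = [sum(w * x for w, x in zip(unit, current)) for unit in layer]
    return current

def density_cluster(points, radius, min_points):
    """Return (cluster id per point, indices of core points); noise gets -1."""
    n = len(points)
    # Neighborhood of each point, counting the point itself.
    hood = [[j for j in range(n) if math.dist(points[i], points[j]) <= radius]
            for i in range(n)]
    cores = [i for i in range(n) if len(hood[i]) >= min_points]
    core_set = set(cores)
    parent = {i: i for i in cores}

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    # The temporary cluster of core i is hood[i]; two temporary clusters
    # that contain the same core element are merged.
    for i in cores:
        for j in hood[i]:
            if j in core_set:
                parent[find(j)] = find(i)

    assignment = [NOISE] * n
    ids = {}
    for i in cores:
        assignment[i] = ids.setdefault(find(i), len(ids))
    for i in cores:  # border points join the first core cluster that reaches them
        for j in hood[i]:
            if assignment[j] == NOISE:
                assignment[j] = assignment[i]
    return assignment, cores

def train(samples, labels, layers, radius, min_points):
    """Cluster labelled samples; label each cluster by majority vote (assumption)."""
    reduced = [extract_features(s, layers) for s in samples]
    assignment, cores = density_cluster(reduced, radius, min_points)
    votes = {}
    for cid, label in zip(assignment, labels):
        if cid != NOISE:
            votes.setdefault(cid, Counter())[label] += 1
    return {
        "layers": layers,
        "radius": radius,
        "cores": [(reduced[i], assignment[i]) for i in cores],
        "cluster_label": {c: v.most_common(1)[0][0] for c, v in votes.items()},
        "assignment": assignment,
    }

def detect(message_vector, model):
    """Label a new message by its nearest core within the radius, else 'unclassified'."""
    point = extract_features(message_vector, model["layers"])
    best = min(model["cores"], key=lambda c: math.dist(point, c[0]), default=None)
    if best is None or math.dist(point, best[0]) > model["radius"]:
        return "unclassified"  # outside every dense region: leave for analyst review
    return model["cluster_label"][best[1]]

# Constructed data: 4 numerically encoded, pre-scaled message features per sample.
LAYERS = [
    [[0.5, 0.5, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]],  # layer 1: 4 -> 3
    [[1, 0, 0], [0, 0.5, 0.5]],                      # layer 2: 3 -> 2
]
SAMPLES = [
    [1, 1, 1, 1], [1, 2, 1, 1], [2, 1, 1, 2], [1, 1, 2, 2],  # normal traffic
    [8, 8, 9, 9], [9, 8, 9, 8], [8, 9, 8, 8], [9, 9, 9, 9],  # attack traffic
    [4, 6, 5, 5],                                            # isolated sample
]
LABELS = ["normal"] * 4 + ["attack"] * 4 + ["normal"]
RADIUS, MIN_POINTS = 1.1, 3

if __name__ == "__main__":
    model = train(SAMPLES, LABELS, LAYERS, RADIUS, MIN_POINTS)
    for msg in ([2, 2, 1, 1], [9, 9, 8, 8], [5, 5, 1, 9]):
        print(msg, "->", detect(msg, model))
```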
Referring to fig. 2, fig. 2 is a flowchart of an intrusion detection method based on feature fusion and density clustering according to another embodiment of the present application. As shown in fig. 2, an intrusion detection method based on feature fusion and density clustering provided in an embodiment of the present application includes:
s201, obtaining an initial characteristic vector corresponding to the message to be detected.
S202, according to the arrangement sequence of the multiple layers of feature extraction layers, taking the feature extraction layer at the head as the current feature extraction layer.
In this step, the arrangement order of the plurality of feature extraction layers connected in sequence in the feature extraction network is set, and the feature extraction layer with the top order is set as the current feature extraction layer.
Here, the feature extraction network includes a plurality of feature extraction layers, and inputting the initial feature vector into the feature extraction network means performing feature extraction repeatedly, once in each of those layers.
S203, inputting the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector.
In this step, the initial feature vector acquired in step S201 is input, as the current feature vector, into the current feature extraction layer determined in step S202, so as to obtain an intermediate feature vector.
The feature extraction layers are arranged in sequence in the feature extraction network; the initial feature vector is input into the first feature extraction layer, and each layer outputs an intermediate feature vector after performing feature extraction.
S204, according to the arrangement order, taking the feature extraction layer after the current feature extraction layer as the new current feature extraction layer, taking the intermediate feature vector as the current feature vector and inputting it into that layer, and continuing feature extraction until a preset number of extractions is reached, whereupon feature extraction stops and the dimension-reduced feature vector is obtained, wherein the preset number is equal to the number of feature extraction layers.
In this step, after feature extraction by the first feature extraction layer in step S202, the feature extraction layer located after the current feature extraction layer in the arrangement order is taken as the new current feature extraction layer, and the intermediate feature vector output by the first feature extraction layer (the previous current layer) is input into it as the current feature vector. Feature extraction continues in this way until the number of extractions reaches the preset number, at which point it stops and the dimension-reduced feature vector is obtained.
The preset number is equal to the number of feature extraction layers.
Each feature extraction layer performs feature extraction on the intermediate feature vector produced by the previous layer: the output of one layer is the input of the next, and this repeats until the last feature extraction layer produces its output, which is the dimension-reduced feature vector.
S205, inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a detection result of network intrusion.
For S201 and S205, refer to the descriptions of S101 and S103; the same technical effect can be achieved, and the details are not repeated here.
Further, each feature extraction layer includes at least one feature extraction unit, and step S203 includes: for each feature extraction unit, multiplying each element of the current feature vector by the weight coefficient corresponding to that feature extraction unit, and adding the resulting products to obtain an intermediate feature value; and combining the determined intermediate feature values in the order of their corresponding feature extraction units to obtain the intermediate feature vector.
In this step, each feature extraction layer includes a plurality of feature extraction units. For each unit, every element of the current feature vector input to the layer is multiplied by the weight coefficient corresponding to that unit, and the resulting products are added to obtain an intermediate feature value; the intermediate feature values are then combined in the order of their corresponding feature extraction units to obtain the intermediate feature vector.
Here, for the above example, when the feature extraction network is a BP neural network, each feature extraction unit in a feature extraction layer may be a single neuron, and the mathematical model of each neuron is:
$H(x) = F(\omega \cdot x + \theta)$
where $F(x)$ is an activation function, $\theta$ is an offset value, and $\omega$ is the weight.
Referring to fig. 3, fig. 3 is a schematic diagram of a feature extraction network. The input initial feature vector $(X_1, X_2, X_3, \ldots, X_{n-2}, X_{n-1}, X_n)$ passes through three feature extraction layers, the last of which includes three feature extraction units, and the output dimension-reduced feature vector is $(Y_1, Y_2, Y_3)$. The feature extraction network thus converts the initial feature vector $(X_1, X_2, X_3, \ldots, X_{n-2}, X_{n-1}, X_n)$ into the three-dimensional dimension-reduced feature vector $(Y_1, Y_2, Y_3)$, reducing the vector from n dimensions to three dimensions.
Further, step S205 includes: determining a preset neighborhood radius and a point threshold; determining, for each element in the dimension-reduced feature vector, the number of elements within that element's neighborhood radius; for each element, if the number of elements within its neighborhood radius is greater than or equal to the point threshold, determining the element as a core element, and forming a corresponding temporary cluster from the elements that are directly density-reachable from that element; for the temporary clusters thus formed, merging the temporary clusters that share the same core element to obtain a plurality of clusters; and determining the detection result of the network intrusion based on the label of each cluster.
In this step, a preset neighborhood radius and a point threshold are determined, and the number of elements within the neighborhood radius of each element in the dimension-reduced feature vector is determined. For each element, if the number of elements within its neighborhood radius is greater than or equal to the point threshold, the element is determined to be a core element, and a corresponding temporary cluster is formed from the elements that are directly density-reachable from it. The temporary clusters that share the same core element are then merged to obtain a plurality of clusters, the label of each cluster is determined, and the network intrusion result of the message to be detected is determined based on the label of the largest cluster.
Here, the density clustering algorithm needs to determine neighborhoods and core elements in order to determine the clusters.
Here, the relationships between elements can be classified as directly density-reachable, density-reachable, and density-connected. Directly density-reachable is defined as: for a sample set D, if sample point q is within the ε-neighborhood of p and p is a core object, then object q is directly density-reachable from object p. Density-reachable is defined as: for a sample set D, given a chain of sample points $p_1, p_2, \ldots, p_n$ with $p = p_1$ and $q = p_n$, object q is density-reachable from object p provided that $p_i$ is directly density-reachable from $p_{i-1}$ (i is a positive integer greater than or equal to 1 and less than or equal to n). Density-connected is defined as: if there is a point o in the sample set D such that object p and object q are both density-reachable from object o, then p and q are density-connected. In the embodiment of the application, the temporary cluster is determined from the directly density-reachable points of each core element, and the clusters are then determined from the temporary clusters.
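The layer-by-layer extraction of S203 and S204 and the density clustering of S205 can be followed end to end in the added Python example below, which is not code from the patent. It assumes a sigmoid activation, constructed (untrained) weights and sample vectors, a neighborhood count that includes the element itself, and a majority vote over labeled samples as the cluster label; the names `LAYERS`, `SAMPLES` and `detect` are hypothetical.

```python
import math
from collections import Counter


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def extract_layer(x, weights, offsets):
    """One feature extraction layer: unit k outputs F(w_k . x + theta_k)."""
    return [sigmoid(sum(w * xi for w, xi in zip(w_k, x)) + theta_k)
            for w_k, theta_k in zip(weights, offsets)]


def reduce_dimension(x, layers):
    """Pass the vector through every layer in order; the output of one layer
    is the input of the next, so the loop runs len(layers) times."""
    current = list(x)
    for weights, offsets in layers:
        current = extract_layer(current, weights, offsets)
    return current


def density_cluster(points, eps, min_pts):
    """Return one cluster id per point (-1 means not in any cluster)."""
    n = len(points)
    # Neighborhood of each element (assumption: the element counts itself).
    hoods = [{j for j in range(n) if math.dist(points[i], points[j]) <= eps}
             for i in range(n)]
    cores = [i for i in range(n) if len(hoods[i]) >= min_pts]
    # The temporary cluster of core c is hoods[c], its directly
    # density-reachable elements. Union-find merges temporary clusters
    # that contain the same core element.
    parent = {c: c for c in cores}

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]
            c = parent[c]
        return c

    for c in cores:
        for j in hoods[c]:
            if j in parent:
                parent[find(j)] = find(c)
    ids, labels = {}, [-1] * n
    for c in cores:
        labels[c] = ids.setdefault(find(c), len(ids))
    for c in cores:  # attach non-core (border) elements to a cluster
        for j in hoods[c]:
            if labels[j] == -1:
                labels[j] = labels[c]
    return labels


def detect(message, samples, layers, eps, min_pts):
    """Cluster the reduced message together with the reduced labeled samples
    and return the majority sample label of its cluster (assumed rule)."""
    points = [reduce_dimension(x, layers) for x, _ in samples]
    points.append(reduce_dimension(message, layers))
    labels = density_cluster(points, eps, min_pts)
    if labels[-1] == -1:
        return "unknown"
    votes = Counter(tag for (_, tag), cid in zip(samples, labels)
                    if cid == labels[-1])
    return votes.most_common(1)[0][0] if votes else "unknown"


# Constructed weights (not trained): 6 -> 4 -> 3 dimensions.
LAYERS = [
    ([[2, 2, 2, -2, -2, -2], [-2, -2, -2, 2, 2, 2],
      [1, 1, 1, 1, 1, 1], [2, 0, 0, -2, 0, 0]], [0, 0, -3, 0]),
    ([[3, -3, 0, 0], [0, 0, 0, 3], [-3, 3, 0, 0]], [0, -1.5, 0]),
]

# Constructed, labeled sample feature vectors (positive and negative samples).
SAMPLES = [
    ((0.10, 0.10, 0.10, 0.90, 0.90, 0.90), "normal"),
    ((0.15, 0.05, 0.10, 0.85, 0.90, 0.95), "normal"),
    ((0.05, 0.10, 0.15, 0.90, 0.95, 0.85), "normal"),
    ((0.10, 0.15, 0.05, 0.95, 0.85, 0.90), "normal"),
    ((0.90, 0.90, 0.90, 0.10, 0.10, 0.10), "intrusion"),
    ((0.85, 0.95, 0.90, 0.15, 0.10, 0.05), "intrusion"),
    ((0.95, 0.90, 0.85, 0.10, 0.05, 0.15), "intrusion"),
    ((0.90, 0.85, 0.95, 0.05, 0.15, 0.10), "intrusion"),
]

if __name__ == "__main__":
    for msg in [(0.85, 0.90, 0.95, 0.10, 0.15, 0.05), (0.5,) * 6]:
        print(msg, "->", detect(msg, SAMPLES, LAYERS, eps=0.2, min_pts=3))
```

A message whose reduced vector lies in no core element's neighborhood gets cluster id -1 and is reported as "unknown" rather than being forced into the nearest cluster.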
Further, the intrusion detection model is trained by the following steps: obtaining a plurality of sample messages and a sample label corresponding to each sample message; inputting the sample feature vector of each sample message into a feature extraction network to obtain a dimension-reduced sample vector; for each sample message, inputting the corresponding dimension-reduced sample vector and the corresponding sample label into the constructed density clustering model to obtain a prediction label corresponding to the sample feature vector; determining a deviation value between the prediction label of each sample message and the sample label of that sample message; and, if the deviation value corresponding to a sample message is greater than a preset deviation threshold, adjusting parameters in the density clustering model until the deviation value corresponding to each sample message is less than or equal to the preset deviation threshold, determining that the density clustering model is trained, and determining the trained density clustering model as the trained intrusion detection model.
In this step, a plurality of sample messages and the sample label corresponding to each sample message are obtained. For each sample message, the corresponding sample feature vector is input into the feature extraction network to obtain a dimension-reduced sample vector, and that vector and the corresponding sample label are input into the constructed density clustering model to obtain a prediction label corresponding to the sample feature vector. A deviation value between the prediction label and the sample label of the sample message is then determined, and it is determined whether the deviation value of each sample message is greater than a preset deviation threshold. If the deviation value of a sample message is greater than the preset deviation threshold, the parameters in the constructed density clustering model continue to be adjusted until the deviation value corresponding to each sample message is less than or equal to the preset deviation threshold. At this point the density clustering model is determined to be trained, the trained density clustering model is determined as the trained intrusion detection model, and the model training process ends.
Here, a sample message is a communication message used in a historical communication process for which it is already known whether or not it is an intruded message; that is, each sample message is a labeled message.
Here, when training the model, the selected sample messages include both positive samples and negative samples, that is, both non-intruded sample messages and intruded sample messages, so as to keep the model training balanced.
The intrusion detection method based on feature fusion and density clustering provided by the embodiment of the application obtains an initial feature vector corresponding to a message to be detected; takes, according to the arrangement order of the multiple feature extraction layers, the first feature extraction layer as the current feature extraction layer; inputs the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector; according to the arrangement order, takes the feature extraction layer after the current feature extraction layer as the new current feature extraction layer, takes the intermediate feature vector as the current feature vector and inputs it into that layer, and continues feature extraction until a preset number of extractions is reached, whereupon feature extraction stops and the dimension-reduced feature vector is obtained, wherein the preset number is equal to the number of feature extraction layers; and inputs the dimension-reduced feature vector into a trained intrusion detection model to obtain a detection result of network intrusion.
Therefore, the initial feature vector of the message to be detected is input into the feature extraction network and reduced in dimension to obtain the dimension-reduced feature vector, which is then input into the trained intrusion detection model to determine the detection result of network intrusion. In this way the intruded message can be located directly and the intrusion type determined, which reduces investigation time, improves the efficiency of network intrusion detection, and ensures network security effectively and in a timely manner.
Referring to fig. 4 and 5, fig. 4 is a first schematic structural diagram of an intrusion detection device based on feature fusion and density clustering according to an embodiment of the present disclosure, and fig. 5 is a second schematic structural diagram of an intrusion detection device based on feature fusion and density clustering according to an embodiment of the present disclosure. As shown in fig. 4, the intrusion detection device 400 includes:
a vector obtaining module 410, configured to obtain an initial feature vector corresponding to the message to be detected;
a vector dimension reduction module 420, configured to input the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector;
and an intrusion detection module 430, configured to input the dimension-reduced feature vector into a trained intrusion detection model to obtain a detection result of network intrusion.
Further, as shown in fig. 5, the intrusion detection device 400 further includes a model training module 440, where the model training module 440 is configured to:
obtaining a plurality of sample messages and a sample label corresponding to each sample message;
inputting the sample feature vector of each sample message into a feature extraction network to obtain a reduced-dimension sample vector;
for each sample message, inputting the corresponding dimension-reduced sample vector and the corresponding sample label into the constructed density clustering model to obtain a prediction label corresponding to the sample feature vector;
determining a deviation value between a prediction label of each sample message and a sample label of the sample message;
if the deviation value corresponding to the sample message is larger than a preset deviation threshold value, adjusting parameters in the density clustering model until the deviation value corresponding to each sample message is smaller than or equal to the preset deviation threshold value, determining that the density clustering model is trained, and determining the trained density clustering model as the trained intrusion detection model.
Further, the feature extraction network includes multiple feature extraction layers connected in sequence, and when the vector dimension reduction module 420 is configured to input the initial feature vector into the feature extraction network to obtain a dimension-reduced feature vector, the vector dimension reduction module 420 is configured to:
according to the arrangement sequence of the multiple layers of feature extraction layers, taking the feature extraction layer at the head as the current feature extraction layer;
inputting the initial feature vector serving as a current feature vector into the current feature extraction layer to obtain an intermediate feature vector;
and according to the arrangement order, taking the feature extraction layer after the current feature extraction layer as the new current feature extraction layer, taking the intermediate feature vector as the current feature vector and inputting it into that layer, and continuing feature extraction until a preset number of extractions is reached, whereupon feature extraction stops and the dimension-reduced feature vector is obtained, wherein the preset number is equal to the number of feature extraction layers.
Further, each layer of feature extraction layer includes at least one feature extraction unit, and when the vector dimension reduction module 420 is configured to input the initial feature vector as a current feature vector into the current feature extraction layer to obtain an intermediate feature vector, the vector dimension reduction module 420 is configured to:
for each feature extraction unit, multiplying each element included in the current feature vector by a weight coefficient corresponding to the feature extraction unit, and adding the obtained multiple products to obtain an intermediate feature value;
and combining the determined intermediate feature values in the order of their corresponding feature extraction units to obtain the intermediate feature vector.
Further, when the intrusion detection module 430 is configured to input the dimension-reduced feature vector into a trained intrusion detection model to obtain a detection result of network intrusion, the intrusion detection module 430 is configured to:
determining a preset neighborhood radius and a point threshold;
determining, for each element in the dimension-reduced feature vector, the number of elements within that element's neighborhood radius;
for each element, if the number of elements within its neighborhood radius is greater than or equal to the point threshold, determining the element as a core element, and forming a corresponding temporary cluster from the elements that are directly density-reachable from that element;
for the temporary clusters thus formed, merging the temporary clusters that share the same core element to obtain a plurality of clusters;
and determining the detection result of the network intrusion based on the label of each cluster.
The intrusion detection device based on feature fusion and density clustering provided by the embodiment of the application obtains an initial feature vector corresponding to a message to be detected; inputting the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector after dimension reduction; and inputting the dimensionality reduction feature vector into a trained intrusion detection model to obtain a detection result of network intrusion.
Therefore, the initial feature vector of the message to be detected is input into the feature extraction network and reduced in dimension to obtain the dimension-reduced feature vector, which is then input into the trained intrusion detection model to determine the detection result of network intrusion. In this way the intruded message can be located directly and the intrusion type determined, which reduces investigation time, improves the efficiency of network intrusion detection, and ensures network security effectively and in a timely manner.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 6, the electronic device 600 includes a processor 610, a memory 620, and a bus 630.
The memory 620 stores machine-readable instructions executable by the processor 610, when the electronic device 600 runs, the processor 610 communicates with the memory 620 through the bus 630, and when the machine-readable instructions are executed by the processor 610, the steps of the intrusion detection method based on feature fusion and density clustering in the embodiment of the method shown in fig. 1 and fig. 2 may be performed.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the intrusion detection method based on feature fusion and density clustering in the method embodiments shown in fig. 1 and fig. 2 may be executed.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that the above embodiments are only specific embodiments of the present application, used to illustrate its technical solutions rather than to limit them, and the protection scope of the present application is not limited thereto. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone skilled in the art may, within the technical scope disclosed in the present application, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the exemplary embodiments of the present application, and are intended to be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (6)

1. An intrusion detection method based on feature fusion and density clustering is characterized by comprising the following steps:
acquiring an initial characteristic vector corresponding to a message to be detected;
inputting the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector after dimension reduction;
inputting the dimensionality reduction feature vector into a trained intrusion detection model to obtain a detection result of network intrusion;
the feature extraction network comprises a plurality of feature extraction layers connected in sequence, and inputting the initial feature vector into the feature extraction network to obtain the dimension-reduced feature vector comprises the following steps:
according to the arrangement order of the multiple feature extraction layers, taking the first feature extraction layer as the current feature extraction layer;
inputting the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector;
according to the arrangement order, taking the feature extraction layer after the current feature extraction layer as the new current feature extraction layer, taking the intermediate feature vector as the current feature vector and inputting it into that layer, and continuing feature extraction until a preset number of extractions is reached, whereupon feature extraction stops and the dimension-reduced feature vector is obtained, wherein the preset number is equal to the number of feature extraction layers;
each feature extraction layer comprises at least one feature extraction unit, and inputting the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector comprises the following steps:
for each feature extraction unit, multiplying each element of the current feature vector by the weight coefficient corresponding to that feature extraction unit, and adding the resulting products to obtain an intermediate feature value;
combining the determined intermediate feature values in the order of their corresponding feature extraction units to obtain the intermediate feature vector;
inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a detection result of network intrusion comprises the following steps:
determining a preset neighborhood radius and a point threshold;
determining, for each element in the dimension-reduced feature vector, the number of elements within that element's neighborhood radius;
for each element, if the number of elements within its neighborhood radius is greater than or equal to the point threshold, determining the element as a core element, and forming a corresponding temporary cluster from the elements that are directly density-reachable from that element;
for the temporary clusters thus formed, merging the temporary clusters that share the same core element to obtain a plurality of clusters;
and determining the detection result of the network intrusion based on the label of each cluster.
2. The intrusion detection method according to claim 1, wherein the intrusion detection model is trained by:
obtaining a plurality of sample messages and a sample label corresponding to each sample message;
inputting the sample feature vector of each sample message into a feature extraction network to obtain a reduced-dimension sample vector;
for each sample message, inputting the corresponding dimension-reduced sample vector and the corresponding sample label into the constructed density clustering model to obtain a prediction label corresponding to the sample feature vector;
determining a deviation value between a prediction label of each sample message and a sample label of the sample message;
if the deviation value corresponding to the sample message is larger than a preset deviation threshold value, adjusting parameters in the density clustering model until the deviation value corresponding to each sample message is smaller than or equal to the preset deviation threshold value, determining that the density clustering model is trained, and determining the trained density clustering model as the trained intrusion detection model.
3. An intrusion detection device based on feature fusion and density clustering, characterized in that the intrusion detection device includes:
the vector acquisition module is used for acquiring an initial feature vector corresponding to the message to be detected;
the vector dimension reduction module is used for inputting the initial feature vector into a feature extraction network to obtain a dimension-reduced feature vector;
the intrusion detection module is used for inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a detection result of network intrusion;
the feature extraction network comprises a plurality of feature extraction layers connected in sequence, and when the vector dimension reduction module is used for inputting the initial feature vector into the feature extraction network to obtain the dimension-reduced feature vector, the vector dimension reduction module is used for:
according to the arrangement order of the multiple feature extraction layers, taking the first feature extraction layer as the current feature extraction layer;
inputting the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector;
according to the arrangement order, taking the feature extraction layer after the current feature extraction layer as the new current feature extraction layer, taking the intermediate feature vector as the current feature vector and inputting it into that layer, and continuing feature extraction until a preset number of extractions is reached, whereupon feature extraction stops and the dimension-reduced feature vector is obtained, wherein the preset number is equal to the number of feature extraction layers;
each feature extraction layer comprises at least one feature extraction unit, and when the vector dimension reduction module is used for inputting the initial feature vector, as the current feature vector, into the current feature extraction layer to obtain an intermediate feature vector, the vector dimension reduction module is used for:
for each feature extraction unit, multiplying each element of the current feature vector by the weight coefficient corresponding to that feature extraction unit, and adding the resulting products to obtain an intermediate feature value;
combining the determined intermediate feature values in the order of their corresponding feature extraction units to obtain the intermediate feature vector;
when the intrusion detection module is used for inputting the dimension-reduced feature vector into a trained intrusion detection model to obtain a detection result of network intrusion, the intrusion detection module is used for:
determining a preset neighborhood radius and a point threshold;
determining, for each element in the dimension-reduced feature vector, the number of elements within that element's neighborhood radius;
for each element, if the number of elements within its neighborhood radius is greater than or equal to the point threshold, determining the element as a core element, and forming a corresponding temporary cluster from the elements that are directly density-reachable from that element;
for the temporary clusters thus formed, merging the temporary clusters that share the same core element to obtain a plurality of clusters;
and determining the detection result of the network intrusion based on the label of each cluster.
4. The intrusion detection device of claim 3, further comprising a model training module configured to:
obtaining a plurality of sample messages and a sample label corresponding to each sample message;
inputting the sample feature vector of each sample message into a feature extraction network to obtain a reduced-dimension sample vector;
for each sample message, inputting the corresponding dimension-reduced sample vector and the corresponding sample label into the constructed density clustering model to obtain a prediction label corresponding to the sample feature vector;
determining a deviation value between a prediction label of each sample message and a sample label of the sample message;
if the deviation value corresponding to the sample message is larger than a preset deviation threshold value, adjusting parameters in the density clustering model until the deviation value corresponding to each sample message is smaller than or equal to the preset deviation threshold value, determining that the density clustering model is trained, and determining the trained density clustering model as the trained intrusion detection model.
5. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when an electronic device is running, the machine-readable instructions when executed by the processor performing the steps of the feature fusion and density clustering based intrusion detection method according to any one of claims 1 to 2.
6. A computer-readable storage medium, having stored thereon a computer program for performing, when being executed by a processor, the steps of the method for intrusion detection based on feature fusion and density clustering according to any one of claims 1 to 2.
CN202010911416.4A 2020-08-19 2020-09-02 Intrusion detection method and device based on feature fusion and density clustering Active CN111953712B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2020108380930 2020-08-19
CN202010838093 2020-08-19

Publications (2)

Publication Number Publication Date
CN111953712A (en) 2020-11-17
CN111953712B (en) 2022-03-29

Family

ID=73367229

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010911416.4A Active CN111953712B (en) 2020-08-19 2020-09-02 Intrusion detection method and device based on feature fusion and density clustering

Country Status (1)

Country Link
CN (1) CN111953712B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839059B (en) * 2021-02-22 2022-08-30 北京六方云信息技术有限公司 WEB intrusion detection self-adaptive alarm filtering processing method and device and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109446804A (en) * 2018-09-27 2019-03-08 桂林电子科技大学 A kind of intrusion detection method based on Analysis On Multi-scale Features connection convolutional neural networks
CN110572362A (en) * 2019-08-05 2019-12-13 北京邮电大学 network attack detection method and device for multiple types of unbalanced abnormal traffic
CN110717551A (en) * 2019-10-18 2020-01-21 中国电子信息产业集团有限公司第六研究所 Training method and device of flow identification model and electronic equipment
CN110881037A (en) * 2019-11-19 2020-03-13 北京工业大学 Network intrusion detection method and training method and device of model thereof, and server
CN111275165A (en) * 2020-01-16 2020-06-12 南京邮电大学 Network intrusion detection method based on improved convolutional neural network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170249547A1 (en) * 2016-02-26 2017-08-31 The Board Of Trustees Of The Leland Stanford Junior University Systems and Methods for Holistic Extraction of Features from Neural Networks
RU2701995C2 (en) * 2018-03-23 2019-10-02 Общество с ограниченной ответственностью "Аби Продакшн" Automatic determination of set of categories for document classification
US10965694B2 (en) * 2018-12-11 2021-03-30 Bank Of America Corporation Network security intrusion detection

Non-Patent Citations (13)

* Cited by examiner, † Cited by third party
Title
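Hybrid Intrusion Detection Method Based on K-Means and CNN for Smart Home; K. Liu, Z. Fan, M. Liu and S. Zhang; 《2018 IEEE 8th Annual International Conference on CYBER Technology in Automation, Control, and Intelligent Systems (CYBER)》; 20190411; entire document *
Intrusion Detection in IoT Systems Based on Deep Learning Using Convolutional Neural Network; P. V. Huong, L. D. Thuan, L. T. Hong Van and D. V. Hung; 《2019 6th NAFOSTED Conference on Information and Computer Science (NICS)》; 20200305; entire document *
PCKCI: Research on an intrusion detection clustering algorithm based on feature extraction; 高程 et al.; 《激光杂志》; 20151225 (No. 12); entire document *
An improved intrusion detection algorithm based on density clustering; 杨剑; 《微计算机信息》; 20090125 (No. 03); entire document *
Library document image retrieval using FDPC with region-correlation fused texture features; 余琨 et al.; 《西南师范大学学报(自然科学版)》; 20170720 (No. 07); entire document *
Intrusion detection based on CNN-ELM; 杨彦荣, 宋荣杰, 胡国强; 《计算机工程与设计》; 20191231; Vol. 40 (No. 12); entire document *
Design and implementation of a network intrusion detection model based on the GR-CNN algorithm; 池亚平 et al.; 《计算机应用与软件》; 20191212 (No. 12); entire document *
Research on an intrusion detection method based on an optimized self-organizing clustering neural network; 乔瑞; 《计算机与现代化》; 20051231 (No. 1); entire document *
Analysis and research of an image feature extraction model based on a hierarchical method; 黎明; 《中国优秀硕士学位论文全文数据库(电子期刊) 信息科技辑》; 20180215; entire document *
Anomaly detection method for industrial control networks based on machine learning; 邵俊杰 et al.; 《信息技术与网络安全》; 20190610 (No. 06); entire document *
Research and improvement of intrusion detection algorithms based on deep learning; 林子隆; 《中国优秀硕士学位论文全文数据库(电子期刊) 信息科技辑》; 20200630; entire document *
Fine-grained bird recognition based on cross-layer feature fusion of semantic information; 李国瑞 et al.; 《计算机应用与软件》; 20200412 (No. 04); entire document *
Research on automatic extraction of multi-layer sequence features in fuzzy network intrusion; 朱闻亚; 《现代电子技术》; 20170515 (No. 10); entire document *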

Also Published As

Publication number Publication date
CN111953712A (en) 2020-11-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant