CN112383516A - Graph neural network construction method and abnormal flow detection method based on graph neural network - Google Patents


Info

Publication number
CN112383516A
Authority
CN
China
Prior art keywords
data
graph
neural network
flow
nerve
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011184585.9A
Other languages
Chinese (zh)
Inventor
向鹏
李青山
孙圣力
司华友
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Boya Blockchain Research Institute Co ltd
Boya Chain Beijing Technology Co ltd
Peking University
Original Assignee
Nanjing Boya Blockchain Research Institute Co ltd
Boya Chain Beijing Technology Co ltd
Peking University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Boya Blockchain Research Institute Co ltd, Boya Chain Beijing Technology Co ltd, Peking University filed Critical Nanjing Boya Blockchain Research Institute Co ltd
Priority to CN202011184585.9A priority Critical patent/CN112383516A/en
Publication of CN112383516A publication Critical patent/CN112383516A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biophysics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a graph neural network construction method and an abnormal traffic detection method based on the graph neural network. The graph neural network construction method for abnormal traffic detection comprises the following steps: S10: acquiring the correlated and time-sequential features in the raw traffic data; S20: converting the features from step S10 into graph-structured data; S30: constructing a deep graph neural network model. The method deeply mines the correlated and time-sequential features in network traffic, constructs a graph neural network model, mines on that basis the correlations among the fields within network traffic message segments, and finally obtains, through pre-training, a model that classifies traffic data well. Unknown network traffic to be identified needs only simple session restoration before it can be quickly analyzed and judged by the trained model, so that possible anomalies in the traffic data are found quickly.

Description

Graph neural network construction method and abnormal flow detection method based on graph neural network
Technical Field
The invention relates to the technical field of network security, and in particular to a graph neural network construction method and an abnormal traffic detection method based on the graph neural network.
Background
With the rapid development of machine learning and the rapid rise of the artificial intelligence industry, the use of machine learning and deep learning for traffic anomaly detection has become a focus of attention in industry and academia. In the field of malicious traffic analysis, building abnormal-traffic models with machine learning methods to classify and detect traffic has gradually become a mainstream research direction in recent years. Traffic classification and detection models built on deep learning algorithms also perform well at traffic identification. Deep learning methods learn high-level semantic features from raw traffic data through a deep neural network; compared with a shallow model, a deep model does not depend heavily on feature engineering, has stronger expressive power, and can handle a variety of complex tasks. A further major advantage of deep learning is that features can be extracted automatically from the data, which avoids the insufficient expressive power of manually designed features. Some existing machine-learning-based abnormal-traffic models focus only on the temporal characteristics of the traffic and do not consider the relationships between the fields of the traffic itself.
Disclosure of Invention
In view of the above, the present invention provides a graph neural network construction method and an abnormal traffic detection method based on a graph neural network, so as to solve the problems in the prior art.
A first aspect of the present invention provides a graph neural network construction method, including:
S10: acquiring the correlated and time-sequential features in the raw traffic data;
S20: converting the features from step S10 into graph-structured data;
S30: constructing a deep graph neural network model.
Preferably, step S10 is preceded by step S00: processing the raw traffic data with a session restoration technique to form data whose basic unit is the session.
Preferably, the raw traffic data in step S00 is processed from two aspects: the time window and the session state.
Preferably, acquiring the correlated and time-sequential features in the raw traffic data in step S10 includes:
S101: acquiring the correlated features in the raw traffic data;
S102: acquiring the time-sequential features in the raw traffic data.
Preferably, the process of acquiring the correlated features in the raw traffic data comprises:
S1011: selecting the data relevant to traffic discrimination;
S1012: applying differentiated feature vectorization to the selected data according to the form in which the data is expressed.
Preferably, the process of acquiring the time-sequential features in the raw traffic data includes: handling data of different forms of expression separately, training a recurrent neural network on each, and learning the time-sequential features.
Preferably, a bidirectional GRU model is used to process the time-series data and can accept different types of data at the same time; the calculation formulas are as follows:
$$r_t = \sigma\left(W_r \cdot [h_{t-1},\ e_t \mid n_t \mid x_t]\right)$$
$$z_t = \sigma\left(W_z \cdot [h_{t-1},\ e_t \mid n_t \mid x_t]\right)$$
Figure BDA0002750159540000021
Figure BDA0002750159540000022
where $r_t$ and $z_t$ denote the reset gate and the update gate respectively; the quantity shown in Figure BDA0002750159540000023 memorizes the state at the current moment; $h_t$ belongs to the memory-update stage, in which the two steps of forgetting and memorizing are carried out; $e_t$ represents a first type of data input, $n_t$ a second type of data input, and $x_t$ a third type of data input.
Preferably, the graph neural network model comprises:
a graph convolution network, which aggregates each node's own features with its neighbors' features to obtain a new node representation;
a graph pooling network, which further filters the data; and
a fully connected layer, which joins all the features and passes the joined output values to the classifier so that the data can be classified.
Preferably, the graph convolution network comprises three graph convolution layers, and the graph pooling network comprises three pooling layers and a global pooling layer.
The invention provides an abnormal traffic detection method based on a graph neural network, which detects abnormal traffic using the deep graph neural network model.
The advantages and positive effects of the invention are as follows: the invention provides a graph neural network construction method and an abnormal traffic detection method based on the graph neural network.
Furthermore, in terms of data processing, the method preserves the temporal characteristics of the traffic data through the session restoration technique, fully considers the differences among the data in the traffic fields during feature vectorization, and uses diversified data processing to preserve the original characteristics of the data as far as possible.
Overall, by using a machine learning model, the method overcomes the limitation that traditional methods can detect only fixed, known types of malicious traffic attack; it can identify unknown malicious attack types and is extensible. In addition, it can learn deep-level correlations among the attribute fields of traffic message segments while attending to the importance of each field and retaining the information of the more prominent fields.
Drawings
FIG. 1 is a diagram of the process of constructing the graph neural network model provided by the present invention;
FIG. 2 is an example of feature field vectorization provided by the present invention;
FIG. 3 is an example of converting a session data unit into graph-structured data according to the present invention;
FIG. 4 is a diagram of the graph neural network model architecture provided by the present invention.
Detailed Description
For a better understanding of the present invention, reference is made to the following detailed description and accompanying drawings that illustrate the invention.
The invention provides a graph neural network construction method, which comprises the following steps:
S10: acquiring the correlated and time-sequential features in the raw traffic data;
S20: converting the features from step S10 into graph-structured data;
S30: constructing a deep graph neural network model.
The method deeply mines the correlated and time-sequential features in network traffic, constructs a graph neural network model, mines on that basis the correlations among the fields within network traffic message segments, and finally obtains, through pre-training, a model that classifies traffic data well. Unknown network traffic to be identified needs only simple session restoration before it can be quickly analyzed and judged by the trained model, so that possible anomalies in the traffic data are found quickly.
Further, in an embodiment of the present invention, step S10 is preceded by step S00: processing the raw traffic data with a session restoration technique to form data whose basic unit is the session.
Specifically, for the input traffic data, the traffic packets under each specific IP pair and specific port pair are processed in sequence, and the processing is carried out from two aspects: the time window and the session state.
For the time window, the time S of the first message to appear is taken as the start of the window. If a later message belonging to the session has a message time that does not exceed the window S + T, it is placed in that session unit. If its message time S' exceeds the window S + T, that is, a timeout occurs, the state statistics of the session are finalized immediately, the traffic content collected so far becomes the content of that session, and a new session is created starting with the current message, with S' as the start of the new session's time window.
For the session state, the flag field of each TCP message is taken out and used to drive a session state transition in a Finite State Acceptor (FSA). If the transition is legal, the data content corresponding to the message is extracted and stored; if the transition is illegal, the session statistics for the current IP pair and port pair are cancelled.
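The following sketch of step S00 is an added example, not code from the patent. It combines the S + T time window with a flag-driven acceptor; the transition table, the flag strings, the packet dictionary layout, the value of T, and the choice to reset the acceptor when a timeout opens a new session are all assumptions, since the patent does not list them.

```python
# Added illustration of step S00 (session restoration); not the patent's code.
# Assumed: packets are dicts with ts/src/sport/dst/dport/flags, flags are
# strings such as "S", "SA", "A", "PA", "FA", and T is 5 seconds.

WINDOW_T = 5.0

# Assumed, simplified TCP acceptor: (state, flags) -> next state.
TRANSITIONS = {
    ("NEW", "S"): "SYN_SENT",
    ("SYN_SENT", "SA"): "SYN_RCVD",
    ("SYN_RCVD", "A"): "ESTABLISHED",
    ("ESTABLISHED", "A"): "ESTABLISHED",
    ("ESTABLISHED", "PA"): "ESTABLISHED",
    ("ESTABLISHED", "FA"): "FIN_WAIT",
    ("FIN_WAIT", "A"): "FIN_WAIT",
    ("FIN_WAIT", "FA"): "CLOSING",
    ("CLOSING", "A"): "CLOSED",
}


def flow_key(pkt):
    """Direction-independent key for one IP pair and port pair."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return tuple(sorted((a, b)))


def restore_sessions(packets, window=WINDOW_T):
    """Return (sessions, cancelled_keys) for a list of packet dicts."""
    open_sessions = {}
    finished, cancelled = [], []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = flow_key(pkt)
        sess = open_sessions.get(key)
        # Time window: S' > S + T closes the session and opens a new one.
        if sess is not None and pkt["ts"] > sess["start"] + window:
            finished.append(sess)
            sess = None
        if sess is None:
            sess = {"key": key, "start": pkt["ts"],
                    "state": "NEW", "packets": []}
            open_sessions[key] = sess
        # Session state: feed the flag field to the acceptor.
        nxt = TRANSITIONS.get((sess["state"], pkt["flags"]))
        if nxt is None:
            # Illegal transition: drop the statistics for this flow.
            cancelled.append(key)
            del open_sessions[key]
            continue
        sess["state"] = nxt
        sess["packets"].append(pkt)
    finished.extend(open_sessions.values())
    finished.sort(key=lambda s: s["start"])
    return finished, cancelled


def _pkt(ts, src, sport, dst, dport, flags):
    return {"ts": ts, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


# Constructed sample traffic (documentation addresses, not real captures).
C1, C2, SRV = "192.0.2.5", "192.0.2.7", "192.0.2.9"
DEMO_PACKETS = [
    _pkt(0.0, C1, 40000, SRV, 443, "S"),
    _pkt(0.1, SRV, 443, C1, 40000, "SA"),
    _pkt(0.2, C1, 40000, SRV, 443, "A"),
    _pkt(0.5, C1, 40000, SRV, 443, "PA"),
    _pkt(1.0, C2, 40001, SRV, 443, "S"),
    _pkt(1.2, C2, 40001, SRV, 443, "PA"),   # illegal after a bare SYN
    _pkt(10.0, C1, 40000, SRV, 443, "S"),   # beyond S + T: new session
    _pkt(10.1, SRV, 443, C1, 40000, "SA"),
    _pkt(10.2, C1, 40000, SRV, 443, "A"),
]

if __name__ == "__main__":
    sessions, dropped = restore_sessions(DEMO_PACKETS)
    for s in sessions:
        print(s["start"], s["state"], len(s["packets"]))
    print("cancelled:", dropped)
```
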
Finally, all the required field contents extracted in each session unit are sorted in time order and output in a uniform, ordered data format; the result represents all the session content obtained by processing the raw traffic data. The common fields contained in the data packets of a session unit are shown in Table 1:
Table 1: Fields extracted from data messages in a session
Figure BDA0002750159540000051
Figure BDA0002750159540000061
After the fields required by the table above are extracted from the original data packets, they can be assembled into JSON format; part of the information for one example session is roughly as follows:
Figure BDA0002750159540000062
Figure BDA0002750159540000071
Figure BDA0002750159540000081
In the above embodiment, the required data is extracted from the original data packets of the traffic data by the session restoration technique.
Further, acquiring the correlated and time-sequential features in the raw traffic data in step S10 includes:
S101: acquiring the correlated features in the raw traffic data;
S102: acquiring the time-sequential features in the raw traffic data.
The method extracts features from the data in terms of both correlation and temporal order, and deeply mines the characteristics of the traffic data fields and the relationships between the fields.
Further, the process of acquiring the correlated features in the raw traffic data includes:
S1011: selecting the data relevant to traffic discrimination;
S1012: applying differentiated feature vectorization to the selected data according to the form in which the data is expressed.
Specifically, the feature fields contained in the session data unit are analyzed, the data relevant to traffic discrimination is selected as the input of the model, and feature vectorization is then applied to the selected fields of each data segment in the session data unit.
Only some of the fields are chosen as input because a single data segment rarely contains all of the fields shown in Table 1, and some fields have no particular value for traffic discrimination, so using every field as a graph-node input only increases overhead without any benefit. The specific steps are as follows:
As shown in FIG. 1, the fields selected by the present invention are divided into enumeration-type data, numerical-type data, and time-type data. When these data are feature-vectorized, different operations are applied according to their form of expression. Feature encoding has two stages:
In the first stage, the names of the selected fields are encoded. In a specific embodiment of the invention, 12 main fields are selected as the feature fields for input. The field names can be treated as enumeration-type data: the names of all fields to be fed into model training are treated as one enumeration set and embedded into an m-dimensional feature vector space by Word Embedding. Word Embedding reduces the dimensionality of the data, prevents the encoding vector from becoming too large when there are many classes, and to some extent expresses the relationships among variables of different classes; more importantly, it yields input data whose dimensions fit the neural network structure.
In the second stage, the contents of the fields are encoded according to their type. Enumeration-type data is also encoded by Word Embedding: the method looks at the field contents of all enumeration types and maps all of them uniformly into an n-dimensional space. Numerical-type data is used directly as a feature and, to keep the dimensions uniform, is padded with '0'. Time-type data is min-max normalized, so that every value belonging to the same session is mapped to the interval [0, 1]; it is then used as a feature and is likewise padded with '0' to keep the dimensions uniform.
The input feature vector of each field is obtained by encoding the field name and the field content. FIG. 2 shows an example for the content type (content_type) field of a data packet.
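The two encoding stages can be sketched as follows. This is an added example, not the patent's implementation: the embedding is a seeded lookup table standing in for a trained Word Embedding layer, m = 4 and n = 6 are arbitrary, the field name `length` and all sample values are constructed, and joining the name vector and content vector by concatenation is an assumption.

```python
# Added illustration of the two-stage field encoding; not the patent's code.
import random

M_DIM, N_DIM = 4, 6   # assumed sizes of the name and content spaces


class Embedding:
    """Lookup table standing in for a trainable Word Embedding layer."""

    def __init__(self, dim, seed):
        self.dim = dim
        self.rng = random.Random(seed)
        self.table = {}

    def __call__(self, token):
        if token not in self.table:
            self.table[token] = [round(self.rng.uniform(-1, 1), 3)
                                 for _ in range(self.dim)]
        return self.table[token]


def pad(values, dim):
    """Right-pad a short feature with zeros to the common dimension."""
    return list(values) + [0.0] * (dim - len(values))


def encode_session(session, field_types, name_emb, enum_emb, n_dim):
    """Encode every selected field of every message in one session."""
    # Min-max bounds for time fields are taken over this session only.
    bounds = {}
    for field, kind in field_types.items():
        if kind == "time":
            vals = [m[field] for m in session if field in m]
            if vals:
                bounds[field] = (min(vals), max(vals))
    encoded = []
    for msg in session:
        row = {}
        for field, kind in field_types.items():
            if field not in msg:
                continue
            value = msg[field]
            if kind == "enum":            # stage 2: embed the content
                content = enum_emb(value)
            elif kind == "num":           # stage 2: raw value, zero-padded
                content = pad([float(value)], n_dim)
            else:                         # stage 2: min-max, zero-padded
                lo, hi = bounds[field]
                scaled = 0.0 if hi == lo else (value - lo) / (hi - lo)
                content = pad([scaled], n_dim)
            # stage 1 (name embedding) joined with stage 2 (content)
            row[field] = name_emb(field) + content
        encoded.append(row)
    return encoded


# Constructed sample session; "length" is a hypothetical numeric field.
FIELD_TYPES = {"Ssl_time": "time", "content_type": "enum", "length": "num"}
DEMO_SESSION = [
    {"Ssl_time": 100.0, "content_type": "handshake", "length": 517},
    {"Ssl_time": 100.5, "content_type": "application_data", "length": 1400},
    {"Ssl_time": 102.0, "content_type": "handshake", "length": 64},
]

if __name__ == "__main__":
    rows = encode_session(DEMO_SESSION, FIELD_TYPES,
                          Embedding(M_DIM, 1), Embedding(N_DIM, 2), N_DIM)
    for r in rows:
        print(r["Ssl_time"])
```
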
Further, the process of acquiring the time-sequential features in the raw traffic data includes: handling data of different forms of expression separately, training a recurrent neural network on each, and learning the time-sequential features.
Specifically, the session is used as the basic unit of input data. The feature vector of the corresponding field of each data message segment is fed into a recurrent neural network for training, which learns the temporal relationships among the traffic data and captures more session-level features; the new feature vectors are then used as the respective features.
Specifically, the invention uses a bidirectional GRU model to process the time-series data. The calculation is expressed by the formulas below, so that it can accept enumeration-type, numerical-type, and time-type data in the session traffic at the same time:
$$r_t = \sigma\left(W_r \cdot [h_{t-1},\ e_t \mid n_t \mid x_t]\right)$$
$$z_t = \sigma\left(W_z \cdot [h_{t-1},\ e_t \mid n_t \mid x_t]\right)$$
Figure BDA0002750159540000101
Figure BDA0002750159540000102
where $r_t$ and $z_t$ denote the reset gate and the update gate respectively; the quantity shown in Figure BDA0002750159540000103 remembers the state at the current time, similar to the selective memory phase of LSTM; $h_t$ belongs to the memory-update stage, in which the two steps of forgetting and memorizing are carried out; $e_t$ represents enumeration-type data input, $n_t$ represents numerical-type data input, and $x_t$ represents time-type data input.
As shown in FIG. 1, at each time step the field data of a new traffic packet in the session is fed into the GRU model for training. The data in the traffic message is first separated into enumeration type, numerical type, and time type, and each is then fed into the GRU. After the GRU has processed all the data packets in the traffic session, the processed feature vector of each field in each traffic packet is obtained.
In the above embodiment, the traffic features are fully extracted through the session restoration technique, the traffic data fields are handled in a differentiated manner and feature-vectorized, and a deep recurrent neural network model is built on the temporal correlation of the traffic messages to update the feature vectors of the traffic message fields. The session restoration technique preserves the temporal characteristics of the traffic data, and feature vectorization fully considers the differences among the data in the traffic fields, using diversified data processing to preserve the original characteristics of the data as far as possible.
Further, the features from step S10 are converted into graph-structured data.
The sequence data, organized in units of sessions, is converted into graph-structured data. This step appears in FIG. 1 as the graph construction layer. To detect abnormal traffic with a graph neural network model, the traditional Euclidean-space data must be converted into non-Euclidean-space data; this involves selecting the nodes of the graph structure, connecting the edges, and determining the direction of the edges.
Specifically, the 'Ssl_time' field of a data message is taken as the representative node of that data message in the graph. This node is connected to the other fields of the same message and to the representative node of the next data message, so it can be regarded as a central node that links what comes before with what comes after. As shown in FIG. 3, the data message nodes represented by the 'Ssl_time' field are connected to one another by bidirectional edges, which takes the temporal relationship between data messages into account. In addition, the state of a data message node depends on the feature values of its own fields, so the node is connected to the other fields of its message by unidirectional edges, in order to update the state of the message node and to learn the relationship information and weight information among the fields.
Further, a deep graph neural network model is constructed.
Specifically, the graph data obtained in S20 is fed into the graph neural network model for classification and detection, and the model is used to obtain the correlations between the fields within each traffic packet. By contrast, other models simply concatenate the field vectors as the representation of a message segment and do not take into account the information implicit between fields. The invention constructs a directed graph from the sequentially encoded traffic data, thereby capturing deep-level relationships between fields while learning the weights between nodes.
Specifically, the graph neural network model includes:
a graph convolution network, which aggregates each node's own features with its neighbors' features to obtain a new node representation;
a graph pooling network, which further filters the data; and
a fully connected layer, which joins all the features and passes the joined output values to the classifier so that the data can be classified.
In one embodiment of the present invention, the graph convolution network includes three graph convolution layers, and the graph pooling network includes three pooling layers and a global pooling layer.
Specifically, the graph convolution network fully integrates the information of the nodes: a new node representation is obtained by aggregating each node's own features with its neighbors' features. Before the session data enters the graph neural network, the feature vector of each vertex is independent of the other fields and has learned only the sequence information of the data messages in the session; the relationships between the fields are learned through the graph convolution layers.
The first graph convolution layer aggregates information among the fields of each traffic message and recomputes a new feature vector at each vertex; building on the first layer, the second graph convolution layer exchanges information between adjacent messages, taking the temporal relationship between traffic messages into account; the third graph convolution layer widens the aggregation and effectively accumulates features across neighborhoods, that is, the relationship information between traffic messages.
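The graph construction around the 'Ssl_time' node and the reach of the three convolution layers can be checked with the sketch below, an added example that is not the patent's code. It builds the edge list in COO form and tracks, per node, which nodes can have contributed to it after k rounds of neighbor aggregation; pointing the one-way edges from field to message node is an assumed reading of the text, and the field `length` and the three-message session are constructed.

```python
# Added illustration of the session-to-graph step and of how far three
# rounds of neighbor aggregation reach; not the patent's code.


def build_session_graph(messages, rep_field="Ssl_time"):
    """Return (nodes, edge_index, rep_ids) for a list of message dicts.

    nodes      -- list of (message index, field name)
    edge_index -- (sources, targets) in COO form
    rep_ids    -- node id of each message's representative node
    """
    nodes, src, dst, rep_ids = [], [], [], []
    for i, fields in enumerate(messages):
        rep = len(nodes)
        nodes.append((i, rep_field))
        rep_ids.append(rep)
        for name in fields:
            if name == rep_field:
                continue
            fid = len(nodes)
            nodes.append((i, name))
            # One-way edge: a field updates its message node only.
            src.append(fid)
            dst.append(rep)
    # Two-way edges between consecutive message nodes (time order).
    for a, b in zip(rep_ids, rep_ids[1:]):
        src += [a, b]
        dst += [b, a]
    return nodes, (src, dst), rep_ids


def receptive_field(num_nodes, edge_index, layers):
    """Set of source nodes that can influence each node after `layers`
    rounds of 'self plus incoming neighbors' aggregation."""
    src, dst = edge_index
    seen = [{n} for n in range(num_nodes)]
    for _ in range(layers):
        nxt = [set(s) for s in seen]
        for s, d in zip(src, dst):
            nxt[d] |= seen[s]
        seen = nxt
    return seen


# Constructed three-message session; "length" is a hypothetical field.
DEMO_MESSAGES = [
    {"Ssl_time": 0.0, "content_type": "handshake", "length": 517},
    {"Ssl_time": 0.25, "content_type": "application_data", "length": 1400},
    {"Ssl_time": 1.0, "content_type": "handshake", "length": 64},
]

if __name__ == "__main__":
    nodes, edge_index, reps = build_session_graph(DEMO_MESSAGES)
    for k in (1, 2, 3):
        reach = receptive_field(len(nodes), edge_index, k)[reps[0]]
        print(k, sorted(nodes[n] for n in reach))
```

For the first message node, one round reaches its own fields and the adjacent message node, two rounds reach the adjacent message's fields, and three rounds cover the whole three-message session, while field nodes never receive anything because their edges are one-way.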
The graph pooling network has two main roles: first, it reduces the size of the feature matrix and so lowers the computational complexity of the network; second, it filters and compresses the features, extracting the main characteristics of the data from a matrix of a given size. The pooling layer further filters the output data, so that only the more effective data features are kept for the next computation.
The invention uses the TopKPooling pooling method, which shrinks the graph structure after each graph convolution layer, retains the useful nodes of the graph, and can also prevent overfitting. TopKPooling considers the topology information and the node information of the graph at the same time and adds attention to judge the weight of each node; it can effectively trim overlong session data and speeds up the model.
After each TopKPooling layer, the global pooling layer selects node information representing the whole graph as the input to the fully connected layer.
The fully connected layer mainly joins all the features and passes the joined output values to the classifier so that the data can be classified. In the fully connected layer the neural network no longer extracts features; it only combines all the previously extracted features non-linearly (for example, with an activation function), activates the neurons corresponding to the relevant features, and maps the previously learned "distributed features" into the sample label space.
In the invention, the outputs of the several global pooling layers are concatenated and mapped by a fully connected layer to a 2-dimensional space for classification, giving the final result.
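The pooling and readout path described above can be sketched in plain Python as follows. This is an added example, not the patent's model: it uses the commonly published top-k pooling formulation (project each node onto a learnable vector p, keep the highest-scoring fraction, gate the kept features by tanh of the score), a mean-plus-max global readout, fixed rather than trained projection vectors, and it omits the graph convolution between pooling stages; the node features and edges are constructed.

```python
# Added illustration of top-k graph pooling followed by global readouts
# that are concatenated for the classifier; not the patent's code.
import math


def topk_pool(x, edge_index, p, ratio):
    """Keep the ceil(ratio * N) best-scoring nodes and the edges between them.

    Assumes p is not the zero vector.
    """
    norm = math.sqrt(sum(w * w for w in p))
    scores = [sum(a * b for a, b in zip(row, p)) / norm for row in x]
    k = max(1, math.ceil(ratio * len(x)))
    ranked = sorted(range(len(x)), key=lambda i: -scores[i])
    keep = sorted(ranked[:k])
    remap = {old: new for new, old in enumerate(keep)}
    # Gate kept features by their score so p would receive gradients.
    gated = [[v * math.tanh(scores[i]) for v in x[i]] for i in keep]
    src, dst = edge_index
    kept = [(remap[s], remap[d]) for s, d in zip(src, dst)
            if s in remap and d in remap]
    new_edges = ([s for s, _ in kept], [d for _, d in kept])
    return gated, new_edges, keep


def global_readout(x):
    """Whole-graph summary: per-dimension mean followed by maximum."""
    dim = len(x[0])
    mean = [sum(r[j] for r in x) / len(x) for j in range(dim)]
    peak = [max(r[j] for r in x) for j in range(dim)]
    return mean + peak


def cascade_readouts(x, edge_index, projections, ratio):
    """Pool once per projection vector and concatenate every readout.

    Returns (vector for the fully connected layer, node count per stage).
    """
    vector, sizes = [], []
    for p in projections:
        x, edge_index, _ = topk_pool(x, edge_index, p, ratio)
        vector += global_readout(x)
        sizes.append(len(x))
    return vector, sizes


# Constructed node features (4 nodes, 2 dimensions) and edges.
DEMO_X = [[0.9, 0.1], [0.1, 0.5], [0.5, 0.2], [-0.3, 0.7]]
DEMO_EDGES = ([0, 1, 2, 0, 3], [1, 2, 0, 2, 0])
DEMO_P = [[1.0, 0.0], [1.0, 0.0], [1.0, 0.0]]  # fixed, not trained

if __name__ == "__main__":
    pooled, edges, keep = topk_pool(DEMO_X, DEMO_EDGES, DEMO_P[0], 0.5)
    print("kept nodes:", keep, "edges:", edges)
    vec, sizes = cascade_readouts(DEMO_X, DEMO_EDGES, DEMO_P, 0.5)
    print("stage sizes:", sizes, "classifier input length:", len(vec))
```
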
An abnormal traffic detection method based on a graph neural network detects abnormal traffic using the deep graph neural network model. In the invention, unknown network traffic to be identified needs only simple session restoration before it can be quickly analyzed and judged by the trained model, so that possible anomalies in the traffic data are found quickly.
The invention deeply mines the correlated and time-sequential features in network traffic and, on that basis, mines the correlations among the fields within network traffic message segments. A model that classifies traffic data well is finally obtained through pre-training.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions and scope of the present invention as defined in the appended claims.

Claims (10)

1. A graph neural network construction method, characterized in that the method comprises the following steps:
S10: acquiring the correlated and time-sequential features in the raw traffic data;
S20: converting the features from step S10 into graph-structured data;
S30: constructing a deep graph neural network model.
2. The graph neural network construction method according to claim 1, wherein step S10 is preceded by step S00: processing the raw traffic data with a session restoration technique to form data whose basic unit is the session.
3. The graph neural network construction method according to claim 2, wherein the raw traffic data in step S00 is processed from two aspects: the time window and the session state.
4. The graph neural network construction method according to claim 1, wherein acquiring the correlated and time-sequential features in the raw traffic data in step S10 includes:
S101: acquiring the correlated features in the raw traffic data;
S102: acquiring the time-sequential features in the raw traffic data.
5. The graph neural network construction method according to claim 4, wherein the process of acquiring the correlated features in the raw traffic data comprises the following steps:
S1011: selecting the data relevant to traffic discrimination;
S1012: applying differentiated feature vectorization to the selected data according to the form in which the data is expressed.
6. The graph neural network construction method according to claim 4 or 5, wherein the process of acquiring the time-sequential features in the raw traffic data comprises: handling data of different forms of expression separately, training a recurrent neural network on each, and learning the time-sequential features.
7. The graph neural network construction method according to claim 6, wherein a bidirectional GRU model is used to process the time-series data and can accept different types of data at the same time, and the calculation formulas are as follows:
$$r_t = \sigma\left(W_r \cdot [h_{t-1},\ e_t \mid n_t \mid x_t]\right)$$
$$z_t = \sigma\left(W_z \cdot [h_{t-1},\ e_t \mid n_t \mid x_t]\right)$$
Figure FDA0002750159530000021
Figure FDA0002750159530000022
where $r_t$ and $z_t$ denote the reset gate and the update gate respectively; the quantity shown in Figure FDA0002750159530000023 memorizes the state at the current moment; $h_t$ belongs to the memory-update stage, in which the two steps of forgetting and memorizing are carried out; $e_t$ represents a first type of data input, $n_t$ a second type of data input, and $x_t$ a third type of data input.
8. The graph neural network construction method according to claim 1, wherein the graph neural network model comprises:
a graph convolution network for aggregating the features of each node with the features of its neighbors to obtain a new node representation;
a graph pooling network for further filtering of data; and
a fully connected layer for connecting all the features and delivering the connected output values to the classifier so as to classify the data.
9. The graph neural network construction method according to claim 8, wherein the graph convolution network comprises three graph convolution layers, and the graph pooling network comprises three pooling layers and a global pooling layer.
10. An abnormal flow detection method based on a graph neural network, wherein the detection of abnormal traffic is performed by the deep graph neural network model of any one of claims 1 to 8.
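The bidirectional GRU of claim 7, as an added example that is not code from the patent: each step concatenates three input groups as e_t | n_t | x_t in front of the reset and update gates. The candidate-state and state-update formulas survive on this page only as figure references, so the standard GRU forms are assumed here; the weights, the hidden width and the three-packet flow are constructed.

```python
import math, random

def sigmoid(v):
    return [1.0 / (1.0 + math.exp(-a)) for a in v]

def matvec(W, v):
    return [sum(w * a for w, a in zip(row, v)) for row in W]

def init_weights(hidden, in_dim, rng):
    # One matrix per gate, each acting on [h_{t-1}, e_t|n_t|x_t]; no bias, as in the claim.
    def mat():
        return [[rng.uniform(-0.5, 0.5) for _ in range(hidden + in_dim)] for _ in range(hidden)]
    return {"Wr": mat(), "Wz": mat(), "Wh": mat()}

def gru_step(p, h_prev, e_t, n_t, x_t):
    u = e_t + n_t + x_t                        # e_t | n_t | x_t: the three input types, concatenated
    r = sigmoid(matvec(p["Wr"], h_prev + u))   # reset gate r_t
    z = sigmoid(matvec(p["Wz"], h_prev + u))   # update gate z_t
    gated = [ri * hi for ri, hi in zip(r, h_prev)]
    cand = [math.tanh(a) for a in matvec(p["Wh"], gated + u)]                # assumed: standard candidate state
    return [(1 - zi) * hi + zi * ci for zi, hi, ci in zip(z, h_prev, cand)]  # assumed: standard update

def run_direction(p, seq, hidden):
    h, states = [0.0] * hidden, []
    for e_t, n_t, x_t in seq:
        h = gru_step(p, h, e_t, n_t, x_t)
        states.append(h)
    return states

def bidirectional_gru(p_fwd, p_bwd, seq, hidden):
    # Per-step output is [forward state ; backward state], so every step sees past and future.
    fwd = run_direction(p_fwd, seq, hidden)
    bwd = run_direction(p_bwd, seq[::-1], hidden)[::-1]
    return [f + b for f, b in zip(fwd, bwd)]

# Constructed sample: one flow of three steps, each with three 2-dimensional feature groups.
HIDDEN = 4
rng = random.Random(7)
P_FWD = init_weights(HIDDEN, 6, rng)
P_BWD = init_weights(HIDDEN, 6, rng)
FLOW = [
    ([1.0, 0.0], [0.06, 0.00], [1.0, 0.0]),
    ([0.0, 1.0], [0.15, 0.02], [0.0, 1.0]),
    ([1.0, 0.0], [0.90, 0.01], [0.0, 1.0]),
]

if __name__ == "__main__":
    for t, state in enumerate(bidirectional_gru(P_FWD, P_BWD, FLOW, HIDDEN)):
        print(t, [round(v, 4) for v in state])
```

Changing only the last step of the flow leaves the forward half of the first step's output untouched and alters its backward half, which is the information a one-directional GRU would not carry.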
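A forward pass through the model shape of claims 8 and 9 (three graph convolution layers, three pooling layers, a global pooling layer, then a fully connected layer and classifier), as an added example that is not code from the patent. The claims do not name the aggregation or pooling operators, so mean aggregation with a self-loop and top-k score pooling are assumptions; the graph, features and weights are constructed.

```python
import math, random

def gcn_layer(X, nbrs, W):
    # Average each node's features with its neighbours' (self-loop included),
    # then apply a linear map and ReLU to get the new node representation.
    out = []
    for i, x in enumerate(X):
        group = [i] + nbrs[i]
        agg = [sum(X[j][k] for j in group) / len(group) for k in range(len(x))]
        out.append([max(0.0, sum(w * a for w, a in zip(row, agg))) for row in W])
    return out

def topk_pool(X, nbrs, p, ratio=0.5):
    # Assumed pooling operator: score nodes by projection onto p, keep the top
    # `ratio` of them, gate kept features by tanh(score), keep edges among survivors.
    norm = math.sqrt(sum(a * a for a in p))
    score = [sum(a * b for a, b in zip(x, p)) / norm for x in X]
    k = max(1, math.ceil(ratio * len(X)))
    keep = sorted(range(len(X)), key=lambda i: -score[i])[:k]
    new_id = {old: new for new, old in enumerate(keep)}
    Xp = [[v * math.tanh(score[i]) for v in X[i]] for i in keep]
    Np = [[new_id[j] for j in nbrs[i] if j in new_id] for i in keep]
    return Xp, Np

def forward(X, nbrs, params):
    sizes = [len(X)]
    for W, p in params["blocks"]:               # three conv + pooling stages (claim 9)
        X = gcn_layer(X, nbrs, W)
        X, nbrs = topk_pool(X, nbrs, p)
        sizes.append(len(X))
    g = [sum(col) / len(X) for col in zip(*X)]  # global pooling: mean over remaining nodes
    logits = [sum(w * a for w, a in zip(row, g)) for row in params["fc"]]
    m = max(logits)
    e = [math.exp(l - m) for l in logits]
    return [v / sum(e) for v in e], sizes       # softmax over (normal, abnormal)

# Constructed sample: 8-node ring with two chords, 3 features per node, hidden width 4.
rng = random.Random(11)
def rand_mat(rows, cols):
    return [[rng.uniform(-1, 1) for _ in range(cols)] for _ in range(rows)]
NBRS = [[1, 7, 4], [0, 2], [1, 3, 6], [2, 4], [3, 5, 0], [4, 6], [5, 7, 2], [6, 0]]
FEATS = rand_mat(8, 3)
PARAMS = {"blocks": [(rand_mat(4, 3), rand_mat(1, 4)[0]),
                     (rand_mat(4, 4), rand_mat(1, 4)[0]),
                     (rand_mat(4, 4), rand_mat(1, 4)[0])],
          "fc": rand_mat(2, 4)}
PROBS, SIZES = forward(FEATS, NBRS, PARAMS)
```

With a pooling ratio of 0.5 the node count shrinks 8, 4, 2, 1 across the three stages before the global pooling step collapses what remains into one graph-level vector.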
CN202011184585.9A 2020-10-29 2020-10-29 Graph neural network construction method and abnormal flow detection method based on graph neural network Pending CN112383516A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011184585.9A CN112383516A (en) 2020-10-29 2020-10-29 Graph neural network construction method and abnormal flow detection method based on graph neural network

Publications (1)

Publication Number Publication Date
CN112383516A true CN112383516A (en) 2021-02-19

Family

ID=74577525

Country Status (1)

Country Link
CN (1) CN112383516A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210219
