CN116186503A - Industrial control system-oriented malicious flow detection method and device and computer storage medium - Google Patents
- Publication number
- CN116186503A (application number CN202211546950.5A)
- Authority
- CN
- China
- Prior art keywords
- flow
- control system
- industrial control
- characteristic
- grouping
- Prior art date
- Legal status
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention provides a K-means-based feature enhancement method for malicious traffic detection in industrial control systems. The method analyzes the degree of deviation of the mean, variance and skewness of the labeled traffic features of the industrial control system, calculates feature grouping coefficients in combination with the quartiles of the statistical variables of the labeled traffic features, and groups the original traffic features according to the feature grouping coefficients. The original traffic features of the different groups are then clustered to generate cluster features, which are used as the input data of a detection model. By grouping, screening and clustering the original traffic features according to their labels, the method generates diverse cluster features and addresses the problem that traditional feature enhancement methods struggle to describe the difference between normal and malicious traffic in industrial control systems.
Description
Technical Field
The invention relates to the field of malicious traffic detection, in particular to a method and a device for detecting malicious traffic for an industrial control system and a computer storage medium.
Background
Model-based malicious traffic detection trains a detection model on historical traffic samples and established rules in order to distinguish normal traffic from malicious traffic. In an industrial control system, however, few malicious traffic samples are available from the running system and the feature difference between malicious and normal traffic is not obvious, so traditional detection models overfit and have a low detection rate, and new and unknown network traffic attacks against real industrial control systems are difficult to detect. Network traffic features in industrial control systems are also high-dimensional and strongly correlated, so training a malicious traffic detection model is costly in time and the detection rate is low. Processing the original traffic features is therefore necessary, and the common feature processing approaches are feature selection and feature extraction. Patent CN112910866B proposes a feature selection method for network intrusion detection that first screens features according to the correlation between them and then selects the main features with a random forest and a genetic algorithm as the input data of the detection model. Patent CN113254925A proposes a network intrusion detection system based on PCA and SVM that uses principal component analysis (PCA) to extract mutually uncorrelated principal features from the original data, removing the correlation between features while reducing the feature dimension and avoiding the input of redundant features.
Although feature selection and feature extraction can reduce the feature dimension and eliminate or reduce the correlation between features, they only screen and transform the original features and therefore hardly increase feature diversity, so their improvement of the accuracy of malicious traffic detection in industrial control systems is not significant.
Feature enhancement is an emerging feature processing approach. Its key difference from feature extraction and feature selection is that it mines or generates new features from the existing ones, enriching the description of the features; the new features are used as input data of the detection model to improve its accuracy.
Clustering-based feature enhancement algorithms use clustering results or distances to increase feature diversity, but they ignore the feature differences between different labels (normal traffic and malicious traffic) and cannot handle data sets whose feature differences are not obvious, so they are difficult to apply to small-sample malicious traffic detection.
Disclosure of Invention
The invention aims to provide a malicious traffic detection method and device for industrial control systems and a computer storage medium, which generate diverse cluster features by grouping, screening and clustering the original traffic features according to labels, thereby addressing the problem that traditional feature enhancement methods struggle to describe the difference between normal and malicious traffic.
In order to achieve the above object, in a first aspect of the present invention, a malicious traffic detection method for an industrial control system is provided, where the method includes:
S1, analyzing the degree of deviation of the mean, variance and skewness of the labeled traffic features, calculating feature grouping coefficients in combination with the quartiles of the statistical variables of the labeled traffic features, and grouping the original traffic features according to the feature grouping coefficients;
S2, clustering the original traffic features of the different groups to generate cluster features, which are used as the input data of a detection model;
S3, analyzing the improvement in detection rate and false alarm rate.
The traffic includes normal traffic and malicious traffic.
Further, the specific step of S1 includes:
S101, let  represent the j-th feature of the i-th flow, where $l = 1, 2, \ldots, L$ is the flow label type, $i = 1, 2, \ldots, M$ is the flow number and $j = 1, 2, \ldots, N$ is the feature number; let $F$ represent the original flow features, $F = \{f_1, f_2, \ldots, f_N\}$;
S102, calculating a triplet for the flow features of each label, the triplet comprising the mean, the variance and the skewness;
S103, computing the standard deviation of the triplets and, according to the quartiles $q_{j,t}$ of the flow features, $q_{j,t} = [q_{j,1}, q_{j,2}, q_{j,3}]$, calculating the feature grouping coefficient $g_j$;
S104, obtaining the final grouping of the original flow features $F$ according to the feature grouping coefficient $g_j$, where $F = [F_1, F_2, \ldots, F_g]$.
Further, the grouping coefficient $g_j$ is calculated as follows:
where $t \in \{1, 2, 3\}$, with 1 representing the mean coefficient, 2 the variance coefficient and 3 the skewness coefficient; $std_{j,t}$ represents the standard deviation of the t-th tuple element of the j-th feature; $g_{j,t}$ represents the grouping coefficient of the j-th feature and the t-th tuple element;
the calculated grouping coefficient $g_j$ takes a value from 0 to 3, and $T$ represents the number of components.
Further, S2 is implemented with the K-means algorithm: let $k = 1, 2, \ldots, K$, where $K$ represents the number of clusters, and  represents the k-th cluster center of the feature group $g$;
the optimization process of the k-means algorithm is as follows:
wherein the method comprises the steps ofRepresentation feature->To the cluster center->J represents the loss function.
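The following added example (not part of the patent text) implements steps S1 and S2 on a small constructed data set. The grouping-coefficient formula is not reproduced on this page, so three things are assumptions: the rule that $g_{j,t}$ is 1 when $std_{j,t}$ exceeds the upper quartile of that statistic across all features, the use of distances to the cluster centers as the generated features, and all function names and sample values.

```python
import math
import random
import statistics


def triplet(values):
    """Return (mean, variance, skewness) of one feature within one label."""
    mean = statistics.fmean(values)
    var = statistics.pvariance(values, mean)
    if var == 0:
        return mean, 0.0, 0.0
    skew = sum((v - mean) ** 3 for v in values) / len(values) / var ** 1.5
    return mean, var, skew


def grouping_coefficients(X, y):
    """S1: one grouping coefficient g_j in 0..3 per feature column of X."""
    labels = sorted(set(y))
    n_feat = len(X[0])
    std = []  # std[j][t]: spread across labels of statistic t of feature j
    for j in range(n_feat):
        trips = []
        for label in labels:
            trips.append(triplet([row[j] for row, lab in zip(X, y) if lab == label]))
        std.append([statistics.pstdev([tr[t] for tr in trips]) for t in range(3)])
    g = [0] * n_feat
    for t in range(3):  # 0 = mean, 1 = variance, 2 = skewness
        column = [std[j][t] for j in range(n_feat)]
        q3 = statistics.quantiles(column, n=4, method="inclusive")[2]
        for j in range(n_feat):
            # ASSUMPTION: g_{j,t} = 1 when std_{j,t} is above the upper quartile.
            if column[j] > q3:
                g[j] += 1
    return g


def kmeans(points, k, iters=50, seed=0):
    """Plain Lloyd's K-means; returns the k cluster centers."""
    centers = random.Random(seed).sample(points, k)
    for _ in range(iters):
        buckets = [[] for _ in range(k)]
        for p in points:
            nearest = min(range(k), key=lambda c: math.dist(p, centers[c]))
            buckets[nearest].append(p)
        new = [tuple(statistics.fmean(dim) for dim in zip(*b)) if b else centers[i]
               for i, b in enumerate(buckets)]
        if new == centers:
            break
        centers = new
    return centers


def enhance(X, y, k=2):
    """S1 + S2: group features by g_j, cluster each group, emit cluster features."""
    g = grouping_coefficients(X, y)
    groups = {}
    for j, gj in enumerate(g):
        groups.setdefault(gj, []).append(j)
    features = [[] for _ in X]
    for gj in sorted(groups):
        sub = [tuple(row[j] for j in groups[gj]) for row in X]
        centers = kmeans(sub, k)
        for i, p in enumerate(sub):
            # ASSUMPTION: the generated features are distances to each center.
            features[i].extend(math.dist(p, c) for c in centers)
    return g, groups, features


def constructed_sample(seed=7):
    """Constructed data: 40 normal flows, 8 malicious flows, 6 scaled features.
    Only feature 0 separates the labels; features 1-5 are noise."""
    rng = random.Random(seed)
    X, y = [], []
    for label, count in ((0, 40), (1, 8)):
        for _ in range(count):
            f0 = rng.uniform(0.0, 0.2) if label == 0 else rng.uniform(0.8, 1.0)
            X.append([f0] + [rng.uniform(0.4, 0.6) for _ in range(5)])
            y.append(label)
    return X, y


if __name__ == "__main__":
    X, y = constructed_sample()
    g, groups, features = enhance(X, y, k=2)
    print("grouping coefficients:", g)
    print("feature groups:", groups)
    print("generated feature width:", len(features[0]))
```

The generated features would then be fed to the detection model in place of, or alongside, the original features.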
In a second aspect of the present invention, there is provided a K-means-based industrial control system malicious traffic detection feature enhancement device, the device comprising:
the grouping module is used for analyzing the degree of deviation of the mean, variance and skewness of the labeled traffic features, calculating feature grouping coefficients in combination with the quartiles of the statistical variables of the labeled traffic features, and grouping the original traffic features according to the feature grouping coefficients;
and the clustering module is used for clustering the original flow characteristics of different groups to generate clustering characteristics.
Further, the original flow features are $F = [F_1, F_2, \ldots, F_g]$, and the clustering module is specifically configured to obtain the clustering results of the different original flow feature groups as input data of a detection model.
In a third aspect the invention provides a computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
In a fourth aspect the present invention provides a computer readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor realizes the steps of the method of any of claims 1 to 6.
The beneficial technical effects of the invention are at least as follows:
(1) The method can enhance the difference between traffic feature groups: the invention designs a K-means-based feature enhancement method for malicious traffic detection in industrial control systems, which addresses the problem that feature differences are not obvious because traditional feature enhancement methods ignore the feature differences between traffic of different labels.
Drawings
The invention will be further described with reference to the accompanying drawings, in which embodiments do not constitute any limitation of the invention, and other drawings can be obtained by one of ordinary skill in the art without inventive effort from the following drawings.
FIG. 1 is a diagram of an enhancement method of malicious flow detection characteristics of an industrial control system based on K-means.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the invention.
In one embodiment:
As shown in FIG. 1, the invention discloses a K-means-based feature enhancement method for malicious traffic detection in industrial control systems. The specific implementation process is as follows:
S101, taking the KDD Cup 1999 traffic data set as the base test data, removing duplicate records and encoding the discrete features to obtain 39 valid features.
S102, splitting the data into a training set and a test set at a ratio of 7:3, then randomly sampling 10% of the malicious traffic in the training set to construct a training data set for small-sample malicious traffic detection, which is used to test the effect of the proposed method on small-sample malicious traffic detection; the constructed data set is shown in Table 1.
Table 1 malicious flow detection data set of small sample industrial control system constructed based on KDD Cup 1999 data set
S103, setting the number of clusters to 30 and obtaining generated features from the traffic features with both the traditional k-means algorithm and the feature enhancement method proposed herein.
S104, calculating the Euclidean distance between malicious and normal traffic samples on the original features and on the generated features, and analyzing the effect of feature enhancement.
TABLE 2 Euclidean distance of malicious traffic from normal traffic
S105, according to the results in Table 2, compared with the original data, the Euclidean distance between malicious and normal traffic is reduced to varying degrees for every class except U2R after the k-means clustering algorithm is applied; compared with the original data, the Euclidean distances for DOS and PROBE are reduced by 0.121 and 0.075, and those for R2L and U2R are increased by 0.012 and 0.126 respectively. It can be seen that, for R2L (58) and U2R (4), which have fewer samples, the feature enhancement method increases the difference between features compared with the K-means algorithm, increasing the Euclidean distance between malicious and normal traffic samples.
S106, constructing a three-layer neural network detection model (ANN) with the number of neurons in the three layers set to 50, 30 and 10; the generated features are input into the neural network model to train the model parameters, detection is performed on the test set data, and the improvement that the feature enhancement method brings to the detection rate and false alarm rate of the malicious traffic detection model is analyzed.
TABLE 3 malicious traffic detection results
S107, as can be seen from Table 3, after the k-means method is applied the malicious traffic detection rate is reduced by 0.53% and the false alarm rate is raised by 0.01%; after the feature enhancement method is applied, the detection rate of the ANN model is raised by 3.01% and the false alarm rate remains unchanged. The feature enhancement method provided by the invention can therefore effectively improve the malicious traffic detection rate for small-sample malicious traffic detection while the false alarm rate stays unchanged.
In one embodiment, a K-means-based industrial control system malicious traffic detection feature enhancement device, the device comprising:
the grouping module is used for grouping the original flow characteristics;
and the clustering module is used for generating features by clustering the original traffic features.
The grouping of the original flow features is $F = [F_1, F_2, \ldots, F_g]$, and the clustering module is specifically configured to obtain the clustering results of the different original flow feature groups as input data of a detection model.
In an embodiment, a computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
In an embodiment, a computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The solutions in the embodiments of the present application may be implemented in various computer languages, for example, the object-oriented programming language Java and the interpreted scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.
Claims (9)
1. The method for detecting malicious traffic oriented to the industrial control system is characterized by comprising the following steps:
S1, analyzing the degree of deviation of the mean, variance and skewness of the labeled traffic features of an industrial control system, calculating feature grouping coefficients in combination with the quartiles of the statistical variables of the labeled traffic features, and grouping the original traffic features according to the feature grouping coefficients;
S2, clustering the original traffic features of the different groups to generate cluster features, which are used as the input data of a detection model;
S3, analyzing the improvement in detection rate and false alarm rate.
The traffic includes normal traffic and malicious traffic.
2. The method for detecting malicious traffic towards an industrial control system according to claim 1, wherein the specific step of S1 includes:
S101, let  represent the j-th feature of the i-th flow, where $l = 1, 2, \ldots, L$ is the flow label type, $i = 1, 2, \ldots, M$ is the flow number and $j = 1, 2, \ldots, N$ is the feature number; let $F$ represent the original flow features, $F = \{f_1, f_2, \ldots, f_N\}$;
S102, calculating a triplet for the flow features of each label, the triplet comprising the mean, the variance and the skewness;
S103, computing the standard deviation of the triplets and, according to the quartiles $q_{j,t}$ of the flow features, $q_{j,t} = [q_{j,1}, q_{j,2}, q_{j,3}]$, calculating the feature grouping coefficient $g_j$;
S104, obtaining the final grouping of the original flow features $F$ according to the feature grouping coefficient $g_j$, where $F = [F_1, F_2, \ldots, F_g]$.
4. The method for detecting malicious traffic towards an industrial control system according to claim 3, wherein the grouping coefficient $g_j$ is calculated as follows:
$std_{j,t} = [std_{j,1}, std_{j,2}, std_{j,3}]$ (4)
where $t \in \{1, 2, 3\}$, with 1 representing the mean coefficient, 2 the variance coefficient and 3 the skewness coefficient; $std_{j,t}$ represents the standard deviation of the t-th tuple element of the j-th feature; $g_{j,t}$ represents the grouping coefficient of the j-th feature and the t-th tuple element;
5. The method for detecting malicious traffic towards an industrial control system according to claim 1, wherein S2 is implemented with the K-means algorithm: let $k = 1, 2, \ldots, K$, where $K$ represents the number of clusters, and  represents the k-th cluster center of the feature group $g$;
the optimization process of the k-means algorithm is as follows:
6. A malicious traffic detection device for an industrial control system, the device comprising:
the grouping module is used for analyzing the deviation degree of the mean value, the variance and the skewness of the label flow characteristics of the industrial control system, calculating characteristic grouping coefficients by combining the quartiles of the label flow characteristic statistical variables, and grouping the original flow characteristics according to the characteristic grouping coefficients;
and the clustering module is used for clustering the original flow characteristics of different groups to generate clustering characteristics.
7. The industrial control system-oriented malicious flow detection device according to claim 7, wherein the original flow features are $F = [F_1, F_2, \ldots, F_g]$, and the clustering module is specifically configured to obtain the clustering results of the different original flow feature groups as input data of a detection model.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211546950.5A CN116186503A (en) | 2022-12-05 | 2022-12-05 | Industrial control system-oriented malicious flow detection method and device and computer storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116186503A (en) | 2023-05-30 |
Family
ID=86444978
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140321448A1 (en) * | 2013-04-30 | 2014-10-30 | Seven Networks, Inc. | Detection and reporting of keepalive messages for optimization of keepalive traffic in a mobile network |
WO2018178028A1 (en) * | 2017-03-28 | 2018-10-04 | British Telecommunications Public Limited Company | Initialisation vector identification for encrypted malware traffic detection |
US20180332058A1 (en) * | 2017-05-09 | 2018-11-15 | Aol Inc. | Systems and methods for network traffic analysis |
CN108985361A (en) * | 2018-07-02 | 2018-12-11 | 北京金睛云华科技有限公司 | A kind of malicious traffic stream detection implementation method and device based on deep learning |
CN110572382A (en) * | 2019-09-02 | 2019-12-13 | 西安电子科技大学 | Malicious flow detection method based on SMOTE algorithm and ensemble learning |
US20200410398A1 (en) * | 2018-03-23 | 2020-12-31 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods and Devices for Chunk Based IoT Service Inspection |
CN112911627A (en) * | 2019-11-19 | 2021-06-04 | 中国电信股份有限公司 | Wireless network performance detection method, device and storage medium |
CN112989710A (en) * | 2021-04-22 | 2021-06-18 | 苏州联电能源发展有限公司 | Industrial control sensor numerical value abnormity detection method and device |
CN114443338A (en) * | 2022-01-28 | 2022-05-06 | 北京轩宇空间科技有限公司 | Sparse negative sample-oriented anomaly detection method, model construction method and device |
CN115051863A (en) * | 2022-06-21 | 2022-09-13 | 四维创智(北京)科技发展有限公司 | Abnormal flow detection method and device, electronic equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||