CN102324007A - Anomaly detection method based on data mining - Google Patents

Anomaly detection method based on data mining

Info

Publication number
CN102324007A
CN102324007A, CN201110283015A
Authority
CN
China
Prior art keywords
training
observational variable
weak classifier
matrix
separation matrix
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201110283015A
Other languages
Chinese (zh)
Other versions
CN102324007B (en)
Inventor
唐朝伟
时豪
严鸣
张雪臻
李超群
杨磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University
Original Assignee
Chongqing University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University filed Critical Chongqing University
Priority to CN201110283015XA priority Critical patent/CN102324007B/en
Publication of CN102324007A publication Critical patent/CN102324007A/en
Application granted granted Critical
Publication of CN102324007B publication Critical patent/CN102324007B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Complex Calculations (AREA)

Abstract

The invention discloses an anomaly detection method based on data mining, belonging to the field of network security technology. The method first performs feature extraction with the Fast-ICA algorithm, based on independent component analysis, together with the AdaBoost method, eliminating redundant attributes and reducing the data dimension. The AdaBoost method then trains a group of weak classifiers in sequence and combines them into a strong classifier. The invention effectively removes redundant attribute information from the network data, reduces the computational cost of classifier training and detection, improves detection accuracy, and lowers the probability of false positives and false negatives.

Description

Anomaly detection method based on data mining
Technical field
The present invention relates to computer anomaly detection methods, and in particular to an anomaly detection method based on data mining.
Background art
Intrusion detection is the detection of attacks against a computer system, providing real-time protection against internal attacks, external attacks, and misoperation. To accurately identify the attack type, an intrusion detection system collects relevant data from several key points in the network system, such as log files on the local computer system, and analyzes these data to determine whether behavior violating the security policy has occurred, or whether there are signs that the local computer system or the computer network system is under attack. Intrusion detection can monitor and analyze the activity of users and of the system, check the system configuration for security vulnerabilities, evaluate the integrity of critical system resources and data files, recognize known attack patterns, detect abuse by users, collect statistics on and analyze abnormal behavior, and maintain system logs; in other words, it monitors and controls the computer network in real time without degrading the performance of the computer system.
In existing intrusion detection techniques, the mass of collected data serves as the data source of the intrusion detection system and is analyzed to decide whether an intrusion has occurred. While this large volume of data provides a great deal of usable information, it also makes the data harder to exploit effectively: useful information can be submerged in a large amount of redundant data, which increases the difficulty of feature extraction.
Summary of the invention
The purpose of the invention is to provide an anomaly detection method based on data mining that extracts the useful features from network data, eliminates the redundant attributes in the network data, improves detection accuracy, and reduces the probability of false positives and false negatives.
To achieve these goals, the invention provides an anomaly detection method based on data mining, characterized in that it consists of the following steps:
S1: take the network data as observational variables, use the Fast-ICA method to extract the observational-variable features from said observational variables, and form the observational-variable feature set Z, thereby obtaining the network data features with redundant attributes eliminated and the data dimension reduced;
S2: train on the observational-variable features with the AdaBoost method: the observational-variable feature set is the training set, and each observational-variable feature serves as a training sample; each training sample is given a weight that represents the probability of the sample being selected into the training set of a weak classifier; after each weak classifier finishes training, the weights are adjusted according to the classification results on the training set: if a training sample is classified correctly by the weak classifier, its weight is reduced, so the probability of it being selected into the training set of the next weak classifier decreases; if a training sample is classified incorrectly, the probability of it being selected into the training set of the next weak classifier is increased; a strong classifier is finally obtained;
S3: detect abnormal network data with said strong classifier.
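The three steps above can be summarized by the following outline, given here only as a reading aid (a minimal Python sketch, not part of the claims; the three function names are hypothetical placeholders for the Fast-ICA feature extraction, the AdaBoost training, and the detection step that are detailed later in the description).

```python
# Outline of the three-step method; the helper functions are hypothetical
# placeholders whose concrete forms are sketched in the detailed description.
def detect_anomalies(network_data, labels, new_traffic):
    # S1: Fast-ICA feature extraction -> feature set Z with redundant attributes removed.
    Z, ica_model = fast_ica_features(network_data)
    # S2: AdaBoost combines sequentially trained weak classifiers into a strong one.
    strong_classifier = adaboost_train(Z, labels)
    # S3: detect abnormal network data with the strong classifier.
    return strong_classifier.predict(fast_ica_transform(ica_model, new_traffic))
```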
Said step S1 consists of the following steps:
S10: take N observational variables x_1, x_2, …, x_N, which form the observational-variable set; each observational variable is expressed as a linear combination of M independent components s_1, s_2, …, s_M, which form the independent-component set, where i = 1, …, N, j = 1, …, M, and N and M are integers greater than 1; form the vector X = (x_1, x_2, …, x_N)^T of the observational-variable set and the vector S = (s_1, s_2, …, s_M)^T of the independent-component set, and set X = A·S, where A is the unknown N×M mixing matrix;
S11: whiten said observational variables;
S12: take the separation matrix W to be the generalized inverse of the mixing matrix A; adjust said separation matrix W by the stochastic gradient method according to the formula y = W·X, and compute the optimal estimate y of said vector S, thereby obtaining the network data features with redundant attributes eliminated and the data dimension reduced.
Adjusting the separation matrix W by the stochastic gradient method in said step S12 consists of the following steps:
(1) Iterate on said separation matrix W row by row according to the fixed-point update formula w_i(k+1) = E{X·g(w_i(k)^T·X)} − E{g′(w_i(k)^T·X)}·w_i(k), where w_i(k) denotes the row vector of the separation matrix W corresponding to the i-th observational variable of the observational-variable set after k iterations, w_i(k+1) denotes that row vector after k+1 iterations, w_i(k)^T denotes the transpose of that row vector, E is the expectation operator, g is the nonlinearity derived from the Gaussian contrast function and g′ is its derivative, and i and k are integers greater than 1;
(2) Judge whether |w_i(k+1) − w_i(k)| ≤ ξ holds; if it holds, stop the iteration, obtain the final separation matrix W(n), and execute step (3); if it does not hold, repeat step (1); here ξ is any number between 0 and 1;
(3) Normalize said final separation matrix W(n) row by row, i.e. w_i(n) = w_i(n) / norm(w_i(n)), where norm(·) denotes the vector norm;
(4) Substitute the final separation matrix W(n) into the formula y = W(n)·X to obtain the optimal estimate y of said vector S, thereby obtaining the network data features with redundant attributes eliminated and the data dimension reduced.
Said step S2 consists of the following steps:
S20: set the training set G = {(y_1, c_1), (y_2, c_2), …, (y_{m+n}, c_{m+n})}, where y is the optimal estimate of the vector S, i = 1, …, m+n, and m+n is an integer greater than 1; c_i is the class label, with c_i = +1 marking the minority class and c_i = −1 marking the majority class; the number of minority-class samples is m, the number of majority-class samples is n, and m << n;
S21: initialize said training set: the weight of each sample (y_i, c_i) in the training set G is initialized to 1/n;
S22: use the BP (back-propagation) neural network as the weak classifier, and call WeakLearn for T rounds of iterative training, where each round of training yields one weak classifier function;
S23: before each training round, judge whether the number of iterations ≥ T holds; if it holds, combine the T weak classifier functions to obtain the strong classifier; if not, adjust the weights and repeat step S22.
In summary, by adopting the above technical scheme, the invention has the following beneficial effects:
The invention effectively eliminates redundant attribute information in the network data, reduces the computational cost of classifier training and detection, improves detection accuracy, and lowers the probability of false positives and false negatives.
 
Description of drawings
The present invention will be explained by way of example with reference to the accompanying drawings, in which:
Fig. 1 is the flow chart of the present invention;
Fig. 2 is the flow chart of feature extraction with the Fast-ICA method;
Fig. 3 is the flow chart of the AdaBoost method;
Fig. 4 shows the results of the experimental test.
Embodiment
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification (including any accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving an equivalent or similar purpose, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only one example of a series of equivalent or similar features.
As shown in Fig. 1, the anomaly detection method based on data mining consists of three steps.
Step 1: take the network data as observational variables, use the Fast-ICA method to extract the observational-variable features from them, and form the observational-variable feature set; this yields the network data features with redundant attributes eliminated and the data dimension reduced.
The Fast-ICA algorithm, also called the fixed-point algorithm, adjusts the separation matrix W by the stochastic gradient method so that the independence between the recovered source signals is maximized.
As shown in Fig. 2, the process of extracting the observational-variable features with the Fast-ICA method consists of the following steps:
S10: take N observational variables x_1, x_2, …, x_N, which form the observational-variable set; each observational variable is expressed as a linear combination of M independent components s_1, s_2, …, s_M, which form the independent-component set, where i = 1, …, N, j = 1, …, M, and N and M are integers greater than 1; form the vector X = (x_1, x_2, …, x_N)^T of the observational-variable set and the vector S = (s_1, s_2, …, s_M)^T of the independent-component set, and set X = A·S, where A is the unknown N×M mixing matrix;
S11: whiten said observational variables;
S12: take the separation matrix W to be the generalized inverse of the mixing matrix A; adjust said separation matrix W by the stochastic gradient method according to the formula y = W·X, and compute the optimal estimate y of said vector S, thereby obtaining the network data features with redundant attributes eliminated and the data dimension reduced, i.e., the features of the observational-variable set.
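As a concrete illustration of steps S10 and S11, the short Python sketch below (not part of the patent text; the use of NumPy, the array shapes, and the eigenvalue-based whitening are assumptions made for illustration) centers and whitens an observation matrix X before the separation matrix W is estimated.

```python
import numpy as np

def center_and_whiten(X):
    """Center and whiten an observation matrix X of shape (N, T):
    N observational variables, T samples per variable."""
    # Center each observational variable (zero mean per row).
    X = X - X.mean(axis=1, keepdims=True)
    # Eigen-decomposition of the covariance matrix.
    cov = np.cov(X)
    eigvals, eigvecs = np.linalg.eigh(cov)
    # Whitening matrix V = D^{-1/2} E^T, so that cov(V X) = I.
    V = np.diag(1.0 / np.sqrt(eigvals + 1e-12)) @ eigvecs.T
    Z = V @ X
    return Z, V

# Example: 5 observed mixtures of 5 non-Gaussian sources, 1000 samples each.
rng = np.random.default_rng(0)
X = rng.standard_normal((5, 5)) @ rng.laplace(size=(5, 1000))
Z, V = center_and_whiten(X)
print(np.allclose(np.cov(Z), np.eye(5), atol=1e-1))  # approximately the identity
```

After whitening, the covariance of Z is approximately the identity matrix, which is what allows the subsequent fixed-point iteration to treat the rows of W as unit vectors.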
The Fast-ICA method is based on the maximum-negentropy criterion. The principle of the maximum-negentropy criterion is as follows. By the central limit theorem, a random variable x that is composed of many mutually independent random variables s_j in the observational-variable set must approach a Gaussian distribution, regardless of how the individual variables are distributed, as long as each independent random variable s_j has finite mean and variance. Therefore, during separation, the non-Gaussianity of the optimal estimate y is measured; when the non-Gaussianity measure reaches its maximum, the separation of the independent components is complete. The negentropy is defined as J(y) = H(y_gauss) − H(y), where y_gauss denotes a Gaussian random variable with the same variance as the optimal estimate y, and H(·) is the information entropy of a random variable. It can be seen from this formula that J(y) = 0 when the optimal estimate y has a Gaussian distribution, and that the stronger the non-Gaussianity of y, the larger the value of J(y).
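In practice the entropy H(y) is not evaluated directly; Fast-ICA implementations usually maximize an approximation of the negentropy built from a nonlinear contrast function. The sketch below illustrates one such non-Gaussianity measure (the contrast function G(u) = −exp(−u²/2) and the sample-based expectations are assumptions for illustration, not taken from the patent text).

```python
import numpy as np

def negentropy_approx(y):
    """Approximate negentropy J(y) ~ (E[G(y)] - E[G(v)])^2 for a
    zero-mean, unit-variance signal y, with v standard Gaussian and
    the Gaussian contrast function G(u) = -exp(-u^2 / 2)."""
    G = lambda u: -np.exp(-u**2 / 2.0)
    # E[G(v)] for v ~ N(0, 1) equals -1/sqrt(2).
    EG_gauss = -1.0 / np.sqrt(2.0)
    return (np.mean(G(y)) - EG_gauss) ** 2

rng = np.random.default_rng(0)
gauss = rng.standard_normal(100_000)
laplace = rng.laplace(size=100_000) / np.sqrt(2.0)  # unit variance
print(negentropy_approx(gauss))    # close to 0
print(negentropy_approx(laplace))  # noticeably larger
```

For the Gaussian sample the measure is close to zero, while the heavier-tailed Laplace sample scores noticeably higher, which is exactly the behaviour the maximum-negentropy criterion exploits.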
Accordingly, the stochastic gradient method carries out iterative processing on the separation matrix W under the maximum-negentropy criterion, using an update direction proportional to the gradient of the negentropy approximation (where E is the expectation operator and g is the nonlinearity derived from the Gaussian contrast function). It consists of the following steps:
(1) Iterate on said separation matrix W row by row according to the fixed-point update formula w_i(k+1) = E{X·g(w_i(k)^T·X)} − E{g′(w_i(k)^T·X)}·w_i(k), where w_i(k) denotes the row vector of the separation matrix W corresponding to the i-th observational variable of the observational-variable set after k iterations, w_i(k+1) denotes that row vector after k+1 iterations, w_i(k)^T denotes the transpose of that row vector, E is the expectation operator, g is the nonlinearity derived from the Gaussian contrast function and g′ is its derivative, and i and k are integers greater than 1;
(2) Judge whether |w_i(k+1) − w_i(k)| ≤ ξ holds; if it holds, stop the iteration, obtain the final separation matrix W(n), and execute step (3); if it does not hold, repeat step (1); here ξ is any number between 0 and 1;
(3) Normalize said final separation matrix W(n) row by row, i.e. w_i(n) = w_i(n) / norm(w_i(n)), where norm(·) denotes the vector norm;
(4) Substitute the final separation matrix W(n) into the formula y = W(n)·X to obtain the optimal estimate y of said vector S, thereby obtaining the network data features with redundant attributes eliminated and the data dimension reduced.
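A minimal Python sketch of the row-wise fixed-point iteration in steps (1)-(4) is given below, operating on the whitened data Z from the earlier sketch (illustrative only; the Gaussian nonlinearity g(u) = u·exp(−u²/2), the deflation step that keeps the rows of W decorrelated, and the dot-product form of the convergence test are implementation choices assumed here, not details fixed by the patent text).

```python
import numpy as np

def fast_ica(Z, n_components, xi=1e-4, max_iter=200, seed=0):
    """Fixed-point Fast-ICA on whitened data Z of shape (N, T).
    Returns the separation matrix W and the estimate y = W @ Z.
    g(u) = u*exp(-u^2/2) is the nonlinearity from the Gaussian
    contrast function; g'(u) = (1 - u^2)*exp(-u^2/2)."""
    rng = np.random.default_rng(seed)
    N, T = Z.shape
    W = np.zeros((n_components, N))
    for i in range(n_components):
        w = rng.standard_normal(N)
        w /= np.linalg.norm(w)
        for _ in range(max_iter):
            u = w @ Z                                    # w_i(k)^T X
            g = u * np.exp(-u**2 / 2)
            g_prime = (1 - u**2) * np.exp(-u**2 / 2)
            # Step (1): fixed-point update  w+ = E{X g(w^T X)} - E{g'(w^T X)} w
            w_new = (Z * g).mean(axis=1) - g_prime.mean() * w
            # Deflation: keep the new row decorrelated from earlier rows
            # (a practical necessity not spelled out in steps (1)-(4)).
            w_new -= W[:i].T @ (W[:i] @ w_new)
            w_new /= np.linalg.norm(w_new)               # step (3): row-wise normalization
            # Step (2): stop when the direction of w stops changing, the analogue
            # of |w_i(k+1) - w_i(k)| <= xi allowing for a sign flip.
            if np.abs(np.abs(w_new @ w) - 1) <= xi:
                w = w_new
                break
            w = w_new
        W[i] = w
    return W, W @ Z                                      # step (4): y = W(n) X

# Usage with the whitened data Z from the previous sketch:
# W, y = fast_ica(Z, n_components=5)
```

Without the deflation step every row of W would converge to the same independent component, so it is included even though steps (1)-(4) do not mention it explicitly.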
Step 2: train on the observational-variable features with the AdaBoost method. The observational-variable feature set is the training set, and each observational-variable feature serves as a training sample. Each training sample is given a weight that represents the probability of the sample being selected into the training set of a weak classifier. After each weak classifier finishes training, the weights are adjusted according to the classification results on the training set: if a training sample is classified correctly by the weak classifier, its weight is reduced, so the probability of it being selected into the training set of the next weak classifier decreases; if a training sample is classified incorrectly, the probability of it being selected into the training set of the next weak classifier is increased. A strong classifier is finally obtained.
Step 3: detect abnormal network data with said strong classifier.
As shown in Fig. 3, the AdaBoost training process, with the BP network as the weak classifier, consists of the following steps:
S20: set the training set G = {(y_1, c_1), (y_2, c_2), …, (y_{m+n}, c_{m+n})}, where y is the optimal estimate of the vector S, i = 1, …, m+n, and m+n is an integer greater than 1; c_i is the class label, with c_i = +1 marking the minority class and c_i = −1 marking the majority class; the number of minority-class samples is m, the number of majority-class samples is n, and m << n;
S21: initialize the training set: the weight of each sample (y_i, c_i) in the training set G is initialized to 1/n;
S22: use the BP (back-propagation) neural network as the weak classifier, and call WeakLearn for T rounds of iterative training, where each round of training yields one weak classifier function;
S23: before each round, judge whether the number of iterations ≥ T holds; if it holds, combine the T weak classifier functions to obtain the strong classifier; if not, adjust the weights and repeat step S22. Since the iterative training and the weight-adjustment procedure of the AdaBoost method are mature techniques, they are not described in detail here.
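The following Python sketch illustrates the AdaBoost loop of steps S20-S23 with a small multilayer perceptron standing in for the BP weak classifier (illustrative only; the use of scikit-learn's MLPClassifier, the hidden-layer size, T = 10 rounds, and the resampling of each weak classifier's training set according to the weights are assumptions, not values fixed by the patent).

```python
import numpy as np
from sklearn.neural_network import MLPClassifier

def adaboost_bp(Y, c, T=10, seed=0):
    """Resampling AdaBoost with an MLP weak learner.
    Y: feature matrix of shape (m+n, d) (rows = samples y_i),
    c: labels in {+1, -1}. Returns (classifiers, alphas)."""
    rng = np.random.default_rng(seed)
    n_samples = len(c)
    D = np.full(n_samples, 1.0 / n_samples)   # sample weights (selection probabilities)
    classifiers, alphas = [], []
    for t in range(T):
        # Draw the weak classifier's training set according to the weights D.
        idx = rng.choice(n_samples, size=n_samples, replace=True, p=D)
        weak = MLPClassifier(hidden_layer_sizes=(16,), max_iter=500,
                             random_state=seed + t)
        weak.fit(Y[idx], c[idx])
        pred = weak.predict(Y)
        # Weighted error of this weak classifier on the full training set.
        err = np.clip(np.sum(D * (pred != c)), 1e-10, 1 - 1e-10)
        alpha = 0.5 * np.log((1 - err) / err)
        # Correctly classified samples get smaller weights, misclassified ones larger.
        D *= np.exp(-alpha * c * pred)
        D /= D.sum()
        classifiers.append(weak)
        alphas.append(alpha)
    return classifiers, alphas

def strong_predict(classifiers, alphas, Y):
    """Weighted vote of the T weak classifiers."""
    score = sum(a * clf.predict(Y) for a, clf in zip(alphas, classifiers))
    return np.sign(score)
```

Because MLPClassifier does not accept per-sample weights, the sketch realizes the weights exactly as the description reads them: as selection probabilities used to resample each weak classifier's training set.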
The KDD99 data set, a test data set established by the MIT Lincoln Laboratory in 1998, was selected for the experiment. Each data record contains 41 attribute values, which fall into four groups: basic attributes of the connection, content attributes of the connection, time-based traffic attributes, and host-based traffic attributes. The experimental data consist of a training set and a test set.
A Fast-ICA feature-extraction step is introduced before the network data are classified: the Fast-ICA algorithm is first applied to the data, which eliminates the redundant attributes and markedly reduces the computational cost of classifier training and detection; independent component analysis is used to find a new feature space in which the attributes of the samples are mutually independent. In the experiment the training data set contains 4000 records and the test data set contains 800 records.
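Putting the pieces together, the experimental flow described here could look like the following sketch (illustrative only; load_kdd99_subset is a hypothetical placeholder for whatever preprocessing turns the 4000 training and 800 test records into numeric arrays with labels in {+1, −1}, the number of independent components is an arbitrary choice, and center_and_whiten, fast_ica, adaboost_bp and strong_predict are the functions sketched earlier).

```python
import numpy as np

# X_train: (4000, 41) numeric attribute matrix, c_train in {+1, -1}; likewise the
# 800 test records. load_kdd99_subset() is a hypothetical placeholder, not a real API.
X_train, c_train, X_test, c_test = load_kdd99_subset()

# Step 1: Fast-ICA feature extraction (rows = variables, so transpose).
Z_train, V = center_and_whiten(X_train.T)
W, Y_train = fast_ica(Z_train, n_components=10)      # 10 components is an assumption
Y_test = W @ (V @ (X_test.T - X_train.T.mean(axis=1, keepdims=True)))

# Step 2: AdaBoost with BP-style weak learners on the extracted features.
clfs, alphas = adaboost_bp(Y_train.T, c_train, T=10)

# Step 3: detect anomalies in the test records with the strong classifier.
pred = strong_predict(clfs, alphas, Y_test.T)
print("strong classifier error rate:", np.mean(pred != c_test))
```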
Simulation platform: the simulation was programmed in MATLAB 7.6; the test results are shown in Fig. 4:
Strong classifier classification error rate
ans = 0.0063
Weak classifier classification error rate
ans = 0.0142
Experimental analysis:
The experiment measures the performance of the intrusion detection system by the detection rate (DR) and the false positive rate (FPR), defined as follows:
Detection rate (DR) = number of detected intrusion samples / total number of intrusion samples
False positive rate (FPR) = number of normal samples mistaken for intrusions / total number of normal samples
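As a sanity check of these two definitions, the short sketch below computes DR and FPR from predicted and true labels (illustrative only; labelling intrusion samples +1 and normal samples −1 is an assumed convention for this sketch).

```python
import numpy as np

def detection_metrics(y_true, y_pred):
    """DR = detected intrusions / total intrusions,
    FPR = normal samples flagged as intrusion / total normal samples.
    Intrusion samples are labelled +1, normal samples -1."""
    intrusions = (y_true == 1)
    normals = (y_true == -1)
    dr = np.sum((y_pred == 1) & intrusions) / np.sum(intrusions)
    fpr = np.sum((y_pred == 1) & normals) / np.sum(normals)
    return dr, fpr

# Example: 3 intrusion samples (2 detected), 5 normal samples (1 false alarm).
y_true = np.array([1, 1, 1, -1, -1, -1, -1, -1])
y_pred = np.array([1, 1, -1, -1, 1, -1, -1, -1])
print(detection_metrics(y_true, y_pred))  # (0.666..., 0.2)
```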
In the experiment, the training data set is first used to train the system and build an intrusion detection rule base; after training is complete, the test data set is used to test the system.
From the experimental data it can be seen that the intrusion detection method proposed here, using the Fast-ICA dimension-reduction preprocessing, achieves a relatively high detection rate together with a low false positive rate.
Table 1 Classification error statistics
Table 2 Detection statistics
In the present invention, the Fast-ICA algorithm is used to extract features from the data as a preprocessing step, eliminating the redundant attributes in the data and markedly reducing the computational cost of classifier training and detection. On the classifier side, BP networks are used as weak classifiers and combined into an AdaBoost strong classifier, which is trained with the 4000 training samples in the test. As the tables above show, the AdaBoost strong classifier built on the Fast-ICA-preprocessed data achieves a higher detection rate: its classification error rate is lower than the weak classifier's error rate, and its detection rate is higher than the weak classifier's detection rate.
The present invention is not limited to the aforesaid embodiment. The present invention extends to any new feature, or any new combination of features, disclosed in this specification, and to any new method or process step, or any new combination thereof, disclosed herein.

Claims (4)

1. An anomaly detection method based on data mining, characterized in that it consists of the following steps:
S1: take the network data as observational variables, use the Fast-ICA method to extract the observational-variable features from said observational variables, and form the observational-variable feature set Z, thereby obtaining the network data features with redundant attributes eliminated and the data dimension reduced;
S2: train on the observational-variable features with the AdaBoost method: the observational-variable feature set is the training set, and each observational-variable feature serves as a training sample; each training sample is given a weight that represents the probability of the sample being selected into the training set of a weak classifier; after each weak classifier finishes training, the weights are adjusted according to the classification results on the training set: if a training sample is classified correctly by the weak classifier, its weight is reduced, so the probability of it being selected into the training set of the next weak classifier decreases; if a training sample is classified incorrectly, the probability of it being selected into the training set of the next weak classifier is increased; a strong classifier is finally obtained;
S3: detect abnormal network data with said strong classifier.
2. The anomaly detection method based on data mining according to claim 1, characterized in that said step S1 consists of the following steps:
S10: take N observational variables x_1, x_2, …, x_N, which form the observational-variable set; each observational variable is expressed as a linear combination of M independent components s_1, s_2, …, s_M, which form the independent-component set, where i = 1, …, N, j = 1, …, M, and N and M are integers greater than 1; form the vector X = (x_1, x_2, …, x_N)^T of the observational-variable set and the vector S = (s_1, s_2, …, s_M)^T of the independent-component set, and set X = A·S, where A is the unknown N×M mixing matrix;
S11: whiten said observational variables;
S12: take the separation matrix W to be the generalized inverse of the mixing matrix A; adjust said separation matrix W by the stochastic gradient method according to the formula y = W·X, and compute the optimal estimate y of said vector S, thereby obtaining the network data features with redundant attributes eliminated and the data dimension reduced.
3. The anomaly detection method based on data mining according to claim 2, characterized in that adjusting the separation matrix W by the stochastic gradient method in said step S12 consists of the following steps:
(1) Iterate on said separation matrix W row by row according to the fixed-point update formula w_i(k+1) = E{X·g(w_i(k)^T·X)} − E{g′(w_i(k)^T·X)}·w_i(k), where w_i(k) denotes the row vector of the separation matrix W corresponding to the i-th observational variable of the observational-variable set after k iterations, w_i(k+1) denotes that row vector after k+1 iterations, w_i(k)^T denotes the transpose of that row vector, E is the expectation operator, g is the nonlinearity derived from the Gaussian contrast function and g′ is its derivative, and i and k are integers greater than 1;
(2) Judge whether |w_i(k+1) − w_i(k)| ≤ ξ holds; if it holds, stop the iteration, obtain the final separation matrix W(n), and execute step (3); if it does not hold, repeat step (1); here ξ is any number between 0 and 1;
(3) Normalize said final separation matrix W(n) row by row, i.e. w_i(n) = w_i(n) / norm(w_i(n)), where norm(·) denotes the vector norm;
(4) Substitute the final separation matrix W(n) into the formula y = W(n)·X to obtain the optimal estimate y of said vector S, thereby obtaining the network data features with redundant attributes eliminated and the data dimension reduced.
4. The anomaly detection method based on data mining according to claim 1, characterized in that said step S2 consists of the following steps:
S20: set the training set G = {(y_1, c_1), (y_2, c_2), …, (y_{m+n}, c_{m+n})}, where y is the optimal estimate of the vector S, i = 1, …, m+n, and m+n is an integer greater than 1; c_i is the class label, with c_i = +1 marking the minority class and c_i = −1 marking the majority class; the number of minority-class samples is m, the number of majority-class samples is n, and m << n;
S21: initialize said training set: the weight of each sample (y_i, c_i) in the training set G is initialized to 1/n;
S22: use the BP (back-propagation) neural network as the weak classifier, and call WeakLearn for T rounds of iterative training, where each round of training yields one weak classifier function;
S23: before each training round, judge whether the number of iterations ≥ T holds; if it holds, combine the T weak classifier functions to obtain the strong classifier; if not, adjust the weights and repeat step S22.
CN201110283015XA 2011-09-22 2011-09-22 Abnormal detection method based on data mining Expired - Fee Related CN102324007B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110283015XA CN102324007B (en) 2011-09-22 2011-09-22 Abnormal detection method based on data mining

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110283015XA CN102324007B (en) 2011-09-22 2011-09-22 Abnormal detection method based on data mining

Publications (2)

Publication Number Publication Date
CN102324007A true CN102324007A (en) 2012-01-18
CN102324007B CN102324007B (en) 2013-11-27

Family

ID=45451748

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110283015XA Expired - Fee Related CN102324007B (en) 2011-09-22 2011-09-22 Abnormal detection method based on data mining

Country Status (1)

Country Link
CN (1) CN102324007B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102879823A (en) * 2012-09-28 2013-01-16 电子科技大学 Method for fusing seismic attributes on basis of fast independent component analysis
CN103536282A (en) * 2013-11-06 2014-01-29 中国人民解放军第三军医大学 Magnetic induction cardiopulmonary activity signal separation method based on Fast-ICA method
CN106950945A (en) * 2017-04-28 2017-07-14 宁波大学 A kind of fault detection method based on dimension changeable type independent component analysis model
CN107231348A (en) * 2017-05-17 2017-10-03 桂林电子科技大学 A kind of network flow abnormal detecting method based on relative entropy theory
CN107615275A (en) * 2015-05-29 2018-01-19 国际商业机器公司 Estimate to excavate the computing resource serviced for service data
CN108319883A (en) * 2017-01-16 2018-07-24 广东精点数据科技股份有限公司 A kind of fingerprint identification technology based on Fast Independent Component Analysis
CN112055007A (en) * 2020-08-28 2020-12-08 东南大学 Software and hardware combined threat situation perception method based on programmable nodes
WO2022037130A1 (en) * 2020-08-21 2022-02-24 杭州安恒信息技术股份有限公司 Network traffic anomaly detection method and apparatus, and electronic apparatus and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张磊: "Research on an Intrusion Detection System Based on Independent Component Analysis", Master's thesis, Xidian University *
郭红刚 et al.: "Application of the Adaboost Method in Intrusion Detection Technology", Computer Applications *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102879823A (en) * 2012-09-28 2013-01-16 电子科技大学 Method for fusing seismic attributes on basis of fast independent component analysis
CN103536282A (en) * 2013-11-06 2014-01-29 中国人民解放军第三军医大学 Magnetic induction cardiopulmonary activity signal separation method based on Fast-ICA method
CN103536282B (en) * 2013-11-06 2015-02-04 中国人民解放军第三军医大学 Magnetic induction cardiopulmonary activity signal separation method based on Fast-ICA method
CN107615275B (en) * 2015-05-29 2022-02-11 国际商业机器公司 Method and system for estimating computing resources for running data mining services
US11138193B2 (en) 2015-05-29 2021-10-05 International Business Machines Corporation Estimating the cost of data-mining services
CN107615275A (en) * 2015-05-29 2018-01-19 国际商业机器公司 Estimate to excavate the computing resource serviced for service data
CN108319883B (en) * 2017-01-16 2020-11-06 广东精点数据科技股份有限公司 Fingerprint identification method based on rapid independent component analysis
CN108319883A (en) * 2017-01-16 2018-07-24 广东精点数据科技股份有限公司 A kind of fingerprint identification technology based on Fast Independent Component Analysis
CN106950945B (en) * 2017-04-28 2019-04-09 宁波大学 A kind of fault detection method based on dimension changeable type independent component analysis model
CN106950945A (en) * 2017-04-28 2017-07-14 宁波大学 A kind of fault detection method based on dimension changeable type independent component analysis model
CN107231348B (en) * 2017-05-17 2020-07-28 桂林电子科技大学 Network flow abnormity detection method based on relative entropy theory
CN107231348A (en) * 2017-05-17 2017-10-03 桂林电子科技大学 A kind of network flow abnormal detecting method based on relative entropy theory
WO2022037130A1 (en) * 2020-08-21 2022-02-24 杭州安恒信息技术股份有限公司 Network traffic anomaly detection method and apparatus, and electronic apparatus and storage medium
CN112055007A (en) * 2020-08-28 2020-12-08 东南大学 Software and hardware combined threat situation perception method based on programmable nodes
CN112055007B (en) * 2020-08-28 2022-11-15 东南大学 Programmable node-based software and hardware combined threat situation awareness method

Also Published As

Publication number Publication date
CN102324007B (en) 2013-11-27

Similar Documents

Publication Publication Date Title
CN102324007B (en) Abnormal detection method based on data mining
Roffo et al. Infinite latent feature selection: A probabilistic latent graph-based ranking approach
CN104598813B (en) Computer intrusion detection method based on integrated study and semi-supervised SVM
Liang et al. Failure prediction in ibm bluegene/l event logs
CN104169909B (en) Context resolution device and context resolution method
CN110381079B (en) Method for detecting network log abnormity by combining GRU and SVDD
CN109582003A (en) Based on pseudo label semi-supervised kernel part Fei Sheer discriminant analysis bearing failure diagnosis
CN109729091A (en) A kind of LDoS attack detection method based on multiple features fusion and CNN algorithm
CN102291392A (en) Hybrid intrusion detection method based on bagging algorithm
CN109886284B (en) Fraud detection method and system based on hierarchical clustering
CN108647707B (en) Probabilistic neural network creation method, failure diagnosis method and apparatus, and storage medium
Shah et al. Virus detection using artificial neural networks
CN106792883A (en) Sensor network abnormal deviation data examination method and system
CN113918367A (en) Large-scale system log anomaly detection method based on attention mechanism
CN107679069A (en) Method is found based on a kind of special group of news data and related commentary information
CN111598179A (en) Power monitoring system user abnormal behavior analysis method, storage medium and equipment
CN111126820A (en) Electricity stealing prevention method and system
Guo et al. Fault diagnosis for power system transmission line based on PCA and SVMs
CN110334510A (en) A kind of malicious file detection technique based on random forests algorithm
Yongli et al. An improved feature selection algorithm based on MAHALANOBIS distance for network intrusion detection
Egri et al. Cross-correlation based clustering and dimension reduction of multivariate time series
CN109918901A (en) The method that real-time detection is attacked based on Cache
Yan et al. A new method of transductive svm-based network intrusion detection
Ismaili et al. A supervised methodology to measure the variables contribution to a clustering
CN112465397A (en) Audit data analysis method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131127

Termination date: 20190922

CF01 Termination of patent right due to non-payment of annual fee