CN102420723A - Anomaly detection method for various kinds of intrusion - Google Patents
- Publication number
- CN102420723A (application CN2011104186326A)
- Authority
- CN
- China
- Prior art keywords
- svm
- data
- characteristic
- attribute
- binary tree
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Abstract
The invention discloses an anomaly detection method for multiple kinds of intrusion. The method comprises the following steps: 1) pre-processing the raw data set, identifying complete request messages, and dividing the network connections by service type so that the relevant features can be extracted; 2) having a feature extraction unit analyse the characteristics of each kind of attack and, while considering the relevant packet header fields, also use application-layer information to extract three kinds of features, namely basic features, traffic features and content features; 3) using an attribute reduction algorithm based on the discernibility matrix to process the large number of extracted feature attributes, deleting the redundant attributes to obtain a reduced attribute set, extracting data from the original training data according to the reduced attribute set to obtain new training data, and passing the new training data to a support vector machine (SVM) module for training and classification; and 4) using a binary-tree-based multi-class SVM method to classify the minimal attribute subset obtained after rough set reduction, giving fast classification for intrusion detection.
Description
Technical field
The present invention is an anomaly detection technical scheme. Taking the diversity of network attacks into account, the method extracts packet header and application-layer data and applies rough-set attribute reduction and support vector machine techniques to anomaly detection; it belongs to the field of computer network security technology.
Background technology
As the frequency of network intrusions and the variety of intrusion types grow day by day, the design of intrusion detection schemes has become the focus of much research. In terms of detection strategy there are two main intrusion detection models: misuse detection and anomaly detection. Misuse detection describes specific intrusion behaviours in advance with rules or patterns, then compares the captured traffic relevant to the protected target against those rules or patterns in the hope of finding, in the traffic, the specific intrusion corresponding to a rule or pattern. Its advantage is that an efficient, targeted intrusion detection system can be built with high accuracy; its main drawback is that it cannot detect unknown intrusions or variants of known intrusions, so it may miss attacks. Anomalous intrusions manifest as abnormal user behaviour and abnormal use of computer resources. Anomaly detection must build a model of the normal activity of the target system and its users, audit the actual activity of the system and users against that model, and judge whether a user's behaviour threatens the system. Its advantage is that it needs no knowledge of system defects and adapts well; its drawback is that a complete profile of normal user behaviour is hard to extract.
Surveying the current state of anomaly detection, most methods are designed for one specific kind of attack and are far from meeting the demand created by increasingly diverse intrusion techniques. The few anomaly detection methods that try to detect many kinds of attack include all sorts of attributes at the feature extraction stage, so the volume of data to be processed is very large, which hurts the detection rate and is costly.
Rough set theory, a relatively new machine learning method, has outstanding advantages in handling uncertain knowledge, eliminating redundant information and discovering structural relations between the attributes of sample data. It does not depend on prior knowledge of a model and provides a complete set of condition attribute reduction and value reduction methods, so it can find the minimal set of prediction rules that describes the normal model of a system, offering a new route to feature attribute selection and faster detection.
The support vector machine (SVM), a statistical learning method for limited samples, has many distinctive advantages and can be used to solve small-sample, non-linear and high-dimensional data processing problems. The SVM was originally proposed for two-class classification, and how to extend the two-class method to multi-class problems is a current research focus. Existing methods include the one-against-rest method, the one-against-one method, linear programming solvers, the directed acyclic graph multi-class SVM (DAG-SVM) and the error-correcting code SVM (ECC-SVM); but when training speed, decision speed and accuracy are all considered, the practical effectiveness of these algorithms and the optimal design of multi-class SVMs still need further research.
Summary of the invention
Technical problem: the object of the invention is to propose, starting from the diversity of intrusion types, an anomaly detection method aimed at multiple kinds of intrusion. By analysing the characteristics of each kind of attack, the method extracts basic features, traffic features and content features, reduces the large number of feature attributes with rough set theory, and then combines this with a binary-tree-based multi-class SVM to realise multi-class anomaly detection.
Technical scheme: the invention combines diverse feature extraction, rough-set attribute reduction and support vector machines to provide an anomaly detection method for multiple kinds of intrusion. The feature extraction part considers the relevant packet header fields and application-layer information at the same time so as to detect all kinds of attacks effectively; rough-set attribute reduction processes the large number of extracted feature attributes, removes the redundant information among them and yields a minimal attribute set; finally the good classification performance of the SVM is used to classify the minimal attribute set obtained by rough set reduction, giving fast classification for intrusion detection. The multi-class SVM algorithm used is a binary-tree-based multi-class SVM method built on the basis of the traditional one-against-rest method, the one-against-one method, linear programming solvers, the directed acyclic graph multi-class SVM (DAG-SVM) and the error-correcting code SVM (ECC-SVM).
The steps of the method of the invention are as follows:
1) Pre-process the raw data set, identify complete request messages, then divide the network connections by service type in order to extract the relevant features;
2) The feature extraction unit analyses the characteristics of each kind of attack and, while considering the relevant packet header fields, also uses application-layer information, extracting three kinds of features: basic features, traffic features and content features. Basic features mainly consider Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) packets; traffic features are mainly the characteristics of network traffic and hosts within a short time window; content features are mainly the length of the connection request and some bytes of the connection request payload;
3) An attribute reduction algorithm based on the discernibility matrix processes the large number of extracted feature attributes and deletes the redundant attributes to obtain the reduced attribute set; data are then extracted from the original training data according to the reduced attribute set to form new training data, which are sent to the support vector machine (SVM) module for training and classification;
4) A binary-tree-based multi-class SVM method classifies the minimal attribute set obtained after rough set reduction, giving fast classification for intrusion detection.
The binary-tree-based multi-class SVM method in step 4) is implemented as follows:
1) Divide all classes into two sub-classes;
2) Further divide each sub-class into two secondary sub-classes, and so on, until every node contains only a single class; such a node is a leaf of the binary tree, and the result is an inverted binary classification tree;
3) According to the generated binary tree, use the binary SVM training algorithm to construct the optimal hyperplane at each internal node of the tree:
A. Take the samples of class n_1 as the positive sample set and all other samples as the negative sample set, and use the SVM training algorithm to build the binary SVM sub-classifier at the root node;
B. Take the samples of class n_2 as the positive sample set and the samples of classes n_3, …, n_k as the negative sample set, and build the binary SVM sub-classifier of the second internal node; continue in this way until all binary sub-classifiers have been trained, which gives the binary-tree-based multi-class SVM classification model.
Fig. 1 shows the general flow of network anomaly detection; feature extraction and feature processing are its core units, and the invention ultimately improves the anomaly detection method by improving these two units. In the invention the feature processing unit of this general flow chart corresponds to an SVM algorithm flow based on rough-set attribute reduction, shown in detail in Fig. 2. Applying the feature extraction and feature processing methods of the invention within the general flow of network anomaly detection gives the system architecture of the invention shown in Fig. 3.
The main work flow of the invention is as follows:
First the raw data set is pre-processed to identify complete request messages; the network connections are divided by service type and the relevant features are extracted from each connection.
In order to detect all kinds of attacks effectively (including traffic attacks and application attacks), the feature extraction unit analyses the characteristics of each kind of attack and, while considering the relevant packet header fields, also uses application-layer information to extract basic features, traffic features and content features.
The rough set pre-classifier reduces the decision table with the rough set reduction method. Knowledge reduction deletes irrelevant or unimportant attributes while keeping the classification and decision capability of the knowledge base unchanged. Passing the data through the rough set pre-classifier therefore eliminates a great deal of redundant information and reduces the SVM training data. Before being passed to this unit the feature attributes of the data must first be processed so that they become data the rough set method can handle.
The SVM classifier classifies the reduced data vectors and produces a discrimination result, which can be used directly as the output of the whole intrusion detection system.
The rough set pre-classifier and the SVM classifier together form the feature processing module, whose flow is shown in Fig. 2. The training sample set is first processed (the extracted feature attribute values are quantised) to produce the feature attribute data. The quantised attribute values form a two-dimensional table in which each row describes one object and each column describes one attribute of the objects. The attributes are divided into condition attributes and decision attributes. Decision table reduction comprises condition attribute reduction and decision rule reduction. The former removes a condition attribute and checks whether the decision table remains consistent; if it does, the attribute is dropped, and this continues until the decision table cannot be simplified further. The latter works on the decision table after condition attribute reduction: duplicate information is removed from the sample set, the remaining training set is examined to see which attribute values in each rule are redundant, and once the redundant and duplicate information has been removed the minimal decision algorithm is obtained. Alternatively each decision rule can be simplified first and the condition attributes afterwards, which also yields the minimal condition attribute set. The minimal condition attribute set obtained by reduction and the corresponding original data then form a new training sample set from which all unnecessary condition attributes have been removed and in which only the attributes important to prediction accuracy are kept. The SVM is learned and trained with the training samples formed after reduction. Finally the test sample set, formed in the same way from the minimal condition attribute set and the corresponding original data, is input to test the system and output the prediction result.
Beneficial effects: compared with most existing anomaly detection methods, the invention effectively overcomes the limitation that other methods can only detect a single type of attack, and by reducing the amount of data it shortens detection time and improves efficiency. Specifically:
By extracting the basic, traffic and content features of the data, it effectively remedies the defects that the traditional traffic model only extracts packet header fields and the application model only analyses the payload, and so detects various network attacks effectively.
The invention combines the rough set method and the SVM method to provide the feature processing module, so that the two complement each other. The complementarity of the rough set and SVM methods is: 1) SVM processing generally cannot reduce the dimensionality of the input space, so when that dimensionality is large the SVM training time becomes long, whereas the rough set method can remove redundant information by discovering the relations in the data and reduce the dimensionality of the input data space; 2) the rough set method is sensitive to noise in practical applications, so the result of learning and reasoning from noise-free training samples performs poorly in a noisy environment, that is, the rough set method generalises poorly, whereas the SVM method suppresses noise interference better and generalises well. Exploiting this complementarity, the rough set first pre-processes the data, i.e. it serves as the front-end system, and the SVM information prediction system is then built on the information structure pre-processed by the rough set. This combination has the following three clear advantages: (1) the rough set method reduces the number of features that represent the information, so the amount of SVM input data is greatly reduced and the system becomes faster; (2) after the rough set method removes the redundant information the training sample set is simplified, which also shortens the system training time; (3) the SVM information processing system at the back end is fault-tolerant and resistant to interference.
The binary-tree-based multi-class SVM model adopted by the invention differs from the traditional models and has the following advantages:
First, it keeps the advantage of the one-against-rest method that few support vector machines need to be trained and few classifiers are used for decision, while overcoming its disadvantages that each two-class SVM has many training samples and trains slowly, and that at decision time there are regions that belong to several classes at once or to no class at all.
Second, it draws on the advantage of the one-against-one method that each two-class SVM has few training samples and a short training time.
Third, it draws on the fast decision speed of the directed acyclic graph SVM method while overcoming its disadvantage that the decision result can be uncertain in special cases.
Description of drawings
Fig. 1 is the general flow chart of network anomaly detection.
Fig. 2 is the flow chart of the SVM algorithm based on rough set attribute reduction.
Fig. 3 is the system architecture diagram of the invention.
Fig. 4 is the binary tree structure of the multi-class SVM classification model.
Embodiment
Fig. 1 shows the general flow chart of network anomaly detection; embedding the feature extraction and feature processing modules proposed by the invention into Fig. 1 gives the overall framework of the invention, shown in Fig. 3. The implementation of each module component is as follows:
1. Pre-processing
Before features are extracted, the data source or raw data set is first pre-processed to identify complete request messages and is then divided into network connections by service type, so that the relevant features can be extracted from each connection for training and detection. The training phase generally uses clean data to obtain the normal model; the detection phase uses a data set containing attacks, and whether data are anomalous is decided by computing their deviation from the normal model.
2. Feature extraction
Feature extraction must be complete and accurate yet concise in order to raise the detection rate, reduce the false alarm rate and achieve good real-time performance. To detect all kinds of attacks effectively (including traffic attacks and application attacks), the characteristics of each kind of attack are analysed and, while the relevant packet header fields are considered, application-layer information is also used, extracting basic features, traffic features and content features. This remedies the defects that the traditional traffic model only extracts packet header fields and the application model only analyses the payload.
(1) Basic features
Because TCP/IP is currently the most widely used network interconnection protocol suite and the security holes inherent in TCP/IP give attackers their opportunity, the invention mainly considers IP, TCP, UDP and ICMP packets.
Many attacks leave traces in the packet header, so some effective header fields can be extracted. For IP packets the source address, destination address, protocol type, timestamp and identification can be extracted. The addresses are extracted because some attackers use forged IP addresses, as in the Land attack (the source IP of the attack packet is the same as its destination IP). The protocol type is extracted because different attacks can be carried out over different protocols. Some attacks exhaust the target's resources by sending packets at a high rate, so the timestamp is extracted. For TCP packets the TCP flags, source port and destination port can be extracted; for UDP packets only the source port and destination port; for ICMP packets the type field and code field.
(2) Traffic features
In DoS and Probe attacks the intrusion signature is mainly reflected in the characteristics of network traffic and hosts over a short time, for example the number of erroneous SYN connections in the past two seconds, the number of connections to the same host or destination host, and connection attempts made to different ports of the destination host.
(3) Content features
U2R and R2L attacks are generally hidden in the payload of packets, and a single packet analysed on its own shows little difference from a normal connection. The request length of a particular request type varies little, but some attacks, such as buffer overflows, make the request length noticeably larger, so the request length (the number of bytes sent continuously) can serve as an important feature. In addition some bytes of the connection request payload can be extracted.
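The three feature groups described above, worked through on constructed packets. This is an added example, not code from the patent: the IPv4/TCP/UDP/ICMP packets and the connection records are built inline with `struct` (checksums left zero) so it runs offline, and the record fields (`ts`, `dst`, `dport`, `syn_error`) are an assumed representation of a connection summary. It extracts the header fields the text lists (including the Land check, source address equal to destination), the two-second window host statistics, and the request length plus leading payload bytes.

```python
"""Basic, traffic and content feature extraction from raw packets (added example)."""
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4(src, dst, proto, l4):
    """Constructed IPv4 header (IHL=5, no options, checksum 0) in front of a layer-4 segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def build_tcp(sport, dport, flags, payload=b""):
    """Constructed 20-byte TCP header (data offset 5) followed by the payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload


def build_udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp(icmp_type, code):
    return struct.pack("!BBH", icmp_type, code, 0) + b"\x00" * 4


def basic_features(pkt):
    """Header fields the patent lists as basic features.

    IP: source, destination, protocol, identification, plus the Land check
    (source == destination); TCP: flags and ports; UDP: ports; ICMP: type and code.
    The payload is kept so content features can be taken from it afterwards.
    """
    ver_ihl, _tos, _tlen, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    feats = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
             "proto": proto, "ip_id": ident, "ttl": ttl, "land": src == dst}
    l4 = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == 6:  # TCP
        sport, dport, _seq, _ack, doff, flags, _win, _c, _urg = struct.unpack("!HHIIBBHHH", l4[:20])
        feats.update(sport=sport, dport=dport, tcp_flags=flags, payload=l4[(doff >> 4) * 4:])
    elif proto == 17:  # UDP
        sport, dport, _ulen, _c = struct.unpack("!HHHH", l4[:8])
        feats.update(sport=sport, dport=dport, payload=l4[8:])
    elif proto == 1:  # ICMP
        icmp_type, code, _c = struct.unpack("!BBH", l4[:4])
        feats.update(icmp_type=icmp_type, icmp_code=code, payload=l4[4:])
    else:
        feats["payload"] = l4
    return feats


def traffic_features(conns, now, dst, window=2.0):
    """Short-window host statistics: connections to `dst` in the last `window` seconds,
    how many of them were failed SYNs, and how many distinct ports were tried."""
    recent = [c for c in conns if c["dst"] == dst and now - window <= c["ts"] <= now]
    return {"count": len(recent),
            "syn_error_count": sum(1 for c in recent if c["syn_error"]),
            "distinct_ports": len({c["dport"] for c in recent})}


def content_features(payload, head=8):
    """Request length (bytes sent continuously) and the first `head` payload bytes."""
    return {"request_len": len(payload), "head_bytes": payload[:head].ljust(head, b"\x00")}


def sample_connections():
    """Constructed connection records (ts in seconds): a port sweep against 10.0.0.9."""
    return [
        {"ts": 7.5, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 21, "syn_error": True},   # outside the window at t=10
        {"ts": 8.2, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 22, "syn_error": True},
        {"ts": 8.9, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 23, "syn_error": True},
        {"ts": 9.4, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "syn_error": False},
        {"ts": 9.5, "src": "10.0.0.5", "dst": "10.0.0.7", "dport": 80, "syn_error": False},  # different host
        {"ts": 9.9, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 22, "syn_error": True},
    ]


if __name__ == "__main__":
    syn = build_ipv4("10.0.0.5", "10.0.0.9", 6, build_tcp(40000, 80, TCP_SYN, b"GET / HTTP/1.0\r\n"))
    b = basic_features(syn)
    print(b["src"], b["dst"], b["proto"], hex(b["tcp_flags"]), "land:", b["land"])
    print(content_features(b["payload"]))
    print(traffic_features(sample_connections(), now=10.0, dst="10.0.0.9"))
```

The window statistics are computed from a list of connection summaries rather than from raw packets; in a live system the pre-processing step would have to produce those summaries (and decide what "erroneous SYN" means, e.g. a SYN with no matching SYN-ACK) before this function can run.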
3. Feature processing
Feature processing comprises a front part and a back part. The front part uses the rough set method to reduce the extracted feature attributes, reducing the number of features that represent the information so that the amount of SVM input data is greatly reduced. The back part uses the binary-tree-based multi-class SVM method to classify and detect the network data.
(1) Rough set attribute reduction
An attribute reduction algorithm based on the discernibility matrix is applied to some or all of the data to delete the redundant attributes and obtain the reduced attribute set. Data are then extracted from the original training data according to the reduced attribute set to form new training data, which are sent to the SVM module for training and classification. During attribute reduction a single optimal reduct should not simply be taken and used; instead several optimal or near-optimal reducts are kept and, according to the actual situation and experience, their union is used as the reduction result. There are two reasons for this. First, it improves the reliability of the classifier while still reducing computational complexity: with a single reduct, classification accuracy can be seriously affected when data noise or missing attribute values are encountered, whereas the union of several reducts does not cause a noticeable drop in classification accuracy. Second, when a standard SVM is used as the base training algorithm and a single reduct is used, the loss of classification information means that the number of support vectors is far larger than without reduction under the same parameters; because support vectors are often retained into the next round of training, the number of samples taking part in later training grows and the efficiency of the algorithm suffers, so the training time rises instead of falling. With the union of several reducts, once the number of attributes reaches a certain level this situation is avoided.
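The discernibility-matrix reduction described here and in the decision table walkthrough of the feature processing module above, as an added example (not the patent's code). The decision table is constructed: five condition attributes `a`..`e`, where `e` is constant and `b` turns out to be redundant, so the table has two minimal reducts, and their union is what the text says to carry forward as the reduced attribute set. Reducts are found as minimal hitting sets of the non-empty matrix entries, by exhaustive search, which is adequate for tables with a few dozen attributes but not for large ones; the page does not say which search the patent uses.

```python
"""Rough-set attribute reduction via the discernibility matrix (added example)."""
from itertools import combinations

ATTRS = ["a", "b", "c", "d", "e"]
TABLE = [  # constructed decision table: (condition attribute values, decision)
    ({"a": 0, "b": 0, "c": 0, "d": 0, "e": 1}, "normal"),
    ({"a": 0, "b": 1, "c": 0, "d": 0, "e": 1}, "normal"),
    ({"a": 1, "b": 0, "c": 1, "d": 1, "e": 1}, "dos"),
    ({"a": 1, "b": 1, "c": 1, "d": 1, "e": 1}, "dos"),
    ({"a": 0, "b": 0, "c": 1, "d": 1, "e": 1}, "probe"),
    ({"a": 1, "b": 0, "c": 0, "d": 0, "e": 1}, "r2l"),
]


def discernibility_matrix(table, attrs):
    """Non-empty entries of the discernibility matrix: for each pair of objects with
    different decisions, the set of condition attributes on which they differ."""
    entries = set()
    for (x, dx), (y, dy) in combinations(table, 2):
        if dx != dy:
            diff = frozenset(a for a in attrs if x[a] != y[a])
            if diff:
                entries.add(diff)
    return entries


def core(entries):
    """Attributes that appear alone in some entry; no reduct can drop them."""
    return {next(iter(e)) for e in entries if len(e) == 1}


def hits_every_entry(subset, entries):
    """A subset preserves the decisions iff it intersects every discernibility entry."""
    s = set(subset)
    return all(s & e for e in entries)


def minimal_reducts(table, attrs):
    """All reducts of minimum size: the smallest attribute subsets hitting every entry."""
    entries = discernibility_matrix(table, attrs)
    for size in range(1, len(attrs) + 1):
        found = [c for c in combinations(attrs, size) if hits_every_entry(c, entries)]
        if found:
            return found
    return []


def reduct_union(reducts):
    """The text keeps several optimal reducts and uses their union as the final attribute set."""
    return set().union(*reducts)


def project(table, keep):
    """New training data: the original rows restricted to the kept attributes."""
    return [({a: row[a] for a in keep}, dec) for row, dec in table]


def is_consistent(table):
    """True if no two rows with identical condition values carry different decisions."""
    seen = {}
    for row, dec in table:
        key = tuple(sorted(row.items()))
        if seen.setdefault(key, dec) != dec:
            return False
    return True


if __name__ == "__main__":
    entries = discernibility_matrix(TABLE, ATTRS)
    print("core:", core(entries))
    reducts = minimal_reducts(TABLE, ATTRS)
    print("minimal reducts:", reducts)
    keep = sorted(reduct_union(reducts))
    print("reduced attribute set:", keep, "consistent:", is_consistent(project(TABLE, keep)))
```

Projecting onto the core alone (`a`) leaves two rows with equal condition values and different decisions, which is exactly the inconsistency the reduction must avoid; either reduct, or their union, keeps the table consistent while dropping `b` and `e`.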
(2) Binary-tree-based multi-class SVM
On the basis of the commonly used SVM multi-class methods, the invention adopts an improved binary-tree-based multi-class SVM training and decision method. The intrusion detection data set is divided into five classes: normal network data and four classes of attack data, namely Probing, Denial of Service (DoS), User-to-Root (U2R) and Remote-to-Local (R2L), so four two-class SVM classifiers are built. The selection scheme for the training samples and the decision scheme of the SVM are described below.
(a) Selection scheme for the training samples
The idea is to build k−1 two-class classifiers for a k-class problem. The first two-class classifier takes the class 1 samples as the positive class and all the rest as the negative class; the second excludes the class 1 samples and takes the class 2 samples as positive and the rest as negative; the third excludes the first two classes and takes the class 3 samples as positive and the rest as negative; the (k−1)th classifier takes the class k−1 samples as positive and the class k samples as negative. The total number of training samples in this scheme is roughly half that of the one-against-rest and one-against-one methods.
(b) Decision scheme of the SVM
To draw on the advantages of the directed acyclic graph multi-class SVM method, which needs few classifiers at decision time and decides quickly, the invention adopts a decision method that combines a binary tree with support vector machines.
The binary-tree-based multi-class SVM first divides all classes into two sub-classes, then further divides each sub-class into two secondary sub-classes, and so on, until every node contains only a single class; such a node is a leaf of the binary tree, and the result is an inverted binary classification tree. This method likewise decomposes the original multi-class problem into a series of two-class problems, where the classification function between two sub-classes is a binary SVM. The binary tree method avoids the non-separable cases of the conventional methods, needs only k−1 binary SVM classifiers, and does not necessarily have to evaluate every classifier's discriminant function during testing, so it saves testing time.
The concrete procedure is as follows. The classes are first ordered by their labels as n_1, n_2, …, n_k, from which the binary tree shown in Fig. 4 is generated; then, according to the generated tree, the binary SVM training algorithm is used to construct the optimal hyperplane at each internal node of the tree. Taking the samples of class n_1 as the positive sample set and all other samples as the negative sample set, the SVM training algorithm builds the binary SVM sub-classifier at the root node. Taking the samples of class n_2 as the positive sample set and the samples of classes n_3, …, n_k as the negative sample set, the binary SVM sub-classifier of the second internal node is built. This continues until all binary sub-classifiers have been trained, which gives the binary-tree-based multi-class SVM classification model.
In the directed acyclic graph multi-class SVM method every test sample must pass through k−1 classifications before its class is obtained. In this scheme a sample of class 1 obtains its class after only one classification, a sample of class 2 after only two, and so on, until samples of classes k−1 and k, which need k−1 classifications. Overall, therefore, the number of classifiers passed through at decision time is far smaller than in the directed acyclic graph SVM method.
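The training-sample selection and root-to-leaf decision scheme above, as an added example rather than the patent's code. The five classes are ordered as the text lists them (normal, Probing, DoS, U2R, R2L), giving four two-class SVMs; node i is trained on class n_i against classes n_(i+1) .. n_k only, and prediction stops at the first node whose decision function is positive. The two-class learner is a small batch sub-gradient solver for the linear soft-margin SVM written here for self-containment (the page does not say which SVM solver the patent uses), and the sample feature vectors are constructed: one tight cluster per class. `training_sample_counts` totals the samples the k−1 node classifiers see, beside the one-against-rest and one-against-one totals the text compares against.

```python
"""Binary-tree multi-class SVM: k-1 linear two-class SVMs evaluated root-to-leaf (added example)."""
from dataclasses import dataclass

CLASS_ORDER = ["normal", "probe", "dos", "u2r", "r2l"]  # n_1 .. n_k, as listed in the text


def synthetic_samples():
    """Constructed 2-D reduced feature vectors: one small cluster per class along a diagonal."""
    X, y = [], []
    for centre, cls in enumerate(CLASS_ORDER):
        for dx, dy in ((-0.1, -0.1), (-0.1, 0.1), (0.1, -0.1), (0.1, 0.1)):
            X.append((centre + dx, centre + dy))
            y.append(cls)
    return X, y


@dataclass
class LinearSVM:
    w: list
    b: float
    mean: list
    std: list

    def decision(self, x):
        """Signed distance-like score: positive means the node's positive class."""
        z = [(xi - m) / s for xi, m, s in zip(x, self.mean, self.std)]
        return sum(wi * zi for wi, zi in zip(self.w, z)) + self.b


def train_linear_svm(X, y, lam=0.01, lr=0.05, iters=2000):
    """Batch sub-gradient descent on (1/n) sum max(0, 1 - y_i (w.x_i + b)) + lam/2 |w|^2.
    Features are standardised per node; the bias b is left unregularised."""
    n, d = len(X), len(X[0])
    mean = [sum(x[j] for x in X) / n for j in range(d)]
    std = [max((sum((x[j] - mean[j]) ** 2 for x in X) / n) ** 0.5, 1e-9) for j in range(d)]
    Z = [[(x[j] - mean[j]) / std[j] for j in range(d)] for x in X]
    w, b = [0.0] * d, 0.0
    for _ in range(iters):
        gw, gb = [lam * wj for wj in w], 0.0
        for z, label in zip(Z, y):
            if label * (sum(wj * zj for wj, zj in zip(w, z)) + b) < 1:  # inside the margin
                gw = [gj - label * zj / n for gj, zj in zip(gw, z)]
                gb -= label / n
        w = [wj - lr * gj for wj, gj in zip(w, gw)]
        b -= lr * gb
    return LinearSVM(w, b, mean, std)


def train_tree(X, y, order=CLASS_ORDER):
    """Node i: class order[i] positive, classes order[i+1:] negative; earlier classes excluded."""
    nodes = []
    for i, pos in enumerate(order[:-1]):
        keep = set(order[i:])
        Xi = [x for x, c in zip(X, y) if c in keep]
        yi = [1.0 if c == pos else -1.0 for c in y if c in keep]
        nodes.append((pos, train_linear_svm(Xi, yi)))
    return nodes


def predict_tree(nodes, x, order=CLASS_ORDER):
    """Walk from the root; return (class, number of binary decisions evaluated)."""
    for depth, (pos, clf) in enumerate(nodes, 1):
        if clf.decision(x) > 0:
            return pos, depth
    return order[-1], len(nodes)


def training_sample_counts(k, m):
    """Samples presented to all two-class SVMs for k classes with m samples each."""
    return {"tree": sum(m * (k - i) for i in range(k - 1)),
            "one_vs_rest": k * k * m,
            "one_vs_one": (k * (k - 1) // 2) * 2 * m}


if __name__ == "__main__":
    X, y = synthetic_samples()
    nodes = train_tree(X, y)
    for point in ((0.0, 0.0), (2.0, 2.0), (4.0, 4.0)):
        print(point, predict_tree(nodes, point))
    print(training_sample_counts(5, 4))
```

The class order matters twice: the class placed at n_1 is decided after one evaluation, so the majority class (normal traffic) belongs at the root for speed, and each node must separate its positive class from all later classes linearly, which is why the example keeps the clusters in the same order along the diagonal. For 5 classes with 4 samples each the tree sees 56 samples in total, against 100 for one-against-rest and 80 for one-against-one.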
Claims (2)
1. An anomaly detection method for multiple kinds of intrusion, characterised in that the steps of the method are as follows:
1) Pre-process the raw data set, identify complete request messages, then divide the network connections by service type in order to extract the relevant features;
2) The feature extraction unit analyses the characteristics of each kind of attack and, while considering the relevant packet header fields, also uses application-layer information, extracting three kinds of features: basic features, traffic features and content features. Basic features mainly consider Internet Protocol (IP) packets, Transmission Control Protocol (TCP) packets, User Datagram Protocol (UDP) packets and Internet Control Message Protocol (ICMP) packets; traffic features are mainly the characteristics of network traffic and hosts within a short time window; content features are mainly the length of the connection request and some bytes of the connection request payload;
3) An attribute reduction algorithm based on the discernibility matrix processes the large number of extracted feature attributes and deletes the redundant attributes to obtain the reduced attribute set; data are then extracted from the original training data according to the reduced attribute set to form new training data, which are sent to the support vector machine (SVM) module for training and classification;
4) A binary-tree-based multi-class SVM method classifies the minimal attribute set obtained after rough set reduction, giving fast classification for intrusion detection.
2. The anomaly detection method for multiple kinds of intrusion according to claim 1, characterised in that the binary-tree-based multi-class SVM method in step 4) is implemented as follows:
1) Divide all classes into two sub-classes;
2) Further divide each sub-class into two secondary sub-classes, and so on, until every node contains only a single class; such a node is a leaf of the binary tree, and the result is an inverted binary classification tree;
3) According to the generated binary tree, use the binary SVM training algorithm to construct the optimal hyperplane at each internal node of the tree:
A. Take the samples of class n_1 as the positive sample set and all other samples as the negative sample set, and use the SVM training algorithm to build the binary SVM sub-classifier at the root node;
B. Take the samples of class n_2 as the positive sample set and the samples of classes n_3, …, n_k as the negative sample set, and build the binary SVM sub-classifier of the second internal node; continue in this way until all binary sub-classifiers have been trained, which gives the binary-tree-based multi-class SVM classification model.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN2011104186326A (CN102420723A) | 2011-12-14 | 2011-12-14 | Anomaly detection method for various kinds of intrusion
Publications (1)
Publication Number | Publication Date
---|---
CN102420723A | 2012-04-18
Family ID: 45944970
Country Status (1)
Country | Link
---|---
CN | CN102420723A (en)
CN109274698A (en) * | 2018-11-26 | 2019-01-25 | 杭州安恒信息技术股份有限公司 | A kind of HTTP accesses recognition methods and the device of behavior |
CN109413016A (en) * | 2018-04-28 | 2019-03-01 | 武汉思普崚技术有限公司 | A kind of rule-based message detecting method and device |
CN109818961A (en) * | 2019-01-30 | 2019-05-28 | 广东工业大学 | A kind of network inbreak detection method, device and equipment |
CN109981583A (en) * | 2019-02-26 | 2019-07-05 | 重庆邮电大学 | A kind of industry control network method for situation assessment |
CN110943973A (en) * | 2019-11-01 | 2020-03-31 | 华为技术有限公司 | Data flow classification method and device and model training method and device |
CN111061779A (en) * | 2019-12-16 | 2020-04-24 | 延安大学 | Data processing method and device based on big data platform |
US10652255B2 (en) | 2015-03-18 | 2020-05-12 | Fortinet, Inc. | Forensic analysis |
CN111431863A (en) * | 2020-02-28 | 2020-07-17 | 电子科技大学 | Host intrusion detection method based on relational network |
CN112671791A (en) * | 2020-12-30 | 2021-04-16 | 网神信息技术(北京)股份有限公司 | Method, device, computer equipment and readable storage medium for detecting entity abnormity |
CN112926611A (en) * | 2019-12-06 | 2021-06-08 | 京东数字科技控股有限公司 | Feature extraction method, device and computer-readable storage medium |
US11032301B2 (en) | 2017-05-31 | 2021-06-08 | Fortinet, Inc. | Forensic analysis |
CN113010884A (en) * | 2021-02-23 | 2021-06-22 | 重庆邮电大学 | Real-time feature filtering method in intrusion detection system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101329734A (en) * | 2008-07-31 | 2008-12-24 | 重庆大学 | License plate character recognition method based on K-L transform and LS-SVM |
WO2010076832A1 (en) * | 2008-12-31 | 2010-07-08 | Telecom Italia S.P.A. | Anomaly detection for packet-based networks |
2011
- 2011-12-14 CN CN2011104186326A patent/CN102420723A/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101329734A (en) * | 2008-07-31 | 2008-12-24 | 重庆大学 | License plate character recognition method based on K-L transform and LS-SVM |
WO2010076832A1 (en) * | 2008-12-31 | 2010-07-08 | Telecom Italia S.P.A. | Anomaly detection for packet-based networks |
Non-Patent Citations (4)
Title |
---|
Rung-Ching Chen et al.: "Using Rough Set and Support Vector Machine for Network Intrusion Detection", International Journal of Network Security & Its Applications, vol. 1, no. 1, 30 April 2009 (2009-04-30), pages 1 - 13 * |
张义荣 et al.: "A support vector anomaly intrusion detection method based on rough set attribute reduction", Computer Science, vol. 33, no. 6, 30 December 2006 (2006-12-30), pages 64 - 67 * |
杨光 et al.: "Research on a network intrusion detection algorithm based on RS and WSVM", Computer Simulation, vol. 28, no. 5, 31 May 2011 (2011-05-31), pages 175 - 178 * |
段丹青 et al.: "Intrusion detection using rough sets and support vector machines", Journal of Chinese Computer Systems, vol. 29, no. 4, 30 April 2008 (2008-04-30), pages 627 - 630 * |
Cited By (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102752287A (en) * | 2012-06-05 | 2012-10-24 | 广东智华计算机科技有限公司 | Detecting method of network intrusion detector |
CN102891852A (en) * | 2012-10-11 | 2013-01-23 | 中国人民解放军理工大学 | Message analysis-based protocol format automatic inferring method |
CN102891852B (en) * | 2012-10-11 | 2015-07-01 | 中国人民解放军理工大学 | Message analysis-based protocol format automatic inferring method |
US9806936B2 (en) | 2012-11-26 | 2017-10-31 | Tencent Technology (Shenzhen) Company Limited | Method, apparatus, and system for controlling a computer device through a mobile terminal |
CN103067300A (en) * | 2013-01-09 | 2013-04-24 | 清华大学 | Automation feature digging method of network flow |
CN103067300B (en) * | 2013-01-09 | 2016-04-20 | 清华大学 | Network traffics automation feature mining method |
CN103532940A (en) * | 2013-09-30 | 2014-01-22 | 广东电网公司电力调度控制中心 | Network security detection method and device |
CN105704103B (en) * | 2014-11-26 | 2017-05-10 | 中国科学院沈阳自动化研究所 | Modbus TCP communication behavior abnormity detection method based on OCSVM double-contour model |
US10261502B2 (en) | 2014-11-26 | 2019-04-16 | Shenyang Institute Of Automation, Chinese Academy Of Sciences | Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model |
CN105704103A (en) * | 2014-11-26 | 2016-06-22 | 中国科学院沈阳自动化研究所 | Modbus TCP communication behavior abnormity detection method based on OCSVM double-contour model |
US10652255B2 (en) | 2015-03-18 | 2020-05-12 | Fortinet, Inc. | Forensic analysis |
CN104935567A (en) * | 2015-04-20 | 2015-09-23 | 中国电子科技集团公司第二十九研究所 | Unknown protocol message format deduction method |
CN104935567B (en) * | 2015-04-20 | 2017-11-03 | 中国电子科技集团公司第二十九研究所 | A kind of unknown protocol message format estimating method |
CN105095492B (en) * | 2015-08-19 | 2018-09-04 | 北京京东尚科信息技术有限公司 | A kind of data processing method and device |
CN105095492A (en) * | 2015-08-19 | 2015-11-25 | 北京京东尚科信息技术有限公司 | Data processing method and device |
CN105245498A (en) * | 2015-08-28 | 2016-01-13 | 中国航天科工集团第二研究院七〇六所 | Attack digging and detecting method based on rough set |
CN105681339A (en) * | 2016-03-07 | 2016-06-15 | 重庆邮电大学 | Incremental intrusion detection method fusing rough set theory and DS evidence theory |
CN105681339B (en) * | 2016-03-07 | 2018-11-06 | 重庆邮电大学 | A kind of increment type intrusion detection method of fusion rough set and DS evidence theories |
CN105897517A (en) * | 2016-06-20 | 2016-08-24 | 广东电网有限责任公司信息中心 | Network traffic abnormality detection method based on SVM (Support Vector Machine) |
CN106778252A (en) * | 2016-08-05 | 2017-05-31 | 南京理工大学 | Intrusion detection method based on rough set theory Yu WAODE algorithms |
CN106778252B (en) * | 2016-08-05 | 2020-04-10 | 南京理工大学 | Intrusion detection method based on rough set theory and WAODE algorithm |
CN106559416A (en) * | 2016-10-26 | 2017-04-05 | 华中科技大学 | A kind of wireless sense network intrusion detection method based on SVM |
CN106992965A (en) * | 2017-02-27 | 2017-07-28 | 南京邮电大学 | A kind of Trojan detecting method based on network behavior |
CN108737332A (en) * | 2017-04-17 | 2018-11-02 | 南京邮电大学 | A kind of man-in-the-middle attack prediction technique based on machine learning |
US11032301B2 (en) | 2017-05-31 | 2021-06-08 | Fortinet, Inc. | Forensic analysis |
CN108259482B (en) * | 2018-01-04 | 2019-05-28 | 平安科技(深圳)有限公司 | Network Abnormal data detection method, device, computer equipment and storage medium |
CN108259482A (en) * | 2018-01-04 | 2018-07-06 | 平安科技(深圳)有限公司 | Network Abnormal data detection method, device, computer equipment and storage medium |
CN108875365A (en) * | 2018-04-22 | 2018-11-23 | 北京光宇之勋科技有限公司 | A kind of intrusion detection method and intrusion detection detection device |
CN108875365B (en) * | 2018-04-22 | 2023-04-07 | 湖南省金盾信息安全等级保护评估中心有限公司 | Intrusion detection method and intrusion detection device |
CN109413016A (en) * | 2018-04-28 | 2019-03-01 | 武汉思普崚技术有限公司 | A kind of rule-based message detecting method and device |
CN108769079A (en) * | 2018-07-09 | 2018-11-06 | 四川大学 | A kind of Web Intrusion Detection Techniques based on machine learning |
CN109274698A (en) * | 2018-11-26 | 2019-01-25 | 杭州安恒信息技术股份有限公司 | A kind of HTTP accesses recognition methods and the device of behavior |
CN109818961A (en) * | 2019-01-30 | 2019-05-28 | 广东工业大学 | A kind of network inbreak detection method, device and equipment |
CN109981583A (en) * | 2019-02-26 | 2019-07-05 | 重庆邮电大学 | A kind of industry control network method for situation assessment |
CN109981583B (en) * | 2019-02-26 | 2021-09-24 | 重庆邮电大学 | Industrial control network situation assessment method |
CN110943973A (en) * | 2019-11-01 | 2020-03-31 | 华为技术有限公司 | Data flow classification method and device and model training method and device |
CN112926611A (en) * | 2019-12-06 | 2021-06-08 | 京东数字科技控股有限公司 | Feature extraction method, device and computer-readable storage medium |
CN111061779A (en) * | 2019-12-16 | 2020-04-24 | 延安大学 | Data processing method and device based on big data platform |
CN111431863A (en) * | 2020-02-28 | 2020-07-17 | 电子科技大学 | Host intrusion detection method based on relational network |
CN112671791A (en) * | 2020-12-30 | 2021-04-16 | 网神信息技术(北京)股份有限公司 | Method, device, computer equipment and readable storage medium for detecting entity abnormity |
CN112671791B (en) * | 2020-12-30 | 2022-07-29 | 奇安信网神信息技术(北京)股份有限公司 | Method, device, computer equipment and readable storage medium for detecting entity abnormity |
CN113010884A (en) * | 2021-02-23 | 2021-06-22 | 重庆邮电大学 | Real-time feature filtering method in intrusion detection system |
CN113010884B (en) * | 2021-02-23 | 2022-08-26 | 重庆邮电大学 | Real-time feature filtering method in intrusion detection system |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN102420723A (en) | Anomaly detection method for various kinds of intrusion | |
CN112398779B (en) | Network traffic data analysis method and system | |
Ektefa et al. | Intrusion detection using data mining techniques | |
Tesfahun et al. | Intrusion detection using random forests classifier with SMOTE and feature reduction | |
Robinson et al. | Ranking of machine learning algorithms based on the performance in classifying DDoS attacks | |
CN112738015A (en) | Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection | |
CN107370752B (en) | Efficient remote control Trojan detection method | |
CN110808945A (en) | Network intrusion detection method in small sample scene based on meta-learning | |
Krishnaveni et al. | Ensemble approach for network threat detection and classification on cloud computing | |
CN107483451B (en) | Method and system for processing network security data based on serial-parallel structure and social network | |
CN109639734B (en) | Abnormal flow detection method with computing resource adaptivity | |
CN108199863A (en) | A kind of net flow assorted method and system based on the study of two benches sequence signature | |
CN111523588B (en) | Method for classifying APT attack malicious software traffic based on improved LSTM | |
Iqbal et al. | A classification framework to detect DoS attacks | |
Kong et al. | Identification of abnormal network traffic using support vector machine | |
CN111145027A (en) | Suspected money laundering transaction identification method and device | |
CN113904795A (en) | Rapid and accurate flow detection method based on network security probe | |
Feng et al. | BotFlowMon: Learning-based, content-agnostic identification of social bot traffic flows | |
Silva et al. | A statistical analysis of intrinsic bias of network security datasets for training machine learning mechanisms | |
CN1223941C (en) | Hierarchial invasion detection system based on related characteristic cluster | |
Yao et al. | Network anomaly detection using random forests and entropy of traffic features | |
CN105429817A (en) | Illegal business identification device and illegal business identification method based on DPI and DFI | |
CN112884121A (en) | Traffic identification method based on generation of confrontation deep convolutional network | |
CN116915450A (en) | Topology pruning optimization method based on multi-step network attack recognition and scene reconstruction | |
CN1612135A (en) | Invasion detection (protection) product and firewall product protocol identifying technology |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20120418 |