CN102457525A - Load-based anomaly intrusion detection method and system - Google Patents
Abstract
The invention discloses a load-based (payload-based) anomaly intrusion detection method in the technical field of computer network security. During detection, the payload of the packet under test is partitioned into blocks with the CPP algorithm and features are extracted only from the first N blocks, which reduces the amount of data processed, raises detection speed and makes the method better suited to monitoring high-speed networks. The normal communication profile is built with a multiple classifier system, which improves detection accuracy. The invention also discloses a load-based anomaly intrusion detection system comprising a CPP-based load partitioning module, a feature extraction module, a detection module and a response module. Compared with the prior art, the method can quickly detect anomalous intrusions on high-speed networks.
Description
Technical field
The present invention relates to an anomaly intrusion detection method, and more particularly to a load-based (payload-based) anomaly intrusion detection method and system, in the technical field of computer network security.
Background technology
In recent years, with the continuous development of computer technology and the growing size of networks, intrusions have become an increasingly serious threat to the security of computer systems and networks. An intrusion is a deliberate attempt to access information without authorization, to tamper with information, or to make a system unreliable or unusable. As intrusion methods become more diverse and more sophisticated, traditional static security technologies such as firewalls and data encryption can no longer meet the security requirements of systems and networks.
Intrusion detection, as an important dynamic security technology, compensates well for the shortcomings of static security technology. It is broadly divided into two classes: misuse detection and anomaly intrusion detection. Misuse detection detects intrusions using known attack patterns against vulnerabilities of systems and application software. Because it relies mainly on known system defects and intrusions, it can detect known intrusions accurately but cannot detect attacks unknown to the system. Anomaly intrusion detection detects intrusions from abnormal behaviour and abnormal use of computer resources. It attempts to describe acceptable behaviour quantitatively so as to distinguish abnormal, potentially intrusive behaviour. This approach can detect unknown intrusions, but because the description of acceptable behaviour may deviate considerably from actual conditions, its detection accuracy is not high.
Research has shown that an excessive false alarm rate is the real limiting factor of anomaly intrusion detection. A payload-based anomaly intrusion detection system can accurately detect network attacks whose malicious data is carried in the packet payload, but anomaly detection on packet payloads often faces one problem: the payload is sometimes very large, for example for packets on port 21 and port 80. If 100% of the payload is modelled, the resulting anomaly intrusion detection system is hard to adapt to monitoring high-speed networks.
Payload-based anomaly intrusion detection is a new intrusion detection method developed recently, and some progress has been made. Wang and Stolfo proposed PAYL, a payload-based network anomaly intrusion detection system. PAYL uses as features the occurrence frequency of byte sequences in the payload (in its basic form, of single bytes) and builds a normal communication profile for packets of each different length. The PAYL normal profile is the mean and standard deviation of these occurrence frequencies; at detection time, if the simplified Mahalanobis distance of the packet under test exceeds a threshold, the packet is judged anomalous. PAYL can effectively detect a variety of attacks. Perdisci, Lee et al. proposed McPAD, a scheme that improves the detection rate of payload-based anomaly detection with a multiple classifier system (MCS). McPAD uses several one-class classifiers to build the normal communication profile so as to raise detection accuracy. At detection time, feature extraction yields descriptions of the same packet in different feature spaces; each description is fed to the one-class classifier representing the normal communication profile in that space, and the outputs of the classifiers are finally combined to decide whether the packet is anomalous. Experiments show that McPAD achieves a very high detection rate at a low false alarm rate for network attacks carrying malicious data in the payload, and also a high detection rate at a low false alarm rate for advanced attacks such as polymorphic blending attacks. Zhang et al. proposed improving PAYL and McPAD with a noise-resistant fuzzy support vector machine, mainly to address the relatively low accuracy of McPAD when detecting polymorphic blending attacks, and obtained better detection results. However, none of the above payload-based anomaly detection systems detects effectively when monitoring high-speed, high-bandwidth networks with large packet payloads.
The content of the invention
The technical problem to be solved by the invention is to overcome the shortcoming that existing payload-based anomaly intrusion detection methods are hard to use for fast detection of packets on high-speed networks, and to provide a payload-based anomaly intrusion detection method that can detect packets on high-speed networks quickly while ensuring detection accuracy.
The invention solves the above technical problem with the following technical scheme:
A load-based anomaly intrusion detection method, comprising the following steps:
Step A: train in advance to obtain the normal communication profile;
Step B: perform feature extraction on the packet to be detected;
Step C: using the normal communication profile, detect according to the features of the packet under test and judge whether it is an anomalous packet;
When training the normal communication profile, the training packets are first partitioned into blocks with the CPP algorithm; features are then extracted only from the first N blocks; the normal communication profile is then trained on the extracted feature samples;
Before feature extraction on a packet to be detected, the packet is first partitioned with the CPP algorithm, and features are then extracted only from the first N blocks;
where N is an integer smaller than the total number of blocks of the packet.
Further, the feature extraction uses the following method: for a set of varying integer values v, compute the occurrence frequency in the packet payload of pairs of bytes separated by v bytes, obtaining features of the packet in multiple feature spaces, one feature space per value of v. The normal communication profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each trained in its own feature space.
Further, each one-class classifier is trained as follows: the feature samples extracted in the feature space corresponding to that classifier are first clustered; in each cluster, the feature samples nearer the cluster centre are then selected; the selected feature samples form the training set on which the one-class classifier is trained.
Preferably, the selection of the feature samples nearer the cluster centre in each cluster is performed as follows: judge whether the number of samples in the cluster exceeds a preset threshold; if so, select the larger preset number of samples nearest the centre of the cluster; if not, select the smaller preset number of samples nearest the centre; both numbers are preset integers.
The invention also provides a load-based anomaly intrusion detection system, comprising:
a CPP-based load partitioning module, which partitions the packet to be detected into blocks with the CPP algorithm and passes the first N blocks to the feature extraction module, where N is an integer smaller than the total number of blocks of the packet;
a feature extraction module, which extracts features from the first N blocks of the partitioned packet and sends them to the detection module; the feature extraction uses the following method: for a set of varying integer values v, compute the occurrence frequency in the packet payload of pairs of bytes separated by v bytes, obtaining features of the packet in multiple feature spaces, one feature space per value of v;
a detection module, which classifies the packet to be detected from the extracted features using the normal communication profile trained in advance; if the packet is classified as anomalous it is sent to the response module, otherwise detection proceeds to the next packet; the normal communication profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each trained in its own feature space; each one-class classifier is trained as follows: the feature samples extracted in the corresponding feature space are first clustered; in each cluster, the feature samples nearer the cluster centre are then selected; the selected feature samples form the training set on which the one-class classifier is trained;
a response module, which responds to packets judged anomalous by the detection module by recording the packet's information and raising an alarm.
Compared with the prior art, the invention has the following advantages:
Because packets are partitioned with the CPP algorithm and only part of the payload is used for detection, the amount of data processed is reduced, detection speed is improved, and the method adapts better to monitoring high-speed networks; at the same time, because the normal communication profile is built with a multiple classifier system, detection accuracy is improved.
Brief description of the drawings
Fig. 1 is a structural diagram of the anomaly intrusion detection system of the invention;
Fig. 2 is a flow chart of the CPP algorithm;
Fig. 3 shows the structure of the normal communication profile of the invention;
Fig. 4 is a flow chart of the improved ISUC algorithm.
Detailed description
The technical scheme is described in detail below with reference to the drawings:
The load-based anomaly intrusion detection system of the invention, as shown in Fig. 1, comprises:
a CPP-based load partitioning module, which partitions the packet to be detected into blocks with the CPP algorithm and passes the first N blocks to the feature extraction module, where N is an integer smaller than the total number of blocks of the packet;
a feature extraction module, which extracts features from the first N blocks of the partitioned packet and sends them to the detection module; the feature extraction uses the following method: for a set of varying integer values v, compute the occurrence frequency in the packet payload of pairs of bytes separated by v bytes, obtaining features of the packet in multiple feature spaces, one feature space per value of v;
a detection module, which classifies the packet to be detected from the extracted features using the normal communication profile trained in advance; if the packet is classified as anomalous it is sent to the response module, otherwise detection proceeds to the next packet; the normal communication profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each trained in its own feature space; each one-class classifier is trained as follows: the feature samples extracted in the corresponding feature space are first clustered; in each cluster, the feature samples nearer the cluster centre are then selected; the selected feature samples form the training set on which the one-class classifier is trained;
a response module, which responds to packets judged anomalous by the detection module by recording the packet's information and raising an alarm.
The anomaly detection method of the invention is further described below with reference to the above system.
CPP-based load partitioning module: the purpose of partitioning is to reduce the data volume handled by the feature extraction stage; once the payload has been partitioned, features can be extracted from only some of the blocks. The invention partitions packets with the CPP algorithm. CPP is prior art; for details see the document (Athicha Muthitacharoen, Benjie Chen and David Mazieres. A low-bandwidth network file system. Symposium on Operating Systems Principles, 2001, 174-187.); its flow is as shown in Figure 4. CPP determines block boundaries from the content of the payload, using Rabin fingerprinting to decide where a block ends. Over a sliding window of a fixed number of bytes, CPP computes a series of Rabin fingerprints, starting at the beginning of the payload and then sliding one byte towards the tail of the payload each time to compute the next fingerprint. When the fingerprint value meets the preset stopping criterion, the current block is judged to end and computation of the next block begins. The process can be described as follows: given a byte sequence, the Rabin fingerprint of a fixed-length subsequence of it can be computed by formula (1):
The constants in the formula are fixed; the length of the sliding window has to be found experimentally, and in the method of the invention a window length of 32 gives good results. When the fingerprint value falls within 550 ~ 600 (the chosen stopping criterion), the current block is terminated and a new block is started; otherwise the current byte is added to the current block and the window slides one byte further to compute a new Rabin fingerprint.
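The partitioning step above, written out as an added Python example (this is not the patent's code): a rolling polynomial fingerprint over a 32-byte window, a block boundary whenever the fingerprint value falls in 550..600, and only the first N blocks kept for feature extraction. The polynomial base and modulus are assumed constants, since the page does not give them.

```python
import random

WINDOW = 32                  # sliding-window length the patent found to work best
STOP_LO, STOP_HI = 550, 600  # stopping criterion: a fingerprint in this range ends a block
BASE = 257                   # assumed polynomial base (constant not given on the page)
MOD = 8191                   # assumed modulus, 2**13 - 1 (constant not given on the page)


def rabin_fingerprint(window: bytes) -> int:
    """Polynomial fingerprint of one window, computed from scratch."""
    fp = 0
    for b in window:
        fp = (fp * BASE + b) % MOD
    return fp


def cpp_chunk(payload: bytes) -> list:
    """Content-defined partitioning of a payload into blocks.

    The window starts at the beginning of the payload and slides one byte at a
    time towards its tail; the fingerprint is updated incrementally (the byte
    leaving the window is removed, the byte entering it is added).  Whenever the
    fingerprint lands in [STOP_LO, STOP_HI] the current block ends at the
    window's last byte and the next block starts.  Whatever is left after the
    last boundary becomes the final block.
    """
    n = len(payload)
    if n <= WINDOW:
        return [payload] if payload else []
    blocks = []
    start = 0
    top_power = pow(BASE, WINDOW - 1, MOD)  # weight of the byte leaving the window
    fp = rabin_fingerprint(payload[:WINDOW])
    end = WINDOW                            # window covers payload[end - WINDOW:end]
    while True:
        if STOP_LO <= fp <= STOP_HI:
            blocks.append(payload[start:end])
            start = end
        if end == n:
            break
        leaving = payload[end - WINDOW]
        entering = payload[end]
        fp = ((fp - leaving * top_power) * BASE + entering) % MOD
        end += 1
    if start < n:
        blocks.append(payload[start:])
    return blocks


def first_n_blocks(payload: bytes, n_blocks: int) -> list:
    """Only the first N blocks go on to feature extraction (N below the block count)."""
    return cpp_chunk(payload)[:n_blocks]


def block_boundaries(blocks) -> list:
    """Cumulative end offsets of the blocks, useful for checking the stopping criterion."""
    ends, pos = [], 0
    for blk in blocks:
        pos += len(blk)
        ends.append(pos)
    return ends


# Constructed sample payload: 4096 pseudo-random bytes from a fixed seed, not real traffic.
_rng = random.Random(7)
SAMPLE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    blocks = cpp_chunk(SAMPLE_PAYLOAD)
    print(len(blocks), "blocks; first sizes:", [len(b) for b in blocks[:8]])
    kept = first_n_blocks(SAMPLE_PAYLOAD, 3)
    print("first 3 blocks cover", sum(len(b) for b in kept), "of", len(SAMPLE_PAYLOAD), "bytes")
```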
Feature extraction module: once the first N blocks have been obtained from the CPP-based load partitioning module, feature extraction is carried out. The feature extraction method computes, in the payload, the occurrence frequency of pairs of bytes separated by v bytes (v = 0, 1, 2, ...). The distributions obtained for different values of v give different structural information about a packet; by merging the information extracted with different values of v, we can reconstruct (or partially reconstruct) the information that would be extracted directly from longer byte patterns. For a fixed value of v, the occurrence frequency is computed with a sliding window whose first and last bytes form the pair and whose v intervening bytes are ignored, i.e. treated as blanks. Given a packet payload in which each position holds a byte value, the occurrence frequency in the payload of one window-length byte sequence can be computed by formula (2):
In it, the occurrence count of the sequence is obtained with the sliding window, and the normaliser is the total number of positions the window slides over the payload; the ratio can be regarded as an estimate of the probability of finding that sequence in the payload. The occurrence frequency of a byte pair can then be computed by formula (3):
Formula (3) can be explained as follows: the occurrence frequency in the payload of a pair of bytes separated by v bytes is the sum of the occurrence frequencies of all window-length sequences that start with the first byte of the pair and end with the second. Different values of v yield descriptions of a packet in different feature spaces; if several values of v are used, descriptions of the packet in as many feature spaces, i.e. features in as many feature spaces, are obtained.
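The feature extraction above, as an added Python example that is not the patent's code: pair counts for bytes v positions apart, normalised by the number of window positions, plus the relation behind formula (3), in which the pair frequency equals the summed frequencies of all window-length sequences with that first and last byte. The sample payload is constructed.

```python
from collections import Counter
from typing import Dict, Tuple

Pair = Tuple[int, int]


def pair_counts(payload: bytes, v: int) -> Counter:
    """Counts of byte pairs (first, last) separated by v bytes: the first and last
    byte of a sliding window of length v + 2, with the v bytes in between ignored."""
    width = v + 2
    counts: Counter = Counter()
    for i in range(len(payload) - width + 1):
        counts[(payload[i], payload[i + v + 1])] += 1
    return counts


def pair_frequencies(payload: bytes, v: int) -> Dict[Pair, float]:
    """Normalise by the number of positions the window slides over, giving an estimate
    of the probability of finding each pair; this is one feature space for one v."""
    positions = len(payload) - (v + 2) + 1
    if positions <= 0:
        return {}
    return {pair: c / positions for pair, c in pair_counts(payload, v).items()}


def gram_frequencies(payload: bytes, n: int) -> Dict[bytes, float]:
    """Frequencies of full length-n byte sequences over the same window positions."""
    positions = len(payload) - n + 1
    if positions <= 0:
        return {}
    counts = Counter(payload[i:i + n] for i in range(positions))
    return {g: c / positions for g, c in counts.items()}


def pair_frequency_from_grams(payload: bytes, v: int, first: int, last: int) -> float:
    """Formula (3) as the page explains it: the frequency of (first, last) at distance v
    is the sum of the frequencies of every length-(v + 2) sequence that starts with
    `first` and ends with `last`."""
    return sum(freq for g, freq in gram_frequencies(payload, v + 2).items()
               if g[0] == first and g[-1] == last)


def multi_space_features(payload: bytes, vs=(0, 1, 2, 3)) -> Dict[int, Dict[Pair, float]]:
    """One feature space per value of v; in the system the payload passed in would be
    the concatenation of the first N CPP blocks, not the whole packet."""
    return {v: pair_frequencies(payload, v) for v in vs}


# Constructed sample payload (a made-up HTTP request line), not captured traffic.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for v, space in multi_space_features(SAMPLE).items():
        top = sorted(space.items(), key=lambda kv: -kv[1])[:3]
        print(f"v={v}: {len(space)} distinct pairs, most frequent {top}")
```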
Detection module: it classifies the packet to be detected from the features extracted by the feature extraction module, using the normal communication profile trained in advance; if the packet is classified as anomalous it is sent to the response module, otherwise detection proceeds to the next packet. The normal communication profile of the invention uses a multiple classifier system. When the fused classifiers are "diverse", the multiple classifier system gains accuracy. One way to generate diversity is to base each classifier of the system on descriptions of the pattern in different feature spaces. In the invention the descriptions of a packet in different feature spaces, i.e. the feature extraction, are obtained with the method above. After feature extraction, the different values of v (assuming a given number of distinct values) yield as many different feature spaces describing the same packet; a one-class classifier is trained on each feature space, in this embodiment a support vector machine (SVM), giving a normal communication profile described in as many different feature spaces, as shown in Fig. 3. Each one-class classifier in the multi-classifier is trained with the improved ISUC algorithm. The improvements of the invention to the ISUC algorithm (see Li Xiaoli, Liu Jimin, Shi Zhongzhi. A Chinese web page classifier combining support vector machines with unsupervised clustering. Chinese Journal of Computers, 2001, 24(1): 62-68.) are mainly in two aspects: (1) detection with two classifiers is abandoned and the normal communication profile is built only with a one-class SVM, because a higher false alarm rate is unacceptable in anomaly intrusion detection, so the UC classification with lower accuracy is dropped. (2) The training samples are clustered with a clustering algorithm such as k-means, CURE or fuzzy k-means (in this embodiment the UC algorithm is used); training samples are then selected using the cluster centres, choosing in each cluster the samples nearer the cluster centre to train the one-class SVM, with the following selection rule: samples nearer the cluster centre are selected for training; cluster size is taken into account at the same time, and the number of samples picked from each cluster is adjusted according to its size, larger clusters contributing more samples and smaller clusters fewer. Specifically, the selection of the feature samples nearer the cluster centre in each cluster is performed as follows: judge whether the number of samples in the cluster exceeds a preset threshold; if so, select the larger preset number of samples nearest the centre of the cluster; if not, select the smaller preset number of samples nearest the centre; both numbers are preset integers. It is of course also possible to use the simpler approach that ignores cluster size and selects the same number of near-centre feature samples from every cluster. As shown in Fig. 4, the improved ISUC algorithm of the invention proceeds as follows:
Step 2. If […], go to Step 6, where […] is the number of cluster centres obtained by clustering.
Step 3. In cluster […], find all samples nearer to the cluster centre: if the number of samples in the cluster exceeds […] (the specified standard for judging a larger cluster), the criterion for a sample being near the centre is […]; otherwise the criterion is […], where […].
The detection process is specifically: the features extracted in the feature spaces for the different values of v are given to the corresponding one-class SVMs in the normal communication profile (the profile trained in the different feature spaces) for classification, and finally the classification results of the multiple one-class classifiers are fused to make the final judgement of whether the packet is anomalous.
Response module: it responds to packets judged anomalous by the detection module by recording the packet's information and raising an alarm.
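The size-aware training-sample selection and the per-space fusion described in the detection module above, as an added Python example that is not the patent's code. The one-class SVM is replaced by a centroid-and-radius stand-in so the block runs without a learning library, the majority-vote fusion is an assumption (the page does not fix a fusion rule), and the 2-D vectors are constructed placeholders for the pair-frequency features.

```python
import math
from typing import Dict, List, Sequence

Vector = Sequence[float]


def distance(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centre(points: List[Vector]) -> List[float]:
    dim = len(points[0])
    return [sum(p[d] for p in points) / len(points) for d in range(dim)]


def select_near_centre(cluster: List[Vector], size_threshold: int,
                       big_count: int, small_count: int) -> List[Vector]:
    """Selection rule from the page: a cluster with more than `size_threshold`
    samples contributes its `big_count` samples nearest the centre, a smaller
    cluster only its `small_count` nearest (big_count > small_count)."""
    c = centre(cluster)
    keep = big_count if len(cluster) > size_threshold else small_count
    return sorted(cluster, key=lambda p: distance(p, c))[:keep]


def select_training_set(clusters: List[List[Vector]], size_threshold: int,
                        big_count: int, small_count: int) -> List[Vector]:
    """Training set for one one-class classifier: near-centre samples of every cluster."""
    chosen: List[Vector] = []
    for cl in clusters:
        chosen.extend(select_near_centre(cl, size_threshold, big_count, small_count))
    return chosen


class CentroidProfile:
    """Stand-in for the one-class SVM (assumed simplification): a sample is normal
    if it lies within `slack` times the largest training radius of the centroid."""

    def __init__(self, samples: List[Vector], slack: float = 1.5):
        self.centre = centre(samples)
        self.radius = max(distance(s, self.centre) for s in samples) * slack

    def is_normal(self, x: Vector) -> bool:
        return distance(x, self.centre) <= self.radius


def train_profile(clusters_per_space: Dict[int, List[List[Vector]]],
                  size_threshold: int = 4, big_count: int = 3,
                  small_count: int = 2) -> Dict[int, CentroidProfile]:
    """Normal communication profile: one one-class model per feature space (per v),
    each trained on the near-centre samples selected in that space."""
    return {v: CentroidProfile(select_training_set(cls, size_threshold, big_count, small_count))
            for v, cls in clusters_per_space.items()}


def classify(profile: Dict[int, CentroidProfile],
             features_per_space: Dict[int, Vector]) -> bool:
    """Fuse the per-space verdicts by majority vote (assumed rule). True means normal."""
    votes = [profile[v].is_normal(features_per_space[v]) for v in profile]
    return sum(votes) * 2 >= len(votes)


# Constructed clusters: one "large" (6 samples) and one "small" (3 samples).
BIG_CLUSTER = [(0, 0), (1, 0), (0, 1), (-1, 0), (0, -1), (3, 3)]
SMALL_CLUSTER = [(10, 10), (11, 10), (10, 13)]

if __name__ == "__main__":
    print("large cluster keeps", select_near_centre(BIG_CLUSTER, 4, 3, 2))
    print("small cluster keeps", select_near_centre(SMALL_CLUSTER, 4, 3, 2))
    prof = train_profile({0: [BIG_CLUSTER, SMALL_CLUSTER], 1: [BIG_CLUSTER, SMALL_CLUSTER]})
    print("normal?", classify(prof, {0: (0.4, 0.6), 1: (10.5, 10.5)}))
    print("normal?", classify(prof, {0: (50, 50), 1: (60, -60)}))
```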
Claims (6)
1. A load-based anomaly intrusion detection method, comprising the following steps: Step A, train in advance to obtain the normal communication profile; Step B, perform feature extraction on the packet to be detected; Step C, using the normal communication profile, detect according to the features of the packet under test and judge whether it is an anomalous packet; characterized in that
when training the normal communication profile, the training packets are first partitioned into blocks with the CPP algorithm; features are then extracted only from the first N blocks; the normal communication profile is then trained on the extracted feature samples;
before feature extraction on a packet to be detected, the packet is first partitioned with the CPP algorithm, and features are then extracted only from the first N blocks;
where N is an integer smaller than the total number of blocks of the packet.
2. The load-based anomaly intrusion detection method of claim 1, characterized in that the feature extraction uses the following method: for a set of varying integer values v, compute the occurrence frequency in the packet payload of pairs of bytes separated by v bytes, obtaining features of the packet in multiple feature spaces, one feature space per value of v; the normal communication profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each trained in its own feature space.
3. The load-based anomaly intrusion detection method of claim 2, characterized in that each one-class classifier is trained as follows: the feature samples extracted in the feature space corresponding to that classifier are first clustered; in each cluster, the feature samples nearer the cluster centre are then selected; the selected feature samples form the training set on which the one-class classifier is trained.
4. The load-based anomaly intrusion detection method of claim 3, characterized in that the selection of the feature samples nearer the cluster centre in each cluster is performed as follows: judge whether the number of samples in the cluster exceeds a preset threshold; if so, select the larger preset number of samples nearest the centre of the cluster; if not, select the smaller preset number of samples nearest the centre; both numbers are preset integers.
5. The load-based anomaly intrusion detection method of any one of claims 1-4, characterized in that when partitioning a packet with the CPP algorithm, the length of the sliding window is 32.
6. A load-based anomaly intrusion detection system, characterized in that the system comprises:
a CPP-based load partitioning module, which partitions the packet to be detected into blocks with the CPP algorithm and passes the first N blocks to the feature extraction module, where N is an integer smaller than the total number of blocks of the packet;
a feature extraction module, which extracts features from the first N blocks of the partitioned packet and sends them to the detection module; the feature extraction uses the following method: for a set of varying integer values v, compute the occurrence frequency in the packet payload of pairs of bytes separated by v bytes, obtaining features of the packet in multiple feature spaces, one feature space per value of v;
a detection module, which classifies the packet to be detected from the extracted features using the normal communication profile trained in advance; if the packet is classified as anomalous it is sent to the response module, otherwise detection proceeds to the next packet; the normal communication profile consists of several one-class classifiers in one-to-one correspondence with the feature spaces, each trained in its own feature space; each one-class classifier is trained as follows: the feature samples extracted in the corresponding feature space are first clustered; in each cluster, the feature samples nearer the cluster centre are then selected; the selected feature samples form the training set on which the one-class classifier is trained;
a response module, which responds to packets judged anomalous by the detection module by recording the packet's information and raising an alarm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011104246134A CN102457525A (en) | 2011-12-19 | 2011-12-19 | Load-based anomaly intrusion detection method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102457525A true CN102457525A (en) | 2012-05-16 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101789885A (en) * | 2009-01-23 | 2010-07-28 | 英业达股份有限公司 | Network intrusion detection system |
CN102201948A (en) * | 2011-05-27 | 2011-09-28 | 北方工业大学 | Quick matching method for network intrusion detection system |
2011-12-19: application CN2011104246134A filed in China (publication CN102457525A); status: withdrawn.
Non-Patent Citations (2)
Title |
---|
ATHICHA MUTHITACHAROEN et al.: "A Low-bandwidth Network File System", SOSP '01 Proceedings of the Eighteenth ACM Symposium on Operating Systems Principles, 31 December 2001, pages 174-187 |
ROBERTO PERDISCI et al.: "McPAD: A multiple classifier system for accurate payload-based anomaly detection", Computer Networks, vol. 53, no. 6, 31 December 2009, pages 864-881 |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103490992A (en) * | 2013-10-10 | 2014-01-01 | 沈阳航空航天大学 | Instant messaging worm detection method |
CN103490992B (en) * | 2013-10-10 | 2016-10-19 | 沈阳航空航天大学 | Instant messaging Worm detection method |
CN106452829A (en) * | 2016-01-21 | 2017-02-22 | 华南师范大学 | Intelligent operation and maintenance method and system for cloud computation center based on BCC-KNN |
CN106452829B (en) * | 2016-01-21 | 2019-07-19 | 华南师范大学 | A kind of cloud computing center intelligence O&M method and system based on BCC-KNN |
CN110351220A (en) * | 2018-04-02 | 2019-10-18 | 蓝盾信息安全技术有限公司 | One kind realizing gateway efficient data scanning technique based on packet filtering |
CN111294362A (en) * | 2020-03-16 | 2020-06-16 | 湖南大学 | LDoS attack real-time detection method based on fractal residual error |
CN113037553A (en) * | 2021-03-11 | 2021-06-25 | 湖南大学 | IEC102 protocol communication behavior abnormity detection method and system based on IA-SVM |
CN113516162A (en) * | 2021-04-26 | 2021-10-19 | 湖南大学 | OCSVM and K-means algorithm based industrial control system flow abnormity detection method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | Application publication date: 20120516 |