CN102571444A - Method for detecting network abnormality based on secondary negative selection - Google Patents
- Publication number: CN102571444A
- Authority: CN (China)
- Prior art keywords: detector, mature, network connection, connection data, negative selection
- Legal status: Granted
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a network anomaly detection method based on secondary negative selection, belonging to the technical field of information security. Simulating the immune tolerance process of a biological immune system, the method selects normal network connection data as the self (autologous) set, uses a secondary negative selection algorithm to perform tolerance training on randomly generated candidate detectors, removes the candidate detectors that fail tolerance against the detector set or against the self set to generate a mature detector set, generates authentication detectors by self clustering, detects the network connection data under test with the mature detector set, and finally confirms the detection results with the authentication detectors. The method mainly overcomes the defects of redundant detectors, low generation efficiency and a high false alarm rate; it effectively reduces the size of the generated mature detector set, improves the generation efficiency of mature detectors, keeps the detection rate stable, reduces the false alarm rate and safeguards network security, and therefore has broad application prospects.
Description
Technical field:
The present invention relates to a network anomaly detection technique and belongs to the field of information security technology.
Background technology:
With the spread and development of computer networks, the Internet has become an indispensable tool for study, work and daily life; at the same time, its openness has made viruses and network attacks a scourge of the Internet. Network attacks affect networks in many ways and cause harm that mainly includes: harm to computer and network resources, harm to normal services, and economic, political, social and cultural harm. At present, China's network infrastructure is comparatively backward, the demand for network security is all the more stringent and urgent, and the defenses against network attacks such as virus propagation and hacking are all the more fragile. Against this background, a tool that can effectively detect network intrusion behavior and maintain network security is urgently needed.
Network anomaly detection is an important intrusion detection technique: a network security measure that monitors network connection data to discover intrusion data, raises alarm signals and responds. Network anomaly detection first establishes a profile of the system's normal behavior; if the system's profile value exceeds the established range of normal values, an intrusion is taking place. In existing artificial-immunity-based network anomaly detection methods, such as patent publications CN1567810, CN1848765 and CN101478534, a negative selection algorithm (the process of training and generating detectors from normal network connection data) is used to train on antigen data and generate detectors; the detectors are produced by a single negative selection pass and are used directly in the network anomaly detection process. Applied to network anomaly detection, these methods have the following shortcomings:
(1) Too many detectors. Generating detectors with a single negative selection pass causes large numbers of candidate detectors to cover the non-self space (abnormal network connection data) redundantly, so the number of detectors needed to reach the same expected coverage increases significantly.
(2) Low detector generation efficiency. Because a single negative selection pass lets large numbers of candidate detectors cover the non-self space redundantly, many ineffective candidate detectors all go through the time-consuming self-tolerance process (the process of generating detectors that do not recognize normal network connection data), so detector generation is inefficient and detector coverage is poor.
(3) High false alarm rate. Because the approach lacks self-learning and adaptive ability, its false alarm rate is high when the detectors are used to examine network connection data.
The present invention proposes a network anomaly detection method based on secondary negative selection: the mature detector set used for anomaly detection of network connection data is generated by secondary negative selection, and authentication detectors generated by clustering the self set confirm the detection results to improve detection quality. The invention has the following advantages:
(1) The number of detectors is significantly reduced. Because the first negative selection performs tolerance against the mature detector set, candidate detectors that would duplicate existing coverage are removed directly, which effectively reduces the number of mature detectors generated.
(2) Detector generation efficiency is significantly improved. Because the first negative selection performs tolerance against the mature detector set, a large number of candidate detectors are spared self-tolerance against the self set, which significantly improves detector generation efficiency.
(3) The false alarm rate is significantly reduced. The detector generation method based on secondary negative selection significantly reduces the number of detectors, and reconfirming detection results with the authentication detectors generated by self clustering reduces the false alarm rate of detection.
Summary of the invention
The present invention proposes a network anomaly detection method based on secondary negative selection. Normal network connection data are selected as the self training set, the mature detector set used for network anomaly detection is generated by secondary negative selection, and authentication detectors generated by self clustering reconfirm the detection results. The specific steps are as follows:
1) collect normal network connection data as the self set;
2) quantize and normalize the network connection data;
3) perform the first negative selection, in which candidate detectors undergo tolerance against the mature detector set to generate semi-mature detectors;
4) perform the second negative selection, in which semi-mature detectors undergo tolerance against the self training set to generate mature detectors, which are added to the mature detector set;
5) cluster the self set with a partition-based method to generate authentication detectors;
6) detect the network connection data under test with the mature detector set;
7) reconfirm the detection results with the authentication detectors.
The invention mainly overcomes the shortcomings of prior-art artificial immune anomaly detection methods, namely too many generated detectors, low detector generation efficiency and a high false alarm rate. It effectively reduces the number of mature detectors generated, improves the generation efficiency of mature detectors and, while keeping the detection rate stable, further reduces the false alarm rate, safeguarding network security, and has broad application prospects.
Before the invention is set forth in detail, the following terms are defined:
(1) The antigen set
denotes all data samples in the network anomaly detection space;
is the data dimension.
(2) The self set
denotes all normal data samples in the antigen set; the non-self set
denotes all abnormal data samples in the antigen set; they satisfy
.
(3) The training set
denotes the prior knowledge for network anomaly detection; the radius of a self element in the training set is
, and the size of the training set is
.
(4) The detector set
denotes the set of mature detectors that the negative selection algorithm generates from the training set, where
denotes the detector radius and
denotes the size of the detector set.
(5) The estimated coverage
denotes the ratio of the number of sample points that fall within the mature detector set
in one sampling period to the total number of sample points, where
denotes the number of sample points and
denotes the number of times a sample falls within the mature detector set
in one sampling period.
Description of drawings
Fig. 1 is a schematic diagram of the working principle of the invention.
Fig. 2 shows the step of reading in the self set.
Fig. 3 shows the network connection data preprocessing step.
Fig. 4 shows the step in which the first negative selection produces semi-mature detectors.
Fig. 5 shows the step in which the second negative selection produces the mature detector set.
Fig. 6 shows the step of generating authentication detectors by self clustering.
Fig. 7 shows the step of detecting the network connection data under test with the mature detector set.
Fig. 8 shows the step of confirming detection results with the authentication detectors.
Embodiment
The specific method of the invention is described in detail below with reference to the drawings.
Fig. 1 is a schematic diagram of the working principle of the invention. The network anomaly detection method based on secondary negative selection proposed by the invention first selects normal network connection data as the self set for training, then generates the mature detector set through the secondary negative selection process and uses it to perform anomaly detection on the network connection data under test, and finally confirms the detection results with authentication detectors generated by self clustering. The invention is divided into two relatively independent stages. The first stage generates the mature detector set and the authentication detectors from the self set; it comprises the step of reading in the self set, the network connection data preprocessing step, the step in which the first negative selection produces semi-mature detectors, the step in which the second negative selection produces the mature detector set, and the step of generating authentication detectors by self clustering. The second stage performs anomaly detection on the network connection data under test using the mature detector set and the authentication detectors; it comprises the step of detecting the network connection data under test with the mature detector set and the step of confirming detection results with the authentication detectors.
Specifically, the network anomaly detection method based on secondary negative selection proposed by the invention comprises the following steps:
(1) step of reading in the self set;
(2) network connection data preprocessing step;
(3) step in which the first negative selection produces semi-mature detectors;
(4) step in which the second negative selection produces the mature detector set;
(5) step of generating authentication detectors by self clustering;
(6) step of detecting the network connection data under test with the mature detector set;
(7) step of confirming detection results with the authentication detectors.
Fig. 2 shows the step of reading in the self set. This step collects normal network connection packets as the self set for training, so that secondary negative selection can generate the mature detector set used for network anomaly detection and the authentication detectors used to confirm detection results. Taking the KDD99 data set as an example (KDD99 consists of 9 weeks of network connection and system audit data collected at MIT Lincoln Laboratory by DARPA, the advanced research agency of the U.S. Department of Defense, simulating various user types, network traffic and attack methods; it comprises 7 weeks of training data with more than 5,000,000 network connection records and 2 weeks of test data with 2,000,000 network connection records), some of the normal samples are selected from the data set as the self training set and undergo standardization such as format unification. The specific steps are as follows:
(1) Normal network connection packet collection step: network connection packets are collected with network sniffing software, and the normal network connection packets among them are selected;
(2) Network connection packet standardization step: the collected normal network connection packets undergo standardization such as unification of the data format.
Fig. 3 shows the network connection data preprocessing step. The normal network connection packet data collected in the step of reading in the self set are quantized and normalized. A network connection is defined as the sequence of TCP packets from start to end within a certain period of time, during which data are transferred from a source IP address to a destination IP address under a predefined protocol (such as TCP or UDP). Each network connection is labelled as normal (normal) or abnormal (attack); the abnormal types are subdivided into 4 major categories comprising 39 attack types in total, of which 22 attack types appear in the training set and the other 17 unknown attack types appear in the test set. Each network connection is represented by 41 data attributes, which express the different features of the corresponding attributes as text or as numerical values. The invention generates detectors and performs anomaly detection in a real-valued space, so the text and numerical data in the data set must be quantized and normalized. The specific steps are as follows:
(1) Network connection data quantization step: the text-feature dimensions of the data set are assigned different integer values according to their type, converting them into numerical features;
(2) Network connection data normalization step: the quantized network connection data are normalized dimension by dimension;
⑴
where
and
denote the value of the
k-th record in each dimension before and after normalization, respectively,
and
denote the minimum and maximum of the data in the corresponding dimension, respectively, and
denotes the number of network connection data records.
Fig. 4 shows the step in which the first negative selection produces semi-mature detectors. First, the normal network connection packets that have been quantized and normalized in the preprocessing step are selected as the self set; then candidate detectors are generated at random; finally, the first negative selection performs tolerance against the mature detector set to generate semi-mature detectors. The specific steps are as follows:
(1) Random candidate detector generation step: a random function is used to produce a candidate detector
, whose center point is represented in real-valued space as
;
(2) Step in which candidate detectors undergo tolerance against the mature detector set to generate semi-mature detectors, comprising the following steps:
1) Step of calculating the affinity between the candidate detector and the mature detectors: the Euclidean distance
between the detection center
of the candidate detector
and each mature detector
in the existing mature detector set
expresses its affinity with the mature detectors; the Euclidean distance is given by formula (2):
2) Step of judging whether the candidate detector is recognized by a current mature detector: formula (3) is used to judge whether the candidate detector
is recognized by the mature detector
; if the candidate detector is recognized by any mature detector, it is removed and a new candidate detector
is generated at random;
3) Step of judging whether the mature detector set is fully tolerated: if
does not satisfy formula (3) with any mature detector
, the candidate detector passes tolerance against the mature detector set and becomes a semi-mature detector
, which enters the second negative selection to undergo tolerance against the self training set and produce a mature detector
;
where
,
and
denote the candidate detector, the semi-mature detector and the mature detector, respectively;
denotes the detection radius of mature detector
, and
denotes the number of mature detectors.
Fig. 5 shows the step in which the second negative selection produces the mature detector set. First, the semi-mature detectors generated by the first negative selection undergo tolerance against the self set to generate mature detectors; then the mature detectors that pass tolerance are added to the detector set; finally, detector generation terminates when the estimated coverage reaches the expected coverage. The specific steps are as follows:
(1) Step of training semi-mature detectors for tolerance against the training set to generate mature detectors, comprising the following steps:
1) Step of calculating the minimum distance between the semi-mature detector and all self elements in the training set: the semi-mature detector
that passed the first negative selection undergoes tolerance against each self element in the self training set, and the shortest distance
between the center point
of
and all self elements is obtained from the Euclidean distance;
2) Step of judging whether the semi-mature detector is recognized by the training set: if formula (4) holds, the semi-mature detector
is recognized by a self element of the self set;
is removed and a new candidate detector
is generated at random to restart the first negative selection process;
3) Step of generating a mature detector and calculating its radius: if the semi-mature detector
and all self elements in the self set satisfy formula (5), the semi-mature detector
passes self-tolerance against the self training set and becomes a mature detector
, whose detector radius is
;
(3) Step of terminating detector generation according to the expected coverage: when the estimated coverage reaches the expected coverage, detector generation stops; otherwise the secondary negative selection process continues to produce new detectors. The estimated coverage is the ratio of the number of times samples fall within the mature detector set
in one sampling period to the number of sample points, calculated by formula (6):
where
denotes the estimated coverage,
denotes the number of sample points, and
denotes the number of times samples fall within the mature detector set
in one sampling period.
Fig. 6 shows the step of generating authentication detectors by self clustering. First, a partition-based clustering method is used to cluster the self set, with each cluster center representing the character of its partition cluster; then the clustering result is used to generate authentication detectors, which confirm the detection results of the mature detectors generated by secondary negative selection and improve detection quality. The specific steps are as follows:
(1) Step of clustering the self set with a partition-based clustering method, comprising the following steps:
1) Clustering method selection step: a suitable partition-based clustering method is selected according to basic information such as the size of the self set;
2) Clustering parameter setting step: the clustering parameters of the selected clustering method are set;
3) Self set clustering step: the self set is clustered with the selected clustering method and the configured clustering parameters; each cluster center describes the character of its partition cluster and is given by formula (7);
where
denotes the
-th partition cluster,
denotes the cluster center of cluster
, and
denotes the number of self elements in cluster
;
(2) Step of generating authentication detectors from the clustering result: the Euclidean distance is used to calculate the maximum distance
between each cluster center and all self elements in the cluster, which serves as the detector radius; the cluster center
serves as the detector center point to generate the authentication detector.
Fig. 7 shows the step of detecting the network connection data under test with the mature detector set. First, the network connection data under test are quantized and normalized; the generated mature detector set is then used to detect the processed network connection data, and whether the data under test are abnormal is judged by whether they are covered by the mature detector set. The specific steps are as follows:
(1) Quantization step for the network connection data under test: the text-feature dimensions of the network connection data under test are assigned different integer values according to their type, converting them into numerical features;
(2) Normalization step for the network connection data under test: the quantized network connection data are normalized dimension by dimension according to formula (1);
(3) Step of detecting the network connection data under test with the generated mature detector set: the normalized network connection data are read in and checked against the detector set; if the data are recognized by any mature detector, they are judged to be a network anomaly and are submitted to the authentication detectors for reconfirmation.
Fig. 8 shows the step of confirming detection results with the authentication detectors. First, the authentication detectors generated by self clustering confirm the detection results; the confirmed abnormal network connection data are then isolated and an alarm is raised. The specific steps are as follows:
(1) Step of verifying detection results with the authentication detectors: the authentication detectors examine the abnormal network connection data submitted to them; if the data are recognized by an authentication detector, they are considered normal network connection data; otherwise they are confirmed as a network anomaly and the abnormal network connection data are submitted;
(2) Abnormal network connection data isolation step: the submitted abnormal network connection data are isolated and passed on for alarm handling;
(3) Abnormal network connection data alarm handling step: alarm information is sent to the terminal and, depending on the actual state of the network connection, the network administrator takes specific measures such as interrupting or blocking the corresponding network connection.
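The generation and detection stages described above, as an added Python example (not code from the patent). Formulas (3) to (7) are not reproduced on this page, so the example assumes: a point is recognized when its Euclidean distance to a detector center is smaller than the detector radius, a mature detector's radius is its minimum distance to the self set minus the self radius, coverage is estimated as hits divided by samples per period, and k-means stands in for the partition-based clustering. All names, parameters and the sample data are constructed for illustration.

```python
import math
import random

def dist(a, b):
    """Euclidean distance between two points in the normalized feature space."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def covered(point, detectors):
    """True if the point lies strictly inside any (center, radius) detector."""
    return any(dist(point, c) < r for c, r in detectors)

def generate_mature(self_set, r_self, target=0.9, n_samples=200,
                    max_periods=50, seed=1):
    """Secondary negative selection; returns a list of (center, radius)."""
    rng = random.Random(seed)
    dim = len(self_set[0])
    mature = []
    for _ in range(max_periods):          # cap so generation always ends
        hits = 0
        for _ in range(n_samples):        # one sampling period
            cand = tuple(rng.random() for _ in range(dim))
            # First negative selection: a candidate already recognized by a
            # mature detector is redundant; it is dropped before the costly
            # self check and counted toward the coverage estimate.
            if covered(cand, mature):
                hits += 1
                continue
            # Second negative selection: tolerance against the self set.
            d_min = min(dist(cand, s) for s in self_set)
            if d_min <= r_self:           # recognized by a self element
                continue
            # Assumed radius rule: reach up to the nearest self boundary.
            mature.append((cand, d_min - r_self))
        if hits / n_samples >= target:    # estimated coverage reached
            break
    return mature

def kmeans(points, k, iters=20, seed=1):
    """Plain Lloyd k-means, used here as the partition-based clustering."""
    centers = random.Random(seed).sample(points, k)
    clusters = []
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            nearest = min(range(k), key=lambda i: dist(p, centers[i]))
            clusters[nearest].append(p)
        centers = [tuple(sum(col) / len(c) for col in zip(*c)) if c else centers[i]
                   for i, c in enumerate(clusters)]
    return centers, clusters

def build_auth(self_set, k, seed=1):
    """One authentication detector per non-empty cluster of self samples."""
    centers, clusters = kmeans(self_set, k, seed=seed)
    return [(c, max(dist(c, p) for p in members))
            for c, members in zip(centers, clusters) if members]

def classify(point, mature, auth):
    """Stage two: mature detectors flag, authentication detectors confirm."""
    if not covered(point, mature):
        return "normal"
    if any(dist(point, c) <= r for c, r in auth):
        return "normal"                   # flagged, but inside a self cluster
    return "anomaly"

# Constructed sample data: two blobs of "normal" connections, already in [0, 1].
SELF_SET = ([(0.20 + 0.02 * i, 0.20 + 0.02 * j) for i in range(4) for j in range(4)]
            + [(0.70 + 0.02 * i, 0.30 + 0.02 * j) for i in range(4) for j in range(4)])
R_SELF = 0.03

if __name__ == "__main__":
    mature = generate_mature(SELF_SET, R_SELF)
    auth = build_auth(SELF_SET, k=2)
    print(len(mature), "mature detectors,", len(auth), "authentication detectors")
    for p in [(0.22, 0.24), (0.90, 0.90), (0.50, 0.75)]:
        print(p, classify(p, mature, auth))
```

Because uniformly sampled points inside the self region can never be covered, the estimated coverage may stay below the target when the self set occupies much of the space; the `max_periods` cap bounds generation in that case.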
Claims (4)
1. A network anomaly detection method based on secondary negative selection, characterized in that the method comprises the following steps:
(1) step of reading in the self set;
1) step of collecting normal network connection packets;
2) step of standardizing the network connection packets;
(2) network connection data preprocessing step;
1) network connection data quantization step;
2) network connection data normalization step;
(3) step in which the first negative selection produces semi-mature detectors;
(4) step in which the second negative selection produces the mature detector set;
(5) step of generating authentication detectors by self clustering;
(6) step of detecting the network connection data under test with the mature detector set;
1) quantization step for the network connection data under test;
2) normalization step for the network connection data under test;
3) step of detecting the network connection data under test with the generated mature detector set;
(7) step of confirming detection results with the authentication detectors;
1) step of verifying detection results with the authentication detectors;
2) abnormal network connection data isolation step;
3) abnormal network connection data alarm handling step.
2. The network anomaly detection method based on secondary negative selection according to claim 1, characterized in that the step in which the first negative selection produces semi-mature detectors comprises the following steps:
(1) random candidate detector generation step;
(2) step in which candidate detectors undergo tolerance against the mature detector set to generate semi-mature detectors, comprising the following steps:
1) step of calculating the affinity between the candidate detector and the mature detectors;
2) step of judging whether the candidate detector is recognized by a current mature detector;
3) step of judging whether the mature detector set is fully tolerated.
3. The network anomaly detection method based on secondary negative selection according to claim 1, characterized in that the step in which the second negative selection produces the mature detector set comprises the following steps:
(1) step of training semi-mature detectors for tolerance against the training set to generate mature detectors, comprising the following steps:
1) step of calculating the minimum distance between the semi-mature detector and all self elements in the training set;
2) step of judging whether the semi-mature detector is recognized by the training set;
3) step of generating a mature detector and calculating its radius;
(2) step of adding the mature detector to the mature detector set;
(3) step of terminating detector generation according to the expected coverage.
4. The network anomaly detection method based on secondary negative selection according to claim 1, characterized in that the step of generating authentication detectors by self clustering comprises the following steps:
(1) step of clustering the self set with a partition-based clustering method, comprising the following steps:
1) clustering method selection step;
2) clustering parameter setting step;
3) self set clustering step;
(2) step of generating authentication detectors from the clustering result;
1) step of calculating the radius of each cluster;
2) step of generating authentication detectors from the center and radius of each cluster.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210024273.0A CN102571444B (en) | 2012-02-05 | 2012-02-05 | Method for detecting network abnormality based on secondary negative selection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210024273.0A CN102571444B (en) | 2012-02-05 | 2012-02-05 | Method for detecting network abnormality based on secondary negative selection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102571444A true CN102571444A (en) | 2012-07-11 |
CN102571444B CN102571444B (en) | 2015-05-20 |
Family
ID=46415970
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210024273.0A Expired - Fee Related CN102571444B (en) | 2012-02-05 | 2012-02-05 | Method for detecting network abnormality based on secondary negative selection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102571444B (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1567810A (en) * | 2004-03-29 | 2005-01-19 | Sichuan University | Network security intrusion detecting system and method |
US20090019289A1 (en) * | 2007-07-13 | 2009-01-15 | University Of Memphis Research Foundation | Negative authentication system for a networked computer system |
CN102164140A (en) * | 2011-04-22 | 2011-08-24 | Xidian University | Method for intrusion detection based on negative selection and information gain |
Non-Patent Citations (3)
Title |
---|
Li Nana et al.: "An anomaly detection learning method based on self clustering", Journal of Computer Applications, vol. 28, no. 6, 30 June 2008 (2008-06-30), pages 1438 - 1440 * |
Xiao Junbi, Ji Cuicui: "Using clustering to improve the self-purity problem of the dynamic clonal selection algorithm", Computer Systems & Applications, vol. 19, no. 5, 31 May 2010 (2010-05-31), pages 171 - 173 * |
Hu Bo et al.: "An improved negative selection algorithm integrating point estimation", Application Research of Computers, vol. 27, no. 8, 30 August 2010 (2010-08-30), pages 2931 - 2932 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104168152A (en) * | 2014-09-19 | 2014-11-26 | Southwest University | Network intrusion detection method based on multilayer immunization |
CN104504332A (en) * | 2014-12-29 | 2015-04-08 | Nanjing University | Negative selection intrusion detection method based on secondary mobile node strategy |
CN104504332B (en) * | 2014-12-29 | 2017-12-15 | Nanjing University | A negative selection intrusion detection method based on a secondary transfer point strategy |
Also Published As
Publication number | Publication date |
---|---|
CN102571444B (en) | 2015-05-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108848515B (en) | Internet of things service quality monitoring platform and method based on big data | |
CN108989150B (en) | Login abnormity detection method and device | |
WO2020134867A1 (en) | Method and device for detecting abnormal data of power terminal | |
CN102340485B (en) | Network security situation awareness system and method based on information correlation | |
CN110535702B (en) | Alarm information processing method and device | |
KR101538709B1 (en) | Anomaly detection system and method for industrial control network | |
CN109063486B (en) | Safety penetration testing method and system based on PLC equipment fingerprint identification | |
CN105376193B (en) | The intelligent association analysis method and device of security incident | |
CN105471882A (en) | Behavior characteristics-based network attack detection method and device | |
CN114338195B (en) | Web flow anomaly detection method and device based on improved isolated forest algorithm | |
CN115561546A (en) | Abnormity detection and alarm system for power system | |
CN102571444A (en) | Method for detecting network abnormality based on secondary negative selection | |
Rababaah et al. | Electric load monitoring of residential buildings using goodness of fit and multi-layer perceptron neural networks | |
CN112073396A (en) | Method and device for detecting transverse movement attack behavior of intranet | |
CN117117780A (en) | Circuit breaker anti-blocking method and system based on secondary information fusion of transformer substation | |
CN116405261A (en) | Malicious flow detection method, system and storage medium based on deep learning | |
Yan et al. | Detect and identify DDoS attacks from flash crowd based on self-similarity and Renyi entropy | |
CN114338187A (en) | Terminal security detection method and device based on decision tree | |
CN110098983B (en) | Abnormal flow detection method and device | |
CN113076355A (en) | Method for sensing data security flow situation | |
CN113452659A (en) | Active defense system based on dynamic technology and method thereof | |
CN113032774A (en) | Training method, device and equipment of anomaly detection model and computer storage medium | |
Subbulakshmi et al. | Detection and classification of DDoS attacks using fuzzy inference system | |
CN117149486B (en) | Alarm and root cause positioning method, model training method, device, equipment and medium | |
CN113055396B (en) | Cross-terminal traceability analysis method, device, system and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20150520 Termination date: 20220205 |