CN102571444A - Method for detecting network abnormality based on secondary negative selection - Google Patents

Publication number
CN102571444A
Authority
CN
China
Legal status
Granted
Application number
CN2012100242730A
Other languages
Chinese (zh)
Other versions
CN102571444B (en)
Inventor
刘晓洁
李涛
陈文�
赵辉
胡晓勤
Current Assignee
Sichuan University
Original Assignee
Sichuan University
Application filed by Sichuan University
Priority to CN201210024273.0A
Publication of CN102571444A
Application granted
Publication of CN102571444B
Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network anomaly detection method based on secondary negative selection, belonging to the technical field of information security. Simulating the immune tolerance process of a biological immune system, the method selects normal network connection data as the self (autologous) set, uses a secondary negative selection algorithm to perform tolerance training on randomly generated candidate detectors, removes the candidate detectors that fail tolerance against the detector set or against the self set to generate a mature detector set, uses self-set clustering to generate authentication detectors, detects the network connection data under test with the mature detector set, and finally uses the authentication detectors to confirm the detection result. The method mainly overcomes the defects of redundant detectors, low generation efficiency and high false alarm rate: it effectively reduces the size of the generated mature detector set, improves the generation efficiency of mature detectors, keeps the detection rate stable, reduces the false alarm rate and safeguards network security, and therefore has wide application prospects.

Description

A network anomaly detection method based on secondary negative selection
Technical field:
The present invention relates to a network anomaly detection technique and belongs to the field of information security technology.
Background art:
With the spread and development of computer networks, the Internet has become an indispensable tool for study, work and daily life. At the same time, the openness of the Internet has made viruses and network attacks one of its major hazards. Network attacks affect networks in many ways, and the harm they cause mainly includes harm to computer resources and network resources, harm to normal services, and economic, political, social and cultural harm. At present, China's network infrastructure is comparatively backward, the demand for network security is all the more stringent and urgent, and the defenses against network attacks such as virus propagation and hacking are correspondingly fragile. Against this background, a tool that can effectively detect network intrusions and maintain network security is urgently needed.
Network anomaly detection is an important intrusion detection technique: a network security measure that monitors network connection data to find intrusion data, raise alarm signals and trigger response handling. It first establishes a profile of the system's normal behavior; if the system's profile value exceeds the established range of normal values, an intrusion has occurred. Existing network anomaly detection methods based on artificial immunity, such as patent publications CN1567810, CN1848765 and CN101478534, use a negative selection algorithm (the process of training and generating detectors from normal network connection data) to train on antigen data and generate detectors. The detectors are produced by a single round of negative selection and are used directly in the network anomaly detection process. Applied to network anomaly detection, these methods have the following shortcomings:
(1) Too many detectors. Generating detectors with a single negative selection leaves a large number of candidate detectors covering the same non-self (abnormal network connection data) space repeatedly, so the number of detectors needed to reach the same expected coverage increases significantly.
(2) Low detector generation efficiency. Generating detectors with a single negative selection leaves a large number of candidate detectors covering the same non-self space repeatedly, and this large number of ineffective candidate detectors all go through the time-consuming self-tolerance process (the process of generating detectors that do not recognize normal network connection data), so detector generation efficiency is low and detector coverage is poor.
(3) High false alarm rate. Because the approach lacks self-learning and adaptive ability, the false alarm rate is high when the detectors are used to test network connection data.
The present invention proposes a network anomaly detection method based on secondary negative selection. It generates the mature detector set used for anomaly detection of network connection data through secondary negative selection, and clusters the self set to generate authentication detectors that confirm the detection results and so improve detection quality. The present invention has the following advantages:
(1) The number of detectors is significantly reduced. Through the first negative selection, which is tolerance against the mature detector set, candidate detectors that would duplicate existing coverage are removed directly, effectively reducing the number of mature detectors generated.
(2) Detector generation efficiency is significantly improved. Through the first negative selection, which is tolerance against the mature detector set, a large number of candidate detectors are spared self-tolerance against the self set, significantly improving detector generation efficiency.
(3) The false alarm rate is significantly reduced. The detector generation method based on secondary negative selection significantly reduces the number of detectors, and re-confirming the detection results with the authentication detectors generated by self-set clustering reduces the false alarm rate of detection.
Summary of the invention
The present invention proposes a network anomaly detection method based on secondary negative selection. Normal network connection data are selected as the self training set, the mature detector set used for network anomaly detection is generated through secondary negative selection, and authentication detectors generated by self-set clustering are used to re-confirm the detection results. The specific steps are as follows: 1) collect normal network connection data as the self set; 2) quantify and normalize the network connection data as preprocessing; 3) perform the first negative selection, in which candidate detectors undergo tolerance against the mature detector set to generate semi-mature detectors; 4) perform the second negative selection, in which semi-mature detectors undergo tolerance against the self training set to generate mature detectors, which are added to the mature detector set; 5) perform partition-based clustering on the self set to generate authentication detectors; 6) use the mature detector set to test the network connection data to be detected; 7) use the authentication detectors to re-confirm the detection results. The present invention mainly addresses the shortcomings of prior-art artificial immune anomaly detection methods, namely that too many detectors are generated, detector generation efficiency is too low and the false alarm rate of detection is too high. It effectively reduces the number of mature detectors generated, improves the generation efficiency of mature detectors and, while keeping the detection rate stable, further reduces the false alarm rate of detection, safeguarding network security, and has broad application prospects.
Before the present invention is set out in detail, the following terms are defined:
(1) Antigen: the antigen
Figure 48838DEST_PATH_IMAGE001
denotes all data samples in the network anomaly detection space, and
Figure 393232DEST_PATH_IMAGE002
is the data dimension.
(2) Self set: the self set
Figure 360051DEST_PATH_IMAGE003
denotes all normal data samples in the antigen set; the non-self set
Figure 866118DEST_PATH_IMAGE004
denotes all abnormal data samples in the antigen set, and the two satisfy
Figure 82336DEST_PATH_IMAGE005
.
(3) Training set: the training set
Figure 558317DEST_PATH_IMAGE006
represents the prior knowledge for network anomaly detection; the radius of a self sample in the training set is
Figure 910801DEST_PATH_IMAGE007
, and the size of the training set is .
(4) Detector set: the detector set
Figure 494546DEST_PATH_IMAGE009
denotes the set of mature detectors that the negative selection algorithm generates from the training set, where
Figure 180742DEST_PATH_IMAGE010
denotes the detector radius and
Figure 387732DEST_PATH_IMAGE011
denotes the size of the detector set.
(5) Estimated coverage: the estimated coverage
Figure 094657DEST_PATH_IMAGE012
denotes the proportion of the sampling points in one sampling period that fall inside the mature detector set
Figure 19888DEST_PATH_IMAGE013
, where
Figure 244196DEST_PATH_IMAGE014
denotes the number of sampling points; the other quantity is the number of times a sample falls inside the mature detector set
Figure 324464DEST_PATH_IMAGE013
in one sampling period.
Description of drawings
Fig. 1 is a schematic diagram of the working principle of the present invention.
Fig. 2 shows the step of reading in the self set.
Fig. 3 shows the network connection data preprocessing step.
Fig. 4 shows the step in which the first negative selection produces semi-mature detectors.
Fig. 5 shows the step in which the second negative selection produces the mature detector set.
Fig. 6 shows the step of generating authentication detectors by self-set clustering.
Fig. 7 shows the step of using the mature detector set to test the network connection data to be detected.
Fig. 8 shows the step of using the authentication detectors to confirm the detection results.
Embodiment
The method of the present invention is described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the working principle of the present invention.
The network anomaly detection method based on secondary negative selection proposed by the present invention first selects normal network connection data as the self set for training, then generates the mature detector set through the secondary negative selection process and uses it to perform anomaly detection on the network connection data to be detected, and finally confirms the detection results with the authentication detectors generated by self-set clustering. The present invention is divided into two relatively independent stages. The first stage generates the mature detector set and the authentication detectors from the self set; it comprises the step of reading in the self set, the network connection data preprocessing step, the step in which the first negative selection produces semi-mature detectors, the step in which the second negative selection produces the mature detector set, and the step of generating authentication detectors by self-set clustering. The second stage performs anomaly detection on the network connection data to be detected using the mature detector set and the authentication detectors; it comprises the step of using the mature detector set to test the network connection data to be detected and the step of using the authentication detectors to confirm the detection results.
Specifically, the network anomaly detection method based on secondary negative selection proposed by the present invention comprises the following steps:
(1) the step of reading in the self set;
(2) the network connection data preprocessing step;
(3) the step in which the first negative selection produces semi-mature detectors;
(4) the step in which the second negative selection produces the mature detector set;
(5) the step of generating authentication detectors by self-set clustering;
(6) the step of using the mature detector set to test the network connection data to be detected;
(7) the step of using the authentication detectors to confirm the detection results.
Fig. 2 shows the step of reading in the self set.
Fig. 2 gives the step of reading in the self set. This step collects normal network connection packets as the self set for training, so that the secondary negative selection can generate the mature detector set used for network anomaly detection and the authentication detectors used to confirm the detection results. Take the KDD99 data set as an example (KDD99 is network connection and system audit data collected over 9 weeks at MIT Lincoln Laboratory by DARPA, the Defense Advanced Research Projects Agency of the U.S. Department of Defense, simulating various user types, various kinds of network traffic and various attack methods; it comprises 7 weeks of training data with more than 5,000,000 network connection records and 2 weeks of test data with 2,000,000 network connection records). Part of the normal samples in the data set are selected as the self training set and standardized, for example by unifying their format. The specific steps are as follows:
(1) Step of collecting normal network connection packets: collect network connection packets with network sniffing software and select the normal network connection packets among them;
(2) Step of standardizing network connection packets: standardize the collected normal network connection packets, for example by unifying the data format.
Fig. 3 shows the network connection data preprocessing step.
Fig. 3 gives the network connection data preprocessing step. The normal network connection packet data collected in the step of reading in the self set are quantified and normalized. A network connection is defined as the sequence of TCP packets from start to end within a certain period, during which data are transmitted from a source IP address to a destination IP address under a predefined protocol (such as TCP or UDP). Each network connection is labelled normal or abnormal (attack); the abnormal types are subdivided into 4 major classes comprising 39 attack types in total, of which 22 appear in the training set and the other 17, unknown attack types, appear in the test set. Each network connection is represented by 41 data attributes, which express the different features of the connection in text or numeric form. Because the present invention generates detectors and performs anomaly detection in real-valued space, the text and numeric data in the data set must be quantified and normalized. The specific steps are as follows:
(1) Step of quantifying network connection data: for the data dimensions that hold text features in the data set, assign a different integer value to each category, converting them into numeric features;
(2) Step of normalizing network connection data: normalize the quantified network connection data dimension by dimension;
⑴
where
Figure 499411DEST_PATH_IMAGE017
and the corresponding normalized value denote, respectively, the value of the k-th data record in each dimension before and after normalization,
Figure 729721DEST_PATH_IMAGE019
and
Figure 629544DEST_PATH_IMAGE020
denote the minimum and maximum of the data in the corresponding dimension, and
Figure 664496DEST_PATH_IMAGE021
denotes the number of network connection data records.
Fig. 4 shows the step in which the first negative selection produces semi-mature detectors.
Fig. 4 gives the step in which the first negative selection produces semi-mature detectors. First, the normal network connection packets that have been quantified and normalized in the network connection data preprocessing step are taken as the self set; candidate detectors are then generated at random; finally, the first negative selection is performed, in which a candidate detector undergoes tolerance against the mature detector set to generate a semi-mature detector. The specific steps are as follows:
(1) Step of randomly generating a candidate detector: use a random function to produce a candidate detector, whose center point is represented in real-valued space as
Figure 326738DEST_PATH_IMAGE023
;
(2) Step in which the candidate detector undergoes tolerance against the mature detector set to generate a semi-mature detector, comprising the following steps:
1) Step of computing the affinity between the candidate detector and the mature detectors: compute the Euclidean distance between the detection center
Figure 411555DEST_PATH_IMAGE024
of the candidate detector
Figure 41754DEST_PATH_IMAGE022
and each mature detector
Figure 364785DEST_PATH_IMAGE025
in the existing mature detector set
Figure 567730DEST_PATH_IMAGE013
to express its affinity with the mature detectors; the Euclidean distance is given by formula (2):
Figure 350375DEST_PATH_IMAGE027
2) Step of judging whether the candidate detector is recognized by a current mature detector: judge by formula (3) whether the candidate detector
Figure 361057DEST_PATH_IMAGE022
is recognized by the mature detector
Figure 922488DEST_PATH_IMAGE025
; if the candidate detector is recognized by any mature detector, remove it and randomly generate a new candidate detector
Figure 18620DEST_PATH_IMAGE022
;
Figure 730224DEST_PATH_IMAGE028
3) Step of judging whether the candidate detector fully tolerates the mature detector set: if
Figure 860991DEST_PATH_IMAGE022
does not satisfy formula (3) with any of the mature detectors
Figure 468690DEST_PATH_IMAGE029
, the candidate detector passes tolerance against the mature detector set and becomes a semi-mature detector, and it enters the second negative selection, where it undergoes tolerance against the self training set to produce a mature detector
Figure 301834DEST_PATH_IMAGE031
;
where
Figure 880583DEST_PATH_IMAGE022
,
Figure 190341DEST_PATH_IMAGE030
and
Figure 995486DEST_PATH_IMAGE031
denote the candidate detector, the semi-mature detector and the mature detector respectively;
Figure 517734DEST_PATH_IMAGE032
denotes the detection radius of the mature detector
Figure 357514DEST_PATH_IMAGE033
, and
Figure 838174DEST_PATH_IMAGE034
denotes the number of mature detectors.
Fig. 5 shows the step in which the second negative selection produces the mature detector set.
Fig. 5 gives the step in which the second negative selection produces the mature detector set. First, the semi-mature detectors generated by the first negative selection undergo tolerance against the self set to generate mature detectors; the mature detectors that pass tolerance are then added to the detector set; finally, detector generation terminates when the estimated coverage reaches the expected coverage. The specific steps are as follows:
(1) Step of training the semi-mature detector for tolerance against the training set to generate a mature detector, comprising the following steps:
1) Step of computing the minimum distance between the semi-mature detector and all self samples in the training set: the semi-mature detector
Figure 396195DEST_PATH_IMAGE030
that has passed the first negative selection undergoes tolerance against each self sample in the self training set; using the Euclidean distance, the shortest distance
Figure 192615DEST_PATH_IMAGE036
between the center point
Figure 541054DEST_PATH_IMAGE035
of
Figure 581188DEST_PATH_IMAGE030
and all self samples is obtained;
2) Step of judging whether the semi-mature detector is recognized by the training set: if formula (4) holds, the semi-mature detector
Figure 972352DEST_PATH_IMAGE037
is recognized by a self sample of the self set; remove
Figure 836403DEST_PATH_IMAGE037
, randomly produce a new candidate detector
Figure 650775DEST_PATH_IMAGE038
and restart the first negative selection process;
Figure 473238DEST_PATH_IMAGE039
⑷
3) Step of generating the mature detector and computing its radius: if the semi-mature detector satisfies formula (5) with all self samples in the self set, the semi-mature detector
Figure 532647DEST_PATH_IMAGE030
passes self-tolerance against the self training set and becomes a mature detector
Figure 670367DEST_PATH_IMAGE031
, whose detector radius is
Figure 663731DEST_PATH_IMAGE040
;
Figure 418060DEST_PATH_IMAGE041
(2) Step of adding the mature detector to the detector set: add this
Figure 420651DEST_PATH_IMAGE031
to the mature detector set
Figure 537512DEST_PATH_IMAGE042
Figure 701777DEST_PATH_IMAGE043
;
(3) Step of terminating detector generation according to the expected coverage: when the estimated coverage reaches the expected coverage, stop generating detectors; otherwise continue the secondary negative selection process to produce new detectors. The estimated coverage is the proportion of the sampling points in one sampling period that fall inside the mature detector set
Figure 943402DEST_PATH_IMAGE013
, computed by formula (6):
Figure 952947DEST_PATH_IMAGE044
⑹
where the result is the estimated coverage;
Figure 931584DEST_PATH_IMAGE014
denotes the number of sampling points, and
Figure 988402DEST_PATH_IMAGE015
denotes the number of times a sample falls inside the mature detector set
Figure 332795DEST_PATH_IMAGE013
in one sampling period.
Fig. 6 shows the step of generating authentication detectors by self-set clustering.
Fig. 6 gives the step of generating authentication detectors by self-set clustering. First, a partition-based clustering method is used to cluster the self set, with each cluster center representing the properties of its partition cluster; the clustering result is then used to generate authentication detectors, which confirm the detection results of the mature detectors generated by the secondary negative selection and so improve detection quality. The specific steps are as follows:
(1) Step of clustering the self set with a partition-based clustering method, comprising the following steps:
1) Step of selecting the clustering method: select a suitable partition-based clustering method according to basic information such as the size of the self set;
2) Step of setting the clustering parameters: set the clustering parameters of the selected clustering method;
3) Step of clustering the self set: cluster the self set with the selected clustering method and the clustering parameters that have been set; each cluster center describes the properties of its partition cluster, and the cluster center is described by formula (7);
Figure 565194DEST_PATH_IMAGE046
where
Figure 336841DEST_PATH_IMAGE047
denotes one partition cluster;
Figure 638826DEST_PATH_IMAGE049
denotes the cluster center of the cluster
Figure 991310DEST_PATH_IMAGE047
, and
Figure 527333DEST_PATH_IMAGE050
denotes the number of self elements in the cluster;
(2) Step of generating authentication detectors from the clustering result: use the Euclidean distance to compute the maximum distance
Figure 651464DEST_PATH_IMAGE051
between each cluster center and all self samples in its cluster and take it as the detector radius; with the cluster center
Figure 327296DEST_PATH_IMAGE049
as the detector center point, generate the authentication detector.
Fig. 7 shows the step of using the mature detector set to test the network connection data to be detected.
Fig. 7 gives the step of using the mature detector set to test the network connection data to be detected. First, the network connection data to be detected are quantified and normalized; the generated mature detector set is then used to test the processed network connection data, and the data are judged abnormal or not according to whether they are covered by the mature detector set. The specific steps are as follows:
(1) Step of quantifying the network connection data to be detected: for the data dimensions that hold text features in the network connection data to be detected, assign a different integer value to each category, converting them into numeric features;
(2) Step of normalizing the network connection data to be detected: normalize the quantified network connection data dimension by dimension, according to formula (1);
(3) Step of testing the network connection data to be detected with the generated mature detector set: read in the normalized network connection data and test them against the detector set; if the data are recognized by any mature detector, they are judged to be a network anomaly and submitted to the authentication detectors for re-confirmation.
Fig. 8 shows the step of using the authentication detectors to confirm the detection results.
Fig. 8 gives the step of using the authentication detectors to confirm the detection results. First, the authentication detectors generated by self-set clustering are used to confirm the detection results; the confirmed abnormal network connection data are then isolated and an alarm is raised. The specific steps are as follows:
(1) Step of verifying the detection results with the authentication detectors: use the authentication detectors to test the abnormal network connection data that have been submitted; if the data are recognized by an authentication detector, they are considered normal network connection data; otherwise they are confirmed as a network anomaly and the abnormal network connection data are submitted;
(2) Step of isolating abnormal network connection data: isolate the submitted abnormal network connection data and submit them for alarm handling;
(3) Step of alarm handling for abnormal network connection data: generate alarm information to the terminal; according to the actual network connection situation, the network administrator takes specific measures such as interrupting or blocking the corresponding network connection.
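The following Python sketch is an added illustration, not code from the patent: it carries the steps above through both negative selection stages, the coverage-based stopping rule, authentication detectors built from self-set clustering, and the two-step detection decision. Because the formula images are missing from this page, it assumes that "recognized" means lying within a detector's radius, that a mature detector's radius is its distance to the nearest self sample minus the self radius, that candidates double as coverage sampling points, and that k-means serves as the partition-based clustering; all names, parameters and data are constructed, and inputs are taken as already quantified and normalized to [0, 1].

```python
"""Secondary (two-stage) negative selection with authentication detectors.
Added illustration: data, parameters and function names are constructed."""
import math
import random


def covered(point, detectors):
    """True if point lies inside any (center, radius) detector."""
    return any(math.dist(point, c) <= r for c, r in detectors)


def train_mature_detectors(self_set, self_radius, expected_coverage, dim, rng,
                           samples_per_period=200, max_periods=50):
    """Generate mature detectors until the estimated coverage is reached."""
    mature = []
    stats = {"stage1_dropped": 0, "stage2_dropped": 0, "coverage": 0.0}
    for _ in range(max_periods):  # bounded so training always terminates
        hits = 0
        for _ in range(samples_per_period):
            cand = tuple(rng.random() for _ in range(dim))
            # First negative selection: tolerance against the mature set.
            # A candidate already inside a mature detector is redundant and
            # is dropped before the costly pass over the self set.
            if covered(cand, mature):
                hits += 1
                stats["stage1_dropped"] += 1
                continue
            # Second negative selection: tolerance against the self set.
            d_min = min(math.dist(cand, s) for s in self_set)
            if d_min <= self_radius:
                stats["stage2_dropped"] += 1
                continue
            # Assumed radius rule: stop at the nearest self sample's boundary.
            mature.append((cand, d_min - self_radius))
        # Estimated coverage: hits inside the mature set / sampling points.
        stats["coverage"] = hits / samples_per_period
        if stats["coverage"] >= expected_coverage:
            break
    return mature, stats


def authentication_detectors(self_set, k, rng, iterations=20):
    """Cluster the self set (k-means, assumed) into (center, radius) detectors."""
    centers = rng.sample(self_set, k)
    for _ in range(iterations):
        groups = [[] for _ in range(k)]
        for s in self_set:
            nearest = min(range(k), key=lambda j: math.dist(s, centers[j]))
            groups[nearest].append(s)
        # New center = mean of the members; an empty cluster keeps its center.
        centers = [tuple(sum(x) / len(g) for x in zip(*g)) if g else c
                   for g, c in zip(groups, centers)]
    # Radius = largest distance from the center to a member of its cluster.
    return [(c, max(math.dist(c, s) for s in g))
            for g, c in zip(groups, centers) if g]


def classify(point, mature, auth):
    """Two-step decision: mature detectors flag, authentication confirms."""
    if not covered(point, mature):
        return "normal"
    if covered(point, auth):
        return "suppressed"  # flagged, then recognized as self: false alarm
    return "anomaly"


def make_self_set(rng, per_cluster=30):
    """Constructed normalized 'normal' records: two tight 2-D clusters."""
    return [(cx + rng.uniform(-0.05, 0.05), cy + rng.uniform(-0.05, 0.05))
            for cx, cy in ((0.3, 0.3), (0.7, 0.25)) for _ in range(per_cluster)]


def demo(seed=7):
    """Train on the constructed self set and return everything for inspection."""
    rng = random.Random(seed)
    self_set = make_self_set(rng)
    mature, stats = train_mature_detectors(self_set, 0.03, 0.9, 2, rng)
    auth = authentication_detectors(self_set, 2, rng)
    return self_set, mature, auth, stats


if __name__ == "__main__":
    self_set, mature, auth, stats = demo()
    print(len(mature), "mature detectors;", stats)
    for p in [(0.9, 0.9), (0.31, 0.29), (0.5, 0.6)]:
        print(p, classify(p, mature, auth))
```

The `stage1_dropped` counter is the number of candidates that never reached the pass over the self set, which is the generation-efficiency gain the description attributes to the first negative selection.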

Claims (4)

1. A network anomaly detection method based on secondary negative selection, characterized in that the method comprises the following steps:
(1) the step of reading in the self set;
1) the step of collecting normal network connection packets;
2) the step of standardizing network connection packets;
(2) the network connection data preprocessing step;
1) the step of quantifying network connection data;
2) the step of normalizing network connection data;
(3) the step in which the first negative selection produces semi-mature detectors;
(4) the step in which the second negative selection produces the mature detector set;
(5) the step of generating authentication detectors by self-set clustering;
(6) the step of using the mature detector set to test the network connection data to be detected;
1) the step of quantifying the network connection data to be detected;
2) the step of normalizing the network connection data to be detected;
3) the step of testing the network connection data to be detected with the generated mature detector set;
(7) the step of using the authentication detectors to confirm the detection results;
1) the step of verifying the detection results with the authentication detectors;
2) the step of isolating abnormal network connection data;
3) the step of alarm handling for abnormal network connection data.
2. The network anomaly detection method based on secondary negative selection according to claim 1, characterized in that the step in which the first negative selection produces semi-mature detectors comprises the following steps:
(1) the step of randomly generating a candidate detector;
(2) the step in which the candidate detector undergoes tolerance against the mature detector set to generate a semi-mature detector, comprising the following steps:
1) the step of computing the affinity between the candidate detector and the mature detectors;
2) the step of judging whether the candidate detector is recognized by a current mature detector;
3) the step of judging whether the candidate detector fully tolerates the mature detector set.
3. The network anomaly detection method based on secondary negative selection according to claim 1, characterized in that the step in which the second negative selection produces the mature detector set comprises the following steps:
(1) the step of training the semi-mature detector for tolerance against the training set to generate a mature detector, comprising the following steps:
1) the step of computing the minimum distance between the semi-mature detector and all self samples in the training set;
2) the step of judging whether the semi-mature detector is recognized by the training set;
3) the step of generating the mature detector and computing its radius;
(2) the step of adding the mature detector to the mature detector set;
(3) the step of terminating detector generation according to the expected coverage.
4. The network anomaly detection method based on secondary negative selection according to claim 1, characterized in that the step of generating authentication detectors by self-set clustering comprises the following steps:
(1) the step of clustering the self set with a partition-based clustering method, comprising the following steps:
1) the step of selecting the clustering method;
2) the step of setting the clustering parameters;
3) the step of clustering the self set;
(2) the step of generating authentication detectors from the clustering result;
1) the step of computing the radius of each cluster;
2) the step of generating an authentication detector from the center and radius of each cluster.
CN201210024273.0A 2012-02-05 2012-02-05 Method for detecting network abnormality based on secondary negative selection Expired - Fee Related CN102571444B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210024273.0A CN102571444B (en) 2012-02-05 2012-02-05 Method for detecting network abnormality based on secondary negative selection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210024273.0A CN102571444B (en) 2012-02-05 2012-02-05 Method for detecting network abnormality based on secondary negative selection

Publications (2)

Publication Number Publication Date
CN102571444A true CN102571444A (en) 2012-07-11
CN102571444B CN102571444B (en) 2015-05-20

Family

ID=46415970

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210024273.0A Expired - Fee Related CN102571444B (en) 2012-02-05 2012-02-05 Method for detecting network abnormality based on secondary negative selection

Country Status (1)

Country Link
CN (1) CN102571444B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104168152A (en) * 2014-09-19 2014-11-26 Southwest University Network intrusion detection method based on multilayer immunization
CN104504332A (en) * 2014-12-29 2015-04-08 Nanjing University Negative selection intrusion detection method based on secondary mobile node strategy

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567810A (en) * 2004-03-29 2005-01-19 Sichuan University Network security intrusion detecting system and method
US20090019289A1 (en) * 2007-07-13 2009-01-15 University Of Memphis Research Foundation Negative authentication system for a networked computer system
CN102164140A (en) * 2011-04-22 2011-08-24 Xidian University Method for intrusion detection based on negative selection and information gain

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
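Li Nana et al.: "An anomaly detection learning method based on self clustering", Journal of Computer Applications, vol. 28, no. 6, 30 June 2008 (2008-06-30), pages 1438 - 1440 *
Xiao Junbi, Ji Cuicui: "Using clustering to improve the self-purity problem of the dynamic clonal selection algorithm", Computer Systems & Applications, vol. 19, no. 5, 31 May 2010 (2010-05-31), pages 171 - 173 *
Hu Bo et al.: "An improved negative selection algorithm integrating point estimation", Application Research of Computers, vol. 27, no. 8, 30 August 2010 (2010-08-30), pages 2931 - 2932 *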

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104168152A (en) * 2014-09-19 2014-11-26 Southwest University Network intrusion detection method based on multilayer immunization
CN104504332A (en) * 2014-12-29 2015-04-08 Nanjing University Negative selection intrusion detection method based on secondary mobile node strategy
CN104504332B (en) * 2014-12-29 2017-12-15 Nanjing University A kind of Negative Selection intrusion detection method based on secondary transfer point strategy

Also Published As

Publication number Publication date
CN102571444B (en) 2015-05-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150520

Termination date: 20220205
