CN104519031A - Method and device for detecting malicious network behaviors - Google Patents


Info

Publication number: CN104519031A
Authority: CN (China)
Prior art keywords: behavior, network, correlation degree, detected, degree value
Legal status: Granted
Application number: CN201310461795.1A
Other languages: Chinese (zh)
Other versions: CN104519031B (en)
Inventors: 郭代飞, 隋爱芬, 林冠洲, 郭涛
Current assignee: Siemens AG
Original assignee: Siemens AG
Events: application filed by Siemens AG; priority to CN201310461795.1A (patent CN104519031B); publication of CN104519031A; application granted; publication of CN104519031B; legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G06F16/285 Clustering or classification
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14 above)
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and a device for detecting malicious network behaviors. The device comprises a calculation module and a determination module. The calculation module calculates, from the characteristic parameters of each of multiple behavior classes, a correlation degree value between the network behavior to be detected and each behavior class, giving multiple correlation degree values; the behavior classes include a normal behavior class and at least one malicious behavior class, and the characteristic parameters of the behavior classes are obtained in advance by training with known malicious network behaviors and normal network behaviors as training samples. The determination module decides whether the behavior to be detected is a normal network behavior or a malicious network behavior according to whether the largest of the correlation degree values is the one between the behavior to be detected and the normal behavior class or the one between the behavior to be detected and one of the malicious behavior classes. The method and device improve the accuracy of malicious network behavior detection.

Description

Method and apparatus for malicious network behavior detection
Technical field
The present invention relates to the field of network security, and in particular to a method and apparatus for detecting malicious network behavior.
Background technology
With the progress of mobile communication technology, the mobile Internet has developed broadly. Alongside it, many network attacks aimed at the mobile Internet have appeared, and these pose a great threat to the mobile Internet and to mobile terminals.
Traditionally, signature-based matching techniques have been used to detect malicious network behavior in the mobile Internet. Malicious network behavior is not fixed, however: an attacker can usually make small changes to a malicious network behavior to produce polymorphic and variant forms of it, and signature-based matching cannot effectively detect such polymorphic and variant malicious network behavior.
For this reason, many data mining techniques have been proposed for detecting polymorphic and variant malicious network behavior. Although current data mining techniques detect polymorphic and variant malicious network behavior more effectively than signature-based matching, their detection accuracy is still not high enough, and false positives often occur.
Summary of the invention
In view of the above problems of the prior art, embodiments of the present invention propose a method and apparatus for malicious network behavior detection that can improve the accuracy of malicious network behavior detection.
A method for malicious network behavior detection according to an embodiment of the present invention comprises: according to the respective characteristic parameters of multiple behavior classes, calculating a correlation degree value between the network behavior to be detected and each of the multiple behavior classes, obtaining multiple correlation degree values, wherein the multiple behavior classes comprise a normal behavior class and at least one malicious behavior class, and the respective characteristic parameters of the multiple behavior classes are obtained by training in advance with known malicious network behaviors and normal network behaviors as training samples; and determining whether the behavior to be detected is a normal network behavior or a malicious network behavior according to whether the maximum correlation degree value among the multiple correlation degree values is the correlation degree value between the network behavior to be detected and the normal behavior class or the correlation degree value between the network behavior to be detected and one of the at least one malicious behavior class.
Wherein the method further comprises: judging, according to the behavioral characteristics of the network behavior to be detected, the behavior kind to which it belongs; and selecting, from multiple behavior recognition models each corresponding to a different behavior kind, the behavior recognition model corresponding to the judged behavior kind, wherein each of the multiple behavior recognition models comprises the respective characteristic parameters of the multiple behavior classes, and wherein the calculating further comprises calculating the correlation degree value between the behavior to be detected and each of the multiple behavior classes according to the respective characteristic parameters of the multiple behavior classes comprised in the selected behavior recognition model, obtaining the multiple correlation degree values.
Wherein the method further comprises: dividing the known malicious network behaviors and normal network behaviors serving as training samples into multiple behavior groups, wherein the network behaviors in each behavior group belong to the same behavior kind; using a clustering algorithm to cluster the network behaviors comprised in each of the multiple behavior groups into multiple sub-behavior groups, wherein the network behaviors comprised in each sub-behavior group belong to one of the multiple behavior classes; and using a multi-classifier training algorithm to train separately on the network behaviors in each sub-behavior group of each of the multiple behavior groups, obtaining the multiple behavior recognition models.
Wherein, when the behavior determined for the network behavior to be detected differs from the behavior to which it actually belongs, the method further comprises: calculating the product of the correlation degree values among the multiple correlation degree values other than the maximum correlation degree value; checking whether the ratio of the maximum correlation degree value to the calculated product is greater than a specified threshold; and, if the check result is affirmative, using an incremental learning algorithm to perform self-learning training with the network behavior to be detected, so as to update the multiple behavior recognition models.
Wherein the behavior kinds comprise propagation behavior, remote control behavior and attack behavior.
An apparatus for malicious network behavior detection according to an embodiment of the present invention comprises: a calculation module, for calculating, according to the respective characteristic parameters of multiple behavior classes, a correlation degree value between the network behavior to be detected and each of the multiple behavior classes, obtaining multiple correlation degree values, wherein the multiple behavior classes comprise a normal behavior class and at least one malicious behavior class, and the respective characteristic parameters of the multiple behavior classes are obtained by training in advance with known malicious network behaviors and normal network behaviors as training samples; and a determination module, for determining whether the behavior to be detected is a normal network behavior or a malicious network behavior according to whether the maximum correlation degree value among the multiple correlation degree values is the correlation degree value between the network behavior to be detected and the normal behavior class or the correlation degree value between the network behavior to be detected and one of the at least one malicious behavior class.
Wherein the apparatus further comprises: a judging module, for judging, according to the behavioral characteristics of the network behavior to be detected, the behavior kind to which it belongs; and a selection module, for selecting, from multiple behavior recognition models each corresponding to a different behavior kind, the behavior recognition model corresponding to the judged behavior kind, wherein each of the multiple behavior recognition models comprises the respective characteristic parameters of the multiple behavior classes, and wherein the calculation module is further used for calculating the correlation degree value between the behavior to be detected and each of the multiple behavior classes according to the respective characteristic parameters of the multiple behavior classes comprised in the selected behavior recognition model, obtaining the multiple correlation degree values.
Wherein the apparatus further comprises: a dividing module, for dividing the known malicious network behaviors and normal network behaviors serving as training samples into multiple behavior groups, wherein the network behaviors in each behavior group belong to the same behavior kind; a clustering module, for using a clustering algorithm to cluster the network behaviors comprised in each of the multiple behavior groups into multiple sub-behavior groups, wherein the network behaviors comprised in each sub-behavior group belong to one of the multiple behavior classes; and a training module, for using a multi-classifier training algorithm to train separately on the network behaviors in each sub-behavior group of each of the multiple behavior groups, obtaining the multiple behavior recognition models.
Wherein, when the behavior determined for the network behavior to be detected differs from the behavior to which it actually belongs, the apparatus further comprises: a multiplication module, for calculating the product of the correlation degree values among the multiple correlation degree values other than the maximum correlation degree value; a checking module, for checking whether the ratio of the maximum correlation degree value to the calculated product is greater than a specified threshold; and an update module, for using, if the check result is affirmative, an incremental learning algorithm to perform self-learning training with the network behavior to be detected, so as to update the multiple behavior recognition models.
As can be seen from the above description, the scheme of the embodiments of the present invention divides network behaviors into two or more behavior classes comprising a normal behavior class and several malicious behavior classes, instead of only the two classes, normal and malicious, of the prior art. The finer the division of network behaviors into classes, the less the interference between behaviors of different classes and the more accurate the detection of the behavior to be detected; therefore, compared with the prior art, the scheme of the embodiments of the present invention can improve the accuracy of malicious network behavior detection.
Brief description of the drawings
Further features, characteristics, advantages and benefits of the present invention will become more apparent from the detailed description below taken in conjunction with the accompanying drawings.
Fig. 1 shows a schematic diagram of the multi-classifier training process according to an embodiment of the invention.
Fig. 2 shows a schematic diagram of the behavior analysis process according to an embodiment of the invention.
Fig. 3 shows a schematic diagram of the self-learning process according to an embodiment of the invention.
Fig. 4 shows a schematic diagram of the apparatus for malicious network behavior detection according to an embodiment of the invention.
Fig. 5 shows a schematic diagram of the equipment for malicious network behavior detection according to an embodiment of the invention.
Embodiments
Below, the embodiments of the present invention are described in detail with reference to the accompanying drawings.
In the embodiments of the present invention, a data tuple $X = \{x_1, x_2, \ldots, x_k\}$ (k an integer) is used to characterize a network behavior, where $x_1, x_2, \ldots, x_k$ describe different characteristic attributes of the network behavior and can be obtained from the packets related to that behavior. For example, $x_1, \ldots, x_k$ can be key fields in the TCP/IP headers and application-layer protocol headers of the packets related to the network behavior, statistical information about those packets (such as their frequency), and keywords in the body of those packets. The packets related to a network behavior can be captured at the mobile terminal, at a gateway device of the mobile Internet (such as the Gateway GPRS Support Node (GGSN) or Serving GPRS Support Node (SGSN) of a General Packet Radio Service (GPRS) system), or at a data transmission interface in the mobile Internet (such as the Gn interface between GGSN and SGSN). Each network behavior is represented by one data tuple X.
The method for malicious network behavior detection according to an embodiment of the invention comprises a multi-classifier training process, a behavior analysis process and a self-learning process; these processes can be implemented on any device.
Referring now to Fig. 1, which shows a schematic diagram of the multi-classifier training process according to an embodiment of the invention. Before the multi-classifier training process of this embodiment is performed, a sufficient number of known malicious network behaviors and normal network behaviors need to be collected as the training sample D.
As shown in Fig. 1, at block 100, the training sample D is divided into three behavior groups D1, D2, D3 according to the different behavioral characteristics of the network behaviors. The behaviors in D1, D2 and D3 belong respectively to the three behavior kinds: propagation behavior, remote control behavior and attack behavior.
Propagation behavior refers to, but is not limited to, the following: placing a malicious or legitimate program on a website and sending a short message containing a network link pointing to that program to a mobile terminal, so that the user downloads the program from the website via that link (for example via HTTP, FTP or e-mail); and actively sending a malicious program to a target user by multimedia message.
Remote control behavior refers to, but is not limited to, the following: a mobile terminal connecting to a server in the mobile Internet to update or download legitimate or malicious programs, and to download attack target information and attack instructions.
Attack behavior refers to, but is not limited to, the following: a mobile terminal accessing other mobile terminals via communication channels such as SMS, MMS, Bluetooth or the mobile Internet. Malicious attacks include privacy theft, privacy dissemination, access to chargeable value-added services, automatically contacting other mobile terminals, consumption, and DoS or DDoS attacks against other terminals or the network.
At block 110, a clustering algorithm clusters the behaviors in each of the behavior groups D1, D2, D3 into m+1 sub-behavior groups (m an integer greater than zero), where the behaviors in each sub-behavior group belong to one of m+1 behavior classes. The m+1 behavior classes comprise a normal behavior class $C_0$ and m malicious behavior classes $C_1, C_2, \ldots, C_m$. Each malicious behavior class may be, for example, the behavior of similar malicious programs, or similar malicious behaviors of the same malicious program family.
After clustering, behavior group D1 comprises sub-behavior groups $D1_0, D1_1, D1_2, \ldots, D1_m$, whose behaviors belong respectively to behavior classes $C_0, C_1, C_2, \ldots, C_m$; behavior group D2 comprises sub-behavior groups $D2_0, D2_1, D2_2, \ldots, D2_m$, whose behaviors belong respectively to $C_0, C_1, C_2, \ldots, C_m$; and behavior group D3 comprises sub-behavior groups $D3_0, D3_1, D3_2, \ldots, D3_m$, whose behaviors belong respectively to $C_0, C_1, C_2, \ldots, C_m$. Here the behaviors of each behavior kind are divided into the same number of behavior classes, namely m+1, but the invention is not limited to this; in other embodiments of the invention, the number of behavior classes into which the behaviors of each behavior kind are divided can differ.
The clustering algorithm can be, but is not limited to, CURE (Clustering Using Representatives), BIRCH (Balanced Iterative Reducing and Clustering using Hierarchies), the density-based DBSCAN algorithm, K-means, K-medoids, K-prototypes, CLARANS (randomized search clustering), CLIQUE (automatic subspace clustering), etc.
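The following is an added example, not the patent's own code, of block 110: one behavior group's data tuples are partitioned into m+1 sub-behavior groups with K-means, one of the algorithms listed above. The two-attribute feature tuples, m = 2 and the farthest-first seeding are assumptions of this example; which sub-group corresponds to the normal class $C_0$ is decided outside it.

```python
# Added example (not from the patent): block 110 of Fig. 1, clustering the
# data tuples of one behavior group into m+1 sub-behavior groups with K-means.
# The feature tuples, m = 2 and the farthest-first seeding are assumptions.
import math

def _dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def _centroid(points):
    return tuple(sum(p[j] for p in points) / len(points) for j in range(len(points[0])))

def kmeans_subgroups(behaviors, m, max_iter=100):
    """Partition the data tuples of one behavior group into m+1 sub-behavior groups.
    Returns a list of m+1 lists; each inner list is one sub-behavior group."""
    n_clusters = m + 1
    # Farthest-first seeding keeps the run deterministic (no random state needed).
    centroids = [behaviors[0]]
    while len(centroids) < n_clusters:
        centroids.append(max(behaviors, key=lambda p: min(_dist(p, c) for c in centroids)))
    assignment = None
    for _ in range(max_iter):                       # Lloyd's iterations
        new_assignment = [min(range(n_clusters), key=lambda c: _dist(p, centroids[c]))
                          for p in behaviors]
        if new_assignment == assignment:            # converged: no tuple changed group
            break
        assignment = new_assignment
        for c in range(n_clusters):
            members = [p for p, a in zip(behaviors, assignment) if a == c]
            if members:
                centroids[c] = _centroid(members)
    groups = [[] for _ in range(n_clusters)]
    for p, a in zip(behaviors, assignment):
        groups[a].append(p)
    return groups

# Constructed data tuples X = (packets per minute, distinct destinations) for one
# behavior group; three visibly different traffic patterns are mixed together.
SAMPLE_GROUP = [
    (5, 1), (6, 2), (4, 1), (7, 2),           # low rate, few destinations
    (60, 3), (62, 2), (58, 4), (61, 3),       # high rate, few destinations
    (20, 40), (22, 42), (19, 38), (21, 41),   # moderate rate, many destinations
]

if __name__ == "__main__":
    for idx, group in enumerate(kmeans_subgroups(SAMPLE_GROUP, m=2)):
        print(f"sub-behavior group {idx}: {group}")
```

With the constructed tuples the three traffic patterns end up in three separate sub-behavior groups; on real captures the number of intervals, attributes and m would be chosen from the training sample D.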
At block 120, a multi-classifier training algorithm is used to train on the behaviors in each sub-behavior group of each of the behavior groups D1, D2, D3, obtaining three behavior recognition models M1, M2 and M3 corresponding respectively to propagation behavior, remote control behavior and attack behavior, where each of M1, M2 and M3 comprises the respective characteristic parameters of the behavior classes $C_0, C_1, C_2, \ldots, C_m$. The characteristic parameters of a behavior class describe the behavioral traits of the behaviors belonging to that class. The multi-classifier training algorithm can be, but is not limited to, the multi-class naive Bayes algorithm, the multi-class support vector machine (SVM) algorithm, decision trees, the K nearest neighbours algorithm (KNN), the vector space model method (VSM), neural network classification algorithms, etc.
Below, how to obtain the behavior recognition models M1, M2 and M3 is described in detail, taking the multi-class naive Bayes algorithm as the example.
The multi-class naive Bayes algorithm uses the following equation (1) to calculate the probability $P(C_i \mid X^D)$ that the network behavior to be detected $X^D = \{x^D_1, x^D_2, \ldots, x^D_k\}$ belongs to behavior class $C_i$ ($i = 0, 1, 2, \ldots, m$).

$$P(C_i \mid X^D) = \frac{P(X^D \mid C_i)\,P(C_i)}{P(X^D)} \qquad (1)$$

If $P(C_f \mid X^D) = \max\{P(C_1 \mid X^D), P(C_2 \mid X^D), \ldots, P(C_m \mid X^D)\}$, the network behavior $X^D$ is judged to belong to behavior class $C_f$.

Since $P(X^D)$ is the same for all behavior classes $C_i$, for convenience of calculation one can take $P(C_i \mid X^D) = P(X^D \mid C_i)\,P(C_i)$.

Usually the characteristic attributes $x_1, x_2, \ldots, x_k$ of a network behavior X are mutually independent, so $P(X^D \mid C_i)\,P(C_i)$ can be calculated with the following equation (2).

$$P(X^D \mid C_i)\,P(C_i) = P(x^D_1 \mid C_i)\,P(x^D_2 \mid C_i) \cdots P(x^D_k \mid C_i)\,P(C_i) = P(C_i) \prod_{j=1}^{k} P(x^D_j \mid C_i) \qquad (2)$$

To calculate $P(x^D_1 \mid C_i), P(x^D_2 \mid C_i), \ldots, P(x^D_k \mid C_i)$, each characteristic attribute $x_j$ ($j = 1, 2, \ldots, k$) of the network behavior X can be divided into multiple intervals $x'_{j1}, x'_{j2}, \ldots, x'_{jz}$, where z is an integer and z > 1 (note that the number of intervals into which each of the attributes $x_1, x_2, \ldots, x_k$ of X is divided can be the same or different), and $P(x'_{j1} \mid C_i), P(x'_{j2} \mid C_i), \ldots, P(x'_{jz} \mid C_i)$ and $P(C_i)$ are calculated in advance from the training samples. Calculating $P(x'_{j1} \mid C_i), \ldots, P(x'_{jz} \mid C_i)$ and $P(C_i)$ from training samples is known to those skilled in the art and is not repeated here.

Since, when the value of the characteristic attribute $x^D_j$ of the network behavior to be detected $X^D$ lies in the interval $x'_{ju}$ ($1 \le u \le z$), $P(x^D_j \mid C_i) = P(x'_{ju} \mid C_i)$, $P(X^D \mid C_i)\,P(C_i)$ can be calculated with the following equation (3).

$$P(X^D \mid C_i)\,P(C_i) = P(C_i) \prod_{j=1}^{k} P(x^D_j \mid C_i) = P(C_i) \prod_{j=1}^{k} P(x'_{ju} \mid C_i) \qquad (3)$$

In summary, $P(C_i \mid X^D)$ can be calculated with the following equation (4).

$$P(C_i \mid X^D) = P(C_i) \prod_{j=1}^{k} P(x'_{ju} \mid C_i) \qquad (4)$$

In equation (4), $x'_{ju}$ is the interval in which the value of the characteristic attribute $x^D_j$ of the network behavior to be detected $X^D$ lies.

Here, $P(C_i \mid X^D)$ is the correlation degree value between the network behavior to be detected $X^D$ and the behavior class $C_i$, and $P(x'_{j1} \mid C_i), P(x'_{j2} \mid C_i), \ldots, P(x'_{jz} \mid C_i)$ and $P(C_i)$ are the characteristic parameters of the behavior class $C_i$.

Those skilled in the art will appreciate that if a multi-classifier training algorithm other than multi-class naive Bayes is used, the correlation degree value between $X^D$ and $C_i$ need not be the probability $P(C_i \mid X^D)$; for example, the distance between $X^D$ and $C_i$ can serve as their correlation degree value, in which case the smaller the distance between $X^D$ and $C_i$, the more correlated they are.

For the behavior recognition model M1, the behaviors in the sub-behavior groups $D1_0, D1_1, D1_2, \ldots, D1_m$ of behavior group D1 are used as training samples to calculate the respective characteristic parameters of the behavior classes $C_0, C_1, C_2, \ldots, C_m$ in M1.
For the behavior recognition model M2, the behaviors in the sub-behavior groups $D2_0, D2_1, D2_2, \ldots, D2_m$ of behavior group D2 are used as training samples to calculate the respective characteristic parameters of the behavior classes $C_0, C_1, C_2, \ldots, C_m$ in M2.
For the behavior recognition model M3, the behaviors in the sub-behavior groups $D3_0, D3_1, D3_2, \ldots, D3_m$ of behavior group D3 are used as training samples to calculate the respective characteristic parameters of the behavior classes $C_0, C_1, C_2, \ldots, C_m$ in M3.
Referring now to Fig. 2, which shows a schematic diagram of the behavior analysis process according to an embodiment of the invention. The behavior analysis process of this embodiment analyzes whether the network behavior to be detected $X^D = \{x^D_1, x^D_2, \ldots, x^D_k\}$ is a malicious network behavior or a normal network behavior.
As shown in Fig. 2, at block 200, it is checked whether the network behavior to be detected $X^D$ is included in a whitelist. The whitelist records legitimate network behaviors; if $X^D$ is included in it, $X^D$ is a normal network behavior.
If the check result of block 200 is affirmative, i.e. $X^D$ is included in the whitelist, then $X^D$ is a normal network behavior and the flow ends.
At block 204, if the check result of block 200 is negative, i.e. $X^D$ is not included in the whitelist, a signature-based virus scanning method is used to check whether $X^D$ is a malicious network behavior.
If the check result of block 204 is affirmative, i.e. the check finds that $X^D$ is a malicious network behavior, the flow ends.
At block 208, if the check result of block 204 is negative, i.e. the check does not find $X^D$ to be a malicious network behavior, the behavior kind to which $X^D$ belongs is determined according to the behavioral characteristics of $X^D$. Here the behavior kind can be propagation behavior, remote control behavior or attack behavior.
At block 212, the behavior recognition model corresponding to the behavior kind of $X^D$ is selected: if the behavior kind of $X^D$ is propagation behavior, model M1 is selected; if it is remote control behavior, model M2 is selected; and if it is attack behavior, model M3 is selected.
At block 216, based on the respective characteristic parameters of the behavior classes $C_0, C_1, C_2, \ldots, C_m$ in the selected behavior recognition model, the correlation degree values between $X^D$ and each of $C_0, C_1, C_2, \ldots, C_m$ are calculated, obtaining multiple correlation degree values. Here $C_0$ is the normal behavior class and $C_1, C_2, \ldots, C_m$ are malicious behavior classes.
Here, if the respective characteristic parameters of $C_0, C_1, C_2, \ldots, C_m$ in the selected model were obtained by training with the multi-class naive Bayes algorithm, equation (4) above can be used to calculate the correlation degree values between $X^D$ and each of $C_0, C_1, C_2, \ldots, C_m$.
At block 220, the maximum correlation degree value is retrieved from the multiple correlation degree values.
At block 224, it is determined whether $X^D$ is a normal network behavior or a malicious network behavior according to whether this maximum correlation degree value is the correlation degree value between $X^D$ and the behavior class $C_0$ or the correlation degree value between $X^D$ and one of the malicious behavior classes $C_1, C_2, \ldots, C_m$: if the maximum correlation degree value is the one between $X^D$ and $C_0$, $X^D$ is determined to be a normal network behavior, and if it is the one between $X^D$ and one of $C_1, C_2, \ldots, C_m$, $X^D$ is determined to be a malicious network behavior.
Referring now to Fig. 3, which shows a schematic diagram of the self-learning process according to one embodiment of the invention. As shown in Fig. 3, at block 300, the behavior kind to which network behavior X_e belongs is determined according to the behavioral characteristics of X_e. Here, the behavior kind may be propagation behavior, remote control behavior or attack behavior. Network behavior X_e is a known normal network behavior determined from a white list, or a known malicious network behavior determined by a signature-based virus scanning method; that is, it is already known whether X_e actually belongs to normal network behavior or malicious network behavior.
At block 304, the behavior recognition model corresponding to the behavior kind of X_e is selected: if the behavior kind of X_e is propagation behavior, behavior recognition model M1 is selected; if it is remote control behavior, behavior recognition model M2 is selected; and if it is attack behavior, behavior recognition model M3 is selected.
At block 308, based on the respective characteristic parameters of the behavior classifications C_0, C_1, C_2, ..., C_m in the selected behavior recognition model, the correlation degree values of X_e with each of C_0, C_1, C_2, ..., C_m are computed, obtaining a plurality of correlation degree values G. Here C_0 is the normal behavior classification, and C_1, C_2, ..., C_m are malicious behavior classifications.
At block 312, the maximum correlation degree value G_max is retrieved from the plurality of correlation degree values G.
At block 316, according to whether G_max is the correlation degree value of X_e with behavior classification C_0 or the correlation degree value of X_e with one of the malicious behavior classifications C_1, C_2, ..., C_m, it is determined whether X_e belongs to normal network behavior or malicious network behavior.
At block 320, it is judged whether the category determined for X_e in block 316 is the same as the category to which X_e actually belongs.
If the judgment result of block 320 is affirmative, i.e. the category determined for X_e is the same as the category to which X_e actually belongs, the flow ends.
At block 324, if the judgment result of block 320 is negative, i.e. the category determined for X_e is not the same as the category to which X_e actually belongs, the product CJ of the remaining correlation degree values in G other than G_max is computed.
At block 328, the ratio R of G_max to the product CJ is computed.
At block 332, it is judged whether the ratio R is greater than a specified threshold Th.
If the judgment result of block 332 is negative, i.e. R is not greater than the threshold Th, the flow ends.
At block 336, if the judgment result of block 332 is affirmative, i.e. R is greater than the threshold Th, network behavior X_e is used for self-learning training with an incremental learning algorithm, so as to update the behavior recognition models M1, M2 and M3. The incremental learning algorithm may be, but is not limited to, a naive Bayes incremental learning algorithm. Since performing self-learning training with X_e by means of an incremental learning algorithm in order to update M1, M2 and M3 is known to those skilled in the art, it is not described again here.
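The detection decision of block 224 and the self-learning check of blocks 300-336, as an added Python example that is not the patent's own code. The patent does not define how correlation degree values are computed or which incremental algorithm is used; the example assumes a diagonal Gaussian naive Bayes model per behavior classification, posterior probabilities as the correlation degree values, a running mean/variance update as the incremental step, and constructed model parameters and feature vectors.

```python
import math
from dataclasses import dataclass

NORMAL = 0  # behavior classification C_0; keys 1..m are malicious classifications C_1..C_m


@dataclass
class ClassParams:
    """Characteristic parameters of one behavior classification.

    Assumption (not stated in the patent): each classification is a diagonal
    Gaussian over the feature vector, so its parameters are a sample count plus
    a per-feature mean and variance.
    """
    count: int
    mean: list
    var: list


def log_likelihood(x, p):
    """log p(x | classification) under the diagonal Gaussian; variance floored."""
    ll = 0.0
    for xi, mu, v in zip(x, p.mean, p.var):
        v = max(v, 1e-6)
        ll += -0.5 * math.log(2.0 * math.pi * v) - (xi - mu) ** 2 / (2.0 * v)
    return ll


def correlation_values(model, x):
    """Block 308: correlation degree value G[c] of x with every classification c.

    Assumption: G[c] is the posterior P(c | x) with priors taken from the sample
    counts, computed in log space so that tiny likelihoods do not underflow.
    """
    total = sum(p.count for p in model.values())
    logs = {c: log_likelihood(x, p) + math.log(p.count / total) for c, p in model.items()}
    top = max(logs.values())
    z = sum(math.exp(v - top) for v in logs.values())
    return {c: math.exp(v - top) / z for c, v in logs.items()}


def classify(G):
    """Blocks 312-316 (and block 224 of the detection flow): take G_max; the
    behavior is malicious unless the maximum belongs to C_0."""
    c_max = max(G, key=G.get)
    return c_max, c_max != NORMAL


def should_retrain(G, predicted_malicious, actual_malicious, th):
    """Blocks 320-332: only a misclassified sample is considered, and it triggers
    retraining only if R = G_max / CJ exceeds the threshold Th, where CJ is the
    product of the remaining correlation degree values. Returns (decision, R)."""
    if predicted_malicious == actual_malicious:
        return False, None            # block 320 affirmative: flow ends
    c_max = max(G, key=G.get)
    cj = 1.0
    for c, g in G.items():            # block 324
        if c != c_max:
            cj *= g
    if cj == 0.0:                     # degenerate output: treat the ratio as unbounded
        return True, math.inf
    r = G[c_max] / cj                 # block 328
    return r > th, r                  # block 332


def incremental_update(p, x):
    """Block 336 (assumed form of the incremental step): fold one sample into the
    running mean/variance of its true classification (Welford update)."""
    n = p.count + 1
    mean, var = [], []
    for xi, mu, v in zip(x, p.mean, p.var):
        delta = xi - mu
        mu_new = mu + delta / n
        var.append((v * (n - 1) + delta * (xi - mu_new)) / n)
        mean.append(mu_new)
    return ClassParams(n, mean, var)


def self_learn(model, x, actual_class, th):
    """One Fig. 3 pass for a sample whose true class is known. Mutates `model`
    only when the patent's retraining condition holds; returns a decision record."""
    G = correlation_values(model, x)
    predicted, predicted_malicious = classify(G)
    retrain, r = should_retrain(G, predicted_malicious, actual_class != NORMAL, th)
    if retrain:
        model[actual_class] = incremental_update(model[actual_class], x)
    return {"G": G, "predicted": predicted, "ratio": r, "retrained": retrain}


# Constructed model M1 (propagation behavior): C_0 normal, C_1 and C_2 malicious.
# Feature vector (assumed): [connections per minute, distinct destination ports].
SAMPLE_MODEL = {
    0: ClassParams(count=50, mean=[2.0, 1.0], var=[1.0, 0.5]),
    1: ClassParams(count=20, mean=[40.0, 30.0], var=[25.0, 16.0]),
    2: ClassParams(count=10, mean=[15.0, 2.0], var=[9.0, 1.0]),
}

if __name__ == "__main__":
    m = {c: ClassParams(p.count, list(p.mean), list(p.var)) for c, p in SAMPLE_MODEL.items()}
    # A sample known to be malicious (class 2) that the model would call normal.
    print(self_learn(m, [4.0, 1.5], actual_class=2, th=10.0))
```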
As can be seen from the above description, the scheme of the embodiments of the invention divides network behavior into two or more behavior classifications comprising a normal behavior classification and several malicious behavior classifications, instead of dividing it into only two behavior classifications, a normal behavior classification and a malicious behavior classification, as in the prior art. The finer the division of network behavior into classifications, the less the behaviors of different classifications interfere with one another and the more accurate the detection of the behavior to be detected; therefore, the scheme of the embodiments of the invention can improve the accuracy of malicious network behavior detection.
In addition, the scheme of the embodiments of the invention also divides network behavior into different behavior kinds, which likewise reduces the mutual interference between behaviors of different kinds and thus can further improve detection accuracy.
Other modifications
Those skilled in the art will appreciate that although in the above embodiments the behavior kinds are propagation behavior, remote control behavior and attack behavior, the invention is not limited thereto. In some other embodiments of the invention, the behavior kinds may be only two of propagation behavior, remote control behavior and attack behavior; or, in addition to one, two or all of propagation behavior, remote control behavior and attack behavior, the behavior kinds may also include behavior kinds of other forms. Alternatively, since the behaviors included in each of propagation behavior, remote control behavior and attack behavior can be divided into a plurality of sub-kinds, these sub-kinds can themselves be treated as behavior kinds, so that behavior is divided into more behavior kinds.
Those skilled in the art will appreciate that although in the above embodiments network behavior is divided into different behavior kinds and a behavior recognition model is established for each behavior kind, the invention is not limited thereto. In some other embodiments of the invention, network behavior may not be divided into a plurality of behavior kinds with a plurality of behavior recognition models; instead, only one behavior recognition model is established, which comprises the respective characteristic parameters of each behavior classification.
Those skilled in the art will appreciate that although in the above embodiments the behavior analysis process comprises checking whether the network behavior to be detected is malicious network behavior using a white list and a signature-based virus scanning method, the invention is not limited thereto. In some other embodiments of the invention, the behavior analysis process may omit the check of the network behavior to be detected using a white list and/or a signature-based virus scanning method. Those skilled in the art will also appreciate that although in the above embodiments the method for detecting malicious network behavior comprises a multi-classifier training process to obtain the behavior recognition models, the invention is not limited thereto. In some other embodiments of the invention, the method may not comprise a multi-classifier training process, in which case the behavior recognition models are provided by other means.
Those skilled in the art will appreciate that although in the above embodiments the method for detecting malicious network behavior comprises a self-learning process, the invention is not limited thereto. In some other embodiments of the invention, the method may not comprise a self-learning process.
Those skilled in the art will appreciate that the method for detecting malicious network behavior of the invention is applicable not only to the mobile Internet but also to other types of network.
Referring now to Fig. 4, which shows a schematic diagram of the device for detecting malicious network behavior according to one embodiment of the invention. The device shown in Fig. 4 may be implemented in hardware, in software, or in a combination of hardware and software.
As shown in Fig. 4, the device 400 for detecting malicious network behavior may comprise a computing module 404 and a determination module 408. The computing module 404 is for calculating, according to the respective characteristic parameters of a plurality of behavior classifications, the correlation degree value of the network behavior to be detected with each of the plurality of behavior classifications, to obtain a plurality of correlation degree values, wherein the plurality of behavior classifications comprise a normal behavior classification and several malicious behavior classifications, and the respective characteristic parameters of the plurality of behavior classifications are obtained by training in advance using known malicious network behaviors and normal network behaviors as training samples. The determination module 408 is for determining, according to whether the maximum correlation degree value among the plurality of correlation degree values is the correlation degree value of the network behavior to be detected with the normal behavior classification or the correlation degree value of the network behavior to be detected with one of the several malicious behavior classifications, whether the network behavior to be detected belongs to normal network behavior or malicious network behavior.
In one implementation, the device 400 may further comprise a judging module 412 and a selection module 416. The judging module 412 is for judging, according to the behavioral characteristics of the network behavior to be detected, the behavior kind to which the network behavior to be detected belongs. The selection module 416 is for selecting, from a plurality of behavior recognition models each corresponding to a different behavior kind, the behavior recognition model corresponding to the judged behavior kind, wherein each of the plurality of behavior recognition models comprises the respective characteristic parameters of the plurality of behavior classifications. The computing module 404 is further for calculating, according to the respective characteristic parameters of the plurality of behavior classifications comprised in the selected behavior recognition model, the correlation degree value of the network behavior to be detected with each of the plurality of behavior classifications, to obtain the plurality of correlation degree values.
In another implementation, the device 400 may further comprise a division module 420, a clustering module 424 and a training module 428. The division module 420 is for dividing the known malicious network behaviors and normal network behaviors serving as the training samples into a plurality of behavior groups, wherein the network behaviors in each behavior group belong to the same behavior kind. The clustering module 424 is for clustering, with a clustering algorithm, the network behaviors included in each behavior group of the plurality of behavior groups into a plurality of behavior subgroups, wherein the network behaviors included in each subgroup belong to one of the plurality of behavior classifications. The training module 428 is for training, with a multi-classifier training algorithm, on the network behaviors in each subgroup included in each behavior group of the plurality of behavior groups, to obtain the plurality of behavior recognition models.
In yet another implementation, the category determined for the network behavior to be detected is not the same as the category to which the network behavior to be detected actually belongs, and the device 400 may further comprise a multiplication module 432, a checking module 436 and an update module 440. The multiplication module 432 is for calculating the product of the other probabilities in the plurality of correlation degree values except the maximum correlation degree value. The checking module 436 is for checking whether the ratio of the maximum correlation degree value to the calculated product is greater than a specified threshold. The update module 440 is for, if the check result is affirmative, using the network behavior to be detected for self-learning training with an incremental learning algorithm, so as to update the plurality of behavior recognition models.
Referring now to Fig. 5, which shows a schematic diagram of the equipment for detecting malicious network behavior according to one embodiment of the invention. As shown in Fig. 5, the equipment 500 may comprise a memory 510 and a processor 520 connected to the memory 510. The processor 520 can perform the operations performed by the modules of the aforementioned device 400.
The embodiments of the invention also provide a machine-readable medium storing executable instructions which, when executed, cause a machine to perform the operations performed by the processor 520.
Those skilled in the art will appreciate that various changes and modifications can be made to the disclosed embodiments without departing from the essence of the invention. Therefore, the scope of protection of the invention should be defined by the appended claims.

Claims (11)

1. A method for detecting malicious network behavior, comprising:
calculating, according to respective characteristic parameters of a plurality of behavior classifications, a correlation degree value of a network behavior to be detected with each of the plurality of behavior classifications, to obtain a plurality of correlation degree values, wherein the plurality of behavior classifications comprise a normal behavior classification and at least one malicious behavior classification, and the respective characteristic parameters of the plurality of behavior classifications are obtained by training in advance using known malicious network behaviors and normal network behaviors as training samples; and
determining, according to whether the maximum correlation degree value among the plurality of correlation degree values is the correlation degree value of the network behavior to be detected with the normal behavior classification or the correlation degree value of the network behavior to be detected with one of the at least one malicious behavior classification, whether the behavior to be detected belongs to normal network behavior or malicious network behavior.
2. the method for claim 1, wherein also comprise:
According to the behavioral characteristic of described network behavior to be detected, judge the behavior kind belonging to described network behavior to be detected; And
From the multiple Activity recognition models corresponding respectively to different behavior kinds, select the Activity recognition model corresponding with judged behavior kind, wherein, each of described multiple Activity recognition model comprises described multiple behavior classifications characteristic parameter separately,
Wherein, described calculating comprises further: the described multiple behavior classifications characteristic parameter separately comprised according to selected Activity recognition model, calculate the correlation degree value of each of described behavior to be detected and described multiple behavior classification, obtain described multiple correlation degree value.
3. The method of claim 2, further comprising:
dividing the known malicious network behaviors and normal network behaviors serving as the training samples into a plurality of behavior groups, wherein the network behaviors in each behavior group belong to the same behavior kind;
clustering, with a clustering algorithm, the network behaviors included in each behavior group of the plurality of behavior groups into a plurality of behavior subgroups, wherein the network behaviors included in each subgroup belong to one of the plurality of behavior classifications; and
training, with a multi-classifier training algorithm, on the network behaviors in each subgroup included in each behavior group of the plurality of behavior groups, to obtain the plurality of behavior recognition models.
4. The method of claim 3, wherein
the category determined for the network behavior to be detected is not the same as the category to which the network behavior to be detected actually belongs, and
the method further comprises:
calculating the product of the other correlation degree values in the plurality of correlation degree values except the maximum correlation degree value;
checking whether the ratio of the maximum correlation degree value to the calculated product is greater than a specified threshold; and
if the check result is affirmative, using the network behavior to be detected for self-learning training with an incremental learning algorithm, so as to update the plurality of behavior recognition models.
5. The method of claim 2, wherein the behavior kinds comprise propagation behavior, remote control behavior and attack behavior.
6. A device for detecting malicious network behavior, comprising:
a computing module, for calculating, according to respective characteristic parameters of a plurality of behavior classifications, a correlation degree value of a network behavior to be detected with each of the plurality of behavior classifications, to obtain a plurality of correlation degree values, wherein the plurality of behavior classifications comprise a normal behavior classification and at least one malicious behavior classification, and the respective characteristic parameters of the plurality of behavior classifications are obtained by training in advance using known malicious network behaviors and normal network behaviors as training samples; and
a determination module, for determining, according to whether the maximum correlation degree value among the plurality of correlation degree values is the correlation degree value of the network behavior to be detected with the normal behavior classification or the correlation degree value of the network behavior to be detected with one of the at least one malicious behavior classification, whether the behavior to be detected belongs to normal network behavior or malicious network behavior.
7. The device of claim 6, further comprising:
a judging module, for judging, according to behavioral characteristics of the network behavior to be detected, the behavior kind to which the network behavior to be detected belongs; and
a selection module, for selecting, from a plurality of behavior recognition models each corresponding to a different behavior kind, the behavior recognition model corresponding to the judged behavior kind, wherein each of the plurality of behavior recognition models comprises the respective characteristic parameters of the plurality of behavior classifications,
wherein the computing module is further for calculating, according to the respective characteristic parameters of the plurality of behavior classifications comprised in the selected behavior recognition model, the correlation degree value of the behavior to be detected with each of the plurality of behavior classifications, to obtain the plurality of correlation degree values.
8. The device of claim 7, further comprising:
a division module, for dividing the known malicious network behaviors and normal network behaviors serving as the training samples into a plurality of behavior groups, wherein the network behaviors in each behavior group belong to the same behavior kind;
a clustering module, for clustering, with a clustering algorithm, the network behaviors included in each behavior group of the plurality of behavior groups into a plurality of behavior subgroups, wherein the network behaviors included in each subgroup belong to one of the plurality of behavior classifications; and
a training module, for training, with a multi-classifier training algorithm, on the network behaviors in each subgroup included in each behavior group of the plurality of behavior groups, to obtain the plurality of behavior recognition models.
9. The device of claim 8, wherein
the category determined for the network behavior to be detected is not the same as the category to which the network behavior to be detected actually belongs, and
the device further comprises:
a multiplication module, for calculating the product of the other correlation degree values in the plurality of correlation degree values except the maximum correlation degree value;
a checking module, for checking whether the ratio of the maximum correlation degree value to the calculated product is greater than a specified threshold; and
an update module, for, if the check result is affirmative, using the network behavior to be detected for self-learning training with an incremental learning algorithm, so as to update the plurality of behavior recognition models.
10. An equipment for detecting malicious network behavior, comprising:
a memory; and
a processor connected to the memory, for performing the operations included in any one of claims 1-5.
11. A machine-readable medium storing executable instructions which, when executed, cause a machine to perform the operations performed by the processor of claim 10.
CN201310461795.1A 2013-09-30 2013-09-30 A kind of method and apparatus for hostile network behavioral value Active CN104519031B (en)

Publications (2)

Publication Number Publication Date
CN104519031A true CN104519031A (en) 2015-04-15
CN104519031B CN104519031B (en) 2018-03-09

Family

ID=52793768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310461795.1A Active CN104519031B (en) 2013-09-30 2013-09-30 A kind of method and apparatus for hostile network behavioral value

Country Status (1)

Country Link
CN (1) CN104519031B (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105426760A (en) * 2015-11-05 2016-03-23 工业和信息化部电信研究院 Detection method and apparatus for malicious android application
CN105760897A (en) * 2016-03-21 2016-07-13 合肥赛猊腾龙信息技术有限公司 Method and device for classifying files by using credibility classifier
CN105847302A (en) * 2016-05-31 2016-08-10 北京奇艺世纪科技有限公司 Abnormity detection method and device
CN106209845A (en) * 2016-07-12 2016-12-07 国家计算机网络与信息安全管理中心 A kind of malicious HTTP based on Bayesian Learning Theory request decision method
CN106469276A (en) * 2015-08-19 2017-03-01 阿里巴巴集团控股有限公司 The kind identification method of data sample and device
CN106777024A (en) * 2016-12-08 2017-05-31 北京小米移动软件有限公司 Recognize the method and device of malicious user
WO2017206499A1 (en) * 2016-05-31 2017-12-07 华为技术有限公司 Network attack detection method and attack detection apparatus
CN107528859A (en) * 2017-09-29 2017-12-29 北京神州绿盟信息安全科技股份有限公司 The defence method and equipment of a kind of ddos attack
CN107707547A (en) * 2017-09-29 2018-02-16 北京神州绿盟信息安全科技股份有限公司 The detection method and equipment of a kind of ddos attack
CN107832413A (en) * 2017-11-07 2018-03-23 电子科技大学 A kind of detection method of microblogging inactive users
CN108234472A (en) * 2017-12-28 2018-06-29 北京百度网讯科技有限公司 Detection method and device, computer equipment and the readable medium of Challenging black hole attack
CN108540472A (en) * 2018-04-08 2018-09-14 南京邮电大学 Android beats again packet malicious application detection device
CN108769079A (en) * 2018-07-09 2018-11-06 四川大学 A kind of Web Intrusion Detection Techniques based on machine learning
CN109067722A (en) * 2018-07-24 2018-12-21 湖南大学 A kind of LDoS detection method based on two steps cluster and detection lug analysis joint algorithm
CN109460784A (en) * 2018-10-22 2019-03-12 武汉极意网络科技有限公司 Access behavioural characteristic method for establishing model, equipment, storage medium and device
CN109587248A (en) * 2018-12-06 2019-04-05 腾讯科技(深圳)有限公司 User identification method, device, server and storage medium
CN109936525A (en) * 2017-12-15 2019-06-25 阿里巴巴集团控股有限公司 A kind of abnormal account preventing control method, device and equipment based on graph structure model
CN110532773A (en) * 2018-05-25 2019-12-03 阿里巴巴集团控股有限公司 Malicious access Activity recognition method, data processing method, device and equipment
WO2020010461A1 (en) * 2018-07-12 2020-01-16 Cyber Defence Qcd Corporation Systems and methods of cyber-monitoring which utilizes a knowledge database
WO2020062731A1 (en) * 2018-09-25 2020-04-02 平安科技(深圳)有限公司 Method and apparatus for updating white list based on cost function, and electronic device
CN110955890A (en) * 2018-09-26 2020-04-03 瑞数信息技术(上海)有限公司 Method and device for detecting malicious batch access behaviors and computer storage medium
CN111918280A (en) * 2019-05-07 2020-11-10 华为技术有限公司 Terminal information processing method, device and system
CN116341824A (en) * 2023-02-01 2023-06-27 江苏瑞莫德电气科技有限公司 Intelligent power grid transformer substation management system and method based on cloud computing

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060037077A1 (en) * 2004-08-16 2006-02-16 Cisco Technology, Inc. Network intrusion detection system having application inspection and anomaly detection characteristics
CN102571486A (en) * 2011-12-14 2012-07-11 上海交通大学 Traffic identification method based on bag of word (BOW) model and statistic features
CN102821002A (en) * 2011-06-09 2012-12-12 中国移动通信集团河南有限公司信阳分公司 Method and system for network flow anomaly detection

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060037077A1 (en) * 2004-08-16 2006-02-16 Cisco Technology, Inc. Network intrusion detection system having application inspection and anomaly detection characteristics
CN102821002A (en) * 2011-06-09 2012-12-12 中国移动通信集团河南有限公司信阳分公司 Method and system for network flow anomaly detection
CN102571486A (en) * 2011-12-14 2012-07-11 上海交通大学 Traffic identification method based on bag of word (BOW) model and statistic features

Cited By (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106469276B (en) * 2015-08-19 2020-04-07 阿里巴巴集团控股有限公司 Type identification method and device of data sample
CN106469276A (en) * 2015-08-19 2017-03-01 阿里巴巴集团控股有限公司 The kind identification method of data sample and device
CN105426760A (en) * 2015-11-05 2016-03-23 工业和信息化部电信研究院 Detection method and apparatus for malicious android application
CN105760897A (en) * 2016-03-21 2016-07-13 合肥赛猊腾龙信息技术有限公司 Method and device for classifying files by using credibility classifier
CN105760897B (en) * 2016-03-21 2019-08-20 合肥赛猊腾龙信息技术有限公司 A kind of method and device carrying out document classification using confidence level classifier
WO2017206499A1 (en) * 2016-05-31 2017-12-07 华为技术有限公司 Network attack detection method and attack detection apparatus
CN105847302B (en) * 2016-05-31 2019-04-12 北京奇艺世纪科技有限公司 A kind of method for detecting abnormality and device
CN105847302A (en) * 2016-05-31 2016-08-10 北京奇艺世纪科技有限公司 Abnormity detection method and device
CN106209845A (en) * 2016-07-12 2016-12-07 国家计算机网络与信息安全管理中心 A kind of malicious HTTP based on Bayesian Learning Theory request decision method
CN106777024A (en) * 2016-12-08 2017-05-31 北京小米移动软件有限公司 Recognize the method and device of malicious user
CN107528859A (en) * 2017-09-29 2017-12-29 北京神州绿盟信息安全科技股份有限公司 The defence method and equipment of a kind of ddos attack
CN107707547A (en) * 2017-09-29 2018-02-16 北京神州绿盟信息安全科技股份有限公司 The detection method and equipment of a kind of ddos attack
CN107528859B (en) * 2017-09-29 2020-07-10 北京神州绿盟信息安全科技股份有限公司 Defense method and device for DDoS attack
CN107832413A (en) * 2017-11-07 2018-03-23 电子科技大学 A kind of detection method of microblogging inactive users
CN109936525A (en) * 2017-12-15 2019-06-25 阿里巴巴集团控股有限公司 A kind of abnormal account preventing control method, device and equipment based on graph structure model
US11223644B2 (en) 2017-12-15 2022-01-11 Advanced New Technologies Co., Ltd. Graphical structure model-based prevention and control of abnormal accounts
US11102230B2 (en) 2017-12-15 2021-08-24 Advanced New Technologies Co., Ltd. Graphical structure model-based prevention and control of abnormal accounts
CN108234472A (en) * 2017-12-28 2018-06-29 北京百度网讯科技有限公司 Detection method and device, computer equipment and the readable medium of Challenging black hole attack
CN108540472A (en) * 2018-04-08 2018-09-14 南京邮电大学 Android beats again packet malicious application detection device
CN110532773A (en) * 2018-05-25 2019-12-03 阿里巴巴集团控股有限公司 Malicious access Activity recognition method, data processing method, device and equipment
CN110532773B (en) * 2018-05-25 2023-04-07 阿里巴巴集团控股有限公司 Malicious access behavior identification method, data processing method, device and equipment
CN108769079A (en) * 2018-07-09 2018-11-06 四川大学 A kind of Web Intrusion Detection Techniques based on machine learning
WO2020010461A1 (en) * 2018-07-12 2020-01-16 Cyber Defence Qcd Corporation Systems and methods of cyber-monitoring which utilizes a knowledge database
US12003515B2 (en) 2018-07-12 2024-06-04 Cyber Defence Qcd Corporation Systems and method of cyber-monitoring which utilizes a knowledge database
CN109067722B (en) * 2018-07-24 2020-10-27 湖南大学 LDoS detection method based on two-step clustering and detection piece analysis combined algorithm
CN109067722A (en) * 2018-07-24 2018-12-21 湖南大学 A kind of LDoS detection method based on two steps cluster and detection lug analysis joint algorithm
WO2020062731A1 (en) * 2018-09-25 2020-04-02 平安科技(深圳)有限公司 Method and apparatus for updating white list based on cost function, and electronic device
CN110955890A (en) * 2018-09-26 2020-04-03 瑞数信息技术(上海)有限公司 Method and device for detecting malicious batch access behaviors and computer storage medium
CN110955890B (en) * 2018-09-26 2021-08-17 瑞数信息技术(上海)有限公司 Method and device for detecting malicious batch access behaviors and computer storage medium
CN109460784A (en) * 2018-10-22 2019-03-12 武汉极意网络科技有限公司 Access behavioural characteristic method for establishing model, equipment, storage medium and device
CN109587248A (en) * 2018-12-06 2019-04-05 腾讯科技(深圳)有限公司 User identification method, device, server and storage medium
CN109587248B (en) * 2018-12-06 2023-08-29 腾讯科技(深圳)有限公司 User identification method, device, server and storage medium
CN111918280B (en) * 2019-05-07 2022-07-22 华为技术有限公司 Terminal information processing method, device and system
WO2020224509A1 (en) * 2019-05-07 2020-11-12 华为技术有限公司 Method, device and system for processing terminal information
CN111918280A (en) * 2019-05-07 2020-11-10 华为技术有限公司 Terminal information processing method, device and system
CN116341824A (en) * 2023-02-01 2023-06-27 江苏瑞莫德电气科技有限公司 Intelligent power grid transformer substation management system and method based on cloud computing

Also Published As

Publication number Publication date
CN104519031B (en) 2018-03-09

Similar Documents

Publication Publication Date Title
CN104519031A (en) Method and device for detecting malicious network behaviors
US12041064B2 (en) Method and system for classifying data objects based on their network footprint
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
Cao et al. Aiding the detection of fake accounts in large scale social online services
Kolias et al. TermID: A distributed swarm intelligence-based approach for wireless intrusion detection
Singh et al. An edge based hybrid intrusion detection framework for mobile edge computing
US11516240B2 (en) Detection of anomalies associated with fraudulent access to a service platform
Alheeti et al. Hybrid intrusion detection in connected self-driving vehicles
Goncalves et al. A systematic review on intelligent intrusion detection systems for VANETs
CN103944887B (en) Intrusion event detection method based on hidden conditional random fields
US10419449B1 (en) Aggregating network sessions into meta-sessions for ranking and classification
Mohammadpour et al. A mean convolutional layer for intrusion detection system
Wang et al. Network anomaly detection: A survey and comparative analysis of stochastic and deterministic methods
Wang et al. An intrusion detection method based on log sequence clustering of honeypot for modbus tcp protocol
Juárez et al. WTF-PAD: toward an efficient website fingerprinting defense for tor
Lazar et al. IMDoC: identification of malicious domain campaigns via DNS and communicating files
CN110598794A (en) Classified countermeasure network attack detection method and system
Mustafa et al. Feature selection for phishing website by using naive bayes classifier
Drozdenko et al. Utilizing Deep Learning Techniques to Detect Zero Day Exploits in Network Traffic Flows
Anil A zero-trust security framework for granular insight on blind spot and comprehensive device protection in the enterprise of internet of things (e-iot)
CN110912933B (en) Equipment identification method based on passive measurement
Bhuyan et al. Towards an unsupervised method for network anomaly detection in large datasets
He et al. Identifying mobile applications for encrypted network traffic
Shukla et al. Analysis and detection of outliers due to data falsification attacks in vehicular traffic prediction application
Habeeb et al. Enhancing Security and Performance in Vehicular Adhoc Networks: A Machine Learning Approach to Combat Adversarial Attacks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant