CN105468995A - Data mining based invasion detection system with Oracle as core - Google Patents



Publication number: CN105468995A
Authority: CN (China)
Legal status: Pending
Application number: CN201510937871.0A
Original language: Chinese (zh)
Inventors:
张帆
冉祥金
尚燕京
魏昌兴
张丰
Current assignee: Jilin University
Original assignee: Jilin University
Priority date: 2015-12-15
Filing date: 2015-12-15
Publication date: 2016-04-06
2015-12-15: Application filed by Jilin University
2015-12-15: Priority to CN201510937871.0A
2016-04-06: Publication of CN105468995A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G06F16/211 Schema design and management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/254 Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses


Abstract

The invention relates to an intrusion detection system, in particular to a data-mining-based intrusion detection system with Oracle as its core. The system comprises a data sensor module, an ETL module, a data warehouse module, a model generation and distribution module, an intrusion detection module and a data visualization module. Data conversion and storage, model generation and release, and intrusion detection and alerting are all realized inside an Oracle database, and real-time detection and offline detection are unified. This ensures the security and homogeneity of the data and the system response time, integrates model generation, model storage, model updating and detection alerting, solves the problems of current systems that do not have a database as their core, and improves the security of the whole network.

Description

Data-mining-based intrusion detection system with Oracle as its core
Technical field
The present invention relates to intrusion detection systems, and specifically to a data-mining-based intrusion detection system with Oracle as its core.
Background
Network security has become an important component of social security, and network intrusion detection systems (Intrusion Detection System, hereinafter IDS) play a critical role in protecting government and enterprise information security. Attacks of all kinds are now frequent and new attack patterns emerge endlessly. A 2013 survey by B2B International and Kaspersky Lab showed that in the preceding year 91% of the surveyed enterprises had suffered at least one network attack, 9% had suffered well-designed targeted attacks, and guerrilla-style attacks, represented by the Icefog attack, had appeared. Society's requirements for network intrusion detection systems keep rising.
In recent years, IDSs based on data mining (machine learning) have been shown to achieve high accuracy in attack identification, to generalize well to unknown attack types, and to be somewhat robust to changes in the network environment. At present, however, designing and implementing a high-quality application system faces great challenges: data conversion, model implementation and distributed detection all involve complex engineering problems, the detected data is hard to store and analyse, and extra database facilities have to be added.
To solve these problems a new kind of IDS is needed. The system must be reliable, extensible and self-learning, easy to manage, and low in maintenance cost.
Summary of the invention
The present invention addresses the deficiencies of the prior art by providing a data-mining-based intrusion detection system with Oracle as its core, which improves the security, reliability, extensibility and self-learning ability of the IDS and makes the whole system easier to implement and manage.
The present invention adopts the following technical scheme:
A data-mining-based intrusion detection system with Oracle as its core comprises a data sensor module, an ETL module, a data warehouse module, a model generation and distribution module, an intrusion detection module and a data visualization module. The data sensor module comprises a network data sensor and a host information sensor and collects traffic flow information of various types. The ETL module pre-processes the data submitted by the data sensors, extracts feature vectors and converts the data. The data warehouse module comprises a detection database and a model database; the detection database stores data from the various data sources, and the model database is mainly used to store detection models. The model generation and distribution module performs anomaly detection and misuse detection. The intrusion detection module is divided into real-time detection and offline detection. The data visualization module is divided into a real-time alert module and a report analysis module; the real-time alert module raises real-time alerts on malicious and abnormal behaviour, and the report analysis module provides result interpretation, statistics, reports and charts.
Preferably, the traffic flow information comprises network flow data, host system logs, system process calls, and CPU and memory usage.
Preferably, the ETL module is implemented primarily with SQL and user-defined functions.
Preferably, real-time detection is performed on the real-time data produced by ETL inside the Oracle database, with SQL handing the data directly to the model for detection.
Preferably, offline detection analyses the data stored in the data warehouse to evaluate model performance, analyse the number and types of malicious behaviours, and help analyse abnormal behaviour patterns.
Preferably, the real-time alert module uses Oracle database triggers to raise various predefined alerts: the type, time, address and other relevant information of a detected intrusion is written to a designated table and notified in real time in the browser GUI, or handled automatically according to a predefined plan.
Preferably, the report analysis module uses the Discoverer and Oracle Reports tools to query and visualize models and detection results.
Compared with the prior art, the present invention has the following beneficial effects:
1. Building an intrusion detection system with an Oracle database as its core is novel; the prototype and the application system are implemented independently according to the architecture proposed for Oracle.
2. Data conversion and data storage are integrated for the first time: both are realized by the Oracle DBMS, which ensures the security and homogeneity of the data and the system response time.
3. Model generation, model storage and model updating are integrated: models are generated and stored in Oracle and its associated components, and the self-learning and model updating functions are developed on the Oracle platform.
4. Distributed processing of models is very convenient: Oracle RAC is used to build a server cluster, which realizes resource sharing and greatly improves the flexibility, extensibility and performance of the system.
5. Real-time detection and offline detection are integrated: Oracle's powerful data storage capacity is used for offline detection, which completes model performance evaluation and analysis of the number and types of malicious behaviours, and helps analyse abnormal behaviour patterns.
6. The alert mechanism and analysis reports are visualized; the Oracle associated components make the visualization functions easy to implement.
7. It lays the foundation for future big data analysis, solves the problems of current systems that do not have a database as their core, and helps improve the security of the whole network.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below; obviously, those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Fig. 1 is a schematic diagram of the composition of the system of the present invention;
Fig. 2 is a partially enlarged view of the composition of the system;
Fig. 3 is the overall flowchart of the data sensor module of the present invention;
Fig. 4 is a schematic diagram of data processing with and without dimensionality reduction;
Fig. 5 is the modified KDD'99 data diagram of the present invention.
Embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions are described clearly and completely below with reference to the drawings of the embodiments. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative work fall within the scope of protection of the invention.
As shown in Fig. 1, a data-mining-based intrusion detection system with Oracle as its core comprises a data sensor module, an ETL module, a data warehouse module, a model generation and distribution module, an intrusion detection module and a data visualization module. The data sensor module comprises a network data sensor and a host information sensor and collects traffic flow information of various types. The ETL module pre-processes the data submitted by the data sensors, extracts feature vectors and converts the data. The data warehouse module comprises a detection database and a model database; the detection database stores data from the various data sources, and the model database is mainly used to store detection models. The model generation and distribution module performs anomaly detection and misuse detection. The intrusion detection module is divided into real-time detection and offline detection. The data visualization module is divided into a real-time alert module and a report analysis module; the real-time alert module raises real-time alerts on malicious and abnormal behaviour, and the report analysis module provides result interpretation, statistics, reports and charts.
Working principle: the data sensors first collect traffic flow information of various types with independently written C++ programs, including network flow data, host system logs, system process calls, and CPU and memory usage, and submit the data to the Oracle DBMS for further processing. The ETL module pre-processes the data submitted by the sensors, extracts feature vectors and converts (normalizes) the data so that the data mining model can judge its class. After ETL processing, the data in the data warehouse, which consists of the model base and the detection database and is built from database views and materialized views, can be used directly for model analysis. The detection model is the core module of the whole system: detection models based on data mining technology perform anomaly detection and misuse detection, the main techniques being association rules, k-means clustering, support vector machines and decision trees. The efficient and stable data mining tools integrated in Oracle generate models from the data in the warehouse; the detection models are implemented with SVM and decision trees, the DARPA intrusion detection data set (KDD'99) is used as training samples, and the models are optimized with genetic algorithms, artificial neural networks (ANN) and the like. At the same time, the data mining module integrated inside the Oracle database ensures the security and homogeneity of the data, and the distribution and upgrading of models are realized by Oracle's internal automatic scheduling mechanism and triggers. The intrusion detection module implements both real-time detection and offline detection: real-time detection is performed on the real-time data produced by ETL inside the Oracle database, with SQL handing the data directly to the model for detection, while offline detection analyses the data stored in the data warehouse to evaluate model performance, analyse the number and types of malicious behaviours, and help analyse abnormal behaviour patterns. The data visualization module is divided into a real-time alert module and a report analysis module. The real-time alert module uses Oracle database triggers to raise various predefined alerts: the type, time, address and other relevant information of a detected intrusion is written to a designated table and notified in real time in the browser GUI, or handled automatically according to a predefined plan. The report analysis module provides result interpretation, statistics, reports and charts, using the Discoverer and Oracle Reports tools to query and visualize models and detection results.
The modules of the system are as follows:
1. Data sensor module
The data sensor module comprises a network data sensor and a host information sensor and collects traffic flow information of various types, including network flow data, host system logs, system process calls, and CPU and memory usage, and submits the data to the Oracle DBMS for further processing. The module requires software that captures, parses and structures network packets with real-time performance and accuracy. In this module the data sensors run on the Windows operating system and capture network packets with WinPcap.
Preparation:
WinPcap: first download and install WinPcap, then configure the development tool to use the WinPcap library.
OCILib: there are currently three ways to operate an Oracle database from code: through ADO, directly through the API provided by the Oracle database, and through a third-party library that wraps OCI. Popular third-party libraries include OraLib, OCILib and OCL. This module uses the third method, a third-party wrapper of OCI, and selects the most popular one, OCILib, for fast access to the Oracle database.
1.1 Architecture of the data sensor module
1.1.1 WinPcap background
The WinPcap toolkit provides many easy-to-use functions; the ones mainly used in the design of the data sensor module are:
pcap_findalldevs_ex, to obtain the list of local devices;
pcap_open, to open a device, which may be opened in promiscuous mode;
pcap_compile, to compile a packet filter;
pcap_setfilter, to install the packet filter;
pcap_next_ex, to read packets from the device;
pcap_close, to close the device (its parameter is the value returned by pcap_open).
A network adapter has four operating modes:
Broadcast mode: receives broadcast frames.
Multicast mode: receives all multicast frames.
Unicast mode, also the normal mode: receives only frames whose destination address is the adapter's own MAC address.
Promiscuous mode: receives all frames passing through the network card.
In the present system, in order to monitor the traffic of all hosts in the network, the adapter's operating mode must be set to promiscuous mode.
1.1.2 Overall architecture
The overall flowchart of this part of the system is shown in Fig. 3.
In Fig. 3, the system is told to capture data from a particular network adapter. It first calls the WinPcap function pcap_findalldevs_ex and lists all network interfaces for the user to choose from. After the user selects an adapter and issues the start-capture command, the system starts the CapThread thread, which calls pcap_open to open the selected adapter in promiscuous mode, as follows:
The third parameter of pcap_open specifies the operating mode of the adapter; here it is set to PCAP_OPENFLAG_PROMISCUOUS, i.e. 1. Note: even if the adapter's mode is set to normal (unicast) mode, if another application has set the adapter to promiscuous mode, it remains in promiscuous mode in the present program.
Next, the system sets the packet filter: the filter is compiled with pcap_compile and installed with pcap_setfilter, so that only packets of the specified type are captured. The system then calls pcap_next_ex in a loop to read the packets received by the adapter, calls the global function StorePacket to keep each packet in the global chain g_vPacketChain, and at the same time calls the global function StorePacketIntoOracle to persist the packet in the Oracle database. Before storing, the OCILib interface function OCI_IsConnected(con) is used to check whether the database is connected; if it returns false, StorePacketIntoOracle returns immediately without storing.
When the user issues the "stop capture" command, the system calls pcap_close to close the opened adapter and stops capturing packets.
2. ETL module
The ETL module is divided into three parts: it pre-processes the data submitted by the sensors, extracts feature vectors and converts (normalizes) the data so that the data mining model can judge its class. The ETL module is implemented primarily with SQL and user-defined functions and should have a degree of flexibility and high efficiency.
3. Data warehouse
The data warehouse mainly comprises a detection database, which stores data from the various data sources, and a model database, which is mainly used to store detection models. After ETL processing, the data in the warehouse, which consists of the model base and the detection database and is built from database views and materialized views, can be used directly for model analysis. A data warehouse implemented with Oracle should provide security, high availability, high load capacity and fast response times.
4. Model generation and distribution module
The detection model is the core module of the whole system; detection models based on data mining technology perform anomaly detection and misuse detection. The main techniques are association rules, k-means clustering, support vector machines and decision trees; the efficient and stable data mining tools integrated in Oracle generate models from the data in the warehouse. The detection models are implemented with SVM and decision trees, the DARPA intrusion detection data set (KDD'99) is used as training samples, and the models are optimized with genetic algorithms, artificial neural networks (ANN) and the like. The data mining module integrated inside the Oracle database ensures the security and homogeneity of the data.
The detailed process is as follows:
(1) Model training data set
The conventional KDD'99 data set is used; to save model training time, the 10% sample set is used in the experiments. In addition, for the data set to be useful in the application, it has to be transformed and extended in the following ways.
01 To let the detection system respond quickly, part of the data in the data set is deleted: the intrusion samples of the two types U2L and U2R are removed, i.e. these two forms of intrusion are not detected and only the DDOS and PROBING forms are detected.
02 To lighten the statistical processing, the features in columns 10 to 23 of the data set are deleted. These columns are used only for detecting the U2L and U2R types of intrusion; these two classes of attack require analysis of the content carried by TCP packets, which involves relatively complex packet analysis that affects the system's operating efficiency, so the data for these two classes of attack are deleted.
03 To ensure the validity and speed of the data analysis, an ID primary key column is added and each column is named after the feature it reflects. The transformed data set contains 32 columns, including the target column, and 492843 rows. The next step is further optimization: the non-numeric types in the KDD'99 data set are converted to numeric types for convenient calculation and faster operation.
Then the SQL Developer tool is used for data processing, and the SQL*Plus tool is used to convert the file into a SQL script and import it into the database (this takes a long time, about 3 hours). After import, the data is pre-processed and normalized. Comparative analysis showed that data mining with Oracle is not demanding with respect to normalization: whether or not the data is normalized makes no essential difference to the prediction results or the training time, so no normalization is applied in the final training. After pre-processing, the type of each feature column is re-judged by analysing the characteristics of each class of data, and according to the statistics the feature columns are divided into continuous and discrete types.
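Steps 01 to 03 above, applied to records in the public 41-feature KDD'99 layout, as an added Python example that is not part of the patent. The sample records are constructed, the page's "U2L" class is taken to be the KDD'99 R2L category, the label-to-category map is the standard KDD'99 one, and the table name in the generated DDL is a placeholder.

```python
import csv

# Feature names of the public KDD'99 layout, in column order; field 42 is the class label.
KDD_COLUMNS = (
    "duration", "protocol_type", "service", "flag", "src_bytes", "dst_bytes", "land",
    "wrong_fragment", "urgent", "hot", "num_failed_logins", "logged_in", "num_compromised",
    "root_shell", "su_attempted", "num_root", "num_file_creations", "num_shells",
    "num_access_files", "num_outbound_cmds", "is_host_login", "is_guest_login", "count",
    "srv_count", "serror_rate", "srv_serror_rate", "rerror_rate", "srv_rerror_rate",
    "same_srv_rate", "diff_srv_rate", "srv_diff_host_rate", "dst_host_count",
    "dst_host_srv_count", "dst_host_same_srv_rate", "dst_host_diff_srv_rate",
    "dst_host_same_src_port_rate", "dst_host_srv_diff_host_rate", "dst_host_serror_rate",
    "dst_host_srv_serror_rate", "dst_host_rerror_rate", "dst_host_srv_rerror_rate",
)
assert len(KDD_COLUMNS) == 41

# Standard KDD'99 mapping from attack label to attack category.
ATTACK_CATEGORY = {"normal": "normal"}
ATTACK_CATEGORY.update(dict.fromkeys(["back", "land", "neptune", "pod", "smurf", "teardrop"], "dos"))
ATTACK_CATEGORY.update(dict.fromkeys(["ipsweep", "nmap", "portsweep", "satan"], "probe"))
ATTACK_CATEGORY.update(dict.fromkeys(["ftp_write", "guess_passwd", "imap", "multihop", "phf",
                                      "spy", "warezclient", "warezmaster"], "r2l"))
ATTACK_CATEGORY.update(dict.fromkeys(["buffer_overflow", "loadmodule", "perl", "rootkit"], "u2r"))

# Step 01: drop the R2L (the page's "U2L") and U2R samples; only DoS and Probe are detected.
DROPPED_CATEGORIES = {"r2l", "u2r"}
# Step 02: drop features 10..23 (1-based), i.e. 0-based indices 9..22.
DROPPED_INDICES = set(range(9, 23))
# Step 03: the non-numeric feature columns, re-coded as integers; the target is coded too.
NOMINAL_COLUMNS = {"protocol_type", "service", "flag"}
TARGET_CODES = {"normal": 0, "dos": 1, "probe": 2}   # constructed class codes


def make_record(label, **overrides):
    """Build one constructed KDD'99-layout line (41 features + label) from zero defaults."""
    values = {name: "0" for name in KDD_COLUMNS}
    values.update({"protocol_type": "tcp", "service": "http", "flag": "SF"})
    values.update(overrides)
    return ",".join(values[name] for name in KDD_COLUMNS) + "," + label


# Constructed sample: two normal connections, two DoS, one probe, one R2L and one U2R record.
SAMPLE_LINES = [
    make_record("normal.", src_bytes="181", dst_bytes="5450", logged_in="1", count="8"),
    make_record("smurf.", protocol_type="icmp", service="ecr_i", src_bytes="1032",
                count="511", same_srv_rate="1.00"),
    make_record("neptune.", flag="S0", count="229", serror_rate="1.00"),
    make_record("portsweep.", flag="REJ", service="private", rerror_rate="1.00"),
    make_record("guess_passwd.", service="telnet", num_failed_logins="5"),
    make_record("buffer_overflow.", service="telnet", root_shell="1", hot="3"),
    make_record("normal.", protocol_type="udp", service="domain_u", src_bytes="44"),
]


def transform_kdd(lines):
    """Apply steps 01-03 to KDD'99 CSV lines.

    Returns (column_names, rows, codebooks): each row is a dict with the 'id' primary key
    first and the numeric 'target' class last; codebooks hold the string-to-integer
    mapping assigned to each nominal column, in order of first appearance.
    """
    kept = [(i, name) for i, name in enumerate(KDD_COLUMNS) if i not in DROPPED_INDICES]
    columns = ["id"] + [name for _, name in kept] + ["target"]
    codebooks = {name: {} for name in NOMINAL_COLUMNS}
    rows = []
    for fields in csv.reader(lines):
        if len(fields) != len(KDD_COLUMNS) + 1:
            raise ValueError("expected 41 features plus a label, got %d fields" % len(fields))
        label = fields[-1].rstrip(".")          # KDD'99 labels carry a trailing dot
        if label not in ATTACK_CATEGORY:
            raise ValueError("unknown KDD'99 label: " + label)
        category = ATTACK_CATEGORY[label]
        if category in DROPPED_CATEGORIES:
            continue
        row = {"id": len(rows) + 1}             # step 03: sequential ID primary key
        for i, name in kept:
            value = fields[i]
            if name in NOMINAL_COLUMNS:
                book = codebooks[name]
                row[name] = book.setdefault(value, len(book))
            else:
                row[name] = float(value) if "." in value else int(value)
        row["target"] = TARGET_CODES[category]
        rows.append(row)
    return columns, rows, codebooks


def create_table_sql(table, columns):
    """Constructed DDL for the transformed table: ID as primary key, every other column numeric."""
    defs = ["id NUMBER PRIMARY KEY"] + ["%s NUMBER" % name for name in columns[1:]]
    return "CREATE TABLE %s (\n  %s\n);" % (table, ",\n  ".join(defs))


if __name__ == "__main__":
    cols, out_rows, books = transform_kdd(SAMPLE_LINES)
    print(create_table_sql("kdd_train", cols))
    for r in out_rows:
        print(r["id"], r["protocol_type"], r["service"], r["flag"], r["target"])
```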
(2) Building the data mining model
01 Principal component analysis (PCA)
Non-negative matrix factorization is used to extract feature vectors, and dimensionality reduction is performed by analysing the feature vectors most strongly related to the target result. Features with coefficients above 0.6 are retained, but in order to keep as many features as possible, feature columns with coefficients above 0.3 are retained as well, giving 8 columns in total as the feature vector.
To further ensure the completeness of the data feature vector while exploiting the data processing power of the Oracle platform, the data without dimensionality reduction is analysed at the same time, so the system works with two result sets during data training.
The data processing with and without dimensionality reduction is shown in Fig. 4.
02 Building the classification models
The system trains three classification algorithms: support vector machine, decision tree and naive Bayes. A series of model comparisons shows that, because the data retains the higher-valued features, the decision tree model gives the highest prediction accuracy in data mining.
03 Model application and deployment
After the model is trained successfully, the extracted data can be detected: the data is processed, statistics are computed for each complete TCP connection, and the statistical result is predicted.
The overall model diagram is shown in Fig. 5.
The model is the core of the system's implementation. According to the extracted data, this module performs TCP- or UDP-based analysis and converts the data into a data model conforming to KDD'99 that can be applied to this system. Trained on the data set, the different classification models are used for prediction, and from the prediction it is determined whether the data is an intrusion and of which form.
In addition, the distribution and upgrading of models are realized by Oracle's internal automatic scheduling mechanism and triggers. An Oracle RAC grid server cluster is built with a separate instance on each server, and the nodes in the RAC share the database and memory. The distributed architecture helps improve the stability, extensibility and performance of the system.
5. Intrusion detection module
The intrusion detection module implements two functions, real-time detection and offline detection. Real-time detection is performed on the real-time data produced by ETL inside the Oracle database, with SQL handing the data directly to the model for detection; offline detection analyses the data stored in the data warehouse to evaluate model performance, analyse the number and types of malicious behaviours, and help analyse abnormal behaviour patterns.
6. Data visualization module
The module is divided into a real-time alert module and a report analysis module. The real-time alert module raises real-time alerts on malicious and abnormal behaviour: Oracle database triggers raise various predefined alerts, and the type, time, address and other relevant information of the detected intrusion is written to a designated table and notified in real time in the browser GUI, or handled automatically according to a predefined plan. The report analysis module provides result interpretation, statistics, reports and charts, using the Discoverer and Oracle Reports tools to query and visualize models and detection results. All visualization results are obtained by SQL queries or customized according to user requirements.
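The trigger-driven alert path of the real-time alert module, as an added Python example that is not part of the patent: SQLite stands in for the Oracle database, the table and column names, class codes and sample predictions are constructed, and the "automatic handling" is a hypothetical plan that maps an intrusion type to an action name.

```python
import sqlite3

# Constructed schema standing in for the Oracle tables: the model writes each prediction to
# detection_result, and a database trigger copies every non-normal prediction (type, time,
# addresses) into the alert table that the browser GUI polls.
SCHEMA = """
CREATE TABLE detection_result (
    id          INTEGER PRIMARY KEY,
    detected_at TEXT    NOT NULL,
    src_addr    TEXT    NOT NULL,
    dst_addr    TEXT    NOT NULL,
    predicted   INTEGER NOT NULL   -- 0 normal, 1 dos, 2 probe (constructed class codes)
);
CREATE TABLE alert (
    id             INTEGER PRIMARY KEY,
    result_id      INTEGER NOT NULL REFERENCES detection_result(id),
    intrusion_type TEXT    NOT NULL,
    detected_at    TEXT    NOT NULL,
    src_addr       TEXT    NOT NULL,
    dst_addr       TEXT    NOT NULL,
    handled        INTEGER NOT NULL DEFAULT 0
);
CREATE TRIGGER raise_alert AFTER INSERT ON detection_result
WHEN NEW.predicted <> 0
BEGIN
    INSERT INTO alert (result_id, intrusion_type, detected_at, src_addr, dst_addr)
    VALUES (NEW.id,
            CASE NEW.predicted WHEN 1 THEN 'dos' WHEN 2 THEN 'probe' ELSE 'unknown' END,
            NEW.detected_at, NEW.src_addr, NEW.dst_addr);
END;
"""


def open_alert_db():
    """Create an in-memory database with the tables and the alert trigger installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_prediction(conn, detected_at, src_addr, dst_addr, predicted):
    """Store one model prediction; the trigger raises the alert when predicted != 0."""
    cur = conn.execute(
        "INSERT INTO detection_result (detected_at, src_addr, dst_addr, predicted) "
        "VALUES (?, ?, ?, ?)", (detected_at, src_addr, dst_addr, predicted))
    conn.commit()
    return cur.lastrowid


def pending_alerts(conn):
    """What the GUI shows: unhandled alerts as (id, type, time, src, dst) tuples."""
    return conn.execute(
        "SELECT id, intrusion_type, detected_at, src_addr, dst_addr "
        "FROM alert WHERE handled = 0 ORDER BY id").fetchall()


def acknowledge(conn, alert_id):
    """Mark an alert as handled by an operator."""
    conn.execute("UPDATE alert SET handled = 1 WHERE id = ?", (alert_id,))
    conn.commit()


def auto_handle(conn, plan):
    """Hypothetical automatic handling: for each pending alert whose type the plan covers,
    record the plan's action and mark the alert handled; returns (alert_id, action) pairs."""
    applied = []
    for alert_id, kind, *_ in pending_alerts(conn):
        if kind in plan:
            applied.append((alert_id, plan[kind]))
            acknowledge(conn, alert_id)
    return applied


# Constructed predictions: (time, source address, destination address, predicted class).
SAMPLE_PREDICTIONS = [
    ("2015-12-15T09:00:00", "192.0.2.10", "192.0.2.1", 0),
    ("2015-12-15T09:00:01", "192.0.2.10", "192.0.2.1", 1),
    ("2015-12-15T09:00:02", "192.0.2.11", "192.0.2.1", 0),
    ("2015-12-15T09:00:03", "192.0.2.12", "192.0.2.1", 2),
]


def demo():
    """Feed the sample predictions through the trigger and return the alerts it produced."""
    conn = open_alert_db()
    for prediction in SAMPLE_PREDICTIONS:
        record_prediction(conn, *prediction)
    return pending_alerts(conn)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```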
The above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solution outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. A data mining based intrusion detection system with Oracle as its core, characterized in that: it comprises a data sensor module, an ETL module, a data warehouse module, a model generation and distribution module, an intrusion detection module and a data visualization module; the data sensor module comprises a network data sensor and a host information sensor and collects various types of traffic flow information; the ETL module preprocesses the data submitted by the data sensors, extracts feature vectors and converts the data; the data warehouse module comprises a detection database and a model database, the detection database storing data from the various data sources and the model database mainly storing detection models; the model generation and distribution module performs anomaly detection and misuse detection; the intrusion detection module is divided into real-time detection and offline detection; the data visualization module is divided into a real-time alert module and a report analysis module, the real-time alert module implementing real-time alerting of malicious and abnormal behaviour, and the report analysis module implementing result interpretation, statistics, reports and charts.
2. The data mining based intrusion detection system with Oracle as its core according to claim 1, characterized in that: the traffic flow information comprises network flow data, host system logs, system process calls, and CPU and memory usage.
3. The data mining based intrusion detection system with Oracle as its core according to claim 1, characterized in that: the ETL module is implemented primarily with SQL and user-defined functions.
4. The data mining based intrusion detection system with Oracle as its core according to claim 1, characterized in that: the real-time detection is performed by ETL on real-time data in the Oracle database, the data being passed directly to the model for detection by SQL.
5. The data mining based intrusion detection system with Oracle as its core according to any one of claims 1 to 4, characterized in that: the offline detection analyses the data stored in the data warehouse, implementing model performance evaluation, analysis of the quantity and types of malicious behaviour, and support for analysing abnormal behaviour patterns.
6. The data mining based intrusion detection system with Oracle as its core according to claim 1, characterized in that: the real-time alert module uses Oracle database triggers to fire various predefined alerts, submits the relevant information about the detected intrusion, such as intrusion type, time and address, to a designated table, and either notifies in real time in a browser GUI or responds automatically according to a predefined response plan.
7. The data mining based intrusion detection system with Oracle as its core according to claim 1, characterized in that: the report analysis module uses the Oracle Discoverer and Oracle Reports tools to query and visualize the models and detection results.
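As an added illustration of the trigger-based real-time alerting described in claim 6, the following Oracle SQL and PL/SQL shows a detection-result table, a table of predefined alert definitions, and an AFTER INSERT row trigger that writes intrusion type, time and address into a designated alert table when a model verdict crosses the configured threshold. This is example code written for this page, not code from the patent or from Jilin University: every table, column, behaviour type and action name is an assumption, and it assumes Oracle 12c or later for identity columns.

```sql
-- Added example (not the patent's code). All names are assumed; the sample
-- rows are constructed for illustration.

-- Rows written by the real-time detection path (claim 4): one model verdict each.
CREATE TABLE detection_result (
  result_id      NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  detected_at    TIMESTAMP    DEFAULT SYSTIMESTAMP NOT NULL,
  src_address    VARCHAR2(45) NOT NULL,        -- IPv4 or IPv6 as text
  dst_address    VARCHAR2(45),
  behaviour_type VARCHAR2(32) NOT NULL,        -- e.g. NORMAL, PORT_SCAN, ANOMALY
  score          NUMBER(5,4)  NOT NULL,        -- model confidence in 0..1
  model_id       NUMBER       NOT NULL         -- which detection model decided
);

-- Predefined alerts: which behaviour types alert, at what score, and what
-- automatic response (if any) the predefined plan prescribes.
CREATE TABLE alert_definition (
  behaviour_type VARCHAR2(32) PRIMARY KEY,
  min_score      NUMBER(5,4)  NOT NULL,
  severity       VARCHAR2(8)  NOT NULL,
  auto_action    VARCHAR2(64)                  -- NULL means notify only
);

-- The designated table the GUI reads; one row per raised alert.
CREATE TABLE intrusion_alert (
  alert_id       NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  result_id      NUMBER       NOT NULL REFERENCES detection_result,
  raised_at      TIMESTAMP    DEFAULT SYSTIMESTAMP NOT NULL,
  behaviour_type VARCHAR2(32) NOT NULL,
  src_address    VARCHAR2(45) NOT NULL,
  severity       VARCHAR2(8)  NOT NULL,
  auto_action    VARCHAR2(64),
  acknowledged   CHAR(1)      DEFAULT 'N' NOT NULL
);

-- Constructed alert definitions (assumed thresholds and action names).
INSERT INTO alert_definition VALUES ('PORT_SCAN',  0.80, 'MEDIUM', 'BLOCK_SRC_15M');
INSERT INTO alert_definition VALUES ('SQL_INJECT', 0.70, 'HIGH',   'KILL_SESSION');
INSERT INTO alert_definition VALUES ('ANOMALY',    0.90, 'LOW',    NULL);

-- Trigger that fires the predefined alert for each new detection row.
CREATE OR REPLACE TRIGGER trg_detection_alert
AFTER INSERT ON detection_result
FOR EACH ROW
DECLARE
  v_def alert_definition%ROWTYPE;
BEGIN
  -- Only behaviour types with a predefined alert are considered;
  -- NORMAL traffic has no definition and leaves the trigger immediately.
  BEGIN
    SELECT * INTO v_def
      FROM alert_definition
     WHERE behaviour_type = :NEW.behaviour_type;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN;
  END;

  -- Below the configured threshold: record nothing, avoid alert noise.
  IF :NEW.score >= v_def.min_score THEN
    INSERT INTO intrusion_alert
      (result_id, behaviour_type, src_address, severity, auto_action)
    VALUES
      (:NEW.result_id, :NEW.behaviour_type, :NEW.src_address,
       v_def.severity, v_def.auto_action);
  END IF;
END;
/

-- Constructed sample verdict (documentation address range); fires the trigger.
INSERT INTO detection_result (src_address, dst_address, behaviour_type, score, model_id)
VALUES ('198.51.100.23', '10.0.0.5', 'PORT_SCAN', 0.93, 1);
COMMIT;

-- What the browser GUI polls for real-time notification.
SELECT alert_id, raised_at, severity, behaviour_type, src_address, auto_action
  FROM intrusion_alert
 WHERE acknowledged = 'N'
 ORDER BY raised_at DESC;
```

The trigger runs inside the transaction that inserts the verdict, so the alert row only becomes visible to the GUI once that transaction commits; if the alert must survive a rollback of the detection insert, the trigger body can be moved into an autonomous-transaction procedure. A polling query is the simplest notification path; Oracle's DBMS_ALERT package can push a signal from the trigger instead, which the claim's "real-time notification" would map onto, but the page does not say which mechanism the patent uses.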
CN201510937871.0A 2015-12-15 2015-12-15 Data mining based invasion detection system with Oracle as core Pending CN105468995A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510937871.0A CN105468995A (en) 2015-12-15 2015-12-15 Data mining based invasion detection system with Oracle as core

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510937871.0A CN105468995A (en) 2015-12-15 2015-12-15 Data mining based invasion detection system with Oracle as core

Publications (1)

Publication Number Publication Date
CN105468995A true CN105468995A (en) 2016-04-06

Family

ID=55606677

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510937871.0A Pending CN105468995A (en) 2015-12-15 2015-12-15 Data mining based invasion detection system with Oracle as core

Country Status (1)

Country Link
CN (1) CN105468995A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106649034A (en) * 2016-11-22 2017-05-10 北京锐安科技有限公司 Visual intelligent operation and maintenance method and platform
CN107104951A (en) * 2017-03-29 2017-08-29 国家电网公司 The detection method and device of Attack Source
CN107992746A (en) * 2017-12-14 2018-05-04 华中师范大学 Malicious act method for digging and device
CN108574609A (en) * 2017-12-29 2018-09-25 北京视联动力国际信息技术有限公司 A kind of transmitting, monitoring method and apparatus
CN110995815A (en) * 2019-11-27 2020-04-10 大连民族大学 Information transmission method based on Gaia big data analysis system
CN111935072A (en) * 2020-06-19 2020-11-13 河海大学常州校区 Distributed intrusion detection method based on alarm correlation in cloud environment
CN112262387A (en) * 2018-06-13 2021-01-22 日本电信电话株式会社 Detection device and detection method
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388010A (en) * 2007-09-12 2009-03-18 北京启明星辰信息技术有限公司 Oracle database audit method and system
CN101630351A (en) * 2009-06-04 2010-01-20 中国人民解放军理工大学指挥自动化学院 Method for enhancing safety of Oracle database server by utilizing progress infusion and TNS protocol analysis
CN104301413A (en) * 2014-10-17 2015-01-21 国云科技股份有限公司 Oracle distributed real-time monitoring method orienting cloud databases

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
段西强: "基于数据挖掘的数据库入侵检测研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106649034A (en) * 2016-11-22 2017-05-10 北京锐安科技有限公司 Visual intelligent operation and maintenance method and platform
CN106649034B (en) * 2016-11-22 2020-08-28 北京锐安科技有限公司 Visual intelligent operation and maintenance method and platform
CN107104951A (en) * 2017-03-29 2017-08-29 国家电网公司 The detection method and device of Attack Source
CN107992746A (en) * 2017-12-14 2018-05-04 华中师范大学 Malicious act method for digging and device
CN107992746B (en) * 2017-12-14 2021-06-25 华中师范大学 Malicious behavior mining method and device
CN108574609A (en) * 2017-12-29 2018-09-25 北京视联动力国际信息技术有限公司 A kind of transmitting, monitoring method and apparatus
CN112262387A (en) * 2018-06-13 2021-01-22 日本电信电话株式会社 Detection device and detection method
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications
CN110995815A (en) * 2019-11-27 2020-04-10 大连民族大学 Information transmission method based on Gaia big data analysis system
CN110995815B (en) * 2019-11-27 2022-08-05 大连民族大学 Information transmission method based on Gaia big data analysis system
CN111935072A (en) * 2020-06-19 2020-11-13 河海大学常州校区 Distributed intrusion detection method based on alarm correlation in cloud environment
CN111935072B (en) * 2020-06-19 2023-11-07 河海大学常州校区 Distributed intrusion detection method based on alarm association in cloud environment

Similar Documents

Publication Publication Date Title
CN105468995A (en) Data mining based invasion detection system with Oracle as core
CN111475804B (en) Alarm prediction method and system
CN112738126B (en) Attack tracing method based on threat intelligence and ATT & CK
CN106778259B (en) Abnormal behavior discovery method and system based on big data machine learning
CN105471882A (en) Behavior characteristics-based network attack detection method and device
Gwon et al. Network intrusion detection based on LSTM and feature embedding
CN105637519A (en) Cognitive information security using a behavior recognition system
CN113313421A (en) Security risk state analysis method and system for power Internet of things sensing layer
CN112989332B (en) Abnormal user behavior detection method and device
CN116662989B (en) Security data analysis method and system
Al-mamory et al. On the designing of two grains levels network intrusion detection system
Ajdani et al. Introduced a new method for enhancement of intrusion detection with random forest and PSO algorithm
CN114090406A (en) Electric power Internet of things equipment behavior safety detection method, system, equipment and storage medium
CN115001934A (en) Industrial control safety risk analysis system and method
CN110908957A (en) Network security log audit analysis method in power industry
Gonaygunta Machine learning algorithms for detection of cyber threats using logistic regression
CN114528457A (en) Web fingerprint detection method and related equipment
TWM622216U (en) Apparatuses for service anomaly detection and alerting
CN115795330A (en) Medical information anomaly detection method and system based on AI algorithm
CN117411703A (en) Modbus protocol-oriented industrial control network abnormal flow detection method
CN114070642A (en) Network security detection method, system, device and storage medium
CN110166422A (en) Domain name Activity recognition method, apparatus, readable storage medium storing program for executing and computer equipment
CN116956282B (en) Abnormality detection system based on network asset memory time sequence multi-feature data
Acharya et al. Efficacy of CNN-bidirectional LSTM hybrid model for network-based anomaly detection
EP4272474A1 (en) Method and network node for detecting anomalous access behaviours

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160406