CN106789912A - Router data plane anomaly detection method based on classification regression tree - Google Patents

Publication number
CN106789912A
Authority
CN
China
Prior art keywords
data
regression tree
classification regression
router
attribute
Legal status
Granted
Application number
CN201611050332.6A
Other languages
Chinese (zh)
Other versions
CN106789912B (en)
Inventor
徐恪
赵乙
沈蒙
谭崎
吕亮
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Application filed by Tsinghua University
Priority to CN201611050332.6A
Publication of CN106789912A
Application granted
Publication of CN106789912B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a router data plane abnormal behavior detection method based on a classification regression decision tree, comprising: selecting multiple attributes according to data transmission requirements and application scenario requirements; building, from these attributes, an attribute vector data set and a label data set whose sizes match the existing data, where each label in the label data set takes one of two values, normal or abnormal; building a classification regression decision tree from the attribute vector data set and the label data set; and detecting abnormal behavior in new data with the classification regression decision tree. Compared with existing router data plane anomaly detection methods, the invention has the advantages of small detection error, strong scalability, and stable performance.

Description

Router data plane abnormal behavior detection method based on a classification regression decision tree
Technical field
The present invention relates to the field of next-generation Internet security technology, and in particular to a router data plane abnormal behavior detection method based on a classification regression decision tree.
Background
The next-generation Internet will inevitably face the challenge of interconnecting everything. As the Internet of Things (IoT) develops rapidly, abnormal behavior on the data plane of network routers occurs from time to time. Not only are the kinds of abnormal behavior numerous, but different IoT application scenarios may judge abnormal behavior differently, so the next-generation Internet exposes new security problems on the data plane that urgently need to be solved. Moreover, even in existing traditional networks, as network technology develops and networks keep growing in scale and richness, abnormal behavior on the router data plane occurs frequently, and the resulting network security problems pose a huge security threat to users and to the state. A robust, highly stable, and scalable method for detecting abnormal behavior on the router data plane is therefore needed.
Abnormal behavior detection on the router data plane mainly relies on existing historical data and on manual labeling of that data to identify whether unknown data represents abnormal behavior. Existing router data plane detection methods find it difficult to satisfy timeliness and accuracy at the same time. With the development of machine learning, classification and clustering have both been widely applied to abnormal behavior detection on the router data plane. Compared with classification, clustering does not require the existing data to be labeled and can learn the features of abnormal behavior by itself, but its computational overhead is large and its detection of abnormal behavior is error-prone, which makes it difficult to guarantee the security of the router. Classification requires labeled data, but the labeling can be completed offline and does not affect the efficiency of abnormal behavior detection in the router; its computational overhead is also low, so it can meet timeliness requirements well. In addition, on the router data plane the precision of classification-based detection is generally better than that of clustering-based detection.
Summary of the invention
The present invention aims to solve at least one of the above technical problems.
To this end, an object of the invention is to propose a router data plane abnormal behavior detection method based on a classification regression decision tree, which solves the problem that abnormal behavior in the next-generation Internet is difficult to detect accurately because of the complex variety of behaviors brought by the interconnection of everything.
To achieve the above object, an embodiment of the invention discloses a router data plane abnormal behavior detection method based on a classification regression decision tree.
The method according to the embodiment of the invention comprises the following steps: S1: selecting multiple attributes according to data transmission requirements and application scenario requirements, and building from these attributes an attribute vector data set and a label data set whose sizes match the existing data, where the label data set is labeled according to the router's historical operation records and each label in it is either a normal label or an abnormal label; S2: building the classification regression decision tree offline from the attribute vector data set and the label data set; S3: detecting abnormal behavior in new data with the classification regression decision tree.
The method can accurately detect known abnormal behavior, and uses the idea of a cache pool to cache uncertain behavior that lies between normal and abnormal behavior, so that whether such behavior is abnormal can be defined according to the requirements of different application scenarios, which enhances the security of the next-generation Internet. More importantly, compared with existing router data plane anomaly detection methods, this technique has small detection error, strong scalability, and stable performance.
In addition, the method according to the above embodiment of the invention may also have the following additional technical features:
Further, the data transmission requirements include source address, destination address, source port number, destination port number, and data transmission type.
Further, the application scenario requirements include data type, data size, and data arrival and departure times.
Further, step S1 further includes: S101: building, from the historical data logs, an attribute vector of dimension N+M, $v=(l_1,\dots,l_N,l_{N+1},\dots,l_{N+M})$, where N is the number of data transmission requirement attributes and M is the number of application scenario requirement attributes; the attribute vector of every data record is determined, forming an attribute vector data set $\Omega=\{v_1,\dots,v_n\}$ whose size matches the existing data, where n is the size of the data set; S102: according to the router's historical operation, manually labeling whether each data behavior is abnormal with a 2-tuple $h=(h', h'')$, where $h'$ is the normal or abnormal label and $h''$ is the ID code of the specific abnormal behavior; each attribute vector in the attribute vector data set corresponds to one label, forming the label data set $\Theta=\{h_1,h_2,\dots,h_{n-1},h_n\}$.
Further, step S2 further includes: S201: expressing the purity of data set Ω with a preset method of calculating the Gini value; S202: calculating, from the purity of data set Ω, the Gini index of each attribute involved; S203: choosing the attribute with the smallest Gini index as the split attribute and building the classification regression decision tree.
Further, after step S203 the method also includes: S204: after the classification regression decision tree is built, deciding whether to merge a non-leaf node into a leaf node according to whether that non-leaf node benefits the generalization ability of the classification regression decision tree.
Further, step S3 further includes: S301: extracting each attribute value of the new data and executing the decision flow of the classification regression decision tree top-down, to identify abnormal behavior with prominent features.
Further, after step S301 the method also includes: S302: caching unknown behavior that the classification regression decision tree cannot judge, performing offline training when the unknown behavior reaches a predetermined quantity, and updating the classification regression decision tree according to the offline training result.
Additional aspects and advantages of the invention will be given in part in the following description, will in part become apparent from that description, or will be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a flow chart of the router data plane abnormal behavior detection method based on a classification regression decision tree according to an embodiment of the invention;
Fig. 2 is a schematic diagram, in one embodiment of the invention, of the unknown-behavior detection and caching process on the router data plane that the router performs after the classification regression decision tree has been built;
Fig. 3 is a detailed flow chart of the router data plane abnormal behavior detection method based on a classification regression decision tree in one embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below, and examples of the embodiments are shown in the drawings. The embodiments described with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting it.
In the description of the invention, it should be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
These and other aspects of the embodiments of the invention will become clear with reference to the following description and drawings. The description and drawings specifically disclose some particular implementations of the embodiments to show some of the ways in which the principles of the embodiments may be carried out, but it should be understood that the scope of the embodiments is not limited thereby. On the contrary, the embodiments of the invention include all changes, modifications and equivalents that fall within the spirit and scope of the appended claims.
Through extensive creative research, the inventors found that classification-based abnormal behavior detection has seen only limited application to the router data plane. This is mainly because classification methods in traditional machine learning are primarily suited to image or video data, and it is difficult to find suitable feature attributes on the router data plane. Starting from the complex IoT devices of the IoT era and from network applications with varied data requirements, the present method selects appropriate attributes on the data plane and allows abnormal behavior to be defined according to application scenario requirements and the related attributes. It then uses a relatively stable classification regression decision tree to judge data plane behavior, and uses the idea of a cache pool to keep the decision tree stable. It can not only distinguish clearly normal behavior from clearly abnormal behavior, but can also handle intermediate behavior (behavior that is neither normal nor abnormal) according to the requirements of different application scenarios.
The invention is described below with reference to the drawings.
Fig. 1 is a flow chart of the router data plane abnormal behavior detection method based on a classification regression decision tree according to an embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
S1: Select multiple attributes according to data transmission requirements and application scenario requirements, and build from these attributes an attribute vector data set and a label data set whose sizes match the existing data. The label data set is labeled according to the router's historical operation records, and each label in it is either a normal label or an abnormal label.
Specifically, the N necessary data transmission requirement attributes are determined, and M optional attributes are selected according to the specific application scenario requirements. In one embodiment of the invention, the data transmission requirements include one or more of source address, destination address, source port number, destination port number, and data transmission type. The attributes corresponding to the application scenario requirements are user-defined; for example, for a given application scenario, attributes such as data type, data size, and data arrival and departure times may be selected.
In one embodiment of the invention, step S1 further includes:
S101: To make the classification regression tree easier to build, an attribute vector of dimension N+M, $v=(l_1,\dots,l_N,l_{N+1},\dots,l_{N+M})$, is built from the historical data logs, where N is the number of data transmission requirement attributes and M is the number of application scenario requirement attributes. The attribute vector of every data record is determined, forming an attribute vector data set $\Omega=\{v_1,\dots,v_n\}$ whose size matches the existing data, where n is the size of the data set.
S102: According to the router's historical operation, each data behavior is manually labeled as normal or abnormal. The label is a 2-tuple $h=(h', h'')$, where $h'$ can take only one of two values, normal or abnormal (1 represents normal, 0 represents abnormal), and $h''$ is the ID code of the specific abnormal behavior. $h''$ supplements $h'$ and states the specific behavior category (such as DoS attack or port scan). $h''$ may be null; in a subsequent offline update, $h'$ is assigned for objects whose specific behavior type is uncertain, according to the requirements of the specific application scenario, to indicate whether they are normal (a user-defined decision). Each attribute vector corresponds to one label, forming the label data set $\Theta=\{h_1,h_2,\dots,h_{n-1},h_n\}$.
S2: Build the classification regression decision tree offline from the attribute vector data set and the label data set.
S201: Before the split attribute is chosen by Gini index, the purity of data set Ω is expressed by its Gini value; the smaller the Gini index, the higher the purity. The Gini value is calculated as follows:
where $p_k$ is the proportion of samples of class k in the sample set, and $t_n$ and $t_u$ are the number of normal classes and the number of abnormal classes, respectively.
S202: The Gini index of each attribute involved is calculated according to the following formula:
where $l_i$ is an attribute and $V_i$ is the number of possible values of attribute $l_i$.
S203: After the Gini index of every attribute has been calculated over the whole sample data, the attribute with the smallest Gini index is chosen first as the split attribute, and construction of the classification regression decision tree begins. For every node of the tree that has not reached the purity requirement, the Gini index of each attribute, $a_i \in \{a_1,a_2,\dots,a_{N+M}\}$, is calculated in turn, and the attribute with the smallest Gini index, $\min\{a_i\}$, is chosen as the split attribute of the current node: $\min\{a_i\}\to i$. The node is then divided into child nodes according to the selected split attribute. The purity of each child node (the proportion of correctly classified behaviors) is judged in turn: if the purity cannot be improved, or the purity reaches the threshold ε required by the specific application scenario (for example ε ≥ 0.85), splitting of the node stops; otherwise the node continues to be split according to step S203.
S204: To avoid overfitting, after the decision tree is built, whether to merge a non-leaf node into a leaf node is decided according to whether that non-leaf node benefits the generalization ability of the decision tree.
S3: Detect abnormal behavior in new data with the classification regression decision tree.
S301: Extract each attribute value of the new data and execute the decision flow of the classification regression decision tree top-down. This directly identifies abnormal behavior with prominent features, such as common abnormal behaviors like port scans and denial-of-service attacks.
S302: Unknown behavior that the classification regression decision tree cannot judge is cached, applying the idea of a cache pool. When the cached attribute vectors (which carry the details of the data) reach a predetermined quantity, offline training is performed and the decision tree is updated according to the offline training result, which improves the scalability of the decision tree.
Fig. 2 is a schematic diagram, in one embodiment of the invention, of the unknown-behavior detection and caching process on the router data plane that the router performs after the classification regression decision tree has been built. As shown in Fig. 2, the decision flow of the classification regression decision tree is first executed top-down to identify abnormal behavior with prominent features. Behavior of unknown category is put into the cache pool for storage. Once the set of unknown-category behaviors in the cache pool reaches a certain quantity, the attribute values of the data are extracted offline and a clustering method is used to divide the unknown behaviors into several groups, to determine whether new abnormal behavior exists; these groups are manually given new category names and labeled accordingly. The new categories are then added to the data set and the decision tree is updated, making the decision tree more stable and more general.
To help those skilled in the art understand the invention further, it is described in detail through the following example.
As shown in Fig. 3, a classification regression decision tree is built from the historical data logs using the selected data transmission requirements and application scenario requirements. The tree preferentially chooses the attribute with the smallest Gini index as the split attribute, and the same attribute appears at most once on any one path.
Assume that the classification regression decision tree built in this embodiment needs 6 data transmission requirement attributes, namely source address, destination address, source port number, destination port number, data transmission type, and data type, so N=6; it also needs 2 application scenario requirement attributes, namely data size and whether the source address is the same as the destination address, so M=2. The data is then extracted: for a large amount of historical data, the above M+N=6+2=8 attributes are extracted to build attribute vectors of length 8, such as v=(102.51.130.23,99.6.130.4,1,4, u, v, s, 0). For the decision tree to be accurate the data set must not be too small; this embodiment assumes a data set size n of 5. After the attribute vectors are extracted, each one is labeled with a behavior category. For example, h=(0,1) represents an abnormal behavior whose specific category h'' is the abnormal behavior category corresponding to 1, a DoS attack. Each abnormal behavior category is given its own ID; for example, 2 represents a Land attack. The resulting data set is shown in Table 1, where u represents upload, d represents download, v represents video, m represents mail, r represents request, s represents a small file, and b represents a big file.
Table 1: Training data set
Once the labeled training data set is available, the classification regression decision tree is created. During creation, every node is split on the attribute with the smallest Gini index. First, the Gini indexes of the 8 attributes are calculated in turn over the whole data set (for illustration the data set contains only 5 records; a real data set should contain more than 10000). The Gini index of $l_8$ is the smallest, $\eta(\Omega, l_8)=0$, so the attribute "whether the source address and destination address are the same" is chosen as the split attribute. Because $l_8$ has only two possible values, two child nodes are produced, and both child nodes reach the maximum purity of 100%, which is naturally greater than the threshold ε (suggested value: greater than 0.85). No further splitting is needed, and training of the decision tree is complete. Note that the data set in this embodiment is very simple. In actual use the data set should contain at least 10000 records, so offline training takes longer, but because the training is offline it does not affect detection efficiency. A real decision tree is also much more complex than the three-node decision tree in this illustration.
After the decision tree has been created (the following is illustrated with a decision tree as it might look in practice, rather than the three-node decision tree of the example above), behavior detection is performed on incoming data in turn. For data from a Land attack, the record descends through the decision tree layer by layer. The first 2 layers may be unable to determine whether the behavior is abnormal. On reaching the 3rd layer, where "whether the source and destination addresses are the same" is the split attribute, the decision tree follows the branch for the attribute value "yes" and reaches a leaf node, which assigns the 2-tuple (0,2) to the behavior. The first item, 0, indicates abnormal behavior, and the second item, 2, is the ID code of the specific abnormal behavior category. The router may subsequently raise an alert for the behavior or directly take a security measure.
For a normal behavior, the record reaches a normal-behavior leaf node after several layers of judgment in the decision tree and is assigned the 2-tuple (1,0), where the first item, 1, represents normal behavior and the 0 has no meaning.
For a behavior of unknown specific category, if after several layers of judgment the record reaches a child node where the behavior category cannot be determined, it is assigned the 2-tuple (0,0), where the first item, 0, represents abnormal behavior and the second item, 0, indicates that the abnormal behavior is unclassified and needs further human intervention. That is, for safety, the method provisionally treats all behavior other than clearly normal behavior as abnormal, but caches the unclassified abnormal behavior. Once a certain quantity has accumulated, it is labeled with human intervention to determine the abnormal behavior category; it may also be reclassified as normal behavior. The decision tree is then updated offline with the labeled cached data, which improves the adaptability of the decision tree.
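The following Python example is added here and is not code from the patent: it builds the tree by minimum Gini index (S2), classifies new attribute vectors top-down (S3), and caches undecidable vectors for offline relabeling and retraining. It assumes the standard CART Gini definitions, constructed training records and addresses, a hypothetical port-scan ID of 3, and hypothetical names (`Detector`, `pool_limit`); pruning per S204 is not included.

```python
from collections import Counter

# Attribute order follows the embodiment: N=6 transfer attributes, then M=2 scenario attributes.
ATTRS = ["src", "dst", "sport", "dport", "direction", "dtype", "size", "src_eq_dst"]
# Labels are 2-tuples h = (h', h''): h'=1 normal, h'=0 abnormal; h'' is the behavior ID.
NORMAL, DOS, LAND = (1, 0), (0, 1), (0, 2)
UNKNOWN = (0, 0)      # provisionally abnormal, category not yet assigned
PORT_SCAN = (0, 3)    # hypothetical ID; the page only assigns 1 (DoS) and 2 (Land attack)

A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"   # constructed addresses
# Constructed training records; the patent's Table 1 is not reproduced on the page.
TRAIN = [
    ((A, B, 1, 4, "u", "v", "s", 0), NORMAL),
    ((A, C, 1, 4, "d", "m", "b", 0), NORMAL),
    ((C, B, 2, 4, "u", "r", "s", 0), NORMAL),
    ((A, A, 1, 4, "u", "v", "s", 1), LAND),
    ((C, C, 2, 4, "d", "m", "b", 1), LAND),
    ((B, B, 2, 7, "u", "r", "s", 1), LAND),
    ((C, A, 1, 7, "u", "r", "s", 0), DOS),
    ((A, B, 2, 7, "d", "r", "b", 0), DOS),
]

def gini(labels):
    """Gini value of a label set: 1 - sum(p_k^2) (standard CART definition)."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def gini_index(rows, i):
    """Size-weighted Gini value of the subsets produced by splitting on attribute i."""
    groups = {}
    for vec, h in rows:
        groups.setdefault(vec[i], []).append(h)
    return sum(len(g) / len(rows) * gini(g) for g in groups.values())

def build_tree(rows, eps=0.85, used=()):
    """S203: split on the minimum-Gini-index attribute until purity >= eps."""
    labels = [h for _, h in rows]
    majority, count = Counter(labels).most_common(1)[0]
    if count / len(rows) >= eps:
        return {"leaf": majority}
    # The same attribute appears at most once on any one path.
    candidates = [i for i in range(len(ATTRS)) if i not in used]
    best = min(candidates, key=lambda i: gini_index(rows, i), default=None)
    if best is None or gini_index(rows, best) >= gini(labels):
        # Impure node whose purity cannot be improved: left undecided (assumption).
        return {"leaf": UNKNOWN}
    groups = {}
    for vec, h in rows:
        groups.setdefault(vec[best], []).append((vec, h))
    return {"attr": best,
            "children": {v: build_tree(g, eps, used + (best,)) for v, g in groups.items()}}

def classify(tree, vec):
    """S301: walk the tree top-down; a value never seen on this path is undecided."""
    node = tree
    while "leaf" not in node:
        node = node["children"].get(vec[node["attr"]])
        if node is None:
            return UNKNOWN
    return node["leaf"]

class Detector:
    """S302: cache undecided vectors, retrain offline once the pool is full."""
    def __init__(self, rows, pool_limit=2, eps=0.85):
        self.rows, self.eps, self.pool_limit = list(rows), eps, pool_limit
        self.pool = []
        self.tree = build_tree(self.rows, eps)

    def detect(self, vec):
        h = classify(self.tree, vec)
        if h == UNKNOWN:
            self.pool.append(vec)
        return h

    def pool_full(self):
        return len(self.pool) >= self.pool_limit

    def retrain(self, labels):
        """Offline step: an operator supplies one label per cached vector."""
        self.rows += list(zip(self.pool, labels))
        self.pool = []
        self.tree = build_tree(self.rows, self.eps)

if __name__ == "__main__":
    d = Detector(TRAIN)
    print("root split:", ATTRS[d.tree["attr"]])
    for dport in (4, 7, 9, 9):
        print(dport, d.detect((C, B, 3, dport, "u", "r", "s", 0)))
    if d.pool_full():
        d.retrain([PORT_SCAN] * len(d.pool))
    print("after retrain:", d.detect((B, A, 5, 9, "d", "v", "b", 0)))
```

On the first five records alone the split on `src_eq_dst` has Gini index 0, matching the embodiment's three-node tree; with all eight records the tree gains a second layer on destination port, which is what lets an unseen port fall through to the cache pool.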
In the router data plane abnormal behavior detection method based on a classification regression decision tree of the embodiment of the invention, the classification regression decision tree is built offline from historical data, so it adds no computational overhead to abnormal behavior detection on the router data plane. Moreover, once the complete decision tree has been built, the router only needs to execute the abnormal behavior judgment top-down through the decision tree; the computational overhead is small and the complete decision tree provides high detection precision, so precision is guaranteed along with efficiency. Behaviors that cannot be judged for the time being are cached, following the idea of a cache pool, and analyzed once a certain quantity has accumulated. This not only improves the robustness of the decision tree effectively but also avoids updating the decision tree frequently, which keeps the decision tree stable while improving its scalability.
In addition, the other components and effects of the method of the embodiment of the invention are known to those skilled in the art and, to reduce redundancy, are not described again.
In this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. Schematic uses of these terms in this specification do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the invention have been shown and described, those skilled in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principle and purpose of the invention, and that the scope of the invention is defined by the claims and their equivalents.

Claims (8)

1. it is a kind of based on classification regression tree router data plane anomaly detection method, it is characterised in that including Following steps:
S1:According to data transfer demands and the multiple attributes of application scenarios demand selection, built according to the multiple attribute several According to attribute vector data acquisition system and flag data collection that scale is consistent, the flag data collection is the history run according to router Record is labeled, and the flag data concentrates each mark to include normal labeled or abnormal marking;
S2:Classification regression tree is built according to the attribute vector data acquisition system and flag data collection offline;
S3:The detection of abnormal behaviour is carried out to new data according to the classification regression tree.
2. it is according to claim 1 based on classification regression tree router data plane anomaly detection method, Characterized in that, the data transfer demands include source address, destination address, source port number, destination slogan and data transfer Type.
3. it is according to claim 1 based on classification regression tree router data plane anomaly detection method, Characterized in that, the application scenarios demand includes that data type, size of data, data arrive and depart from the time.
4. the router data plane abnormal behaviour inspection based on classification regression tree according to claim any one of 1-3 Survey method, it is characterised in that step S1 is further included:
S101:Attribute vector v=(the l that length is tieed up for N+M are set up according to history data log1,…,lN,lN+1,…,lN+M), its In, N is the number of attributes of the data transfer demands, and M is the number of attributes of the application scenarios demand, it is determined that per number evidence Attribute vector, constitutes the attribute vector data acquisition system Ω={ v consistent with data with existing scale1,…,vn, wherein n is data set Size;
S102:It is artificially whether abnormal by two tuple h=(h', h ") flag data behavior according to history router ruuning situation, Wherein h' is normal labeled or abnormal marking, h " represent that different abnormal behaviours are corresponding ID yards, the attribute vector data set Each attribute vector corresponds to a mark respectively in conjunction, so that the flag data collection Θ={ h for constituting1,h2,…,hn-1,hn}。
5. it is according to claim 4 based on classification regression tree router data plane anomaly detection method, Characterized in that, step S2 is further included:
S201:Computational methods according to default Thessaloniki value embody the purity of data set Ω;
S202:Purity according to data set Ω calculates the Thessaloniki index of each involved attribute;
S203:The minimum attribute of Thessaloniki index is chosen as attribute is divided, the classification regression tree is built.
6. it is according to claim 5 based on classification regression tree router data plane anomaly detection method, Characterized in that, also including after step S203:
S204:After the classification regression tree is built, according to non-leaf nodes whether to the classification regression tree The enhancing of generalization ability is beneficial to be decided whether for nonleaf node to merge into leaf node.
7. The router data plane abnormal behavior detection method based on a classification regression tree according to claim 1, characterized in that step S3 further comprises:
S301: Extract each attribute value of the new data and execute the decision process of the classification regression tree top-down, to identify abnormal behaviors with prominent features.
8. The router data plane abnormal behavior detection method based on a classification regression tree according to claim 7, characterized in that, after step S301, the method further comprises:
S302: Cache the attribute vectors of unknown behaviors that the classification regression tree cannot judge; when the number of unknown behaviors reaches a predetermined quantity, carry out offline training and update the classification regression tree according to the offline training result.
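
An added illustration of the flow in steps S201-S203 and S301-S302 (not code from the patent): the impurity index that CART uses, the Gini index, selects the split attribute, the tree is walked top-down, and vectors it cannot judge are cached until a retraining threshold is reached. The attribute names, the sample rows, the multiway split on categorical values and the "no matching branch" test for unknown behavior are assumptions made for this example.

```python
# Added illustration: attribute names, sample rows and the multiway split are assumptions.
from collections import Counter

def gini(labels):
    """S201: Gini impurity of a label collection; 0.0 means the set is pure."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def gini_index(rows, labels, attr):
    """S202: size-weighted impurity of the subsets obtained by splitting on attr."""
    groups = {}
    for row, lab in zip(rows, labels):
        groups.setdefault(row[attr], []).append(lab)
    return sum(len(g) / len(labels) * gini(g) for g in groups.values())

def build(rows, labels, attrs):
    """S203: split on the attribute with the smallest Gini index, recursively."""
    if len(set(labels)) == 1 or not attrs:
        return Counter(labels).most_common(1)[0][0]   # leaf holds a label tuple h
    best = min(attrs, key=lambda a: gini_index(rows, labels, a))
    node = {"attr": best, "children": {}}
    for value in sorted({r[best] for r in rows}):
        idx = [i for i, r in enumerate(rows) if r[best] == value]
        node["children"][value] = build([rows[i] for i in idx], [labels[i] for i in idx],
                                        [a for a in attrs if a != best])
    return node

def classify(tree, v):
    """S301: top-down walk; returns None when no branch exists for a value of v."""
    while isinstance(tree, dict):
        tree = tree["children"].get(v[tree["attr"]])
    return tree

class Detector:
    """S302: cache vectors the tree cannot judge and flag when retraining is due."""
    def __init__(self, tree, retrain_at):
        self.tree, self.retrain_at, self.unknown = tree, retrain_at, []
    def observe(self, v):
        verdict = classify(self.tree, v)
        if verdict is None:
            self.unknown.append(v)
        return verdict, len(self.unknown) >= self.retrain_at

# Constructed history log: v = (protocol, payload size, service), h = (h', h'')
ROWS = [("tcp", "small", "web"), ("tcp", "small", "mail"), ("udp", "small", "dns"),
        ("udp", "large", "dns"), ("udp", "large", "web"), ("tcp", "small", "dns")]
LABELS = [("normal", 0), ("normal", 0), ("normal", 0),
          ("abnormal", 1), ("abnormal", 2), ("normal", 0)]
TREE = build(ROWS, LABELS, [0, 1, 2])
```

Once an analyst has labelled the cached vectors, offline retraining in this example is a call to `build()` on the history extended with them.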
CN201611050332.6A 2016-11-22 2016-11-22 Router data plane abnormal behavior detection method based on classification regression decision tree Active CN106789912B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611050332.6A CN106789912B (en) 2016-11-22 2016-11-22 Router data plane abnormal behavior detection method based on classification regression decision tree

Publications (2)

Publication Number Publication Date
CN106789912A true CN106789912A (en) 2017-05-31
CN106789912B CN106789912B (en) 2020-02-21

Family

ID=58910800

Country Status (1)

Country Link
CN (1) CN106789912B (en)

Also Published As

Publication number Publication date
CN106789912B (en) 2020-02-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant