CN106789912A - Router data plane anomaly detection method based on classification regression tree - Google Patents
- Publication number
- CN106789912A
- Authority
- CN
- China
- Prior art keywords
- data
- regression tree
- classification regression
- router
- attribute
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a router data plane abnormal behavior detection method based on a classification regression tree, comprising: selecting multiple attributes according to data transmission requirements and application scenario requirements, and building from those attributes an attribute vector data set and a label data set of the same size as the existing data, where each label in the label data set takes one of two values, normal or abnormal; building a classification regression tree from the attribute vector data set and the label data set; and detecting abnormal behavior in new data using the classification regression tree. The invention has the following advantages: compared with existing router data plane anomaly detection methods, it has small detection error, strong scalability and stable performance.
Description
Technical field
The present invention relates to the field of next-generation Internet security technology, and in particular to a router data plane abnormal behavior detection method based on a classification regression tree.
Background
The next-generation Internet will undoubtedly face the challenge of the interconnection of all things. While the Internet of Things (IoT) develops rapidly, abnormal behavior on the data plane of network routers occurs from time to time. The abnormal behaviors are of many kinds, and different IoT application scenarios may judge abnormal behavior differently, so the next-generation Internet exposes new security problems on the data plane that urgently need solving. Moreover, even in existing traditional networks, as network technology develops and network scale keeps expanding and growing richer, abnormal behavior on the router data plane occurs frequently, and the resulting network security problems pose a huge security threat to users and the state. A robust, highly stable and scalable method for detecting abnormal behavior on the router data plane is therefore also needed.
Abnormal behavior detection on the router data plane mainly relies on existing historical data and manual labeling of that data to recognize whether unknown data represents abnormal behavior. Existing router data plane abnormal behavior detection methods find it hard to achieve timeliness and accuracy at the same time. With the development of machine learning, classification and clustering techniques have been widely applied to abnormal behavior detection on the router data plane. Compared with classification, clustering does not require existing data to be labeled and can learn the features of abnormal behavior by itself, but its computational overhead is larger and clustering is prone to errors in detecting abnormal behavior, so the security of the router is hard to guarantee. Classification requires labeled data, but the labeling can be completed offline and does not affect the efficiency of abnormal behavior detection in the router; its computational overhead is low, so it can meet timeliness requirements well. In addition, on the router data plane the precision of classification-based abnormal behavior detection is generally better than that of clustering-based detection.
Summary of the invention
The present invention aims to solve at least one of the above technical problems.
To this end, an object of the invention is to propose a router data plane abnormal behavior detection method based on a classification regression tree, solving the problem that abnormal behavior in the next-generation Internet is hard to detect accurately because of the complex variety of behaviors brought by the interconnection of all things.
To achieve the above object, an embodiment of the invention discloses a router data plane abnormal behavior detection method based on a classification regression tree, comprising the following steps: S1: selecting multiple attributes according to data transmission requirements and application scenario requirements, and building from those attributes an attribute vector data set and a label data set consistent in size with the existing data, the label data set being labeled according to the router's historical operation records, and each label in it comprising a normal mark or an abnormal mark; S2: building the classification regression tree offline from the attribute vector data set and the label data set; S3: detecting abnormal behavior in new data using the classification regression tree.
The router data plane abnormal behavior detection method based on a classification regression tree according to the embodiment of the invention can accurately detect known abnormal behavior, and can use the cache pool idea to cache uncertain behavior that lies between normal and abnormal behavior, leaving each application scenario to define whether that behavior is abnormal, which enhances the security of the next-generation Internet. More importantly, compared with existing router data plane anomaly detection methods, this technique has small detection error, strong scalability and stable performance.
In addition, the router data plane abnormal behavior detection method based on a classification regression tree according to the above embodiment of the invention may also have the following additional technical features:
Further, the data transmission requirements include source address, destination address, source port number, destination port number and data transmission type.
Further, the application scenario requirements include data type, data size, and data arrival and departure times.
Further, step S1 further comprises: S101: building, from the historical data log, an attribute vector of dimension N+M, $v = (l_1, \ldots, l_N, l_{N+1}, \ldots, l_{N+M})$, where N is the number of data transmission requirement attributes and M is the number of application scenario requirement attributes, and determining the attribute vector of each data record to form an attribute vector data set consistent in size with the existing data, $\Omega = \{v_1, \ldots, v_n\}$, where n is the size of the data set; S102: according to the historical operation of the router, manually marking whether the behavior of each data record is abnormal with a two-tuple $h = (h', h'')$, where $h'$ is a normal mark or an abnormal mark and $h''$ is the ID code of the specific abnormal behavior; each attribute vector in the attribute vector data set corresponds to one label, forming the label data set $\Theta = \{h_1, h_2, \ldots, h_{n-1}, h_n\}$.
Further, step S2 further comprises: S201: expressing the purity of data set Ω by a preset method of calculating the Gini value; S202: calculating the Gini index of each attribute involved according to the purity of data set Ω; S203: choosing the attribute with the smallest Gini index as the splitting attribute and building the classification regression tree.
Further, after step S203 the method also comprises: S204: after the classification regression tree is built, deciding whether to merge a non-leaf node into a leaf node according to whether doing so benefits the generalization ability of the classification regression tree.
Further, step S3 further comprises: S301: extracting each attribute value of the new data and executing the decision flow of the classification regression tree top-down, to recognize abnormal behavior with prominent features.
Further, after step S301 the method also comprises: S302: caching unknown behavior that the classification regression tree cannot judge, performing offline training when the unknown behavior reaches a predetermined quantity, and updating the classification regression tree according to the offline training result.
Additional aspects and advantages of the invention will be set forth in part in the description that follows, and in part will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of the embodiments taken together with the accompanying drawings, in which:
Fig. 1 is a flow chart of the router data plane abnormal behavior detection method based on a classification regression tree according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the router data plane unknown-behavior detection and caching process that needs to be performed in the router after the classification regression tree has been built, in one embodiment of the invention;
Fig. 3 is a detailed flow chart of the router data plane abnormal behavior detection method based on a classification regression tree in one embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
In the description of the invention, it is to be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
These and other aspects of the embodiments of the invention will become clear with reference to the following description and drawings. The description and drawings specifically disclose some particular implementations of the embodiments to show some of the ways in which the principles of the embodiments may be carried out, but it should be understood that the scope of the embodiments is not limited by them. On the contrary, the embodiments of the invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.
The inventors found through extensive creative research that classification-based abnormal behavior detection has seen limited application to abnormal behavior detection on the router data plane. This is mainly because classification methods in conventional machine learning are chiefly suited to image or video data, and suitable feature attributes are hard to find on the router data plane. This method, considering the complex IoT devices of the IoT era and network applications with varied data requirements, chooses appropriate related attributes on the data plane, while allowing abnormal behavior and the related attributes to be defined according to application scenario requirements. It then uses a relatively stable classification regression tree to detect and judge data plane behavior, and uses the cache pool idea to keep the decision tree stable, so it can not only distinguish clearly normal behavior from clearly abnormal behavior but also handle intermediate behavior (behavior that is neither normal nor abnormal) according to the requirements of different application scenarios.
The invention is described below with reference to the accompanying drawings.
Fig. 1 is a flow chart of the router data plane abnormal behavior detection method based on a classification regression tree according to an embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
S1: Select multiple attributes according to data transmission requirements and application scenario requirements, and build from those attributes an attribute vector data set and a label data set consistent in size with the existing data. The label data set is labeled according to the router's historical operation records, and each label in it comprises a normal mark or an abnormal mark.
Specifically, the N necessary data transmission requirement attributes are determined, and M optional attributes are selected according to the specific application scenario requirements. In one embodiment of the invention, the data transmission requirements include one or more of source address, destination address, source port number, destination port number and data transmission type. The attributes corresponding to the application scenario requirements are user-defined; for example, for a certain application scenario, attributes such as data type, data size and data arrival and departure times are selected.
In one embodiment of the invention, step S1 further comprises:
S101: To ease construction of the classification regression tree, build from the historical data log an attribute vector of dimension N+M, $v = (l_1, \ldots, l_N, l_{N+1}, \ldots, l_{N+M})$, where N is the number of data transmission requirement attributes and M is the number of application scenario requirement attributes. Determine the attribute vector of each data record to form an attribute vector data set consistent in size with the existing data, $\Omega = \{v_1, \ldots, v_n\}$, where n is the size of the data set.
S102: According to the historical operation of the router, manually mark whether the behavior of each data record is abnormal. The label is a two-tuple $h = (h', h'')$, where $h'$ can take only two values, normal or abnormal (1 denotes normal, 0 denotes abnormal), and $h''$ is the ID code of the specific abnormal behavior. $h''$ supplements $h'$ by stating the specific behavior category (such as a DoS attack or a port scan). $h''$ may be null; in a later offline update, $h'$ of objects whose specific behavior type is uncertain is assigned according to the specific application scenario requirements to indicate whether they are normal (a user-defined decision). Each attribute vector corresponds to one label, forming the label data set $\Theta = \{h_1, h_2, \ldots, h_{n-1}, h_n\}$.
S2: Build the classification regression tree offline from the attribute vector data set and the label data set.
S201: Before the classification attribute is chosen by Gini index, the purity of data set Ω is expressed by the Gini value; the smaller the Gini index, the higher the purity. The Gini value is calculated as follows:
where $p_k$ denotes the proportion of class-k samples in the sample set, and $t_n$ and $t_u$ denote the number of normal categories and the number of abnormal categories respectively.
S202: The Gini index of each attribute involved is calculated by the following formula:
where $l_i$ is an attribute and $V_i$ denotes the number of possible values of attribute $l_i$.
S203: After the Gini indices of all attributes have been calculated over the whole sample data, the attribute with the smallest Gini index is chosen first as the splitting attribute and construction of the classification regression tree begins. For each node of the tree that has not reached the purity requirement, the Gini index of each attribute is calculated in turn, $a_i = \{a_1, a_2, \ldots, a_{N+M}\}$, and the attribute with the smallest Gini index $\min\{a_i\}$ is chosen as the splitting attribute of the current node: $\min\{a_i\} \to i$. The node is divided into child nodes on the chosen splitting attribute, and the purity of each child node (the proportion of correctly classified behaviors) is judged in turn. If the purity cannot be improved, or it reaches the threshold ε required by the specific application scenario (e.g. ε ≥ 0.85), splitting of the node stops; otherwise the node continues to be split according to step S203.
S204: To avoid overfitting of the decision tree, after the decision tree is built, decide whether to merge a non-leaf node into a leaf node according to whether doing so benefits the generalization ability of the decision tree.
S3: Detect abnormal behavior in new data using the classification regression tree.
S301: Extract each attribute value of the new data and execute the decision flow of the classification regression tree top-down. This directly recognizes abnormal behavior with prominent features, such as the common abnormal behaviors of port scanning and denial-of-service attacks.
S302: Unknown behavior that the classification regression tree cannot judge is cached, applying the cache pool idea. When the cached attribute vectors (which carry the details of the data) reach a predetermined quantity, offline training is performed and the decision tree is updated according to the offline training result, improving the scalability of the decision tree.
Fig. 2 is a schematic diagram of the router data plane unknown-behavior detection and caching process that needs to be performed in the router after the classification regression tree has been built, in one embodiment of the invention. As shown in Fig. 2, the decision flow of the classification regression tree is first executed top-down to recognize abnormal behavior with prominent features. The set of behaviors of unknown category is put into the cache pool for storage. After the unknown-category behaviors in the cache pool reach a certain number, the attribute values of the data are extracted offline and a clustering method is used to divide the unknown behaviors into several groups and determine whether new abnormal behavior exists, while these groups are manually given new category names and thus labeled. These new categories are then added to the data set and the decision tree is updated, making the decision tree more stable and more general.
To help those skilled in the art further understand the invention, it is described in detail through the following example.
As shown in Fig. 3, a classification regression tree is built from the historical data log using the selected data transmission requirements and application scenario requirements. The tree preferentially chooses the attribute with the smallest Gini index as the splitting attribute, and the same attribute appears at most once on the same path.
Suppose the classification regression tree built in this embodiment needs 6 data transmission requirement attributes, namely source address, destination address, source port number, destination port number, data transmission type and data type, i.e. N=6, and 2 application scenario requirement attributes, namely data size and whether the source address is the same as the destination address, i.e. M=2. Data extraction is then performed: for a large amount of historical data, the above M+N=6+2=8 attributes are extracted to build attribute vectors of length 8, such as v=(102.51.130.23, 99.6.130.4, 1, 4, u, v, s, 0). For the accuracy of the decision tree the data set cannot be too small; this embodiment assumes a data set size n of 5. After the attribute vectors are extracted, each attribute vector is labeled with a behavior category. For example, h=(0,1) denotes an abnormal behavior whose specific category h'' is the abnormal behavior category corresponding to 1, a DoS attack. Each abnormal behavior category is encoded with its own ID; for example, 2 denotes LandAttack. The resulting data set is shown in Table 1, where u denotes upload, d download, v video, m mail, r request, s small file and b big file.
Table 1: Training data set
With the labeled training data set in hand, the classification regression tree is created. During creation, every node is split on the attribute with the smallest Gini index. First, the Gini indices of the 8 attributes are calculated in turn over the whole data set (for illustration the data set has only 5 records; a real data set should have more than 10000). Of these, $l_8$ has the smallest Gini index, $\eta(\Omega, l_8) = 0$, so the attribute "whether the source address and destination address are the same" is chosen as the splitting attribute. Since $l_8$ has only two possible values, two child nodes are produced, and both reach the maximum purity of 100%, which is above the threshold ε (suggested value greater than 0.85), so no further splitting is needed and training of the decision tree is complete. Note that the data set in this embodiment is fairly simple. In actual use the data set should have at least 10000 records, so offline training also takes longer, but because the training is offline it does not affect detection efficiency. The actual decision tree structure is also far more complex than the three-node decision tree of this illustration.
After the decision tree has been created (the following is illustrated with a decision tree as it might actually look, not the three-node decision tree of the example above), behavior detection is performed on incoming data in turn. Data belonging to a LandAttack abnormal behavior descends the decision tree layer by layer. The first 2 layers may be unable to determine whether it is abnormal behavior. On reaching the 3rd layer, whose splitting attribute is "whether the source and destination addresses are the same", the decision tree takes the branch for attribute value "yes" and reaches a leaf node, which assigns the behavior the two-tuple (0,2), where the first item, 0, indicates abnormal behavior and the second item, 2, is the ID code identifying the specific abnormal behavior category. The router may then raise a behavior warning or directly take security measures.
A normal behavior reaches a normal-behavior leaf node after several layers of judgment in the decision tree and is assigned the two-tuple (1,0), where the first item, 1, indicates normal behavior and the 0 has no meaning.
A behavior of unknown specific category that, after several layers of judgment in the decision tree, reaches a child node where the behavior category cannot be determined is assigned the two-tuple (0,0), where the first item, 0, indicates abnormal behavior and the second item, 0, indicates that the abnormal behavior is unclassified and needs further human intervention. That is, for safety, this method provisionally treats all behavior other than clearly normal behavior as abnormal, but unclassified abnormal behavior can be cached. After a certain number have accumulated, they are labeled through human intervention to determine the abnormal behavior category, and they may also be assigned to normal behavior. The decision tree is then updated offline with the labeled cached data, improving the adaptability of the decision tree.
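The tree construction of steps S201 to S203 and the detection and cache pool flow of steps S301 and S302, as an added Python sketch that is not part of the patent text. The training records, the three-attribute subset, the pool size of 2 and the names `build`, `gini_index` and `Detector` are constructed for illustration. The patent's own Gini formulas are missing from this page, so the standard CART definitions are assumed; pruning (S204) and the clustering of cached records are left out.

```python
from collections import Counter

# Three of the embodiment's eight attributes, to keep the sample small (assumption).
ATTRS = ("dport", "dtype", "same_addr")
# Labels h = (h', h''): h' = 1 normal / 0 abnormal, h'' = abnormal-behavior ID.
NORMAL, DOS, LAND, UNKNOWN = (1, 0), (0, 1), (0, 2), (0, 0)

# Constructed training records (attribute vector v, label h); not from the patent.
TRAIN = [
    ((80, "v", 0), NORMAL), ((80, "r", 0), NORMAL), ((80, "r", 0), NORMAL),
    ((25, "m", 0), NORMAL), ((25, "m", 0), NORMAL), ((80, "v", 0), NORMAL),
    ((80, "r", 1), LAND),   ((25, "m", 1), LAND),
    ((53, "r", 0), DOS),    ((53, "r", 0), DOS),
]


def gini(labels):
    """Gini value of a label list: 1 - sum_k p_k^2 (standard CART form, assumed)."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def partition(rows, i):
    """Group rows by their value of attribute i."""
    parts = {}
    for v, h in rows:
        parts.setdefault(v[i], []).append((v, h))
    return parts


def gini_index(rows, i):
    """Size-weighted Gini value of the subsets produced by splitting on attribute i."""
    return sum(len(p) / len(rows) * gini([h for _, h in p])
               for p in partition(rows, i).values())


def build(rows, free, eps=0.85):
    """S203: return a leaf label, or a node {'attr': i, 'kids': {value: subtree}}."""
    label, count = Counter(h for _, h in rows).most_common(1)[0]
    if count / len(rows) >= eps or not free:   # purity reached, or cannot improve
        return label
    i = min(free, key=lambda a: gini_index(rows, a))
    rest = [a for a in free if a != i]         # an attribute is used once per path
    return {"attr": i,
            "kids": {val: build(p, rest, eps) for val, p in partition(rows, i).items()}}


class Detector:
    """Top-down detection with a cache pool for behavior the tree cannot judge."""

    def __init__(self, rows, pool_limit=2):
        self.rows, self.pool, self.pool_limit = list(rows), [], pool_limit
        self.tree = build(self.rows, list(range(len(ATTRS))))

    def detect(self, v):
        """S301/S302: walk the tree; an unseen branch yields (0, 0) and caches v."""
        node = self.tree
        while isinstance(node, dict):
            node = node["kids"].get(v[node["attr"]])
            if node is None:
                self.pool.append(v)
                return UNKNOWN
        return node

    def pool_full(self):
        """True once the cached vectors reach the predetermined quantity."""
        return len(self.pool) >= self.pool_limit

    def retrain(self, labels):
        """Offline update: add operator-labelled cached vectors and rebuild the tree."""
        self.rows += list(zip(self.pool, labels))
        self.pool = []
        self.tree = build(self.rows, list(range(len(ATTRS))))


if __name__ == "__main__":
    d = Detector(TRAIN)
    for v in [(80, "r", 1), (25, "m", 0), (443, "r", 0), (443, "v", 0)]:
        print(v, "->", d.detect(v))
    if d.pool_full():
        d.retrain([NORMAL, NORMAL])            # labels an operator would assign
        print((443, "r", 0), "->", d.detect((443, "r", 0)))
```

On this sample the root splits on the destination port and the "same address" test sits one layer lower, in line with the text's remark that a realistic tree reaches that attribute only after earlier layers.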
In the router data plane abnormal behavior detection method based on a classification regression tree of the embodiment of the invention, the classification regression tree is built offline from historical data, which adds no computational overhead to abnormal behavior detection on the router data plane. Once the complete decision tree is built, the router only needs to execute the abnormal behavior judgment top-down along the decision tree. The computational overhead is small, and the complete decision tree ensures high detection precision, so precision is maintained while efficiency is guaranteed. Behaviors that cannot be judged for the time being are, following the cache pool idea, analyzed and judged after a certain number have been cached. This effectively improves the robustness of the decision tree without updating it frequently, keeping the decision tree stable while also improving its scalability.
In addition, other components and effects of the router data plane abnormal behavior detection method based on a classification regression tree of the embodiment of the invention are known to those skilled in the art and are not repeated here, to reduce redundancy.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that specific features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of the invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the invention have been shown and described, those skilled in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principle and purpose of the invention, the scope of which is defined by the claims and their equivalents.
Claims (8)
1. A router data plane abnormal behavior detection method based on a classification regression tree, characterized by comprising the following steps:
S1: selecting multiple attributes according to data transmission requirements and application scenario requirements, and building from those attributes an attribute vector data set and a label data set consistent in size with the existing data, the label data set being labeled according to the router's historical operation records, and each label in the label data set comprising a normal mark or an abnormal mark;
S2: building the classification regression tree offline from the attribute vector data set and the label data set;
S3: detecting abnormal behavior in new data using the classification regression tree.
2. The router data plane abnormal behavior detection method based on a classification regression tree according to claim 1, characterized in that the data transmission requirements include source address, destination address, source port number, destination port number and data transmission type.
3. The router data plane abnormal behavior detection method based on a classification regression tree according to claim 1, characterized in that the application scenario requirements include data type, data size, and data arrival and departure times.
4. The router data plane abnormal behavior detection method based on a classification regression tree according to any one of claims 1-3, characterized in that step S1 further comprises:
S101: building, from the historical data log, an attribute vector of dimension N+M, $v = (l_1, \ldots, l_N, l_{N+1}, \ldots, l_{N+M})$, where N is the number of data transmission requirement attributes and M is the number of application scenario requirement attributes, and determining the attribute vector of each data record to form an attribute vector data set consistent in size with the existing data, $\Omega = \{v_1, \ldots, v_n\}$, where n is the size of the data set;
S102: according to the historical operation of the router, manually marking whether the behavior of each data record is abnormal with a two-tuple $h = (h', h'')$, where $h'$ is a normal mark or an abnormal mark and $h''$ is the ID code of the specific abnormal behavior, each attribute vector in the attribute vector data set corresponding to one label, thereby forming the label data set $\Theta = \{h_1, h_2, \ldots, h_{n-1}, h_n\}$.
5. The router data plane abnormal behavior detection method based on a classification regression tree according to claim 4, characterized in that step S2 further comprises:
S201: expressing the purity of data set Ω by a preset method of calculating the Gini value;
S202: calculating the Gini index of each attribute involved according to the purity of data set Ω;
S203: choosing the attribute with the smallest Gini index as the splitting attribute and building the classification regression tree.
6. The router data plane abnormal behavior detection method based on a classification regression tree according to claim 5, characterized by further comprising, after step S203:
S204: after the classification regression tree is built, deciding whether to merge a non-leaf node into a leaf node according to whether doing so benefits the generalization ability of the classification regression tree.
7. The router data plane abnormal behavior detection method based on a classification regression tree according to claim 1, characterized in that step S3 further comprises:
S301: extracting each attribute value of the new data and executing the decision flow of the classification regression tree top-down, to recognize abnormal behavior with prominent features.
8. The router data plane abnormal behavior detection method based on a classification regression tree according to claim 7, characterized by further comprising, after step S301:
S302: caching the attribute vectors of unknown behavior that the classification regression tree cannot judge, performing offline training when the unknown behavior reaches a predetermined quantity, and updating the classification regression tree according to the offline training result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611050332.6A CN106789912B (en) | 2016-11-22 | 2016-11-22 | Router data plane abnormal behavior detection method based on classification regression decision tree |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106789912A | 2017-05-31 |
CN106789912B | 2020-02-21 |
Family
ID=58910800
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611050332.6A Active CN106789912B (en) | 2016-11-22 | 2016-11-22 | Router data plane abnormal behavior detection method based on classification regression decision tree |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106789912B (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102130800A (en) * | 2011-04-01 | 2011-07-20 | 苏州赛特斯网络科技有限公司 | Device and method for detecting network access abnormality based on data stream behavior analysis |
US8997227B1 (en) * | 2012-02-27 | 2015-03-31 | Amazon Technologies, Inc. | Attack traffic signature generation using statistical pattern recognition |
CN104809125A (en) * | 2014-01-24 | 2015-07-29 | 腾讯科技(深圳)有限公司 | Method and device for identifying webpage categories |
CN105279691A (en) * | 2014-07-25 | 2016-01-27 | 中国银联股份有限公司 | Financial transaction detection method and equipment based on random forest model |
CN104794192A (en) * | 2015-04-17 | 2015-07-22 | 南京大学 | Multi-level anomaly detection method based on exponential smoothing and integrated learning model |
CN105024877A (en) * | 2015-06-01 | 2015-11-04 | 北京理工大学 | Hadoop malicious node detection system based on network behavior analysis |
CN105930723A (en) * | 2016-04-20 | 2016-09-07 | 福州大学 | Intrusion detection method based on feature selection |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107220921B (en) * | 2017-05-26 | 2020-09-29 | 西安木牛能源技术服务有限公司 | Verification method for data collected by energy consumption online monitoring system |
CN107220921A (en) * | 2017-05-26 | 2017-09-29 | 西安木牛能源技术服务有限公司 | A kind of verification method to energy consumption on-line monitoring system institute gathered data |
CN107612876A (en) * | 2017-07-18 | 2018-01-19 | 北京交通大学 | The detection method of service request bag extensive aggression in wisdom contract network |
CN108256550A (en) * | 2017-12-14 | 2018-07-06 | 北京木业邦科技有限公司 | A kind of timber classification update method and device |
CN110019074A (en) * | 2017-12-30 | 2019-07-16 | 中国移动通信集团河北有限公司 | Analysis method, device, equipment and the medium of access path |
CN110019074B (en) * | 2017-12-30 | 2021-03-23 | 中国移动通信集团河北有限公司 | Access path analysis method, device, equipment and medium |
CN108229573B (en) * | 2018-01-17 | 2021-05-25 | 北京中星微人工智能芯片技术有限公司 | Classification calculation method and device based on decision tree |
CN108229573A (en) * | 2018-01-17 | 2018-06-29 | 北京中星微人工智能芯片技术有限公司 | Classified calculating method and apparatus based on decision tree |
CN108737410A (en) * | 2018-05-14 | 2018-11-02 | 辽宁大学 | A kind of feature based is associated limited to know industrial communication protocol anomaly detection method |
CN108737410B (en) * | 2018-05-14 | 2021-04-13 | 辽宁大学 | Limited knowledge industrial communication protocol abnormal behavior detection method based on feature association |
CN109635056A (en) * | 2018-11-16 | 2019-04-16 | 海南电网有限责任公司信息通信分公司 | Electricity consumption address date processing method, device, computer equipment and storage medium |
CN109635056B (en) * | 2018-11-16 | 2021-01-22 | 海南电网有限责任公司信息通信分公司 | Power utilization address data processing method and device, computer equipment and storage medium |
CN111787594A (en) * | 2020-08-13 | 2020-10-16 | 桂林电子科技大学 | Decision tree algorithm-based unmanned aerial vehicle ad hoc network DSR protocol implementation method |
CN112669274A (en) * | 2020-12-23 | 2021-04-16 | 山东大学 | Multi-task detection method for pixel-level segmentation of surface abnormal region |
CN114757468A (en) * | 2022-02-18 | 2022-07-15 | 北京凡得科技有限公司 | Root cause analysis method for flow execution abnormity in flow mining |
CN114757468B (en) * | 2022-02-18 | 2023-09-29 | 北京凡得科技有限公司 | Root cause analysis method for process execution abnormality in process mining |
Also Published As
Publication number | Publication date |
---|---|
CN106789912B (en) | 2020-02-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||