CN106789912B - Router data plane abnormal behavior detection method based on classification regression decision tree - Google Patents



Publication number
CN106789912B
Authority
CN
China
Prior art keywords
data
decision tree
data set
classification regression
regression decision
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611050332.6A
Other languages
Chinese (zh)
Other versions
CN106789912A (en
Inventor
徐恪
赵乙
沈蒙
谭崎
吕亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a router data plane abnormal behavior detection method based on a classification regression decision tree, which comprises the following steps: selecting a plurality of attributes according to data transmission requirements and application scene requirements, constructing an attribute vector data set and a mark data set with the same data scale according to the attributes, wherein each mark in the mark data set comprises a normal value or an abnormal value; constructing a classification regression decision tree according to the attribute vector data set and the marking data set; and detecting abnormal behaviors of the new data according to the classification regression decision tree. The invention has the following advantages: compared with the existing router data plane anomaly detection method, the method has the advantages of small detection error, strong expansibility, stable performance and the like.

Description

Router data plane abnormal behavior detection method based on classification regression decision tree
Technical Field
The invention relates to the technical field of next generation internet security, in particular to a router data plane abnormal behavior detection method based on a classification regression decision tree.
Background
The next generation internet will certainly face the challenge of the interconnection of everything. As the Internet of Things (IoT) develops rapidly, abnormal behavior events on the data plane of network routers occur frequently. The abnormal behaviors are varied, and different IoT application scenarios may judge abnormal behavior inconsistently, so the next generation internet exposes new security problems on the data plane that urgently need a solution. Moreover, even in existing traditional networks, as network technology develops and networks grow in scale and richness, abnormal router data plane behavior occurs frequently and the resulting network security problems pose a huge security threat to users and countries, so a powerful, highly stable and extensible method for detecting abnormal router data plane behavior is also needed.
Abnormal behavior detection for the router data plane mainly relies on existing historical data, which is manually marked, to identify whether unknown data represents abnormal behavior. Existing methods for detecting abnormal router data plane behavior find it difficult to meet the requirements of timeliness and accuracy at the same time. With the development of machine learning, classification and clustering approaches have been widely applied to abnormal behavior detection on the router data plane. Compared with classification, clustering does not require the existing data to be marked and can learn the characteristics of abnormal behaviors by itself, but its computational cost is high, clustering-based detection of abnormal behavior is prone to errors, and the security of the router is difficult to guarantee. Classification requires labeled data, but the labeling can be completed offline and does not affect the efficiency of abnormal behavior detection in the router; its computational cost is low, it can meet the desired timeliness requirement, and the precision of classification-based abnormal behavior detection on the router data plane is generally better than that of clustering-based detection.
Disclosure of Invention
The present invention is directed to solving at least one of the above problems.
Therefore, the invention aims to provide a router data plane abnormal behavior detection method based on a classification regression decision tree, which solves the problem that abnormal behavior in the next generation internet is difficult to detect accurately because the interconnection of everything makes behavior types complex.
In order to achieve the above object, an embodiment of the present invention discloses a method for detecting abnormal behavior of a router data plane based on a classification regression decision tree, which includes the following steps:
S1: selecting a plurality of attributes according to data transmission requirements and application scene requirements, and constructing an attribute vector data set and a marked data set with consistent data sizes according to the attributes, wherein the marked data set is marked according to historical operating records of a router, and each mark in the marked data set comprises a normal mark or an abnormal mark;
S2: constructing a classification regression decision tree offline according to the attribute vector data set and the marking data set;
S3: detecting abnormal behaviors of the new data according to the classification regression decision tree.
The method can accurately detect known abnormal behaviors and, using the idea of a cache pool, can cache uncertain behaviors that are neither normal nor abnormal and let each application scenario define for itself whether such behaviors are abnormal, thereby enhancing the security of the next generation internet. More importantly, compared with existing router data plane anomaly detection methods, the method has the advantages of small detection error, strong extensibility and stable performance.
In addition, the method for detecting abnormal behavior of a router data plane based on a classification regression decision tree according to the above embodiment of the present invention may further have the following additional technical features:
Further, the data transmission requirements include a source address, a destination address, a source port number, a destination port number, and a data transmission type.
Further, the application scenario requirements include data type, data size, data arrival and departure time.
Further, step S1 further includes: S101: establishing, according to the historical data log, an attribute vector of dimension N + M, $v = (l_1, \ldots, l_N, l_{N+1}, \ldots, l_{N+M})$, where N is the number of attributes for the data transmission requirements and M is the number of attributes for the application scenario requirements; determining the attribute vector of each data item; and forming an attribute vector data set $\Omega = \{v_1, \ldots, v_n\}$ of the same scale as the existing data, where n is the size of the data set; S102: according to the historical operation of the router, manually marking whether each data behavior is abnormal by means of a binary group $h = (h', h'')$, where $h'$ is a normal mark or an abnormal mark and $h''$ represents the ID codes corresponding to different abnormal behaviors; each attribute vector in the attribute vector data set corresponds to one mark, thereby forming a marking data set $\Theta = \{h_1, h_2, \ldots, h_{n-1}, h_n\}$.
Further, step S2 further includes: S201: reflecting the purity of the data set $\Omega$ according to a preset calculation method for the Gini value; S202: calculating the Gini index of each attribute involved according to the purity of the data set $\Omega$; S203: selecting the attribute with the minimum Gini index as the partition attribute, and constructing the classification regression decision tree.
Further, after step S203, the method further includes: S204: after the classification regression decision tree is constructed, determining whether to merge non-leaf nodes into leaf nodes according to whether the non-leaf nodes help enhance the generalization ability of the classification regression decision tree.
Further, step S3 further includes: S301: extracting each attribute value of the new data, and executing the judgment process of the classification regression decision tree from top to bottom so as to identify abnormal behaviors with prominent features.
Further, after step S301, the method further includes: S302: caching unknown behaviors which cannot be judged by the classification regression decision tree, performing offline training when the unknown behaviors reach a preset number, and updating the classification regression decision tree according to the offline training result.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
Fig. 1 is a flowchart of a method for detecting abnormal behavior of a router data plane based on a classification regression decision tree according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the router data plane unknown behavior detection caching process that needs to be executed in the router after the classification regression decision tree is constructed in an embodiment of the present invention;
Fig. 3 is a detailed flowchart of a method for detecting abnormal behavior of a router data plane based on a classification regression decision tree according to an embodiment of the present invention.
Detailed Description
The embodiments of the invention will be described in detail hereinafter, examples of which are illustrated in the accompanying drawings, and the embodiments described hereinafter with reference to the drawings are illustrative only and are not to be construed as limiting the invention.
In the description of the present invention, it is to be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
These and other aspects of embodiments of the invention will be apparent with reference to the following description and attached drawings. In the description and drawings, particular embodiments of the invention have been disclosed in detail as being indicative of some of the ways in which the principles of the embodiments of the invention may be practiced, but it is understood that the scope of the embodiments of the invention is not limited correspondingly. On the contrary, the embodiments of the invention include all changes, modifications and equivalents coming within the spirit and terms of the claims appended hereto.
The inventors of the present invention found through extensive study that classification-based abnormal behavior detection has seen limited application to the router data plane. This is mainly because the classification methods of traditional machine learning are chiefly suited to image or video data, and it is difficult to find suitable characteristic attributes in the router data plane. The present method selects suitable data plane attributes in view of the complex IoT devices and the many network applications with different data requirements in the IoT era, while allowing abnormal behaviors and the related attributes to be customized according to application scenario requirements. A stable classification regression decision tree is then used to detect and judge data plane behaviors, and the cache pool idea is used to keep the decision tree stable, so that clearly normal and clearly abnormal behaviors can be distinguished and intermediate behaviors (behaviors that are neither normal nor abnormal) can be handled according to the requirements of different application scenarios.
The invention is described below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a method for detecting abnormal behavior of a router data plane based on a classification regression decision tree according to an embodiment of the present invention. As shown in fig. 1, a method for detecting abnormal behavior of a router data plane based on a classification regression decision tree includes the following steps:
S1: selecting a plurality of attributes according to data transmission requirements and application scene requirements, and constructing an attribute vector data set and a marking data set with consistent data scale according to the attributes, wherein the marking data set is marked according to the historical operation record of the router, and each mark in the marking data set comprises a normal mark or an abnormal mark.
Specifically, N necessary data transmission requirement attributes are determined and M optional attributes are selected according to specific application scenario requirements. In one embodiment of the invention, the data transmission requirements include one or more of a source address, a destination address, a source port number, a destination port number, and a data transmission type. The attributes corresponding to the application scenario requirements are customized; for example, for a certain application scenario, attributes such as data type, data size, and data arrival and departure time are selected.
In one embodiment of the present invention, step S1 further includes:
S101: To facilitate the creation of a classification regression decision tree, an attribute vector of dimension N + M, $v = (l_1, \ldots, l_N, l_{N+1}, \ldots, l_{N+M})$, is established according to the historical data log, where N is the number of attributes for the data transmission requirements and M is the number of attributes for the application scenario requirements. The attribute vector of each data item is determined, and an attribute vector data set $\Omega = \{v_1, \ldots, v_n\}$ of the same scale as the existing data is formed, where n is the size of the data set.
S102: Whether each data behavior is abnormal is manually marked according to the historical operation of the router. The mark is a binary group $h = (h', h'')$, where $h'$ can only be the normal value or the abnormal value (1 indicates normal, 0 indicates abnormal) and $h''$ indicates the ID codes corresponding to different abnormal behaviors; $h''$ is a supplement to $h'$ and indicates the specific behavior category (such as DOS attacks and port scans). $h'$ can be a null value; the subsequent offline update then assigns $h'$ for objects whose specific behavior type has not been determined, according to the specific application scenario requirements, to indicate whether they are normal (a user-defined notion of normal). Each attribute vector corresponds to one mark, thereby forming a marking data set $\Theta = \{h_1, h_2, \ldots, h_{n-1}, h_n\}$.
S2: constructing a classification regression decision tree offline according to the attribute vector data set and the marking data set.
S201: Before the classification attributes are selected according to the Gini index, the purity of the data set $\Omega$ is expressed by the Gini value; the smaller the Gini index, the higher the purity. The Gini value is calculated as follows:
where $p_k$ represents the proportion of the $k$-th class of samples in the sample set, and $t_n$ and $t_u$ indicate the number of normal classes and the number of abnormal classes, respectively.
S202: The Gini index of each attribute involved is calculated according to the following formula:
Figure BDA0001158916160000052
where $l_i$ is a certain attribute, and $V_i$, representing an attribute $l_i$, is measured in the same manner as (2).
S203: After the Gini indices of all attributes have been calculated over the whole sample data, the attribute with the minimum Gini index is preferentially selected as the partition attribute, and construction of the classification regression decision tree begins. For each node that does not meet the purity requirement of the classification regression decision tree, the Gini index of each attribute is calculated in turn, $a_i = \{a_1, a_2, \ldots, a_{N+M}\}$, and the attribute with the minimum Gini index $\min\{a_i\}$ is selected as the partition attribute of the current node: $\min\{a_i\} \to i$. The selected partition attribute is thereby used to divide the node into child nodes, and the purity (proportion of correctly classified behaviors) of each child node is judged in turn. If the purity cannot be improved, or reaches the threshold $\varepsilon$ required by the specific application scenario (for example, $\varepsilon \geq 0.85$), division of the node stops; otherwise, the node continues to be divided according to step S203.
S204: To avoid over-fitting of the decision tree, after the decision tree is established, whether to merge non-leaf nodes into leaf nodes is determined according to whether the non-leaf nodes help enhance the generalization capability of the decision tree.
S3: detecting abnormal behaviors of the new data according to the classification regression decision tree.
S301: The attribute values of the new data are extracted and the judgment process of the classification regression decision tree is executed from top to bottom, directly identifying abnormal behaviors with prominent features, such as the common abnormal behaviors of port scanning and denial-of-service attack.
S302: Unknown behaviors that the classification regression decision tree cannot judge are cached. Applying the cache pool idea, offline training is performed when the cached attribute vectors (with the detailed information of the data) reach a preset number, and the decision tree is updated according to the offline training result, improving the extensibility of the decision tree.
Fig. 2 is a schematic diagram of the router data plane unknown behavior detection caching process that needs to be executed in a router after a classification regression decision tree is constructed in an embodiment of the present invention. As shown in fig. 2, the judgment process of the classification regression decision tree is first performed from top to bottom to identify abnormal behaviors with prominent features. The set of behaviors of unknown category is put into a cache pool for storage. After the unknown-category behaviors in the cache pool reach a certain number, the attribute values of the data are extracted offline, the unknown behaviors are divided into several groups by a clustering method, it is determined whether new abnormal behaviors exist, and the groups are named and marked manually. The new categories are then added to the data set and the decision tree is updated, so that the decision tree becomes more stable and generalizes better.
In order that those skilled in the art will further understand the present invention, the following examples are given for illustration and description.
As shown in fig. 3, a classification regression decision tree is established from the attributes selected, according to the historical data log, for the data transmission requirements and application scene requirements; the classification regression decision tree preferentially selects the attribute with the minimum Gini index as the partition attribute, and the same attribute appears at most once in the same path.
It is assumed that the classification regression decision tree constructed in this embodiment needs 6 data transmission requirement attributes, which are respectively a source address, a destination address, a source port number, a destination port number, a data transmission type, and a data type, that is, N = 6; meanwhile, 2 application scene requirement attributes are required, which are respectively the data size and whether the source address and the destination address are consistent, that is, M = 2. Subsequently, data extraction is performed: for a large amount of history data, the aforementioned N + M = 6 + 2 = 8 attributes are extracted, thereby constructing an attribute vector of length 8, such as $v = (102.51.130.23, 99.6.130.4, 1, 4, u, v, s, 0)$. For the accuracy of the decision tree, the data set cannot be too small; the present embodiment assumes a data set size of n = 5. After the attribute vectors are extracted, a behavior class is marked for each attribute vector; for example, $h = (0, 1)$ indicates an abnormal behavior, and the specific class $h''$ is a DOS attack, which is the abnormal behavior class corresponding to 1. Here, respective IDs are encoded for different abnormal behavior categories, for example, 2 denotes LandAttack, and the data set is configured as in table 1, where u denotes upload, d denotes download, v denotes video, m denotes mail, r denotes request, s denotes small file, and b denotes large file.
Figure BDA0001158916160000061
TABLE 1 training data set
Once a labeled training data set is available, a classification regression decision tree is created. During creation, for each division of a node, the attribute with the minimum Gini index is selected as the partition attribute of that node. First, the Gini indices of the 8 attributes are computed in turn over the entire data set (in this example the data set has only 5 records; an actual data set should be larger than 10000). Attribute $l_8$ has the minimum Gini index, $\eta(\Omega, l_8) = 0$, so the attribute "whether the source address and the destination address are consistent" is selected as the partition attribute. Because $l_8$ takes only two possible values, two child nodes are generated, and both child nodes reach the maximum purity of 100%, which is necessarily larger than the threshold $\varepsilon$ (the suggested value is larger than 0.85), so decision tree training is complete and no further division is needed. It should be noted that the data set in this embodiment is simple; in actual use the data set is at least larger than 10000, so the offline training process is also long, but because training is offline the detection efficiency is not affected, and the actual decision tree structure is far more complicated than the three-node decision tree in the example.
After the decision tree has been created successfully (the following is illustrated with a realistic decision tree rather than the three-node decision tree of the foregoing example), behavior detection is performed on incoming data in turn. For data exhibiting the LandAttack abnormal behavior, the data descends layer by layer in the decision tree. The first 2 layers may not be able to determine whether the behavior is abnormal; on reaching layer 3, where the attribute "whether the source address is consistent with the destination address" is used as the partition attribute, the decision tree follows the branch with the attribute value "yes", thereby reaching a leaf node and assigning the binary group (0, 2) to the behavior, where the first item 0 represents abnormal behavior and the second item, the ID code, identifies the specific abnormal behavior category. The router may subsequently issue a behavior warning or take security measures directly.
For a normal behavior, a normal-behavior leaf node is reached after several levels of judgment in the decision tree, and the binary group (1, 0) is assigned, where the first item 1 represents normal behavior and the second item 0 carries no meaning.
For a behavior of unknown specific category, after several levels of judgment in the decision tree, a child node that cannot determine the behavior category is reached, and the assigned binary group is (0, 0), where the first item 0 represents abnormal behavior and the second item 0 represents that the abnormal behavior category is unknown and further human intervention is needed. That is, for safety, the method temporarily treats all behaviors other than normal behavior as abnormal, but caches the abnormal behaviors whose categories are unknown; after a certain number is reached, they are marked through human intervention, which determines their categories and may reclassify some of them as normal behaviors. The decision tree is then updated offline using the marked cache data, improving the adaptability of the decision tree.
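The following Python example is added here and is not from the patent; it carries out S201 to S203 and S301 to S302 on a constructed data set. Because the formula images and Table 1 are not reproduced on this page, it assumes the standard CART definitions (Gini value 1 − Σ p_k², Gini index as the size-weighted Gini value of each attribute value's subset), one child node per attribute value, and the mark (0, 0) for impure leaves and unseen attribute values; all function and class names are hypothetical.

```python
from collections import Counter

NORMAL, ABNORMAL = 1, 0
UNKNOWN = (ABNORMAL, 0)   # h = (0, 0): treated as abnormal, category unknown
N, DOS, LAND = (NORMAL, 0), (ABNORMAL, 1), (ABNORMAL, 2)   # marks h = (h', h'')

# Constructed training set (not the patent's Table 1). Attribute order:
# src, dst, src port, dst port, transfer (u/d), data type (v/m/r), size (s/b), src == dst
TRAIN = [
    (("10.0.0.1", "10.0.0.9", 1, 4, "u", "v", "s", 0), N),
    (("10.0.0.1", "10.0.0.9", 1, 4, "d", "m", "s", 0), N),
    (("10.0.0.2", "10.0.0.9", 2, 4, "u", "v", "b", 0), N),
    (("10.0.0.2", "10.0.0.2", 2, 4, "u", "r", "s", 1), LAND),
    (("10.0.0.9", "10.0.0.9", 1, 4, "d", "r", "s", 1), LAND),
    (("10.0.0.1", "10.0.0.1", 1, 4, "u", "v", "s", 1), LAND),
    (("10.0.0.1", "10.0.0.9", 2, 4, "u", "r", "s", 0), DOS),
    (("10.0.0.2", "10.0.0.9", 1, 4, "u", "r", "s", 0), DOS),
]

def gini(labels):
    """S201: Gini value of a set of marks (assumed standard form 1 - sum p_k^2)."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def gini_index(rows, labels, i):
    """S202: Gini index of attribute i, the size-weighted Gini value per value."""
    groups = {}
    for row, h in zip(rows, labels):
        groups.setdefault(row[i], []).append(h)
    return sum(len(g) / len(rows) * gini(g) for g in groups.values())

def build(rows, labels, attrs, eps=0.85):
    """S203: split on the minimum-Gini attribute until purity reaches eps."""
    top, count = Counter(labels).most_common(1)[0]
    if count / len(labels) >= eps:
        return top                      # leaf: the dominant (h', h'') mark
    if not attrs:
        return UNKNOWN                  # impure and nothing left to split on
    best = min(attrs, key=lambda i: gini_index(rows, labels, i))
    if gini_index(rows, labels, best) >= gini(labels):
        return UNKNOWN                  # purity cannot be improved
    rest = [a for a in attrs if a != best]   # an attribute appears once per path
    children = {}
    for value in {row[best] for row in rows}:
        keep = [k for k, row in enumerate(rows) if row[best] == value]
        children[value] = build([rows[k] for k in keep],
                                [labels[k] for k in keep], rest, eps)
    return {"attr": best, "children": children}

def classify(tree, v):
    """S301: walk the tree top-down; an unseen attribute value yields (0, 0)."""
    node = tree
    while isinstance(node, dict):
        node = node["children"].get(v[node["attr"]], UNKNOWN)
    return node

class Detector:
    """S301 + S302: online judgment plus a cache pool for unknown behaviors."""
    def __init__(self, rows, labels, pool_limit=2, eps=0.85):
        self.rows, self.labels = list(rows), list(labels)
        self.pool, self.pool_limit, self.eps = [], pool_limit, eps
        self._train()

    def _train(self):
        attrs = list(range(len(self.rows[0])))
        self.tree = build(self.rows, self.labels, attrs, self.eps)

    def detect(self, v):
        h = classify(self.tree, v)
        if h == UNKNOWN:
            self.pool.append(v)         # cache the attribute vector for marking
        return h

    def pool_full(self):
        return len(self.pool) >= self.pool_limit

    def update(self, marks):
        """Offline step: add the manual marks for pooled vectors and rebuild."""
        if len(marks) != len(self.pool):
            raise ValueError("one mark per cached vector is required")
        self.rows += self.pool
        self.labels += list(marks)
        self.pool = []
        self._train()

def run_demo():
    det = Detector([r for r, _ in TRAIN], [h for _, h in TRAIN])
    land = det.detect(("10.0.0.7", "10.0.0.7", 5, 4, "u", "v", "s", 1))
    new1 = det.detect(("10.0.0.4", "10.0.0.9", 3, 4, "u", "t", "s", 0))
    new2 = det.detect(("10.0.0.5", "10.0.0.9", 3, 4, "u", "t", "s", 0))
    if det.pool_full():
        det.update([N, N])              # the operator marks data type "t" as normal
    after = det.detect(("10.0.0.6", "10.0.0.9", 3, 4, "u", "t", "s", 0))
    return land, new1, new2, after

if __name__ == "__main__":
    print(run_demo())
```

If every record carries a unique raw address, each address value forms a pure one-row subset and the address attribute's Gini index is 0, so address attributes need repeated or coarsened values, as in the constructed set, for the chosen split to generalize.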
According to the router data plane abnormal behavior detection method based on the classification regression decision tree, the classification regression decision tree is constructed offline from historical data, so no computational cost is added to abnormal behavior detection on the router data plane. Moreover, once the complete decision tree is established, the router only needs to judge abnormal behaviors from top to bottom according to the decision tree, so the calculation cost is low, and the complete decision tree ensures high detection precision, so precision is ensured together with efficiency. For behaviors that cannot be judged for the time being, the cache pool idea is used: analyzing and judging them only after a certain number have been cached effectively improves the robustness of the decision tree, avoids updating the decision tree frequently, guarantees the stability of the decision tree, and at the same time improves its extensibility.
In addition, other configurations and functions of the method for detecting abnormal behavior of a router data plane based on a classification regression decision tree according to the embodiment of the present invention are known to those skilled in the art, and are not described in detail for reducing redundancy.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

Claims (5)

1. A router data plane abnormal behavior detection method based on a classification regression decision tree is characterized by comprising the following steps:
S1: selecting a plurality of attributes according to data transmission requirements and application scene requirements, and constructing an attribute vector data set and a marked data set which are consistent with the existing data size according to the attributes, wherein the marked data set is marked according to the historical operating record of the router, and each mark in the marked data set comprises a normal mark or an abnormal mark;
step S1 further includes:
S101: establishing, according to the historical data log, an attribute vector of dimension N + M, $v = (l_1, \ldots, l_N, l_{N+1}, \ldots, l_{N+M})$, wherein N is the number of attributes required by the data transmission and M is the number of attributes required by the application scenario; determining the attribute vector of each data item; and forming an attribute vector data set $\Omega = \{v_1, \ldots, v_n\}$ with the same scale as the existing data, where n is the size of the data set;
S102: according to the operation condition of a historical router, manually marking whether data behaviors are abnormal or not through a binary group $h = (h', h'')$, wherein $h'$ is 1 to represent a normal mark or 0 to represent an abnormal mark, $h''$ represents ID codes corresponding to different abnormal behaviors, 0 represents that the behavior type is unknown, and non-0 represents that the behavior type is known; each attribute vector in the attribute vector data set corresponds to a mark respectively, thereby forming a marking data set $\Theta = \{h_1, h_2, \ldots, h_{n-1}, h_n\}$;
S2: constructing a classification regression decision tree offline according to the attribute vector data set and the marking data set;
S3: detecting abnormal behaviors of the new data according to the classification regression decision tree;
step S3 further includes:
S301: extracting each attribute value of the new data, and executing a judgment process of the classification regression decision tree from top to bottom so as to identify abnormal behaviors with prominent features;
further included after step S301 is:
S302: caching the attribute vectors of unknown behaviors which cannot be judged by the classification regression decision tree, performing offline training when the unknown behaviors reach a preset number, and updating the classification regression decision tree according to an offline training result, wherein the labeled data corresponding to the unknown behaviors which cannot be judged is $h = (0, 0)$.
2. The method of claim 1, wherein the data transmission requirements comprise a source address, a destination address, a source port number, a destination port number, and a data transmission type.
3. The method of claim 1, wherein the application scenario requirements include data type, data size, data arrival and departure time.
4. The method for detecting abnormal behavior of router data plane based on classification regression decision tree as claimed in claim 1, wherein step S2 further comprises:
S201: reflecting the purity of the data set Ω according to a preset Gini value calculation method;
S202: calculating, from the purity of the data set Ω, a Gini index for each attribute involved;
S203: selecting the attribute with the minimum Gini index as the partition attribute, and constructing the classification regression decision tree.
5. The method for detecting abnormal behaviors of data plane of router based on classification regression decision tree as claimed in claim 4, further comprising after step S203:
S204: after the classification regression decision tree is constructed, determining whether non-leaf nodes are merged into leaf nodes according to whether doing so is beneficial to enhancing the generalization ability of the classification regression decision tree.
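The following Python example is added here and is not part of the patent text; it carries steps S201 to S203 and S301 to S302 through on a constructed data set. The three attributes, the ID codes in h'', marking normal data as (1, 0), the equality-test binary splits, and treating an attribute value never seen in training as "cannot be judged" are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: v = (dst_port, transport, size_class), h = (h', h'').
# h' = 1 normal / 0 abnormal; the h'' ID codes 1 and 2 are made up.
OMEGA = [(80, "tcp", "small"), (443, "tcp", "small"), (53, "udp", "small"),
         (53, "udp", "large"), (53, "udp", "large"), (23, "tcp", "small"),
         (23, "tcp", "small"), (443, "tcp", "large")]
THETA = [(1, 0), (1, 0), (1, 0), (0, 1), (0, 1), (0, 2), (0, 2), (1, 0)]

def gini(labels):
    """S201: Gini value 1 - sum(p_k^2) of a label set; 0.0 means pure."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def gini_index(rows, labels, attr, val):
    """S202: weighted Gini value of the binary split rows[attr] == val."""
    yes = [h for v, h in zip(rows, labels) if v[attr] == val]
    no = [h for v, h in zip(rows, labels) if v[attr] != val]
    if not yes or not no:
        return None                       # split separates nothing
    return (len(yes) * gini(yes) + len(no) * gini(no)) / len(labels)

def build(rows, labels, domain=None):
    """S203: split on the (attribute, value) pair with the smallest Gini index."""
    domain = domain or [{v[a] for v in rows} for a in range(len(rows[0]))]
    if gini(labels) == 0.0:
        return labels[0]                  # pure leaf holds one mark h
    cands = [(round(g, 9), a, str(val), val)
             for a in range(len(rows[0])) for val in {v[a] for v in rows}
             if (g := gini_index(rows, labels, a, val)) is not None]
    if not cands:                         # identical vectors, mixed marks
        return Counter(labels).most_common(1)[0][0]
    _, a, _, val = min(cands, key=lambda c: c[:3])
    part = lambda keep: zip(*[(v, h) for v, h in zip(rows, labels)
                              if (v[a] == val) == keep])
    return {"attr": a, "val": val, "seen": domain[a],
            "yes": build(*part(True), domain), "no": build(*part(False), domain)}

def detect(tree, v, cache):
    """S301: walk the tree top-down. S302: an attribute value never seen in
    training (assumed criterion) cannot be judged: cache v, return h = (0, 0)."""
    while isinstance(tree, dict):
        if v[tree["attr"]] not in tree["seen"]:
            cache.append(v)
            return (0, 0)
        tree = tree["yes"] if v[tree["attr"]] == tree["val"] else tree["no"]
    return tree

TREE = build(OMEGA, THETA)
```

Once the cache reaches the preset number of S302, the cached vectors would be marked and appended to OMEGA and THETA before `build` is run again offline.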
CN201611050332.6A 2016-11-22 2016-11-22 Router data plane abnormal behavior detection method based on classification regression decision tree Active CN106789912B (en)

Publications (2)

Publication Number Publication Date
CN106789912A CN106789912A (en) 2017-05-31
CN106789912B true CN106789912B (en) 2020-02-21

Family

ID=58910800

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant