CN106850658B - Method for detecting malicious network behavior with real-time online learning - Google Patents


Info

Publication number
CN106850658B
Authority
CN
China
Prior art keywords
user
network
inconsistency
feature vector
network behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710110112.6A
Other languages
Chinese (zh)
Other versions
CN106850658A (en)
Inventor
王志
田美琦
秦枚林
贾春福
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Yunan Technology Development Co Ltd
Nankai University
Original Assignee
Tianjin Yunan Technology Development Co Ltd
Nankai University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin Yunan Technology Development Co Ltd, Nankai University filed Critical Tianjin Yunan Technology Development Co Ltd
Priority to CN201710110112.6A priority Critical patent/CN106850658B/en
Publication of CN106850658A publication Critical patent/CN106850658A/en
Application granted granted Critical
Publication of CN106850658B publication Critical patent/CN106850658B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for detecting malicious network behavior with real-time online learning. The invention does not need a malicious behavior detection model to be trained in advance: it analyzes the user's network behavior in real time, absorbs the user's behavioral habits, and detects malicious network behavior in real time based on a confidence level set by the user. First, the features of a network behavior are extracted and assembled into a feature vector for that behavior. The feature vectors of a large number of the user's normal network behaviors form a feature matrix. Second, an inconsistency metric function is chosen, the inconsistency score between each feature vector in a feature matrix and that matrix is calculated, and the p-value statistic of each feature vector is computed from the results. The nature of a behavior is judged by comparing the p-value of the network behavior with the confidence level given by the user. Finally, the above process is repeated for each newly discovered unknown behavior: if it is judged malicious, it is reported to the user; otherwise the behavior is absorbed into the user's normal behavior set and serves as input to the next detection.

Description

Method for detecting malicious network behavior with real-time online learning
[Technical field]: The invention belongs to the field of computer anti-virus technology.
[Background]: According to AV-Test's statistical report for the most recent year, more than 380,000 new malicious samples are found per day on average, far beyond the capacity of manual analysis. Machine learning is now recognized as the main method for analyzing and identifying malicious code at this scale. However, malicious behavior keeps evolving and mutating. In the field of malicious code detection, the degradation of machine learning models is a relatively serious problem: after a period of time, to maintain the detection rate, the malicious behavior detection model has to be retrained and its thresholds redefined. A detection method is therefore needed that can be updated in real time, dynamically absorbs newly discovered knowledge, and analyzes and detects malicious behavior in real time according to the knowledge base of user behavior and the error probability acceptable to the user.
[Summary of the invention]: The object of the invention is to solve the problem that existing machine learning models degrade seriously, by proposing a method for detecting malicious network behavior with real-time online learning. Based on the user's real-time behavior, the method absorbs newly discovered knowledge in real time, improves the knowledge base of user behavior, updates the detection model in real time, and detects malicious network behavior within the error probability acceptable to the user.
Technical solution of the invention
The method for detecting malicious network behavior with real-time online learning comprises:
Step 1, basic concepts of the invention:
(1) Malicious network behavior: in the present invention, malicious network behavior refers to behavior that uses data packets as its carrier and that, without clearly notifying the user or without the user's permission, is carried out over the network against the user's computer or other terminals and infringes the user's legitimate rights and interests.
(2) Inconsistency function: describes the inconsistency between one sample and a group of samples. Its input is a group of samples and one test sample, and its output is a numerical value, also called the inconsistency score. The inconsistency scores of different samples against the same group of samples can be compared: the higher the score, the more inconsistent the sample is with the group; the lower the score, the more consistent it is.
(3) p-value statistic: describes the percentile of one sample's inconsistency score within a group of samples. Its value lies between 0 and 1 and characterizes, from a statistical point of view, the similarity between one sample and a group of samples.
Step 2, extraction of network behavior features
2.1 Determine the representation granularity of a network behavior. The options include: packet-level granularity, where each data packet represents one network behavior; NetFlow-level granularity, where all the network data of one network connection represents one network behavior; and application-level granularity, where all the data packets of one application process represent one network behavior.
2.2 Extract the features f of the network behavior. Different network behavior features f can be chosen for different data sets. Time-related features include timestamp, duration, interval time, period and frequency. Volume-related features include the number of packets sent, the number of packets received, the number of bytes sent, the number of bytes received and data entropy. Protocol-related features include TCP, UDP, HTTP, DNS and SSH. Topology-related features include source IP address, destination IP address, source port number, destination port number, the distribution of port numbers and the entropy of the port number set.
2.3 Select features and abstract the network behavior into a feature vector V. From the available network behavior features, n features are selected to form the feature vector V(f1, f2, ..., fn). The selected features serve as the abstract representation of the network behavior, mapping the binary network data to a feature vector made up of those features.
2.4 Represent the user's normal behavior set as a feature matrix. The user's normal behavior set contains N behaviors, each represented by a feature vector V_i of the same structure, 1 ≤ i ≤ N. These N feature vectors are combined into the user's normal behavior feature matrix C. Each column of the feature matrix represents one feature, and each row represents the feature vector of one network behavior.
Step 3, measuring the consistency between a network behavior and the user's normal behavior
3.1 Determine the inconsistency metric function A(V, C). Its input is the network behavior feature vector V and the user's normal behavior feature matrix C, and its return value is the inconsistency score s of V and C. The inconsistency metric function A can be any function that can express inconsistency, for example a common distance function, which calculates the distance between the feature vector V and the user's normal behavior feature matrix C as the inconsistency score.
3.2 Calculate the inconsistency scores of the network behavior feature vector V and of the vectors in the user's normal behavior feature matrix C. The feature vector V under test is placed into the matrix C as its last vector, forming a new matrix C'. Each feature vector V_i, 1 ≤ i ≤ N+1, is taken out of C' in turn, and the inconsistency metric function is used to calculate the inconsistency score s_i between V_i and the matrix that remains after V_i is removed. In the end an inconsistency score has been calculated for all N+1 vectors, and the inconsistency score of the feature vector V and the feature matrix C is s_{N+1}.
3.3 Calculate the p-value statistic of the network behavior feature vector V relative to the user's normal behavior feature matrix C. In the calculation of step 3.2, the inconsistency score of V and C is s_{N+1}. When the inconsistency metric function is a distance function, the inconsistency score represents the distance between V and C, and the number of feature vectors whose inconsistency score is greater than or equal to s_{N+1} is counted: M = |{j : s_j ≥ s_{N+1}}|. When the inconsistency metric function is a similarity function, the inconsistency score represents the degree of similarity between V and C, and the number of feature vectors whose inconsistency score is less than s_{N+1} is counted: M = |{j : s_j < s_{N+1}}|. The p-value statistic of V relative to C is p-value = M/(N+1).
Step 4, detection of malicious network behavior with real-time online learning
4.1 The user gives an acceptable confidence level Conf; the user only accepts detection results whose accuracy is above Conf.
4.2 The maximum acceptable error rate is calculated as ε = 1 - Conf.
4.3 If the p-value of the network behavior feature vector V with respect to the user's normal behavior feature matrix C is less than or equal to ε, then with confidence Conf the network behavior is predicted to be malicious network behavior. It can then be handled by the processing method the user has set, for example by blocking the connection of that network behavior.
4.4 If the detection result shows that the network behavior is not malicious, the feature vector V of the network behavior is automatically absorbed into the user's normal behavior feature matrix C, producing an updated user normal behavior feature matrix. The original feature matrix expires: subsequent detections no longer use the original matrix but the newest matrix C.
4.5 The above process is repeated for each newly discovered unknown network behavior. If the result is malicious behavior, it is given special handling; if the result is normal behavior, it is absorbed into the user's normal behavior set. The user's normal behavior set thus keeps absorbing new normal behavior during detection, is gradually updated, and reflects the newest normal behavior pattern. The detection of each unknown behavior is likewise based on the newest normal behavior set, so the degradation problem of traditional detection models does not arise, which improves the precision of malicious network behavior detection.
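Steps 3.1 to 4.5 as a runnable sketch; this is an added example, not code from the patent. The names `centroid_distance`, `centroid_similarity` and `OnlineDetector`, the choice of centroid distance as A(V, C), and the two-feature baseline, drift and probe values are all constructed assumptions, and the features are assumed to be on comparable scales already.

```python
import math

def centroid_distance(v, rows):
    """A(V, C) as a distance: Euclidean distance from v to the column mean of rows."""
    mean = [sum(r[k] for r in rows) / len(rows) for k in range(len(v))]
    return math.sqrt(sum((a - m) ** 2 for a, m in zip(v, mean)))

def centroid_similarity(v, rows):
    """A(V, C) as a similarity in (0, 1]: higher means more consistent."""
    return 1.0 / (1.0 + centroid_distance(v, rows))

def p_value(v, C, A=centroid_distance, kind="distance"):
    """Steps 3.2-3.3: leave-one-out scores over C' = C + [V], then M / (N + 1)."""
    ext = [list(r) for r in C] + [list(v)]      # V becomes the last row of C'
    scores = [A(ext[i], ext[:i] + ext[i + 1:]) for i in range(len(ext))]
    s_new = scores[-1]                          # score of V against C
    if kind == "distance":                      # rows at least as far out as V
        m = sum(1 for s in scores if s >= s_new)
    elif kind == "similarity":                  # rows strictly less similar than V
        m = sum(1 for s in scores if s < s_new)
    else:
        raise ValueError("kind must be 'distance' or 'similarity'")
    return m / len(ext)

class OnlineDetector:
    """Step 4: threshold the p-value at eps = 1 - Conf and absorb benign rows."""

    def __init__(self, normal_rows, conf, A=centroid_distance,
                 kind="distance", learn=True):
        if not normal_rows:
            raise ValueError("need at least one known-normal feature vector")
        if not 0.0 < conf < 1.0:
            raise ValueError("conf must be strictly between 0 and 1")
        self.C = [list(r) for r in normal_rows]  # normal-behavior feature matrix
        self.eps = 1.0 - conf                    # step 4.2
        self.A, self.kind, self.learn = A, kind, learn

    def observe(self, v):
        """Return (malicious, p). A benign vector is appended to C (step 4.4)."""
        if len(v) != len(self.C[0]):
            raise ValueError("feature vector has the wrong number of features")
        p = p_value(v, self.C, self.A, self.kind)
        malicious = p <= self.eps                # step 4.3
        if self.learn and not malicious:
            self.C.append(list(v))
        return malicious, p

# Constructed sample data: (mean flow duration in s, mean KB sent) per behavior.
BASELINE = [(float(x), x / 2.0) for x in range(10, 31)]   # 21 known-normal rows
DRIFT = [(27.0, 13.5)] * 5     # a new habit, still inside the old range
PROBE = (29.5, 14.75)          # behavior seen after the habit has formed

def drift_demo():
    """Judge PROBE with a frozen matrix and with one that absorbed DRIFT."""
    static = OnlineDetector(BASELINE, conf=0.8, learn=False)
    online = OnlineDetector(BASELINE, conf=0.8)
    for v in DRIFT:
        online.observe(v)
    return static.observe(PROBE), online.observe(PROBE)

if __name__ == "__main__":
    (old_verdict, old_p), (new_verdict, new_p) = drift_demo()
    print(f"frozen matrix : malicious={old_verdict} p={old_p:.4f}")
    print(f"online matrix : malicious={new_verdict} p={new_p:.4f}")
```

Each call to `observe` recomputes all N+1 leave-one-out scores, so the cost per detection grows with the size of the absorbed matrix.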
Advantages and positive effects of the invention:
Faced with the continuous change of malicious network behavior and the degradation of detection models based on machine learning, the invention proposes a malicious network behavior detection model with real-time online learning. The advantages and positive effects of the method lie in real-time online learning: there is no need to wait until the detection model has degraded before updating the model and recalculating thresholds. The user's normal behavior is absorbed into the normal behavior feature matrix in real time, the feature matrix is updated every time a normal behavior is found, and malicious network behavior is detected within the maximum error probability acceptable to the user.
[Description of the drawings]:
Fig. 1 is the flow chart of the method for detecting malicious network behavior with real-time online learning.
Fig. 2 shows a network behavior whose representation granularity is the trace.
Fig. 3 is network behavior sample S1.
Fig. 4 is the "time interval" feature.
Fig. 5 is the "duration" feature.
Fig. 6 is the "bytes sent" feature.
Fig. 7 is the "bytes received" feature.
Fig. 8 is the "fft" feature.
[Specific embodiment]:
1, the user's historical normal behavior and malicious network behavior
1.1, the public data set CTU-13 (http://mcfp.weebly.com/the-ctu-13-dataset-a-labeled-dataset-with-botnet-normal-and-background-traffic.html) contains data collected in 13 real environments in total, each monitored environment executing a different piece of malware. The collected data contain a large amount of normal user data and a small amount of malicious data, and the representation granularity of the data in CTU-13 is Netflow. The user's historical normal behavior and the malicious network behavior for this experiment are chosen from it.
2, extraction of network behavior features
2.1, the representation granularity of network behavior is set to application-level granularity. The Netflow data from 1.1 are aggregated into traces, one level higher, and the traces of 100 normal user network behaviors are chosen to form the set B. The trace format is shown in Fig. 2 (taking one of them as an example). One of the remaining traces is chosen as the network behavior sample S1, as shown in Fig. 3; all the data in the figure represent one network behavior.
2.2, five different network behavior features f are selected: the average duration, the average time interval, the average number of bytes sent, the average number of bytes received and the fft value.
2.3, the features are extracted, using the 5 selected network behavior features as the abstract representation of the network behavior. After calculation, sample S1 is mapped to the feature vector V, V(f1, f2, ..., f5) = (159.1333, 8.648573, 1443.438, 8294.438, 2388).
2.4, each network behavior in the normal network behavior set B is represented by a feature vector of the same structure as in step 2.3, and these feature vectors of identical structure are combined into the feature matrix C. After calculation, C=
The distribution of the normal network behavior set over the five features is shown in Fig. 4 to Fig. 8.
3, measuring the consistency between the network behavior and the user's normal behavior
3.1, the metric function of BotFinder (http://www.cs.ucsb.edu/~vigna//publications/2012_CoNEXT_BotFinder.pdf) is selected as the inconsistency metric function A(V, C). Because BotFinder calculates the degree of similarity between a vector and a matrix, the inconsistency score s it returns is in fact a similarity score: the higher the score, the more consistent; the lower the score, the more inconsistent.
3.2, the inconsistency scores of the network behavior feature vector V and of the vectors in the normal network behavior feature matrix C are calculated. The feature vector V under test is placed into the normal network behavior matrix C as its last vector, forming a new matrix C'. Each feature vector V_i (i = 1, 2, ..., 100, 101) is taken out of C' in turn, and the inconsistency function is used to calculate the inconsistency score s_i between V_i and the matrix that remains after V_i is removed. In the end an inconsistency score has been calculated for all N+1 vectors. After calculation, s_i = (0.3353, 0.4706, 0.1579, 0.2291, 0.1741, 0.2707, 0.2651, 0.2485, 0.1998, 0.1922, 0.1309, 0.3786, 0.2053, 0.8115, 0.4625, ..., 0.551, 0.1699, 0.3368, 0.2438, 0.1254, 0.2248, 0.3103, 0.2739, 0.162, 0.9564, 1.0372, 0.2953, 0.2772).
3.3, the p-value statistic of the network behavior feature vector V relative to the normal behavior feature matrix C is calculated. In the calculation of step 3.2, the inconsistency score of the feature vector V and the feature matrix C is s101 = 0.2772. Because BotFinder is a similarity function and returns similarity scores, the number of feature vectors whose score is less than s20 is counted; the number is 97. The p-value statistic of the vector V relative to the feature matrix is p-value = 97/101 = 0.9604.
4, detection of malicious network behavior with real-time online learning
4.1, assume the user gives an acceptable confidence level Conf = 80%.
4.2, the maximum acceptable error rate is calculated as ε = 1 - Conf = 0.2.
4.3, the p-value of the network behavior feature vector V with respect to the user's normal behavior feature matrix C is 0.9604, which is greater than ε = 0.2, so with confidence Conf = 80% the network behavior is considered not to be malicious.
4.4, the feature vector V = (159.1333, 8.648573, 1443.438, 8294.438, 2388) of the network behavior is automatically absorbed into the user's normal behavior feature matrix C, and C is updated.
5, detection after the next unknown network behavior is found
5.1, the newest user normal behavior feature matrix C is used as the input to the p-value calculation for V', and the above process is repeated. For example, suppose the feature vector of the next unknown network behavior found is V = (1159.092, 0.028872, 74.7, 357, 336.5161). Following the above process, the p-value calculated with the new matrix C is 50/102 = 0.49020, and the p-value calculated with the old matrix is 51/101 = 0.50495.
5.2, the results above show that absorbing new normal user behavior into the model yields a score different from before. If the confidence level set by the user is 50%, detection based on the old matrix, which has no real-time online learning ability, would report the behavior as malicious, whereas detection based on the new matrix, which has learned the new normal behavior, would report it as normal. Learning the user's normal behavior accurately and in real time in this way improves the accuracy of detection.

Claims (3)

1. A method for detecting malicious network behavior with real-time online learning, characterized in that the method comprises the following steps:
Step 1, basic concepts:
(1) Malicious network behavior: malicious network behavior refers to behavior that uses data packets as its carrier and that, without clearly notifying the user or without the user's permission, is carried out over the network against the user's computer or other terminals and infringes the user's legitimate rights and interests;
(2) Inconsistency function: describes the inconsistency between one sample and a group of samples; its input is a group of samples and one test sample, and its output is a numerical value, also called the inconsistency score; the inconsistency scores of different samples against the same group of samples can be compared: the higher the score, the more inconsistent the sample is with the group, and the lower the score, the more consistent it is;
(3) p-value statistic: describes the percentile of one sample's inconsistency score within a group of samples; its value lies between 0 and 1 and characterizes, from a statistical point of view, the similarity between one sample and a group of samples;
Step 2, extraction of network behavior features
2.1 Determine the representation granularity of a network behavior, including: packet-level granularity, where each data packet represents one network behavior; NetFlow-level granularity, where all the network data of one network connection represents one network behavior; and application-level granularity, where all the data packets of one application process represent one network behavior;
2.2 Extract the features f of the network behavior; different network behavior features f can be chosen for different data sets;
2.3 Select features and abstract the network behavior into a feature vector V; from the available network behavior features, n features are selected to form the feature vector V(f1, f2, ..., fn), the selected features serving as the abstract representation of the network behavior and mapping the binary network data to a feature vector made up of those features;
2.4 Represent the user's normal behavior set as a feature matrix; the user's normal behavior set contains N behaviors, each represented by a feature vector V_i of the same structure, 1 ≤ i ≤ N, and these N feature vectors form the user's normal behavior feature matrix C; each column of the feature matrix represents one feature, and each row represents the feature vector of one network behavior;
Step 3, measuring the consistency between a network behavior and the user's normal behavior
3.1 Determine the inconsistency metric function A(V, C); its input is the network behavior feature vector V and the user's normal behavior feature matrix C, and its return value is the inconsistency score s of V and C; the inconsistency metric function A is any function that can express inconsistency;
3.2 Calculate the inconsistency scores of the network behavior feature vector V and of the vectors in the user's normal behavior feature matrix C; the feature vector V under test is placed into the matrix C as its last vector, forming a new matrix C'; each feature vector V_i, 1 ≤ i ≤ N+1, is taken out of C' in turn, and the inconsistency metric function is used to calculate the inconsistency score s_i between V_i and the matrix that remains after V_i is removed; in the end an inconsistency score has been calculated for all N+1 vectors, and the inconsistency score of the feature vector V and the feature matrix C is s_{N+1};
3.3 Calculate the p-value statistic of the network behavior feature vector V relative to the user's normal behavior feature matrix C; in the calculation of step 3.2, the inconsistency score of V and C is s_{N+1}; when the inconsistency metric function is a distance function, the inconsistency score represents the distance between V and C, and the number of feature vectors whose inconsistency score is greater than or equal to s_{N+1} is counted, M = |{j : s_j ≥ s_{N+1}}|; when the inconsistency metric function is a similarity function, the inconsistency score represents the degree of similarity between V and C, and the number of feature vectors whose inconsistency score is less than s_{N+1} is counted, M = |{j : s_j < s_{N+1}}|; the p-value statistic of V relative to C is p-value = M/(N+1);
Step 4, detection of malicious network behavior with real-time online learning
4.1 The user gives an acceptable confidence level Conf; the user only accepts detection results whose accuracy is above Conf;
4.2 The maximum acceptable error rate is calculated as ε = 1 - Conf;
4.3 If the p-value of the network behavior feature vector V with respect to the user's normal behavior feature matrix C is less than or equal to ε, then with confidence Conf the network behavior is judged to be malicious network behavior;
4.4 If the detection result judges that the network behavior is not malicious, the feature vector V of the network behavior is automatically absorbed into the user's normal behavior feature matrix C, producing an updated user normal behavior feature matrix; the original feature matrix expires, and subsequent detections no longer use the original matrix but the newest matrix;
4.5 The above process is repeated for each newly discovered unknown network behavior; if the result is malicious behavior, it is given special handling, and if the result is normal behavior, it is absorbed into the user's normal behavior set; the user's normal behavior set thus keeps absorbing new normal behavior during detection, is gradually updated, and reflects the newest normal behavior pattern; the detection of each unknown behavior is likewise based on the newest normal behavior set, so the degradation problem of traditional detection models does not arise, which improves the precision of malicious network behavior detection.
2. The method according to claim 1, characterized in that the network behavior features f include: the time-related timestamp, duration, interval time, period and frequency; the volume-related number of packets sent, number of packets received, number of bytes sent, number of bytes received and data entropy; the protocol-related TCP, UDP, HTTP, DNS and SSH; and the topology-related source IP address, destination IP address, source port number, destination port number, distribution of port numbers and entropy of the port number set.
3. The method according to claim 1, characterized in that the inconsistency metric function is a distance function, which calculates the distance between the feature vector V and the user's normal behavior feature matrix C as the inconsistency score; or a similarity function, which calculates the degree of similarity between the feature vector V and the user's normal behavior feature matrix C as the inconsistency score.
CN201710110112.6A 2017-02-28 2017-02-28 The network malicious act detection method of real-time online study Active CN106850658B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710110112.6A CN106850658B (en) 2017-02-28 2017-02-28 The network malicious act detection method of real-time online study

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710110112.6A CN106850658B (en) 2017-02-28 2017-02-28 The network malicious act detection method of real-time online study

Publications (2)

Publication Number Publication Date
CN106850658A CN106850658A (en) 2017-06-13
CN106850658B true CN106850658B (en) 2019-12-03

Family

ID=59134063

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710110112.6A Active CN106850658B (en) 2017-02-28 2017-02-28 The network malicious act detection method of real-time online study

Country Status (1)

Country Link
CN (1) CN106850658B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196953B (en) * 2017-06-14 2020-05-08 上海境领信息科技有限公司 Abnormal behavior detection method based on user behavior analysis
CN108629183B (en) * 2018-05-14 2021-07-20 南开大学 Multi-model malicious code detection method based on credibility probability interval
CN109033836B (en) * 2018-07-24 2021-07-20 南开大学 Statistical learning-based multi-model cross detection method for malicious codes
CN110011990B (en) * 2019-03-22 2022-03-04 南开大学 Intelligent analysis method for intranet security threats

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1731310A (en) * 2005-08-04 2006-02-08 西安交通大学 Intrusion detection method for host under Windows environment
CN103914652A (en) * 2013-01-09 2014-07-09 腾讯科技(深圳)有限公司 Malice program control instruction recognition method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7953814B1 (en) * 2005-02-28 2011-05-31 Mcafee, Inc. Stopping and remediating outbound messaging abuse

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Online Behavior Classification for Anomaly Detection in Self-X Real-Time Systems;Franz Rammig 等;《2014 IEEE 17th International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing》;20140918;全文 *
基于行为特征的恶意程序动态分析与检测方法研究;曹莹;《中国博士学位论文全文数据库 信息科技辑》;20160315;全文 *

Also Published As

Publication number Publication date
CN106850658A (en) 2017-06-13

Similar Documents

Publication Publication Date Title
CN106850658B (en) The network malicious act detection method of real-time online study
CN106657160B (en) Network malicious act detection method towards big flow based on confidence level
CN105429977B (en) Deep packet inspection device abnormal flow monitoring method based on comentropy measurement
CN106878314B (en) Network malicious behavior detection method based on credibility
US9781427B2 (en) Methods and systems for estimating entropy
CN102035698B (en) HTTP tunnel detection method based on decision tree classification algorithm
US8352393B2 (en) Method and system for evaluating tests used in operating system fingerprinting
Mahmood et al. Critical infrastructure protection: Resource efficient sampling to improve detection of less frequent patterns in network traffic
CN106209861B (en) One kind being based on broad sense Jie Kade similarity factor Web application layer ddos attack detection method and device
CN111478904B (en) Method and device for detecting communication anomaly of Internet of things equipment based on concept drift
CN107493277A (en) The online method for detecting abnormality of big data platform based on maximum information coefficient
CN108900513B (en) DDOS effect evaluation method based on BP neural network
CN110351291A (en) Ddos attack detection method and device based on multiple dimensioned convolutional neural networks
CN106330611A (en) Anonymous protocol classification method based on statistical feature classification
CN107391373A (en) Automatic performance method of testing based on AutoIT
CN107733886A (en) The application layer ddos attack detection method that a kind of logic-based returns
CN105227689A (en) Based on the Target IP location algorithm of local time delay distribution similarity tolerance
CN109359234B (en) Multi-dimensional network security event grading device
CN108683564A (en) A kind of network (WSN) emulation system credibility evaluation method based on Multidimensional decision-making attribute
CN110933080A (en) IP group identification method and device for user login abnormity
CN116760649B (en) Data security protection and early warning method based on big data
CN110995770B (en) Fuzzy test application effect comparison method
Yan et al. Detect and identify DDoS attacks from flash crowd based on self-similarity and Renyi entropy
CN111310796A (en) Web user click identification method facing encrypted network flow
Ádám et al. Methods of the data mining and machine learning in computer security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant