CN106878314A - Network malicious act detection method based on confidence level - Google Patents

Network malicious act detection method based on confidence level

Info

Publication number: CN106878314A
Authority: CN (China)
Application number: CN201710110103.7A
Other languages: Chinese (zh)
Other versions: CN106878314B (en)
Inventors: 王志, 田美琦, 秦枚林, 贾春福
Current Assignee: Tianjin Yunan Technology Development Co Ltd, Nankai University
Original Assignee: Tianjin Yunan Technology Development Co Ltd, Nankai University
Legal status: Granted, Active
Prior art keywords: network, malicious act, characteristic vector, inconsistency, eigenmatrix

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

A confidence-based method for detecting malicious network behavior. Instead of setting a fixed threshold, the invention analyzes the confidence of a network behavior in order to detect malicious network behavior. First, features of malicious network data are extracted, for example timestamps, the number of packets sent and the frequency of data transmission, converting binary network data into feature vectors. The feature vectors of a large amount of malicious network data form a feature matrix. Next, an inconsistency measure function is chosen, the inconsistency between each feature vector in the feature matrix and the matrix is computed, and the statistic p-value of each feature vector is calculated from the results. Finally, the maximum error probability acceptable to the user is calculated from the confidence level the user sets. When an unknown network behavior is found, its p-value with respect to the malicious network behavior matrix is calculated; if the p-value is greater than the maximum error probability acceptable to the user, the network behavior is reported as malicious.

Description

Network malicious act detection method based on confidence level
Technical field
The invention belongs to the field of computer anti-virus technology.
Background
The amount of malicious code on the network is growing explosively: AV-Test statistics show that in 2015 the number of newly discovered malicious samples per day already exceeded 300,000 on average. Faced with this volume of malicious samples, machine learning has become the mainstream technology in the field of malicious behavior detection. Attackers, however, keep upgrading their malicious behavior to evade detection. Current machine learning models suffer from degradation: a fixed threshold gives a high detection rate at the initial stage, but as attack and evasion techniques improve and change, the detection rate keeps degrading. A detection method is therefore needed that does not require a fixed threshold and can give analysis results according to the error probability the user can accept, so as to cope with the continuous variation of malicious behavior.
Summary of the invention
The purpose of the invention is to solve the problem in the prior art that the discrimination of detection models degrades rapidly over time, by providing a confidence-based method for detecting malicious network behavior. Without setting a fixed threshold, the method detects malicious network behavior by statistically analyzing the confidence of a network behavior according to the error probability acceptable to the user.
Technical solution
The confidence-based method for detecting malicious network behavior comprises the following steps:
Step 1. Basic concepts of the invention:
(1) Malicious network behavior: in this invention, a malicious behavior that uses data packets as its carrier and is carried out over the network against a user's computer or other terminal, without explicitly prompting the user or without the user's permission, and that infringes the user's legitimate rights and interests. A collection of a large number of malicious network behaviors forms the malicious network behavior set.
(2) Inconsistency measure function: describes the inconsistency between one test sample and a group of samples. The input is a group of samples and one test sample; the output is a numerical value, also called the inconsistency score. The inconsistency scores of different test samples against the same group of samples can be compared with each other. The higher the score, the more inconsistent the sample is with the group; the lower the score, the more consistent it is.
(3) Statistic p-value: describes the percentile of one sample's inconsistency score within a group of samples. Its value ranges from 0 to 1, and it characterizes the similarity between a sample and a group of samples from a statistical point of view.
Step 2. Extraction of network behavior features
2.1 Determine the granularity at which network behavior is represented. The options are: packet-level granularity, where each packet represents one network behavior; NetFlow-level granularity, where all the network data of one network connection represent one network behavior; and application-level granularity, where all the packets of one application process represent one network behavior.
2.2 Select the feature points f of the network behavior. Different feature points f can be selected for different data sets. For example, time-related feature points include timestamp, duration, interval time, period and frequency, etc.; volume-related feature points include number of packets sent, number of packets received, number of bytes sent, number of bytes received and data entropy, etc.; protocol-related feature points include TCP, UDP, HTTP, DNS and SSH, etc.; topology-related feature points include source IP address, destination IP address, source port number, destination port number, the distribution of port numbers and the entropy of the port number set, etc.
2.3 Extract the feature points and abstract the network behavior into a feature vector V. From the available network behavior feature points, select n feature points to form the feature vector V(f1, f2, ..., fn). The n selected feature points serve as the abstract representation of the network behavior, and the binary network data is mapped to the feature vector V(f1, f2, ..., fn) composed of these feature points.
2.4 Represent the malicious network behavior set as a feature matrix. The set contains N malicious network behaviors, each represented by a feature vector with the same structure as in step 2.3; these identically structured feature vectors are combined into the malicious network behavior feature matrix C. Each column of the feature matrix represents one feature point, and each row is the feature vector of one malicious network behavior.
Step 3. Measuring the consistency between a network behavior and malicious network behavior
3.1 Determine the inconsistency measure function A(V, C). Its inputs are the network behavior feature vector V and the malicious network behavior feature matrix C, and its return value is the inconsistency score s of V and C. A can be any function that can express inconsistency, such as a common distance function that computes the distance between the feature vector V and the feature matrix C as the inconsistency score.
3.2 Compute the inconsistency scores of the network behavior feature vector V and of the vectors in the malicious network behavior feature matrix C. The feature vector V under test is appended to C as the last vector, forming a new feature matrix C'. Each feature vector V_i is taken out of C' in turn, and the inconsistency measure function is used to compute the inconsistency score s_i (i = 1, 2, ..., n+1) between V_i and the feature matrix that remains after V_i is taken out. In the end, an inconsistency score has been computed for all N+1 vectors.
3.3 Compute the statistic p-value of the network behavior feature vector V relative to the malicious network behavior feature matrix C. In the calculation of step 3.2, the inconsistency score of V against C is s_{n+1}. Count the number of feature vectors whose inconsistency score is greater than or equal to s_{n+1} and divide by the total number of vectors, N+1, to obtain the p-value of V relative to C.
Step 4. Confidence-based detection of malicious network behavior
4.1 The user provides an acceptable confidence level Conf; the user only accepts detection results whose accuracy is above Conf.
4.2 Calculate the acceptable maximum error rate 1-Conf.
4.3 If the p-value of the network behavior feature vector V is greater than or equal to 1-Conf, predict that the network behavior is malicious network behavior, with confidence Conf; otherwise, report that the network behavior is not malicious.
Advantages and positive effects of the invention:
The invention does not need a fixed detection threshold; the user only has to input the acceptable detection accuracy or the highest acceptable detection error rate. Based on the statistical regularities of the malicious behavior feature matrix and of the feature vector under test, the method gives a prediction that meets the user's confidence requirement, which effectively alleviates detection model degradation and copes better with the variation and evolution of malicious network behavior.
【Brief description of the drawings】
Fig. 1 is a flow chart of the confidence-based malicious network behavior detection method.
Fig. 2 shows NetFlow-level behavior data of the Rbot botnet.
Fig. 3 shows the "average duration" feature.
Fig. 4 shows the "average time interval" feature.
Fig. 5 shows the "average number of bytes sent" feature.
Fig. 6 shows the "average number of bytes received" feature.
Fig. 7 shows the "fft value" feature.
【Specific embodiment】
The invention is described in detail using botnet detection as an example.
1. Malicious network behavior
1.1 The public data set CTU-13 (http://mcfp.weebly.com/the-ctu-13-dataset-a-labeled-dataset-with-botnet-normal-and-background-traffic.html) contains data collected in 13 real environments, with different malware executed in each monitored environment. Malware of the RBot family is currently the most active bot software and can cause various malicious behaviors such as IRC attacks and DDoS. This experiment uses 20 malicious network behavior records collected in an environment where malware of the Rbot botnet family was executed and the number of infected hosts was 10.
2. Extraction of network behavior features
2.1 One of the malicious network behaviors from 1.1 is selected at random as the network behavior sample S. The data of S are shown in Fig. 2. Network behavior is represented at NetFlow-level granularity.
2.2 Based on the data set, five different network behavior feature points f are selected: average duration, average time interval, average number of bytes sent, average number of bytes received, and fft value.
2.3 Extract the selected feature points. The 5 selected network behavior feature points serve as the abstract representation of the network behavior, and the binary network data is mapped to the feature vector V composed of these feature points. After calculation, V(f1, f2, ..., f5) = (580.5, 409.293106, 58070449.67, 0, 105.6363636).
2.4 The remaining 19 malicious network behaviors form the malicious network behavior set, so N = 19. Each malicious network behavior is represented by a feature vector with the same structure as in step 2.3, and these identically structured feature vectors are combined into the feature matrix C. After calculation, C =
The distribution of the malicious network behaviors over the five features is shown in Figs. 3 to 7.
3. Measuring the consistency between a network behavior and malicious network behavior
3.1 The metric function of BotFinder (http://www.cs.ucsb.edu/~vigna//publications/2012_CoNEXT_BotFinder.pdf) is selected as the inconsistency measure function A(V, C), with the network behavior feature vector V from 2.3 and the malicious network behavior feature matrix C from 2.4 as inputs. Because BotFinder computes the degree of similarity between a vector and a matrix, the inconsistency score s it returns is actually a similarity score: the higher the score, the more consistent; the lower the score, the more inconsistent.
3.2 Compute the inconsistency scores of the network behavior feature vector V and of the vectors in the malicious network behavior feature matrix C. The feature vector V under test is appended to C as the last vector, forming a new feature matrix C'. After calculation, C' =
Each feature vector V_i is taken out of C' in turn, and the inconsistency function is used to compute the inconsistency score s_i (i = 1, 2, ..., 20) between V_i and the feature matrix that remains after V_i is taken out. After calculation, (s1, s2, ..., s20) = (1.3151, 2.1346, 1.3221, 2.1347, 1.8376, 2.1346, 1.3462, 2.1345, 1.3589, 2.1346, 1.3585, 2.1346, 1.3342, 2.1346, 1.3307, 2.1346, 1.8228, 2.1346, 1.1014, 2.0066).
3.3 Compute the statistic p-value of the network behavior feature vector V relative to the malicious network behavior feature matrix C. In the calculation of step 3.2, the inconsistency score of V against C is s20 = 2.0066. Because BotFinder returns a similarity score, what is counted is the number of feature vectors whose score is less than or equal to s20; that number is 10. Dividing by the total number of vectors, 20, gives a p-value of 0.5 for V relative to C.
4. Confidence-based detection of malicious network behavior
4.1 Assume the user provides an acceptable confidence level Conf of 80%.
4.2 The acceptable maximum error rate is 1-Conf = 0.2.
4.3 Because the p-value of the network behavior feature vector V is greater than or equal to the value of 1-Conf from 4.2, the network behavior is predicted to be malicious network behavior, and the confidence of this prediction is 80%.
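Steps 3.1 to 4.3 of the method as a runnable Python sketch. This is an added example, not code from the patent: the standardized-distance measure, the function names and the flow values are constructed for illustration (the method allows any inconsistency function), and the `higher_is_consistent` flag covers similarity-type measures such as the one chosen in the embodiment.

```python
import math


def inconsistency(v, rows):
    """A(V, C): standardized Euclidean distance from v to the centroid of rows.

    Assumed measure for this sketch; the method allows any inconsistency function.
    """
    n = len(rows)
    total = 0.0
    for x, col in zip(v, zip(*rows)):
        mean = sum(col) / n
        std = math.sqrt(sum((c - mean) ** 2 for c in col) / n)
        total += ((x - mean) / (std or 1.0)) ** 2  # constant column: scale by 1
    return math.sqrt(total)


def leave_one_out_scores(v, c, measure=inconsistency):
    """Step 3.2: append V to C to form C', then score each row against C' without it."""
    c_prime = [tuple(r) for r in c] + [tuple(v)]
    return [measure(row, c_prime[:i] + c_prime[i + 1:])
            for i, row in enumerate(c_prime)]


def p_value(scores, higher_is_consistent=False):
    """Step 3.3: share of the N+1 scores at least as inconsistent as the last one."""
    s_test = scores[-1]
    if higher_is_consistent:  # similarity-type measure: count scores <= s_test
        hits = sum(1 for s in scores if s <= s_test)
    else:                     # inconsistency-type measure: count scores >= s_test
        hits = sum(1 for s in scores if s >= s_test)
    return hits / len(scores)


def decide(p, conf):
    """Steps 4.2 and 4.3: malicious when p >= 1 - Conf."""
    if not 0.0 < conf < 1.0:
        raise ValueError("conf must be strictly between 0 and 1")
    max_error = 1.0 - conf
    # isclose guards the boundary case, e.g. 1 - 0.95 is slightly above 0.05 in floats
    return p >= max_error or math.isclose(p, max_error)


def detect(v, c, conf, measure=inconsistency, higher_is_consistent=False):
    """Return (is_malicious, p_value) for feature vector v against feature matrix c."""
    if len(c) < 2 or any(len(r) != len(v) for r in c):
        raise ValueError("c needs at least two rows with the same structure as v")
    p = p_value(leave_one_out_scores(v, c, measure), higher_is_consistent)
    return decide(p, conf), p


# Constructed sample data (not from CTU-13). Columns: average duration,
# average time interval, average bytes sent, average bytes received, fft value.
MALICIOUS_FLOWS = [
    (560.0, 420.0, 5000.0, 0.0, 100.0),
    (570.0, 380.0, 5400.0, 0.0, 104.0),
    (580.0, 410.0, 4600.0, 0.0, 96.0),
    (590.0, 390.0, 5200.0, 0.0, 102.0),
    (600.0, 405.0, 4800.0, 0.0, 98.0),
    (610.0, 395.0, 5300.0, 0.0, 101.0),
    (620.0, 415.0, 4700.0, 0.0, 99.0),
    (630.0, 385.0, 5100.0, 0.0, 103.0),
    (640.0, 400.0, 4900.0, 0.0, 97.0),
]
SIMILAR_FLOW = (605.0, 398.0, 5050.0, 0.0, 100.5)    # resembles the reference set
UNRELATED_FLOW = (5.0, 30000.0, 120.0, 800.0, 3.0)   # does not resemble it

if __name__ == "__main__":
    for name, flow in (("similar", SIMILAR_FLOW), ("unrelated", UNRELATED_FLOW)):
        malicious, p = detect(flow, MALICIOUS_FLOWS, conf=0.8)
        print(f"{name}: p-value={p:.2f} malicious={malicious}")
```

Because the smallest attainable p-value is 1/(N+1), a Conf at or above 1 - 1/(N+1) makes the rule in step 4.3 report every input as malicious, so the reference set has to be large relative to the chosen confidence level.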

Claims (3)

1. A confidence-based method for detecting malicious network behavior, characterized in that the method comprises the following steps:
Step 1. Basic concepts:
(1) Malicious network behavior: a malicious behavior that uses data packets as its carrier and is carried out over the network against a user's computer or other terminal, without explicitly prompting the user or without the user's permission, and that infringes the user's legitimate rights and interests; a collection of a large number of malicious network behaviors forms the malicious network behavior set;
(2) Inconsistency measure function: describes the inconsistency between one sample and a group of samples; the input is a group of samples and one test sample, and the output is a numerical value, also called the inconsistency score; the higher the score, the more inconsistent the sample is with the group, and the lower the score, the more consistent it is;
(3) Statistic p-value: describes the percentile of one sample's inconsistency score within a group of samples; its value ranges from 0 to 1, and it characterizes the similarity between a sample and a group of samples from a statistical point of view;
Step 2. Extraction of network behavior features
2.1 Determine the granularity at which network behavior is represented, including packet-level granularity, NetFlow-level granularity and application-level granularity;
Packet-level granularity: each packet represents one network behavior; NetFlow-level granularity: all the network data of one network connection represent one network behavior; application-level granularity: all the packets of one application process represent one network behavior;
2.2 Select the feature points f of the network behavior; different network behavior feature points f are selected for different data sets;
2.3 Extract the feature points and abstract the network behavior into a feature vector V; from the available network behavior feature points, select n feature points to form the feature vector V(f1, f2, ..., fn); the n selected feature points serve as the abstract representation of the network behavior, and the binary network data is mapped to the feature vector V(f1, f2, ..., fn) composed of these feature points;
2.4 Represent the malicious network behavior set as a feature matrix; the set contains N malicious network behaviors, each represented by a feature vector with the same structure as in step 2.3, and these identically structured feature vectors are combined into the malicious network behavior feature matrix C; each column of the feature matrix represents one feature point, and each row is the feature vector of one malicious network behavior;
Step 3. Measuring the consistency between a network behavior and malicious network behavior
3.1 Determine the inconsistency measure function A(V, C); its inputs are the network behavior feature vector V and the malicious network behavior feature matrix C, and its return value is the inconsistency score s of V and C; the inconsistency measure function A is any function that can express inconsistency;
3.2 Compute the inconsistency scores of the network behavior feature vector V and of the vectors in the malicious network behavior feature matrix C; the feature vector V under test is appended to C as the last vector, forming a new feature matrix C'; each feature vector V_i is taken out of C' in turn, and the inconsistency measure function is used to compute the inconsistency score s_i between V_i and the feature matrix that remains after V_i is taken out, i = 1, 2, ..., n+1; in the end, an inconsistency score has been computed for all N+1 vectors;
3.3 Compute the statistic p-value of the network behavior feature vector V relative to the malicious network behavior feature matrix C; in the calculation of step 3.2, the inconsistency score of V against C is s_{n+1}; count the number of feature vectors whose inconsistency score is greater than or equal to s_{n+1} and divide by the total number of vectors, N+1, to obtain the p-value of V relative to C;
Step 4. Confidence-based detection of malicious network behavior
4.1 The user provides an acceptable confidence level Conf; the user only accepts detection results whose accuracy is above Conf;
4.2 Calculate the acceptable maximum error rate 1-Conf;
4.3 If the p-value of the network behavior feature vector V is greater than or equal to 1-Conf, predict that the network behavior is malicious network behavior, with confidence Conf; otherwise, report that the network behavior is not malicious.
2. The method according to claim 1, characterized in that selecting different network behavior feature points f for different data sets, as described in step 2.2, means:
Time-related feature points include timestamp, duration, interval time, period and frequency; volume-related feature points include number of packets sent, number of packets received, number of bytes sent, number of bytes received and data entropy; protocol-related feature points include TCP, UDP, HTTP, DNS and SSH; topology-related feature points include source IP address, destination IP address, source port number, destination port number, the distribution of port numbers and the entropy of the port number set.
3. The method according to claim 1, characterized in that the inconsistency measure function A(V, C) described in step 3.1 is a distance function, and the distance between the network behavior feature vector V and the malicious network behavior feature matrix C is computed as the inconsistency score.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710110103.7A 2017-02-28 2017-02-28 Network malicious behavior detection method based on credibility (Active, CN106878314B (en))

Publications (2)

Publication Number Publication Date
CN106878314A 2017-06-20
CN106878314B 2019-12-10

Family ID: 59168673

Country Status (1)

Country Link
CN (1) CN106878314B (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant