CN108040053A - A network security threat analysis method and system based on DNS log data - Google Patents


Info

Publication number: CN108040053A
Application number: CN201711332857.3A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 曾毅, 喻波, 王志海, 董爱华, 安鹏
Original and current assignee: Beijing Wondersoft Technology Co Ltd
Priority date and filing date: 2017-12-13
Publication date: 2018-05-15

Classifications

    • H04L61/4511 Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
    • H04L63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a network security threat analysis method and system based on DNS logs. The method comprises the following steps: mirrored network traffic data are collected and the collected DNS request data are normalized; the normalized DNS data are used as input documents, an LDA analysis model is trained on a large number of input documents until a convergent result is obtained, the trained LDA analysis model is saved, and an alarm threshold is set; newly collected DNS request data are analyzed with the LDA analysis model to obtain a score; when the score is judged to be below the alarm threshold, the newly collected DNS data are determined to be suspicious DNS request data, displayed on the front-end page, and an alarm is raised to the user. The technical solution improves the efficiency of data analysis and makes it easy for the user to locate the problem.

Description

A network security threat analysis method and system based on DNS log data
Technical field
The present invention relates to the field of data security, and in particular to a network security threat analysis method and system based on DNS logs.
Background art
DNS is an infrastructure service of the network. By monitoring the DNS servers in a network, information about the domain name requests initiated by users can be obtained, which has many applications in network security.
Machine learning LDA models, used together with supervised and unsupervised machine learning techniques, perform anomalous event detection in order to identify network weaknesses.
With the rapid development of information technology, Internet technology has advanced enormously and has profoundly influenced people's production and daily life. While network technology brings convenience to people's work, study and life, it also faces huge challenges: the network environment is complex, and abnormal traffic and malicious attacks of various forms fill the network, degrading network performance and affecting the normal provision of network services.
Given the current network security situation, it is urgent to establish a detection model that can quickly and efficiently identify and analyze abnormal network traffic, so as to protect the network environment and lay a foundation of trust for people's safe use of network applications.
In the prior art there exists an anomaly-based Network Intrusion Detection System (A-NIDS). As shown in Fig. 1, the A-NIDS framework mainly comprises three phases:
1. Parameterization phase: the system formats or pre-processes the collected information in a predetermined manner.
2. Training phase: the system classifies behavior according to the characteristics of normal activity and then builds the corresponding model.
3. Detection phase: once the system model is trained and usable, it is compared against the obtained traffic data; when a deviation exceeding the given threshold is found, the system issues a warning and generates an inspection report.
Such a scheme mainly has the following shortcomings: analysis efficiency is low, warnings are issued slowly, and the user cannot easily locate the problem quickly.
Summary of the invention
The problems to be solved by the present invention include: the collection and normalization of DNS log data; the building and application of a machine learning LDA analysis model based on Spark; and the map display of attacks from the abnormal traffic analysis results.
To solve the above technical problems, the present invention provides a network security threat analysis method based on DNS logs, characterized in that the method comprises the following steps:
1) collecting mirrored network traffic data and normalizing the collected DNS request data; using the input DNS data as input documents, training an LDA analysis model with a large number of input documents until a convergent result is obtained, saving the trained LDA analysis model, and setting an alarm threshold;
2) analyzing newly collected DNS request data with the LDA analysis model to obtain a score;
3) when the score is judged to be below the alarm threshold, determining that the newly collected DNS data are suspicious DNS request data, displaying them on the front-end page and alerting the user; otherwise proceeding directly to step 4);
4) ending.
In the method of the present invention, preferably, in step 3), after the newly collected DNS data have been determined to be suspicious DNS request data, displayed on the front-end page, and the user has been alerted, the following step is further included:
analyzing the suspicious DNS request data found, finding the source IP address and destination IP address corresponding to the suspicious DNS request data, associating them with the corresponding location information, and displaying them on a map.
In the method of the present invention, preferably, in the LDA analysis model the documents formed from the words produced by processing the DNS request data are taken as the document collection D, the words produced by processing the DNS request data are taken as the document word set W, and the network behavior topics in the DNS request data are taken as the document topic set T.
In the method of the present invention, preferably, the probability with which each word of the DNS request data occurs in the document collection is recorded, and the score of newly collected DNS request data is determined from this probability.
In the method of the present invention, preferably, a word produced by processing the DNS request data is composed of the following parameters:
the domain name string in the DNS request data, the frame length, the request time, the request type, the response code, and the string length of the subdomain name.
To solve the above technical problems, the present invention provides a network security threat analysis system based on DNS logs, characterized in that the system comprises:
an LDA analysis model training module, which collects mirrored network traffic data, normalizes the collected DNS request data, uses the input DNS data as input documents, trains an LDA analysis model with a large number of input documents until a convergent result is obtained, saves the trained LDA analysis model, and sets an alarm threshold;
a DNS data analysis module, which analyzes newly collected DNS request data with the LDA analysis model to obtain a score;
an alarm module, which, when the score is judged to be below the alarm threshold, determines that the newly collected DNS data are suspicious DNS request data, displays them on the front-end page, and alerts the user.
In the system according to the present invention, preferably, the alarm module comprises:
a display submodule, which analyzes the suspicious DNS request data found, finds the source IP address and destination IP address corresponding to the suspicious DNS request data, associates them with the corresponding location information, and displays them on a map.
In the system according to the present invention, preferably, in the LDA analysis model the documents formed from the words produced by processing the DNS request data are taken as the document collection D, the words produced by processing the DNS request data are taken as the document word set W, and the network behavior topics in the DNS request data are taken as the document topic set T.
In the system according to the present invention, preferably, the probability with which each word of the DNS request data occurs in the document collection is recorded, and the score of newly collected DNS request data is determined from this probability.
To solve the above technical problems, the present invention provides a computer-readable storage medium storing computer program instructions, characterized in that, when the computer program instructions are executed, one of the above methods is implemented.
The technical solution of the present invention achieves the following technical effects:
1. Functional extension: the machine learning threat detection method based on DNS log data can quickly find abnormal DNS requests in the network and alert the user in time, improving the efficiency of threat discovery and handling.
2. Real-time operation: analysis based on the LDA analysis model completes at near real-time speed, improving the timeliness of the system's audit and alarm functions.
3. Friendly human-machine interface: the whole attack is shown on a map in an intuitive way using the location information of the IP addresses, so that the user can quickly locate the problem.
Brief description of the drawings
Fig. 1 is the data analysis flowchart of the prior art.
Fig. 2 is the data analysis flowchart of the present invention.
Fig. 3 is the probability calculation matrix diagram of the LDA analysis model of the present invention.
Detailed description of the embodiments
LDA (Latent Dirichlet Allocation) is a document topic generation model, also called a three-layer Bayesian probability model, with the three-level structure of words, topics and documents. "Generative model" means that each word of an article is regarded as obtained by the process "select a topic with a certain probability, then select a word from this topic with a certain probability". Documents over topics follow a multinomial distribution, and topics over words follow a multinomial distribution. [1]
LDA is an unsupervised machine learning technique that can be used to identify the topic information hidden in a large-scale document collection or corpus. It uses the bag-of-words method, which treats each document as a word-frequency vector and thereby converts text information into numerical information that is easy to model. The bag-of-words method does not consider the order between words; this simplifies the problem, but it also leaves room for improving the model. Each document represents a probability distribution over some topics, and each topic represents a probability distribution over many words.
LDA generating process
For each document in the corpus, LDA defines the following generative process:
1. For each word position of the document, draw a topic from the document's topic distribution;
2. draw a word from the word distribution corresponding to the drawn topic;
3. repeat the above until every word of the document has been generated.
Each document in the corpus corresponds to a multinomial distribution over the T topics (T is fixed in advance, by repeated experiment); this multinomial distribution is denoted θ. Each topic corresponds to a multinomial distribution over the V words of the vocabulary; this multinomial distribution is denoted φ. [1]
LDA overall flow
First define some symbols: the document collection D and the topic set T.
Each document d in D is regarded as a word sequence <w1, w2, ..., wn>, where wi is the i-th word and d has n words. (Inside LDA this is called a word bag; the position at which a word appears has no influence on the LDA algorithm.)
All the distinct words occurring in D form a large set VOCABULARY (VOC for short). LDA takes the document collection D as input and aims to train two result vectors (assuming the documents are clustered into k topics and VOC contains m words in total):
For each document d in D, the probabilities θd = <pt1, ..., ptk> of the different topics, where pti is the probability that d corresponds to the i-th topic in T. The computation is intuitive: pti = nti / n, where nti is the number of words in d that correspond to the i-th topic and n is the total number of words in d.
For each topic t in T, the probabilities φt = <pw1, ..., pwm> of generating the various words, where pwi is the probability that t generates the i-th word in VOC. Likewise, pwi = Nwi / N, where Nwi is the number of occurrences of the i-th word of VOC that correspond to topic t and N is the total number of words that correspond to topic t.
The core formula of LDA is:
p(w|d) = Σ_t p(w|t) · p(t|d)
(The source writes only the single-topic term p(w|t) · p(t|d); the probability of word w in document d is this term summed over the topics t in T.)
Intuitively, this formula uses the topics as an intermediate layer: given the current θd and φt, it gives the probability that word w occurs in document d, where p(t|d) is computed from θd and p(w|t) from φt.
In fact, with the current θd and φt we can compute, for a word in a document, the value of the single-topic term for each possible topic, and then use these values to update the topic that this word should correspond to. If this update changes the topic of the word, it in turn affects θd and φt. [2]
LDA learning process
When the LDA algorithm starts, θd and φt are first assigned random values (for all d and t). Then the above process is repeated continuously, and the result it finally converges to is the output of LDA. One iteration of this learning process is as follows:
1. For the i-th word wi in a specific document ds, let the topic currently corresponding to this word be tj; the above formula can then be rewritten as:
pj(wi|ds) = p(wi|tj) · p(tj|ds)
2. We can now enumerate the topics in T and obtain all pj(wi|ds) for j = 1 ... k. Then, according to these probability values, a topic is selected for the i-th word wi in ds. The simplest idea is to take the tj that maximizes pj(wi|ds) (note that j is the only variable in this formula), that is, argmax[j] pj(wi|ds).
3. Then, if the i-th word wi in ds has selected a topic different from its original one, this affects θd and φt (as is easily seen from the calculation formulas of the two vectors given above). Their change in turn affects the computation of p(w|d) above. Computing p(w|d) and reselecting the topic for all words w of all documents d in D counts as one iteration. After n such iterations, the process converges to the required LDA result.
The present invention is further described below with reference to the accompanying drawings and specific embodiments, but the protection scope of the present invention is not limited thereto.
<DNS data analysis method>
Referring to Fig. 2, before DNS data can be analyzed they must be collected, normalized, and the corresponding data structure defined; the LDA analysis model is then trained with a large volume of document data, and abnormal DNS data are alerted on. The main steps are as follows:
(1) The imported mirrored network traffic data are collected by the DNS data acquisition module, and the collected data are normalized. The message fields after processing include:
the time at which the DNS request packet was captured
the timestamp of the DNS request packet
the number of DNS request packets
the IP address of the client making the DNS request
the IP address of the DNS server
the DNS request resource name
the DNS request type
the requested resource type
the status code returned for the request
the result returned for the request
(2) The analysis model is built on LDA (the document topic model): the input DNS data are taken as input documents, the model is trained on a large volume of document data until a convergent result is obtained, and the trained model is saved. Newly collected DNS data are analyzed and scored, and a threshold is set; when the score is below the threshold, the IP_src address is regarded as suspicious DNS request data, shown on the front-end page, and an alarm is raised to the user. The score is determined from the probability computed for the DNS request data, and the threshold is determined by the user according to demand and experience; it is not a fixed value.
(3) Attack-chain map display of the abnormal traffic analysis result: the suspicious data found in the second step are analyzed, the suspicious IP_dst address is found, the IP address is associated with the corresponding location information, and the attack is shown on the map.
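The training iteration of the LDA learning process above and the scoring and thresholding of step (2), as one added example that is not part of the patent or of the applicant's software. It implements the argmax-per-word variant the page describes (random initial topic per word; pj(w|d) = p(w|tj) · p(tj|d); take the best j; recount θd and φt; stop when no word changes topic) and then applies the saved model to new per-client word bags. Everything the page does not fix is an assumption, marked in the comments: the Dirichlet pseudocounts ALPHA and BETA (standard LDA hyperparameters, added so that a word never seen in training gets a small probability rather than log(0), which matters because the novel tokens of an anomalous client are exactly what should lower its score), the score itself (mean log p(w|d), with θd re-inferred for the new document while φ stays fixed), the alarm threshold of -4.0, and the word bags, which are constructed here in the flag_framelen_hour_qtype_rcode_sublen format that the page's word generation produces, one bag per client IP.

```python
# Hard-assignment LDA over per-client DNS word bags: train, save, score, alarm.
# Added example, not the patent's code; pseudocounts, score, threshold and data are assumptions.
import math
import random

ALPHA = 0.1   # assumption: pseudocount on document-topic counts
BETA = 0.01   # assumption: pseudocount on topic-word counts (unseen words get mass > 0)


class HardAssignmentLDA:
    """The argmax-per-word LDA iteration the page describes."""

    def __init__(self, num_topics, seed=0):
        self.k = num_topics
        self.rng = random.Random(seed)
        self.vocab = {}                                    # word -> index into VOC
        self.topic_word = [[] for _ in range(num_topics)]  # N_{t,w}: count of word w in topic t
        self.topic_total = [0] * num_topics                # N_t: words assigned to topic t

    def _index(self, word, grow):
        """VOC index of word; None for a word unseen in training unless grow is set."""
        if word not in self.vocab:
            if not grow:
                return None
            self.vocab[word] = len(self.vocab)
            for row in self.topic_word:
                row.append(0)
        return self.vocab[word]

    def p_word_given_topic(self, w, t):
        """phi_t[w] = (N_{t,w} + BETA) / (N_t + BETA * (|VOC| + 1)); the +1 reserves mass
        for unseen words. A topic that ended up empty generates nothing (see note)."""
        if self.topic_total[t] == 0:
            return 0.0
        n_tw = self.topic_word[t][w] if w is not None else 0
        return (n_tw + BETA) / (self.topic_total[t] + BETA * (len(self.vocab) + 1))

    def _best_topic(self, w, doc_counts):
        # argmax_j p(w|t_j) * p(t_j|d), with p(t_j|d) = (n_{d,j} + ALPHA) / (n_d + k*ALPHA);
        # the denominator is the same for every j, so it is dropped.
        return max(range(self.k),
                   key=lambda t: self.p_word_given_topic(w, t) * (doc_counts[t] + ALPHA))

    def _count(self, doc_counts, w, t, delta):
        doc_counts[t] += delta
        self.topic_word[t][w] += delta
        self.topic_total[t] += delta

    def fit(self, docs, max_iters=50):
        """docs: list of word lists, one document per client IP."""
        corpus = [[self._index(w, True) for w in doc] for doc in docs]
        z = [[self.rng.randrange(self.k) for _ in doc] for doc in corpus]  # random start
        doc_counts = [[0] * self.k for _ in corpus]
        for d, doc in enumerate(corpus):
            for i, w in enumerate(doc):
                self._count(doc_counts[d], w, z[d][i], +1)
        for _ in range(max_iters):
            changed = 0
            for d, doc in enumerate(corpus):
                for i, w in enumerate(doc):
                    new = self._best_topic(w, doc_counts[d])
                    if new != z[d][i]:
                        self._count(doc_counts[d], w, z[d][i], -1)
                        self._count(doc_counts[d], w, new, +1)
                        z[d][i] = new
                        changed += 1
            if changed == 0:  # converged: no word changed its topic in a full pass
                break
        return self

    def score(self, doc, iters=10):
        """Mean log p(w|d) with p(w|d) = sum_t p(w|t) p(t|d); theta_d is inferred for the
        new document with the saved phi held fixed, so the model itself is unchanged."""
        words = [self._index(w, False) for w in doc]
        counts, z = [0] * self.k, []
        for w in words:                      # start each word at its best topic
            z.append(self._best_topic(w, counts))
            counts[z[-1]] += 1
        for _ in range(iters):
            for i, w in enumerate(words):
                counts[z[i]] -= 1
                z[i] = self._best_topic(w, counts)
                counts[z[i]] += 1
        theta = [(c + ALPHA) / (len(words) + self.k * ALPHA) for c in counts]
        logp = [math.log(sum(self.p_word_given_topic(w, t) * theta[t] for t in range(self.k)))
                for w in words]
        return sum(logp) / len(logp)


def flag_suspicious(model, client_docs, threshold):
    """Return {client_ip: score} for every client whose score is below the alarm threshold."""
    scores = {ip: model.score(words) for ip, words in client_docs.items()}
    return {ip: s for ip, s in scores.items() if s < threshold}


# Constructed word bags (flag_framelen_hour_qtype_rcode_sublen), one per client. Four
# ordinary web clients for training; the new batch adds a client whose queries are long
# TXT names under an unlisted domain that come back NXDOMAIN.
TRAINING = {
    "10.0.3.243": ["1_12_6_A_NoError_5", "1_12_6_AAAA_NoError_5", "1_10_6_A_NoError_4",
                   "2_10_7_A_NoError_3", "1_12_6_A_NoError_5"],
    "10.0.3.244": ["1_10_6_A_NoError_4", "1_12_7_A_NoError_5", "2_10_7_A_NoError_3",
                   "1_12_6_AAAA_NoError_5"],
    "10.0.3.245": ["2_10_7_A_NoError_3", "1_12_7_A_NoError_5", "1_12_6_A_NoError_5",
                   "1_10_6_A_NoError_4"],
    "10.0.3.246": ["1_12_6_A_NoError_5", "1_10_6_A_NoError_4", "1_12_7_A_NoError_5",
                   "1_12_6_AAAA_NoError_5"],
}
NEW_BATCH = {
    "10.0.3.244": ["1_10_6_A_NoError_4", "1_12_6_A_NoError_5", "2_10_7_A_NoError_3"],
    "10.0.3.99": ["0_9_2_TXT_NXDOMAIN_7", "0_9_2_TXT_NXDOMAIN_7",
                  "0_10_2_TXT_NXDOMAIN_7", "0_9_2_TXT_NoError_7"],
}
ALARM_THRESHOLD = -4.0   # assumption: the page says the user sets this empirically


def run_example():
    model = HardAssignmentLDA(num_topics=2, seed=7).fit(list(TRAINING.values()))
    return flag_suspicious(model, NEW_BATCH, ALARM_THRESHOLD)


if __name__ == "__main__":
    for ip, s in run_example().items():
        print(f"ALERT {ip}: score {s:.2f} < {ALARM_THRESHOLD}")
```

The hard argmax step is the page's recipe, not the collapsed Gibbs sampling used by standard LDA implementations; it converges in a few passes on small input but can leave a topic empty, and the code treats an empty topic as one that generates nothing. Giving it a uniform distribution instead would hand every never-seen word a probability of 1/|VOC|, which is larger than what a populated topic assigns it, and the anomalous client would then score higher than normal clients and slip under the alarm.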
Implementation of the DNS log analysis model function:
Brief introduction to the LDA (Latent Dirichlet Allocation) document topic model
LDA is an unsupervised machine learning technique that can be used to identify the topic information hidden in a large-scale document collection or corpus. It uses the bag-of-words method, which treats each document as a word-frequency vector and thereby converts text information into numerical information that is easy to model. Each document represents a probability distribution over some topics, and each topic represents a probability distribution over many words. If we want to generate a document, the probability with which each word in it occurs is given by the core formula stated above.
This probability formula can be represented as a matrix, as shown in Fig. 3.
In the present invention, the document topics corresponding to the LDA model are defined as follows:
Model: DNS logs
document: the document formed from the words produced by processing DNS records
word: the word produced by processing a DNS record
topic: a topic in terms of network behavior
The essence of LDA model training is to obtain the probability distribution function of a word in a document and then to generate one word at a time according to this distribution. Therefore, for LDA model training on DNS data to give meaningful results, the collected DNS data must be segmented into words, because the normalized DNS data are identified by network addresses and timestamps, which have no repeatability; a meaningful model cannot be trained directly from such data.
Word segmentation of DNS data:
Each DNS log record is simplified into one word corresponding to the client IP (the IP address of the client that initiated the DNS query). The rules for building a word are as follows:
DNS query name parsing:
For example, parsing the name www.baidu.com gives the top-level domain com and the subdomain baidu.
The top-level domain is discarded in the analysis, and the flag is assigned according to the condition that the subdomain satisfies:
if the domain name is in the Alexa top 1,000,000 domain list, the flag is set to 1;
if the domain name belongs to the user-defined domain name list, the flag is set to 2;
if neither of the above cases applies, the flag is set to 0.
Frame length
The number of the data size interval into which the frame_len field (frame length) falls is used as the value of this flag. If the frame length is 1026 bytes, it falls in the interval (1024, 2048] and corresponds to number 12. The interval boundaries are (0, 1, 2, 4, 8, ..., 2^n).
Time
The value of this flag is the hour of the time in the frame_time field of the DNS log.
DNS query type (DNS request type)
Identified by the value of the dns_qry_type field in the data.
DNS query response code (DNS response code)
Identified by the value of the dns_qry_rcord field in the data.
Subdomain length (string length of the subdomain name)
The number of the data size interval into which the string length of the subdomain name (e.g. "baidu") falls is used as the value of this flag. If the string length is 10 bytes, it falls in the interval (8, 16] and corresponds to number 5. The interval boundaries are (0, 1, 2, 4, 8, ..., 2^n).
Word generation example
One DNS record is: frame_time: Jul 8 2016 06:02:04.651847000UTC, frame_len: 1026, dns_qry_name: www.baidu.com, dns_qry_type: A, dns_qry_class: Internet (IN), dns_qry_rcord: NoError, IP_dst: 172.16.0.183, IP_src: 10.0.3.243.
The generated word is: "1_12_2_A_NoError_5".
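The word generation rules above, turned into a tokenizer and grouped into one word bag per client, as an added example that is not the patent's or the applicant's code. The rules are the page's: the flag is 1 for a domain in the Alexa top million, 2 for a user-defined domain, else 0; frame length and subdomain string length are replaced by the number of the interval with boundaries 0, 1, 2, 4, 8, ..., 2^n into which they fall (1026 bytes gives 12, 10 characters gives 5); the time field is the hour of frame_time; query type and response code are copied as written. What the page does not fix is an assumption here: the Alexa and user lists are small stand-in sets constructed for the example; the TLD is taken to be the last label and the "subdomain" everything before it, which reproduces the trailing 5 of the page's sample word (len("www.baidu") = 9 falls in (8, 16]; the bare label "baidu" would give 4); and the hour is read from the timestamp as written, in UTC, which yields 6 for the sample record where the page prints 2 without saying how that value was obtained.

```python
# One normalised DNS record -> one "word" -> one bag per client IP.
# Added example, not the patent's code; the domain lists and records below are constructed.
from datetime import datetime

ALEXA_TOP_1M = {"baidu.com", "google.com", "qq.com"}  # constructed stand-in for the Alexa list
USER_DOMAINS = {"corp.example"}                       # constructed stand-in for the user list


def bucket(n):
    """Number of the interval with boundaries 0,1,2,4,8,... that contains n: the smallest k
    with n <= 2**(k-1). 1026 -> (1024, 2048] -> 12; 10 -> (8, 16] -> 5; n <= 0 -> 0."""
    if n <= 0:
        return 0
    k = 1
    while n > 2 ** (k - 1):
        k += 1
    return k


def split_name(qname):
    """Return (registered domain, everything before the TLD) for a query name.
    Assumption: TLD = last label, registered domain = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-1])


def domain_flag(registered):
    if registered in ALEXA_TOP_1M:
        return 1          # page rule: in the Alexa top 1,000,000 -> 1
    if registered in USER_DOMAINS:
        return 2          # page rule: in the user-defined list -> 2
    return 0              # page rule: neither -> 0


def hour_of(frame_time):
    """Hour of a frame_time such as 'Jul 8 2016 06:02:04.651847000UTC', read as UTC.
    strptime's %f takes at most six fractional digits, so the rest is dropped."""
    text = frame_time[:-3] if frame_time.endswith("UTC") else frame_time
    stamp, frac = text.split(".")
    return datetime.strptime(f"{stamp}.{frac[:6]}", "%b %d %Y %H:%M:%S.%f").hour


def record_to_word(rec):
    """Build flag_framelen_hour_qtype_rcode_sublen from the page's field names."""
    registered, subdomain = split_name(rec["dns_qry_name"])
    parts = (domain_flag(registered), bucket(int(rec["frame_len"])), hour_of(rec["frame_time"]),
             rec["dns_qry_type"], rec["dns_qry_rcord"], bucket(len(subdomain)))
    return "_".join(str(p) for p in parts)


def bags_by_client(records):
    """Group words by the client that issued the query (IP_src): one bag per client."""
    bags = {}
    for rec in records:
        bags.setdefault(rec["IP_src"], []).append(record_to_word(rec))
    return bags


# Constructed records: the page's sample, plus a long TXT query under an unlisted domain.
SAMPLE_RECORDS = [
    {"frame_time": "Jul 8 2016 06:02:04.651847000UTC", "frame_len": "1026",
     "dns_qry_name": "www.baidu.com", "dns_qry_type": "A", "dns_qry_class": "Internet (IN)",
     "dns_qry_rcord": "NoError", "IP_dst": "172.16.0.183", "IP_src": "10.0.3.243"},
    {"frame_time": "Jul 8 2016 06:02:09.120000000UTC", "frame_len": "143",
     "dns_qry_name": "x8f3k2m1.tunnel.example.net", "dns_qry_type": "TXT",
     "dns_qry_class": "Internet (IN)", "dns_qry_rcord": "NXDOMAIN",
     "IP_dst": "172.16.0.183", "IP_src": "10.0.3.99"},
]

if __name__ == "__main__":
    for ip, words in bags_by_client(SAMPLE_RECORDS).items():
        print(ip, words)
```

The second record shows why the bucketed fields carry signal: a 23-character label sequence under a domain on neither list, queried as TXT and answered NXDOMAIN, becomes "0_9_6_TXT_NXDOMAIN_6", a token that never occurs in the bags of ordinary web clients and therefore receives a low probability from a model trained on them.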
<DNS data analysis system>
The invention discloses a network security threat analysis system based on DNS logs, characterized in that the system comprises:
an LDA analysis model training module, which collects mirrored network traffic data, normalizes the collected DNS request data, uses the input DNS data as input documents, trains an LDA analysis model with a large number of input documents until a convergent result is obtained, saves the trained LDA analysis model, and sets an alarm threshold;
a DNS data analysis module, which analyzes newly collected DNS request data with the LDA analysis model to obtain a score;
an alarm module, which, when the score is judged to be below the alarm threshold, determines that the newly collected DNS data are suspicious DNS request data, displays them on the front-end page, and alerts the user.
The alarm module comprises:
a display submodule, which analyzes the suspicious DNS request data found, finds the source IP address and destination IP address corresponding to the suspicious DNS request data, associates them with the corresponding location information, and displays them on a map.
In the LDA analysis model, the documents formed from the words produced by processing the DNS request data are taken as the document collection D, the words produced by processing the DNS request data are taken as the document word set W, and the network behavior topics in the DNS request data are taken as the document topic set T.
The probability with which each word of the DNS request data occurs in the document collection is recorded, and the score of newly collected DNS request data is determined from this probability.
A word produced by processing the DNS request data is composed of the following parameters:
the domain name string in the DNS request data, the frame length, the request time, the request type, the response code, and the string length of the subdomain name.
The above embodiments are only examples of the protection scheme of the present invention and do not limit the embodiments of the present invention.

Claims (10)

1. A network security threat analysis method based on DNS log data, characterized in that the method comprises the following steps:
1) collecting mirrored network traffic data and normalizing the collected DNS request data; using the input DNS request data as input documents, training an LDA analysis model with a large number of input documents until a convergent result is obtained, saving the trained LDA analysis model, and setting an alarm threshold;
2) analyzing newly collected DNS request data with the LDA analysis model to obtain a score;
3) when the score is judged to be below the alarm threshold, determining that the newly collected DNS request data are suspicious DNS request data, displaying them on the front-end page and alerting the user; otherwise proceeding directly to step 4);
4) ending.
2. The method according to claim 1, wherein in step 3), after the newly collected DNS request data have been determined to be suspicious DNS request data, displayed on the front-end page, and the user has been alerted, the method further comprises the following step:
analyzing the suspicious DNS request data found, finding the source IP address and destination IP address corresponding to the suspicious DNS request data, associating them with the corresponding location information, and displaying them on a map.
3. The method according to claim 1, wherein in the LDA analysis model the documents formed from the words produced by processing the DNS request data are taken as the document collection D, the words produced by processing the DNS request data are taken as the document word set W, and the network behavior topics in the DNS request data are taken as the document topic set T.
4. The method according to claim 3, wherein the probability with which each word of the DNS request data occurs in the document collection is recorded, and the score of newly collected DNS request data is determined from this probability.
5. The method according to claim 3 or 4, wherein a word produced by processing the DNS request data is composed of the following parameters:
the domain name string in the DNS request data, the frame length, the request time, the request type, the response code, and the string length of the subdomain name.
6. A network security threat analysis system based on DNS log data, characterized in that the system comprises:
an LDA analysis model training module, which collects mirrored network traffic data, normalizes the collected DNS request data, uses the input DNS request data as input documents, trains an LDA analysis model with a large number of input documents until a convergent result is obtained, saves the trained LDA analysis model, and sets an alarm threshold;
a DNS data analysis module, which analyzes newly collected DNS request data with the LDA analysis model to obtain a score;
an alarm module, which, when the score is judged to be below the alarm threshold, determines that the newly collected DNS request data are suspicious DNS request data, displays them on the front-end page, and alerts the user.
7. The system according to claim 6, wherein the alarm module comprises:
a display submodule, which analyzes the suspicious DNS request data found, finds the source IP address and destination IP address corresponding to the suspicious DNS request data, associates them with the corresponding location information, and displays them on a map.
8. The system according to claim 6, wherein in the LDA analysis model the documents formed from the words produced by processing the DNS request data are taken as the document collection D, the words produced by processing the DNS request data are taken as the document word set W, and the network behavior topics in the DNS request data are taken as the document topic set T.
9. The system according to claim 8, wherein the probability with which each word of the DNS request data occurs in the document collection is recorded, and the score of newly collected DNS request data is determined from this probability.
10. A computer-readable storage medium storing computer program instructions, characterized in that, when the computer program instructions are executed, the method according to one of claims 1 to 5 is implemented.

Application, priority and family

Application number: CN201711332857.3A
Priority date: 2017-12-13
Filing date: 2017-12-13
Publication: CN108040053A, published 2018-05-15 (pending)
Title: A network security threat analysis method and system based on DNS log data
Family ID: 62102306
Country status: CN only (one family application)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title
CN109218321A * 2018-09-25 2019-01-15 北京明朝万达科技股份有限公司 A network intrusion detection method and system
CN110378124A * 2019-07-19 2019-10-25 杉树岭网络科技有限公司 A network security threat analysis method and system based on LDA machine learning
CN114866342A * 2022-06-30 2022-08-05 广东睿江云计算股份有限公司 Traffic feature identification method and device, computer equipment and storage medium
US11843622B1 * 2020-10-16 2023-12-12 Splunk Inc. Providing machine learning models for classifying domain names for malware detection

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103870751A (en) * 2012-12-18 2014-06-18 中国移动通信集团山东有限公司 Method and system for intrusion detection
US20140358745A1 (en) * 2013-06-04 2014-12-04 LedgerPal Inc. Automated accounting method
CN105049232A (en) * 2015-06-19 2015-11-11 成都艾尔普科技有限责任公司 Network information log audit system
CN103001825B (en) * 2012-11-15 2016-03-02 中国科学院计算机网络信息中心 The detection method of DNS Traffic Anomaly and system
CN106034056A (en) * 2015-03-18 2016-10-19 北京启明星辰信息安全技术有限公司 Service safety analysis method and system thereof
CN106657001A (en) * 2016-11-10 2017-05-10 广州赛讯信息技术有限公司 Botnet detection method based on Netflow and DNS blog
CN106713371A (en) * 2016-12-08 2017-05-24 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS anomaly mining
CN107071084A (en) * 2017-04-01 2017-08-18 北京神州绿盟信息安全科技股份有限公司 A kind of DNS evaluation method and device


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Huang, J., Kalbarczyk, Z., Nicol, D. M.: "Knowledge Discovery from Big Data for Intrusion Detection Using LDA", 2014 IEEE International Congress on Big Data *
Han, Q.: "Research on APT Communication Log Features under the LDA Model", China Master's Theses Full-text Database *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20180515)