CN108566364A - Intrusion detection method based on neural network - Google Patents


Publication number
CN108566364A
Authority
CN
China
Prior art keywords
neural network
feature
detection method
attack
intrusion detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810036362.4A
Other languages
Chinese (zh)
Other versions
CN108566364B (en)
Inventor
马凯
江荣
贾焰
周斌
李爱平
杨树强
韩伟红
李润恒
徐镜湖
安伦
亓玉璐
杨行
王伟
林佳
尚怀军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Yilan Situation Technology Co ltd
National University of Defense Technology
Original Assignee
Sichuan Yilan Situation Technology Co ltd
National University of Defense Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Yilan Situation Technology Co ltd, National University of Defense Technology
Priority to CN201810036362.4A
Publication of CN108566364A
Application granted
Publication of CN108566364B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks

Abstract

The invention discloses an intrusion detection method based on a neural network, which comprises the following steps: step 1) a detection step, comprising: sniffing to acquire the traffic information of connected hosts, determining which ports are open or closed and which programs are running, and judging from this information whether the system has been attacked or is about to be attacked; step 2) a data preprocessing step, comprising: given a large number of training samples, selecting features, preprocessing the data, and identifying anomalies; step 3) an attack classification step, comprising: classifying the various attacks using a neural network algorithm, by means of a decision tree model, a support vector machine or a neural network model; and step 4) an alarm step, comprising: giving notification of detected attack events so that the network administrator can make decisions in time and the losses caused by attacks are reduced.

Description

An intrusion detection method based on a neural network
Technical field
The invention relates to an intrusion detection method based on a neural network.
Background art
With the development of the internet, which has greatly facilitated people's lives, more and more individuals, companies and government agencies rely on it to conduct business, some of which involves information or secrets that they are unwilling to disclose. Because some adversaries or competitors can obtain this information by various means without approval or authorization, an insecure system often brings losses to individuals, companies or government agencies. Network intrusion greatly threatens the security of internet connections and the protection of privacy. The complexity of networks, the diversity of attack methods and the purposefulness of attackers all increase the difficulty of network intrusion detection. Many methods are currently available on the market to ensure system security, such as installing firewalls, encryption technology, intrusion detection systems and so on. The present invention mainly discovers, and even reduces, intrusion behavior from the perspective of the intrusion detection system.
An intrusion detection system (Intrusion Detection Systems), commonly abbreviated IDS, collects and senses various kinds of information about the system and the network in order to analyze system and network activity and prevent unauthorized attacks. The goal of deploying an IDS is to monitor system activity, discover and stop possible intrusions in time, and reduce property loss or prevent privacy leaks. An intrusion detection system mainly provides three functions: monitoring the system, detecting suspicious behavior, and generating security alerts. Security alerts are generated so that the network administrator can make security decisions in time. The difference between an intrusion detection system and a firewall is this: a firewall is like a fence that filters incoming and outgoing traffic according to certain rules in order to prevent intrusion, which is a passive process; an intrusion detection system actively detects and analyzes system behavior, or analyzes behavior that has already penetrated the firewall, in order to safeguard network security. In practical applications the two are often combined so that they complement each other and jointly resist external intrusion.
Current intrusion detection systems, in China and abroad, can be classified along the following three dimensions:
1. Data source: IDS based on traffic analysis, host-based IDS, and IDS that mix the two
2. Detection model: misuse detection and anomaly detection
3. Deployment: centralized detection systems and distributed detection systems
The core idea of a misuse-based detection system (misuse based detection system) is first to model and analyze known abnormal behavior and obtain some of its behavioral characteristics, and then to predefine this characteristic information in the system. Any behavior in the network that matches the predefined characteristics is judged to be an attack; otherwise it is judged to be normal access. Snort, an open-source lightweight intrusion detection system, is a typical IDS of this kind. A misuse-based detection system can defend well against known attacks, but it is often helpless against new, unknown attacks. Such a system therefore needs a large number of experts to keep analyzing the new attack methods that continually emerge, and users who have deployed it also need to update their rules frequently.
The core idea of an anomaly-based intrusion detection system (anomaly based detection system) is to model and analyze normal behavior; network activity that exceeds the threshold of normal behavior is judged to be abnormal. Such an anomaly detection system can discover previously unknown attacks, and it does not require a rule to be defined for each attack by analyzing large amounts of abnormal behavior, which greatly reduces manual effort. However, such a system needs to distinguish normal behavior from abnormal behavior correctly, and the boundary between the two is rather blurred and hard to characterize accurately, so the system often produces some false alarms. Although this approach of "rather kill a thousand by mistake than let one go" is somewhat extreme, in the field of network security, especially where significant privacy or property is involved, it is also a means of protection, and methods based on anomaly detection have therefore been widely studied.
Summary of the invention
The technical problem to be solved by the invention is to provide an intrusion detection method based on a neural network that addresses the problems of the prior art.
The technical solution adopted by the invention to solve the above technical problem is as follows:
After adopting the above scheme,
Other features and advantages of the invention will be set forth in the description that follows, and in part will become apparent from the description or be understood by practicing the invention. The objectives and other advantages of the invention can be realized and obtained by the structure particularly pointed out in the written description, the claims and the drawings.
Brief description of the drawings
The invention is described in detail below with reference to the accompanying drawings, so that the above advantages of the invention become clearer. In the drawings,
Fig. 1 is a framework diagram of the intrusion detection system of the invention.
Fig. 2 is a structure diagram of the neural network of the invention, a multilayer perceptron.
Detailed description of the embodiments
Embodiments of the invention are described in detail below with reference to the drawings and examples, so that the way in which the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented. It should be noted that, provided they do not conflict, the embodiments of the invention and the features of each embodiment can be combined with one another, and the resulting technical solutions all fall within the protection scope of the invention.
In addition, the steps shown in the flowcharts of the drawings can be executed in a computer system, for example as a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in an order different from the one given here.
The purpose of the invention is to overcome the inability of misuse-based detection systems to discover new attack behavior in time, and to overcome problems such as the heavy computation of traditional neural networks, the selection of hyperparameters, and the continual emergence of new attack behavior. To this end it proposes an adaptive, feedback-driven intrusion detection system based on a neural network. The system mainly comprises the following steps:
Step 1) Detection
Detection is mainly responsible for probing the system, for example by traffic sniffing: determining which ports are open or closed and which programs are running, collecting important information about the system, and using this information to judge whether the system has been attacked or is about to be attacked. The invention is an intrusion detection system based on traffic packets, so this module mainly sniffs and captures the traffic information of connected hosts.
Step 2) Data preprocessing
This step serves to detect anomalies. Given a large number of training samples, this module covers the process from feature selection, through data preprocessing, to identifying anomalies.
Step 3) Classification
The classification algorithm can be a decision tree model, a support vector machine, a neural network model and so on. The invention uses a neural network algorithm to classify the various attacks.
Step 4) Alarm
The alarm gives notification of attacks that the IDS has detected, so that the network administrator can make decisions in time and reduce the losses caused by attacks.
Module 5) Feedback
The network administrator can perform a series of operations on the current system according to the alarms the system generates. However, in the case of false alarms, where the system judges normal access behavior to be an attack, and missed alarms, where the system judges an attack to be normal behavior, the system administrator can feed the errors produced by the system back to it, so that it keeps learning and can make the correct decision when it encounters such a case later.
Step 2) of the above technical solution can be divided into the following basic sub-steps:
Step 2-1) Feature selection
The collected packet traffic information contains a large number of features, but in practical applications not all of them can be obtained, some of them even degrade detection results, and too many features enlarge the neural network and increase computing overhead. The invention therefore uses a feature-engineering-based method for feature selection, which can reduce the number of features without reducing detection accuracy.
Step 2-2) Feature encoding
Some of the features are nominal attributes and need to be converted into numerical attributes by means of dummy coding.
Step 2-3) Feature vector standardization
Among the columns of the feature matrix, some have a large range of values, and the scales (dimensions) are not uniform. For this reason the values are standardized using the z-score method.
Before the neural network can actually classify, it needs to be trained on a large sample set; the invention uses the KDD 99 dataset for training.
Compared with misuse-based intrusion detection systems, the anomaly-based detection of the invention can effectively discover unknown new attack behavior. Using a neural network as the classification model, with its powerful nonlinear fitting ability, can improve detection accuracy. For the difficult problem of hyperparameter selection in neural network training, the invention uses the Grid Search method, which can efficiently select a set of hyperparameters suited to the current task. Using feature engineering to screen the large number of network features reduces the input size and the computing overhead. Using a feedback mechanism makes the system a closed loop, so that its ability to detect attacks improves continually during use.
1. Feature selection based on SVM;
2. A detection model based on MLP;
3. A feedback mechanism that makes the system a closed loop, so that the model is continually optimized in real use;
4. Hyperparameter selection based on Grid Search.
Step 1): Packets are captured using the open-source software Winpcap, and the format of the collected packets should be set to match the format of the KDD Cup 1999 training set.
Step 2): The data preprocessing part mainly comprises three sub-steps: feature selection, data encoding and data standardization.
Step 2-1): The choice of features directly determines the upper bound of the classification accuracy of the algorithm, and ranking features by their importance to the detection result is the basic criterion of feature selection. Among a large number of features, it must be determined which are important, which are of average importance, and which are useless. Feature selection can eliminate some useless or even harmful feature information, which does much to improve the detection accuracy of the system; it can also eliminate features that have little influence on the result, which reduces the detection time of the system. The most comprehensive feature selection method is to enumerate all subsets of the features, train and test on each subset, and see which gives the best result with a low time overhead. If there are n features there are 2^n subsets; this is practical for small feature sets, but it is not well suited to network packet information, which contains a large number of attribute features. The invention therefore uses a different, "elimination" method to rank feature importance. The specific algorithm is as follows:
Feature selection algorithm based on SVM:
Input: all 41 features of KDD Cup 1999 and the required number of features k
Output: the selected feature subset
Algorithm:
1. Build the training set and the test set
For each feature in the feature set:
2. Delete that feature from the training set and the test set
3. Train a classifier using the remaining features
4. Analyze the performance of the classifier, including detection accuracy and prediction time overhead
Rank all features by importance and take the top k features as the final features
The invention mainly uses two criteria for evaluation: overall detection accuracy and prediction time overhead. The SVM is applied to the original dataset with 41 features and to each of the 40-feature datasets obtained by deleting one feature, and the results are compared; each feature attribute is then labeled with one of three grades, "important", "secondary" or "general". The following rules are defined:
Note: In all of the above, the dataset containing 40 features is compared with the dataset containing 41 features.
Because k features are ultimately to be selected from the 41, the search proceeds in order from "important" to "secondary" to "general", taking the first k with the lowest accuracy.
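The elimination procedure above, as an added example that is not code from the patent: each feature is deleted in turn, a classifier is retrained, and features are ranked by the accuracy that remains without them. To stay dependency-free it swaps the page's SVM for a nearest-centroid classifier (an assumption), uses three constructed, pre-scaled KDD-style features instead of all 41, and ranks on accuracy only because the page's grading rules are not reproduced in the text.

```python
import time

# Constructed, already-scaled samples: [serror_rate, count, duration]; 1 = attack.
NAMES = ["serror_rate", "count", "duration"]
X_TRAIN = [[0.0, 0.2, 1.0], [0.2, 0.0, -1.0], [1.0, 0.4, 1.0], [0.8, 0.6, -1.0]]
Y_TRAIN = [0, 0, 1, 1]
X_TEST = [[0.1, 0.1, 0.5], [0.3, 0.4, -0.5], [0.9, 0.35, 0.5],
          [0.6, 0.2, 0.0], [0.45, 0.6, 0.0]]
Y_TEST = [0, 0, 1, 1, 1]


def fit_centroids(X, y):
    """Stand-in classifier (assumption): nearest centroid instead of the page's SVM."""
    sums, counts = {}, {}
    for row, label in zip(X, y):
        acc = sums.setdefault(label, [0.0] * len(row))
        for j, value in enumerate(row):
            acc[j] += value
        counts[label] = counts.get(label, 0) + 1
    return {c: [s / counts[c] for s in sums[c]] for c in sums}


def predict(centroids, row):
    def dist2(center):
        return sum((a - b) ** 2 for a, b in zip(row, center))
    # sorted() makes tie-breaking deterministic (lowest label wins).
    return min(sorted(centroids), key=lambda label: dist2(centroids[label]))


def drop_column(X, j):
    return [row[:j] + row[j + 1:] for row in X]


def evaluate(X_train, y_train, X_test, y_test):
    """Return (detection accuracy, prediction time in seconds) on the test set."""
    model = fit_centroids(X_train, y_train)
    start = time.perf_counter()
    predicted = [predict(model, row) for row in X_test]
    elapsed = time.perf_counter() - start
    correct = sum(p == t for p, t in zip(predicted, y_test))
    return correct / len(y_test), elapsed


def rank_features(names, X_train, y_train, X_test, y_test):
    """Delete one feature at a time; lowest remaining accuracy = most important."""
    baseline, _ = evaluate(X_train, y_train, X_test, y_test)
    report = []
    for j, name in enumerate(names):
        acc, secs = evaluate(drop_column(X_train, j), y_train,
                             drop_column(X_test, j), y_test)
        report.append({"feature": name, "accuracy_without": acc,
                       "accuracy_drop": baseline - acc, "predict_seconds": secs})
    report.sort(key=lambda r: r["accuracy_without"])
    return baseline, report


def select_top_k(report, k):
    return [r["feature"] for r in report[:k]]


BASELINE, REPORT = rank_features(NAMES, X_TRAIN, Y_TRAIN, X_TEST, Y_TEST)

if __name__ == "__main__":
    print("accuracy with all features:", BASELINE)
    for entry in REPORT:
        print(entry)
    print("selected:", select_top_k(REPORT, 2))
```

Deleting `duration` leaves accuracy unchanged here, which is the signal that a feature can be removed to cut prediction time at no cost in detection.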
Step 2-2): Feature encoding mainly concerns nominal attributes. The input of a neural network must be entirely numerical, whereas a nominal attribute is a set of categories, so nominal attributes need to be converted. The method mainly used here is called dummy coding (dummy code). Specifically, if a feature has 5 categories and a given sample takes the value cls_2 on this feature, the feature is finally represented as {0,1,0,0,0}; one feature is expanded into 5 features.
Step 2-3): Standardization is applied to the columns of the training data, converting the feature values of the samples to the same scale, so that the processed data conform to a normal distribution. The z-score method is used here:
where μ is the mean of all sample data and σ is the standard deviation of all sample data.
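Steps 2-2 and 2-3 together, as an added example that is not code from the patent: nominal fields are dummy-coded, then every column is standardized with the usual z-score z = (x - μ) / σ. The five KDD-style field names, the sample records, and the handling of constant columns and of categories unseen during fitting are assumptions made for this sketch.

```python
import math

NUMERIC = ("duration", "src_bytes", "land")
NOMINAL = ("protocol_type", "flag")


class Preprocessor:
    def fit(self, records):
        # Category lists are frozen at fit time so that training data and live
        # traffic are always encoded into the same column layout.
        self.categories = {f: sorted({r[f] for r in records}) for f in NOMINAL}
        columns = list(zip(*(self.encode(r) for r in records)))
        n = len(records)
        self.mean = [sum(c) / n for c in columns]
        # Population standard deviation of each column.
        self.std = [math.sqrt(sum((v - m) ** 2 for v in c) / n)
                    for c, m in zip(columns, self.mean)]
        return self

    def column_names(self):
        return list(NUMERIC) + [f"{f}={c}" for f in NOMINAL
                                for c in self.categories[f]]

    def encode(self, record):
        """Dummy coding: one 0/1 column per category seen during fit.
        A category never seen in training encodes as all zeros."""
        row = [float(record[f]) for f in NUMERIC]
        for f in NOMINAL:
            row += [1.0 if record[f] == c else 0.0 for c in self.categories[f]]
        return row

    def transform(self, records):
        """z-score each column; a constant column (sigma = 0) maps to 0.0
        instead of raising ZeroDivisionError."""
        return [[(v - m) / s if s > 0 else 0.0
                 for v, m, s in zip(self.encode(r), self.mean, self.std)]
                for r in records]


# Constructed training records in the style of KDD Cup 1999 connection records.
TRAIN = [
    {"duration": 0, "src_bytes": 100, "land": 0, "protocol_type": "tcp", "flag": "SF"},
    {"duration": 0, "src_bytes": 300, "land": 0, "protocol_type": "tcp", "flag": "S0"},
    {"duration": 4, "src_bytes": 100, "land": 0, "protocol_type": "udp", "flag": "SF"},
    {"duration": 4, "src_bytes": 300, "land": 0, "protocol_type": "icmp", "flag": "SF"},
]
# Constructed live record whose flag value was never seen during fitting.
NEW = {"duration": 2, "src_bytes": 500, "land": 0, "protocol_type": "tcp", "flag": "RSTO"}

PRE = Preprocessor().fit(TRAIN)
MATRIX = PRE.transform(TRAIN)

if __name__ == "__main__":
    print(PRE.column_names())
    for row in MATRIX:
        print([round(v, 3) for v in row])
    print([round(v, 3) for v in PRE.transform([NEW])[0]])
```

The statistics are fitted once on training data and reused for captured traffic; refitting μ and σ on live data would shift the inputs the trained network expects.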
Step 3): Classification is the core component of intrusion detection. The invention uses a neural network, with its powerful nonlinear fitting ability, as the classification algorithm; the multilayer perceptron (MLP) is a commonly used neural network algorithm. A multilayer perceptron is composed of a series of cascaded neural units and nonlinear activation functions and comprises an input layer, hidden layers and an output layer, as shown in Fig. 2 of the description; the input of each layer is the output of the layer before it. The MLP is a supervised learning algorithm comprising two processes, forward propagation and error back-propagation. In forward propagation,
$$z^{(l+1)} = W^{(l)} a^{(l)} + b^{(l)}$$
$$a^{(l+1)} = f(z^{(l+1)}), \quad l = 0, 1, 2, \ldots, n$$
where $a^{(0)}$ is the input. The parameter connecting the j-th neural unit of layer l to the i-th neural unit of layer l+1 is initialized with a random number between -0.01 and 0.01;
likewise, the bias of the i-th neural unit of layer l+1 is initialized to zero; f(z) is the activation function, such as sigmoid or tanh.
where e denotes the natural constant.
We train the neural network by gradient descent. More formally, for a training sample (x, y), the cost function with respect to this training sample is defined as:
where $h_{W,b}(x)$ denotes the result computed by the neural network for a given input x.
During back-propagation, the parameters are updated using the following formulas.
where α is the learning rate and J(W, b) denotes the loss function.
Step 4): An alarm is generated so that the network administrator is notified in time when the intrusion detection system detects abnormal access behavior.
Step 5): Intrusion detection systems based on anomaly detection usually have a high false alarm rate; a feedback mechanism is used to reduce it. Concretely, when the system produces an alarm but no attack has actually occurred, the system synchronizes and updates the raw data in question, together with the erroneous classification result, to the data center. The neural network algorithm is then retrained periodically and its parameters are updated. The feedback mechanism turns the system into a closed loop, so that it keeps becoming "smarter" during use and its classification results become more accurate.
The above describes the operation of the whole system, but before the classification algorithm can classify, the MLP also needs to be trained.
The invention trains using the Grid Search method. Concretely, Grid Search first defines a series of hyperparameters to be optimized, here {the number of hidden layers and the number of neural units in each layer, the choice of activation function (sigmoid or tanh), whether to add L2 regularization}; then all possible combinations are formed by enumeration; finally a model is trained for each hyperparameter setting, and the set of hyperparameters with the highest classification accuracy is chosen as the final parameter setting.
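The MLP of step 3 and the Grid Search above in one added example, not code from the patent. Because the cost and update formulas are not reproduced in the text, it assumes the squared-error cost 0.5*||h(x) - y||^2 with an optional L2 term and per-sample gradient descent; the candidate grid values, learning rate, epoch count and the constructed two-feature samples are also assumptions.

```python
import itertools
import math
import random

# name -> (f(z), derivative written in terms of the activation a = f(z))
ACTIVATIONS = {
    "sigmoid": (lambda z: 1.0 / (1.0 + math.exp(-z)), lambda a: a * (1.0 - a)),
    "tanh": (math.tanh, lambda a: 1.0 - a * a),
}

def init_params(sizes, seed=0):
    """Weights uniform in [-0.01, 0.01], biases zero, as the description states."""
    rng = random.Random(seed)
    W = [[[rng.uniform(-0.01, 0.01) for _ in range(n_in)] for _ in range(n_out)]
         for n_in, n_out in zip(sizes, sizes[1:])]
    b = [[0.0] * n_out for n_out in sizes[1:]]
    return W, b

def forward(params, x, act):
    """Forward propagation; returns the activations of every layer."""
    f = ACTIVATIONS[act][0]
    layers = [list(x)]
    for Wl, bl in zip(*params):
        prev = layers[-1]
        layers.append([f(sum(w * a for w, a in zip(row, prev)) + bias)
                       for row, bias in zip(Wl, bl)])
    return layers

def loss(params, x, y, act, l2=0.0):
    """Assumed per-sample cost: 0.5*||h(x) - y||^2 + (l2/2) * sum of squared weights."""
    h = forward(params, x, act)[-1]
    penalty = sum(w * w for Wl in params[0] for row in Wl for w in row)
    return 0.5 * sum((hi - yi) ** 2 for hi, yi in zip(h, y)) + 0.5 * l2 * penalty

def gradients(params, x, y, act, l2=0.0):
    """Error back-propagation for one sample; returns (dJ/dW, dJ/db) per layer."""
    df = ACTIVATIONS[act][1]
    W = params[0]
    layers = forward(params, x, act)
    delta = [(h - t) * df(h) for h, t in zip(layers[-1], y)]
    dW, db = [None] * len(W), [None] * len(W)
    for l in range(len(W) - 1, -1, -1):
        dW[l] = [[d * a + l2 * w for a, w in zip(layers[l], row)]
                 for d, row in zip(delta, W[l])]
        db[l] = delta
        if l > 0:  # push the error back through W(l) to the previous layer
            delta = [sum(W[l][i][j] * delta[i] for i in range(len(delta)))
                     * df(layers[l][j]) for j in range(len(layers[l]))]
    return dW, db

def train(X, Y, hidden, act, l2, alpha=0.2, epochs=300, seed=0):
    """Per-sample gradient descent: W := W - alpha * dJ/dW, b := b - alpha * dJ/db."""
    params = init_params([len(X[0]), *hidden, len(Y[0])], seed)
    W, b = params
    for _ in range(epochs):
        for x, y in zip(X, Y):
            dW, db = gradients(params, x, y, act, l2)
            for l in range(len(W)):
                for i in range(len(W[l])):
                    b[l][i] -= alpha * db[l][i]
                    for j in range(len(W[l][i])):
                        W[l][i][j] -= alpha * dW[l][i][j]
    return params

def accuracy(params, X, Y, act):
    hits = sum((forward(params, x, act)[-1][0] >= 0.5) == (y[0] == 1.0)
               for x, y in zip(X, Y))
    return hits / len(X)

def grid_search(grid, train_set, valid_set, **fit_args):
    """Train one MLP per hyperparameter combination; keep the most accurate."""
    keys = sorted(grid)
    results = []
    for combo in itertools.product(*(grid[k] for k in keys)):
        s = dict(zip(keys, combo))
        params = train(*train_set, s["hidden"], s["activation"], s["l2"], **fit_args)
        results.append({**s, "accuracy": accuracy(params, *valid_set, s["activation"])})
    return max(results, key=lambda r: r["accuracy"]), results

# Hyperparameters named in the description; the candidate values are assumptions.
GRID = {"hidden": [(4,), (4, 4)], "activation": ["sigmoid", "tanh"], "l2": [0.0, 0.01]}

# Constructed, standardized two-feature samples; label 1.0 = attack, 0.0 = normal.
_NORMAL = [[-1.2, -0.9], [-0.8, -1.1], [-1.0, -0.7], [-0.6, -1.0], [-0.9, -1.3], [-1.1, -0.5]]
_ATTACK = [[1.0, 0.8], [0.7, 1.2], [1.1, 1.0], [0.9, 0.6], [1.3, 0.9], [0.6, 1.1]]
TRAIN_X = [x for pair in zip(_NORMAL, _ATTACK) for x in pair]
TRAIN_Y = [[0.0], [1.0]] * len(_NORMAL)
VALID_X = [[-0.7, -0.8], [0.8, 0.9], [-1.0, -1.0], [1.2, 0.7]]
VALID_Y = [[0.0], [1.0], [0.0], [1.0]]

if __name__ == "__main__":
    best, results = grid_search(GRID, (TRAIN_X, TRAIN_Y), (VALID_X, VALID_Y))
    for r in results:
        print(r)
    print("selected:", best)
```

Accuracy is measured on a held-out validation set rather than on the training samples, so the selected setting is not simply the one that memorizes the training data best.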
It should be noted that, for simplicity of description, the above method embodiments are all expressed as a series of combined actions, but those skilled in the art should understand that the application is not limited by the order of actions described, because according to the application certain steps can be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the application.
Those skilled in the art should understand that embodiments of the application can be provided as a method, a system or a computer program product. The application can therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
Moreover, the application can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and so on) containing computer-usable program code.
Finally, it should be noted that the foregoing is only a preferred embodiment of the invention and is not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions described in those embodiments or replace some of their technical features with equivalents. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within the protection scope of the invention.

Claims (11)

1. An intrusion detection method based on a neural network, characterized by comprising:
Step 1) a detection step, comprising: sniffing and capturing the traffic information of connected hosts, determining which ports are open or closed and which programs are running, and using this information to judge whether the system has been attacked or is about to be attacked;
Step 2) a data preprocessing step, comprising: given a large number of training samples, selecting features, then preprocessing the data, and identifying anomalies;
Step 3) an attack classification step, comprising: by means of a decision tree model, a support vector machine or a neural network model, classifying the various attacks using a neural network algorithm;
Step 4) an alarm step, comprising: giving notification of attacks that have been detected, so that the network administrator can make decisions in time and reduce the losses caused by attacks.
2. The intrusion detection method based on a neural network according to claim 1, characterized by further comprising: Module 5) a feedback step, comprising: the network administrator performs a series of operations on the current system according to the alarms the system generates;
in the case of false alarms, where the system judges normal access behavior to be an attack, and missed alarms, where the system judges an attack to be normal behavior, the system administrator feeds the errors produced by the system back to it, so that it keeps learning and can make the correct decision when it encounters such a case later.
3. The intrusion detection method based on a neural network according to claim 1, characterized in that step 2) specifically comprises the following sub-steps:
Step 2-1) a feature selection sub-step, comprising: performing feature selection with a feature-engineering-based method, whereby the number of features can be reduced without reducing detection accuracy;
Step 2-2) a feature encoding sub-step, comprising: converting the nominal attributes among the features into numerical attributes by means of dummy coding;
Step 2-3) a feature vector standardization sub-step, comprising: for columns of the feature matrix whose values have a large range or whose scales (dimensions) are not uniform, standardizing the values using the z-score method.
4. The intrusion detection method based on a neural network according to claim 1, characterized in that step 2) further comprises: before the neural network can actually classify, training it using the KDD 99 dataset.
5. The intrusion detection method based on a neural network according to claim 1, characterized in that in step 1) packets are captured using the open-source software Winpcap, and the format of the collected packets should be set to match the format of the KDD Cup 1999 training set.
6. The intrusion detection method based on a neural network according to claim 3, characterized in that step 2-1) specifically comprises:
a feature selection algorithm based on SVM, wherein the input is all 41 features of KDD Cup 1999 and the required number of features k, and the output is the selected feature subset;
comprising: building the training set and the test set; for each feature in the feature set, deleting that feature from the training set and the test set, training a classifier using the remaining features, and analyzing the performance of the classifier, including detection accuracy and prediction time overhead; and ranking all features by importance and taking the top k features as the final features.
7. The intrusion detection method based on a neural network according to claim 3, characterized in that step 2-2) specifically comprises:
performing feature encoding by a method called dummy coding (dummy code).
8. The intrusion detection method based on a neural network according to claim 3, characterized in that step 2-3) specifically comprises: applying standardization to the columns of the training data, converting the feature values of the samples to the same scale, so that the processed data conform to a normal distribution, using the z-score method:
where μ is the mean of all sample data and σ is the standard deviation of all sample data.
9. The intrusion detection method based on a neural network according to claim 1, characterized in that step 3) specifically comprises:
using the multilayer perceptron (MLP) neural network algorithm, with its powerful nonlinear fitting ability, as the classification algorithm;
the multilayer perceptron is composed of a series of cascaded neural units and nonlinear activation functions and comprises an input layer, hidden layers and an output layer, the input of each layer being the output of the layer before it;
the MLP is a supervised learning algorithm comprising two processes, forward propagation and error back-propagation;
in forward propagation,
$$z^{(l+1)} = W^{(l)} a^{(l)} + b^{(l)}$$
$$a^{(l+1)} = f(z^{(l+1)}), \quad l = 0, 1, 2, \ldots, n$$
where $a^{(0)}$ is the input, and the parameter connecting the j-th neural unit of layer l to the i-th neural unit of layer l+1 is initialized with a random number between -0.01 and 0.01;
likewise, the bias of the i-th neural unit of layer l+1 is initialized to zero; f(z) is the activation function sigmoid or tanh;
where e denotes the natural constant;
the neural network is trained by gradient descent, comprising:
for a training sample (x, y), the cost function with respect to this training sample is defined as:
where $h_{W,b}(x)$ denotes the result computed by the neural network for a given input x;
during back-propagation, the parameters are updated using the following formulas:
where α is the learning rate and J(W, b) denotes the loss function.
10. The intrusion detection method based on a neural network according to claim 2, characterized in that step 5) specifically comprises:
when the system produces an alarm but no attack has actually occurred, the system synchronizes and updates the raw data in question, together with the erroneous classification result, to the data center;
the neural network algorithm is then retrained periodically and its parameters are updated; the feedback mechanism turns the system into a closed loop.
11. The intrusion detection method based on a neural network according to claim 9, characterized by further comprising: training the MLP, comprising:
training using the Grid Search method;
wherein Grid Search first defines a series of hyperparameters to be optimized, here {the number of hidden layers and the number of neural units in each layer, the choice of activation function (sigmoid or tanh), whether to add L2 regularization};
then all possible combinations are formed by enumeration;
finally a model is trained for each hyperparameter setting, and the set of hyperparameters with the highest classification accuracy is chosen as the final parameter setting.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810036362.4A CN108566364B (en) 2018-01-15 2018-01-15 Intrusion detection method based on neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810036362.4A CN108566364B (en) 2018-01-15 2018-01-15 Intrusion detection method based on neural network

Publications (2)

Publication Number Publication Date
CN108566364A true CN108566364A (en) 2018-09-21
CN108566364B CN108566364B (en) 2021-01-12

Family

ID=63530810

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810036362.4A Active CN108566364B (en) 2018-01-15 2018-01-15 Intrusion detection method based on neural network

Country Status (1)

Country Link
CN (1) CN108566364B (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109379377A (en) * 2018-11-30 2019-02-22 极客信安(北京)科技有限公司 Encrypt malicious traffic stream detection method, device, electronic equipment and storage medium
CN109525548A (en) * 2018-09-25 2019-03-26 平安科技(深圳)有限公司 A kind of white list updating method based on cost function, device and electronic equipment
CN109525577A (en) * 2018-11-09 2019-03-26 四川大学 Malware detection method based on HTTP behavior figure
CN109582724A (en) * 2018-12-07 2019-04-05 厦门铅笔头信息科技有限公司 Distributed automated characterization engineering system framework
CN109948649A (en) * 2019-02-04 2019-06-28 复旦大学 The softward interview behavioral data character representation method of data-oriented opening and shares
CN109981596A (en) * 2019-03-05 2019-07-05 腾讯科技(深圳)有限公司 A kind of host external connection detection method and device
CN110213287A (en) * 2019-06-12 2019-09-06 北京理工大学 A kind of double mode invasion detecting device based on ensemble machine learning algorithm
CN110719289A (en) * 2019-10-14 2020-01-21 北京理工大学 Industrial control network intrusion detection method based on multilayer feature fusion neural network
CN110995815A (en) * 2019-11-27 2020-04-10 大连民族大学 Information transmission method based on Gaia big data analysis system
CN111314329A (en) * 2020-02-03 2020-06-19 杭州迪普科技股份有限公司 Traffic intrusion detection system and method
CN112085281A (en) * 2020-09-11 2020-12-15 支付宝(杭州)信息技术有限公司 Method and device for detecting safety of business prediction model
CN112887326A (en) * 2021-02-23 2021-06-01 昆明理工大学 Intrusion detection method based on edge cloud cooperation
CN114500018A (en) * 2022-01-17 2022-05-13 武汉大学 Web application firewall security detection and reinforcement system and method based on neural network
CN114596535A (en) * 2022-03-22 2022-06-07 天目爱视(北京)科技有限公司 Non-contact doorbell visiting processing method and related equipment
CN115174268A (en) * 2022-09-05 2022-10-11 北京金睛云华科技有限公司 Intrusion detection method based on structured regular term
CN115906927A (en) * 2022-11-29 2023-04-04 李星 Data access analysis method and system based on artificial intelligence and cloud platform
CN116232772A (en) * 2023-05-08 2023-06-06 中国人民解放军国防科技大学 Unsupervised network data intrusion detection method based on ensemble learning

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109525548A (en) * 2018-09-25 2019-03-26 平安科技(深圳)有限公司 A kind of white list updating method based on cost function, device and electronic equipment
CN109525548B (en) * 2018-09-25 2021-10-29 平安科技(深圳)有限公司 White list updating method and device based on cost function and electronic equipment
CN109525577B (en) * 2018-11-09 2021-08-20 四川大学 Malicious software detection method based on HTTP behavior diagram
CN109525577A (en) * 2018-11-09 2019-03-26 四川大学 Malware detection method based on HTTP behavior figure
CN109379377A (en) * 2018-11-30 2019-02-22 极客信安(北京)科技有限公司 Encrypt malicious traffic stream detection method, device, electronic equipment and storage medium
CN109379377B (en) * 2018-11-30 2020-12-08 极客信安(北京)科技有限公司 Encrypted malicious traffic detection method and device, electronic equipment and storage medium
CN109582724A (en) * 2018-12-07 2019-04-05 厦门铅笔头信息科技有限公司 Distributed automated characterization engineering system framework
CN109948649A (en) * 2019-02-04 2019-06-28 复旦大学 The softward interview behavioral data character representation method of data-oriented opening and shares
CN109948649B (en) * 2019-02-04 2023-03-24 复旦大学 Data open sharing-oriented software access behavior data characteristic representation method
CN109981596A (en) * 2019-03-05 2019-07-05 腾讯科技(深圳)有限公司 A kind of host external connection detection method and device
CN110213287A (en) * 2019-06-12 2019-09-06 北京理工大学 A kind of double mode invasion detecting device based on ensemble machine learning algorithm
CN110213287B (en) * 2019-06-12 2020-07-10 北京理工大学 Dual-mode intrusion detection device based on integrated machine learning algorithm
CN110719289A (en) * 2019-10-14 2020-01-21 北京理工大学 Industrial control network intrusion detection method based on multilayer feature fusion neural network
CN110995815B (en) * 2019-11-27 2022-08-05 大连民族大学 Information transmission method based on Gaia big data analysis system
CN110995815A (en) * 2019-11-27 2020-04-10 大连民族大学 Information transmission method based on Gaia big data analysis system
CN111314329B (en) * 2020-02-03 2022-01-28 杭州迪普科技股份有限公司 Traffic intrusion detection system and method
CN111314329A (en) * 2020-02-03 2020-06-19 杭州迪普科技股份有限公司 Traffic intrusion detection system and method
CN112085281B (en) * 2020-09-11 2023-03-10 支付宝(杭州)信息技术有限公司 Method and device for detecting safety of business prediction model
CN112085281A (en) * 2020-09-11 2020-12-15 支付宝(杭州)信息技术有限公司 Method and device for detecting safety of business prediction model
CN112887326A (en) * 2021-02-23 2021-06-01 昆明理工大学 Intrusion detection method based on edge cloud cooperation
CN114500018A (en) * 2022-01-17 2022-05-13 武汉大学 Web application firewall security detection and reinforcement system and method based on neural network
CN114500018B (en) * 2022-01-17 2022-10-14 武汉大学 Web application firewall security detection and reinforcement system and method based on neural network
CN114596535A (en) * 2022-03-22 2022-06-07 天目爱视(北京)科技有限公司 Non-contact doorbell visiting processing method and related equipment
CN115174268A (en) * 2022-09-05 2022-10-11 北京金睛云华科技有限公司 Intrusion detection method based on structured regular term
CN115906927A (en) * 2022-11-29 2023-04-04 李星 Data access analysis method and system based on artificial intelligence and cloud platform
CN115906927B (en) * 2022-11-29 2023-11-03 北京国联视讯信息技术股份有限公司 Data access analysis method and system based on artificial intelligence and cloud platform
CN116232772A (en) * 2023-05-08 2023-06-06 中国人民解放军国防科技大学 Unsupervised network data intrusion detection method based on ensemble learning
CN116232772B (en) * 2023-05-08 2023-07-07 中国人民解放军国防科技大学 Unsupervised network data intrusion detection method based on ensemble learning

Also Published As

Publication number Publication date
CN108566364B (en) 2021-01-12

Similar Documents

Publication Publication Date Title
CN108566364A (en) Intrusion detection method based on neural network
CN111914256B (en) Defense method for machine learning training data under toxic attack
Khan et al. Malicious insider attack detection in IoTs using data analytics
Ektefa et al. Intrusion detection using data mining techniques
Joo et al. The neural network models for IDS based on the asymmetric costs of false negative errors and false positive errors
Lopez-Rojas et al. Money laundering detection using synthetic data
US11699160B2 (en) Method, use thereof, computer program product and system for fraud detection
CN110348528A (en) Method is determined based on the user credit of multidimensional data mining
Savage et al. Detection of money laundering groups: Supervised learning on small networks
CN107846389B (en) Internal threat detection method and system based on user subjective and objective data fusion
Nadiammai et al. A comprehensive analysis and study in intrusion detection system using data mining techniques
Kumar et al. Comprehensive Review on Intrusion Detection System and Techniques
CN115687758A (en) User classification model training method and user detection method
CN110365625A (en) Internet of Things safety detection method, device and storage medium
CN110347669A (en) Risk prevention method based on streaming big data analysis
Zhang et al. A hierarchical clustering strategy of processing class imbalance and its application in fraud detection
Ogunde et al. A decision tree algorithm based system for predicting crime in the university
Herrera-Semenets et al. A framework for intrusion detection based on frequent subgraph mining
Lasky et al. Machine Learning Based Approach to Recommend MITRE ATT&CK Framework for Software Requirements and Design Specifications
Shrivastava et al. Cyber attack detection and classification based on machine learning technique using nsl kdd dataset
Alves et al. Evaluating the behaviour of stream learning algorithms for detecting invasion on wireless networks
Majeed et al. Propose hmnids hybrid multilevel network intrusion detection system
Kai et al. Anomaly detection on dns traffic using big data and machine learning
Zhang et al. An Intelligent Network Intrusion Detector Using Deep Learning Model
Abbas IDS Feature Reduction Using Two Algorithm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant