CN108566364B - Intrusion detection method based on neural network - Google Patents


Publication number
CN108566364B
Authority
CN
China
Prior art keywords
neural network
attack
training
data
feature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810036362.4A
Other languages
Chinese (zh)
Other versions
CN108566364A (en)
Inventor
马凯
江荣
贾焰
周斌
李爱平
杨树强
韩伟红
李润恒
徐镜湖
安伦
亓玉璐
杨行
王伟
林佳
尚怀军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Yilan Situation Technology Co ltd
National University of Defense Technology
Original Assignee
Sichuan Yilan Situation Technology Co ltd
National University of Defense Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Yilan Situation Technology Co ltd, National University of Defense Technology
Priority to CN201810036362.4A
Publication of CN108566364A
Application granted
Publication of CN108566364B
Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Molecular Biology (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Evolutionary Computation (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an intrusion detection method based on a neural network, which comprises the following steps: step 1) a detection step comprising: sniffing to acquire flow information of a connected host, judging which ports are opened or closed and which programs are running, and judging whether the system receives an attack or is about to receive the attack according to the information; step 2) a data preprocessing step, which comprises: giving a large number of training samples, selecting characteristics, preprocessing data, and identifying abnormality; step 3), an attack classification step comprises: classifying various attacks by using a neural network algorithm through a decision tree model, a support vector machine or a neural network model; and 4) an alarm step, which comprises the step of notifying the detected attack event so that a network administrator can make a decision in time and the loss caused by the attack behavior is reduced.

Description

Intrusion detection method based on neural network
Technical Field
The invention relates to an intrusion detection method based on a neural network.
Background
With the development of the internet, which has greatly facilitated people's lives, more and more individuals, companies, and government agencies rely on the internet to conduct business, and some of that business involves information or secrets they are unwilling to disclose. An insecure system often causes losses to individuals, companies, or government agencies, because adversaries or competitors may gain unauthorized access to information by various means. Network intrusion is a serious threat to safe internet use and privacy protection. The difficulty of network intrusion detection is exacerbated by the complexity of networks, the diversity of attack approaches, and the purposefulness of attackers. Many methods are currently available to secure systems, such as firewalls, encryption techniques, and intrusion detection systems. The invention approaches the problem from the perspective of an intrusion detection system, with the aim of discovering and even reducing intrusion behavior.
An Intrusion Detection System (IDS) is a means of preventing unauthorized attacks by collecting information about the monitored system and network and analyzing system and network activity. The goal of deploying an IDS is to monitor system activity, discover and block possible intrusions in a timely manner, and reduce property damage or prevent privacy disclosure. An intrusion detection system mainly provides three functions: monitoring the system, detecting suspicious behavior, and generating security alerts. Security alerts allow network administrators to make security decisions in a timely manner. An intrusion detection system differs from a firewall as follows: a firewall is like a fence that filters inbound and outbound traffic according to certain rules in order to prevent intrusion, which is a passive process; an intrusion detection system actively detects and analyzes system behavior, including behavior that has passed through the firewall, and reports on the security of the network. In practice, the two are often combined and complement each other in resisting external intrusion.
At present, intrusion detection systems at home and abroad can be classified along the following three dimensions:
1. Data source: IDS based on traffic analysis, host-based IDS, and hybrid IDS combining both
2. Intrusion detection model: misuse detection and anomaly detection
3. Deployment mode: centralized detection systems and distributed detection systems
The core idea of a misuse-based detection system is to first model and analyze known abnormal behaviors to extract their behavioral characteristics, and then predefine that characteristic information in the system. Any behavior in the network that matches the predefined characteristics is judged to be an attack; otherwise it is judged to be normal access. Snort, an open-source, lightweight intrusion detection system, is a typical IDS of this type. Misuse-based detection systems provide good protection against known attack behaviors but tend to be helpless against new, unknown attacks. Such systems therefore require a large number of experts to continually analyze the new attack methods that keep emerging, and users who have deployed them also need to update their rules frequently.
The core idea of an anomaly-based intrusion detection system is to model and analyze normal behavior and to judge any network activity that exceeds the threshold of normal behavior to be an anomaly. An anomaly detection system can discover many previously unknown attack behaviors and does not require analyzing a large number of abnormal behaviors to define a rule for each attack, which greatly reduces manual effort. However, such systems often generate false alarms, because they must discriminate correctly between normal and abnormal behavior, and the boundary between the two is relatively fuzzy and difficult to characterize accurately. Although this attitude of "better to wrongly flag a thousand than to let one slip through" is somewhat extreme, it is a protective measure in the field of network security, especially where important privacy or property is concerned, and methods based on anomaly detection are therefore widely studied.
Disclosure of Invention
The invention aims to provide an intrusion detection method based on a neural network, which is used for solving the problems in the prior art.
The technical scheme adopted by the invention for solving the technical problems is as follows:
after the invention adopts the scheme, the invention,
additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The present invention will be described in detail below with reference to the accompanying drawings so that the above advantages of the present invention will be more apparent. In the drawings:
FIG. 1 is a block diagram of an intrusion detection system according to the present invention.
FIG. 2 is a structural diagram of the neural network, a multilayer perceptron, used in the present invention.
Detailed Description
The following detailed description of the embodiments of the present invention will be provided with reference to the drawings and examples, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that, as long as there is no conflict, the embodiments and the features of the embodiments of the present invention may be combined with each other, and the technical solutions formed are within the scope of the present invention.
Additionally, the steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions and, although a logical order is illustrated in the flow charts, in some cases, the steps illustrated or described may be performed in an order different than here.
The invention aims to overcome the inability of misuse-based detection systems to discover new attack behaviors in time, as well as the large computational cost and hyperparameter selection problems of traditional neural networks and the problem that new attack behaviors emerge endlessly. It provides an adaptive, neural-network-based intrusion detection system with feedback, which mainly comprises the following steps:
Step 1) Detection
Detection is mainly responsible for probing the system, for example sniffing traffic and determining which ports are open or closed and which programs are running, collecting important information in the system, and judging from this information whether the system is under attack or about to be attacked. The invention is an intrusion detection system based on traffic packets, so this module mainly sniffs and captures the traffic information of connected hosts.
Step 2) Data preprocessing
The purpose of this step is to detect anomalies. For a given large number of training samples, this step defines the process from feature selection, to data preprocessing, to anomaly identification.
Step 3) Classification
The classification algorithm may be a decision tree model, a support vector machine, a neural network model, or the like. The present invention uses a neural network algorithm to classify the various attacks.
Step 4) Alarm
The alarm notifies the network administrator of attack events detected by the IDS, so that the administrator can make a decision in time and the loss caused by the attack is reduced.
Step 5) Feedback
The network administrator can perform a series of operations on the current system according to the alarms it generates. However, for a false alarm (false positive), where the system judges normal access behavior to be an attack, and for a missed alarm (false negative), where an attack is judged to be normal behavior, the administrator can feed the system's error back to the system so that it keeps learning and makes the correct decision when it encounters such a case again.
Step 2) in the above technical solution can be further divided into the following basic sub-steps:
Step 2-1) Feature selection
The collected packet traffic information contains a large number of features, but in practical applications not all of them can be fully obtained, and some even degrade the detection result; too many features also increase the scale of the neural network and the computational overhead. The invention therefore selects features with a feature-engineering-based method, which reduces the number of features without reducing detection accuracy.
Step 2-2) Feature coding
Some features are nominal attributes and need to be converted to numerical attributes by dummy coding.
Step 2-3) Feature vector normalization
For column data in the feature matrix, some value ranges are large and the scales are not uniform, so the values are standardized with the z-score method.
Before the neural network can actually perform classification, it must be trained on a large sample set; the KDD 99 data set is used for training.
Compared with a misuse-based intrusion detection system, an intrusion detection system based on anomaly detection can effectively discover unknown new attack behaviors. A neural network classification model is adopted, and its strong nonlinear fitting capability improves detection accuracy. To address the difficulty of hyperparameter selection in neural network training, the Grid Search method is adopted, so that a set of hyperparameters suited to the current task can be selected efficiently. Screening the large number of network features through feature engineering reduces the input scale and the computational cost. The feedback mechanism makes the system a closed loop, so that its attack detection capability improves continuously in use.
1. Feature selection based on SVM;
2. An MLP-based intrusion detection model;
3. A feedback mechanism that makes the system a closed loop, so that the model is continuously optimized in practical use;
4. Hyperparameter selection based on Grid Search.
Step 1): data packets are captured with the open-source software WinPcap, and the format of the captured packets is set to be the same as that of the KDD Cup 1999 training set.
Step 2): the data preprocessing part mainly comprises three sub-steps: feature selection, data coding, and data standardization.
Step 2-1): feature selection directly determines the upper limit of the algorithm's classification accuracy, and ranking the importance of each feature to the detection result is the basic criterion for feature selection. Among the large number of features, it is necessary to determine which are important, which are of ordinary importance, and which are useless. Feature selection can eliminate useless and even harmful feature information, which greatly improves the detection accuracy of the system; in addition, features with little influence on the result can be eliminated, which reduces the detection time of the system. The most exhaustive feature selection method is to enumerate all subsets of the features and run a training test on each subset to see which performs best at low time cost. If there are n features, there are $2^n$ subsets; this is practical for small feature sets but not for network packet information, which contains a large number of attribute features. The invention therefore adopts another approach, a "deletion method", to rank feature importance. The specific algorithm is as follows:
SVM-based feature selection algorithm:
Input: all 41 features of KDD Cup 1999 and the required number of features k
Output: the selected feature subset
Algorithm:
1. Construct the training and test sets
For each feature in the feature set:
   2. Delete that feature from the training set and the test set
   3. Train a classifier using the remaining features
   4. Analyze classifier performance, including detection accuracy and prediction time overhead
Rank the importance of all features and take the top k features as the final features
The invention mainly uses two criteria for evaluation: overall detection accuracy and prediction time overhead. Each feature is labeled with one of three levels, "important", "secondary", or "general", based on a comparison of the SVM applied to the original 41-feature data set and to the 40-feature data sets with one feature removed. The following rules are defined:
Figure BDA0001548102350000061
Note: the above compares a data set containing 40 features with the data set containing 41 features.
Since k features are finally selected from the 41 features, the first k features with the minimum precision are taken in order from "important" to "secondary" to "general".
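An added example (not code from the patent) of the deletion method above: each feature is removed in turn, the classifier is retrained, and features are ranked by the accuracy lost. It assumes a nearest-centroid classifier as a dependency-free stand-in for the SVM, ranking by accuracy drop alone because the patent's level rules are not reproduced in the text, and constructed sample flows that borrow three KDD Cup 1999 feature names.

```python
import time

FEATURES = ["count", "serror_rate", "duration"]  # three of the 41 KDD Cup 1999 names

# Constructed, pre-scaled samples: ((count, serror_rate, duration), label)
TRAIN = [((0.0, 0.0, 1.0), "normal"), ((2.0, 0.0, 3.0), "normal"),
         ((1.0, 0.0, 2.0), "normal"), ((8.0, 2.0, 3.0), "attack"),
         ((10.0, 2.0, 1.0), "attack"), ((9.0, 2.0, 2.0), "attack")]
TEST = [((10.0, 2.0, 3.0), "attack"), ((9.0, 2.0, 1.0), "attack"),
        ((4.9, 2.0, 2.0), "attack"), ((8.0, 0.0, 1.0), "attack"),
        ((0.0, 0.0, 3.0), "normal"), ((1.0, 0.0, 2.0), "normal"),
        ((5.1, 0.0, 1.0), "normal"), ((5.1, 0.2, 3.0), "normal")]


def fit(rows, cols):
    """Stand-in classifier (assumption): one mean vector per class over `cols`."""
    sums, counts = {}, {}
    for x, label in rows:
        acc = sums.setdefault(label, [0.0] * len(cols))
        for k, c in enumerate(cols):
            acc[k] += x[c]
        counts[label] = counts.get(label, 0) + 1
    return {label: [s / counts[label] for s in acc] for label, acc in sums.items()}


def predict(model, x, cols):
    """Return the label whose centroid is closest (squared Euclidean distance)."""
    def dist(centroid):
        return sum((x[c] - m) ** 2 for c, m in zip(cols, centroid))
    return min(model, key=lambda label: dist(model[label]))


def evaluate(train, test, cols):
    """Detection accuracy and prediction time for one feature subset."""
    model = fit(train, cols)
    start = time.perf_counter()
    hits = sum(predict(model, x, cols) == y for x, y in test)
    return hits / len(test), time.perf_counter() - start


def rank_features(train, test, names):
    """Delete each feature in turn and record what the classifier loses."""
    all_cols = list(range(len(names)))
    base_acc, _ = evaluate(train, test, all_cols)
    report = []
    for removed in all_cols:
        cols = [c for c in all_cols if c != removed]
        acc, seconds = evaluate(train, test, cols)
        report.append({"feature": names[removed],
                       "accuracy_drop": base_acc - acc,  # > 0: removal hurts
                       "predict_seconds": seconds})
    report.sort(key=lambda r: r["accuracy_drop"], reverse=True)
    return base_acc, report


def select_top_k(train, test, names, k):
    """Keep the k features whose removal costs the most accuracy."""
    _, report = rank_features(train, test, names)
    return [r["feature"] for r in report[:k]]


if __name__ == "__main__":
    base, ranking = rank_features(TRAIN, TEST, FEATURES)
    print("accuracy with all features:", base)
    for entry in ranking:
        print(entry)
    print("selected:", select_top_k(TRAIN, TEST, FEATURES, 2))
```

A feature whose removal raises accuracy gets a negative `accuracy_drop` and sorts last, which is how this loop exposes the "harmful" features the text mentions.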
Step 2-2): feature encoding mainly concerns nominal attributes. The inputs to the neural network must all be numerical values, whereas a nominal attribute is a set of categories, so it must be transformed. A scheme called dummy coding is used here. Specifically, if a feature has 5 categories and the value of that feature for a given sample is cls_2, the feature is finally represented as {0,1,0,0,0}, which expands one feature into 5 features.
Step 2-3): standardization is applied to each column of training data, converting the feature values of the samples to the same scale so that the processed data follows a normal distribution. The z-score method is used here:
Figure BDA0001548102350000062
where μ is the mean of all sample data and σ is the standard deviation of all sample data.
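An added example (not part of the patent) of sub-steps 2-2 and 2-3: the category lists, μ and σ are learned from the training records and reused unchanged on traffic seen at detection time. The `Preprocessor` class and the sample records are constructed for illustration; mapping unseen categories to all zeros and zero-variance columns to 0.0 are assumptions the patent does not address.

```python
import math


class Preprocessor:
    """Dummy coding for nominal columns, z-score for numeric columns."""

    def __init__(self, nominal, numeric):
        self.nominal, self.numeric = list(nominal), list(numeric)
        self.categories = {}  # column -> ordered categories seen in training
        self.stats = {}       # column -> (mu, sigma) computed on training data

    def fit(self, rows):
        for col in self.nominal:
            self.categories[col] = sorted({row[col] for row in rows})
        for col in self.numeric:
            values = [float(row[col]) for row in rows]
            mu = sum(values) / len(values)
            sigma = math.sqrt(sum((v - mu) ** 2 for v in values) / len(values))
            self.stats[col] = (mu, sigma)
        return self

    def feature_names(self):
        names = [f"{col}={cat}" for col in self.nominal
                 for cat in self.categories[col]]
        return names + self.numeric

    def transform(self, row):
        vec = []
        for col in self.nominal:
            # One 0/1 slot per training category; a category never seen in
            # training (assumption) becomes all zeros instead of raising.
            vec.extend(1.0 if row[col] == cat else 0.0
                       for cat in self.categories[col])
        for col in self.numeric:
            mu, sigma = self.stats[col]
            # A column that was constant in training has sigma == 0; emit 0.0
            # (assumption) rather than dividing by zero.
            vec.append((float(row[col]) - mu) / sigma if sigma > 0 else 0.0)
        return vec


# Constructed training records using KDD Cup 1999 column names
TRAIN = [
    {"protocol_type": "tcp", "duration": 0, "src_bytes": 100},
    {"protocol_type": "udp", "duration": 0, "src_bytes": 300},
    {"protocol_type": "icmp", "duration": 0, "src_bytes": 100},
    {"protocol_type": "tcp", "duration": 0, "src_bytes": 300},
]
PRE = Preprocessor(["protocol_type"], ["duration", "src_bytes"]).fit(TRAIN)

if __name__ == "__main__":
    print(PRE.feature_names())
    print(PRE.transform({"protocol_type": "udp", "duration": 5, "src_bytes": 450}))
```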
Step 3): classification is the core component of intrusion detection. The invention adopts a neural network, which has strong nonlinear fitting capability, as the classification algorithm; the multilayer perceptron (MLP) is a commonly used neural network algorithm. A multilayer perceptron is composed of a series of cascaded neural units and nonlinear activation functions and comprises an input layer, a hidden layer, and an output layer, where the input of each layer is the output of the previous layer, as shown in FIG. 2. MLP is a supervised learning algorithm that includes two processes: forward propagation and error back propagation. In forward propagation,
$$z^{(l+1)} = W^{(l)} a^{(l)} + b^{(l)}$$
$$a^{(l+1)} = f(z^{(l+1)}), \quad \text{for } l = 0, 1, 2, \ldots, n$$
where $a^{(0)}$ is the input. We use
Figure BDA0001548102350000071
to denote the parameter connecting the j-th neural unit of layer l and the i-th neural unit of layer l+1;
Figure BDA0001548102350000072
is initialized with a random number between -0.01 and 0.01.
Similarly, we use
Figure BDA0001548102350000073
to denote the bias of the i-th neural unit of layer l+1, initialized to zero. f(z) is an activation function such as sigmoid or tanh:
Figure BDA0001548102350000074
Figure BDA0001548102350000075
where e is the base of the natural logarithm.
We train the neural network by gradient descent. More formally, for a training sample (x, y), the cost function for this sample is defined as:
Figure BDA0001548102350000076
where $h_{W,b}(x)$ denotes the output computed by the neural network for the input x.
In the back propagation process, the parameters are updated with the following formulas:
Figure BDA0001548102350000077
Figure BDA0001548102350000078
where α is the learning rate and $J(W, b)$ is the loss function.
Step 4): when the intrusion detection system detects abnormal access behavior, it generates an alarm to notify the network administrator in time.
Step 5): an intrusion detection system based on anomaly detection generally has a relatively high false alarm rate, and a feedback mechanism is adopted to reduce it. Specifically, when the system raises an alarm but no attack has actually occurred, the system synchronizes the original data and the wrong classification result to the data center. The neural network is then retrained periodically to update its parameters. Through the feedback mechanism the system forms a closed loop, so that it becomes progressively smarter in use and its classification results become more accurate.
The above is the operation of the whole system, but before the classification algorithm can classify, the MLP must be trained.
The invention uses the Grid Search method for training. Grid Search first defines the set of hyperparameters to be optimized, here {the number of hidden layers, the number of neural units in each layer, whether the activation function is sigmoid or tanh, and whether L2 regularization is added}, then enumerates all possible combinations of their values, trains a model for each hyperparameter setting, and selects the setting with the highest classification accuracy as the final parameter setting.
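An added example (not code from the patent) of the MLP training of step 3 and the Grid Search above: forward propagation, back propagation with gradient descent, and a search over the four hyperparameters the text names. Assumptions: the cost is the squared error 1/2 (h(x) - y)^2 because the patent's cost formula is not reproduced in the text, training is full-batch, and the grid values and the flows produced by the hypothetical `make_flows` helper are constructed.

```python
import itertools
import math
import random


def f(name, z):
    """Activation function f(z): sigmoid or tanh."""
    return 1.0 / (1.0 + math.exp(-z)) if name == "sigmoid" else math.tanh(z)


def f_prime(name, a):
    """Derivative of f, written in terms of the activation value a = f(z)."""
    return a * (1.0 - a) if name == "sigmoid" else 1.0 - a * a


class MLP:
    def __init__(self, sizes, activation="tanh", l2=0.0, seed=0):
        rng = random.Random(seed)
        self.activation, self.l2 = activation, l2
        # W[l][i][j] connects unit j of layer l to unit i of layer l+1,
        # drawn from [-0.01, 0.01]; biases b[l][i] start at zero.
        self.W = [[[rng.uniform(-0.01, 0.01) for _ in range(n_in)]
                   for _ in range(n_out)] for n_in, n_out in zip(sizes, sizes[1:])]
        self.b = [[0.0] * n_out for n_out in sizes[1:]]

    def forward(self, x):
        """Return [a(0), ..., a(n)] with a(l+1) = f(W(l) a(l) + b(l))."""
        acts = [list(x)]
        for W, b in zip(self.W, self.b):
            z = [sum(w * a for w, a in zip(row, acts[-1])) + bi
                 for row, bi in zip(W, b)]
            acts.append([f(self.activation, v) for v in z])
        return acts

    def loss(self, data):
        """Assumed cost: mean of 1/2 * (h(x) - y)^2 over the samples."""
        return sum(0.5 * (self.forward(x)[-1][0] - y) ** 2
                   for x, y in data) / len(data)

    def train(self, data, alpha=0.3, epochs=300):
        """Full-batch gradient descent: W -= alpha * dJ/dW, b -= alpha * dJ/db."""
        n = len(data)
        for _ in range(epochs):
            gW = [[[0.0] * len(row) for row in W] for W in self.W]
            gb = [[0.0] * len(b) for b in self.b]
            for x, y in data:
                acts = self.forward(x)
                out = acts[-1][0]
                delta = [(out - y) * f_prime(self.activation, out)]
                for l in range(len(self.W) - 1, -1, -1):
                    for i, d in enumerate(delta):
                        gb[l][i] += d
                        for j, a in enumerate(acts[l]):
                            gW[l][i][j] += d * a
                    if l > 0:  # push the error back to the units of layer l
                        delta = [sum(self.W[l][i][j] * d for i, d in enumerate(delta))
                                 * f_prime(self.activation, acts[l][j])
                                 for j in range(len(acts[l]))]
            for l, W in enumerate(self.W):
                for i, row in enumerate(W):
                    self.b[l][i] -= alpha * gb[l][i] / n
                    for j in range(len(row)):
                        row[j] -= alpha * (gW[l][i][j] / n + self.l2 * row[j])
        return self

    def predict(self, x):
        return 1 if self.forward(x)[-1][0] >= 0.5 else 0


def make_flows(seed, n):
    """Constructed, already standardized flows; feature 0 separates the classes."""
    rng = random.Random(seed)
    return [([(1.0 if k % 2 else -1.0) + rng.uniform(-0.3, 0.3),
              rng.uniform(-0.5, 0.5), rng.uniform(-0.5, 0.5)], k % 2)
            for k in range(n)]


def accuracy(model, data):
    return sum(model.predict(x) == y for x, y in data) / len(data)


GRID = {"hidden_layers": [1, 2], "units": [2, 4],
        "activation": ["sigmoid", "tanh"], "l2": [0.0, 0.001]}


def grid_search(train, valid, grid=GRID):
    """Train one MLP per hyperparameter combination; keep the most accurate."""
    results = []
    for layers, units, activation, l2 in itertools.product(
            grid["hidden_layers"], grid["units"], grid["activation"], grid["l2"]):
        sizes = [len(train[0][0])] + [units] * layers + [1]
        model = MLP(sizes, activation, l2).train(train)
        params = {"hidden_layers": layers, "units": units,
                  "activation": activation, "l2": l2}
        results.append((params, accuracy(model, valid)))
    return max(results, key=lambda r: r[1]), results


if __name__ == "__main__":
    best, results = grid_search(make_flows(1, 16), make_flows(2, 16))
    for params, score in results:
        print(f"{score:.2f}  {params}")
    print("selected:", best)
```

Scoring each setting on flows held out from training, as `grid_search` does, keeps the selected setting from simply being the one that memorized the training set.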
It should be noted that for simplicity of description, the above method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects.
Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (4)

1. An intrusion detection method based on a neural network, comprising:
step 1) a detection step comprising: sniffing to acquire flow information of a connected host, judging which ports are opened or closed and which programs are running, and judging whether the system receives an attack or is about to receive the attack according to the information;
step 2) a data preprocessing step, which comprises: giving a large number of training samples, selecting characteristics, preprocessing data, and identifying abnormality;
step 3), an attack classification step comprises: classifying various attacks by using a neural network algorithm through a decision tree model, a support vector machine or a neural network model;
step 4) an alarm step, which comprises the steps of notifying the detected attack event so that a network administrator can make a decision in time and reduce the loss caused by the attack;
step 5) a feedback step, comprising: the network administrator makes a series of operations on the current system according to the alarm generated by the system;
for a false alarm, in which the system judges normal access behavior to be attack behavior, and a missed alarm, in which attack behavior is judged to be normal behavior, the system administrator feeds the error generated by the system back to the system so that it continuously learns and makes the correct decision when it meets such a situation;
step 2-1) a feature selection sub-step comprising: feature selection is performed based on a feature engineering method, so that the number of features can be reduced without reducing detection accuracy;
step 2-2) a feature coding sub-step comprising: converting the nominal attributes among the features into numerical attributes by dummy coding;
step 2-3) a feature vector normalization sub-step, comprising: for column data in the feature matrix, standardizing the data with large value ranges or non-uniform scales by the z-score method;
in the step 5), the method specifically comprises the following steps:
when the system generates an alarm but no attack has actually occurred, the system synchronizes the original data and the wrong classification result to the data center;
then, the neural network algorithm is retrained periodically, and the parameters in the neural network algorithm are updated; forming a closed loop of the system through a feedback mechanism;
further comprising: training an MLP, comprising:
training by adopting a Grid Search method;
the Grid Search first defines a series of hyperparameters to be optimized, wherein the hyperparameters comprise {the number of hidden layers, the number of neural units in each layer, whether the activation function is sigmoid or tanh, and whether L2 regularization is added};
then all possible forms are combined in a permutation and combination mode;
finally, training is carried out aiming at the setting of each group of hyper-parameters, and a group of hyper-parameters with the highest classification precision is selected as the final parameter setting;
before the neural network can actually perform classification, the KDD 99 data set is used for training;
in the SVM-based feature selection algorithm, the input is all 41 features of KDD Cup 1999 and the required number of features k, and the output is a feature subset;
constructing a training set and a test set, deleting one feature from the training set and the test set for each feature in the feature set, training a classifier using the remaining features, analyzing the performance of the classifier, including detection accuracy and prediction time overhead, ranking the importance of all the features, and taking the top k features as the final features;
the standardization is applied to each column of training data, converting the feature values of the samples to the same scale so that the processed data follows a normal distribution, using the z-score method:
Figure FDA0002711294160000021
where μ is the mean of all sample data and σ is the standard deviation of all sample data.
2. The intrusion detection method based on the neural network as claimed in claim 1, wherein in step 1), the open source software Winpcap is used to capture the data packet, and the format of the collected data packet should be set to be the same as that in the training set KDD Cup 1999.
3. The intrusion detection method based on the neural network according to claim 1, wherein the step 2-2) specifically includes:
feature encoding is performed using the scheme known as dummy coding.
4. The intrusion detection method based on the neural network according to claim 1, wherein the step 3) specifically includes:
adopting a multilayer perceptron (MLP) neural network algorithm with strong nonlinear fitting capability as a classification algorithm;
the multilayer perceptron consists of a series of cascaded neural units and nonlinear activation functions, and comprises an input layer, a hidden layer and an output layer, wherein the input of the later layer is the output result of the former layer;
the MLP is a supervised learning algorithm and comprises a forward propagation process and an error backward propagation process;
in the course of the forward propagation,
$$z^{(l+1)} = W^{(l)} a^{(l)} + b^{(l)}$$
$$a^{(l+1)} = f(z^{(l+1)}), \quad \text{for } l = 0, 1, 2, \ldots, n$$
wherein $a^{(0)}$ is the input, and we use
Figure FDA0002711294160000031
to denote the parameter connecting the j-th neural unit of layer l and the i-th neural unit of layer l+1,
Figure FDA0002711294160000032
is initialized with a random number between -0.01 and 0.01;
similarly, we use
Figure FDA0002711294160000033
to denote the bias of the i-th neural unit of layer l+1, initialized to zero; f(z) is the activation function sigmoid or tanh;
Figure FDA0002711294160000034
Figure FDA0002711294160000035
wherein e is the base of the natural logarithm;
training our neural network by gradient descent, comprising:
for a training sample (x, y), the cost function for this training sample is defined as:
Figure FDA0002711294160000036
wherein $h_{W,b}(x)$ denotes the output computed by the neural network for the input x;
in the back propagation process, we update our parameters with the following formula;
Figure FDA0002711294160000037
Figure FDA0002711294160000038
where α is the learning rate and $J(W, b)$ represents the loss function.
CN201810036362.4A 2018-01-15 2018-01-15 Intrusion detection method based on neural network Active CN108566364B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810036362.4A CN108566364B (en) 2018-01-15 2018-01-15 Intrusion detection method based on neural network

Publications (2)

Publication Number Publication Date
CN108566364A CN108566364A (en) 2018-09-21
CN108566364B CN108566364B (en) 2021-01-12

Family

ID=63530810

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810036362.4A Active CN108566364B (en) 2018-01-15 2018-01-15 Intrusion detection method based on neural network

Country Status (1)

Country Link
CN (1) CN108566364B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109525548B (en) * 2018-09-25 2021-10-29 平安科技(深圳)有限公司 White list updating method and device based on cost function and electronic equipment
CN109525577B (en) * 2018-11-09 2021-08-20 四川大学 Malicious software detection method based on HTTP behavior diagram
CN109379377B (en) * 2018-11-30 2020-12-08 极客信安(北京)科技有限公司 Encrypted malicious traffic detection method and device, electronic equipment and storage medium
CN109582724B (en) * 2018-12-07 2022-04-08 厦门铅笔头信息科技有限公司 Distributed automatic feature engineering system architecture
CN109948649B (en) * 2019-02-04 2023-03-24 复旦大学 Data open sharing-oriented software access behavior data characteristic representation method
CN109981596B (en) * 2019-03-05 2020-09-04 腾讯科技(深圳)有限公司 Host external connection detection method and device
CN110213287B (en) * 2019-06-12 2020-07-10 北京理工大学 Dual-mode intrusion detection device based on integrated machine learning algorithm
CN110719289B (en) * 2019-10-14 2020-12-22 北京理工大学 Industrial control network intrusion detection method based on multilayer feature fusion neural network
CN110995815B (en) * 2019-11-27 2022-08-05 大连民族大学 Information transmission method based on Gaia big data analysis system
CN111314329B (en) * 2020-02-03 2022-01-28 杭州迪普科技股份有限公司 Traffic intrusion detection system and method
CN112085281B (en) * 2020-09-11 2023-03-10 支付宝(杭州)信息技术有限公司 Method and device for detecting safety of business prediction model
CN112887326A (en) * 2021-02-23 2021-06-01 昆明理工大学 Intrusion detection method based on edge cloud cooperation
CN114500018B (en) * 2022-01-17 2022-10-14 武汉大学 Web application firewall security detection and reinforcement system and method based on neural network
CN114596535B (en) * 2022-03-22 2023-02-03 天目爱视(北京)科技有限公司 Non-contact doorbell visit processing method and related equipment
CN115174268B (en) * 2022-09-05 2022-11-18 北京金睛云华科技有限公司 Intrusion detection method based on structured regular term
CN115906927B (en) * 2022-11-29 2023-11-03 北京国联视讯信息技术股份有限公司 Data access analysis method and system based on artificial intelligence and cloud platform
CN116232772B (en) * 2023-05-08 2023-07-07 中国人民解放军国防科技大学 Unsupervised network data intrusion detection method based on ensemble learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Neural network based web log analysis for web intrusion detection; Kai Ma et al.; 《Internet conference on security, privacy and anonymity in computation, communication and storage SpaCCS: 2017》; 20171209; main text, pages 3-8 *

Also Published As

Publication number Publication date
CN108566364A (en) 2018-09-21

Similar Documents

Publication Publication Date Title
CN108566364B (en) Intrusion detection method based on neural network
Khan et al. Malicious insider attack detection in IoTs using data analytics
Anwer et al. A framework for efficient network anomaly intrusion detection with features selection
Al-Janabi et al. A neural network based anomaly intrusion detection system
Warzyński et al. Intrusion detection systems vulnerability on adversarial examples
Alkasassbeh et al. Machine learning methods for network intrusion detection
CN106973038B (en) Network intrusion detection method based on genetic algorithm oversampling support vector machine
Repalle et al. Intrusion detection system using ai and machine learning algorithm
CN116781430B (en) Network information security system and method for gas pipe network
Yu A survey of anomaly intrusion detection techniques
CN111641634B (en) Honey net based active defense system and method for industrial control network
Yu et al. Anomaly intrusion detection based upon data mining techniques and fuzzy logic
Sakr et al. Filter versus wrapper feature selection for network intrusion detection system
Senthilnayaki et al. An intelligent intrusion detection system using genetic based feature selection and Modified J48 decision tree classifier
CN117056951A (en) Data security management method for digital platform
Hemanth Intrusion detection system using convolutional neural network on UNSW NB15 data-set
Shao et al. Deep learning hierarchical representation from heterogeneous flow-level communication data
Kumar et al. Intrusion detection using artificial neural network with reduced input features
Lee et al. CoNN-IDS: Intrusion detection system based on collaborative neural networks and agile training
Sekhar Deep learning algorithms for intrusion detection systems: extensive comparison analysis
Li et al. Research on intrusion detection based on neural network optimized by genetic algorithm
Amjad et al. A novel deep learning framework for intrusion detection system
Beghdad Training all the KDD data set to classify and detect attacks
Alves et al. Evaluating the behaviour of stream learning algorithms for detecting invasion on wireless networks
Snasel et al. Matrix factorization approach for feature deduction and design of intrusion detection systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant