CN109167753A - Method and device for detecting network intrusion traffic - Google Patents

Publication number
CN109167753A
Authority
CN
China
Prior art keywords
data
classification
abnormal flow
sample
flow data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810809707.5A
Other languages
Chinese (zh)
Inventor
龙春
李嘉伟
魏金侠
赵静
杨帆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Computer Network Information Center of CAS
Original Assignee
Computer Network Information Center of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Computer Network Information Center of CAS
Priority to CN201810809707.5A
Publication of CN109167753A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The present invention provides a method and device for detecting network intrusion traffic. The method includes: obtaining a training sample set that contains normal traffic data and abnormal traffic data of multiple classes; determining, among the abnormal traffic data of the multiple classes, the target abnormal traffic data whose data volume ratio is below a specified ratio threshold, and expanding the data samples in the target abnormal traffic data; training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data; and using the multiple trained classifiers to examine the traffic data to be detected, to determine whether the traffic data to be detected belongs to abnormal traffic data. The technical solution provided by the present application can improve the detection accuracy for abnormal traffic.

Description

Method and device for detecting network intrusion traffic
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and device for detecting network intrusion traffic.
Background
Most current network traffic intrusion detection methods are based on binary classification: they separate normal traffic data from abnormal traffic data and usually do not consider the classes within the abnormal traffic data.
In practice, however, normal traffic data is internally quite similar, whereas different classes of abnormal traffic data, such as DoS, Probe and U2R, differ greatly in the distribution of their data features. If all abnormal traffic data is treated as a single whole, the features of the abnormal traffic data cannot all be learned well.
Moreover, some abnormal classes contain very little data, so the overall distribution of the abnormal traffic data is dominated by the classes with more data, and the feature distribution of the classes with less data cannot be learned.
As a result, current network traffic intrusion detection methods have low detection accuracy for abnormal traffic.
Summary of the invention
The purpose of the present application is to provide a method and device for detecting network intrusion traffic that can improve the detection accuracy for abnormal traffic.
To achieve the above purpose, the present application provides a method for detecting network intrusion traffic. The method includes: obtaining a training sample set, the training sample set including normal traffic data and abnormal traffic data of multiple classes; determining, among the abnormal traffic data of the multiple classes, target abnormal traffic data whose data volume ratio is below a specified ratio threshold, and expanding the data samples in the target abnormal traffic data; training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data; and using the multiple trained classifiers to examine traffic data to be detected, to determine whether the traffic data to be detected belongs to abnormal traffic data.
Further, expanding the data samples in the target abnormal traffic data includes: oversampling the data samples in the target abnormal traffic data to synthesize new data samples, and adding the new data samples to the target abnormal traffic data.
Further, examining the traffic data to be detected includes: separately calculating the cluster centers of the normal traffic data and of each class of abnormal traffic data; calculating the distance between the traffic data to be detected and each cluster center, and determining the abnormal traffic data corresponding to the smallest distance; and calling the classifier that matches the determined abnormal traffic data, and using the called classifier to classify the class of the traffic data to be detected.
Further, training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data includes: inputting the current data sample into an initial classifier, and obtaining the classification result that the initial classifier predicts for the current data sample; and calculating the error between the class indicated by the classification result and the class to which the current data sample actually belongs, and using the error to correct the parameters in the initial classifier, so that after the current data sample is input again into the corrected classifier, the class indicated by the resulting classification result is consistent with the class to which the current data sample actually belongs.
Further, calculating the error between the class indicated by the classification result and the class to which the current data sample actually belongs, and using the error to correct the parameters in the initial classifier, includes: determining the loss function corresponding to the classification result according to the class indicated by the classification result of the initial classifier and the class to which the current data sample actually belongs; and calculating the gradient of the loss function, and using the gradient of the loss function as the error to correct the parameters in the initial classifier.
To achieve the above purpose, the present application also provides a device for detecting network intrusion traffic. The device includes: a training sample set acquiring unit, for obtaining a training sample set, the training sample set including normal traffic data and abnormal traffic data of multiple classes; a sample expansion unit, for determining, among the abnormal traffic data of the multiple classes, target abnormal traffic data whose data volume ratio is below a specified ratio threshold, and expanding the data samples in the target abnormal traffic data; a classifier training unit, for training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data; and a traffic detection unit, for using the multiple trained classifiers to examine traffic data to be detected, to determine whether the traffic data to be detected belongs to abnormal traffic data.
Further, the sample expansion unit includes: an oversampling module, for oversampling the data samples in the target abnormal traffic data to synthesize new data samples, and adding the new data samples to the target abnormal traffic data.
Further, the traffic detection unit includes: a cluster center computing module, for separately calculating the cluster centers of the normal traffic data and of each class of abnormal traffic data; a distance determination module, for calculating the distance between the traffic data to be detected and each cluster center, and determining the abnormal traffic data corresponding to the smallest distance; and a classifier calling module, for calling the classifier that matches the determined abnormal traffic data, and using the called classifier to classify the class of the traffic data to be detected.
Further, the classifier training unit includes: an initial prediction module, for inputting the current data sample into an initial classifier, and obtaining the classification result that the initial classifier predicts for the current data sample; and a correction module, for calculating the error between the class indicated by the classification result and the class to which the current data sample actually belongs, and using the error to correct the parameters in the initial classifier, so that after the current data sample is input again into the corrected classifier, the class indicated by the resulting classification result is consistent with the class to which the current data sample actually belongs.
Further, the correction module includes: a loss function determining module, for determining the loss function corresponding to the classification result according to the class indicated by the classification result of the initial classifier and the class to which the current data sample actually belongs; and a gradient correction module, for calculating the gradient of the loss function, and using the gradient of the loss function as the error to correct the parameters in the initial classifier.
It can be seen that, with the technical solution provided by the present application, the data samples of abnormal traffic data with a small data volume can be expanded, so that a more accurate classifier can subsequently be trained. When training classifiers, one classifier can be trained for each class of abnormal traffic data. In this way, multiple classifiers, each corresponding to one class of abnormal traffic data, are finally obtained. When traffic data to be detected needs to be examined, the class to which it belongs can first be determined preliminarily, and the classifier of the corresponding class can then be called to examine it, which improves the detection accuracy for abnormal traffic.
Other features and advantages of the present invention will be set forth in the following description, and in part will become apparent from the description or be understood by practicing the invention. The objectives and other advantages of the invention can be realized and obtained by the structure particularly pointed out in the written description, the claims and the drawings.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
The drawings are provided for a further understanding of the present invention and form part of the specification. Together with the embodiments of the invention they serve to explain the invention and do not limit it.
In the drawings:
Fig. 1 is a flow chart of the method for detecting network intrusion traffic in an embodiment of the present invention;
Fig. 2 is a functional block diagram of the device for detecting network intrusion traffic in an embodiment of the present invention.
Detailed description of the embodiments
Preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the present invention and are not intended to limit it.
Referring to Fig. 1, the present application provides a method for detecting network intrusion traffic, the method including:
S1: obtaining a training sample set, the training sample set including normal traffic data and abnormal traffic data of multiple classes;
S2: determining, among the abnormal traffic data of the multiple classes, target abnormal traffic data whose data volume ratio is below a specified ratio threshold, and expanding the data samples in the target abnormal traffic data;
S3: training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data;
S4: using the multiple trained classifiers to examine traffic data to be detected, to determine whether the traffic data to be detected belongs to abnormal traffic data.
In this embodiment, for the abnormal traffic data of multiple classes, the ratio of each class of abnormal traffic data to the total data volume can be calculated separately. The target abnormal traffic data whose ratio is below the specified ratio threshold can then be screened out. Because their samples are scarce, the screened-out classes of target abnormal traffic data need their samples expanded before classifier training can be carried out. In this embodiment, the SMOTE (Synthetic Minority Oversampling Technique) technique can be used to synthesize new data samples based on the data samples that already exist in the target abnormal traffic data, and the new data samples are added to the target abnormal traffic data, yielding abnormal traffic data with expanded data samples.
In this way, for each class of abnormal traffic data with few samples, its data samples can be expanded by oversampling. The abnormal traffic data with expanded data samples, together with the normal traffic data, forms the training sample set.
In this embodiment, a corresponding classifier can be trained for each class of abnormal traffic data. Specifically, each class of abnormal traffic data and the normal traffic data can form the training samples for that class of abnormal traffic data, and these training samples are used to train the classifier for that class. Specifically, the current data sample can be input into an initial classifier, and the classification result that the initial classifier predicts for the current data sample is obtained. Since the parameters in the initial classifier may be inaccurate, the predicted classification result may not match the actual result. In that case, the error between the class indicated by the classification result and the class to which the current data sample actually belongs can be calculated, and the error is used to correct the parameters in the initial classifier, so that after the current data sample is input again into the corrected classifier, the class indicated by the resulting classification result is consistent with the class to which the current data sample actually belongs. In this way, the initial classifier can be corrected iteratively by error correction, yielding a more accurate classifier.
In practice, the gradient boosting decision tree (Gradient Boosting Decision Tree, GBDT) algorithm can be used to correct the initial classifier. Specifically, the loss function (Loss Function) corresponding to the classification result can be determined according to the class indicated by the classification result of the initial classifier and the class to which the current data sample actually belongs. The gradient of the loss function can then be calculated and used as the error to correct the parameters in the initial classifier. In this way, the number of corrections to the classifier can be reduced, so that the training process completes more quickly.
In this embodiment, when examining traffic data to be detected, the cluster centers of the normal traffic data and of each class of abnormal traffic data can first be calculated separately. The distance between the traffic data to be detected and each cluster center can then be calculated, and the abnormal traffic data corresponding to the smallest distance is determined. The abnormal traffic data corresponding to the smallest distance serves as the preliminary classification result for the traffic data to be detected. The classifier that matches the determined abnormal traffic data can then be called, and the called classifier is used to further classify the class of the traffic data to be detected, to finally determine whether the traffic data to be detected belongs to that class of abnormal traffic data.
In a concrete application example, the above method for detecting network intrusion traffic may include the following steps:
1. Find the cluster centers of the normal traffic data and of each kind of abnormal traffic data. In the detection stage, the data to be predicted is tentatively assigned to a class according to its distance from each cluster center.
2. In the classifier training stage, first find the classes that make up a small proportion of the abnormal data, then use an oversampling algorithm to synthesize samples for them, add the synthesized samples to the corresponding abnormal class, and combine them with the normal traffic data into a training set for classifier training.
3. Train one classifier between each abnormal class and the normal traffic data. To improve the generalization performance of each classifier, all classifiers use the gradient boosting tree model. In the detection stage, the matching classifier is called according to the preliminary class from step 1 to perform the classification.
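The three steps above, run end to end on constructed two-feature flows, as an added example that is not code from the patent: minority classes are found by ratio threshold and expanded with SMOTE, one gradient-boosted classifier is trained per abnormal class against normal traffic, and detection routes each flow through the nearest cluster center to the matching classifier. The feature values, class sizes, the 0.1 threshold, the target of 30 samples, the use of decision stumps as the boosted trees, and reporting a flow nearest the normal cluster center as normal are all assumptions of this sketch.

```python
import math
import random

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(rows):
    return [sum(col) / len(rows) for col in zip(*rows)]

def minority_classes(data, threshold):
    """Abnormal classes whose share of all samples is below the ratio threshold."""
    total = sum(len(rows) for rows in data.values())
    return [c for c, rows in data.items()
            if c != "normal" and len(rows) / total < threshold]

def smote(rows, n_new, k, rng):
    """SMOTE: interpolate between a sample and one of its k nearest class neighbours."""
    synthetic = []
    for _ in range(n_new):
        base = rng.choice(rows)
        neighbours = sorted((r for r in rows if r is not base),
                            key=lambda r: dist(base, r))[:k]
        other, gap = rng.choice(neighbours), rng.random()
        synthetic.append([b + gap * (o - b) for b, o in zip(base, other)])
    return synthetic

def fit_stump(X, residuals):
    """Least-squares regression stump: (feature, threshold, left value, right value)."""
    best = None
    for f in range(len(X[0])):
        values = sorted({x[f] for x in X})
        for lo, hi in zip(values, values[1:]):
            left = [r for x, r in zip(X, residuals) if x[f] <= lo]
            right = [r for x, r in zip(X, residuals) if x[f] > lo]
            lv, rv = sum(left) / len(left), sum(right) / len(right)
            sse = sum((r - lv) ** 2 for r in left) + sum((r - rv) ** 2 for r in right)
            if best is None or sse < best[0]:
                best = (sse, f, (lo + hi) / 2, lv, rv)
    return best[1:]

def sigmoid(z):
    return 1 / (1 + math.exp(-z))

def train_gbdt(X, y, rounds=15, lr=0.5):
    """Gradient boosting on log-loss: each stump fits the negative gradient y - p."""
    prior = sum(y) / len(y)
    f0 = math.log(prior / (1 - prior))
    scores, stumps = [f0] * len(X), []
    for _ in range(rounds):
        residuals = [yi - sigmoid(s) for yi, s in zip(y, scores)]
        f, t, lv, rv = fit_stump(X, residuals)
        stumps.append((f, t, lv, rv))
        scores = [s + lr * (lv if x[f] <= t else rv) for x, s in zip(X, scores)]
    return f0, lr, stumps

def gbdt_is_attack(model, x):
    f0, lr, stumps = model
    score = f0 + sum(lr * (lv if x[f] <= t else rv) for f, t, lv, rv in stumps)
    return sigmoid(score) >= 0.5

def train(data, threshold, target, rng):
    """Expand minority classes, then fit cluster centers and one classifier per class."""
    data = {c: list(rows) for c, rows in data.items()}
    for c in minority_classes(data, threshold):
        data[c] += smote(data[c], target - len(data[c]), k=3, rng=rng)
    centers = {c: centroid(rows) for c, rows in data.items()}
    models = {}
    for c, rows in data.items():
        if c != "normal":  # each abnormal class is trained against normal traffic
            X = data["normal"] + rows
            y = [0] * len(data["normal"]) + [1] * len(rows)
            models[c] = train_gbdt(X, y)
    return data, centers, models

def detect(x, centers, models):
    """Route to the nearest cluster center, then ask that class's classifier."""
    nearest = min(centers, key=lambda c: dist(x, centers[c]))
    if nearest == "normal":  # assumption: nearest-to-normal is reported as normal
        return "normal"
    return nearest if gbdt_is_attack(models[nearest], x) else "normal"

def make_sample_set(rng):
    """Constructed two-feature flows, not real traffic: class -> feature vectors."""
    spec = {"normal": (1, 1, 60), "dos": (8, 1, 40), "probe": (1, 8, 30), "u2r": (8, 8, 5)}
    return {c: [[rng.gauss(cx, 0.5), rng.gauss(cy, 0.5)] for _ in range(n)]
            for c, (cx, cy, n) in spec.items()}

if __name__ == "__main__":
    rng = random.Random(7)
    raw = make_sample_set(rng)
    print("minority classes:", minority_classes(raw, 0.1))
    expanded, centers, models = train(raw, threshold=0.1, target=30, rng=rng)
    for flow in ([1.0, 1.2], [8.1, 0.9], [1.2, 7.9], [7.8, 8.2]):
        print(flow, "->", detect(flow, centers, models))
```

Without the expansion step the u2r classifier would be fitted on 5 positive samples against 60 normal ones, which is the imbalance the oversampling is meant to correct.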
Referring to Fig. 2, the present application also provides a device for detecting network intrusion traffic, the device including:
a training sample set acquiring unit, for obtaining a training sample set, the training sample set including normal traffic data and abnormal traffic data of multiple classes;
a sample expansion unit, for determining, among the abnormal traffic data of the multiple classes, target abnormal traffic data whose data volume ratio is below a specified ratio threshold, and expanding the data samples in the target abnormal traffic data;
a classifier training unit, for training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data;
a traffic detection unit, for using the multiple trained classifiers to examine traffic data to be detected, to determine whether the traffic data to be detected belongs to abnormal traffic data.
In one embodiment, the sample expansion unit includes:
an oversampling module, for oversampling the data samples in the target abnormal traffic data to synthesize new data samples, and adding the new data samples to the target abnormal traffic data.
In one embodiment, the traffic detection unit includes:
a cluster center computing module, for separately calculating the cluster centers of the normal traffic data and of each class of abnormal traffic data;
a distance determination module, for calculating the distance between the traffic data to be detected and each cluster center, and determining the abnormal traffic data corresponding to the smallest distance;
a classifier calling module, for calling the classifier that matches the determined abnormal traffic data, and using the called classifier to classify the class of the traffic data to be detected.
In one embodiment, the classifier training unit includes:
an initial prediction module, for inputting the current data sample into an initial classifier, and obtaining the classification result that the initial classifier predicts for the current data sample;
a correction module, for calculating the error between the class indicated by the classification result and the class to which the current data sample actually belongs, and using the error to correct the parameters in the initial classifier, so that after the current data sample is input again into the corrected classifier, the class indicated by the resulting classification result is consistent with the class to which the current data sample actually belongs.
In one embodiment, the correction module includes:
a loss function determining module, for determining the loss function corresponding to the classification result according to the class indicated by the classification result of the initial classifier and the class to which the current data sample actually belongs;
a gradient correction module, for calculating the gradient of the loss function, and using the gradient of the loss function as the error to correct the parameters in the initial classifier.
It can be seen that, with the technical solution provided by the present application, the data samples of abnormal traffic data with a small data volume can be expanded, so that a more accurate classifier can subsequently be trained. When training classifiers, one classifier can be trained for each class of abnormal traffic data. In this way, multiple classifiers, each corresponding to one class of abnormal traffic data, are finally obtained. When traffic data to be detected needs to be examined, the class to which it belongs can first be determined preliminarily, and the classifier of the corresponding class can then be called to examine it, which improves the detection accuracy for abnormal traffic.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (10)

1. A method for detecting network intrusion traffic, characterized in that the method comprises:
obtaining a training sample set, the training sample set including normal traffic data and abnormal traffic data of multiple classes;
determining, among the abnormal traffic data of the multiple classes, target abnormal traffic data whose data volume ratio is below a specified ratio threshold, and expanding the data samples in the target abnormal traffic data;
training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data;
using the multiple trained classifiers to examine traffic data to be detected, to determine whether the traffic data to be detected belongs to abnormal traffic data.
2. The method according to claim 1, characterized in that expanding the data samples in the target abnormal traffic data comprises:
oversampling the data samples in the target abnormal traffic data to synthesize new data samples, and adding the new data samples to the target abnormal traffic data.
3. The method according to claim 1, characterized in that examining the traffic data to be detected comprises:
separately calculating the cluster centers of the normal traffic data and of each class of abnormal traffic data;
calculating the distance between the traffic data to be detected and each cluster center, and determining the abnormal traffic data corresponding to the smallest distance;
calling the classifier that matches the determined abnormal traffic data, and using the called classifier to classify the class of the traffic data to be detected.
4. The method according to claim 1, characterized in that training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data comprises:
inputting the current data sample into an initial classifier, and obtaining the classification result that the initial classifier predicts for the current data sample;
calculating the error between the class indicated by the classification result and the class to which the current data sample actually belongs, and using the error to correct the parameters in the initial classifier, so that after the current data sample is input again into the corrected classifier, the class indicated by the resulting classification result is consistent with the class to which the current data sample actually belongs.
5. The method according to claim 4, characterized in that calculating the error between the class indicated by the classification result and the class to which the current data sample actually belongs, and using the error to correct the parameters in the initial classifier, comprises:
determining the loss function corresponding to the classification result according to the class indicated by the classification result of the initial classifier and the class to which the current data sample actually belongs;
calculating the gradient of the loss function, and using the gradient of the loss function as the error to correct the parameters in the initial classifier.
6. A device for detecting network intrusion traffic, characterized in that the device comprises:
a training sample set acquiring unit, for obtaining a training sample set, the training sample set including normal traffic data and abnormal traffic data of multiple classes;
a sample expansion unit, for determining, among the abnormal traffic data of the multiple classes, target abnormal traffic data whose data volume ratio is below a specified ratio threshold, and expanding the data samples in the target abnormal traffic data;
a classifier training unit, for training, based on the normal traffic data and the abnormal traffic data with expanded data samples, a classifier corresponding to each class of abnormal traffic data;
a traffic detection unit, for using the multiple trained classifiers to examine traffic data to be detected, to determine whether the traffic data to be detected belongs to abnormal traffic data.
7. The device according to claim 6, characterized in that the sample expansion unit comprises:
an oversampling module, for oversampling the data samples in the target abnormal traffic data to synthesize new data samples, and adding the new data samples to the target abnormal traffic data.
8. The device according to claim 6, characterized in that the traffic detection unit comprises:
a cluster center computing module, for separately calculating the cluster centers of the normal traffic data and of each class of abnormal traffic data;
a distance determination module, for calculating the distance between the traffic data to be detected and each cluster center, and determining the abnormal traffic data corresponding to the smallest distance;
a classifier calling module, for calling the classifier that matches the determined abnormal traffic data, and using the called classifier to classify the class of the traffic data to be detected.
9. The device according to claim 6, characterized in that the classifier training unit comprises:
an initial prediction module, for inputting the current data sample into an initial classifier, and obtaining the classification result that the initial classifier predicts for the current data sample;
a correction module, for calculating the error between the class indicated by the classification result and the class to which the current data sample actually belongs, and using the error to correct the parameters in the initial classifier, so that after the current data sample is input again into the corrected classifier, the class indicated by the resulting classification result is consistent with the class to which the current data sample actually belongs.
10. The device according to claim 9, characterized in that the correction module comprises:
a loss function determining module, for determining the loss function corresponding to the classification result according to the class indicated by the classification result of the initial classifier and the class to which the current data sample actually belongs;
a gradient correction module, for calculating the gradient of the loss function, and using the gradient of the loss function as the error to correct the parameters in the initial classifier.
CN201810809707.5A 2018-07-23 2018-07-23 Method and device for detecting network intrusion traffic Pending CN109167753A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810809707.5A CN109167753A (en) 2018-07-23 2018-07-23 Method and device for detecting network intrusion traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810809707.5A CN109167753A (en) 2018-07-23 2018-07-23 A kind of detection method and device of network intrusions flow

Publications (1)

Publication Number Publication Date
CN109167753A true CN109167753A (en) 2019-01-08

Family

ID=64898044

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810809707.5A Pending CN109167753A (en) 2018-07-23 2018-07-23 A kind of detection method and device of network intrusions flow

Country Status (1)

Country Link
CN (1) CN109167753A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109981624A (en) * 2019-03-18 2019-07-05 中国科学院计算机网络信息中心 Intrusion detection method, device and storage medium
CN110011931A (en) * 2019-01-25 2019-07-12 中国科学院信息工程研究所 A kind of encryption traffic classes detection method and system
CN110138786A (en) * 2019-05-20 2019-08-16 福州大学 Web method for detecting abnormality and system based on SMOTETomek and LightGBM
CN110149310A (en) * 2019-04-09 2019-08-20 中国科学院计算机网络信息中心 Flow intrusion detection method, device and storage medium
CN112153000A (en) * 2020-08-21 2020-12-29 杭州安恒信息技术股份有限公司 Method and device for detecting network flow abnormity, electronic device and storage medium
CN112468452A (en) * 2020-11-10 2021-03-09 深圳市欢太科技有限公司 Flow detection method and device, electronic equipment and computer readable storage medium

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050152588A1 (en) * 2003-10-28 2005-07-14 University Of Chicago Method for virtual endoscopic visualization of the colon by shape-scale signatures, centerlining, and computerized detection of masses
US7426497B2 (en) * 2004-08-31 2008-09-16 Microsoft Corporation Method and apparatus for analysis and decomposition of classifier data anomalies
CN103716204A (en) * 2013-12-20 2014-04-09 中国科学院信息工程研究所 Abnormal intrusion detection ensemble learning method and apparatus based on Wiener process
WO2014078739A1 (en) * 2012-11-15 2014-05-22 The General Hospital Corporation Methods and systems for diagnosing prenatal abnormalities
CN104091035A (en) * 2014-07-30 2014-10-08 中国科学院空间应用工程与技术中心 Health monitoring method for effective loads of space station based on data-driven algorithm
CN104598813A (en) * 2014-12-09 2015-05-06 西安电子科技大学 Computer intrusion detection method based on integrated study and semi-supervised SVM
CN105487526A (en) * 2016-01-04 2016-04-13 华南理工大学 FastRVM (fast relevance vector machine) wastewater treatment fault diagnosis method
US20160226894A1 (en) * 2015-02-04 2016-08-04 Electronics And Telecommunications Research Institute System and method for detecting intrusion intelligently based on automatic detection of new attack type and update of attack type model
CN106060043A (en) * 2016-05-31 2016-10-26 北京邮电大学 Abnormal flow detection method and device
CN106249599A (en) * 2016-09-28 2016-12-21 河南理工大学 A kind of network control system fault detection method based on neural network prediction
CN106713324A (en) * 2016-12-28 2017-05-24 北京奇艺世纪科技有限公司 Flow detection method and device
CN107220732A (en) * 2017-05-31 2017-09-29 福州大学 A kind of power failure complaint risk Forecasting Methodology based on gradient boosted tree
CN107294993A (en) * 2017-07-05 2017-10-24 重庆邮电大学 A kind of WEB abnormal flow monitoring methods based on integrated study
US20170346827A1 (en) * 2014-12-30 2017-11-30 Juniper Networks, Inc. Using a probability-based model to detect random content in a protocol field associated with network traffic
CN107423156A (en) * 2017-07-29 2017-12-01 合肥千奴信息科技有限公司 Fault pre-alarming algorithm based on taxonomic clustering
CN107682317A (en) * 2017-09-06 2018-02-09 中国科学院计算机网络信息中心 Establish method, data detection method and the equipment of Data Detection model
CN108269012A (en) * 2018-01-12 2018-07-10 中国平安人寿保险股份有限公司 Construction method, device, storage medium and the terminal of risk score model
CN108280350A (en) * 2018-02-05 2018-07-13 南京航空航天大学 A kind of mobile network's terminal Malware multiple features detection method towards Android

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110011931A (en) * 2019-01-25 2019-07-12 中国科学院信息工程研究所 A kind of encryption traffic classes detection method and system
CN109981624A (en) * 2019-03-18 2019-07-05 中国科学院计算机网络信息中心 Intrusion detection method, device and storage medium
CN109981624B (en) * 2019-03-18 2021-07-16 中国科学院计算机网络信息中心 Intrusion detection method, device and storage medium
CN110149310A (en) * 2019-04-09 2019-08-20 中国科学院计算机网络信息中心 Flow intrusion detection method, device and storage medium
CN110149310B (en) * 2019-04-09 2021-11-16 中国科学院计算机网络信息中心 Flow intrusion detection method, device and storage medium
CN110138786A (en) * 2019-05-20 2019-08-16 福州大学 Web method for detecting abnormality and system based on SMOTETomek and LightGBM
CN112153000A (en) * 2020-08-21 2020-12-29 杭州安恒信息技术股份有限公司 Method and device for detecting network flow abnormity, electronic device and storage medium
CN112153000B (en) * 2020-08-21 2023-04-18 杭州安恒信息技术股份有限公司 Method and device for detecting network flow abnormity, electronic device and storage medium
CN112468452A (en) * 2020-11-10 2021-03-09 深圳市欢太科技有限公司 Flow detection method and device, electronic equipment and computer readable storage medium

Similar Documents

Publication Publication Date Title
CN109167753A (en) A kind of detection method and device of network intrusions flow
CN109873812B (en) Anomaly detection method and device and computer equipment
Fayyaz et al. Sct: Set constrained temporal transformer for set supervised action segmentation
CN110796154B (en) Method, device and equipment for training object detection model
CN111860236B (en) Small sample remote sensing target detection method and system based on transfer learning
TW201926949A (en) Network anomaly analysis apparatus, method, and computer program product thereof
CN106204083B (en) Target user classification method, device and system
CN109816043B (en) Method and device for determining user identification model, electronic equipment and storage medium
CN105718937B (en) Multi-class object classification method and system
CN109189876B (en) Data processing method and device
CN110443159A (en) Digit recognition method, device, electronic equipment and storage medium
CN110956255A (en) Difficult sample mining method and device, electronic equipment and computer readable storage medium
CN110346514A (en) Mixed gas identification method, apparatus, computer equipment and storage medium
CN108470194B (en) Feature screening method and device
CN109684302A (en) Data predication method, device, equipment and computer readable storage medium
US20220036208A1 (en) Conjoining malware detection models for detection performance aggregation
CN111783812A (en) Method and device for identifying forbidden images and computer readable storage medium
CN105224954B (en) It is a kind of to remove the topic discovery method that small topic influences based on Single-pass
CN111178347B (en) Ambiguity detection method, ambiguity detection device, ambiguity detection equipment and ambiguity detection storage medium for certificate image
CN110768929A (en) Domain name detection method and device and computer readable storage medium
CN112801155A (en) Business big data analysis method based on artificial intelligence and server
CN110728229A (en) Image processing method, device, equipment and storage medium
CN107508764B (en) Network data traffic type identification method and device
CN113874888A (en) Information processing apparatus, generation method, and generation program
Hashemi et al. Runtime monitoring for out-of-distribution detection in object detection neural networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190108