CN109672666A - A kind of network attack detecting method and device - Google Patents
- Publication number: CN109672666A
- Authority: CN (China)
- Prior art keywords: web site, sample set, site requests, participle, attack
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The disclosure relates to a network attack detection method and device. The method includes: obtaining a website request; and determining, using a machine learning model component, whether the website request belongs to a first attack type. The machine learning model component is obtained by transfer learning, using a first website request sample set containing a first quantity of samples belonging to the first attack type, from a second website request sample set containing a second quantity of samples belonging to a second attack type. With the method of the embodiments of the disclosure, some of the parameters computed from the second website request sample set can correct the first website request sample set, improving the accuracy of the machine learning model component.
Description
Technical field
This disclosure relates to the field of information security technology, and in particular to a network attack detection method and device.
Background
With the continuing development of the internet and big data, networks have reached into every area of people's lives and have gradually taken on an irreplaceable role. Massive, changeable and explosively growing data flows continuously through networks into daily life and brings great convenience. At the same time, driven by profit, some network attackers exploit networks for their own ends, causing economic loss to network users, disrupting the normal operation of companies, and even causing disorder in social management. Detecting requests as users submit them and blocking attackers' malicious requests has therefore become an important measure for protecting website security.
Network attack detection methods in the related art mainly comprise vulnerability detection and Web defence. Vulnerability detection means finding and repairing a website's vulnerabilities before an attacker finds them, generally by penetration testing of the website. Penetration testing combines various techniques and is generally divided into information gathering, vulnerability scanning, vulnerability exploitation, privilege acquisition, log audit and the penetration report. Penetration testing is incomplete: it cannot guarantee that every page of a website is tested, and it has difficulty detecting newly emerging attack patterns. Web defence is a series of methods that check the legitimacy of a URL at the URL transmission stage in order to guard against bad input. Web defence measures generally include filtering, escaping and encryption, information masking, detection and prevention models, and so on. A detection and prevention model is a detection mechanism established between the user and the server that inspects the URLs users submit and blocks intrusion attacks. Traditional detection and prevention models are mainly based on regular-expression pattern matching, but sensitive-word matching alone can no longer withstand constantly updated intrusion attacks. Constantly updating the detection and prevention patterns is a heavy workload for website developers, and it is difficult to produce a detection and protection strategy in time to respond to a newly emerging attack method.
Therefore, the related art needs a website detection method that can achieve high identification accuracy even from a small amount of sample data.
Summary of the invention
To overcome the problems in the related art, the disclosure provides a network attack detection method and device.
According to a first aspect of the embodiments of the present disclosure, a network attack detection method is provided, comprising:
obtaining a website request;
determining, using a machine learning model component, whether the website request belongs to a first attack type; the machine learning model component being obtained by transfer learning, using a first website request sample set containing a first quantity of samples belonging to the first attack type, from a second website request sample set containing a second quantity of samples belonging to a second attack type.
According to a second aspect of the embodiments of the present disclosure, a network attack detection method is provided, comprising:
obtaining a website request;
inputting the website request into each of multiple machine learning model components and determining the attack type of the website request, the multiple machine learning model components being used respectively to identify different website attack types, and at least one of the multiple machine learning model components detecting the website request using the network attack detection method described in the above embodiment.
According to a third aspect of the embodiments of the present disclosure, a network attack detection device is provided, comprising:
an obtaining module, for obtaining a website request;
a detection module, for determining, using a machine learning model component, whether the website request belongs to a first attack type; the machine learning model component being obtained by transfer learning, using a first website request sample set containing a first quantity of samples belonging to the first attack type, from a second website request sample set containing a second quantity of samples belonging to a second attack type.
According to a fourth aspect of the embodiments of the present disclosure, a network attack detection device is provided, comprising:
an obtaining module, for obtaining a website request;
a detection module, for inputting the website request into each of multiple machine learning model components and determining the attack type of the website request, the multiple machine learning model components being used respectively to identify different website attack types, and at least one of the multiple machine learning model components detecting the website request using the network attack detection method of any one of claims 1-11.
According to a fifth aspect of the embodiments of the present disclosure, a network attack detection device is provided, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to:
obtain a website request;
determine, using a machine learning model component, whether the website request belongs to a first attack type; the machine learning model component being obtained by transfer learning, using a first website request sample set containing a first quantity of samples belonging to the first attack type, from a second website request sample set containing a second quantity of samples belonging to a second attack type.
According to a sixth aspect of the embodiments of the present disclosure, a non-transitory computer-readable storage medium is provided; when the instructions in the storage medium are executed by a processor, the processor is enabled to perform the above method.
The network attack detection method and device provided by the embodiments of the disclosure can use a machine learning model component to determine whether a website request belongs to a first attack type, where the machine learning model component can be obtained by transfer learning, using the first website request sample set belonging to the first attack type, from the second website request sample set belonging to the second attack type. When the first website request sample set does not contain enough samples, it is difficult to train an accurate machine learning model component from the first website request samples alone. In the embodiments of the disclosure, therefore, transfer learning can be performed from the second website request sample set of the second attack type. Because the second website request sample set contains enough samples, the parameters computed from it are more accurate, so some of the parameters computed from the second website request sample set can correct the first website request sample set and improve the accuracy of the machine learning model component.
It should be understood that the above general description and the following detailed description are only exemplary and explanatory and do not limit the disclosure.
Brief description of the drawings
The drawings here are incorporated into and form part of this specification; they show embodiments consistent with the disclosure and, together with the specification, serve to explain the principles of the disclosure.
Fig. 1 is a flowchart of a network attack detection method according to an exemplary embodiment.
Fig. 2 is a flowchart of a network attack detection method according to an exemplary embodiment.
Fig. 3 is a flowchart of a network attack detection method according to an exemplary embodiment.
Fig. 4 is a flowchart of a network attack detection method according to an exemplary embodiment.
Fig. 5 is a block diagram of a network attack detection device according to an exemplary embodiment.
Fig. 6 is a block diagram of a device according to an exemplary embodiment.
Fig. 7 is a block diagram of a device according to an exemplary embodiment.
Detailed description of the embodiments
Exemplary embodiments are described in detail here, with examples illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present disclosure. Rather, they are merely examples of devices and methods consistent with some aspects of the disclosure as detailed in the appended claims.
To help those skilled in the art understand the technical solutions provided by the embodiments of the present application, the technical environment in which the solutions are implemented is described first.
In a real network environment, attackers constantly change their attack patterns in order to break through existing defences. Statistics on the major network attack types in recent years show that attack types change almost every year. When a new attack pattern appears on the network, being able to build, in time, a machine learning model that accurately identifies it is therefore a fairly strong technical need. But the accuracy of a machine learning model usually depends on the number of training samples: the more training samples there are, the more accurate the trained model tends to be. For a new attack pattern that has only just appeared in the network environment, it is often hard to obtain enough training samples, and therefore hard to train a reasonably accurate machine learning model for detecting that new pattern.
Based on technical needs like those described above, the network attack detection method provided by the disclosure migrates information from the large number of training samples of other attack types into the small number of training samples of the new attack pattern, correcting the training samples of the new attack pattern and improving the accuracy of those training samples, so as to obtain a more accurate machine learning model for detecting the new network attack pattern.
The network attack detection method of the disclosure is described in detail below with reference to the drawings. Fig. 1 is a flowchart of one embodiment of the network attack detection method provided by the disclosure. Although the disclosure provides method steps as shown in the following embodiments or drawings, the method may include more or fewer steps on the basis of routine work or without creative effort. For steps that have no necessary logical causal relationship, the order of execution is not limited to the order provided by the embodiments of the disclosure.
One embodiment of the network attack detection method provided by the disclosure is shown in Fig. 1. The method may include:
S101: obtaining a website request;
S103: determining, using a machine learning model component, whether the website request belongs to a first attack type; the machine learning model component being obtained by transfer learning, using a first website request sample set containing a first quantity of samples belonging to the first attack type, from a second website request sample set containing a second quantity of samples belonging to a second attack type.
In this embodiment, the website request may include a character string generated at the client on the basis of a network protocol; after the website request is sent to the server, the required data can be obtained from the server. Typical website requests include, for example, HTTP requests, file requests, mailto requests and FTP requests. In one example, the website request can be an HTTP request such as "http://www.bupt.edu.cn/content/content.php?p=2_27_2300". After the website request is obtained, a machine learning model component can be used to determine whether the website request belongs to a first attack type. The machine learning model component can be obtained by transfer learning, using a first website request sample set containing a first quantity of samples belonging to the first attack type, from a second website request sample set containing a second quantity of samples belonging to a second attack type.
In an illustrative application scenario, a new website attack pattern appears on the network, and this attack pattern is called the first attack type. Because the first attack type has existed only for a short time, the amount of sample data that can be obtained for the first website request sample set belonging to the first attack type is limited. The accuracy of a machine learning model component generally depends on a sufficient number of samples. In one embodiment of the disclosure, therefore, transfer learning can be performed from the second website request sample set corresponding to a second attack type that has a sufficient number of samples, to correct the inaccurate training results that the first website request sample set corresponding to the first attack type would otherwise produce because of its limited sample size. On this basis, in one embodiment of the disclosure, the second quantity can be far greater than the first quantity, with the ratio of the second quantity to the first quantity greater than or equal to 1000. In some examples, the ratio of the second quantity to the first quantity can be 1000:1, 4000:1, 5000:1 and so on.
As shown in Fig. 2, in one embodiment of the disclosure the machine learning model component can be trained in the following manner:
S201: obtaining the first website request sample set and the second website request sample set.
S203: determining the tokens (word segments) that have the same degree of importance in the first website request sample set and in the second website request sample set.
S205: migrating the probability of occurrence, in the sample set, of the tokens with the same degree of importance from the second website request sample set into the first website request sample set.
S207: training, according to the probability of occurrence in the sample set of the tokens in the first website request sample set, the machine learning model component for detecting the first attack type.
In this embodiment, the first website request sample set and the second website request sample set may each include a large amount of black (malicious) sample data and white (benign) sample data, where the website requests corresponding to black sample data belong to the first attack type or the second attack type, and the website requests corresponding to white sample data are safe website requests. The black sample data of the second website request sample set can be obtained from existing databases such as github; for example, the github database can include abundant sample data for cross-site scripting (XSS) attacks, Structured Query Language (SQL) injection and the like. The white sample data can be obtained from databases such as SecRepo. Of course, the second website request sample set can also be obtained in other ways, such as manual collection or from a third party with certified qualifications; the disclosure does not limit how the second website request sample set is obtained. In one embodiment of the disclosure, to ensure the accuracy of the transfer learning, a second website request sample set of the same category as the first website request sample set can be obtained. For example, within the category of attacks that inject a malicious string into the request, the main types are XSS attacks and SQL injection, but each of these has several subtypes: XSS attacks can include reflected XSS, stored XSS, Document Object Model (DOM) XSS and other subtypes, and SQL injection can include injection that forces an error, inference-based injection, injection using special characters, injection using stored procedures, injection that evades input filtering, and other subtypes. On this basis, once the basic type of the first attack type has been determined, for example that it is an XSS attack or an SQL injection attack, a second website request sample set of the same category as the first website request sample set can be obtained. Of course, the above division of website attack types is only one possibility. The aim of this embodiment is to obtain a second website request sample set that is as close as possible to the first website request sample set in website attack type, so as to increase the similarity between the first website request sample set and the second website request sample set.
In the embodiments of the disclosure, after the first website request sample set and the second website request sample set are obtained, the tokens that have the same degree of importance in the first website request sample set and in the second website request sample set can be determined. In one embodiment of the disclosure, in the course of determining the tokens with the same degree of importance, the tokens of the sample data in the first website request sample set and in the second website request sample set can be extracted separately. In this process, the sample data in each of the two sample sets is tokenized. Specifically, since the sample data are website requests in character-string format, the string can be sliced, for example with a unit slice length of 5, that is, the string is cut once every 5 characters. In practice, however, website requests contain many strings or characters of a generic format, such as "http://", "www.", ".edu", ".com", ".cn", "/", " " and so on. Such characters or strings are usually of little value for identifying the website attack type and degrade the machine learning result. The string corresponding to the sample data can therefore be cleaned. In one example, after the sample data "http://www.bupt.edu.cn/content/content.php?p=2_27_2300" is cleaned and sliced, the tokens "conte", "nt/co", "ntent", ".php?", "p=2_2", "7_230" and so on are obtained. Of course, this slicing is only one way of extracting tokens from a website request. In the example above, the unit slice length and the slice step are both 5; slicing instead with a unit slice length of 5 and a slice step of 2 yields the tokens "conte", "ntent", "ent/c", "t/con", "conte", "ntent.", "ent.p", "t.php", "php?p", "p?p=2", "p=2_2", "2_27_", "27_23", "_2300" and so on. The token extraction of this embodiment is suitable for the second website request sample set, which has a large data volume, and it applies both to encrypted website requests and to unencrypted ones.
In some cases a website request may be encrypted, for example URL-encoded or base64-encrypted. There are also malicious encryption schemes that hide words with attack characteristics in a website request, so that the encrypted request can get around simple blacklist and whitelist filtering. On this basis, in one embodiment of the disclosure, the website request can be decrypted. The decrypted website request usually has a clear format, with clear separators between keywords, such as "//", " ", "?" and so on. Tokens can therefore be extracted from the decrypted website request by separator. In one example, for the decrypted website request "http://www.bupt.edu.cn/content/content.php?p=2_27_2300", cutting by separator extracts the tokens "http", "www", "bupt", "edu", "cn", "content", "content", "php", "p=2_27_2300" and so on. It should be noted that token extraction can also be done in various other ways, for example by machine learning; the disclosure does not limit how tokens are extracted from the sample data.
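The two token-extraction schemes above (fixed-length slicing of the cleaned string, and separator splitting after decoding), as an added Python example that is not code from the patent. The cleaning rule (dropping scheme and host), dropping a final slice shorter than the unit length, the separator set `:/.?` and the bounded repeated URL-decoding are assumptions chosen to match the token lists in the text; base64 is not handled.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Assumption: "cleaning" removes the scheme and host, which yields the cleaned
# string implied by the page's example ("content/content.php?p=2_27_2300").
_SCHEME_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://[^/?#]*/?", re.IGNORECASE)
# Assumption: separator set that reproduces the page's separator-based tokens.
_SEPARATORS = re.compile(r"[:/.?]+")

# Sample request taken from the page, and a constructed URL-encoded form of it.
SAMPLE = "http://www.bupt.edu.cn/content/content.php?p=2_27_2300"
ENCODED_SAMPLE = ("http%3A%2F%2Fwww.bupt.edu.cn%2Fcontent%2F"
                  "content.php%3Fp%3D2_27_2300")


def clean(request: str) -> str:
    """Strip the generic, low-value prefix of a request before slicing."""
    return _SCHEME_HOST.sub("", request.strip(), count=1)


def slice_tokens(text: str, unit: int = 5, step: int = 5) -> list[str]:
    """Cut text into windows of `unit` characters, advancing by `step`.

    A trailing window shorter than `unit` is dropped (assumption).
    """
    if unit < 1 or step < 1:
        raise ValueError("unit and step must be positive")
    return [text[i:i + unit] for i in range(0, len(text) - unit + 1, step)]


def url_decode(request: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded input is normalised before tokenizing."""
    for _ in range(max_rounds):
        decoded = unquote(request)
        if decoded == request:
            break
        request = decoded
    return request


def separator_tokens(request: str) -> list[str]:
    """Decode the request, then split it on separators, dropping empties."""
    return [t for t in _SEPARATORS.split(url_decode(request)) if t]


if __name__ == "__main__":
    print(slice_tokens(clean(SAMPLE), unit=5, step=5))
    print(slice_tokens(clean(SAMPLE), unit=5, step=2))
    print(separator_tokens(ENCODED_SAMPLE))
```

With step 2 the sixth window comes out as "ntent", five characters like every other window.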
In one embodiment of the disclosure, after the tokens of the sample data in the first website request sample set and in the second website request sample set have been extracted, the word weight value of each token within its own sample set can be calculated. That is, in this embodiment the word weight value of a token expresses the token's degree of importance in the sample set it belongs to. In another embodiment of the disclosure, the word weight value may include the term frequency-inverse document frequency index (TF-IDF index) of the token. The TF-IDF index of a token increases in proportion to the number of times the token appears in the black samples of the first website request sample set, but also decreases in inverse proportion to the number of times the token appears in the first website request sample set as a whole. In this embodiment, the TF-IDF index expresses the importance of a token in the sample set more accurately. After the TF-IDF indexes of the tokens have been calculated, a sparse matrix can be set up for each piece of sample data to represent the TF-IDF index corresponding to each token in that sample data. The sparse matrix may include multiple triples, that is, the TF-IDF index of a single token can be represented as a triple. For example, the triple can be written {(0,37) 0.138}, where (0,37) indicates the position of the token in the sample data and 0.138 is the TF-IDF index of the token.
Machine learning on the first website request sample set usually involves the probability of occurrence, in the sample set, of the tokens in the first website request sample set. The probability of occurrence p(w) of a word w in the sample set can be expressed by the following formula (1):
Here, the accuracy of p(w) usually depends on the number of samples and on how comprehensive the samples in the sample set are. In a sample set with few samples, p(w) is therefore often inaccurate and differs considerably from its true level. On this basis, in the embodiments of the disclosure, the p(w) of a token can be migrated from the sample set with more samples into the sample set with fewer samples, to optimize the p(w) of the tokens in the smaller sample set. According to the law of large numbers, it can be determined that the representative words in the first website request sample set and the representative words in the second website request sample set both follow a normal distribution after TF-IDF conversion. The probability of occurrence p(z) of a word z in the second website request sample set that has the same degree of importance as the word w in the first website request sample set is then migrated to p(w). This improves the accuracy of the p(w) corresponding to the token w in the first website request sample set. In one embodiment of the disclosure, the token w of the first website request sample set and the token z of the second website request sample set having the same degree of importance may mean that the difference between the word weight value of token w in the first website request sample set and the word weight value of token z in the second website request sample set is within a preset range. In one example, the preset range is an error value of 5%. If the TF-IDF index of token w in the first website request sample set is 0.138 and the TF-IDF index of token z in the second website request sample set is 0.136, the error value is (0.138-0.136)/0.138 = 1.45%. Since 1.45% is less than 5%, it can be determined that token w in the first website request sample set and token z in the second website request sample set have the same degree of importance. The probability of occurrence p(z) of token z in the second website request sample set can therefore be assigned to the probability of occurrence p(w) of token w in the first website request sample set.
In the embodiments of the present disclosure, after the occurrence probabilities of the tokens in the first website request sample set have been determined, the machine learning model component for detecting the first attack type can be trained according to the occurrence probabilities, within the sample set, of the tokens in the first website request sample set. In one embodiment of the present disclosure, the machine learning model component may include a classifier trained with the naive Bayes algorithm. On this basis, as shown in Fig. 3, constructing the classifier may include:
S301: construct a classifier, taking the sample data in the first website request sample set and the occurrence probabilities of the tokens in the sample data as the input of the classifier, and the classification result of the sample data as the output of the classifier;
S303: take the occurrence probability of the first attack type, and the conditional probability that the token occurs given that the request is known to be of the first attack type, as the training parameters of the classifier; train the classifier with the naive Bayes algorithm and adjust the training parameters until the classifier meets a preset requirement.
The method of the above embodiment is illustrated below with formula (2). Let the first attack type be X1, and suppose the website request can be represented as a character string that can be cut into n tokens: word 1, word 2, ..., word n. The conditional probability that the character string belongs to X1 can then be expressed by the naive Bayes formula shown in formula (2). Under the independence assumption of the naive Bayes algorithm, the tokens are mutually independent, so p(string | X1) = p(word 1 | X1) p(word 2 | X1) ... p(word n | X1) and p(string) = p(word 1) p(word 2) ... p(word n), and p(word 1), p(word 2), ..., p(word n) can be migrated from the second website request sample set by transfer learning. In this embodiment, therefore, training the classifier amounts to taking p(word 1 | X1), p(word 2 | X1), ..., p(word n | X1) and p(X1) as the training parameters of the classifier and repeatedly adjusting their values until the classifier meets the preset requirement. The preset requirement includes, for example, the error rate of the classifier being below a preset value. After the classifier meets the preset requirement, the values of the training parameters can be stored, and when the classifier is subsequently applied, the stored values of its training parameters can be called directly.
In the application stage of the classifier, the character string corresponding to a website request can be input to the classifier to obtain the probability that the website request is of the first attack type. In one embodiment, if the probability is greater than or equal to a probability threshold, the website request is determined to belong to the attack type. The probability threshold can be set, for example, to 0.6, 0.7 or 0.8. After the website request is determined to be of the first attack type, the website request can be intercepted. Conversely, when the probability is less than the probability threshold, the website request can be determined to be a safe request.
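The weight matching and probability migration described above, followed by the naive Bayes score of formula (2) and the threshold check of the application stage, as an added Python example (not code from the patent). The tokenizer, the per-set aggregation of TF-IDF (mean over samples), the form used for p(w), the nearest-weight tie-break and the sample strings are assumptions.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9_]+|[^\sa-z0-9_]")


def tokenize(request):
    """Assumed tokenizer: lowercase word runs, plus each punctuation character."""
    return TOKEN_RE.findall(request.lower())


def word_weights(samples):
    """Mean TF-IDF of each token over the samples containing it (assumed aggregation)."""
    docs = [Counter(tokenize(s)) for s in samples]
    df = Counter(tok for d in docs for tok in d)
    sums = Counter()
    for d in docs:
        total = sum(d.values())
        for tok, cnt in d.items():
            idf = math.log((1 + len(docs)) / (1 + df[tok])) + 1  # smoothed IDF
            sums[tok] += (cnt / total) * idf
    return {tok: sums[tok] / df[tok] for tok in sums}


def occurrence_prob(samples):
    """p(w) as the token's share of all tokens in the set (assumed form of formula (1))."""
    counts = Counter(tok for s in samples for tok in tokenize(s))
    total = sum(counts.values())
    return {tok: c / total for tok, c in counts.items()}


def rel_diff(w_weight, z_weight):
    """Error value from the page: |weight(w) - weight(z)| / weight(w)."""
    return math.inf if w_weight == 0 else abs(w_weight - z_weight) / w_weight


def migrate(first_w, first_p, second_w, second_p, tol=0.05):
    """Assign p(z) from the large set to each w of the small set with a matching weight.

    When several z fall inside the tolerance, the closest weight wins (assumption).
    Returns (p(w) after migration, {w: z} for the matches that were used).
    """
    migrated, matches = dict(first_p), {}
    if not second_w:
        return migrated, matches
    for w, ww in first_w.items():
        z = min(second_w, key=lambda t: abs(second_w[t] - ww))
        if rel_diff(ww, second_w[z]) <= tol:
            migrated[w] = second_p[z]
            matches[w] = z
    return migrated, matches


def posterior_x1(tokens, p_x1, cond_x1, p_word):
    """p(X1 | string) = p(X1) * prod p(word_i | X1) / prod p(word_i), in log space.

    Tokens missing from either table are skipped (assumption). The ratio is not
    clamped, so treat it as a score to compare with the threshold.
    """
    log_p = math.log(p_x1)
    for tok in tokens:
        if tok in cond_x1 and tok in p_word:
            log_p += math.log(cond_x1[tok]) - math.log(p_word[tok])
    return math.exp(log_p)


def detect(request, p_x1, cond_x1, p_word, threshold=0.7):
    """Return (score, intercept?) for one request string."""
    score = posterior_x1(tokenize(request), p_x1, cond_x1, p_word)
    return score, score >= threshold


# Constructed placeholder request strings; real sets would hold labelled traffic.
FIRST_SET = ["/item?id=7 alpha beta", "/item?id=9 alpha gamma"]       # scarce, type X1
SECOND_SET = ["/list?page=%d beta delta" % i for i in range(50)] + \
             ["/list?page=%d alpha delta" % i for i in range(50)]     # plentiful, type X2


def build_p_word(first_set, second_set, tol=0.05):
    """Full pipeline: weights and p(w) per set, then migration into the first set."""
    return migrate(word_weights(first_set), occurrence_prob(first_set),
                   word_weights(second_set), occurrence_prob(second_set), tol)


if __name__ == "__main__":
    p_word, matches = build_p_word(FIRST_SET, SECOND_SET)
    print("tokens whose p(w) was migrated:", matches)
```

Because the migrated p(word) values come from a different sample set than p(word | X1), the score can exceed 1, so the threshold should be tuned on held-out requests.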
It should be noted that the machine learning model component is not limited to the classifier trained with the naive Bayes algorithm described above. The machine learning model component may also include a logistic regression classifier, a support vector machine classifier, a neural-network-based classifier, and so on; the present disclosure places no restriction on the learning method of the machine learning model component.
The network attack detection method provided by the embodiments of the present disclosure can use a machine learning model component to determine whether a website request belongs to the first attack type, where the machine learning model component can be obtained by transfer learning, using a first website request sample set belonging to the first attack type, from a second website request sample set belonging to a second attack type. When the first website request sample set does not contain enough samples, it is difficult to train a reasonably accurate machine learning model component from the first website request samples alone. In the embodiments of the present disclosure, transfer learning can therefore be performed from the second website request sample set of the second attack type. Because the second website request sample set contains sufficient samples, the parameters calculated from it are more accurate, so some of the parameters calculated from the second website request sample set can correct the first website request sample set and improve the accuracy of the machine learning model component.
In another aspect, the present disclosure further provides a network attack detection method. As shown in Fig. 4, the method includes:
S401: obtain a website request;
S403: input the website request into each of multiple machine learning model components and determine the attack type of the website request, where the multiple machine learning model components are used respectively to identify different website attack types, and at least one of the multiple machine learning model components detects the website request using the network attack detection method of any of the above embodiments.
In the embodiments of the present disclosure, multiple machine learning model components can be used to calculate the probabilities that a website request belongs to different attack types, where at least one of the multiple machine learning model components detects the website request using the network attack detection method of any of the above embodiments. For example, there are four machine learning model components, used respectively to identify the first attack type, the second attack type, the third attack type and the fourth attack type. As for the calculated results, if at least one machine learning model component calculates that the probability of the website request belonging to its attack type is greater than the security threshold, the website request is determined to be a harmful request, and the attack type with the largest probability value is taken as the attack type of the website request. If none of the four components' results exceeds the set security threshold, the website request is considered a safe request and the server is allowed to respond to it. If the result of one and only one component exceeds the set security threshold, that attack type is reported and the request is intercepted. With the method of the embodiments of the present disclosure, the attack type to which a website request belongs can be determined accurately, which in turn helps each website understand its own security posture and strengthen its defensive measures in a targeted manner.
In another aspect, the present disclosure further provides a website attack detection device. Fig. 5 is a block diagram of a website attack detection device 500 according to an exemplary embodiment. Referring to Fig. 5, the device includes an obtaining module 501 and a detection module 503, where:
the obtaining module 501 is configured to obtain a website request;
the detection module 503 is configured to determine, using a machine learning model component, whether the website request belongs to a first attack type; the machine learning model component is obtained by transfer learning, using a first website request sample set of a first quantity belonging to the first attack type, from a second website request sample set of a second quantity belonging to a second attack type.
Optionally, in one embodiment of the present disclosure, the ratio of the second quantity to the first quantity is greater than or equal to 1000.
Optionally, in one embodiment of the present disclosure, the machine learning model component is configured to be trained in the following manner:
obtaining the first website request sample set and the second website request sample set;
determining the tokens that have the same importance level in the first website request sample set and the second website request sample set;
migrating the occurrence probability, within the sample set, of the tokens having the same importance level from the second website request sample set into the first website request sample set;
training, according to the occurrence probabilities within the sample set of the tokens in the first website request sample set, the machine learning model component for detecting the first attack type.
Optionally, in one embodiment of the present disclosure, determining the tokens that have the same importance level in the first website request sample set and the second website request sample set includes:
extracting the tokens of the sample data in the first website request sample set and in the second website request sample set respectively;
calculating the word weight value of each token in the sample set it belongs to;
determining, according to the word weight values, the tokens that have the same importance level in the first website request sample set and the second website request sample set.
Optionally, in one embodiment of the present disclosure, determining, according to the word weight values, the tokens that have the same importance level in the first website request sample set and the second website request sample set includes:
when the difference between the word weight values of two tokens, one in the first website request sample set and one in the second website request sample set, is determined to be within a preset range, determining that the two tokens have the same importance level.
Optionally, in one embodiment of the present disclosure, the word weight value includes term frequency-inverse document frequency (TF-IDF).
Optionally, in one embodiment of the present disclosure, migrating the occurrence probability, within the sample set, of the tokens having the same importance level from the second website request sample set into the first website request sample set includes:
obtaining the occurrence probability, within the second website request sample set, of each token in the second website request sample set;
assigning the occurrence probability of the token in the second website request sample set to the token with the same importance level in the first website request sample set.
Optionally, in one embodiment of the present disclosure, the machine learning model component includes a classifier trained with the naive Bayes algorithm.
Optionally, in one embodiment of the present disclosure, training, according to the occurrence probabilities within the sample set of the tokens in the first website request sample set, the machine learning model component for detecting the first attack type includes:
constructing a classifier, taking the sample data in the first website request sample set and the occurrence probabilities of the tokens in the sample data as the input of the classifier, and the classification result of the sample data as the output of the classifier;
taking the occurrence probability of the first attack type, and the conditional probability that the token occurs given that the request is known to be of the first attack type, as the training parameters of the classifier, training the classifier with the naive Bayes algorithm, and adjusting the training parameters until the classifier meets a preset requirement.
Optionally, in one embodiment of the present disclosure, the device further includes:
an interception module, configured to intercept the website request when the website request is determined to belong to the first attack type.
In another aspect, the present disclosure further provides a website attack detection device, comprising:
an obtaining module, configured to obtain a website request;
a detection module, configured to input the website request into each of multiple machine learning model components and determine the attack type of the website request, where the multiple machine learning model components are used respectively to identify different website attack types, and at least one of the multiple machine learning model components detects the website request using the network attack detection method of any one of claims 1-10.
Fig. 6 is a block diagram of a device 700 for resource distribution instruction according to an exemplary embodiment. For example, the device 700 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, fitness equipment, a personal digital assistant, and the like.
Referring to Fig. 6, the device 700 may include one or more of the following components: a processing component 702, a memory 704, a power supply component 706, a multimedia component 708, an audio component 710, an input/output (I/O) interface 712, a sensor module 714, and a communication component 716.
The processing component 702 generally controls the overall operation of the device 700, such as operations associated with display, telephone calls, data communication, camera operation and recording. The processing component 702 may include one or more processors 720 to execute instructions so as to perform all or part of the steps of the methods described above. In addition, the processing component 702 may include one or more modules that facilitate interaction between the processing component 702 and other components. For example, the processing component 702 may include a multimedia module to facilitate interaction between the multimedia component 708 and the processing component 702.
The memory 704 is configured to store various types of data to support operation of the device 700. Examples of such data include instructions for any application or method operating on the device 700, contact data, phone book data, messages, pictures, videos, and so on. The memory 704 may be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.
The power supply component 706 provides power to the various components of the device 700. The power supply component 706 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the device 700.
The multimedia component 708 includes a screen that provides an output interface between the device 700 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch-sensitive display to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensors may sense not only the boundary of a touch or slide action but also the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 708 includes a front camera and/or a rear camera. When the device 700 is in an operating mode, such as a shooting mode or a video mode, the front camera and/or the rear camera can receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focusing and optical zoom capability.
The audio component 710 is configured to output and/or input audio signals. For example, the audio component 710 includes a microphone (MIC), which is configured to receive external audio signals when the device 700 is in an operating mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in the memory 704 or sent via the communication component 716. In some embodiments, the audio component 710 further includes a loudspeaker for outputting audio signals.
The I/O interface 712 provides an interface between the processing component 702 and peripheral interface modules, which may be a keyboard, a click wheel, buttons, and the like. These buttons may include, but are not limited to, a home button, volume buttons, a start button and a lock button.
The sensor module 714 includes one or more sensors for providing status assessments of various aspects of the device 700. For example, the sensor module 714 can detect the open/closed state of the device 700 and the relative positioning of components, for example the display and keypad of the device 700. The sensor module 714 can also detect a change in position of the device 700 or of a component of the device 700, the presence or absence of user contact with the device 700, the orientation or acceleration/deceleration of the device 700, and a change in temperature of the device 700. The sensor module 714 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor module 714 may also include an optical sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor module 714 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor or a temperature sensor.
The communication component 716 is configured to facilitate wired or wireless communication between the device 700 and other equipment. The device 700 can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination of them. In one exemplary embodiment, the communication component 716 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 716 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
In an exemplary embodiment, the device 700 may be implemented by one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field-programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components, for executing the above method.
In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, for example the memory 704 including instructions, where the instructions can be executed by the processor 720 of the device 700 to complete the above method. For example, the non-transitory computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Fig. 7 is a block diagram of a device 800 for information processing according to an exemplary embodiment. For example, the device 800 may be provided as a server. Referring to Fig. 7, the device 800 includes a processing component 822, which further includes one or more processors, and memory resources represented by a memory 832 for storing instructions executable by the processing component 822, such as application programs. The application programs stored in the memory 832 may include one or more modules, each corresponding to a set of instructions. In addition, the processing component 822 is configured to execute the instructions so as to perform the method of any of the above embodiments.
The device 800 may also include a power supply component 826 configured to perform power management of the device 800, a wired or wireless network interface 850 configured to connect the device 800 to a network, and an input/output (I/O) interface 858. The device 800 can operate based on an operating system stored in the memory 832, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, for example the memory 832 including instructions, where the instructions can be executed by the processing component 822 of the device 800 to complete the above method. For example, the non-transitory computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Other embodiments of the present disclosure will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed herein. The specification and examples are to be regarded as exemplary only, and the true scope and spirit of the present disclosure are indicated by the following claims.
It should be understood that the present disclosure is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.
Claims (24)
1. A network attack detection method, characterized by comprising:
obtaining a website request;
determining, using a machine learning model component, whether the website request belongs to a first attack type; the machine learning model component being obtained by transfer learning, using a first website request sample set of a first quantity belonging to the first attack type, from a second website request sample set of a second quantity belonging to a second attack type.
2. The network attack detection method according to claim 1, characterized in that the ratio of the second quantity to the first quantity is greater than or equal to 1000.
3. The network attack detection method according to claim 1, characterized in that the machine learning model component is configured to be trained in the following manner:
obtaining the first website request sample set and the second website request sample set;
determining the tokens that have the same importance level in the first website request sample set and the second website request sample set;
migrating the occurrence probability, within the sample set, of the tokens having the same importance level from the second website request sample set into the first website request sample set;
training, according to the occurrence probabilities within the sample set of the tokens in the first website request sample set, the machine learning model component for detecting the first attack type.
4. The network attack detection method according to claim 3, characterized in that determining the tokens that have the same importance level in the first website request sample set and the second website request sample set comprises:
extracting the tokens of the sample data in the first website request sample set and in the second website request sample set respectively;
calculating the word weight value of each token in the sample set it belongs to;
determining, according to the word weight values, the tokens that have the same importance level in the first website request sample set and the second website request sample set.
5. The network attack detection method according to claim 4, characterized in that determining, according to the word weight values, the tokens that have the same importance level in the first website request sample set and the second website request sample set comprises:
when the difference between the word weight values of two tokens, one in the first website request sample set and one in the second website request sample set, is determined to be within a preset range, determining that the two tokens have the same importance level.
6. The network attack detection method according to claim 4 or 5, characterized in that the word weight value includes term frequency-inverse document frequency.
7. The network attack detection method according to claim 3, characterized in that migrating the occurrence probability, within the sample set, of the tokens having the same importance level from the second website request sample set into the first website request sample set comprises:
obtaining the occurrence probability, within the second website request sample set, of each token in the second website request sample set;
assigning the occurrence probability of the token in the second website request sample set to the token with the same importance level in the first website request sample set.
8. The network attack detection method according to claim 3, characterized in that the machine learning model component includes a classifier trained with the naive Bayes algorithm.
9. The network attack detection method according to claim 8, characterized in that training, according to the occurrence probabilities within the sample set of the tokens in the first website request sample set, the machine learning model component for detecting the first attack type comprises:
constructing a classifier, taking the sample data in the first website request sample set and the occurrence probabilities of the tokens in the sample data as the input of the classifier, and the classification result of the sample data as the output of the classifier;
taking the occurrence probability of the first attack type, and the conditional probability that the token occurs given that the request is known to be of the first attack type, as the training parameters of the classifier, training the classifier with the naive Bayes algorithm, and adjusting the training parameters until the classifier meets a preset requirement.
10. The network attack detection method according to claim 1, characterized in that, after determining, using the machine learning model component, whether the website request belongs to the first attack type, the method further comprises:
intercepting the website request when the website request is determined to belong to the first attack type.
11. A network attack detection method, characterized by comprising:
obtaining a website request;
inputting the website request into each of multiple machine learning model components and determining the attack type of the website request, the multiple machine learning model components being used respectively to identify different website attack types, and at least one of the multiple machine learning model components detecting the website request using the network attack detection method of any one of claims 1-10.
12. A network attack detection device, characterized by comprising:
an obtaining module, configured to obtain a website request;
a detection module, configured to determine, using a machine learning model component, whether the website request belongs to a first attack type; the machine learning model component being obtained by transfer learning, using a first website request sample set of a first quantity belonging to the first attack type, from a second website request sample set of a second quantity belonging to a second attack type.
13. The network attack detection device according to claim 12, characterized in that the ratio of the second quantity to the first quantity is greater than or equal to 1000.
14. The network attack detection device according to claim 12, characterized in that the machine learning model component is configured to be trained in the following manner:
obtaining the first website request sample set and the second website request sample set;
determining the tokens that have the same importance level in the first website request sample set and the second website request sample set;
migrating the occurrence probability, within the sample set, of the tokens having the same importance level from the second website request sample set into the first website request sample set;
training, according to the occurrence probabilities within the sample set of the tokens in the first website request sample set, the machine learning model component for detecting the first attack type.
15. The network attack detection device according to claim 14, characterized in that determining the tokens that have the same importance level in the first website request sample set and the second website request sample set comprises:
extracting the tokens of the sample data in the first website request sample set and in the second website request sample set respectively;
calculating the word weight value of each token in the sample set it belongs to;
determining, according to the word weight values, the tokens that have the same importance level in the first website request sample set and the second website request sample set.
16. The network attack detection device according to claim 15, characterized in that determining, according to the word weight values, the tokens that have the same importance level in the first website request sample set and the second website request sample set comprises:
when the difference between the word weight values of two tokens, one in the first website request sample set and one in the second website request sample set, is determined to be within a preset range, determining that the two tokens have the same importance level.
17. The network attack detection device according to claim 15 or 16, characterized in that the word weight value includes term frequency-inverse document frequency.
18. The network attack detection device according to claim 14, wherein migrating the occurrence probabilities, within the sample set, of the tokens having the same importance level from the second website request sample set to the first website request sample set comprises:
Obtaining the occurrence probability, in the second website request sample set, of each token in the second website request sample set;
Assigning the occurrence probability of a token in the second website request sample set to the token having the same importance level in the first website request sample set.
19. The network attack detection device according to claim 14, wherein the machine learning model component comprises a classifier trained using the naive Bayes algorithm.
20. The network attack detection device according to claim 19, wherein training, according to the occurrence probabilities, within the sample set, of the tokens in the first website request sample set, the machine learning model component for detecting the first attack type comprises:
Constructing a classifier, taking the sample data in the first website request sample set and the occurrence probabilities of the tokens in the sample data as the input of the classifier, and taking the classification results of the sample data as the output of the classifier;
Taking the occurrence probability of the first attack type, and the conditional probabilities of the tokens occurring given the first attack type, as the training parameters of the classifier, training the classifier using the naive Bayes algorithm, and adjusting the training parameters until the classifier meets a preset requirement.
21. The network attack detection device according to claim 12, further comprising:
An interception module, for intercepting the website request when it is determined that the website request belongs to the first attack type.
22. A network attack detection device, comprising:
An obtaining module, for obtaining a website request;
A detection module, for inputting the website request into each of a plurality of machine learning model components to determine the attack type of the website request, the plurality of machine learning model components being respectively used to identify different website attack types, and at least one of the plurality of machine learning model components detecting the website request using the network attack detection method of any one of claims 1-10.
23. A network attack detection device, comprising:
A processor;
A memory for storing processor-executable instructions;
Wherein the processor is configured to:
Obtain a website request;
Determine, using a machine learning model component, whether the website request belongs to a first attack type; the machine learning model component is obtained by transfer learning, using a first quantity of a first website request sample set belonging to the first attack type, from a second quantity of a second website request sample set belonging to a second attack type.
24. A non-transitory computer-readable storage medium, wherein the instructions in the storage medium, when executed by a processor, enable the processor to perform the method of any one of claims 1-10.
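The training procedure recited in claims 14 to 20, as an added Python example that is not code from the patent: tokens of equal importance are matched by TF-IDF weight, their occurrence probabilities are migrated from the well-sampled second attack type to the scarce first one, and a naive Bayes decision is made on the result. The sample requests, the tokenizer regex, the smoothed IDF formula, the tolerance `tol`, the benign comparison set and the `floor` for unseen tokens are all assumptions, as are the function names.

```python
import math
import re
from collections import Counter

# Constructed sample sets (not from the patent). FIRST is the scarce first attack
# type, SECOND the well-sampled second attack type, NORMAL is assumed benign traffic.
FIRST = ["/search?q=<script>alert(1)", "/search?q=<script>alert(2)"]
SECOND = ["/item?id=%d union select" % i for i in range(1, 5)]
NORMAL = ["/search?q=shoes", "/item?id=7", "/search?q=hat"]

def tokens(request):
    return re.findall(r"[a-z0-9_]+", request.lower())

def occurrence_prob(samples):
    """Occurrence probability of each token within one sample set."""
    counts = Counter(t for s in samples for t in tokens(s))
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()}

def tfidf_weight(samples):
    """Word weight (claim 17): mean TF-IDF of each token over the sample set."""
    docs = [Counter(tokens(s)) for s in samples]
    df = Counter(t for d in docs for t in d)
    n, weight = len(docs), Counter()
    for d in docs:
        size = sum(d.values())
        for t, c in d.items():
            idf = math.log((1 + n) / (1 + df[t])) + 1  # smoothed IDF (assumption)
            weight[t] += (c / size) * idf / n
    return weight

def migrate(first, second, tol=0.05):
    """Claims 16 and 18: a first-set token takes the occurrence probability of the
    second-set token whose word weight differs from its own by at most tol."""
    w1, w2, p2 = tfidf_weight(first), tfidf_weight(second), occurrence_prob(second)
    probs = occurrence_prob(first)
    for t1, a in w1.items():
        t2, b = min(w2.items(), key=lambda kv: abs(kv[1] - a))
        if abs(a - b) <= tol:
            probs[t1] = p2[t2]  # kept as assigned, without renormalising
    return probs

def is_first_attack_type(request, attack_probs, normal_probs, prior=0.5, floor=1e-4):
    """Naive Bayes decision (claims 19-20): class prior times per-token conditionals."""
    def log_posterior(probs, p):
        return math.log(p) + sum(math.log(probs.get(t, floor)) for t in tokens(request))
    return log_posterior(attack_probs, prior) > log_posterior(normal_probs, 1 - prior)
```

With these sets, the incidental token `1` is estimated at 0.1 from the two scarce samples and drops to 0.05 after migration, while the tokens common to every sample keep 0.2.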
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811410148.7A CN109672666B (en) | 2018-11-23 | 2018-11-23 | Network attack detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109672666A (en) | 2019-04-23 |
CN109672666B (en) | 2021-12-14 |
Family
ID=66142257
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811410148.7A Active CN109672666B (en) | 2018-11-23 | 2018-11-23 | Network attack detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109672666B (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101582813A (en) * | 2009-06-26 | 2009-11-18 | 西安电子科技大学 | Distributed migration network learning-based intrusion detection system and method thereof |
US20160187354A1 (en) * | 2013-08-15 | 2016-06-30 | Steven E. Schutzer | Diagnostic markers for multiple sclerosis |
CN107145778A (en) * | 2017-05-04 | 2017-09-08 | 北京邮电大学 | A kind of intrusion detection method and device |
CN108023876A (en) * | 2017-11-20 | 2018-05-11 | 西安电子科技大学 | Intrusion detection method and intruding detection system based on sustainability integrated study |
CN108322445A (en) * | 2018-01-02 | 2018-07-24 | 华东电力试验研究院有限公司 | A kind of network inbreak detection method based on transfer learning and integrated study |
CN108347430A (en) * | 2018-01-05 | 2018-07-31 | 国网山东省电力公司济宁供电公司 | Network invasion monitoring based on deep learning and vulnerability scanning method and device |
CN108494772A (en) * | 2018-03-25 | 2018-09-04 | 上饶市中科院云计算中心大数据研究院 | Model optimization, network inbreak detection method and device and computer storage media |
Non-Patent Citations (1)
Title |
---|
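王东东: "Research on Intrusion Detection Technology Based on Transfer Learning", China Master's Theses Full-text Database, Information Science and Technology Series * |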
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110417751A (en) * | 2019-07-10 | 2019-11-05 | 腾讯科技(深圳)有限公司 | A kind of network safety pre-warning method, device and storage medium |
CN110417751B (en) * | 2019-07-10 | 2021-07-02 | 腾讯科技(深圳)有限公司 | Network security early warning method, device and storage medium |
CN110942109A (en) * | 2019-12-17 | 2020-03-31 | 浙江大学 | PMU false data injection attack prevention method based on machine learning |
CN111131248A (en) * | 2019-12-24 | 2020-05-08 | 广东电科院能源技术有限责任公司 | Website application security defect detection model modeling method and defect detection method |
CN111131248B (en) * | 2019-12-24 | 2021-09-24 | 南方电网电力科技股份有限公司 | Website application security defect detection model modeling method and defect detection method |
CN113259303A (en) * | 2020-02-12 | 2021-08-13 | 网宿科技股份有限公司 | White list self-learning method and device based on machine learning technology |
Also Published As
Publication number | Publication date |
---|---|
CN109672666B (en) | 2021-12-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
TA01 | Transfer of patent application right | Effective date of registration: 20190412. Address after: Room B1010, 1st floor, Jiali Hotel, No. 21 Jiuxianqiao, Chaoyang District, Beijing. Applicant after: Beijing Ding Niu Technology Co., Ltd. Address before: Room B1010, 1st floor, Jiali Hotel, No. 21 Jiuxianqiao, Chaoyang District, Beijing. Applicant before: Beijing Ding Niu Technology Co., Ltd. Applicant before: Beijing Dingniu Hetian Technology Co., Ltd. |
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||