CN109766229A - Anomaly detection method for integrated electronic system
Abstract
The invention discloses an anomaly detection method for integrated electronic systems that combines a command word sequence specification with a time series method. The command word sequence specification is used to detect whether periodic messages are abnormal; the time series method uses a Markov model to predict whether aperiodic messages are abnormal. The method comprises the following steps: 1) collect data: collect bus transmission data; 2) generate detectors: from the log information, automatically generate the periodic command word sequence specification and train the Markov model; 3) intrusion detection: check each message under detection against the command word sequence specification; when the command word of a message does not conform to the sequence specification, the message is identified as aperiodic and passed to aperiodic message detection, and if it fails that check as well, an alert is raised. The invention can detect attacks between the bus controller and the subsystems, and can effectively resist attacks such as replay, forgery and denial of service.
Description
Technical field
The invention belongs to the field of information security for integrated electronic systems, and in particular relates to a lightweight misuse detection method for integrated electronic systems.
Background
Integrated electronic systems are widely used in civil aircraft, fighter aircraft, armored vehicles, rockets and spacecraft. Because these systems sit on physically isolated networks, their security has long received little attention. Since the appearance of the Stuxnet virus, security research on physically isolated networks has gradually begun. Industrial control systems are a typical physically isolated network; in recent years they have been the subject of much security research, which generally relies on whitelisting, deep parsing of industrial protocols and vulnerability scanning to keep them operating safely.
Compared with industrial control systems, integrated electronic systems have received less security research. Constrained by hardware, power consumption and size, their memory and CPU frequency are both very small, and because their usage scenarios are specialised, different integrated electronic systems may use different non-general-purpose CPUs. The complexity and diversity of the hardware lead to frequent faults, so most integrated electronic systems are designed to make full use of limited hardware resources to meet reliability requirements, with little consideration given to security.
Facing the security threats to integrated electronic systems, intrusion detection technology as applied on satellites currently stays at the network level. Owing to the specialised application range of integrated electronic systems and the limits on resources such as hardware memory, there are few intrusion detection techniques aimed at the internal system level, so the security of integrated electronic systems cannot be improved at its root. The only prior work found so far is the Markov-model-based anomaly detection method proposed by Stan et al. in 2017. The features proposed by Stan et al. require 137 bits of storage, which is not negligible when the data volume is large. That method also has a defect: a Markov model cannot detect anomalies where an ABA sequence exists. If the training set contains an ABA sequence and a forged command word B is inserted after command word A, the forged command word cannot be identified. Although the Markov model proposed by Stan et al. includes a time period, if the inserted forged command word B follows the period of the AB sequence, it is identified as a normal command word.
Summary of the invention
The object of the invention is to provide an anomaly detection method for integrated electronic systems that effectively resists internal attacks on the system and guarantees the integrity and availability of its internal data transmission.
The specific technical solution that achieves this object is:
An anomaly detection method for integrated electronic systems, comprising the following steps:
Step 1: Monitor the integrated electronic system bus and collect a large amount of bus log information as the data set needed to generate the periodic command word sequence used for periodic detection and the aperiodic detector;
Step 2: From the bus log information, generate the periodic command word sequence using a self-generation algorithm;
Step 3: From the bus log information, generate the aperiodic message detector based on a time series method, where the time series method includes but is not limited to a Markov model;
Step 4: Monitor the bus in real time and pass the command word of each message to the command word sequence specification detector for command word sequence specification detection, where the command word sequence specification detector comprises the periodic command word sequence and the aperiodic message detector.
Generating the periodic command word sequence using the self-generation algorithm in step 2 specifically comprises:
Step A1: Extract all periodic messages from the message log, extract their features, and generate the set of periodic command words;
Step A2: Turn the set of periodic command words into the periodic command word sequence specification according to the message order in the message log;
Step A3: From the list form of the periodic command word sequence specification, generate the sequence specification retrieved by hash lookup.
Extracting features in step A1 specifically comprises: according to the bus protocol, the features of a periodic message are defined as a 6-tuple, namely terminal address, subaddress/terminal address, transmit/receive, data word count, channel A/B and minimum time interval.
The sequence retrieved by hash lookup in step A3 is maintained using, but not limited to, a unidirectional circular linked list.
Generating the aperiodic message detector based on a time series method in step 3 specifically comprises:
Step B1: Form a training set from the legitimate messages in the bus log and extract the periodic messages with the periodic command word extraction algorithm; then take the difference between the training set and the periodic messages to obtain the aperiodic messages. At the same time, extract the periodic message that precedes each occurrence of an aperiodic message to form a new training set, and extract the features of all messages in it to obtain the training set TS;
Step B2: Once the training set TS for the aperiodic messages has been obtained, iterate over it, compute the state transition probabilities and train the Markov parameters.
Extracting the features of all messages in the training set in step B1 specifically comprises: according to the bus protocol, the message features are expressed as a 5-tuple, namely terminal address, subaddress/terminal address, transmit/receive, data word count and channel A/B.
Each kind of message in the training set TS of step B1 is one state $state_j$ of the Markov model.
Carrying out command word sequence specification detection in step 4 specifically comprises:
Step C1: Obtain the predicted command word from the previous command word according to the order of the singly linked list, and compare the predicted command word with the command word just received to check whether the message under detection follows the sequence specification. If the predicted command word matches the received one, the message conforms to the sequence specification and is identified as a periodic message; then check whether the time period of that command word is normal by executing step C2. If the message does not conform to the sequence specification, it is identified as an aperiodic message and step C3 is executed;
Step C2: Check whether the time period of the message is correct. If the time period is greater than or equal to the minimum time interval, the message is identified as a legitimate periodic message and the traffic is allowed to pass normally; if the time period is less than the minimum time interval, the message is abnormal and exception handling is carried out;
Step C3: Taking the previous command word and the command word under detection as input, obtain the state transition probability of the two messages from the Markov model. Compare this probability with the anomaly threshold; if the probability is lower than the anomaly threshold, the message is abnormal and exception handling is carried out.
The anomaly threshold in step C3 is defined as the minimum probability of a periodic-message-to-aperiodic-message transition observed in the training set. The state transition probability from a periodic message to an aperiodic message is calculated as $stateProb_j \times transProb_{j \to l}$, where $stateProb_j$ is the probability that $state_j$ occurs and $transProb_{j \to l}$ is the probability of the state transition from $state_j$ to $state_l$.
The beneficial effects of the invention are:
The invention is an intrusion detection method suited to the inside of an integrated electronic system. It effectively resists internal attacks on the system, which mainly comprise attacks on integrity and attacks on availability, specifically denial-of-service, forgery, tampering and replay attacks, and thereby guarantees the integrity and availability of the system's internal data transmission.
It can effectively guard against unknown attacks: by studying the message features of integrated electronic systems and combining the periodic message sequence, timing features and the prediction of aperiodic messages, the method has the potential to detect unknown attacks.
By making effective use of the features of bus messages, the number of features that must be extracted is greatly reduced, which lowers storage use and keeps the anomaly detection method lightweight. At the same time, combining the command word sequence specification with the time series method solves the problem of legitimate ABA sequences in the Markov model and effectively improves accuracy and detection rate.
Brief description of the drawings
Fig. 1 is the flow chart of the invention;
Fig. 2 is a schematic diagram of periodic message features;
Fig. 3 is a schematic diagram of aperiodic message features;
Fig. 4 is a schematic diagram of the message log.
Specific embodiment
The invention is described in further detail with reference to the following specific embodiment and the drawings. Except for what is specifically mentioned below, the processes, conditions and experimental methods used to implement the invention are general and common knowledge in the field, and the invention places no special restrictions on them.
The integrated electronic system of the invention includes but is not limited to applications in communication satellites, civil aircraft, tanks and armored vehicles.
Embodiment
Taking an integrated electronic system based on the 1553B bus for a communication satellite platform as an example, the anomaly detection steps for the integrated electronic system are as follows:
Traffic acquisition:
An integrated electronic system has three device types: bus controller (BC), remote terminal (RT) and bus monitor (BM). Among 1553B devices only the BM can obtain all traffic on the bus, so the BM serves as the bus traffic acquisition module; once the BM has captured a complete message transfer, it passes the message to the feature extraction module of the intrusion detector.
Feature definition: features are extracted from the command word sequence only. The features of a periodic message are defined as the 6-tuple <terminal address, subaddress/terminal address, transmit/receive, data word count, channel A/B, minimum time interval>; an aperiodic message is represented by the 5-tuple <terminal address, subaddress/terminal address, transmit/receive, data word count, channel A/B>.
Detector generation:
From the bus log, the periodic command word sequence specification is generated with the self-generation algorithm. The command word under detection is then checked against the command word sequence specification; when a command word is found not to be in the specification, the message is identified as aperiodic and checked by aperiodic message detection, and if it still does not pass, an alert is raised.
Periodic message anomaly detector generation:
1) Analyse the features of the messages in the data set and extract the periodic command words with the proposed lightweight clustering algorithm.
In the test data set, the number of occurrences of each command word is counted; analysis of the data shows that the counts of the periodic messages can differ by at most 1. As shown in Fig. 2, for any periodic message, if a range of ±1 is taken around the count of one periodic message, the counts of all periodic messages fall within that interval, and periodic messages account for the largest share of the total. After the candidate intervals are computed, the occurrence counts of all messages belonging to each interval are summed; the interval with the largest total is taken as the periodic message interval, and every message in that interval is classified as a periodic message.
The periodic command word extraction algorithm is as follows:
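An added example in Python, not the patent's own listing, of the count-clustering step described above. The log line format, the function names and the sample command words are assumptions of this example; the split of the 16-bit command word into fields follows the standard MIL-STD-1553B layout.

```python
from collections import Counter, namedtuple

# The description's 5-tuple; the field names are chosen for this example.
Feature = namedtuple("Feature", "terminal subaddress tr word_count channel")


def parse_line(line):
    """Parse one log line of the assumed form '<time_us> <A|B> <command word hex>'."""
    t_us, channel, cmd_hex = line.split()
    cmd = int(cmd_hex, 16)
    feature = Feature(
        terminal=(cmd >> 11) & 0x1F,         # bits 15..11: remote terminal address
        subaddress=(cmd >> 5) & 0x1F,        # bits 9..5: subaddress / mode
        tr="T" if (cmd >> 10) & 1 else "R",  # bit 10: transmit / receive
        word_count=cmd & 0x1F,               # bits 4..0: data word count field (raw)
        channel=channel,
    )
    return int(t_us), feature


def extract_periodic(features):
    """Return the set of features classified as periodic by count clustering."""
    counts = Counter(features)
    best_total, best_members = 0, set()
    # Try an interval of +/-1 around every observed occurrence count.
    for centre in sorted(set(counts.values()), reverse=True):
        members = {f for f, n in counts.items() if abs(n - centre) <= 1}
        total = sum(counts[f] for f in members)
        if total > best_total:  # the interval holding the most messages wins
            best_total, best_members = total, members
    return best_members


def constructed_log():
    """Constructed sample: 50 bus cycles of four periodic command words,
    the last cycle cut short, plus two sporadic command words."""
    periodic = ["0822", "0C22", "1064", "1464"]
    lines, t = [], 0
    for cycle in range(50):
        for i, cmd in enumerate(periodic):
            if cycle == 49 and i == 3:
                break  # capture ended mid-cycle: this word is seen 49 times
            lines.append(f"{t} A {cmd}")
            t += 5000
        if cycle % 10 == 0:
            lines.append(f"{t} A 28E1")  # sporadic, 5 occurrences
            t += 5000
        if cycle % 17 == 0:
            lines.append(f"{t} A 2CE1")  # sporadic, 3 occurrences
            t += 5000
    return lines


if __name__ == "__main__":
    feats = [parse_line(line)[1] for line in constructed_log()]
    for f in sorted(extract_periodic(feats)):
        print(f)
```

A sporadic command word whose count happens to land within ±1 of the periodic count would be classified as periodic by this rule, so the training capture should be long enough to separate the two groups.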
2) Generate the periodic message sequence specification according to the message order in the message log.
Traverse the command word sequence in the message log; whenever the traversed message is a periodic message, add it to the command word sequence specification, until all the extracted periodic messages have been added to the command word sequence specification, which yields the periodic message sequence specification.
3) Perform anomaly detection with the sequence specification retrieved by hash lookup.
To achieve O(1) lookup of the command word specification, the invention proposes a lightweight sequence specification detection algorithm that is based on hash lookup and maintains the sequence in a unidirectional circular linked list. When hash collisions are few, a feature stored in the hash table can be found in O(1) time.
The algorithm for generating the sequence specification retrieved by hash lookup is as follows:
Aperiodic message detector generation:
1) Initialise the data set.
Form a training set from the legitimate messages in the bus log and extract the periodic messages with the periodic command word extraction algorithm; then take the difference between the training set and the periodic messages to obtain the aperiodic messages. At the same time, extract the periodic message that precedes each occurrence of an aperiodic message to form a new training set TS. The training set TS is used to train the Markov model parameters for aperiodic messages, where each kind of message in TS is one state $state_j$ of the Markov model.
2) Train the Markov parameters.
Once the training set TS for the aperiodic messages has been obtained, iterate over the training set, compute the state transition probabilities and train the Markov parameters.
The algorithm for training the Markov parameters is as follows:
Intrusion detection:
In the detection phase, the sequence specification is looked up by hash and the sequence is maintained in a unidirectional circular linked list; the order of the linked list is used to check whether the message under detection follows the sequence specification. If the message conforms to the sequence specification, its time period is then checked: if the period is correct the message is transmitted normally, and if it is incorrect the message is abnormal. If the message does not conform to the sequence specification, it is identified as an aperiodic message and aperiodic message anomaly detection is carried out.
To detect an aperiodic message, the previous message and the aperiodic message are taken as input and the state transition probability of the two messages is obtained from the Markov model. This probability is compared with the anomaly threshold; if the probability is lower than the anomaly threshold, the message is abnormal. The anomaly threshold is defined as the minimum probability of two consecutive messages observed in the training set. The state transition probability of the two messages is calculated as $stateProb_j \times transProb_{j \to l}$.
The command word sequence specification detection algorithm and the anomaly detection algorithm for aperiodic messages are, respectively, as follows:
Command word sequence specification detection algorithm
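An added example in Python, not the patent's own listing, of steps A2, A3, C1 and C2: the specification is built from a log, kept in a circular singly linked list with a hash index, and used to classify live traffic. Taking the minimum interval as the smallest gap between repeats of a command word in the training log, and tracking several candidate list positions so that a repeated word such as A in the cycle A B A C stays unambiguous, are assumptions of this example.

```python
class Node:
    """One entry of the unidirectional circular linked list."""

    def __init__(self, cmd):
        self.cmd = cmd
        self.next = None


class SequenceSpec:
    def __init__(self, log, periodic):
        """log: list of (time, command word); periodic: set of periodic command words."""
        # Step A2: walk the log in order, appending periodic command words
        # until every member of the periodic set has been added.
        order, missing = [], set(periodic)
        for _, cmd in log:
            if cmd in periodic:
                order.append(cmd)
                missing.discard(cmd)
                if not missing:
                    break
        # Minimum time interval per periodic command word (assumed to be the
        # smallest gap between two occurrences in the training log).
        self.min_gap, last = {}, {}
        for t, cmd in log:
            if cmd in periodic:
                if cmd in last:
                    gap = t - last[cmd]
                    self.min_gap[cmd] = min(gap, self.min_gap.get(cmd, gap))
                last[cmd] = t
        # Step A3: circular list plus a hash index from command word to nodes.
        nodes = [Node(c) for c in order]
        for i, node in enumerate(nodes):
            node.next = nodes[(i + 1) % len(nodes)]
        self.index = {}
        for node in nodes:
            self.index.setdefault(node.cmd, []).append(node)
        self.cursors = None   # candidate positions of the last accepted message
        self.last_seen = {}   # arrival time of the last accepted occurrence

    def check(self, t, cmd):
        """Steps C1 and C2 for one live message."""
        if self.cursors is None:
            # First message: synchronise through the O(1) hash index.
            candidates = self.index.get(cmd, [])
        else:
            # C1: the predicted command word is the successor in the list.
            candidates = [n.next for n in self.cursors if n.next.cmd == cmd]
        if not candidates:
            return "aperiodic"            # hand over to the aperiodic detector (C3)
        seen = self.last_seen.get(cmd)
        if seen is not None and t - seen < self.min_gap.get(cmd, 0):
            return "interval-violation"   # C2: arrived faster than ever observed
        self.cursors = candidates
        self.last_seen[cmd] = t
        return "periodic"


def classify(spec, traffic):
    return [spec.check(t, cmd) for t, cmd in traffic]


def constructed_training_log():
    """Constructed log: five cycles of A B A C, with one sporadic X."""
    log = []
    for k in range(5):
        base = 100 * k
        log += [(base, "A"), (base + 20, "B"), (base + 50, "A"), (base + 70, "C")]
        if k == 2:
            log.append((base + 80, "X"))
    return log


def constructed_live_traffic():
    """Constructed traffic: a forged B after the second A, then an early B."""
    return [(1000, "A"), (1020, "B"), (1050, "A"), (1055, "B"), (1070, "C"),
            (1100, "A"), (1105, "B"), (1120, "B")]


if __name__ == "__main__":
    spec = SequenceSpec(constructed_training_log(), {"A", "B", "C"})
    for msg, verdict in zip(constructed_live_traffic(),
                            classify(spec, constructed_live_traffic())):
        print(msg, verdict)
```

The forged B at time 1055 fails the sequence check because the list position after the second A predicts C, so it is passed on as aperiodic; a rejected message does not move the list position, which lets the legitimate message that follows still match.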
Anomaly detection algorithm for aperiodic messages
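An added example in Python, not the patent's own listing, of steps B1, B2 and C3: the training set TS is built from periodic-to-aperiodic pairs, the score stateProb_j × transProb_{j→l} is computed, and the threshold is the lowest score seen in training. Normalising stateProb over all messages in TS, the function names and the sample log are assumptions of this example.

```python
from collections import Counter


def build_training_set(log, periodic):
    """Step B1: pair each aperiodic message with the periodic message before it."""
    pairs, prev = [], None
    for cmd in log:
        if cmd in periodic:
            prev = cmd
        elif prev is not None:
            pairs.append((prev, cmd))
    return pairs


class AperiodicDetector:
    def __init__(self, pairs):
        if not pairs:
            raise ValueError("training set TS is empty")
        # Step B2: every kind of message in TS is one state of the model.
        states = Counter()
        for prev, cur in pairs:
            states[prev] += 1
            states[cur] += 1
        total = sum(states.values())
        sources = Counter(prev for prev, _ in pairs)
        transitions = Counter(pairs)
        self.state_prob = {s: n / total for s, n in states.items()}
        self.trans_prob = {(j, l): n / sources[j]
                           for (j, l), n in transitions.items()}
        # Anomaly threshold: the lowest score of any pair seen in training.
        self.threshold = min(self.score(j, l) for j, l in transitions)

    def score(self, prev, cur):
        """stateProb_j * transProb_{j->l}; unseen states or transitions score 0."""
        return (self.state_prob.get(prev, 0.0)
                * self.trans_prob.get((prev, cur), 0.0))

    def is_anomalous(self, prev, cur):
        """Step C3: abnormal when the score is below the threshold."""
        return self.score(prev, cur) < self.threshold


def whole_log_chain_accepts(log, prev, cur):
    """For contrast: a chain trained on every message accepts any seen transition."""
    return (prev, cur) in set(zip(log, log[1:]))


def constructed_bus_log():
    """Constructed log: ten cycles of A B A C with sporadic X and Y messages."""
    log = []
    for i in range(10):
        log += ["A", "B"]
        if i in (1, 4, 7):
            log.append("Y")   # Y follows B in three cycles
        if i == 5:
            log.append("X")   # X follows B once
        log += ["A", "C"]
        if i in (0, 2, 3, 6, 8, 9):
            log.append("X")   # X follows C in six cycles
    return log


if __name__ == "__main__":
    log = constructed_bus_log()
    det = AperiodicDetector(build_training_set(log, {"A", "B", "C"}))
    print("threshold:", det.threshold)
    # A forged B after the second A reaches this detector as (A, B).
    print("forged B after A anomalous:", det.is_anomalous("A", "B"))
    print("chain over whole log accepts A->B:",
          whole_log_chain_accepts(log, "A", "B"))
```

Because TS holds only periodic-to-aperiodic pairs, the forged B after A scores zero here, while a chain trained on every message in the log has seen A followed by B and would accept it, which is the ABA weakness the background section describes.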
Claims (9)
1. An anomaly detection method for integrated electronic systems, characterised in that the method comprises the following steps:
Step 1: Monitor the integrated electronic system bus and collect a large amount of bus log information as the data set needed to generate the periodic command word sequence used for periodic detection and the aperiodic detector;
Step 2: From the bus log information, generate the periodic command word sequence using a self-generation algorithm;
Step 3: From the bus log information, generate the aperiodic message detector based on a time series method, where the time series method includes but is not limited to a Markov model;
Step 4: Monitor the bus in real time and pass the command word of each message to the command word sequence specification detector for command word sequence specification detection, where the command word sequence specification detector comprises the periodic command word sequence and the aperiodic message detector.
2. The anomaly detection method for integrated electronic systems according to claim 1, characterised in that generating the periodic command word sequence using the self-generation algorithm in step 2 specifically comprises:
Step A1: Extract all periodic messages from the message log, extract their features, and generate the set of periodic command words;
Step A2: Turn the set of periodic command words into the periodic command word sequence specification according to the message order in the message log;
Step A3: From the list form of the periodic command word sequence specification, generate the sequence specification retrieved by hash lookup.
3. The anomaly detection method for integrated electronic systems according to claim 2, characterised in that extracting features in step A1 specifically comprises: according to the bus protocol, the features of a periodic message are defined as a 6-tuple, namely terminal address, subaddress/terminal address, transmit/receive, data word count, channel A/B and minimum time interval.
4. The anomaly detection method for integrated electronic systems according to claim 2, characterised in that the sequence retrieved by hash lookup in step A3 is maintained using, but not limited to, a unidirectional circular linked list.
5. The anomaly detection method for integrated electronic systems according to claim 1, characterised in that generating the aperiodic message detector based on a time series method in step 3 specifically comprises:
Step B1: Form a training set from the legitimate messages in the bus log and extract the periodic messages with the periodic command word extraction algorithm; then take the difference between the training set and the periodic messages to obtain the aperiodic messages. At the same time, extract the periodic message that precedes each occurrence of an aperiodic message to form a new training set, and extract the features of all messages in it to obtain the training set TS;
Step B2: Once the training set TS for the aperiodic messages has been obtained, iterate over it, compute the state transition probabilities and train the Markov parameters.
6. The anomaly detection method for integrated electronic systems according to claim 5, characterised in that extracting the features of all messages in the training set in step B1 specifically comprises: according to the bus protocol, the message features are expressed as a 5-tuple, namely terminal address, subaddress/terminal address, transmit/receive, data word count and channel A/B.
7. The anomaly detection method for integrated electronic systems according to claim 5, characterised in that each kind of message in the training set TS of step B1 is one state $state_j$ of the Markov model.
8. The anomaly detection method for integrated electronic systems according to claim 1, characterised in that carrying out command word sequence specification detection in step 4 specifically comprises:
Step C1: Obtain the predicted command word from the previous command word according to the order of the singly linked list, and compare the predicted command word with the command word just received to check whether the message under detection follows the sequence specification. If the predicted command word matches the received one, the message conforms to the sequence specification and is identified as a periodic message; then check whether the time period of that command word is normal by executing step C2. If the message does not conform to the sequence specification, it is identified as an aperiodic message and step C3 is executed;
Step C2: Check whether the time period of the message is correct. If the time period is greater than or equal to the minimum time interval, the message is identified as a legitimate periodic message and the traffic is allowed to pass normally; if the time period is less than the minimum time interval, the message is abnormal and exception handling is carried out;
Step C3: Taking the previous command word and the command word under detection as input, obtain the state transition probability of the two messages from the Markov model. Compare this probability with the anomaly threshold; if the probability is lower than the anomaly threshold, the message is abnormal and exception handling is carried out.
9. The anomaly detection method for integrated electronic systems according to claim 8, characterised in that the anomaly threshold in step C3 is defined as the minimum probability of a periodic-message-to-aperiodic-message transition observed in the training set; the state transition probability from a periodic message to an aperiodic message is calculated as $stateProb_j \times transProb_{j \to l}$, where $stateProb_j$ is the probability that $state_j$ occurs and $transProb_{j \to l}$ is the probability of the state transition from $state_j$ to $state_l$.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811477152.5A CN109766229B (en) | 2018-12-05 | 2018-12-05 | Anomaly detection method for integrated electronic system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109766229A true CN109766229A (en) | 2019-05-17 |
CN109766229B CN109766229B (en) | 2022-02-11 |
Non-Patent Citations (2)
Orly Stan: "Protecting Military Avionics Platforms from Attacks on MIL-STD-1553 Communication Bus", HTTPS://ARXIV.ORG/ABS/1707.05032
何道敬: "Data transmission and security of environment-aware application systems", Journal of Nanjing University of Information Science and Technology