CN109951476A - Time-series-based attack prediction method, apparatus and storage medium

Publication number: CN109951476A
Application number: CN201910201214.8A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN109951476B
Inventors: 万巍, 王越, 龙春, 魏金侠, 赵静, 杨帆
Current assignee: Computer Network Information Center of CAS
Original assignee: Computer Network Information Center of CAS
Legal status: Granted (Active)
Prior art keywords: data, attack, value, sample, bag data

Abstract

An embodiment of the invention discloses a time-series-based attack prediction method, apparatus and storage medium, relating to the field of network security. The method comprises: splitting sample data into bags in chronological order and extracting features of the bag data; taking the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data; performing time-series analysis on the features of the bag data to obtain periodic features of the bag data; applying exponential smoothing at least once to the periodic features of the bag data to obtain a period prediction value of the bag data; and training an attack prediction model based on the sample label value and the period prediction value of the bag data. The invention can improve the efficiency of attack detection.

Description

Time-series-based attack prediction method, apparatus and storage medium
Technical field
The present invention relates to the field of network security, and in particular to a time-series-based attack prediction method, apparatus and storage medium.
Background
With the rapid development of computer network technology, network technology is widely used in every field. While computer networks bring convenience and benefits to people, network attacks also pose a great challenge to information security.
To protect against network attacks, an intrusion detection system can be added at the point where network data is accessed. Current intrusion detection systems mainly model network traffic features and use classification algorithms to judge whether an attack has occurred and which class it belongs to. This strategy can detect independent security events, but in practice attacks are often correlated in time, especially large-scale automated attacks that break out within a short period. In that case, detecting attacks independently makes attack detection inefficient.
Summary of the invention
Embodiments of the present invention provide a time-series-based attack prediction method, apparatus and storage medium that can improve the efficiency of attack detection.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:
In a first aspect, an embodiment of the present invention provides a time-series-based attack prediction method, comprising:
splitting sample data into bags in chronological order, and extracting features of the bag data;
taking the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
performing time-series analysis on the features of the bag data to obtain periodic features of the bag data;
applying exponential smoothing at least once to the periodic features of the bag data to obtain a period prediction value of the bag data;
training an attack prediction model based on the sample label value and the period prediction value of the bag data.
With reference to the first aspect, in a first possible implementation of the first aspect, the method further comprises:
inputting data to be tested into the attack prediction model to obtain a label prediction value of the data to be tested, where the label prediction value of the data to be tested characterises the predicted ratio between positive samples and negative samples in the data to be tested.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the method further comprises:
adjusting a data filtering rule based on the label prediction value of the data to be tested;
in response to the adjusted data filtering rule being satisfied, determining that the data to be tested is attack data, and discarding the attack data.
With reference to the first aspect, in a third possible implementation of the first aspect, training the attack prediction model based on the sample label value and the period prediction value of the bag data comprises:
using the difference between the sample label value of the bag data and the period prediction value as training data for the attack prediction model, and iteratively training the attack prediction model; wherein the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
With reference to the first aspect, in a fourth possible implementation of the first aspect, splitting the sample data into bags in chronological order and extracting the features of the bag data comprises:
converting the features of the sample data into the features of the bag data by means of prototype clustering; wherein the prototype clustering includes a Gaussian mixture model.
In a second aspect, an embodiment of the present invention provides a time-series-based attack prediction device, comprising:
an extraction module, configured to split sample data into bags in chronological order and extract features of the bag data;
a label module, configured to take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
an analysis module, configured to perform time-series analysis on the features of the bag data to obtain periodic features of the bag data;
a processing module, configured to apply exponential smoothing at least once to the periodic features of the bag data to obtain a period prediction value of the bag data;
a training module, configured to train an attack prediction model based on the sample label value and the period prediction value of the bag data.
With reference to the second aspect, in a first possible implementation of the second aspect, the device further comprises:
a prediction module, configured to input data to be tested into the attack prediction model to obtain a label prediction value of the data to be tested, where the label prediction value of the data to be tested characterises the predicted ratio between positive samples and negative samples in the data to be tested.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the device further comprises:
an adjustment module, configured to adjust a data filtering rule based on the label prediction value of the data to be tested;
a discard module, configured to determine, in response to the adjusted data filtering rule being satisfied, that the data to be tested is attack data, and to discard the attack data.
With reference to the second aspect, in a third possible implementation of the second aspect,
the training module is further configured to use the difference between the sample label value of the bag data and the period prediction value as training data for the attack prediction model, and to iteratively train the attack prediction model; wherein the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
With reference to the second aspect, in a fourth possible implementation of the second aspect,
the extraction module is further configured to convert the features of the sample data into the features of the bag data by means of prototype clustering; wherein the prototype clustering includes a Gaussian mixture model.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program, characterized in that the program, when executed by a processor, implements the steps of the method provided in the first aspect.
The time-series-based attack prediction method, apparatus and storage medium provided by the embodiments of the present invention split sample data into bags in chronological order and extract features of the bag data; take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data; perform time-series analysis on the features of the bag data to obtain periodic features of the bag data; apply exponential smoothing at least once to the periodic features of the bag data to obtain a period prediction value of the bag data; and train an attack prediction model based on the sample label value and the period prediction value of the bag data. Intrusion events or security events that may subsequently occur in the network can be predicted from the trend of the current traffic, and the defence rules can be modified automatically based on the prediction result. This gives better awareness of the network situation, reduces the false alarm rate and the cost of manual intervention, and improves the efficiency of attack detection.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow diagram of the time-series-based attack prediction method of an embodiment of the present invention;
Fig. 2 is another flow diagram of the time-series-based attack prediction method of an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of the time-series-based attack prediction device of an embodiment of the present invention;
Fig. 4 is another structural schematic diagram of the time-series-based attack prediction device of an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of the time-series-based attack prediction device 500 of an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
One embodiment of the present invention provides a time-series-based attack prediction method. As shown in Fig. 1, the method comprises:
101. Split sample data into bags in chronological order, and extract features of the bag data.
In this embodiment, step 101 may specifically be: converting the features of the sample data into the features of the bag data by means of prototype clustering, where the prototype clustering includes a Gaussian mixture model.
102. Take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data.
The numbers of positive samples and negative samples in the bag data are exact values, so the ratio of positive to negative samples is an exact value; training the attack prediction model with this value as the sample label can improve the prediction accuracy of the model.
103. Perform time-series analysis on the features of the bag data to obtain periodic features of the bag data.
In this embodiment, performing time-series analysis on the features of the bag data makes use of the temporal correlation between large numbers of attack packets, so that subsequent attack events and/or security events can be predicted from changes in the current traffic situation, and defence policies can further be adjusted in advance, before a subsequent network attack arrives.
104. Apply exponential smoothing at least once to the periodic features of the bag data to obtain a period prediction value of the bag data.
105. Train an attack prediction model based on the sample label value and the period prediction value of the bag data.
In this embodiment, the attack prediction model can be iteratively trained according to the difference between the sample label value of the bag data (i.e. the exact value of the sample itself) and the period prediction value (i.e. the value obtained by prediction with the attack prediction model) until a preset condition is met, and the attack prediction model is then used as the final prediction model. In this embodiment, the preset condition may be that the average difference between the sample label value and the label prediction value of each bag data is less than a first preset threshold; and/or that the number of bag data whose difference between sample label value and label prediction value is greater than a second preset threshold is less than a third preset threshold.
In this embodiment, multiple adjacent flows can be aggregated for trend analysis, giving a macro-level prediction of the overall network security situation, so that the defender holds the initiative when facing continuous network attacks and can defend against them effectively. Moreover, after a short-lived large-scale attack breaks out, the prior art requires manually adjusting the IDS rules based on expert experience; by comparison, this embodiment can intelligently adjust the rules based on changes in the network situation, which reduces the false alarm rate and avoids wasted labour cost. In addition, the in-bag data estimation model can accurately characterise the data distribution over a period of time and predict the network situation in real time, reducing the complexity of network situation analysis.
Compared with the prior art, this embodiment can predict intrusion events or security events that may subsequently occur in the network from the trend of the current traffic, and automatically modify the defence rules based on the prediction result. This gives better awareness of the network situation, reduces the false alarm rate and the cost of manual intervention, and improves the efficiency of attack detection.
A further embodiment of the present invention provides a time-series-based attack prediction method. As shown in Fig. 2, the method comprises:
201. Convert the features of the sample data into the features of the bag data by means of prototype clustering.
The prototype clustering includes a Gaussian mixture model.
202. Take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data.
203. Perform time-series analysis on the features of the bag data to obtain periodic features of the bag data.
In this embodiment, performing time-series analysis on the features of the bag data makes use of the temporal correlation between large numbers of attack packets, so that subsequent attack events and/or security events can be predicted from changes in the current traffic situation, and defence policies can further be adjusted in advance, before a subsequent network attack arrives.
204. Apply exponential smoothing at least once to the periodic features of the bag data to obtain a period prediction value of the bag data.
205. Use the difference between the sample label value of the bag data and the period prediction value as training data for the attack prediction model, and iteratively train the attack prediction model.
The attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
In this embodiment, the attack prediction model can be iteratively trained according to the difference between the sample label value of the bag data (i.e. the exact value of the sample itself) and the period prediction value (i.e. the value obtained by prediction with the time smoothing model) until a preset condition is met, and the attack prediction model is then used as the final prediction model. In this embodiment, the preset condition may be that the average difference between the sample label value and the label prediction value of each bag data is less than a first preset threshold; and/or that the number of bag data whose difference between sample label value and label prediction value is greater than a second preset threshold is less than a third preset threshold.
206. Input data to be tested into the attack prediction model to obtain a label prediction value of the data to be tested, where the label prediction value of the data to be tested characterises the predicted ratio between positive samples and negative samples in the data to be tested.
207. Adjust a data filtering rule based on the label prediction value of the data to be tested.
208. In response to the adjusted data filtering rule being satisfied, determine that the data to be tested is attack data, and discard the attack data.
In this embodiment, multiple adjacent flows can be aggregated for trend analysis, giving a macro-level prediction of the overall network security situation, so that the defender holds the initiative when facing continuous network attacks and can defend against them effectively. Moreover, after a short-lived large-scale attack breaks out, the prior art requires manually adjusting the IDS rules based on expert experience, whereas this embodiment can intelligently adjust the rules based on changes in the network situation, which reduces the false alarm rate and avoids wasted labour cost. In addition, the in-bag data estimation model can accurately characterise the data distribution and predict the network situation in real time, reducing the complexity of network situation analysis.
Compared with the prior art, this embodiment can predict intrusion events or security events that may subsequently occur in the network from the trend of the current traffic, and automatically modify the defence rules based on the prediction result. This gives better awareness of the network situation, reduces the false alarm rate and the cost of manual intervention, and improves the efficiency of attack detection.
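Steps 201 to 206 carried through on constructed traffic, as an added illustration that is not code from the patent: bags are labelled with the positive/negative ratio, a per-phase exponential smoothing gives the period prediction value, and a boosted regressor is trained on the difference between label and period prediction. Assumptions: flow records are (timestamp, size, is_attack) tuples, mean flow size replaces the Gaussian-mixture bag features, autocorrelation stands in for the time-series analysis, and depth-1 stumps stand in for a full GBDT regression model; all function names are hypothetical.

```python
# Added illustration, not code from the patent. Data is constructed; names are hypothetical.

def split_into_bags(flows, bag_seconds):
    """Step 201: group (ts, size, is_attack) records into consecutive time bags.
    Empty time slots become empty bags so the bag index stays aligned with time."""
    flows = sorted(flows)
    first = flows[0][0] // bag_seconds
    bags = [[] for _ in range(flows[-1][0] // bag_seconds - first + 1)]
    for ts, size, is_attack in flows:
        bags[ts // bag_seconds - first].append((size, is_attack))
    return bags

def bag_label(bag):
    """Step 202: positives / negatives. Dividing by max(neg, 1) for a bag with
    no negative samples is an assumption; the patent does not cover that case."""
    pos = sum(1 for _, is_attack in bag if is_attack)
    return pos / max(len(bag) - pos, 1)

def bag_feature(bag):
    """Mean flow size, a stand-in for the Gaussian-mixture bag features."""
    return sum(size for size, _ in bag) / len(bag) if bag else 0.0

def dominant_period(series, max_lag):
    """Step 203 (assumed method): lag >= 2 with the largest autocorrelation."""
    mean = sum(series) / len(series)
    dev = [x - mean for x in series]
    def acf(lag):
        return sum(dev[i] * dev[i + lag] for i in range(len(dev) - lag))
    return max(range(2, max_lag + 1), key=acf)

def seasonal_forecasts(series, period, alpha):
    """Step 204: one-step-ahead forecast per bag from single exponential smoothing
    of earlier bags at the same phase (None until that phase has been seen)."""
    level, out = {}, []
    for t, x in enumerate(series):
        phase = t % period
        out.append(level.get(phase))
        level[phase] = x if phase not in level else alpha * x + (1 - alpha) * level[phase]
    return out, level

def fit_stump(xs, ys):
    """Best single-threshold split of a 1-D feature under squared error."""
    best = None
    for thr in sorted(set(xs))[:-1]:
        left = [y for x, y in zip(xs, ys) if x <= thr]
        right = [y for x, y in zip(xs, ys) if x > thr]
        lm, rm = sum(left) / len(left), sum(right) / len(right)
        err = sum((y - lm) ** 2 for y in left) + sum((y - rm) ** 2 for y in right)
        if best is None or err < best[0]:
            best = (err, thr, lm, rm)
    if best is None:                       # constant feature: predict the mean
        mean = sum(ys) / len(ys)
        return xs[0], mean, mean
    return best[1:]

def fit_boosted(xs, ys, rounds=20, rate=0.5):
    """Step 205: gradient boosting for squared loss; each round fits a stump to
    what the previous rounds left unexplained."""
    stumps, resid = [], list(ys)
    for _ in range(rounds):
        thr, lm, rm = fit_stump(xs, resid)
        stumps.append((thr, rate * lm, rate * rm))
        resid = [r - (rate * lm if x <= thr else rate * rm) for x, r in zip(xs, resid)]
    return stumps

def train(flows, bag_seconds=60, alpha=0.5):
    bags = split_into_bags(flows, bag_seconds)
    labels = [bag_label(b) for b in bags]
    feats = [bag_feature(b) for b in bags]
    period = dominant_period(labels, len(labels) // 2)
    forecasts, level = seasonal_forecasts(labels, period, alpha)
    # Training target is the difference: sample label value - period prediction value.
    rows = [(f, y - p) for f, y, p in zip(feats, labels, forecasts) if p is not None]
    if not rows:
        raise ValueError("need more than one period of bags to train")
    stumps = fit_boosted([f for f, _ in rows], [d for _, d in rows])
    return {"period": period, "level": level, "stumps": stumps, "bags": len(bags)}

def predict_next(model, feature):
    """Step 206: predicted positive/negative ratio for the bag after the training data."""
    base = model["level"][model["bags"] % model["period"]]
    boost = sum(l if feature <= thr else r for thr, l, r in model["stumps"])
    return max(0.0, base + boost)

def constructed_flows():
    """16 one-minute bags: 10 benign flows each, a period-4 attack pattern, and
    two bursts of small (40-byte) attack flows in bags 6 and 13."""
    flows = []
    for t in range(16):
        sizes = [(500, False)] * 10 + [(500, True)] * [1, 1, 5, 1][t % 4]
        sizes += [(40, True)] * (4 if t in (6, 13) else 0)
        flows += [(t * 60 + i, s, a) for i, (s, a) in enumerate(sizes)]
    return flows

if __name__ == "__main__":
    model = train(constructed_flows())
    print("period:", model["period"])
    print("next bag, ordinary flow sizes:", round(predict_next(model, 500.0), 3))
    print("next bag, small-flow burst:   ", round(predict_next(model, 390.0), 3))
```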
A further embodiment of the present invention provides a time-series-based attack prediction device. As shown in Fig. 3, the device comprises:
an extraction module 31, configured to split sample data into bags in chronological order and extract features of the bag data;
a label module 32, configured to take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
an analysis module 33, configured to perform time-series analysis on the features of the bag data to obtain periodic features of the bag data;
a processing module 34, configured to apply exponential smoothing at least once to the periodic features of the bag data to obtain a period prediction value of the bag data;
a training module 35, configured to train an attack prediction model based on the sample label value and the period prediction value of the bag data.
Further, as shown in Fig. 4, the device also comprises:
a prediction module 41, configured to input data to be tested into the attack prediction model to obtain a label prediction value of the data to be tested, where the label prediction value of the data to be tested characterises the predicted ratio between positive samples and negative samples in the data to be tested;
an adjustment module 42, configured to adjust a data filtering rule based on the label prediction value of the data to be tested;
a discard module 43, configured to determine, in response to the adjusted data filtering rule being satisfied, that the data to be tested is attack data, and to discard the attack data.
The training module 35 is further configured to use the difference between the sample label value of the bag data and the period prediction value as training data for the attack prediction model, and to iteratively train the attack prediction model; wherein the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
The extraction module 31 is further configured to convert the features of the sample data into the features of the bag data by means of prototype clustering; wherein the prototype clustering includes a Gaussian mixture model.
In this embodiment, multiple adjacent flows can be aggregated for trend analysis, giving a macro-level prediction of the overall network security situation, so that the defender holds the initiative when facing continuous network attacks and can defend against them effectively. Moreover, after a short-lived large-scale attack breaks out, the prior art requires manually adjusting the IDS rules based on expert experience; by comparison, this embodiment can intelligently adjust the rules based on changes in the network situation, which reduces the false alarm rate and avoids wasted labour cost. In addition, the in-bag data estimation model can accurately characterise the data distribution and predict the network situation in real time, reducing the complexity of network situation analysis.
Compared with the prior art, this embodiment can predict intrusion events or security events that may subsequently occur in the network from the trend of the current traffic, and automatically modify the defence rules based on the prediction result. This gives better awareness of the network situation, reduces the false alarm rate and the cost of manual intervention, and improves the efficiency of attack detection.
An embodiment of the present invention also provides another computer-readable storage medium, which may be the computer-readable storage medium included in the memory in the above embodiments, or may be a standalone computer-readable storage medium that is not fitted into a terminal. The computer-readable storage medium stores one or more programs, which are used by one or more processors to execute the time-series-based attack prediction method provided by the embodiments shown in Fig. 1 and Fig. 2.
The time-series-based attack prediction device provided by the embodiment of the present invention can implement the method embodiments provided above; for the specific functions, refer to the description in the method embodiments, which is not repeated here. The time-series-based attack prediction method, apparatus and storage medium provided by the embodiments of the present invention are applicable to predicting network attacks, but are not limited to this.
As shown in Fig. 5, the time-series-based attack prediction device 500 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a personal digital assistant, or the like.
Referring to Fig. 5, the time-series-based attack prediction device 500 may include one or more of the following components: a processing component 502, a memory 504, a power supply component 506, a multimedia component 508, an audio component 510, an input/output (I/O) interface 512, a sensor component 514 and a communication component 516.
The processing component 502 typically controls the overall operation of the unmanned aerial vehicle (UAV) control device 500, such as operations associated with display, telephone calls, data communication, camera operation and recording. The processing component 502 may include one or more processors 520 to execute instructions.
In addition, the processing component 502 may include one or more modules that facilitate interaction between the processing component 502 and other components. For example, the processing component 502 may include a multimedia module to facilitate interaction between the multimedia component 508 and the processing component 502.
The memory 504 is configured to store various types of data to support operation of the unmanned aerial vehicle (UAV) control device 500. Examples of such data include instructions for any application or method operating on the UAV control device 500, contact data, phone book data, messages, pictures, videos, and so on. The memory 504 may be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.
The power supply component 506 provides power to the various components of the unmanned aerial vehicle (UAV) control device 500. The power supply component 506 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the UAV control device 500.
The multimedia component 508 includes a screen that provides an output interface between the unmanned aerial vehicle (UAV) control device 500 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensors may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 508 includes a front camera and/or a rear camera. When the UAV control device 500 is in an operating mode, such as a shooting mode or a video mode, the front camera and/or rear camera can receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capability.
The audio component 510 is configured to output and/or input audio signals. For example, the audio component 510 includes a microphone (MIC), which is configured to receive external audio signals when the unmanned aerial vehicle (UAV) control device 500 is in an operating mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in the memory 504 or sent via the communication component 516. In some embodiments, the audio component 510 also includes a loudspeaker for outputting audio signals.
The I/O interface 512 provides an interface between the processing component 502 and peripheral interface modules, which may be a keyboard, a click wheel, buttons, and the like. These buttons may include, but are not limited to: a home button, a volume button, a start button and a lock button.
The sensor component 514 includes one or more sensors for providing status assessments of various aspects of the unmanned aerial vehicle (UAV) control device 500. For example, the sensor component 514 can detect the open/closed state of the UAV control device 500 and the relative positioning of components, for example the display and keypad of the UAV control device 500. The sensor component 514 can also detect a change in position of the UAV control device 500 or of one of its components, the presence or absence of user contact with the UAV control device 500, the orientation or acceleration/deceleration of the UAV control device 500, and a change in temperature of the UAV control device 500. The sensor component 514 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor component 514 may also include an optical sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor component 514 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor or a temperature sensor.
The communication component 516 is configured to facilitate wired or wireless communication between the unmanned aerial vehicle (UAV) control device 500 and other devices. The UAV control device 500 can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination of them. In one exemplary embodiment, the communication component 516 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 516 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
In an exemplary embodiment, the unmanned aerial vehicle (UAV) control device 500 may be implemented by one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field-programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components.
The embodiments in this specification are described in a progressive manner; for parts that are the same or similar between embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the device embodiments are substantially similar to the method embodiments, they are described relatively briefly; for related details, refer to the description of the method embodiments.
A person of ordinary skill in the art will understand that all or part of the processes in the above method embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (11)

1. A timing-based attack prediction method, characterized by comprising:
performing subpackage processing on sample data in chronological order, and extracting features of the bag data;
taking the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
performing time-series analysis on the features of the bag data to obtain periodic features of the bag data;
performing exponential smoothing at least once on the periodic features of the bag data to obtain a period forecast value of the bag data;
training an attack prediction model based on the sample label value of the bag data and the period forecast value.
2. The timing-based attack prediction method according to claim 1, characterized in that the method further comprises:
inputting data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, wherein the label prediction value of the data to be detected characterizes a predicted value of the ratio between positive samples and negative samples in the data to be detected.
3. The timing-based attack prediction method according to claim 2, characterized in that the method further comprises:
adjusting a data filtering rule based on the label prediction value of the data to be detected;
in response to the data to be detected satisfying the adjusted data filtering rule, determining that the data to be detected is attack data, and discarding the attack data.
4. The timing-based attack prediction method according to claim 1, characterized in that training the attack prediction model based on the sample label value of the bag data and the period forecast value comprises:
taking the difference between the sample label value of the bag data and the period forecast value as training data of the attack prediction model, and iteratively training the attack prediction model; wherein the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
5. The timing-based attack prediction method according to claim 1, characterized in that performing subpackage processing on the sample data in chronological order and extracting the features of the bag data comprises:
converting the features of the sample data into the features of the bag data by means of prototype clustering; wherein the prototype clustering includes a Gaussian mixture model.
6. A timing-based attack prediction device, characterized by comprising:
an extraction module, configured to perform subpackage processing on sample data in chronological order and extract features of the bag data;
a label module, configured to take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
an analysis module, configured to perform time-series analysis on the features of the bag data to obtain periodic features of the bag data;
a processing module, configured to perform exponential smoothing at least once on the periodic features of the bag data to obtain a period forecast value of the bag data;
a training module, configured to train an attack prediction model based on the sample label value of the bag data and the period forecast value.
7. The timing-based attack prediction device according to claim 6, characterized in that the device further comprises:
a prediction module, configured to input data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, wherein the label prediction value of the data to be detected characterizes a predicted value of the ratio between positive samples and negative samples in the data to be detected.
8. The timing-based attack prediction device according to claim 7, characterized in that the device further comprises:
an adjustment module, configured to adjust a data filtering rule based on the label prediction value of the data to be detected;
a discard module, configured to, in response to the data to be detected satisfying the adjusted data filtering rule, determine that the data to be detected is attack data and discard the attack data.
9. The timing-based attack prediction device according to claim 6, characterized in that
the training module is further configured to take the difference between the sample label value of the bag data and the period forecast value as training data of the attack prediction model, and to iteratively train the attack prediction model; wherein the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
10. The timing-based attack prediction device according to claim 6, characterized in that
the extraction module is further configured to convert the features of the sample data into the features of the bag data by means of prototype clustering; wherein the prototype clustering includes a Gaussian mixture model.
11. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method of claims 1-5.
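The training-data preparation described in claims 1 and 4, as an added example that is not part of the patent text: samples are grouped into time-ordered bags, each bag is labelled with its positive/negative ratio, the label series is exponentially smoothed once, and the residual (label minus forecast) becomes the regression target that a GBDT regressor would be fitted to. Assumptions made here: bags are fixed-width time windows, the smoothed series is the per-bag label itself, lagged labels stand in for the clustered bag features, and a bag with no negative samples is divided by 1.

```python
from collections import defaultdict

# Constructed sample data: (timestamp in seconds, is_attack) pairs.
SAMPLES = [(0, False), (10, True), (20, False), (30, False), (50, False),
           (60, True), (70, False), (80, True), (90, False), (100, False),
           (110, False), (180, True), (190, True), (200, True)]


def bag_labels(samples, window):
    """Group samples into fixed-width time bags; label = positives / negatives."""
    counts = defaultdict(lambda: [0, 0])        # bag index -> [positives, negatives]
    for ts, is_attack in sorted(samples):
        counts[ts // window][0 if is_attack else 1] += 1
    labels = []
    # Keep empty bags so the series stays evenly spaced in time.
    for bag in range(min(counts), max(counts) + 1):
        pos, neg = counts.get(bag, (0, 0))
        labels.append(pos / max(neg, 1))        # assumption: guard bags with no negatives
    return labels


def smooth_forecast(series, alpha):
    """One pass of exponential smoothing; forecast[t] uses only values before t."""
    level, forecast = series[0], []
    for value in series:
        forecast.append(level)                  # prediction made before seeing `value`
        level = alpha * value + (1 - alpha) * level
    return forecast


def residual_training_set(labels, alpha, lags=2):
    """Rows of (lagged labels, label - forecast) for a regressor such as GBDT."""
    forecast = smooth_forecast(labels, alpha)
    return [(labels[t - lags:t], labels[t] - forecast[t])
            for t in range(lags, len(labels))]


if __name__ == "__main__":
    labels = bag_labels(SAMPLES, window=60)
    for features, target in residual_training_set(labels, alpha=0.5):
        print(features, target)
```

A large positive residual marks a bag whose attack ratio rose well above what the smoothed history predicted, which is the signal the regression model is trained to anticipate.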
CN201910201214.8A 2019-03-18 2019-03-18 Attack prediction method and device based on time sequence and storage medium Active CN109951476B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910201214.8A CN109951476B (en) 2019-03-18 2019-03-18 Attack prediction method and device based on time sequence and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910201214.8A CN109951476B (en) 2019-03-18 2019-03-18 Attack prediction method and device based on time sequence and storage medium

Publications (2)

Publication Number Publication Date
CN109951476A true CN109951476A (en) 2019-06-28
CN109951476B CN109951476B (en) 2021-06-22

Family

ID=67010035

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910201214.8A Active CN109951476B (en) 2019-03-18 2019-03-18 Attack prediction method and device based on time sequence and storage medium

Country Status (1)

Country Link
CN (1) CN109951476B (en)

Also Published As

Publication number Publication date
CN109951476B (en) 2021-06-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant