CN109951476A - Time-series-based attack prediction method, apparatus and storage medium
- Publication number: CN109951476A (application CN201910201214.8A)
- Authority: CN (China)
- Legal status: Granted
Abstract
An embodiment of the invention discloses a time-series-based attack prediction method, apparatus and storage medium, relating to the field of network security. The method comprises: sub-packaging sample data in chronological order and extracting features of the bag data; taking the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data; performing time-series analysis on the features of the bag data to obtain periodic features of the bag data; performing exponential smoothing at least once on the periodic features of the bag data to obtain a periodic predicted value of the bag data; and training an attack prediction model based on the sample label value of the bag data and the periodic predicted value. The invention can improve the efficiency of attack detection.
Description
Technical field
The present invention relates to the field of network security, and in particular to a time-series-based attack prediction method, apparatus and storage medium.
Background art
With the rapid development of computer network technology, network technology is widely used in every field. While computer networks bring convenience and benefits to people, network attacks also pose a great challenge to information security.
To defend against network attacks, an intrusion detection system can be added at the point of network data access. Current intrusion detection systems mainly model network traffic features and use a classification algorithm to decide whether an attack has occurred and what class of attack it is. This strategy can detect independent security events, but in practice attacks are often temporally correlated, especially large-scale automated attacks that break out within a short time. In that case, detecting attacks independently leads to low attack detection efficiency.
Summary of the invention
Embodiments of the present invention provide a time-series-based attack prediction method, apparatus and storage medium that can improve the efficiency of attack detection.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions.
In a first aspect, an embodiment of the present invention provides a time-series-based attack prediction method, comprising:
Sub-packaging sample data in chronological order, and extracting features of the bag data;
Taking the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
Performing time-series analysis on the features of the bag data to obtain periodic features of the bag data;
Performing exponential smoothing at least once on the periodic features of the bag data to obtain a periodic predicted value of the bag data;
Training an attack prediction model based on the sample label value of the bag data and the periodic predicted value.
With reference to the first aspect, in a first possible implementation of the first aspect, the method further comprises:
Inputting data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, where the label prediction value of the data to be detected characterizes the predicted ratio between positive samples and negative samples in the data to be detected.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the method further comprises:
Adjusting a data filtering rule based on the label prediction value of the data to be detected;
In response to the adjusted data filtering rule being satisfied, determining that the data to be detected is attack data, and discarding the attack data.
With reference to the first aspect, in a third possible implementation of the first aspect, training the attack prediction model based on the sample label value of the bag data and the periodic predicted value comprises:
Using the difference between the sample label value of the bag data and the periodic predicted value as the training data of the attack prediction model, and iteratively training the attack prediction model; where the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
With reference to the first aspect, in a fourth possible implementation of the first aspect, sub-packaging the sample data in chronological order and extracting the features of the bag data comprises:
Converting the features of the sample data into the features of the bag data by means of prototype clustering; where the prototype clustering includes a Gaussian mixture model.
In a second aspect, an embodiment of the present invention provides a time-series-based attack prediction apparatus, comprising:
An extraction module, configured to sub-package sample data in chronological order and extract features of the bag data;
A labeling module, configured to take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
An analysis module, configured to perform time-series analysis on the features of the bag data to obtain periodic features of the bag data;
A processing module, configured to perform exponential smoothing at least once on the periodic features of the bag data to obtain a periodic predicted value of the bag data;
A training module, configured to train an attack prediction model based on the sample label value of the bag data and the periodic predicted value.
With reference to the second aspect, in a first possible implementation of the second aspect, the apparatus further comprises:
A prediction module, configured to input data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, where the label prediction value of the data to be detected characterizes the predicted ratio between positive samples and negative samples in the data to be detected.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the apparatus further comprises:
An adjustment module, configured to adjust a data filtering rule based on the label prediction value of the data to be detected;
A discard module, configured to determine, in response to the adjusted data filtering rule being satisfied, that the data to be detected is attack data, and to discard the attack data.
With reference to the second aspect, in a third possible implementation of the second aspect,
The training module is further configured to use the difference between the sample label value of the bag data and the periodic predicted value as the training data of the attack prediction model, and to iteratively train the attack prediction model; where the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
With reference to the second aspect, in a fourth possible implementation of the second aspect,
The extraction module is further configured to convert the features of the sample data into the features of the bag data by means of prototype clustering; where the prototype clustering includes a Gaussian mixture model.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, characterized in that the steps of the method provided in the first aspect are implemented when the program is executed by a processor.
The time-series-based attack prediction method, apparatus and storage medium provided by the embodiments of the present invention sub-package sample data in chronological order and extract features of the bag data; take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data; perform time-series analysis on the features of the bag data to obtain periodic features of the bag data; perform exponential smoothing at least once on the periodic features of the bag data to obtain a periodic predicted value of the bag data; and train an attack prediction model based on the sample label value of the bag data and the periodic predicted value. Subsequent network intrusion events or security events that may occur in the network can be predicted from the trend of the current traffic, and defence rules are modified automatically based on the prediction result. This achieves better awareness of the network situation, reduces the false-alarm rate and the cost of manual intervention, and improves the efficiency of attack detection.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. The drawings described below are evidently only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the time-series-based attack prediction method of an embodiment of the present invention;
Fig. 2 is another flow diagram of the time-series-based attack prediction method of an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of the time-series-based attack prediction apparatus of an embodiment of the present invention;
Fig. 4 is another structural schematic diagram of the time-series-based attack prediction apparatus of an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of the time-series-based attack prediction apparatus 500 of an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are evidently only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
One embodiment of the invention provides a time-series-based attack prediction method. As shown in Fig. 1, the method comprises:
101. Sub-package sample data in chronological order, and extract features of the bag data.
In this embodiment, step 101 may specifically be: converting the features of the sample data into the features of the bag data by means of prototype clustering, where the prototype clustering includes a Gaussian mixture model.
102. Take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data.
The number of positive samples and the number of negative samples in the bag data are exact values, so the positive-to-negative sample ratio is an exact value. Using this value as the sample label to train the attack prediction model improves the prediction accuracy of the model.
103. Perform time-series analysis on the features of the bag data to obtain periodic features of the bag data.
In this embodiment, performing time-series analysis on the features of the bag data makes it possible to exploit the temporal correlation among a large number of attack data packets, so that subsequent attack events and/or security events are predicted from changes in the current traffic situation, and defence policies can further be adjusted in advance, before the subsequent network attack arrives.
104. Perform exponential smoothing at least once on the periodic features of the bag data to obtain a periodic predicted value of the bag data.
105. Train an attack prediction model based on the sample label value of the bag data and the periodic predicted value.
In this embodiment, the attack prediction model can be trained iteratively according to the difference between the sample label value of the bag data (i.e. the exact value of the sample itself) and the periodic predicted value (i.e. the value predicted by the attack prediction model) until a preset condition is met, and the attack prediction model is then used as the final prediction model. In this embodiment, the preset condition may be that the average of the differences between the sample label value and the label prediction value of each bag is less than a first preset threshold; and/or that the number of bags for which the difference between the sample label value and the label prediction value is greater than a second preset threshold is less than a third preset threshold.
In this embodiment, multiple adjacent traffic flows can be aggregated for trend analysis, giving a macroscopic prediction of the overall network security situation, so that the defender holds the initiative when facing continuous network attacks and can defend against them effectively. Moreover, compared with the prior art, in which the IDS rules must be adjusted manually on the basis of expert experience after a short-lived large-scale attack breaks out, this embodiment can intelligently adjust rules based on changes in the network situation, which reduces the false-alarm rate and avoids wasted labour cost. Meanwhile, the in-bag data estimation model can accurately characterize the data distribution over a period of time and predict the network situation in real time, reducing the complexity of network situation analysis.
Compared with the prior art, this embodiment can predict subsequent network intrusion events or security events that may occur in the network from the trend of the current traffic, and automatically modifies defence rules based on the prediction result. This achieves better awareness of the network situation, reduces the false-alarm rate and the cost of manual intervention, and improves the efficiency of attack detection.
A further embodiment of the invention provides a time-series-based attack prediction method. As shown in Fig. 2, the method comprises:
201. Convert the features of the sample data into the features of the bag data by means of prototype clustering.
The prototype clustering includes a Gaussian mixture model.
202. Take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data.
203. Perform time-series analysis on the features of the bag data to obtain periodic features of the bag data.
In this embodiment, performing time-series analysis on the features of the bag data makes it possible to exploit the temporal correlation among a large number of attack data packets, so that subsequent attack events and/or security events are predicted from changes in the current traffic situation, and defence policies can further be adjusted in advance, before the subsequent network attack arrives.
204. Perform exponential smoothing at least once on the periodic features of the bag data to obtain a periodic predicted value of the bag data.
205. Use the difference between the sample label value of the bag data and the periodic predicted value as the training data of the attack prediction model, and iteratively train the attack prediction model.
The attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
In this embodiment, the attack prediction model can be trained iteratively according to the difference between the sample label value of the bag data (i.e. the exact value of the sample itself) and the periodic predicted value (the value obtained by prediction with the time smoothing model) until a preset condition is met, and the attack prediction model is then used as the final prediction model. In this embodiment, the preset condition may be that the average of the differences between the sample label value and the label prediction value of each bag is less than a first preset threshold; and/or that the number of bags for which the difference between the sample label value and the label prediction value is greater than a second preset threshold is less than a third preset threshold.
206. Input data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, where the label prediction value of the data to be detected characterizes the predicted ratio between positive samples and negative samples in the data to be detected.
207. Adjust a data filtering rule based on the label prediction value of the data to be detected.
208. In response to the adjusted data filtering rule being satisfied, determine that the data to be detected is attack data, and discard the attack data.
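The flow of steps 201 to 208 as an added Python sketch, not code from the patent. Assumptions: a mean per-sample score stands in for the Gaussian-mixture bag features, the period is a known four bags with one smoothed level per phase, a hand-written stump booster stands in for a GBDT library, the filtering rule is a hypothetical two-level score threshold, and all traffic is constructed.

```python
from statistics import mean

PERIOD = 4    # assumed season length, in bags
ALPHA = 0.5   # assumed smoothing factor

def make_bags(samples, width=10):
    """Steps 201-202: time-ordered bags; label = positives / negatives.
    Assumption: the mean sample score replaces the GMM bag features."""
    grouped = {}
    for ts, score, is_attack in sorted(samples):
        grouped.setdefault(ts // width, []).append((score, is_attack))
    bags = []
    for idx in sorted(grouped):
        rows = grouped[idx]
        pos = sum(1 for _, attack in rows if attack)
        neg = len(rows) - pos
        # max(neg, 1) keeps the ratio finite for a bag with no negatives
        bags.append({"t": idx, "feat": mean(s for s, _ in rows),
                     "label": pos / max(neg, 1)})
    return bags

def periodic_forecasts(labels):
    """Steps 203-204: one exponentially smoothed level per phase (index mod
    PERIOD); assumes contiguous bags. Returns forecasts and final levels."""
    levels, seen, out = {}, [], []
    for t, y in enumerate(labels):
        phase = t % PERIOD
        if phase in levels:
            out.append(levels[phase])
        else:  # phase not observed yet: fall back to the running mean
            out.append(mean(seen) if seen else 0.0)
        levels[phase] = ALPHA * y + (1 - ALPHA) * levels.get(phase, y)
        seen.append(y)
    return out, levels

def fit_stump(xs, ys):
    """Least-squares split of a single feature at one threshold."""
    best = None
    for thr in sorted(set(xs))[:-1]:
        left = [y for x, y in zip(xs, ys) if x <= thr]
        right = [y for x, y in zip(xs, ys) if x > thr]
        lm, rm = mean(left), mean(right)
        err = sum((y - lm) ** 2 for y in left) + sum((y - rm) ** 2 for y in right)
        if best is None or err < best[0]:
            best = (err, thr, lm, rm)
    if best is None:  # constant feature: predict the mean everywhere
        return xs[0], mean(ys), mean(ys)
    return best[1:]

def fit_gbdt(xs, residuals, rounds=20, rate=0.5):
    """Step 205: boost stumps on (label - periodic forecast), squared loss."""
    stumps, rest = [], list(residuals)
    for _ in range(rounds):
        thr, lm, rm = fit_stump(xs, rest)
        stumps.append((thr, rate * lm, rate * rm))
        rest = [r - (rate * lm if x <= thr else rate * rm)
                for x, r in zip(xs, rest)]
    return stumps

def predict_residual(stumps, x):
    return sum(lo if x <= thr else hi for thr, lo, hi in stumps)

def train(samples):
    bags = make_bags(samples)
    forecasts, levels = periodic_forecasts([b["label"] for b in bags])
    residuals = [b["label"] - f for b, f in zip(bags, forecasts)]
    stumps = fit_gbdt([b["feat"] for b in bags], residuals)
    return {"levels": levels, "stumps": stumps}, bags, forecasts

def predict_ratio(model, t, feat):
    """Step 206: predicted positive/negative ratio for the bag at index t."""
    base = model["levels"].get(t % PERIOD, 0.0)
    return max(0.0, base + predict_residual(model["stumps"], feat))

def adjusted_threshold(ratio, normal=0.95, strict=0.5, trigger=0.5):
    """Step 207 (hypothetical rule): drop at a lower score when the
    predicted attack ratio reaches the trigger."""
    return strict if ratio >= trigger else normal

def filter_bag(model, t, scores):
    """Step 208: return the scores that survive the adjusted rule."""
    thr = adjusted_threshold(predict_ratio(model, t, mean(scores)))
    return [s for s in scores if s < thr]

def constructed_samples():
    """Constructed traffic: 16 ten-second bags, scheduled bursts at phase 3,
    off-schedule bursts in bags 5 and 10. Tuples: (time, score, is_attack)."""
    out = []
    for bag in range(16):
        n_attack = 6 if bag % PERIOD == 3 or bag in (5, 10) else 1
        for i in range(10):
            out.append((bag * 10 + i, 0.9 if i < n_attack else 0.1, i < n_attack))
    return out

if __name__ == "__main__":
    model, bags, forecasts = train(constructed_samples())
    print(predict_ratio(model, 16, 0.58), filter_bag(model, 16, [0.9] * 6 + [0.1] * 4))
```

In this sketch the booster sees only the bag feature, so it corrects the periodic forecast for bursts that arrive off schedule; the phase itself is carried by the smoothed levels.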
In this embodiment, multiple adjacent traffic flows can be aggregated for trend analysis, giving a macroscopic prediction of the overall network security situation, so that the defender holds the initiative when facing continuous network attacks and can defend against them effectively. Moreover, whereas the prior art requires the IDS rules to be adjusted manually on the basis of expert experience after a short-lived large-scale attack breaks out, this embodiment can intelligently adjust rules based on changes in the network situation, which reduces the false-alarm rate and avoids wasted labour cost. Meanwhile, the in-bag data estimation model can accurately characterize the data distribution and predict the network situation in real time, reducing the complexity of network situation analysis.
Compared with the prior art, this embodiment can predict subsequent network intrusion events or security events that may occur in the network from the trend of the current traffic, and automatically modifies defence rules based on the prediction result. This achieves better awareness of the network situation, reduces the false-alarm rate and the cost of manual intervention, and improves the efficiency of attack detection.
A further embodiment of the invention provides a time-series-based attack prediction apparatus. As shown in Fig. 3, the apparatus comprises:
An extraction module 31, configured to sub-package sample data in chronological order and extract features of the bag data;
A labeling module 32, configured to take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
An analysis module 33, configured to perform time-series analysis on the features of the bag data to obtain periodic features of the bag data;
A processing module 34, configured to perform exponential smoothing at least once on the periodic features of the bag data to obtain a periodic predicted value of the bag data;
A training module 35, configured to train an attack prediction model based on the sample label value of the bag data and the periodic predicted value.
Further, as shown in Fig. 4, the apparatus also comprises:
A prediction module 41, configured to input data to be detected into the attack prediction model to obtain a label prediction value of the data to be detected, where the label prediction value of the data to be detected characterizes the predicted ratio between positive samples and negative samples in the data to be detected.
An adjustment module 42, configured to adjust a data filtering rule based on the label prediction value of the data to be detected;
A discard module 43, configured to determine, in response to the adjusted data filtering rule being satisfied, that the data to be detected is attack data, and to discard the attack data.
The training module 35 is further configured to use the difference between the sample label value of the bag data and the periodic predicted value as the training data of the attack prediction model, and to iteratively train the attack prediction model; where the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
The extraction module 31 is further configured to convert the features of the sample data into the features of the bag data by means of prototype clustering; where the prototype clustering includes a Gaussian mixture model.
In this embodiment, multiple adjacent traffic flows can be aggregated for trend analysis, giving a macroscopic prediction of the overall network security situation, so that the defender holds the initiative when facing continuous network attacks and can defend against them effectively. Moreover, compared with the prior art, in which the IDS rules must be adjusted manually on the basis of expert experience after a short-lived large-scale attack breaks out, this embodiment can intelligently adjust rules based on changes in the network situation, which reduces the false-alarm rate and avoids wasted labour cost. Meanwhile, the in-bag data estimation model can accurately characterize the data distribution and predict the network situation in real time, reducing the complexity of network situation analysis.
Compared with the prior art, this embodiment can predict subsequent network intrusion events or security events that may occur in the network from the trend of the current traffic, and automatically modifies defence rules based on the prediction result. This achieves better awareness of the network situation, reduces the false-alarm rate and the cost of manual intervention, and improves the efficiency of attack detection.
An embodiment of the present invention also provides another computer-readable storage medium. It may be the computer-readable storage medium contained in the memory of the above embodiments, or it may be a computer-readable storage medium that exists on its own and is not assembled into a terminal. The computer-readable storage medium stores one or more programs, which are used by one or more processors to execute the time-series-based attack prediction method provided by the embodiments shown in Fig. 1 and Fig. 2.
The time-series-based attack prediction apparatus provided by the embodiments of the present invention can implement the method embodiments provided above; for the specific functions, refer to the description in the method embodiments, which is not repeated here. The time-series-based attack prediction method, apparatus and storage medium provided by the embodiments of the present invention are applicable to predicting network attacks, but are not limited to this.
As shown in Fig. 5, the time-series-based attack prediction apparatus 500 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a personal digital assistant, and so on.
Referring to Fig. 5, the time-series-based attack prediction apparatus 500 may include one or more of the following components: a processing component 502, a memory 504, a power supply component 506, a multimedia component 508, an audio component 510, an input/output (I/O) interface 512, a sensor component 514 and a communication component 516.
The processing component 502 usually controls the overall operation of the unmanned aerial vehicle (UAV) control device 500, such as operations associated with display, telephone calls, data communication, camera operation and recording. The processing component 502 may include one or more processors 520 to execute instructions.
In addition, the processing component 502 may include one or more modules that facilitate interaction between the processing component 502 and other components. For example, the processing component 502 may include a multimedia module to facilitate interaction between the multimedia component 508 and the processing component 502.
The memory 504 is configured to store various types of data to support operation of the UAV control device 500. Examples of such data include instructions for any application or method operating on the UAV control device 500, contact data, phone book data, messages, pictures, video and so on. The memory 504 may be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.
The power supply component 506 provides power to the various components of the UAV control device 500. The power supply component 506 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the UAV control device 500.
The multimedia component 508 includes a screen that provides an output interface between the UAV control device 500 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 508 includes a front camera and/or a rear camera. When the UAV control device 500 is in an operation mode, such as a shooting mode or a video mode, the front camera and/or the rear camera can receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capability.
The audio component 510 is configured to output and/or input audio signals. For example, the audio component 510 includes a microphone (MIC), which is configured to receive external audio signals when the UAV control device 500 is in an operation mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in the memory 504 or sent via the communication component 516. In some embodiments, the audio component 510 also includes a loudspeaker for outputting audio signals.
The I/O interface 512 provides an interface between the processing component 502 and peripheral interface modules, which may be a keyboard, a click wheel, buttons and so on. These buttons may include, but are not limited to, a home button, volume buttons, a start button and a lock button.
The sensor component 514 includes one or more sensors that provide status assessments of various aspects of the UAV control device 500. For example, the sensor component 514 can detect the open/closed state of the UAV control device 500 and the relative positioning of components, for example the display and keypad of the UAV control device 500. The sensor component 514 can also detect a change in position of the UAV control device 500 or of one of its components, the presence or absence of user contact with the UAV control device 500, the orientation or acceleration/deceleration of the UAV control device 500, and a change in temperature of the UAV control device 500. The sensor component 514 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor component 514 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor component 514 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor or a temperature sensor.
The communication component 516 is configured to facilitate wired or wireless communication between the UAV control device 500 and other devices. The UAV control device 500 can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination of them. In one exemplary embodiment, the communication component 516 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 516 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
In an exemplary embodiment, the UAV control device 500 may be implemented by one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field-programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components.
The embodiments in this specification are described in a progressive manner. For parts that are the same or similar between embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. The device embodiments in particular are described briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
A person of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (11)
1. An attack prediction method based on timing, characterized by comprising:
performing subpackage processing on sample data in chronological order, and extracting features of the bag data;
taking the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
performing time-series analysis on the features of the bag data to obtain periodic features of the bag data;
performing exponential smoothing at least once on the periodic features of the bag data to obtain a period forecasting value of the bag data;
training an attack prediction model based on the sample label value of the bag data and the period forecasting value.
2. The attack prediction method based on timing according to claim 1, characterized in that the method further comprises:
inputting data to be tested into the attack prediction model to obtain a tag estimation value of the data to be tested, wherein the tag estimation value of the data to be tested characterizes the predicted value of the ratio between positive samples and negative samples in the data to be tested.
3. The attack prediction method based on timing according to claim 2, characterized in that the method further comprises:
adjusting a data filtering rule based on the tag estimation value of the data to be tested;
in response to the data to be tested satisfying the adjusted data filtering rule, determining the data to be tested to be attack data, and discarding the attack data.
4. The attack prediction method based on timing according to claim 1, characterized in that training the attack prediction model based on the sample label value of the bag data and the period forecasting value comprises:
using the difference between the sample label value of the bag data and the period forecasting value as training data of the attack prediction model, and iteratively training the attack prediction model; wherein the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
5. The attack prediction method based on timing according to claim 1, characterized in that performing subpackage processing on the sample data in chronological order and extracting the features of the bag data comprises:
converting the features of the sample data into the features of the bag data by means of prototype clustering; wherein the prototype clustering includes a Gaussian mixture model.
6. An attack prediction device based on timing, characterized by comprising:
an extraction module, configured to perform subpackage processing on sample data in chronological order and extract features of the bag data;
a label module, configured to take the ratio of positive samples to negative samples in the bag data as the sample label value of the bag data;
an analysis module, configured to perform time-series analysis on the features of the bag data to obtain periodic features of the bag data;
a processing module, configured to perform exponential smoothing at least once on the periodic features of the bag data to obtain a period forecasting value of the bag data;
a training module, configured to train an attack prediction model based on the sample label value of the bag data and the period forecasting value.
7. The attack prediction device based on timing according to claim 6, characterized in that the device further comprises:
a prediction module, configured to input data to be tested into the attack prediction model to obtain a tag estimation value of the data to be tested, wherein the tag estimation value of the data to be tested characterizes the predicted value of the ratio between positive samples and negative samples in the data to be tested.
8. The attack prediction device based on timing according to claim 7, characterized in that the device further comprises:
an adjustment module, configured to adjust a data filtering rule based on the tag estimation value of the data to be tested;
a discard module, configured to, in response to the data to be tested satisfying the adjusted data filtering rule, determine the data to be tested to be attack data and discard the attack data.
9. The attack prediction device based on timing according to claim 6, characterized in that
the training module is further configured to use the difference between the sample label value of the bag data and the period forecasting value as training data of the attack prediction model, and to iteratively train the attack prediction model; wherein the attack prediction model includes a gradient boosting decision tree (GBDT) regression model.
10. The attack prediction device based on timing according to claim 6, characterized in that
the extraction module is further configured to convert the features of the sample data into the features of the bag data by means of prototype clustering; wherein the prototype clustering includes a Gaussian mixture model.
11. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method of claims 1-5.
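The training flow of claims 1 and 4, sketched as an added example (this is not code from the patent): time-ordered bags, positive/negative ratio labels, an exponentially smoothed periodic forecast, and a boosted regressor trained on the difference between label and forecast. Assumptions: all function names are hypothetical, positive samples are attack samples, the cycle length is known (2 bags), bag size stands in for the clustered bag features, and single-feature boosted stumps stand in for a full GBDT regression model.

```python
from collections import defaultdict

def make_bags(samples, width):
    """Split (timestamp, is_attack) samples into time-ordered bags; return
    (bag_size, label) per bag, with label = positives / negatives."""
    counts = defaultdict(lambda: [0, 0])              # bag index -> [neg, pos]
    for ts, is_attack in samples:
        counts[ts // width][int(is_attack)] += 1
    # Assumption: a bag with no negative samples divides by 1 instead of 0.
    return [(n + p, p / max(n, 1)) for _, (n, p) in sorted(counts.items())]

def period_forecast(labels, period, alpha=0.5):
    """One-step-ahead forecast per bag: one pass of exponential smoothing
    over the labels seen at the same phase of an assumed known cycle."""
    level, out = {}, []
    for i, x in enumerate(labels):
        out.append(level.get(i % period, x))          # forecast made before seeing x
        level[i % period] = alpha * x + (1 - alpha) * out[-1]
    return out

def fit_stumps(xs, ys, rounds=20, lr=0.5):
    """Squared-loss gradient boosting with depth-1 trees on one feature."""
    stumps, resid = [], list(ys)
    for _ in range(rounds):
        best = None
        for thr in sorted(set(xs))[1:]:               # candidate split points
            side = [[r for x, r in zip(xs, resid) if (x >= thr) == s] for s in (False, True)]
            lm, rm = (sum(g) / len(g) for g in side)
            sse = sum((r - m) ** 2 for g, m in zip(side, (lm, rm)) for r in g)
            if best is None or sse < best[0]:
                best = (sse, thr, lr * lm, lr * rm)
        if best is None:
            break
        stumps.append(best[1:])
        resid = [r - predict([best[1:]], x) for x, r in zip(xs, resid)]
    return stumps

def predict(stumps, x):
    return sum(hi if x >= thr else lo for thr, lo, hi in stumps)

def run_demo():
    # Constructed traffic: six 10-second bags, (benign, attack) counts per bag.
    spec = [(4, 1), (2, 2), (4, 1), (2, 4), (4, 2), (2, 6)]
    samples = [(10 * b + j, j >= n) for b, (n, p) in enumerate(spec) for j in range(n + p)]
    sizes, labels = zip(*make_bags(samples, 10))
    base = period_forecast(labels, period=2)
    model = fit_stumps(sizes, [y - f for y, f in zip(labels, base)])  # train on the difference
    return list(labels), base, [f + predict(model, s) for f, s in zip(base, sizes)]
```

`run_demo()` returns the bag labels, the forecast-only values and the forecast plus learned correction, so the effect of training on the difference can be compared bag by bag.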
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910201214.8A CN109951476B (en) | 2019-03-18 | 2019-03-18 | Attack prediction method and device based on time sequence and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109951476A (en) | 2019-06-28 |
CN109951476B (en) | 2021-06-22 |
Family
ID=67010035
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910201214.8A Active CN109951476B (en) | 2019-03-18 | 2019-03-18 | Attack prediction method and device based on time sequence and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109951476B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090292215A1 (en) * | 2003-05-15 | 2009-11-26 | Widemed Ltd | Sleep quality indicators |
CN1770699A (en) * | 2004-11-01 | 2006-05-10 | 中兴通讯股份有限公司 | Network safety pre-warning method |
CN107667505A (en) * | 2015-06-05 | 2018-02-06 | 思科技术公司 | System for monitoring and managing data center |
CN107316198A (en) * | 2016-04-26 | 2017-11-03 | 阿里巴巴集团控股有限公司 | Account risk identification method and device |
CN108900542A (en) * | 2018-08-10 | 2018-11-27 | 海南大学 | Ddos attack detection method and device based on LSTM prediction model |
Non-Patent Citations (1)
Title |
---|
陈兴蜀 et al.: "Network security and intelligence analysis based on big data", 《工程科学与技术》 * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110732139A (en) * | 2019-10-25 | 2020-01-31 | 腾讯科技(深圳)有限公司 | Training method of detection model and detection method and device of user data |
CN110732139B (en) * | 2019-10-25 | 2024-03-05 | 腾讯科技(深圳)有限公司 | Training method of detection model and detection method and device of user data |
CN111181923A (en) * | 2019-12-10 | 2020-05-19 | 中移(杭州)信息技术有限公司 | Flow detection method and device, electronic equipment and storage medium |
CN111277606A (en) * | 2020-02-10 | 2020-06-12 | 北京邮电大学 | Detection model training method, detection method and device, and storage medium |
CN111935137A (en) * | 2020-08-08 | 2020-11-13 | 詹能勇 | Communication information processing method based on big data and artificial intelligence and cloud computing platform |
CN111935137B (en) * | 2020-08-08 | 2021-04-30 | 吕梁市经开区信息化投资建设有限公司 | Communication information processing method based on big data and artificial intelligence and cloud computing platform |
CN112650057A (en) * | 2020-11-13 | 2021-04-13 | 西北工业大学深圳研究院 | Unmanned aerial vehicle model prediction control method based on anti-spoofing attack security domain |
CN112650057B (en) * | 2020-11-13 | 2022-05-20 | 西北工业大学深圳研究院 | Unmanned aerial vehicle model prediction control method based on anti-spoofing attack security domain |
CN113691505A (en) * | 2021-08-05 | 2021-11-23 | 黎阳 | Industrial internet intrusion detection method based on big data |
CN115695046A (en) * | 2022-12-28 | 2023-02-03 | 广东工业大学 | Network intrusion detection method based on reinforcement ensemble learning |
Also Published As
Publication number | Publication date |
---|---|
CN109951476B (en) | 2021-06-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||