CN110062011A - DDoS attack detection method and device based on V-SVM - Google Patents


Publication number
CN110062011A
Authority
CN
China
Legal status
Pending
Application number
CN201910461918.9A
Other languages
Chinese (zh)
Inventor
唐湘滟
程杰仁
黄梦醒
曹瑞
段玉聪
涂文轩
Current Assignee
Hainan University
Original Assignee
Hainan University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the present invention provides a DDoS attack detection method and device based on V-SVM, belonging to the field of communication technology. The method includes: collecting multiple historical network traffic data samples and calculating the nine-tuple NSAF feature of each network traffic data sample; normalizing the nine-tuple NSAF features and reducing the dimensionality of the normalized nine-tuple NSAF features using PCA to obtain a training set; constructing a V-SVM classification model and training it with the training set to obtain the optimal Lagrange multiplier; and deriving a decision function from the optimal Lagrange multiplier and using the decision function to judge whether a DDoS attack is occurring on the current network. Compared with prior-art methods of detecting DDoS attacks, the present invention improves accuracy, reduces the false alarm rate, and also improves the stability and timeliness of attack detection.

Description

DDoS attack detection method and device based on V-SVM
Technical field
The present invention relates to the field of communication technology, and in particular to a DDoS attack detection method and device based on V-SVM.
Background art
A DDoS (Distributed Denial of Service) attack is an attack technique that hackers currently use frequently and that is difficult to defend against. A DDoS attack can launch a large-scale network attack through a botnet, sending a large number of requests to the target system within a certain period of time, which multiplies the power of a denial-of-service attack and poses a huge threat to network security.
In the prior art, Ferreira et al. in 2012 proposed an attribute selection method based on Renyi and Tsallis entropy, assessing the merits of Renyi and Tsallis entropy by comparison with Shannon entropy so as to obtain the best attribute subset for distinguishing normal flows from attack flows; Karnwal et al. in 2012 converted a one-dimensional time series into a multidimensional AR model parameter time series and used a support vector machine to learn and classify the data flows; Arabia Latif et al. in 2015, addressing the influence of noise on accuracy when sensors generate data, proposed an enhanced decision tree algorithm to detect the occurrence of DDoS attacks in a cloud-assisted setting; Park et al. in 2016 used a method based on probability analysis for anomalous data detection and proposed a detection method for traffic flooding attacks.
While studying DDoS attack detection methods, the present inventors found that prior-art DDoS attack detection methods have high false alarm and missed detection rates and poor timeliness.
Summary of the invention
The purpose of the present application is to provide a DDoS attack detection method and device based on V-SVM, so as to solve some or all of the problems of the prior art.
To achieve the above purpose, in one aspect the application provides a DDoS attack detection method based on V-SVM. The method includes: collecting multiple historical network traffic data samples and calculating the nine-tuple NSAF feature of each network traffic data sample; normalizing the nine-tuple NSAF features, and reducing the dimensionality of the normalized nine-tuple NSAF features using PCA to obtain a training set; constructing a V-SVM classification model and training the V-SVM classification model with the training set to obtain the optimal Lagrange multiplier; and deriving a decision function from the optimal Lagrange multiplier and using the decision function to judge whether a DDoS attack is occurring on the current network.
In one embodiment, the nine-tuple NSAF feature of a network traffic data sample is:
NSAF = (A, S, L, N, J, R, P, Y, C)
where feature A is the number of connections that have the same target host as the current connection; feature S is the number of connections that have the same service as the current connection; feature L is the ratio of the number of "SYN" error connections to the same target host to feature A; feature N is the ratio of the number of "SYN" error connections to the same service to feature S; feature J is the ratio of the number of "REJ" error connections to the same target host to feature A; feature R is the ratio of the number of "REJ" error connections to the same service to feature S; feature P is the ratio of the number of connections that have the same service as the current connection to feature A; feature Y is the ratio of the number of connections that have a different service from the current connection to feature A; and feature C is the ratio of the number of connections that have a different target host from the current connection to feature S.
In one embodiment, the step of normalizing the nine-tuple NSAF features and reducing the dimensionality of the normalized nine-tuple NSAF features using PCA, obtaining an m-tuple composite index as the training set, includes: first, normalizing the nine-tuple NSAF features by Min-Max standardization; second, building the covariance matrix of the normalized nine-tuple NSAF features; third, calculating the eigenvalues and eigenvectors of the covariance matrix; fourth, calculating the variance contribution rate of each eigenvalue, sorting all variance contribution rates in descending order, and calculating the cumulative variance contribution rate; fifth, when the cumulative variance contribution rate of the first m eigenvalues is greater than 85%, selecting the corresponding m features from the nine-tuple NSAF features to obtain an m-tuple composite index as the training set, where $m < 9$ and $m \in N^+$.
In one embodiment, the step of constructing the V-SVM classification model and training the V-SVM classification model with the training set to obtain the optimal Lagrange multiplier includes: first, constructing the V-SVM initial classification model; second, constructing the V-SVM dual classification model based on the KKT conditions; third, obtaining the optimal Lagrange multiplier according to the preset parameter V and the preset kernel function.
In one embodiment, the step of deriving the decision function from the optimal Lagrange multiplier includes: calculating, from the optimal Lagrange multiplier, the idealized maximum classification margin and the constant term of the decision function; and substituting the maximum classification margin and the constant term into the V-SVM initial classification model to obtain the decision function.
To achieve the above purpose, in another aspect the application provides a DDoS attack detection device based on V-SVM. The device includes a memory and a processor; the memory stores a computer program which, when executed by the processor, implements the above DDoS attack detection method based on V-SVM.
Thus, by providing a DDoS attack detection method and device based on V-SVM, the present invention solves some or all of the problems of the prior art. Compared with prior-art methods of detecting DDoS attacks, it improves accuracy, reduces the false alarm rate, and also improves the stability and timeliness of attack detection.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the DDoS attack detection method based on V-SVM provided by an embodiment of the present invention;
Fig. 2 is a structural schematic diagram of the DDoS attack detection device based on V-SVM provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of the DDoS attack detection method based on V-SVM provided by an embodiment of the present invention.
S101: collect multiple historical network traffic data samples and calculate the nine-tuple NSAF feature of each network traffic data sample.
In this embodiment, the historical network traffic data samples come from 9 weeks of network traffic collected in 1999 by the Massachusetts Institute of Technology (MIT) laboratory. The present invention takes the first 7 weeks of historical network traffic data, which contain normal flows and attack flows, and randomly draws 5 samples whose sizes are, in turn, 1000, 2500, 5000, 10000 and 20000 records.
The nine-tuple NSAF feature of a network traffic data sample is:
NSAF = (A, S, L, N, J, R, P, Y, C)
where feature A is the number of connections that have the same target host as the current connection; feature S is the number of connections that have the same service as the current connection; feature L is the ratio of the number of "SYN" error connections to the same target host to feature A; feature N is the ratio of the number of "SYN" error connections to the same service to feature S; feature J is the ratio of the number of "REJ" error connections to the same target host to feature A; feature R is the ratio of the number of "REJ" error connections to the same service to feature S; feature P is the ratio of the number of connections that have the same service as the current connection to feature A; feature Y is the ratio of the number of connections that have a different service from the current connection to feature A; and feature C is the ratio of the number of connections that have a different target host from the current connection to feature S.
Whether an attacker launches a DDoS attack using an IoT botnet or a traditional botnet, in order to achieve the purpose of the attack the attacker necessarily increases the host connection number T and the service connection number S sent to the attack target, which puts features T, S, P, Y and C into an abnormal state. If the attacker uses a TCP Flood or HTTP Flood attack, then besides making features T, S, P, Y and C abnormal, the attack also makes features L, N, J and R abnormal. Therefore, the present invention defines the NSAF nine-tuple and establishes a V-SVM classification model based on NSAF to detect DDoS attacks; this DDoS attack detection method based on V-SVM is difficult for an attacker to bypass.
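The nine features defined above can be computed for every connection over a sliding time window. The following Python code is an added example, not code from the patent: the `Conn` record layout, the flag strings, the constructed sample connections (documentation addresses), the use of a trailing 2-second window and the choice of which subset each ratio is counted over are assumptions.

```python
from collections import deque, namedtuple

# Hypothetical record layout (an assumption of this example): timestamp in
# seconds, destination host, service name and connection-status flag.
Conn = namedtuple("Conn", "ts dst_host service flag")


def _ratio(items, pred, denom):
    """Share of `items` satisfying `pred`, relative to `denom`."""
    return sum(1 for c in items if pred(c)) / denom


def nsaf_vector(cur, recent):
    """NSAF = (A, S, L, N, J, R, P, Y, C) for connection `cur`.

    `recent` holds the connections of the current window and includes
    `cur` itself, so A >= 1 and S >= 1 and no ratio divides by zero.
    """
    same_host = [c for c in recent if c.dst_host == cur.dst_host]
    same_srv = [c for c in recent if c.service == cur.service]
    A, S = len(same_host), len(same_srv)
    L = _ratio(same_host, lambda c: c.flag == "SYN", A)
    N = _ratio(same_srv, lambda c: c.flag == "SYN", S)
    J = _ratio(same_host, lambda c: c.flag == "REJ", A)
    R = _ratio(same_srv, lambda c: c.flag == "REJ", S)
    # Assumption: P and Y are counted among the same-host connections and
    # C among the same-service connections, so each ratio stays in [0, 1].
    P = _ratio(same_host, lambda c: c.service == cur.service, A)
    Y = _ratio(same_host, lambda c: c.service != cur.service, A)
    C = _ratio(same_srv, lambda c: c.dst_host != cur.dst_host, S)
    return (A, S, L, N, J, R, P, Y, C)


def nsaf_series(conns, window=2.0):
    """One NSAF vector per connection; `conns` must be sorted by time."""
    recent, out = deque(), []
    for cur in conns:
        recent.append(cur)
        # Drop connections that are older than the window.
        while cur.ts - recent[0].ts > window:
            recent.popleft()
        out.append(nsaf_vector(cur, recent))
    return out


# Constructed sample: a burst of half-open connections to one web server,
# followed by a single connection after the burst has aged out.
SAMPLE = [
    Conn(0.0, "192.0.2.9", "smtp", "SF"),
    Conn(0.5, "192.0.2.5", "http", "SF"),
    Conn(1.0, "192.0.2.5", "http", "SYN"),
    Conn(1.2, "192.0.2.5", "http", "SYN"),
    Conn(1.4, "192.0.2.5", "ssh", "REJ"),
    Conn(1.6, "192.0.2.7", "http", "SYN"),
    Conn(1.8, "192.0.2.5", "http", "SYN"),
    Conn(4.5, "192.0.2.5", "http", "SF"),
]

if __name__ == "__main__":
    for conn, vec in zip(SAMPLE, nsaf_series(SAMPLE)):
        print(conn.ts, conn.dst_host, conn.service, conn.flag, vec)
```

During the burst the counts A and S and the SYN ratios L and N rise together, and they fall back once the window no longer contains the burst.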
It should be noted that this embodiment is based on the MATLAB R2014a platform, combining the LIBSVM toolbox with the MATLAB language, and implements the DDoS attack detection method based on V-SVM on a computer with a 2.60 GHz Intel Core i5-3230M processor and 4 GB of memory.
S102: normalize the nine-tuple NSAF features, and reduce the dimensionality of the normalized nine-tuple NSAF features using PCA to obtain a training set.
Because samples may contain missing values, singular points or noise, the classification accuracy of the model can be affected. Therefore, the present invention first normalizes the data, which removes the influence of differing dimensions among the data indicators and speeds up gradient descent in finding the optimal solution. Further, for the purposes of data analysis, the present invention uses PCA to reduce the dimensionality of the normalized nine-dimensional sample features, which both achieves the goal of reconstructing the corresponding original high-dimensional vectors and yields more scientific and effective data. The specific steps of S102 are as follows:
First, the nine-tuple NSAF features are normalized by Min-Max standardization.
The present invention applies a linear transformation to the raw data using Min-Max standardization (deviation standardization), mapping the result to [0, 1] or [-1, 1]. The transfer function is as follows:
where max and min are respectively the maximum and minimum values of the training set or test set.
Min-Max standardization reduces the complexity of comparing the various indicators and makes it easier to evaluate the data comprehensively.
Second, the covariance matrix of the normalized nine-tuple NSAF features is built.
Third, the eigenvalues and eigenvectors of the covariance matrix are calculated.
Fourth, the variance contribution rate of each eigenvalue is calculated, all variance contribution rates are sorted in descending order, and the cumulative variance contribution rate is calculated.
Fifth, when the cumulative variance contribution rate of the first m eigenvalues is greater than 85%, the corresponding m features are selected from the nine-tuple NSAF features, giving an m-tuple composite index as the training set T, where $m < 9$ and $m \in N^+$.
$T = \{(x_1, y_1), \ldots, (x_l, y_l)\} \in (X \times Y)^l$
where $x_n \in X = R^D$ indicates that the n-th sample is a normal flow or an attack flow; $y_n \in Y = \{1, -1\}$, $n = 1, \ldots, l$, is the true label of the n-th sample point; and $l$ is the size of the training set.
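The five steps of S102 can be carried out end to end as follows. This Python code is an added example, not code from the patent (whose embodiment uses MATLAB): the function names and the constructed sample vectors are assumptions, the eigen-decomposition uses the Jacobi rotation method as a stand-in for a library routine, and the "m features" are taken to be the projections onto the m leading principal components.

```python
import math


def min_max_normalize(rows):
    """Min-Max scaling of each column to [0, 1]; a constant column maps to 0."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(x - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0
             for j, x in enumerate(r)] for r in rows]


def covariance(rows):
    """Return (sample covariance matrix, mean-centred rows)."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    centred = [[r[j] - mean[j] for j in range(d)] for r in rows]
    cov = [[sum(c[i] * c[j] for c in centred) / (n - 1) for j in range(d)]
           for i in range(d)]
    return cov, centred


def jacobi_eigen(sym, tol=1e-12, max_sweeps=50):
    """Eigenvalues and eigenvectors (columns of v) of a symmetric matrix."""
    d = len(sym)
    a = [row[:] for row in sym]
    v = [[1.0 if i == j else 0.0 for j in range(d)] for i in range(d)]
    for _ in range(max_sweeps):
        off = max((abs(a[p][q]) for p in range(d) for q in range(p + 1, d)),
                  default=0.0)
        if off < tol:
            break
        for p in range(d):
            for q in range(p + 1, d):
                if abs(a[p][q]) < tol:
                    continue
                # Rotation angle that zeroes the off-diagonal entry a[p][q].
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                sign = 1.0 if theta >= 0 else -1.0
                t = sign / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(d):  # rotate columns p and q of a and v
                    a[k][p], a[k][q] = (c * a[k][p] - s * a[k][q],
                                        s * a[k][p] + c * a[k][q])
                    v[k][p], v[k][q] = (c * v[k][p] - s * v[k][q],
                                        s * v[k][p] + c * v[k][q])
                for k in range(d):  # rotate rows p and q of a
                    a[p][k], a[q][k] = (c * a[p][k] - s * a[q][k],
                                        s * a[p][k] + c * a[q][k])
    return [a[i][i] for i in range(d)], v


def pca_training_set(rows, threshold=0.85):
    """Steps one to five of S102: returns (m, cumulative rates, reduced rows)."""
    cov, centred = covariance(min_max_normalize(rows))
    eigvals, eigvecs = jacobi_eigen(cov)
    total = sum(eigvals)
    if total <= 0:
        raise ValueError("every feature is constant; nothing to reduce")
    order = sorted(range(len(eigvals)), key=lambda i: eigvals[i], reverse=True)
    cumulative, running = [], 0.0
    for i in order:
        running += eigvals[i] / total  # variance contribution rate
        cumulative.append(running)
    # Smallest m whose cumulative variance contribution rate exceeds 85 %.
    m = next(k + 1 for k, c in enumerate(cumulative) if c > threshold)
    # Assumption: the m-tuple is the projection onto the m leading components.
    reduced = [[sum(r[j] * eigvecs[j][i] for j in range(len(r)))
                for i in order[:m]] for r in centred]
    return m, cumulative, reduced


# Constructed NSAF vectors (A, S, L, N, J, R, P, Y, C), for illustration only.
SAMPLE = [
    (3, 4, 0.0, 0.0, 0.0, 0.0, 1.0, 0.0, 0.25),
    (2, 2, 0.0, 0.0, 0.5, 0.0, 0.5, 0.5, 0.0),
    (5, 5, 0.6, 0.8, 0.2, 0.0, 0.8, 0.2, 0.2),
    (40, 42, 0.9, 0.9, 0.0, 0.0, 1.0, 0.0, 0.05),
    (80, 85, 1.0, 1.0, 0.0, 0.0, 1.0, 0.0, 0.06),
    (4, 6, 0.0, 0.0, 0.0, 0.25, 0.75, 0.25, 0.3),
]

if __name__ == "__main__":
    m, cumulative, reduced = pca_training_set(SAMPLE)
    print("m =", m, "cumulative =", [round(c, 3) for c in cumulative])
```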
S103: construct a V-SVM classification model and train the V-SVM classification model with the training set to obtain the optimal Lagrange multiplier.
In this embodiment, after network traffic is collected, the NSAF feature vector can be calculated using 2 s as the unit time interval to represent the change in the state of the network flow. V-SVM denotes an SVM (Support Vector Machine) with an added parameter V that controls the number of support vectors and error vectors. The specific steps of S103 are as follows:
First, construct the V-SVM initial classification model.
Substituting the training set T, the initial classification model of V-SVM can be expressed as:
$\text{s.t.}\ y_n((w \cdot x_n) + b) \ge \rho - \xi_n,\ \xi_n \ge 0,$
$n = 1, 2, \ldots, l,\ \rho \ge 0$
Wherein, is the idealized maximum classification margin, is the upper limit on the number of outliers, $\xi_n$ is the classification margin error, and $b$ is the constant term of the decision function.
Second, construct the V-SVM dual classification model based on the KKT conditions.
Provided that the KKT (Karush-Kuhn-Tucker) conditions are satisfied, the initial problem is equivalent to its dual problem. The V-SVM dual classification model can therefore be constructed:
where $\lambda_n$ is the Lagrange multiplier, $K(x_n, x_m)$ is the preset kernel function, and $v$ is the preset parameter.
Third, obtain the optimal Lagrange multiplier according to the preset parameter V and the preset kernel function.
Here, the value of the preset parameter V is an upper bound on the ratio of the number of error sample points to the total number of sample points in the training set, and a lower bound on the ratio of the number of support sample points to the total number of sample points. In this embodiment, the preset optimal parameter is V = 0.2 and the kernel function is the Gaussian kernel function (Radial Basis Function, RBF).
The optimal Lagrange multiplier $\lambda^*$ is obtained:
$\lambda^* = (\lambda_1^*, \ldots, \lambda_l^*)^T$
S104: derive the decision function from the optimal Lagrange multiplier, and use the decision function to judge whether a DDoS attack is occurring on the current network.
In this embodiment, from the optimal Lagrange multiplier $\lambda^*$ obtained in step S103, the parameter of the idealized maximum classification margin and the constant term of the decision function are calculated; the specific formulas are as follows:
Further, substituting the maximum classification margin parameter $w^*$ and the constant term $b^*$ into the initial classification model of V-SVM yields the decision function (i.e. the optimal hyperplane in the high-dimensional feature space):
Further, the decision function f(z) can be used to judge whether a DDoS attack is occurring on the current network.
In this embodiment, from the 9 weeks of network traffic collected by the Massachusetts Institute of Technology (MIT) laboratory in 1999, the present invention took the last 2 weeks of mixed traffic containing normal traffic, known attacks and unknown attacks, and randomly drew samples whose sizes are, in turn, 200, 500, 1000, 2000 and 4000 records as test sets. The data in the test sets were classified with the decision function provided by the invention; the classification results are shown in Table 1.
Table 1: V-SVM classification results based on the RBF kernel function
In addition, to fully demonstrate the progress of the present invention over the prior art, the same data can be used to train and test, respectively, the prior-art C-SVM classification model based on the RBF kernel function and the C-SVM classification model based on grid search; their classification results on the test sets are shown in Table 2 and Table 3 respectively. A performance summary of the present invention and the other two classification models can be found in Table 4.
Table 2: C-SVM classification results based on the RBF kernel function
Table 3: C-SVM classification results based on grid search
Table 4: Performance summary of the three classification models
Thus, by providing a DDoS attack detection method and device based on V-SVM, the present invention solves some or all of the problems of the prior art. Compared with prior-art methods of detecting DDoS attacks, it improves accuracy and reduces the false alarm rate; compared with the other two methods, it both avoids the excessive running time of grid search and raises the detection rate while lowering the false alarm rate, improving the stability and timeliness of DDoS attack detection.
Fig. 2 is a structural schematic diagram of the DDoS attack detection device based on V-SVM provided by an embodiment of the present invention.
In this embodiment, the DDoS attack detection device based on V-SVM includes a memory and a processor; the memory stores a computer program which, when executed by the processor, implements the above DDoS attack detection method based on V-SVM. Its implementation principle and technical effects have been discussed above and are not repeated here.
From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware. On this understanding, the above technical solution, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The software product for detecting DDoS attacks based on V-SVM can be stored in a server-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a server to execute the methods described in each embodiment or in certain parts of an embodiment.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the present invention.

Claims (6)

1. A DDoS attack detection method based on V-SVM, characterized in that the method includes:
collecting multiple historical network traffic data samples and calculating the nine-tuple NSAF feature of each network traffic data sample;
normalizing the nine-tuple NSAF features, and reducing the dimensionality of the normalized nine-tuple NSAF features using PCA to obtain a training set;
constructing a V-SVM classification model and training the V-SVM classification model with the training set to obtain the optimal Lagrange multiplier;
deriving a decision function from the optimal Lagrange multiplier, and using the decision function to judge whether a DDoS attack is occurring on the current network.
2. The method of claim 1, characterized in that the nine-tuple NSAF feature of the network traffic data sample is:
NSAF = (A, S, L, N, J, R, P, Y, C)
where feature A is the number of connections that have the same target host as the current connection; feature S is the number of connections that have the same service as the current connection; feature L is the ratio of the number of "SYN" error connections to the same target host to feature A; feature N is the ratio of the number of "SYN" error connections to the same service to feature S; feature J is the ratio of the number of "REJ" error connections to the same target host to feature A; feature R is the ratio of the number of "REJ" error connections to the same service to feature S; feature P is the ratio of the number of connections that have the same service as the current connection to feature A; feature Y is the ratio of the number of connections that have a different service from the current connection to feature A; and feature C is the ratio of the number of connections that have a different target host from the current connection to feature S.
3. The method of claim 1, characterized in that the step of normalizing the nine-tuple NSAF features and reducing the dimensionality of the normalized nine-tuple NSAF features using PCA, obtaining an m-tuple composite index as the training set, includes:
first, normalizing the nine-tuple NSAF features by Min-Max standardization;
second, building the covariance matrix of the normalized nine-tuple NSAF features;
third, calculating the eigenvalues and eigenvectors of the covariance matrix;
fourth, calculating the variance contribution rate of each eigenvalue, sorting all variance contribution rates in descending order, and calculating the cumulative variance contribution rate;
fifth, when the cumulative variance contribution rate of the first m eigenvalues is greater than 85%, selecting the corresponding m features from the nine-tuple NSAF features to obtain an m-tuple composite index as the training set, where $m < 9$ and $m \in N^+$.
4. The method of claim 1, characterized in that the step of constructing the V-SVM classification model and training the V-SVM classification model with the training set to obtain the optimal Lagrange multiplier includes:
first, constructing the V-SVM initial classification model;
second, constructing the V-SVM dual classification model based on the KKT conditions;
third, obtaining the optimal Lagrange multiplier according to the preset parameter V and the preset kernel function.
5. The method of claim 1, characterized in that the step of deriving the decision function from the optimal Lagrange multiplier includes:
calculating, from the optimal Lagrange multiplier, the idealized maximum classification margin parameter and the constant term of the decision function;
substituting the maximum classification margin and the constant term into the V-SVM initial classification model to obtain the decision function.
6. A DDoS attack detection device based on V-SVM, characterized in that the device includes a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the DDoS attack detection method based on V-SVM of any one of claims 1 to 5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910461918.9A CN110062011A (en) 2019-05-30 2019-05-30 Ddos attack detection method and device based on V-SVM

Publications (1)

Publication Number Publication Date
CN110062011A true CN110062011A (en) 2019-07-26

Family

ID=67325137


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190726

RJ01 Rejection of invention patent application after publication