CN110138787A - Abnormal traffic detection method and system based on a hybrid neural network - Google Patents


Publication number
CN110138787A
Authority
CN
China
Prior art keywords
data
neural networks
traffic detection
network
network flow
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910416314.2A
Other languages
Chinese (zh)
Inventor
郭文忠
连鸿飞
张�浩
谢麟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fuzhou University
Original Assignee
Fuzhou University


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The present invention relates to an abnormal traffic detection method and system based on a hybrid neural network. Network traffic data is first collected, and feature extraction and data preprocessing are carried out at the granularity of a network flow. The spatial features in the network traffic data are then learned by a convolutional neural network. These features, which contain spatial information, are then input to a bidirectional long short-term memory network, which further learns their temporal features. Finally, the detection result is output. Compared with current machine learning and deep learning abnormal traffic detection methods, the present invention can better mine high-dimensional features and improve the accuracy of the intrusion detection model. The design is reasonable, and the resulting classification model has higher precision, detection rate and accuracy.

Description

An abnormal traffic detection method and system based on a hybrid neural network
Technical field
The present invention relates to the field of computer network security technology, and in particular to an abnormal traffic detection method and system based on a hybrid neural network.
Background
As an effective means of network intrusion detection, network traffic anomaly detection can not only detect unknown network attacks but also provide important support for network situation awareness. Abnormal network traffic has a considerable impact on network availability and can even prevent users from accessing the Internet normally. Abnormal network traffic has two main causes. The first is network performance: abnormal traffic caused by an unreasonable network topology design or improper user operation, such as a network policy set improperly by the network administrator or a network equipment failure. The second is network security: abnormal traffic caused by malicious network attacks, such as denial-of-service attacks (DoS), remote access attacks (R2L) and probe attacks (Probe). Abnormal network traffic with a security cause is the current focus of research and detection.
Traditional machine learning methods are shallow learning methods, mainly including support vector machines, decision trees, random forests and k-means. They cannot effectively learn the high-dimensional features in network traffic data, so their intrusion detection accuracy is low and their false alarm rate is high. Existing deep learning models for intrusion detection use only part of the features in network traffic data and therefore have certain limitations.
Summary of the invention
In view of this, the purpose of the present invention is to propose an abnormal traffic detection method and system based on a hybrid neural network that combines the spatial features and the temporal features in network traffic data, effectively improving the detection rate of the model and reducing the false alarm rate.
The present invention is realized by the following scheme: an abnormal traffic detection method based on a hybrid neural network, comprising an offline training stage and a real-time detection stage;
The offline training stage specifically: collect traffic data and extract features at the granularity of a network flow, label the data, generate a training set after data preprocessing, and obtain the abnormal traffic detection model through multiple rounds of model training;
The real-time detection stage specifically: collect the traffic data within a fixed time window and extract features at the granularity of a network flow, preprocess the data and input it into the trained abnormal traffic detection model for detection, and handle the traffic differently according to the detection result.
Further, the features extracted from a network flow by the feature extraction in the offline training stage and the real-time detection stage include but are not limited to: the duration of the network flow, the number of bytes sent by the source IP, the number of bytes sent by the destination IP, the number of packets sent by the source IP, the number of packets sent by the destination IP, the number of IP-layer bytes sent by the source IP, and the number of IP-layer bytes sent by the destination IP.
Further, the data preprocessing in the offline training stage and the real-time detection stage comprises the following steps:
Step S11: convert character-type features and attack classes into corresponding decimal values;
Step S12: fill each missing value in the data with the mean of the data of the same class;
Step S13: normalize the data with the max-min method.
Further, the model training specifically comprises the following steps:
Step S21: input the preprocessed training set data into a convolutional neural network (CNN) to extract the spatial features in the network flow;
Step S22: input the data processed in step S21 into a bidirectional long short-term memory network (LSTM) to extract the temporal features in the network flow;
Step S23: input the data processed in step S22 into a softmax classifier and output the final detection result.
Preferably, the present invention also provides a system based on the abnormal traffic detection method described above, comprising a memory and an executor; the memory stores the method instructions of claim 1, and the executor executes the method instructions in the memory at run time.
Specifically, the system of the invention includes the following functional modules:
Network traffic data capture module: collects traffic data from the network link with the tcpdump tool and stores it as a PCAP file, then extracts the features in the traffic data at the granularity of a network flow and generates a traffic feature matrix;
Data preprocessing module: applies preprocessing such as symbolic attribute conversion and attribute normalization to the features extracted by the network traffic data capture module;
Core analysis module: in the offline training stage, the preprocessed traffic feature data is input to train the abnormal traffic detection model based on the hybrid neural network of CNN and bidirectional LSTM. The abnormal traffic detection model includes: a two-class detection model of normal versus abnormal, and a multi-class detection model of normal versus multiple kinds of abnormal. In the real-time detection stage, the preprocessed real-time traffic feature data is input and detected in real time with the abnormal traffic detection model, producing the final detection result;
Emergency response module: receives the final detection result produced by the core analysis module. If the detection result is non-abnormal traffic, the user is informed that there is no abnormal traffic in the network data flow; if the detection result is abnormal traffic, it is handled according to the detected abnormal traffic type, and the sensitive information in the abnormal traffic, such as the source IP address, destination IP and payload information, is displayed to the user.
Compared with the prior art, the invention has the following beneficial effects: compared with several detection methods in the prior art, the present invention has a better detection rate and detection accuracy; the algorithm scales well and is efficient, is suited to the detection pressure brought by the sharp increase in network traffic, and has strong practicability and broad application prospects.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system framework of an embodiment of the present invention.
Fig. 2 is the two-class model for abnormal traffic detection based on the hybrid neural network of an embodiment of the present invention.
Fig. 3 is the multi-class model for abnormal traffic detection based on the hybrid neural network of an embodiment of the present invention.
Fig. 4 is a flow diagram of the emergency response module of an embodiment of the present invention.
Fig. 5 is detection result schematic diagram 1 of an embodiment of the present invention.
Fig. 6 is detection result schematic diagram 2 of an embodiment of the present invention.
Detailed description of the embodiments
The present invention is further described below with reference to the accompanying drawings and embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the application. Unless otherwise indicated, all technical and scientific terms used herein have the same meaning as commonly understood by a person of ordinary skill in the technical field to which the application belongs.
It should be noted that the terms used here are only for describing specific embodiments and are not intended to limit the exemplary embodiments according to the application. As used herein, unless the context clearly indicates otherwise, the singular form is also intended to include the plural form. In addition, it should be understood that when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components and/or combinations thereof.
As shown in Figures 1 to 4, this embodiment provides an abnormal traffic detection method based on a hybrid neural network, comprising an offline training stage and a real-time detection stage;
The offline training stage specifically: collect traffic data and extract features at the granularity of a network flow, label the data, generate a training set after data preprocessing, and obtain the abnormal traffic detection model through multiple rounds of model training;
The real-time detection stage specifically: collect the traffic data within a fixed time window and extract features at the granularity of a network flow, preprocess the data and input it into the trained abnormal traffic detection model for detection, and handle the traffic differently according to the detection result.
In this embodiment, the features extracted from a network flow by the feature extraction in the offline training stage and the real-time detection stage include but are not limited to: the duration of the network flow, the number of bytes sent by the source IP, the number of bytes sent by the destination IP, the number of packets sent by the source IP, the number of packets sent by the destination IP, the number of IP-layer bytes sent by the source IP, and the number of IP-layer bytes sent by the destination IP.
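The flow-granularity feature extraction described above can be sketched as follows. This is an added example, not code from the patent: the `Packet` record, the function names, the use of the first packet to decide which endpoint counts as the source IP, and the reading of "bytes" as on-wire frame length versus "IP-layer bytes" as IP total length are all assumptions, and the packet list is constructed sample data standing in for a parsed PCAP file.

```python
from collections import namedtuple

# One parsed packet: capture timestamp (s), endpoints, protocol, on-wire frame
# length and IP total length. Record and field names are hypothetical.
Packet = namedtuple("Packet", "ts src sport dst dport proto frame_len ip_len")

# The seven per-flow features listed in the description, in matrix column order.
FEATURES = ("duration", "src_bytes", "dst_bytes", "src_pkts", "dst_pkts",
            "src_ip_bytes", "dst_ip_bytes")


def flow_key(p):
    """Direction-independent key so both halves of a conversation share a flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def extract_flows(packets, window_start, window_len):
    """Aggregate the packets of one fixed time window into per-flow records."""
    flows = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if not window_start <= p.ts < window_start + window_len:
            continue  # packet belongs to another detection window
        key = flow_key(p)
        f = flows.get(key)
        if f is None:
            # Assumption: the first packet seen defines the "source IP" side.
            f = flows[key] = dict.fromkeys(FEATURES, 0)
            f.update(src=(p.src, p.sport), dst=(p.dst, p.dport),
                     proto=p.proto, first=p.ts)
        side = "src" if (p.src, p.sport) == f["src"] else "dst"
        f[side + "_bytes"] += p.frame_len
        f[side + "_pkts"] += 1
        f[side + "_ip_bytes"] += p.ip_len
        f["duration"] = round(p.ts - f["first"], 6)
    return list(flows.values())  # first-seen order


def feature_matrix(flows):
    """Traffic feature matrix: one row per flow, one column per feature."""
    return [[f[name] for name in FEATURES] for f in flows]


# Constructed sample capture: one TCP flow, one UDP flow, one late packet.
SAMPLE = [
    Packet(0.00, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 74, 60),
    Packet(0.05, "192.0.2.10", 80, "10.0.0.5", 40000, "tcp", 74, 60),
    Packet(0.10, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 66, 52),
    Packet(0.20, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 200, 186),
    Packet(0.35, "192.0.2.10", 80, "10.0.0.5", 40000, "tcp", 1514, 1500),
    Packet(0.40, "10.0.0.7", 5353, "192.0.2.53", 53, "udp", 90, 76),
    Packet(0.45, "192.0.2.53", 53, "10.0.0.7", 5353, "udp", 150, 136),
    Packet(61.0, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 66, 52),
]

if __name__ == "__main__":
    for row in feature_matrix(extract_flows(SAMPLE, 0.0, 60.0)):
        print(row)
```

A flow that straddles a window boundary is split into two records here; a deployment has to decide whether that is acceptable or whether flow state should carry over between windows.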
In this embodiment, the data preprocessing in the offline training stage and the real-time detection stage comprises the following steps:
Step S11: convert character-type features and attack classes into corresponding decimal values;
Step S12: fill each missing value in the data with the mean of the data of the same class;
Step S13: normalize the data with the max-min method.
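Steps S11 to S13 can be implemented as a fit/transform pair so that real-time detection reuses the statistics learned in offline training. This is an added example, not code from the patent: the class and column names are hypothetical, the rows are constructed, and three behaviours are assumptions the text does not specify (unlabelled live flows are filled with the training-set global mean because their class is unknown, unseen categorical values get the reserved code 0, and live values outside the training range are clipped to [0, 1]).

```python
from statistics import mean


class FlowPreprocessor:
    """S11 encoding, S12 class-mean filling, S13 max-min normalization."""

    def __init__(self, categorical, numeric):
        self.categorical, self.numeric = list(categorical), list(numeric)

    def fit(self, rows, labels):
        # S11: map each character-type value and attack class to an integer.
        # Code 0 is reserved for values never seen in training (assumption).
        self.cat_codes = {
            c: {v: i + 1 for i, v in enumerate(sorted({r[c] for r in rows}))}
            for c in self.categorical}
        self.label_codes = {y: i for i, y in enumerate(sorted(set(labels)))}
        # S12: per-class means, plus a global mean for unlabelled data.
        self.class_mean, self.global_mean = {}, {}
        for col in self.numeric:
            seen = [(r[col], y) for r, y in zip(rows, labels) if r[col] is not None]
            self.global_mean[col] = mean(v for v, _ in seen)
            for y in self.label_codes:
                vals = [v for v, lab in seen if lab == y]
                self.class_mean[(col, y)] = mean(vals) if vals else self.global_mean[col]
        # S13: bounds come from the filled training data only.
        self.bounds = {}
        for col in self.numeric:
            filled = [self._fill(r, col, y) for r, y in zip(rows, labels)]
            self.bounds[col] = (min(filled), max(filled))
        return self

    def _fill(self, row, col, label):
        if row[col] is not None:
            return float(row[col])
        return self.class_mean.get((col, label), self.global_mean[col])

    def transform(self, rows, labels=None):
        labels = labels if labels is not None else [None] * len(rows)
        matrix = []
        for r, y in zip(rows, labels):
            vec = []
            for c in self.categorical:
                codes = self.cat_codes[c]
                vec.append(codes.get(r[c], 0) / len(codes))  # code range 0..n
            for col in self.numeric:
                lo, hi = self.bounds[col]
                v = self._fill(r, col, y)
                # A constant column maps to 0.0; live outliers are clipped.
                vec.append(0.0 if hi == lo else min(1.0, max(0.0, (v - lo) / (hi - lo))))
            matrix.append(vec)
        return matrix

    def encode_labels(self, labels):
        return [self.label_codes[y] for y in labels]


# Constructed labelled training flows (None marks a missing value).
TRAIN = [
    {"proto": "tcp", "duration": 1.0, "src_bytes": 100},
    {"proto": "udp", "duration": 3.0, "src_bytes": None},
    {"proto": "tcp", "duration": None, "src_bytes": 300},
    {"proto": "icmp", "duration": 10.0, "src_bytes": 1000},
    {"proto": "icmp", "duration": None, "src_bytes": 3000},
]
TRAIN_LABELS = ["normal", "normal", "normal", "dos", "dos"]
# Constructed live flow: unseen protocol, missing duration, oversized byte count.
LIVE = [{"proto": "gre", "duration": None, "src_bytes": 50000}]

if __name__ == "__main__":
    pre = FlowPreprocessor(["proto"], ["duration", "src_bytes"]).fit(TRAIN, TRAIN_LABELS)
    print(pre.transform(TRAIN, TRAIN_LABELS))
    print(pre.transform(LIVE))
```

Fitting the bounds and means on live traffic instead would let a single large flow rescale every other feature value in the window, which is why `transform` never updates them.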
In this embodiment, the model training specifically comprises the following steps:
Step S21: input the preprocessed training set data into a convolutional neural network (CNN) to extract the spatial features in the network flow;
Step S22: input the data processed in step S21 into a bidirectional long short-term memory network (LSTM) to extract the temporal features in the network flow;
Step S23: input the data processed in step S22 into a softmax classifier and output the final detection result.
Preferably, this embodiment also provides a system based on the abnormal traffic detection method described above, comprising a memory and an executor; the memory stores the method instructions of claim 1, and the executor executes the method instructions in the memory at run time.
Specifically, the system of this embodiment includes the following functional modules:
Network traffic data capture module: collects traffic data from the network link with the tcpdump tool and stores it as a PCAP file, then extracts the features in the traffic data at the granularity of a network flow and generates a traffic feature matrix;
Data preprocessing module: applies preprocessing such as symbolic attribute conversion and attribute normalization to the features extracted by the network traffic data capture module;
Core analysis module: in the offline training stage, the preprocessed traffic feature data is input to train the abnormal traffic detection model based on the hybrid neural network of CNN and bidirectional LSTM. The abnormal traffic detection model includes: a two-class detection model of normal versus abnormal (as shown in Fig. 2), and a multi-class detection model of normal versus multiple kinds of abnormal (as shown in Fig. 3). In real-time detection, the preprocessed real-time traffic feature data is input and detected in real time with the abnormal traffic detection model, producing the final detection result;
Emergency response module: as shown in Fig. 4, receives the final detection result produced by the core analysis module. If the detection result is non-abnormal traffic, the user is informed that there is no abnormal traffic in the network data flow; if the detection result is abnormal traffic, it is handled according to the detected abnormal traffic type, and the sensitive information in the abnormal traffic, such as the source IP address, destination IP and payload information, is displayed to the user.
Preferably, the convolutional neural network (CNN) is a feedforward neural network whose basic structure consists of an input layer, convolutional layers, pooling layers, fully connected layers and an output layer. The model is generally designed as a combination of several convolutional layers and pooling layers. The fully connected layer is usually used to connect the last 2 layers of nodes and output the final result. The long short-term memory network (LSTM) is a variant of the recurrent neural network (RNN), mainly used to process data with temporal features, and is widely applied in many natural language processing tasks. When an LSTM processes sequence data, the output for each element of the sequence depends not only on the current input but also on the previous state. The LSTM can therefore be regarded as a network with memory, which remembers earlier information and applies it in computing the current output.
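The data path of steps S21 to S23 can be traced with a forward pass written in plain Python. This is an added example, not the patent's model: the layer sizes, the single convolution and pooling layer, the use of the last hidden state of each LSTM direction, and the class and function names are assumptions, and the weights are seeded random values standing in for the result of offline training.

```python
import math
import random


def rand_matrix(rng, rows, cols):
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def conv1d_relu(x, kernels, bias):
    """S21: slide each kernel over the feature vector; one channel per kernel."""
    width = len(kernels[0])
    return [[max(0.0, b + sum(w * x[t + i] for i, w in enumerate(k)))
             for k, b in zip(kernels, bias)]
            for t in range(len(x) - width + 1)]


def max_pool(seq, size=2):
    """Keep the strongest response per channel in each block of `size` steps."""
    return [[max(step[c] for step in seq[i:i + size]) for c in range(len(seq[0]))]
            for i in range(0, len(seq) - size + 1, size)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def lstm_last_hidden(seq, weights, hidden):
    """Run one LSTM direction and return its final hidden state.

    `weights` has 4*hidden rows (input, forget, output gate, candidate); each
    row holds the input weights, the recurrent weights and one bias weight.
    """
    h, c = [0.0] * hidden, [0.0] * hidden
    for x in seq:
        z = [sum(w * v for w, v in zip(row, x + h + [1.0])) for row in weights]
        i = [sigmoid(v) for v in z[:hidden]]
        f = [sigmoid(v) for v in z[hidden:2 * hidden]]
        o = [sigmoid(v) for v in z[2 * hidden:3 * hidden]]
        g = [math.tanh(v) for v in z[3 * hidden:]]
        c = [fj * cj + ij * gj for fj, cj, ij, gj in zip(f, c, i, g)]
        h = [oj * math.tanh(cj) for oj, cj in zip(o, c)]
    return h


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]


class HybridCnnBiLstm:
    def __init__(self, n_filters=4, kernel=3, hidden=3, n_classes=5, seed=0):
        rng = random.Random(seed)  # stand-in for trained weights (assumption)
        self.kernels = rand_matrix(rng, n_filters, kernel)
        self.kbias = [0.0] * n_filters
        self.hidden = hidden
        self.fwd = rand_matrix(rng, 4 * hidden, n_filters + hidden + 1)
        self.bwd = rand_matrix(rng, 4 * hidden, n_filters + hidden + 1)
        self.dense = rand_matrix(rng, n_classes, 2 * hidden + 1)

    def spatial_features(self, x):
        # S21: the pooled CNN output is a short sequence of channel vectors.
        return max_pool(conv1d_relu(x, self.kernels, self.kbias))

    def forward(self, x):
        seq = self.spatial_features(x)
        # S22: read the sequence in both directions and join the two summaries.
        temporal = (lstm_last_hidden(seq, self.fwd, self.hidden)
                    + lstm_last_hidden(seq[::-1], self.bwd, self.hidden))
        # S23: softmax classifier over the classes.
        return softmax([sum(w * v for w, v in zip(row, temporal + [1.0]))
                        for row in self.dense])

    def predict(self, x):
        probs = self.forward(x)
        return probs.index(max(probs))


if __name__ == "__main__":
    flow = [0.0, 0.67, 0.11, 0.03, 1.0, 0.5, 0.25, 0.0]  # constructed, normalized
    print(HybridCnnBiLstm(n_classes=2).forward(flow))
```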
In summary, this embodiment first collects network traffic data and carries out feature extraction and data preprocessing at the granularity of a network flow; it then learns the spatial features in the network traffic data with a convolutional neural network; these features, which contain spatial information, are then input to a bidirectional long short-term memory network, which further learns their temporal features; finally, the detection result is output. Compared with current machine learning and deep learning abnormal traffic detection methods, the present invention can better mine high-dimensional features and improve the accuracy of the intrusion detection model. The system design is reasonable, and the resulting classification model has higher precision, detection rate and accuracy.
This embodiment compares the abnormal traffic detection performance of existing machine learning and deep learning methods with that of the method of this embodiment; see Table 1 and Table 2 in Fig. 5 and Fig. 6.
The present invention carries out simulation experiments on the NSL-KDD data set. In the two-class experiment, KDDTrain+ is used as the training set, and KDDTest+ and KDDTest-21 are used as test sets. Fig. 5 lists the two-class accuracy of this embodiment compared with Tavallaee2009 [reference: Tavallaee M, Bagheri E, Lu W, et al. A detailed analysis of the KDD CUP 99 data set [C] // IEEE International Conference on Computational Intelligence for Security & Defense Applications. 2009: 53-58.], Krömer2011 [reference: Krömer P, Platoš J, Snášel V, et al. Fuzzy classification by evolutionary algorithms [C] // IEEE International Conference on Systems. 2011: 313-318.], Qian2018 [reference: Qian Tieyun, Wang Yi, Zhang Mingming, et al. Intrusion detection method based on deep neural network [J]. Journal of Huazhong University of Science and Technology (Natural Science Edition), 2018, 46 (1): 6-10.] and Yin2017 [reference: Yin Chuanlong, Zhu Yuefei, Fei Jinlong, et al. A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks [J]. IEEE Access, 2017, 5 (99): 21954-21961.]. It can be seen that the accuracy of the method of the present invention is better than that of the other methods, 2.96% and 11.65% higher than Yin2017, the best of them. In the multi-class experiment, KDDTrain+ is used as the training set and KDDTest+ as the test set. Fig. 6 lists the precision (PR), detection rate (DR) and accuracy of the present invention and of other machine learning methods in multi-class classification; it can be seen that the present invention is better than the other methods on every detection metric.
The comparative analysis shows that every detection metric of the present invention is clearly better than those of several of the latest current methods. From the above analysis it can be concluded that the present invention is a more effective abnormal traffic intrusion detection method.
Those skilled in the art should understand that embodiments of the application may be provided as a method, a system or a computer program product. The application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical memory) that contain computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of the method, the device (system) and the computer program product according to embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The above is only a preferred embodiment of the present invention and does not limit the invention to other forms. Any person skilled in the art may use the technical content disclosed above to change or modify it into an equivalent embodiment with equivalent variations. However, any simple modification, equivalent variation or adaptation made to the above embodiments according to the technical essence of the invention, without departing from the technical solution of the present invention, still falls within the protection scope of the technical solution of the present invention.

Claims (5)

1. An abnormal traffic detection method based on a hybrid neural network, characterized by comprising an offline training stage and a real-time detection stage;
The offline training stage specifically: collect traffic data and extract features at the granularity of a network flow, label the data, generate a training set after data preprocessing, and obtain the abnormal traffic detection model through multiple rounds of model training;
The real-time detection stage specifically: collect the traffic data within a fixed time window and extract features at the granularity of a network flow, preprocess the data and input it into the trained abnormal traffic detection model for detection, and handle the traffic differently according to the detection result.
2. The abnormal traffic detection method based on a hybrid neural network according to claim 1, characterized in that the features extracted from a network flow by the feature extraction in the offline training stage and the real-time detection stage include but are not limited to: the duration of the network flow, the number of bytes sent by the source IP, the number of bytes sent by the destination IP, the number of packets sent by the source IP, the number of packets sent by the destination IP, the number of IP-layer bytes sent by the source IP, and the number of IP-layer bytes sent by the destination IP.
3. The abnormal traffic detection method based on a hybrid neural network according to claim 1, characterized in that the data preprocessing in the offline training stage and the real-time detection stage comprises the following steps:
Step S11: convert character-type features and attack classes into corresponding decimal values;
Step S12: fill each missing value in the data with the mean of the data of the same class;
Step S13: normalize the data with the max-min method.
4. The abnormal traffic detection method based on a hybrid neural network according to claim 1, characterized in that the model training specifically comprises the following steps:
Step S21: input the preprocessed training set data into a convolutional neural network to extract the spatial features in the network flow;
Step S22: input the data processed in step S21 into a bidirectional long short-term memory network to extract the temporal features in the network flow;
Step S23: input the data processed in step S22 into a softmax classifier and output the final detection result.
5. A system based on the abnormal traffic detection method according to any one of claims 1-4, characterized by comprising a memory and an executor; the memory stores the method instructions of claim 1, and the executor executes the method instructions in the memory at run time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910416314.2A CN110138787A (en) 2019-05-20 2019-05-20 A kind of anomalous traffic detection method and system based on hybrid neural networks


Publications (1)

Publication Number Publication Date
CN110138787A true CN110138787A (en) 2019-08-16

Family

ID=67571517

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910416314.2A Pending CN110138787A (en) 2019-05-20 2019-05-20 A kind of anomalous traffic detection method and system based on hybrid neural networks

Country Status (1)

Country Link
CN (1) CN110138787A (en)

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110619049A (en) * 2019-09-25 2019-12-27 北京工业大学 Message anomaly detection method based on deep learning
CN110830515A (en) * 2019-12-13 2020-02-21 支付宝(杭州)信息技术有限公司 Flow detection method and device and electronic equipment
CN110881037A (en) * 2019-11-19 2020-03-13 北京工业大学 Network intrusion detection method and training method and device of model thereof, and server
CN110896381A (en) * 2019-11-25 2020-03-20 中国科学院深圳先进技术研究院 Deep neural network-based traffic classification method and system and electronic equipment
CN110995700A (en) * 2019-12-02 2020-04-10 山东超越数控电子股份有限公司 Malformed IP message detection method, equipment and storage medium
CN111260029A (en) * 2020-01-13 2020-06-09 北京工业大学 Credibility analysis method for air quality data
CN111428789A (en) * 2020-03-25 2020-07-17 广东技术师范大学 Network traffic anomaly detection method based on deep learning
CN111526144A (en) * 2020-04-21 2020-08-11 福州大学 Abnormal flow detection method and system based on DVAE-Catboost
CN111756584A (en) * 2020-07-14 2020-10-09 济南浪潮高新科技投资发展有限公司 Netflow protocol network flow analysis method and system based on deep learning
CN111835763A (en) * 2020-07-13 2020-10-27 北京邮电大学 DNS tunnel traffic detection method and device and electronic equipment
CN112134862A (en) * 2020-09-11 2020-12-25 国网电力科学研究院有限公司 Coarse-fine granularity mixed network anomaly detection method and device based on machine learning
CN112232570A (en) * 2020-10-19 2021-01-15 国网陕西省电力公司 Forward active total electric quantity prediction method and device and readable storage medium
CN112367334A (en) * 2020-11-23 2021-02-12 中国科学院信息工程研究所 Network traffic identification method and device, electronic equipment and storage medium
CN112491894A (en) * 2020-11-30 2021-03-12 北京航空航天大学 Internet of things network attack flow monitoring system based on space-time feature learning
CN112583852A (en) * 2020-12-28 2021-03-30 华北电力大学 Abnormal flow detection method
CN112637104A (en) * 2019-09-24 2021-04-09 中国电信股份有限公司 Abnormal flow detection method and system
CN112651422A (en) * 2020-11-25 2021-04-13 中国科学院信息工程研究所 Time-space sensing network flow abnormal behavior detection method and electronic device
CN112989540A (en) * 2021-04-12 2021-06-18 福建省海峡信息技术有限公司 Method and system for detecting abnormal traffic based on SRU (sequence recovery Unit) network
CN113114664A (en) * 2021-04-08 2021-07-13 上海电力大学 Abnormal flow detection system and method based on hybrid convolutional neural network
CN113162893A (en) * 2020-09-29 2021-07-23 国网河南省电力公司电力科学研究院 Attention mechanism-based industrial control system network flow abnormity detection method
CN113328986A (en) * 2021-04-09 2021-08-31 国网浙江省电力有限公司金华供电公司 Network flow abnormity detection method based on combination of convolutional neural network and LSTM
CN113762299A (en) * 2020-06-28 2021-12-07 北京沃东天骏信息技术有限公司 Abnormal flow detection method and device
CN114205855A (en) * 2021-10-25 2022-03-18 国网天津市电力公司电力科学研究院 Feeder automation service network anomaly detection method facing 5G slices
CN115811440A (en) * 2023-01-12 2023-03-17 南京众智维信息科技有限公司 Real-time flow detection method based on network situation awareness

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104144089A (en) * 2014-08-06 2014-11-12 山东大学 BP-neural-network-based method for performing traffic identification
US20180033144A1 (en) * 2016-09-21 2018-02-01 Realize, Inc. Anomaly detection in volumetric images
CN108200006A (en) * 2017-11-21 2018-06-22 中国科学院声学研究所 A kind of net flow assorted method and device based on the study of stratification space-time characteristic
CN108809974A (en) * 2018-06-07 2018-11-13 深圳先进技术研究院 A kind of Network Abnormal recognition detection method and device

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112637104A (en) * 2019-09-24 2021-04-09 中国电信股份有限公司 Abnormal flow detection method and system
CN112637104B (en) * 2019-09-24 2022-07-05 中国电信股份有限公司 Abnormal flow detection method and system
CN110619049A (en) * 2019-09-25 2019-12-27 北京工业大学 Message anomaly detection method based on deep learning
CN110881037A (en) * 2019-11-19 2020-03-13 北京工业大学 Network intrusion detection method and training method and device of model thereof, and server
CN110896381A (en) * 2019-11-25 2020-03-20 中国科学院深圳先进技术研究院 Deep neural network-based traffic classification method and system and electronic equipment
CN110896381B (en) * 2019-11-25 2021-10-29 中国科学院深圳先进技术研究院 Deep neural network-based traffic classification method and system and electronic equipment
CN110995700A (en) * 2019-12-02 2020-04-10 山东超越数控电子股份有限公司 Malformed IP message detection method, equipment and storage medium
CN110830515A (en) * 2019-12-13 2020-02-21 支付宝(杭州)信息技术有限公司 Flow detection method and device and electronic equipment
CN111260029A (en) * 2020-01-13 2020-06-09 北京工业大学 Credibility analysis method for air quality data
CN111428789A (en) * 2020-03-25 2020-07-17 广东技术师范大学 Network traffic anomaly detection method based on deep learning
CN111526144A (en) * 2020-04-21 2020-08-11 福州大学 Abnormal flow detection method and system based on DVAE-Catboost
CN113762299A (en) * 2020-06-28 2021-12-07 北京沃东天骏信息技术有限公司 Abnormal flow detection method and device
CN111835763A (en) * 2020-07-13 2020-10-27 北京邮电大学 DNS tunnel traffic detection method and device and electronic equipment
CN111835763B (en) * 2020-07-13 2022-03-04 北京邮电大学 DNS tunnel traffic detection method and device and electronic equipment
CN111756584A (en) * 2020-07-14 2020-10-09 济南浪潮高新科技投资发展有限公司 Netflow protocol network flow analysis method and system based on deep learning
CN112134862A (en) * 2020-09-11 2020-12-25 国网电力科学研究院有限公司 Coarse-fine granularity mixed network anomaly detection method and device based on machine learning
CN112134862B (en) * 2020-09-11 2023-09-08 国网电力科学研究院有限公司 Coarse-fine granularity hybrid network anomaly detection method and device based on machine learning
CN113162893B (en) * 2020-09-29 2022-05-24 国网河南省电力公司电力科学研究院 Attention mechanism-based industrial control system network flow abnormity detection method
CN113162893A (en) * 2020-09-29 2021-07-23 国网河南省电力公司电力科学研究院 Attention mechanism-based industrial control system network flow abnormity detection method
CN112232570A (en) * 2020-10-19 2021-01-15 国网陕西省电力公司 Forward active total electric quantity prediction method and device and readable storage medium
CN112367334A (en) * 2020-11-23 2021-02-12 中国科学院信息工程研究所 Network traffic identification method and device, electronic equipment and storage medium
CN112651422A (en) * 2020-11-25 2021-04-13 中国科学院信息工程研究所 Time-space sensing network flow abnormal behavior detection method and electronic device
CN112651422B (en) * 2020-11-25 2023-10-10 中国科学院信息工程研究所 Space-time sensing network flow abnormal behavior detection method and electronic device
CN112491894A (en) * 2020-11-30 2021-03-12 北京航空航天大学 Internet of things network attack flow monitoring system based on space-time feature learning
CN112583852A (en) * 2020-12-28 2021-03-30 华北电力大学 Abnormal flow detection method
CN113114664A (en) * 2021-04-08 2021-07-13 上海电力大学 Abnormal flow detection system and method based on hybrid convolutional neural network
CN113328986A (en) * 2021-04-09 2021-08-31 国网浙江省电力有限公司金华供电公司 Network flow abnormity detection method based on combination of convolutional neural network and LSTM
CN112989540A (en) * 2021-04-12 2021-06-18 福建省海峡信息技术有限公司 Method and system for detecting abnormal traffic based on SRU (sequence recovery Unit) network
CN114205855A (en) * 2021-10-25 2022-03-18 国网天津市电力公司电力科学研究院 Feeder automation service network anomaly detection method facing 5G slices
CN115811440A (en) * 2023-01-12 2023-03-17 南京众智维信息科技有限公司 Real-time flow detection method based on network situation awareness

Similar Documents

Publication Publication Date Title
CN110138787A (en) A kind of anomalous traffic detection method and system based on hybrid neural networks
CN109450842A (en) A kind of network malicious act recognition methods neural network based
CN110909811A (en) OCSVM (online charging management system) -based power grid abnormal behavior detection and analysis method and system
Presekal et al. Attack graph model for cyber-physical power systems using hybrid deep learning
Wan et al. Event-Based Anomaly Detection for Non-Public Industrial Communication Protocols in SDN-Based Control Systems.
CN106936667A (en) A kind of main frame real-time identification method based on application rs traffic distributed analysis
Peraković et al. Artificial neuron network implementation in detection and classification of DDoS traffic
CN113162893B (en) Attention mechanism-based industrial control system network flow abnormity detection method
Sasan et al. Intrusion detection using feature selection and machine learning algorithm with misuse detection
Hoyos Ll et al. Distributed denial of service (DDoS) attacks detection using machine learning prototype
Feizollah et al. Anomaly detection using cooperative fuzzy logic controller
Janabi et al. Convolutional neural network based algorithm for early warning proactive system security in software defined networks
Wang et al. Efficient detection of DDoS attacks with important attributes
CN105827611B (en) A kind of distributed denial of service network attack detecting method and system based on fuzzy reasoning
Xia et al. Intrusion detection system based on principal component analysis and grey neural networks
Thi et al. Federated learning-based cyber threat hunting for apt attack detection in SDN-enabled networks
Abdulla et al. Identify features and parameters to devise an accurate intrusion detection system using artificial neural network
Qi Computer Real-Time Location Forensics Method for Network Intrusion Crimes.
Wang et al. Machine learned real-time traffic classifiers
US9398040B2 (en) Intrusion detection system false positive detection apparatus and method
Sapozhnikova et al. Intrusion detection system based on data mining technics for industrial networks
Premkumar et al. Hybrid Deep Learning Model for Cyber-Attack Detection
Kreimel et al. Neural net-based anomaly detection system in substation networks
Sabri et al. Hybrid of rough set theory and artificial immune recognition system as a solution to decrease false alarm rate in intrusion detection system
Yu et al. Mining anomaly communication patterns for industrial control systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190816
