CN110166302A - Decision-tree-based log analysis method, device and storage device - Google Patents
- Publication number: CN110166302A (application number CN201910458665.XA)
- Authority: CN (China)
- Prior art keywords: log, information, decision tree, essential information, gain value
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/0636—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis based on a decision tree analysis
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Debugging And Monitoring (AREA)
Abstract
The embodiments of the present invention disclose a decision-tree-based log analysis method, device and storage device, intended to solve the problems of traditional log analysis: wasted time, excessive storage-resource overhead during computation, and a high false-alarm rate for logs. The method comprises: extracting the black logs, white logs and grey logs from the existing logs, and extracting the essential information from the logs; calculating the information gain value of each item of essential information; setting the node information of the decision tree according to the ordering of the information gain values; setting the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree; and comparing the essential information of a log under analysis with the node information in the decision tree, selecting the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
Description
Technical field
The embodiments of the present invention relate to the field of network security, and in particular to a decision-tree-based log analysis method, device and storage device.
Background technique
At present, the large-scale network asset nodes of enterprises and Internet companies have the following characteristics:
1) The number of network asset nodes is large, the division of office network areas is complex, and log acquisition equipment is deployed at the connections between different network segments;
2) Diversity of logs: the logs reported by firewalls, routers and security equipment include network monitoring logs, network user behaviour logs, operation logs, etc.;
3) High throughput: the volume of logs acquired and reported by network security equipment can average 2W/s (20,000 per second).
Given the characteristics of the log information collected by firewalls, routers, security equipment and the like at the above network asset nodes, when analysts carry out vulnerability analysis of the assets of concern through the acquired logs, they need to be provided with accurate and timely data, so that the risks and threats present at a node can be determined from the node status information of the assets of concern that is available at that time, and corresponding strategies can be implemented promptly to ensure the security of the assets. Here, vulnerability refers to a weakness in an asset that can be exploited by a threat. Vulnerabilities can generally be divided into two major classes, namely the vulnerability of the asset itself and deficiencies in security control measures. The former generally refers to operating system vulnerabilities and inherent security shortcomings in product design; these vulnerabilities are the strong point of the currently popular vulnerability scanners and the problems to which risk assessors pay excessive attention. A threat refers to a cause such as human operational error, an imperfect asset management system or strategy, leakage or illegal tampering of information such as network configuration information, hardware faults of storage or transmission equipment, or system or software defects, which leads to major risks and hidden dangers for the assets.
Looking at the existing security log analysis processes, most of them match the logs for the presence of the characteristic information of a certain threat. For example, the EternalBlue vulnerability is mainly used by taking the attack payload for the ms17-101 vulnerability in Metasploit to carry out attacks and obtain control of hosts, scanning all Windows machines that have file-sharing port 445 open. Therefore, when analysing the collected security logs, one mostly detects whether there is access to or operation on port 445 and whether the system is Windows, and then judges whether the asset is exposed to the EternalBlue vulnerability.
However, this judgement method has the following problems:
1) Logs are judged by only a few characteristics, so the false-alarm rate is high, and logs judged to be black need a second round of analysis and confirmation, which increases the workload of the analysts;
2) For high-throughput security logs, matching the full logs by searching similar fields consumes unnecessary resources and time, so that the analysis results cannot be fed back in time;
3) When new malicious trojans or network attacks appear, the analysts must extract rules again and match the new rules against the security logs.
Summary of the invention
In view of the above problems, the embodiments of the present invention provide a decision-tree-based log analysis method, device and storage device, to solve the problems of wasted time, excessive storage-resource overhead during computation and a high log false-alarm rate in traditional log analysis.
The embodiments of the present invention disclose a decision-tree-based log analysis method, comprising:
extracting the black logs, white logs and grey logs from the existing logs, and extracting the essential information from the logs; calculating the information gain value of each item of essential information; setting the node information of the decision tree according to the ordering of the information gain values; setting the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree; comparing the essential information of a log under analysis with the node information in the decision tree, and selecting the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
Further, the essential information includes IP address, access port, transport protocol, behaviour label, threat level, risk class and threat platform.
Further, calculating the information gain value of each item of essential information specifically comprises: calculating the result information entropy D of the existing logs; calculating separately the information entropies D1n and D2n of each item of essential information in the black logs and in the white logs; and calculating the information gain value of each item of essential information from the result information entropy D and the information entropies D1n and D2n.
Further, the node information of the decision tree is set according to the information gain values of the essential information in descending order.
The embodiments of the present invention disclose a decision-tree-based log analysis device, comprising a memory and a processor, the memory storing a plurality of instructions and the processor loading the instructions stored in the memory in order to execute:
extracting the black logs, white logs and grey logs from the existing logs, and extracting the essential information from the logs; calculating the information gain value of each item of essential information; setting the node information of the decision tree according to the ordering of the information gain values; setting the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree; comparing the essential information of a log under analysis with the node information in the decision tree, and selecting the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
Further, the processor also loads the instructions stored in the memory in order to execute:
the essential information includes IP address, access port, transport protocol, behaviour label, threat level, risk class and threat platform.
Further, the processor also loads the instructions stored in the memory in order to execute:
calculating the information gain value of each item of essential information, specifically: calculating the result information entropy D of the existing logs; calculating separately the information entropies D1n and D2n of each item of essential information in the black logs and in the white logs; and calculating the information gain value of each item of essential information from the result information entropy D and the information entropies D1n and D2n.
Further, the processor also loads the instructions stored in the memory in order to execute:
setting the node information of the decision tree according to the information gain values of the essential information in descending order.
The embodiments of the present invention also disclose a decision-tree-based log analysis device, comprising:
an information extraction module: extracts the black logs, white logs and grey logs from the existing logs, and extracts the essential information from the logs;
a gain value computation module: calculates the information gain value of each item of essential information;
a node information setup module: sets the node information of the decision tree according to the ordering of the information gain values;
a decision tree formation module: sets the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree;
an analysis module: compares the essential information of a log under analysis with the node information in the decision tree, and selects the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
The embodiments of the present invention provide a storage device in which a plurality of instructions are stored, the instructions being suitable for being loaded by a processor and executing the steps of the decision-tree-based log analysis method provided in the embodiments of the present invention.
Compared with the prior art, the decision-tree-based log analysis method, device and storage device provided in the embodiments of the present invention achieve at least the following beneficial effects:
the black logs, white logs and grey logs are extracted from the existing logs, and the essential information in the logs is extracted; the information gain value of each item of essential information is calculated; the node information of the decision tree is set according to the ordering of the information gain values; the judgement result of each leaf node is set according to the attributes extracted from the logs, thereby forming the decision tree; the essential information of a log under analysis is compared with the node information in the decision tree, and the next comparison branch is selected according to the comparison result, until a leaf node outputs the judgement result.
The method provided in the embodiments of the present invention is based on a decision tree: by extracting the candidate rules from a large number of black logs and white logs and continuously computing the model, it reduces the false-alarm rate of threat logs and reduces the repeated investment of manpower in the analysis process.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without any creative work.
Fig. 1 is a flow chart of the decision-tree-based log analysis method provided in an embodiment of the present invention;
Fig. 2 is a flow chart of another decision-tree-based log analysis method provided in an embodiment of the present invention;
Fig. 3 is a table of the essential information extracted from the existing logs, provided in an embodiment of the present invention;
Fig. 4 is an example diagram of the generated decision tree, provided in an embodiment of the present invention;
Fig. 5 is a structural diagram of the decision-tree-based log analysis device provided in an embodiment of the present invention;
Fig. 6 is a structural diagram of another decision-tree-based log analysis device provided in an embodiment of the present invention.
Specific embodiments
In order to make the purpose, technical solution and advantages of the present invention clearer, the specific embodiments of the decision-tree-based log analysis method provided by the embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described below are only intended to illustrate and explain the present invention and are not intended to limit it. Where there is no conflict, the features of the embodiments in this application can be combined with each other.
A decision tree is a tree structure used for classification, in which each internal node represents a test on a certain attribute, each edge represents a test result, and each leaf node represents a class or a distribution over classes. The decision process starts at the root node of the decision tree, compares the data under test with the characteristic node of the decision tree, selects the next comparison branch according to the comparison result, and continues until a leaf node is reached as the final decision result. On this basis, an embodiment of the present invention provides a decision-tree-based log analysis method, whose flow chart is shown in Fig. 1 and which comprises:
Step 11: extracting the black logs, white logs and grey logs from the existing logs, and extracting the essential information from the logs;
where the essential information includes IP address, access port, transport protocol, behaviour label, threat level, risk class and threat platform.
Step 12: calculating the information gain value of each item of essential information;
Step 13: setting the node information of the decision tree according to the ordering of the information gain values;
preferably, the node information of the decision tree is set according to the information gain values of the essential information in descending order.
Step 14: setting the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree;
Step 15: comparing the essential information of the log under analysis with the node information in the decision tree, and selecting the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
The method provided in the embodiments of the present invention is based on a decision tree: by extracting the candidate rules from a large number of black logs and white logs and continuously computing the model, it reduces the false-alarm rate of threat logs and reduces the repeated investment of manpower in the analysis process.
The flow chart of another decision-tree-based log analysis method provided in an embodiment of the present invention is shown in Fig. 2 and comprises:
Step 201: extracting the black logs, white logs and grey logs from the existing logs, and extracting the essential information from the logs;
for example, the table of essential information extracted from the existing logs, provided in an embodiment of the present invention, is shown in Fig. 3; the table contains the essential information extracted from 25 existing logs.
Step 202: calculating the result information entropy D of the existing logs;
according to the essential information of the existing logs given in Fig. 3 (the probability that an existing log is malicious is 11/25, and the probability that it is non-malicious is 14/25), the result information entropy D of the existing logs is calculated with the following formula:
where P_k is the probability that a certain event occurs. The smaller the information entropy, the higher the accuracy of the log analysis result; information entropy is a common indicator for measuring the purity of a sample set.
Step 203: calculating separately the information entropies D1n and D2n of each item of essential information in the black logs and in the white logs;
taking the essential information of the existing logs given in Fig. 3, in which part of the behaviour labels contain EternalBlue, as an example, its information entropies D11 in the black logs and D21 in the white logs are calculated as:
The information entropies of the other items of essential information are calculated in the same way.
Step 204: calculating the information gain value of each item of essential information from the result information entropy D and the information entropies D1n and D2n;
the information gain value of the above item, behaviour label containing EternalBlue, is:
According to the method given above, the information gain values of the other items of essential information are calculated as follows: the information gain value of port 445 is 0.758171; that of threat level greater than or equal to 3 is 0.831066; that of risk class greater than or equal to 3 is 0.772853; that of the system being Windows is 0.857913; and that of the transport protocol being SMB is 0.857913.
Step 205: setting the node information of the decision tree according to the ordering of the information gain values;
the information gain values of the essential information are arranged in descending order; an example of the generated decision tree is shown in Fig. 4.
When log analysis needs to be updated with new rules, a large number of logs containing the new rules can be introduced for training and learning, forming a new decision tree.
Step 206: comparing the essential information of the log under analysis with the node information in the decision tree, and selecting the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
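As an added illustration of steps 201 to 206 (and of the summary and steps 11 to 15 above), the following Python example is not the patent's own code: it builds an ID3-style decision tree over a constructed set of labelled log records, using the standard definitions of information entropy and information gain. The patent does not reproduce its formulas for D, D1n and D2n or the Fig. 3 data on this page, so the field names (a subset of the essential information), the sample records and the gain formula are assumptions of this example; the tie-breaking rule (the earlier field wins on equal gain) and the "grey" verdict for a field value the tree has never seen are likewise choices made here, not taken from the patent.

```python
# Added example, not the patent's own code: an ID3-style decision tree over
# log records following steps 201-206. Records are constructed sample data;
# field names and the entropy/gain formulas are assumptions, since the page
# shows neither its formulas nor the Fig. 3 table.
import math
from collections import Counter

# Assumed subset of the patent's "essential information" fields.
FIELDS = ["port", "protocol", "platform", "behavior"]

# Constructed labelled logs: 'black' = malicious, 'white' = benign.
LOGS = [
    {"port": 445, "protocol": "SMB",  "platform": "windows", "behavior": "eternalblue", "label": "black"},
    {"port": 445, "protocol": "SMB",  "platform": "windows", "behavior": "eternalblue", "label": "black"},
    {"port": 445, "protocol": "SMB",  "platform": "windows", "behavior": "scan",        "label": "black"},
    {"port": 445, "protocol": "SMB",  "platform": "windows", "behavior": "scan",        "label": "black"},
    {"port": 445, "protocol": "SMB",  "platform": "linux",   "behavior": "scan",        "label": "white"},
    {"port": 80,  "protocol": "HTTP", "platform": "windows", "behavior": "scan",        "label": "white"},
    {"port": 80,  "protocol": "HTTP", "platform": "linux",   "behavior": "browse",      "label": "white"},
    {"port": 22,  "protocol": "SSH",  "platform": "linux",   "behavior": "login",       "label": "white"},
]


def entropy(logs):
    """Step 202: result information entropy D = -sum(p_k * log2 p_k) over the labels."""
    counts = Counter(log["label"] for log in logs)
    total = len(logs)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def information_gain(logs, field):
    """Steps 203-204: D minus the entropy that remains after splitting on `field`
    (standard ID3 gain; the patent's exact D1n/D2n formulation is not shown)."""
    total = len(logs)
    remaining = 0.0
    for value in {log[field] for log in logs}:
        subset = [log for log in logs if log[field] == value]
        remaining += len(subset) / total * entropy(subset)
    return entropy(logs) - remaining


def rank_fields(logs, fields):
    """Step 205: fields in descending order of information gain. The sort is
    stable, so fields with equal gain keep their order in `fields`."""
    return sorted(fields, key=lambda f: -information_gain(logs, f))


def build_tree(logs, fields):
    """Recursive construction; a leaf carries the majority label of its logs."""
    labels = Counter(log["label"] for log in logs)
    if len(labels) == 1 or not fields:
        return {"leaf": labels.most_common(1)[0][0]}
    best = rank_fields(logs, fields)[0]
    if information_gain(logs, best) <= 1e-12:  # no field separates the labels further
        return {"leaf": labels.most_common(1)[0][0]}
    rest = [f for f in fields if f != best]
    branches = {}
    for value in {log[best] for log in logs}:
        subset = [log for log in logs if log[best] == value]
        branches[value] = build_tree(subset, rest)
    return {"field": best, "branches": branches}


def classify(tree, log):
    """Step 206: walk from the root, taking the branch matching the log's value,
    until a leaf gives the verdict. A value with no branch yields 'grey'
    (undetermined), mirroring the page's third log class."""
    while "leaf" not in tree:
        branch = tree["branches"].get(log[tree["field"]])
        if branch is None:
            return "grey"
        tree = branch
    return tree["leaf"]


if __name__ == "__main__":
    tree = build_tree(LOGS, FIELDS)
    for f in rank_fields(LOGS, FIELDS):
        print(f"{f:9s} gain = {information_gain(LOGS, f):.6f}")
    sample = {"port": 445, "protocol": "SMB", "platform": "windows", "behavior": "scan"}
    print("verdict:", classify(tree, sample))
```

Running the block prints the fields ranked by descending information gain, which is the ordering the patent uses to set the node information, and then classifies a sample record in two comparisons (port, then platform). With this data, port and transport protocol carry identical gain because one determines the other, so protocol contributes nothing below the port node; that is the redundancy the gain ordering is meant to expose. A log whose field value has no branch is reported as grey rather than forced into black or white, which is the case the page's retraining with new-rule logs is meant to absorb.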
The method provided in the embodiments of the present invention analyses the logs under test and allows the log analysis process to be handled relatively automatically. It further reduces the workload of analysts and the manpower cost of log analysis, improves the working efficiency of log analysis judgement, reduces the omissions of manual analysis of massive logs, and further reduces the false-alarm rate of log analysis. It also compares and analyses a variety of possible threat activity processes against their influence on the actual network assets, so that the established threat-activity topology better matches the requirements of the real network environment.
The embodiments of the present invention also provide a decision-tree-based log analysis device, as shown in Fig. 5, comprising: the device includes a memory 510 and a processor 520, the memory 510 storing a plurality of instructions and the processor 520 loading the instructions stored in the memory 510 in order to execute:
extracting the black logs, white logs and grey logs from the existing logs, and extracting the essential information from the logs; calculating the information gain value of each item of essential information; setting the node information of the decision tree according to the ordering of the information gain values; setting the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree; comparing the essential information of a log under analysis with the node information in the decision tree, and selecting the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
The processor 520 loads the instructions stored in the memory 510 in order to execute:
the essential information includes IP address, access port, transport protocol, behaviour label, threat level, risk class and threat platform.
The processor 520 loads the instructions stored in the memory 510 in order to execute:
calculating the information gain value of each item of essential information, specifically: calculating the result information entropy D of the existing logs; calculating separately the information entropies D1n and D2n of each item of essential information in the black logs and in the white logs; and calculating the information gain value of each item of essential information from the result information entropy D and the information entropies D1n and D2n.
The processor 520 loads the instructions stored in the memory 510 in order to execute:
setting the node information of the decision tree according to the information gain values of the essential information in descending order.
The embodiments of the present invention also provide another decision-tree-based log analysis device, as shown in Fig. 6, comprising:
an information extraction module 61: extracts the black logs, white logs and grey logs from the existing logs, and extracts the essential information from the logs;
a gain value computation module 62: calculates the information gain value of each item of essential information;
a node information setup module 63: sets the node information of the decision tree according to the ordering of the information gain values;
a decision tree formation module 64: sets the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree;
an analysis module 65: compares the essential information of a log under analysis with the node information in the decision tree, and selects the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
The embodiments of the present invention also provide a storage device in which a plurality of instructions are stored, the instructions being suitable for being loaded by a processor and executing the steps of the decision-tree-based log analysis method provided in the embodiments of the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the embodiments of the present invention can be implemented by hardware, or by software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the embodiments of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash disk or removable hard disk) and includes instructions for causing a computing device (such as a personal computer, a server or a network device) to execute the methods described in the embodiments of the present invention.
Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of the embodiment as described, or may be changed accordingly and located in one or more devices different from the present embodiment. The modules of the above embodiment may be merged into one module or further split into multiple sub-modules.
The serial numbers of the above embodiments of the invention are only for description and do not represent the advantages or disadvantages of the embodiments.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.
Claims (10)
1. A decision-tree-based log analysis method, characterised in that:
the black logs, white logs and grey logs are extracted from the existing logs, and the essential information in the logs is extracted;
the information gain value of each item of essential information is calculated;
the node information of the decision tree is set according to the ordering of the information gain values;
the judgement result of each leaf node is set according to the attributes extracted from the logs, thereby forming the decision tree;
the essential information of the log under analysis is compared with the node information in the decision tree, and the next comparison branch is selected according to the comparison result, until a leaf node outputs the judgement result.
2. The method according to claim 1, characterised in that the essential information includes IP address, access port, transport protocol, behaviour label, threat level, risk class and threat platform.
3. The method according to claim 2, wherein calculating the information gain value of each item of essential information specifically comprises:
calculating the result information entropy D of the existing logs;
calculating separately the information entropies D1n and D2n of each item of essential information in the black logs and in the white logs;
calculating the information gain value of each item of essential information from the result information entropy D and the information entropies D1n and D2n.
4. The method according to claim 1, characterised in that the node information of the decision tree is set according to the information gain values of the essential information in descending order.
5. A decision-tree-based log analysis device, characterised in that the device comprises a memory and a processor, the memory storing a plurality of instructions and the processor loading the instructions stored in the memory in order to execute:
extracting the black logs, white logs and grey logs from the existing logs, and extracting the essential information from the logs;
calculating the information gain value of each item of essential information;
setting the node information of the decision tree according to the ordering of the information gain values;
setting the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree;
comparing the essential information of the log under analysis with the node information in the decision tree, and selecting the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
6. The device according to claim 5, characterised in that the processor also loads the instructions stored in the memory in order to execute:
the essential information includes IP address, access port, transport protocol, behaviour label, threat level, risk class and threat platform.
7. The device according to claim 6, characterised in that the processor also loads the instructions stored in the memory in order to execute:
calculating the information gain value of each item of essential information, specifically:
calculating the result information entropy D of the existing logs;
calculating separately the information entropies D1n and D2n of each item of essential information in the black logs and in the white logs;
calculating the information gain value of each item of essential information from the result information entropy D and the information entropies D1n and D2n.
8. The device according to claim 5, characterised in that the processor also loads the instructions stored in the memory in order to execute:
setting the node information of the decision tree according to the information gain values of the essential information in descending order.
9. A decision-tree-based log analysis device, characterised by comprising:
an information extraction module: extracts the black logs, white logs and grey logs from the existing logs, and extracts the essential information from the logs;
a gain value computation module: calculates the information gain value of each item of essential information;
a node information setup module: sets the node information of the decision tree according to the ordering of the information gain values;
a decision tree formation module: sets the judgement result of each leaf node according to the attributes extracted from the logs, thereby forming the decision tree;
an analysis module: compares the essential information of the log under analysis with the node information in the decision tree, and selects the next comparison branch according to the comparison result, until a leaf node outputs the judgement result.
10. A storage device, characterised in that a plurality of instructions are stored in the storage device, the instructions being suitable for being loaded by a processor and executing the steps of the method according to any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910458665.XA CN110166302A (en) | 2019-05-29 | 2019-05-29 | A kind of log analysis method based on decision tree, device and storage equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110166302A true CN110166302A (en) | 2019-08-23 |
Family ID=67629799
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910458665.XA Pending CN110166302A (en) | 2019-05-29 | 2019-05-29 | A kind of log analysis method based on decision tree, device and storage equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110166302A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103514398A (en) * | 2013-10-18 | 2014-01-15 | 中国科学院信息工程研究所 | Real-time online log detection method and system |
CN107809331A (en) * | 2017-10-25 | 2018-03-16 | 北京京东尚科信息技术有限公司 | The method and apparatus for identifying abnormal flow |
- 2019-05-29 CN CN201910458665.XA, patent CN110166302A (en), active, Pending
Non-Patent Citations (1)
Title |
---|
黄秀霞 (Huang Xiuxia): "C4.5决策树算法优化及其应用" (Optimization of the C4.5 decision tree algorithm and its application), 《CNKI》 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111611508A (en) * | 2020-05-28 | 2020-09-01 | 江苏易安联网络技术有限公司 | Identification method and device for actual website access of user |
CN111611508B (en) * | 2020-05-28 | 2020-12-15 | 江苏易安联网络技术有限公司 | Identification method and device for actual website access of user |
CN113965448A (en) * | 2021-09-14 | 2022-01-21 | 国科信创科技有限公司 | Network security information analysis method, device and system based on AI search tree |
CN117762950A (en) * | 2024-02-20 | 2024-03-26 | 北京优特捷信息技术有限公司 | Log data analysis processing method, device and medium based on tree structure |
CN117762950B (en) * | 2024-02-20 | 2024-05-03 | 北京优特捷信息技术有限公司 | Log data analysis processing method, device and medium based on tree structure |
Similar Documents
Publication | Title |
---|---|
CN105677791B (en) | Method and system for analyzing the operation data of a wind power generating set |
CN110460594A (en) | Threat intelligence data acquisition and processing method, device and storage medium |
CN110166302A (en) | A kind of log analysis method based on decision tree, device and storage equipment |
Aljamal et al. | Hybrid intrusion detection system using machine learning techniques in cloud computing environments |
CN109587125B (en) | Network security big data analysis method, system and related device |
CN117081858B (en) | Intrusion behavior detection method, system, equipment and medium based on multi-decision tree |
CN106209817A (en) | Information network security self-defense system based on big data and trusted computing |
CN109818961A (en) | A kind of network intrusion detection method, device and equipment |
US20230418943A1 (en) | Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same |
CN115883236A (en) | Power grid intelligent terminal cooperative attack monitoring system |
CN107665164A (en) | Secure data detection method and device |
CN114742477A (en) | Enterprise order data processing method, device, equipment and storage medium |
CN113132311A (en) | Abnormal access detection method, device and equipment |
CN117421761A (en) | Database data information security monitoring method |
Zuo et al. | Power information network intrusion detection based on data mining algorithm |
CN112925805A (en) | Big data intelligent analysis application method based on network security |
CN113709170A (en) | Asset safe operation system, method and device |
Xu et al. | Research on E-commerce transaction payment system based on C4.5 decision tree data mining algorithm |
CN107493275A (en) | Adaptive extraction and analysis method and system for heterogeneous network security log information |
RU148692U1 (en) | COMPUTER SECURITY EVENTS MONITORING SYSTEM |
Panda et al. | Ensembling rule based classifiers for detecting network intrusions |
CN109696892A (en) | A kind of Safety Automation System and its control method |
RU180789U1 (en) | DEVICE OF INFORMATION SECURITY AUDIT IN AUTOMATED SYSTEMS |
CN114024761A (en) | Network threat data detection method and device, storage medium and electronic equipment |
CN110472416A (en) | A kind of web virus detection method and relevant apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20190823 |