CN110287439A - A network behavior anomaly detection method based on LSTM - Google Patents

Info

Publication number: CN110287439A
Authority: CN (China)
Prior art keywords: behavior, network, user, sequence, behavior sequence
Legal status: Pending
Application number: CN201910566453.3A
Other languages: Chinese (zh)
Inventors: 邵俊明, 刘洋, 杨勤丽
Current Assignee: University of Electronic Science and Technology of China
Original Assignee: University of Electronic Science and Technology of China

Abstract

The invention discloses a network behavior anomaly detection method based on LSTM. Network traffic data is first collected and converted into user behavior sequences according to the definition of user behavior. Because the behavior patterns of network users differ from one another, the user behavior sequences are then classified with the k-medoids (k-center-point) algorithm. The classified behavior sequence data is used as the input of LSTM (long short-term memory) networks, and the neural network models are trained in combination with an Attention mechanism. Finally, the trained model makes a prediction for the behavior sequence under test to determine its degree of abnormality. The invention processes network traffic data from the perspective of behavior, so it can take full account of the relationships among internal factors, and it builds network behavior patterns to differentiate user behavior. It breaks with the manual feature extraction used in traditional network anomaly detection and uses the LSTM network's ability to fit the evolution of large-scale network behavior sequence data streams to identify abnormal information, significantly improving the precision and efficiency of network anomaly detection.

Description

A network behavior anomaly detection method based on LSTM
Technical field
The invention belongs to the technical field of network security and, more specifically, relates to a network behavior anomaly detection method based on LSTM.
Background art
With the rapid development of the global network information industry, data exchange of all kinds has become more and more frequent. Computers are increasingly integrated into daily life, and people are increasingly dependent on networks. The rise of the mobile Internet in recent years in particular has drawn people into the network information age. In an increasingly complex network environment, however, attacks against network entities are becoming more frequent, and attack methods are becoming more diverse and more complex. At best these attacks degrade the service quality of the victim; at worst they cause information leakage and network paralysis, with huge economic losses. Detecting abnormal network behavior efficiently and accurately is therefore very important to both network service providers and users.
Network security systems have passed through two generations of traditional "either black or white" approaches and have now evolved to judge whether a user's behavior is abnormal by examining the behavior itself. First-generation network security systems used a "blacklist" to detect and remove viruses and Trojans. Second-generation systems used a "whitelist" mechanism to judge whether a user's behavior is trusted. Third-generation systems use technologies such as big data, artificial intelligence and machine learning to collect, analyze and assess user behavior data and to give early warning of abnormal user behavior.
LSTM (Long Short-Term Memory) is a time-recurrent neural network based on the recurrent neural network (RNN) and is suited to analyzing and fitting time series. LSTM is widely applied in many artificial intelligence fields such as machine translation, sentiment analysis, image analysis, document summarization, speech recognition and recommender systems, and is a mature machine learning algorithm, but the use of long short-term memory networks in network behavior anomaly detection is still at an early stage.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art and to propose a method for detecting abnormal network behavior which, by classifying user behavior patterns and combining an LSTM neural network model with an Attention mechanism, can significantly improve the accuracy of abnormal network behavior detection.
To achieve the above object, the LSTM-based network behavior anomaly detection method of the invention is characterized by comprising the following steps:
(1) Network traffic data collection, cleaning and arrangement
Traffic data for anomaly detection is generally collected by distributed agents deployed on each host terminal, and the traffic data collected by each distributed agent is then aggregated at the agent one level up. The collected traffic data is then cleaned according to the analysis requirements. Next, for the current network data, the definition of user behavior in the network is made explicit, and each user's activity in the network data is captured and converted into a user behavior trajectory sequence.
(2) Behavior sequence classification
The behavior trajectory sequences of all users are clustered with the k-medoids algorithm and divided into k different classes of behavior sequences. For a user who needs network behavior anomaly detection, i.e. the user under test, the similarity between that user's behavior sequence and the cluster medoids of the k classes of behavior sequences is measured, and the most similar class is taken as the class of the user behavior sequence under test.
(3) Establishing the LSTM neural network models
The k classes of behavior sequence data obtained in step 2 are used as the input data of k LSTM neural networks, which are trained in combination with an Attention mechanism to obtain k trained LSTM neural network models. Each neural network model corresponds to one user behavior class.
(4) Network behavior anomaly detection
For the user under test, the behavior sequence is used as the input of the LSTM neural network model of the corresponding class, and the difference between the model's behavior prediction and the true behavior is taken as the degree of abnormality of the network behavior.
The object of the invention is achieved as follows.
In the LSTM-based network behavior anomaly detection method of the invention, network traffic data is first collected and arranged into user behavior trajectory sequences according to the definition of user behavior. Because the behavior patterns of network users differ from one another, the invention classifies the user behavior sequences with the k-medoids algorithm. The classified behavior sequence data is then used as the input of LSTM long short-term memory networks, and the neural network models are trained in combination with an Attention mechanism. Finally, the trained model makes a prediction for the behavior sequence under test to determine its degree of abnormality. The invention processes network traffic data from the perspective of behavior, so it can take full account of the relationships among internal factors, and it builds network behavior patterns to differentiate user behavior. It breaks with the manual feature extraction used in traditional network anomaly detection and uses the LSTM network's ability to fit the evolution of large-scale network behavior sequence data streams to identify abnormal information, significantly improving the precision and efficiency of network anomaly detection.
Description of the drawings
Fig. 1 is a flowchart of a specific embodiment of the LSTM-based network behavior anomaly detection method of the invention;
Fig. 2 is a schematic diagram of a user behavior sequence in the invention;
Fig. 3 is a schematic diagram of the LSTM model of the LSTM-based network behavior anomaly detection method of the invention.
Detailed description
Specific embodiments of the invention are described below with reference to the drawings so that those skilled in the art can better understand the invention. Note in particular that, in the following description, detailed descriptions of known functions and designs are omitted where they might obscure the main content of the invention.
Fig. 1 is a flowchart of a specific embodiment of the LSTM-based network behavior anomaly detection method of the invention.
In this embodiment, as shown in Fig. 1, the LSTM-based network behavior anomaly detection method of the invention comprises the following steps:
S1: Network traffic data collection, cleaning and arrangement
Network traffic data is the log information recorded when a user accesses a specific network entity, such as access time, IP address, source port, destination port and operation commands.
According to the specific network entity the user accesses, the concrete definition of a user behavior sequence is specified, and the network traffic data is arranged into user behavior sequences. A user behavior sequence, also called "time-series-based user behavior", is the record, in chronological order, of each step of behavior of a person engaged in some activity during a period of time.
For example, as shown in Fig. 2, on a website, the record of each step of a user's behavior from entering the website to leaving it within a period of time is recorded as one user behavior sequence.
S2: Behavior sequence classification
In general, a user is the behavioral subject who carries out a series of activities on the network. Because people differ in identity and living habits, behavior patterns differ between users, so user behavior sequences need to be classified in order to improve the accuracy of anomaly detection.
First, the similarity between behavior sequences must be measured. To describe the user behavior sequence similarity measure of the invention more clearly, the following definitions are given:
Definition 1: subsequence. Given a behavior sequence X = (x1, x2, …, xm), another sequence Z = (z1, z2, …, zk) is a subsequence of X if there exists a strictly increasing index sequence (i1, i2, …, ik) such that the following holds for all j = 1, …, k (indices start from 1):
Definition 2: common subsequence. Given two behavior sequences X and Y, if another sequence Z is a subsequence of both X and Y, then Z is a common subsequence of X and Y. The longest such Z is the longest common subsequence of X and Y.
With subsequence and common subsequence defined, the longest common subsequence between two user behavior sequences can be found by a dynamic programming algorithm. Let c[i][j] hold the longest common subsequence of X = (x1, x2, …, xm) and Y = (y1, y2, …, yn); then:
The longest common subsequence between two user behavior sequences can thus be obtained.
Once each user's behavior sequence is available, the degree of similarity and the relationship between two users' behavior can be expressed by computing the similarity between the users. User behavior sequence similarity is realized through user behavior pattern similarity. To compute the similarity of behavior patterns, the behavior pattern distance is computed first. The method for computing the behavior pattern distance is described below.
Computing behavior patterns requires the distance between behavior sequences, so the distance between behavior sequences is defined first. So that a longer common subsequence of two behavior sequences gives a greater similarity and a smaller distance between them, the distance between behavior sequences is defined as follows:
where |X| and |Y| denote the lengths of behavior sequence X and behavior sequence Y, and lcs(X, Y) is the longest common subsequence of the two behavior sequences X and Y.
In fact, the latter half of the above formula can be used to measure the similarity of the two behavior sequences X and Y. When X and Y are identical, D(X, Y) = 0; when X and Y have no common subsequence, D(X, Y) = 1.
With the behavior pattern distance defined, user behavior sequences can be clustered so that user behavior patterns are distinguished and the accuracy of anomaly detection is improved. To detect abnormal behavior quickly, a fast clustering algorithm is needed for the clustering task. Among clustering algorithms, the k-medoids method is simple and fast, meets the need, and is robust when faced with network data containing "noise" and isolated points, so the k-medoids method is selected.
The basic strategy of the k-medoids method is as follows. First, a representative behavior sequence object is chosen arbitrarily for each cluster. Each of the other objects is then assigned to the corresponding cluster center according to its distance from these cluster representatives (using the distance calculation of the previous step). If replacing a cluster representative improves the resulting clustering quality, the old cluster representative can be replaced with a new one. By continuing this iteration, all behavior sequences are classified into k different classes.
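The S2 procedure described above, as an added Python example that is not part of the patent: LCS length by dynamic programming, a sequence distance, swap-based k-medoids clustering, and assignment of a new sequence to the nearest medoid. The distance formula itself is not reproduced on this page, so the normalization D = 1 - 2·|lcs(X, Y)| / (|X| + |Y|) is an assumption chosen to match the stated boundary values (0 for identical sequences, 1 for no common subsequence); the session data and function names are constructed for illustration.

```python
import random


def lcs_length(x, y):
    """Length of the longest common subsequence, by dynamic programming."""
    m, n = len(x), len(y)
    # c[i][j] is the LCS length of the prefixes x[:i] and y[:j].
    c = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            if x[i - 1] == y[j - 1]:
                c[i][j] = c[i - 1][j - 1] + 1
            else:
                c[i][j] = max(c[i - 1][j], c[i][j - 1])
    return c[m][n]


def distance(x, y):
    """ASSUMED normalization: D = 1 - 2*|lcs(X,Y)| / (|X| + |Y|), in [0, 1]."""
    if not x and not y:
        return 0.0
    return 1.0 - 2.0 * lcs_length(x, y) / (len(x) + len(y))


def k_medoids(seqs, k, seed=0):
    """Swap-based k-medoids. Returns (medoid indices, cluster label per sequence)."""
    n = len(seqs)
    dist = [[distance(a, b) for b in seqs] for a in seqs]

    def cost(meds):
        # Clustering quality: total distance of every object to its nearest medoid.
        return sum(min(dist[i][m] for m in meds) for i in range(n))

    # Arbitrary initial representatives, then keep any replacement that
    # lowers the cost until no single replacement helps.
    medoids = random.Random(seed).sample(range(n), k)
    best = cost(medoids)
    improved = True
    while improved:
        improved = False
        for pos in range(k):
            for cand in range(n):
                if cand in medoids:
                    continue
                trial = medoids[:pos] + [cand] + medoids[pos + 1:]
                trial_cost = cost(trial)
                if trial_cost < best - 1e-12:
                    medoids, best, improved = trial, trial_cost, True
    labels = [min(range(k), key=lambda c: dist[i][medoids[c]]) for i in range(n)]
    return medoids, labels


def assign(seq, seqs, medoids):
    """Cluster label of the medoid nearest to a new (to-be-tested) sequence."""
    return min(range(len(medoids)), key=lambda c: distance(seq, seqs[medoids[c]]))


# Constructed sample: three shopper-like and three admin-like sessions.
SESSIONS = [s.split() for s in [
    "login search view cart pay logout",
    "login search view view cart pay logout",
    "login search view logout",
    "login admin export config logout",
    "login admin config export logout",
    "login admin export export logout",
]]

if __name__ == "__main__":
    medoids, labels = k_medoids(SESSIONS, k=2)
    for label, session in zip(labels, SESSIONS):
        print(label, " ".join(session))
    new = "login search cart pay logout".split()
    print("new session ->", assign(new, SESSIONS, medoids))
```
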
S3: Establishing the LSTM neural network models
First, k different LSTM neural network models are established, one for each of the k classes of user behavior sequences; the input of each network is the behavior sequence data of the corresponding class. The model operates as follows: the first n-1 behaviors of the behavior sequence are encoded into hidden variables that serve as the input layer of the neural network; using the Attention mechanism, attention weight coefficients are assigned to the hidden variables, and from them a context variable containing the information of the whole behavior sequence data stream is generated. The more layers the LSTM long short-term memory network has, the stronger its ability to learn and predict behavior sequences, but too many layers make model training difficult to converge, so a 3-layer LSTM network is used in the invention. A fully connected layer is added at the end to reduce the dimension of the output, as shown in Fig. 3. Finally, a SOFTMAX function is used as the output layer of the neural network; the corresponding label is the class of the last behavior of the behavior sequence. The neural network model is trained by backpropagating the loss with gradient descent, the model parameters are adjusted continually, and the trained LSTM neural network model is finally obtained.
S4: Network behavior anomaly detection
The collected network traffic data to be tested is first preprocessed. Then, according to the specific network entity the user accesses, the concrete definition of a user behavior sequence is specified, and the preprocessed network traffic data is arranged into a user behavior sequence.
Following the method of step 2, the similarity between this user behavior sequence and the k cluster-center behavior sequence objects is measured, the center behavior sequence object with the greatest similarity is found, and the user behavior sequence under test is labeled with the class corresponding to that center behavior sequence object.
The behavior sequence with its last behavior removed is used as input data and fed to the trained LSTM neural network model of that class. The model encodes this behavior sequence into hidden variables, uses the Attention mechanism to generate from them a context variable containing the information of the whole behavior sequence data stream, predicts the class of the next behavior of the sequence, and outputs a normalized discrete probability distribution through the SOFTMAX function.
The Manhattan distance between the probability distribution vector x1 of the next behavior predicted by the LSTM neural network and the One-Hot vector x2 of the true next behavior class is computed as follows. The magnitude of the distance serves as the anomaly detection index: the greater the distance, the more likely the network behavior is abnormal:
where d12 denotes the distance between vectors x1 and x2, and m is the dimension of the probability distribution vector, that is, the number of network behavior classes.
The invention proposes an LSTM-based network behavior anomaly detection method to address the deficiencies of traditional network anomaly detection methods. The invention innovates in key technologies such as network behavior sequence classification and LSTM network anomaly detection.
Although illustrative specific embodiments of the invention have been described above so that those skilled in the art can understand the invention, it should be clear that the invention is not limited to the scope of the specific embodiments. To those of ordinary skill in the art, as long as the various changes fall within the spirit and scope of the invention as defined and determined by the appended claims, these changes are obvious, and all innovations that make use of the inventive concept are protected.

Claims (2)

1. A network behavior anomaly detection method based on LSTM, characterized by comprising the following steps:
(1) Network traffic data collection, cleaning and arrangement;
Network traffic data is collected by distributed agents deployed on each host terminal, and the collected traffic data is cleaned according to the analysis requirements; then, for the current network data, the definition of user behavior in the network is made explicit, and each user's activity in the network data is captured and converted into a user behavior sequence;
(2) Behavior sequence classification;
The behavior trajectory sequences of all users are clustered with the k-medoids algorithm and divided into k different classes of behavior sequences; for a user who needs network behavior anomaly detection, i.e. the user under test, the similarity between that user's behavior sequence and the cluster medoids of the k classes of behavior sequences is measured, and the most similar class is taken as the class of the user behavior sequence under test;
(3) Establishing the LSTM neural network models;
The k classes of behavior sequence data obtained in step 2 are used as the input data of k LSTM neural networks, which are trained in combination with an Attention mechanism to obtain k trained LSTM neural network models, wherein each neural network model corresponds to one user behavior class;
(4) Network behavior anomaly detection;
For the user under test, the behavior sequence is used as the input of the LSTM neural network model of the corresponding class, and the difference between the model's behavior prediction and the true behavior is taken as the degree of abnormality of the network behavior.
2. The network behavior anomaly detection method according to claim 1, characterized in that the classification of user behavior sequences by the k-medoids algorithm in step (2) and the establishment of the LSTM neural network models in step (3) are as follows:
2.1) For all user behavior sequences to be classified, the first step is to find the longest common subsequence (LCS) of any two user behavior sequences;
Let c[i][j] hold the longest common subsequence of X = (x1, x2, …, xm) and Y = (y1, y2, …, yn); then:
The longest common subsequence between two user behavior sequences can thus be obtained;
Once each user's behavior sequence is available, the degree of similarity and the relationship between two users' behavior can be expressed by computing the similarity between the users; so that a longer common subsequence of two behavior sequences gives a greater similarity and a smaller distance between them, the distance between behavior sequences is defined as follows:
where |X| denotes the length of behavior sequence X and lcs(X, Y) is the longest common subsequence of the two behavior sequences X and Y; the latter half of the above formula can be used to measure the similarity of the two behavior sequences X and Y; when X and Y are identical, D(X, Y) = 0, and when X and Y have no common subsequence, D(X, Y) = 1;
With the behavior pattern distance defined, user behavior sequences can be clustered by the k-medoids algorithm, whose basic strategy is: first, a representative behavior sequence object is chosen arbitrarily for each cluster; each of the other objects is then assigned to the corresponding cluster center according to its distance from these cluster representatives; if replacing a cluster representative improves the resulting clustering quality, the old cluster representative can be replaced with a new one; by continuing this iteration, all behavior sequences are classified into k different classes, and these k classes correspond respectively to k different user behavior patterns;
2.2) First, k different LSTM neural network models are established, one for each of the k classes of user behavior sequences; the input of each network is the behavior sequence data of the corresponding class;
The model operates as follows: the first n-1 behaviors of the behavior sequence are encoded into hidden variables that serve as the input layer of the neural network; using the Attention mechanism, attention weight coefficients are assigned to the hidden variables, and from them a context variable containing the information of the whole behavior sequence data stream is generated; a 3-layer LSTM long short-term memory network is then used to improve the ability to learn and predict behavior sequences; a fully connected layer is added at the end to reduce the dimension of the output; finally, a SOFTMAX function is used as the output layer of the neural network, and the corresponding label is the class of the last behavior of the behavior sequence;
The neural network model is trained by backpropagation with gradient descent, the model parameters are adjusted continually, and the trained LSTM neural network model is finally obtained.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910566453.3A (CN110287439A) | 2019-06-27 | 2019-06-27 | A network behavior anomaly detection method based on LSTM

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201910566453.3A (CN110287439A) | 2019-06-27 | 2019-06-27 | A network behavior anomaly detection method based on LSTM

Publications (1)

Publication Number | Publication Date
CN110287439A | 2019-09-27

Family

ID=68007716

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201910566453.3A, Pending (CN110287439A) | A network behavior anomaly detection method based on LSTM | 2019-06-27 | 2019-06-27

Country Status (1)

Country | Link
CN (1) | CN110287439A (en)


Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111262849A (en) * 2020-01-13 2020-06-09 东南大学 Method for identifying and blocking network abnormal flow behaviors based on flow table information
CN113569879A (en) * 2020-04-28 2021-10-29 中国移动通信集团浙江有限公司 Training method of abnormal recognition model, abnormal account recognition method and related device
CN113569879B (en) * 2020-04-28 2024-03-19 中国移动通信集团浙江有限公司 Training method of abnormal recognition model, abnormal account recognition method and related device
CN111600750A (en) * 2020-05-11 2020-08-28 北京庭宇科技有限公司 Speed limit detection method and system for PCDN network node flow
CN111600750B (en) * 2020-05-11 2022-10-21 北京庭宇科技有限公司 Speed limit detection method and system for PCDN network node flow
CN111738335A (en) * 2020-06-23 2020-10-02 鲁东大学 Time series data abnormity detection method based on neural network
CN111797978A (en) * 2020-07-08 2020-10-20 北京天融信网络安全技术有限公司 Internal threat detection method and device, electronic equipment and storage medium
CN111967011A (en) * 2020-07-10 2020-11-20 电子科技大学 Interpretable internal threat assessment method
CN111970169A (en) * 2020-08-14 2020-11-20 中山大学 Protocol flow identification method based on GRU network
CN112565183A (en) * 2020-10-29 2021-03-26 中国船舶重工集团公司第七0九研究所 Network flow abnormity detection method and device based on flow dynamic time warping algorithm
CN112306982B (en) * 2020-11-16 2021-07-16 杭州海康威视数字技术股份有限公司 Abnormal user detection method and device, computing equipment and storage medium
CN112306982A (en) * 2020-11-16 2021-02-02 杭州海康威视数字技术股份有限公司 Abnormal user detection method and device, computing equipment and storage medium
CN112671551B (en) * 2020-11-23 2022-11-18 中国船舶重工集团公司第七0九研究所 Network traffic prediction method and system based on event correlation
CN112671551A (en) * 2020-11-23 2021-04-16 中国船舶重工集团公司第七0九研究所 Network traffic prediction method and system based on event correlation
CN112631888A (en) * 2020-12-30 2021-04-09 航天信息股份有限公司 Fault prediction method and device of distributed system, storage medium and electronic equipment
CN112818868B (en) * 2021-02-03 2024-05-28 招联消费金融股份有限公司 Method and device for identifying illegal user based on behavior sequence characteristic data
CN112818868A (en) * 2021-02-03 2021-05-18 招联消费金融有限公司 Behavior sequence characteristic data-based violation user identification method and device
CN113472742B (en) * 2021-05-28 2022-09-27 中国科学院信息工程研究所 Internal threat detection method and device based on gated cyclic unit
CN113472742A (en) * 2021-05-28 2021-10-01 中国科学院信息工程研究所 Internal threat detection method and device based on gated cyclic unit
CN113409105A (en) * 2021-06-04 2021-09-17 山西大学 E-commerce network abnormal user detection method and system
CN113409105B (en) * 2021-06-04 2023-09-26 山西大学 Method and system for detecting abnormal users of e-commerce network
CN114221816A (en) * 2021-12-17 2022-03-22 恒安嘉新(北京)科技股份公司 Flow detection method, device, equipment and storage medium
CN114221816B (en) * 2021-12-17 2024-05-03 恒安嘉新(北京)科技股份公司 Flow detection method, device, equipment and storage medium
WO2023243036A1 (en) * 2022-06-16 2023-12-21 三菱電機株式会社 Information processing device, program, and information processing method
CN115086043B (en) * 2022-06-17 2023-03-21 电子科技大学 Encryption network flow classification and identification method based on minimum public subsequence
CN115086043A (en) * 2022-06-17 2022-09-20 电子科技大学 Encryption network flow classification and identification method based on minimum public subsequence
WO2024009390A1 (en) * 2022-07-05 2024-01-11 三菱電機株式会社 Information processing device, program, and information processing method
CN116232761B (en) * 2023-05-04 2023-07-14 华东交通大学 Method and system for detecting abnormal network traffic based on shapelet
CN116232761A (en) * 2023-05-04 2023-06-06 华东交通大学 Method and system for detecting abnormal network traffic based on shapelet
CN117573480A (en) * 2023-12-14 2024-02-20 杭州丽冠科技有限公司 Data security monitoring method and device based on artificial intelligence

Similar Documents

Publication Publication Date Title
CN110287439A (en) A kind of network behavior method for detecting abnormality based on LSTM
CN112784881B (en) Network abnormal flow detection method, model and system
CN108023876A (en) Intrusion detection method and intruding detection system based on sustainability integrated study
CN112491796A (en) Intrusion detection and semantic decision tree quantitative interpretation method based on convolutional neural network
CN112488716B (en) Abnormal event detection system
CN109218223A (en) A kind of robustness net flow assorted method and system based on Active Learning
Cui et al. Learning global pairwise interactions with Bayesian neural networks
CN112348080A (en) RBF improvement method, device and equipment based on industrial control abnormity detection
CN112700324A (en) User loan default prediction method based on combination of Catboost and restricted Boltzmann machine
WO2019200739A1 (en) Data fraud identification method, apparatus, computer device, and storage medium
Zhu et al. Traffic monitoring and anomaly detection based on simulation of luxembourg road network
CN111343147A (en) Network attack detection device and method based on deep learning
CN109462578A (en) Threat intelligence use and propagation method based on statistical learning
CN113641906A (en) System, method, device, processor and medium for realizing similar target person identification processing based on fund transaction relation data
Yeh et al. Merchant category identification using credit card transactions
CN114897085A (en) Clustering method based on closed subgraph link prediction and computer equipment
Jha et al. Criminal behaviour analysis and segmentation using k-means clustering
Wang et al. Early diagnosis of Parkinson's disease with Speech Pronunciation features based on XGBoost model
CN105930430B (en) Real-time fraud detection method and device based on non-accumulative attribute
Ramya et al. A review of different classification techniques in machine learning using WEKA for plant disease detection
CN113159976B (en) Identification method for important users of microblog network
CN104636636B (en) The long-range homology detection method of protein and device
CN115329838A (en) Attribute graph anomaly detection method considering class imbalance
Shahane et al. A Survey on Classification Techniques to Determine Fake vs. Real Identities on Social Media Platforms
CN114519605A (en) Advertisement click fraud detection method, system, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190927