CN110505630A - Wireless network intrusion detection method, device and electronic equipment - Google Patents

Wireless network intrusion detection method, device and electronic equipment

Info

Publication number: CN110505630A
Authority: CN (China)
Prior art keywords: cluster, current, characteristic value, similarity, data packet
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201910185364.4A
Other languages: Chinese (zh)
Inventors: 王滨, 万里, 叶长
Current assignee: Hangzhou Hikvision Digital Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Hangzhou Hikvision Digital Technology Co Ltd
Application filed by Hangzhou Hikvision Digital Technology Co Ltd; priority to CN201910185364.4A; publication of CN110505630A.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G06F18/23 Clustering techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud


Abstract

An embodiment of the invention provides a wireless network intrusion detection method, device and electronic equipment. The method includes: obtaining the current characteristic value of a preset network flow characteristic corresponding to the current data packet; performing a similarity calculation between the current characteristic value and the characteristic value of each pre-trained cluster class, obtaining multiple first similarity calculation results, one for each cluster class; determining, from the multiple first similarity calculation results, the cluster class to which the current characteristic value belongs; and, if the cluster class to which the current characteristic value belongs is marked as abnormal, determining that the wireless network has been intruded. In the embodiment of the invention, even when the intrusion pattern varies slightly, whether the wireless network has been intruded can still be determined from the first similarity between the current characteristic value and each cluster class, which improves the accuracy of intrusion detection.

Description

Wireless network intrusion detection method, device and electronic equipment
Technical field
The present invention relates to the technical field of network security, and in particular to a wireless network intrusion detection method, device and electronic equipment.
Background art
With the continuous development of network technology, wireless networks are used in ever wider scenarios, and more and more people access them through wireless terminals. Because a wireless network is an open system that connects and transmits using radio-frequency technology, any wireless terminal within the coverage area of the wireless signal can launch an attack against the network. Carrying out intrusion detection to guarantee the security of the wireless network is therefore extremely important.
Existing wireless network intrusion detection usually parses the data packet to be detected and then matches the features of the parsed packet against a preset feature database of abnormal data packets. If the parsed packet exactly matches some feature in the abnormal packet feature database, that is, the packet to be detected has a feature of an abnormal data packet, the packet to be detected is determined to be an abnormal data packet.
With this method, an abnormal data packet cannot be identified once the intrusion pattern varies even slightly, so the accuracy of wireless intrusion detection is not high.
Summary of the invention
An object of the embodiments of the present invention is to provide a wireless network intrusion detection method, device and electronic equipment that improve the accuracy of intrusion detection. The specific technical solution is as follows:
In a first aspect, an embodiment of the invention provides a wireless network intrusion detection method, the method comprising:
obtaining the current characteristic value of a preset network flow characteristic corresponding to the current data packet;
performing a similarity calculation between the current characteristic value and the characteristic value of each pre-trained cluster class, obtaining multiple first similarity calculation results, one for each cluster class; each cluster class is marked as normal or abnormal; the characteristic value of each cluster class is the characteristic value of the preset network flow characteristic corresponding to that cluster class, as determined during training;
determining, from the multiple first similarity calculation results, the cluster class to which the current characteristic value belongs;
if the cluster class to which the current characteristic value belongs is marked as abnormal, determining that the wireless network has been intruded.
Further, the step of obtaining the current characteristic value of the preset network flow characteristic corresponding to the current data packet comprises:
parsing the current data packet to obtain the characteristic value of the data features of the current data packet itself;
obtaining, for the multiple data packets received within a preset time before the current data packet was received, the statistical information of each specified frame, as the characteristic value of a time-based first network flow characteristic;
obtaining the statistical information of each specified access index within a preset number of accesses before the current data packet was received, and/or the statistical information of retransmitted data packets among a preset number of data packets received before the current data packet, as the characteristic value of a quantity-based second network flow characteristic;
taking the characteristic value of the data features of the current data packet itself, the characteristic value of the time-based first network flow characteristic and the characteristic value of the quantity-based second network flow characteristic together as the current characteristic value.
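As an added example (not the patent's own code), the following Python assembles the current characteristic value from a constructed packet trace in the three parts the steps above describe: the packet's own fields, per-frame-type counts over a preset time window, and the retransmission count over a preset number of preceding packets. The Packet fields, the set of specified frames and the window sizes are assumptions, since the text does not name them.

```python
"""Assembles the current characteristic value from a constructed packet trace.
Added example; the Packet fields, SPECIFIED_FRAMES and the window sizes are
assumptions, not values taken from the patent."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # receive time in seconds (constructed)
    frame_type: str      # assumed frame label, e.g. "beacon", "deauth", "data"
    length: int          # frame length in bytes
    retransmitted: bool  # retry flag set on the frame


SPECIFIED_FRAMES = ("beacon", "probe_req", "deauth", "data")  # assumed "specified frames"


def own_features(pkt: Packet) -> list[float]:
    """Characteristic value of the data packet itself: length plus a one-hot
    frame-type encoding (assumed choice of fields)."""
    return [float(pkt.length)] + [1.0 if pkt.frame_type == f else 0.0 for f in SPECIFIED_FRAMES]


def time_window_features(history: list[Packet], now: float, window_s: float) -> list[float]:
    """Time-based first characteristic: count of each specified frame received
    in the `window_s` seconds before `now`."""
    counts = Counter(p.frame_type for p in history if now - window_s <= p.ts < now)
    return [float(counts[f]) for f in SPECIFIED_FRAMES]


def count_window_features(history: list[Packet], n: int) -> list[float]:
    """Quantity-based second characteristic: retransmissions among the last `n`
    packets received before the current one."""
    return [float(sum(1 for p in history[-n:] if p.retransmitted))]


def current_characteristic_value(history: list[Packet], pkt: Packet,
                                 window_s: float = 1.0, n: int = 5) -> list[float]:
    """Concatenation of the three components, in the order the method lists them."""
    return (own_features(pkt)
            + time_window_features(history, pkt.ts, window_s)
            + count_window_features(history, n))


# Constructed trace of frames received before the packet under test.
HISTORY = [
    Packet(0.10, "beacon", 120, False), Packet(0.30, "data", 1400, False),
    Packet(0.45, "data", 1400, True),   Packet(0.60, "probe_req", 90, False),
    Packet(0.80, "data", 1380, False),  Packet(1.05, "beacon", 120, False),
    Packet(1.20, "data", 1400, True),   Packet(1.40, "deauth", 60, False),
]
CURRENT = Packet(1.50, "data", 1400, False)


def build_demo() -> list[float]:
    """Current characteristic value for CURRENT given HISTORY."""
    return current_characteristic_value(HISTORY, CURRENT)


if __name__ == "__main__":
    print(build_demo())
```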
Further, each cluster class is obtained by training with the following steps:
obtaining each sample characteristic value of the preset network flow characteristic corresponding to each sample data packet in a sample data packet set, to form a sample characteristic value set;
clustering the sample characteristic values in the sample characteristic value set according to the similarity between them, to obtain multiple cluster classes and the characteristic value of the preset network flow characteristic corresponding to each cluster class;
marking the cluster classes that satisfy a preset normal-cluster-class condition as normal and the cluster classes that do not satisfy it as abnormal.
Further, the step of obtaining each sample characteristic value of the preset network flow characteristic corresponding to each sample data packet in the sample data packet set, to form the sample characteristic value set, comprises:
obtaining each sample characteristic value of the preset network flow characteristic corresponding to each sample data packet in the sample data packet set;
normalizing each sample characteristic value to form the sample characteristic value set;
and before the step of performing the similarity calculation between the current characteristic value and the characteristic value of each pre-trained cluster class, the method further comprises:
normalizing the current characteristic value.
Further, the step of clustering the sample characteristic values in the sample characteristic value set according to their similarity, to obtain multiple cluster classes and the characteristic value of the preset network flow characteristic corresponding to each cluster class, comprises:
selecting the sample characteristic values in the sample characteristic value set one by one, each in turn as the current sample characteristic value, and performing the following steps:
judging whether the current cluster set is empty;
if the current cluster set is empty, creating a cluster class, recording its centroid as the current sample characteristic value, and adding the cluster class to the current cluster set;
if the current cluster set is not empty, performing a similarity calculation between the current sample characteristic value and the centroid of each cluster class already in the cluster set, obtaining multiple second similarity calculation results, one for each cluster class already in the current cluster set;
judging whether each second similarity result satisfies a preset similarity condition;
taking the cluster class whose second similarity calculation result satisfies the preset similarity condition as the cluster class to which the current sample characteristic value belongs, and adding the current sample characteristic value to that cluster class;
if no second similarity calculation result satisfies the preset similarity condition, creating a cluster class, recording its centroid as the current sample characteristic value, and adding the cluster class to the current cluster set;
recalculating the centroid of each cluster class in the current cluster set;
after every sample characteristic value in the sample characteristic value set has been clustered, taking the centroid of each cluster class in the cluster set as the characteristic value of the preset network flow characteristic corresponding to that cluster class.
Further, the step of performing the similarity calculation between the current sample characteristic value and the centroid of each cluster class already in the cluster set, to obtain the multiple second similarity calculation results for the cluster classes already in the current cluster set, comprises:
calculating the Euclidean distance between the current sample characteristic value and the centroid of each cluster class already in the cluster set, obtaining multiple second Euclidean distance values as the second similarity results;
and the step of judging whether each second similarity result satisfies the preset similarity condition comprises:
judging whether each second Euclidean distance value is less than a preset threshold; if it is, determining that the second similarity result satisfies the preset similarity condition, and if it is not, determining that it does not.
Further, the step of marking the cluster classes that satisfy the preset normal-cluster-class condition as normal and those that do not as abnormal comprises:
sorting the cluster classes in descending order by the number of sample characteristic values they contain;
marking the first preset number of cluster classes in that order as normal, these being the cluster classes that satisfy the preset normal-cluster-class condition, and marking the remaining cluster classes as abnormal, these being the cluster classes that do not satisfy the condition.
Further, the step of determining, from the multiple first similarity calculation results, the cluster class to which the current characteristic value belongs comprises:
judging whether each first similarity result satisfies the preset similarity condition;
taking the cluster class whose first similarity calculation result satisfies the preset similarity condition as the cluster class to which the current characteristic value belongs;
and the method further comprises:
if no first similarity calculation result satisfies the preset similarity condition, determining that the wireless network has been intruded.
Further, the step of performing the similarity calculation between the current characteristic value and the characteristic value of each pre-trained cluster class, to obtain the multiple first similarity calculation results for the cluster classes, comprises:
calculating the Euclidean distance between the current characteristic value and the centroid of each pre-trained cluster class, obtaining multiple first Euclidean distance values as the first similarity results;
and the step of judging whether each first similarity result satisfies the preset similarity condition comprises:
judging whether each first Euclidean distance value is less than a preset threshold; if it is, determining that the first similarity result satisfies the preset similarity condition, and if it is not, determining that it does not.
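As an added example covering both the training steps and the detection steps above (not the patent's own code), the following Python implements the single-pass threshold clustering with centroid recalculation, the size-based normal/abnormal marking, and the Euclidean-distance detection decision including the "no cluster within the threshold" case. Min-max normalization, joining the nearest cluster when several satisfy the threshold, and the feature vectors are assumptions.

```python
"""Threshold clustering and intrusion decision as described in the first aspect.
Added illustration; normalization scheme, nearest-cluster tie-breaking and the
training vectors are assumptions, not the patent's own values."""
from __future__ import annotations

import math
from dataclasses import dataclass, field


@dataclass
class Cluster:
    centroid: list[float]
    members: list[list[float]] = field(default_factory=list)
    normal: bool = False


def euclidean(a: list[float], b: list[float]) -> float:
    """Distance used for both the second (training) and first (detection) similarity."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fit_normalizer(samples: list[list[float]]) -> tuple[list[float], list[float]]:
    """Per-feature min and max over the sample set (assumed normalization scheme)."""
    dims = range(len(samples[0]))
    return [min(s[i] for s in samples) for i in dims], [max(s[i] for s in samples) for i in dims]


def normalize(vec: list[float], lo: list[float], hi: list[float]) -> list[float]:
    return [(v - mn) / (mx - mn) if mx > mn else 0.0 for v, mn, mx in zip(vec, lo, hi)]


def train_clusters(samples: list[list[float]], threshold: float) -> list[Cluster]:
    """Each sample joins the nearest cluster whose centroid is within `threshold`
    or seeds a new cluster; every centroid is recomputed after each sample."""
    clusters: list[Cluster] = []
    for s in samples:
        if not clusters:
            clusters.append(Cluster(centroid=list(s), members=[s]))
        else:
            dists = [euclidean(s, c.centroid) for c in clusters]   # second similarity
            best = min(range(len(clusters)), key=dists.__getitem__)
            if dists[best] < threshold:                            # condition satisfied
                clusters[best].members.append(s)
            else:                                                  # no cluster close enough
                clusters.append(Cluster(centroid=list(s), members=[s]))
        for c in clusters:                                         # recompute centroids
            c.centroid = [sum(m[i] for m in c.members) / len(c.members)
                          for i in range(len(c.centroid))]
    return clusters


def label_clusters(clusters: list[Cluster], normal_count: int) -> list[Cluster]:
    """Descending sort by member count; the first `normal_count` are marked normal."""
    ranked = sorted(clusters, key=lambda c: len(c.members), reverse=True)
    for i, c in enumerate(ranked):
        c.normal = i < normal_count
    return ranked


def build_model(raw_samples, threshold, normal_count):
    lo, hi = fit_normalizer(raw_samples)
    clusters = train_clusters([normalize(s, lo, hi) for s in raw_samples], threshold)
    return lo, hi, label_clusters(clusters, normal_count)


def detect(raw_current, lo, hi, clusters, threshold):
    """Returns (intrusion, cluster_index). No centroid within `threshold` is
    itself an intrusion, in which case cluster_index is None."""
    current = normalize(raw_current, lo, hi)                       # normalized first
    dists = [euclidean(current, c.centroid) for c in clusters]     # first similarity
    best = min(range(len(clusters)), key=dists.__getitem__)
    if dists[best] >= threshold:
        return True, None
    return (not clusters[best].normal), best


# Constructed training vectors: (frame length, management frames in the preceding
# window, retransmissions among the last N packets). The two small-frame,
# management-heavy rows stand in for a flood-like pattern.
TRAINING_SET = [
    [1200, 10, 2], [1180, 11, 1], [60, 500, 40], [1220, 9, 3],
    [1210, 10, 2], [64, 510, 42], [1190, 12, 2], [1200, 10, 1],
]
THRESHOLD = 0.3        # preset threshold, in normalized feature space
NORMAL_CLUSTERS = 1    # preset number of largest clusters marked normal


def run_demo():
    lo, hi, clusters = build_model(TRAINING_SET, THRESHOLD, NORMAL_CLUSTERS)
    verdicts = {
        "typical": detect([1205, 10, 2], lo, hi, clusters, THRESHOLD),     # normal cluster
        "flood_like": detect([62, 505, 41], lo, hi, clusters, THRESHOLD),  # abnormal cluster
        "unseen": detect([600, 250, 20], lo, hi, clusters, THRESHOLD),     # no cluster at all
    }
    return len(clusters), verdicts


if __name__ == "__main__":
    for name, verdict in run_demo()[1].items():
        print(name, verdict)
```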
In a second aspect, an embodiment of the invention provides a wireless network intrusion detection device, the device comprising:
a current characteristic value acquisition module, for obtaining the current characteristic value of the preset network flow characteristic corresponding to the current data packet;
a first similarity calculation module, for performing a similarity calculation between the current characteristic value and the characteristic value of each pre-trained cluster class, obtaining multiple first similarity calculation results, one for each cluster class; each cluster class is marked as normal or abnormal, and the characteristic value of each cluster class is the characteristic value of the preset network flow characteristic corresponding to that cluster class, as determined during training;
a current characteristic value class determination module, for determining, from the multiple first similarity calculation results, the cluster class to which the current characteristic value belongs;
a first intrusion determination module, for determining that the wireless network has been intruded when the cluster class to which the current characteristic value belongs is marked as abnormal.
Further, the current characteristic value acquisition module comprises: a packet-own characteristic value acquisition submodule, a first network flow characteristic value acquisition submodule, a second network flow characteristic value acquisition submodule and a current characteristic value acquisition submodule;
the packet-own characteristic value acquisition submodule is for parsing the current data packet to obtain the characteristic value of the data features of the current data packet itself;
the first network flow characteristic value acquisition submodule is for obtaining, for the multiple data packets received within a preset time before the current data packet was received, the statistical information of each specified frame, as the characteristic value of the time-based first network flow characteristic;
the second network flow characteristic value acquisition submodule is for obtaining the statistical information of each specified access index within a preset number of accesses before the current data packet was received, and/or the statistical information of retransmitted data packets among a preset number of data packets received before the current data packet, as the characteristic value of the quantity-based second network flow characteristic;
the current characteristic value acquisition submodule is for taking the characteristic value of the data features of the current data packet itself, the characteristic value of the time-based first network flow characteristic and the characteristic value of the quantity-based second network flow characteristic together as the current characteristic value.
Further, the device also comprises:
a sample characteristic value set acquisition module, for obtaining each sample characteristic value of the preset network flow characteristic corresponding to each sample data packet in the sample data packet set, to form the sample characteristic value set;
a cluster class and characteristic value acquisition module, for clustering the sample characteristic values in the sample characteristic value set according to the similarity between them, to obtain multiple cluster classes and the characteristic value of the preset network flow characteristic corresponding to each cluster class;
a cluster class marking module, for marking the cluster classes that satisfy the preset normal-cluster-class condition as normal and those that do not as abnormal.
Further, the sample characteristic value set acquisition module is specifically for obtaining each sample characteristic value of the preset network flow characteristic corresponding to each sample data packet in the sample data packet set, and normalizing each sample characteristic value to form the sample characteristic value set;
the device further comprises a current characteristic value normalization module;
the current characteristic value normalization module is for normalizing the current characteristic value before the first similarity calculation module performs the similarity calculation between the current characteristic value and the characteristic value of each pre-trained cluster class.
Further, the cluster class and characteristic value acquisition module comprises: a sample characteristic value selection submodule, a cluster set judging submodule, a first cluster class creation submodule, a second similarity calculation submodule, a first condition judging submodule, a current sample characteristic value class determination submodule, a second cluster class creation submodule, a centroid calculation submodule and a cluster class characteristic value determination submodule;
the sample characteristic value selection submodule is for selecting the sample characteristic values in the sample characteristic value set one by one, each in turn as the current sample characteristic value, and triggering the following submodules:
the cluster set judging submodule is for judging whether the current cluster set is empty;
the first cluster class creation submodule is for, when the current cluster set is empty, creating a cluster class, recording its centroid as the current sample characteristic value, and adding the cluster class to the current cluster set;
the second similarity calculation submodule is for, when the current cluster set is not empty, performing a similarity calculation between the current sample characteristic value and the centroid of each cluster class already in the cluster set, obtaining multiple second similarity calculation results, one for each cluster class already in the current cluster set;
the first condition judging submodule is for judging whether each second similarity result satisfies the preset similarity condition;
the current sample characteristic value class determination submodule is for taking the cluster class whose second similarity calculation result satisfies the preset similarity condition as the cluster class to which the current sample characteristic value belongs, and adding the current sample characteristic value to that cluster class;
the second cluster class creation submodule is for, if no second similarity calculation result satisfies the preset similarity condition, creating a cluster class, recording its centroid as the current sample characteristic value, and adding the cluster class to the current cluster set;
the centroid calculation submodule is for recalculating the centroid of each cluster class in the current cluster set;
the cluster class characteristic value determination submodule is for, after every sample characteristic value in the sample characteristic value set has been clustered, taking the centroid of each cluster class in the cluster set as the characteristic value of the preset network flow characteristic corresponding to that cluster class.
Further, the second similarity calculation submodule is specifically for calculating the Euclidean distance between the current sample characteristic value and the centroid of each cluster class already in the cluster set, obtaining multiple second Euclidean distance values as the second similarity results;
the first condition judging submodule is specifically for judging whether each second Euclidean distance value is less than the preset threshold; if it is, determining that the second similarity result satisfies the preset similarity condition, and if it is not, determining that it does not.
Further, the cluster class marking module is specifically for sorting the cluster classes in descending order by the number of sample characteristic values they contain; marking the first preset number of cluster classes in that order as normal, these being the cluster classes that satisfy the preset normal-cluster-class condition; and marking the remaining cluster classes as abnormal, these being the cluster classes that do not satisfy the condition.
Further, the current characteristic value class determination module comprises: a second condition judging submodule and a current characteristic value class determination submodule;
the second condition judging submodule is for judging whether each first similarity result satisfies the preset similarity condition;
the current characteristic value class determination submodule is for taking the cluster class whose first similarity calculation result satisfies the preset similarity condition as the cluster class to which the current characteristic value belongs;
the device further comprises:
a second intrusion determination module, for determining that the wireless network has been intruded if no first similarity calculation result satisfies the preset similarity condition.
Further, the first similarity calculation module is specifically for calculating the Euclidean distance between the current characteristic value and the centroid of each pre-trained cluster class, obtaining multiple first Euclidean distance values as the first similarity results;
the second condition judging submodule is specifically for judging whether each first Euclidean distance value is less than the preset threshold; if it is, determining that the first similarity result satisfies the preset similarity condition, and if it is not, determining that it does not.
In a third aspect, an embodiment of the invention provides an electronic device comprising a processor and a memory, wherein
the memory is for storing a computer program;
the processor is for implementing any of the wireless network intrusion detection methods described above when executing the program stored in the memory.
In a fourth aspect, an embodiment of the invention also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute any of the wireless network intrusion detection methods described above.
The wireless network intrusion detection method, device and electronic equipment provided by the embodiments of the invention obtain the current characteristic value of the preset network flow characteristic corresponding to the current data packet; perform a similarity calculation between the current characteristic value and the characteristic value of each pre-trained cluster class, obtaining multiple first similarity calculation results, one for each cluster class, where each cluster class was marked as normal or abnormal during training and the characteristic value of each cluster class is the characteristic value of the preset network flow characteristic corresponding to that cluster class, as determined during training; determine, from the multiple first similarity calculation results, the cluster class to which the current characteristic value belongs; and, if that cluster class is marked as abnormal, determine that the wireless network has been intruded. In the embodiments of the invention, whether the wireless network has been intruded is not decided by whether the packet to be detected carries an abnormal-packet feature; instead, the first similarity between the current characteristic value of the preset network flow characteristic and the pre-trained cluster classes is calculated, the first similarity decides whether the value belongs to a cluster class marked as abnormal, and from that it is determined whether the wireless network has been intruded. Therefore, even when the intrusion pattern varies slightly, whether the wireless network has been intruded can still be determined from the first similarity between the current characteristic value and each cluster class, which improves the accuracy of intrusion detection.
Of course, implementing any product or method of the invention does not necessarily require achieving all of the above advantages at the same time.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a wireless network intrusion detection method provided by an embodiment of the invention;
Fig. 2 is a flow diagram of a training process for the cluster classes provided by an embodiment of the invention;
Fig. 3 is another flow diagram of a wireless network intrusion detection method provided by an embodiment of the invention;
Fig. 4 is another flow diagram of a training process for the cluster classes provided by an embodiment of the invention;
Fig. 5 is a structural diagram of a wireless network intrusion detection device provided by an embodiment of the invention;
Fig. 6 is a diagram of the internal structure of the training module that trains the cluster classes, provided by an embodiment of the invention;
Fig. 7 is a structural diagram of an electronic device provided by an embodiment of the invention.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every other Embodiment shall fall within the protection scope of the present invention.
In order to improve the accuracy of intrusion detection, the embodiment of the invention provides a kind of wireless network intrusion detection method, Device and electronic equipment, are described in detail separately below.
Referring to Fig. 1, Fig. 1 is a kind of flow diagram of wireless network intrusion detection method provided in an embodiment of the present invention, Specifically comprise the following steps:
Step 101: obtain the current characteristic value of the preset network flow characteristic corresponding to the current data packet.
After a wireless network has been invaded, abnormal network flow may appear, and the features of abnormal network flow differ significantly from those of normal network flow. Therefore, whether the wireless network has been invaded can be determined from the features of the network flow. Specifically, the network flow characteristics may include wireless network traffic features determined by the wireless network communication protocol and network flow features determined by already known wireless network invasion modes.
In the embodiment of the present invention, the preset network flow characteristics may specifically include: the data characteristics of the data packet itself, a time-based first network traffic characteristic computed over the period before the data packet is received, and a quantity-based second network flow characteristic.
Step 102: perform a similarity calculation between the current characteristic value and the characteristic value of each cluster class trained in advance, obtaining multiple first similarity calculation results, one for each cluster class.
The characteristic value of each cluster class is the characteristic value of the preset network flow characteristic corresponding to that cluster class, as determined during the training process. In addition, in the embodiment of the present invention each cluster class is marked as normal or abnormal.
The similarity between the current characteristic value and the characteristic value of each cluster class trained in advance can be characterized by the distance between the two, for example the Euclidean distance, the Mahalanobis distance or the Chebyshev distance. The way in which the similarity between the current characteristic value and the characteristic value of each cluster class is computed is not limited here.
Step 103: determine the cluster class to which the current characteristic value belongs according to the multiple first similarity calculation results.
In this step, the current characteristic value can be attributed to the cluster class with the highest first similarity value, or to a cluster class whose similarity exceeds a certain preset threshold; this is not limited here.
Step 104: if the cluster class to which the current characteristic value belongs is marked as abnormal, determine that the wireless network has been invaded.
As can be seen from the above embodiment, with the embodiment of the present invention, even when the invasion mode varies slightly, whether the wireless network has been invaded can still be determined from the first similarity between the current characteristic value and each cluster class, which improves the accuracy of intrusion detection.
Referring to Fig. 2, the training process of each cluster class in step 102 can specifically include the following steps:
Step 201: obtain the sample characteristic value of the preset network flow characteristic corresponding to each sample data packet in the sample data packet set, and form the sample characteristic value set from these values.
The sample data packets included in the sample data packet set are chosen from the historical network flow of the wireless network. The method of obtaining the sample characteristic value of a sample data packet is the same as the method of obtaining the current characteristic value of the current data packet in step 101; the difference is that the sample characteristic value is obtained from a historical sample data packet rather than from the current data packet.
Step 202: cluster each sample characteristic value in the sample characteristic value set based on the similarity between the sample characteristic values, obtaining multiple cluster classes and the characteristic value of the preset network flow characteristic corresponding to each cluster class.
As in step 102, in this step the similarity between sample characteristic values can be characterized by the distance between them, for example the Euclidean distance, the Mahalanobis distance or the Chebyshev distance; the way in which the similarity is computed is not limited here.
Step 203: mark the cluster classes that meet the preset normal-cluster-class condition as normal, and mark the cluster classes that do not meet the preset normal-cluster-class condition as abnormal.
Specifically, the normal-cluster-class condition can be set based on the number of sample data packets in each cluster class or on the ratio of normal to abnormal packets; it can also be determined by network maintenance staff according to experience and certain attribute information of the sample data packets in each cluster class. This is not limited here.
As can be seen from the above embodiment, in the embodiment of the present invention, during training the sample characteristic values in the sample characteristic value set are clustered according to the similarity between the characteristic values of the samples, and the cluster classes obtained after clustering are marked according to the preset normal-cluster-class condition, so that the marked cluster classes include normal cluster classes and abnormal cluster classes. When intrusion detection needs to be performed, the current data packet is classified based on the similarity between the current data packet and the characteristic value of each cluster class, and whether there is a wireless network invasion is then judged according to whether the cluster class to which the current data packet belongs is normal. This can improve the accuracy of wireless network intrusion detection.
Compared with a traditional wired network based on the TCP/IP protocol, the access, authentication and transmission processes of a wireless network are all based on the 802.11 protocol, and common wireless network invasion modes mainly include wireless network sniffing, denial-of-service attacks, replay attacks, key reinstallation and brute-force cracking. Therefore, in the embodiment of the present invention, the preset network flow characteristics can be determined based on the communication protocol of the wireless network and the already known wireless network invasion modes.
First, according to the communication protocol and the different wireless invasion modes, the following features are determined to be needed:
One, the feature determined according to the communication protocol of the wireless network, which can specifically include: whether the management frame format is malformed.
Two, the features determined according to wireless network sniffing, which can specifically include:
1, the number of probe frames that appeared in the preset time period before the time of receiving the current data packet;
2, the number of authentication frames that appeared in the preset time period before the time of receiving the current data packet;
3, the number of disassociation frames that appeared in the preset time period before the time of receiving the current data packet.
Three, the features determined according to denial-of-service attacks, which can specifically include:
1, the number of probe frames that appeared in the preset time period before the time of receiving the current data packet;
2, the number of authentication frames that appeared in the preset time period before the time of receiving the current data packet;
3, the number of deauthentication frames that appeared in the preset time period before the time of receiving the current data packet;
4, the number of disassociation frames that appeared in the preset time period before the time of receiving the current data packet;
5, the number of disassociation frames that appeared in the preset time period before the time of receiving the current data packet;
6, in the preset number of access procedures before the time of receiving the current data packet, the number of times the same physical address as the physical address of the terminal corresponding to the current data packet appeared.
Four, the features determined according to replay attacks, which can specifically include:
1, whether the data packet is replayed;
2, in the preset number of data packets before the time of receiving the current data packet, the number that are replayed data packets.
Five, the features determined according to key reinstallation, which can specifically include:
1, pairwise temporal key (PTK) reinstallation;
2, group temporal key (GTK) reinstallation.
Six, the features determined according to brute-force cracking, which can specifically include:
1, in the preset number of access procedures before the time of receiving the current data packet, the number of access failures;
2, the number of probe frames that appeared in the preset time period before the time of receiving the current data packet;
3, the number of authentication frames that appeared in the preset time period before the time of receiving the current data packet;
4, the number of disassociation frames that appeared in the preset time period before the time of receiving the current data packet.
These features are then classified and summarized into three categories: the data characteristics of the data packet itself, the time-based first network traffic characteristic computed over the period before the data packet is received, and the quantity-based second network flow characteristic.
Referring to Fig. 3, Fig. 3 is another flow diagram of the wireless network intrusion detection method provided in an embodiment of the present invention; the specific steps may include:
Step 301: parse the current data packet to obtain the characteristic value of the data characteristics of the current data packet itself.
Specifically, the data characteristics of the current data packet itself may include:
whether a pairwise temporal key (PTK) reinstallation is present, discrete, range [0,1];
whether a group temporal key (GTK) reinstallation is present, discrete, range [0,1];
whether the packet is a replayed data packet, discrete, range [0,1];
whether the management frame format is malformed, discrete, range [0,1].
For the above features, the corresponding characteristic values are determined as follows:
when a PTK reinstallation is present, the characteristic value of the feature "whether a PTK reinstallation is present" is 1, otherwise 0;
when a GTK reinstallation is present, the characteristic value of the feature "whether a GTK reinstallation is present" is 1, otherwise 0;
when the packet is a replayed data packet, the characteristic value of the feature "whether the packet is a replayed data packet" is 1, otherwise 0;
when the management frame format is malformed, the characteristic value of the feature "whether the management frame format is malformed" is 1, otherwise 0.
Step 302: obtain, among the multiple data packets received in the preset time before the current data packet was received, the statistical information of each designated frame, as the characteristic value of the time-based first network traffic characteristic.
Specifically, the first network traffic characteristic may include:
number of probe frames in the past 2 seconds, discrete, range [0, ∞];
number of authentication frames in the past 2 seconds, discrete, range [0, ∞];
number of deauthentication frames in the past 2 seconds, discrete, range [0, ∞];
number of disassociation frames in the past 2 seconds, discrete, range [0, ∞];
number of disassociation frames in the past 2 seconds, discrete, range [0, ∞].
Step 303: obtain the statistical information of each designated access index over the preset number of accesses before the current data packet was received, and/or the statistical information of retransmitted data packets among the preset number of data packets received before the current data packet, as the characteristic value of the quantity-based second network flow characteristic.
Specifically, the second network flow characteristic may include:
number of authentication failures in the previous 100 accesses, discrete, range [0,100];
number of connections with the same MAC address as the current one in the previous 100 accesses, discrete, range [0,100];
number of replayed data packets in the previous 100 data packets, discrete, range [0,100].
Step 304: take the characteristic value of the data characteristics of the current data packet itself, the characteristic value of the time-based first network traffic characteristic and the characteristic value of the quantity-based second network flow characteristic together as the current characteristic value.
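As an added illustration of steps 301 to 304 (example code written for this page, not code from the patent or from the applicant), the following Python builds the current characteristic value from a constructed log of already parsed frames. The `Frame` record, its per-frame flags, the event names and the sample log are all assumptions; the time window and the access and packet counts follow the 2-second and 100-item values given above, and the two disassociation-frame entries in the step 302 list are counted as one counter.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed frame records standing in for parsed 802.11 frames (not captured traffic).
# The per-frame flags (replay, malformed, PTK/GTK reinstallation) are assumed to have been
# decided by an earlier parsing stage; this example only builds the feature vector from them.
@dataclass
class Frame:
    t: float                        # receive time in seconds
    kind: str                       # 'probe', 'auth', 'deauth', 'disassoc' or 'data'
    mac: str                        # transmitter MAC address
    replay: bool = False            # packet identified as a replay
    malformed: bool = False         # management frame format malformed
    ptk_reinstall: bool = False     # pairwise temporal key reinstalled
    gtk_reinstall: bool = False     # group temporal key reinstalled
    auth_ok: Optional[bool] = None  # for 'auth' frames: whether the access succeeded

WINDOW_S = 2.0   # "past 2 seconds" window of step 302
ACCESS_N = 100   # "previous 100 accesses" of step 303
PACKET_N = 100   # "previous 100 data packets" of step 303

def feature_vector(history: List[Frame], current: Frame) -> List[int]:
    """Return the current characteristic value of steps 301-304 as one integer vector:
    [PTK reinstall, GTK reinstall, replay, malformed,          # step 301: packet itself
     probes, auths, deauths, disassocs in the last WINDOW_S,   # step 302: time-based
     auth failures, same-MAC accesses, replays in last N]      # step 303: quantity-based
    `history` holds the frames received before `current`, sorted by time."""
    own = [int(current.ptk_reinstall), int(current.gtk_reinstall),
           int(current.replay), int(current.malformed)]
    recent = [f for f in history if 0.0 <= current.t - f.t <= WINDOW_S]
    timed = [sum(1 for f in recent if f.kind == k)
             for k in ("probe", "auth", "deauth", "disassoc")]
    accesses = [f for f in history if f.kind == "auth"][-ACCESS_N:]
    last_packets = history[-PACKET_N:]
    counted = [sum(1 for f in accesses if f.auth_ok is False),
               sum(1 for f in accesses if f.mac == current.mac),
               sum(1 for f in last_packets if f.replay)]
    return own + timed + counted

def build_sample_log():
    """Constructed history: one benign station authenticating every 0.5 s for a minute,
    then a second station sending a short burst of probes, deauthentications and failed
    authentications just before the current (replayed) data frame at t = 61 s."""
    frames = [Frame(0.5 * i, "auth", "aa:aa:aa:aa:aa:01", auth_ok=True) for i in range(120)]
    frames += [Frame(60.1 + 0.1 * i, "probe", "bb:bb:bb:bb:bb:02") for i in range(6)]
    frames += [Frame(60.5 + 0.1 * i, "deauth", "bb:bb:bb:bb:bb:02") for i in range(3)]
    frames += [Frame(60.8 + 0.02 * i, "auth", "bb:bb:bb:bb:bb:02", auth_ok=False)
               for i in range(4)]
    frames.sort(key=lambda f: f.t)
    current = Frame(61.0, "data", "bb:bb:bb:bb:bb:02", replay=True)
    return frames, current

if __name__ == "__main__":
    hist, cur = build_sample_log()
    print(feature_vector(hist, cur))
```

The frame-level flags are taken as already decided by the parser, since the page does not say how they are derived; the example's contribution is the windowed and last-N counting that produces the rest of the vector, and the two window counters show why a burst of management frames from one station drives several features at once.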
Step 305: normalize the current characteristic value.
Since the characteristic values corresponding to different network flow characteristics may differ greatly (for example, the characteristic value of the feature "whether the data packet is replayed" is 0 or 1, while the characteristic value of "the number of access failures in the previous 100 access procedures before the time of receiving the current data packet" can be as large as 100), the current characteristic value can be normalized after it is obtained, so that the weight of each feature in the intrusion detection judgment is more reasonable.
Specifically, normalization can be performed by the following formula:
V'(i) = (V(i) - avg_vector(i)) / std_vector(i)
where V'(i) is the i-th element of the characteristic value after normalization; V(i) is the i-th element of the characteristic value before normalization; avg_vector(i) is the average of the i-th column of the characteristic value matrix corresponding to the sample data packet set; and std_vector(i) is the variance of the i-th column of the characteristic value matrix corresponding to the sample data packet set.
Step 306: calculate the Euclidean distance between the normalized current characteristic value and the centroid of each cluster class trained in advance, obtaining multiple first Euclidean distance values as the first similarity results.
Step 307: judge whether each first Euclidean distance value is less than the preset threshold; if it is less, determine that the first similarity result meets the preset similarity condition; if it is not less, determine that the first similarity result does not meet the preset similarity condition.
Step 308: judge whether there is a first similarity that meets the preset condition. If there is none, execute step 309; if there is, execute step 310.
Step 309: determine that the wireless network has been invaded.
In this embodiment, when there is no first similarity that meets the preset condition, the characteristic value of the current data packet has a low degree of similarity with the characteristic value of every cluster class, and at this point it can be determined that the wireless network has been invaded.
Step 310: take the cluster class whose first similarity calculation result meets the preset similarity condition as the cluster class to which the current characteristic value belongs.
Step 311: if the cluster class to which the current characteristic value belongs is marked as abnormal, determine that the wireless network has been invaded.
In this embodiment, the current data packet is parsed to obtain the characteristic value of the data characteristics of the current data packet itself; the statistical information of each designated frame among the multiple data packets received in the preset time before the current data packet was received is obtained as the characteristic value of the time-based first network traffic characteristic; and the statistical information of each designated access index over the preset number of accesses before the current data packet was received, and/or the statistical information of retransmitted data packets among the preset number of data packets received before the current data packet, is obtained as the characteristic value of the quantity-based second network flow characteristic. After the first similarity of the current characteristic value to each cluster class is calculated, the cluster class to which the current characteristic value belongs is determined from those first similarities, and from that whether the wireless network has been invaded. Even when the invasion mode varies slightly, whether the wireless network has been invaded can still be determined from the first similarity between the current characteristic value and each cluster class, which improves the accuracy of intrusion detection.
In addition, in this embodiment, when there is no first similarity that meets the preset condition it can be directly determined that the wireless network has been invaded, which further improves the accuracy of intrusion detection.
Referring to Fig. 4, in the wireless network intrusion detection method shown in Fig. 3, the training process of each cluster class can specifically include the following steps:
Step 401: obtain the sample characteristic value of the preset network flow characteristic corresponding to each sample data packet in the sample data packet set.
In a specific implementation, all of the preset network flow characteristics listed above can be chosen, or only some of them, for training and intrusion detection.
For example, suppose there are 5 sample data packets in the sample data packet set and three preset network flow characteristics, namely: 1, whether the data packet is replayed; 2, the number of disassociation frames in the 2 s before the current data packet was received; 3, the number of authentication failures in the previous 100 accesses of the wireless access point before the current data packet was received.
The first sample data packet is not a replayed data packet; 1 disassociation frame appeared in the 2 s before it was received; and there were 0 authentication failures in the previous 100 accesses of the wireless access point. The second sample data packet is not a replayed data packet; 1 disassociation frame appeared in the 2 s before it was received; and there were 0 authentication failures in the previous 100 accesses. The third sample data packet is a replayed data packet; 5 disassociation frames appeared in the 2 s before it was received; and there were 0 authentication failures in the previous 100 accesses. The fourth sample data packet is not a replayed data packet; 6 disassociation frames appeared in the 2 s before it was received; and there were 0 authentication failures in the previous 100 accesses. The fifth sample data packet is a replayed data packet; 7 disassociation frames appeared in the 2 s before it was received; and there were 0 authentication failures in the previous 100 accesses. Thus the sample characteristic value of the first sample data packet is (0,1,0), that of the second is (0,1,0), that of the third is (1,5,0), that of the fourth is (0,6,0) and that of the fifth is (1,7,0). The characteristic values corresponding to the sample data packet set therefore form a characteristic value set of 5 rows and 3 columns:
      Vx(1)  Vx(2)  Vx(3)
V1      0      1      0
V2      0      1      0
V3      1      5      0
V4      0      6      0
V5      1      7      0
Step 402: normalize each sample characteristic value to form the sample characteristic value set.
Each sample characteristic value is normalized using the following formulas:
avg_vector(j) = Σ_i Vi(j) / N
Vi'(j) = (Vi(j) - avg_vector(j)) / std_vector(j)
where avg_vector(j) is the average of the j-th column of the characteristic value set before normalization; std_vector(j) is the variance of the j-th column of the characteristic value set before normalization; Vi(j) is the element in row i, column j of the characteristic value set before normalization; Vi'(j) is the element in row i, column j of the characteristic value set after normalization; and N is the number of sample data packets.
Taking the sample data packets in step 401 as an example, after normalization by the above formulas the characteristic value set corresponding to the sample data packet set is as follows:
Step 403: select a sample characteristic value that has not yet been selected from the sample characteristic value set as the current sample characteristic value.
Step 404: judge whether the current cluster set is empty. If so, execute step 405; if not, execute step 406.
Step 405: create a cluster class, record its centroid as the current sample characteristic value, and add the cluster class to the current cluster set. Then execute step 411.
Step 406: calculate the Euclidean distance between the current sample characteristic value and the centroid of each cluster class already in the cluster set, obtaining multiple second Euclidean distance values as the second similarity results.
Step 407: judge whether each second Euclidean distance value is less than the preset threshold; if it is less, determine that the second similarity result meets the preset similarity condition; if it is not less, determine that the second similarity result does not meet the preset similarity condition.
Step 408: judge whether there is a second similarity that meets the preset condition. If there is none, execute step 409; if there is, execute step 410.
Step 409: create a cluster class, record its centroid as the current sample characteristic value, and add the cluster class to the current cluster set. Then execute step 411.
Specifically, for each cluster in the non-empty current cluster set S, the Euclidean distance d between the current sample characteristic value v and the centroid of that cluster is calculated, and the cluster C with the smallest d is found. If d ≤ the preset threshold W, v is added to C; otherwise a new cluster {v} with centroid v is created and added to S, where W is the preset cluster width.
Step 410: take the cluster class whose second similarity calculation result meets the preset similarity condition as the cluster class to which the current sample characteristic value belongs, and add the current sample characteristic value to that cluster class.
Step 411: recalculate the centroid of each cluster class in the current cluster set.
The average of the characteristic values of all sample data packets contained in a cluster class can be used as the centroid of that cluster class.
Step 412: judge whether there is a sample characteristic value in the sample characteristic value set that has not yet been selected. If there is, return to step 403; if not, execute step 413.
Step 413: after all sample characteristic values in the sample characteristic value set have been clustered, take the centroid of each cluster class in the cluster set as the characteristic value of the preset network flow characteristic corresponding to that cluster class.
Step 414: sort the cluster classes in descending order according to the number of sample characteristic values in each cluster class.
Step 415: mark the first preset number of cluster classes in that order as normal, these being the cluster classes that meet the preset normal-cluster-class condition; mark the remaining cluster classes as abnormal, these being the cluster classes that do not meet the preset normal-cluster-class condition.
The preset number in this step can be obtained in several ways. For example, it can be calculated from a pre-set ratio value and the total number of cluster classes after clustering is complete, each cluster class has been obtained and the cluster classes have been sorted in descending order; it can also be a value preset by a technical expert according to experience. The way the preset number is determined is not limited here.
By clustering the sample characteristic values in the sample characteristic value set according to the similarity between the characteristic values of the samples, and marking the cluster classes obtained after clustering according to the preset normal-cluster-class condition, the marked cluster classes include normal cluster classes and abnormal cluster classes. When intrusion detection needs to be performed, the current data packet is classified based on its similarity to the characteristic value of each cluster class, and whether there is a wireless network invasion is then judged according to whether the cluster class to which the current data packet belongs is normal, which can improve the accuracy of wireless network intrusion detection.
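The following Python example, added here and not part of the patent, runs the training procedure of steps 401 to 415 on the 5 x 3 sample matrix from step 401 and then performs the detection of steps 305 to 311 on a few constructed current characteristic values. It reads the divisor std_vector(j) as the population standard deviation and maps a column with zero spread (the third column of the sample matrix, which would otherwise divide by zero) to 0; the cluster width W = 2.0 and the preset number of normal clusters (1) are chosen for the illustration, and cluster membership uses the d ≤ W rule stated under step 409 for both training and detection. All of these choices are assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import List

# Constructed 5 x 3 sample matrix from step 401 (columns: replayed?, disassociation frames
# in the last 2 s, authentication failures in the previous 100 accesses).
SAMPLE_MATRIX = [
    [0, 1, 0],
    [0, 1, 0],
    [1, 5, 0],
    [0, 6, 0],
    [1, 7, 0],
]

def column_stats(matrix):
    """avg_vector(j) and std_vector(j) over the sample set (step 402); the divisor is read
    as the population standard deviation (assumption)."""
    n = len(matrix)
    cols = list(zip(*matrix))
    means = [sum(c) / n for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / n) for c, m in zip(cols, means)]
    return means, stds

def normalize(vector, means, stds):
    """Vi'(j) = (Vi(j) - avg_vector(j)) / std_vector(j). A column with zero spread (the
    third column above) would divide by zero; it is mapped to 0 instead (assumption)."""
    return [(x - m) / s if s > 0 else 0.0 for x, m, s in zip(vector, means, stds)]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

@dataclass
class Cluster:
    centroid: List[float]
    members: List[List[float]] = field(default_factory=list)
    normal: bool = False

def train_clusters(samples, width, normal_count):
    """Steps 403-415: single-pass clustering with cluster width W, then labelling."""
    clusters = []
    for v in samples:                                                    # steps 403, 412
        nearest = None
        if clusters:                                                     # step 404
            nearest = min(clusters, key=lambda c: euclid(v, c.centroid))  # step 406
            if euclid(v, nearest.centroid) > width:                      # steps 407-408
                nearest = None
        if nearest is None:                                              # steps 405, 409
            clusters.append(Cluster(centroid=list(v), members=[v]))
        else:                                                            # step 410
            nearest.members.append(v)
        for c in clusters:                                               # step 411
            c.centroid = [sum(col) / len(c.members) for col in zip(*c.members)]
    clusters.sort(key=lambda c: len(c.members), reverse=True)            # step 414
    for rank, c in enumerate(clusters):                                  # step 415
        c.normal = rank < normal_count
    return clusters

def detect(current, clusters, means, stds, width):
    """Steps 305-311 for one current characteristic value. Returns (intrusion?, reason)."""
    v = normalize(current, means, stds)                                  # step 305
    nearest = min(clusters, key=lambda c: euclid(v, c.centroid))         # step 306
    if euclid(v, nearest.centroid) > width:                              # steps 307-309
        return True, "no cluster within the preset width"
    if not nearest.normal:                                               # steps 310-311
        return True, "nearest cluster is marked abnormal"
    return False, "normal"

if __name__ == "__main__":
    means, stds = column_stats(SAMPLE_MATRIX)
    normalized = [normalize(row, means, stds) for row in SAMPLE_MATRIX]
    clusters = train_clusters(normalized, width=2.0, normal_count=1)
    for c in clusters:
        print(len(c.members), "normal" if c.normal else "abnormal",
              [round(x, 3) for x in c.centroid])
    for packet in ([0, 1, 0], [1, 6, 0], [0, 20, 0]):
        print(packet, detect(packet, clusters, means, stds, 2.0))
```

With these settings the two replayed samples (V3 and V5) end up in the smaller cluster, which is marked abnormal, while V1, V2 and V4 form the larger, normal cluster; a current packet carrying a replay flag with six disassociation frames lands on the abnormal centroid and is reported under step 311, while one far from every centroid is reported under step 309.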
Based on the same inventive concept, and corresponding to the wireless network intrusion detection method provided in the above embodiments of the present invention, an embodiment of the present invention further provides a wireless network intrusion detection device, whose structural schematic diagram is shown in Fig. 5, comprising:
a current characteristic value obtaining module 501, for obtaining the current characteristic value of the preset network flow characteristic corresponding to the current data packet;
a first similarity calculation module 502, for performing a similarity calculation between the current characteristic value and the characteristic value of each cluster class trained in advance, obtaining multiple first similarity calculation results, one for each cluster class; each cluster class is marked as normal or abnormal, and the characteristic value of each cluster class is the characteristic value of the preset network flow characteristic corresponding to that cluster class as determined during the training process;
a current characteristic value class determination module 503, for determining the cluster class to which the current characteristic value belongs according to the multiple first similarity calculation results;
a first invasion determination module 504, for determining that the wireless network has been invaded when the cluster class to which the current characteristic value belongs is marked as abnormal.
Further, the current characteristic value obtaining module 501 comprises: an own-characteristic value obtaining submodule, a first network traffic characteristic value obtaining submodule, a second network flow characteristic value obtaining submodule and a current characteristic value obtaining submodule;
the own-characteristic value obtaining submodule is for parsing the current data packet to obtain the characteristic value of the data characteristics of the current data packet itself;
the first network traffic characteristic value obtaining submodule is for obtaining, among the multiple data packets received in the preset time before the current data packet was received, the statistical information of each designated frame, as the characteristic value of the time-based first network traffic characteristic;
the second network flow characteristic value obtaining submodule is for obtaining the statistical information of each designated access index over the preset number of accesses before the current data packet was received, and/or the statistical information of retransmitted data packets among the preset number of data packets received before the current data packet, as the characteristic value of the quantity-based second network flow characteristic;
the current characteristic value obtaining submodule is for taking the characteristic value of the data characteristics of the current data packet itself, the characteristic value of the time-based first network traffic characteristic and the characteristic value of the quantity-based second network flow characteristic together as the current characteristic value.
In the embodiment of the present invention, the first similarity calculation module 502 obtains the first similarity of the current characteristic value to each cluster class; the current characteristic value class determination module 503 determines the cluster class to which the current characteristic value belongs according to those first similarity calculation results; and when that cluster class is marked as abnormal, the first invasion determination module 504 determines that the wireless network has been invaded. Even when the invasion mode varies slightly, whether the wireless network has been invaded can still be determined from the first similarity between the current characteristic value and each cluster class, which improves the accuracy of intrusion detection.
Further, referring to Fig. 6, device further includes the following module for carrying out each cluster classification training:
Sample characteristics value set obtains module 601, corresponding for obtaining each sample data packet in sample data packet set Preset network flow characteristic each sample characteristics, constitute sample characteristics value set;
Classification and characteristic value acquisition module 602 are clustered, for the similarity based on each sample characteristics, to sample characteristics Each sample characteristics in value set is clustered, and multiple cluster classifications and the corresponding preset net of each cluster classification are obtained The characteristic value of network traffic characteristic;
Category label module 603 is clustered, for the cluster category label for meeting default normal cluster class condition to be positive It often, is abnormal by the cluster category label of default normal cluster class condition is not met.
Further, sample characteristics value set obtains module 601, is specifically used for obtaining each sample in sample data packet set Each sample characteristics of the corresponding preset network flow characteristic of notebook data packet;Each sample characteristics is normalized, Constitute sample characteristics value set;
Device further include: current characteristic value normalizes module;
Current characteristic value normalizes module, for what is trained in the first similarity calculation module by current characteristic value and in advance Before the characteristic value of each cluster classification carries out similarity calculation, current characteristic value is normalized.
Further, the cluster class and feature value acquisition module 602 includes: a sample feature value selection submodule, a cluster set judgment submodule, a first cluster class creation submodule, a second similarity calculation submodule, a first condition judgment submodule, a current sample feature value class determination submodule, a second cluster class creation submodule, a centroid calculation submodule and a cluster class feature determination submodule;
The sample feature value selection submodule is configured to select the sample feature values in the sample feature value set one by one, take each in turn as the current sample feature value, and trigger the following submodules:
The cluster set judgment submodule is configured to judge whether the current cluster set is empty;
The first cluster class creation submodule is configured to, when the current cluster set is empty, create a cluster class, record the centroid of that cluster class as the current sample feature value, and add the cluster class to the current cluster set;
The second similarity calculation submodule is configured to, when the current cluster set is not empty, perform a similarity calculation between the current sample feature value and the centroid of each cluster class already in the cluster set, obtaining multiple second similarity calculation results, one for each cluster class already in the current cluster set;
The first condition judgment submodule is configured to judge whether each second similarity result meets a preset similarity condition;
The current sample feature value class determination submodule is configured to take the cluster class whose second similarity calculation result meets the preset similarity condition, determine it as the cluster class to which the current sample feature value belongs, and add the current sample feature value to that cluster class;
The second cluster class creation submodule is configured to, if no second similarity calculation result meets the preset similarity condition, create a cluster class, record the centroid of that cluster class as the current sample feature value, and add the cluster class to the current cluster set;
The centroid calculation submodule is configured to recalculate the centroid of each cluster class in the current cluster set;
The cluster class feature determination submodule is configured to, after every sample feature value in the sample feature value set has been clustered, take the centroid of each cluster class in the cluster set as the feature value of the preset network traffic features corresponding to that cluster class.
Further, the second similarity calculation submodule is specifically configured to calculate the Euclidean distance between the current sample feature value and the centroid of each cluster class already in the cluster set, obtaining multiple second Euclidean distance values as the second similarity results;
The first condition judgment submodule is specifically configured to judge whether each second Euclidean distance value is less than a preset threshold; if it is less, the second similarity result is determined to meet the preset similarity condition, and if it is not less, the second similarity result is determined not to meet the preset similarity condition.
Further, the cluster class labeling module 603 is specifically configured to sort the cluster classes in descending order by the number of sample feature values in each cluster class; to label the first preset number of cluster classes as normal, these being the cluster classes that meet the preset normal-cluster condition; and to label the remaining cluster classes as abnormal, these being the cluster classes that do not meet the preset normal-cluster condition.
Further, the current feature value class determination module 503 includes a second condition judgment submodule and a current feature value class determination submodule;
The second condition judgment submodule is configured to judge whether each first similarity result meets the preset similarity condition;
The current feature value class determination submodule is configured to take the cluster class whose first similarity calculation result meets the preset similarity condition and determine it as the cluster class to which the current feature value belongs;
The device further includes:
A second intrusion determination module, configured to determine that the wireless network has been intruded if no first similarity calculation result meets the preset similarity condition.
Further, the first similarity calculation module 502 is specifically configured to calculate the Euclidean distance between the current feature value and the centroid of each pre-trained cluster class, obtaining multiple first Euclidean distance values as the first similarity results;
The second condition judgment submodule is specifically configured to judge whether each first Euclidean distance value is less than the preset threshold; if it is less, the first similarity result is determined to meet the preset similarity condition, and if it is not less, the first similarity result is determined not to meet the preset similarity condition.
In the embodiment of the present invention, the cluster class and feature value acquisition module 602 clusters each sample feature value in the sample feature value set according to the similarity between the sample feature values, and the cluster class labeling module 603 labels the resulting cluster classes according to the preset normal-cluster condition, so that the labeled cluster classes comprise normal cluster classes and abnormal cluster classes. When intrusion detection is required, the current data packet is classified according to the similarity between the current data packet and the feature value of each cluster class, and whether a wireless network intrusion has occurred is then judged according to whether the cluster class to which the current data packet belongs is normal. This improves the accuracy of wireless network intrusion detection.
Based on the same inventive concept, and corresponding to the wireless network intrusion detection method provided by the above embodiments of the present invention, an embodiment of the present invention further provides an electronic device which, as shown in FIG. 7, includes a processor 701 and a memory 702, wherein:
The memory 702 is configured to store a computer program;
The processor 701 is configured, when executing the program stored in the memory 702, to implement the wireless network intrusion detection method provided by the embodiments of the present invention.
For example, the following steps may be included:
Obtaining the current feature value of the preset network traffic features corresponding to a current data packet;
Performing a similarity calculation between the current feature value and the feature value of each pre-trained cluster class, obtaining multiple first similarity calculation results, one for each cluster class; each cluster class having been labeled as normal or abnormal during training; the feature value of each cluster class being the feature value of the preset network traffic features corresponding to that cluster class, as determined during training;
Determining, according to the multiple first similarity calculation results, the cluster class to which the current feature value belongs;
If the cluster class to which the current feature value belongs is labeled abnormal, determining that the wireless network has been intruded.
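The training flow described by the submodules above (incremental clustering against a distance threshold with centroid recomputation after every sample, followed by size-ranked normal/abnormal labeling) and the detection steps just listed (Euclidean distance from the normalized current feature value to each centroid, with "no cluster within the threshold" also treated as an intrusion) are shown end to end below as an added worked example in Python. This is illustrative code written for this page, not the patent applicant's implementation. The three feature dimensions (average frame length, deauthentication frames in the preceding window, total frames in that window), the constructed training samples, the threshold of 0.25 in normalized space and the choice of only the single largest cluster as normal are all assumptions; where the text does not say which cluster is chosen when several satisfy the similarity condition, the example takes the nearest one.

```python
"""Added example: threshold-based incremental clustering for a wireless IDS.

Illustrative code for this page, not the patent applicant's implementation.
Feature layout, training samples, threshold and the number of clusters treated
as normal are hypothetical, chosen so the example runs offline on constructed data.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field

# Hypothetical feature vector per packet:
#   (average frame length in bytes, deauthentication frames seen in the preceding
#    time window, total frames seen in that window)
# Constructed training set: eight ordinary data-frame samples followed by two
# samples taken during a (constructed) deauthentication flood.
TRAIN = [
    (1400.0, 0.0, 60.0), (1380.0, 0.0, 55.0), (1450.0, 1.0, 70.0), (1420.0, 0.0, 65.0),
    (1390.0, 0.0, 80.0), (1410.0, 1.0, 58.0), (1400.0, 0.0, 62.0), (1430.0, 0.0, 50.0),
    (26.0, 120.0, 1800.0), (26.0, 135.0, 2000.0),
]
THRESHOLD = 0.25      # preset Euclidean-distance threshold in normalized space (assumed)
NORMAL_CLUSTERS = 1   # preset number of largest clusters to label normal (assumed)


@dataclass
class Cluster:
    centroid: tuple[float, ...]
    members: list[tuple[float, ...]] = field(default_factory=list)
    label: str = "unlabeled"


def euclid(a: tuple[float, ...], b: tuple[float, ...]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(points: list[tuple[float, ...]]) -> tuple[float, ...]:
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))


class Scaler:
    """Min-max normalization fitted on the training samples. The same fitted scaler
    is applied to live feature values, so a current packet is scaled exactly like
    the samples whose centroids it is compared against."""

    def __init__(self, samples: list[tuple[float, ...]]):
        dims = len(samples[0])
        self.lo = tuple(min(s[i] for s in samples) for i in range(dims))
        self.hi = tuple(max(s[i] for s in samples) for i in range(dims))

    def transform(self, v: tuple[float, ...]) -> tuple[float, ...]:
        # Values outside the training range are clamped to [0, 1].
        return tuple(
            0.0 if hi == lo else min(max((x - lo) / (hi - lo), 0.0), 1.0)
            for x, lo, hi in zip(v, self.lo, self.hi)
        )


def train(samples: list[tuple[float, ...]], threshold: float) -> list[Cluster]:
    """Incremental clustering as in the training submodules: a sample joins the
    nearest existing cluster whose centroid lies within `threshold`, otherwise it
    seeds a new cluster; every centroid is recomputed after each sample."""
    clusters: list[Cluster] = []
    for s in samples:
        best = None
        if clusters:
            dists = [euclid(s, c.centroid) for c in clusters]
            i = min(range(len(clusters)), key=dists.__getitem__)
            if dists[i] < threshold:          # preset similarity condition
                best = clusters[i]
        if best is None:                      # empty set, or no cluster similar enough
            clusters.append(Cluster(centroid=s, members=[s]))
        else:
            best.members.append(s)
        for c in clusters:
            c.centroid = centroid(c.members)
    return clusters


def label(clusters: list[Cluster], n_normal: int) -> list[Cluster]:
    """Rank clusters by member count; the largest n_normal are 'normal', the rest
    'abnormal' (the preset normal-cluster condition of the labeling module)."""
    ranked = sorted(clusters, key=lambda c: len(c.members), reverse=True)
    for rank, c in enumerate(ranked):
        c.label = "normal" if rank < n_normal else "abnormal"
    return clusters


def detect(current, clusters, scaler, threshold):
    """Classify one live feature vector. Returns (is_intrusion, reason, index).
    A vector matching no cluster within `threshold` is reported as an intrusion,
    as is one whose nearest matching cluster is labeled abnormal."""
    v = scaler.transform(current)
    dists = [euclid(v, c.centroid) for c in clusters]
    i = min(range(len(clusters)), key=dists.__getitem__)
    if dists[i] >= threshold:
        return True, "no matching cluster", None
    if clusters[i].label == "abnormal":
        return True, "abnormal cluster", i
    return False, "normal cluster", i


def build_model(samples=TRAIN, threshold=THRESHOLD, n_normal=NORMAL_CLUSTERS):
    """Fit the scaler, cluster the normalized samples and label the clusters."""
    scaler = Scaler(samples)
    clusters = label(train([scaler.transform(s) for s in samples], threshold), n_normal)
    return scaler, clusters


if __name__ == "__main__":
    scaler, clusters = build_model()
    for c in clusters:
        print(c.label, len(c.members), [round(x, 3) for x in c.centroid])
    for pkt in [(1405.0, 0.0, 63.0), (26.0, 128.0, 1900.0), (700.0, 60.0, 900.0)]:
        print(pkt, detect(pkt, clusters, scaler, THRESHOLD))
```

Three points a practitioner would check before deploying something like this: the fitted scaler has to be stored with the centroids, because normalizing a live feature value with different bounds than the training set silently changes every distance; labeling clusters by size assumes that attack traffic is a minority of the training capture, so a training window that happens to contain a deauthentication flood would label the flood cluster as normal; and the "no matching cluster" verdict is what gives the scheme its tolerance to slightly varied intrusion patterns, but it also fires on benign novelty such as a new client type, so the threshold should be set on held-out normal traffic rather than guessed.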
Further, the other processing flows of the wireless network intrusion detection method provided by the embodiments of the present invention may also be included, and are not described in detail again here. The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one magnetic disk storage device. Further, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The above processor 701 and memory 702 may be connected by a communication bus such as an address bus, a data bus or a control bus; the communication bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The electronic device may communicate with other external devices through a communication interface.
Of course, the processor 701 and the memory 702, and likewise the electronic device and other external devices, may also communicate through a wireless connection provided by a wireless module.
In the electronic device provided by the embodiment of the present invention, the cluster class to which the current feature value belongs is determined according to the first similarity calculation results of the current feature value against each cluster class, and whether the wireless network has been intruded is determined accordingly. Even when the intrusion pattern varies slightly, whether the wireless network has been intruded can still be determined from the first similarity between the current feature value and each cluster class, which improves the accuracy of intrusion detection.
In another embodiment provided by the present invention, a computer-readable storage medium is further provided, in which instructions are stored; when the instructions run on a computer, they cause the computer to execute any of the wireless network intrusion detection methods described in the above embodiments.
In the computer-readable storage medium provided by the embodiment of the present invention, the cluster class to which the current feature value belongs is determined according to the first similarity calculation results of the current feature value against each cluster class, and whether the wireless network has been intruded is determined accordingly. Even when the intrusion pattern varies slightly, whether the wireless network has been intruded can still be determined from the first similarity between the current feature value and each cluster class, which improves the accuracy of intrusion detection.
In another embodiment provided by the present invention, a computer program product comprising instructions is further provided; when it runs on a computer, it causes the computer to execute any of the wireless network intrusion detection methods described in the above embodiments.
In the computer program product comprising instructions provided by the embodiment of the present invention, the cluster class to which the current feature value belongs is determined according to the first similarity calculation results of the current feature value against each cluster class, and whether the wireless network has been intruded is determined accordingly. Even when the intrusion pattern varies slightly, whether the wireless network has been intruded can still be determined from the first similarity between the current feature value and each cluster class, which improves the accuracy of intrusion detection.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (for example, a solid state disk (SSD)).
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
Each embodiment in this specification is described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the device and electronic device embodiments are substantially similar to the method embodiment, they are described relatively briefly, and the relevant parts may be understood by reference to the description of the method embodiment.
The foregoing is merely a description of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (13)

1. A wireless network intrusion detection method, characterized in that the method comprises:
obtaining a current feature value of preset network traffic features corresponding to a current data packet;
performing a similarity calculation between the current feature value and a feature value of each pre-trained cluster class to obtain multiple first similarity calculation results, one for each cluster class, wherein each cluster class is labeled as normal or abnormal, and the feature value of each cluster class is the feature value of the preset network traffic features corresponding to that cluster class as determined during training;
determining, according to the multiple first similarity calculation results, the cluster class to which the current feature value belongs; and
if the cluster class to which the current feature value belongs is labeled abnormal, determining that the wireless network has been intruded.
2. The method according to claim 1, characterized in that the step of obtaining the current feature value of the preset network traffic features corresponding to the current data packet comprises:
parsing the current data packet to obtain feature values of the data features of the current data packet itself;
obtaining statistics of each designated frame among the multiple data packets received within a preset time before the current data packet was received, as the feature value of a time-based first network traffic feature;
obtaining statistics of each designated access indicator within a preset number of accesses before the current data packet was received, and/or statistics of retransmitted data packets among a preset number of data packets received before the current data packet was received, as the feature value of a count-based second network traffic feature; and
taking the feature values of the data features of the current data packet itself, the feature value of the time-based first network traffic feature and the feature value of the count-based second network traffic feature as the current feature value.
3. The method according to claim 1, characterized in that each cluster class is obtained by training with the following steps:
obtaining each sample feature value of the preset network traffic features corresponding to each sample data packet in a sample data packet set, to form a sample feature value set;
clustering each sample feature value in the sample feature value set based on the similarity between the sample feature values, to obtain multiple cluster classes and the feature value of the preset network traffic features corresponding to each cluster class; and
labeling as normal the cluster classes that meet a preset normal-cluster condition, and labeling as abnormal the cluster classes that do not meet the preset normal-cluster condition.
4. The method according to claim 3, characterized in that the step of obtaining each sample feature value of the preset network traffic features corresponding to each sample data packet in the sample data packet set, to form the sample feature value set, comprises:
obtaining each sample feature value of the preset network traffic features corresponding to each sample data packet in the sample data packet set; and
normalizing each sample feature value to form the sample feature value set;
and that, before the step of performing the similarity calculation between the current feature value and the feature value of each pre-trained cluster class, the method further comprises:
normalizing the current feature value.
5. The method according to claim 3, characterized in that
the step of clustering each sample feature value in the sample feature value set based on the similarity between the sample feature values, to obtain multiple cluster classes and the feature value of the preset network traffic features corresponding to each cluster class, comprises:
selecting the sample feature values in the sample feature value set one by one, taking each in turn as the current sample feature value, and performing the following steps:
judging whether the current cluster set is empty;
if the current cluster set is empty, creating a cluster class, recording the centroid of the cluster class as the current sample feature value, and adding the cluster class to the current cluster set;
if the current cluster set is not empty, performing a similarity calculation between the current sample feature value and the centroid of each cluster class already in the cluster set, to obtain multiple second similarity calculation results, one for each cluster class already in the current cluster set;
judging whether each second similarity result meets a preset similarity condition;
taking the cluster class whose second similarity calculation result meets the preset similarity condition, determining it as the cluster class to which the current sample feature value belongs, and adding the current sample feature value to that cluster class;
if no second similarity calculation result meets the preset similarity condition, creating a cluster class, recording the centroid of the cluster class as the current sample feature value, and adding the cluster class to the current cluster set;
recalculating the centroid of each cluster class in the current cluster set; and
after every sample feature value in the sample feature value set has been clustered, taking the centroid of each cluster class in the cluster set as the feature value of the preset network traffic features corresponding to that cluster class.
6. The method according to claim 5, characterized in that the step of performing the similarity calculation between the current sample feature value and the centroid of each cluster class already in the cluster set, to obtain the multiple second similarity calculation results for each cluster class already in the current cluster set, comprises:
calculating the Euclidean distance between the current sample feature value and the centroid of each cluster class already in the cluster set, to obtain multiple second Euclidean distance values as the second similarity results;
and that the step of judging whether each second similarity result meets the preset similarity condition comprises:
judging whether each second Euclidean distance value is less than a preset threshold; if it is less, determining that the second similarity result meets the preset similarity condition, and if it is not less, determining that the second similarity result does not meet the preset similarity condition.
7. The method according to claim 5, characterized in that the step of labeling as normal the cluster classes that meet the preset normal-cluster condition, and labeling as abnormal the cluster classes that do not meet the preset normal-cluster condition, comprises:
sorting the cluster classes in descending order according to the number of sample feature values in each cluster class; and
labeling the first preset number of cluster classes as normal, these being the cluster classes that meet the preset normal-cluster condition, and labeling the remaining cluster classes as abnormal, these being the cluster classes that do not meet the preset normal-cluster condition.
8. The method according to claim 5, characterized in that the step of determining, according to the multiple first similarity calculation results, the cluster class to which the current feature value belongs comprises:
judging whether each first similarity result meets the preset similarity condition; and
taking the cluster class whose first similarity calculation result meets the preset similarity condition and determining it as the cluster class to which the current feature value belongs;
and that the method further comprises:
if no first similarity calculation result meets the preset similarity condition, determining that the wireless network has been intruded.
9. The method according to claim 8, characterized in that the step of performing the similarity calculation between the current feature value and the feature value of each pre-trained cluster class, to obtain the multiple first similarity calculation results for each cluster class, comprises:
calculating the Euclidean distance between the current feature value and the centroid of each pre-trained cluster class, to obtain multiple first Euclidean distance values as the first similarity results;
and that the step of judging whether each first similarity result meets the preset similarity condition comprises:
judging whether each first Euclidean distance value is less than the preset threshold; if it is less, determining that the first similarity result meets the preset similarity condition, and if it is not less, determining that the first similarity result does not meet the preset similarity condition.
10. A wireless network intrusion detection device, characterized in that the device comprises:
a current feature value acquisition module, configured to obtain a current feature value of preset network traffic features corresponding to a current data packet;
a first similarity calculation module, configured to perform a similarity calculation between the current feature value and a feature value of each pre-trained cluster class to obtain multiple first similarity calculation results, one for each cluster class, wherein each cluster class is labeled as normal or abnormal, and the feature value of each cluster class is the feature value of the preset network traffic features corresponding to that cluster class as determined during training;
a current feature value class determination module, configured to determine, according to the multiple first similarity calculation results, the cluster class to which the current feature value belongs; and
a first intrusion determination module, configured to determine that the wireless network has been intruded when the cluster class to which the current feature value belongs is labeled abnormal.
11. The device according to claim 10, characterized in that the current feature value acquisition module comprises: a self-feature value acquisition submodule, a first network traffic feature value acquisition submodule, a second network traffic feature value acquisition submodule and a current feature value acquisition submodule;
the self-feature value acquisition submodule is configured to parse the current data packet to obtain feature values of the data features of the current data packet itself;
the first network traffic feature value acquisition submodule is configured to obtain statistics of each designated frame among the multiple data packets received within a preset time before the current data packet was received, as the feature value of a time-based first network traffic feature;
the second network traffic feature value acquisition submodule is configured to obtain statistics of each designated access indicator within a preset number of accesses before the current data packet was received, and/or statistics of retransmitted data packets among a preset number of data packets received before the current data packet was received, as the feature value of a count-based second network traffic feature; and
the current feature value acquisition submodule is configured to take the feature values of the data features of the current data packet itself, the feature value of the time-based first network traffic feature and the feature value of the count-based second network traffic feature as the current feature value.
12. The device according to claim 10, characterized in that it further comprises:
a sample feature value set acquisition module, configured to obtain each sample feature value of the preset network traffic features corresponding to each sample data packet in a sample data packet set, to form a sample feature value set;
a cluster class and feature value acquisition module, configured to cluster each sample feature value in the sample feature value set based on the similarity between the sample feature values, to obtain multiple cluster classes and the feature value of the preset network traffic features corresponding to each cluster class; and
a cluster class labeling module, configured to label as normal the cluster classes that meet a preset normal-cluster condition, and to label as abnormal the cluster classes that do not meet the preset normal-cluster condition.
13. An electronic device, characterized in that it comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program; and
the processor is configured, when executing the program stored in the memory, to implement the method steps of any one of claims 1 to 9.
CN201910185364.4A 2019-03-12 2019-03-12 Wireless network intrusion detection method, device and electronic equipment Pending CN110505630A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910185364.4A CN110505630A (en) 2019-03-12 2019-03-12 Wireless network intrusion detection method, device and electronic equipment
Publications (1)

Publication Number Publication Date
CN110505630A true CN110505630A (en) 2019-11-26

Family

ID=68585200
Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995700A (en) * 2019-12-02 2020-04-10 山东超越数控电子股份有限公司 Malformed IP message detection method, equipment and storage medium
CN111046942A (en) * 2019-12-09 2020-04-21 交控科技股份有限公司 Turnout fault judgment method and device
CN111556440A (en) * 2020-05-07 2020-08-18 之江实验室 Network anomaly detection method based on traffic pattern
CN112565183A (en) * 2020-10-29 2021-03-26 中国船舶重工集团公司第七0九研究所 Network flow abnormity detection method and device based on flow dynamic time warping algorithm
CN113055333A (en) * 2019-12-26 2021-06-29 国网山西省电力公司信息通信分公司 Network flow clustering method and device capable of self-adaptively and dynamically adjusting density grids
CN113297241A (en) * 2021-06-11 2021-08-24 工银科技有限公司 Method, device, equipment, medium and program product for judging network flow
CN113472654A (en) * 2021-05-31 2021-10-01 济南浪潮数据技术有限公司 Network traffic data forwarding method, device, equipment and medium
CN114650167A (en) * 2022-02-08 2022-06-21 联想(北京)有限公司 Abnormity detection method, device, equipment and computer readable storage medium
CN114866486A (en) * 2022-03-18 2022-08-05 广州大学 Encrypted flow classification system based on data packet
CN117395183A (en) * 2023-12-13 2024-01-12 成都安美勤信息技术股份有限公司 Industrial Internet of things abnormal flow classification detection method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572108A (en) * 2016-11-08 2017-04-19 杜少波 Neighborhood distance based intrusion feature selection method
CN107528823A (en) * 2017-07-03 2017-12-29 中山大学 A kind of network anomaly detection method based on improved K Means clustering algorithms

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106572108A (en) * 2016-11-08 2017-04-19 杜少波 Neighborhood distance based intrusion feature selection method
CN107528823A (en) * 2017-07-03 2017-12-29 中山大学 A network anomaly detection method based on an improved K-Means clustering algorithm

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
张帅: "Research on intrusion detection based on subtractive clustering distribution in wireless sensor networks", China Master's Theses Full-text Database (Master), Information Science and Technology volume *
毛健等: "Intrusion detection algorithm based on BIRCH", Communications Technology *
罗敏: "Intrusion detection method based on unsupervised clustering", Acta Electronica Sinica *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995700A (en) * 2019-12-02 2020-04-10 山东超越数控电子股份有限公司 Malformed IP message detection method, equipment and storage medium
CN111046942A (en) * 2019-12-09 2020-04-21 交控科技股份有限公司 Turnout fault judgment method and device
CN113055333B (en) * 2019-12-26 2023-08-08 国网山西省电力公司信息通信分公司 Network flow clustering method and device capable of adaptively and dynamically adjusting density grid
CN113055333A (en) * 2019-12-26 2021-06-29 国网山西省电力公司信息通信分公司 Network flow clustering method and device capable of self-adaptively and dynamically adjusting density grids
CN111556440A (en) * 2020-05-07 2020-08-18 之江实验室 Network anomaly detection method based on traffic pattern
CN112565183B (en) * 2020-10-29 2022-12-09 中国船舶重工集团公司第七0九研究所 Network traffic abnormality detection method and device based on a traffic dynamic time warping algorithm
CN112565183A (en) * 2020-10-29 2021-03-26 中国船舶重工集团公司第七0九研究所 Network traffic abnormality detection method and device based on a traffic dynamic time warping algorithm
CN113472654A (en) * 2021-05-31 2021-10-01 济南浪潮数据技术有限公司 Network traffic data forwarding method, device, equipment and medium
CN113297241A (en) * 2021-06-11 2021-08-24 工银科技有限公司 Method, device, equipment, medium and program product for judging network flow
CN114650167A (en) * 2022-02-08 2022-06-21 联想(北京)有限公司 Abnormality detection method, device, equipment and computer readable storage medium
CN114866486A (en) * 2022-03-18 2022-08-05 广州大学 Encrypted flow classification system based on data packet
CN117395183A (en) * 2023-12-13 2024-01-12 成都安美勤信息技术股份有限公司 Industrial Internet of things abnormal flow classification detection method and system
CN117395183B (en) * 2023-12-13 2024-02-27 成都安美勤信息技术股份有限公司 Industrial Internet of things abnormal flow classification detection method and system

Similar Documents

Publication Publication Date Title
CN110505630A (en) Wireless network intrusion detection method, device and electronic equipment
WO2021189730A1 (en) Method, apparatus and device for detecting abnormal dense subgraph, and storage medium
Li et al. Identifying the missing tags in a large RFID system
CN109951491A (en) Network attack detection method, device, equipment and storage medium
CN101202652B (en) Device for classifying and recognizing network application traffic and method thereof
CN109784636A (en) Fraudulent user identification method, device, computer equipment and storage medium
CN107341716A (en) A method, apparatus and electronic device for identifying malicious orders
CN106357622B (en) Network abnormal traffic detection and defense system based on software-defined networking
US20090037353A1 (en) Method and system for evaluating tests used in operating system fingerprinting
CN110233769A (en) A flow detection method and flow detection device
CN106899435A (en) A complex attack identification technique for wireless intrusion detection systems
CN109067586A (en) DDoS attack detection method and device
US8876638B2 (en) Real time pitch classification
CN109872232A (en) Account classification method, device, computer equipment and storage medium relating to money laundering behavior
CN108390856A (en) A DDoS attack detection method, device and electronic equipment
CN107632722A (en) A multi-dimensional user identity authentication method and device
CN110430226A (en) Network attack detection method, device, computer equipment and storage medium
CN108416891A (en) Network voting detection method and device based on the IP segments of votes
CN108243191A (en) Risk behavior identification method, storage medium, equipment and system
CN109218090A (en) An Internet of Things node trust value assessment method
US11303736B2 (en) System and method for identifying devices behind network address translators based on TCP timestamps
CN111652284A (en) Scanner identification method and device, electronic equipment and storage medium
WO2021212760A1 (en) Method and apparatus for determining identity type of person, and electronic system
CN109936848A (en) A detection method, device and computer readable storage medium for fake access points
CN110138638A (en) A network traffic processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20191126)