CN110598794A - Classified countermeasure network attack detection method and system - Google Patents
- Publication number
- CN110598794A
- Authority
- CN
- China
- Prior art keywords
- network attack
- noise simulation
- attack
- generator
- model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- General Engineering & Computer Science (AREA)
- Artificial Intelligence (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Computation (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Medical Informatics (AREA)
- Mathematical Physics (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Life Sciences & Earth Sciences (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Evolutionary Biology (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a classified countermeasure network attack detection method and system, which can classify data according to different frequencies based on historical access data, construct different noise simulation network attack models for different classifications, and train the noise simulation network attack models by using real network attack flow, wherein the models have the capability of continuously compounding and varying network attacks. After the noise simulation network attack model is trained, the noise simulation network attack models of different classifications are accessed into the machine learning module to serve as simulation attack sources of the machine learning module, the machine learning module is continuously attacked and trained, and the detection capability of the machine learning module is improved.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and a system for detecting a network attack by a classified countermeasure.
Background
Although existing statistical analysis and machine learning can detect malicious software, malicious code, malicious behavior and the like, they have two defects: first, the attack data available for training is insufficient and far scarcer than normal data, and network attack data of extreme frequency is especially lacking; second, as technology develops, attackers keep changing their methods, but such attack data is not disclosed in advance and so cannot be used for model training, which leaves the model unable to detect unknown attack data. A method and a system that can generate usable attack data by themselves, augment the training data and improve the performance of the detection model are therefore urgently needed.
Disclosure of Invention
The invention aims to provide a classified countermeasure network attack detection method and system, which can classify data according to different frequencies based on historical access data, construct different noise simulation network attack models for different classifications, train the noise simulation network attack models by using real network attack flow, and enable the models to have the capability of continuously compounding and varying network attacks. After the noise simulation network attack model is trained, the noise simulation network attack models of different classifications are accessed into the machine learning module to serve as simulation attack sources of the machine learning module, the machine learning module is continuously attacked and trained, and the detection capability of the machine learning module is improved.
In a first aspect, the present application provides a classified countermeasure network attack detection method, including:
acquiring historical access data, and analyzing and extracting a feature vector of attack data in the historical access data according to the known features of the network attack type;
inputting the feature vectors of the attack data in the historical access data into a classifier, the classifier marking the attack data whose frequency is higher than a first threshold or lower than a second threshold;
constructing a first noise simulation network attack model and a second noise simulation network attack model based on the feature vectors of the marked attack data and the unmarked attack data respectively, the two models being used to randomly generate the various known types of network attack and various compound network attacks;
a compound network attack being one that has the features of several network attacks at once, or carries out several network attacks in succession, or varies the features of a network attack;
the first noise simulation network attack model and the second noise simulation network attack model are used alternately, according to a certain strategy, as the generator of the adversarial network, and the output traffic of the generator is sent continuously to the discriminator together with real network attack traffic;
the discriminator obtains a discrimination result from the generator output traffic and the real network attack traffic fed in at its two inputs; if the result is true, the output traffic of the generator is very close to the real network attack traffic in its feature vectors, and the discriminator feeds the similarity information back to the generator; if the result is false, the output traffic of the generator differs greatly from the real network attack traffic in its feature vectors, and the discriminator feeds the difference information and the feature vectors of the real network attack traffic back to the generator;
the generator adjusts the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the feedback from the discriminator, and generates new output traffic;
when the proportion of true results obtained by the discriminator falls within a preset threshold range, training of the first noise simulation network attack model and the second noise simulation network attack model is complete;
the first noise simulation network attack model and the second noise simulation network attack model are connected alternately, according to a certain strategy, to the machine learning module, and continuously and randomly generate network attack traffic for the machine learning module to learn from;
the machine learning module continuously enriches its samples of network attack feature vectors by means of the first noise simulation network attack model and the second noise simulation network attack model, performs network attack detection on real network traffic, and feeds the detection results back to an administrator; the administrator can periodically adjust the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the detection results and start an updating mechanism.
With reference to the first aspect, in a first possible implementation manner of the first aspect, varying the features of a network attack includes expanding a known network attack feature vector and modifying several fields of the attack.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the classifier may be a random forest classifier.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the updating mechanism is to use a noise simulation network attack model as a generator again, and send output traffic of the generator to the discriminator.
In a second aspect, the present application provides a classified countermeasure network attack detection system, the system comprising:
the acquisition unit is used for acquiring historical access data and analyzing and extracting a feature vector of attack data in the historical access data according to the known features of the network attack type;
the classifier, into which the feature vectors of the attack data in the historical access data are input, and which marks the attack data whose frequency is higher than a first threshold or lower than a second threshold;
the construction unit, used for constructing a first noise simulation network attack model and a second noise simulation network attack model based on the marked attack data and the unmarked attack data respectively, the two models being used to randomly generate the various known types of network attack and various compound network attacks; a compound network attack being one that has the features of several network attacks at once, or carries out several network attacks in succession, or varies the features of a network attack;
the generator, in which role the first noise simulation network attack model and the second noise simulation network attack model are used alternately, according to a certain strategy, as the generator of the adversarial network, the output traffic of the generator being sent continuously to the discriminator together with real network attack traffic;
the discriminator, used for obtaining a discrimination result from the generator output traffic and the real network attack traffic fed in at its two inputs; if the result is true, the output traffic of the generator is very close to the real network attack traffic in its feature vectors, and the discriminator feeds the similarity information back to the generator; if the result is false, the output traffic of the generator differs greatly from the real network attack traffic in its feature vectors, and the discriminator feeds the difference information and the feature vectors of the real network attack traffic back to the generator;
the generator adjusts the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the feedback from the discriminator, and generates new output traffic;
when the proportion of true results obtained by the discriminator falls within a preset threshold range, training of the first noise simulation network attack model and the second noise simulation network attack model is complete;
the machine learning module, to which the first noise simulation network attack model and the second noise simulation network attack model are connected alternately, according to a certain strategy, and for which they continuously and randomly generate network attack traffic to learn from; the machine learning module continuously enriches its samples of network attack feature vectors by means of the first noise simulation network attack model and the second noise simulation network attack model, performs network attack detection on real network traffic, and feeds the detection results back to an administrator; the administrator can periodically adjust the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the detection results and start an updating mechanism.
With reference to the second aspect, in a first possible implementation manner of the second aspect, varying the features of a network attack includes expanding a known network attack feature vector and modifying several fields of the attack.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the classifier may be a random forest classifier.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the updating mechanism is to use a noise simulation network attack model as a generator again, and send output traffic of the generator to the discriminator.
The invention provides a classified countermeasure network attack detection method and system, which can classify data according to different frequencies based on historical access data, construct different noise simulation network attack models for different classifications, and train the noise simulation network attack models by using real network attack flow, wherein the models have the capability of continuously compounding and varying network attacks. After the noise simulation network attack model is trained, the noise simulation network attack models of different classifications are accessed into the machine learning module to serve as simulation attack sources of the machine learning module, the machine learning module is continuously attacked and trained, and the detection capability of the machine learning module is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of the classified countermeasure network attack detection method of the present invention;
FIG. 2 is an architecture diagram of the classified countermeasure network attack detection system of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings so that the advantages and features of the present invention can be more easily understood by those skilled in the art, and the scope of the present invention will be more clearly defined.
Fig. 1 is a flowchart of a classified-countermeasure network attack detection method provided in the present application, where the method includes:
acquiring historical access data, and analyzing and extracting a feature vector of attack data in the historical access data according to the known features of the network attack type;
inputting the feature vectors of the attack data in the historical access data into a classifier, the classifier marking the attack data whose frequency is higher than a first threshold or lower than a second threshold;
constructing a first noise simulation network attack model and a second noise simulation network attack model based on the feature vectors of the marked attack data and the unmarked attack data respectively, the two models being used to randomly generate the various known types of network attack and various compound network attacks;
a compound network attack being one that has the features of several network attacks at once, or carries out several network attacks in succession, or varies the features of a network attack;
the first noise simulation network attack model and the second noise simulation network attack model are used alternately, according to a certain strategy, as the generator of the adversarial network, and the output traffic of the generator is sent continuously to the discriminator together with real network attack traffic;
the discriminator obtains a discrimination result from the generator output traffic and the real network attack traffic fed in at its two inputs; if the result is true, the output traffic of the generator is very close to the real network attack traffic in its feature vectors, and the discriminator feeds the similarity information back to the generator; if the result is false, the output traffic of the generator differs greatly from the real network attack traffic in its feature vectors, and the discriminator feeds the difference information and the feature vectors of the real network attack traffic back to the generator;
the generator adjusts the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the feedback from the discriminator, and generates new output traffic;
when the proportion of true results obtained by the discriminator falls within a preset threshold range, training of the first noise simulation network attack model and the second noise simulation network attack model is complete;
the first noise simulation network attack model and the second noise simulation network attack model are connected alternately, according to a certain strategy, to the machine learning module, and continuously and randomly generate network attack traffic for the machine learning module to learn from;
the machine learning module continuously enriches its samples of network attack feature vectors by means of the first noise simulation network attack model and the second noise simulation network attack model, performs network attack detection on real network traffic, and feeds the detection results back to an administrator; the administrator can periodically adjust the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the detection results and start an updating mechanism.
In some preferred embodiments, varying the features of a network attack includes expanding a known network attack feature vector and modifying several fields of the attack.
In some preferred embodiments, the classifier may be a random forest classifier.
In some preferred embodiments, the updating mechanism refers to taking a noise simulation network attack model as a generator again, and sending output traffic of the generator to the discriminator.
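The data flow of the method above (frequency split, two noise models alternated as generator, discriminator feedback, stop once the proportion of true results is in range), as an added Python example that is not part of the patent text. The sample records, the threshold values, round-robin alternation, the bounded-noise generator and the envelope-based discriminator are all assumptions standing in for details the description leaves open.

```python
import random
from collections import Counter, defaultdict

def constructed_history():
    """Constructed sample data: (attack_type, [pkts_per_s, mean_pkt_len, distinct_ports]) in 0..1."""
    base = {"syn_flood": ([0.9, 0.1, 0.2], 60), "sql_injection": ([0.2, 0.7, 0.1], 25),
            "port_scan": ([0.4, 0.1, 0.9], 13), "dns_tunnel": ([0.1, 0.5, 0.1], 2)}
    return [(label, [x + ((i % 5) - 2) * 0.01 for x in vec])
            for label, (vec, count) in base.items() for i in range(count)]

def split_by_frequency(records, first_threshold, second_threshold):
    """Mark attack types whose share is above the first or below the second threshold."""
    counts, total = Counter(label for label, _ in records), len(records)
    marked, unmarked = [], []
    for label, vec in records:
        share = counts[label] / total
        extreme = share > first_threshold or share < second_threshold
        (marked if extreme else unmarked).append((label, vec))
    return marked, unmarked

class Discriminator:
    """Assumed stand-in: 'true' when a vector lies within the envelope of real samples."""
    def __init__(self, real_records, margin=0.05):
        by_type = defaultdict(list)
        for label, vec in real_records:
            by_type[label].append(vec)
        self.centroid, self.tolerance = {}, {}
        for label, vecs in by_type.items():
            c = [sum(col) / len(col) for col in zip(*vecs)]
            spread = max(abs(x - m) for v in vecs for x, m in zip(v, c))
            self.centroid[label], self.tolerance[label] = c, spread + margin

    def judge(self, label, vec):
        """Return (verdict, real feature vector fed back to the generator)."""
        c = self.centroid[label]
        distance = max(abs(x - m) for x, m in zip(vec, c))
        return distance <= self.tolerance[label], c

class NoiseModel:
    """Assumed generator: per-type mean vector plus bounded noise; means start as noise."""
    def __init__(self, records, rng, noise=0.03, step=0.5):
        if not records:
            raise ValueError("no attack records for this model")
        self.rng, self.noise, self.step = rng, noise, step
        self.types = sorted({label for label, _ in records})
        dim = len(records[0][1])
        self.mean = {t: [rng.random() for _ in range(dim)] for t in self.types}

    def generate(self, n):
        # Types are cycled so a rare type is produced as often as a common one.
        out = []
        for i in range(n):
            t = self.types[i % len(self.types)]
            out.append((t, [m + self.rng.uniform(-self.noise, self.noise)
                            for m in self.mean[t]]))
        return out

    def adjust(self, label, real_vec):
        """Move this type's mean part of the way toward the real feature vector."""
        self.mean[label] = [m + self.step * (r - m)
                            for m, r in zip(self.mean[label], real_vec)]

def train(models, disc, batch=40, ratio_range=(0.9, 1.0), max_rounds=200):
    """Alternate the models as generator (round-robin assumed); return rounds used or None."""
    trained = set()
    for rnd in range(max_rounds):
        idx = rnd % len(models)
        if idx in trained:
            continue
        verdicts = []
        for label, vec in models[idx].generate(batch):
            ok, real_vec = disc.judge(label, vec)
            verdicts.append(ok)
            if not ok:  # 'false' result: the real feature vector is fed back
                models[idx].adjust(label, real_vec)
        if ratio_range[0] <= sum(verdicts) / len(verdicts) <= ratio_range[1]:
            trained.add(idx)  # proportion of true results is within the preset range
        if len(trained) == len(models):
            return rnd + 1
    return None

def run_demo(seed=7, per_model=40):
    history = constructed_history()
    marked, unmarked = split_by_frequency(history, 0.5, 0.05)
    rng = random.Random(seed)
    disc = Discriminator(history)
    models = [NoiseModel(marked, rng), NoiseModel(unmarked, rng)]
    rounds = train(models, disc)
    synthetic = [s for m in models for s in m.generate(per_model)]
    # How far any trained mean sits outside the discriminator's tolerance (<= noise bound).
    worst_gap = max(abs(a - b) - disc.tolerance[t]
                    for m in models for t in m.types
                    for a, b in zip(m.mean[t], disc.centroid[t]))
    return {"marked": len(marked), "unmarked": len(unmarked), "rounds": rounds,
            "before": Counter(l for l, _ in history),
            "after": Counter(l for l, _ in history + synthetic),
            "worst_gap": worst_gap}

if __name__ == "__main__":
    print(run_demo())
```

The `before` and `after` counters show the effect the Background section asks for: the rare attack type goes from 2 samples to 22 in the set handed to the machine learning module.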
Fig. 2 is an architecture diagram of a classified countermeasure network attack detection system provided in the present application, the system including:
the acquisition unit is used for acquiring historical access data and analyzing and extracting a feature vector of attack data in the historical access data according to the known features of the network attack type;
the classifier, into which the feature vectors of the attack data in the historical access data are input, and which marks the attack data whose frequency is higher than a first threshold or lower than a second threshold;
the construction unit, used for constructing a first noise simulation network attack model and a second noise simulation network attack model based on the marked attack data and the unmarked attack data respectively, the two models being used to randomly generate the various known types of network attack and various compound network attacks; a compound network attack being one that has the features of several network attacks at once, or carries out several network attacks in succession, or varies the features of a network attack;
the generator, in which role the first noise simulation network attack model and the second noise simulation network attack model are used alternately, according to a certain strategy, as the generator of the adversarial network, the output traffic of the generator being sent continuously to the discriminator together with real network attack traffic;
the discriminator, used for obtaining a discrimination result from the generator output traffic and the real network attack traffic fed in at its two inputs; if the result is true, the output traffic of the generator is very close to the real network attack traffic in its feature vectors, and the discriminator feeds the similarity information back to the generator; if the result is false, the output traffic of the generator differs greatly from the real network attack traffic in its feature vectors, and the discriminator feeds the difference information and the feature vectors of the real network attack traffic back to the generator;
the generator adjusts the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the feedback from the discriminator, and generates new output traffic;
when the proportion of true results obtained by the discriminator falls within a preset threshold range, training of the first noise simulation network attack model and the second noise simulation network attack model is complete;
the machine learning module, to which the first noise simulation network attack model and the second noise simulation network attack model are connected alternately, according to a certain strategy, and for which they continuously and randomly generate network attack traffic to learn from; the machine learning module continuously enriches its samples of network attack feature vectors by means of the first noise simulation network attack model and the second noise simulation network attack model, performs network attack detection on real network traffic, and feeds the detection results back to an administrator; the administrator can periodically adjust the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the detection results and start an updating mechanism.
In some preferred embodiments, varying the features of a network attack includes expanding a known network attack feature vector and modifying several fields of the attack.
In some preferred embodiments, the classifier may be a random forest classifier.
In some preferred embodiments, the updating mechanism refers to taking a noise simulation network attack model as a generator again, and sending output traffic of the generator to the discriminator.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.
Claims (8)
1. A classified countermeasure network attack detection method, the method comprising:
acquiring historical access data, and analyzing and extracting a feature vector of attack data in the historical access data according to the known features of the network attack type;
inputting the feature vectors of the attack data in the historical access data into a classifier, the classifier marking the attack data whose frequency is higher than a first threshold or lower than a second threshold;
constructing a first noise simulation network attack model and a second noise simulation network attack model based on the feature vectors of the marked attack data and the unmarked attack data respectively, the two models being used to randomly generate the various known types of network attack and various compound network attacks;
a compound network attack being one that has the features of several network attacks at once, or carries out several network attacks in succession, or varies the features of a network attack;
the first noise simulation network attack model and the second noise simulation network attack model are used alternately, according to a certain strategy, as the generator of the adversarial network, and the output traffic of the generator is sent continuously to the discriminator together with real network attack traffic;
the discriminator obtains a discrimination result from the generator output traffic and the real network attack traffic fed in at its two inputs; if the result is true, the output traffic of the generator is very close to the real network attack traffic in its feature vectors, and the discriminator feeds the similarity information back to the generator; if the result is false, the output traffic of the generator differs greatly from the real network attack traffic in its feature vectors, and the discriminator feeds the difference information and the feature vectors of the real network attack traffic back to the generator;
the generator adjusts the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the feedback from the discriminator, and generates new output traffic;
when the proportion of true results obtained by the discriminator falls within a preset threshold range, training of the first noise simulation network attack model and the second noise simulation network attack model is complete;
the first noise simulation network attack model and the second noise simulation network attack model are connected alternately, according to a certain strategy, to the machine learning module, and continuously and randomly generate network attack traffic for the machine learning module to learn from;
the machine learning module continuously enriches its samples of network attack feature vectors by means of the first noise simulation network attack model and the second noise simulation network attack model, performs network attack detection on real network traffic, and feeds the detection results back to an administrator; the administrator can periodically adjust the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the detection results and start an updating mechanism.
2. The method of claim 1, wherein varying the features of a network attack includes expanding a known network attack feature vector and modifying several fields of the attack.
3. A method according to any of claims 1-2, characterized in that the classifier can be a random forest classifier.
4. The method according to any one of claims 1 to 3, wherein the updating mechanism is to use a noise simulation network attack model as a generator again, and send the output traffic of the generator to the discriminator.
5. A classified countermeasure network attack detection system, the system comprising:
the acquisition unit is used for acquiring historical access data and analyzing and extracting a feature vector of attack data in the historical access data according to the known features of the network attack type;
the classifier, into which the feature vectors of the attack data in the historical access data are input, and which marks the attack data whose frequency is higher than a first threshold or lower than a second threshold;
the construction unit, used for constructing a first noise simulation network attack model and a second noise simulation network attack model based on the marked attack data and the unmarked attack data respectively, the two models being used to randomly generate the various known types of network attack and various compound network attacks; a compound network attack being one that has the features of several network attacks at once, or carries out several network attacks in succession, or varies the features of a network attack;
the generator, in which role the first noise simulation network attack model and the second noise simulation network attack model are used alternately, according to a certain strategy, as the generator of the adversarial network, the output traffic of the generator being sent continuously to the discriminator together with real network attack traffic;
the discriminator, used for obtaining a discrimination result from the generator output traffic and the real network attack traffic fed in at its two inputs; if the result is true, the output traffic of the generator is very close to the real network attack traffic in its feature vectors, and the discriminator feeds the similarity information back to the generator; if the result is false, the output traffic of the generator differs greatly from the real network attack traffic in its feature vectors, and the discriminator feeds the difference information and the feature vectors of the real network attack traffic back to the generator;
the generator adjusts the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the feedback from the discriminator, and generates new output traffic;
when the proportion of true results obtained by the discriminator falls within a preset threshold range, training of the first noise simulation network attack model and the second noise simulation network attack model is complete;
the machine learning module, to which the first noise simulation network attack model and the second noise simulation network attack model are connected alternately, according to a certain strategy, and for which they continuously and randomly generate network attack traffic to learn from; the machine learning module continuously enriches its samples of network attack feature vectors by means of the first noise simulation network attack model and the second noise simulation network attack model, performs network attack detection on real network traffic, and feeds the detection results back to an administrator; the administrator can periodically adjust the parameters of the first noise simulation network attack model and the second noise simulation network attack model according to the detection results and start an updating mechanism.
6. The system of claim 5, wherein the variant network attack features include expanding a known network attack feature vector and modifying several fields of the attack.
7. The system according to any one of claims 5-6, wherein the classifier may be a random forest classifier.
8. The system according to any one of claims 5-7, wherein the updating mechanism is to use a noise simulation network attack model as the generator again and send the generator's output traffic to the discriminator.
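An added illustration of the feedback loop and stopping rule described in claims 5 and 8, not code from the patent: a parameter vector with Gaussian noise stands in for each noise simulation model and a distance threshold stands in for the discriminator, in place of trained neural networks. The feature vectors, `tol`, `lo`/`hi`, the learning rate and the round-robin access strategy are all assumptions.

```python
import random
# Constructed, normalised feature vectors (rate, payload size, SYN ratio).
KNOWN = [[0.90, 0.20, 0.80], [1.00, 0.25, 0.85], [0.95, 0.22, 0.90]]
VARIANT = [[1.40, 0.20, 0.30], [1.50, 0.25, 0.35]]  # some fields modified

def nearest_diff(sample, real):
    """Difference vector to the closest real attack vector, and its length."""
    diffs = [[r - s for s, r in zip(sample, vec)] for vec in real]
    diff = min(diffs, key=lambda d: sum(x * x for x in d))
    return diff, sum(x * x for x in diff) ** 0.5

def discriminate(sample, real, tol):
    """Judgement (True = close to real traffic) plus the difference feedback."""
    diff, dist = nearest_diff(sample, real)
    return dist <= tol, diff

class NoiseModel:
    """Generator: a parameter vector perturbed by Gaussian noise."""
    def __init__(self, dim, sigma, rng):
        self.mu, self.sigma, self.rng = [0.0] * dim, sigma, rng
    def generate(self):
        return [m + self.rng.gauss(0, self.sigma) for m in self.mu]
    def adjust(self, diff, lr):  # follow the discriminator's difference feedback
        self.mu = [m + lr * d for m, d in zip(self.mu, diff)]

def train(model, real, tol=0.5, lo=0.85, hi=1.0, batch=50, lr=0.05, max_rounds=50):
    """Stop once the share of 'true' judgements lies in the range [lo, hi]."""
    ratio = 0.0
    for rnd in range(1, max_rounds + 1):
        true_count = 0
        for _ in range(batch):
            ok, diff = discriminate(model.generate(), real, tol)
            true_count += ok
            if not ok:
                model.adjust(diff, lr)
        ratio = true_count / batch
        if lo <= ratio <= hi:
            return rnd, ratio
    return None, ratio

def alternate(models, n):  # round-robin access; the strategy is an assumption
    return [models[i % len(models)].generate() for i in range(n)]

def run_demo(seed=7):
    first, second = (NoiseModel(3, 0.1, random.Random(seed + i)) for i in range(2))
    results = [train(first, KNOWN), train(second, VARIANT)]
    return first, second, results, alternate([first, second], 6)

if __name__ == "__main__":
    print(run_demo()[2])  # (rounds needed, final true ratio) per model
```

The samples returned by `alternate` are what a downstream classifier, such as the random forest named in claim 7, would receive as additional labelled attack feature vectors.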
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910874095.2A CN110598794A (en) | 2019-09-17 | 2019-09-17 | Classified countermeasure network attack detection method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110598794A (en) | 2019-12-20 |
Family
ID=68860134
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910874095.2A Pending CN110598794A (en) | 2019-09-17 | 2019-09-17 | Classified countermeasure network attack detection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110598794A (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180314716A1 (en) * | 2017-04-27 | 2018-11-01 | Sk Telecom Co., Ltd. | Method for learning cross-domain relations based on generative adversarial networks |
CN107392019A (en) * | 2017-07-05 | 2017-11-24 | 北京金睛云华科技有限公司 | A kind of training of malicious code family and detection method and device |
US20190215329A1 (en) * | 2018-01-08 | 2019-07-11 | Sophos Limited | Malware detection using machine learning |
Non-Patent Citations (2)
Title |
---|
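Weiwei Hu et al.: "Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN", HTTPS://ARXIV.ORG/ABS/1702.05983 * |
Wu Tianbo (武天博): "Research on APT Attack Detection Technology Based on GAN-LSTM", China Master's Theses Full-text Database, Information Science and Technology * |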
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111475810A (en) * | 2020-04-13 | 2020-07-31 | 广州锦行网络科技有限公司 | Malicious software detector training method and system, and detection method and system |
CN111914488A (en) * | 2020-08-14 | 2020-11-10 | 贵州东方世纪科技股份有限公司 | Data regional hydrological parameter calibration method based on antagonistic neural network |
CN111914488B (en) * | 2020-08-14 | 2023-09-01 | 贵州东方世纪科技股份有限公司 | Data area hydrologic parameter calibration method based on antagonistic neural network |
CN111970277A (en) * | 2020-08-18 | 2020-11-20 | 中国工商银行股份有限公司 | Flow identification method and device based on federal learning |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110505241B (en) | Network attack plane detection method and system | |
CN110493262B (en) | Classification-improved network attack detection method and system | |
US10187412B2 (en) | Robust representation of network traffic for detecting malware variations | |
CN110598794A (en) | Classified countermeasure network attack detection method and system | |
CN112468487B (en) | Method and device for realizing model training and method and device for realizing node detection | |
CN110619216B (en) | Malicious software detection method and system for adversarial network | |
CN110545284A (en) | Domain name detection method and system for antagonistic network | |
KR20190028880A (en) | Method and appratus for generating machine learning data for botnet detection system | |
CN111787002B (en) | Method and system for analyzing safety of service data network | |
Elmasry et al. | Comparative evaluation of different classification techniques for masquerade attack detection | |
Haas et al. | Efficient attack correlation and identification of attack scenarios based on network-motifs | |
Kozik et al. | Pattern extraction algorithm for NetFlow‐based botnet activities detection | |
Evans et al. | Raider: Reinforcement-aided spear phishing detector | |
CN110581856A (en) | malicious code detection method and system | |
CN110581857B (en) | Virtual execution malicious software detection method and system | |
Severi et al. | Poisoning network flow classifiers | |
CN111885011A (en) | Method and system for analyzing and mining safety of service data network | |
CN112016088A (en) | Method and device for generating file detection model and method and device for detecting file | |
CN112532562B (en) | Malicious data flow detection method and system for adversarial network | |
CN112001424A (en) | Malicious software open set family classification method and device based on countermeasure training | |
Bui et al. | A clustering-based shrink autoencoder for detecting anomalies in intrusion detection systems | |
Taylor et al. | A smart system for detecting behavioural botnet attacks using random forest classifier with principal component analysis | |
CN110458209A (en) | A kind of escape attack method and device for integrated Tree Classifier | |
Picek et al. | One-class classification of low volume dos attacks with genetic programming | |
Zolotukhin et al. | Detection of anomalous http requests based on advanced n-gram model and clustering techniques |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20191220 |