CN110691073A - Industrial control network brute force cracking flow detection method based on random forest - Google Patents

Publication number
CN110691073A
Authority
CN
China
Prior art keywords
brute force
force cracking
flow
data
industrial control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910884654.8A
Other languages
Chinese (zh)
Inventor
张鑫
李鹏
许爱东
郭晓玲
徐砚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronic Technology Cyber Security Co Ltd
Original Assignee
China Electronic Technology Cyber Security Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a random-forest-based method for detecting brute force cracking flow in industrial control networks, which mainly comprises two parts: first, training a brute force cracking detection model based on random forest; second, using the brute force cracking detection model to perform brute force cracking detection on real-time network flow data. Because the brute force cracking detection model is generated with the random forest algorithm, brute force cracking can be detected in real time, brute force cracking flow can be recognized as soon as it appears, and a real-time response can be made according to the provided solution.

Description

Industrial control network brute force cracking flow detection method based on random forest
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an industrial control network brute force cracking flow detection method based on random forests.
Background
A challenge for industrial control network security is intrusion by new Trojans and worms. For example, the Mirai virus, which paralyzed large parts of the Internet in the eastern United States, made full use of hard-coding flaws in existing intelligent terminal equipment such as network cameras and intelligent switches and broke the access control of that equipment by brute force cracking, thereby building a botnet of hundreds of thousands of devices.
Industrial control network information security protection has two particularities. First, the attackers and defenders are special: unlike in traditional network attacks, an industrial intruder is not a traditional hacker but is likely to be a terrorist organization or even an organization backed by a hostile state. Second, the consequences of an attack are serious: if key industrial control facilities are attacked, the development of the national economy and the stability of society can be directly threatened.
In recent years, emerging technologies such as cloud computing and network security protection based on big data theory have been applied to the field of traditional information security. These new technologies can effectively identify malicious files on a terminal, but they are rarely applied in the field of industrial control systems.
Disclosure of Invention
The invention aims to address the above technical problems by providing a random-forest-based method for detecting brute force cracking flow in industrial control networks. The method generates a brute force cracking detection model based on the random forest algorithm and can detect brute force cracking in real time, in particular SSH brute force cracking and FTP brute force cracking, the two more popular kinds, so that brute force cracking flow is recognized as soon as it appears and a real-time response is made according to the provided solution.
The technical scheme adopted by the invention to solve the technical problems is as follows: a method for detecting the brute force cracking flow of an industrial control network based on random forests comprises the following steps:
step one, training a brute force cracking detection model:
(1) carrying out brute force cracking in a simulated industrial control network environment to generate industrial control simulated flow data;
(2) cleaning the industrial control simulation flow data to remove data from which complete flow characteristics cannot be extracted;
(3) extracting multidimensional flow characteristics from the industrial control simulation flow data after data cleaning;
(4) training a random forest by using the multidimensional flow characteristics of the industrial control simulation flow data as a training set to obtain a brute force cracking detection model; the random forest comprises a plurality of decision trees; one node on a decision tree corresponds to one flow characteristic, the flow characteristic corresponding to the node has a value range, and the value range of each flow characteristic represents whether the network flow data is brute force cracking or normal;
step two, brute force cracking flow detection:
(1) cleaning the real-time network flow data to remove data from which complete flow characteristics cannot be extracted;
(2) extracting multidimensional flow characteristics from real-time network flow data after data cleaning;
(3) inputting the multidimensional flow characteristics of the real-time network flow data into the brute force cracking detection model;
(4) the brute force cracking detection model outputs real-time network flow data as brute force cracking or normal classification results.
In summary, due to the adoption of the technical scheme, the invention has the beneficial effects that:
1. The brute force cracking detection model is generated based on the random forest algorithm, so brute force cracking can be detected in real time, in particular SSH brute force cracking and FTP brute force cracking, the two kinds that are popular in brute force cracking; brute force cracking flow can be recognized as soon as it appears, and a real-time response is made according to the provided solution.
2. The method adopts a brute force cracking detection model obtained from random forests, which can process high-dimensional data and only needs feature extraction, without feature selection.
3. The random forest adopted by the invention is easy to parallelize because the decision trees in the random forest are mutually independent.
4. The detection method can go from real-time network flow data to an alarm within 5 s.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram of a method for detecting traffic of industrial control network brute force cracking based on random forest.
Detailed Description
The invention relates to a random-forest-based method for detecting brute force cracking flow in industrial control networks, which mainly comprises two parts:
First, training a brute force cracking detection model based on random forest.
A training set is prepared first: industrial control network flow data is obtained by carrying out brute force cracking in a simulated industrial control network environment, data from which complete flow characteristics cannot be extracted is filtered out, and multidimensional flow characteristics are then extracted from the cleaned industrial control simulation flow data to serve as the training set.
The random forest is then trained with the training set. Nodes on the decision trees of the random forest represent the flow characteristics, and the value range of a flow characteristic represents whether the category of the network flow data is brute force cracking or normal. The decision trees in the random forest are mutually independent, so parallelization is easy to realize. The brute force cracking detection model obtained by random forest training can process high-dimensional data and needs only feature extraction, not feature selection (the model selects features randomly according to feature importance).
Second, performing brute force cracking detection on real-time network flow data by using the brute force cracking detection model.
Data from which complete flow characteristics cannot be extracted is filtered out of the real-time network flow data, and the same multidimensional flow characteristics are then extracted as input data. In the brute force cracking detection model, the detection result for the real-time network flow data, brute force cracking or normal, is obtained from the value range of each flow characteristic.
The following is a detailed description of the method steps of the present invention.
As shown in fig. 1, the method for detecting the industrial control network brute force cracking traffic based on the random forest comprises the following steps:
step one, training a brute force cracking detection model:
(1) Carrying out brute force cracking in a simulated industrial control network environment to generate industrial control simulated flow data. Since SSH brute force cracking and FTP brute force cracking are popular kinds of brute force cracking, the brute force cracking performed in the simulated industrial control network environment in this embodiment includes SSH brute force cracking and FTP brute force cracking, so the classification results detected by the trained brute force cracking detection model are SSH brute force cracking, FTP brute force cracking and normal; however, the scope of the present invention should not be limited to SSH brute force cracking and FTP brute force cracking. Optionally, a bator brute force cracking tool is used for SSH brute force cracking and FTP brute force cracking in the simulated industrial control network environment to generate the industrial control simulated flow data.
(2) Cleaning the industrial control simulation flow data to remove data from which complete flow characteristics cannot be extracted; the data cleaning process may employ conventional data cleaning methods.
(3) Extracting multidimensional flow characteristics from the industrial control simulation flow data after data cleaning; the multi-dimensional flow characteristics include all of the following:
1) flow quintuple: source ip, source port, destination ip, destination port, protocol type;
2) basic flow characteristics: connection duration, number of bytes of data from source host to target host, number of bytes of data from target host to source host, number of packets of data from source host to target host, number of packets of data from target host to source host, and type of network service of target host;
3) flow connection characteristics: the number of connections having the same source ip and destination ip as the current connection, the number of connections having the same source ip and source port as the current connection, the number of connections having the same source ip and different destination ip as the current connection, the number of connections having the same destination ip and destination port as the current connection, the number of connections having the same destination ip and source port as the current connection, the number of connections having the same destination ip and different destination port as the current connection, the number of connections having the same source ip and network service as the current connection, and the number of connections having the same destination ip and network service as the current connection. Generally, when the multidimensional flow characteristics are collected, the flow connection characteristics are counted over a 5-second window.
The multidimensional flow characteristics are a set of flow characteristics, and all of them can be extracted only from a complete session flow. Using incomplete flow characteristics may cause misjudgment or missed detection because key flow characteristics are lost, so data from which complete flow characteristics cannot be extracted must be filtered out by the data cleaning process.
(4) Training a random forest by using the multidimensional flow characteristics of the industrial control simulation flow data as a training set to obtain a brute force cracking detection model; the random forest comprises a plurality of decision trees; one node on a decision tree corresponds to one flow characteristic, the flow characteristic corresponding to the node has a value range, and the value range of each flow characteristic represents whether the network flow data is brute force cracking or normal. That is, the value range of the flow characteristic corresponding to a node on the decision tree is the range, learned from the feature values of that flow characteristic used while training the decision tree, that indicates whether the network flow data is brute force cracking or normal.
Specifically, the method for training the brute force cracking detection model comprises the following steps:
1) inputting multidimensional flow characteristics of industrial control simulation flow data into a random forest as a training set;
2) performing node segmentation on each decision tree of the random forest according to the training set, determining the node corresponding to each flow characteristic in the decision tree, learning during node segmentation the value ranges that represent network flow data as brute force cracking or normal, and thereby completing the training of the decision tree. When node segmentation is performed on each decision tree of the random forest according to the training set, the Gini index is used as the criterion for node segmentation. The principle is as follows:
The random forest comprises a plurality of decision trees, which are binary CART classification trees. In a classification problem, assume there are k classes and the probability of the k-th class is p_k; then the expression of the Gini coefficient is:
For a given sample D, assume that there are k classes and the number of samples of the k-th class is C_k; then the expression of the Gini coefficient of sample D is:
[Formula image not reproduced in this text.]
In particular, for a given sample D, if D is divided into two parts D_1 and D_2 according to a certain value a of the characteristic A, then, under the condition that the characteristic A takes the value a, the Gini coefficient expression of sample D is:
According to this principle, when the CART classification tree performs node segmentation, the impurity of the brute force cracking detection model is represented by the Gini coefficient: the lower the Gini coefficient, the lower the impurity and the better the characteristic. That is, when node segmentation is performed on each decision tree of the random forest according to the training set, the segmentation point with the minimum Gini coefficient is used.
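The node segmentation rule described above (split at the point with the minimum Gini coefficient), as an added Python example that is not code from the patent. It uses the standard CART Gini impurity and builds one deterministic tree; a random forest would train many such trees on resampled data. The two features, the label strings and the training rows are constructed for illustration.

```python
from collections import Counter

# Constructed training rows: (destination port, number of connections to the
# same destination ip and port in the last 5 s). Values are illustrative only.
TRAIN_ROWS = [(22, 40), (22, 55), (22, 38),          # SSH brute force
              (21, 45), (21, 60), (21, 50),          # FTP brute force
              (22, 1), (21, 2), (22, 0), (21, 1)]    # normal
TRAIN_LABELS = (["ssh_bruteforce"] * 3 + ["ftp_bruteforce"] * 3 + ["normal"] * 4)

def gini(labels):
    """Standard Gini impurity: 1 minus the sum over classes of p_k squared."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values()) if n else 0.0

def split_gini(rows, labels, feat, thr):
    """Size-weighted Gini of the two parts produced by rows[feat] <= thr."""
    left = [y for x, y in zip(rows, labels) if x[feat] <= thr]
    right = [y for x, y in zip(rows, labels) if x[feat] > thr]
    n = len(labels)
    return len(left) / n * gini(left) + len(right) / n * gini(right)

def best_split(rows, labels):
    """Try every midpoint of every feature; return (gini, feature, threshold)
    with the minimum weighted Gini, or None if no feature has two values."""
    best = None
    for feat in range(len(rows[0])):
        values = sorted({x[feat] for x in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            g = split_gini(rows, labels, feat, thr)
            if best is None or g < best[0]:
                best = (g, feat, thr)
    return best

def build_tree(rows, labels, depth=0, max_depth=4):
    """Binary CART tree: a leaf is a class label, an inner node is the tuple
    (feature, threshold, left_subtree, right_subtree)."""
    majority = Counter(labels).most_common(1)[0][0]
    stop = gini(labels) == 0.0 or depth == max_depth
    split = None if stop else best_split(rows, labels)
    if split is None:
        return majority
    _, feat, thr = split
    left = [(x, y) for x, y in zip(rows, labels) if x[feat] <= thr]
    right = [(x, y) for x, y in zip(rows, labels) if x[feat] > thr]
    return (feat, thr,
            build_tree(*zip(*left), depth + 1, max_depth),
            build_tree(*zip(*right), depth + 1, max_depth))

def classify(tree, x):
    """Walk from the root to a leaf, comparing x against each node's range."""
    while isinstance(tree, tuple):
        feat, thr, left, right = tree
        tree = left if x[feat] <= thr else right
    return tree

if __name__ == "__main__":
    tree = build_tree(TRAIN_ROWS, TRAIN_LABELS)
    print(best_split(TRAIN_ROWS, TRAIN_LABELS))
    print(tree)
    print(classify(tree, (22, 47)))
```

On this data the root splits on the connection count (burst versus no burst), and only then on the port, which is the "value range per node" idea in the description.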
Step two, brute force cracking flow detection:
(1) Extracting multidimensional flow characteristics from real-time network flow data. That is, to perform brute force cracking detection on real-time network flow data with the brute force cracking detection model, the flow characteristics corresponding to the nodes on the decision trees in the model, namely the multidimensional flow characteristics extracted during model training, must be extracted from the real-time network flow data.
(2) Inputting the multidimensional flow characteristics of the real-time network flow data into the brute force cracking detection model;
(3) the brute force cracking detection model outputs real-time network flow data as brute force cracking or normal classification results.
As can be seen from the above description, the brute force cracking detection model votes according to the classification result of each decision tree, and the class with the most votes is used as the final classification result. For example, when the random forest has 50 decision trees, if the numbers of decision trees whose classification results are SSH brute force cracking, FTP brute force cracking and normal are 30, 10 and 10 respectively, the final classification result of the brute force cracking detection model is SSH brute force cracking.
To present the detection result of the brute force cracking detection model more intuitively, an alarm is raised when the model classifies the real-time network flow data as brute force cracking (such as SSH brute force cracking or FTP brute force cracking); when the model classifies the real-time network flow data as normal, the real-time network flow data is discarded.
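The detection-side data path described above (cleaning, the eight flow connection characteristics counted over 5 seconds, the vote and the alarm decision), as an added Python example that is not code from the patent. The record field names, the label strings, the choice to count only earlier flows in the window and the sample records are assumptions of this example; the per-tree outputs are passed in as a list.

```python
from collections import Counter, namedtuple

# One finished connection. Field names are assumptions of this example.
Flow = namedtuple("Flow", "ts src_ip src_port dst_ip dst_port proto service "
                          "duration bytes_out bytes_in pkts_out pkts_in")
WINDOW = 5.0  # seconds, the statistics window given in the description

def clean(flows):
    """Data cleaning: drop records with a missing field, because the complete
    feature set cannot be extracted from them."""
    return [f for f in flows if all(v is not None for v in f)]

def connection_features(flows, window=WINDOW):
    """Return (flow, counts) pairs in time order. counts holds the eight flow
    connection characteristics over earlier flows in the last `window` seconds
    (the current flow is not counted against itself, a choice made here)."""
    flows = sorted(flows, key=lambda f: f.ts)
    result, start = [], 0
    for i, cur in enumerate(flows):
        while flows[start].ts < cur.ts - window:   # slide the window forward
            start += 1
        recent = flows[start:i]
        same_src = [f for f in recent if f.src_ip == cur.src_ip]
        same_dst = [f for f in recent if f.dst_ip == cur.dst_ip]
        counts = {
            "same_src_dst": sum(f.dst_ip == cur.dst_ip for f in same_src),
            "same_src_sport": sum(f.src_port == cur.src_port for f in same_src),
            "same_src_diff_dst": sum(f.dst_ip != cur.dst_ip for f in same_src),
            "same_dst_dport": sum(f.dst_port == cur.dst_port for f in same_dst),
            "same_dst_sport": sum(f.src_port == cur.src_port for f in same_dst),
            "same_dst_diff_dport": sum(f.dst_port != cur.dst_port for f in same_dst),
            "same_src_service": sum(f.service == cur.service for f in same_src),
            "same_dst_service": sum(f.service == cur.service for f in same_dst),
        }
        result.append((cur, counts))
    return result

def majority_vote(tree_labels):
    """Final class is the label output by the largest number of trees."""
    return Counter(tree_labels).most_common(1)[0][0]

def respond(label):
    """Alarm on any brute force class, discard flows classified as normal."""
    return "discard" if label == "normal" else "alert"

def sample_flows():
    """Constructed records: six SSH logins 0.8 s apart from one source, one
    FTP transfer, one truncated record, and one SSH login 5.5 s later."""
    ssh = [Flow(0.8 * i, "192.0.2.5", 40000 + i, "192.0.2.20", 22, "tcp",
                "ssh", 0.7, 1500, 2100, 12, 11) for i in range(6)]
    ftp = Flow(2.0, "192.0.2.7", 51000, "192.0.2.30", 21, "tcp",
               "ftp", 35.0, 900, 48000, 20, 40)
    truncated = Flow(1.0, "192.0.2.5", 40100, "192.0.2.20", 22, "tcp",
                     "ssh", None, 60, None, 1, None)
    late = Flow(9.5, "192.0.2.5", 40200, "192.0.2.20", 22, "tcp",
                "ssh", 0.7, 1500, 2100, 12, 11)
    return ssh + [ftp, truncated, late]

if __name__ == "__main__":
    for flow, counts in connection_features(clean(sample_flows())):
        print(flow.ts, flow.service, counts)
    votes = ["ssh_bruteforce"] * 30 + ["ftp_bruteforce"] * 10 + ["normal"] * 10
    print(majority_vote(votes), respond(majority_vote(votes)))
```

The sixth SSH login sees five earlier connections to the same destination and port inside the window, while the login at 9.5 s sees none; a slower attempt rate therefore produces low counts, which is worth checking when tuning the window.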
To illustrate the beneficial effects of the invention, the brute force cracking detection results of the random-forest-based brute force cracking detection model are compared with those of a Naive Bayes algorithm model and of a convolutional neural network algorithm model; the comparison results are shown in Tables 1 and 2. Note that the effect of a model under test is mainly evaluated by two indexes, the detection rate and the false alarm rate:
[Formula images for the detection rate and the false alarm rate are not reproduced in this text.]
The higher the detection rate and the lower the false alarm rate, the better the model.
Table 1: comparison of the brute force cracking detection results of the random-forest-based brute force cracking detection model of the present invention and the Naive Bayes algorithm model:
[Table 1 image not reproduced in this text.]
Table 2: comparison of the brute force cracking detection results of the random-forest-based brute force cracking detection model of the present invention and the convolutional neural network algorithm model:
[Table 2 image not reproduced in this text.]
As can be seen from the comparison in Table 1 and Table 2, the random-forest-based brute force cracking detection model has a higher detection rate and a lower false alarm rate than the other algorithm models, and the process from real-time network flow data to alarm can be completed within 5 s, so the model can be used as a detection method for industrial control network brute force cracking.

Claims (8)

1. A method for detecting the brute force cracking flow of an industrial control network based on random forests, characterized by comprising the following steps:
step one, training a brute force cracking detection model:
(1) carrying out brute force cracking in a simulated industrial control network environment to generate industrial control simulated flow data;
(2) cleaning the industrial control simulation flow data to remove data from which complete flow characteristics cannot be extracted;
(3) extracting multidimensional flow characteristics from the industrial control simulation flow data after data cleaning;
(4) training a random forest by using the multidimensional flow characteristics of the industrial control simulation flow data as a training set to obtain a brute force cracking detection model; the random forest comprises a plurality of decision trees; one node on a decision tree corresponds to one flow characteristic, the flow characteristic corresponding to the node has a value range, and the value range of each flow characteristic represents whether the network flow data is brute force cracking or normal;
step two, brute force cracking flow detection:
(1) cleaning the real-time network flow data to remove data from which complete flow characteristics cannot be extracted;
(2) extracting multidimensional flow characteristics from real-time network flow data after data cleaning;
(3) inputting the multidimensional flow characteristics of the real-time network flow data into the brute force cracking detection model;
(4) the brute force cracking detection model outputs real-time network flow data as brute force cracking or normal classification results.
2. The industrial control network brute force cracking traffic detection method based on the random forest as claimed in claim 1, wherein the method for training the brute force cracking detection model in the first step is as follows:
(1) inputting multidimensional flow characteristics of industrial control simulation flow data into a random forest as a training set;
(2) performing node segmentation on each decision tree of the random forest according to the training set, determining the node corresponding to each flow characteristic in the decision tree, learning during node segmentation the value ranges that represent network flow data as brute force cracking or normal, and thereby completing the training of the decision tree.
3. The industrial control network brute force cracking traffic detection method based on the random forest as claimed in claim 2, wherein when node segmentation is performed on each decision tree of the random forest according to the training set, node segmentation is performed at the segmentation point with the minimum Gini coefficient.
4. The industrial control network brute force breaking traffic detection method based on the random forest as claimed in claim 1, wherein the multidimensional traffic characteristics include all of the following traffic characteristics:
(1) flow quintuple: source ip, source port, destination ip, destination port, protocol type;
(2) basic flow characteristics: connection duration, number of bytes of data from source host to target host, number of bytes of data from target host to source host, number of packets of data from source host to target host, number of packets of data from target host to source host, and type of network service of target host;
(3) flow connection characteristics: the number of connections having the same source ip and destination ip as the current connection, the number of connections having the same source ip and source port as the current connection, the number of connections having the same source ip and different destination ip as the current connection, the number of connections having the same destination ip and destination port as the current connection, the number of connections having the same destination ip and source port as the current connection, the number of connections having the same destination ip and different destination port as the current connection, the number of connections having the same source ip and network service as the current connection, and the number of connections having the same destination ip and network service as the current connection.
5. The industrial control network brute force cracking flow detection method based on the random forest as claimed in claim 4, wherein the multidimensional flow characteristics are counted by selecting flow connection characteristics within 5 seconds.
6. The industrial control network brute force cracking traffic detection method based on the random forest as claimed in claim 1, wherein the method for outputting real-time network traffic data as a brute force cracking or normal classification result by the brute force cracking detection model in the second step is as follows: and the brute force cracking detection model votes according to the classification result of each decision tree, and the class with the most votes is used as the final classification result.
7. The industrial control network brute force cracking traffic detection method based on the random forest as claimed in claim 1, wherein when real-time network traffic data output by the brute force cracking detection model is brute force cracking, an alarm is given; and when the real-time network traffic data output by the brute force cracking detection model is normal, discarding the real-time network traffic data.
8. The industrial control network brute force cracking flow detection method based on the random forest as claimed in any one of claims 1-6, wherein brute force cracking conducted in the simulated industrial control network environment in the step one comprises SSH brute force cracking and FTP brute force cracking, and classification results obtained by training the brute force cracking detection model to conduct detection comprise SSH brute force cracking, FTP brute force cracking and normal.
CN201910884654.8A 2019-09-19 2019-09-19 Industrial control network brute force cracking flow detection method based on random forest Pending CN110691073A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910884654.8A CN110691073A (en) 2019-09-19 2019-09-19 Industrial control network brute force cracking flow detection method based on random forest

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910884654.8A CN110691073A (en) 2019-09-19 2019-09-19 Industrial control network brute force cracking flow detection method based on random forest

Publications (1)

Publication Number Publication Date
CN110691073A true CN110691073A (en) 2020-01-14

Family

ID=69109527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910884654.8A Pending CN110691073A (en) 2019-09-19 2019-09-19 Industrial control network brute force cracking flow detection method based on random forest

Country Status (1)

Country Link
CN (1) CN110691073A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108696543A (en) * 2018-08-24 2018-10-23 海南大学 Distributed reflection Denial of Service attack detection based on depth forest, defence method
CN108768883A (en) * 2018-05-18 2018-11-06 新华三信息安全技术有限公司 A kind of network flow identification method and device
US20190034834A1 (en) * 2016-03-31 2019-01-31 Alibaba Group Holding Limited Method and apparatus for training model based on random forest
CN109446635A (en) * 2018-10-23 2019-03-08 中国电力科学研究院有限公司 A kind of electric power industry control attack classification and system based on machine learning
CN109635564A (en) * 2018-12-07 2019-04-16 深圳市联软科技股份有限公司 A kind of method, apparatus, medium and equipment detecting Brute Force behavior
CN109861988A (en) * 2019-01-07 2019-06-07 浙江大学 A kind of industrial control system intrusion detection method based on integrated study

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111224994A (en) * 2020-01-15 2020-06-02 南京邮电大学 Botnet detection method based on feature selection
CN112487033A (en) * 2020-11-30 2021-03-12 国网山东省电力公司电力科学研究院 Service visualization method and system for data flow and network topology construction
CN112910918A (en) * 2021-02-26 2021-06-04 南方电网科学研究院有限责任公司 Industrial control network DDoS attack traffic detection method and device based on random forest
CN112953948A (en) * 2021-02-26 2021-06-11 南方电网科学研究院有限责任公司 Real-time network transverse worm attack flow detection method and device
CN113645182A (en) * 2021-06-21 2021-11-12 上海电力大学 Random forest detection method for denial of service attack based on secondary feature screening
CN113596065A (en) * 2021-10-08 2021-11-02 成都数默科技有限公司 SSH protocol login state detection method based on machine learning
CN113596065B (en) * 2021-10-08 2021-12-07 成都数默科技有限公司 SSH protocol login state detection method based on machine learning
CN113722445A (en) * 2021-11-01 2021-11-30 江苏开博科技有限公司 Brute force cracking detection method and system based on passive flow analysis
CN115001739A (en) * 2022-04-19 2022-09-02 中国电子科技网络信息安全有限公司 Random forest based transverse worm attack detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200114)