CN110830515A - Flow detection method and device and electronic equipment - Google Patents
Flow detection method and device and electronic equipment Download PDFInfo
- Publication number
- CN110830515A CN110830515A CN201911285269.8A CN201911285269A CN110830515A CN 110830515 A CN110830515 A CN 110830515A CN 201911285269 A CN201911285269 A CN 201911285269A CN 110830515 A CN110830515 A CN 110830515A
- Authority
- CN
- China
- Prior art keywords
- flow
- detection
- model
- training
- real
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
Disclosed is a flow detection method applied to a flow detection system, the method comprising: obtaining the training sample flow after privacy desensitization from a butted service system; carrying out feature extraction on the training sample flow to obtain corresponding flow features; inputting the flow characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a flow detection model; and responding to an instruction for carrying out flow detection on the predicted sample flow of the service system, carrying out flow detection on the predicted sample flow based on the flow detection model, and obtaining a detection result corresponding to the predicted sample flow, so that flow detection model modeling is carried out on the multi-dimensional characteristics of the breadth and the depth of the flow, and the real-time performance of flow detection is greatly improved on the premise of ensuring the accuracy of the flow detection.
Description
Technical Field
The application relates to the technical field of machine learning and computer application, in particular to a flow detection method, a flow detection device and electronic equipment.
Background
With the development of the internet and the mobile internet, the service applications based on the internet and the mobile internet are more and more, and the service applications deployed on the public network are often confronted with a mass of malicious traffic attacks.
Machine learning techniques have changed significantly over the past decade, from purely academic research in laboratories to widespread use in various production areas, such as: financial industry, e-commerce retail industry, IT industry, medical industry, and the like. Machine learning models are essentially algorithms that attempt to learn potential patterns and relationships from data, rather than building invariant rules through code.
Disclosure of Invention
The application provides a flow detection method, which is applied to a flow detection system and comprises the following steps:
obtaining the training sample flow after privacy desensitization from a butted service system; carrying out feature extraction on the training sample flow to obtain corresponding flow features;
inputting the flow characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a flow detection model;
and responding to an instruction for carrying out flow detection on the predicted sample flow of the service system, carrying out flow detection on the predicted sample flow based on the flow detection model, and obtaining a detection result corresponding to the predicted sample flow.
Optionally, the flow detection system further includes an offline calculation engine and a real-time calculation engine;
the extracting the features of the training sample flow to obtain the corresponding flow features comprises:
on the basis of the offline calculation engine, performing offline calculation on the training sample flow according to a preset first time granularity to obtain a corresponding offline flow characteristic;
and based on the real-time calculation engine, calculating the flow of the training sample in real time according to a preset second time granularity to obtain corresponding real-time flow characteristics.
Optionally, the inputting the traffic feature training into a machine learning model based on a width and depth architecture for joint training to obtain a traffic detection model includes:
acquiring a detection label corresponding to the training sample flow; the detection label is an actual label indicating whether the training sample flow is intercepted or not;
vectorizing and connecting the offline flow characteristics and the real-time flow characteristics in series respectively to obtain a combined flow characteristic vector corresponding to the flow of the training sample after connection in series;
and inputting the combined flow characteristic vector and the detection label into the machine learning model to perform joint training to obtain a flow detection model.
Optionally, the width model corresponding to the width and depth architecture of the machine learning model is a linear model, and the depth model corresponding to the width and depth architecture of the machine learning model is a deep neural network model;
inputting the combined flow characteristic vector and the detection label into the machine learning model for joint training to obtain a flow detection model, wherein the flow detection model comprises:
inputting the combined flow characteristic vector and the detection label to the linear model and the deep neural network model respectively for joint training to obtain the trained linear model and the trained deep neural network model;
outputting the trained linear model and the trained deep neural network model as a flow detection model; and model parameters of the linear model and the deep neural network model after training are optimal model parameters obtained by combined training solution.
Optionally, the detection tag is an actual label from the service system for performing on-line interception on the training sample traffic, or the detection tag is an actual label from a preset behavior detection model for performing behavior detection on the training sample traffic, which is obtained by performing on-line interception on the training sample traffic.
Optionally, the second time granularity is smaller than the first time granularity; the off-line calculation engine is Hive or ODPS, and the real-time calculation engine is any one of Flink, Blink, Spark and Storm.
Optionally, the method further includes:
and outputting a detection result corresponding to the predicted sample flow to the service system in real time, so that the service system performs real-time processing on whether the predicted sample flow is intercepted or not based on the detection result.
The present application further provides a flow detection device, the device is applied to a flow detection system, the device includes:
the extraction module is used for acquiring the training sample flow after privacy desensitization from the butted service system; carrying out feature extraction on the training sample flow to obtain corresponding flow features;
the training module is used for inputting the traffic characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a traffic detection model;
and the detection module responds to an instruction for carrying out flow detection on the predicted sample flow of the service system, carries out flow detection on the predicted sample flow based on the flow detection model and obtains a detection result corresponding to the predicted sample flow.
Optionally, the flow detection system further includes an offline calculation engine and a real-time calculation engine;
the extraction module further:
on the basis of the offline calculation engine, performing offline calculation on the training sample flow according to a preset first time granularity to obtain a corresponding offline flow characteristic;
and based on the real-time calculation engine, calculating the flow of the training sample in real time according to a preset second time granularity to obtain corresponding real-time flow characteristics.
Optionally, the training module further:
acquiring a detection label corresponding to the training sample flow; the detection label is an actual label indicating whether the training sample flow is intercepted or not;
vectorizing and connecting the offline flow characteristics and the real-time flow characteristics in series respectively to obtain a combined flow characteristic vector corresponding to the flow of the training sample after connection in series;
and inputting the combined flow characteristic vector and the detection label into the machine learning model to perform joint training to obtain a flow detection model.
Optionally, the width model corresponding to the width and depth architecture of the machine learning model is a linear model, and the depth model corresponding to the width and depth architecture of the machine learning model is a deep neural network model;
the training module further:
inputting the combined flow characteristic vector and the detection label to the linear model and the deep neural network model respectively for joint training to obtain the trained linear model and the trained deep neural network model;
outputting the trained linear model and the trained deep neural network model as a flow detection model; and model parameters of the linear model and the deep neural network model after training are optimal model parameters obtained by combined training solution.
Optionally, the detection tag is an actual label from the service system for performing on-line interception on the training sample traffic, or the detection tag is an actual label from a preset behavior detection model for performing behavior detection on the training sample traffic, which is obtained by performing on-line interception on the training sample traffic.
Optionally, the second time granularity is smaller than the first time granularity; the off-line calculation engine is Hive or ODPS, and the real-time calculation engine is any one of Flink, Blink, Spark and Storm.
Optionally, the detection module further:
and outputting a detection result corresponding to the predicted sample flow to the service system in real time, so that the service system performs real-time processing on whether the predicted sample flow is intercepted or not based on the detection result.
The application also provides an electronic device, which comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are mutually connected through the bus;
the memory stores machine-readable instructions, and the processor executes the method by calling the machine-readable instructions.
The present application also provides a machine-readable storage medium having stored thereon machine-readable instructions which, when invoked and executed by a processor, implement the above-described method.
Through the embodiment, the corresponding flow characteristics are obtained based on characteristic extraction of the training sample flow; inputting the traffic characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a traffic detection model; furthermore, in response to an instruction for performing flow detection on the predicted sample flow of the service system, flow detection is performed on the predicted sample flow based on the flow detection model to obtain a detection result corresponding to the predicted sample flow, so that flow detection model modeling is performed on the multi-dimensional characteristics of the breadth and the depth of the flow, and the flow detection real-time performance is greatly improved on the premise of ensuring the flow detection accuracy.
Drawings
FIG. 1 is a flow chart of a method for traffic detection provided by an exemplary embodiment;
FIG. 2 is a diagram of a machine learning model of a width and depth architecture provided by an exemplary embodiment;
FIG. 3 is a hardware block diagram of an electronic device provided by an exemplary embodiment;
fig. 4 is a block diagram of a flow detection device according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In order to make those skilled in the art better understand the technical solution in the embodiment of the present disclosure, the following briefly describes the related art of flow detection in the embodiment of the present disclosure.
Generally, the conventional technical solutions for flow detection mainly include the following two types:
scheme A: the flow detection is carried out based on a large number of rules summarized by the manual experience of safety experts, the flow detection real-time performance is high, but the detection accuracy and recall rate cannot be guaranteed, and the problems of a large number of detection missing reports and false reports exist.
Scheme B: the flow detection is carried out by massive offline flow training and machine learning model construction, the accuracy and recall rate of flow detection are high, but the real-time performance of flow detection is low, and the generalization capability of the model is poor.
Based on the above, the present specification aims to provide a method for performing joint training on a traffic detection model based on a machine learning model with a width and depth architecture; and carrying out flow detection based on the flow detection model.
When the method is realized, the flow detection system acquires the training sample flow after privacy desensitization from the butted service system; and carrying out feature extraction on the training sample flow to obtain corresponding flow features.
Further, the flow detection system inputs flow characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a flow detection model with a plurality of mixed models;
further, the flow detection system responds to the instruction for performing flow detection on the predicted sample flow of the service system, and performs flow detection on the predicted sample flow based on the flow detection model to obtain a detection result corresponding to the predicted sample flow.
In the technical scheme, the corresponding flow characteristics are obtained based on characteristic extraction of the training sample flow; inputting the traffic characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a traffic detection model; furthermore, in response to an instruction for performing flow detection on the predicted sample flow of the service system, flow detection is performed on the predicted sample flow based on the flow detection model to obtain a detection result corresponding to the predicted sample flow, so that flow detection model modeling is performed on the multi-dimensional characteristics of the breadth and the depth of the flow, and the flow detection real-time performance is greatly improved on the premise of ensuring the flow detection accuracy.
The present specification is described below with reference to specific embodiments and specific application scenarios.
Referring to fig. 1, fig. 1 is a flowchart illustrating a flow detection method applied to a flow detection system according to an embodiment of the present disclosure; the method comprises the following steps:
102, acquiring a training sample flow after privacy desensitization from a butted service system; and carrying out feature extraction on the training sample flow to obtain corresponding flow features.
And 104, inputting the flow characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a flow detection model.
And 106, responding to a command of performing flow detection on the predicted sample flow of the service system, and performing flow detection on the predicted sample flow based on the flow detection model to obtain a detection result corresponding to the predicted sample flow.
In this specification, the business system may include a machine or a machine cluster in any business form. For example, in practical applications, the business system may apply a corresponding business system to panning, tianmao, paypal, alisma, and the like.
In this specification, the traffic detection system may include a machine or a cluster of machines that interface with the service system and detect traffic after desensitization of privacy of the service system online and offline.
For example, in practical applications, the flow detection system may include a machine or a cluster of machines that interfaces with a business system corresponding to an application such as pan, tianmao, pay bao, and airy cloud, and detects real-time flow after online privacy desensitization and historical flow after offline privacy desensitization of the business system corresponding to the application such as pan, tianmao, pay bao, and airy cloud.
In this specification, the machine learning model refers to a machine learning model based on a width and depth architecture that operates on the flow rate detection system to perform flow rate detection;
the machine learning model based on the width and depth architecture is a hybrid machine learning model including a width machine learning model (hereinafter, the "width machine learning model" is simply referred to as "width model") and a depth machine learning model (hereinafter, the "depth machine learning model" is simply referred to as "depth model").
In the present specification, the training sample flow rate is a sample flow rate used for the flow rate detection system to perform model training on the machine learning model mounted thereon.
For example, in practical applications, the training sample traffic may include an online real-time traffic and an offline historical traffic, in which the traffic detection system performs model training on the machine learning model installed in the traffic detection system.
In this specification, the predicted sample traffic refers to sample traffic acquired by the traffic detection system from the service system and input to the machine learning model to perform traffic detection.
For example, in practical applications, the predicted sample traffic may include online real-time traffic and offline historical traffic, which are acquired by the traffic detection system from the business system and input to the machine learning model for traffic detection.
In this specification, the traffic detection system obtains the training sample traffic from the docked service system.
For example, in practical applications, the traffic detection system obtains the training sample traffic from a business system corresponding to the docked naobao, tianmao, paypal, alisma, and the like.
In this specification, the offline calculation engine may include a big data calculation engine that performs offline calculation on the training sample flow and the prediction sample flow.
In an embodiment shown, the offline computing engine may be Hive (an open source offline computing engine based on Hadoop architecture) or ODPS (open data processing service, an offline computing engine based on the developing architecture of arbiba). For the above specific architecture and offline calculation principle of the offline calculation engine, please refer to the technical description related to Hive and ODPS, which is not described herein again.
In this specification, the real-time calculation engine may include a big data calculation engine that performs real-time calculation on the training sample flow and the prediction sample flow.
In one embodiment, the real-time computing engine may be any one of Flink (an open-source real-time computing engine), Blink (a modified open-source based real-time computing engine developed by arizba), Spark (a general parallel framework real-time computing engine of Hadoop MapReduce type), and Storm (a Twitter open-source real-time computing engine). For the above specific architecture and real-time computing principle of the real-time computing engine, please refer to Flink, Blink, Spark and Storm related technical descriptions, which are not repeated herein.
For ease of understanding, the concepts of off-line computation and real-time computation are briefly described herein. The off-line calculation refers to performing calculation analysis on accumulated data, the off-line calculation is usually performed on massive static data, the data accumulation time is long (usually, data on the order of days, weeks, months, years, etc.), a large amount of storage space is required, the calculation order is large, and the calculation time is long (for example, calculation time on the order of hours or more is required). For example, in practical applications, offline computation may be used in scenarios where hundreds of GB of accumulated, even TB, or even PB-level data is computed.
Compared with off-line calculation, the real-time calculation objects are usually a small amount of dynamic data, the dynamic change of the data cannot be predicted, but the data calculation amount is relatively small, and the calculation results are usually required to be output within a short calculation time (for example, within the order of milliseconds, seconds and minutes). For example, in practical applications, the solid line calculation may be used in situations such as killing of seconds by users, promotion of large commodities, and the like, which require a short calculation time.
In this specification, after the training sample flow rate is acquired, the flow rate detection system performs feature extraction on the training sample flow rate to obtain a corresponding flow rate feature.
In an embodiment shown, the flow detection system further includes the offline computation engine and the real-time computation engine; in the process of extracting the features of the training sample flow to obtain corresponding flow features, the flow detection system performs offline calculation on the training sample flow according to a preset first time granularity on the basis of the offline calculation engine to obtain offline flow features corresponding to the training sample flow;
for example, in practical applications, the traffic detection system performs offline calculation on the training sample traffic at a preset first time granularity (for example, any one or combination of time granularities on the order of days, weeks, months, years, and years) based on the offline calculation engine to obtain an offline traffic characteristic corresponding to the training sample traffic.
In this specification, the traffic detection system may further calculate the training sample traffic in real time at a preset second time granularity based on the real-time calculation engine, and obtain a real-time traffic feature corresponding to the training sample traffic.
For example, in practical applications, the flow rate detection system calculates the training sample flow rate in real time according to a preset second time granularity (for example, any one or a combination of time granularities with the order of milliseconds, seconds, minutes, hours and days) based on the real-time calculation engine, so as to obtain a real-time flow rate characteristic corresponding to the training sample flow rate; wherein the second time granularity (e.g., any one or combination of time granularity on the order of milliseconds, seconds, minutes, hours, and days) is smaller than the first time granularity (e.g., any one or combination of time granularity on the order of days, weeks, months, years, and years).
It should be noted that the specific traffic characteristics included in the offline traffic characteristics and the real-time traffic characteristics may include original characteristics obtained by performing data analysis on data content carried in the training sample traffic. For example, in practical applications, the specific traffic characteristics may include user ID information, city information of the user, device information, and IP address information carried in the training sample traffic. User login device type, etc.
Of course, in practical applications, the specific traffic characteristics included in the offline traffic characteristics and the real-time traffic characteristics may also include statistical characteristics obtained by performing statistics on data content carried in the training sample traffic. For example, in practical applications, the specific traffic characteristics may further include the number of login devices, the type and number of service requests, the number of times that service requests are intercepted, and the like in a statistical period of different time granularities, such as minutes, hours, days, and the like, in which each user ID information obtained by counting the data content carried in the training sample traffic logs in the service system.
The detailed type, number, and granularity of the statistical period of the specific flow rate characteristics included in the offline flow rate characteristics and the real-time flow rate characteristics are not specifically limited in this specification. In addition, after the flow rate detection system obtains the specific flow rate characteristics included in the offline flow rate characteristics and the real-time flow rate characteristics, a plurality of characteristics may exist in the specific flow rate characteristics at the same time, and the specific combination mode of the combination characteristics may be combined to generate a new combination characteristic.
In this specification, after extracting and obtaining a flow characteristic corresponding to the training sample flow, the flow detection system inputs the flow characteristic training to the machine learning model based on the width and depth framework and performs joint training to obtain a flow detection model.
For example, in practical applications, the flow rate detection system may store the extracted flow rate characteristics (including the offline flow rate characteristics and the real-time flow rate characteristics) corresponding to the training sample flow rate in a cache database (for example, the cache database may include, but is not limited to, Memcached, Redis, Mongodb, Couchbase, and Hbase); further, the traffic detection system may obtain the traffic feature training input from the buffer database to perform the joint training on the machine learning model based on the width and depth architecture to obtain a traffic detection model, and the model architecture of the machine learning model is shown in fig. 2 and its corresponding description.
Referring to fig. 2, fig. 2 is a schematic diagram of a machine learning model of a width and depth architecture according to an embodiment of the present disclosure.
The flow detection system shown in fig. 2 performs joint training on the width model and the depth model to obtain a hybrid model, that is, the hybrid model is a flow detection model used for the flow detection system to perform flow detection.
For ease of understanding, the following "joint training" concept is introduced here. In general, in training for machine learning models, there are two confusing concepts: "Joint training", "Integrated training"; wherein, the joint training refers to that the same training sample is respectively input to a plurality of machine learning models for training; in the training process, in the process of carrying out optimization solution on the multiple machine learning models, all model parameters of the multiple machine learning models are updated simultaneously, and the outputs of the multiple machine learning models are weighted and added to serve as the output of a mixed model of the multiple machine learning models.
And the integrated training means that the plurality of machine learning models respectively and independently perform model training, model parameters updated by the model training among the plurality of machine learning models are not related to each other, and prediction results corresponding to prediction samples respectively output by the plurality of machine learning models are combined together only when the prediction samples are predicted.
In this specification, the detection label is an actual label indicating whether the training sample traffic is intercepted;
the actual labeled specific value may be a user preset value indicating that the training sample traffic is intercepted or not intercepted.
For example: the actually labeled specific value may be an actually labeled value for performing on-line interception on the training sample traffic, which is 1, or an actually labeled specific value for performing on-line non-interception on the training sample traffic, which is 0.
In an embodiment shown, the detection tag is an actual label from the business system for intercepting the training sample traffic on line.
For example, the detection tag is the actual label from the production environment of the business system on line for intercepting the training sample traffic on line or not.
In another illustrated embodiment, the detection label is an actual label from a preset behavior detection model for detecting whether the training sample traffic is intercepted or not.
For example, the detection label is the actual label from a preset behavior detection model for detecting the behavior of the training sample traffic to obtain whether to intercept the training sample traffic; the behavior detection model may include a machine learning model that analyzes user behavior data in the training sample traffic and predicts whether the user behavior data is a malicious behavior.
In one embodiment, the traffic detection system acquires the detection label corresponding to the training sample traffic in a process of inputting the traffic feature training to the machine learning model based on the width and depth architecture and performing the joint training to obtain the traffic detection model.
For example, in practical applications, the traffic detection system may obtain, as a detection tag corresponding to the training sample traffic, an actual label of whether the training sample traffic is intercepted on-line in an on-line production environment of the business system corresponding to the training sample traffic; the traffic detection system may also obtain, as a detection label corresponding to the training sample traffic, an actual label, which is from a preset behavior detection model and is used for performing behavior detection on the training sample traffic to obtain whether to intercept the actual label, where the actual label corresponds to the training sample traffic.
In this specification, the flow rate detection system may further vectorize and concatenate the offline flow rate features and the real-time flow rate features included in the flow rate features, respectively, to obtain a concatenated combined flow rate feature vector corresponding to the training sample flow rate.
Continuing to exemplify the above example, where the training sample traffic includes an offline traffic feature a and a real-time traffic feature B, and the traffic detection system separately vectorizes the offline traffic feature a and the real-time traffic feature B corresponding to the acquired training sample traffic from the cache database to obtain a vector VA corresponding to the offline traffic feature a and a vector VB corresponding to the real-time traffic feature B; further, the flow detection system is configured to perform the following operations according to preset rules, for example: the offline flow characteristic corresponding vector is in front, the real-time flow characteristic corresponding vector is behind, and the vector VA and the vector VB are connected in series to obtain a combined flow characteristic vector VAB which corresponds to the flow of the training sample and is connected in series.
In this specification, the flow rate detection system may further input the combined flow rate feature vector and the detection label to the machine learning model and perform joint training to obtain a flow rate detection model.
Continuing to illustrate the above example, the traffic detection system inputs the combined traffic feature vector VAB corresponding to the training sample traffic and the detection label corresponding to the combined traffic feature vector VAB to the machine learning model based on the width and depth architecture for joint training to obtain the traffic detection model.
In one embodiment, the width model corresponding to the width and depth structure of the machine learning model is a linear model, and the depth model corresponding to the width and depth structure of the machine learning model is a deep neural network model.
For example, the width model corresponding to the width and depth architecture of the machine learning model shown in fig. 2 is a linear model; the linear model may be an LR model (logistic regression model); the depth model corresponding to the width and depth architecture of the machine learning model is a depth neural network model; the deep neural network model may include models such as an AlexNet model, a ResNet model, a VGG model, a google lenet model, and variations thereof, and the structure and principle of the above-described model are please refer to related technical documents, which are not described herein again.
In this specification, in a process of inputting the combined traffic feature vector and the detection label to the machine learning model and performing the joint training to obtain the traffic detection model, the traffic detection system inputs the combined traffic feature vector and the detection label to the linear model and the deep neural network model, respectively, and performs the joint training to obtain the trained linear model and the trained deep neural network model.
Continuing to illustrate in the above example, the traffic detection system inputs the combined traffic feature vector VAB corresponding to the training sample traffic and the detection label corresponding thereto to the linear model and the deep neural network model respectively for joint training, so as to obtain the trained linear model and deep neural network model.
In this specification, the flow rate detection system outputs the trained linear model and deep neural network model as a flow rate detection model; and model parameters of the trained linear model and the trained deep neural network model are optimal model parameters obtained by combined training solution.
Continuing to exemplify the above example, the traffic detection system weights and adds the model output of the trained linear model and the model output of the deep neural network model to obtain the output of the traffic detection model; and the model parameters of the linear model and the deep neural network model which are subjected to the joint training are optimal model parameters obtained by solving the joint training simultaneously.
In this specification, after the joint training of the flow model is completed, the flow detection may be performed on the predicted sample flow based on the flow model.
In this specification, the flow rate detection system performs flow rate detection on the predicted sample flow rate based on the flow rate detection model in response to an instruction to perform flow rate detection on the predicted sample flow rate, and obtains a detection result corresponding to the predicted sample flow rate.
For example, in practical applications, the flow rate detection system, in response to an instruction for performing flow rate detection on the predicted sample flow rate, extracts a flow rate feature corresponding to the predicted sample flow rate, further obtains a combined flow rate feature vector corresponding to the flow rate feature, and inputs the combined flow rate feature vector to the flow rate detection model for prediction to obtain a detection result corresponding to the predicted sample flow rate; the detection result may be a probability indicating whether the predicted sample traffic includes malicious traffic and a confidence thereof, or may be a detection score indicating whether the predicted sample traffic is intercepted.
Of course, in the process of performing flow detection on the predicted sample flow based on the flow detection model to obtain a detection result corresponding to the predicted sample flow, the flow detection system may further extract a real-time flow feature R corresponding to the predicted sample flow based on the real-time computation engine, and further search for an offline flow feature matching the real-time flow feature in a cache database obtained when the flow detection model performs feature extraction on the training flow, such as: the offline flow characteristic B matched with the real-time flow characteristic corresponding to the predicted sample flow can be searched and obtained based on the user ID or the equipment ID; further, a vector VR corresponding to the real-time flow characteristic R and a vector VB of the matched off-line flow characteristic B are connected in series to obtain a combined flow characteristic vector VRB corresponding to the predicted sample flow after series connection; further, the combined flow rate feature vector VRB corresponding to the predicted sample flow rate is input to the flow rate model, and a detection result corresponding to the predicted sample flow rate is obtained.
It should be noted that, the real-time flow characteristics of the predicted sample flow are extracted in real time by the real-time calculation engine, and are combined with the offline flow characteristics associated and matched with the predicted sample flow, and the combined flow characteristic vector corresponding to the predicted sample flow is input into the flow detection model for prediction, so as to detect whether the predicted sample flow needs to be intercepted, compared with the schemes a and B described above, the accuracy of flow detection is ensured, and the real-time performance of flow detection is greatly improved.
In one embodiment, after obtaining the detection result corresponding to the predicted sample traffic, the traffic detection system outputs the detection result corresponding to the predicted sample traffic to the service system in real time, so that the service system performs real-time processing on whether or not the predicted sample traffic is blocked based on the detection result.
For example, the detection result corresponding to the predicted sample traffic is an inspection result indicating that the predicted sample traffic is intercepted, and the detection result is output by the traffic detection system to the service system in real time, so that the service system performs real-time processing of intercepting the predicted sample traffic based on the detection result.
For another example, the detection result corresponding to the predicted sample traffic is an inspection result indicating that the predicted sample traffic is not blocked, and the detection result is output in real time by the traffic detection system to the service system so that the service system performs real-time processing on the predicted sample traffic based on the detection result.
In the technical scheme, the corresponding flow characteristics are obtained based on characteristic extraction of the training sample flow; inputting the traffic characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a traffic detection model; furthermore, in response to an instruction for performing flow detection on the predicted sample flow of the service system, flow detection is performed on the predicted sample flow based on the flow detection model to obtain a detection result corresponding to the predicted sample flow, so that flow detection model modeling is performed on the multi-dimensional characteristics of the breadth and the depth of the flow, and the flow detection real-time performance is greatly improved on the premise of ensuring the flow detection accuracy.
Corresponding to the embodiment of the method, the application also provides an embodiment of the flow detection device.
Corresponding to the embodiment of the method, the specification also provides an embodiment of a flow detection device. The embodiment of the flow detection device in the present specification can be applied to electronic equipment. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. Taking a software implementation as an example, as a logical device, the device is formed by reading, by a processor of the electronic device where the device is located, a corresponding computer program instruction in the nonvolatile memory into the memory for operation. In terms of hardware, as shown in fig. 3, the electronic device in which the traffic detection apparatus is located in this specification is a hardware structure diagram, except for the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 3, the electronic device in which the apparatus is located in the embodiment may also include other hardware according to the actual function of the electronic device, which is not described again.
Fig. 4 is a block diagram of a flow rate detection device according to an exemplary embodiment of the present disclosure.
Referring to fig. 4, the flow detection apparatus 40 can be applied to the electronic device shown in fig. 3, and the apparatus is applied to a flow detection system; the device comprises:
the extraction module 401 acquires the training sample flow after privacy desensitization from the docked service system; carrying out feature extraction on the training sample flow to obtain corresponding flow features;
a training module 402, which is used for inputting the traffic characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a traffic detection model;
the detecting module 403, in response to the instruction of performing traffic detection on the predicted sample traffic of the service system, performs traffic detection on the predicted sample traffic based on the traffic detection model, and obtains a detection result corresponding to the predicted sample traffic.
In this embodiment, the flow detection system further includes an offline calculation engine and a real-time calculation engine;
the extraction module 401 further:
on the basis of the offline calculation engine, performing offline calculation on the training sample flow according to a preset first time granularity to obtain a corresponding offline flow characteristic;
and based on the real-time calculation engine, calculating the flow of the training sample in real time according to a preset second time granularity to obtain corresponding real-time flow characteristics.
In this embodiment, the training module 402 further:
acquiring a detection label corresponding to the training sample flow; the detection label is an actual label indicating whether the training sample flow is intercepted or not;
vectorizing and connecting the offline flow characteristics and the real-time flow characteristics in series respectively to obtain a combined flow characteristic vector corresponding to the flow of the training sample after connection in series;
and inputting the combined flow characteristic vector and the detection label into the machine learning model to perform joint training to obtain a flow detection model.
In this embodiment, the width model corresponding to the width and depth architecture of the machine learning model is a linear model, and the depth model corresponding to the width and depth architecture of the machine learning model is a deep neural network model;
the training module 402 further:
inputting the combined flow characteristic vector and the detection label to the linear model and the deep neural network model respectively for joint training to obtain the trained linear model and the trained deep neural network model;
outputting the trained linear model and the trained deep neural network model as a flow detection model; and model parameters of the linear model and the deep neural network model after training are optimal model parameters obtained by combined training solution.
In this embodiment, the detection tag is an actual label from the service system for indicating whether the training sample traffic is intercepted on line, or the detection tag is an actual label from a preset behavior detection model for indicating whether the training sample traffic is intercepted or not.
In this embodiment, the second time granularity is smaller than the first time granularity; the off-line calculation engine is Hive or ODPS, and the real-time calculation engine is any one of Flink, Blink, Spark and Storm.
In this embodiment, the detecting module 403 further:
and outputting a detection result corresponding to the predicted sample flow to the service system in real time, so that the service system performs real-time processing on whether the predicted sample flow is intercepted or not based on the detection result.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The apparatuses, modules or modules illustrated in the above embodiments may be implemented by a computer chip or an entity, or by an article with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
Corresponding to the method embodiment, the present specification also provides an embodiment of an electronic device. The electronic equipment can be applied to a flow detection system; the electronic device includes: a processor and a memory for storing machine executable instructions; wherein the processor and the memory are typically interconnected by an internal bus. In other possible implementations, the device may also include an external interface to enable communication with other devices or components.
In this embodiment, the processor is caused to:
obtaining the training sample flow after privacy desensitization from a butted service system; carrying out feature extraction on the training sample flow to obtain corresponding flow features;
inputting the flow characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a flow detection model;
and responding to an instruction for carrying out flow detection on the predicted sample flow of the service system, carrying out flow detection on the predicted sample flow based on the flow detection model, and obtaining a detection result corresponding to the predicted sample flow.
In this embodiment, the flow detection system further comprises an offline computation engine and a real-time computation engine, the processor being caused to, by reading and executing machine-executable instructions stored by the memory corresponding to control logic for flow detection:
on the basis of the offline calculation engine, performing offline calculation on the training sample flow according to a preset first time granularity to obtain a corresponding offline flow characteristic;
and based on the real-time calculation engine, calculating the flow of the training sample in real time according to a preset second time granularity to obtain corresponding real-time flow characteristics.
In this embodiment, the processor is caused to:
acquiring a detection label corresponding to the training sample flow; the detection label is an actual label indicating whether the training sample flow is intercepted or not;
vectorizing and connecting the offline flow characteristics and the real-time flow characteristics in series respectively to obtain a combined flow characteristic vector corresponding to the flow of the training sample after connection in series;
and inputting the combined flow characteristic vector and the detection label into the machine learning model to perform joint training to obtain a flow detection model.
In this embodiment, the width model corresponding to the width and depth architecture of the machine learning model is a linear model, and the depth model corresponding to the width and depth architecture of the machine learning model is a deep neural network model, and by reading and executing the machine executable instructions stored in the memory and corresponding to the control logic of the traffic detection, the processor is caused to:
inputting the combined flow characteristic vector and the detection label to the linear model and the deep neural network model respectively for joint training to obtain the trained linear model and the trained deep neural network model;
outputting the trained linear model and the trained deep neural network model as a flow detection model; and model parameters of the linear model and the deep neural network model after training are optimal model parameters obtained by combined training solution.
In this embodiment, the detection tag is an actual label from the service system for indicating whether the training sample traffic is intercepted on line, or the detection tag is an actual label from a preset behavior detection model for indicating whether the training sample traffic is intercepted or not.
In this embodiment, the second time granularity is smaller than the first time granularity; the off-line calculation engine is Hive or ODPS, and the real-time calculation engine is any one of Flink, Blink, Spark and Storm.
In this embodiment, the processor is caused to:
and outputting a detection result corresponding to the predicted sample flow to the service system in real time, so that the service system performs real-time processing on whether the predicted sample flow is intercepted or not based on the detection result.
Other embodiments of the present disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.
Claims (15)
1. A flow detection method is applied to a flow detection system and comprises the following steps:
obtaining the training sample flow after privacy desensitization from a butted service system; carrying out feature extraction on the training sample flow to obtain corresponding flow features;
inputting the flow characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a flow detection model;
and responding to an instruction for carrying out flow detection on the predicted sample flow of the service system, carrying out flow detection on the predicted sample flow based on the flow detection model, and obtaining a detection result corresponding to the predicted sample flow.
2. The method of claim 1, the flow detection system further comprising an offline computation engine and a real-time computation engine;
the extracting the features of the training sample flow to obtain the corresponding flow features comprises:
on the basis of the offline calculation engine, performing offline calculation on the training sample flow according to a preset first time granularity to obtain a corresponding offline flow characteristic;
and based on the real-time calculation engine, calculating the flow of the training sample in real time according to a preset second time granularity to obtain corresponding real-time flow characteristics.
3. The method of claim 2, wherein the inputting the traffic feature training to a machine learning model based on a width and depth architecture for joint training to obtain a traffic detection model comprises:
acquiring a detection label corresponding to the training sample flow; the detection label is an actual label indicating whether the training sample flow is intercepted or not;
vectorizing and connecting the offline flow characteristics and the real-time flow characteristics in series respectively to obtain a combined flow characteristic vector corresponding to the flow of the training sample after connection in series;
and inputting the combined flow characteristic vector and the detection label into the machine learning model to perform joint training to obtain a flow detection model.
4. The method of claim 3, wherein the width model corresponding to the width and depth architecture of the machine learning model is a linear model, and the depth model corresponding to the width and depth architecture of the machine learning model is a deep neural network model;
inputting the combined flow characteristic vector and the detection label into the machine learning model for joint training to obtain a flow detection model, wherein the flow detection model comprises:
inputting the combined flow characteristic vector and the detection label to the linear model and the deep neural network model respectively for joint training to obtain the trained linear model and the trained deep neural network model;
outputting the trained linear model and the trained deep neural network model as a flow detection model; and model parameters of the linear model and the deep neural network model after training are optimal model parameters obtained by combined training solution.
5. The method according to claim 3, wherein the detection label is an actual label from the service system for intercepting the training sample traffic on-line, or the detection label is an actual label from a preset behavior detection model for detecting the behavior of the training sample traffic to obtain intercepting.
6. The method of claim 2, the second time granularity being less than the first time granularity; the off-line calculation engine is Hive or ODPS, and the real-time calculation engine is any one of Flink, Blink, Spark and Storm.
7. The method of claim 1, further comprising:
and outputting a detection result corresponding to the predicted sample flow to the service system in real time, so that the service system performs real-time processing on whether the predicted sample flow is intercepted or not based on the detection result.
8. A flow detection device, which is applied to a flow detection system, the device comprising:
the extraction module is used for acquiring the training sample flow after privacy desensitization from the butted service system; carrying out feature extraction on the training sample flow to obtain corresponding flow features;
the training module is used for inputting the traffic characteristic training to a machine learning model based on a width and depth architecture for joint training to obtain a traffic detection model;
and the detection module responds to an instruction for carrying out flow detection on the predicted sample flow of the service system, carries out flow detection on the predicted sample flow based on the flow detection model and obtains a detection result corresponding to the predicted sample flow.
9. The apparatus of claim 8, the flow detection system further comprising an offline computation engine and a real-time computation engine;
the extraction module further:
on the basis of the offline calculation engine, performing offline calculation on the training sample flow according to a preset first time granularity to obtain a corresponding offline flow characteristic;
and based on the real-time calculation engine, calculating the flow of the training sample in real time according to a preset second time granularity to obtain corresponding real-time flow characteristics.
10. The apparatus of claim 9, the training module further to:
acquiring a detection label corresponding to the training sample flow; the detection label is an actual label indicating whether the training sample flow is intercepted or not;
vectorizing and connecting the offline flow characteristics and the real-time flow characteristics in series respectively to obtain a combined flow characteristic vector corresponding to the flow of the training sample after connection in series;
and inputting the combined flow characteristic vector and the detection label into the machine learning model to perform joint training to obtain a flow detection model.
11. The apparatus of claim 10, wherein a width model corresponding to a width and depth architecture of the machine learning model is a linear model, and a depth model corresponding to a width and depth architecture of the machine learning model is a deep neural network model;
the training module further:
inputting the combined flow characteristic vector and the detection label to the linear model and the deep neural network model respectively for joint training to obtain the trained linear model and the trained deep neural network model;
outputting the trained linear model and the trained deep neural network model as a flow detection model; and model parameters of the linear model and the deep neural network model after training are optimal model parameters obtained by combined training solution.
12. The apparatus of claim 11, wherein the detection tag is an actual label from the service system for intercepting the training sample traffic on-line, or the detection tag is an actual label from a preset behavior detection model for detecting the behavior of the training sample traffic to obtain intercepting the training sample traffic.
13. The apparatus of claim 9, the second time granularity being less than the first time granularity; the off-line calculation engine is Hive or ODPS, and the real-time calculation engine is any one of Flink, Blink, Spark and Storm.
14. The apparatus of claim 8, the detection module further to:
and outputting a detection result corresponding to the predicted sample flow to the service system in real time, so that the service system performs real-time processing on whether the predicted sample flow is intercepted or not based on the detection result.
15. An electronic device comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are connected with each other through the bus;
the memory has stored therein machine-readable instructions, the processor executing the method of any of claims 1 to 7 by calling the machine-readable instructions.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911285269.8A CN110830515A (en) | 2019-12-13 | 2019-12-13 | Flow detection method and device and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911285269.8A CN110830515A (en) | 2019-12-13 | 2019-12-13 | Flow detection method and device and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110830515A true CN110830515A (en) | 2020-02-21 |
Family
ID=69545465
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911285269.8A Pending CN110830515A (en) | 2019-12-13 | 2019-12-13 | Flow detection method and device and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110830515A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112367292A (en) * | 2020-10-10 | 2021-02-12 | 浙江大学 | Encrypted flow anomaly detection method based on deep dictionary learning |
| WO2021238992A1 (en) * | 2020-05-26 | 2021-12-02 | 杭州海康威视数字技术股份有限公司 | Neural network training method and apparatus, electronic device, and readable storage medium |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106682067A (en) * | 2016-11-08 | 2017-05-17 | 浙江邦盛科技有限公司 | Machine learning anti-fraud monitoring system based on transaction data |
| CN108173708A (en) * | 2017-12-18 | 2018-06-15 | 北京天融信网络安全技术有限公司 | Anomalous traffic detection method, device and storage medium based on incremental learning |
| CN108564376A (en) * | 2018-04-20 | 2018-09-21 | 阿里巴巴集团控股有限公司 | Risk control method, device, server and readable storage medium storing program for executing |
| CN109196527A (en) * | 2016-04-13 | 2019-01-11 | 谷歌有限责任公司 | Breadth and depth machine learning model |
| CN109191136A (en) * | 2018-09-05 | 2019-01-11 | 北京芯盾时代科技有限公司 | A kind of e-bank is counter to cheat method and device |
| CN109379377A (en) * | 2018-11-30 | 2019-02-22 | 极客信安(北京)科技有限公司 | Encrypt malicious traffic stream detection method, device, electronic equipment and storage medium |
| CN109544163A (en) * | 2018-11-30 | 2019-03-29 | 华青融天(北京)软件股份有限公司 | A kind of risk control method, device, equipment and the medium of user's payment behavior |
| CN109684916A (en) * | 2018-11-13 | 2019-04-26 | 恒睿(重庆)人工智能技术研究院有限公司 | Based on path locus data exception detection method, system, equipment and storage medium |
| CN109743311A (en) * | 2018-12-28 | 2019-05-10 | 北京神州绿盟信息安全科技股份有限公司 | A kind of WebShell detection method, device and storage medium |
| CN110033120A (en) * | 2019-03-06 | 2019-07-19 | 阿里巴巴集团控股有限公司 | For providing the method and device that risk profile energizes service for trade company |
| CN110138787A (en) * | 2019-05-20 | 2019-08-16 | 福州大学 | A kind of anomalous traffic detection method and system based on hybrid neural networks |
| CN110298497A (en) * | 2019-06-11 | 2019-10-01 | 武汉蓝智科技有限公司 | Manufacturing forecast maintenance system and its application method based on big data |
-
2019
- 2019-12-13 CN CN201911285269.8A patent/CN110830515A/en active Pending
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109196527A (en) * | 2016-04-13 | 2019-01-11 | 谷歌有限责任公司 | Breadth and depth machine learning model |
| CN106682067A (en) * | 2016-11-08 | 2017-05-17 | 浙江邦盛科技有限公司 | Machine learning anti-fraud monitoring system based on transaction data |
| CN108173708A (en) * | 2017-12-18 | 2018-06-15 | 北京天融信网络安全技术有限公司 | Anomalous traffic detection method, device and storage medium based on incremental learning |
| CN108564376A (en) * | 2018-04-20 | 2018-09-21 | 阿里巴巴集团控股有限公司 | Risk control method, device, server and readable storage medium storing program for executing |
| CN109191136A (en) * | 2018-09-05 | 2019-01-11 | 北京芯盾时代科技有限公司 | A kind of e-bank is counter to cheat method and device |
| CN109684916A (en) * | 2018-11-13 | 2019-04-26 | 恒睿(重庆)人工智能技术研究院有限公司 | Based on path locus data exception detection method, system, equipment and storage medium |
| CN109379377A (en) * | 2018-11-30 | 2019-02-22 | 极客信安(北京)科技有限公司 | Encrypt malicious traffic stream detection method, device, electronic equipment and storage medium |
| CN109544163A (en) * | 2018-11-30 | 2019-03-29 | 华青融天(北京)软件股份有限公司 | A kind of risk control method, device, equipment and the medium of user's payment behavior |
| CN109743311A (en) * | 2018-12-28 | 2019-05-10 | 北京神州绿盟信息安全科技股份有限公司 | A kind of WebShell detection method, device and storage medium |
| CN110033120A (en) * | 2019-03-06 | 2019-07-19 | 阿里巴巴集团控股有限公司 | For providing the method and device that risk profile energizes service for trade company |
| CN110138787A (en) * | 2019-05-20 | 2019-08-16 | 福州大学 | A kind of anomalous traffic detection method and system based on hybrid neural networks |
| CN110298497A (en) * | 2019-06-11 | 2019-10-01 | 武汉蓝智科技有限公司 | Manufacturing forecast maintenance system and its application method based on big data |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021238992A1 (en) * | 2020-05-26 | 2021-12-02 | 杭州海康威视数字技术股份有限公司 | Neural network training method and apparatus, electronic device, and readable storage medium |
| CN112367292A (en) * | 2020-10-10 | 2021-02-12 | 浙江大学 | Encrypted flow anomaly detection method based on deep dictionary learning |
| CN112367292B (en) * | 2020-10-10 | 2021-09-03 | 浙江大学 | Encrypted flow anomaly detection method based on deep dictionary learning |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108418825B (en) | Risk model training and junk account detection methods, devices and equipment | |
| JP6697584B2 (en) | Method and apparatus for identifying data risk | |
| TW201939917A (en) | Graph structure model training and junk account identification | |
| US11250088B2 (en) | Method and apparatus for processing user interaction sequence data | |
| WO2019114423A1 (en) | Method and apparatus for merging model prediction values, and device | |
| US20210092160A1 (en) | Data set creation with crowd-based reinforcement | |
| US11636487B2 (en) | Graph decomposition for fraudulent transaction analysis | |
| CN110287316A (en) | A kind of Alarm Classification method, apparatus, electronic equipment and storage medium | |
| CN113360580B (en) | Abnormal event detection method, device, equipment and medium based on knowledge graph | |
| CN110119860B (en) | Rubbish account detection method, device and equipment | |
| Chen et al. | Marked self-exciting point process modelling of information diffusion on Twitter | |
| CN110830515A (en) | Flow detection method and device and electronic equipment | |
| CN107256231B (en) | Team member identification device, method and system | |
| CN115545103A (en) | Abnormal data identification method, label identification method and abnormal data identification device | |
| US10896290B2 (en) | Automated pattern template generation system using bulk text messages | |
| CN110751354B (en) | Abnormal user detection method and device | |
| CN113726545B (en) | Network traffic generation method and device for generating countermeasure network based on knowledge enhancement | |
| CN109313541A (en) | For showing and the user interface of comparison attacks telemetering resource | |
| US9438626B1 (en) | Risk scoring for internet protocol networks | |
| CN112541765A (en) | Method and apparatus for detecting suspicious transactions | |
| CN115758271A (en) | Data processing method, data processing device, computer equipment and storage medium | |
| CN115619245A (en) | Portrait construction and classification method and system based on data dimension reduction method | |
| US20180107763A1 (en) | Prediction using fusion of heterogeneous unstructured data | |
| KR102282328B1 (en) | System and Method for Predicting Preference National Using Long Term Short Term Memory | |
| CN111125272B (en) | Regional characteristic acquisition method, regional characteristic acquisition device, computer equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200221 |