CN111049828A - Network attack detection and response method and system - Google Patents
- Publication number: CN111049828A
- Authority
- CN
- China
- Prior art keywords
- network attack
- data
- attack detection
- abnormal data
- network
- Prior art date
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to the field of network security, in particular to a network attack detection and response method and system comprising the following steps: extracting features from abnormal data and training on the extracted features to obtain a network attack detection model; monitoring a plurality of key nodes in the network with the network attack detection model; when the model detects abnormal data at a key node, determining the type of network attack corresponding to the abnormal data, and verifying the model's judgment by transversely comparing the terminal where the key node is located with the other terminals hosting the same key node; and generating a corresponding response strategy according to the type of network attack. Because network attacks are detected by a model trained with a deep neural network, the method has a high recognition rate and high recognition efficiency; and because the model's detection result is verified by transverse comparison, recognition accuracy is improved.
Description
Technical Field
The invention relates to the field of network security, in particular to a network attack detection and response method and system.
Background
In recent years, with the emergence and growth of the cybercrime industry chain, increasingly frequent network attacks such as APTs (advanced persistent threats) have led to the theft of confidential government and enterprise information, the destruction of industrial systems and economic losses in financial systems, and cyberspace has become a new battlefield for great-power competition. Attack events are ever more targeted and covert, attack techniques ever more novel, and protection correspondingly harder. The "OceanLotus" APT campaign against Chinese maritime agencies exposed in 2014, the Ukrainian power grid incident of 2015, the Shamoon 2.0 attacks in Saudi Arabia in 2016, the worldwide outbreak exploiting the EternalBlue vulnerability in 2017, and many other targeted security incidents have raised the topic of defending against unknown threats to unprecedented prominence.
Meanwhile, with the rapid development of the mobile internet and cloud computing, network traffic and service applications have shifted from the traditional PC-centric network to far larger mobile networks of phones, tablets and smart devices. Web- and app-based services increasingly store and compute their data in the cloud, and massive volumes of information show a trend towards both diversification and centralization: the network channel of a service is becoming simpler and simpler, but the service resource center and the terminal boundary at the two ends of that channel play an ever more important role and have become the main starting point for the development of IT services. Once data, resources and services are highly centralized, any security threat to them can seriously affect the operational continuity and reliability of the whole IT system and can even have disastrous consequences for key services; on the other hand, in terms of operation and maintenance cost and simplified service management, more efficient IT security operations are also needed to support service development.
However, the existing intrusion detection system has low efficiency and accuracy in identifying network attacks.
Disclosure of Invention
In order to solve the above problems, the present invention provides a network attack detection and response method and system.
The network attack detection and response method comprises the following steps:
extracting features of abnormal data in the network attack, and training the extracted features to obtain a network attack detection model;
detecting a plurality of key nodes in the network through a network attack detection model;
when the network attack detection model detects that abnormal data exists in a key node, judging the type of network attack corresponding to the abnormal data, and verifying the judgment result of the network attack detection model by transversely comparing the terminal where the key node is located with the terminals where other same key nodes are located;
and when the verification is passed, generating a corresponding response strategy according to the type of the network attack.
Preferably, the extracting features of the abnormal data in the network attack, and training the extracted features to obtain the network attack detection model includes:
collecting samples: acquiring abnormal data of a terminal under different network attacks, and determining network attack types corresponding to the different abnormal data;
feature extraction: deconstructing in real time the hexadecimal raw data contained in each packet of each abnormal-data sample, converting that hexadecimal raw data into structured data units in real time, and assembling a plurality of data units into matrix data, the matrix data being the feature vector of the abnormal data;
establishing a model: training a deep neural network on the obtained plurality of feature vectors and establishing a network attack detection model.
Preferably, the detecting a plurality of key nodes in the network through the network attack detection model includes:
performing feature extraction on the interaction data of a plurality of key nodes;
inputting the resulting feature vectors into the trained network attack detection model;
and judging whether the data is abnormal data according to the output of the network attack detection model, and if so, judging the type of network attack corresponding to the abnormal data.
Preferably, the verifying the judgment result of the network attack detection model by transversely comparing the terminal where the key node is located with terminals where other same key nodes are located includes:
when the network attack detection model detects that abnormal data exists in a key node, acquiring the data of the same key node from the other terminals across the whole network;
and comparing the abnormal data with the data of those other key nodes: if the abnormal data is the same as the data of the other key nodes, the judgment of the network attack detection model is wrong; if the abnormal data differs from the data of the other key nodes, the judgment of the network attack detection model is correct.
Preferably, the generating a corresponding response policy according to the type of the network attack when the verification passes includes:
defining response strategies corresponding to different network attack types, wherein the response strategies comprise clearing, isolating, blocking or recording the abnormal data.
A network attack detection and response system, comprising:
the feature extraction module is used for extracting features from abnormal data in the network attack;
the model training module is used for training the extracted features to obtain a network attack detection model, and detecting a plurality of key nodes in the network through the network attack detection model;
the transverse comparison module is used for judging the type of the network attack corresponding to the abnormal data when the network attack detection model detects that the abnormal data exists in a key node, and verifying the judgment result of the network attack detection model by transversely comparing the terminal where the key node is located with the terminals where other same key nodes are located;
and the strategy response module is used for generating a corresponding response strategy according to the type of the network attack when the verification is passed.
Preferably, the system further comprises:
the sample acquisition module, used for acquiring abnormal data of the terminal under different network attacks and determining the network attack types corresponding to the different abnormal data;
the feature extraction module deconstructs in real time the hexadecimal raw data contained in each packet of each abnormal-data sample, converts that hexadecimal raw data into structured data units in real time, and assembles a plurality of data units into matrix data, the matrix data being the feature vector of the abnormal data;
and the model training module trains a deep neural network on the obtained plurality of feature vectors and establishes a network attack detection model.
Preferably, the feature extraction module performs feature extraction on the interaction data of the plurality of key nodes and inputs the resulting feature vectors into the trained network attack detection model;
and the model training module judges whether the data is abnormal data according to the output of the network attack detection model, and if so, judges the type of network attack corresponding to the abnormal data.
Preferably, when the network attack detection model detects that abnormal data exists in a key node, the transverse comparison module acquires the data of the same key node from the other terminals across the whole network;
and compares the abnormal data with the data of those other key nodes: if the abnormal data is the same as the data of the other key nodes, the judgment of the network attack detection model is wrong; if the abnormal data differs from the data of the other key nodes, the judgment of the network attack detection model is correct.
Preferably, the policy response module defines response policies corresponding to different network attack types, where the response policies include clearing, isolating, blocking or recording the abnormal data.
The invention has the following beneficial effects: the network attack is detected through the network attack detection model based on deep neural network training, so that the recognition rate is high, and the recognition efficiency is high; and the detection result of the network attack detection model is verified by a transverse comparison technology, so that the identification accuracy is improved.
Drawings
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a general schematic flow chart diagram of a network attack detection and response method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of step S1 in a network attack detection and response method according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of step S2 in a network attack detection and response method according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of step S3 in a network attack detection and response method according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of step S4 in a network attack detection and response method according to an embodiment of the present invention;
FIG. 6 is an overall schematic structural diagram of a network attack detection and response system according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be further described below with reference to the accompanying drawings, but the present invention is not limited to these embodiments.
The basic idea of the embodiment of the invention is to extract the characteristics of abnormal data in the network attack and train the extracted characteristics to obtain a network attack detection model; detecting a plurality of key nodes in the network through a network attack detection model; when the network attack detection model detects that abnormal data exists in a key node, judging the type of network attack corresponding to the abnormal data, and verifying the judgment result of the network attack detection model by transversely comparing the terminal where the key node is located with the terminals where other same key nodes are located; and when the verification is passed, generating a corresponding response strategy according to the type of the network attack. The network attack is detected through the network attack detection model based on deep neural network training, so that the network attack detection method has high recognition rate and high recognition efficiency; and the detection result of the network attack detection model is verified by a transverse comparison technology, so that the identification accuracy is improved.
Based on the above thought, as shown in fig. 1, the present embodiment provides a network attack detection and response method, including the following steps:
s1: and (4) extracting the characteristics of the abnormal data in the network attack, and training the extracted characteristics to obtain a network attack detection model.
Specifically, as shown in fig. 2, the method includes the following steps:
s11: collecting samples: acquiring abnormal data of a terminal under different network attacks, and determining network attack types corresponding to the different abnormal data;
s12: feature extraction: extracting real-time deconstruction of 16-system original data contained in each information packet in each abnormal data, converting the 16-system original data into structured data units in real time, and converting a plurality of data units into matrix data, wherein the matrix data is a feature vector of the abnormal data;
s13: establishing a model: and carrying out data training on the obtained plurality of characteristic vectors through a deep neural network and establishing a network attack detection model.
The concept of deep learning derives from research on artificial neural networks; a multi-layer perceptron with multiple hidden layers is a deep learning structure. Deep learning combines low-level features to form more abstract high-level categories or attribute representations, thereby discovering a distributed feature representation of the data. It is a form of representation learning within machine learning. An observation can be represented in many ways, for example as a vector of intensity values for each pixel, or more abstractly as a series of edges, a region of a particular shape, and so forth, and some representations make the task much easier to learn from examples. In this embodiment, deep learning is applied in a novel way to the identification of network attacks. When a terminal suffers a network attack it is usually intruded upon by abnormal data, so that programs or files are damaged or modified; training a neural network on such abnormal data therefore yields a network attack detection model that identifies abnormal data quickly and accurately.
S2: and detecting a plurality of key nodes in the network through a network attack detection model.
The key nodes in this embodiment include: network ports opened by the system, running system services, existing user accounts, abnormal modifications of key files, unauthorized privilege grants in the system, and the like.
Key nodes in the network involve the most data interaction or information modification and are therefore the usual targets of network attacks. In this embodiment, detecting the key nodes, that is, detecting the source of the network attack, prevents the attack from penetrating deeper into the system.
Specifically, as shown in fig. 3, the method includes the following steps:
S21: performing feature extraction on the interaction data of a plurality of key nodes;
S22: inputting the resulting feature vectors into the trained network attack detection model;
S23: judging whether the data is abnormal data according to the output of the network attack detection model, and if so, judging the type of network attack corresponding to the abnormal data.
S3: when the network attack detection model detects that abnormal data exists in a key node, the network attack type corresponding to the abnormal data is judged, and the judgment result of the network attack detection model is verified by transversely comparing the terminal where the key node is located with the terminals where other same key nodes are located.
Specifically, as shown in fig. 4, the method includes the following steps:
S31: when the network attack detection model detects that abnormal data exists in a key node, acquiring the data of the same key node from the other terminals across the whole network;
S32: comparing the abnormal data with the data of those other key nodes: if the abnormal data is the same as the data of the other key nodes, the judgment of the network attack detection model is wrong; if the abnormal data differs from the data of the other key nodes, the judgment of the network attack detection model is correct.
Network attacks are usually hard to predict, but once a terminal has been intruded upon, the internal state or environment of the system is necessarily changed, and that change usually corresponds to the presence of abnormal data: file creation and modification, process execution, calls to system functions and interfaces, changes to configuration, users and permissions, network connections, changes in system resources, and the like.
Transverse comparison is carried out among the servers or hosts running virtual machines for the same service across the whole network, so as to sense abnormal data and locate the initial point of intrusion; combined with fixed-point monitoring of system entry points and behavior-compliance monitoring, this effectively copes with the polymorphic evasion of various attack programs.
S4: and when the verification is passed, generating a corresponding response strategy according to the type of the network attack.
Specifically, as shown in fig. 5, the method includes the following steps:
S41: defining response strategies corresponding to different network attack types, the response strategies comprising clearing, isolating, blocking or recording the abnormal data.
Different network attack types cause different damage to the system, so this embodiment defines a different response strategy for each network attack type and handles the most damaging attacks first.
To ensure the accuracy and controllability of detection, besides the automatic analysis and handling mechanism the system also provides an interface for manual intervention by an administrator, who can manually mark files and behaviors as trusted or as threats and thereby fine-tune the results of automatic judgment and screening. Response measures such as recording, blocking, isolating and clearing are then taken against those behaviors.
In one embodiment, network attacks are recorded and analyzed so that an entire attack event can be reconstructed and displayed: the hosts involved in the event, the related processes, the child and parent processes of the process files, the running time of each process, detailed paths, security attributes, network access relationships, mutual call relationships and so on are clearly presented and traced back to the root cause. Events can further be assembled into a threat analysis center, where key fields are searched through a unified entry point and related event content is quickly correlated and presented, solving the pain point of not knowing where to start after a security incident has occurred.
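The transverse comparison of steps S31 and S32 and the per-attack-type response selection of S41 (including the administrator trust list described above), as an added example in Python that is not code from the patent. The three web terminals, their ports, services, accounts, placeholder file hashes, the attack-type labels and the severity ranking are all constructed assumptions of this example.

```python
"""Transverse comparison (S31/S32) and response-policy selection (S41).

Added example, not code from the patent. Host names, ports, services,
accounts and file-hash placeholders are constructed; the attack-type
labels and the severity ranking are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# One terminal's key-node data: key node name -> observed set of items.
# Key nodes follow the description: open ports, running services, existing
# accounts, key-file hashes. HASH_A / HASH_B are placeholders, not digests.
Snapshot = Dict[str, FrozenSet[str]]

BASELINE: Snapshot = {
    "open_ports": frozenset({"22/tcp", "80/tcp", "443/tcp"}),
    "services": frozenset({"sshd", "nginx", "cron"}),
    "accounts": frozenset({"root", "www", "ops"}),
    "key_files": frozenset({"/etc/passwd:HASH_A", "/etc/sudoers:HASH_B"}),
}

# Constructed fleet of three same-service web terminals; only web-01 deviates.
FLEET: Dict[str, Snapshot] = {
    "web-01": {**BASELINE,
               "open_ports": BASELINE["open_ports"] | {"4444/tcp"},
               "services": BASELINE["services"] | {"svchelper"}},
    "web-02": dict(BASELINE),
    "web-03": dict(BASELINE),
}
SERVICE_GROUP = {"web-01": "web", "web-02": "web", "web-03": "web"}


@dataclass(frozen=True)
class Alert:
    """What the detection model emits: which terminal, key node and attack type."""
    host: str
    key_node: str
    attack_type: str


def peer_data(alert: Alert, fleet: Dict[str, Snapshot],
              groups: Dict[str, str]) -> List[FrozenSet[str]]:
    """S31: fetch the same key node from every other terminal of the same service."""
    return [fleet[h][alert.key_node] for h, g in groups.items()
            if h != alert.host and g == groups[alert.host]
            and alert.key_node in fleet[h]]


def transverse_compare(alert: Alert, fleet: Dict[str, Snapshot],
                       groups: Dict[str, str]) -> Optional[bool]:
    """S32: True = model judgment confirmed (some peer differs); False = flagged
    data is identical on every peer (model judged wrong); None = no peer exists."""
    peers = peer_data(alert, fleet, groups)
    if not peers:
        return None
    flagged = fleet[alert.host][alert.key_node]
    return any(peer != flagged for peer in peers)


def deviation(alert: Alert, fleet: Dict[str, Snapshot],
              groups: Dict[str, str]) -> FrozenSet[str]:
    """Items present at the flagged key node but on none of its peers."""
    flagged = fleet[alert.host][alert.key_node]
    return flagged - frozenset().union(*peer_data(alert, fleet, groups))


# S41: administrator-defined response per attack type, with a severity rank so
# the most damaging attack types are handled first. Labels are constructed.
POLICY: Dict[str, Tuple[str, int]] = {
    "ransomware": ("clear", 4),
    "backdoor": ("isolate", 3),
    "brute_force": ("block", 2),
    "recon": ("record", 1),
}
DEFAULT_ACTION = ("record", 0)


def respond(alert: Alert, fleet: Dict[str, Snapshot], groups: Dict[str, str],
            policy: Dict[str, Tuple[str, int]] = POLICY,
            trusted: FrozenSet[Tuple[str, str, str]] = frozenset()) -> str:
    """Verify by transverse comparison first, then pick the action for the type.

    `trusted` holds (host, key_node, item) triples an administrator has marked
    as trusted; a deviation made up only of trusted items is merely recorded.
    """
    verdict = transverse_compare(alert, fleet, groups)
    if verdict is False:
        return "dismiss"          # peers show the same data: false positive
    if verdict is None:
        return "record"           # nothing to compare against: keep evidence
    dev = deviation(alert, fleet, groups)
    if dev and all((alert.host, alert.key_node, item) in trusted for item in dev):
        return "record"
    return policy.get(alert.attack_type, DEFAULT_ACTION)[0]


def triage(alerts: List[Alert],
           policy: Dict[str, Tuple[str, int]] = POLICY) -> List[Alert]:
    """Order alerts by severity rank, highest first (S41 priority handling)."""
    return sorted(alerts, key=lambda a: policy.get(a.attack_type, DEFAULT_ACTION)[1],
                  reverse=True)
```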
Accordingly, in an embodiment, a system for detecting and responding to a network attack is further provided, as shown in fig. 6, including:
the feature extraction module is used for extracting features from abnormal data in the network attack;
the model training module is used for training the extracted features to obtain a network attack detection model, and detecting a plurality of key nodes in the network through the network attack detection model;
the transverse comparison module is used for judging the type of the network attack corresponding to the abnormal data when the network attack detection model detects that the abnormal data exists in a key node, and verifying the judgment result of the network attack detection model by transversely comparing the terminal where the key node is located with the terminals where other same key nodes are located;
and the strategy response module is used for generating a corresponding response strategy according to the type of the network attack when the verification is passed.
In one embodiment, the system further comprises a sample acquisition module, used for acquiring abnormal data of the terminal under different network attacks and determining the network attack types corresponding to the different abnormal data; the feature extraction module deconstructs in real time the hexadecimal raw data contained in each packet of each abnormal-data sample, converts that hexadecimal raw data into structured data units in real time, and assembles a plurality of data units into matrix data, the matrix data being the feature vector of the abnormal data; and the model training module trains a deep neural network on the obtained plurality of feature vectors and establishes a network attack detection model.
In one embodiment, the feature extraction module performs feature extraction on the interaction data of a plurality of key nodes and inputs the resulting feature vectors into the trained network attack detection model; and the model training module judges whether the data is abnormal data according to the output of the network attack detection model, and if so, judges the type of network attack corresponding to the abnormal data.
In an embodiment, when the network attack detection model detects that abnormal data exists in a key node, the transverse comparison module obtains the data of the same key node from the other terminals across the whole network and compares the abnormal data with the data of those other key nodes: if the abnormal data is the same as the data of the other key nodes, the judgment of the network attack detection model is wrong; if the abnormal data differs from the data of the other key nodes, the judgment of the network attack detection model is correct.
In an embodiment, the policy response module defines response policies corresponding to different network attack types, where the response policies include clearing, isolating, blocking or recording the abnormal data.
The principle and implementation method based on the above modules have been described in the method embodiment, and thus are not described herein again.
Various modifications or additions may be made to the described embodiments, or alternatives may be employed, by those skilled in the art without departing from the spirit or scope of the invention as defined in the appended claims.
Claims (10)
1. A network attack detection and response method, characterized by comprising the following steps:
extracting features of abnormal data in the network attack, and training the extracted features to obtain a network attack detection model;
detecting a plurality of key nodes in the network through a network attack detection model;
when the network attack detection model detects that abnormal data exists in a key node, judging the type of network attack corresponding to the abnormal data, and verifying the judgment result of the network attack detection model by transversely comparing the terminal where the key node is located with the terminals where other same key nodes are located;
and when the verification is passed, generating a corresponding response strategy according to the type of the network attack.
2. The network attack detection and response method according to claim 1, wherein the extracting features of the abnormal data in the network attack, and the training of the extracted features to obtain the network attack detection model comprises:
collecting samples: acquiring abnormal data of a terminal under different network attacks, and determining network attack types corresponding to the different abnormal data;
feature extraction: deconstructing in real time the hexadecimal raw data contained in each packet of each abnormal-data sample, converting that hexadecimal raw data into structured data units in real time, and assembling a plurality of data units into matrix data, the matrix data being the feature vector of the abnormal data;
establishing a model: training a deep neural network on the obtained plurality of feature vectors and establishing a network attack detection model.
3. The network attack detection and response method of claim 1, wherein the detecting a number of key nodes in a network via a network attack detection model comprises:
performing feature extraction on the interaction data of a plurality of key nodes;
inputting the resulting feature vectors into the trained network attack detection model;
and judging whether the data is abnormal data according to the output of the network attack detection model, and if so, judging the type of network attack corresponding to the abnormal data.
4. The network attack detection and response method according to claim 1, wherein the verifying the judgment result of the network attack detection model by transversely comparing the terminal where the key node is located with terminals where other same key nodes are located comprises:
when the network attack detection model detects that abnormal data exists in a key node, acquiring the data of the same key node from the other terminals across the whole network;
and comparing the abnormal data with the data of those other key nodes: if the abnormal data is the same as the data of the other key nodes, the judgment of the network attack detection model is wrong; if the abnormal data differs from the data of the other key nodes, the judgment of the network attack detection model is correct.
5. The network attack detection and response method according to claim 1, wherein the generating a corresponding response policy according to the type of the network attack when the verification passes comprises:
defining response strategies corresponding to different network attack types, wherein the response strategies comprise clearing, isolating, blocking or recording the abnormal data.
6. A network attack detection and response system, comprising:
the feature extraction module is used for extracting features from abnormal data in the network attack;
the model training module is used for training the extracted features to obtain a network attack detection model, and detecting a plurality of key nodes in the network through the network attack detection model;
the transverse comparison module is used for judging the type of the network attack corresponding to the abnormal data when the network attack detection model detects that the abnormal data exists in a key node, and verifying the judgment result of the network attack detection model by transversely comparing the terminal where the key node is located with the terminals where other same key nodes are located;
and the strategy response module is used for generating a corresponding response strategy according to the type of the network attack when the verification is passed.
7. The cyber attack detection and response system according to claim 6, further comprising:
the sample acquisition module is used for acquiring abnormal data of the terminal under different network attacks and determining network attack types corresponding to the different abnormal data;
the characteristic extraction module extracts real-time deconstruction of 16-system original data contained in each information packet in each abnormal data, converts the 16-system original data into structured data units in real time, and converts a plurality of data units into matrix data, wherein the matrix data is a characteristic vector of the abnormal data;
and the model training module performs data training on the obtained plurality of characteristic vectors through a deep neural network and establishes a network attack detection model.
8. The cyber attack detecting and responding system according to claim 6, wherein the feature extraction module performs feature extraction on data interacted with a plurality of key nodes, and inputs feature vectors into a trained cyber attack detecting model;
and the model training module judges whether the data is abnormal data according to the output result of the network attack detection module, and if the data is abnormal data, the model training module judges the type of the network attack corresponding to the abnormal data.
9. The system according to claim 6, wherein when the network attack detection model detects that abnormal data exists in a key node, the transverse comparison module obtains the data of the same key node from the terminals across the whole network;
and compares the abnormal data with the data of the same key node on the other terminals, wherein if the abnormal data is the same as the data of the other key nodes, the judgment of the network attack detection model is wrong, and if the abnormal data is different from the data of the other key nodes, the judgment of the network attack detection model is correct.
10. The cyber attack detection and response system according to claim 6, wherein the policy response module defines response policies corresponding to the different cyber attack types, the response policies including: clearing, isolating, blocking or recording the abnormal data.
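The following is an added example, not code from the patent or its applicant, showing the three post-training stages that claims 7, 9 and 10 describe: turning hexadecimal packet data into a fixed-width matrix feature vector, verifying a model verdict by transverse (lateral) comparison of the same key node across terminals, and selecting a response policy only when that verification passes. The deep neural network of claim 7 is not implemented; the model's verdict is supplied as an input. The packet payloads, terminal names, attack-type names and the policy mapping are all constructed for the example.

```python
"""Added example (not the patent's code): feature matrix, lateral verification
and policy response. All sample data below is constructed."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Optional


# Claim 7: deconstruct the hexadecimal raw data of each packet into a
# fixed-width structured row and stack the rows into a matrix, which is the
# feature vector handed to the classifier. Width and row count are assumed.
def hex_packets_to_matrix(hex_packets: List[str], width: int = 16,
                          rows: int = 4) -> List[List[float]]:
    matrix: List[List[float]] = []
    for hex_payload in hex_packets[:rows]:
        raw = bytes.fromhex(hex_payload.replace(" ", ""))
        row = list(raw[:width]) + [0] * max(0, width - len(raw))  # truncate / pad
        matrix.append([b / 255.0 for b in row])  # scale each byte to [0, 1]
    while len(matrix) < rows:
        matrix.append([0.0] * width)  # zero rows when fewer packets than rows
    return matrix


# Claim 9: compare the flagged key node with the same key node on every other
# terminal. Identical data across the fleet means the model verdict was wrong
# (a false positive); differing data confirms it.
@dataclass
class LateralVerdict:
    confirmed: Optional[bool]  # None when no peer terminals were available
    matching_peers: int
    total_peers: int


def _fingerprint(data: bytes) -> str:
    return sha256(data).hexdigest()


def lateral_verify(flagged: bytes, peers: Dict[str, bytes]) -> LateralVerdict:
    if not peers:
        return LateralVerdict(confirmed=None, matching_peers=0, total_peers=0)
    flagged_fp = _fingerprint(flagged)
    matches = sum(1 for d in peers.values() if _fingerprint(d) == flagged_fp)
    # Strict reading of claim 9: any matching peer means "same data".
    return LateralVerdict(confirmed=(matches == 0), matching_peers=matches,
                          total_peers=len(peers))


# Claim 10: response policy per attack type. The attack-type names and the
# mapping are constructed; the claim only lists the four actions.
RESPONSE_POLICY: Dict[str, str] = {
    "ddos": "block",
    "malware": "isolate",
    "injection": "clear",
    "scan": "record",
}


def respond(attack_type: str, verdict: LateralVerdict) -> Optional[str]:
    """Claim 6: a response is generated only when verification passed."""
    if verdict.confirmed is not True:
        return None
    return RESPONSE_POLICY.get(attack_type, "record")  # unknown types: record


def run_pipeline(hex_packets: List[str], model_verdict: Optional[str],
                 flagged: bytes, peers: Dict[str, bytes]):
    """Feature matrix -> (model verdict given) -> lateral check -> policy."""
    features = hex_packets_to_matrix(hex_packets)
    if model_verdict is None:  # model reported no abnormal data
        return features, None, None
    verdict = lateral_verify(flagged, peers)
    return features, verdict, respond(model_verdict, verdict)


if __name__ == "__main__":
    # Constructed packets (an IPv4 header prefix) and constructed key-node data.
    packets = ["45 00 00 3c 1c 46 40 00 40 06 b1 e6 c0 a8 00 68 c0 a8 00 01",
               "45 00 00 28 1c 47 40 00 40 06 b1 f9 c0 a8 00 68 c0 a8 00 01"]
    flagged_node = b"config: allow_remote=1"          # terminal under review
    same_node_on_peers = {"terminal-2": b"config: allow_remote=0",
                          "terminal-3": b"config: allow_remote=0"}
    feats, verdict, action = run_pipeline(packets, "malware",
                                          flagged_node, same_node_on_peers)
    print(f"feature rows: {len(feats)}x{len(feats[0])}")
    print(f"lateral verdict: {verdict}")
    print(f"response action: {action}")
```

The strict rule of claim 9 assumes the peer terminals are themselves clean: if the same key node had been altered on several terminals at once, the lateral comparison would report "same data" and discard a correct verdict, so a deployment would normally still record the event even when `respond` returns `None`, and treat a partial match (some peers equal, some not) as a signal to investigate rather than to silence.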
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911281692.0A CN111049828B (en) | 2019-12-13 | 2019-12-13 | Network attack detection and response method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111049828A true CN111049828A (en) | 2020-04-21 |
CN111049828B CN111049828B (en) | 2021-05-07 |
Family
ID=70236060
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911281692.0A Active CN111049828B (en) | 2019-12-13 | 2019-12-13 | Network attack detection and response method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111049828B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112866273A (en) * | 2021-02-01 | 2021-05-28 | 广东浩云长盛网络股份有限公司 | Network abnormal behavior detection method based on big data technology |
CN115208618A (en) * | 2022-05-24 | 2022-10-18 | 华北电力大学 | Novel power system APT attack active defense strategy based on multi-level attack and defense game |
CN115514519A (en) * | 2022-08-11 | 2022-12-23 | 云南电网有限责任公司 | Active defense method based on transverse micro-isolation and plug-in |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7716329B2 (en) * | 2007-11-26 | 2010-05-11 | Electronics And Telecommunications Research Institute | Apparatus and method for detecting anomalous traffic |
CN103870751A (en) * | 2012-12-18 | 2014-06-18 | 中国移动通信集团山东有限公司 | Method and system for intrusion detection |
CN104113544A (en) * | 2014-07-18 | 2014-10-22 | 重庆大学 | Fuzzy hidden conditional random field model based network intrusion detection method and system |
CN104301895A (en) * | 2014-09-28 | 2015-01-21 | 北京邮电大学 | Double-layer trigger intrusion detection method based on flow prediction |
CN104468632A (en) * | 2014-12-31 | 2015-03-25 | 北京奇虎科技有限公司 | Loophole attack prevention method, device and system |
CN104935600A (en) * | 2015-06-19 | 2015-09-23 | 中国电子科技集团公司第五十四研究所 | Mobile ad hoc network intrusion detection method and device based on deep learning |
US9654485B1 (en) * | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
CN106982235A (en) * | 2017-06-08 | 2017-07-25 | 江苏省电力试验研究院有限公司 | A kind of power industry control network inbreak detection method and system based on IEC 61850 |
CN107241352A (en) * | 2017-07-17 | 2017-10-10 | 浙江鹏信信息科技股份有限公司 | A kind of net security accident classificaiton and Forecasting Methodology and system |
CN108289104A (en) * | 2018-02-05 | 2018-07-17 | 重庆邮电大学 | A kind of industry SDN network ddos attack detection with alleviate method |
CN108809974A (en) * | 2018-06-07 | 2018-11-13 | 深圳先进技术研究院 | A kind of Network Abnormal recognition detection method and device |
CN109194612A (en) * | 2018-07-26 | 2019-01-11 | 北京计算机技术及应用研究所 | A kind of network attack detecting method based on depth confidence network and SVM |
CN109309675A (en) * | 2018-09-21 | 2019-02-05 | 华南理工大学 | A kind of network inbreak detection method based on convolutional neural networks |
CN109388944A (en) * | 2018-11-06 | 2019-02-26 | 吉林大学 | A kind of intrusion detection method based on KPCA and ELM |
Timeline: 2019-12-13, CN application CN201911281692.0A, granted as CN111049828B, status Active
Non-Patent Citations (2)
Title |
---|
张勇东: "A survey of research on network intrusion detection based on deep learning", Journal of Guangzhou University (Natural Science Edition) * |
李传煌: "Real-time DDoS attack detection based on deep learning", Telecommunications Science * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112866273A (en) * | 2021-02-01 | 2021-05-28 | 广东浩云长盛网络股份有限公司 | Network abnormal behavior detection method based on big data technology |
CN115208618A (en) * | 2022-05-24 | 2022-10-18 | 华北电力大学 | Novel power system APT attack active defense strategy based on multi-level attack and defense game |
CN115208618B (en) * | 2022-05-24 | 2024-05-14 | 华北电力大学 | Novel power system APT attack active defense method based on multi-level attack and defense game |
CN115514519A (en) * | 2022-08-11 | 2022-12-23 | 云南电网有限责任公司 | Active defense method based on transverse micro-isolation and plug-in |
CN115514519B (en) * | 2022-08-11 | 2024-08-20 | 云南电网有限责任公司 | Active defense method based on transverse micro-isolation and plug-in |
Also Published As
Publication number | Publication date |
---|---|
CN111049828B (en) | 2021-05-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Li et al. | Improving one-class SVM for anomaly detection | |
CN112637220B (en) | Industrial control system safety protection method and device | |
CN104598824B (en) | A kind of malware detection methods and device thereof | |
CN111049828B (en) | Network attack detection and response method and system | |
JP7531816B2 (en) | Image-based malicious code detection method and device and artificial intelligence-based endpoint threat detection and response system using the same | |
CN103136476A (en) | Mobile intelligent terminal malicious software analysis system | |
CN117478403A (en) | Whole scene network security threat association analysis method and system | |
CN118138361A (en) | Security policy making method and system based on autonomously evolutionary agent | |
Casolare et al. | On the resilience of shallow machine learning classification in image-based malware detection | |
KR20160090566A (en) | Apparatus and method for detecting APK malware filter using valid market data | |
CN112287345A (en) | Credible edge computing system based on intelligent risk detection | |
CN115987687B (en) | Network attack evidence obtaining method, device, equipment and storage medium | |
CN115859298A (en) | Dynamic trusted computing environment architecture and method for power master station system | |
Deepserish et al. | PET-Droid: Android Malware Detection Using Static Analysis | |
Chakir et al. | A real-time risk assessment model for intrusion detection systems using pattern matching | |
Wu et al. | IoT malware analysis and new pattern discovery through sequence analysis using meta-feature information | |
TW202205116A (en) | Method for detecting malicious attacks and network security management device | |
Wang | Analysis of Computer Virus Defense Strategy Based on Network Security | |
CN111027052A (en) | Application program version-based virtual machine document discrimination method and device and storage equipment | |
KR102592624B1 (en) | Threat hunting system and method for against social issue-based advanced persistent threat using artificial intelligence | |
CN113055396B (en) | Cross-terminal traceability analysis method, device, system and storage medium | |
CN112637217B (en) | Active defense method and device of cloud computing system based on bait generation | |
Vanarase | Building Farsighted Intrusion Discovery Employing ML Algorithms | |
Chen et al. | DCM-GIFT: An Android malware dynamic classification method based on gray-scale image and feature-selection tree | |
CN115865472A (en) | Request intercepting method and system based on log analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||