CN111490992B - Intrusion detection method and device based on data flow detection and time sequence feature extraction - Google Patents


Info

Publication number: CN111490992B
Authority: CN (China)
Prior art keywords: data, information, data flow, list, message
Legal status: Active
Application number: CN202010281870.6A
Other languages: Chinese (zh)
Other versions: CN111490992A (en)
Inventor: 吴媛媛
Current Assignee: JIANGSU ZHENGCAI DATA TECHNOLOGY Co.,Ltd.
Original Assignee: Jiangsu Zhengcai Data Technology Co ltd
Application filed by: Jiangsu Zhengcai Data Technology Co ltd
Priority to: CN202011329596.1A (CN112491865A), CN202010281870.6A (CN111490992B), CN202011332519.1A (CN112491866A)
Publications: CN111490992A (application), CN111490992B (granted)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

With the intrusion detection method and device based on data flow detection and time sequence feature extraction, the intrusion detection device can be deployed at the front end of a service server so that, when data flow information uploaded to the service server by a service terminal is detected in the current time period, the data flow information is intercepted, and the first time sequence feature, the second time sequence feature and the data flow value of each group of data flow information are then determined. Intrusion detection is then performed on the data flow value corresponding to each group of data flow information according to the first time sequence feature and the second time sequence feature of that group, to judge whether each group of data flow information has intrusion behavior. In this way, intrusion behavior detection can be performed on each group of data flow information based on its time sequence features and data flow values, ensuring the safety of the data flow information uploaded to the service server.

Description

Intrusion detection method and device based on data flow detection and time sequence feature extraction
Technical Field
The present application relates to the field of data security technologies, and in particular, to an intrusion detection method and device based on data traffic detection and time-series feature extraction.
Background
With the development of communication technology, the operation, development and management of various industries can be realized by digital and intelligent electronic equipment. After various services are networked, the safe and stable operation of the service server is the key for ensuring that various services can be normally developed. Taking the network service as an example, if the service server is maliciously invaded by a third party, a long time delay of the service server may be caused, and even a crash of the service server may be caused, resulting in a large amount of data loss and leakage. However, the existing service server needs to be connected to a plurality of service terminals, and it is difficult to verify each piece of data one by one to realize intrusion detection.
Disclosure of Invention
The application provides an intrusion detection method and equipment based on data flow detection and time sequence feature extraction, which aim to solve the problem that the existing service server is difficult to verify each section of data one by one to realize intrusion detection.
In a first aspect, an intrusion detection method based on data traffic detection and timing feature extraction is provided, which is applied to an intrusion detection device deployed at a front end of a service server and communicating with a plurality of service terminals, and the method includes: intercepting data stream information when the data stream information uploaded to a service server by a service terminal is detected to exist in the current time period; each service terminal uploads data stream information to the service server at any time interval in the current time interval; extracting a first time sequence characteristic of each group of data flow information in a current time period and acquiring a second time sequence characteristic of historical data flow information of a service terminal corresponding to each group of data flow information in the last time period from the service server; acquiring a data flow value of each group of data flow information in the current time period; and carrying out intrusion detection on the data flow value corresponding to each group of data flow information according to the first time sequence characteristic and the second time sequence characteristic of each group of data flow information, and judging whether each group of data flow information has intrusion behavior.
Optionally, the method further comprises: when judging that the data stream information has intrusion behavior, intercepting the data stream information by adopting a preset interception mechanism.
Optionally, the method further comprises: when judging that the data stream information has no intrusion behavior, transmitting the data stream information to the service server and enabling the service server to perform feature extraction and associated storage on the data stream information.
Optionally, before detecting data stream information uploaded to the service server by the service terminal in the current time period, the method includes: sending check characters to each service terminal; obtaining a verification result returned by each service terminal based on the check character, where the service terminal checks the check character by adopting a CRC (cyclic redundancy check) algorithm to obtain the verification result; determining the service terminal whose verification result is consistent with the preset result as a target service terminal with effective communication; and determining the time length value of the current time period according to the number of the target service terminals.
Optionally, the extracting a first timing characteristic of each group of data stream information in a current time period includes:
acquiring message header information of each data message frame of each group of data stream information in the current time period, and establishing a message statistical list based on the message header information; the message statistical list is a segmented list, each segment of the list corresponds to one message header type, message header information of at least one data message frame is distributed under each message header type, and each segment of the message statistical list has message priority sequencing from small to large;
reading a first time parameter of each data message frame of each group of data stream information in the current time period, and determining a message header type and a message priority corresponding to message header information corresponding to each first time parameter from the message statistical list; the first time parameter is used for representing the time when the intrusion detection equipment receives each data message frame;
establishing a conversion relation between the first time parameter and the message statistical list according to the message header category and the message priority corresponding to the first time parameter, and generating a feature extraction logic according to the conversion relation;
comparing the message header information of the data message frame corresponding to each first time parameter with the message header information of other data message frames except the message header information of the data message frame corresponding to the first time parameter in the message statistical list one by one to obtain a target coefficient for representing the continuity of the message header information; and extracting first data characteristics from the data message frames of each group of data flow information by adopting the characteristic extraction logic according to the size sequence of the target coefficient, and integrating the first data characteristics and first time parameters corresponding to the data message frames to obtain first time sequence characteristics corresponding to each group of data flow information.
Optionally, the obtaining, from the service server, a second time series characteristic of historical data flow information of the service terminal in a previous time period, where the historical data flow information corresponds to each group of data flow information, includes:
sending a request instruction for acquiring a second time sequence characteristic to the service server according to a characteristic integration mode of a first data characteristic and a first time parameter corresponding to the first time sequence characteristic; the request instruction carries time information of the current time period;
the service server analyzes the request instruction to obtain the time information and the characteristic integration mode;
enabling the service server to extract a second data characteristic of the historical data flow information in a previous period corresponding to the time information and determine a second time parameter of the historical data flow information;
integrating the second data characteristic and the second time parameter by the service server according to the characteristic integration mode to obtain a second time sequence characteristic;
and acquiring a second time sequence characteristic fed back by the service server based on the request instruction.
Optionally, the step of obtaining the data flow value of each set of data flow information in the current time period includes: acquiring message data information of each data message frame of each group of data stream information in the current time period; determining a data coding string corresponding to the message data information; counting the number of character digits of the data coding string; and determining the data flow value sequence of each group of data flow information according to that number of character digits.
Optionally, the performing intrusion detection on the data flow value corresponding to each group of data flow information according to the first timing characteristic and the second timing characteristic of each group of data flow information, and determining whether each group of data flow information has an intrusion behavior includes:
constructing a first feature list corresponding to the first timing feature and a second feature list corresponding to the second timing feature; wherein the first feature list and the second feature list respectively include a plurality of list units of different feature values;
extracting a first list position of the first time sequence feature in any list unit of the first feature list, and determining a list unit with a minimum feature value in the second feature list as a target list unit;
mapping the first list position to the target list unit according to the time length value of the current time period corresponding to the first time sequence characteristic and the time length value of the last time period corresponding to the second time sequence characteristic, and obtaining a second list position in the target list unit; determining a correlation comparison path between the first timing characteristic and the second timing characteristic according to the first list position and the second list position; wherein the correlation comparison path is used for indicating that list units in the first feature list are compared with list units in the second feature list one by one;
comparing the list units in the first characteristic list with the list units in the second characteristic list one by one based on the correlation comparison path to obtain a plurality of comparison results; determining the proportion of the target comparison result with the consistent comparison result from the plurality of comparison results; when the proportion reaches a set proportion, determining a flow change track corresponding to the data flow information according to a data flow value sequence corresponding to the data flow information; and judging whether each group of data stream information has intrusion behavior according to the flow change track.
In a second aspect, there is provided an intrusion detection device comprising: the system comprises a processor, a memory and a network interface, wherein the memory and the network interface are connected with the processor; the network interface is connected with a memory in the intrusion detection equipment; when the processor is operated, the processor calls the computer program from the memory through the network interface and operates the computer program through the memory so as to execute the method.
In a third aspect, a readable storage medium applied to a computer is provided, and a computer program is burned on the readable storage medium, and when the computer program runs in a memory of an intrusion detection device, the method is implemented.
When the intrusion detection method and the intrusion detection device based on data flow detection and time sequence feature extraction are applied, the intrusion detection device can be deployed at the front end of the service server so that, when data flow information uploaded to the service server by the service terminal is detected in the current time period, the data flow information is intercepted, and the first time sequence feature, the second time sequence feature and the data flow value of each group of data flow information are then determined. Intrusion detection is then performed on the data flow value corresponding to each group of data flow information according to the first time sequence feature and the second time sequence feature of that group, to judge whether each group of data flow information has intrusion behavior. In this way, intrusion behavior detection can be performed on each group of data stream information based on its time sequence features and data flow values, ensuring the safety of the data stream information uploaded to the service server.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a hardware configuration diagram of an intrusion detection device.
Fig. 2 is a communication architecture diagram of an intrusion detection system according to an exemplary embodiment of the present application.
Fig. 3 is a flowchart illustrating steps of an intrusion detection method based on data traffic detection and timing feature extraction according to an exemplary embodiment of the present application.
Fig. 4 is a block diagram of an embodiment of an intrusion detection device based on data traffic detection and timing feature extraction.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at the time of …" or "when …" or "in response to a determination", depending on the context.
In order to solve the problem that the service server is difficult to verify each section of data one by one to realize intrusion detection, the invention provides an intrusion detection method and equipment based on data flow detection and time sequence feature extraction, which are applied to the front end of the service server.
To achieve the above, referring to Fig. 1, the present invention first provides an intrusion detection device 100, which includes a processor 110, and a memory 120 and a network interface 130 connected to the processor 110. The network interface 130 is connected to a memory in the intrusion detection device 100. In Fig. 1, the processor 110 retrieves the computer program from the storage 140 through the network interface 130 and runs the computer program through the memory 120 to execute the intrusion detection method.
On this basis, a readable storage medium applied to a computer is further provided, and the computer program is burned on the readable storage medium. The computer program implements the above-described intrusion detection method when running in the memory 120 of the intrusion detection device 100.
In this embodiment, referring to the intrusion detection system 400 shown in Fig. 2, the intrusion detection device 100 is deployed at the front end of the service server 200 and interfaces with a plurality of service terminals 300. When the service terminal 300 uploads data to the service server 200, the intrusion detection device 100 first performs intrusion analysis on the data, and releases the data when determining that no intrusion behavior exists in the data. Therefore, the service server 200 does not need to perform intrusion detection analysis on the data directly, the probability that the service server 200 directly processes data still to be analyzed is greatly reduced, and the probability that the service server 200 is invaded by a third party is reduced.
On this basis, Fig. 3 is a flowchart of an intrusion detection method based on data traffic detection and time sequence feature extraction according to an embodiment of the present invention. The method may be applied to the intrusion detection device 100 in Fig. 1 and/or Fig. 2, and may be specifically implemented by the following steps.
S1, intercepting the data stream information when detecting that the data stream information uploaded to the service server by the service terminal exists in the current time period; and each service terminal uploads data stream information to the service server at any time interval in the current time interval.
In S1, the intrusion detection device 100, as a node for protecting the service server 200 from being intruded by a third-party malicious data stream, needs to intercept and analyze each set of data stream information uploaded to the service server 200.
In this embodiment, the memory resource of the intrusion detection device 100 may be divided into three parts. The first part of memory resources are used for receiving and sending data stream information; the second part of memory resources are used for starting a plurality of parallel detection threads, and the detection threads are used for carrying out intrusion detection analysis on the data stream information; and the third part of memory resources are used for controlling an interception mechanism for intercepting data stream information which does not pass the intrusion detection.
By allocating the memory resources to the intrusion detection device 100 as described above, the memory resource allocation efficiency can be greatly improved, so that the intrusion detection device 100 can perform parallel intrusion detection on multiple sets of data stream information through multiple detection threads in the current time period. In this way, it can be avoided that the data stream information stays in the intrusion detection device 100 for too long time to affect the timeliness of the data interaction between the service terminal 300 and the service server 200.
S2, extracting the first time sequence characteristics of each group of data flow information in the current time period and obtaining the second time sequence characteristics of the historical data flow information of the service terminal corresponding to each group of data flow information in the last time period from the service server; and acquiring the data flow value of each group of data flow information in the current time interval.
In S2, after receiving each set of data stream information that has completed intrusion detection, the service server 200 performs timing feature extraction on the data stream information, and then stores the timing feature corresponding to the data stream information in association with the identification information of the service terminal, so as to facilitate subsequent retrieval of this information by the intrusion detection device 100.
S3, performing intrusion detection on the data flow values corresponding to each group of data flow information according to the first time sequence characteristics and the second time sequence characteristics of each group of data flow information, and judging whether each group of data flow information has intrusion behaviors.
In this embodiment, first, the time sequence characteristics of each group of data flow information are subjected to correlation comparison to obtain comparison results, and then, the distribution of the data flow values corresponding to each group of data flow information in all the data flow values in the current time period is analyzed according to different comparison results, so that whether the data flow values of each group of data flow information deviate from a normal flow change trajectory or not is determined to realize the detection of the intrusion behavior of the data flow information.
Therefore, intrusion behavior detection can be performed on each group of data stream information based on the time sequence characteristics and the data flow values of the data stream information, and the safety of the data stream information uploaded to the service server is ensured.
When the method described in S1-S3 above is applied, the intrusion detection device deployed at the front end of the service server can intercept data flow information when it detects, in the current time period, data flow information uploaded to the service server by a service terminal, and then determine the first timing characteristic, the second timing characteristic and the data flow value of each set of data flow information. Intrusion detection is then performed on the data flow value corresponding to each group of data flow information according to the first time sequence characteristic and the second time sequence characteristic of that group, to judge whether each group of data flow information has intrusion behavior. In this way, intrusion behavior detection can be performed on each group of data stream information based on its time sequence characteristics and data flow values, ensuring the safety of the data stream information uploaded to the service server.
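The S3 decision, combined with the optional flow-value and list-comparison steps from the Disclosure, as an added sketch that is not part of the patent text. Assumptions: hex is the data coding string, feature list units are per-second frame counts, positions are mapped by the ratio of the two period lengths, the deviation test is median/MAD, and all names, thresholds and sample data are constructed. The section does not say what happens below the set proportion, so that case is reported separately.

```python
import statistics

def flow_value_sequence(frames):
    """One data flow value per frame: the character count of the frame's
    data coding string (hex encoding is an assumption)."""
    return [len(payload.hex()) for payload in frames]

def comparison_path(n_first, n_second, t_current, t_previous):
    """Pair every unit of the first feature list with a unit of the second.
    A position is rescaled by the two period lengths (assumed mapping) and
    clamped so a shorter history list is never indexed out of range."""
    if n_second == 0:
        return []
    return [(i, min(n_second - 1, (i * t_previous) // t_current))
            for i in range(n_first)]

def consistency_ratio(first, second, t_current, t_previous, tolerance=1):
    """Proportion of unit-by-unit comparisons that come out consistent."""
    path = comparison_path(len(first), len(second), t_current, t_previous)
    if not path:
        return 0.0  # no history for this terminal: nothing is consistent
    hits = sum(abs(first[i] - second[j]) <= tolerance for i, j in path)
    return hits / len(path)

def trajectory(values):
    """Flow change trajectory: the step between consecutive flow values."""
    return [b - a for a, b in zip(values, values[1:])]

def deviates(values, period_flows, k=6.0):
    """True if any step of this group lies more than k MADs from the median
    step of all groups in the current period (assumed deviation test)."""
    baseline = [d for seq in period_flows for d in trajectory(seq)]
    if len(baseline) < 2:
        return False  # too little traffic in the period to form a baseline
    med = statistics.median(baseline)
    mad = statistics.median([abs(d - med) for d in baseline]) or 1.0
    return any(abs(d - med) > k * mad for d in trajectory(values))

def judge(timing, history, frames, period_flows,
          t_current, t_previous, set_ratio=0.8):
    """Timing comparison first; flow trajectory only once the proportion of
    consistent comparisons reaches the set proportion."""
    if consistency_ratio(timing, history, t_current, t_previous) < set_ratio:
        return "timing_mismatch"  # outcome not defined in this section
    values = flow_value_sequence(frames)
    return "intrusion" if deviates(values, period_flows) else "pass"

# Constructed sample: current period 4 s, last period 8 s. One shared
# history list stands in for the per-terminal history kept by the server.
HISTORY = [2, 2, 2, 2, 3, 3, 2, 2]
GROUPS = {
    "terminal-A": {"timing": [2, 2, 3, 2], "sizes": [60, 64, 62, 66]},
    "terminal-B": {"timing": [2, 2, 3, 2], "sizes": [64, 64, 68, 64]},
    "terminal-C": {"timing": [2, 2, 3, 2], "sizes": [64, 4096, 64, 60]},
    "terminal-D": {"timing": [9, 0, 9, 0], "sizes": [64, 64, 64, 64]},
}

def run_sample():
    """Judge every constructed group against the whole period's traffic."""
    frames = {t: [bytes(n) for n in g["sizes"]] for t, g in GROUPS.items()}
    period_flows = [flow_value_sequence(f) for f in frames.values()]
    return {t: judge(g["timing"], HISTORY, frames[t], period_flows, 4, 8)
            for t, g in GROUPS.items()}

if __name__ == "__main__":
    for terminal, verdict in run_sample().items():
        print(terminal, verdict)
```

Terminal C matches its timing history but carries one frame far larger than the rest, so only the flow trajectory check catches it; terminal D never reaches that check.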
Further, on the basis of S1-S3, the method may further include the following step S4.
S4, intercepting the data stream information by adopting a preset interception mechanism when judging that the data stream information has intrusion behavior.
In this embodiment, the preset interception mechanism may be an information destruction mechanism, and the interception mechanism may be obtained by writing program code in advance. The function of the interception mechanism may be to destroy the data flow information that has intrusion behavior. This avoids the potential data security hazard caused by data stream information with intrusion behavior flowing to the service server 200.
In addition, on the basis of S1-S3, the method may further include the following step S5.
S5, when judging that the data flow information has no intrusion behavior, transmitting the data flow information to the service server and enabling the service server to perform feature extraction and associated storage on the data flow information.
It can be understood that, in S5, after receiving each set of data flow information that has completed intrusion detection, the service server 200 performs timing feature extraction on the data flow information, and then stores the timing feature corresponding to the data flow information in association with the identification information of the service terminal, so as to ensure that the timing features the intrusion detection device 100 acquires from the service server 200 in subsequent intrusion detection are up to date.
Further, on the basis of the above-mentioned S1-S5, before detecting the data flow information uploaded to the service server by the service terminal in the current time period, the method may further include the following steps.
S61, sending a check character to each service terminal.
S62, obtaining the verification result returned by each service terminal based on the check character; the service terminal checks the check character by adopting a CRC (cyclic redundancy check) algorithm to obtain the verification result.
S63, determining the service terminal whose verification result is consistent with the preset result as a target service terminal with effective communication.
S64, determining the time length value of the current time period according to the number of the target service terminals.
The service terminal 300 checks by using a Cyclic Redundancy Check (CRC), which can take into account the time continuity of the data stream information sent by the service terminal 300, and further accurately determine whether the service terminal 300 and the intrusion detection device 100 are in effective communication.
Further, determining the time length value of the current time period from the number of target service terminals takes the processing load of the intrusion detection device 100 into account. This avoids wasting the detection threads of the intrusion detection device 100 because the current time period is too short, and also avoids the intrusion detection device 100 being unable to perform intrusion detection on all data stream information in time because the current time period is too long. In this way, by setting the time length value of the current period, it can be ensured that the intrusion detection efficiency of the intrusion detection device 100 is maximized.
In a specific example, in S2, the step of extracting the first timing characteristic of each set of data flow information in the current time period may specifically include what is described in the following steps.
S211, acquiring message header information of each data message frame of each group of data flow information in the current time period, and establishing a message statistical list based on the message header information; the message statistical list is a segmented list, each segment of the list corresponds to one message header type, message header information of at least one data message frame is distributed under each message header type, and each segment of the message statistical list has message priority sequencing from small to large.
S212, reading a first time parameter of each data message frame of each group of data flow information in the current time period, and determining a message header type and a message priority corresponding to message header information corresponding to each first time parameter from the message statistical list; the first time parameter is used for representing the time when the intrusion detection equipment receives each data message frame.
S213, establishing a conversion relation between the first time parameter and the message statistical list according to the message header category and the message priority corresponding to the first time parameter, and generating a feature extraction logic according to the conversion relation.
S214, comparing the message header information of the data message frame corresponding to each first time parameter with the message header information of other data message frames in the message statistical list except the message header information of the data message frame corresponding to the first time parameter one by one to obtain a target coefficient for representing the continuity of the message header information; and extracting first data characteristics from the data message frames of each group of data flow information by adopting the characteristic extraction logic according to the size sequence of the target coefficient, and integrating the first data characteristics and first time parameters corresponding to the data message frames to obtain first time sequence characteristics corresponding to each group of data flow information.
When the contents described in S211 to S214 are applied, the header information of each data packet frame of each group of data stream information in the current time period can be analyzed, a packet statistics list is established, and then the first time parameter of each data packet frame is analyzed by combining the packet statistics list, so as to determine the conversion relationship between the first time parameter and the packet statistics list, thereby determining the feature extraction logic. And finally, extracting the first data characteristic of the data message frame by adopting a characteristic extraction logic and determining the time sequence characteristic corresponding to each group of data flow information by combining the first time parameter of the data message frame. In this way, the first data characteristic and the first time parameter of each set of data flow information can be integrated, so that the timeliness and the real-time performance of each set of data flow information are taken into consideration, and the first timing characteristic of each set of data flow information in the current time period is accurately determined.
In an alternative embodiment, in S2, the step of obtaining, from the service server, the second timing characteristic of the historical data flow information of the service terminal corresponding to each set of data flow information in the last time period may specifically include what is described in the following sub-step.
S221, sending a request instruction for acquiring a second time sequence characteristic to the service server according to a characteristic integration mode of a first data characteristic and a first time parameter corresponding to the first time sequence characteristic; and the request instruction carries the time information of the current time interval.
S222, the service server analyzes the request command to obtain the time information and the feature integration manner.
S223, enabling the service server to extract a second data feature of the historical data flow information in the previous time period corresponding to the time information and determine a second time parameter of the historical data flow information.
S224, the service server integrates the second data feature and the second time parameter according to the feature integration manner to obtain the second time sequence feature.
S225, obtaining a second time sequence characteristic fed back by the service server based on the request instruction.
When the contents described in the above S221 to S224 are applied, the service server can determine the second time series characteristic consistent with the characteristic integration manner of the first time series characteristic based on the request instruction, so as to take the heterogeneity of the service server in storing the historical data stream information into consideration. In this way, the confidence of the subsequent correlation comparison of the first timing characteristic and the second timing characteristic can be ensured.
Further, in S2, the step of obtaining the data flow value of each set of data flow information in the current time period specifically includes: the method comprises the steps of obtaining message data information of each data message frame of each group of data stream information in a current time interval, determining a data coding string corresponding to the message data information, counting character digits of the data coding string, and determining a data flow value sequence of each group of data stream information according to the character digits.
In specific implementation, the character digit of the data coding string of the message data information of each data message frame of each group of data flow information is determined, and the data flow value sequence of each group of data flow information can be accurately determined by combining the continuity of the data message frames of each group of data flow information, so that a change basis of data flow can be provided for subsequent intrusion detection.
On the basis, the step of performing intrusion detection on the data flow value corresponding to each group of data flow information according to the first timing characteristic and the second timing characteristic of each group of data flow information and determining whether each group of data flow information has an intrusion behavior, which is described in S3, may be specifically implemented by the method described in the following substeps.
S31, constructing a first feature list corresponding to the first timing feature and a second feature list corresponding to the second timing feature; wherein the first feature list and the second feature list respectively include a plurality of list units of different feature values.
S32, extracting a first list position of the first time sequence feature in any list unit of the first feature list, and determining the list unit with the minimum feature value in the second feature list as a target list unit.
S33, mapping the first list position to the target list unit according to the duration value of the current time period corresponding to the first timing characteristic and the duration value of the previous time period corresponding to the second timing characteristic, and obtaining a second list position in the target list unit; determining a correlation comparison path between the first timing characteristic and the second timing characteristic according to the first list position and the second list position; the correlation comparison path is used for indicating that list units in the first characteristic list are compared with list units in the second characteristic list one by one.
S34, comparing the list units in the first characteristic list with the list units in the second characteristic list one by one based on the correlation comparison path to obtain a plurality of comparison results; determining the proportion of the target comparison result with the consistent comparison result from the plurality of comparison results; when the proportion reaches a set proportion, determining a flow change track corresponding to the data flow information according to a data flow value sequence corresponding to the data flow information; and judging whether each group of data stream information has intrusion behavior according to the flow change track.
In this embodiment, by determining a correlation comparison path between a first feature list of a first timing feature and a second feature list of a second timing feature, a plurality of comparison results between the first timing feature and the second timing feature can be determined based on the correlation comparison path, and when the proportion of a target comparison result reaches a set proportion, a traffic change trajectory corresponding to each set of data flow information is given to detect an intrusion behavior of each set of data flow information. Therefore, intrusion behavior detection can be performed on each group of data stream information based on the time sequence characteristics and the data flow values of the data stream information, and the safety of the data stream information uploaded to the service server is ensured.
In an alternative embodiment, in S34, whether intrusion behavior exists in each set of data flow information is determined according to the traffic variation trace, which further includes the following steps.
S341, setting a plurality of track nodes for the traffic change track according to the number of target service terminals in the current time period, and determining curve slope information of the traffic change track according to the number of the target comparison results.
In this embodiment, the curve slope information is used to represent the degree of change between two adjacent track nodes of the traffic change track. The curve slope information can be represented by numerical values, and the larger the numerical value is, the larger the change degree between two adjacent track nodes is represented.
S342, determining the discrete node type and the continuous node type corresponding to the flow change trajectory according to the curve slope information.
S343, determining a first distance between each track node of the flow change track in the continuous node category and each track node of the flow change track in the discrete node category according to the track node of the flow change track in the discrete node category and the data flow value corresponding to the track node.
S344, adjusting the track node with the minimum first distance between the track nodes under the continuous node category and the track nodes under the discrete node category of the traffic change track to be under the discrete node category.
S345, when a plurality of track nodes are included in the continuous node category corresponding to the traffic change track, determining a second distance between each track node of the traffic change track in the continuous node category according to the track node of the traffic change track in the discrete node category and the data traffic value corresponding to the track node, and integrating each track node in the continuous node category according to the second distance between each track node to form a node set.
S346, determining node transfer weights of the node set according to the track nodes of the flow change tracks in the discrete node category and the data flow values corresponding to the track nodes, and adjusting part of the track nodes in the node set to be in the discrete node category according to the node transfer weights.
S347, judging whether the number of the track nodes in the discrete node type exceeds the number of target track nodes corresponding to a preset change track; if so, determining that the flow change track is abnormal and determining that the data flow information has an intrusion behavior, otherwise, determining that the flow change track is normal and determining that the data flow information has no intrusion behavior; and the target track node is a discrete track node in the preset change track.
It can be understood that, based on the contents described in S341 to S347 above, the track nodes of the traffic change track can be analyzed, and then the track nodes in the discrete node type and the continuous node type corresponding to the traffic change track are adjusted, and then whether intrusion behavior exists in each group of data flow information is determined by the number of track nodes in the discrete node type, so that intrusion behavior detection on the data flow information can be realized from the level of the data traffic value, and the foresight of intrusion behavior detection is further improved.
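A reduced sketch of the flow-value and track-node steps above, added here as an illustration and not taken from the patent: it derives the data flow value sequence from character counts, splits track nodes by slope (S342), moves the nearest continuous node (S343 to S344) and applies the count test of S347. Assumptions: hex is used as the data coding string, one track node is created per frame, slope is the absolute difference between adjacent flow values, a node is discrete when every adjacent slope exceeds a hypothetical threshold, and S345 to S346 are omitted.

```python
def flow_value_sequence(payloads):
    """One flow value per frame: character count of its data coding string.
    Hex encoding is an assumption; the page does not name the encoding."""
    return [len(p.hex()) for p in payloads]


def adjacent_slopes(values):
    """Curve slope information: degree of change between adjacent track nodes."""
    return [abs(b - a) for a, b in zip(values, values[1:])]


def split_nodes(values, slope_threshold):
    """S342 (assumed rule): a node is discrete when the slope to every
    neighbour exceeds the threshold, otherwise it is continuous."""
    slopes = adjacent_slopes(values)
    discrete, continuous = [], []
    for i in range(len(values)):
        neighbours = slopes[max(i - 1, 0):i + 1]
        if neighbours and all(s > slope_threshold for s in neighbours):
            discrete.append(i)
        else:
            continuous.append(i)
    return discrete, continuous


def promote_nearest(values, discrete, continuous):
    """S343-S344: compute each continuous node's first distance to the
    discrete nodes (by flow value) and move the closest one to discrete."""
    if not discrete or not continuous:
        return discrete, continuous

    def first_distance(c):
        return min(abs(values[c] - values[d]) for d in discrete)

    nearest = min(continuous, key=first_distance)  # ties: lowest index
    return sorted(discrete + [nearest]), [c for c in continuous if c != nearest]


def has_intrusion(payloads, slope_threshold, target_discrete_count):
    """S347: abnormal when the discrete node count exceeds the preset count."""
    values = flow_value_sequence(payloads)
    discrete, continuous = split_nodes(values, slope_threshold)
    discrete, continuous = promote_nearest(values, discrete, continuous)
    return len(discrete) > target_discrete_count, discrete


# Constructed sample frames (payload sizes in bytes), not real traffic.
STEADY = [bytes(n) for n in (10, 11, 10, 12, 11, 10)]
ONE_SPIKE = [bytes(n) for n in (10, 10, 60, 10, 10)]
BURSTY = [bytes(n) for n in (10, 11, 60, 10, 12, 70, 11, 10)]

if __name__ == "__main__":
    for name, frames in (("steady", STEADY), ("one spike", ONE_SPIKE), ("bursty", BURSTY)):
        print(name, has_intrusion(frames, slope_threshold=10, target_discrete_count=2))
```

Because S344 always moves one continuous node once any discrete node exists, a single spike already yields two discrete nodes, so the preset target count has to be chosen with that offset in mind.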
In another alternative embodiment, the intercepting the data stream information by using the preset intercepting mechanism described in S4 may specifically include the following steps.
S41, transferring the data flow information to the interception mechanism.
S42, after the terminal identifier corresponding to the data flow information is extracted through the interception mechanism, destroying the data flow information through the interception mechanism.
S43, setting effective detection duration for the interception mechanism according to the terminal identification, so that the interception mechanism destroys the data stream information with the terminal identification after detecting the data stream information with the terminal identification in the effective detection duration.
It can be understood that by setting the effective detection duration for the interception mechanism, the workload of intrusion detection can be shared by the intrusion detection device through the interception mechanism, so that when a large amount of data stream information carrying terminal identifiers is received within the effective detection duration, the interception mechanism can directly delete the data stream information, and the intrusion detection device is prevented from detecting the data stream information one by one.
In another alternative embodiment, on the basis of S43, the method may further include the following.
S44, starting timing by taking the time at which the effective detection duration is set as the starting time, and initializing the interception mechanism when the timed duration reaches the effective detection duration.
It can be understood that the interception mechanism after initialization does not destroy the data flow information having the terminal identifier after detecting the data flow information having the terminal identifier. In this way, false destruction of normal data flow information can be avoided.
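The interception mechanism of S41 to S44 can be read as a time-limited drop list keyed by terminal identifier; the following added example (not code from the patent) shows that reading, including the fixed window that starts when the duration is set and the initialization at expiry. The flow dictionary layout, the 30-second duration, the size-based detector stand-in and the injectable clock are all assumptions made for the illustration.

```python
import time


class InterceptionMechanism:
    """Time-limited drop list keyed by terminal identifier (S41-S44)."""

    def __init__(self, effective_detection_duration, clock=time.monotonic):
        self.duration = effective_detection_duration  # seconds (assumed unit)
        self.clock = clock
        self.window_start = {}  # terminal_id -> time the window was set

    def should_destroy(self, terminal_id):
        """True while the terminal's effective detection duration is running."""
        start = self.window_start.get(terminal_id)
        if start is None:
            return False
        if self.clock() - start >= self.duration:
            # S44: duration reached, initialise so later flows are inspected again.
            del self.window_start[terminal_id]
            return False
        return True

    def intercept(self, flow):
        """S41-S43: take a flow judged intrusive, extract its terminal
        identifier, destroy the flow, and start the detection window."""
        terminal_id = flow["terminal_id"]  # S42: extract before destroying
        self.should_destroy(terminal_id)   # expire a stale window first
        # S44: timing starts when the duration is set; hits do not extend it.
        self.window_start.setdefault(terminal_id, self.clock())
        flow.clear()                       # S42: destroy the flow contents
        return terminal_id


def process(flow, mechanism, detector, stats):
    """Front-end path: drop inside the window, otherwise run full detection."""
    if mechanism.should_destroy(flow["terminal_id"]):
        flow.clear()
        stats["dropped_in_window"] += 1
        return "destroyed"
    stats["inspected"] += 1
    if detector(flow):
        mechanism.intercept(flow)
        return "destroyed"
    return "forwarded"


class FakeClock:
    """Deterministic clock so the example runs without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_demo():
    clock = FakeClock()
    mechanism = InterceptionMechanism(30, clock=clock)
    detector = lambda flow: flow["payload_len"] > 1000  # stand-in for S3
    stats = {"inspected": 0, "dropped_in_window": 0}
    # Constructed events: (arrival time, terminal identifier, payload length).
    events = [(0, "T1", 5000), (5, "T1", 100), (10, "T2", 100),
              (29, "T1", 100), (30, "T1", 100)]
    outcomes = []
    for t, terminal_id, payload_len in events:
        clock.now = t
        flow = {"terminal_id": terminal_id, "payload_len": payload_len}
        outcomes.append(process(flow, mechanism, detector, stats))
    return outcomes, stats


if __name__ == "__main__":
    print(run_demo())
```

In the constructed run, two of the five flows are dropped without being inspected, and the flow from T1 arriving at t=30 is inspected and forwarded because the mechanism has been initialized.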
The technical features in the above embodiments can be combined arbitrarily as long as the combinations do not conflict with or contradict one another; for reasons of space, the combinations are not described one by one. Any combination of the technical features in the above embodiments therefore also belongs to the scope disclosed in the present specification.
Corresponding to the embodiment of the intrusion detection method based on data traffic detection and time sequence feature extraction, and referring to Fig. 4, the present application also provides an embodiment of the intrusion detection device 150 based on data traffic detection and time sequence feature extraction.
A1. An intrusion detection device based on data flow detection and time sequence feature extraction is applied to intrusion detection equipment deployed at the front end of a service server and communicated with a plurality of service terminals, and the device comprises:
the information intercepting module 151 is configured to intercept data stream information when it is detected that the data stream information uploaded to a service server by a service terminal exists in a current time period; and each service terminal uploads data stream information to the service server at any time interval in the current time interval.
A characteristic obtaining module 152, configured to extract a first timing characteristic of each group of data flow information in a current time period and obtain, from the service server, a second timing characteristic of historical data flow information of a service terminal corresponding to each group of data flow information in a previous time period; and acquiring the data flow value of each group of data flow information in the current time interval.
And the intrusion detection module 153 is configured to perform intrusion detection on the data flow values corresponding to each group of data flow information according to the first timing characteristic and the second timing characteristic of each group of data flow information, and determine whether each group of data flow information has an intrusion behavior.
A2. The intrusion detection device according to A1, wherein the intrusion detection module 153 is further configured to:
and when judging that the data stream information has intrusion behavior, intercepting the data stream information by adopting a preset interception mechanism.
A3. The intrusion detection device according to A1, wherein the intrusion detection module 153 is further configured to:
and when judging that the data stream information has no intrusion behavior, transmitting the data stream information to the service server and enabling the service server to perform feature extraction and associated storage on the data stream information.
A4. The intrusion detection device according to A2 or A3, the device further comprising a period determination module 154 for:
before detecting data stream information uploaded to a service server by a service terminal in the current time period, sending a check character to each service terminal;
obtaining a verification result returned by each service terminal based on the check character; the service terminal checks the check character by adopting a CRC (Cyclic redundancy check) algorithm to obtain the verification result;
determining the service terminal with the verification result consistent with the preset result as a target service terminal with effective communication;
and determining the time length value of the current time period according to the number of the target service terminals.
A5. The intrusion detection device according to A4, wherein the feature obtaining module 152 is configured to:
acquiring message header information of each data message frame of each group of data stream information in the current time period, and establishing a message statistical list based on the message header information; the message statistical list is a segmented list, each segment of the list corresponds to one message header type, message header information of at least one data message frame is distributed under each message header type, and each segment of the message statistical list has message priority sequencing from small to large;
reading a first time parameter of each data message frame of each group of data stream information in the current time period, and determining a message header type and a message priority corresponding to message header information corresponding to each first time parameter from the message statistical list; the first time parameter is used for representing the time when the intrusion detection equipment receives each data message frame;
establishing a conversion relation between the first time parameter and the message statistical list according to the message header category and the message priority corresponding to the first time parameter, and generating a feature extraction logic according to the conversion relation;
comparing the message header information of the data message frame corresponding to each first time parameter with the message header information of other data message frames except the message header information of the data message frame corresponding to the first time parameter in the message statistical list one by one to obtain a target coefficient for representing the continuity of the message header information; and extracting first data characteristics from the data message frames of each group of data flow information by adopting the characteristic extraction logic according to the size sequence of the target coefficient, and integrating the first data characteristics and first time parameters corresponding to the data message frames to obtain first time sequence characteristics corresponding to each group of data flow information.
A6. The intrusion detection device according to A5, wherein the feature obtaining module 152 is configured to:
sending a request instruction for acquiring a second time sequence characteristic to the service server according to a characteristic integration mode of a first data characteristic and a first time parameter corresponding to the first time sequence characteristic; the request instruction carries time information of the current time period;
the service server analyzes the request instruction to obtain the time information and the characteristic integration mode;
enabling the service server to extract a second data characteristic of the historical data flow information in a previous period corresponding to the time information and determine a second time parameter of the historical data flow information;
integrating the second data characteristic and the second time parameter by the service server according to the characteristic integration mode to obtain a second time sequence characteristic;
and acquiring a second time sequence characteristic fed back by the service server based on the request instruction.
A7. The intrusion detection device according to A5, wherein the feature obtaining module 152 is configured to:
acquiring message data information of each data message frame of each group of data stream information in the current time period;
determining a data coding string corresponding to the message data information;
counting the character digit number of the data coding string;
and determining the data flow value sequence of each group of data flow information according to the character bit number.
A8. The intrusion detection device according to A7, wherein the intrusion detection module 153 is specifically configured to:
constructing a first feature list corresponding to the first timing feature and a second feature list corresponding to the second timing feature; wherein the first feature list and the second feature list respectively include a plurality of list units of different feature values;
extracting a first list position of the first time sequence feature in any list unit of the first feature list, and determining a list unit with a minimum feature value in the second feature list as a target list unit;
mapping the first list position to the target list unit according to the time length value of the current time period corresponding to the first time sequence characteristic and the time length value of the last time period corresponding to the second time sequence characteristic, and obtaining a second list position in the target list unit; determining a correlation comparison path between the first timing characteristic and the second timing characteristic according to the first list position and the second list position; wherein the correlation comparison path is used for indicating that list units in the first feature list are compared with list units in the second feature list one by one;
comparing the list units in the first characteristic list with the list units in the second characteristic list one by one based on the correlation comparison path to obtain a plurality of comparison results; determining the proportion of the target comparison result with the consistent comparison result from the plurality of comparison results; when the proportion reaches a set proportion, determining a flow change track corresponding to the data flow information according to a data flow value sequence corresponding to the data flow information; and judging whether each group of data stream information has intrusion behavior according to the flow change track.
A9. The intrusion detection device according to A8, wherein the intrusion detection module 153 is further configured to:
setting a plurality of track nodes for the flow change track according to the number of target service terminals in the current time period and determining curve slope information of the flow change track according to the number of target comparison results;
determining a discrete node type and a continuous node type corresponding to the flow change track according to the curve slope information;
determining a first distance between each track node of the flow change track in the continuous node type and each track node of the flow change track in the discrete node type according to the track node of the flow change track in the discrete node type and the data flow value corresponding to the track node;
adjusting the track node of which the first distance between the track nodes under the continuous node category and the track nodes under the discrete node category is the minimum to the discrete node category;
under the condition that a plurality of track nodes are included in a continuous node category corresponding to the flow change track, determining a second distance between track nodes of the flow change track in the continuous node category according to the track nodes of the flow change track in the discrete node category and data flow values corresponding to the track nodes, and integrating the track nodes in the continuous node category according to the second distance between the track nodes to form a node set;
determining node transfer weights of the node set according to the track nodes of the flow change tracks in the discrete node category and the data flow values corresponding to the track nodes, and adjusting part of the track nodes in the node set to be in the discrete node category according to the node transfer weights;
judging whether the number of the track nodes under the discrete node category exceeds the number of target track nodes corresponding to a preset change track or not; if so, determining that the flow change track is abnormal and determining that the data flow information has an intrusion behavior, otherwise, determining that the flow change track is normal and determining that the data flow information has no intrusion behavior; and the target track node is a discrete track node in the preset change track.
A9. The intrusion detection device according to A2, wherein the intrusion detection module 153 is further configured to:
transferring the data stream information to the interception mechanism;
after the terminal identification corresponding to the data flow information is extracted through the interception mechanism, destroying the data flow information through the interception mechanism;
and setting effective detection duration for the interception mechanism according to the terminal identification so that the interception mechanism destroys the data stream information with the terminal identification after detecting the data stream information with the terminal identification in the effective detection duration.
A10. The intrusion detection device according to A9, wherein the intrusion detection module 153 is further configured to:
and starting timing by taking the time at which the effective detection duration is set as an initial time, and initializing the interception mechanism when the timed duration reaches the effective detection duration.
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (6)

1. An intrusion detection method based on data flow detection and time sequence feature extraction is characterized by being applied to intrusion detection equipment which is deployed at the front end of a service server and is communicated with a plurality of service terminals, and the method comprises the following steps:
intercepting data stream information when the data stream information uploaded to a service server by a service terminal is detected to exist in the current time period; each service terminal uploads data stream information to the service server at any time interval in the current time interval;
extracting a first time sequence characteristic of each group of data flow information in a current time period and acquiring a second time sequence characteristic of historical data flow information of a service terminal corresponding to each group of data flow information in the last time period from the service server; acquiring a data flow value of each group of data flow information in the current time period;
carrying out intrusion detection on the data flow value corresponding to each group of data flow information according to the first time sequence characteristic and the second time sequence characteristic of each group of data flow information, and judging whether each group of data flow information has intrusion behavior;
before detecting data stream information uploaded to a service server by a service terminal in a current time period, the method comprises the following steps: sending check characters to each service terminal; obtaining a verification result returned by each service terminal based on the check character; the service terminal checks the check character by adopting a CRC (Cyclic redundancy check) algorithm to obtain the verification result; determining the service terminal with the verification result consistent with the preset result as a target service terminal with effective communication; determining the time length value of the current time period according to the number of the target service terminals;
the extracting of the first timing feature of each group of data stream information in the current time interval includes: acquiring message header information of each data message frame of each group of data stream information in the current time period, and establishing a message statistical list based on the message header information; the message statistical list is a segmented list, each segment of the list corresponds to one message header type, message header information of at least one data message frame is distributed under each message header type, and each segment of the message statistical list has message priority sequencing from small to large; reading a first time parameter of each data message frame of each group of data stream information in the current time period, and determining a message header type and a message priority corresponding to message header information corresponding to each first time parameter from the message statistical list; the first time parameter is used for representing the time when the intrusion detection equipment receives each data message frame; establishing a conversion relation between the first time parameter and the message statistical list according to the message header category and the message priority corresponding to the first time parameter, and generating a feature extraction logic according to the conversion relation; comparing the message header information of the data message frame corresponding to each first time parameter with the message header information of other data message frames except the message header information of the data message frame corresponding to the first time parameter in the message statistical list one by one to obtain a target coefficient for representing the continuity of the message header information; extracting first data characteristics from data message frames of each group of data flow information by adopting the characteristic extraction logic according to the size sequence of the target coefficient, and integrating the first data characteristics and first time parameters corresponding to the data message frames to obtain first time sequence characteristics corresponding to each group of data flow information;
wherein, the step of obtaining the data flow value of each group of data flow information in the current time interval comprises: acquiring message data information of each data message frame of each group of data stream information in the current time period; determining a data coding string corresponding to the message data information; counting the character digit number of the data coding string; determining a data flow value sequence of each group of data flow information according to the character bit number;
the method includes the steps of carrying out intrusion detection on data flow values corresponding to each group of data flow information according to a first time sequence characteristic and a second time sequence characteristic of each group of data flow information, and judging whether each group of data flow information has intrusion behaviors, and the method includes the following steps: constructing a first feature list corresponding to the first timing feature and a second feature list corresponding to the second timing feature; wherein the first feature list and the second feature list respectively include a plurality of list units of different feature values; extracting a first list position of the first time sequence feature in any list unit of the first feature list, and determining a list unit with a minimum feature value in the second feature list as a target list unit; mapping the first list position to the target list unit according to the time length value of the current time period corresponding to the first time sequence characteristic and the time length value of the last time period corresponding to the second time sequence characteristic, and obtaining a second list position in the target list unit; determining a correlation comparison path between the first timing characteristic and the second timing characteristic according to the first list position and the second list position; wherein the correlation comparison path is used for indicating that list units in the first feature list are compared with list units in the second feature list one by one; comparing the list units in the first characteristic list with the list units in the second characteristic list one by one based on the correlation comparison path to obtain a plurality of comparison results; determining the proportion of the target comparison result with the consistent comparison result from the plurality of comparison results; when the proportion reaches a set proportion, 
determining a flow change track corresponding to the data flow information according to a data flow value sequence corresponding to the data flow information; and judging whether each group of data stream information has intrusion behavior according to the flow change track.
2. The intrusion detection method according to claim 1, wherein the method further comprises:
and when judging that the data stream information has intrusion behavior, intercepting the data stream information by adopting a preset interception mechanism.
3. The intrusion detection method according to claim 1, wherein the method further comprises:
and when judging that the data stream information has no intrusion behavior, transmitting the data stream information to the service server and enabling the service server to perform feature extraction and associated storage on the data stream information.
4. The intrusion detection method according to claim 1, wherein the obtaining of the second timing characteristics of the historical data flow information of the service terminal corresponding to each set of data flow information in the previous time period from the service server comprises:
sending a request instruction for acquiring a second time sequence characteristic to the service server according to a characteristic integration mode of a first data characteristic and a first time parameter corresponding to the first time sequence characteristic; the request instruction carries time information of the current time period;
the service server analyzes the request instruction to obtain the time information and the characteristic integration mode;
enabling the service server to extract a second data characteristic of the historical data flow information in a previous period corresponding to the time information and determine a second time parameter of the historical data flow information;
integrating the second data characteristic and the second time parameter by the service server according to the characteristic integration mode to obtain a second time sequence characteristic;
and acquiring a second time sequence characteristic fed back by the service server based on the request instruction.
5. An intrusion detection device, comprising:
a processor, and
a memory and a network interface connected with the processor;
the network interface is connected with a memory in the intrusion detection equipment;
the processor, when running, retrieves a computer program from the memory via the network interface and runs the computer program via the memory to perform the method of any of claims 1-4.
6. A readable storage medium for a computer, wherein the readable storage medium is burned with a computer program, and the computer program implements the method of any one of claims 1 to 4 when running in the memory of the intrusion detection device.
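The claim 1 decision flow (flow values from coding-string length, one-by-one feature comparison gated by a set proportion, then a flow change track) as an added Python example; it is not code from the patent. Assumptions: hex is used as the data coding string, list units are compared by index instead of through the claimed list-position mapping, "consistent" means within a relative tolerance, and the median-based jump rule for the track is illustrative; all names and sample values are hypothetical.

```python
from statistics import median

def flow_value_sequence(frames):
    """frames: list of (recv_time, payload_bytes). A frame's data flow value is the
    character count of its coding string (hex encoding is an assumption)."""
    ordered = sorted(frames, key=lambda f: f[0])
    return [len(payload.hex()) for _, payload in ordered]

def consistent_proportion(first_list, second_list, tolerance=0.2):
    """Compare list units one by one. A pair counts as consistent when the current
    value is within `tolerance` of the historical value (assumed criterion)."""
    pairs = list(zip(first_list, second_list))
    if not pairs:
        return 0.0
    hits = sum(1 for cur, hist in pairs
               if abs(cur - hist) <= tolerance * max(abs(hist), 1e-9))
    return hits / len(pairs)

def flow_change_track(values):
    """Successive differences of the data flow value sequence."""
    return [b - a for a, b in zip(values, values[1:])]

def detect(frames, first_list, second_list, set_proportion=0.8, jump_factor=4.0):
    """True = intrusion, False = no intrusion, None = proportion gate not reached
    (the claim does not state what happens in that branch)."""
    if consistent_proportion(first_list, second_list) < set_proportion:
        return None
    values = flow_value_sequence(frames)
    track = flow_change_track(values)
    if not track:
        return False
    baseline = median(values)
    # Assumed rule: a single step larger than jump_factor x median is anomalous.
    return any(abs(step) > jump_factor * baseline for step in track)

# Constructed sample data (not from the patent).
NORMAL = [(0.0, b"GET /a"), (0.1, b"GET /b"), (0.2, b"GET /cc"), (0.3, b"GET /d")]
BURST = NORMAL + [(0.4, b"A" * 400)]
CURRENT_FEATURES = [0.10, 0.10, 0.11, 0.10, 0.30]   # current-period timing features
HISTORY_FEATURES = [0.10, 0.11, 0.10, 0.10, 0.10]   # previous-period timing features

if __name__ == "__main__":
    print(detect(NORMAL, CURRENT_FEATURES, HISTORY_FEATURES))
    print(detect(BURST, CURRENT_FEATURES, HISTORY_FEATURES))
```
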
CN202010281870.6A 2020-04-11 2020-04-11 Intrusion detection method and device based on data flow detection and time sequence feature extraction Active CN111490992B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202011329596.1A CN112491865A (en) 2020-04-11 2020-04-11 Intrusion detection method and device for data flow detection and time sequence feature extraction
CN202010281870.6A CN111490992B (en) 2020-04-11 2020-04-11 Intrusion detection method and device based on data flow detection and time sequence feature extraction
CN202011332519.1A CN112491866A (en) 2020-04-11 2020-04-11 Intrusion detection method and device combining data flow detection and time sequence feature extraction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010281870.6A CN111490992B (en) 2020-04-11 2020-04-11 Intrusion detection method and device based on data flow detection and time sequence feature extraction

Related Child Applications (2)

Application Number Title Priority Date Filing Date
CN202011329596.1A Division CN112491865A (en) 2020-04-11 2020-04-11 Intrusion detection method and device for data flow detection and time sequence feature extraction
CN202011332519.1A Division CN112491866A (en) 2020-04-11 2020-04-11 Intrusion detection method and device combining data flow detection and time sequence feature extraction

Publications (2)

Publication Number Publication Date
CN111490992A CN111490992A (en) 2020-08-04
CN111490992B true CN111490992B (en) 2021-01-22

Family

ID=71812719

Family Applications (3)

Application Number Title Priority Date Filing Date
CN202010281870.6A Active CN111490992B (en) 2020-04-11 2020-04-11 Intrusion detection method and device based on data flow detection and time sequence feature extraction
CN202011332519.1A Withdrawn CN112491866A (en) 2020-04-11 2020-04-11 Intrusion detection method and device combining data flow detection and time sequence feature extraction
CN202011329596.1A Withdrawn CN112491865A (en) 2020-04-11 2020-04-11 Intrusion detection method and device for data flow detection and time sequence feature extraction

Country Status (1)

Country Link
CN (3) CN111490992B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866260A (en) * 2020-08-27 2021-05-28 黄天红 Flow detection method combining cloud computing and user behavior analysis and big data center

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104317892A (en) * 2014-10-23 2015-01-28 深圳市腾讯计算机系统有限公司 Portable executable file timing sequence feature processing method and device
CN105592044A (en) * 2015-08-21 2016-05-18 杭州华三通信技术有限公司 Message attack detection method and device
CN107360196A (en) * 2017-09-08 2017-11-17 杭州安恒信息技术有限公司 attack detection method, device and terminal device
CN109859854A (en) * 2018-12-17 2019-06-07 中国科学院深圳先进技术研究院 Prediction Method of Communicable Disease, device, electronic equipment and computer-readable medium
CN110717597A (en) * 2018-06-26 2020-01-21 第四范式(北京)技术有限公司 Method and device for acquiring time sequence characteristics by using machine learning model
CN110995769A (en) * 2020-02-27 2020-04-10 上海飞旗网络技术股份有限公司 Deep data packet detection method and device and readable storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10666671B2 (en) * 2017-04-26 2020-05-26 Cisco Technology, Inc. Data security inspection mechanism for serial networks
US20190089760A1 (en) * 2017-09-20 2019-03-21 Junshan Zhang Systems and methods for real-time content creation and sharing in a decentralized network
CN110233769B (en) * 2018-03-06 2021-09-14 华为技术有限公司 Flow detection method and apparatus, sample training method and apparatus, and medium
CN108989319B (en) * 2018-07-27 2021-09-21 北京梆梆安全科技有限公司 Vehicle intrusion detection method and vehicle intrusion detection device based on CAN bus
CN109547254B (en) * 2018-11-28 2022-03-15 湖北文理学院 Intrusion detection method and device, electronic equipment and storage medium
CN110166418B (en) * 2019-03-04 2020-11-13 腾讯科技(深圳)有限公司 Attack detection method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN112491865A (en) 2021-03-12
CN112491866A (en) 2021-03-12
CN111490992A (en) 2020-08-04

Similar Documents

Publication Publication Date Title
CN110177108B (en) Abnormal behavior detection method, device and verification system
CN112398779B (en) Network traffic data analysis method and system
CN112003870B (en) Network encryption traffic identification method and device based on deep learning
CN109714322B (en) Method and system for detecting network abnormal flow
CN110209820B (en) User identification detection method, device and storage medium
CN112738039B (en) Malicious encrypted flow detection method, system and equipment based on flow behavior
CN111541661A (en) Power information network attack scene reconstruction method and system based on causal knowledge
AU770699B2 (en) Computer network intrusion detection
CN108718298B (en) Malicious external connection flow detection method and device
CN111030992B (en) Detection method, server and computer readable storage medium
CN109218321A (en) A kind of network inbreak detection method and system
CN110046297B (en) Operation and maintenance violation identification method and device and storage medium
CN115174231B (en) Network fraud analysis method and server based on AI Knowledge Base
CN112953971A (en) Network security traffic intrusion detection method and system
CN111490992B (en) Intrusion detection method and device based on data flow detection and time sequence feature extraction
CN112437034B (en) False terminal detection method and device, storage medium and electronic device
CN113704772B (en) Safety protection processing method and system based on user behavior big data mining
CN112087450B (en) Abnormal IP identification method, system and computer equipment
CN117336033A (en) Traffic interception method and device, storage medium and electronic equipment
CN111464837B (en) Video terminal access verification method and server of online live broadcast system
CN115603995A (en) Information processing method, device, equipment and computer readable storage medium
KR102609592B1 (en) Method and apparatus for detecting abnormal behavior of IoT system
CN116527378B (en) Cloud mobile phone monitoring management method and system
CN114745148B (en) Vehicle-mounted network CAN bus intrusion detection method and system based on dynamic programming
CN113347021B (en) Model generation method, collision library detection method, device, electronic equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No.6, Huashan 2nd Road, Xingfu Industrial Park, Miaoshan Development Zone, Jiangxia District, Wuhan City, Hubei Province

Applicant after: Wu Yuanyuan

Address before: 363601, Fujian County, Zhangzhou City, Nanjing Province Jing Town High-tech Industrial Park

Applicant before: Wu Yuanyuan

TA01 Transfer of patent application right

Effective date of registration: 20210104

Address after: 211100 building 03, Liye Park, qidicheng, No.26, Zhizhi Road, Jiangning District, Nanjing City, Jiangsu Province

Applicant after: JIANGSU ZHENGCAI DATA TECHNOLOGY Co.,Ltd.

Address before: 430200 No.6, Huashan 2nd Road, Xingfu Industrial Park, Miaoshan Development Zone, Jiangxia District, Wuhan City, Hubei Province

Applicant before: Wu Yuanyuan

GR01 Patent grant