CN112134847A - Attack detection method based on user flow behavior baseline - Google Patents

Info

Publication number
CN112134847A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010867932.1A
Other languages
Chinese (zh)
Inventor
王文冰
孙剑文
陈明
毛艳芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou University of Light Industry
Original Assignee
Zhengzhou University of Light Industry

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention belongs to the technical field of attack detection methods, and particularly relates to an attack detection method based on a user flow behavior baseline. The method extracts a flow-level feature set from the user's network traffic behavior, inputs the feature set into an improved model for training to obtain a user behavior baseline, and performs attack detection on new access traffic using the baseline as the decision criterion. Only the user's normal behavior traffic is used during training, and the improved bidirectional generative adversarial network (BiGAN) algorithm trains stably on high-dimensional traffic features, is suitable for detecting unknown attacks, and offers high detection speed and accuracy.

Description

Attack detection method based on user flow behavior baseline
Technical Field
The invention belongs to the technical field of attack detection methods, and particularly relates to an attack detection method based on a user flow behavior baseline.
Background
As machine learning has matured in practical applications, it has also been widely applied to traffic anomaly detection. Researchers select a small number of traffic features, target only specific attack scenarios, and use classical decision tree, clustering, genetic and similar machine learning algorithms to distinguish normal traffic from intrusion traffic, achieving good detection results. However, these methods perform poorly and incur high time overhead on complex, high-dimensional traffic data. Deep learning models solve the problem of training on high-dimensional complex data, but attack samples are difficult to obtain; when the attack traffic sample space is insufficient, existing methods can hardly train the detection model fully and can hardly detect unknown attacks well.
Disclosure of Invention
In view of the defects and problems in the prior art, the invention provides an attack detection method based on a user traffic behavior baseline. It defines the user's behavior features through network traffic metadata, describes the behavior pattern of a specific user, and uses only normal user traffic data during training, so that it detects abnormal behavior traffic generated by anyone other than the user; it can both detect known attack behaviors and give early warning of unknown behaviors.
The technical solution adopted by the invention to solve the technical problem is as follows: an attack detection method based on a user traffic behavior baseline, comprising the following steps:
(1) capturing the inbound and outbound gateway traffic data of a specific user's network card for at least one week, filtering the traffic data by IP address to obtain all traffic data related to the user, then filtering the traffic data again and discarding timed-out, out-of-order and retransmitted flows; acquiring the complete bidirectional TCP session flows and UDP session flows in the user behavior traffic, wherein the flow direction is set by the direction of the first data packet, a TCP session flow starts with SYN and ends when either end sends FIN and the number of FINs is less than 2, a UDP session flow uses 120 seconds as its timeout threshold, and the five-tuple <source IP, destination IP, source port, destination port, protocol type> is marked as the session ID of the UDP session flow; extracting metadata features from the session flows according to the determined feature set dimension, calculating statistical features, transforming the categorical features among the extracted features so that the features input to the model belong to the same dimension, calculating the standard deviation of the time-related statistical features, and integrating the features by session flow ID into a feature set of a specific dimension;
(2) selecting part of the user's traffic feature set as a training set, normalizing the numerical data in the training set, and dummy coding the categorical data in the training set so that it can be used for model training;
(3) initializing the parameters of the bidirectional generative adversarial network model and determining the model parameters; training the discriminator in the model, then training the generator and the encoder, and then training them alternately until the loss function of the discriminator shows an oscillating trend; after training, obtaining the training loss value of the discriminator part and the training loss value of the generator and encoder part, calculating the loss scores of the discriminator part and of the generator and encoder part through the L1 norm, and then calculating the baseline of the user data through the anomaly score formula;
(4) integrating the behavior features of the test sample's traffic behavior, normalizing the continuous parameters among the test sample's feature parameters, and dummy coding the categorical features; inputting each session flow in the test sample into the bidirectional generative adversarial network model to obtain the feature distribution score of each session flow in the test sample; comparing the feature distribution score of each session flow in the test sample with the baseline, and judging the sample to be an attack sample when the score is greater than the baseline and a normal sample when it is not greater than the baseline.
In the above attack detection method based on the user traffic behavior baseline, in step one, for the network communication session flows generated by the user and those generated by attack behavior, data packets are considered to belong to the same session flow when the following conditions are met:
TCP session flow:
$$\text{flow direction} \cap \mathrm{SrcIP}_1 = \mathrm{SrcIP}_2 \cap \mathrm{DstIP}_1 = \mathrm{DstIP}_2 \cap \mathrm{Prot}_1 = \mathrm{Prot}_2 \cap \text{TCP flag bits}$$
UDP session flow:
$$\text{flow direction} \cap \mathrm{SrcIP}_1 = \mathrm{SrcIP}_2 \cap \mathrm{DstIP}_1 = \mathrm{DstIP}_2 \cap \mathrm{Prot}_1 = \mathrm{Prot}_2 \cap T_{udp}$$
In the formula: SrcIP represents a source IP address, DstIP represents a destination IP address, and Prot represents a port number; $T_{udp}$ denotes the timeout threshold of the UDP flow, and ∩ denotes that the conditions are satisfied at the same time.
In the above attack detection method based on the user traffic behavior baseline, in step one, the network card gateway traffic data is the user's traffic data for at least one week.
In the above attack detection method based on the user traffic behavior baseline, the training set is a normal behavior traffic feature set of the user.
In the above attack detection method based on the user traffic behavior baseline, the test sample includes the user's normal behavior traffic feature sets other than the training set and the feature sets of various attack traffic.
The beneficial effects of the invention are as follows: only the user's traffic behavior features are used in training the baseline model, and this data is easy to collect, so the model can be fully trained; the user's behavior pattern is defined using high-dimensional network traffic metadata and the user's behavior baseline is characterized comprehensively, so the attack detection model need not target a preset attack scenario and is a general attack detection model; the invention improves the bidirectional generative adversarial network model by applying WGAN-GP within the bidirectional GAN framework and replacing the loss function of the original model's discriminator, so that model training converges quickly and detection efficiency is high.
Drawings
FIG. 1 is a flow chart of an attack detection method based on a user traffic behavior baseline.
FIG. 2 is a flow chart of user traffic behavior feature set extraction.
FIG. 3 is a flow chart of user traffic behavior baseline model training.
FIG. 4 is a flow chart of the detection model for detection of an attack behavior based on a baseline.
Detailed Description
In view of the problems that existing attack detection methods target only specific attack scenarios, perform poorly on complex, high-dimensional traffic data with high time cost, and, when the attack traffic sample space is insufficient, can hardly train a detection model fully or detect unknown attacks well, the invention provides an attack detection method based on a user traffic behavior baseline.
Example 1: this embodiment provides an attack detection method based on a user traffic behavior baseline; the specific flow of the method is shown in FIG. 1.
First, the user's network traffic behavior feature set is extracted; the flow is shown in FIG. 2.
The inbound and outbound gateway traffic data of a specific user's network card is collected for at least one week, the traffic data is filtered by IP address, and all traffic data related to the user is retained. The traffic data is filtered again, discarding timed-out, out-of-order and retransmitted flows, to obtain the complete bidirectional TCP session flows and UDP session flows in the user behavior traffic. For the network communication session flows generated by the user and those generated by attack behavior, data packets are considered to belong to the same session flow when the following conditions are met:
TCP session flow:
$$\text{flow direction} \cap \mathrm{SrcIP}_1 = \mathrm{SrcIP}_2 \cap \mathrm{DstIP}_1 = \mathrm{DstIP}_2 \cap \mathrm{Prot}_1 = \mathrm{Prot}_2 \cap \text{TCP flag bits}$$
UDP session flow:
$$\text{flow direction} \cap \mathrm{SrcIP}_1 = \mathrm{SrcIP}_2 \cap \mathrm{DstIP}_1 = \mathrm{DstIP}_2 \cap \mathrm{Prot}_1 = \mathrm{Prot}_2 \cap T_{udp}$$
The flow direction is set by the direction of the first data packet; SrcIP represents a source IP address, DstIP represents a destination IP address, and Prot represents a port number; the TCP flag bits condition for a TCP session flow means that the flow starts with SYN and ends when either end sends FIN and the number of FINs is less than 2; $T_{udp}$ in a UDP session flow is the timeout threshold of the UDP flow, set here to $T_{udp} = 120$ s; and ∩ denotes that the conditions are satisfied at the same time.
Basic information of the session flow is generated from the data packets, including source IP address, destination IP address, source port, destination port, protocol type, timestamp, payload length, Flag identifier, time window and packet header length; each complete session flow is labeled with the five-tuple <source IP, destination IP, source port, destination port, protocol type> as its ID.
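The session-flow rules above, written out as an added example (not code from the patent): packets are grouped into bidirectional flows whose ID and direction come from the first packet, a TCP flow opens on SYN and closes at the first FIN from either end, and a UDP flow is split after 120 s of silence. The `Packet` field names, the flag letters and the reading of "number of FINs less than 2" as "close at the first FIN" are assumptions, and the input is assumed to be already free of retransmitted and out-of-order packets.

```python
from collections import namedtuple
from statistics import pstdev

# Hypothetical packet record; flags are letters such as "S", "SA", "PA", "FA".
Packet = namedtuple("Packet", "ts src sport dst dport proto flags length")
UDP_TIMEOUT = 120.0  # T_udp from the description, in seconds


def bidir_key(p):
    """Direction-independent key so both directions land in the same flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b), p.proto)


def new_flow(p):
    # The session ID is the five-tuple of the FIRST packet, which fixes direction.
    return {"id": (p.src, p.dst, p.sport, p.dport, p.proto),
            "times": [], "fwd_pkts": 0, "bwd_pkts": 0, "bytes": 0}


def add_packet(flow, p):
    forward = (p.src, p.sport) == (flow["id"][0], flow["id"][2])
    flow["fwd_pkts" if forward else "bwd_pkts"] += 1
    flow["bytes"] += p.length
    flow["times"].append(p.ts)


def finish(flow):
    """Replace raw timestamps by duration and inter-arrival standard deviation."""
    t = flow.pop("times")
    gaps = [b - a for a, b in zip(t, t[1:])]
    flow["duration"] = t[-1] - t[0]
    flow["iat_std"] = pstdev(gaps) if gaps else 0.0
    return flow


def assemble(packets):
    active, done = {}, []
    for p in sorted(packets, key=lambda q: q.ts):
        key = bidir_key(p)
        flow = active.get(key)
        if p.proto == "UDP":
            if flow and p.ts - flow["times"][-1] > UDP_TIMEOUT:
                done.append(finish(active.pop(key)))  # idle too long: close it
                flow = None
            if flow is None:
                flow = active[key] = new_flow(p)
            add_packet(flow, p)
        elif p.proto == "TCP":
            if flow is None:
                if p.flags != "S":
                    continue  # no SYN seen for this session: incomplete, discard
                flow = active[key] = new_flow(p)
            add_packet(flow, p)
            if "F" in p.flags:
                done.append(finish(active.pop(key)))  # first FIN ends the flow
    # End of capture: close open UDP flows, drop TCP flows that never saw a FIN.
    done += [finish(f) for f in active.values() if f["id"][4] == "UDP"]
    return done


SAMPLE = [  # constructed packets, not data from the patent
    Packet(0.00, "10.0.0.5", 50000, "198.51.100.7", 443, "TCP", "S", 0),
    Packet(0.02, "198.51.100.7", 443, "10.0.0.5", 50000, "TCP", "SA", 0),
    Packet(0.03, "10.0.0.5", 50000, "198.51.100.7", 443, "TCP", "A", 0),
    Packet(0.10, "10.0.0.5", 50000, "198.51.100.7", 443, "TCP", "PA", 300),
    Packet(0.30, "198.51.100.7", 443, "10.0.0.5", 50000, "TCP", "PA", 1200),
    Packet(0.50, "10.0.0.5", 50000, "198.51.100.7", 443, "TCP", "FA", 0),
    Packet(0.52, "198.51.100.7", 443, "10.0.0.5", 50000, "TCP", "FA", 0),  # after close
    Packet(1.00, "10.0.0.5", 50001, "198.51.100.7", 80, "TCP", "PA", 90),  # no SYN
    Packet(5.0, "10.0.0.5", 53000, "192.0.2.53", 53, "UDP", "", 60),
    Packet(5.1, "192.0.2.53", 53, "10.0.0.5", 53000, "UDP", "", 120),
    Packet(205.1, "10.0.0.5", 53000, "192.0.2.53", 53, "UDP", "", 60),  # >120 s gap
]

if __name__ == "__main__":
    for f in assemble(SAMPLE):
        print(f)
```

The two UDP flows share one five-tuple ID, so a feature pipeline that keys on the ID alone needs the flow start time as well to keep them apart.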
Metadata features are extracted from the session flows according to the determined feature dimension and statistical features are calculated. The categorical features among the extracted features, such as destination port type and protocol type, need to be preprocessed by transformation; the purpose of the transformation is to make the features input to the model belong to the same dimension. The standard deviation of the time-related statistical features is calculated to reflect the dispersion of the data, and the features are integrated by session flow ID into a feature set of a specific dimension.
Then, part of the normal behavior traffic feature set of the specific user is selected as the training set, and the numerical data in the training set is normalized; in this embodiment the numerical features are 30-dimensional original statistical features and 22-dimensional calculated statistical features. The categorical data in the training set is dummy coded. Dummy coding arbitrarily removes one state: if there are four states, three state bits are needed, each of three states sets its state bit to 1 when active, and the fourth state is represented by [0,0,0]. Each value of a discrete feature is treated as a state and encoded as a dummy variable; the coding result is shown in Table 1, so that the data can be used for model training.
Table 1 dummy coding results
Figure BDA0002650290750000061
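The preprocessing described above, as an added example that is not part of the patent: the scaler and the state lists are learned from the training set only and then applied to test flows. Min-max scaling is an assumption (the text says only "normalization"), and the column names and rows are constructed. The example also shows a consequence of dummy coding: a category never seen in training encodes to the same all-zero bits as the dropped reference state, so it is reported separately.

```python
def fit(rows, numeric, categorical):
    """Learn min/max per numeric column and the state list per categorical column."""
    ranges = {c: (min(r[c] for r in rows), max(r[c] for r in rows)) for c in numeric}
    states = {c: sorted({r[c] for r in rows}) for c in categorical}
    return ranges, states


def encode(row, ranges, states):
    """Return (feature vector, list of columns holding an unseen category)."""
    vec, unseen = [], []
    for col, (lo, hi) in ranges.items():
        # Not clipped: a test value outside the training range stays outside [0, 1].
        vec.append((row[col] - lo) / (hi - lo) if hi > lo else 0.0)
    for col, known in states.items():
        # Dummy coding: known[0] is the dropped state and encodes as all zeros.
        vec.extend(1.0 if row[col] == s else 0.0 for s in known[1:])
        if row[col] not in known:
            unseen.append(col)  # would otherwise look like the dropped state
    return vec, unseen


TRAIN = [  # constructed normal-traffic rows
    {"duration": 0.5, "bytes": 1500, "proto": "TCP", "dport_type": "https"},
    {"duration": 0.1, "bytes": 180, "proto": "UDP", "dport_type": "dns"},
    {"duration": 2.5, "bytes": 9000, "proto": "TCP", "dport_type": "http"},
    {"duration": 1.3, "bytes": 400, "proto": "TCP", "dport_type": "other"},
]
RANGES, STATES = fit(TRAIN, ["duration", "bytes"], ["proto", "dport_type"])

if __name__ == "__main__":
    # Four dport_type states -> three bits; "dns" is the dropped state [0, 0, 0].
    print(encode(TRAIN[1], RANGES, STATES))
    probe = {"duration": 0.1, "bytes": 17820, "proto": "UDP", "dport_type": "ssh"}
    print(encode(probe, RANGES, STATES))
```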
Second, baseline learning is performed on the session features through the generative adversarial algorithm; the process is shown in FIG. 3 and is as follows.
The parameters of the bidirectional generative adversarial network model are initialized and the model parameters determined. The discriminator in the model is trained: the training sample x is concatenated with its hidden-layer mapping, the hidden variable z is concatenated with its feature mapping in the real space, and the two pairs of data are input to the discriminator, which outputs 64-dimensional data through the first fully connected layer and then 1-dimensional data through one more fully connected layer; in the last fully connected layer every neuron is connected to every output neuron.
The generator and the encoder are then trained. The generator is a 4-layer neural network whose input is a 16-dimensional hidden-space variable; the first fully connected layer outputs 32-dimensional data with ReLU activation, the second fully connected layer outputs 64-dimensional data, again with ReLU activation, and the third fully connected layer outputs 57-dimensional data, giving the real-space feature representation and attempting to reconstruct the original input data, i.e. G(E(x)).
The encoder is a 3-layer neural network whose input is the 57-dimensional original data; the first fully connected layer outputs 32-dimensional data with Leaky ReLU activation, and the second fully connected layer outputs 16-dimensional data, the hidden-layer feature representation, i.e. E(x).
The training sample x is mapped from the real space to the hidden space to obtain the distribution difference between the training sample and the hidden variable, $\mathrm{Loss}_e = -\mathbb{E}_{x \sim p_x}[D(x, E(x))]$; the hidden variable z is then mapped from the hidden-layer space to the real space to obtain the distribution difference between the known noise z and the reconstructed variable G(z), $\mathrm{Loss}_g = \mathbb{E}_{z \sim p_z}[D(G(z), z)]$; the distribution difference between the reconstructed sample G(E(x)) and the original sample x is calculated, $\mathrm{Loss}_d = \mathrm{Loss}_e + \mathrm{Loss}_g$; and the target loss function of the discriminator is obtained:
Figure BDA0002650290750000081
The discriminator is trained, the gradients are updated and the parameters are passed to the generator and the encoder of the bidirectional generative adversarial network, and the generator and the encoder are trained at the same time. The data output by the generator and the encoder is concatenated and fed to the discriminator, and training alternates in this way until the target loss function of the discriminator shows an oscillating trend. The discriminator finally outputs 1-dimensional data, and this output gives the feature matching of the hidden-layer space. Features can be extracted by exploiting local correlation, which reduces the amount of data to process while retaining useful features, and the second-to-last layer is used as the feature output.
The score $L_f$ of the discriminator is calculated as $L_f = |f_D(x, E(x)) - f_D(G(E(x)), E(x))|$, and the loss score of the discriminator is calculated from the L1 norm of $L_f$: $S_f = \lVert L_f \rVert_1$.
The loss of G(E(x)), obtained by encoding and then generating the training sample x, is $L_x$:
$$L_x = \lVert x - G(E(x)) \rVert$$
The loss score $S_x$ of the generator and encoder part is calculated from the L1 norm of $L_x$: $S_x = \lVert L_x \rVert_1$.
From the loss score $S_x$ of the generator and encoder part and the loss score $S_f$ of the discriminator part, the anomaly score is calculated as $\mathrm{Score} = (1 - weight) \cdot S_x + weight \cdot S_f$, which serves as the baseline.
Third, attack detection is performed on the test sample; the process is shown in FIG. 4 and is as follows. The behavior features of the test sample's traffic behavior are integrated, the test sample comprising the user's normal behavior traffic feature sets other than the training set and the feature sets of various attack traffic; the continuous parameters among the test sample's feature parameters are normalized and the categorical features are dummy coded. Each session flow in the test sample is input into the bidirectional generative adversarial network model to obtain the feature distribution score of each session flow in the test sample. The feature distribution score of each session flow is compared with the baseline; the sample is judged to be an attack sample when the score is greater than the baseline and a normal sample when it is not greater than the baseline.
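The scoring and decision steps above, as an added example that is not the patent's code. `E`, `G` and `f_D` are small fixed linear maps standing in for the trained encoder, generator and discriminator feature layer (the patent's networks are 57-dimensional with a 16-dimensional hidden space); `weight = 0.1` and taking the baseline as the largest score over normal training flows are assumptions, since the text gives neither value nor rule.

```python
def matvec(W, v):
    return [sum(w * a for w, a in zip(row, v)) for row in W]


def relu(v):
    return [max(0.0, a) for a in v]


def l1(u, v):
    return sum(abs(a - b) for a, b in zip(u, v))


# Toy stand-ins (assumption): 4-D features, 2-D hidden space. "Normal" flows
# satisfy x[2] ~= x[0] and x[3] ~= x[1], which is what E and G have "learned".
E_W = [[0.5, 0.0, 0.5, 0.0], [0.0, 0.5, 0.0, 0.5]]
G_W = [[1.0, 0.0], [0.0, 1.0], [1.0, 0.0], [0.0, 1.0]]
D_W = [[1, 0, -1, 0, 0, 0], [-1, 0, 1, 0, 0, 0],
       [0, 1, 0, -1, 0, 0], [0, -1, 0, 1, 0, 0], [0, 0, 0, 0, 1, 1]]


def E(x):
    return matvec(E_W, x)


def G(z):
    return matvec(G_W, z)


def f_D(x, z):
    """Second-to-last discriminator layer applied to the (sample, hidden) pair."""
    return relu(matvec(D_W, list(x) + list(z)))


def anomaly_score(x, weight=0.1):
    z = E(x)
    x_rec = G(z)                           # G(E(x)), the reconstruction
    s_x = l1(x, x_rec)                     # S_x = ||x - G(E(x))||_1
    s_f = l1(f_D(x, z), f_D(x_rec, z))     # S_f from discriminator features
    return (1 - weight) * s_x + weight * s_f


def fit_baseline(normal_flows, weight=0.1):
    # Assumed rule: the baseline is the largest score seen on normal training flows.
    return max(anomaly_score(x, weight) for x in normal_flows)


def classify(x, baseline, weight=0.1):
    # Strictly greater than the baseline -> attack; equal or lower -> normal.
    return "attack" if anomaly_score(x, weight) > baseline else "normal"


TRAIN = [[0.2, 0.4, 0.2, 0.4], [0.2, 0.4, 0.22, 0.38], [0.7, 0.1, 0.69, 0.1]]
BASELINE = fit_baseline(TRAIN)

if __name__ == "__main__":
    for flow in ([0.5, 0.1, 0.5, 0.1], TRAIN[1], [0.9, 0.1, 0.1, 0.9]):
        print(flow, round(anomaly_score(flow), 4), classify(flow, BASELINE))
```

The middle flow scores exactly the baseline and is therefore judged normal, which is the "not greater than" branch of the rule.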
243703 test samples were tested as described in this embodiment; the results are shown in Table 2.
Table 2 detection results of the attack detection method of the present invention
Attack type     Precision(%)    Recall(%)    Accuracy(%)    F1(%)
DoS             100             100          100            100
DDoS            100             100          100            100
Web attack      90.89           91.34        96.67          91.53
Infiltration    100             100          100            100
The detection results in Table 2 show that the Precision, Recall, Accuracy and F1 values of the detection method of the invention on the three attack types DoS, DDoS and Infiltration are all 100%, which shows that the detection method of the invention has a good detection effect.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and scope of the present invention are intended to be covered thereby.

Claims (5)

1. An attack detection method based on a user flow behavior baseline, characterized in that the method comprises the following steps:
step one, capturing the inbound and outbound gateway traffic data of the user's network card, filtering the traffic data by IP address, and retaining all traffic data related to the user; filtering the traffic data again, discarding timed-out, out-of-order and retransmitted flows, acquiring the complete bidirectional TCP session flows and UDP session flows in the user behavior traffic, and marking each with its five-tuple as its ID; extracting metadata features from the session flows according to the determined feature dimension, calculating statistical features, transforming the categorical features among the extracted features so that the features input to the model belong to the same dimension, calculating the standard deviation of the time-related statistical features, and integrating the features by session flow ID into a feature set of a specific dimension;
step two, selecting part of the user's traffic feature set as a training set, normalizing the numerical data in the training set, and dummy coding the categorical data in the training set so that it can be used for model training;
step three, initializing the parameters of the bidirectional generative adversarial network model and determining the model parameters; training the discriminator in the model, then training the generator and the encoder, and then training them alternately until the loss function of the discriminator shows an oscillating trend; after training, obtaining the training loss value of the discriminator part and the training loss value of the generator and encoder part, calculating the loss scores of the discriminator part and of the generator and encoder part through the L1 norm, and then calculating the baseline of the user data through the anomaly score formula;
step four, integrating the behavior features of the test sample's traffic behavior, normalizing the continuous parameters among the test sample's feature parameters, and dummy coding the categorical features; inputting each session flow in the test sample into the bidirectional generative adversarial network model to obtain the feature distribution score of each session flow in the test sample; comparing the feature distribution score of each session flow in the test sample with the baseline, and judging the sample to be an attack sample when the score is greater than the baseline and a normal sample when it is not greater than the baseline.
2. The attack detection method based on a user flow behavior baseline according to claim 1, characterized in that: in step one, for the network communication session flows generated by the user and those generated by attack behavior, data packets are considered to belong to the same session flow when the following conditions are met:
TCP session flow:
$$\text{flow direction} \cap \mathrm{SrcIP}_1 = \mathrm{SrcIP}_2 \cap \mathrm{DstIP}_1 = \mathrm{DstIP}_2 \cap \mathrm{Prot}_1 = \mathrm{Prot}_2 \cap \text{TCP flag bits}$$
UDP session flow:
$$\text{flow direction} \cap \mathrm{SrcIP}_1 = \mathrm{SrcIP}_2 \cap \mathrm{DstIP}_1 = \mathrm{DstIP}_2 \cap \mathrm{Prot}_1 = \mathrm{Prot}_2 \cap T_{udp}$$
In the formula: SrcIP represents a source IP address, DstIP represents a destination IP address, and Prot represents a port number; $T_{udp}$ denotes the timeout threshold of the UDP flow, and ∩ denotes that the conditions are satisfied at the same time.
3. The attack detection method based on a user flow behavior baseline according to claim 1, characterized in that: in step one, the inbound and outbound gateway traffic data of the network card is the user's traffic data for at least one week.
4. The attack detection method based on a user flow behavior baseline according to claim 1, characterized in that: the training set is a normal behavior traffic feature set of the user.
5. The attack detection method based on a user flow behavior baseline according to claim 1, characterized in that: the test sample comprises the user's normal behavior traffic feature sets other than the training set and the feature sets of various attack traffic.
CN202010867932.1A 2020-08-26 2020-08-26 Attack detection method based on user flow behavior baseline Pending CN112134847A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010867932.1A CN112134847A (en) 2020-08-26 2020-08-26 Attack detection method based on user flow behavior baseline

Publications (1)

Publication Number Publication Date
CN112134847A true CN112134847A (en) 2020-12-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201225