CN112187820B - Power distribution terminal DTU intrusion detection method and system based on machine learning - Google Patents
- Publication number
- CN112187820B CN202011073339.6A
- Authority
- CN
- China
- Prior art keywords
- classifier
- dtu
- training
- power distribution
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/213—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
- G06F18/2135—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods based on approximation criteria, e.g. principal component analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
Abstract
The invention discloses a machine-learning-based intrusion detection method and system for the power distribution terminal DTU, belonging to the field of smart grid security. The method first uses principal component analysis to reduce the dimensionality of high-dimensional feature data and builds the model on the reduced features; second, it performs double verification with a least squares support vector machine and a neural network algorithm to improve detection accuracy and reduce the false alarm rate; finally, the intrusion detection system framework has a modular design, is suited to intrusion detection in the smart grid field, and has good portability and generality.
Description
Technical Field
The invention belongs to the field of smart grid security, and in particular relates to a machine-learning-based intrusion detection method and system for the power distribution terminal DTU.
Background
Automating and adding intelligence to the power distribution network helps optimize the allocation of national energy resources, ensures the safe and stable operation of the electric power system, and promotes the development of national strategic emerging industries. In recent years, as the power system and communication networks have become more tightly coupled, security threats from the internet have grown more complex and diverse, and the information security problem of the distribution network has become increasingly prominent. In particular, the microgrid controller devices of power distribution terminals are frequently subjected to network attacks, which seriously hinders the normal production and operation of the power system. The intelligent power distribution terminal DTU (Distribution Terminal Unit) is a core device in the distribution network; it monitors the operating state of the transformer area in real time to ensure that the distribution system operates safely and reliably. With the rapid development of the smart distribution network, the network environment and the types of network attack are increasingly complex and changeable, and the weakness of current security defense mechanisms for distribution transformer terminals is increasingly evident. Performing intrusion detection on the intelligent power distribution terminals in the power industrial control system allows network attacks to be discovered and handled in time, changes the distribution network's current posture of passive defense, and reduces electricity-supply safety risk and economic loss.
At present, intrusion detection systems mainly detect hacker attacks and network viruses by analyzing network packets in the industrial control system environment and trigger an alarm once an anomaly is detected; they generally consist of three modules: a data collection module, a transmission module and a processing module. In the smart grid field, however, as the number of power distribution terminals grows, the volume of data that computers must process keeps increasing, and traditional intrusion detection systems struggle to meet the demand. It is therefore necessary to improve the response speed and accuracy of the intrusion detection system while ensuring the safety of the grid system.
Disclosure of Invention
To address the problems in the prior art, the invention provides a machine-learning-based DTU intrusion detection method and system that use the network traffic and related network information of the power distribution terminal to detect attacks on power industrial control systems. It uses an evolutionary algorithm combining a neural network algorithm with a least squares support vector machine algorithm, which overcomes the tendency of the traditional neural network algorithm to settle in a local optimum and greatly improves the accuracy of DTU intrusion detection. The system consists of three subsystems (data collection, data transmission and data processing); the submodules within each subsystem are largely independent of one another, and the system has good generality and portability in the power industrial control field.
In order to achieve the purpose, the invention adopts the following technical scheme:
A power distribution terminal DTU intrusion detection method based on machine learning comprises the following steps:
Step 1: establish a server-client (C/S) communication framework, create a socket object, and collect DTU information data of the power distribution terminal;
Step 2: preprocess the DTU information data to obtain an original feature set, screen out a preset number of features from the original feature set by principal component analysis to serve as the final features, and obtain a training sample set;
Step 3: build a neural network model composed of an input layer, a hidden layer and an output layer as the first classifier, where the input layer receives the screened final features, the hidden layer processes the feature values and comprises the initial weights of the feature values, the network objective function and the activation function, and the output layer outputs the neural network result;
Step 4: build a least squares support vector machine model as the second classifier: map the screened final features to a high-dimensional feature space through a nonlinear mapping, construct an optimal decision function in that space based on the structural risk minimization principle, replace the dot-product operation in the high-dimensional feature space with a kernel function of the original space, and output the result of the least squares support vector machine;
Step 5: perform ensemble learning on the first classifier and the second classifier to form a strong classifier evolution model. In ensemble learning, first train and verify the first classifier on the training sample set using 8-fold cross-validation to obtain its classification error rate, and from that calculate the weight coefficient of the first classifier in the strong classifier evolution model;
then update the weight distribution of the training sample set so that the weights of samples the first classifier predicted wrongly increase and the weights of samples it predicted correctly decrease, and normalize all weights; train and verify the second classifier on the training sample set with the updated weight distribution using 8-fold cross-validation to obtain its classification error rate, and from that calculate the weight coefficient of the second classifier in the strong classifier evolution model;
finally, form the trained strong classifier evolution model;
Step 6: collect DTU information data of the power distribution terminal in real time through the server-client C/S communication framework, extract features according to the screening result of step (3), perform real-time intrusion detection on the DTU feature data with the trained strong classifier evolution model, determine whether the power distribution terminal DTU is in a normal working state or in an abnormal working state under attack, and raise an alarm if it is in the abnormal working state.
Further, in step 1, if a collected numerical feature variable has a missing value, the feature is filled in by linear interpolation; in the formula, $y_0$ and $x_0$ are respectively the feature value and the row number of the corresponding feature in the record preceding the data, and $y_1$ and $x_1$ are respectively the feature value and the row number of the corresponding feature in the record following the data.
Further, original feature samples of the DTU feature data are obtained; principal component analysis performs eigenvalue decomposition on the covariance matrix of the collected original feature samples and solves for the eigenvectors; the first q principal component features, ranked by eigenvalue magnitude, are selected as the final features, giving the training sample set.
Further, the step 5 specifically includes:
Step 5.1: divide the training sample set into 8 equal parts; using 7 parts for training and 1 part for testing, obtain the classification error rate $e_i(x)$; one full round of training yields 8 prediction outputs in total, and the classification error rate of the first classifier computed from them is denoted $e_{NN}$;
Step 5.2: calculate the weight coefficient $\alpha_{NN}$ of the first classifier in the strong classifier evolution model,
Step 5.3: update the weight distribution of the training sample set,
$D_2=(w_{2,1},\dots,w_{2,i},\dots,w_{2,N})$
where $N$ is the number of samples; $D_2$ is the updated weight set; $w_{2,i}$ is the updated weight of the i-th sample, and $w_{1,i}$ is the initial weight of the i-th sample, $w_{1,i}=1/N$, $i=1,2,\dots,N$; $Z$ is a normalization factor ensuring that the weights in $D_2$ sum to 1; $y_i$ is the true value and $G_1(x_i)$ is the predicted value of the first classifier, so that $y_i G_1(x_i)=1$ when the prediction is correct and $y_i G_1(x_i)=-1$ when it is wrong; $\alpha$ is a weight parameter, $0<\alpha<1$, and the larger $\alpha$ is, the more pronounced the update to $w_{2,i}$;
Step 5.4: divide the training sample set with the updated weight distribution into 8 equal parts, train and verify the second classifier using 7 parts for training and 1 part for testing, and run one full round of training to obtain the classification error rate of the second classifier, denoted $e_{LSSVM}$;
Step 5.5: calculate the weight coefficient $\alpha_{LSSVM}$ of the second classifier in the strong classifier evolution model,
Step 5.6: construct the trained strong classifier evolution model, expressed as:
$G(x)=\mathrm{sign}(f(x))$
$f(x)=\alpha_{NN}G_{NN}(x)+\alpha_{LSSVM}G_{LSSVM}(x)$
where $G(x)$ is the strong classifier evolution model, $f(x)$ is the linear combination of the two classifiers, and $\alpha_{NN}$ and $\alpha_{LSSVM}$ are weight coefficients expressing the importance of the first classifier and the second classifier; $\mathrm{sign}(\cdot)$ yields 1 when the system is judged normal and -1 when it is judged abnormal, which gives the final classification.
Another objective of the present invention is to provide a power distribution terminal DTU intrusion detection system based on the above method, including:
the data collection subsystem is used for collecting DTU information data of the power distribution terminal;
the data transmission subsystem is used for transmitting the data collected by the data collection subsystem to the data processing subsystem;
and the data processing subsystem is used for preprocessing the DTU information data, extracting the characteristic value, constructing and training a strong classifier evolution model, detecting the working state of the DTU of the power distribution terminal in real time by using the trained strong classifier evolution model, and sending an alarm if the state is abnormal.
Compared with the prior art, the invention has the beneficial effects that:
(1) The power distribution terminal intrusion detection process disclosed by the invention comprises data collection, preprocessing, feature extraction, establishment of an evolution model combining a neural network algorithm with a least squares support vector machine algorithm, model training, and intrusion detection of the power distribution terminal. The neural network has a simple structure and runs fast, but when solving quickly for an optimum it easily falls into a local minimum. A least squares support vector machine is therefore also used: it turns the quadratic programming problem of the support vector machine into solving a system of equations, which greatly reduces the workload, computes quickly on large-scale data, and avoids local optima.
(2) By constructing the C/S communication architecture, a high-performance host collects the network information of the power distribution terminal, the core device of the distribution network, and extracts its features. In addition, principal component analysis is used during feature selection to reduce the feature dimension, which helps extract important information and discard useless information.
(3) The intrusion detection system uses a framework-style design in which each submodule is largely independent, and the system has good generality and portability in the power industrial control field.
(4) The machine learning algorithm of the invention is an evolutionary algorithm combining a neural network algorithm with a least squares support vector machine algorithm. It introduces a weight distribution over the training data set based on the training result of the first classifier, so that a base classifier with a small classification error rate receives a large weight and a base classifier with a large classification error rate receives a small weight. This overcomes the local-optimum weakness of the traditional neural network algorithm and greatly improves the accuracy of DTU intrusion detection.
Drawings
FIG. 1 is a block diagram of an intrusion detection system according to the present invention;
FIG. 2 is a flow chart of a method of the present invention;
FIG. 3 is a model cross-validation flow diagram;
FIG. 4 is an overall operation block diagram of the intrusion detection system for the power distribution terminal.
Detailed Description
The invention is further explained below with reference to the figures and examples.
The invention provides a machine-learning-based DTU intrusion detection method and system. As shown in figure 2, the DTU intrusion detection system consists of three subsystems: data collection, data transmission and data processing. It uses the network traffic and related network information of the power distribution terminal to detect attacks on power industrial control systems. The workflow of the intrusion detection system is shown in figure 2.
The specific working method of the system is as follows:
Step 1: build a machine-learning-based intrusion detection system framework to meet the requirements of power grid applications. The specific steps are:
Step 1.1: establish a data collection subsystem with the DTU as the client.
Step 1.2: establish a data transmission subsystem based on socket interface technology.
Step 1.3: establish a data processing subsystem with a high-performance PC as the server.
Step 2: establish a server-client (C/S) communication framework, create a socket object, and collect DTU information data of the power distribution terminal. The specific steps are:
Step 2.1: create socket objects for the DTU and the host respectively;
Step 2.2: bind the server address to enable communication between the power distribution terminal and the host;
Step 2.3: the host periodically collects DTU information data of the power distribution terminal;
Step 2.4: record the collected data as D. The collected DTU information data of the power distribution terminal comprises:
send_byte: the number of bits of data transmitted from the power distribution terminal;
receive_byte: the number of bits received by the power distribution terminal;
memory_use: memory occupancy rate;
cpu_use: CPU utilization rate;
real_time: timestamp;
rcv_des: packet destination address;
src_des: packet source address;
length: packet length;
pow_csp: power consumption;
temp: temperature;
link_flag: whether the connection is in a normal or an error state;
land: whether a connection is from/to the same host/port.
If a numerical feature variable has a missing value, the feature is filled in by linear interpolation; in the formula, $y_0$ and $x_0$ are respectively the feature value and the row number of the corresponding feature in the record preceding the data, and $y_1$ and $x_1$ are respectively the feature value and the row number of the corresponding feature in the record following the data.
Step 3: construct features that can characterize attacks, based on prior knowledge of power industrial control messages. The specific steps are:
Step 3.1: calculate the connection duration between the power distribution terminal DTU and the host, where $t_{link}$ is the duration of the connection during which data was collected, $t_{cls}$ is the timestamp at which the connection was closed, and $t_{str}$ is the timestamp at which the connection started;
$t_{link}=t_{cls}-t_{str}$
Step 3.2: calculate the average number of data bytes received by the power distribution terminal DTU, where $d_{receive\_bit}$ is the number of bits of data received within $t_{link}$ and $d_{receive\_byte}$ is the average number of bytes received in that period;
Step 3.3: calculate the average number of data bytes sent by the power distribution terminal DTU, where $d_{send\_bit}$ is the number of bits of data transmitted within $t_{link}$ and $d_{send\_byte}$ is the average number of bytes transmitted in that period;
Step 3.4: calculate the average network flow of the power distribution terminal DTU, where $d_{flow}$ is the average network flow of the power distribution terminal DTU within $t_{link}$;
$d_{flow}=|d_{send\_byte}-d_{save\_byte}|$
Step 4: reduce the high-dimensional feature space of the security data in the intrusion detection system by principal component analysis. First, eigenvalue decomposition is performed on the covariance matrix of the collected DTU data samples and the eigenvectors are solved; the first 3 principal component features are then selected by eigenvalue magnitude, which reduces the data dimensionality. The principal component features finally obtained are: memory occupancy memory_usage; CPU utilization CPU_usage; and DTU average network traffic $d_{flow}$;
Step 5: build a neural network model using a Python library. The neural network model consists of an input layer, a hidden layer and an output layer. The input layer receives the feature values of the power distribution terminal after dimensionality reduction: memory_use, cpu_use and $d_{flow}$; the output layer outputs the neural network result, namely the terminal state tag state_flag; and the hidden layer comprises the initial weight of each feature value, the network objective function, the activation function, and so on.
Step 5.1: initialize the parameters. Since the neural network model has 3 features, 3 weights are initialized. The initial weights are generated by random sampling: at the first iteration, the weight of each neuron and the bias value $b_0$ are initialized to random numbers close to zero, and they are updated continuously during later training.
Step 5.2: calculate the neural network activation value. The activation value of the neural network is the output of the first layer:
where n is the iteration number and i (i = 1, 2, 3) is the index of the DTU network feature information: $X_1$ is the memory occupancy memory_usage, $X_2$ is the CPU usage CPU_usage, and $X_3$ is the average network traffic $d_{flow}$ of the DTU. The weight term is the weight of the i-th feature value at the n-th iteration, and $b_n$ is the neural network bias value.
Step 5.3: set the activation function. The Logistic function, also called the Sigmoid function, is used as the activation function for the hidden-layer neuron output. Its range is (0,1), so it maps any real number into the interval (0,1); it is commonly used for binary classification, and its derivative can be expressed in terms of the function itself. The Sigmoid function and its derivative are expressed as follows:
Step 5.4: define the loss function. The loss function measures the deviation between the actual DTU state and the predicted DTU state. In general, the larger the loss value, the larger the error of the neural network model and the worse its robustness, so the training objective of the neural network is to minimize the loss function. In the present invention, the loss function is defined as:
Step 5.5: optimize the parameters by gradient descent. The weights and bias values in the neural network model are solved, usually iteratively:
Step 5.6: determine the state of the power distribution terminal. The output of the neural network model is a value in the interval (0,1). When the output is above the threshold, the power distribution terminal is in a safe state and is not under malicious network attack; otherwise the system is abnormal.
Step 6: and building a least square support vector machine model by using Python. The LSSVM maps an input vector to a high-dimensional feature space by realizing selected nonlinear mapping, then constructs an optimal decision function in the feature space based on a structure risk minimization principle, and replaces dot product operation in the high-dimensional feature space with a kernel function of an original space. The method comprises the following specific steps:
step 6.1: and determining a classification surface and an optimal hyperplane equation of the DTU state. The classification surface and the hyperplane satisfy the following conditions:
H:w·x+b=0
where i (i =1,2,3) denotes the serial number of DTU network feature information, where X 1 Express memory occupancy memory_usage;X 2 Denotes the CPU usage rate CPU _ usage, X 3 Mean network traffic d representing DTU flow 。w i Represents the weight of the ith feature value, and b represents the offset value of the plane.
Step 6.2: The LSSVM model converts the inequality constraints of the SVM optimization problem into equality constraints, and introduces an error variable for each sample to handle the case where some special points exist. With a regularization term for the error variables added to the function, the LSSVM optimization problem is converted into:
Step 6.3: First, the LSSVM optimization problem is converted into its Lagrange function, where $\alpha_i$ denotes the Lagrange multiplier corresponding to $x_i$.
Then the derivative of the Lagrange function is taken with respect to each variable and set to zero:
Finally, the system of equations is written in block matrix form, and the Lagrange multipliers $\alpha = [\alpha_1, \alpha_2, \ldots, \alpha_N]^T$ and $b$ are solved using the kernel function.
Step 6.4: Output the state of the power distribution terminal. The output of the least squares support vector machine is a number in the interval (-1,1). When the output of the LSSVM model is less than 0, the system is abnormal; otherwise, the system is normal.
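As an added illustration (not code from the patent), the block below carries out steps 6.3 and 6.4 in pure Python: it assembles the block matrix system, solves it for $b$ and $\alpha$, and applies the "less than 0 is abnormal" rule. Because the page's own equations did not survive, it assumes the standard LSSVM classifier formulation with an RBF kernel; `GAMMA`, `SIGMA`, the function names and the sample records are constructed for the example.

```python
import math

# Constructed, pre-scaled DTU records (memory_usage, cpu_usage, d_flow); +1 normal, -1 abnormal.
X_TRAIN = [(0.30, 0.25, 0.10), (0.35, 0.20, 0.15), (0.28, 0.30, 0.12), (0.40, 0.22, 0.08),
           (0.85, 0.90, 0.70), (0.80, 0.95, 0.80), (0.90, 0.85, 0.75), (0.78, 0.88, 0.65)]
Y_TRAIN = [1, 1, 1, 1, -1, -1, -1, -1]
GAMMA, SIGMA = 10.0, 0.5  # assumed regularization constant and RBF kernel width


def rbf(a, b, sigma=SIGMA):
    """Kernel of the original space that replaces the feature-space dot product."""
    return math.exp(-sum((p - q) ** 2 for p, q in zip(a, b)) / (2 * sigma ** 2))


def solve(A, rhs):
    """Solve A z = rhs by Gaussian elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [r] for row, r in zip(A, rhs)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            raise ValueError("singular LSSVM system (is one class missing?)")
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    z = [0.0] * n
    for r in reversed(range(n)):
        z[r] = (M[r][n] - sum(M[r][c] * z[c] for c in range(r + 1, n))) / M[r][r]
    return z


def lssvm_fit(X, y, gamma=GAMMA, sigma=SIGMA):
    """Solve the block system
         [ 0   y^T             ] [ b     ]   [ 0 ]
         [ y   Omega + I/gamma ] [ alpha ] = [ 1 ]
    with Omega[i][j] = y_i * y_j * K(x_i, x_j). Returns (b, alpha)."""
    n = len(X)
    A = [[0.0] + [float(v) for v in y]]
    for i in range(n):
        row = [float(y[i])]
        for j in range(n):
            k = y[i] * y[j] * rbf(X[i], X[j], sigma)
            row.append(k + (1.0 / gamma if i == j else 0.0))
        A.append(row)
    z = solve(A, [0.0] + [1.0] * n)
    return z[0], z[1:]


def lssvm_decision(x, X, y, b, alpha, sigma=SIGMA):
    """Decision value f(x) = sum_i alpha_i * y_i * K(x, x_i) + b."""
    return sum(a * yi * rbf(x, xi, sigma) for a, yi, xi in zip(alpha, y, X)) + b


def dtu_state(x, X, y, b, alpha, sigma=SIGMA):
    """Step 6.4 rule: output below 0 means abnormal, otherwise normal."""
    return "abnormal" if lssvm_decision(x, X, y, b, alpha, sigma) < 0 else "normal"


B, ALPHA = lssvm_fit(X_TRAIN, Y_TRAIN)

if __name__ == "__main__":
    for probe in [(0.32, 0.27, 0.11), (0.82, 0.90, 0.72)]:
        print(probe, dtu_state(probe, X_TRAIN, Y_TRAIN, B, ALPHA))
```

Unlike a standard SVM, every training record receives a nonzero multiplier here, so the fitted model keeps the whole training set and the linear system grows with the number of samples.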
Step 7: Ensemble learning is performed on the neural network model and the least squares support vector machine model using the Adaboost algorithm, forming a strong classifier for judging the state of the power distribution terminal DTU.
Step 7.1: As shown in fig. 3, the model parameters are adjusted according to the training results, so that the performance of the model is optimal in the classification of industrial power control attacks, and intrusion detection for the power distribution terminal DTU is realized. The specific steps are as follows:
The sample data is divided into 8 parts in equal proportion, recorded as samples S1, S2, S3, S4, S5, S6, S7 and S8.
Training is performed using 7 samples, and 1 sample is used for testing. Specifically, samples S2, S3, S4, S5, S6, S7 and S8 are first used to train the classifier model, sample S1 is used to test the model, and the output model is marked as H1; then samples S1, S3, S4, S5, S6, S7 and S8 are used to train the classifier model, sample S2 is used to test the model, and the output model is marked as H2; in the same way, each of the remaining samples (S3, S4, S5, S6, S7 and S8) is used in turn as the test data set, with the other samples as the training data set, to obtain output models H3, H4, H5, H6, H7 and H8.
In conclusion, 8 prediction output results in total are obtained through one round of training, and the classification error rate obtained for the first classifier is denoted as $e_{NN}$;
Step 7.2: Calculate the weight coefficient $\alpha_{NN}$ of the first classifier in the strong classifier evolution model,
Step 7.3: Update the weight distribution of the training sample set,
$D_2 = (w_{2,1}, \ldots, w_{2,i}, \ldots, w_{2,N})$
where $N$ is the number of samples; $D_2$ is the updated weight set; $w_{2,i}$ is the updated weight of the $i$-th sample, and $w_{1,i}$ is the initial weight of the $i$-th sample, $w_{1,i} = 1/N$, $i = 1, 2, \ldots, N$; $Z$ is a normalization factor that ensures the weights in $D_2$ sum to 1; $y_i$ is the true value and $G_1(x_i)$ is the predicted value of the first classifier, so that $y_i G_1(x_i) = 1$ when the prediction is correct and $y_i G_1(x_i) = -1$ when the prediction is wrong; $\alpha$ is a weight parameter, $0 < \alpha < 1$, and the larger $\alpha$ is, the more pronounced the update of $w_{2,i}$;
Step 7.4: Divide the training sample set with the updated weight distribution into 8 parts in equal proportion, use 7 parts for training and 1 part for testing, and train and verify the second classifier; one round of training is traversed to obtain the classification error rate of the second classifier, denoted as $e_{LSSVM}$;
Step 7.5: Calculate the weight coefficient $\alpha_{LSSVM}$ of the second classifier in the strong classifier evolution model,
Step 7.6: Construct the trained strong classifier evolution model, expressed as follows:
G(x)=sign(f(x))
$f(x) = \alpha_{NN} G_{NN}(x) + \alpha_{LSSVM} G_{LSSVM}(x)$
where $G(x)$ represents the strong classifier evolution model, $f(x)$ represents the linear combination of the two classifiers, and $\alpha_{NN}$ and $\alpha_{LSSVM}$ are weight coefficients representing the degree of importance of the first classifier and the second classifier; sign(·) indicates that the system is judged to be normal as 1 and abnormal as -1, which finally achieves the purpose of classification.
The above classification error rate (weighted error function) is calculated by:
where $N$ is the number of samples; $G_{NN}(x_i)$ and $G_{LSSVM}(x_i)$ are the outputs of the NN and LSSVM models for sample $x_i(x_{i1}, x_{i2}, x_{i3})$; $y_i$ is the label of the actual state of the sample (1 for normal, -1 for abnormal); $P(G_{NN}(x_i) \neq y_i)$ and $P(G_{LSSVM}(x_i) \neq y_i)$ are the probabilities that the two models misjudge sample $x_i(x_{i1}, x_{i2}, x_{i3})$; $w_{NNi}$ and $w_{LSSVMi}$ are the weights of DTU sample $x_i(x_{i1}, x_{i2}, x_{i3})$ in the current round, that is, the weight distribution of the data set rather than parameters internal to the classifier.
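The training flow of steps 7.1 to 7.6, as an added example that is not code from the patent: 8-fold out-of-fold predictions, weighted error, classifier coefficient, sample re-weighting and the sign combination. The coefficient and update formulas did not survive on this page, so the standard AdaBoost forms are assumed; the weighted nearest-mean learners are hypothetical stand-ins for the NN and LSSVM, and the sample records are constructed.

```python
import math

# Constructed records (cpu_usage, d_flow); label +1 normal, -1 abnormal.
# Records 3 and 5 are busy-but-normal terminals; record 12 is a low-traffic anomaly.
X = [(0.25, 0.10)] * 8 + [(0.85, 0.70)] * 8
X[3] = X[5] = (0.80, 0.10)
X[12] = (0.85, 0.15)
Y = [1] * 8 + [-1] * 8


def make_centroid_learner(feature):
    """Hypothetical stand-in classifier: weighted nearest class mean on one feature."""
    def fit(xs, ys, ws):
        mean = {}
        for label in (1, -1):
            total = sum(w for y, w in zip(ys, ws) if y == label)
            mean[label] = sum(w * x[feature] for x, y, w in zip(xs, ys, ws)
                              if y == label) / total
        return lambda x: 1 if abs(x[feature] - mean[1]) <= abs(x[feature] - mean[-1]) else -1
    return fit


def out_of_fold_predictions(fit, xs, ys, ws, k=8):
    """Split into S1..Sk, train H_f on the other k-1 parts, predict the held-out part."""
    n = len(xs)
    if n % k:
        raise ValueError("sample count must divide evenly into k parts")
    size = n // k
    preds = [0] * n
    for f in range(k):
        test = range(f * size, (f + 1) * size)
        train = [i for i in range(n) if i not in test]
        model = fit([xs[i] for i in train], [ys[i] for i in train], [ws[i] for i in train])
        for i in test:
            preds[i] = model(xs[i])
    return preds


def weighted_error(preds, ys, ws):
    """Sum of the current-round weights of the misjudged samples."""
    return sum(w for p, y, w in zip(preds, ys, ws) if p != y)


def classifier_weight(err):
    """Assumed standard AdaBoost coefficient 0.5 * ln((1 - e) / e)."""
    if not 0.0 < err < 0.5:
        raise ValueError("error rate must lie strictly between 0 and 0.5")
    return 0.5 * math.log((1.0 - err) / err)


def update_weights(ws, preds, ys, alpha):
    """w_2i = w_1i * exp(-alpha * y_i * G_1(x_i)) / Z, with Z normalizing the sum to 1."""
    raw = [w * math.exp(-alpha * y * p) for w, p, y in zip(ws, preds, ys)]
    z = sum(raw)
    return [r / z for r in raw]


def strong_classifier(alpha_nn, g_nn, alpha_lssvm, g_lssvm):
    """G(x) = sign(f(x)); a tie at 0 is treated as abnormal (assumption)."""
    return 1 if alpha_nn * g_nn + alpha_lssvm * g_lssvm > 0 else -1


def train_ensemble(xs, ys):
    n = len(xs)
    d1 = [1.0 / n] * n
    g1 = out_of_fold_predictions(make_centroid_learner(0), xs, ys, d1)
    a1 = classifier_weight(weighted_error(g1, ys, d1))
    d2 = update_weights(d1, g1, ys, a1)
    g2 = out_of_fold_predictions(make_centroid_learner(1), xs, ys, d2)
    a2 = classifier_weight(weighted_error(g2, ys, d2))
    final = [strong_classifier(a1, p, a2, q) for p, q in zip(g1, g2)]
    return {"alpha_nn": a1, "alpha_lssvm": a2, "d2": d2,
            "g_nn": g1, "g_lssvm": g2, "final": final}


RESULT = train_ensemble(X, Y)

if __name__ == "__main__":
    print(RESULT["alpha_nn"], RESULT["alpha_lssvm"])
    print([i for i, (p, y) in enumerate(zip(RESULT["final"], Y)) if p != y])
```

With hard ±1 votes from only two classifiers, sign(f(x)) follows the classifier with the larger coefficient whenever they disagree, which is why record 12 is still missed here; feeding the classifiers' continuous outputs into f(x) lets both contribute.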
Step 8: A working block diagram of the DTU-oriented intrusion detection system is shown in fig. 4. Specifically, the evolution model is used to perform intrusion detection on the DTU data and to determine whether the power distribution terminal is in a normal working state or in an abnormal state under attack; if the state is abnormal, an alarm is sent, thereby implementing intrusion detection and active defense for the power distribution terminal.
In one embodiment of the present invention, a machine learning based DTU intrusion detection system for a power distribution terminal is further described. The system comprises:
the data collection subsystem is used for collecting DTU information data of the power distribution terminal;
the data transmission subsystem is used for transmitting the data collected by the data collection subsystem to the data processing subsystem;
and the data processing subsystem is used for preprocessing the DTU information data, extracting the characteristic value, constructing and training a strong classifier evolution model, detecting the working state of the DTU of the power distribution terminal in real time by using the trained strong classifier evolution model, and sending an alarm if the state is abnormal.
Wherein, the data processing subsystem includes:
the data preprocessing module is used for preprocessing DTU information data to obtain an original feature set, screening out a preset number of features from the original feature set through a principal component analysis method to serve as final features, and obtaining a training sample set;
the first classifier module is configured with a neural network model consisting of an input layer, a hidden layer and an output layer;
a second classifier module configured with a least squares support vector machine model;
the classifier training model is used for respectively training the first classifier module and the second classifier module, and the training process is as follows:
in the training process of a first classifier module, an original training sample set is used as training data, training and verification are carried out on a first classifier in an 8-fold cross verification mode, a first classifier weight coefficient is obtained, and a trained first classifier model file is stored;
then, updating weight distribution of an original training sample set according to the training effect of the first classifier, training and verifying a second classifier by using the updated training sample set as training data in an 8-fold cross verification mode to obtain a weight coefficient of the second classifier, and storing a trained model file of the second classifier;
and the strong classifier evolution model building module is used for loading the trained first classifier model file and the trained second classifier model file and building a strong classifier evolution model according to the weight coefficients of the two classifiers so as to carry out real-time detection on the working state of the DTU of the power distribution terminal.
The DTU intrusion detection system for the power distribution terminal based on the machine learning specifically comprises port identification, data acquisition, transmission, data processing and dimension reduction of the power distribution terminal, construction of a classifier based on a neural network and a least square support vector machine, intrusion behavior detection experiments of the power distribution terminal, and timely alarming when abnormality occurs. The method adopts a principal component analysis method to reduce high-dimensional characteristic data, and then utilizes the characteristic after dimensional reduction to establish a model; secondly, a strong classifier is constructed by adopting a least square support vector machine and a neural network algorithm so as to improve the detection accuracy and reduce the false alarm rate; finally, the intrusion detection system framework adopts a modular design, is suitable for intrusion detection in the field of smart power grids, and has good portability and universality.
The foregoing lists merely illustrate specific embodiments of the invention. It is obvious that the invention is not limited to the above embodiments, but that many variations are possible. All modifications which can be derived or suggested by a person skilled in the art from the disclosure of the present invention are to be considered within the scope of the invention.
Claims (8)
1. A DTU intrusion detection method of a power distribution terminal based on machine learning is characterized by comprising the following steps:
step 1: establishing a C/S communication framework of a server-client, creating a socket object, and collecting DTU information data of a power distribution terminal;
step 2: preprocessing DTU information data to obtain an original feature set, screening out a preset number of features from the original feature set through a principal component analysis method to serve as final features, and obtaining a training sample set;
step 3: building a neural network model composed of an input layer, a hidden layer and an output layer as a first classifier, wherein the input layer is responsible for receiving the screened final features, the hidden layer is used for processing feature values and comprises the initial weights, network objective functions and activation functions of the feature values, and the output layer is responsible for outputting the neural network result;
step 4: building a least squares support vector machine model as a second classifier, mapping the screened final features to a high-dimensional feature space through nonlinear mapping, then constructing an optimal decision function in the high-dimensional feature space based on the structural risk minimization principle, replacing the dot product operation in the high-dimensional feature space with a kernel function of the original space, and outputting the result of the least squares support vector machine;
step 5: performing ensemble learning on the first classifier and the second classifier to form a strong classifier evolution model; in ensemble learning, first training and verifying the first classifier in an 8-fold cross verification mode using the training sample set to obtain the classification error rate of the first classifier, and further calculating the weight coefficient of the first classifier in the strong classifier evolution model; then updating the weight distribution of the training sample set to increase the weight of samples predicted wrongly by the first classifier and decrease the weight of samples predicted correctly, and then normalizing all weights; training and verifying the second classifier in an 8-fold cross verification mode using the training sample set with the updated weight distribution to obtain the classification error rate of the second classifier, and further calculating the weight coefficient of the second classifier in the strong classifier evolution model; finally, forming a trained strong classifier evolution model;
step 6: acquiring DTU information data of the power distribution terminal in real time through a C/S communication framework of a server-client, extracting features according to the screening result of the step 3, carrying out real-time intrusion detection on the DTU feature data by using a trained strong classifier evolution model, judging whether the DTU of the power distribution terminal is in a normal working state or in an abnormal working state suffering from attack, and giving an alarm if the DTU is in the abnormal working state.
2. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 1 specifically comprises:
step 1.1: respectively creating socket objects of the DTU and the host;
step 1.2: binding a server address to realize communication between the power distribution terminal and the host;
step 1.3: the method comprises the steps that a host periodically collects DTU information data of a power distribution terminal;
if an acquired numerical feature variable has a missing value, the feature is filled in using the linear interpolation method; in the formula, $y_0$ and $x_0$ are respectively the feature value of the previous record of the DTU feature data and the line number of the corresponding feature, and $y_1$ and $x_1$ are respectively the feature value of the next record of the DTU feature data and the line number of the corresponding feature.
3. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 2 specifically comprises:
step 2.1: calculating the connection duration $t_{link}$ between the power distribution terminal DTU and the host,
$t_{link} = t_{cls} - t_{str}$
where $t_{cls}$ is the timestamp at which the connection is closed and $t_{str}$ is the timestamp at which the connection is started;
step 2.2: calculating the average number of received data bytes $d_{receive\_byte}$ of the power distribution terminal DTU,
where $d_{receive\_bit}$ is the number of bits of data received within the time $t_{link}$;
step 2.3: calculating the average number of sent data bytes $d_{send\_byte}$ of the power distribution terminal DTU,
where $d_{send\_bit}$ is the number of bits of data sent within the time $t_{link}$;
step 2.4: calculating the average network flow $d_{flow}$ of the power distribution terminal DTU,
$d_{flow} = |d_{send\_byte} - d_{receive\_byte}|$
where $d_{flow}$ is the average network flow of the power distribution terminal DTU within the time $t_{link}$;
step 2.5: taking the memory occupancy rate, the CPU utilization rate, the destination address of the data packet, the source address of the data packet, the length of the data packet, the power consumption, the temperature, the connection duration, the average number of received data bytes, the average number of sent data bytes and the average network flow as original features; performing eigenvalue decomposition on the covariance matrix of the original feature samples of the acquired DTU feature data by the principal component analysis method, solving the eigenvectors, selecting the first q principal component features as final features according to the magnitude of the eigenvalues, and obtaining a training sample set.
4. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 3 specifically comprises:
step 3.1: building a neural network model composed of an input layer, a hidden layer and an output layer as a first classifier;
step 3.2: initializing the parameters of the neural network model, wherein the weight of each neuron is randomly generated to produce the initial weights, and the offset value $b_0$ is initialized to a random number; setting an activation function and a loss function;
step 3.3: pre-training the neural network model using a first sample set, first computing the neural network activation value,
where $n$ represents the number of iterations, $X_i$ represents the $i$-th feature in the training sample set, $q$ is the total number of features in the training sample set, representing the weight of the $i$-th feature value at the $n$-th iteration, and $b_n$ represents the neural network bias value; the range of the activation value is (1, -1); when the final output neural network result is higher than the threshold, the power distribution terminal is in a safe state, otherwise, the power distribution terminal is abnormal;
step 3.4: performing iterative training on the neural network model according to the loss function value, optimizing the parameters by the gradient descent method,
where $w_{n+1}$ is the weight at the $(n+1)$-th iteration, $w_n$ is the weight at the $n$-th iteration, $x$ represents the feature data vector of a sample, $J_n(w, b)$ represents the loss function, i.e. the square of the difference between the predicted value and the actual value, an output value representing the neural network model, representing a predicted value of the terminal state by the activation function; $b_{n+1}$ is the neural network bias value at the $(n+1)$-th iteration, and $b_n$ is the neural network bias value at the $n$-th iteration.
5. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 4 specifically comprises:
step 4.1: building a least square support vector machine model as a second classifier;
step 4.2: determining a classification surface and an optimal hyperplane equation of the DTU state, wherein the classification surface and the optimal hyperplane satisfy the following conditions:
H:w·x+b=0
where $X_i$ represents the $i$-th feature in the training sample set, $q$ is the total number of features in the training sample set, $w_i$ represents the weight of the $i$-th feature value, $b$ represents the offset value of the plane, $x$ represents the feature data vector of a sample, and $w$ represents the hyperplane parameter;
step 4.3: the least squares support vector machine model converts the inequality constraints of the SVM optimization problem into equality constraints, introduces an error variable for each sample, and adds a regularization term for the error variables to the function, converting the optimization problem into:
where $\|\cdot\|_2$ denotes the L2 norm, $\lambda$ denotes the regularization parameter, $N$ denotes the number of samples, $e_i$ denotes the error variable of the sample, representing the geometric spacing of the samples, and $y_i$ represents the true value of the $i$-th sample;
step 4.4: pre-training the least squares support vector machine model using a first sample set;
first, the optimization problem is converted into its Lagrange function, where $\alpha_i$ denotes the Lagrange multiplier corresponding to $x_i$,
then the derivative of the Lagrange function is taken with respect to each variable and set to zero:
finally, the system of equations is written in block matrix equation form, and the Lagrange multipliers $\alpha = [\alpha_1, \alpha_2, \ldots, \alpha_N]^T$ and $b$ are solved using the kernel function;
step 4.5: the output result of the least square support vector machine model is a numerical value in the (-1,1) interval, when the final output result of the least square support vector machine is higher than 0, the power distribution terminal is in a safe state, otherwise, the power distribution terminal is abnormal.
6. The machine learning-based DTU intrusion detection method for the power distribution terminal according to claim 1, wherein the step 5 specifically comprises:
step 5.1: dividing the training sample set into 8 parts in equal proportion; using 7 of the samples for training and 1 sample for testing, the classification error rate $e_i(x)$ is obtained; one round of training is traversed to obtain 8 prediction output results in total, and the classification error rate obtained for the first classifier is denoted as $e_{NN}$;
step 5.2: calculating the weight coefficient $\alpha_{NN}$ of the first classifier in the strong classifier evolution model,
step 5.3: updating the weight distribution of the training sample set,
$D_2 = (w_{2,1}, \ldots, w_{2,i}, \ldots, w_{2,N})$
where $N$ is the number of samples; $D_2$ is the updated weight set; $w_{2,i}$ is the updated weight of the $i$-th sample, and $w_{1,i}$ is the initial weight of the $i$-th sample, $w_{1,i} = 1/N$, $i = 1, 2, \ldots, N$; $Z$ is a normalization factor that ensures the weights in $D_2$ sum to 1; $y_i$ is the true value and $G_1(x_i)$ is the predicted value of the first classifier, so that $y_i G_1(x_i) = 1$ when the prediction is correct and $y_i G_1(x_i) = -1$ when the prediction is wrong; $\alpha$ is a weight parameter, $0 < \alpha < 1$, and the larger $\alpha$ is, the more pronounced the update of $w_{2,i}$;
step 5.4: dividing the training sample set with the updated weight distribution into 8 parts in equal proportion, using 7 parts for training and 1 part for testing, training and verifying the second classifier, and traversing one round of training to obtain the classification error rate of the second classifier, denoted as $e_{LSSVM}$;
step 5.5: calculating the weight coefficient $\alpha_{LSSVM}$ of the second classifier in the strong classifier evolution model,
step 5.6: constructing the trained strong classifier evolution model, expressed as follows:
G(x)=sign(f(x))
$f(x) = \alpha_{NN} G_{NN}(x) + \alpha_{LSSVM} G_{LSSVM}(x)$
where $G(x)$ represents the strong classifier evolution model, $f(x)$ represents the linear combination of the two classifiers, and $G_{NN}(x)$ and $G_{LSSVM}(x)$ represent the output of the NN model and the output of the LSSVM model respectively; $\alpha_{NN}$ and $\alpha_{LSSVM}$ are weight coefficients representing the degree of importance of the first classifier and the second classifier; sign(·) indicates that the system is judged to be normal as 1 and abnormal as -1, which finally achieves the purpose of classification.
7. A DTU intrusion detection system for a power distribution terminal based on machine learning based on the method of claim 1, comprising:
the data collection subsystem is used for collecting DTU information data of the power distribution terminal;
the data transmission subsystem is used for transmitting the data collected by the data collection subsystem to the data processing subsystem;
and the data processing subsystem is used for preprocessing the DTU information data, extracting the characteristic value, constructing and training a strong classifier evolution model, detecting the working state of the DTU of the power distribution terminal in real time by using the trained strong classifier evolution model, and sending an alarm if the state is abnormal.
8. The DTU intrusion detection system according to claim 7, wherein the data processing subsystem comprises:
the data preprocessing module is used for preprocessing DTU information data to obtain an original feature set, screening out a preset number of features from the original feature set through a principal component analysis method to serve as final features, and obtaining a training sample set;
the first classifier module is configured with a neural network model consisting of an input layer, a hidden layer and an output layer;
a second classifier module configured with a least squares support vector machine model;
the classifier training model is used for respectively training the first classifier module and the second classifier module, and the training process is as follows:
in the training process of a first classifier module, an original training sample set is used as training data, a first classifier is trained and verified in an 8-fold cross validation mode, a first classifier weight coefficient is obtained, and a trained first classifier model file is stored;
then, updating weight distribution of an original training sample set according to the training effect of the first classifier, training and verifying a second classifier by using the updated training sample set as training data in an 8-fold cross verification mode to obtain a weight coefficient of the second classifier, and storing a trained model file of the second classifier;
and the strong classifier evolution model building module is used for loading the trained first classifier model file and the trained second classifier model file and building a strong classifier evolution model according to the weight coefficients of the two classifiers so as to carry out real-time detection on the working state of the DTU of the power distribution terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011073339.6A CN112187820B (en) | 2020-10-09 | 2020-10-09 | Power distribution terminal DTU intrusion detection method and system based on machine learning |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112187820A CN112187820A (en) | 2021-01-05 |
CN112187820B true CN112187820B (en) | 2022-10-21 |
Family
ID=73948595
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011073339.6A Active CN112187820B (en) | 2020-10-09 | 2020-10-09 | Power distribution terminal DTU intrusion detection method and system based on machine learning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112187820B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||