CN112217792A - Encrypted malicious flow detection device and method supporting variable-length input - Google Patents


Info

Publication number
CN112217792A
Authority
CN
China
Prior art keywords
module
data
network
flow
length
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202010919830.XA
Other languages
Chinese (zh)
Inventor
赵博
翟明芳
刘勤让
吕平
沈剑良
陈艇
高彦钊
虎艳宾
张文建
张霞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202010919830.XA
Publication of CN112217792A
Legal status: Withdrawn

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/045: Combinations of networks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention belongs to the technical field of network security and discloses a device and a method for detecting encrypted malicious traffic that support variable-length input. The device comprises a network traffic capturing module, a data preprocessing module, a 1-dimensional convolutional neural network module, a pyramid pooling layer module, a fully connected layer module, a classifier module and a malicious traffic processing module. By introducing the pyramid pooling mechanism, the detection mechanism gains the ability to process variable-length network traffic data, that is, network traffic data of any dimension can be input into the detection model and detected effectively. Because the invention requires no additional processing of the traffic data and works on the original traffic data, it reflects the traffic more completely and accurately and avoids damaging or losing network traffic features.

Description

Encrypted malicious flow detection device and method supporting variable-length input
Technical Field
The invention belongs to the technical field of network security, and particularly relates to an encrypted malicious flow detection device and method supporting variable-length input.
Background
With the rapid development of information and communication technology, network security problems have become increasingly prominent. To protect the security of communication, various encryption techniques are widely used in the communication process. However, traffic encryption also gives attackers an opening: they use encryption to hide malicious intent, evade detection systems and carry out covert attacks.
Because of privacy protection requirements, current approaches to encrypted traffic focus on detecting malicious traffic without decryption, and methods such as machine learning and deep learning are favored by more and more enterprises and practitioners for their excellent classification and identification performance. The well-known network security company Cisco (BLAKE A, DAVID M. Identifying encrypted malware traffic with contextual flow data [C]// ACM Workshop on Artificial Intelligence and Security (AISec). 2016: 35-46.) and Guancheng Technology (GUANCHENG TECHNOLOGY. A report on the counter's first detection in for encrypted malicious traffic [EB]) use methods such as logistic regression and random forest, respectively, to detect encrypted malicious traffic.
Existing detection methods generally require input data of a fixed dimension, so the traffic data needs additional preprocessing, for which two methods are mainly used. One applies feature engineering to extract traffic features and then uses the feature data to detect encrypted malicious traffic (TORROLEDO I, CAMACHO L D, BAHNSEN A C. Hunting malicious TLS certificates with deep neural networks [C]// 11th ACM Workshop on Artificial Intelligence and Security. 2018: 64-73.); the other slices the original data to a fixed input dimension (padding with zeros where the data is too short) and then detects encrypted malicious traffic with a deep learning algorithm (WANG W, ZHU M, WANG J, et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks [C]// IEEE International Conference on Intelligence and Security Informatics. 2017: 43-48.).
Extracting traffic features by feature engineering requires analysing the completeness and redundancy of the features, consumes considerable manpower and is relatively complex. Slicing the original traffic dispenses with complex feature engineering, but the original data must be truncated or zero-filled during slicing, which damages the original features of the network traffic data to some extent. At their core, both methods transform variable-length network traffic data into a fixed length to match the input dimension required by the detection model; some traffic features are inevitably lost in the process, which affects the accuracy of encrypted malicious traffic detection.
Disclosure of Invention
The invention provides an encrypted malicious traffic detection device and method supporting variable-length input. It addresses the problem that both feature engineering and slicing of the original traffic, at their core, convert variable-length network traffic data into a fixed length to match the input dimension required by the detection model, and in doing so inevitably lose some traffic features and reduce the accuracy of encrypted malicious traffic detection.
In order to achieve the purpose, the invention adopts the following technical scheme:
An encrypted malicious traffic detection device supporting variable-length input, comprising: a network traffic capturing module, a data preprocessing module, a 1-dimensional convolutional neural network module, a pyramid pooling layer module, a fully connected layer module, a classifier module and a malicious traffic processing module;
the network traffic capturing module is used for collecting original network traffic at the network card node; the data length of the original network traffic is not fixed;
the data preprocessing module is used for cleaning the original network traffic data, removing invalid traffic data, dividing the traffic data into dimensions byte by byte, and converting the data into a data format suitable for input to a 1-dimensional convolutional neural network, to obtain variable-length network traffic data;
the 1-dimensional convolutional neural network module is used for receiving the variable-length network traffic data sent by the data preprocessing module and automatically learning and extracting network traffic data features, to obtain a corresponding variable-length feature map;
the pyramid pooling layer module is used for converting the variable-length feature map sent by the 1-dimensional convolutional neural network module into a feature map of fixed dimension and sending it to the fully connected layer module;
the fully connected layer module is used for merging the fixed-dimension feature maps of the pyramid pooling layer module into one-dimensional output data and sending the one-dimensional output data to the classifier module;
the classifier module is used for detecting the network traffic according to the network traffic data features sent by the fully connected layer module and identifying encrypted malicious traffic;
and the malicious traffic processing module is used for processing the malicious traffic according to the detection result.
Further, the 1-dimensional convolutional neural network module is composed of multiple 1-dimensional convolutional layers and one max pooling layer, and outputs feature maps of different dimensions for inputs of different dimensions.
Further, the pyramid pooling layer module is a 1-dimensional pyramid pooling layer and comprises a plurality of pooling kernels, each of which extracts network traffic data features of a fixed dimension.
Further, the fully connected layer module is one fully connected layer.
Further, the classifier module consists of one fully connected layer and one Softmax layer.
An encrypted malicious traffic detection method supporting variable-length input comprises the following steps:
Step 1: the network traffic capturing module collects original network traffic at the network card; the data length of the original network traffic is not fixed;
Step 2: the data preprocessing module preprocesses the original network traffic, including cleaning the data, removing invalid traffic data, and dividing the traffic data into dimensions byte by byte so as to convert it into a data format suitable for input to a 1-dimensional convolutional neural network;
Step 3: the 1-dimensional convolutional neural network extracts features of the network traffic data and outputs feature maps of different dimensions for inputs of different dimensions;
Step 4: for the feature maps output by the 1-dimensional convolutional neural network, the pyramid pooling layer module is applied to each feature map to extract fixed-dimension features, converting variable-length input data into fixed-length output data;
Step 5: the fully connected layer module merges the data output by the pyramid pooling layer module into one-dimensional output data and sends it to the classifier module;
Step 6: the classifier module classifies the traffic according to the input network traffic data features, identifies malicious traffic, and passes the malicious traffic to the malicious traffic processing module;
Step 7: the malicious traffic processing module processes the malicious traffic according to the classification result.
Compared with the prior art, the invention has the following beneficial effects:
By introducing the pyramid pooling mechanism, the detection mechanism gains the ability to process variable-length network traffic data, that is, network traffic data of any dimension can be input into the detection model and detected effectively. Because the invention requires no additional processing of the traffic data and works on the original traffic data, it reflects the traffic more completely and accurately and avoids damaging or losing network traffic features. In addition, the processing works at byte precision, that is, one byte is used as one input dimension, so the granularity is finer, the traffic features are represented in more detail, and the detection accuracy is improved.
Drawings
Fig. 1 is a schematic structural diagram of an encrypted malicious traffic detection apparatus supporting variable-length input according to an embodiment of the present invention;
Fig. 2 is a basic flowchart of an encrypted malicious traffic detection method supporting variable-length input according to an embodiment of the present invention;
Fig. 3 is a second schematic structural diagram of an encrypted malicious traffic detection apparatus supporting variable-length input according to a second embodiment of the present invention;
Fig. 4 is a schematic diagram of a pyramid pooling layer structure of an encrypted malicious traffic detection apparatus supporting variable-length input according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
As shown in Fig. 1, an encrypted malicious traffic detection apparatus supporting variable-length input includes: a network traffic capturing module, a data preprocessing module, a 1-dimensional convolutional neural network (1D-CNN) module, a pyramid pooling layer (PP) module, a fully connected layer module, a classifier module and a malicious traffic processing module.
The network traffic capturing module is used for collecting original network traffic at the network card node; the data length of the original network traffic is not fixed.
The data preprocessing module is used for cleaning the original network traffic data, removing invalid traffic data, dividing the traffic data into dimensions byte by byte, and converting the data into a data format suitable for input to a 1-dimensional convolutional neural network, to obtain variable-length network traffic data.
The 1-dimensional convolutional neural network module is used for receiving the variable-length network traffic data sent by the data preprocessing module and automatically learning and extracting network traffic data features, to obtain a corresponding variable-length feature map.
The pyramid pooling layer module is used for converting the variable-length feature map sent by the 1-dimensional convolutional neural network module into a feature map of fixed dimension and sending it to the fully connected layer module.
The fully connected layer module is used for merging the fixed-dimension feature maps of the pyramid pooling layer module into one-dimensional output data and sending the one-dimensional output data to the classifier module.
The classifier module is used for detecting the network traffic according to the network traffic data features sent by the fully connected layer module and identifying encrypted malicious traffic.
The malicious traffic processing module is used for processing the malicious traffic according to the detection result.
Specifically, the data preprocessing module preprocesses the original network traffic. Let the length of a traffic packet sample x be len(x); the sample is converted into input data of dimension 1 × len(x). A traffic set containing m samples is written as m × len(x); note that len(x) is variable rather than fixed, so this expression is not a true matrix.
Further, the 1-dimensional convolutional neural network module is composed of multiple 1-dimensional convolutional layers and one max pooling layer, and outputs feature maps of different dimensions for inputs of different dimensions. Specifically, for sample data input as 1 × len(x), each convolution kernel of a convolutional layer is convolved with the input sample data and outputs a feature map of 1 × len(x); the feature map is then sent to the max pooling layer, which reduces the dimension of the data and outputs a feature map of dimension 1 × len(x)/std, where std is the dimension of the max pooling kernel. If a convolutional layer has n convolution kernels, n feature maps are output.
Further, the pyramid pooling layer module is a 1-dimensional pyramid pooling layer and comprises a plurality of pooling kernels, each of which extracts network traffic data features of a fixed dimension. In particular, different pooling kernels extract data features at different levels, so as to reflect features at different levels of the data. Unlike ordinary pooling, pyramid pooling segments the input feature map data according to the output dimension. The pyramid pooling layer module has i pooling kernels whose output dimensions are $\{l_1, l_2, \ldots, l_i\}$, and the output dimension of the pyramid pooling layer is
Figure BDA0002666334960000051
If the input feature map received by the pyramid pooling layer module is of dimension 1 × len(x)/std, then because len(x) is variable the feature map is variable-length; in this case the j-th pooling kernel divides the variable-length feature map into $l_j$ parts and extracts 1 feature value from each part, $l_j$ features in total, so its output is $l_j$-dimensional, which converts variable-length input into fixed-length output.
Further, the fully connected layer module is one fully connected layer. Specifically, the fully connected layer module merges the n k-dimensional data output by the n convolution kernels of the last convolutional layer in the 1-dimensional convolutional neural network module into one-dimensional output data of size 1 × (n × k), and sends this output data to the classifier module.
Further, the classifier module consists of one fully connected layer and one Softmax layer.
On the basis of the above embodiment, as shown in fig. 2, the present invention further discloses a method for detecting encrypted malicious traffic supporting variable-length input, including:
Step S101: the network traffic capturing module collects original network traffic at the network card; the data length of the original network traffic is not fixed;
Step S102: the data preprocessing module preprocesses the original network traffic, including cleaning the data, removing invalid traffic data, and dividing the traffic data into dimensions byte by byte so as to convert it into a data format suitable for input to a 1-dimensional convolutional neural network;
Step S103: the 1-dimensional convolutional neural network extracts features of the network traffic data and outputs feature maps of different dimensions for inputs of different dimensions;
Step S104: for the feature maps output by the 1-dimensional convolutional neural network, the pyramid pooling layer module is applied to each feature map to extract fixed-dimension features, converting variable-length input data into fixed-length output data;
Step S105: the fully connected layer module merges the data output by the pyramid pooling layer module into one-dimensional output data and sends it to the classifier module;
Step S106: the classifier module classifies the traffic according to the input network traffic data features, identifies malicious traffic, and passes the malicious traffic to the malicious traffic processing module;
Step S107: the malicious traffic processing module processes the malicious traffic according to the classification result.
As a specific possible embodiment, as shown in Fig. 3, the 1-dimensional convolutional neural network (1D-CNN) module comprises 4 1-dimensional convolutional layers (Conv1D-1, Conv1D-2, Conv1D-3, Conv1D-4) and 1 max pooling layer (Pooling1D-1), and the last convolutional layer (Conv1D-4) has 256 convolution kernels, i.e. 256 channels; the fully connected layer module consists of 1 fully connected layer (Dense1); the classifier module consists of 1 fully connected layer (Dense2) and 1 Softmax layer. As shown in Fig. 4, the pyramid pooling layer module has 3 pooling kernels: the 1st pooling kernel divides the input variable-length feature map into 1 part and extracts 1 feature; the 2nd pooling kernel divides the variable-length feature map into 2 parts and extracts 2 features; the 3rd pooling kernel divides the variable-length feature map into 4 parts and extracts 4 features. The pyramid pooling layer therefore extracts 7 features, i.e. its output data is 7-dimensional. The same operation is performed for each channel of the convolutional layer: because the last convolutional layer has 256 convolution kernels, i.e. 256 channels, and each channel outputs 7 feature values, the dimension of the final output data is 256 times 7, i.e. 1792. The 1792-dimensional data is then sent to the fully connected layer module for processing, and the classifier module detects encrypted malicious traffic.
Based on this specific encrypted malicious traffic detection device supporting variable-length input, the implementation steps are as follows:
firstly, the network traffic capturing module collects a network traffic pcap file at the network card;
secondly, the pcap file is preprocessed, mainly by cleaning the data, removing invalid traffic data, and dividing the traffic data into dimensions byte by byte so as to convert it into a data format suitable for input to the 1-dimensional convolutional neural network (1D-CNN) module;
thirdly, the 1D-CNN network, which comprises 4 1-dimensional convolutional layers and 1 max pooling layer, extracts features of the network traffic data and outputs feature maps of different dimensions for inputs of different dimensions. For each input, each convolution kernel of a convolutional layer is one channel and outputs one feature map, so 256 convolution kernels output 256 feature maps;
fourthly, for the 256 feature maps output by the 256 convolution kernels of the last convolutional layer of the 1D-CNN network, the pyramid pooling layer module extracts fixed-dimension features, namely 7-dimensional features, from each feature map, converting variable-length input data into fixed-length 7-dimensional output data;
fifthly, the fully connected layer module combines the 256 pieces of 7-dimensional data produced by pyramid pooling into one-dimensional output data, namely 1 × 1792-dimensional data;
sixthly, the fully connected layer of the classifier module receives the 1 × 1792-dimensional feature data output in the fifth step and performs feature extraction again to classify the network traffic; the Softmax layer of the classifier module identifies encrypted malicious traffic according to the output of the fully connected layer;
seventhly, the malicious traffic processing module processes the identified malicious traffic.
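The variable-length to fixed-length conversion of the embodiment above, as an added example that is not part of the patent text: it runs payloads of different lengths through byte-level input, one convolution stage, max pooling and the 1/2/4 pyramid pooling, and contrasts the result with fixed-length slicing. Assumptions: max is used as the per-segment statistic, bytes are scaled to [0, 1], one convolution layer with untrained placeholder kernels (DEMO_KERNELS) stands in for the four trained layers, and the payloads are constructed byte strings.

```python
"""1-D pyramid pooling over variable-length byte sequences (added illustration)."""

PYRAMID_LEVELS = (1, 2, 4)  # segments per pooling kernel in the embodiment: 1 + 2 + 4 = 7

# Hypothetical, untrained 3-tap kernels standing in for the 256 channels of Conv1D-4.
DEMO_KERNELS = [[(c % 7 + 1) / 10.0, 0.5, ((c * 3) % 5) / 10.0] for c in range(256)]


def bytes_to_input(payload):
    """One byte is one input dimension (1 x len(x)); scaling to [0, 1] is an assumption."""
    return [b / 255.0 for b in payload]


def conv1d_same(x, kernel):
    """1-D convolution with zero padding so the output length equals len(x)."""
    pad = len(kernel) // 2
    padded = [0.0] * pad + list(x) + [0.0] * pad
    return [sum(k * padded[i + j] for j, k in enumerate(kernel))
            for i in range(len(x))]


def max_pool1d(x, std):
    """Non-overlapping max pooling with kernel size std; a trailing partial window is kept."""
    return [max(x[i:i + std]) for i in range(0, len(x), std)]


def pyramid_pool1d(fmap, levels=PYRAMID_LEVELS):
    """Split fmap into l_j segments per level and keep one value (max) per segment.

    Segment bounds use floor(start) / ceil(end), so every segment is non-empty
    even when the feature map is shorter than the largest level.
    """
    n = len(fmap)
    if n == 0:
        raise ValueError("empty feature map: nothing to pool")
    out = []
    for bins in levels:
        for j in range(bins):
            start = (j * n) // bins              # floor(j * n / bins)
            end = -(-((j + 1) * n) // bins)      # ceil((j + 1) * n / bins)
            out.append(max(fmap[start:end]))
    return out


def extract_features(payload, kernels, std=2):
    """bytes -> conv -> max pool -> pyramid pool per channel, concatenated (n * 7 values)."""
    x = bytes_to_input(payload)
    features = []
    for kernel in kernels:
        fmap = max_pool1d(conv1d_same(x, kernel), std)
        features.extend(pyramid_pool1d(fmap))
    return features


def slice_fixed(payload, length):
    """Prior-art style preprocessing from the Background: truncate or zero-fill."""
    return payload[:length].ljust(length, b"\x00")


if __name__ == "__main__":
    # Constructed payloads: identical first 16 bytes, different tails.
    a = bytes(range(16)) + bytes(16)
    b = bytes(range(16)) + bytes([255]) * 16
    for name, payload in (("a", a), ("b", b), ("tiny", b"\x17\x03\x03")):
        feats = extract_features(payload, DEMO_KERNELS)
        print(name, "input bytes:", len(payload), "-> features:", len(feats))
    print("fixed 16-byte slices equal:", slice_fixed(a, 16) == slice_fixed(b, 16))
    print("pyramid features equal:   ",
          extract_features(a, DEMO_KERNELS) == extract_features(b, DEMO_KERNELS))
```

Every payload, including the 3-byte one whose pooled feature map is shorter than the 4-segment level, yields 1792 values, while the two payloads that a 16-byte slice cannot tell apart remain distinguishable.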
In summary, introducing the pyramid pooling mechanism gives the detection mechanism the ability to process variable-length network traffic data, that is, network traffic data of any dimension can be input into the detection model and detected effectively. Because the invention requires no additional processing of the traffic data and works on the original traffic data, it reflects the traffic more completely and accurately and avoids damaging or losing network traffic features. In addition, the processing works at byte precision, that is, one byte is used as one input dimension, so 500 bytes of network data is 500-dimensional; the granularity is finer, the traffic features are represented in more detail, and the detection accuracy is improved.
The above shows only the preferred embodiments of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the present invention, and these modifications and improvements should also be considered to fall within the protection scope of the present invention.

Claims (6)

1. An encrypted malicious traffic detection device supporting variable-length input, comprising: a network traffic capturing module, a data preprocessing module, a 1-dimensional convolutional neural network module, a pyramid pooling layer module, a fully connected layer module, a classifier module and a malicious traffic processing module;
the network traffic capturing module is used for collecting original network traffic at the network card node; the data length of the original network traffic is not fixed;
the data preprocessing module is used for cleaning the original network traffic data, removing invalid traffic data, dividing the traffic data into dimensions byte by byte, and converting the data into a data format suitable for input to a 1-dimensional convolutional neural network, to obtain variable-length network traffic data;
the 1-dimensional convolutional neural network module is used for receiving the variable-length network traffic data sent by the data preprocessing module and automatically learning and extracting network traffic data features, to obtain a corresponding variable-length feature map;
the pyramid pooling layer module is used for converting the variable-length feature map sent by the 1-dimensional convolutional neural network module into a feature map of fixed dimension and sending it to the fully connected layer module;
the fully connected layer module is used for merging the fixed-dimension feature maps of the pyramid pooling layer module into one-dimensional output data and sending the one-dimensional output data to the classifier module;
the classifier module is used for detecting the network traffic according to the network traffic data features sent by the fully connected layer module and identifying encrypted malicious traffic;
and the malicious traffic processing module is used for processing the malicious traffic according to the detection result.
2. The encrypted malicious traffic detection device supporting variable-length input according to claim 1, wherein the 1-dimensional convolutional neural network module is composed of multiple 1-dimensional convolutional layers and 1 max pooling layer, and outputs feature maps of different dimensions for inputs of different dimensions.
3. The encrypted malicious traffic detection device supporting variable-length input according to claim 1, wherein the pyramid pooling layer module is a 1-dimensional pyramid pooling layer and includes a plurality of pooling kernels, and each pooling kernel extracts network traffic data features of a fixed dimension.
4. The encrypted malicious traffic detection device supporting variable-length input according to claim 1, wherein the fully connected layer module is 1 fully connected layer.
5. The encrypted malicious traffic detection device supporting variable-length input according to claim 1, wherein the classifier module is composed of 1 fully connected layer and 1 Softmax layer.
6. An encrypted malicious traffic detection method supporting variable-length input, characterized by comprising the following steps:
Step 1: the network traffic capturing module collects original network traffic at the network card; the data length of the original network traffic is not fixed;
Step 2: the data preprocessing module preprocesses the original network traffic, including cleaning the data, removing invalid traffic data, and dividing the traffic data into dimensions byte by byte so as to convert it into a data format suitable for input to a 1-dimensional convolutional neural network;
Step 3: the 1-dimensional convolutional neural network extracts features of the network traffic data and outputs feature maps of different dimensions for inputs of different dimensions;
Step 4: for the feature maps output by the 1-dimensional convolutional neural network, the pyramid pooling layer module is applied to each feature map to extract fixed-dimension features, converting variable-length input data into fixed-length output data;
Step 5: the fully connected layer module merges the data output by the pyramid pooling layer module into one-dimensional output data and sends it to the classifier module;
Step 6: the classifier module classifies the traffic according to the input network traffic data features, identifies malicious traffic, and passes the malicious traffic to the malicious traffic processing module;
Step 7: the malicious traffic processing module processes the malicious traffic according to the classification result.
CN202010919830.XA 2020-09-04 2020-09-04 Encrypted malicious flow detection device and method supporting variable-length input Withdrawn CN112217792A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010919830.XA CN112217792A (en) 2020-09-04 2020-09-04 Encrypted malicious flow detection device and method supporting variable-length input

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010919830.XA CN112217792A (en) 2020-09-04 2020-09-04 Encrypted malicious flow detection device and method supporting variable-length input

Publications (1)

Publication Number Publication Date
CN112217792A true CN112217792A (en) 2021-01-12

Family

ID=74050298

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010919830.XA Withdrawn CN112217792A (en) 2020-09-04 2020-09-04 Encrypted malicious flow detection device and method supporting variable-length input

Country Status (1)

Country Link
CN (1) CN112217792A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115641177A (en) * 2022-10-20 2023-01-24 北京力尊信通科技股份有限公司 Prevent second and kill prejudgement system based on machine learning

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105894045A (en) * 2016-05-06 2016-08-24 电子科技大学 Vehicle type recognition method with deep network model based on spatial pyramid pooling
CN106462940A (en) * 2014-10-09 2017-02-22 微软技术许可有限责任公司 Generic object detection in images
CN106897714A (en) * 2017-03-23 2017-06-27 北京大学深圳研究生院 A kind of video actions detection method based on convolutional neural networks

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
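WEI WANG et al.: "End-to-end Encrypted Traffic Classification with One-dimensional Convolution Neural Networks", 《IEEE》 *
翟明芳 et al.: "Research on encrypted malicious traffic detection based on deep learning", 《网络与信息安全学报》 (Chinese Journal of Network and Information Security) *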

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115641177A (en) * 2022-10-20 2023-01-24 北京力尊信通科技股份有限公司 Prevent second and kill prejudgement system based on machine learning
CN115641177B (en) * 2022-10-20 2023-05-30 北京力尊信通科技股份有限公司 Second-prevention killing pre-judging system based on machine learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210112