CN112966261A - Lightweight scalable network traffic feature extraction tool and method - Google Patents

Lightweight scalable network traffic feature extraction tool and method Download PDF


Publication number
CN112966261A
Authority
CN
China
Prior art keywords
flow
mode
file
feature extraction
tool
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110249037.8A
Other languages
Chinese (zh)
Inventor
张微
雷军
牛翔
王媛娣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongdian Jizhi Hainan Information Technology Co Ltd
Original Assignee
Zhongdian Jizhi Hainan Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongdian Jizhi Hainan Information Technology Co Ltd
Priority to CN202110249037.8A
Publication of CN112966261A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a lightweight scalable network traffic feature extraction tool comprising an extraction tool body with two feature extraction modes: a flow mode, which extracts features per flow, and a file mode, which extracts features per pcap file. In flow mode the input traffic is split into flows by five-tuple and features are extracted for each flow separately; in file mode the tool treats all traffic in each pcap file as a whole. During feature extraction, packets are classified into three directional categories, uplink, downlink and bidirectional, according to their direction. The invention relates to the technical field of deep network traffic analysis and traffic feature extraction. The tool is easy to install and run, extracts traffic features automatically, and allows features to be added or removed dynamically by writing feature calculation functions and editing the feature configuration file, without modifying the source code.

Description

Lightweight scalable network traffic feature extraction tool and method
Technical Field
The invention relates to the technical field of deep analysis of network traffic and traffic feature extraction, in particular to a lightweight extensible tool and a method for extracting network traffic features.
Background
With the rapid development of the internet, the amount of network data has grown rapidly and new protocols keep appearing. By October 2019, encrypted traffic accounted for over 90% of all internet traffic, and with the appearance of more and more malicious software, identifying malicious traffic and assessing the current network situation has become a new challenge.
CICFlowMeter, an automatic flow feature extraction tool developed in Java by a Canadian network security research laboratory, is not lightweight enough because of the limitations of the Java language, and because its extracted features are hard to extend, only the features it already defines can be extracted, so its extensibility is insufficient.
Disclosure of Invention
(I) Technical problem to be solved
In view of the shortcomings of the prior art, the invention provides a lightweight extensible network traffic feature extraction tool, which solves the problems that the automatic traffic feature extraction tool CICFlowMeter is not lightweight enough and has insufficient extensibility.
(II) Technical scheme
To achieve this purpose, the invention is realized by the following technical scheme: a lightweight scalable network traffic feature extraction tool comprises an extraction tool body, and the extraction tool body has two feature extraction modes, a flow mode that extracts features per flow and a file mode that extracts features per pcap file;
in flow mode, the input traffic is split into flows by five-tuple and the features of each flow are extracted separately;
in file mode, the tool treats the traffic in each pcap file as a whole when extracting features;
during feature extraction, packets can be divided into three categories, uplink, downlink and bidirectional, according to their direction.
Further, packets with the same five-tuple belong to the same flow.
Further, in flow mode, each flow outputs its features as one record.
Further, in file mode, each file outputs its features as one record, and the number of flows in the file is also recorded.
Further, each record is computed only once, after the complete flow has been obtained, rather than once per packet.
Further, packets sent from the client to the server are defined as uplink, and packets sent from the server to the client are defined as downlink.
Further, the client and server are determined by the following rules: in a TCP stream, the party that initiates connection establishment is the client; if the captured traffic is incomplete and the handshake packets were not captured, the party with a private IP address is the client, where private addresses are the following three ranges:
a) 10.0.0.0-10.255.255.255,
b) 172.16.0.0-172.31.255.255,
c) 192.168.0.0-192.168.255.255.
Further, if both parties have private IP addresses or both have public IP addresses, the party with the larger port number is the client and the party with the smaller port number is the server; if the port numbers are the same, the fields of the two IP addresses are compared in order, and the party with the larger address is the client.
Further, the five-tuple consists of the transport layer protocol, source IP, source port, destination IP and destination port.
A lightweight scalable network traffic feature extraction method comprises the following steps:
s1, in file mode, features are extracted per file; file mode allows pcap files to be read in batches for analysis, and because processing a large number of files in a single thread is extremely inefficient, the tool starts in multi-process mode by default;
s2, the tool creates a number of sub-processes according to the number of CPU threads, which analyze different pcap files at the same time, and finally the main process merges the feature results extracted by each sub-process;
s3, the user can choose in the configuration file whether to disable multi-processing and can set the maximum number of processes running simultaneously;
s4, in flow mode, features are extracted per flow; this mode can read a pcap file offline or read the traffic of a specified network interface online, splits the traffic into flows by five-tuple, then extracts the features of each flow and outputs the feature values of each flow as one record;
s5, when a flow ends, or when the pcap file has been fully read but the flow has not ended, the tool immediately outputs the features of the flow; considering that some flows last a long time but their feature values can already be obtained from the packets seen so far, the user may set the maximum number of packets required for feature extraction (unlimited by default), and once a flow has collected enough packets its features are computed immediately and subsequent packets are ignored;
s6, likewise, some flows are too short for their extracted features to have any practical meaning, so the user can set the minimum number of packets required for feature extraction (1 by default) to filter out such traffic.
(III) Advantageous effects
The invention has the following beneficial effects:
this lightweight scalable network traffic feature extraction tool is developed in Python, so it is easy to install and run and can extract traffic features automatically. Existing feature extraction tools can only extract features that were defined in advance; adding a new feature requires modifying and recompiling the original code, which is a large amount of work. This tool is more extensible: it reserves an interface for defining features, so features can be added or removed dynamically by writing feature calculation functions and editing the feature configuration file, without modifying the source code.
Of course, it is not necessary for any product practicing the invention to achieve all of the above-described advantages simultaneously.
Drawings
FIG. 1 is a system diagram of a lightweight scalable network traffic feature extraction tool provided by the present invention;
FIG. 2 is a feature computation logic of the lightweight scalable network traffic feature extraction tool provided by the present invention;
FIG. 3 is the feature description table provided by the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "opening," "upper," "lower," "thickness," "top," "middle," "length," "inner," "peripheral," and the like are used in an orientation or positional relationship that is merely for convenience in describing and simplifying the description, and do not indicate or imply that the referenced component or element must have a particular orientation, be constructed and operated in a particular orientation, and thus should not be considered as limiting the present invention.
Referring to fig. 1-3, an embodiment of the present invention provides a technical solution:
a lightweight scalable network traffic feature extraction tool comprises an extraction tool body, and the extraction tool body has two feature extraction modes, a flow mode that extracts features per flow and a file mode that extracts features per pcap file; in flow mode, the input traffic is split into flows by five-tuple and the features of each flow are extracted separately; in file mode, the tool treats the traffic in each pcap file as a whole when extracting features; during feature extraction, packets can be divided into three categories, uplink, downlink and bidirectional, according to their direction.
The tool can extract features of network traffic from different angles; it has built-in calculation methods for 72 common features and also provides an extension interface for custom extraction of further features. The extracted features can be used for deep analysis of network conditions, construction of data sets required for machine learning, and so on.
The tool is developed on Python's scapy library, so before using it the user must ensure that Python3 and the third-party library scapy are installed. Before running the tool, the configuration file must be edited to specify the target pcap file or a directory containing pcap files (pcap files can be captured on a specified network interface with capture software such as wireshark or tcpdump) and to specify the running mode, file mode or flow mode. The program's final output is a csv file whose header is the name of each feature, where each column is one feature dimension and each row is one record.
Scapy is a powerful Python-based interactive packet manipulation tool and library; it supports Python2.7 and Python3 (3.3-3.6), runs on Linux, OSX, Windows and other platforms, and can be used to read network traffic packets and to monitor network interface traffic.
File mode:
Features are extracted per file. Many traffic data sets currently exist in which the traffic of various kinds of software is stored as separate pcap files, each containing only one flow, i.e. all packets belong to the same five-tuple; such a data set may contain a large number of pcap files, each representing the specific behaviour of a certain kind of software. In the other case, each pcap file stores the traffic of one host, and the user needs to analyse the network behaviour of each host and extract its traffic features. In both situations, file mode is needed to extract features from the whole pcap file.
In file mode each pcap file is directly used as the analysis target and the tool outputs traffic statistical features for that pcap file. The header of the csv file has the following format:
pcap_name flow_num feature1 feature2 .... featureN
pcap_name is the pcap file name, flow_num is the number of flows (distinct quadruples) found in the pcap, and the remaining columns are the extracted feature values.
Flow mode:
Features are extracted per flow. In practice a pcap file captured by software such as wireshark or tcpdump generally contains flows generated by different processes on several hosts. This mode must therefore be able to read a pcap file offline or read the traffic of a specified network interface online; it splits the traffic into flows by five-tuple, then extracts features for each flow and outputs the feature values of each flow as one record. The csv header is as follows:
protocol src sport dst dport feature1 feature2 .... featureN
The feature types extracted by default by the extraction tool body include packet inter-arrival time, packet count, congestion window size, packet length, packets per second, rate, packet header length, duration, flag bit counts and so on. For individual features the sum, mean, minimum, maximum and standard deviation are computed separately for the uplink, downlink and bidirectional traffic, giving 72 features in total.
A wildcard in a feature name stands for each of the suffixes in parentheses; for example, fpl_* stands for fpl_total, fpl_mean, fpl_min, fpl_max and fpl_std, which are respectively the sum, mean, minimum, maximum and standard deviation of the packet inter-arrival times in the uplink direction.
The flag bit count counts the occurrences of the eight flag bits (fin, syn, rst, pst, ack, urg, cwr, ece) in TCP packets; the eight feature names are fin_cnt, syn_cnt, rst_cnt, pst_cnt, ack_cnt, urg_cnt, cwr_cnt and ece_cnt, abbreviated in the table as *_cnt;
for the uplink and downlink traffic only the occurrences of the pst and urg flag bits are counted, giving the four features fwd_pst_cnt, fwd_urg_cnt, pwd_pst_cnt and pwd_urg_cnt, abbreviated in the table as fwd_*_cnt and pwd_*_cnt.
Packets with the same five-tuple belong to the same flow.
In flow mode, each flow outputs its features as one record.
In file mode, each file outputs its features as one record, and the number of flows in the file is also recorded.
Each record is computed only once, after the complete flow has been obtained, rather than once per packet.
Packets sent from the client to the server are defined as uplink, and packets sent from the server to the client are defined as downlink.
The client and server are determined by the following rules: in a TCP stream, the party that initiates connection establishment is the client; if the captured traffic is incomplete and the handshake packets were not captured, the party with a private IP address is the client, where private addresses are the following three ranges:
a) 10.0.0.0-10.255.255.255,
b) 172.16.0.0-172.31.255.255,
c) 192.168.0.0-192.168.255.255.
If both parties have private IP addresses or both have public IP addresses, the party with the larger port number is the client and the party with the smaller port number is the server; if the port numbers are the same, the fields of the two IP addresses are compared in order, and the party with the larger address is the client.
The five-tuple consists of the transport layer protocol, source IP, source port, destination IP and destination port.
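As an added illustration that is not code from the patent, the following Python implements the five-tuple flow grouping and the client/server rules just listed on a constructed packet model; the Pkt class stands in for the tool's scapy packets, and IPv4 addresses are assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed packet model standing in for scapy packets (an assumption of this
# example; the tool itself reads real packets with scapy). IPv4 only.
@dataclass
class Pkt:
    proto: str          # transport layer protocol, "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    length: int = 0

Endpoint = Tuple[str, int]

def five_tuple(p: Pkt) -> tuple:
    """The five-tuple as defined above: protocol, src IP, src port, dst IP, dst port."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def flow_key(p: Pkt) -> tuple:
    """Direction-independent flow key: the five-tuples of the two directions of
    one conversation are mirror images, so the endpoints are sorted and both
    directions land in the same flow."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])

PRIVATE_RANGES = [("10.0.0.0", "10.255.255.255"),
                  ("172.16.0.0", "172.31.255.255"),
                  ("192.168.0.0", "192.168.255.255")]

def is_private(ip: str) -> bool:
    """True if ip falls in one of the three private ranges a), b), c)."""
    n = int(ip_address(ip))
    return any(int(ip_address(lo)) <= n <= int(ip_address(hi))
               for lo, hi in PRIVATE_RANGES)

def determine_client(packets: List[Pkt]) -> Endpoint:
    """Apply the client/server rules in order and return the client endpoint."""
    # Rule 1: in TCP, the party that initiates connection establishment
    # (sends a SYN that is not a SYN-ACK) is the client.
    for p in packets:
        if p.proto == "TCP" and "S" in p.flags and "A" not in p.flags:
            return (p.src, p.sport)
    # Handshake not captured (or not TCP): fall back to the address rules,
    # judged from the two endpoints of the first packet seen.
    first = packets[0]
    ends = [(first.src, first.sport), (first.dst, first.dport)]
    # Rule 2: exactly one private IP address -> that party is the client.
    private = [e for e in ends if is_private(e[0])]
    if len(private) == 1:
        return private[0]
    # Rule 3: both private or both public -> larger port number is the client.
    if ends[0][1] != ends[1][1]:
        return max(ends, key=lambda e: e[1])
    # Rule 4: same port -> compare the IP address fields in order; larger is client.
    return max(ends, key=lambda e: tuple(int(x) for x in e[0].split(".")))

def split_directions(packets: List[Pkt]):
    """Return (uplink, downlink, bidirectional) packet lists of one flow,
    where uplink is client -> server."""
    client = determine_client(packets)
    fwd = [p for p in packets if (p.src, p.sport) == client]
    bwd = [p for p in packets if (p.src, p.sport) != client]
    return fwd, bwd, list(packets)

def group_flows(packets: List[Pkt]) -> Dict[tuple, List[Pkt]]:
    """Flow mode: split a packet sequence into flows by five-tuple."""
    flows: Dict[tuple, List[Pkt]] = {}
    for p in packets:
        flows.setdefault(flow_key(p), []).append(p)
    return flows

# Constructed sample traffic: a TCP handshake interleaved with a DNS query.
SAMPLE = [
    Pkt("TCP", "10.0.0.5", 51234, "93.184.216.34", 443, "S"),
    Pkt("UDP", "1.1.1.1", 40000, "2.2.2.2", 53),
    Pkt("TCP", "93.184.216.34", 443, "10.0.0.5", 51234, "SA"),
    Pkt("TCP", "10.0.0.5", 51234, "93.184.216.34", 443, "A"),
]

if __name__ == "__main__":
    for key, pkts in group_flows(SAMPLE).items():
        fwd, bwd, _ = split_directions(pkts)
        print(key, "client:", determine_client(pkts), "up/down:", len(fwd), len(bwd))
```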
A lightweight scalable network traffic feature extraction method comprises the following steps:
s1, in file mode, features are extracted per file; file mode allows pcap files to be read in batches for analysis, and because processing a large number of files in a single thread is extremely inefficient, the tool starts in multi-process mode by default;
s2, the tool creates a number of sub-processes according to the number of CPU threads, which analyze different pcap files at the same time, and finally the main process merges the feature results extracted by each sub-process;
s3, the user can choose in the configuration file whether to disable multi-processing and can set the maximum number of processes running simultaneously;
s4, in flow mode, features are extracted per flow; this mode can read a pcap file offline or read the traffic of a specified network interface online, splits the traffic into flows by five-tuple, then extracts the features of each flow and outputs the feature values of each flow as one record;
s5, when a flow ends, or when the pcap file has been fully read but the flow has not ended, the tool immediately outputs the features of the flow; considering that some flows last a long time but their feature values can already be obtained from the packets seen so far, the user may set the maximum number of packets required for feature extraction (unlimited by default), and once a flow has collected enough packets its features are computed immediately and subsequent packets are ignored;
s6, likewise, some flows are too short for their extracted features to have any practical meaning, so the user can set the minimum number of packets required for feature extraction (1 by default) to filter out such traffic.
Dynamic expansion of features:
The tool is extensible: an interface for user-defined features is reserved. The user only needs to write the corresponding feature calculation function (the handling of each packet inside the function follows the third-party open source library scapy) and then add to the feature configuration file the new feature name, the calculation function to call, the traffic the function requires (uplink, downlink or bidirectional) and the index of the function's return value.
For example, the following defines a new feature; a total of 6 features are obtained from the three directions. The input of a feature calculation function is the ordered packet list of a flow, and the return value is the extracted features.
def get_new_feature(flow):
    ...
    return [feature1, feature2]
Then add the corresponding records to the feature configuration file.
As shown below, the first parameter is the feature name, which can be chosen freely by the user and is also the column header of the output csv; we define six features in total, named f_feature1, f_feature2, b_feature1, b_feature2, d_feature1 and d_feature2. The second parameter is the function to call to compute the feature; here all newly defined features call the get_new_feature function;
the third parameter is the direction of traffic used to calculate the feature, where fwd_flow, bwd_flow and all_flow represent uplink, downlink and bidirectional traffic respectively;
the fourth parameter is which return value of the function to take (1 or 2), because get_new_feature returns two feature values.
f_feature1 get_new_feature fwd_flow 1
f_feature2 get_new_feature fwd_flow 2
b_feature1 get_new_feature bwd_flow 1
b_feature2 get_new_feature bwd_flow 2
d_feature1 get_new_feature all_flow 1
d_feature2 get_new_feature all_flow 2
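An added example, not the patent's own code, of the extension interface described above and of the record-per-flow behaviour of steps s5 and s6: a calculation function following the stated contract, a parser for the four-column feature configuration, and a record computed once per flow with the minimum/maximum packet settings applied. Packets are a constructed dict stand-in for scapy packets; get_len_stats and the function registry are assumptions of this example.

```python
import csv
import io
import statistics
from typing import Callable, Dict, List, Optional, Tuple

# Constructed packet stand-in (assumption of this example; the tool passes
# scapy packets). Each packet records its direction ("fwd"/"bwd") and length.
Packet = Dict[str, object]

def get_new_feature(flow: List[Packet]) -> list:
    """Calculation function following the page's contract: input is the ordered
    packet list of one flow (in the configured direction); the return value is a
    list of features selected by the configuration's index column.
    Here: [total bytes, mean packet length]."""
    lengths = [int(p["len"]) for p in flow]
    total = sum(lengths)
    return [total, total / len(lengths) if lengths else 0.0]

def get_len_stats(flow: List[Packet]) -> list:
    """The five statistics the built-in features use: sum, mean, min, max, std."""
    lengths = [int(p["len"]) for p in flow]
    if not lengths:
        return [0, 0.0, 0, 0, 0.0]
    std = statistics.pstdev(lengths) if len(lengths) > 1 else 0.0
    return [sum(lengths), sum(lengths) / len(lengths), min(lengths), max(lengths), std]

# Registry of calculation functions the configuration may name.
FUNCTIONS: Dict[str, Callable[[List[Packet]], list]] = {
    "get_new_feature": get_new_feature,
    "get_len_stats": get_len_stats,
}
DIRECTIONS = ("fwd_flow", "bwd_flow", "all_flow")

# Constructed configuration in the four-column format shown above:
# feature name, function to call, traffic direction, 1-based return-value index.
FEATURE_CONFIG = """\
f_feature1 get_new_feature fwd_flow 1
f_feature2 get_new_feature fwd_flow 2
b_feature1 get_new_feature bwd_flow 1
b_feature2 get_new_feature bwd_flow 2
d_feature1 get_new_feature all_flow 1
d_feature2 get_new_feature all_flow 2
"""

Entry = Tuple[str, str, str, int]

def parse_feature_config(text: str) -> List[Entry]:
    """Parse the configuration, rejecting unknown functions or directions so a
    typo fails at load time instead of producing a silently wrong column."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(parts)}")
        name, func, direction, idx = parts
        if func not in FUNCTIONS:
            raise ValueError(f"line {lineno}: unknown function {func!r}")
        if direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: unknown direction {direction!r}")
        entries.append((name, func, direction, int(idx)))
    return entries

def compute_record(entries: List[Entry], packets: List[Packet],
                   min_pkts: int = 1, max_pkts: Optional[int] = None) -> Optional[dict]:
    """One record per flow, computed once after the flow is complete (not per packet).
    max_pkts: only the first max_pkts packets are used (default unlimited);
    min_pkts: flows shorter than this are filtered out and yield None."""
    if max_pkts is not None:
        packets = packets[:max_pkts]
    if len(packets) < min_pkts:
        return None
    views = {"fwd_flow": [p for p in packets if p["dir"] == "fwd"],
             "bwd_flow": [p for p in packets if p["dir"] == "bwd"],
             "all_flow": list(packets)}
    cache: Dict[Tuple[str, str], list] = {}
    record = {}
    for name, func, direction, idx in entries:
        key = (func, direction)
        if key not in cache:  # each function runs once per direction, not per feature
            cache[key] = FUNCTIONS[func](views[direction])
        record[name] = cache[key][idx - 1]
    return record

def to_csv(entries: List[Entry], rows: List[Tuple[tuple, dict]]) -> str:
    """Flow-mode csv: header is protocol src sport dst dport plus the feature names."""
    names = [e[0] for e in entries]
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["protocol", "src", "sport", "dst", "dport"] + names)
    for key, rec in rows:
        w.writerow(list(key) + [rec[n] for n in names])
    return buf.getvalue()

# Constructed sample flow in arrival order: two uplink and two downlink packets.
SAMPLE_FLOW: List[Packet] = [
    {"dir": "fwd", "len": 60}, {"dir": "bwd", "len": 1500},
    {"dir": "fwd", "len": 100}, {"dir": "bwd", "len": 1400},
]
SAMPLE_KEY = ("TCP", "10.0.0.5", 51234, "93.184.216.34", 443)

if __name__ == "__main__":
    entries = parse_feature_config(FEATURE_CONFIG)
    print(to_csv(entries, [(SAMPLE_KEY, compute_record(entries, SAMPLE_FLOW))]))
```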
This tool is developed in Python, so it is easy to install and run and can extract traffic features automatically. Existing feature extraction tools can only extract features that were defined in advance; adding a new feature requires modifying and recompiling the original code, which is a large amount of work. This tool is more extensible: it reserves an interface for defining features, so features can be added or removed dynamically by writing feature calculation functions and editing the feature configuration file, without modifying the source code.
In use:
in file mode, features are extracted per file; file mode allows pcap files to be read in batches for analysis, and because processing a large number of files in a single thread is extremely inefficient, the tool starts in multi-process mode by default;
the tool creates a number of sub-processes according to the number of CPU threads, which analyze different pcap files at the same time, and finally the main process merges the feature results extracted by each sub-process;
the user can choose in the configuration file whether to disable multi-processing and can set the maximum number of processes running simultaneously;
in flow mode, features are extracted per flow; this mode can read a pcap file offline or read the traffic of a specified network interface online, splits the traffic into flows by five-tuple, then extracts the features of each flow and outputs the feature values of each flow as one record;
when a flow ends, or when the pcap file has been fully read but the flow has not ended, the tool immediately outputs the features of the flow; considering that some flows last a long time but their feature values can already be obtained from the packets seen so far, the user may set the maximum number of packets required for feature extraction (unlimited by default), and once a flow has collected enough packets its features are computed immediately and subsequent packets are ignored;
likewise, some flows are too short for their extracted features to have any practical meaning, so the user can set the minimum number of packets required for feature extraction (1 by default) to filter out such traffic.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (10)

1. A lightweight scalable network traffic feature extraction tool, comprising an extraction tool body, characterized in that: the extraction tool body has two feature extraction modes, a flow mode that extracts features per flow and a file mode that extracts features per pcap file;
in flow mode, the input traffic is split into flows by five-tuple and the features of each flow are extracted separately;
in file mode, the tool treats the traffic in each pcap file as a whole when extracting features;
during feature extraction, packets can be divided into three categories, uplink, downlink and bidirectional, according to their direction.
2. The lightweight scalable network traffic feature extraction tool of claim 1, wherein: packets with the same five-tuple belong to the same flow.
3. The lightweight scalable network traffic feature extraction tool of claim 2, wherein: in flow mode, each flow outputs its features as one record.
4. The lightweight scalable network traffic feature extraction tool according to claim 3, characterized in that: in file mode, each file outputs its features as one record, and the number of flows in the file is also recorded.
5. The lightweight scalable network traffic feature extraction tool of claim 4, wherein: each record is computed only once, after the complete flow has been obtained, rather than once per packet.
6. The lightweight scalable network traffic feature extraction tool of claim 1, wherein: packets sent from the client to the server are defined as uplink, and packets sent from the server to the client are defined as downlink.
7. The lightweight scalable network traffic feature extraction tool of claim 1, wherein: the client and server are determined by the following rules: in a TCP stream, the party that initiates connection establishment is the client; if the captured traffic is incomplete and the handshake packets were not captured, the party with a private IP address is the client, where private addresses are the following three ranges:
a) 10.0.0.0-10.255.255.255,
b) 172.16.0.0-172.31.255.255,
c) 192.168.0.0-192.168.255.255.
8. The lightweight scalable network traffic feature extraction tool of claim 7, wherein: if both parties have private IP addresses or both have public IP addresses, the party with the larger port number is the client and the party with the smaller port number is the server; if the port numbers are the same, the fields of the two IP addresses are compared in order, and the party with the larger address is the client.
9. The lightweight scalable network traffic feature extraction tool of claim 1, wherein: the five-tuple consists of the transport layer protocol, source IP, source port, destination IP and destination port.
10. A lightweight scalable network traffic feature extraction method, characterized by comprising the following steps:
s1, in file mode, features are extracted per file; file mode allows pcap files to be read in batches for analysis, and because processing a large number of files in a single thread is extremely inefficient, the tool starts in multi-process mode by default;
s2, the tool creates a number of sub-processes according to the number of CPU threads, these sub-processes analyse different pcap files concurrently, and finally the main process merges the feature results extracted by each sub-process;
s3, the user can choose in the configuration file whether to disable multi-process mode and can set the maximum number of processes running simultaneously;
s4, in flow mode, features are extracted per flow; this mode can read a pcap file offline or read the traffic of a specified network interface online, splits the traffic into flows by five-tuple, then extracts the features of each flow, and outputs each flow as one record of feature values;
s5, when a flow ends, or when the pcap file has been fully read while the flow is still open, the tool immediately outputs the features of that flow; since some flows last a long time but their feature values can already be obtained from the packets received so far, the user is allowed to set the maximum number of packets required for feature extraction (infinite by default), and once a flow has collected enough packets its features are computed immediately without waiting for subsequent packets;
s6, likewise, some flows are too short and their extracted features have no practical meaning, so the user can set the minimum number of packets required for feature extraction (1 by default) to filter out such traffic.
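The flow-splitting and thresholding behaviour of claims 8 and 9 and steps s5 and s6, as an added example that is not the patent's own code: packets are keyed by a client-oriented five-tuple so that both directions fall into one flow, features are emitted early once `max_pkts` is reached, and flows shorter than `min_pkts` are dropped. The packet list and the feature set are constructed, and the handling of the mixed private/public case (private side taken as client) is an assumption, since only the both-private or both-public rule of claim 8 is shown here.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample packets: (proto, src_ip, src_port, dst_ip, dst_port, length)
PACKETS = [
    ("tcp", "192.168.1.10", 51000, "10.0.0.5", 443, 60),
    ("tcp", "10.0.0.5", 443, "192.168.1.10", 51000, 1400),  # reverse direction
    ("tcp", "192.168.1.10", 51000, "10.0.0.5", 443, 52),
    ("udp", "192.168.1.10", 5353, "192.168.1.20", 5353, 80),  # equal ports
    ("tcp", "8.8.8.8", 53, "1.1.1.1", 53, 90),  # single-packet flow
]

def client_server(ip_a, port_a, ip_b, port_b):
    """Claim 8: both private or both public -> larger port is the client;
    equal ports -> compare address fields in order, larger is the client."""
    a, b = ip_address(ip_a), ip_address(ip_b)
    if a.is_private != b.is_private:  # assumption: private side is the client
        return ((ip_a, port_a), (ip_b, port_b)) if a.is_private else ((ip_b, port_b), (ip_a, port_a))
    if port_a != port_b:
        return ((ip_a, port_a), (ip_b, port_b)) if port_a > port_b else ((ip_b, port_b), (ip_a, port_a))
    # Integer comparison of an IPv4 address orders by its fields, first octet first.
    return ((ip_a, port_a), (ip_b, port_b)) if int(a) >= int(b) else ((ip_b, port_b), (ip_a, port_a))

def flow_key(pkt):
    """Claim 9 five-tuple, oriented client -> server so both directions share one key."""
    proto, sip, sport, dip, dport, _ = pkt
    (cip, cport), (svip, svport) = client_server(sip, sport, dip, dport)
    return (proto, cip, cport, svip, svport)

def features(key, pkts):
    """Constructed per-flow feature set: packet count, byte count, client->server packets."""
    _, cip, cport, _, _ = key
    c2s = sum(1 for p in pkts if (p[1], p[2]) == (cip, cport))
    return {"packets": len(pkts), "bytes": sum(p[5] for p in pkts), "c2s_packets": c2s}

def extract_features(packets, min_pkts=1, max_pkts=None):
    """Group packets into flows; emit a flow as soon as it has max_pkts packets (s5),
    ignore its later packets, and at end of input drop flows shorter than min_pkts (s6)."""
    flows, done = defaultdict(list), {}
    for pkt in packets:
        key = flow_key(pkt)
        if key in done:
            continue  # features already emitted for this flow
        flows[key].append(pkt)
        if max_pkts is not None and len(flows[key]) >= max_pkts:
            done[key] = features(key, flows.pop(key))
    for key, pkts in flows.items():  # end of capture: flush still-open flows
        if len(pkts) >= min_pkts:
            done[key] = features(key, pkts)
    return done
```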
CN202110249037.8A 2021-03-08 2021-03-08 Lightweight scalable network traffic feature extraction tool and method Pending CN112966261A (en)


Publications (1)

Publication Number Publication Date
CN112966261A true CN112966261A (en) 2021-06-15

Family

ID=76277459


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668085A (en) * 2023-05-05 2023-08-29 山东省计算中心(国家超级计算济南中心) Flow multi-process intrusion detection method and system based on lightGBM
CN116776248A (en) * 2023-06-21 2023-09-19 哈尔滨工业大学 Virtual logarithm-based out-of-distribution detection method



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210615