CN113138904A - Edge cloud anomaly detection method based on reliable long-term and short-term memory network - Google Patents

Info

Publication number: CN113138904A
Authority: CN (China)
Prior art keywords: layer, cell state, state, edge cloud, new
Legal status: Pending
Application number: CN202110500177.8A
Other languages: Chinese (zh)
Inventors: 孙强, 刘洪武, 杨海
Current Assignee: Shandong Jiaotong University
Original Assignee: Shandong Jiaotong University
Application filed by Shandong Jiaotong University
Priority to CN202110500177.8A
Publication of CN113138904A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061 Partitioning or combining of resources
    • G06F9/5072 Grid computing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention discloses an edge cloud anomaly detection method based on a reliable long-short term memory network. A new layer $B_t$ is added to the state, providing additional information about the cell state comparison, and the data of each user is trained in a supervised learning mode; then, through the three gates of the LSTM, cells are retained, added and deleted according to the information requirements; the old cell state $C_{t-1}$ is updated to the new cell state $C_t$, and the value to be output is then determined. By adding a new layer to the long-short term memory network method, the method provides additional information related to newly added users, so that the ability to detect anomalous access to edge cloud services is improved when little user behavior data is available, high-precision attacks can be actively detected, the method is not limited by the state of the user's configuration file, the error caused by insufficient new-user data is reduced, and the accuracy of detecting anomalous access to edge cloud services is improved.

Description

Edge cloud anomaly detection method based on reliable long-term and short-term memory network
Technical Field
The invention relates to an edge cloud anomaly detection method based on a reliable long-short term memory network, and in particular to a method that adds a new layer to the long-short term memory network method to provide additional information about a newly added user, compares the user's interaction data with the edge cloud server against the interaction data of other similar users, analyzes the history of the user's interaction data, and thereby detects anomalous access to the edge cloud server when data is scarce.
Background
In 5G and more advanced network environments, low-latency service is one of the important requirements of emerging applications. Edge cloud computing processes data closer to local servers and edge data centers rather than at the center of the whole cloud, which greatly reduces latency. However, distributing the data of a large number of users across a large network of edge data centers creates significant security vulnerabilities, which may cause anomalies in the edge cloud infrastructure, such as servers running slowly or even the entire cloud computing system crashing. An infrastructure anomaly that occurs on one node of an edge cloud may quickly propagate to other edges in the cloud computing system, so it is often difficult to track the root cause of an anomaly when it occurs. Typically, access can be controlled through a firewall and appropriate authentication to mitigate the threat of external attacks. When an attacker impersonates a trusted user or steals a valid user identity, measures are needed to defend against internal attacks, such as Machine Learning (ML) methods to reduce risk. It is now common to classify users as normal or malicious using long-term or short-term memory; the former has the problem that it stores irrelevant data, and the latter that it may not have enough data to perform a proper analysis. To identify anomalous access to edge cloud services, time series data needs to be collected from the monitored edge cloud systems. Currently, Long Short-Term Memory (LSTM) is an effective method for identifying abnormal behavior in cloud networks. In the document "LSTM for anomaly-based network intrusion detection" (S. A. Althubiti, E. M. Jones, K. Roy, in 2018 28th International Telecommunication Networks and Applications Conference (ITNAC), pp. 1-3, 2018), experiments were performed using the CIDDS001 dataset and several ML techniques were employed to evaluate system performance. The results indicate that the LSTM method is more accurate than, and significantly better than, the Support Vector Machine (SVM) and naive Bayes methods. In recent years, deep learning and Recurrent Neural Network (RNN) methods have been used to counter internal attack threats. The document "Deep learning for unsupervised insider threat detection in structured cybersecurity data streams" (A. Tuor, S. Kaplan, B. Hutchinson, arXiv preprint, 2017) proposes detecting internal attacks with a deep neural network and an RNN, training the neural network to discover the behavior of functions performed by internal users and thereby classifying internal users as normal or abnormal in real-time applications. When there is enough user behavior information, anomalies can be avoided; but when a new user joins the network there is not enough user behavior information, so the accuracy of LSTM prediction will be low.
To address the case where scarce user behavior information leaves too little data to analyze, the invention provides an edge cloud anomaly detection method based on a trusted Long Short-Term Memory (TLSTM) network, which actively detects anomalous access behavior and improves the accuracy of anomaly detection and attack prediction. In the method of the invention, the LSTM method is improved by adding a new layer. For the case where a new user's data is insufficient, the new layer provides additional information about the newly added user: the behavior of similar users belonging to the same domain is compared with the behavior of the newly added user, and usable data is obtained through training. The method is not limited by the state of the user's configuration file, reduces the error caused by insufficient new-user data, and improves the accuracy of detecting anomalous access to edge cloud services.
Disclosure of Invention
The invention provides an edge cloud anomaly detection method based on a reliable long-short term memory network, aiming at overcoming the defects of the conventional long-short term memory network method.
The edge cloud anomaly detection method based on a reliable long-term and short-term memory network of the invention is characterized by comprising the following steps: step one, in the edge cloud, a new layer $B_t$ is added to the state, and self-training is performed; step two, cells are retained, added and deleted according to information requirements through the sigmoid gates of the LSTM; step three, the old cell state $C_{t-1}$ is updated to the new cell state $C_t$, and the output value of the network is then determined.
In the edge cloud anomaly detection method based on a reliable long-term and short-term memory network of the invention, step one is implemented by the following sub-steps:
a) A new layer $B_t$ is added to the state; this layer provides additional information about the cell state comparison, which is used to predict anomalies. The value of $B_t$ can be expressed as:
$B_t = \sigma(W_B \cdot [h_{t-1}, x_t] + b_B)$ (1)
In equation (1), $\sigma$ is the sigmoid neural network layer, which outputs a number between 0 and 1 describing how much information each component lets through, 0 meaning that no information passes and 1 meaning that all information passes; $W_B$ is the weight of the added layer; $h_{t-1}$ is the previous output of the t-th layer, i.e. the output of the (t-1)-th layer; $x_t$ is the input of the t-th layer; and $b_B$ is the bias of the added layer;
b) The data of each user is trained in a supervised learning mode, in which the model is trained on prior data and can be dynamically trained on the prior data according to the behavior of users in the edge network; in this framework, the model uses Personal User Behavior Data (PUBD) and Comparable User Behavior Data (CUBD) for self-training, in order to identify anomalies and improve prediction accuracy when there is not enough data for newly added users.
In the edge cloud anomaly detection method based on a reliable long-term and short-term memory network of the invention, step two is implemented by the following sub-steps:
c) Determining which information to delete from the cell state. The first sigmoid gate in the LSTM is the forget gate; the forget gate layer $f_t$ can be expressed as:
$f_t = \sigma(W_f \cdot [h_{t-1}, x_t] + b_f)$ (2)
In equation (2), $\sigma$ is the sigmoid neural network layer, $W_f$ is the weight of the forget gate, $h_{t-1}$ is the previous output of the t-th layer, $x_t$ is the input of the t-th layer, and $b_f$ is the bias of the forget gate. For the cell state $C_{t-1}$ (the previous state of layer t), the forget gate $f_t$ outputs a value between 0 and 1; the closer $f_t$ is to 1, the more the cell state is needed. A value of 1 indicates that the cell state is most needed and should be retained; a value of 0 indicates that the cell state is completely deleted;
d) Determining which new information should be kept in the cell state. An input gate layer $i_t$ and a tanh layer are set up: the input gate layer $i_t$ decides which values are to be updated, and the tanh layer then creates the new candidate values that can be added to the cell state
Figure BDA0003055841330000033
The two are then combined to create an update to the cell state. The input gate layer $i_t$ can be expressed as:
$i_t = \sigma(W_i \cdot [h_{t-1}, x_t] + b_i)$ (3)
The new candidate value
Figure BDA0003055841330000031
can be expressed as:
Figure BDA0003055841330000032
In formulae (3) and (4), $W_i$ and $W_c$ are the weights of the input gate and the tanh gate, $h_{t-1}$ is the previous output of the t-th layer, $x_t$ is the input of the t-th layer, and $b_i$ and $b_c$ are the biases of the input gate and the tanh gate, respectively.
In the edge cloud anomaly detection method based on a reliable long-term and short-term memory network of the invention, step three is implemented by the following sub-steps:
e) Updating the cell state. To update the old cell state $C_{t-1}$ to the new cell state $C_t$, the old state is multiplied by $f_t$, which forgets the part that was to be forgotten, and then
Figure BDA0003055841330000041
is added to obtain the new cell state. The new cell state $C_t$ can be expressed as:
Figure BDA0003055841330000042
f) Determining the output value. The output is based on the cell state, but is a filtered version of it. First, a sigmoid layer is run to decide which parts of the cell state should be output; the output portion of the cell state can be expressed as:
$o_t = \sigma(W_o \cdot [h_{t-1}, x_t] + b_o)$ (6)
The cell state is then passed through the tanh gate and multiplied by the output of the sigmoid gate; the resulting output portion $h_t$, which is updated through the entire system, can be expressed as:
$h_t = o_t * \tanh(C_t)$ (7)
The beneficial effects of the invention are as follows: the edge cloud anomaly detection method based on a reliable long-short term memory network adds a new layer to the long-short term memory network method and provides additional information related to newly added users, so that the ability to detect anomalous access to the edge cloud server is improved when little user behavior data is available. With this method, the user's interaction data is compared with the data of other similar users and the history of the user's interaction data is analyzed, so that high-precision attacks are actively detected. The method is not limited by the state of the user's configuration file, reduces the error caused by insufficient new-user data, and improves the accuracy of detecting anomalous access to edge cloud services.
Drawings
FIG. 1 is a schematic diagram of an LSTM framework;
FIG. 2 is a schematic diagram of the TLSTM framework method of the present invention;
FIG. 3 is a graph of the accuracy of the anomaly detection and prediction on the master node of the method of the present invention;
FIG. 4 is a graph of the accuracy of anomaly detection and prediction on a master node for the LSTM method;
FIG. 5 is a graph of the accuracy of anomaly detection and prediction on a work node by the method of the present invention;
FIG. 6 is a graph of the accuracy of anomaly detection and prediction on a working node by the LSTM method;
FIG. 7 is a graph of the accuracy of anomaly detection and prediction on a virtual machine CPU by the method of the present invention;
FIG. 8 is a graph of the accuracy of the exception detection and prediction of the LSTM method on the virtual machine CPU.
Detailed Description
The invention is further described with reference to the following figures and examples.
Long-short term memory networks are a special type of recurrent neural network that is able to learn order dependencies in sequence prediction. An LSTM framework is schematically illustrated in FIG. 1. The LSTM has gate layers that can retain, add, and delete cells according to information requirements. Each gate consists of a sigmoid neural network layer and a point-by-point multiplication operation. The sigmoid neural network layer outputs a value between 0 and 1 that describes how much of each component is allowed to pass through. A value of 0 indicates that all information is deleted, and a value of 1 indicates that all information is retained.
The first sigmoid gate is the forget gate, which determines which information is deleted from the cell state. For the cell state $C_{t-1}$ (the previous state of layer t), the forget gate $f_t$ in formula (1) outputs a value between 0 and 1; the closer $f_t$ is to 1, the more the cell state is needed. A value of 1 indicates that the cell state is most needed and should be retained; a value of 0 indicates that the cell state is completely deleted.
$f_t = \sigma(W_f \cdot [h_{t-1}, x_t] + b_f)$ (1)
The next layer determines which new information should be kept in the cell state. An input gate layer $i_t$ and a tanh layer are set up: the input gate layer $i_t$ decides which values are to be updated, and the tanh layer then creates the new candidate values that can be added to the cell state
Figure BDA0003055841330000051
The two are then combined to create an update to the cell state. The input gate layer $i_t$ can be expressed as:
$i_t = \sigma(W_i \cdot [h_{t-1}, x_t] + b_i)$ (2)
The new candidate value
Figure BDA0003055841330000052
can be expressed as:
Figure BDA0003055841330000053
To update the old cell state $C_{t-1}$ to the new cell state $C_t$, the old state is multiplied by $f_t$, which forgets the part that was to be forgotten, and then
Figure BDA0003055841330000054
is added to obtain the new cell state. The new cell state $C_t$ can be expressed as:
Figure BDA0003055841330000055
Finally, the output value needs to be determined. The output is based on the cell state, but is a filtered version of it. First, a sigmoid layer is run to decide which parts of the cell state should be output; the output portion of the cell state can be expressed as:
$o_t = \sigma(W_o \cdot [h_{t-1}, x_t] + b_o)$ (5)
The cell state is then passed through the tanh gate and multiplied by the output of the sigmoid gate; the resulting output portion $h_t$, which is updated through the entire system, can be expressed as:
$h_t = o_t * \tanh(C_t)$ (6)
In each of the above formulas, $W_f$, $W_i$, $W_c$ and $W_o$ are the weights of the forget gate, the input gate, the tanh gate, and the output gate, respectively; $b_f$, $b_i$, $b_c$ and $b_o$ are the biases of the forget gate, the input gate, the tanh gate, and the output gate, respectively.
When there is enough data, the current LSTM method can predict user behavior patterns fairly accurately. However, the prediction is only accurate if there is a large amount of interaction data. A reliable long-term short-term memory framework is therefore used to actively detect abnormal behavior and improve the accuracy of anomaly detection. The proposed method detects anomalies based on the behavior patterns of the user. For this purpose, a new layer $B_t$ is added to the state; this layer provides additional information about the cell state comparison, which is used to predict anomalies. The value of $B_t$ can be expressed as:
$B_t = \sigma(W_B \cdot [h_{t-1}, x_t] + b_B)$ (7)
The method trains the data of each user in a supervised learning mode, in which the model is trained on prior data and can be dynamically trained on the prior data according to the behavior of users in the edge network; in this framework, the model uses Personal User Behavior Data (PUBD) and Comparable User Behavior Data (CUBD) for self-training, in order to identify anomalies and improve prediction accuracy when there is not enough data for newly added users. In dynamic behavior monitoring, the learning process is performed automatically, and when the user behavior data for newly joined users is insufficient, false alarms are triggered on the assumption that malicious activity has occurred. Thus, comparison data on user behavior is used to detect errors in new user behavior.
To distinguish newly added users from malicious users, the newly added layer of the method contains comparable user behavior data. The layer compares the behavior of similar users belonging to the same domain with the newly joined user and their interaction information until the new user generates the necessary personal behavior data. FIG. 2 is a schematic diagram of the TLSTM framework.
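The gate computations described above, carried through one time step in plain Python as an added example (not code from the patent). The candidate-value and cell-update formulas appear on this page only as images, so the standard LSTM forms are assumed for them; the page also does not state how $B_t$ enters the update, so it is returned beside $h_t$ rather than mixed in. The names `tlstm_step` and `make_params` and the sample values are constructed.

```python
import math

GATES = ("B", "f", "i", "c", "o")  # added layer, forget, input, tanh, output


def sigmoid(z):
    # Numerically stable logistic function; output lies in (0, 1).
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def make_params(hidden, inputs, bias=None):
    """Zero weights for every gate; `bias` maps gate name -> constant bias."""
    bias = bias or {}
    width = hidden + inputs  # length of the concatenation [h_{t-1}, x_t]
    return {g: ([[0.0] * width for _ in range(hidden)],
                [float(bias.get(g, 0.0))] * hidden) for g in GATES}


def _layer(params, name, z, act):
    # act(W . z + b), one output per hidden unit.
    W, b = params[name]
    if any(len(row) != len(z) for row in W):
        raise ValueError(f"gate {name}: weight width != len([h, x])")
    return [act(sum(w * v for w, v in zip(row, z)) + bj)
            for row, bj in zip(W, b)]


def tlstm_step(params, h_prev, c_prev, x_t):
    """Return (h_t, C_t, B_t) for one time step."""
    z = list(h_prev) + list(x_t)               # [h_{t-1}, x_t]
    b_t = _layer(params, "B", z, sigmoid)      # added layer B_t
    f_t = _layer(params, "f", z, sigmoid)      # forget gate
    i_t = _layer(params, "i", z, sigmoid)      # input gate
    cand = _layer(params, "c", z, math.tanh)   # candidate (assumed standard form)
    # Assumed standard cell update: keep f_t of the old state,
    # add i_t of the candidate.
    c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, cand)]
    o_t = _layer(params, "o", z, sigmoid)      # output gate
    h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
    return h_t, c_t, b_t


if __name__ == "__main__":
    # Constructed input: 2 hidden units, 3 features for one sample.
    # A strongly positive forget bias and negative input bias keep C_{t-1}.
    p = make_params(2, 3, bias={"f": 20.0, "i": -20.0})
    h, c, b = tlstm_step(p, [0.0, 0.0], [1.0, -2.0], [0.4, 0.1, 0.0])
    print("h_t", h, "C_t", c, "B_t", b)
```

With all weights and biases at zero every sigmoid gate outputs 0.5, so half of the old cell state survives each step; this makes the effect of the forget and input biases easy to check by hand.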
The data test collects data from a Raspberry Pi and a host/virtual machine, wherein the Raspberry Pi comprises seven HP servers and a pair of respectively simulated edge computing environments and edge devices; the host/virtual machine uses the settings of K8s on the host and virtual machine, respectively. Prometheus is used for monitoring and data collection, with collection intervals of 10 seconds for the host/virtual machine and 30 seconds for the Raspberry Pi. The collected data contains information on the network's CPU utilization and packet loss. In the measured data, the data value is replaced by the difference of two consecutive data samples. In nominal data, the data value is replaced with the difference between the current value and the value of the previous time interval divided by the time interval.
First, a cyclic anomaly and a cumulative anomaly are injected into the network. An anomaly is injected for 60 seconds and the system is then cooled for 180 seconds; these steps are repeated until the experiment time is exceeded. For cumulative anomalies, Stress-ng is used to generate cumulative memory pressure, and TCP flooding and Ping flooding are used for network flooding. The cumulative anomaly of the host/virtual machine runs in four steps, while the cumulative anomaly of the Raspberry Pi runs in two steps, each step lasting 60 seconds. Next, the collected data is labeled according to the anomaly injection timestamps. In the frequent anomaly data, 0 indicates no anomaly and 1 indicates that an anomaly occurred. In the cumulative anomaly data, 0 is no anomaly, and 1-4 are four anomaly levels. In the cumulative anomaly data of the edge device (i.e. the Raspberry Pi), 0 is no anomaly, and 1-2 are two anomaly levels. To evaluate the performance of the method, relevant data was collected and compared with LSTM network performance. FIGS. 3 to 8 show the accuracy of anomaly detection on the virtual machine CPU, the work node, and the master node for the LSTM method and the present method. With LSTM, the accuracy of anomaly detection is high, but the accuracy of its prediction results is not ideal; the detection and prediction accuracy of the present method is higher than that of the LSTM method.
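A sketch of the preprocessing and labeling just described, as an added example rather than code from the patent: it turns the injection schedule (60 s per anomaly step, 180 s cool-down) into per-sample labels and applies the two value transforms. It assumes injection starts at t = 0, that cumulative runs are also followed by the 180 s cool-down, and that a pair of samples spanning a missed scrape is dropped; all function names and the sample series are constructed.

```python
STEP_S = 60    # duration of one injected anomaly step (from the text)
COOL_S = 180   # cool-down after the injection (from the text)


def label_at(t, levels):
    """Label for a sample taken t seconds after the experiment start.

    levels=1 gives the 0/1 labels of the cyclic anomaly; levels=4
    (host/VM) or levels=2 (Raspberry Pi) gives the cumulative levels.
    """
    if t < 0 or levels < 1:
        raise ValueError("t must be >= 0 and levels >= 1")
    phase = t % (levels * STEP_S + COOL_S)
    return int(phase // STEP_S) + 1 if phase < levels * STEP_S else 0


def _pairs(samples, interval):
    # Consecutive (previous, current) samples. Pairs that span a missed
    # scrape or go backwards in time are skipped so that a gap does not
    # look like a spike (assumption: tolerance of 1.5 intervals).
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        if 0 < t1 - t0 <= 1.5 * interval:
            yield t0, v0, t1, v1


def as_difference(samples, interval):
    """'Measured' data: value replaced by the difference of two
    consecutive samples."""
    return [(t1, v1 - v0) for t0, v0, t1, v1 in _pairs(samples, interval)]


def as_rate(samples, interval):
    """'Nominal' data: difference to the previous value divided by the
    time interval."""
    return [(t1, (v1 - v0) / (t1 - t0))
            for t0, v0, t1, v1 in _pairs(samples, interval)]


def build_rows(samples, interval, levels, transform):
    """Return (timestamp, transformed value, label) rows for training."""
    return [(t, v, label_at(t, levels))
            for t, v in transform(samples, interval)]


# Constructed series: CPU utilisation (%) scraped every 10 s on a host;
# the scrape at t=40 is missing.
CPU = [(0, 20.0), (10, 55.0), (20, 90.0), (30, 92.0), (50, 95.0),
       (60, 60.0), (70, 30.0), (80, 22.0)]

# Constructed series: a packet counter scraped every 30 s on the edge device.
PKT = [(0, 100), (30, 160), (60, 400)]

if __name__ == "__main__":
    for row in build_rows(CPU, 10, 1, as_difference):
        print("cyclic    ", row)
    for row in build_rows(PKT, 30, 2, as_rate):
        print("cumulative", row)
```

Labels are taken at the timestamp of the later sample in each pair, so the first row after an injection window ends is already labeled 0 even though its difference still reflects the injected load.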
Table 1. Accuracy comparison of the LSTM method and this method on the training data set
Figure BDA0003055841330000071
Table 2. Accuracy comparison of the LSTM method and this method on the test data set
Figure BDA0003055841330000072
Table 3. Packet loss of the LSTM method and this method on the training data set
Figure BDA0003055841330000073
Table 4. Packet loss of the LSTM method and this method on the test data set
Figure BDA0003055841330000074
Table 1 shows the accuracy values of the LSTM method and this method on the training data set. Table 2 provides the accuracy values of the LSTM method and this method on the test data set. Tables 3 and 4 provide the loss values of the LSTM method and this method on the training and test data sets. The experimental data show that the accuracy of this method is superior to that of the LSTM method.
In summary, the invention provides a new layer added on the long-short term memory network method and provides additional information about newly added users, so that the anomaly detection capability is improved under the condition of less user behavior data. By using the method, the transaction data of the user is compared with the data of other similar users, and the transaction history of the user is analyzed so as to actively detect the high-precision attack. The method is not limited by the configuration file state of the user, reduces the error degree caused by insufficient new user data, and improves the accuracy.
The above-described embodiment is only one embodiment of the present invention, and it will be apparent to those skilled in the art that various modifications and variations can be easily made based on the application and principle of the present invention disclosed in the present application, and the present invention is not limited to the method described in the above-described embodiment of the present invention, so that the above-described embodiment is only preferred, and not restrictive.

Claims (4)

1. An edge cloud anomaly detection method based on a reliable long-short term memory network, characterized by comprising the following steps: step one, in the edge cloud, a new layer $B_t$ is added to the state, and self-training is performed; step two, cells are retained, added and deleted according to information requirements through the sigmoid gates of the LSTM; step three, the old cell state $C_{t-1}$ is updated to the new cell state $C_t$, and the output value of the network is then determined.
2. The method for detecting the edge cloud anomaly based on the trusted long-short term memory network according to claim 1, wherein the first step is realized by the following sub-steps:
a) A new layer $B_t$ is added to the state; this layer provides additional information about the cell state comparison, which is used to predict anomalies. The value of $B_t$ can be expressed as:
$B_t = \sigma(W_B \cdot [h_{t-1}, x_t] + b_B)$ (1)
In equation (1), $\sigma$ is the sigmoid neural network layer, which outputs a number between 0 and 1 describing how much information each component lets through, 0 meaning that no information passes and 1 meaning that all information passes; $W_B$ is the weight of the added layer; $h_{t-1}$ is the previous output of the t-th layer, i.e. the output of the (t-1)-th layer; $x_t$ is the input of the t-th layer; and $b_B$ is the bias of the added layer;
b) The data of each user is trained in a supervised learning mode, in which the model is trained on prior data and can be dynamically trained on the prior data according to the behavior of users in the edge network; in this framework, the model uses Personal User Behavior Data (PUBD) and Comparable User Behavior Data (CUBD) for self-training, in order to identify anomalies and improve prediction accuracy when there is not enough data for newly added users.
3. The method for detecting the edge cloud anomaly based on the trusted long-short term memory network according to claim 1, wherein the second step is realized by the following sub-steps:
c) Determining which information to delete from the cell state. In the LSTM, the first sigmoid gate is the forget gate; the forget gate layer $f_t$ can be expressed as:
$f_t = \sigma(W_f \cdot [h_{t-1}, x_t] + b_f)$ (2)
In equation (2), $\sigma$ is the sigmoid neural network layer, $W_f$ is the weight of the forget gate, $h_{t-1}$ is the previous output of the t-th layer, $x_t$ is the input of the t-th layer, and $b_f$ is the bias of the forget gate. For the cell state $C_{t-1}$ (the previous state of layer t), the forget gate $f_t$ outputs a value between 0 and 1; the closer $f_t$ is to 1, the more the cell state is needed. A value of 1 indicates that the cell state is most needed and should be retained; a value of 0 indicates that the cell state is completely deleted;
d) Determining which new information should be kept in the cell state. An input gate layer $i_t$ and a tanh layer are set up: the input gate layer $i_t$ decides which values are to be updated, and the tanh layer then creates the new candidate values that can be added to the cell state
Figure FDA0003055841320000025
The two are then combined to create an update to the cell state. The input gate layer $i_t$ can be expressed as:
$i_t = \sigma(W_i \cdot [h_{t-1}, x_t] + b_i)$ (3)
The new candidate value
Figure FDA0003055841320000021
can be expressed as:
Figure FDA0003055841320000022
In formulae (3) and (4), $W_i$ and $W_c$ are the weights of the input gate and the tanh gate, $h_{t-1}$ is the previous output of the t-th layer, $x_t$ is the input of the t-th layer, and $b_i$ and $b_c$ are the biases of the input gate and the tanh gate, respectively.
4. The method for detecting the edge cloud anomaly based on the trusted long-short term memory network according to claim 1, wherein the third step is realized by the following sub-steps:
e) Updating the cell state. To update the old cell state $C_{t-1}$ to the new cell state $C_t$, the old state is multiplied by $f_t$, which forgets the part that was to be forgotten, and then
Figure FDA0003055841320000023
is added to obtain the new cell state. The new cell state $C_t$ can be expressed as:
Figure FDA0003055841320000024
f) Determining the output value. The output is based on the cell state, but is a filtered version of it. First, a sigmoid layer is run to decide which parts of the cell state should be output; the output portion of the cell state can be expressed as:
$o_t = \sigma(W_o \cdot [h_{t-1}, x_t] + b_o)$ (6)
The cell state is then passed through the tanh gate and multiplied by the output of the sigmoid gate; the resulting output portion $h_t$, which is updated through the entire system, can be expressed as:
$h_t = o_t * \tanh(C_t)$ (7).
CN202110500177.8A 2021-05-08 2021-05-08 Edge cloud anomaly detection method based on reliable long-term and short-term memory network Pending CN113138904A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110500177.8A CN113138904A (en) 2021-05-08 2021-05-08 Edge cloud anomaly detection method based on reliable long-term and short-term memory network

Publications (1)

Publication Number Publication Date
CN113138904A true CN113138904A (en) 2021-07-20

Family

ID=76816967

Country Status (1)

Country Link
CN (1) CN113138904A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination