CN113553581A - Intrusion detection system for unbalanced data - Google Patents
Intrusion detection system for unbalanced data Download PDFInfo
- Publication number
- CN113553581A CN113553581A CN202110785175.8A CN202110785175A CN113553581A CN 113553581 A CN113553581 A CN 113553581A CN 202110785175 A CN202110785175 A CN 202110785175A CN 113553581 A CN113553581 A CN 113553581A
- Authority
- CN
- China
- Prior art keywords
- data
- sample
- intrusion detection
- detection system
- unbalanced
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 69
- 238000005070 sampling Methods 0.000 claims abstract description 25
- 238000012549 training Methods 0.000 claims description 11
- 238000007781 pre-processing Methods 0.000 claims description 7
- 239000000523 sample Substances 0.000 description 61
- 230000006870 function Effects 0.000 description 14
- 238000010586 diagram Methods 0.000 description 6
- 238000000034 method Methods 0.000 description 6
- 238000013459 approach Methods 0.000 description 3
- 238000010276 construction Methods 0.000 description 3
- 238000004590 computer program Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000012952 Resampling Methods 0.000 description 1
- 230000004913 activation Effects 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 201000010099 disease Diseases 0.000 description 1
- 208000037265 diseases, disorders, signs and symptoms Diseases 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 238000002474 experimental method Methods 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000002194 synthesizing effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06T—IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
- G06T3/00—Geometric image transformations in the plane of the image
- G06T3/40—Scaling of whole images or parts thereof, e.g. expanding or contracting
- G06T3/4007—Scaling of whole images or parts thereof, e.g. expanding or contracting based on interpolation, e.g. bilinear interpolation
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Evolutionary Computation (AREA)
- Evolutionary Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Computational Biology (AREA)
- Artificial Intelligence (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computer Hardware Design (AREA)
- Burglar Alarm Systems (AREA)
Abstract
The invention discloses an intrusion detection system aiming at unbalanced data, which comprises an acquisition module, a code reading module, a classification module, an up-sampling module and an intrusion detection module.
Description
Technical Field
The invention mainly relates to the technical field of computers, in particular to an intrusion detection system aiming at unbalanced data.
Background
Data imbalance refers to the fact that the data amount greatly varies from one category to another due to the difference of data distribution. In practical applications, the problem of data imbalance is widely existed, especially in the fields of financial fraud, disease diagnosis, etc. The significant characteristic of data imbalance is that a certain class of data is very easy to obtain, and a part of classes of data cause very rare samples due to the difficulty of acquisition.
A general intrusion detection system needs to collect a large amount of behavior data, a pattern expert carries out statistical analysis to find characteristics, a tag comparison base is added, or by utilizing data mining and machine learning algorithms, the characteristics are firstly abstracted and extracted, and an algorithm model is used for training and detecting to judge the safety. However, the above construction method is very dependent on the acquired data samples, and for the data with unbalanced distribution, the prediction of the result will cause large deviation if no additional processing is performed.
Disclosure of Invention
In order to solve the problems, the invention provides an intrusion detection system for unbalanced data, aims at the phenomenon that part of data distribution is unbalanced in intrusion detection, eliminates partial category unbalance by resampling data in data set construction, and further reduces the difficulty of unbalanced data classification on an intrusion detection model, can effectively solve the problem of unbalanced data detection in the intrusion detection system, can further improve the capability of ensuring system safety, and achieves high efficiency and intelligence.
Specifically, the present invention provides an intrusion detection system for unbalanced data, including:
the acquisition module is used for acquiring a data sample;
the classification module is used for classifying the data samples to obtain a minority sample set and a majority sample set;
the up-sampling module is used for up-sampling the minority sample set by using a preset sampling algorithm, and adding a new data sample obtained by up-sampling into the data sample to form to-be-detected data;
and the intrusion detection module is used for inputting the data to be detected into a pre-trained intrusion detection model for detection so as to judge the safety.
Preferably, the intrusion detection system for unbalanced data as described above further includes:
and the model training module is used for training the intrusion detection model in advance to obtain the trained intrusion detection model, and the training of the intrusion detection model adopts a Focal local Loss function.
Preferably, as mentioned above, the acquisition module includes a raw data acquisition unit and a data preprocessing unit.
Preferably, in the intrusion detection system for unbalanced data described above, the raw data acquiring unit acquires raw data; and the data preprocessing unit removes invalid data and repeated data in the original data to obtain a data sample.
Preferably, in the intrusion detection system for unbalanced data described above, the classification module includes a feature statistics unit and a sample classification unit.
Preferably, in the intrusion detection system for unbalanced data described above, the feature statistics unit performs feature statistics on the data samples to obtain corresponding data features; the sample classification unit classifies the data characteristics to obtain a numerical value attribute, a sequence attribute and a category attribute; and dividing all data samples into a minority sample set and a majority sample set according to the category attributes.
Preferably, in the intrusion detection system for unbalanced data described above, the preset sampling algorithm is a SMOTE sampling algorithm.
Preferably, as mentioned above, the up-sampling module includes a neighbor sample acquiring unit and a linear interpolation unit.
Preferably, in the intrusion detection system for unbalanced data described above, the neighbor sample acquiring unit calculates, for each sample in the minority sample set, a distance from each sample to all samples in the minority sample set using euclidean distance as a standard, and obtains the k neighbor samples thereof according to the distance.
Preferably, in the intrusion detection system for unbalanced data as described above, the linear interpolation unit randomly selects a preset number of neighboring samples from k neighboring samples of each minority sample, and constructs a new data sample with the original minority sample according to the following formula for each randomly selected neighboring sample:
xim=xi+λ1*(xin-xi) (ii) a Wherein x isimRepresenting a new data sample, xiRepresenting randomly selected neighboring samples, xinRepresenting the original minority class of samples, λ1Is a random number between 0 and 1.
The intrusion detection system aiming at the unbalanced data has the following beneficial effects that:
aiming at the phenomenon of unbalanced distribution of partial data in intrusion detection, in the construction of a data set, data is resampled to eliminate unbalance of partial categories, and in addition, the difficulty of unbalanced data classification is further reduced on an intrusion detection model, so that the problem of unbalanced data detection in an intrusion detection system can be effectively solved, the capability of guaranteeing the safety of the system can be further improved, and high-efficiency intelligence is realized.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a diagram illustrating an intrusion detection system for unbalanced data according to a first embodiment of the present invention;
fig. 2 is a structural diagram of an acquisition module according to a first embodiment of the invention;
FIG. 3 is a block diagram of a classification module according to a first embodiment of the invention;
fig. 4 is a schematic diagram illustrating a format and information of network data according to a first embodiment of the present invention;
fig. 5 is a block diagram of an up-sampling module according to a first embodiment of the present invention;
FIG. 6 is a flowchart illustrating specific steps for classifying data samples according to a first embodiment of the present invention;
FIG. 7 is a block diagram of another intrusion detection system for unbalanced data according to a first embodiment of the present invention;
FIG. 8 shows the final comparison results using a consistent TCN-IDS model;
fig. 9 is a flowchart illustrating an intrusion detection method for unbalanced data according to a second embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Example one
As shown in fig. 1, an embodiment of the present invention provides an intrusion detection system 100 for unbalanced data, which includes the following modules:
an obtaining module 110, configured to obtain a data sample;
as shown in fig. 2, the acquisition module 110 includes a raw data acquisition unit 111 and a data preprocessing unit 112. The raw data acquisition unit 111 acquires raw data; the data preprocessing unit 112 removes invalid data and duplicate data in the original data to obtain a data sample.
A classification module 120, configured to perform classification processing on the data samples to obtain a minority sample set and a majority sample set;
as shown in fig. 3, the classification module 120 includes a feature statistics unit 121 and a sample classification unit 122. The feature statistics unit 121 performs feature statistics on the data samples to obtain corresponding data features; the sample classification unit 122 classifies the data features to obtain a numerical value attribute, a sequence attribute and a category attribute; and dividing all data samples into a minority sample set and a majority sample set according to the category attribute.
The above-described acquisition module 110 and classification module 120 are further illustrated. Taking an input data source as an example of network data, the format and information are shown in fig. 4, including inherent attributes, contents, network-based traffic, host-based traffic, and classes, and the like, and it can be seen that the method has fixed protocol features and traffic features, wherein a classification label such as normal is a class attribute, most of the character features are protocol-related information, include sequence features, and most of the character features are numerical features. Initializing the sample data, preprocessing the raw data, and counting features includes: and removing invalid data and repeated data, and classifying data characteristics, including numerical attributes, sequence attributes and category attributes. And classifying the data according to the class labels, wherein the data is in minority classes and majority classes, so that a minority sample set and a majority sample set are obtained.
The upsampling module 130 is configured to upsample the minority sample set by using a preset sampling algorithm, and add a new data sample obtained by upsampling to the data sample to form data to be detected;
the preset sampling algorithm may be a SMOTE (Synthetic minimum Oversampling Technique) sampling algorithm.
As shown in fig. 5, the upsampling module 130 includes a neighboring sample obtaining unit 131 and a linear interpolation unit 132.
The neighboring sample obtaining unit 131 calculates, for each sample in the minority sample set, a distance from each sample to all samples in the minority sample set using the euclidean distance as a standard, and obtains the k neighboring sample according to the distance.
For each minority sample, the linear interpolation unit 132 randomly selects a preset number of neighboring samples from k neighboring samples thereof, and for each randomly selected neighboring sample, constructs a new data sample with the original minority sample according to the following formula:
xim=xi+λ1*(xin-xi) (ii) a Wherein x isimRepresenting a new data sample, xiRepresenting randomly selected neighboring samples, xinRepresenting the original minority class of samples, λ1Is a random number between 0 and 1.
In particular, the use of SMOTE sampling algorithm upsampled by 2, 40, and 10 times for the exemplary data classes Probe, U2L, and R2L, finds x from the few class samples that need to be upsampledinK neighbor samples of (a), labeled xi(near)Near ∈ {1,2 … k }; selecting one sample x from the obtained k samplesiTraversing the features (numerical, sequence and category) of each dimension, and if the features of the dimension are numerical, generating a random number λ between 0 and 11Then synthesizing the feature x of the new sample in the dimensionim=xi+λ1*(xin-xi) (ii) a If the characteristic of the dimension is a sequence attribute and is similar to a numerical attribute, performing interpolation generation, and taking an integer as a result; if the dimension feature is a category attribute, the dimension feature remains unchanged, and the specific steps are as shown in fig. 6. And repeating the steps until N new samples are generated, and integrating the samples into the original data to form the data to be detected.
And the intrusion detection module 140 is configured to input the data to be detected into a pre-trained intrusion detection model for detection, so as to determine security.
As shown in fig. 7, the system further includes the following modules:
and the model training module 150 is used for training the intrusion detection model in advance to obtain a trained intrusion detection model, wherein the intrusion detection model is trained by adopting a Focal local Loss function.
After the data up-sampling step is completed, the Loss function design of the intrusion detection model by using the improved Focal local Loss function comprises the following steps: using a modified Loss function, replacing the original Loss function with a Focal local function, wherein the Focal local function is expressed as: FL(pt)=-α(1-pt)γlog(pt) Gamma is a modulation coefficient, alpha is a balance factor, the importance of the sample class can be changed through alpha, and the loss contribution of the samples which are easy to classify and difficult to classify is influenced through gamma. p is a radical oftIs the predicted output (values between 0 and 1) through the associated activation function (e.g., sigmoid).
By changing the importance of the sample class by α, the loss contribution by γ affecting the easy-to-classify hard-to-classify samples includes: when a sample is classified incorrectly, then ptThe modulation factor is small, close to 1, and thus close to the original loss. p is a radical oftWhen the modulation coefficient approaches to 1 (namely the classification is correct and the sample is easy to classify), the modulation coefficient approaches to 0, then the loss approaches to 0, and the influence is small at the moment; when γ is 0, Focal local is a conventional cross-entropy function, which increases the modulation factor. Through multiple sets of comparison experiments, comparison of control variables is performed, the magnitudes of the modulation factor and the balance factor are adjusted, in this example, α is 0.3, γ is 2, and the final comparison result using the consistent TCN-IDS model is shown in fig. 8, where P, R, F1 and ACC are both evaluation indicators for machine learning and are not described in detail. Therefore, by adopting the improved strategy of improving SMOTE sampling and the Focal local function, the performance of the intrusion detection system can be effectively improved, and the detection capability of the intrusion detection system on unbalanced data is improved.
According to the intrusion detection system for unbalanced data, by using the SMOTE sampling algorithm and the Focal local Loss function, the generation of linear interpolation can be respectively carried out on unbalanced minority data on a data level, the up-sampling is completed, and the unbalanced distribution of the data is further solved. Meanwhile, the influence of the unbalanced data on the model can be further improved on the algorithm level by setting the modulation coefficient and the balance factor. Under the current complex network security environment, the detection capability of the intrusion detection system on unbalanced data is greatly improved, and the security of the system is guaranteed.
Example two
As shown in fig. 9, a second embodiment of the present invention provides an intrusion detection method for unbalanced data, including the following steps:
step S101: acquiring a data sample;
step S102: classifying the data samples to obtain a minority sample set and a majority sample set;
step S103: the minority sample set is subjected to upsampling by using a preset sampling algorithm, and a new data sample obtained by the upsampling is added into the data sample to form data to be detected;
step S104: and inputting the data to be detected into a pre-trained intrusion detection model for detection so as to judge the safety.
Preferably, the method further comprises the steps of:
and training an intrusion detection model in advance to obtain the trained intrusion detection model, wherein the training of the intrusion detection model adopts a Focal local Loss function.
It should be noted that:
the algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose devices may be used with the teachings herein. The required structure for constructing such a device will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known systems, structures, and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed system should not be interpreted to reflect the intent: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and disposed in one or more devices other than the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore, they may be divided into a plurality of units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any system or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Moreover, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than others, the combination of features of different embodiments is intended to be within the scope of the invention and form part of different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the creation apparatus of a virtual machine according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the system described herein. Such programs implementing the invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or modules not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (10)
1. An intrusion detection system for unbalanced data, comprising:
the acquisition module is used for acquiring a data sample;
the classification module is used for classifying the data samples to obtain a minority sample set and a majority sample set;
the up-sampling module is used for up-sampling the minority sample set by using a preset sampling algorithm, and adding a new data sample obtained by up-sampling into the data sample to form to-be-detected data;
and the intrusion detection module is used for inputting the data to be detected into a pre-trained intrusion detection model for detection so as to judge the safety.
2. The intrusion detection system for unbalanced data as recited in claim 1, further comprising:
and the model training module is used for training the intrusion detection model in advance to obtain the trained intrusion detection model, and the training of the intrusion detection model adopts a Focal local Loss function.
3. The intrusion detection system for unbalanced data as recited in claim 1, wherein the acquisition module comprises a raw data acquisition unit and a data pre-processing unit.
4. The intrusion detection system for unbalanced data according to claim 3, wherein the raw data obtaining unit obtains raw data; and the data preprocessing unit removes invalid data and repeated data in the original data to obtain a data sample.
5. The intrusion detection system for unbalanced data as recited in claim 1, wherein the classification module comprises a feature statistics unit and a sample classification unit.
6. The intrusion detection system for unbalanced data according to claim 5, wherein the feature statistics unit performs feature statistics on the data samples to obtain corresponding data features; the sample classification unit classifies the data features to obtain a numerical value attribute, a sequence attribute and a category attribute; and dividing all data samples into a minority sample set and a majority sample set according to the category attribute.
7. The intrusion detection system for unbalanced data as recited in claim 1, wherein the predetermined sampling algorithm is a SMOTE sampling algorithm.
8. The intrusion detection system for unbalanced data as recited in claim 7, wherein the up-sampling module comprises a neighbor sample acquisition unit and a linear interpolation unit.
9. The intrusion detection system according to claim 8, wherein the neighbor sample acquiring unit calculates a distance from each sample to all samples in the minority sample set using euclidean distance as a criterion for each sample in the minority sample set, and obtains k neighbor samples thereof according to the distance.
10. The intrusion detection system for unbalanced data according to claim 9, wherein the linear interpolation unit randomly selects a preset number of neighboring samples from k neighboring samples for each minority sample, and constructs a new data sample for each randomly selected neighboring sample according to the following formula with the original minority sample, respectively:
xim=xi+λ1*(xin-xi) (ii) a Wherein x isimRepresenting a new data sample, xiRepresenting randomly selected neighbour samples, xinRepresents the original minorityClass sample, λ1Is a random number between 0 and 1.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110785175.8A CN113553581A (en) | 2021-07-12 | 2021-07-12 | Intrusion detection system for unbalanced data |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110785175.8A CN113553581A (en) | 2021-07-12 | 2021-07-12 | Intrusion detection system for unbalanced data |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113553581A true CN113553581A (en) | 2021-10-26 |
Family
ID=78131600
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110785175.8A Pending CN113553581A (en) | 2021-07-12 | 2021-07-12 | Intrusion detection system for unbalanced data |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113553581A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20180210944A1 (en) * | 2017-01-26 | 2018-07-26 | Agt International Gmbh | Data fusion and classification with imbalanced datasets |
| CN111914253A (en) * | 2020-08-10 | 2020-11-10 | 中国海洋大学 | Method, system, equipment and readable storage medium for intrusion detection |
| CN112085046A (en) * | 2019-06-13 | 2020-12-15 | 中国科学院计算机网络信息中心 | Intrusion detection method and system based on sampling and feature reduction for unbalanced data set conversion |
| CN112766379A (en) * | 2021-01-21 | 2021-05-07 | 中国科学技术大学 | Data equalization method based on deep learning multi-weight loss function |
-
2021
- 2021-07-12 CN CN202110785175.8A patent/CN113553581A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20180210944A1 (en) * | 2017-01-26 | 2018-07-26 | Agt International Gmbh | Data fusion and classification with imbalanced datasets |
| CN112085046A (en) * | 2019-06-13 | 2020-12-15 | 中国科学院计算机网络信息中心 | Intrusion detection method and system based on sampling and feature reduction for unbalanced data set conversion |
| CN111914253A (en) * | 2020-08-10 | 2020-11-10 | 中国海洋大学 | Method, system, equipment and readable storage medium for intrusion detection |
| CN112766379A (en) * | 2021-01-21 | 2021-05-07 | 中国科学技术大学 | Data equalization method based on deep learning multi-weight loss function |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20220222929A1 (en) | Method and device for testing the robustness of an artificial neural network | |
| US11941491B2 (en) | Methods and apparatus for identifying an impact of a portion of a file on machine learning classification of malicious content | |
| US20170063893A1 (en) | Learning detector of malicious network traffic from weak labels | |
| CN114244603B (en) | Anomaly detection and comparison embedded model training and detection method, device and medium | |
| CN111818198B (en) | Domain name detection method, domain name detection device, equipment and medium | |
| CN112200081A (en) | Abnormal behavior identification method and device, electronic equipment and storage medium | |
| CN115511890A (en) | Analysis system for large-flow data of special-shaped network interface | |
| CN112884121A (en) | Traffic identification method based on generation of confrontation deep convolutional network | |
| CN110581856A (en) | malicious code detection method and system | |
| Hashemi et al. | Runtime monitoring for out-of-distribution detection in object detection neural networks | |
| Ugarte-Pedrero et al. | On the adoption of anomaly detection for packed executable filtering | |
| Karakose | Reinforcement learning based artificial immune classifier | |
| CN112839047A (en) | Asset vulnerability scanning method, device, equipment and medium on cloud platform | |
| Čeponis et al. | Evaluation of deep learning methods efficiency for malicious and benign system calls classification on the AWSCTD | |
| CN113591892A (en) | Training data processing method and device | |
| CN113553581A (en) | Intrusion detection system for unbalanced data | |
| CN111582647A (en) | User data processing method and device and electronic equipment | |
| CN113553580A (en) | Intrusion detection method for unbalanced data | |
| CN111695117B (en) | Webshell script detection method and device | |
| CN114492366A (en) | Binary file classification method, computing device and storage medium | |
| CN114241253A (en) | Model training method, system, server and storage medium for illegal content identification | |
| CN113591881A (en) | Intention recognition method and device based on model fusion, electronic equipment and medium | |
| Xiong et al. | An Anomaly Detection Framework for System Logs Based on Ensemble Learning | |
| CN111581640A (en) | Malicious software detection method, device and equipment and storage medium | |
| CN113569879A (en) | Training method of abnormal recognition model, abnormal account recognition method and related device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20211026 |
|
| RJ01 | Rejection of invention patent application after publication |