CN113850294A - Abnormal encrypted traffic identification method and system - Google Patents

Info

Publication number: CN113850294A
Authority: CN (China)
Prior art keywords: flow, abnormal, traffic, features, module
Legal status: Pending
Application number: CN202110967661.1A
Other languages: Chinese (zh)
Inventors: 戴世诚, 王霄雨, 袁凯, 乔安, 袁晨晖
Current Assignee: Tianyi Digital Life Technology Co Ltd
Original Assignee: Tianyi Digital Life Technology Co Ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/211 Selection of the most significant subset of features
    • G06F18/2115 Selection of the most significant subset of features by evaluating different subsets according to an optimisation criterion, e.g. class separability, forward selection or backward elimination

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]


Abstract

The invention relates to a method and system for identifying abnormal encrypted traffic based on REF-PSO feature extraction. A preprocessing module performs traffic cleaning and flow aggregation. A feature extraction module assigns weights to the features using the ReliefF algorithm, removes the features with smaller weights, selects the traffic features with higher weights to initialize the particle swarm, and obtains an optimal feature subset through the PSO (particle swarm optimization) algorithm. A data set partitioning module divides the data into a training data set and a test data set at a ratio of 2:1. A model training module and a testing module perform training and testing on the training data set and the test data set respectively; the traffic is identified as normal encrypted traffic or abnormal encrypted traffic, and the identified abnormal encrypted traffic is further divided by malware type. The method effectively distinguishes normal encrypted traffic from abnormal encrypted traffic, with higher accuracy and shorter running time.

Description

Abnormal encrypted traffic identification method and system
Technical Field
The invention relates to the field of network security, in particular to a method and system for identifying abnormal encrypted traffic based on REF-PSO feature extraction.
Background
With the rapid development of the internet in recent years, network traffic has increased greatly. Network traffic includes normal traffic and abnormal traffic, and an increase in abnormal traffic means that a network failure or even a malicious network attack may be occurring. To prevent and promptly stop malicious network attacks and to maintain a good environment for internet users, efficient and accurate identification and analysis of abnormal traffic is of great significance.
Abnormal traffic can be divided into abnormal encrypted traffic and abnormal unencrypted traffic. Compared with abnormal unencrypted traffic, characteristics of abnormal encrypted traffic such as message length, time interval and information entropy are changed; the features it contains differ from those of abnormal unencrypted traffic, and it is difficult to identify.
At present there is little research on abnormal encrypted traffic identification, and the Moore feature set widely used in abnormal traffic identification based on multi-granularity features has several drawbacks: a large number of features (248 in total), strongly subjective feature selection, low identification accuracy and long identification time.
Therefore, a method and system with high accuracy and short identification time are needed for identifying abnormal encrypted traffic found in network monitoring.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter; nor is it intended to be used as an aid in determining or limiting the scope of the claimed subject matter.
Based on the characteristics of abnormal encrypted traffic, the invention focuses on analyzing the features of abnormal encrypted traffic, combines feature analysis with machine learning, and, by combining ReliefF feature selection with PSO (particle swarm optimization), provides a method and system for identifying abnormal encrypted traffic based on REF-PSO feature extraction.
The method and system can identify and analyze abnormal encrypted traffic found in network monitoring, and can promptly and effectively identify abnormal encrypted traffic generated by network problems, faults and malware attacks, so that network faults are eliminated and network problems are solved at the first opportunity. The method can be applied to different types of abnormal encrypted traffic, including abnormal encrypted traffic generated by malware attacks during e-mail, web browsing, video and audio, instant messaging and file transfer.
The method for identifying abnormal encrypted traffic based on REF-PSO feature extraction comprises the following steps: performing traffic cleaning, and performing flow aggregation on the cleaned traffic; performing feature extraction, in which traffic features with lower weights are filtered out using the ReliefF algorithm, the traffic features with higher weights are selected to initialize the particle swarm, and an optimal feature subset is obtained through the PSO (particle swarm optimization) algorithm; dividing the processed traffic data into a training data set and a test data set; training the model and tuning its parameters using the training data set, and testing the tuned model using the test data set; and identifying the traffic as normal encrypted traffic or abnormal encrypted traffic.
The system for identifying abnormal encrypted traffic based on REF-PSO feature extraction comprises a data processing module and an abnormal traffic identification module, wherein: the data processing module comprises a preprocessing module for traffic cleaning and flow aggregation, a feature extraction module for feature extraction, and a data set partitioning module for partitioning the data set; the abnormal traffic identification module comprises a model training module and a testing module. The feature extraction module filters out traffic features with lower weights using the ReliefF algorithm, selects the traffic features with higher weights to initialize the particle swarm, and obtains an optimal feature subset through the PSO (particle swarm optimization) algorithm.
These and other features and advantages will become apparent upon reading the following detailed description and upon reference to the accompanying drawings. It is to be understood that both the foregoing general description and the following detailed description are explanatory only and are not restrictive of aspects as claimed.
Drawings
The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which specific embodiments of the invention are shown.
FIG. 1 is an overall flow diagram of the REF-PSO based abnormal encrypted traffic identification method according to the present invention;
FIG. 2 shows the detailed steps of the weight assignment in FIG. 1;
FIG. 3 is a graph of the classification model parameter selection results in the model training of FIG. 1;
FIG. 4 shows the detailed steps of traffic identification in FIG. 1;
FIG. 5 is a block diagram of the REF-PSO based abnormal encrypted traffic identification system according to the present invention.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
Detailed Description
The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which specific embodiments of the invention are shown. Various advantages and benefits of the present invention will become apparent to those of ordinary skill in the art upon reading the following detailed description of the specific embodiments. It should be understood, however, that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. The following embodiments are provided so that the invention may be more fully understood. Unless otherwise defined, technical or scientific terms used herein shall have the ordinary meaning as understood by those of skill in the art to which this application belongs.
The invention combines ReliefF feature selection with PSO (particle swarm optimization) and establishes an abnormal traffic identification model based on REF-PSO feature extraction, so that the respective shortcomings of ReliefF feature selection and PSO in feature processing are overcome and a feature subset with strong distinguishing capability can be obtained effectively.
In the REF-PSO-based abnormal encrypted traffic identification method, ReliefF feature selection assigns weights to a number of features, and the feature group with strong classification capability is selected according to the weights, reducing the feature dimension and thereby the computation required for the particle space search. The inconsistency rate is used as the fitness function of the REF-PSO method: it has low computational complexity, measures the consistency between features and samples, and effectively reflects the quality of a feature set. Particle velocities and positions are updated according to the fitness, redundant features in the feature set are eliminated, and the optimal feature subset is obtained. With the features optimized, an XGBoost classification model is selected and its optimal parameters are determined, and normal encrypted traffic, abnormal encrypted traffic and malware are then classified, identified and analyzed, so that abnormal encrypted traffic caused by network problems, faults and malware attacks can be identified promptly and effectively, network faults can be eliminated at the first opportunity, and network problems can be solved.
The method for identifying abnormal encrypted traffic based on REF-PSO according to the present invention is specifically explained below with reference to the drawings.
The overall flow chart of the method is shown in FIG. 1 and comprises five stages: data preprocessing (100), feature extraction (200), data set partitioning (300), model training (400) and traffic identification, namely model testing (500). The data are processed and divided into a training set and a test set, and indexes based on machine learning classification results are used for evaluation. According to the characteristics of abnormal traffic, the number, length and duration of the data packets contained in a network flow, together with their statistical features, are selected as the feature screening objects; that is, 72 features are screened from the 248 features of the Moore feature set and assigned weights. Feature groups with strong classification capability are selected according to the weights to reduce dimensionality, redundant features are eliminated, and an optimal feature subset of 18 features is obtained. With suitable classifier parameters selected, the extracted features are used for classification and identification of abnormal encrypted traffic. Specifically, the method comprises the following stages:
Stage 100, data preprocessing, includes step 110 (traffic cleaning) and step 120 (flow aggregation). Traffic cleaning mainly removes special fields (the VLAN fields in data packets) from the data messages that are read; incomplete data messages (incomplete traffic data) must also be removed from the original data packets. Flow aggregation is then performed on the cleaned traffic: data packets with the same five-tuple are aggregated into one network flow (comprising incoming and outgoing data packets).
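An added example, not code from the patent, sketching stage 100 in Python: it skips 802.1Q VLAN tags, discards incomplete frames, and aggregates the remaining packets into bidirectional flows keyed by five-tuple. The frame builder, function names and sample addresses are constructed for illustration, and the transport header is reduced to its port fields.

```python
import socket
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def build_frame(src, dst, sport, dport, payload_len, vlan=None, proto=6):
    """Constructed sample frame: Ethernet [+802.1Q] / IPv4 / port fields / padding."""
    eth = b"\x02" * 6 + b"\x04" * 6
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack(IP_HDR, 0x45, 0, 24 + payload_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * payload_len


def clean(frame):
    """Return ((src, sport, dst, dport, proto), ip_len), or None to discard."""
    offset = 12
    if len(frame) < offset + 2:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == ETH_VLAN:  # skip each 4-byte VLAN tag
        offset += 4
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    ver_ihl, _, ip_len, _, _, _, proto, _, src, dst = struct.unpack_from(
        IP_HDR, frame, offset)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto not in (6, 17):
        return None
    if ip_len < ihl + 4 or len(frame) < offset + ip_len:  # incomplete packet
        return None
    sport, dport = struct.unpack_from("!HH", frame, offset + ihl)
    return (src, sport, dst, dport, proto), ip_len


def aggregate(frames):
    """Group cleaned packets into bidirectional flows; returns (flows, dropped)."""
    flows, dropped = {}, 0
    for frame in frames:
        parsed = clean(frame)
        if parsed is None:
            dropped += 1
            continue
        (src, sport, dst, dport, proto), ip_len = parsed
        a, b = (src, sport), (dst, dport)
        key = (min(a, b), max(a, b), proto)  # same key for both directions
        flow = flows.setdefault(key, {"initiator": a, "out_pkts": 0, "out_bytes": 0,
                                      "in_pkts": 0, "in_bytes": 0})
        side = "out" if a == flow["initiator"] else "in"
        flow[side + "_pkts"] += 1
        flow[side + "_bytes"] += ip_len
    return flows, dropped


def sample_capture():
    """Constructed capture: one TCP flow (tagged and untagged), one UDP flow, one cut frame."""
    client, server = "192.0.2.10", "198.51.100.5"
    return [
        build_frame(client, server, 50000, 443, 100, vlan=20),
        build_frame(server, client, 443, 50000, 1400),
        build_frame(client, server, 50000, 443, 60, vlan=20),
        build_frame(client, server, 50001, 443, 40, proto=17),
        build_frame(server, client, 443, 50000, 900)[:200],  # truncated in capture
    ]


if __name__ == "__main__":
    flows, dropped = aggregate(sample_capture())
    for (a, b, proto), flow in flows.items():
        print(socket.inet_ntoa(a[0]), a[1], socket.inet_ntoa(b[0]), b[1], proto, flow)
    print("dropped:", dropped)
```

Packet counts and byte totals per direction are the raw material for the count, length and duration statistics that the later stages select from.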
Stage 200, feature extraction, includes step 210 (weight assignment) and step 220 (feature optimization). Feature extraction builds on the traffic cleaning and flow aggregation of data preprocessing. In step 210 the ReliefF algorithm filters out the features with lower weights, reducing the feature dimension; in step 220 the features with higher weights are selected, the particle swarm is initialized, and the optimal feature subset is obtained through the PSO algorithm.
In the feature extraction process, the evaluation indexes are determined first.
The features extracted by the REF-PSO algorithm are evaluated using indexes based on machine learning classification results. The commonly used evaluation indexes are accuracy, recall, precision and F-measure, calculated as follows:
Figure BDA0003224733590000051
Figure BDA0003224733590000052
Figure BDA0003224733590000053
Figure BDA0003224733590000054
Here TP (True Positive) is the number of positive examples predicted as positive, FP (False Positive) is the number of negative examples predicted as positive, TN (True Negative) is the number of negative examples predicted as negative, and FN (False Negative) is the number of positive examples predicted as negative.
The features extracted in stage 200 (feature extraction) are all derived from the Moore feature set. The Moore feature set is one of the most widely used feature sets for network traffic classification and identification; it defines 248 features in total, numbered from 1 to 248. The features in the Moore feature set fall into five categories: port-related features; the number of packets contained in a network flow and related statistical features; the length of the packets and related statistical features; time-related features of the network flow (including the duration of the flow, the time intervals and related statistical features); and features related to TCP bidirectional flows and flag bits.
According to the characteristics of abnormal traffic, the invention selects the number and length of the data packets contained in a network flow, the duration of the flow, and their related statistical features as the feature screening objects, 72 in total. The REF-PSO algorithm assigns weights to these 72 features, and the feature group with stronger classification capability is selected according to the weights, reducing the feature dimension and thereby the computation required for the particle space search. The specific steps of weight assignment 210 in FIG. 1 are as follows (see FIG. 2):
Step 211: assign weights to the 72 features using the ReliefF algorithm, remove the features with smaller weights, and select a good feature subset from them:
The ReliefF algorithm assigns weights to the 72 features in the Moore feature set related to packet number, packet length, flow duration and their statistical features (the features are numbered 1-72). The sample feature weight is a random number between 0 and 100, and the ordering of part of the feature weights is shown in Table 1:
Table 1
Figure BDA0003224733590000055
Figure BDA0003224733590000061
Step 212: select the features with higher weights in the feature subset to initialize the particle swarm of the PSO algorithm;
Step 213: calculate the fitness, and update the velocity and position of each particle according to its fitness. The fitness is calculated as follows:
Figure BDA0003224733590000062
In the formula, $S_T$ is the total number of samples, $S_F$ is the total number of samples containing the feature combination, and $S_M$ is the number of samples with the most frequently occurring label.
Step 214: if the maximum number of iterations is reached or the fitness value no longer changes, output the optimal solution (namely the optimal feature subset); otherwise repeat the third step (step 213).
With the feature weights assigned, step 220 (feature optimization) searches for the optimal particle using the PSO algorithm to obtain the optimal feature subset. The 18 features finally selected are shown in Table 2:
Table 2
Figure BDA0003224733590000063
Next, in stage 300 dataset partitioning, the processed dataset is partitioned into a training dataset and a testing dataset in a 2:1 ratio.
Then, in stage 400, an XGBoost (eXtreme Gradient Boosting) classifier is trained on the training data set produced in stage 300. The purpose of model training is to tune the classifier parameters; the tuned parameters are then used in the subsequent model testing on the test data set.
In model training, the optimal max_depth parameter of the XGBoost classifier is obtained by statistical analysis of parameter values on the data set samples. The classification model parameter selection results in FIG. 3 (the ordinate is the accuracy percentage) show that the classification accuracy for abnormal traffic and for malware is highest when max_depth is 8.
Finally, in stage 500, as shown in FIG. 4, the traffic is first identified as normal encrypted traffic or abnormal encrypted traffic by an XGBoost binary classifier, and the malware type is then further distinguished (Miuref, Zbot, Emotet, Dridex, and so on) by an XGBoost multi-class classifier.
With suitable classifier parameters selected, features were extracted from the experimental data set using the REF-PSO algorithm and the traditional PSO algorithm respectively, and the extracted features were used for classification and identification of abnormal encrypted traffic. In this comparison the REF-PSO method provided by the invention has a short running time and high accuracy; the specific comparison results are as follows:
Figure BDA0003224733590000071
The REF-PSO method provided by the invention has a fitness function of lower complexity and does not need to run a classification algorithm in each iteration, so its running time is markedly lower than that of the PSO algorithm. In addition, through the dimension reduction of the REF method, the REF-PSO method effectively avoids being trapped in local optima, and its accuracy is 11.5% higher than that of the traditional PSO method. The improved REF-PSO algorithm therefore classifies abnormal encrypted traffic more efficiently and identifies it more accurately.
FIG. 5 is a block diagram of the REF-PSO based abnormal encrypted traffic identification system according to the present invention.
The system includes a data processing module 510 and an abnormal traffic identification module 520, wherein:
the data processing module 510 further includes a preprocessing module 511 for traffic cleaning and flow aggregation, a feature extraction module 512 for feature extraction, and a data set partitioning module 513 for data set partitioning;
the abnormal traffic identification module 520 further includes a model training module 521 and a testing module 522.
The invention relates to a method for identifying abnormal encrypted traffic based on particle swarm optimization feature extraction. The REF-PSO feature extraction algorithm uses the ReliefF algorithm to optimize the 248 features of the Moore feature set: the 72 features related to the number and length of the data packets contained in a network flow and the duration of the flow are screened out and assigned weights, the features with lower weights are removed, and the PSO algorithm searches for the optimal particle to obtain the optimal feature subset. Finally, the XGBoost classification algorithm classifies and identifies normal encrypted traffic, abnormal encrypted traffic and malware.
In this way, normal encrypted traffic and abnormal encrypted traffic can be effectively distinguished. Compared with a traditional abnormal traffic identification algorithm based on multi-granularity features, the identification accuracy rises from 87.1% to 98.6% and the running time falls by 40.8%. The classification performance of feature extraction is markedly improved, classification and identification accuracy is higher, identification time is greatly reduced, and the method classifies well the different malware found in e-mail, web browsing, video and audio, instant messaging and similar traffic.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present disclosure, and the present disclosure should be construed as being covered by the claims and the specification.

Claims (10)

1. A method for identifying abnormal encrypted traffic based on REF-PSO feature extraction, comprising the following steps:
performing traffic cleaning, and performing flow aggregation on the cleaned traffic;
performing feature extraction, in which traffic features with lower weights are filtered out using the ReliefF algorithm, the traffic features with higher weights are selected to initialize the particle swarm, and an optimal feature subset is obtained through the PSO (particle swarm optimization) algorithm;
dividing the processed traffic data into a training data set and a test data set;
training the model and tuning its parameters using the training data set, and testing the tuned model using the test data set; and
identifying the traffic as normal encrypted traffic or abnormal encrypted traffic.
2. The method of claim 1, wherein the step of performing traffic cleaning and flow aggregation comprises clearing the VLAN fields in the read data packets, removing incomplete data packets from the original data packets, and aggregating the data packets with the same five-tuple into a network flow.
3. The method of claim 1, wherein the features extracted in the feature extraction step are derived from the Moore feature set; the feature extraction includes weight assignment and feature optimization; the ReliefF algorithm assigns weights to the features in the Moore feature set related to the number and length of data packets, the flow duration and their statistical features; the features with smaller weights are removed; the features with higher weights are selected to initialize the particle swarm of the PSO algorithm; the fitness of the particles is calculated; the velocity and position of the particles are updated according to their fitness; and the optimal feature subset is output when the maximum number of iterations is reached or the fitness value no longer changes.
4. The method of claim 1, wherein the training data set and the test data set are divided in a ratio of 2:1.
5. The method of claim 1, wherein the optimal parameters are obtained by performing a parameter statistical analysis on the data set samples during model training.
6. The method of claim 1, wherein identifying the traffic as normal encrypted traffic or abnormal encrypted traffic is performed by an XGBoost binary classifier, the method further comprising dividing the identified abnormal encrypted traffic by malware type using an XGBoost multi-class classifier.
7. A system for identifying abnormal encrypted traffic based on REF-PSO feature extraction, comprising a data processing module and an abnormal traffic identification module, wherein:
the data processing module comprises a preprocessing module for traffic cleaning and flow aggregation, a feature extraction module for feature extraction, and a data set partitioning module for partitioning the data set;
the abnormal traffic identification module comprises a model training module and a testing module; and
the feature extraction module filters out traffic features with lower weights using the ReliefF algorithm, selects the traffic features with higher weights to initialize the particle swarm, and obtains an optimal feature subset through the PSO (particle swarm optimization) algorithm.
8. The system of claim 7, wherein the feature extraction module assigns weights, using the ReliefF algorithm, to the features in the Moore feature set related to the number and length of data packets, the flow duration and their statistical features, removes the features with smaller weights, selects the features with higher weights to initialize the particle swarm of the PSO algorithm, calculates the fitness of the particles, updates the velocity and position of the particles according to their fitness, and outputs the optimal feature subset when the maximum number of iterations is reached or the fitness value no longer changes.
9. The system of claim 7, wherein the abnormal traffic identification module identifies the traffic as normal encrypted traffic or abnormal encrypted traffic and divides the identified abnormal encrypted traffic by malware type.
10. The system of claim 7, wherein the preprocessing module clears the VLAN fields in the read data packets, removes incomplete data packets from the original data packets, and aggregates the data packets with the same five-tuple into a network flow.
Application CN202110967661.1A, "Abnormal encrypted traffic identification method and system": priority date 2021-08-23, filing date 2021-08-23, status Pending.
Published as CN113850294A (en) on 2021-12-28.
Family ID: 78975908. Country status: CN.
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination