CN113987482B - IP first access detection method, system and equipment based on FM - Google Patents

Publication number
CN113987482B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111615931.9A
Other languages
Chinese (zh)
Other versions
CN113987482A (en)
Inventor
苗功勋
刘洋洋
娄爱涛
路冰
邹斯达
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongfu Information Co Ltd
Original Assignee
Zhongfu Information Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application discloses an IP first access detection method, system and device based on FM, mainly relates to the technical field of access detection, and aims to solve the technical problem that the existing first access detection method is high in false alarm rate. The method comprises the following steps: determining the access frequency between a source IP and a target IP according to the source IP and the target IP in a plurality of historical flow access logs; obtaining a trained preset FM algorithm; acquiring a parameter list between a source IP and a target IP according to a trained preset FM algorithm and a preset grid search algorithm; wherein, the list comprises the access probability between the source IP and the destination IP; and acquiring the actual access destination IP of the source IP, and when the first access probability of the actual access destination IP in the parameter list is smaller than the preset access probability, determining that the source IP has a first access behavior. The false alarm rate of the first detection is reduced by the method.

Description

IP first access detection method, system and equipment based on FM
Technical Field
The present application relates to the field of access detection technologies, and in particular, to a method, a system, and a device for detecting a first access to an IP based on an FM.
Background
Detecting compromised hosts or threatening users from traffic data is an important part of user behavior analysis, and the first access of a host IP is a typical potential threat. When a host IP suddenly accesses a server that it has never accessed before, or one that is completely unrelated to its user's work, this usually means that the host may be compromised or that the host user may pose a risk of collecting information in order to leak it.
At present, first access is mainly detected with black and white lists and threshold rules, but because the first access involves too many influencing factors, fixed rules or thresholds easily cause false alarms.
Therefore, how to capture the abnormality in time, before the intruder or the leaker has collected the information, so as to reduce the leakage risk and loss while also reducing the false alarm rate, has become a problem to be solved urgently.
Disclosure of Invention
In view of the above-mentioned deficiencies of the prior art, the present invention provides a method, a system and a device for detecting the first access of an IP based on FM, so as to solve the above-mentioned technical problems.
In a first aspect, an embodiment of the present application provides an FM-based IP first access detection method, where the method includes: determining the access frequency between a source IP and a target IP according to the source IP and the target IP in a plurality of historical flow access logs; carrying out training by bringing the source IP, the destination IP and the access frequency after data preprocessing into a preset FM algorithm formula to obtain a trained preset FM algorithm; acquiring a parameter list between a source IP and a target IP according to a trained preset FM algorithm and a preset grid search algorithm; wherein, the list comprises the access probability between the source IP and the destination IP; and acquiring the actual access destination IP of the source IP, and when the first access probability of the actual access destination IP in the parameter list is smaller than the preset access probability, determining that the source IP has a first access behavior.
In an implementation manner of the present application, determining an access frequency between a source IP and a destination IP according to the source IP and the destination IP in a plurality of historical traffic access logs specifically includes: acquiring a source IP and a destination IP in a historical flow access log; and in a preset fixed detection time window, counting the access frequency of the source IP for accessing the destination IP.
In an implementation manner of the present application, before the source IP, the destination IP, and the access frequency after data preprocessing are brought into a preset FM algorithm formula for training, the method further includes: converting the format types of the source IP and the target IP into an Int type based on a preset IP-Int database; and acquiring the access frequency after discretization processing by presetting a discretization conversion algorithm.
In an implementation manner of the present application, the preset FM algorithm formula is specifically as follows:
Figure 681698DEST_PATH_IMAGE001
;
Figure 453345DEST_PATH_IMAGE002
;
wherein x is a source IP, f is an access frequency, omega is a destination IP, y is an access probability, <[Figure DEST_PATH_IMAGE003], [Figure 403984DEST_PATH_IMAGE004]> is the cross term, [Figure 286489DEST_PATH_IMAGE003] is the preset first hidden vector, [Figure 638973DEST_PATH_IMAGE004] is the preset second hidden vector, and n is the number of destination IPs.
In an implementation manner of the present application, the source IP, the destination IP, and the access frequency after data preprocessing are brought into a preset FM algorithm formula for training to obtain a trained preset FM algorithm, which specifically includes: carrying out training by bringing the source IP, the destination IP and the access frequency after data preprocessing into a preset FM algorithm formula so as to obtain a plurality of cross items through the preset FM algorithm formula; introducing a plurality of cross terms into an algorithm for obtaining random samples to obtain qualified cross terms; and determining the qualified cross item as a final cross item of a preset FM algorithm formula so as to obtain the trained preset FM algorithm.
In an implementation manner of the present application, obtaining a parameter list between a source IP and a destination IP according to a trained preset FM algorithm and a preset grid search algorithm specifically includes: obtaining the access probability between the source IP and the target IP through a trained preset FM algorithm; and listing the relation among the source IP, the destination IP and the access probability by a preset grid search algorithm to obtain a parameter list.
In a second aspect, an embodiment of the present application provides an FM-based IP first access detection system, where the system includes: the determining module is used for determining the access frequency between the source IP and the destination IP according to the source IP and the destination IP in the plurality of historical flow access logs; the acquisition module is used for bringing the source IP, the target IP and the access frequency after the data preprocessing into a preset FM algorithm formula for training so as to obtain a trained preset FM algorithm; the system is also used for acquiring a parameter list between the source IP and the target IP according to the trained preset FM algorithm and the preset grid search algorithm; wherein, the list comprises the access probability between the source IP and the destination IP; and the determining module is used for acquiring the actual access destination IP of the source IP, and determining that the source IP has a first access behavior when the first access probability of the actual access destination IP in the parameter list is smaller than the preset access probability.
In a third aspect, an embodiment of the present application provides an FM-based IP first access detection apparatus, where the apparatus includes a processor, a memory, and an execution instruction stored on the memory, where the execution instruction is configured to, when executed by the processor, enable the apparatus to perform the above-mentioned FM-based IP first access detection method.
As can be appreciated by those skilled in the art, the present invention has at least the following beneficial effects: the method has a simple flow, is simple to implement and runs fast; it can calculate the first access probability between the source IP and a plurality of destination IPs in real time, compare it in real time with the destination IPs of the actual access behavior, and find abnormalities in time. The method only requires the preset access probability to be set and needs no other settings, which effectively solves the problem that conventional first access detection methods are prone to false alarms. The invention can find abnormalities in time and capture them before the intruder or the leaker has collected the information, thereby reducing the leakage risk and loss to the greatest extent.
Drawings
Some embodiments of the disclosure are described below with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of an FM-based IP first access detection method according to an embodiment of the present application.
Fig. 2 is a schematic diagram of an internal structure of an FM-based IP first access detection system according to an embodiment of the present application.
Fig. 3 is a schematic diagram of an internal structure of an FM-based IP first access detection device according to an embodiment of the present application.
Detailed Description
It should be understood by those skilled in the art that the embodiments described below are only preferred embodiments of the present disclosure, and do not mean that the present disclosure can be implemented only by the preferred embodiments, which are merely for explaining the technical principles of the present disclosure and are not intended to limit the scope of the present disclosure. All other embodiments that can be derived by one of ordinary skill in the art from the preferred embodiments provided by the disclosure without undue experimentation will still fall within the scope of the disclosure.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
In addition, in the IP first access detection method based on FM proposed in the embodiment of the present application, the execution subject is the server.
The technical solutions proposed in the embodiments of the present application are explained in detail below with reference to the accompanying drawings.
Fig. 1 is a diagram illustrating an FM-based IP first access detection method according to an embodiment of the present disclosure. As shown in Fig. 1, the method provided in the embodiment of the present application mainly includes the following steps:
Step 110: determining the access frequency between the source IP and the destination IP according to the source IP and the destination IP in the plurality of historical traffic access logs.
Note that the history traffic access log includes the source IP and the destination IP. Illustratively, five-tuple data is contained in the historical traffic access log. The quintuple data comprises a source IP, a source port, a destination IP, a destination port and a protocol.
Illustratively, a source IP and a destination IP in a historical traffic access log are obtained; and in a preset fixed detection time window, counting the access frequency of the source IP for accessing the destination IP.
Specifically, the five-tuple data is first acquired from the historical traffic access log, the source IP and the destination IP are treated as one field, and the number of times the source IP accesses the destination IP within a fixed detection time window is counted as the access frequency.
Step 120: bringing the source IP, the destination IP and the access frequency after data preprocessing into a preset FM algorithm formula for training, so as to obtain a trained preset FM algorithm.
It should be noted that the preset FM (Factorization Machines) algorithm is mainly used to solve the problem of how to combine features when data is sparse.
Before the source IP, the destination IP and the access frequency after data preprocessing are brought into a preset FM algorithm formula for training, the method can also preprocess the source IP, the destination IP and the access frequency so as to facilitate the training of the preset FM algorithm.
Illustratively, the format types of the source IP and the destination IP are converted into an Int type; and acquiring the access frequency after discretization processing by presetting a discretization conversion algorithm.
Specifically, in the invention, the source IP and the destination IP are processed as character strings: after the '.' characters in the string are deleted, the source IP and the destination IP are naturally converted into an Int type. The preset discretization conversion algorithm may be any feasible algorithm capable of discretizing data, for example an STL (Standard Template Library) algorithm. Specifically, the access frequencies are aggregated and then discretized by the preset discretization conversion algorithm, and the discretized access frequency is divided into a plurality of levels that serve as the access frequency value of the preset FM algorithm.
Regarding "converting the format types of the source IP and the destination IP into the Int type", a more specific implementation may be:
a preset IP-Int database exists, and the database prestores Int type data corresponding to the source IP and to a plurality of destination IPs; when any destination IP is detected not to exist in the database, the server randomly generates Int type data for it; it should be noted that the Int type data is unique within the server.
As can be appreciated by those skilled in the art, the preset FM algorithm is mainly used for processing the feature combination problem under sparse data. The preset FM algorithm comprises a preset FM algorithm formula. Since the historical traffic access log becomes sparse as the number of source IPs increases, the FM algorithm, with its linear computational complexity, is a suitable choice.
As an example, the preset FM algorithm formula is:
Figure 581521DEST_PATH_IMAGE001
;
Figure DEST_PATH_IMAGE005
;
wherein x is a source IP, f is an access frequency, omega is a destination IP, y is an access probability, <[Figure 098084DEST_PATH_IMAGE003], [Figure 518701DEST_PATH_IMAGE004]> is the cross term, [Figure 991271DEST_PATH_IMAGE003] is the preset first hidden vector, [Figure 104720DEST_PATH_IMAGE004] is the preset second hidden vector, and n is the number of destination IPs.
Specifically, the values of the preset first hidden vector and the preset second hidden vector mainly depend on random values selected by a person skilled in the art when the FM algorithm is trained for the first time; as an example, the preset first hidden vector may be 1, and the preset second hidden vector may be 9.
It should be noted that the preset FM algorithm includes the preset FM algorithm formula. The preset FM (Factorization Machines) algorithm is mainly used to solve the problem of how to combine features when data is sparse. Since the historical traffic access log becomes sparse as the number of source IPs increases, the FM algorithm, with its linear computational complexity, is a suitable choice. The trained preset FM algorithm is mainly used for calculating the probability that the source IP accesses the destination IP, so the preset FM algorithm needs to be trained before the access probability is calculated.
Illustratively, a source IP, a destination IP and an access frequency after data preprocessing are brought into a preset FM algorithm formula for training, so as to obtain a plurality of cross terms through the preset FM algorithm formula; introducing a plurality of cross terms into a random sample algorithm to obtain qualified cross terms; and determining the qualified cross item as a final cross item of a preset FM algorithm formula so as to obtain the trained preset FM algorithm.
It should be noted that the random sample algorithm may be an MCMC (Markov Chain Monte Carlo) algorithm. "Introducing a plurality of cross terms into the random sample algorithm to obtain qualified cross terms" specifically means that the plurality of cross terms are fed into the MCMC algorithm, which iteratively optimizes them to find the optimal cross term (the qualified cross term), at which point the calculation is complete.
Step 130: obtaining a parameter list between the source IP and the destination IP according to the trained preset FM algorithm and the preset grid search algorithm.
It should be noted that the preset grid search algorithm is mainly used for permuting and combining all possible values and listing all possible combination results to generate a "grid". Each combination is then used for training the preset FM algorithm, and performance is evaluated using cross-validation. After the fitting function has tried all parameter combinations, a suitable list is returned, and the parameter list is automatically adjusted to the best parameter combination (parameter list), which can be obtained through clf.
Illustratively, the access probability between the source IP and the destination IP is obtained through a trained preset FM algorithm; and listing the relation among the source IP, the destination IP and the access probability by a preset grid search algorithm to obtain a parameter list.
Step 140: acquiring an actual access destination IP of the source IP, and when the first access probability of the actual access destination IP in the parameter list is smaller than the preset access probability, determining that the source IP has a first access behavior.
It should be noted that the preset access probability may be any feasible value, and those skilled in the art may determine a specific value corresponding to the preset access probability according to actual requirements.
Specifically, the server may check whether the actual access destination IP exists in a pre-stored parameter list according to a destination IP (actual access destination IP) actually accessed by the source IP in the flow access log generated in real time, determine a first access probability corresponding to the actual access destination IP if the actual access destination IP exists in the parameter list, and determine that the source IP has a first access behavior when the first access probability is smaller than a preset access probability. And if the actual access destination IP does not exist in the parameter list, determining that the first access probability corresponding to the source IP is 0, and the source IP has a first access behavior.
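Steps 110 to 140 carried through on constructed data, as an added example that is not part of the patent text. Because the formula images are missing from this page, it assumes the standard second-order factorization machine with a logistic output, trained by SGD instead of MCMC; the log records, bucket edges, sequential IP-Int ids, the use of the frequency level as a sample weight, and the reading of the "grid" as every source/destination pair are likewise assumptions.

```python
import math
import random
from collections import Counter

def make_logs():
    """Constructed five-tuple records: (ts, src_ip, src_port, dst_ip, dst_port, proto)."""
    plan = {("10.0.0.11", "10.0.1.5"): 40, ("10.0.0.11", "10.0.1.6"): 12,
            ("10.0.0.12", "10.0.1.5"): 25, ("10.0.0.12", "10.0.1.6"): 3,
            ("10.0.0.21", "10.0.2.9"): 30}
    logs = [(i * 60, s, 40000 + i, d, 443, "tcp")
            for (s, d), n in plan.items() for i in range(n)]
    logs.append((999999, "10.0.0.21", 40000, "10.0.1.5", 443, "tcp"))  # outside window
    return logs

def count_frequency(logs, start, length):
    """Step 110: count src->dst accesses inside one fixed detection window."""
    return Counter((r[1], r[3]) for r in logs if start <= r[0] < start + length)

def strip_dots(ip):
    """IP->Int by deleting the dots; distinct addresses can map to the same Int."""
    return int(ip.replace(".", ""))

class IpIntTable:
    """IP-Int table: every IP gets one unique integer, allocated on first sight."""
    def __init__(self):
        self.ids = {}

    def get(self, ip):
        return self.ids.setdefault(ip, len(self.ids))

def discretize(count, edges=(10, 30)):
    """Bucket a raw count into levels 1..len(edges)+1 (the edges are assumed)."""
    return 1 + sum(count >= e for e in edges)

class PairFM:
    """Second-order FM over two one-hot fields (source IP, destination IP)."""
    def __init__(self, n_feat, k=4, seed=7):
        rng = random.Random(seed)
        self.w0, self.w = 0.0, [0.0] * n_feat
        self.v = [[rng.gauss(0, 0.1) for _ in range(k)] for _ in range(n_feat)]

    def prob(self, i, j):
        # With exactly two active features the pairwise sum is one cross term <v_i, v_j>.
        s = self.w0 + self.w[i] + self.w[j] + sum(a * b for a, b in zip(self.v[i], self.v[j]))
        return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, s))))

    def fit(self, samples, epochs=600, lr=0.05, seed=7):
        rng, samples = random.Random(seed), list(samples)
        for _ in range(epochs):
            rng.shuffle(samples)
            for i, j, y, weight in samples:
                g = lr * weight * (self.prob(i, j) - y)  # weighted logistic-loss gradient
                self.w0 -= g
                self.w[i] -= g
                self.w[j] -= g
                vi, vj = self.v[i][:], self.v[j][:]
                for d in range(len(vi)):
                    self.v[i][d] -= g * vj[d]
                    self.v[j][d] -= g * vi[d]

def build_parameter_list(freq):
    """Steps 120-130: train, then tabulate the access probability of every src x dst pair."""
    src_ids, dst_ids = IpIntTable(), IpIntTable()
    for s, d in sorted(freq):
        src_ids.get(s)
        dst_ids.get(d)
    n_src = len(src_ids.ids)
    samples = []
    for s, si in src_ids.ids.items():
        for d, di in dst_ids.ids.items():
            seen = freq.get((s, d), 0)
            # Observed pairs: label 1, weighted by frequency level; unobserved: label 0.
            samples.append((si, n_src + di, 1.0 if seen else 0.0,
                            discretize(seen) if seen else 1))
    fm = PairFM(n_src + len(dst_ids.ids))
    fm.fit(samples)
    return {(s, d): fm.prob(si, n_src + di)
            for s, si in src_ids.ids.items() for d, di in dst_ids.ids.items()}

def detect(params, src, dst, threshold=0.5):
    """Step 140: a pair absent from the list gets probability 0 and is flagged."""
    p = params.get((src, dst), 0.0)
    return p < threshold, p

if __name__ == "__main__":
    params = build_parameter_list(count_frequency(make_logs(), 0, 3600))
    for pair in [("10.0.0.11", "10.0.1.5"), ("10.0.0.21", "10.0.1.5"),
                 ("10.0.0.11", "203.0.113.7")]:
        print(pair, detect(params, *pair))
```

`strip_dots` is kept beside `IpIntTable` to show why the uniqueness requirement on the IP-Int data matters: two different addresses can collapse to one integer once the dots are deleted, and the model would then treat them as the same host.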
Based on the above description, those skilled in the art can understand that the present invention has a simple flow, is simple to implement and runs fast; it can calculate the first access probability between the source IP and a plurality of destination IPs in real time, compare it in real time with the destination IPs of the actual access behavior, and find abnormalities in time. The method only requires the preset access probability to be set and needs no other settings, which effectively solves the problem that conventional first access detection methods are prone to false alarms. The invention can find abnormalities in time and capture them before the intruder or the leaker has collected the information, thereby reducing the leakage risk and loss to the greatest extent.
In addition, an embodiment of the present application further provides an FM-based IP first access detection system, as shown in fig. 2, the system includes:
the determining module 210 is configured to determine, according to a source IP and a destination IP in a plurality of historical traffic access logs, an access frequency between the source IP and the destination IP;
an obtaining module 220, configured to bring the source IP, the destination IP, and the access frequency after data preprocessing into a preset FM algorithm formula for training, so as to obtain a trained preset FM algorithm; the system is also used for obtaining a parameter list between the source IP and the target IP according to the trained preset FM algorithm and the preset grid search algorithm; wherein, the list comprises the access probability between the source IP and the destination IP;
the determining module 230 is configured to obtain an actual access destination IP of the source IP, and determine that the source IP has a first access behavior when a first access probability corresponding to the actual access destination IP in the parameter list is smaller than a preset access probability.
Besides, the embodiment of the present application further provides an FM-based IP first access detection device, as shown in fig. 3, where executable instructions are stored thereon, and when the executable instructions are executed, the FM-based IP first access detection method as described above is implemented. Specifically, the server sends an execution instruction to the memory through the bus, and when the memory receives the execution instruction, sends an execution signal to the processor through the bus so as to activate the processor.
The processor is used for determining the access frequency between the source IP and the destination IP according to the source IP and the destination IP in the historical flow access logs; carrying out training by bringing the source IP, the destination IP and the access frequency after data preprocessing into a preset FM algorithm formula to obtain a trained preset FM algorithm; acquiring a parameter list between a source IP and a target IP according to a trained preset FM algorithm and a preset grid search algorithm; wherein, the list comprises the access probability between the source IP and the destination IP; and acquiring an actual access destination IP of the source IP, and confirming that the source IP has a first access behavior when the first access probability corresponding to the actual access destination IP in the parameter list is smaller than the preset access probability.
So far, the technical solutions of the present disclosure have been described in connection with the foregoing embodiments, but it is easily understood by those skilled in the art that the scope of the present disclosure is not limited to only these specific embodiments. The technical solutions in the above embodiments can be split and combined, and equivalent changes or substitutions can be made on related technical features by those skilled in the art without departing from the technical principles of the present disclosure, and any changes, equivalents, improvements, and the like made within the technical concept and/or technical principles of the present disclosure will fall within the protection scope of the present disclosure.

Claims (6)

1. An IP first access detection method based on FM, characterized in that the method comprises:
determining the access frequency between a source IP and a destination IP according to the source IP and the destination IP in a plurality of historical flow access logs;
converting the format types of a source IP and a target IP into an Int type based on a preset IP-Int database;
acquiring the access frequency after discretization processing through a preset discretization conversion algorithm;
carrying out training by bringing the source IP, the destination IP and the access frequency after data preprocessing into a preset FM algorithm formula to obtain a trained preset FM algorithm;
acquiring a parameter list between a source IP and a target IP according to a trained preset FM algorithm and a preset grid search algorithm; wherein, the list comprises the access probability between the source IP and the destination IP;
the method includes the steps of obtaining a parameter list between a source IP and a target IP according to a trained preset FM algorithm and a preset grid search algorithm, and specifically includes the following steps: obtaining the access probability between the source IP and the target IP through a trained preset FM algorithm; tabulating the relation among a source IP, a target IP and an access probability through a preset grid search algorithm to obtain a parameter list;
and acquiring an actual access destination IP of the source IP, and when the first access probability of the actual access destination IP in the parameter list is smaller than a preset access probability, determining that the source IP has a first access behavior.
2. The FM-based IP initial access detection method according to claim 1, wherein determining the access frequency between the source IP and the destination IP according to the source IP and the destination IP in the plurality of historical traffic access logs specifically comprises:
acquiring a source IP and a destination IP in the historical flow access log;
and in a preset fixed detection time window, counting the access frequency of the source IP accessing the target IP.
3. The FM-based IP initial access detection method of claim 1, wherein the preset FM algorithm formula is specifically as follows:
Figure 293722DEST_PATH_IMAGE001
Figure 419810DEST_PATH_IMAGE002
wherein x is a source IP, f is an access frequency, omega is a destination IP, y is an access probability, <[Figure 353131DEST_PATH_IMAGE003], [Figure 490851DEST_PATH_IMAGE004]> is the cross term, [Figure 094002DEST_PATH_IMAGE003] is the preset first hidden vector, [Figure 582752DEST_PATH_IMAGE004] is the preset second hidden vector, and n is the number of destination IPs.
4. The FM-based IP initial access detection method according to claim 1, wherein the source IP, the destination IP, and the access frequency after data preprocessing are substituted into a preset FM algorithm formula for training to obtain a trained preset FM algorithm, specifically comprising:
the source IP, the target IP and the access frequency after data preprocessing are brought into a preset FM algorithm formula for training, so that a plurality of cross items are obtained through the preset FM algorithm formula;
leading the plurality of cross terms into an algorithm for obtaining random samples to obtain qualified cross terms;
and determining the qualified cross item as a final cross item of a preset FM algorithm formula so as to obtain a trained preset FM algorithm.
5. An FM-based IP first access detection system, the system comprising:
the determining module is used for determining the access frequency between a source IP and a destination IP according to the source IP and the destination IP in a plurality of historical flow access logs;
the acquisition module is used for converting the format type of the source IP and the destination IP into an Int type based on a preset IP-Int database, and for obtaining the discretized access frequency through a preset discretization conversion algorithm;
the obtaining module is used for substituting the source IP, the destination IP and the access frequency obtained after data preprocessing into a preset FM algorithm formula for training, so as to obtain a trained preset FM algorithm; and is also used for obtaining a parameter list between the source IP and the destination IP according to the trained preset FM algorithm and a preset grid search algorithm; the list comprises the access probability between the source IP and the destination IP; wherein obtaining the parameter list between the source IP and the destination IP according to the trained preset FM algorithm and the preset grid search algorithm specifically comprises: obtaining the access probability between the source IP and the destination IP through the trained preset FM algorithm; and tabulating the relation among the source IP, the destination IP and the access probability through the preset grid search algorithm to obtain the parameter list;
and the determining module is used for acquiring the destination IP actually accessed by the source IP, and determining that the source IP exhibits first access behavior when the first access probability of the actually accessed destination IP in the parameter list is smaller than the preset access probability.
6. An FM-based IP first access detection device, the device comprising:
a processor;
and a memory having executable code stored thereon that, when executed, causes the processor to perform an FM based IP first access detection method as claimed in any of claims 1 to 4.
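The pipeline recited in claims 5 and 6 (IP-to-integer conversion, frequency discretization, FM training, a source × destination probability table, and a threshold check) is illustrated below as an added example that is not code from the patent. The log records, the plain 32-bit IP conversion, the log2 bucketing, the use of the bucket as a sample weight, the labelling of unseen pairs as negatives, the exhaustive enumeration of the grid and the 0.5 threshold are all assumptions of this example, since the claims leave them as "preset".

```python
import ipaddress, math, random
from collections import Counter

# Constructed historical flow log: one (source IP, destination IP) per record.
LOGS = ([("10.0.0.5", "10.0.1.10")] * 40 + [("10.0.0.5", "10.0.1.20")] * 6 +
        [("10.0.0.6", "10.0.1.10")] * 30 + [("10.0.0.6", "10.0.1.20")] * 9 +
        [("10.0.0.7", "10.0.1.10")] * 25)
KNOWN_DSTS = ["10.0.1.30"]  # constructed: inventoried host nobody has contacted

def ip_to_int(ip):
    # Stand-in for the claimed IP-Int database: 32-bit integer form of IPv4.
    return int(ipaddress.IPv4Address(ip))

def bucket(freq):
    # Assumed discretization: log2 buckets, 1 -> 1, 2-3 -> 2, 4-7 -> 3, ...
    return freq.bit_length()

def fm_prob(m, s, d):
    # FM with one-hot source/destination fields: w0 + w_s + w_d + <v_s, v_d>.
    z = (m["w"]["w0"] + m["w"][s] + m["w"][d]
         + sum(a * b for a, b in zip(m["v"][s], m["v"][d])))
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

def train_table(logs, known_dsts=(), k=4, epochs=400, lr=0.1, seed=7):
    freq = Counter((ip_to_int(s), ip_to_int(d)) for s, d in logs)
    srcs = sorted({("s", s) for s, _ in freq})
    dsts = sorted({("d", d) for _, d in freq} | {("d", ip_to_int(d)) for d in known_dsts})
    rng = random.Random(seed)
    m = {"w": {f: 0.0 for f in ["w0"] + srcs + dsts},
         "v": {f: [rng.gauss(0, 0.05) for _ in range(k)] for f in srcs + dsts}}
    top = max(bucket(n) for n in freq.values())
    for _ in range(epochs):
        for s in srcs:
            for d in dsts:
                n = freq.get((s[1], d[1]), 0)
                # Seen pairs: label 1, weighted by frequency bucket; unseen: label 0.
                y, wt = (1.0, bucket(n) / top) if n else (0.0, 1.0)
                g = lr * wt * (fm_prob(m, s, d) - y)  # scaled logistic-loss gradient
                for f in ("w0", s, d): m["w"][f] -= g
                vs, vd = m["v"][s], m["v"][d]
                m["v"][s] = [a - g * b for a, b in zip(vs, vd)]
                m["v"][d] = [b - g * a for a, b in zip(vs, vd)]
    # "Parameter list": every source x destination pair with its access probability.
    return {(s[1], d[1]): fm_prob(m, s, d) for s in srcs for d in dsts}

def is_first_access(table, src, dst, preset_prob=0.5):
    # Pairs absent from the table (never-seen IP) score 0.0 and are flagged.
    return table.get((ip_to_int(src), ip_to_int(dst)), 0.0) < preset_prob

TABLE = train_table(LOGS, KNOWN_DSTS)
```

The learned interaction vectors let a pair such as 10.0.0.7 to 10.0.1.20, absent from the log but common among peer sources, receive a different score from a pair to a host no source has contacted, which a plain seen/unseen lookup cannot express.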

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111615931.9A CN113987482B (en) 2021-12-28 2021-12-28 IP first access detection method, system and equipment based on FM

Publications (2)

Publication Number Publication Date
CN113987482A CN113987482A (en) 2022-01-28
CN113987482B true CN113987482B (en) 2022-05-06

Family

ID=79734571

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111615931.9A Active CN113987482B (en) 2021-12-28 2021-12-28 IP first access detection method, system and equipment based on FM

Country Status (1)

Country Link
CN (1) CN113987482B (en)

Also Published As

Publication number Publication date
CN113987482A (en) 2022-01-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant