CN114070601B - LDoS attack detection method based on EMDR-WE algorithm - Google Patents


Info

Publication number
CN114070601B
Authority
CN
China
Prior art keywords
entropy
window
tcp flow
characteristic
entropies
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111332817.5A
Other languages
Chinese (zh)
Other versions
CN114070601A (en)
Inventor
汤澹
王小彩
李欣萌
刘泊儒
姚苏庭
郑思桥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan University
Original Assignee
Hunan University
Application filed by Hunan University
Priority to CN202111332817.5A
Publication of CN114070601A
Application granted
Publication of CN114070601B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2218/00 Aspects of pattern recognition specially adapted for signal processing
    • G06F2218/02 Preprocessing
    • G06F2218/04 Denoising
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2218/00 Aspects of pattern recognition specially adapted for signal processing
    • G06F2218/08 Feature extraction

Abstract

The invention discloses an LDoS attack detection method based on the EMDR-WE algorithm and belongs to the field of computer network security. Because a TCP traffic sequence under LDoS attack shows high complexity, the method quantifies the complexity of the TCP traffic sequence in attack windows and normal windows by combining four characteristic entropies: approximate entropy, sample entropy, fuzzy entropy and permutation entropy. First, a preprocessing model based on empirical mode decomposition and reconstruction of the TCP traffic sequence is constructed; the model filters the noise components of the sequence, a sliding-window sequence of the TCP traffic is obtained, and the four characteristic entropies of each window are extracted. Next, the entropy weight method assigns higher weight to the characteristic entropies that contribute more information, giving a composite score for the complexity of each TCP traffic window. The score is compared with a threshold obtained by logistic regression training, and a window whose composite score is higher than the threshold is judged to contain an LDoS attack. This detection method, based on empirical mode decomposition, reconstruction and the entropy weight method, can accurately detect LDoS attacks and has stable performance.

Description

LDoS attack detection method based on EMDR-WE algorithm
Technical Field
The invention belongs to the field of computer network security, and particularly relates to an LDoS attack detection method based on an EMDR-WE algorithm.
Background
A Denial of Service (DoS) attack is a network attack, seen worldwide, that maliciously consumes network resources so that legitimate users cannot obtain normal service. The Low-rate Denial of Service (LDoS) attack is a newer variant of the DoS attack that has drawn attention in network security. Unlike a traditional DoS attack, which continuously sends high-intensity attack flows to occupy most of the bandwidth, an LDoS attack generates high-rate attack flows intermittently and degrades the service quality of the victim network by exploiting weaknesses in the network's adaptive mechanisms. With a suitably chosen attack period, a high-intensity pulse is launched each time the TCP sender retransmits a packet, so the retransmission fails and the network stays congested. The average rate of LDoS attack traffic is therefore low and differs little from the traffic of legitimate users, which makes detection harder and leaves traditional DoS detection methods no longer applicable.
Existing LDoS attack detection methods fall mainly into time-frequency domain analysis and traffic feature analysis. Time-frequency domain analysis treats LDoS attack flows as abnormal signals distinct from normal network traffic, performs spectrum analysis on the traffic, extracts its frequency-domain features or computes its energy distribution, and thereby extracts and filters the attack flows. Traffic feature analysis extracts features from the abnormal shape of network traffic during an attack, such as the mean and variance of TCP and UDP traffic, fuses these features with a learning algorithm, and detects the attack from the abnormal characteristics the network shows while it is under attack. However, these methods generally suffer from a low detection rate and unstable performance.
The invention provides an LDoS attack detection method based on Empirical Mode Decomposition (EMD) and Reconstruction (R) that uses Weighted Entropy (WE). It takes the abnormal fluctuation of the TCP traffic sequence under LDoS attack as its entry point and aims to detect this characteristic and improve the detection rate. The invention constructs a signal preprocessing model that decomposes the TCP traffic sequence by empirical mode decomposition and reconstructs it, purifying the sequence before feature extraction. Radar charts and box plots of the TCP traffic sequence were drawn for a network in the normal state and a network under LDoS attack, and they show that the abnormal fluctuation raises the complexity of the TCP traffic sequence. The invention selects approximate entropy, sample entropy, fuzzy entropy and permutation entropy as indices to quantify the complexity of the TCP sequence, and uses the entropy weight method to assess the weights of the four indices and compute a composite complexity score. Finally, the composite score is used to judge whether the complexity of the TCP traffic sequence lies in the normal range, which achieves LDoS attack detection.
Disclosure of Invention
The invention provides an LDoS attack detection method based on the EMDR-WE algorithm, addressing the low detection rate and unstable performance of existing LDoS attack detection methods. The TCP traffic sequence is a non-stationary signal with fairly complex components; it is affected by complex factors in the network, and some useless frequency components may degrade feature extraction. Because traditional time-frequency analysis methods lack adaptivity and handle non-stationary, nonlinear signals poorly, the invention constructs a signal preprocessing model that accurately and effectively extracts the main components of the TCP traffic sequence and keeps noise from interfering with feature extraction. Compared with traditional information entropy, the four characteristic entropies used in the invention resist interference and noise better, transient interference in particular, and give a stable estimate from relatively short data, so they are suitable for LDoS attack detection. The entropy weight method assigns each of the four characteristic entropies a weight according to the amount of information it provides and computes a composite score from them, giving an overall judgment of the complexity of the TCP traffic sequence and further improving the detection rate.
The invention is implemented through the following technical scheme: data sampling, data processing, feature extraction, composite scoring and result judgment.
1. Data sampling. Collect the TCP traffic on the bottleneck link, taking one sample per fixed unit of time, to obtain a TCP traffic sequence.
2. Data processing. Apply empirical mode decomposition to the TCP traffic sequence to obtain several components; screen the components in two steps, a Granger causality test followed by correlation-coefficient ranking, to filter out false components and noise; linearly add the remaining components to reconstruct the TCP traffic sequence; and set a sliding window over the sequence.
3. Feature extraction. Extract four characteristic entropies of each TCP traffic window as the feature values for judging the window's complexity: approximate entropy, sample entropy, fuzzy entropy and permutation entropy.
4. Composite scoring. Given n TCP traffic windows for training, compute their four indices: approximate entropy $A_1$, sample entropy $A_2$, fuzzy entropy $A_3$ and permutation entropy $A_4$, where $A_i = \{a_1, a_2, \dots, a_n\}$ ($i = 1,2,3,4$); then use the entropy weight method to obtain a composite score for the complexity of each window.
5. Result judgment. Compare the composite score of the window with a threshold; if the composite score is higher than the threshold, judge that an LDoS attack occurred in the window, otherwise judge that no LDoS attack occurred.
Advantageous effects
The LDoS attack detection method has two parts, signal preprocessing and weighting by the entropy weight method, which together improve the detection result. The EMD method in the signal preprocessing model needs no basis function to be set in advance; it decomposes the signal according to the time-scale characteristics of the data itself, is adaptive, and is suited to nonlinear, non-stationary signals such as TCP traffic sequences. Approximate entropy, sample entropy, fuzzy entropy and permutation entropy each reconstruct the sequence during calculation and measure the complexity between subsequences; they resist interference and noise, transient interference in particular, and give a stable estimate from relatively short data. The LDoS attack detection method provided by the invention therefore has high accuracy and a low false alarm rate, and its performance is stable.
Drawings
FIG. 1 shows a radar chart and a box plot comparing TCP traffic in a normal network with that in a network under LDoS attack. In the normal state the TCP traffic is concentrated, fluctuates little over time, and forms a simple sequence; when an LDoS attack occurs, the TCP traffic spreads over a wide range, fluctuates irregularly over time, and forms a more complex sequence. The complexity of the TCP sequence differs greatly between the two states.
Fig. 2 is a schematic diagram of the preprocessing model for the TCP traffic sequence. The signal processing method used is empirical mode decomposition: applying EMD to the original TCP traffic sequence yields several components. A Granger causality test is run between each component and the original TCP traffic sequence, and components that fail the test are discarded as false components produced by EMD. The Pearson correlation coefficient between each remaining component and the original TCP traffic sequence is then computed, the five most highly correlated components are selected to linearly reconstruct the TCP traffic sequence, and a sliding window is set as the unit for subsequent feature extraction and attack detection.
FIG. 3 is a flow chart of the entropy weight method. The larger the information utility value an entropy provides when measuring the complexity of the TCP traffic sequence, the larger the weight it is assigned.
Fig. 4 is a flowchart of the LDoS attack detection method using weighted entropy based on empirical mode decomposition and reconstruction.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Fig. 4 is the flowchart of the method of the invention. The LDoS attack detection method has five main steps: data sampling, data processing, feature extraction, composite scoring and result judgment.
1. Data sampling. Take one sample per fixed unit of time and collect the TCP traffic on a bottleneck link in the network to form the original TCP traffic sequence.
2. Data processing. Apply empirical mode decomposition to the TCP traffic sequence to obtain several components; screen the components in two steps, a Granger causality test followed by correlation-coefficient ranking, to filter out false components and noise; linearly add the remaining components to reconstruct the TCP traffic sequence; and set a sliding window over the sequence. This process forms the signal preprocessing model of the invention, shown in fig. 2, and comprises the following sub-steps:
A. EMD decomposes the original TCP traffic sequence $X(t)$ into a linear superposition of n intrinsic mode functions (IMFs) and a residual res:
Figure BDA0003349443320000041
B. When the sampling frequency of the TCP traffic sequence is insufficient, EMD may produce redundant IMFs, that is, false components. For each $\mathrm{IMF}_i$, denoted $Y$ ($i = 1, 2, \dots, n$), test whether it is a Granger cause of the changes in the original TCP traffic sequence $X$. State the null hypothesis "$H_0$: $\mathrm{IMF}_i$ ($Y$) is not a Granger cause of the changes in the TCP traffic sequence $X$" and estimate the following two regression models, where $\alpha_0$ is a constant term, $p$ and $q$ are the maximum lag orders of the variables $X$ and $Y$ respectively, and $\varepsilon_t$ is white noise:
Unrestricted regression model:
Figure BDA0003349443320000042
Restricted regression model:
Figure BDA0003349443320000043
Construct the F statistic, where $RSS_u$ is the residual sum of squares of the unrestricted regression model and $RSS_r$ is the residual sum of squares of the restricted regression model:
Figure BDA0003349443320000044
if F ≧ F α (q, n-p-q-1) (α is a selected level of significance), then β 1 、β 2 …β q Significantly different from 0, the original hypothesis H should be rejected 0 That is, Y is the glancing cause of X, and this component has correlation with the original TCP traffic sequence and is not a spurious component. Otherwise, the original hypothesis cannot be rejected, that is, Y is not the cause of the granger causing the change of X, and this component is a false component generated after EMD and should be removed.
C. And assuming that k IMFs remain after screening through the Glange causal relationship test, respectively calculating Pearson correlation coefficients of the k IMFs and the original TCP sequence X (t), and selecting a component reconstruction signal with the correlation coefficient ranking in the top five, so that false components and noise signals are filtered, and the purification of the TCP flow sequence is realized.
D. And sliding the same interval to set windows for the preprocessed TCP flow sequence, wherein each window is used as an attack detection unit.
3. And (5) feature extraction. FIG. 1 is a radar chart and a boxed chart comparing TCP traffic in a normal network and a network under LDoS attack. TCP flow under normal state is almost uniformly distributed at each time point, the radar chart is in a circle shape, the four-quadrant distance in the box chart is small, and data distribution is centralized; the distribution of TCP flow at each time point in the network attacked by LDoS is uncertain, the radar graph is in an irregular petal shape, the four-quadrant distance in the box-shaped graph is large, and the data dispersion degree is high. Therefore, the TCP traffic in the network subjected to the LDoS attack has a wide distribution range and fluctuates irregularly along with time, the TCP traffic sequence has higher complexity compared with the TCP traffic sequence of the network in a normal state, and whether the LDoS attack occurs in the network can be detected by analyzing the characteristic.
Four kinds of characteristic entropy of each TCP flow window are extracted to be used as characteristic values for judging the complexity of the window, including approximate entropy, sample entropy, fuzzy entropy and permutation entropy, and compared with the traditional information entropy, the characteristic entropy has the capability of resisting transient interference.
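The four window features of step 3, written out as an added Python example; this is not the patent's code. The patent does not state the entropy parameters, so the embedding dimension m = 2, the tolerance r = 0.2 × the window's standard deviation, the fuzzy exponent n = 2, the permutation order 3, the scale-free membership function exp(-(d/r)^n), all function names and the constructed sample series are assumptions.

```python
import math
import random
from itertools import combinations

def _tolerance(x, r):
    """Tolerance r; the default 0.2 * population std is an assumed convention."""
    if r is not None:
        return r
    mu = sum(x) / len(x)
    return 0.2 * math.sqrt(sum((v - mu) ** 2 for v in x) / len(x))

def _templates(x, k, count):
    return [x[i:i + k] for i in range(count)]

def _cheb(u, v):
    return max(abs(a - b) for a, b in zip(u, v))

def approximate_entropy(x, m=2, r=None):
    """ApEn: self-matches are counted, so every log argument is > 0."""
    r = _tolerance(x, r)
    def phi(k):
        t = _templates(x, k, len(x) - k + 1)
        return sum(math.log(sum(_cheb(u, v) <= r for v in t) / len(t)) for u in t) / len(t)
    return phi(m) - phi(m + 1)

def sample_entropy(x, m=2, r=None):
    """SampEn: -ln(A/B) over template pairs, self-matches excluded."""
    r = _tolerance(x, r)
    def matches(k):
        t = _templates(x, k, len(x) - m)      # same template count for m and m+1
        return sum(_cheb(u, v) <= r for u, v in combinations(t, 2))
    b, a = matches(m), matches(m + 1)
    # No matching pairs: SampEn is undefined; report inf so the caller can widen r or the window.
    return math.inf if a == 0 or b == 0 else -math.log(a / b)

def fuzzy_entropy(x, m=2, r=None, n=2):
    """FuzzyEn with mean-removed templates and membership exp(-(d/r)**n)."""
    r = _tolerance(x, r)
    if r == 0:                                # constant window: perfectly regular
        return 0.0
    def phi(k):
        t = []
        for seg in _templates(x, k, len(x) - m):
            base = sum(seg) / k
            t.append([v - base for v in seg])
        sims = [math.exp(-((_cheb(u, v) / r) ** n)) for u, v in combinations(t, 2)]
        return sum(sims) / len(sims)
    return math.log(phi(m)) - math.log(phi(m + 1))

def permutation_entropy(x, m=3, delay=1):
    """Shannon entropy of ordinal patterns, normalised to [0, 1] by ln(m!)."""
    counts = {}
    for i in range(len(x) - (m - 1) * delay):
        seg = x[i:i + m * delay:delay]
        pattern = tuple(sorted(range(m), key=seg.__getitem__))   # ties broken by position
        counts[pattern] = counts.get(pattern, 0) + 1
    total = sum(counts.values())
    h = -sum(c / total * math.log(c / total) for c in counts.values())
    return h / math.log(math.factorial(m))

def sliding_windows(seq, size, step):
    """Equal-length windows taken at a fixed interval (sub-step D of step 2)."""
    return [seq[i:i + size] for i in range(0, len(seq) - size + 1, step)]

def window_features(w):
    """(ApEn, SampEn, FuzzyEn, PermEn) for one TCP traffic window."""
    return (approximate_entropy(w), sample_entropy(w),
            fuzzy_entropy(w), permutation_entropy(w))

if __name__ == "__main__":
    rng = random.Random(1)
    # Constructed series, not measured traffic: a regular sawtooth and the same
    # sawtooth with irregular collapses. Features are printed for comparison.
    regular = [60 + 4 * (t % 10) for t in range(80)]
    pulsed = [v * (0.3 if rng.random() < 0.3 else 1.0) for v in regular]
    for name, seq in (("regular", regular), ("pulsed", pulsed)):
        for w in sliding_windows(seq, size=40, step=20):
            print(name, [round(f, 3) for f in window_features(w)])
```

Sample entropy returns infinity when a window has no matching template pairs, so such windows should be handled before their features enter the normalization in step 4.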
4. Composite scoring. Although all four entropies can evaluate the complexity of the TCP traffic sequence, they differ in how well they separate the normal state from the attacked state in attack detection. Simply averaging them would hurt detection accuracy, so the ability of each entropy to evaluate TCP traffic sequence complexity needs to be quantified.
The entropy weight method is a comprehensive evaluation method for multiple objects and multiple indices. It computes a composite index according to the amount of information each factor provides, where the amount of information is measured by the entropy of each index. Fig. 3 is a flow chart of the entropy weight method: the TCP traffic windows in the training set are the objects being evaluated, approximate entropy, sample entropy, fuzzy entropy and permutation entropy are the 4 evaluation indices, and the entropy weight method yields a more reasonable and more complete score for the complexity of each window.
Given n TCP traffic windows for training, compute their 4 indices: approximate entropy $A_1$, sample entropy $A_2$, fuzzy entropy $A_3$ and permutation entropy $A_4$, where $A_i = \{a_1, a_2, \dots, a_n\}$ ($i = 1,2,3,4$). The composite score is then calculated with the entropy weight method in the following sub-steps:
A. Normalize the index data to obtain $B_1$, $B_2$, $B_3$, $B_4$, where
Figure BDA0003349443320000051
B. Calculate the information entropy $E_i$ of each index, using the formula:
Figure BDA0003349443320000052
Figure BDA0003349443320000053
C. From the information entropy $E_i$ of each index, obtain the corresponding information utility value $D_i = 1 - E_i$ ($i = 1,2,3,4$).
D. Determine the weight $W_i$ of each index. The larger the information utility value of an index, the more important the corresponding characteristic entropy and the greater its role in judging the complexity of the TCP sequence.
Figure BDA0003349443320000054
E. The composite scores of the n training TCP traffic windows are given by:
Figure BDA0003349443320000061
F. Input the composite scores of the n training windows into a logistic regression algorithm and train with the best learning rate and number of iterations to obtain the threshold TH of the composite score. Specifically, experiments can be run around parameter values that give high accuracy, high recall and a low false alarm rate; weighing these measures together, the combination of a learning rate of 0.012 and 400 iterations is selected as giving the best learning effect.
5. Result judgment. After the four characteristic entropies of a test-set window are calculated, the weights determined in step 4 are used directly to obtain the window's composite score CS. If the composite score is higher than the threshold, an LDoS attack is judged to have occurred in the window; otherwise no LDoS attack is judged to have occurred.
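Steps 4 and 5 as an added Python example, not the patent's own code. The formula images for sub-steps A, B, D and E are missing from this text, so the block uses the textbook entropy weight method (min-max normalization, $E_i = -\frac{1}{\ln n}\sum_j p_{ij}\ln p_{ij}$, weights proportional to $D_i$) and plain batch gradient descent for the logistic regression; these choices, the function names, the reuse of training minima and ranges on test windows, and the constructed training rows are all assumptions.

```python
import math

# Constructed training features (ApEn, SampEn, FuzzyEn, PermEn) per window; not measured data.
TRAIN_ROWS = [
    (0.30, 0.25, 0.20, 0.70), (0.35, 0.30, 0.22, 0.72),
    (0.28, 0.22, 0.18, 0.68), (0.33, 0.27, 0.21, 0.74),   # normal windows
    (0.80, 0.90, 0.60, 0.85), (0.95, 1.10, 0.70, 0.90),
    (0.85, 0.95, 0.65, 0.88), (0.90, 1.00, 0.75, 0.92),   # attack windows
]
TRAIN_LABELS = [0, 0, 0, 0, 1, 1, 1, 1]

def fit_entropy_weights(rows):
    """Entropy weight method over n training windows; returns scaling and weights."""
    n = len(rows)
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]       # guard a constant index
    utility = []
    for c, l, s in zip(cols, lo, span):
        b = [(v - l) / s for v in c]                      # A. min-max normalisation
        total = sum(b)
        if total == 0:                                    # constant index carries no information
            utility.append(0.0)
            continue
        p = [v / total for v in b]
        e = -sum(q * math.log(q) for q in p if q > 0) / math.log(n)   # B. information entropy E_i
        utility.append(1.0 - e)                           # C. utility D_i = 1 - E_i
    total_d = sum(utility)
    if total_d > 0:
        weights = [d / total_d for d in utility]          # D. W_i proportional to D_i
    else:
        weights = [1.0 / len(cols)] * len(cols)
    return {"lo": lo, "span": span, "weights": weights}

def composite_score(model, row):
    """E. Weighted sum of the normalised entropies of one window."""
    return sum(w * (v - l) / s
               for w, v, l, s in zip(model["weights"], row, model["lo"], model["span"]))

def train_threshold(scores, labels, lr=0.012, iters=400):
    """F. One-dimensional logistic regression; TH is the score where p = 0.5."""
    w = b = 0.0
    n = len(scores)
    for _ in range(iters):
        gw = gb = 0.0
        for s, y in zip(scores, labels):
            err = 1.0 / (1.0 + math.exp(-(w * s + b))) - y
            gw += err * s
            gb += err
        w -= lr * gw / n                                  # batch step on the mean gradient
        b -= lr * gb / n
    if w <= 0:
        raise ValueError("scores do not increase with the attack label")
    return -b / w

def detect(model, threshold, row):
    """Step 5: flag the window when its composite score CS exceeds TH."""
    return composite_score(model, row) > threshold

if __name__ == "__main__":
    model = fit_entropy_weights(TRAIN_ROWS)
    th = train_threshold([composite_score(model, r) for r in TRAIN_ROWS], TRAIN_LABELS)
    print("weights", [round(w, 3) for w in model["weights"]], "TH", round(th, 3))
    print("attack-like window flagged:", detect(model, th, (0.88, 0.98, 0.68, 0.89)))
```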

Claims (3)

1. An LDoS attack detection method based on the EMDR-WE algorithm, where LDoS stands for Low-rate Denial of Service, EMD is empirical mode decomposition, R denotes signal reconstruction, EMDR is the signal preprocessing model, and WE is the weighted entropy obtained after the weights are determined by the entropy weight method, characterized in that the detection method comprises the following steps:
step 1, data sampling: collecting the TCP traffic on a bottleneck link, taking one sample per fixed unit of time, to obtain the original TCP traffic sequence;
step 2, data processing: applying empirical mode decomposition to the original TCP traffic sequence, selecting the effective components for reconstruction so as to purify the TCP traffic sequence, and setting a sliding window, which specifically comprises the following four steps:
step 2.1, applying empirical mode decomposition to the original TCP traffic sequence acquired in step 1, the decomposition expressing the TCP traffic sequence as a linear superposition of a finite number of intrinsic mode functions and a residual;
step 2.2, for each intrinsic mode function, stating the null hypothesis $H_0$: the intrinsic mode function is not a Granger cause of the changes in the original TCP traffic sequence; if the Granger causality test cannot reject the null hypothesis, the component is treated as a false component produced by the empirical mode decomposition and is removed;
step 2.3, computing the Pearson correlation coefficient between each remaining intrinsic mode function and the original TCP traffic sequence, and selecting the components whose correlation coefficients rank in the top five to reconstruct the TCP traffic sequence;
step 2.4, dividing the processed TCP traffic sequence into a number of equal-length TCP traffic windows by sliding at a fixed interval, each window serving as one attack detection unit;
step 3, feature extraction: extracting four characteristic entropies of each TCP traffic window as the feature values for judging the window's complexity, namely approximate entropy, sample entropy, fuzzy entropy and permutation entropy;
step 4, composite scoring: taking the TCP traffic windows as the evaluation objects and the four characteristic entropies as the evaluation indices, using the entropy weight method to distinguish the evaluation ability of the four characteristic entropies and determine their weights, calculating the composite score of the complexity of each TCP traffic window, and training to obtain a threshold, which comprises the following six steps:
step 4.1, normalizing the values of the four indices: approximate entropy, sample entropy, fuzzy entropy and permutation entropy;
step 4.2, calculating the information entropy of the four characteristic entropies;
step 4.3, calculating the information utility values of the four characteristic entropies;
step 4.4, assigning the weights of the four characteristic entropies on the basis of the information utility values, where $D_i$ ($i = 1,2,3,4$) denotes the information utility values of the four characteristic entropies and $W_i$ ($i = 1,2,3,4$) denotes the weights of the four characteristic entropies in the composite score, the calculation formula being:
Figure FDA0003833323670000011
step 4.5, computing the weighted sum of the four characteristic entropies to obtain the composite score of the complexity of each TCP traffic window;
step 4.6, training a logistic regression model on the composite scores of the complexity of the TCP traffic windows to obtain a threshold;
step 5, result judgment: judging from the composite score of a TCP traffic window whether an LDoS attack exists in the network within that window.
2. The LDoS attack detection method according to claim 1, characterized in that step 4.6 inputs the composite scores of the complexity of the TCP traffic windows into the logistic regression model as the training set and trains with the best learning rate and number of iterations to obtain the threshold of the composite score.
3. The LDoS attack detection method according to claim 1, characterized in that step 5 compares the composite score of the window with the threshold; if the composite score is higher than the threshold, an LDoS attack is judged to have occurred in the window, otherwise no LDoS attack is judged to have occurred.
CN202111332817.5A 2021-11-11 2021-11-11 LDoS attack detection method based on EMDR-WE algorithm Active CN114070601B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111332817.5A CN114070601B (en) 2021-11-11 2021-11-11 LDoS attack detection method based on EMDR-WE algorithm

Publications (2)

Publication Number Publication Date
CN114070601A CN114070601A (en) 2022-02-18
CN114070601B true CN114070601B (en) 2022-11-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant