CN114244549B - GSSK-means abnormal flow detection method, memory and processor for industrial Internet - Google Patents

GSSK-means abnormal flow detection method, memory and processor for industrial Internet Download PDF

Info

Publication number
CN114244549B
CN114244549B CN202110912005.1A CN202110912005A CN114244549B CN 114244549 B CN114244549 B CN 114244549B CN 202110912005 A CN202110912005 A CN 202110912005A CN 114244549 B CN114244549 B CN 114244549B
Authority
CN
China
Prior art keywords
data
algorithm
population
flow
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110912005.1A
Other languages
Chinese (zh)
Other versions
CN114244549A (en
Inventor
王艺霖
许金燕
王安平
靳方舟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
He'an Technology Innovation Co ltd
Original Assignee
He'an Technology Innovation Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by He'an Technology Innovation Co ltd filed Critical He'an Technology Innovation Co ltd
Priority to CN202110912005.1A priority Critical patent/CN114244549B/en
Publication of CN114244549A publication Critical patent/CN114244549A/en
Application granted granted Critical
Publication of CN114244549B publication Critical patent/CN114244549B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/23Clustering techniques
    • G06F18/232Non-hierarchical techniques
    • G06F18/2321Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/12Computing arrangements based on biological models using genetic models
    • G06N3/126Evolutionary algorithms, e.g. genetic algorithms or genetic programming

Abstract

The invention provides a GSSK-means abnormal flow detection method, a memory and a processor facing to industrial Internet, comprising the following steps: preprocessing flow data: and carrying out normalization processing on the flow data, optimizing and selecting the characteristics of the flow data, avoiding overhigh dimensionality and improving the accuracy of anomaly detection. The abnormal flow detection model is constructed, the selection, crossing and mutation operations of the genetic algorithm are introduced into the updating of the goblet sea squirt population, so that the population can generate a plurality of new goblet sea squirt individuals during each iteration, and the difficulty of jumping out of the goblet sea squirt population from local optimum is reduced. And combining the GSS algorithm with the improved K-means algorithm, providing the GSSK-means algorithm, regarding the fitness function of the clustering algorithm as an objective function of the GSS algorithm, solving an optimal initial clustering center in the improved K-means algorithm through the GSS algorithm, clustering the data, and finally obtaining an optimal abnormal flow detection model. The method can be applied to the field of industrial Internet data security.

Description

GSSK-means abnormal flow detection method, memory and processor for industrial Internet
Technical Field
The invention relates to the field of machine learning, in particular to a GSSK-means abnormal flow detection method, a memory and a processor for industrial Internet.
Background
The flow anomaly detection is to take flow data as input, and discover abnormal data packets, abnormal interaction and other information through methods such as statistical analysis, data mining, machine learning and the like. In the flow anomaly detection process, a data flow grabbing tool such as sniffer, netFlow, fprobe and flow-tools is firstly required to collect massive data flow information, then data attributes which can be used for detecting anomalies are extracted and selected from data, and a conclusion that the data record is normal or abnormal is obtained through analysis of the data attributes. The network traffic abnormality detection method mainly comprises a method based on unsupervised learning, supervised learning and semi-supervised learning.
Clustering is a technology for researching the logical or physical interrelationships among data, and the analysis result can not only reveal the internal relation and distinction among the data, but also provide important basis for further data analysis and knowledge discovery. The clustering algorithm is roughly divided into a clustering algorithm based on division, a clustering algorithm based on hierarchy, a clustering algorithm based on grid, a clustering algorithm based on density and a clustering algorithm based on a model, and the K-means algorithm proposed by Macqueen is a classical algorithm for solving the clustering problem and has the characteristics of simplicity and high efficiency and can be applied to flow anomaly detection.
With the gradual increase of network applications, the overall complexity of flow characteristics is continuously increased, and the accuracy of abnormal flow detection still needs to be improved due to subjective judgment difference between data acquisition and data analysis.
Disclosure of Invention
The invention aims to solve the technical problem of providing an industrial Internet-oriented GSSK-means abnormal flow detection method, which combines a machine learning algorithm with an intelligent optimization algorithm to construct an efficient and accurate abnormal flow detection model.
In one aspect, the invention provides a GSSK-means abnormal flow detection method facing to the industrial Internet, which mainly comprises the following steps:
s100, acquiring flow data, and preprocessing the data;
s200, adopting a GSS algorithm and a K-means algorithm to obtain an optimal initial clustering center, and clustering flow data to obtain an optimal abnormal flow detection model; the GSS algorithm is to introduce the selection, crossing and mutation operations of a genetic algorithm into a goblet sea squirt population optimization algorithm;
s300, after model training is completed, enabling flow data to enter a model, and judging whether the flow data is abnormal flow.
Specifically, the preprocessing includes normalization processing.
Specifically, the preprocessing further comprises the step of acquiring a data characteristic weight value.
Specifically, the S200 specifically includes: initializing the goblet sea squirt population, and calculating the fitness function value of each individual in the goblet sea squirt population and the average fitness value of the whole population; if the iteration stop condition is met, an initial cluster center is obtained, the distance between the point of the data center and each cluster center is calculated, the cluster center closest to the data center is selected to form a class cluster according to the principle of closest distance, the fitness is calculated, and if the iteration stop condition is met, an abnormal flow detection model is obtained.
Specifically, the S300 specifically includes: the flow data of the industrial Internet system are collected in real time; preprocessing the flow information and sending the flow information into a detection model; calculating the distance D_CP between the real-time monitoring data and each clustering center in the model 0 ,D_CP 1 ,...,D_CP k The method comprises the steps of carrying out a first treatment on the surface of the When the distance D_CP between the sample point and each normal cluster center is monitored in real time i And when the data are larger than the set threshold distance, identifying the data as abnormal data, and carrying out abnormal early warning.
On the other hand, the invention also provides a memory for storing software, wherein the software is used for executing the method.
On the other hand, the invention also provides a processor for executing software, wherein the software is used for executing the method.
The invention introduces the selection, crossing and mutation operations of the genetic algorithm into the updating of the ascidian population, ensures that the population can generate some new ascidian individuals during each iteration, and reduces the difficulty of the ascidian population jumping out of local optimum. And combining a GSS algorithm with an improved K-means algorithm, providing the GSSK-means algorithm, regarding an adaptability function of a clustering algorithm as an objective function of the GSS algorithm, solving an optimal initial clustering center in the improved K-means algorithm through the GSS algorithm, clustering the data, and finally obtaining an optimal abnormal flow detection model.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other. The invention will be described in detail below with reference to the drawings in connection with embodiments.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
According to an embodiment of the invention, there is provided a GSSK-means abnormal flow detection method facing to industrial Internet, comprising:
s100, acquiring flow data, and preprocessing the data.
Firstly, acquiring a network data packet, then analyzing protocols and extracting information to obtain basic characteristic information of original network flow data. Preprocessing original network data, normalizing the flow data, and optimally selecting the characteristics of the flow data to prevent the dimension from being too high and improve the accuracy of anomaly detection.
S101, numerical normalization.
The network traffic data contains the following feature types: (1) unordered enumeration features such as protocol type, connection status, and network service type of the target host; (2) orderly enumerating features, such as the number of times of accessing the sensitive file of the system, the number of connections with the same target host currently connected in the past two seconds, and the like; (3) {0,1} type features, such as whether login was successful, whether it was a gust user, etc.; (4) ordered continuous features, such as the percentage of the total number of connections that are the same as the current connection at a feature value, within a fixed time.
For the ordered enumeration type and ordered continuous type features, the following formula is used for data preprocessing:
wherein b ip Is a as ip Values after pretreatment, R p For the p-th dimension feature number in the data setThe value takes the upper limit of the range of values. Assuming that the total number of records in the acquired flow data set is N, the number of characteristic numbers of each record is P, and the value of the P-th characteristic of the ith data record is expressed as a ip (1≤i≤N,1≤p≤P)。
S102, preferentially selecting flow data characteristics.
Traffic data often has many features, which can be too high in dimension if they are all involved in the clustering process. In addition, the importance degree of each dimension feature of the network traffic in the anomaly detection is often greatly different, so that feature selection is required for the high-dimension network traffic, and the accuracy of the anomaly detection is improved. The invention provides a feature optimization selection method based on feature numerical distribution analysis. The method obtains the weight of a certain feature by calculating the mean square error of the value of the data record of different network flows at the feature and normalizing the data record. The calculation formula is as follows:
wherein, the liquid crystal display device comprises a liquid crystal display device,mean value, sigma of p-th feature distribution p Mean square error, w representing the p-th feature distribution p The weight of the p-th feature is represented. After the feature weight is calculated, selecting the feature with larger weight for next operation, and further improving the accuracy of the clustering detection result.
S200, constructing a GSSK-means abnormal flow detection model.
An abnormal flow detection model is constructed, an improved Zostera Marinae optimization algorithm is combined with an improved genetic algorithm, a GSS algorithm is provided, and selection, crossover and mutation operations of the genetic algorithm are introduced into Zostera Marinae population update. The method ensures that the population can generate a plurality of new ascidians individuals during each iteration, and reduces the difficulty of the ascidians population jumping out of local optimum. And combining a GSS algorithm with an improved genetic K-means algorithm, providing the GSSK-means algorithm, regarding an adaptability function of a clustering algorithm as an objective function of the GSS algorithm, obtaining an optimal initial clustering center in the improved K-means algorithm through the GSS algorithm, clustering flow data by utilizing the result, and finally obtaining an optimal abnormal flow detection model.
S201, initializing the goblet sea squirt population.
Initializing a group of the ascidians for the GSS algorithm, and then obtaining an optimal solution by simulating the group motion of the ascidians. In each iteration, the individuals in the sea squirt population update their own position with the current search state. Any individual i in a population is defined herein as follows:
s i =(s i1 ,s i2 ,…,s ik ) (5)
s ik representing the kth dimension characteristic represented by the ith population of individuals.
The upper and lower search space limits of the algorithm define the search range of the GSS algorithm.
Wherein the search space upper limit is expressed as:
ub=(ub 1max ,ub 2max ,…,ub jmax ,…,ub nmax )j∈[1,n] (6)
wherein the search space lower limit is expressed as:
lb=(lb 1min ,lb 2min ,…,lb jmin ,…,lb nmin )j∈[1,n] (7)
s202, calculating the fitness function value of each individual in the goblet sea squirt population and the average fitness value of the whole population.
The GSS algorithm can be used for searching an optimal solution, an initial clustering center can be regarded as the optimal solution of the algorithm in K-means clustering, and the optimal clustering center can enable the fitness function to reach an optimal value, so that the fitness function of the clustering algorithm is regarded as an objective function of the GSS algorithm, the optimal initial clustering center is obtained, and the data are clustered by using the result.
S203, updating the leader position according to the proposed new leader position updating formula.
In the search space there is a food source called F which serves as the optimization target, i.e. the optimal solution, for the group of goblet sea squirts, in order for the algorithm to reach F as soon as possible, the improved SSA algorithm leader location update formula of the present invention is as in equation (8).
Wherein r is 1j Is the position of the first goblet in the j-th dimensional goblet sea squirt population in solution space, i.e., the leader position in the population; f (F) j Is the most suitable position of all the ecteinascidial individuals in the j-th dimension of the last cycle, i.e., the individual closest to the "food" position in the current ecteinascidial population; ub (Ub) j Representing the upper bound, lb, of the j-th dimension search space j Representing the lower bound of the j-th dimension search space.
First part c 1 F j Changing the part influenced by the global optimal individual for the particle position, wherein the part ensures that a leader in the algorithm moves to the position where the food is; second part + -c 2 ((ub j -lb j )c 3 +lb j ) The position of the leader is adjusted according to the range of the search space, so that the search range of the population in the search space is ensured to be expanded as much as possible, and the optimizing efficiency of the algorithm is improved. The invention improves the parameter c of the original algorithm 1 And c 3 And introducing parameter c 2 Thereby ensuring the randomness and the effectiveness in the searching process of the ecteinascidiphyllum population.
Wherein parameter c in the present invention 1 The definition is as follows.
Wherein l is the current iteration number; l is the maximum iteration number designed by the algorithm;the adaptability of the goblet sea squirt individual with the best adaptability in the current first iteration times is obtained; />The fitness of the goblet sea squirt individual with the best fitness in the number of iterations of the first to 1 is shown.
The invention is directed to c 2 、c 3 The definition of the two parameters is as follows:
wherein E is fit Representing the average fitness of all individuals in the current iteration.Representing the individual fitness with the worst fitness in the current iteration; parameter c 4 Is at [ -1,1]Random numbers generated uniformly in the interval. In the actual searching process, c 4 Indicating whether the next position in dimension j should increase toward positive or negative.
S204, updating the follower position according to the proposed new follower position updating formula.
In the practical algorithm, the follower accounts for most of the goblet sea squirt population, and the rest of individuals are followers except the leader located at the head of the population. The update of the follower position has a great impact on the efficiency of SSA algorithm.
The invention provides a new follower position updating formula:
in the formula (3-9)Representing the position of the ith sea squirt individual in the jth dimension prior to the non-update; />Is the fitness of the goblet sea squirt individual with the best fitness in the last iteration, and is->The adaptability of the ecteinascidia individuals with the best adaptability in the iteration is shown; />Is the fitness of the ith sea squirt in the last iteration; />The fitness of the ith sea squirt in the iteration is shown. The above-mentioned two parts are divided into: first part->Indicating that the update of the position of the goblet-sea squirt follower is affected by the original position; second part->Indicating the effect of the rate of adaptation change on the follower position update, the step size per iteration becomes smaller as the adaptation increases.
S205, selecting all individuals in the population according to the fitness sorting.
The invention adopts a selection strategy based on fitness sequencing. The individuals in the goblet sea squirt population are ranked according to the fitness, and then all the individuals in the population are selected according to the fitness, so that the individuals possibly becoming the optimal solution are not eliminated, and a large number of individuals are not repeatedly selected.
S206, eliminating individuals with poor fitness according to the self-adaptive crossover probability, and then supplementing the number of eliminated populations through crossover.
Assuming that the probability of selection is P choice The overall number of sea squirt populations in the goblet is N, i.e. at each selection, fitness is ranked N x P choice Is selected, the remaining N x (1-P choice ) Can be eliminated, and then by crossing, the same amount of new ascidians can be generated, so that the total number of ascidians can not be reduced. The probability formula is selected as formula (12).
P choice =(1-P cross ) (12)
The crossover can increase the search range of the algorithm, but as the fitness gradually increases and the number of iterations gradually increases, the algorithm gradually approaches the optimal solution, and does not need to expand too much of the search range, i.e., the crossover probability needs to gradually decrease, so the crossover probability in the present invention is defined by equations (13) - (16).
P cross =(1-P choice ) (13)
P cross,l =max(P' cross,l ,0.1) (15)
P cross,0 =0.5 (16)
In the formulae (13) to (16), P cross,0 For the initial crossover probability, l is the current iteration number, P cross,l For the crossover probability of the first iteration,representing the maximum fitness value of all individuals in the first iteration population, +.>Representing the first iteration of the group of ecteinascidiphyllaeThere is an individual average fitness value.
S207, performing mutation operation according to the mutation probability in the new individuals generated by crossing according to the adaptive mutation probability.
The mutation increases the randomness of the genetic algorithm, and if the local optimum is reached, some random individuals are needed to be provided for the algorithm, so that the algorithm is helped to jump out of the local optimum. The invention utilizes the mutation operation to increase a certain randomness for the SSA algorithm, so that the algorithm has the opportunity to jump out of local optimum, and the algorithm is more efficient. In summary, when the fitness is closer to the optimal or the iteration enters the later stage, the probability of mutation generation needs to be increased more, so as to prevent the algorithm from being at the local optimal point and not jumping out. Further, since the mutation operation in the algorithm is directed to a new individual generated by the previous crossover operation, not to all individuals of the ascidian population, it is not considered that the ascidian individuals with optimal fitness due to the mutation operation disappear. The mutation probability is defined as the following formulas (17), (18).
P mutation,l =max(P' mutation,l ,0.1) (18)
Wherein P is mutation,l Representing the probability of variation of the first iteration, P cross,l For the crossover probability of the first iteration, L represents the maximum number of iterations, L is the current number of iterations,representing the maximum fitness value of all individuals in the first iteration population,representing the minimum fitness value of all individuals in the first iteration population, +.>Representing the average fitness value of all individuals in the first iteration population.
S208, calculating the distance between the points of the data center and each cluster center by using a distance measurement formula based on information entropy improvement.
The invention improves the distance measurement function, transforms the circles with the same radius represented by the Euclidean distance into ellipses with different radii, and adds proper weight to each characteristic value of the data. It is proposed to use a distance metric formula based on the entropy of the information.
The information amount, i.e., a measure of how much information is, is expressed as equation (19).
I(x)=-log 2 p(x) (19)
Information entropy (shannon entropy) which is used for uncertainty measurement of random variables, and an information entropy calculation formula is shown as formula (20).
The combination of shannon entropy as a weight and euclidean distance can yield an improved distance metric formula, see formula (21).
Wherein H (i) represents the information entropy of the ith dimension eigenvalue, x i Represents the ith dimension eigenvalue of x, y i Representing the i-th dimensional eigenvalue of y.
S209, selecting the cluster center closest to the nearest principle to form a cluster.
S210, calculating the fitness of the current cluster center by using the improved fitness function.
The fitness function is used for measuring whether the current clustering situation is good enough or not and whether the required clustering effect is achieved or not. The clustering algorithm aims at classifying similar particles into the same cluster, so that the closer the particles in the same cluster are to a clustering center, the better the clustering effect is, and the larger the difference between the two clusters is, the better the clustering effect is, and the farther the distance between the two clustering centers is, the better the clustering effect is, and the adaptability is designed as shown in formulas (22) and (23).
In formula (22), fit i Representing fitness functions of individuals in the ith population; b (B) l Is defined as formula (23). In formula (23), c ij A j-th cluster center represented by the i-th sea squirt individual; x represents c ij Particles contained in a cluster of the cluster center; dis (x-c) ij ) Class cluster center c representing x and class cluster to which it belongs ij Is a distance of (2); c ia And c ib Are all cluster centers represented by the ith sea squirt individual; dis (c) ia ,c ib ) Representing the distance between the cluster centers. Wherein the calculation formula of the distance is shown in formula (21).
S300, detecting abnormal flow in real time.
After model training is completed, real-time flow data can be sent into the model for detection, and whether the flow is abnormal or not is judged. The detection step is that 1) industrial Internet system flow data are collected in real time; 2) Preprocessing the flow information and sending the flow information into a detection model; 3) Calculating the distance D_CP between the real-time monitoring data and each clustering center in the model 0 ,D_CP 1 ,...,D_CP k The method comprises the steps of carrying out a first treatment on the surface of the 4) When the distance D_CP between the sample point and each normal cluster center is monitored in real time i Are all greater than the set threshold distance threshold i And identifying the data as abnormal data, and carrying out abnormal early warning.
According to a second aspect of the present invention there is provided a memory for storing software for performing the method described above.
According to a third aspect of the present invention there is provided a processor for executing software, wherein the software is for performing the above method.
It should be noted that, the data security sharing method executed by the software is the same as the data security sharing method described above, and will not be described herein.
In this embodiment, there is provided an electronic device including a memory in which a computer program is stored, and a processor configured to run the computer program to perform the method in the above embodiment.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks, and corresponding steps may be implemented in different modules.
The above-described programs may be run on a processor or may also be stored in memory (or referred to as computer-readable media), including both permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technique. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
The foregoing is merely exemplary of the present invention and is not intended to limit the present invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the invention are to be included in the scope of the claims of the present invention.

Claims (4)

1. The GSSK-means abnormal flow detection method for the industrial Internet is characterized by comprising the following steps:
s100, acquiring flow data, and preprocessing the data, wherein the preprocessing comprises numerical normalization and preferential selection of flow data characteristics;
s200, adopting a GSS algorithm and a K-means algorithm to obtain an optimal initial clustering center, and clustering flow data to obtain an optimal abnormal flow detection model; the GSS algorithm is to introduce the selection, crossing and mutation operations of a genetic algorithm into a goblet sea squirt population optimization algorithm;
s300, after model training is completed, enabling flow data to enter a model, and judging whether the flow data are abnormal flows or not, wherein the specific steps are as follows: the flow data of the industrial Internet system are collected in real time; preprocessing the flow information and sending the flow information into a detection model; calculating the distance D_CP between the real-time monitoring data and each clustering center in the model 0 ,D_CP 1 ,...,D_CP k The method comprises the steps of carrying out a first treatment on the surface of the When the distance D_CP between the sample point and each normal cluster center is monitored in real time i And when the data are larger than the set threshold distance, identifying the data as abnormal data, and carrying out abnormal early warning.
2. The method according to claim 1, wherein S200 specifically comprises: initializing the goblet sea squirt population, and calculating the fitness function value of each individual in the goblet sea squirt population and the average fitness value of the whole population; if the iteration stop condition is met, an initial cluster center is obtained, the distance between the point of the data center and each cluster center is calculated, the cluster center closest to the data center is selected to form a class cluster according to the principle of closest distance, the fitness is calculated, and if the iteration stop condition is met, an abnormal flow detection model is obtained.
3. A memory, characterized in that the memory has stored therein a computer program which, when processed and executed, implements the method of any of claims 1 to 2.
4. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, characterized in that the processor implements the method of any one of claims 1 to 2 when executing the computer program.
CN202110912005.1A 2021-08-10 2021-08-10 GSSK-means abnormal flow detection method, memory and processor for industrial Internet Active CN114244549B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110912005.1A CN114244549B (en) 2021-08-10 2021-08-10 GSSK-means abnormal flow detection method, memory and processor for industrial Internet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110912005.1A CN114244549B (en) 2021-08-10 2021-08-10 GSSK-means abnormal flow detection method, memory and processor for industrial Internet

Publications (2)

Publication Number Publication Date
CN114244549A CN114244549A (en) 2022-03-25
CN114244549B true CN114244549B (en) 2023-10-03

Family

ID=80742903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110912005.1A Active CN114244549B (en) 2021-08-10 2021-08-10 GSSK-means abnormal flow detection method, memory and processor for industrial Internet

Country Status (1)

Country Link
CN (1) CN114244549B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115296837B (en) * 2022-06-24 2023-09-15 沈阳化工大学 Sustainable integrated intrusion detection method based on SSA optimization

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108919641A (en) * 2018-06-21 2018-11-30 山东科技大学 A kind of unmanned aerial vehicle flight path planing method based on improvement cup ascidian algorithm
CN109587144A (en) * 2018-12-10 2019-04-05 广东电网有限责任公司 Network security detection method, device and electronic equipment
CN111935170A (en) * 2020-08-20 2020-11-13 杭州安恒信息技术股份有限公司 Network abnormal flow detection method, device and equipment
CN112115969A (en) * 2020-08-11 2020-12-22 温州大学 Method and device for optimizing FKNN model parameters based on variant goblet sea squirt group algorithm

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6907436B2 (en) * 2000-10-27 2005-06-14 Arizona Board Of Regents, Acting For And On Behalf Of Arizona State University Method for classifying data using clustering and classification algorithm supervised

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108919641A (en) * 2018-06-21 2018-11-30 山东科技大学 A kind of unmanned aerial vehicle flight path planing method based on improvement cup ascidian algorithm
CN109587144A (en) * 2018-12-10 2019-04-05 广东电网有限责任公司 Network security detection method, device and electronic equipment
CN112115969A (en) * 2020-08-11 2020-12-22 温州大学 Method and device for optimizing FKNN model parameters based on variant goblet sea squirt group algorithm
CN111935170A (en) * 2020-08-20 2020-11-13 杭州安恒信息技术股份有限公司 Network abnormal flow detection method, device and equipment

Also Published As

Publication number Publication date
CN114244549A (en) 2022-03-25

Similar Documents

Publication Publication Date Title
CN108632279B (en) Multilayer anomaly detection method based on network traffic
Bamakan et al. A new intrusion detection approach using PSO based multiple criteria linear programming
Xu et al. Evaluation of GO-based functional similarity measures using S. cerevisiae protein interaction and expression profile data
CN111314353B (en) Network intrusion detection method and system based on hybrid sampling
CN111626431A (en) System and method for operating a data center based on a generated machine learning pipeline
CN109257383B (en) BGP anomaly detection method and system
US7716152B2 (en) Use of sequential nearest neighbor clustering for instance selection in machine condition monitoring
CN110149347B (en) Network intrusion detection method for realizing dynamic self-adaptive clustering by using inflection point radius
CN110826617A (en) Situation element classification method and training method and device of model thereof, and server
CN110825545A (en) Cloud service platform anomaly detection method and system
CN112363896A (en) Log anomaly detection system
CN112416976A (en) Distributed denial of service attack monitoring system and method based on distributed multi-level cooperation
CN103780588A (en) User abnormal behavior detection method in digital home network
CN113364751A (en) Network attack prediction method, computer-readable storage medium, and electronic device
CN114244549B (en) GSSK-means abnormal flow detection method, memory and processor for industrial Internet
Ghalehgolabi et al. Intrusion detection system using genetic algorithm and data mining techniques based on the reduction
US20170293608A1 (en) Unusual score generators for a neuro-linguistic behavioral recognition system
CN114693088B (en) Reservoir temperature field influence factor analysis method, device and storage medium
Aljibawi et al. A survey on clustering density based data stream algorithms
CN112651422B (en) Space-time sensing network flow abnormal behavior detection method and electronic device
KR102433598B1 (en) A System and Method for Deriving Data Boundary
Babu et al. Improved Monarchy Butterfly Optimization Algorithm (IMBO): Intrusion Detection Using Mapreduce Framework Based Optimized ANU-Net.
CN113642017A (en) Encrypted flow identification method based on self-adaptive feature classification, memory and processor
Supardi et al. An evolutionary stream clustering technique for outlier detection
CN113609480B (en) Multipath learning intrusion detection method based on large-scale network flow

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant