CN114936615B - Small sample log information anomaly detection method based on characterization consistency correction - Google Patents
Small sample log information anomaly detection method based on characterization consistency correction Download PDFInfo
- Publication number
- CN114936615B CN114936615B CN202210876386.7A CN202210876386A CN114936615B CN 114936615 B CN114936615 B CN 114936615B CN 202210876386 A CN202210876386 A CN 202210876386A CN 114936615 B CN114936615 B CN 114936615B
- Authority
- CN
- China
- Prior art keywords
- network
- self
- learning
- consistency
- training
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/2433—Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/32—Monitoring with visual or acoustical indication of the functioning of the machine
- G06F11/324—Display of status information
- G06F11/327—Alarm or error message display
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3476—Data logging
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2415—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Biology (AREA)
- Evolutionary Computation (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Artificial Intelligence (AREA)
- Quality & Reliability (AREA)
- Probability & Statistics with Applications (AREA)
- Computer Hardware Design (AREA)
- Debugging And Monitoring (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a small sample log information abnormity detection method based on characterization consistency proofreading, which comprises the following steps of: preprocessing data, extracting event characteristics and carrying out serialization processing; the self-learning characteristic representation network is subjected to iterative training, an original special-shaped computing network is used for learning a characteristic extractor from a small sample classification task, a characteristic consistency correction module is constructed, the original special-shaped computing network and the self-learning characteristic representation network are respectively trained through characteristic consistency correction functions of the original special-shaped computing network and the self-learning characteristic representation network, and the trained self-learning characteristic representation network is used as an embedded network; inputting test set data to obtain a classification result; and performing corresponding processing according to the output result. The method utilizes the supervision information of the original special-shaped computing network to guide the self-learning characteristic to represent network training, is more suitable for model training under the condition of small samples, and simultaneously improves the classification effect of the abnormal detection model under the condition of small samples.
Description
Technical Field
The invention relates to a classification detection method, in particular to a small sample log information abnormity detection method based on characterization consistency proofreading.
Background
With the development of new technologies such as internet, big data, cloud computing and the like, more and more industries and scenes start digital operation. The services enable the life of common users to be convenient and efficient, but also bring a profit channel for the black and gray industry, so that a series of new network security problems are derived. Aiming at the endless network security problems, the traditional detection method can not meet the current requirements on network security defense. The anomaly detection technology based on artificial intelligence technologies such as neural networks has self-learning capability and dynamic monitoring capability, and the network security technology is improved qualitatively. A large number of samples are needed as training data for a traditional neural network detection model, however, in practical application, user data acquisition difficulty is large, time consumption is long, and labeling cost is high, so that effective samples are scarce, and a high-efficiency detection model is difficult to train in the face of a small sample task.
The proofreading learning is an important learning paradigm, and mainly utilizes auxiliary tasks to mine own supervision information from large-scale unsupervised data, and trains a network through the constructed supervision information, so that valuable characteristics of downstream tasks can be learned, and the method comprises main methods based on context, time sequence and the like. However, conventional collation learning methods tend to rely on a large number of training samples. In a small sample scene, due to the lack of enough samples, the obtained supervision information is mainly concentrated on the difference of base class samples, and valuable semantic information of a new class is ignored. The direct application of the learning task in a small sample scene may learn some inappropriate "shortcuts" instead of the key semantic information, i.e. learn a biased representation, thereby leading to misdirection of the main task, causing a performance degradation of the small sample learning.
Disclosure of Invention
The purpose of the invention is as follows: the invention aims to provide a small sample log information abnormity detection method based on characterization consistency proofreading, which can improve the small sample learning performance, and can efficiently distinguish abnormal behaviors aiming at mobile phone application.
The technical scheme is as follows: the invention relates to a small sample log information abnormity detection method based on characterization consistency proofreading, which comprises the following steps of:
(1) Data preprocessing, namely analyzing log information to obtain structured log data, extracting and classifying event characteristics, performing serialization processing, and converting the event characteristics into numerical vector data;
(2) The method comprises the steps that a model feature extractor is subjected to iterative training, preprocessed data are divided into a training set and a testing set, based on training set data, a small sample classification task is executed on each epsilon by using a task-based epicode training strategy, an original special-shaped computing network is used for learning a feature extractor from the small sample classification task, then a characterization consistency checking module is constructed, characterization consistency checking functions of the original special-shaped computing network and a self-learning feature representation network are computed, the characterization consistency checking functions are used for respectively training the original special-shaped computing network and the self-learning feature representation network, parameters of the original special-shaped computing network and the self-learning feature representation network are continuously updated in the iterative process, and finally the trained self-learning feature representation network is used as an embedded network;
(3) Inputting the preprocessed test set data as a model, using the trained self-learning characteristic representation network, calculating the similarity of the test sample and each category, and obtaining the category with the highest similarity as a classification result;
(4) And performing corresponding processing according to the output result of the prediction stage, and if abnormal behaviors are found, sending a warning prompt to remind system management personnel to pay attention to the abnormal behaviors so as to ensure the system safety.
Preferably, the event characteristics in step (1) are an event behavior description string _ id and a security label, where the event behavior description string _ id includes three categories, namely File operation File, process operation Process, and Registry operation register, and the three categories of events include 16 event operation behaviors, and are divided as shown in the following table:
preferably, the 16 event operation behaviors are sequentially stored in a reference vector with the vector size of 16, and a vector matrix corresponding to the reference vector is initialized with the matrix size ofEach binary bit represents an event operation behavior attribute flag value executed by the program, 0 represents that there is no such event type, and 1 represents that there is such event type.
Preferably, the vector matrix is spliced with the security label to form an event behavior vector, and the vector size isWherein the first 16 bits represent attribute flag values of 16 event operation behaviors, the last 1 bit security label represents a flag value of normal event behaviors or abnormal event behaviors, when the security label is 0, it indicates that there is no abnormal behavior, 1 indicates that there is a file operation abnormal behavior, 2 indicates that there is a process operation abnormal behavior, and 3 indicates that there is a registry operation abnormal behavior.
Preferably, the step (2) comprises the following steps:
(2.1) using the training set as input to the model, computing the network using the original idiotypesComputing a class prototype in whichAre learnable network parameters. In particular, for a small sample task,In order to support the set of data,computing a category for a set of queriesIs prototyped as
Wherein the content of the first and second substances,representing a sample label in a feature space ofThe class prototype of (a) is,presentation support setWherein the label isIs determined by the data set of (a),representing a data setThe size of (a) is (b),a feature vector representing the sample is then generated,a label representing the corresponding sample;
for a query from a set of queriesNew sample ofEach category is obtained by distance discrimination as followsNormalized classification score of (a):
whereinRepresents the softmax function; specifying classification loss functionsComprises the following steps:
wherein the content of the first and second substances,x q a feature vector representing the sample is then generated,y q a label representing the corresponding sample;
(2.2) building a self-learning feature representation network for a query from a set of queriesInput data ofGenerating transformations using a method of random enhancementForming pairs of training samples, calculating the objective function of the self-learning feature representation networkComprises the following steps:
(2.3) constructing a characteristic consistency proofreading functionComputing the original profile into a networkAnd self-learning feature representation networkAnd (4) performing proofreading:
(2.4) computing network for primitive specialtiesAnd fusing a classification loss function and a characterization consistency correction function, and calculating a final original special type calculation network training function as follows:
(2.5) representing networks for self-learning featuresAnd fusing a target function and a characteristic consistency correction function of the self-learning characteristic representation network, and calculating a final self-learning characteristic representation network training function as follows:
(2.6) in model training, designing and using an original special-shaped computing network and a self-learning feature representation network interactive iterative updating method, and trainingAndusing the finalAs an embedded network.
Preferably, the interactive iterative update method includes: first, the original special-type computing network is initialized respectivelyAnd self-learning feature representation network(ii) a Fixed self-learning feature representation of parameters in a networkTo obtain a characteristic consistency check functionFurther using the primitive prototype to compute a network training functionFor parameterOne-step optimization is performed, followed by updated parametersTo obtain a new characterization consistency check functionRepresenting network training functions using self-learning featuresPerforming one-step optimization to obtain updated parametersAnd repeating the interactive iteration updating step until the training function is converged.
Preferably, the step (3) includes using the preprocessed test set data as model input, and using the trained self-learning feature representation networkExtracting the characteristics of the sample, calculating the average value of the support set samples corresponding to each class as a prototype of the class, then calculating the similarity between the test sample and each class prototype through a small sample log information abnormity judgment function, and finally obtaining the class with the highest similarity as a final detection result.
Preferably, the small sample log information anomaly determination function is:
the invention also provides a computer readable storage medium, a computer program is stored in the computer readable storage medium, and when the computer program is executed by a processor, the method for detecting the small sample log information abnormity based on the characterization consistency proofreading is realized.
Has the advantages that: compared with the prior art, the invention has the following remarkable advantages: the method has the advantages that the self-supervision learning of the characteristic consistency proofreading is provided, the supervision information of the original special type computing network is used for guiding the self-learning characteristic representation network training, so that the two modules are matched, the characteristic consistency proofreading learning utilizes the inherent supervision information in the marked data, the learning characteristic manifold is improved, the representation deviation is reduced, more effective semantic information is mined, the information is integrated to form uniform distribution, and the original characterization method is further enriched and expanded; the interactive iteration updating method can further converge the target function, is more suitable for model training under the condition of small samples, improves the classification effect of the abnormal detection model under the condition of small samples, effectively detects abnormal behaviors in log files and ensures the application safety of the mobile phone.
Drawings
FIG. 1 is a flow chart of the operation of the present invention;
FIG. 2 is a schematic flow chart of the model iterative training phase of the present invention;
FIG. 3 is a comparison graph of classification discrimination accuracy between the method of the present invention and the prior art.
Detailed Description
The technical scheme of the invention is further explained by combining the attached drawings.
For the task of judging whether the system has abnormal behavior or not by the given log record file, a high-efficiency abnormal detection model can be trained by using a training set, and then the user record is monitored in real time and early warned by using the model. As shown in fig. 1, the method for detecting the abnormality of the log information of the small sample based on the token consistency proofreading includes the following steps: the method comprises a data preprocessing stage, a model iterative training stage, a prediction stage and a response stage.
(1) A data preprocessing stage:
analyzing the log information to obtain structured log data, extracting event features, classifying and sorting the extracted features, serializing the features, and converting the features into numerical vector data. The method specifically comprises the following steps:
the log data set D is composed of a plurality of records, each record is composed of log data content and a label, and in the data preprocessing stage, key fields including event behavior description string _ id and a security label are extracted from the log data. In this embodiment, the following information can be extracted for one log record:
{
"start_time":"2020-08-16T20:55:00",
"end_time":"2020-08-16T20:57:00",
"size":2741,
"Processes":{
"pid":3500,
"name":[python]\\python.exe",
"events":{
"time":"2020-08-16T20:55:00",
"event_id":2233,
"ignored":false,
"string-id":"File:Permissions:|temp|\\000c34576f5c",
"action":"Permissions",
"target":"[temp]\\000c34576f5c",
"abstraction":""
}
}
"label": 1
}
the event behavior description string _ id is 'File: permissions | < temp | \ \000c34576f5 c', the event type can be 'File', the specific event operation behavior is 'Permissions', and the illegal change permission operation for the File is realized. The security label is 1, which indicates that the log record has abnormal behavior for the file system.
In this embodiment, the event vector matrix is 0010000000000000, where bit 3 is 1, indicating that there is a "Permissions" event type. By splicing the vector matrix with the security label, the vector size is formedI.e., 00100000000000001. All data records are preprocessed as described above, each obtained data is a feature vector with the size of 1 × 17, and the data is randomly divided into a training set and a test set.
(2) And (3) in the model iterative training stage, optimizing the self-learning feature representation network, as shown in FIG. 2.
(2.1) using the training set as input to the model, computing the network using the original idiotypesI.e. prototype network, computing class prototypes, in whichAre learnable network parameters. The method comprises the following specific steps: randomly extracting, for each epsilon, from a training set using a task-based epsilon training strategyNEach class is extracted respectivelyKEach sample constitutes a support setSAnd then from thisNThe remaining samples in the individual class extract a portion of the data as a query setQThe constructed classification problem is called the N-way K-shot small sample task. Performing a small sample classification task for each epicode,In order to support the set of data,computing a category for a set of queriesIs prototyped as
Wherein the content of the first and second substances,representing a sample label in a feature space ofThe class prototype of (a) is,presentation support setThe middle label isIs determined by the data set of (a),representing a data setThe size of (a) is (b),a feature vector representing the sample is determined,a label representing the corresponding sample;
for a query from a set of queriesNew sample ofEach category is obtained by distance discrimination as followsNormalized classification score of (a):
whereinRepresents the softmax function; specifying classification penalty functionsComprises the following steps:
wherein the content of the first and second substances,x q a feature vector representing the sample is then generated,y q a label representing the corresponding sample;
(2.2) building a self-learning feature representation network for a query from a set of queriesInput data ofGenerating transformations using a method of random enhancementForming pairs of training samples, calculating the objective function of the self-learning feature representation networkComprises the following steps:
(2.3) constructing a characteristic consistency proofreading functionComputing the original profile into a networkAnd self-learning feature representation networkAnd (4) performing proofreading:
(2.4) computing network for primitive specialtiesAnd fusing a classification loss function and a characterization consistency correction function, and calculating a final original special type calculation network training function as follows:
(2.5) representing networks for self-learning featuresAnd fusing a target function and a characteristic consistency correction function of the self-learning characteristic representation network, and calculating a final self-learning characteristic representation network training function as follows:
wherein, the first and the second end of the pipe are connected with each other,is a weight variable;
(2.6) in model training, designing and using an original special-shaped computing network and a self-learning feature representation network interactive iterative updating method, and trainingAndthe method specifically comprises the following steps:
first, the original special-type computing network is initialized respectivelyAnd self-learning feature representation network(ii) a Fixed self-learning characterization of parameters in a networkTo obtain a characteristic consistency check functionFurther using the primitive prototype to compute a network training functionFor parameterPerforming a one-step optimization, followed by updated parametersTo obtain a new characterization consistency check functionRepresenting network training functions using self-learning featuresPerforming one-step optimization to obtain updated parametersRepeating the interactive iteration updating step until the training function is converged, and representing the network by using the finally trained self-learning characteristicsAs an embedded network.
(3) A prediction stage: the preprocessed test set data is used as model input, and a self-learning characteristic representation network is usedExtracting the characteristics of the sample, calculating the average value of the support set samples corresponding to each class as the prototype of the class, then calculating the similarity between the test sample and each class prototype through a small sample log information abnormity decision function, and finally obtaining the class with the highest similarity as the final detection result, wherein the small sample log information abnormity decision function is
And finally obtaining the distance which is most similar to the class prototype distance of label =1 for the vector matrix 00100000000000000000, namely considering that the prediction label of the segment record is 1 and the abnormal behavior aiming at the file operation exists.
(4) A response phase: and performing corresponding processing according to the prediction result, and the system finds that the event has abnormal behavior aiming at the file system, timely sends out a warning prompt and gives record information of the abnormal behavior so as to facilitate the manager to further troubleshoot errors.
The small sample log information anomaly detection method based on the characterization consistency proofreading is verified through a simulation experiment, a model training method and a model testing method are realized by using python, the method is compared with small sample learning methods such as an original special type calculation network, a matching network and a relation network, and the comparison result under a 5way 5shot task is shown in figure 3. ProtoNet represents an original special type calculation network, matchingNet represents a matching network, relationship Net represents a relational network, MAML represents a model independent algorithm, and RAS represents the small sample learning method based on the characterization consistency proofreading. All procedures were performed on a standard server equipped with Intel Core i7-8700 CPU,3.20GHz,32 GBRAM, and NVIDIA TITAN RTX, using a neural network with activation function ReLu function, adam optimizer, using 0.01 as initial learning rate, and decreasing it gradually during training. As can be seen from FIG. 3, the classification and identification accuracy of the small sample log information anomaly detection method based on the characterization consistency proofreading is higher than that of other methods by more than 5%, so that the method has the advantages of being more suitable for a special task of small sample learning, and meanwhile, the anomaly detection model classification effect under the condition of small samples is improved.
Claims (7)
1. A small sample log information abnormity detection method based on characterization consistency proofreading is characterized by comprising the following steps:
(1) Preprocessing data, analyzing log information, extracting event characteristics and classifying;
(2) The method comprises the steps of iterative training of a self-learning characteristic representation network, dividing preprocessed data into a training set and a testing set, based on training set data, firstly using an epicode training strategy based on tasks, executing a small sample classification task for each epicode, using an original special-type computing network to learn a characteristic extractor from the small sample classification task, then constructing a characterization consistency proofreading module, computing characterization consistency proofreading functions of the original special-type computing network and the self-learning characteristic representation network, respectively training the original special-type computing network and the self-learning characteristic representation network by using the characterization consistency proofreading functions, continuously updating parameters of the original special-type computing network and the self-learning characteristic representation network by using an interactive iterative updating method, and finally using the trained self-learning characteristic representation network as an embedded network;
(2.1) using the training set as input to the model, computing the network using the original idiotypesComputing a class prototype in whichIs a learnable network parameter; for a small sample task,In order to support the set of data,computing categories for a set of queriesThe prototype of (a) is:
wherein the content of the first and second substances,representing a sample label in a feature space ofThe class prototype of (a) is,presentation support setThe middle label isIs determined by the data set of (a),representing a data setThe size of (a) is (b),a feature vector representing the sample is then generated,a label representing the corresponding sample;
for a query from a set of queriesNew sample ofEach category is obtained by distance discriminationNormalized classification score of (a):
whereinRepresents the softmax function; specifying classification penalty functionsComprises the following steps:
wherein, the first and the second end of the pipe are connected with each other,a feature vector representing the sample is then generated,a label representing the corresponding sample;
(2.2) building a self-learning feature representation network for a query from a set of queriesFeature vector of the sampleGenerating transformations using a method of random enhancementForming pairs of training samples, calculating an objective function of a self-learning feature representation networkComprises the following steps:
(2.3) constructing a characteristic consistency proofreading functionComputing the original profile into a networkAnd self-learning feature representation networkAnd (4) performing proofreading:
(2.4) computing network for primitive specialtiesAnd fusing a classification loss function and a characterization consistency correction function, and calculating a final original special type calculation network training function as follows:
(2.5) representing the network for self-learning characteristicsAnd fusing a target function and a characteristic consistency correction function of the self-learning characteristic representation network, and calculating a final self-learning characteristic representation network training function as follows:
(2.6) performing model training by using the characterization consistency correction function, and training a final self-learning characteristic representation network by using an original special type calculation and self-learning characteristic representation interactive iteration updating methodAs an embedded network;
first, the original special-type computing network is initialized respectivelyAnd self-learning feature representation networkAfter which the fixed self-learning features represent parameters in the networkCalculating a characteristic consistency check functionFurther using the primitive prototype to compute a network training functionTo the parameterPerforming a one-step optimization and then updating by optimizationRecalculating the characterization consistency check functionUsing self-learning characterizing functionsTo the parameterPerforming one-step optimization to obtain optimized and updated parametersRepeating the iteration updating step until the training function is converged;
(3) And (3) using the trained self-learning characteristic representation network to calculate the similarity between the test set data and each category, and obtaining the category with the highest similarity as a final detection result.
2. The method for detecting the small sample log information abnormality based on the characterization consistency proofreading according to claim 1, wherein the event characteristics in the step (1) include an event behavior description string _ id and a security label, wherein the event behavior description string _ id includes a File operation File, a Process operation Process and a Registry operation registration.
3. The method for detecting the small sample log information anomaly based on the characterization consistency proofreading according to claim 2, characterized in that an event behavior description string _ id is represented by binary numbers, each binary bit represents an event operation behavior attribute flag value executed by a program, 0 represents that the event type does not exist, and 1 represents that the event type exists, so as to form a vector matrix; the security label represents a normal event behavior or an abnormal event behavior marking value, when the security label is 0, the label represents that no abnormal behavior exists, when the label is 1, the document operation abnormal behavior exists, when the label is 2, the process operation abnormal behavior exists, and when the label is 3, the registry operation abnormal behavior exists; and splicing the vector matrix and the security label to form an event behavior vector.
4. The method for detecting the abnormality of the log information of the small samples based on the characterization consistency check as claimed in claim 1, wherein the step (3) comprises using the preprocessed test set data as the model input and using the trained self-learning feature representation networkExtracting the characteristics of the samples, calculating the average value of the support set samples corresponding to each class as a prototype of the class, and then calculating the similarity between the test sample and each class prototype through a small sample log information abnormity judgment function to obtain the class with the highest similarity as a classification result.
6. the method for detecting the small sample log information abnormality based on the characterization consistency proofreading as claimed in claim 1, further comprising the step (4) of performing early warning and response processing according to a detection result.
7. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of the claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210876386.7A CN114936615B (en) | 2022-07-25 | 2022-07-25 | Small sample log information anomaly detection method based on characterization consistency correction |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210876386.7A CN114936615B (en) | 2022-07-25 | 2022-07-25 | Small sample log information anomaly detection method based on characterization consistency correction |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114936615A CN114936615A (en) | 2022-08-23 |
CN114936615B true CN114936615B (en) | 2022-10-14 |
Family
ID=82868605
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210876386.7A Active CN114936615B (en) | 2022-07-25 | 2022-07-25 | Small sample log information anomaly detection method based on characterization consistency correction |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114936615B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116032557B (en) * | 2022-12-09 | 2024-07-02 | 清华大学 | Method and device for updating deep learning model in network security anomaly detection |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112069921A (en) * | 2020-08-18 | 2020-12-11 | 浙江大学 | Small sample visual target identification method based on self-supervision knowledge migration |
CN113705699A (en) * | 2021-08-31 | 2021-11-26 | 平安科技(深圳)有限公司 | Sample abnormity detection method, device, equipment and medium based on machine learning |
CN114092747A (en) * | 2021-11-30 | 2022-02-25 | 南通大学 | Small sample image classification method based on depth element metric model mutual learning |
CN114169442A (en) * | 2021-12-08 | 2022-03-11 | 中国电子科技集团公司第五十四研究所 | Remote sensing image small sample scene classification method based on double prototype network |
CN114299326A (en) * | 2021-12-07 | 2022-04-08 | 浙江大学 | Small sample classification method based on conversion network and self-supervision |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7296018B2 (en) * | 2004-01-02 | 2007-11-13 | International Business Machines Corporation | Resource-light method and apparatus for outlier detection |
US7962429B2 (en) * | 2007-05-24 | 2011-06-14 | Paul Adams | Neuromorphic device for proofreading connection adjustments in hardware artificial neural networks |
CN109062774A (en) * | 2018-06-21 | 2018-12-21 | 平安科技(深圳)有限公司 | Log processing method, device and storage medium, server |
US11829869B2 (en) * | 2018-07-25 | 2023-11-28 | Servicenow Canada Inc. | Multiple task transfer learning |
CN109961089B (en) * | 2019-02-26 | 2023-04-07 | 中山大学 | Small sample and zero sample image classification method based on metric learning and meta learning |
CN111273870B (en) * | 2020-01-20 | 2023-06-06 | 深圳奥思数据科技有限公司 | Method, equipment and storage medium for iterative migration of mass data among cloud storage systems |
CN113450300A (en) * | 2020-03-24 | 2021-09-28 | 北京基石生命科技有限公司 | Machine learning-based primary tumor cell picture identification method and system |
CN112529878B (en) * | 2020-12-15 | 2024-04-02 | 西安交通大学 | Multi-view semi-supervised lymph node classification method, system and equipment |
CN112764997B (en) * | 2021-01-28 | 2024-02-20 | 抖音视界有限公司 | Log storage method and device, computer equipment and storage medium |
CN113128613B (en) * | 2021-04-29 | 2023-10-17 | 南京大学 | Semi-supervised anomaly detection method based on transfer learning |
CN113391900B (en) * | 2021-06-18 | 2024-04-09 | 长春吉星印务有限责任公司 | Abnormal event processing method and system in discrete production environment |
CN113723387A (en) * | 2021-07-08 | 2021-11-30 | 常州工学院 | Chinese ancient book non-standard font recognition system based on deep learning |
CN113610139A (en) * | 2021-08-02 | 2021-11-05 | 大连理工大学 | Multi-view-angle intensified image clustering method |
CN113963165A (en) * | 2021-09-18 | 2022-01-21 | 中国科学院信息工程研究所 | Small sample image classification method and system based on self-supervision learning |
-
2022
- 2022-07-25 CN CN202210876386.7A patent/CN114936615B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112069921A (en) * | 2020-08-18 | 2020-12-11 | 浙江大学 | Small sample visual target identification method based on self-supervision knowledge migration |
CN113705699A (en) * | 2021-08-31 | 2021-11-26 | 平安科技(深圳)有限公司 | Sample abnormity detection method, device, equipment and medium based on machine learning |
CN114092747A (en) * | 2021-11-30 | 2022-02-25 | 南通大学 | Small sample image classification method based on depth element metric model mutual learning |
CN114299326A (en) * | 2021-12-07 | 2022-04-08 | 浙江大学 | Small sample classification method based on conversion network and self-supervision |
CN114169442A (en) * | 2021-12-08 | 2022-03-11 | 中国电子科技集团公司第五十四研究所 | Remote sensing image small sample scene classification method based on double prototype network |
Non-Patent Citations (2)
Title |
---|
Meta-Learning with Dynamic-Memory-Based Prototypical Network for Few-Shot Event Detection;Shumin Deng等;《WSDM"20:Proceedings of the 13th International Conference on Web Search and Data Mining》;20200131;第151-159页 * |
基于异常检测模型的日志开销优化方法研究与实现;郑倩慧志;《中国优秀硕士学位论文全文数据库 信息科技辑》;20220315(第3期);第I138-300页 * |
Also Published As
Publication number | Publication date |
---|---|
CN114936615A (en) | 2022-08-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8543522B2 (en) | Automatic rule discovery from large-scale datasets to detect payment card fraud using classifiers | |
Zhao et al. | A malware detection method of code texture visualization based on an improved faster RCNN combining transfer learning | |
CN113590698B (en) | Artificial intelligence technology-based data asset classification modeling and hierarchical protection method | |
CN111143838B (en) | Database user abnormal behavior detection method | |
CN113011889B (en) | Account anomaly identification method, system, device, equipment and medium | |
CN113742733B (en) | Method and device for extracting trigger words of reading and understanding vulnerability event and identifying vulnerability type | |
CN113656805A (en) | Event map automatic construction method and system for multi-source vulnerability information | |
CN111126820A (en) | Electricity stealing prevention method and system | |
CN113595998A (en) | Bi-LSTM-based power grid information system vulnerability attack detection method and device | |
CN110909542A (en) | Intelligent semantic series-parallel analysis method and system | |
CN114936615B (en) | Small sample log information anomaly detection method based on characterization consistency correction | |
CN110765285A (en) | Multimedia information content control method and system based on visual characteristics | |
CN111709225B (en) | Event causal relationship discriminating method, device and computer readable storage medium | |
CN109543038B (en) | Emotion analysis method applied to text data | |
CN116541755A (en) | Financial behavior pattern analysis and prediction method based on time sequence diagram representation learning | |
CN114254691A (en) | Multi-channel operation wind control method based on active identification and intelligent monitoring | |
CN108647497A (en) | A kind of API key automatic recognition systems of feature based extraction | |
CN117290508A (en) | Post-loan text data processing method and system based on natural language processing | |
CN111611774A (en) | Operation and maintenance operation instruction security analysis method, system and storage medium | |
CN116226769A (en) | Short video abnormal behavior recognition method based on user behavior sequence | |
CN111797904A (en) | Method and device for detecting tampering of webpage features | |
CN113657443B (en) | On-line Internet of things equipment identification method based on SOINN network | |
CN115618297A (en) | Method and device for identifying abnormal enterprise | |
CN112733144B (en) | Intelligent malicious program detection method based on deep learning technology | |
CN115426194A (en) | Data processing method and device, storage medium and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |