CN115473734B - Remote code execution attack detection method based on single classification and federal learning - Google Patents


Info

Publication number
CN115473734B
Authority
CN
China
Prior art keywords
data packet
feature extraction
extraction model
machine feature
anomaly detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211108049.XA
Other languages
Chinese (zh)
Other versions
CN115473734A (en)
Inventor
黄诚
赵书立
韩家璇
汪扬
李希然
黄嘉�
胡海馨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan University
Original Assignee
Sichuan University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan University
Priority to CN202211108049.XA
Publication of CN115473734A
Application granted
Publication of CN115473734B
Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a remote code execution attack detection method based on one-class classification and federated learning, and relates to the technical field of information security. The method comprises the following steps: step 1: building a single-machine feature extraction model for extracting semantic features of data packets; step 2: building a federated learning framework and connecting the single-machine feature extraction model to it; step 3: extracting semantic features of data packets with the updated single-machine feature extraction model and training an anomaly detection model; step 4: determining, with the trained anomaly detection model, whether a data packet is a remote code execution attack data packet. The invention reduces the dependence of the detection model on human experts and, to a certain extent, solves the problem of poor classification model performance caused by the lack of training data at a single enterprise or organization.

Description

Remote code execution attack detection method based on single classification and federal learning
Technical Field
The invention relates to the technical field of information security, and in particular to a remote code execution attack detection method based on one-class classification and federated learning.
Background
Remote code execution attacks are highly stealthy and highly dangerous, and have been a focus of experts and researchers in the field of network security in recent years. By exploiting remote code execution vulnerabilities on a device, an attacker can steal data, destroy network infrastructure and pursue other malicious goals. Remote code execution attacks typically use network communication packets as a carrier: a carefully constructed attack payload is uploaded to the target server to induce it to execute malicious code. Detecting whether a communication data packet is malicious is therefore of great importance.
In general, to prevent remote code execution attacks, enterprises and organizations establish rules that filter out data packets containing a remote code execution attack payload before the server executes them. However, the granularity of the rules can affect the proper operation of business traffic. To evade the security system, an attacker transforms the remote code attack payload and conceals its malicious behavior, so that a data packet carrying the payload closely resembles a data packet of the normal service system. In addition, the normal service system may itself have a functional need for remote code execution, and the basic libraries and functions it uses for that purpose may be the same as those used by a remote code attack payload. Rules that are too fine-grained may prevent the service system from operating normally, while rules that are too coarse-grained may fail to filter attack data packets.
Attack packet detection based on machine learning is a popular research direction. Machine learning techniques have great advantages in natural language semantic analysis and understanding. However, few remote code execution attack packet samples are publicly available, which is not enough to train a good machine learning model; in addition, attack data packets can be highly similar to normal service data packets. Remote code execution attack detection based on machine learning is therefore challenging.
Disclosure of Invention
To overcome the defects and shortcomings of the prior art, the invention aims to provide a remote code execution attack detection method based on one-class classification and federated learning. The method is divided into two modules: a horizontal federated learning module and an anomaly detection module. Horizontal federated learning is one kind of federated learning; it is used where the features are identical but the data sets differ, and it allows the sample set to be expanded. Anomaly detection is a method commonly used in the field of information security; its core idea is to learn the characteristics and patterns of a large number of normal samples in order to discover abnormal behavior that deviates from them. The horizontal federated learning module is based on a server-client horizontal federated learning architecture. In each client, the input text data is first preprocessed, the preprocessed data packets are normalized according to a special keyword mapping table, and the normalized data packets are converted into vector form based on pre-trained word vectors; a single-machine feature extraction model is then constructed based on TextCNN; next, a federated learning framework is built and the single-machine feature extraction model is connected to it; finally, on the basis of the single-machine feature extraction model, an anomaly detection model is trained with the One-Class SVM algorithm and used to judge whether a data packet is a remote code execution attack data packet.
The technical scheme of the invention is as follows:
A remote code execution attack detection method based on one-class classification and federated learning comprises two modules, horizontal federated learning and anomaly detection, and specifically comprises the following steps:
Step 1: building a single-machine feature extraction model for extracting semantic features of data packets;
Step 2: building a federated learning framework and connecting the single-machine feature extraction model to it;
Step 3: extracting semantic features of data packets with the updated single-machine feature extraction model and training an anomaly detection model;
Step 4: determining, with the trained anomaly detection model, whether a data packet is a remote code execution attack data packet.
It is emphasized that the present invention is concerned with HTTP packets.
Further, step 1 includes the following steps:
Step 1.1: Data packet preprocessing. The URL-encoded and Base64-encoded content in the data packet is decoded first. Next, the data packet is split row by row using predefined separators, so that each row is split into a word list consisting of words and short strings, which are collectively referred to as words;
Step 1.2: Data packet standardization. The word list is normalized based on a special keyword mapping table, replacing each special keyword with a specific symbol;
Step 1.3: Data packet vectorization. The words in each word list are sequentially converted into word vectors based on the pre-trained word vectors. The word vectors in each word list are then arithmetically averaged to obtain the corresponding row vector. The row vectors are concatenated in the order of the rows in the data packet to obtain the data packet vector;
Step 1.4: Construction of the data packet semantic feature extraction network. A TextCNN neural network is constructed to extract semantic features of the data packet from the data packet vector.
Further, step 2 includes the following steps:
Step 2.1: Building the federated learning framework. An aggregation server and clients are deployed, and the single-machine feature extraction model is connected to the federated learning framework;
Step 2.2: each client trains its own single-machine feature extraction model on its own data set;
Step 2.3: each client uploads the parameters of its trained single-machine feature extraction model to the aggregation server;
Step 2.4: the aggregation server aggregates and updates the network parameters and sends the updated network parameters to the clients;
Step 2.5: each client updates the parameters of its single-machine feature extraction model to obtain an optimized single-machine feature extraction model.
Further, step 3 includes the following steps:
Step 3.1: constructing an anomaly detection original data set comprising a group of non-network-attack data packets and a small number of remote code execution attack data packets;
Step 3.2: using the updated single-machine feature extraction model obtained in step 2 to extract semantic features of the data packets in the anomaly detection original data set, and constructing an anomaly detection training data set;
Step 3.3: training an anomaly detection model on the anomaly detection training data set using the One-Class SVM algorithm.
Further, step 4 includes the following step:
Step 4.1: Based on the anomaly detection model trained in step 3, the probability that the target data packet is a remote code execution attack data packet is given. This probability is compared with a manually defined threshold; if it is greater than or equal to the threshold, the target data packet is considered to be a remote code execution attack data packet.
Compared with the prior art, the invention has the following beneficial effects. The invention uses the TextCNN network to perform semantic analysis on the content of a data packet and extract its semantic features, and, following an anomaly detection approach, learns the semantic features of data packets with the One-Class SVM algorithm. In addition, to address the scarcity of remote code execution attack data sets, which degrades the classification performance of the model, the invention introduces federated learning: a federated learning framework is built, the single-machine feature extraction model is connected to it, the model parameters obtained by training the single-machine feature extraction model on each data island (that is, each client's own data set) are aggregated, and the single-machine feature extraction model is updated, yielding a more robust single-machine feature extraction model. Compared with traditional rule-based detection of remote code execution attack data packets, the method can significantly reduce the workload of human experts and, to a certain extent, solve the problem of scarce training data; the anomaly detection model is established only by learning the semantic features of normal data packets, and is then used to judge remote code execution attack data packets.
Drawings
For ease of illustration, the invention is described in detail by the following detailed description and the accompanying drawings.
Fig. 1 is a flow chart of the method of the present invention.
Fig. 2 is a frame diagram of the method of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described below by way of specific examples shown in the accompanying drawings. It is to be understood that these descriptions are exemplary and are not intended to limit the scope of the invention. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as to avoid unnecessarily obscuring the concepts of the invention.
It should be further noted that, in order to avoid obscuring the concepts of the present invention due to unnecessary details, only structures and/or processing steps closely related to the aspects of the present invention are shown in the drawings, while other details not greatly related to the present invention are omitted.
As shown in Fig. 1, a remote code execution attack detection method based on one-class classification and federated learning includes the following steps:
Step 1: Build a single-machine feature extraction model for extracting semantic features of data packets. The specific method comprises the following steps:
Step 1.1: Data packet preprocessing. The URL-encoded and Base64-encoded content in the data packet is decoded first. Next, the data packet is split row by row using predefined separators, so that each row is split into a word list consisting of words and short strings, which are collectively referred to as words. The predefined separators are: {', "<, +, _, {, }, (,), [, -, #, -, and +: (II), (III), (V), (|, @, |, =,% }. For example, the row "POST/user/1/wait HTTP/1.1" is split into [ POST, user,1, wait, HTTP, 1];
Step 1.2: Data packet standardization. The word list is normalized based on a special keyword mapping table, replacing each special keyword with a specific symbol. Special keywords are divided into 9 categories: pure digits, nonsensical words, binary strings, IP addresses, encrypted content, file suffixes, browser type, request method, and request language, which are replaced with NUM, MEANLESS, BNY, IPADDR, ENCRYPSTR, FILESUFFIX, BROWSERRELATED, RQENAME, BROWSERRELATED, respectively. For example, the word list [ POST, user,1, wait, HTTP, 1] is normalized to [ RQENAME, user, NUM, edit, HTTP, NUM, NUM ];
Step 1.3: Data packet vectorization. The words in a word list are sequentially converted into fixed-dimension word vectors. All word vectors in each word list are arithmetically averaged to obtain the corresponding row vector; the quantities in this calculation are the row vector corresponding to a row's word list, the number of word vectors in that row's word list, and the word vector of each word in that row. The row vectors are concatenated in the order of the rows in the data packet to obtain the data packet vector, a calculation that also depends on the number of rows of the data packet. The method uniformly sets the number of rows to 15: a data packet with fewer rows is padded with zero vectors of the word-vector dimension, the number of which is determined from the actual number of rows of the data packet, and a data packet with more rows is truncated so that only the leading rows up to that number are kept;
Step 1.4: Construction of the data packet semantic feature extraction network. A TextCNN neural network is constructed to extract semantic features of the data packet from the data packet vector. The TextCNN neural network consists of one convolutional layer and one pooling layer and includes 6 convolution kernels of sizes (3, 300), (4, 300), (5, 300), (6, 300), (7, 300) and (8, 300), respectively; each of the 6 convolution kernels has 1 input channel and 50 output channels. During training, the optimizer is Adam, the loss function is CrossEntropyLoss, the learning rate is set to 0.01, the training batch is set to 16, and the number of training rounds is set to 160;
Step 2: Build a federated learning framework and connect the single-machine feature extraction model to it. The specific method comprises the following steps:
Step 2.1: The federated learning framework is built on MindSpore. An aggregation server and clients are deployed, and the single-machine feature extraction model is connected to the federated learning framework;
Step 2.2: each client trains its own single-machine feature extraction model on its own data set;
Step 2.3: each client uploads the parameters of its trained single-machine feature extraction model to the aggregation server;
Step 2.4: the aggregation server aggregates and updates the network parameters and sends the updated network parameters to the clients;
Step 2.5: each client updates the parameters of its single-machine feature extraction model to obtain an optimized single-machine feature extraction model;
Step 3: Extract semantic features of data packets with the updated single-machine feature extraction model and train an anomaly detection model. The specific method comprises the following steps:
Step 3.1: An anomaly detection original data set is constructed, comprising a group of non-network-attack data packets and a small number of remote code execution attack data packets. The ratio of the number of remote code execution attack data packets to the number of non-network-attack data packets is 1:4;
Step 3.2: The updated single-machine feature extraction model obtained in step 2 is used to extract semantic features of the data packets in the anomaly detection original data set, and an anomaly detection training data set is constructed;
Step 3.3: An anomaly detection model is trained on the anomaly detection training data set using the One-Class SVM algorithm. The kernel parameter of the One-Class SVM algorithm is set to 'rbf', the gamma parameter is set to 5e-5, and the nu parameter is set to 0.03;
Step 4: Determine, with the trained anomaly detection model, whether a data packet is a remote code execution attack data packet. The specific method comprises the following step:
Step 4.1: Based on the anomaly detection model trained in step 3, the probability that the target data packet is a remote code execution attack data packet is given. This probability is compared with a manually defined threshold; if it is greater than or equal to the threshold, the target data packet is considered to be a remote code execution attack data packet. The threshold is set to 0.5 by default.
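Steps 1.1 to 1.3 can be followed on a concrete packet with the Python sketch below, which is an added example and not code from the patent. Its separator set, its subset of the nine keyword categories, the masking of IP addresses before splitting, the dropping of empty rows, and the hash-based toy embedding that stands in for the GloVe lookup are all assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import quote, unquote

MAX_ROWS = 15  # row count fixed in step 1.3
DIM = 8        # assumption: toy size; the claims name the 300-d glove-wiki-gigaword-300

# Assumption: a readable separator set, since the page's own list is garbled.
SPLIT_RE = re.compile(r"""[\s'"<>+_{}()\[\]\-#:;,.?!/\\|@=%&*]+""")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REQUEST_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}
FILE_SUFFIXES = {"php", "jsp", "asp", "aspx", "html", "js", "css"}


def try_base64(match):
    """Replace a Base64-looking run with its text, but only if it decodes cleanly."""
    run = match.group(0)
    try:
        raw = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return run  # wrong length or padding: ordinary text, keep it
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return run      # decodes to binary: leave the original run in place


def decode_line(line):
    """Step 1.1, decoding: URL-decode first, then Base64, then mask IP addresses."""
    line = unquote(line)
    line = B64_RE.sub(try_base64, line)
    # Masked before splitting because '.' is a separator here (assumption).
    return IP_RE.sub("IPADDR", line)


def normalize(words):
    """Step 1.2 for a subset of the page's nine keyword categories."""
    out = []
    for w in words:
        if w.isdigit():
            out.append("NUM")
        elif w in REQUEST_METHODS:
            out.append("RQENAME")
        elif w.lower() in FILE_SUFFIXES:
            out.append("FILESUFFIX")
        else:
            out.append(w)
    return out


def preprocess(packet):
    """Steps 1.1 and 1.2: one normalized word list per non-empty row."""
    rows = []
    for line in packet.splitlines():
        words = [w for w in SPLIT_RE.split(decode_line(line)) if w]
        if words:  # assumption: rows with no words are dropped
            rows.append(normalize(words))
    return rows


def embed(word):
    """Stand-in for the GloVe lookup: a deterministic toy vector per word."""
    digest = hashlib.sha256(word.lower().encode("utf-8")).digest()
    return [(b - 127.5) / 127.5 for b in digest[:DIM]]


def vectorize(rows):
    """Step 1.3: average word vectors per row, then pad or truncate to MAX_ROWS."""
    matrix = []
    for words in rows[:MAX_ROWS]:
        vecs = [embed(w) for w in words]
        if vecs:
            matrix.append([sum(col) / len(vecs) for col in zip(*vecs)])
        else:
            matrix.append([0.0] * DIM)
    matrix.extend([0.0] * DIM for _ in range(MAX_ROWS - len(matrix)))
    return matrix


# Constructed sample packet: the body value is Base64 wrapped in URL encoding.
PAYLOAD = base64.b64encode(b"echo hello world").decode("ascii")
SAMPLE_PACKET = (
    "POST /user/1/edit HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "\r\n"
    "data=" + quote(PAYLOAD)
)

if __name__ == "__main__":
    rows = preprocess(SAMPLE_PACKET)
    for row in rows:
        print(row)
    matrix = vectorize(rows)
    print(len(matrix), "rows x", len(matrix[0]), "dims")
```

The order of the decoding passes matters: a payload that is Base64 inside URL encoding only becomes visible to the tokenizer when URL decoding runs first, and a run that merely looks like Base64 (a long URL path, for instance) is left untouched when it fails strict decoding.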
The foregoing has shown and described the basic principles, principal features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the foregoing embodiments, which have been set forth merely in the foregoing description and which illustrate the principles of the invention, and that various changes and modifications may be effected therein without departing from the spirit and scope of the invention as defined by the appended claims and their equivalents.

Claims (5)

1. A method for detecting an attack by a remote code based on single classification and federal learning, comprising the steps of:
step 1: constructing a single-machine feature extraction model for extracting semantic features of data packets, wherein constructing the single-machine feature extraction model comprises data packet preprocessing, data packet standardization, data packet vectorization and construction of a data packet semantic feature extraction network; specifically, the data packet preprocessing comprises data packet decoding and data packet content splitting; the data packet standardization normalizes the word list based on a special keyword mapping table and replaces the special keywords with specific symbols; the data packet vectorization uses the GloVe pre-trained word vectors GloVe-wiki-gigaword-300 to sequentially convert the words in a word list into fixed-dimension word vectors; the construction of the data packet semantic feature extraction network constructs a TextCNN neural network and extracts semantic features of the data packet based on the data packet vector;
step 2: building a federated learning framework and connecting the single-machine feature extraction model to it, which comprises building the federated learning framework based on MindSpore, deploying an aggregation server and clients, and connecting the single-machine feature extraction model to the federated learning framework; each client trains its own single-machine feature extraction model on its own data set; each client uploads the parameters of its trained single-machine feature extraction model to the aggregation server; the aggregation server aggregates and updates the network parameters and sends the updated network parameters to the clients; each client updates the parameters of its single-machine feature extraction model to obtain an optimized single-machine feature extraction model;
step 3: extracting semantic features of data packets with the updated single-machine feature extraction model and training an anomaly detection model, which specifically comprises constructing an anomaly detection original data set comprising a group of non-network-attack data packets and a small number of remote code execution attack data packets; using the updated single-machine feature extraction model obtained in step 2 to extract semantic features of the data packets in the anomaly detection original data set, and constructing an anomaly detection training data set; training an anomaly detection model on the anomaly detection training data set using the One-Class SVM algorithm; wherein the kernel parameter of the One-Class SVM algorithm is set to 'rbf', the gamma parameter is set to 5e-5, and the nu parameter is set to 0.03;
step 4: judging, with the trained anomaly detection model, whether a data packet is a remote code execution attack data packet, wherein the judging is based on the anomaly detection model trained in step 3, which gives the probability that the target data packet is a remote code execution attack data packet; the probability is compared with a manually defined threshold, and if it is greater than or equal to the threshold, the target data packet is considered to be a remote code execution attack data packet; wherein the threshold is set to 0.5 by default.
2. The method according to claim 1, wherein step 1 comprises the steps of:
step 1.1: data packet preprocessing, in which the URL-encoded and Base64-encoded content in the data packet is decoded first; next, the data packet is split row by row using predefined separators, so that each row is split into a word list consisting of words and short strings, which are collectively referred to as words, and the predefined separators are: {', "<, +, _, {, }, (,), [, -, #, -, and +: (II), (III), (V), (|, @, |, =,% };
step 1.2: data packet standardization, in which the word list is normalized based on a special keyword mapping table and each special keyword is replaced with a specific symbol; wherein special keywords are divided into 9 categories: pure digits, nonsensical words, binary strings, IP addresses, encrypted content, file suffixes, browser type, request method, and request language, which are replaced with NUM, MEANLESS, BNY, IPADDR, ENCRYPSTR, FILESUFFIX, BROWSERRELATED, RQENAME, BROWSERRELATED, respectively;
step 1.3: data packet vectorization, in which the GloVe-based pre-trained word vectors glove-wiki-gigaword-300 are used to sequentially convert the words in the word list into fixed-dimension word vectors; all word vectors in each word list are arithmetically averaged to obtain the corresponding row vector, the quantities in this calculation being the row vector corresponding to a row's word list, the number of word vectors in that row's word list, and the word vector of each word in that row; the row vectors are concatenated in the order of the rows in the data packet to obtain the data packet vector, a calculation that also depends on the number of rows of the data packet; the method uniformly sets the number of rows to 15, a data packet with fewer rows being padded with zero vectors of the word-vector dimension, the number of which is determined from the actual number of rows of the data packet, and a data packet with more rows being truncated so that only the leading rows up to that number are kept;
step 1.4: construction of the data packet semantic feature extraction network, in which a TextCNN neural network is constructed to extract semantic features of the data packet based on the data packet vector; the TextCNN neural network consists of one convolutional layer and one pooling layer and comprises 6 convolution kernels of sizes (3, 300), (4, 300), (5, 300), (6, 300), (7, 300) and (8, 300), respectively, each of the 6 convolution kernels having 1 input channel and 50 output channels; in training, the optimizer is Adam, the loss function is CrossEntropyLoss, the learning rate is set to 0.01, the training batch is set to 16, and the number of training rounds is set to 160.
3. The method according to claim 1, characterized in that step 2 comprises in particular the steps of:
step 2.1: constructing a federal learning framework, deploying an aggregation server and a client, and accessing a single machine feature extraction model into the federal learning framework;
step 2.2: the client trains the respective single machine feature extraction model on own data set;
step 2.3: uploading parameters of a trained single-machine feature extraction model to an aggregation server by a client;
step 2.4: the aggregation server aggregates and updates the network parameters and transmits the updated network parameters to the client;
step 2.5: and the client updates parameters of the single machine feature extraction model to obtain an optimized single machine feature extraction model.
4. The method according to claim 1, characterized in that step 3 comprises in particular the steps of:
step 3.1: constructing an anomaly detection original data set which comprises a group of non-network attack data packets and a small number of remote code execution attack data packets;
step 3.2: using the updated single machine feature extraction model obtained in the step 2 to extract semantic features of the data packet based on the anomaly detection original data set, and constructing an anomaly detection training data set;
step 3.3: training an anomaly detection model on the anomaly detection training data set using the One-Class SVM algorithm; wherein the kernel parameter of the One-Class SVM algorithm is set to 'rbf', the gamma parameter is set to 5e-5, and the nu parameter is set to 0.03.
5. The method according to claim 1, characterized in that step 4 comprises in particular the steps of:
step 4.1: based on the anomaly detection model trained in step 3, giving the probability that the target data packet is a remote code execution attack data packet; the probability is compared with a manually defined threshold, and if it is greater than or equal to the threshold, the target data packet is considered to be a remote code execution attack data packet; wherein the threshold is set to 0.5 by default.
CN202211108049.XA 2022-09-13 2022-09-13 Remote code execution attack detection method based on single classification and federal learning Active CN115473734B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211108049.XA CN115473734B (en) 2022-09-13 2022-09-13 Remote code execution attack detection method based on single classification and federal learning

Publications (2)

Publication Number Publication Date
CN115473734A CN115473734A (en) 2022-12-13
CN115473734B true CN115473734B (en) 2023-08-11

Family

ID=84332715

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211108049.XA Active CN115473734B (en) 2022-09-13 2022-09-13 Remote code execution attack detection method based on single classification and federal learning

Country Status (1)

Country Link
CN (1) CN115473734B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117688558B (en) * 2024-02-01 2024-05-07 杭州海康威视数字技术股份有限公司 Terminal attack lightweight detection method and device based on microstructure abnormal event

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111709034A (en) * 2020-05-29 2020-09-25 成都金隼智安科技有限公司 Machine learning-based industrial control environment intelligent safety detection system and method
CN112270367A (en) * 2020-11-05 2021-01-26 四川大学 Semantic information-based method for enhancing robustness of deep learning model
CN113990454A (en) * 2021-10-27 2022-01-28 河南工程学院 Malicious behavior identification method based on federal learning and feature extraction

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11616804B2 (en) * 2019-08-15 2023-03-28 Nec Corporation Thwarting model poisoning in federated learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ExploitKit attack activity detection method based on deep graph convolutional neural network; 刘小乐 et al.; 《信息安全研究》; 685-693 *

Also Published As

Publication number Publication date
CN115473734A (en) 2022-12-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant