CN115842636A - Network abnormal behavior monitoring method and device based on time sequence characteristics - Google Patents
- Publication number
- CN115842636A
- Authority
- CN
- China
- Prior art keywords
- data packet
- network
- processing result
- abnormal behavior
- vector
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a method and a device for monitoring network abnormal behaviors based on time sequence characteristics. The method comprises the steps of obtaining a network data packet to be processed, wherein the network data packet at least comprises the following components: timing information; determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics; and inputting the data packet vector into a preset machine learning model to obtain a network abnormal behavior judgment result. The method and the device solve the technical problems that single-flow intrusion detection causes low accuracy and low detection rate. According to the method and the device, each network flow is gathered together according to the time sequence for the forward and backward correlation analysis, and the detection rate is improved.
Description
Technical Field
The present invention relates to the field of network intrusion detection and abnormal behavior detection, and in particular, to a method and an apparatus for monitoring abnormal behavior of a network based on time sequence characteristics.
Background
The intrusion detection system mainly extracts security features from network connection log information to perform feature analysis to realize classification of network behaviors and perform alarm reminding on abnormal behaviors.
In practical situations, the attack behavior is often complex, multi-scenario and multi-demand, and different problems cannot be solved if a universal intrusion detection model is adopted.
Aiming at the problems of low accuracy and low detection rate caused by single-flow intrusion detection in the related technology, an effective solution is not provided at present.
Disclosure of Invention
The application mainly aims to provide a method and a device for monitoring network abnormal behaviors based on time sequence characteristics, so as to solve the problems of low accuracy and low detection rate caused by single flow intrusion detection.
In order to achieve the above object, according to one aspect of the present application, a method for monitoring abnormal network behavior based on time sequence characteristics is provided.
The network abnormal behavior monitoring method based on the time sequence characteristics comprises the following steps: acquiring a network data packet to be processed, wherein the network data packet at least comprises: timing sequence information; determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics; and inputting the data packet vector into a preset machine learning model to obtain a network abnormal behavior judgment result.
In order to achieve the above object, according to another aspect of the present application, a device for processing network abnormal behavior is provided.
The processing device for the network abnormal behavior comprises the following components: an obtaining module, configured to obtain a network data packet to be processed, where the network data packet at least includes: timing information; the determining module is used for determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics; and the judging module is used for inputting the data packet vector into a preset machine learning model to obtain a network abnormal behavior judging result.
Because a real complete attack at present is not a simple abnormal connection or a single abnormal flow, different attack means have obvious difference on time characteristics, and different problems cannot be solved by using a general intrusion detection model. In the embodiment of the application, the data packets are aggregated according to a certain rule, and the characteristics of the data packets are transformed, so that the detection efficiency and the accuracy are improved.
In the method and device for monitoring network abnormal behavior based on time sequence characteristics in the embodiment of the application, a network data packet to be processed is obtained, the network data packet at least comprising timing information; a data packet vector for representing the network abnormal behavior is determined according to the timing information and preset network abnormal behavior characteristics; and the data packet vector is input into a preset machine learning model to obtain a network abnormal behavior judgment result. This achieves the technical effect of improving detection efficiency and accuracy, and solves the technical problems of a single intrusion detection mode and low detection rate.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, serve to provide a further understanding of the application and to enable other features, objects, and advantages of the application to be more apparent. The drawings and their description illustrate the embodiments of the invention and do not limit it. In the drawings:
fig. 1 is a schematic system structure diagram of a network abnormal behavior monitoring method based on time sequence characteristics according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a method for monitoring network abnormal behavior based on time sequence characteristics according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a network abnormal behavior monitoring device based on a time sequence characteristic according to an embodiment of the present application;
fig. 4 is a schematic flow chart of a network abnormal behavior monitoring method based on time sequence characteristics in an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
As shown in fig. 1, in an optional implementation manner, the system adopted by the method for monitoring abnormal network behavior based on time sequence characteristics in the present application includes: an application server 100, a data server 200, a file server 300, a security device 400, a data formatting server 500 and a data analysis server 600. The network data in these servers and devices forms network data packets with time sequence relevance, and the network data is processed by the data formatting server 500 and the data analysis server 600 to obtain a data packet anomaly detection result.
In practical situations, attack behaviors often have time sequence relevance, and when large-scale attacks occur, relevance must exist between the attack behaviors, and the attack behaviors can be combined to find complete abnormal behaviors. Therefore, the aggregation of the flow rate is carried out under certain conditions, and the analysis of abnormal behaviors of the aggregated flow rate is more practical.
As shown in fig. 2, the method includes steps S201 to S203 as follows:
Step S201, obtaining a network data packet to be processed, where the network data packet at least includes: timing information;
Step S202, determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics;
Step S203, inputting the data packet vector into a preset machine learning model to obtain a network abnormal behavior judgment result.
From the above description, it can be seen that the following technical effects are achieved by the present application:
A network data packet to be processed is acquired, the network data packet at least comprising timing information; a data packet vector for representing the network abnormal behavior is determined according to the timing information and preset network abnormal behavior characteristics; and the data packet vector is input into a preset machine learning model to obtain a network abnormal behavior judgment result. This achieves the technical effects of improving detection efficiency and accuracy, and solves the technical problems of a single intrusion detection mode and low detection rate.
In the above step S201, the acquired network data packet to be processed is processed according to the timing information. This step is performed in the server.
In the step S202, a data packet vector for characterizing the network abnormal behavior is determined according to the time sequence information obtained in the above step and a preset network abnormal behavior feature. I.e. to express network anomalous behavior on a packet basis. The preset network abnormal behavior characteristics can be obtained through the steps of data aggregation and normalization representation, characteristic transformation based on a self-similarity matrix, mapping conversion of characteristics and the like.
In a specific embodiment, the determining, according to the timing information and preset network abnormal behavior characteristics, a packet vector for characterizing the network abnormal behavior includes: according to the time sequence information, aggregating the network data packets to obtain a first processing result, wherein the first processing result comprises an aggregated and/or normalized processing result; performing feature transformation on the first processing result to obtain a second processing result, wherein the second processing result comprises a feature transformation result based on a self-similarity matrix; and converting the second processing result into a target vector of the data packet.
In one embodiment, the data is divided into two portions: abnormal data and normal data.
In a preferred embodiment, for the abnormal data: data in a period of time is selected, and the data with the same destination IP in that period is aggregated to form an m × n data packet, where m is the number of data records and n is the number of features of each record. The same process is performed for the normal data.
In one embodiment, the network packet may be represented as:
In a preferred embodiment, to facilitate fast convergence of the algorithm in the subsequent calculation, the packet matrix is normalized as follows:
where $\min_l(x_{lk})$ indicates the minimum value in the data packet and $\max_l(x_{lk})$ indicates the maximum value in the data packet.
In a preferred embodiment, the converting the second processing result into a target vector of a data packet includes: setting the same-dimension features of different data in the network data packet as $x_{ak}$ and $x_{bk}$; obtaining the distance between the kth features of each sample in the network data packet; converting the data packet of the second processing result into n distance matrices $S = \{D_1, D_2, \ldots, D_n\}$, where n is a natural number; and obtaining the target vector through the distance matrices.
In specific implementation, for the matrix obtained in the above step, $x_{ak}$ and $x_{bk}$ are defined as the same-dimension features of different data in a data packet. A distance function is defined, indicating the distance between the kth features of each sample in a packet.
A packet is converted into n distance matrices: $S = \{D_1, D_2, \ldots, D_n\}$, where $D_k$ denotes the distance matrix of the kth feature.
I.e. a matrix of m.
In a preferred embodiment, the converting the second processing result into a target vector of the data packet comprises: dynamically defining the number K of Gaussian distributions, so that K is adjusted to a preset degree with the number of samples in the network data packet.
In a preferred embodiment, the converting the second processing result into a target vector of a data packet includes: modeling the distribution of each feature in the network data packet with a Gaussian mixture model.
In specific implementation, the distance matrix is converted into a vector.
For the similarity matrix of the kth feature, the diagonal elements are all 0 and the upper triangular matrix and the lower triangular matrix are the same, so the upper triangular matrix is selected and arranged by columns to form a vector of size r × 1.
According to the above feature transformation, the data in one data packet is expanded, the invariance of the elements in the data packet is ensured, and no data information is lost. Because S is expressed in the form of distances, the invariance of the overall information is ensured even if the order of the flows changes.
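The aggregation, normalization and self-similarity steps described above, as an added example (not code from the patent). The flow fields, the 60-second window, the min-max formula and the absolute-difference distance are assumptions, since the page's own formulas did not survive extraction.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_s, dst_ip, duration_s, bytes, packets).
FLOWS = [
    (0.5, "10.0.0.5", 0.2, 400, 4),
    (1.0, "10.0.0.5", 0.1, 380, 4),
    (1.4, "10.0.0.9", 3.0, 9000, 60),
    (2.1, "10.0.0.5", 0.3, 420, 5),
    (2.8, "10.0.0.5", 0.1, 390, 4),
    (61.0, "10.0.0.5", 5.0, 15000, 90),
]


def aggregate(flows, window_s):
    """Group flows into m x n packets keyed by (window index, destination IP)."""
    bags = defaultdict(list)
    for ts, dst, *features in sorted(flows):  # time order within each packet
        bags[(int(ts // window_s), dst)].append([float(f) for f in features])
    return dict(bags)


def min_max_normalize(bag):
    """Scale each feature column k to [0, 1] with min_l(x_lk) and max_l(x_lk)."""
    cols = list(zip(*bag))
    bounds = [(min(c), max(c)) for c in cols]
    out = []
    for row in bag:
        norm = []
        for x, (lo, hi) in zip(row, bounds):
            # A constant column carries no information; map it to 0.
            norm.append(0.0 if hi == lo else (x - lo) / (hi - lo))
        out.append(norm)
    return out


def distance_matrices(bag):
    """S = {D_1..D_n}: one m x m matrix per feature.

    D_k[a][b] = |x_ak - x_bk| is an assumed distance function.
    """
    m, n = len(bag), len(bag[0])
    return [
        [[abs(bag[a][k] - bag[b][k]) for b in range(m)] for a in range(m)]
        for k in range(n)
    ]


def upper_triangle_vector(d):
    """Strict upper triangle of D_k read column by column: m(m-1)/2 entries."""
    m = len(d)
    return [d[a][b] for b in range(m) for a in range(b)]


def bag_to_vectors(bag):
    """Normalize a packet and return one distance vector per feature."""
    return [upper_triangle_vector(d) for d in distance_matrices(min_max_normalize(bag))]


if __name__ == "__main__":
    for key, bag in sorted(aggregate(FLOWS, 60).items()):
        print(key, [[round(v, 2) for v in vec] for vec in bag_to_vectors(bag)])
```

A packet holding a single flow yields empty vectors, so a detector built on this representation needs a minimum packet size before it can score anything.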
In order to better fit the distribution form of the data, a mixed Gaussian model is adopted to simulate the distribution condition of each feature in the data packet.
The Gaussian model is as follows:
The Gaussian mixture model is as follows:
where $\theta_i$, $\mu_i$, $\delta_i$ are optimized using the EM algorithm.
By the following mapping function, each element in the vector is represented as the probability that it is selected by a component in the Gaussian mixture model.
In the application scenario, the GMM algorithm fits the data to obtain not a cluster model but a probability model describing the distribution of the data. If the number of the specified Gaussian distributions is large, more computing resources are consumed; if the number is too small, the packetized samples cannot be accurately described. Therefore, the number of Gaussian distributions K is chosen to be dynamically defined so that it can be adjusted to some extent with the number of packet samples without loss of generality.
Through grid search, the optimal hyper-parameter is defined as c, with m the number of samples and λ an adjusting coefficient, balancing the packet size against the degree to which the statistical distribution is described.
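The mapping step above, as an added example (not code from the patent): a one-dimensional Gaussian mixture is fitted with EM and each element of a distance vector is replaced by its per-component probabilities. The patent's formula for K and its mapping function are not on the page, so K is passed in as a parameter and the mapping is assumed to be the posterior responsibility; the sample vector is constructed.

```python
import math

# Constructed distance vector with a tight low cluster and a tight high cluster.
DISTANCES = [0.02, 0.05, 0.03, 0.04, 0.90, 0.95, 0.92, 0.01, 0.97, 0.06]


def responsibilities(x, weights, mus, sigmas):
    """Posterior probability that x belongs to each component.

    Computed in log space so points far from every mean do not underflow to 0/0.
    """
    logs = [
        math.log(w) - math.log(s) - 0.5 * ((x - mu) / s) ** 2
        for w, mu, s in zip(weights, mus, sigmas)
    ]
    top = max(logs)
    exps = [math.exp(v - top) for v in logs]
    total = sum(exps)  # >= 1 because the largest term is exp(0)
    return [e / total for e in exps]


def fit_gmm_1d(values, k, iters=50, min_sigma=1e-3):
    """EM for a 1-D mixture; returns (theta, mu, delta) in the page's naming."""
    if k < 1 or len(values) < k:
        raise ValueError("need at least k values to fit k components")
    xs = sorted(values)
    # Deterministic start: means at evenly spaced quantiles, one shared width.
    mus = [xs[int((i + 0.5) * len(xs) / k)] for i in range(k)]
    spread = (xs[-1] - xs[0]) / k or 1.0
    sigmas = [max(spread, min_sigma)] * k
    weights = [1.0 / k] * k
    for _ in range(iters):
        # E-step: responsibilities of every component for every value.
        resp = [responsibilities(x, weights, mus, sigmas) for x in values]
        # M-step: re-estimate weight, mean and standard deviation.
        for i in range(k):
            ni = sum(r[i] for r in resp)
            if ni < 1e-12:
                continue  # empty component: keep its previous parameters
            weights[i] = ni / len(values)
            mus[i] = sum(r[i] * x for r, x in zip(resp, values)) / ni
            var = sum(r[i] * (x - mus[i]) ** 2 for r, x in zip(resp, values)) / ni
            # The floor keeps a component from collapsing onto a single point.
            sigmas[i] = max(math.sqrt(var), min_sigma)
    return weights, mus, sigmas


def map_vector(values, k):
    """Replace each element by its K component probabilities (assumed mapping)."""
    weights, mus, sigmas = fit_gmm_1d(values, k)
    return [responsibilities(x, weights, mus, sigmas) for x in values]


if __name__ == "__main__":
    for x, row in zip(DISTANCES, map_vector(DISTANCES, 2)):
        print(x, [round(p, 3) for p in row])
```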
In step S203, a network abnormal behavior determination result is obtained by inputting the data packet vector into a preset machine learning model.
In a preferred embodiment, the preset machine learning model is a detection model based on a convolutional neural network, wherein the detection model adopts a CNN model, and the loss function adopts a cross entropy loss function.
In one embodiment, the model input is
The output is 0 or 1: 0 indicates normal, and 1 indicates abnormal.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than here.
According to an embodiment of the present application, there is also provided a device for processing network abnormal behavior, which is used to implement the method described above, and as shown in fig. 3, the device includes:
an obtaining module 301, configured to obtain a network data packet to be processed, where the network data packet at least includes: timing information;
a determining module 302, configured to determine, according to the timing information and preset network abnormal behavior characteristics, a data packet vector for characterizing the network abnormal behavior;
and the judging module 303 is configured to obtain a network abnormal behavior judging result by inputting the data packet vector into a preset machine learning model.
The obtaining module 301 processes the obtained network data packet to be processed according to the time sequence information. This step is performed in the server.
In the determining module 302, a data packet vector for characterizing the network abnormal behavior is determined according to the time sequence information obtained in the above steps and preset network abnormal behavior characteristics. I.e. to express network anomalous behavior on a packet basis. The preset network abnormal behavior characteristics can be obtained through the steps of data aggregation and normalization representation, characteristic transformation based on a self-similarity matrix, mapping conversion of characteristics and the like.
In a specific embodiment, the determining, according to the timing information and preset network abnormal behavior characteristics, a packet vector for characterizing the network abnormal behavior includes: according to the time sequence information, aggregating the network data packets to obtain a first processing result, wherein the first processing result comprises an aggregated and/or normalized processing result; performing feature transformation on the first processing result to obtain a second processing result, wherein the second processing result comprises a feature transformation result based on a self-similarity matrix; and converting the second processing result into a target vector of the data packet.
In a preferred embodiment, the converting the second processing result into a target vector of a data packet includes: dynamically defining the number K of Gaussian distributions, so that K is adjusted to a preset degree with the number of samples in the network data packet.
In a preferred embodiment, the converting the second processing result into a target vector of a data packet includes: modeling the distribution of each feature in the network data packet with a Gaussian mixture model.
In the above-mentioned discrimination module 303, a discrimination result of the network abnormal behavior is obtained by inputting the data packet vector into a preset machine learning model.
In a preferred embodiment, the preset machine learning model is a detection model based on a convolutional neural network, wherein the detection model adopts a CNN model, and the loss function adopts a cross entropy loss function.
In order to better understand the flow of the above network abnormal behavior monitoring method based on the time sequence characteristics, the following explains the above technical solutions with reference to the preferred embodiments, but is not limited to the technical solutions of the embodiments of the present invention.
The preferred embodiment of the application provides an attack behavior detection model based on time sequence feature packet representation. Because the network attack behaviors are always persistent, a single network behavior cannot represent a complete path of the network attack, and the same network attack behavior often has similar behavior characteristics, it is very necessary to converge each network traffic together according to the time sequence to perform the front-back association analysis.
Fig. 4 is a schematic flow chart of the method for monitoring abnormal network behavior based on time sequence characteristics in the embodiment of the present application, which specifically includes the following steps:
Step S401, network flow data.
Step S402, packet representation of network behavior characteristics.
Determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics comprises the following steps: according to the time sequence information, aggregating the network data packets to obtain a first processing result, wherein the first processing result comprises an aggregated and/or normalized processing result; performing feature transformation on the first processing result to obtain a second processing result, wherein the second processing result comprises a feature transformation result based on a self-similarity matrix; and converting the second processing result into a target vector of the data packet.
Step S4021, data aggregation and normalized representation.
In one embodiment, the data is divided into two portions: abnormal data and normal data.
In a preferred embodiment, for the abnormal data: data in a period of time is selected, and the data with the same destination IP in that period is aggregated to form an m × n data packet, where m is the number of data records and n is the number of features of each record. The same process is performed for the normal data.
In one embodiment, the network packet may be represented as:
Step S4022, feature transformation based on the self-similarity matrix.
Converting the second processing result into a target vector of a data packet comprises: setting the same-dimension features of different data in the network data packet as $x_{ak}$ and $x_{bk}$; obtaining the distance between the kth features of each sample in the network data packet; converting the data packet of the second processing result into n distance matrices $S = \{D_1, D_2, \ldots, D_n\}$, where n is a natural number; and obtaining the target vector through the distance matrices.
Step S4023, mapping conversion of the features.
The converting the second processing result into a target vector of a data packet comprises:
dynamically defining the number K of Gaussian distributions, so that K is adjusted to a preset degree with the number of samples in the network data packet.
The converting the second processing result into a target vector of a data packet comprises: modeling the distribution of each feature in the network data packet with a Gaussian mixture model.
Step S403, an intrusion detection model based on the convolutional neural network.
The preset machine learning model is a detection model based on a convolutional neural network, wherein the detection model adopts a CNN model, and a loss function adopts a cross entropy loss function.
The model parameters were as follows:
Embodiments of the present application further provide a storage medium having a computer program stored therein, wherein the computer program is configured to perform the steps in any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, obtaining a network data packet to be processed, wherein the network data packet at least comprises: timing information;
S2, determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics;
S3, inputting the data packet vector into a preset machine learning model to obtain a network abnormal behavior judgment result.
Optionally, the storage medium is further arranged to store a computer program for performing the steps of:
S1, according to the time sequence information, aggregating the network data packets to obtain a first processing result, wherein the first processing result comprises an aggregated and/or normalized processing result;
S2, performing feature transformation on the first processing result to obtain a second processing result, wherein the second processing result comprises a feature transformation result based on a self-similarity matrix;
S3, converting the second processing result into a target vector of the data packet.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present application further provide an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, obtaining a network data packet to be processed, wherein the network data packet at least comprises: timing information;
S2, determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics;
S3, inputting the data packet vector into a preset machine learning model to obtain a network abnormal behavior judgment result.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
It will be apparent to those skilled in the art that the modules or steps of the present application described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and they may alternatively be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, or fabricated separately as individual integrated circuit modules, or fabricated as a single integrated circuit module from multiple modules or steps. Thus, the present application is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.
Claims (10)
1. A network abnormal behavior monitoring method based on time sequence characteristics is characterized by comprising the following steps:
acquiring a network data packet to be processed, wherein the network data packet at least comprises: timing information;
determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics;
and inputting the data packet vector into a preset machine learning model to obtain a network abnormal behavior judgment result.
2. The method of claim 1, wherein determining, according to the timing information and a preset network abnormal behavior characteristic, a packet vector for characterizing the network abnormal behavior comprises:
according to the time sequence information, aggregating the network data packets to obtain a first processing result, wherein the first processing result comprises an aggregated and/or normalized processing result;
performing feature transformation on the first processing result to obtain a second processing result, wherein the second processing result comprises a feature transformation result based on a self-similarity matrix;
and converting the second processing result into a target vector of the data packet.
3. The method of claim 2, wherein converting the second processing result into a destination vector of a packet comprises:
setting the same-dimension features of different data in the network data packet as $x_{ak}$ and $x_{bk}$;
converting the data packet of the second processing result into n distance matrices $S = \{D_1, D_2, \ldots, D_n\}$, where n is a natural number;
and obtaining the target vector through the distance matrix.
4. The method of claim 2, wherein converting the second processing result into a destination vector of a packet comprises:
dynamically defining the number K of Gaussian distributions is adopted, so that the number of samples along with the network data packet is adjusted to a preset degree.
5. The method of claim 2, wherein converting the second processing result into a destination vector of a packet comprises:
and simulating the distribution condition of each characteristic in the network data packet summary by adopting a mixed Gaussian model.
6. The method according to claim 1, wherein the preset machine learning model is a convolutional neural network-based detection model, wherein the detection model adopts a CNN model, and the loss function adopts a cross entropy loss function.
7. A network abnormal behavior monitoring device based on time sequence characteristics is characterized by comprising:
an obtaining module, configured to obtain a network data packet to be processed, where the network data packet at least includes: timing information;
the determining module is used for determining a data packet vector for representing the network abnormal behavior according to the time sequence information and preset network abnormal behavior characteristics;
and the judging module is used for inputting the data packet vector into a preset machine learning model to obtain a network abnormal behavior judging result.
8. The apparatus of claim 7, wherein the determining module is further configured for:
according to the time sequence information, aggregating the network data packets to obtain a first processing result, wherein the first processing result comprises an aggregated and/or normalized processing result;
performing feature transformation on the first processing result to obtain a second processing result, wherein the second processing result comprises a feature transformation result based on a self-similarity matrix;
and converting the second processing result into a target vector of the data packet.
9. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 6 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 6.
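The aggregation, normalization and self-similarity steps of claims 3 and 8 can be sketched as follows; this is an added illustration, not code from the patent. The window length, the min-max scaling, the absolute-difference distance and the sample flows are assumptions, and the Gaussian-mixture and CNN stages are not shown.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp_s, bytes, packets, duration_s).
FLOWS = [
    (0.5, 1200, 10, 0.8),
    (1.2, 1180, 9, 0.7),
    (3.9, 64000, 400, 0.2),   # constructed burst that should stand out
    (4.1, 1250, 11, 0.9),
    (11.0, 900, 7, 0.5),
    (12.5, 950, 8, 0.6),
]

def aggregate_by_time(flows, window_s):
    """Group flows into consecutive time windows, keeping time order."""
    windows = defaultdict(list)
    for rec in sorted(flows, key=lambda r: r[0]):
        windows[int(rec[0] // window_s)].append(rec[1:])
    return [windows[k] for k in sorted(windows)]

def normalize(rows):
    """Min-max scale each feature column to [0, 1]; constant columns map to 0."""
    scaled = []
    for col in zip(*rows):
        lo, span = min(col), max(col) - min(col)
        scaled.append([(v - lo) / span if span else 0.0 for v in col])
    return [list(r) for r in zip(*scaled)]

def distance_matrices(rows):
    """Return S = [D_1..D_n] with D_k[a][b] = |x_ak - x_bk| (assumed metric)."""
    n_features = len(rows[0])
    return [
        [[abs(ra[k] - rb[k]) for rb in rows] for ra in rows]
        for k in range(n_features)
    ]

def self_similarity(flows, window_s=10.0):
    """Per time window: aggregate, normalize, then build the n matrices."""
    return [distance_matrices(normalize(w))
            for w in aggregate_by_time(flows, window_s)]

if __name__ == "__main__":
    for i, S in enumerate(self_similarity(FLOWS)):
        print(f"window {i}: {len(S)} matrices of size {len(S[0])}x{len(S[0])}")
```

In the first window the burst flow's row in the bytes matrix is close to 1 against every other flow, which is the cross-flow contrast a single-flow detector never sees.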
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110958581.XA CN115842636A (en) | 2021-08-20 | 2021-08-20 | Network abnormal behavior monitoring method and device based on time sequence characteristics |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115842636A true CN115842636A (en) | 2023-03-24 |
Family
ID=85574083
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110958581.XA Pending CN115842636A (en) | 2021-08-20 | 2021-08-20 | Network abnormal behavior monitoring method and device based on time sequence characteristics |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115842636A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116781430A (en) * | 2023-08-24 | 2023-09-19 | 克拉玛依市燃气有限责任公司 | Network information security system and method for gas pipe network |
CN116781430B (en) * | 2023-08-24 | 2023-12-01 | 克拉玛依市燃气有限责任公司 | Network information security system and method for gas pipe network |
CN117155706A (en) * | 2023-10-30 | 2023-12-01 | 北京中科网芯科技有限公司 | Network abnormal behavior detection method and system |
CN117155706B (en) * | 2023-10-30 | 2024-02-13 | 北京中科网芯科技有限公司 | Network abnormal behavior detection method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||