CN116032526A - Abnormal network flow detection method based on machine learning model optimization - Google Patents

Abnormal network flow detection method based on machine learning model optimization Download PDF

Info

Publication number
CN116032526A
CN116032526A CN202211383186.4A CN202211383186A CN116032526A CN 116032526 A CN116032526 A CN 116032526A CN 202211383186 A CN202211383186 A CN 202211383186A CN 116032526 A CN116032526 A CN 116032526A
Authority
CN
China
Prior art keywords
flow
layer
data
network
traffic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211383186.4A
Other languages
Chinese (zh)
Inventor
季恩卉
房鹏展
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Focus Technology Co Ltd
Original Assignee
Focus Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Focus Technology Co Ltd filed Critical Focus Technology Co Ltd
Priority to CN202211383186.4A priority Critical patent/CN116032526A/en
Publication of CN116032526A publication Critical patent/CN116032526A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02TCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00Road transport of goods or passengers
    • Y02T10/10Internal combustion engine [ICE] based vehicles
    • Y02T10/40Engine management systems

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an abnormal network flow detection method based on machine learning model optimization, which is characterized by comprising the following steps: acquiring network traffic according to the network node, counting the size of the network traffic, and storing; constructing a flow matrix according to the historical stored flow data; building a 3-sigma model, and generating abnormal distribution of node flow data according to the historical flow of the node; building a deep clustering algorithm model, and training a historical flow deep clustering model; and acquiring the real-time traffic of the node, judging the abnormal traffic of the 3-sigma model, and if the abnormal traffic is abnormal, entering a deep clustering model to predict the abnormal traffic. The invention is based on the data mining technology and the machine learning algorithm to carry out modeling according to the historical flow data, and can carry out the detection of the current flow in real time and high efficiency, thereby achieving the large-scale service availability root cause positioning and the discovery of abnormal network flow.

Description

Abnormal network flow detection method based on machine learning model optimization
Technical Field
The invention relates to the technical field of intelligent fortune dimension and machine learning, in particular to an abnormal network flow detection method based on machine learning model optimization.
Background
With the continuous update of hardware technology, the rapid development of software technology makes the bearing capacity of the existing network dramatically improved, but there is still an upper limit of the bearing capacity of the network. In the information society, massive information is generated every day, and some of the network information is generated by normal and reasonable demands of people, and some of the network information is junk information. These network traffic, which is a significant proportion of the network load and which can steal personal privacy information of people while bringing a great pressure to the network, are generally referred to as abnormal traffic. There are many reasons for network traffic anomalies, including: malicious attacks, such as viruses, doS attacks, DDoS attacks, and the like; illegal access, such as persistent port scanning, remote unauthorized access, etc.
The network traffic anomaly detection technology plays an important role in network supervision, and is widely applied to intelligent operation and maintenance, intrusion detection, DDoS attack detection and other technologies. Network traffic is essentially a random time series, and predictive models and algorithms have been studied for decades as time series analysis evolves. The time series model provides a solution to the linear stationary process by Auto-Regressive (AR), moving Average (MA), and combinations thereof. In addition, common abnormal flow monitoring techniques are also feature-based detection. The method generally needs to build a detailed feature database, and the method is used for detecting by analyzing user or host logs or counting information of data packets in a network, such as flow, packet header information (e.g. source-destination IP, source-destination port, protocol, etc.), content features, and the like, building a judging rule and matching with the data in the feature database.
The common method for abnormal flow detection comprises an integrated learning xgboost algorithm of machine learning, a semi-supervised learning ganomaly algorithm of deep learning and a 3-sigma algorithm of data mining algorithm, wherein the three algorithms have limitations on feature learning, but one algorithm cannot well complete abnormal flow detection tasks, and a large number of false positives are brought, so that the situation of low accuracy rate occurs.
For example, patent CN 202011087361-an automated security protection method based on association of camouflage agents and dynamic technologies, discloses a method for analyzing traffic based on a traditional tool tshark, and uses a deep learning model of a custom neural network to perform hack portraits for matching pairs, but the method aims at using the deep learning network to construct a user image to detect a user, and after sealing, all traffic of the user is judged as abnormal, and obviously, a large number of misjudgment conditions exist for a single event of behavior traffic.
Thus, there is a need for a more applicable and efficient method of abnormal network traffic detection that can be directed to a single event.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide an abnormal network flow detection method based on machine learning model optimization. The method aims to replace the traditional method for detecting abnormal flow, such as detecting abnormal flow by adopting a flow threshold. The invention not only ensures the accuracy of detecting abnormal flow, but also greatly reduces the false alarm rate, and simultaneously has high-efficiency real-time performance.
In order to solve the technical problems, the invention provides an abnormal network flow detection method based on machine learning model optimization, which is characterized by comprising the following steps:
step 1: acquiring network traffic according to the network node, counting the size of the network traffic, and storing;
step 2: constructing a flow matrix according to the historical stored flow data;
step 3: building a 3-sigma model, and generating abnormal distribution of node flow data according to the historical flow of the node;
step 4: building a deep clustering algorithm model, and training a historical flow deep clustering model;
step 5: and acquiring the real-time traffic of the node, judging the abnormal traffic of the 3-sigma model, and if the abnormal traffic is abnormal, entering a deep clustering model to predict the abnormal traffic.
The step 1 specifically includes:
step 1.1: distributing node traffic of traffic generated by a service through a switch and a router network forwarding unit, adopting a linux system by a network equipment system, analyzing a traditional tool tshark by a traffic statistics system by using a network subpackage, counting the traffic according to the tshark system, collecting network information, and sending network topology data to a control plane;
step 1.2: and carrying out data processing on the counted flow data, mapping the flow data into a 0-1 interval in a time period normalization mode, then storing the flow data into a data warehouse, and adopting clickhouse as a data storage warehouse.
The step 2 specifically includes: and carrying out partition calculation on the flow data of different nodes, taking the flow data once every five minutes on average, carrying out flow data analysis, constructing a flow vector once every two hours, then constructing a 24 x 24 flow matrix by taking the flow data with the same date of 24 weeks, converting the flow matrix into a binary file, and storing the binary file in a file storage system.
The step 3 specifically includes:
step 3.1: the data mining algorithm uses a 3-sigma algorithm to calculate the limit error of the flow matrix;
step 3.2: and calculating the corresponding flow mean mu and variance sigma by using the flow matrix, and storing the data of mu-3 sigma and mu+3 sigma of the network node in real time.
The step 4 specifically includes:
after the stored flow matrix is subjected to data cleaning, the flow matrix is manufactured into a tensor dataset, a deep learning model adopts a custom neural network, the custom neural network adopts a TensorFlow intelligent computing platform, and the custom neural network model structure is as follows: the input layer is a fully connected layer dense (128) layer, the second layer is a dense (256) layer, the third layer is a dense (256) layer, dropout=0.5, dropout is connected through a random disconnected neural network, the fourth layer is a dense (256) layer, a relu activation function is adopted, the fifth layer is a dense (8) layer, a relu activation function is adopted, the sixth layer is a dense (256) layer, a relu activation function is adopted, the seventh layer is a dense (256) layer, a relu activation function is adopted, the eighth layer is a dense (256) layer, a relu activation function is adopted, and the decoder output layer is a dense (24) layer, a relu activation function is adopted, and the relu activation function formula is as follows: reLU (θ) =max (0, θ), θ being the output set for each layer;
entering a 2-means layer to be processed,
step 4.1, randomly selecting a point from an input data point set as a first clustering center, wherein the data point set at least comprises 2 clusters;
step 4.2, for each point x in the dataset, calculating its distance D (x) from the first cluster center;
step 4.3, selecting a new data point as a second aggregation center, wherein the selection basis is that: the larger D (x), the greater the probability of being selected as the second cluster center;
and 4.4, repeating the steps 4.2 and 4.3 until 2 cluster centers are selected, wherein the loss function is formed by summing the MSE mean square error of the input data and the decoder output layer and the Euclidean distance generated by k-means, and the formula is as follows:
Figure BDA0003928816190000031
wherein w and b are parameter matrices for calculating predicted values; wx (Wx) i +b is a predicted value; y is (i) Is a true value;
Figure BDA0003928816190000032
and (3) for the calculated Euclidean distance, carrying out model training according to the defined network model structure and the processed data set, and carrying out model storage according to the nodes.
The step 5 specifically includes:
step 5.1, distributing node traffic of traffic generated by the service through a switch and a router network forwarding unit, analyzing network traffic and collecting network information by using tshark, and sending network topology data to a control plane;
step 5.2, preprocessing and storing flow data;
and 5.3, detecting according to the 3-sigma threshold value of the corresponding node, judging normal flow if the current flow is between mu-3 sigma and mu+3 sigma, performing deep clustering detection if the current flow is out of the threshold value, judging abnormal flow if the current flow is not in accordance with the past trend, performing real-time alarm, and storing results if the current flow is in accordance with the past trend, and performing subsequent manual review.
The invention has the beneficial effects that:
the method adopts an creative technical combination mode, adopts the combination of deep learning and data mining technology, utilizes 3-sigma algorithm to advance abnormal flow primary screening, and then uses the deep learning technology to carry out deep detection, and results show that the method has high effect on detecting abnormal network flow, has the accuracy and precision exceeding similar technologies, fully meets the requirements of application scenes, achieves the purpose of rapid warning of abnormal flow, and can be combined with past trend data to carry out more accurate judgment.
Drawings
FIG. 1 is a method flow diagram of an exemplary embodiment of the present invention.
Detailed Description
The core idea of the invention is that the following flow is set:
(1) Acquiring network traffic according to the network ports of the switch routers of different nodes, counting the size of the network traffic and storing the network traffic;
(2) Constructing a flow matrix according to the historical stored flow data, reading the stored flow data by the background according to the numpy computing platform, converting the flow value into a characteristic matrix, and storing the characteristic matrix in a database;
(3) And (3) building a 3-sigma model, generating abnormal distribution of node flow data according to the historical flow of the node, designing a flow monitoring time range, carrying out statistical calculation according to the flow stored in real time through a 3-sigma algorithm, corresponding to the normal flow threshold range of the node, and carrying out dynamic storage.
(4) Building a deep clustering algorithm model, training a historical flow deep clustering model, building a data set according to a historical flow characteristic matrix, building a self-defined deep learning model and a self-defined loss function, training a flow trend detection and classification model, and then storing a dynamic model.
(5) And acquiring real-time flow, performing data preprocessing and matrix transformation operation, then detecting a dynamic threshold value, detecting the trend of the historical flow in the next step if the flow is abnormal, and performing real-time alarm if the flow deviates from the trend excessively and is judged to be abnormal.
The invention is further described below with reference to the drawings and exemplary embodiments:
an exemplary embodiment of the present invention as shown in fig. 1, an abnormal network traffic detection method based on machine learning model optimization, includes the steps of:
step 1: the node network port obtains the flow, distributes the node flow through a switch and a router network forwarding unit, the network equipment system adopts a linux system, the flow statistics system uses a network subpackage to analyze a traditional tool tshark, the flow statistics is carried out according to the tshark system, the network information is collected, and the network topology data is sent to a control plane.
And counting the traffic of the nodes and storing the traffic into a database. And carrying out data processing on the counted flow data, mapping the flow data into a 0-1 interval in a time period normalization mode, then storing the flow data into a data warehouse, and adopting clickhouse as a data storage warehouse. Because the data magnitude is relatively large, higher writing is needed, meanwhile, deleting and updating operations are not needed, the ClickHouse data is stored in columns, meanwhile, the processing and writing speed is very high, 50-200M/s is realized according to vectors, the method is very applicable to a large amount of data updating, and even if the used data is not in an index, the speed of full-table scanning of the ClickHouse is also very high due to various parallel processing mechanisms, and in sum, the ClickHouse data is stored in a ClickHouse large database.
Step 2: and constructing a flow matrix according to the historical data, carrying out partition calculation on the flow data of different nodes, taking the flow data every five minutes on average, constructing a flow vector every two hours, then taking the flow data of the same date of 24 weeks, constructing a 24 x 24 flow matrix according to a numpy computing platform, converting the flow matrix into a binary file, and storing the binary file in a file storage system.
Step 3: and training a 3-sigma model according to the historical traffic matrix. The algorithm is established on the basis of equal-precision repeated measurement of normal flow distribution, disturbance of sense data caused by abnormal flow and normal flow distribution of which the flow noise does not meet the normal flow are established, wherein the probability of abnormal flow data distribution at 1-sigma is 32%, the probability at 2-sigma is 4.5%, the probability at 3-sigma is 0.27%, corresponding flow mean mu and variance sigma are calculated by using a flow matrix, and then data of mu-3 sigma and mu+3 sigma of a network node are stored in real time. The algorithm using 3-sigma is really to filter out most of the data for the primary screening.
Step 4: training a deep clustering model according to the historical traffic matrix. The deep learning model adopts a custom neural network and a TensorFlow intelligent computing platform, and the network model has the following structure: the input layer is a fully connected layer dense (128) layer, a relu activation function is adopted, the second layer is a dense (256) layer, the relu activation function is adopted, the third layer is a dense (256) layer, the relu activation function is adopted, dropout=0.5, dropout is connected through a random disconnection neural network, the fourth layer is a dense (256) layer, the relu activation function is adopted, the fifth layer is a dense (8) layer, the relu activation function is adopted, the sixth layer is a dense (256) layer, the relu activation function is adopted, the seventh layer is a dense (256) layer, the relu activation function is adopted, the eighth layer is a dense (256) layer, the relu activation function is adopted, and the decoer output layer is a dense (24) layer, and the relu activation function is adopted. Relu activation function formula: reLU (x) =max (0, x), x being the output set for each layer; then entering a 2-means layer to train a trend flow detection model, wherein the training comprises the following steps:
step 4.1, randomly selecting a point from an input data point set as a first clustering center, wherein the data point set at least comprises 2 clusters;
step 4.2, for each point x in the dataset, calculating its distance D (x) from the first cluster center;
step 4.3, selecting a new data point as a second aggregation center, wherein the selection basis is that: the larger D (x), the greater the probability of being selected as the second cluster center;
and 4.4, repeating the steps 4.2 and 4.3 until 2 cluster centers are selected, wherein the loss function is formed by summing the MSE mean square error of the input data and the decoder output layer and the Euclidean distance generated by k-means, and the formula is as follows:
Figure BDA0003928816190000051
wherein w and b are parameter matrices for calculating predicted values; wx (Wx) i +b is a predicted value; y is (i) Is a true value;
Figure BDA0003928816190000052
and (3) for the calculated Euclidean distance, carrying out model training according to the defined network model structure and the processed data set, and carrying out model storage according to the nodes.
The Relu activation function is a preferred parameter in the neural network layer, the algorithm core is operated by adopting a self-encoder model and clustering mode, namely a deep clustering mode, and the loss function of the algorithm core is also a self-defined loss function.
Step 5: and detecting the node in real time to judge the abnormal flow. Acquiring real-time traffic, distributing node traffic by a switch and router network forwarding unit, analyzing network traffic by using tshark, forwarding traffic data, storing, detecting according to a 3-sigma threshold value of a corresponding node, judging normal traffic if the traffic is between mu-3 sigma and mu+3 sigma, detecting deep clustering if the traffic is out of the threshold value, judging abnormal traffic if the current traffic does not accord with the prior trend, and alarming in real time. If the result is stored according with the previous trend, the result is manually reviewed later.
In the scheme, flow anomaly detection is carried out in a mode of combining 3-sigma with deep clustering, and relu is used as an activation function in deep learning. The deep clustering DCE is basically not applied in the field of abnormal flow detection, and the DCE detection after 3-sigma primary screening is rarely carried out in the field, and the superior technical effect brought by the technical combination is unexpected.
The comparison of the detection effect achieved by the invention with other similar technologies is shown in the following table:
Method abnormal flow detection accuracy Abnormal flow detection accuracy
Traditional fixed threshold detection 10% 23%
3-sigma algorithm 45% 56%
Depth representation technique 83% 88%
The method 95% 97%
The invention tests the disclosed flow data set, and the accuracy represents the proportion of the correct number of abnormal flow and normal flow detection to the total number; the accuracy rate represents the accuracy rate of the abnormal flow identification, and the number of data sets is 38w. In comparison, the method has excellent technical performance from the detection rate (equivalent to the accuracy rate) of abnormal flow or false alarm.
The beneficial effects achieved by the invention are as follows:
the method adopts an creative technical combination mode, adopts the combination of deep learning and data mining technology, utilizes 3-sigma algorithm to advance abnormal flow primary screening, and then uses the deep learning technology to carry out deep detection, and results show that the method has high effect on detecting abnormal network flow, has the accuracy and precision exceeding similar technologies, fully meets the requirements of application scenes, achieves the purpose of rapid warning of abnormal flow, and can be combined with past trend data to carry out more accurate judgment.
The above embodiments do not limit the present invention in any way, and through the above description, the related workers can completely make various changes and modifications without departing from the scope of the technical idea of the present invention, and all other improvements and applications made to the above embodiments in equivalent transformation form belong to the protection scope of the present invention, and the technical scope of the present invention is not limited to the content on the description, and must be determined according to the scope of claims.

Claims (6)

1. The abnormal network flow detection method based on machine learning model optimization is characterized by comprising the following steps:
step 1: acquiring network traffic according to the network node, counting the size of the network traffic, and storing;
step 2: constructing a flow matrix according to the historical stored flow data;
step 3: building a 3-sigma model, and generating abnormal distribution of node flow data according to the historical flow of the node;
step 4: building a deep clustering algorithm model, and training a historical flow deep clustering model;
step 5: and acquiring the real-time traffic of the node, judging the abnormal traffic of the 3-sigma model, and if the abnormal traffic is abnormal, entering a deep clustering model to predict the abnormal traffic.
2. The abnormal network traffic detection method based on machine learning model optimization of claim 1, wherein: the step 1 specifically includes:
step 1.1: distributing node traffic of traffic generated by a service through a switch and a router network forwarding unit, adopting a linux system by a network equipment system, analyzing a traditional tool tshark by a traffic statistics system by using a network subpackage, counting the traffic according to the tshark system, collecting network information, and sending network topology data to a control plane;
step 1.2: and carrying out data processing on the counted flow data, mapping the flow data into a 0-1 interval in a time period normalization mode, then storing the flow data into a data warehouse, and adopting clickhouse as a data storage warehouse.
3. The abnormal network traffic detection method based on machine learning model optimization of claim 2, wherein: the step 2 specifically includes: and carrying out partition calculation on the flow data of different nodes, taking the flow data once every five minutes on average, carrying out flow data analysis, constructing a flow vector once every two hours, then constructing a 24 x 24 flow matrix by taking the flow data with the same date of 24 weeks, converting the flow matrix into a binary file, and storing the binary file in a file storage system.
4. The abnormal network traffic detection method based on machine learning model optimization of claim 3, wherein: the step 3 specifically includes:
step 3.1: the data mining algorithm uses a 3-sigma algorithm to calculate the limit error of the flow matrix;
step 3.2: and calculating the corresponding flow mean mu and variance sigma by using the flow matrix, and storing the data of mu-3 sigma and mu+3 sigma of the network node in real time.
5. The abnormal network traffic detection method based on machine learning model optimization of claim 4, wherein: the step 4 specifically includes:
after the stored flow matrix is subjected to data cleaning, the flow matrix is manufactured into a tensor dataset, a deep learning model adopts a custom neural network, the custom neural network adopts a TensorFlow intelligent computing platform, and the custom neural network model structure is as follows: the input layer is a fully connected layer dense (128) layer, the second layer is a dense (256) layer, the third layer is a dense (256) layer, dropout=0.5, dropout is connected through a random disconnected neural network, the fourth layer is a dense (256) layer, a relu activation function is adopted, the fifth layer is a dense (8) layer, a relu activation function is adopted, the sixth layer is a dense (256) layer, a relu activation function is adopted, the seventh layer is a dense (256) layer, a relu activation function is adopted, the eighth layer is a dense (256) layer, a relu activation function is adopted, and the decoder output layer is a dense (24) layer, a relu activation function is adopted, and the relu activation function formula is as follows: reLU (θ) =max (0, θ), θ being the output set for each layer;
entering a 2-means layer to be processed,
step 4.1, randomly selecting a point from an input data point set as a first clustering center, wherein the data point set at least comprises 2 clusters;
step 4.2, for each point x in the dataset, calculating its distance D (x) from the first cluster center;
step 4.3, selecting a new data point as a second aggregation center, wherein the selection basis is that: the larger D (x), the greater the probability of being selected as the second cluster center;
and 4.4, repeating the steps 4.2 and 4.3 until 2 cluster centers are selected, wherein the loss function is formed by summing the MSE mean square error of the input data and the decoder output layer and the Euclidean distance generated by k-means, and the formula is as follows:
Figure FDA0003928816180000021
wherein w and b are parameter matrices for calculating predicted values; wx (Wx) i +b is a predicted value; y is (i) Is a true value;
Figure FDA0003928816180000022
and (3) for the calculated Euclidean distance, carrying out model training according to the defined network model structure and the processed data set, and carrying out model storage according to the nodes.
6. The abnormal network traffic detection method based on machine learning model optimization of claim 5, wherein the step 5 specifically comprises:
step 5.1, distributing node traffic of traffic generated by the service through a switch and a router network forwarding unit, analyzing network traffic and collecting network information by using tshark, and sending network topology data to a control plane;
step 5.2, preprocessing and storing flow data;
and 5.3, detecting according to the 3-sigma threshold value of the corresponding node, judging normal flow if the current flow is between mu-3 sigma and mu+3 sigma, performing deep clustering detection if the current flow is out of the threshold value, judging abnormal flow if the current flow is not in accordance with the past trend, performing real-time alarm, and storing results if the current flow is in accordance with the past trend, and performing subsequent manual review.
CN202211383186.4A 2022-11-07 2022-11-07 Abnormal network flow detection method based on machine learning model optimization Pending CN116032526A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211383186.4A CN116032526A (en) 2022-11-07 2022-11-07 Abnormal network flow detection method based on machine learning model optimization

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211383186.4A CN116032526A (en) 2022-11-07 2022-11-07 Abnormal network flow detection method based on machine learning model optimization

Publications (1)

Publication Number Publication Date
CN116032526A true CN116032526A (en) 2023-04-28

Family

ID=86078664

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211383186.4A Pending CN116032526A (en) 2022-11-07 2022-11-07 Abnormal network flow detection method based on machine learning model optimization

Country Status (1)

Country Link
CN (1) CN116032526A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117579295A (en) * 2023-10-07 2024-02-20 广东云下汇金科技有限公司 Data center flow abnormality monitoring sudden rise and fall monitoring system and method thereof
CN117938864A (en) * 2024-03-22 2024-04-26 无锡九方科技有限公司 Node load matching method and system based on machine learning

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117579295A (en) * 2023-10-07 2024-02-20 广东云下汇金科技有限公司 Data center flow abnormality monitoring sudden rise and fall monitoring system and method thereof
CN117938864A (en) * 2024-03-22 2024-04-26 无锡九方科技有限公司 Node load matching method and system based on machine learning
CN117938864B (en) * 2024-03-22 2024-05-28 无锡九方科技有限公司 Node load matching method and system based on machine learning

Similar Documents

Publication Publication Date Title
CN116032526A (en) Abnormal network flow detection method based on machine learning model optimization
Bivens et al. Network-based intrusion detection using neural networks
CN108874927B (en) Intrusion detection method based on hypergraph and random forest
CN107493277B (en) Large data platform online anomaly detection method based on maximum information coefficient
CN109729090B (en) Slow denial of service attack detection method based on WEDMS clustering
KR20210115991A (en) Method and apparatus for detecting network anomaly using analyzing time-series data
CN111614627A (en) SDN-oriented cross-plane cooperation DDOS detection and defense method and system
Zhe et al. DoS attack detection model of smart grid based on machine learning method
KR20200087299A (en) Network Intrusion Detection Method using unsupervised deep learning algorithms and Computer Readable Recording Medium on which program therefor is recorded
CN111092862A (en) Method and system for detecting abnormal communication flow of power grid terminal
CN113162893B (en) Attention mechanism-based industrial control system network flow abnormity detection method
CN106973038A (en) Network inbreak detection method based on genetic algorithm over-sampling SVMs
CN109218321A (en) A kind of network inbreak detection method and system
CN111191720B (en) Service scene identification method and device and electronic equipment
CN114201374B (en) Operation and maintenance time sequence data anomaly detection method and system based on hybrid machine learning
CN109150869A (en) A kind of exchanger information acquisition analysis system and method
CN113723452A (en) Large-scale anomaly detection system based on KPI clustering
CN111598179A (en) Power monitoring system user abnormal behavior analysis method, storage medium and equipment
CN110430224A (en) A kind of communication network anomaly detection method based on random block models
CN109150920A (en) A kind of attack detecting source tracing method based on software defined network
CN113420802A (en) Alarm data fusion method based on improved spectral clustering
Ghalehgolabi et al. Intrusion detection system using genetic algorithm and data mining techniques based on the reduction
CN114070641B (en) Network intrusion detection method, device, equipment and storage medium
CN110650124A (en) Network flow abnormity detection method based on multilayer echo state network
CN111709021B (en) Attack event identification method based on mass alarms and electronic device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination