CN116170208A - Network intrusion real-time detection method based on semi-supervised ISODATA algorithm - Google Patents

Publication number
CN116170208A
Authority
CN
China
Prior art keywords
clustering
data
distance
class
average
Legal status
Pending
Application number
CN202310144550.XA
Other languages
Chinese (zh)
Inventor
胡赞
安亚鹏
李周
韩雪松
白旭东
Current Assignee
Beijing An Xin Tian Xing Technology Co ltd
Original Assignee
Beijing An Xin Tian Xing Technology Co ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a real-time network intrusion detection method based on a semi-supervised ISODATA algorithm, relating to the technical field of network security. The method comprises the following steps: collecting internet traffic data and mixing in a small amount of labeled network intrusion traffic of various types to form a training data set; extracting features through feature engineering and performing standardization preprocessing; clustering the data set with the ISODATA algorithm and adjusting the clustering parameters until the expected clustering effect is achieved; and using a stream processing engine to calculate, in real time, the Euclidean distance between network traffic and each cluster center, and judging whether an intrusion has occurred and its type. By performing iterative self-organizing clustering with the ISODATA algorithm, the invention can flexibly perform multi-center clustering, is highly robust to noise and outliers, and helps improve the detection rate and accuracy of network intrusion detection. By using the stream processing engine, high throughput and low latency can be maintained on massive data, which significantly improves detection efficiency and ensures the timeliness of network intrusion detection.

Description

Network intrusion real-time detection method based on semi-supervised ISODATA algorithm
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network intrusion real-time detection method based on a semi-supervised ISODATA algorithm.
Background
With the development and wide application of internet technology, more and more work depends on networks, and at the same time network intrusion techniques continue to emerge, even endangering national security. However, existing intrusion detection systems lack active defense capability, and updates to detection rules always lag behind updates to attack techniques. Traditional approaches also have no mature method for solving serious false-alarm and missed-alarm problems. Research on new intrusion detection techniques is therefore particularly important for realizing active defense against network intrusion.
At present, network intrusion detection based on a k-means algorithm is to divide similar data into the same cluster, divide dissimilar data into different clusters, mark the clusters to indicate whether the clusters are normal or abnormal, divide the data on the network into each cluster, and judge whether the network data are abnormal according to the marks of the clusters. The detection mode is simple to realize and high in convergence speed, but an iteration method is adopted, so that only a local optimal solution can be obtained, and the detection mode is sensitive to noise and abnormal points.
The abnormality detection method based on the HMM mainly utilizes the characteristic that the HMM can track state transition, a normal program model is established by using a normal system call sequence, and calibration is carried out according to the matching of a short sequence and a normal system call behavior model during detection. A model can be built using a smaller number of samples, but there is no guarantee that the predicted state sequence as a whole is the most likely state sequence.
The network intrusion real-time detection method based on the semi-supervised ISODATA algorithm can utilize a small amount of marked data as priori information to guide the clustering process, thereby improving the clustering quality. The network intrusion detection method based on the model has strong adaptability, not only can identify some unknown attack behaviors, but also has good real-time performance on a large-flow network.
The information disclosed in this background section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.
Disclosure of Invention
The invention aims to provide a network intrusion real-time detection method based on a semi-supervised ISODATA algorithm, which solves the problems existing in the prior art.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
A network intrusion real-time detection method based on a semi-supervised ISODATA algorithm, the method comprising:
S1: collecting internet traffic data, and mixing in labeled network intrusion traffic of various types as a training data set;
S2: extracting features through feature engineering, and performing standardization preprocessing;
S3: clustering the data set by using the ISODATA algorithm, and adjusting the clustering parameters until the expected clustering effect is achieved;
S4: using a stream processing engine to calculate the Euclidean distance between the network traffic and each cluster center in real time, and judging whether an intrusion has occurred and its type.
Further, in step S1, the internet traffic data is transport layer statistics information, and the network intrusion traffic is various historical intrusion data manually screened out; the transport layer statistics information is a transport layer message stored in a Pcap file format, including a Pcap Header, a Packet Header, and Packet Data.
Further, in step S2, the feature extraction is to extract an 80-dimensional feature set by using a TCP stream or a UDP stream as a unit; the normalization processing is to convert data of different orders into scores of unified metrics by adopting a Z-Score normalization method, and the calculation formula of the Z-Score normalization method is as follows:
Figure BDA0004088693950000031
where $z_i$ represents the normalized data; $x_i$ represents the feature data of the training data set; $\mu$ represents the mean of the values of a feature.
Further, the step S3 specifically includes the following steps:
S31: performing ISODATA iterative self-organizing clustering on the standardized training data; the iterative self-organizing clustering comprises the steps of:
T1: setting initial parameters, and performing nearest-neighbor clustering according to the initial cluster centers;
T2: calculating the judgment parameters for the splitting and merging operations, including the average intra-class distance and the overall average distance of all samples; the specific formulas are as follows:
Figure BDA0004088693950000032
Figure BDA0004088693950000033
where [Figure BDA0004088693950000034] is the average distance of the samples in a cluster block $C_i$ from the cluster center $c_i$; [Figure BDA0004088693950000035] is the average distance of all samples from their cluster centers; $N_i$ is for cluster block $C_i$; and $k$ is the initial cluster number;
T3: judging the ending, splitting and merging operations, as follows: the intra-class standard deviation vector is calculated, and the component $\sigma_{imax}$ with the largest standard deviation is found for each class; the specific calculation formula is as follows:
$\sigma_i = (\sigma_{i1}, \sigma_{i2}, \ldots, \sigma_{im})^T$
Figure BDA0004088693950000036
where $\sigma_{im}$ is the standard deviation of the $m$th component of the $i$th cluster, $x_{lm}$ is the $m$th component of the $l$th sample, and $x_{im}$ is the $m$th component of the $i$th cluster center. When $\sigma_{imax}$ is greater than the input standard deviation parameter $\theta_s$ and one of the following two conditions is satisfied, cluster block $C_i$ is split into two cluster blocks:
Condition 1:
Figure BDA0004088693950000037
and $N_i > 2(N+1)$
Condition 2: $k \le K/2$
where $K$ is the expected number of clusters and $N$ is the minimum number of samples in each cluster domain;
when the splitting condition is satisfied, the iteration count is incremented by 1 and two new cluster centers $c_i^+$ and $c_i^-$ are generated, as follows:
$c_i^+ = c_i + \sigma_{imax}$
$c_i^- = c_i - \sigma_{imax}$
where $c_i$ is the cluster center of the class that satisfies the splitting condition, and $\sigma_{imax}$ is the component with the maximum standard deviation;
when the merging operation is satisfied, the two classes are merged into a brand new class, and the clustering center of the class has the following calculation formula:
Figure BDA0004088693950000041
where $n_i$ and $n_j$ represent the numbers of samples of the two classes that satisfy the merge operation;
for all cluster centers, the pairwise distances are calculated:
$\delta_{ij} = d(c_i, c_j),\ i = 1, 2, \ldots, k,\ j = i, i+1, \ldots, k$
the $\delta_{ij}$ that are less than $C$ are arranged in ascending order and, starting from the smallest $\delta_{ij}$, the two classes are merged, where $C$ is the minimum distance parameter between two cluster centers;
when the iteration number ip=k, the algorithm ends;
T4: judging whether the clustering result is from the last iteration, and repeating the above steps or ending the procedure;
S32: by adjusting the parameters, the various intrusion types are made to achieve the expected effect of minimum intra-class distance and maximum inter-class distance; the expected effect is determined by performance index functions, and the specific calculation formulas are as follows:
Figure BDA0004088693950000042
Figure BDA0004088693950000043
Figure BDA0004088693950000044
$\mathrm{inter\_min}(k) = \min(\lVert c_i - c_j \rVert)$
where $M$ is the total number of data; $N_i$ is for cluster block $C_i$; $k$ is the initial cluster number; $c_{ij}$ is for belonging to cluster center $c_i$; the four functions intra_average, intra_max, inter_average and inter_min represent the average intra-class distance, the maximum intra-class distance, the average inter-class distance and the minimum inter-class distance, respectively; and
Figure BDA0004088693950000051
respectively represent the "inter-class/intra-class average clustering performance index" and the "inter-class/intra-class edge clustering performance index".
Further, the step S4 specifically includes the following steps:
S41: receiving internet data by using a streaming framework, extracting features and performing standardization processing;
S42: passing the processed data through the constructed models in turn, and calculating the Euclidean distance D between the processed data and each cluster center;
S43: comparing the Euclidean distance D with the intra-class maximum distance intra_max to judge the intrusion type.
By adopting the technical scheme, the invention has the following beneficial effects:
1) ISODATA iterative self-organizing clustering can automatically adjust the number of classes and the cluster centers during clustering, so the clustering result is closer to the objective, real clustering result. This avoids the influence that the initial cluster number selected in advance in the K-means algorithm has on the clustering result, and also resolves the difference in operating efficiency among multiple algorithms.
2) Semi-supervised ISODATA solves the high cost of manually labeling samples in supervised learning and can accurately output the class with only a small number of labeled samples; it also has the advantage of unsupervised learning in that it can obtain unknown mapping relations between data and identify some unknown attack behaviors, meeting the requirements of artificial intelligence.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description will briefly explain the drawings needed in the embodiments or the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network intrusion real-time detection method based on a semi-supervised ISODATA algorithm according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings; the described embodiments are some, but not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art based on the embodiments of the invention without inventive effort fall within the scope of the invention.
Referring to fig. 1, the invention provides a network intrusion real-time detection method based on a semi-supervised ISODATA algorithm, which comprises the following steps:
S1: collecting internet traffic data, and mixing in labeled network intrusion traffic of various types as a training data set;
S2: extracting features through feature engineering, and performing standardization preprocessing;
S3: clustering the data set by using the ISODATA algorithm, and adjusting the clustering parameters until the expected clustering effect is achieved;
S4: using a stream processing engine to calculate the Euclidean distance between the network traffic and each cluster center in real time, and judging whether an intrusion has occurred and its type.
In this embodiment, in step S1, the internet traffic data is transport layer statistics information, and the network intrusion traffic is various historical intrusion data manually screened out; the transport layer statistics information is a transport layer message stored in a Pcap file format, including a Pcap Header, a Packet Header, and Packet Data.
In this embodiment, the feature extraction in step S2 is to extract an 80-dimensional feature set in units of a TCP stream or a UDP stream; the normalization processing is to convert data of different orders into scores of unified metrics by adopting a Z-Score normalization method, and the calculation formula of the Z-Score normalization method is as follows:
Figure BDA0004088693950000071
where $z_i$ represents the normalized data; $x_i$ represents the feature data of the training data set; $\mu$ represents the mean of the values of a feature.
In this embodiment, step S3 specifically includes the steps of:
S31: performing ISODATA iterative self-organizing clustering on the standardized training data; the iterative self-organizing clustering comprises the steps of:
T1: setting initial parameters, and performing nearest-neighbor clustering according to the initial cluster centers;
T2: calculating the judgment parameters for the splitting and merging operations, including the average intra-class distance and the overall average distance of all samples; the specific formulas are as follows:
Figure BDA0004088693950000072
Figure BDA0004088693950000073
where [Figure BDA0004088693950000074] is the average distance of the samples in a cluster block $C_i$ from the cluster center $c_i$; [Figure BDA0004088693950000075] is the average distance of all samples from their cluster centers; $N_i$ is for cluster block $C_i$; and $k$ is the initial cluster number;
T3: judging the ending, splitting and merging operations, as follows: the intra-class standard deviation vector is calculated, and the component $\sigma_{imax}$ with the largest standard deviation is found for each class; the specific calculation formula is as follows:
$\sigma_i = (\sigma_{i1}, \sigma_{i2}, \ldots, \sigma_{im})^T$
Figure BDA0004088693950000076
where $\sigma_{im}$ is the standard deviation of the $m$th component of the $i$th cluster, $x_{lm}$ is the $m$th component of the $l$th sample, and $x_{im}$ is the $m$th component of the $i$th cluster center. When $\sigma_{imax}$ is greater than the standard deviation $\theta_s$ and one of the following two conditions is satisfied, cluster block $C_i$ is split into two cluster blocks:
Condition 1:
Figure BDA0004088693950000077
and $N_i > 2(N+1)$
Condition 2: $k \le K/2$
where $K$ is the expected number of clusters and $N$ is the minimum number of samples in each cluster domain;
when the splitting condition is satisfied, the iteration count is incremented by 1 and two new cluster centers $c_i^+$ and $c_i^-$ are generated, as follows:
$c_i^+ = c_i + \sigma_{imax}$
$c_i^- = c_i - \sigma_{imax}$
where $c_i$ is the cluster center of the class that satisfies the splitting condition, and $\sigma_{imax}$ is the component with the maximum standard deviation;
when the merging operation is satisfied, the two classes are merged into a brand new class, and the clustering center of the class has the following calculation formula:
Figure BDA0004088693950000081
where $n_i$ and $n_j$ represent the numbers of samples of the two classes that satisfy the merge operation;
for all cluster centers, the pairwise distances are calculated:
$\delta_{ij} = d(c_i, c_j),\ i = 1, 2, \ldots, k,\ j = i, i+1, \ldots, k$
the $\delta_{ij}$ that are less than $C$ are arranged in ascending order and, starting from the smallest $\delta_{ij}$, the two classes are merged, where $C$ is the minimum distance parameter between two cluster centers;
when the iteration number ip=k, the algorithm ends;
T4: judging whether the clustering result is from the last iteration, and repeating the above steps or ending the procedure;
S32: by adjusting the parameters, the various intrusion types are made to achieve the expected effect of minimum intra-class distance and maximum inter-class distance; the expected effect is determined by performance index functions, and the specific calculation formulas are as follows:
Figure BDA0004088693950000082
Figure BDA0004088693950000083
Figure BDA0004088693950000084
$\mathrm{inter\_min}(k) = \min(\lVert c_i - c_j \rVert)$
where $M$ is the total number of data; $N_i$ is for cluster block $C_i$; $k$ is the initial cluster number; $c_{ij}$ is for belonging to cluster center $c_i$; the four functions intra_average, intra_max, inter_average and inter_min represent the average intra-class distance, the maximum intra-class distance, the average inter-class distance and the minimum inter-class distance, respectively; and
Figure BDA0004088693950000091
respectively represent the inter-class/intra-class average clustering performance index and the inter-class/intra-class edge clustering performance index.
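One pass of the T2/T3 splitting and merging logic described above, as an added Python example that is not part of the patent text. Because the formula images are missing from this page, condition 1 (block mean distance greater than the overall mean distance), the offset applied only to the largest-deviation component and the sample-weighted merged center follow the standard ISODATA forms and are assumptions; the function names and the 2-D sample data are constructed.

```python
import math

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def assign(samples, centers):
    """T1: put every sample in the block of its nearest center."""
    blocks = [[] for _ in centers]
    for s in samples:
        nearest = min(range(len(centers)), key=lambda i: dist(s, centers[i]))
        blocks[nearest].append(s)
    return blocks

def centroid(block):
    return [sum(col) / len(block) for col in zip(*block)]

def isodata_pass(samples, centers, K, theta_s, N, C):
    """One T2/T3 pass. K: expected cluster count, theta_s: std-dev threshold,
    N: minimum samples per cluster, C: minimum distance between centers."""
    blocks = [b for b in assign(samples, centers) if b]  # empty blocks vanish
    centers = [centroid(b) for b in blocks]
    k = len(centers)

    # T2: mean distance inside each block and over all samples.
    d_i = [sum(dist(s, c) for s in b) / len(b) for b, c in zip(blocks, centers)]
    d_all = sum(d * len(b) for d, b in zip(d_i, blocks)) / len(samples)

    # T3, split: sigma_imax > theta_s and (condition 1 or condition 2).
    out, split = [], False
    for b, c, d in zip(blocks, centers, d_i):
        sigma = [math.sqrt(sum((s[m] - c[m]) ** 2 for s in b) / len(b))
                 for m in range(len(c))]
        m_max = max(range(len(c)), key=sigma.__getitem__)
        cond1 = d > d_all and len(b) > 2 * (N + 1)  # assumed form of condition 1
        cond2 = k <= K / 2
        if sigma[m_max] > theta_s and (cond1 or cond2):
            plus, minus = c[:], c[:]
            plus[m_max] += sigma[m_max]   # c_i^+ = c_i + sigma_imax
            minus[m_max] -= sigma[m_max]  # c_i^- = c_i - sigma_imax
            out += [plus, minus]
            split = True
        else:
            out.append(c)
    if split:
        return out

    # T3, merge: pairs closer than C, smallest delta_ij first, each block once.
    pairs = sorted((dist(centers[i], centers[j]), i, j)
                   for i in range(k) for j in range(i + 1, k)
                   if dist(centers[i], centers[j]) < C)
    used, merged = set(), []
    for _, i, j in pairs:
        if i in used or j in used:
            continue
        n_i, n_j = len(blocks[i]), len(blocks[j])
        merged.append([(n_i * a + n_j * b) / (n_i + n_j)  # assumed weighted mean
                       for a, b in zip(centers[i], centers[j])])
        used |= {i, j}
    return [c for i, c in enumerate(centers) if i not in used] + merged

# Constructed sample: two tight groups of flows in a 2-D normalized feature space.
SAMPLES = [[0, 0], [0, 1], [1, 0], [1, 1],
           [10, 10], [10, 11], [11, 10], [11, 11]]
```

Starting from a single center, the first pass splits it (condition 2), the second pass settles on the two group means, and a start with two centers inside one group merges them back.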
In this embodiment, step S4 specifically includes the steps of:
S41: receiving internet data by using a streaming framework, extracting features and performing standardization processing;
S42: passing the processed data through the constructed models in turn, and calculating the Euclidean distance D between the processed data and each cluster center;
S43: comparing the Euclidean distance D with the intra-class maximum distance intra_max to judge the intrusion type.
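The scoring path of steps S41 to S43, as an added Python example that is not part of the patent text: each flow is Z-Score normalized with the training statistics, its Euclidean distance D to every cluster center is computed, and D is compared with that cluster's intra_max. Assumptions: clusters take the majority label of their few marked members, a cluster with no marked member is treated as normal traffic, a flow outside every intra_max radius is reported as "unknown", and three constructed features stand in for the 80-dimensional set.

```python
import math
from collections import Counter

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def fit_scaler(rows):
    """S2/S41: per-feature mean and standard deviation of the training set."""
    cols = list(zip(*rows))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0  # constant feature
          for c, m in zip(cols, mu)]
    return mu, sd

def zscore(row, mu, sd):
    return [(x - m) / s for x, m, s in zip(row, mu, sd)]

def build_model(rows, labels, raw_centers):
    """Attach a label and an intra_max radius to every cluster center.
    labels[i] is an intrusion type for the few marked flows, None otherwise."""
    mu, sd = fit_scaler(rows)
    centers = [zscore(c, mu, sd) for c in raw_centers]
    members = [[] for _ in centers]
    for row, label in zip(rows, labels):
        z = zscore(row, mu, sd)
        i = min(range(len(centers)), key=lambda n: dist(z, centers[n]))
        members[i].append((dist(z, centers[i]), label))
    clusters = []
    for center, mem in zip(centers, members):
        votes = Counter(label for _, label in mem if label is not None)
        clusters.append({
            "center": center,
            "intra_max": max((d for d, _ in mem), default=0.0),
            # Assumption: a cluster with no marked member is ordinary traffic.
            "label": votes.most_common(1)[0][0] if votes else "normal",
        })
    return {"mu": mu, "sd": sd, "clusters": clusters}

def classify(flow, model):
    """S42/S43: distance D to each center, compared with that cluster's intra_max."""
    z = zscore(flow, model["mu"], model["sd"])
    inside = [(dist(z, c["center"]), c["label"]) for c in model["clusters"]
              if dist(z, c["center"]) <= c["intra_max"]]
    if inside:
        return min(inside)[1]  # nearest cluster whose radius contains the flow
    return "unknown"           # Assumption: outside every radius = unrecognized

# Constructed flows: (duration_s, packets_per_s, mean_packet_len).
TRAIN = [(2.0, 40, 800), (2.5, 50, 760), (1.8, 45, 820), (2.2, 55, 790),
         (0.1, 5000, 60), (0.2, 5200, 64), (0.1, 4800, 60), (0.15, 5100, 62)]
# Only two flows carry a mark, mirroring the small labeled fraction in S1.
LABELS = [None, None, None, None, "syn_flood", None, "syn_flood", None]
# Stand-in for the clustering output of S3: centers in raw feature units.
CENTERS = [(2.125, 47.5, 792.5), (0.1375, 5025.0, 61.5)]
MODEL = build_model(TRAIN, LABELS, CENTERS)
```

Because intra_max is the largest training distance in a cluster, a tight cluster yields a tight radius, so variants of a known class that drift past it are reported as "unknown" rather than given that class's label.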
In conclusion, the iterative self-organizing clustering is carried out by means of the ISODATA algorithm, so that multi-center clustering can be flexibly carried out, the anti-noise and abnormal point capability is excellent, and the detection rate and the accuracy rate of network intrusion are improved; by using the stream processing engine, high throughput and low delay can be maintained under the condition of massive data, the detection efficiency is obviously improved, and the timeliness of network intrusion detection is ensured.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (5)

1. A network intrusion real-time detection method based on a semi-supervised ISODATA algorithm is characterized by comprising the following steps:
S1: collecting internet traffic data, and mixing in labeled network intrusion traffic of various types as a training data set;
S2: extracting features through feature engineering, and performing standardization preprocessing;
S3: clustering the data set by using the ISODATA algorithm, and adjusting the clustering parameters until the expected clustering effect is achieved;
S4: using a stream processing engine to calculate the Euclidean distance between the network traffic and each cluster center in real time, and judging whether an intrusion has occurred and its type.
2. The method for detecting network intrusion in real time based on semi-supervised ISODATA algorithm according to claim 1, wherein in step S1, the Internet traffic data is statistical information of a transmission layer, and the network intrusion traffic is various historical intrusion data manually screened out; the transport layer statistics information is a transport layer message stored in a Pcap file format, including a Pcap Header, a Packet Header, and Packet Data.
3. The method for detecting network intrusion in real time based on semi-supervised ISODATA algorithm according to claim 1, wherein the feature extraction in step S2 is to extract an 80-dimensional feature set in units of TCP stream or UDP stream; the normalization processing is to convert data of different orders into scores of unified metrics by adopting a Z-Score normalization method, and the calculation formula of the Z-Score normalization method is as follows:
Figure FDA0004088693940000011
where $z_i$ represents the normalized data; $x_i$ represents the feature data of the training data set; $\mu$ represents the mean of the values of a feature.
4. The method for detecting network intrusion in real time based on semi-supervised ISODATA algorithm according to claim 1, wherein step S3 specifically comprises the following steps:
S31: performing ISODATA iterative self-organizing clustering on the standardized training data; the iterative self-organizing clustering comprises the steps of:
T1: setting initial parameters, and performing nearest-neighbor clustering according to the initial cluster centers;
T2: calculating the judgment parameters for the splitting and merging operations, including the average intra-class distance and the overall average distance of all samples; the specific formulas are as follows:
Figure FDA0004088693940000021
Figure FDA0004088693940000022
where [Figure FDA0004088693940000023] is the average distance of each sample $c_l$ in a cluster block $C_i$ from the cluster center $c_i$; [Figure FDA0004088693940000026] is the average distance of all samples from their cluster centers; $N_i$ is for cluster block $C_i$; and $k$ is the initial cluster number;
T3: judging the ending, splitting and merging operations, as follows: the intra-class standard deviation vector is calculated, and the component $\sigma_{imax}$ with the largest standard deviation is found for each class; the specific calculation formula is as follows:
$\sigma_i = (\sigma_{i1}, \sigma_{i2}, \ldots, \sigma_{im})^T$
Figure FDA0004088693940000024
where $\sigma_{im}$ is the standard deviation of the $m$th component of the $i$th cluster, $x_{lm}$ is the $m$th component of the $l$th sample, and $x_{im}$ is the $m$th component of the $i$th cluster center. When $\sigma_{imax}$ is greater than the input standard deviation parameter $\theta_s$ and one of the following two conditions is satisfied, cluster block $C_i$ is split into two cluster blocks:
Condition 1:
Figure FDA0004088693940000025
and $N_i > 2(N+1)$
Condition 2: $k \le K/2$
where $K$ is the expected number of clusters and $N$ is the minimum number of samples in each cluster domain;
when the splitting condition is satisfied, the iteration count is incremented by 1 and two new cluster centers $c_i^+$ and $c_i^-$ are generated, as follows:
$c_i^+ = c_i + \sigma_{imax}$
$c_i^- = c_i - \sigma_{imax}$
where $c_i$ is the cluster center of the class that satisfies the splitting condition, and $\sigma_{imax}$ is the component with the maximum standard deviation;
when the merging operation is satisfied, the two classes are merged into a brand new class, and the clustering center of the class has the following calculation formula:
Figure FDA0004088693940000031
where $n_i$ and $n_j$ represent the numbers of samples of the two classes that satisfy the merge operation;
for all cluster centers, the pairwise distances are calculated:
$\delta_{ij} = d(c_i, c_j),\ i = 1, 2, \ldots, k,\ j = i, i+1, \ldots, k$
the $\delta_{ij}$ that are less than $C$ are arranged in ascending order and, starting from the smallest $\delta_{ij}$, the two classes are merged, where $C$ is the minimum distance parameter between two cluster centers;
when the iteration number ip=k, the algorithm ends;
T4: judging whether the clustering result is from the last iteration, and repeating the above steps or ending the procedure;
S32: by adjusting the parameters, the various intrusion types are made to achieve the expected effect of minimum intra-class distance and maximum inter-class distance; the expected effect is determined by performance index functions, and the specific calculation formulas are as follows:
Figure FDA0004088693940000032
Figure FDA0004088693940000033
Figure FDA0004088693940000034
$\mathrm{inter\_min}(k) = \min(\lVert c_i - c_j \rVert)$
where $M$ is the total number of data; $N_i$ is for cluster block $C_i$; $k$ is the initial cluster number; $c_{ij}$ is for belonging to cluster center $c_i$; the four functions intra_average, intra_max, inter_average and inter_min represent the average intra-class distance, the maximum intra-class distance, the average inter-class distance and the minimum inter-class distance, respectively; and
Figure FDA0004088693940000041
respectively represent the inter-class/intra-class average clustering performance index and the inter-class/intra-class edge clustering performance index.
5. The method for detecting network intrusion in real time based on semi-supervised ISODATA algorithm according to claim 1, wherein step S4 specifically comprises the following steps:
S41: receiving internet data by using a streaming framework, extracting features and performing standardization processing;
S42: passing the processed data through the constructed models in turn, and calculating the Euclidean distance D between the processed data and each cluster center;
S43: comparing the Euclidean distance D with the intra-class maximum distance intra_max to judge the intrusion type.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310144550.XA CN116170208A (en) 2023-02-21 2023-02-21 Network intrusion real-time detection method based on semi-supervised ISODATA algorithm

Publications (1)

Publication Number Publication Date
CN116170208A true CN116170208A (en) 2023-05-26

Family

ID=86421606

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116756595A (en) * 2023-08-23 2023-09-15 深圳市森瑞普电子有限公司 Conductive slip ring fault data acquisition and monitoring method
CN116756595B (en) * 2023-08-23 2023-12-01 深圳市森瑞普电子有限公司 Conductive slip ring fault data acquisition and monitoring method
CN117807550A (en) * 2024-02-29 2024-04-02 山东宙雨消防科技股份有限公司 Intelligent quantitative detection method and system for building fire-fighting facilities

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination