CN116647372A - Threat detection method based on full flow analysis - Google Patents

Threat detection method based on full flow analysis

Info

Publication number: CN116647372A
Authority: CN (China)
Prior art keywords: threat, flow, data, data set, flow data
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202310524875.0A
Other languages: Chinese (zh)
Inventors: 孙进, 钟收成, 杨志刚, 陈冰清, 高雪琪
Current assignee: Wuhan Cloud Computing Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Wuhan Cloud Computing Technology Co ltd
Priority date: 2023-05-10 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2023-05-10
Publication date: 2023-08-25
Application filed by Wuhan Cloud Computing Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/0464 Convolutional networks [CNN, ConvNet]
    • G06N3/08 Learning methods
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a threat detection method based on full flow analysis, which relates to the field of network data security and comprises the following steps: acquiring a flow data set, acquiring information entropy data and network behavior distance data of the flow data set, constructing a high-dimensional data compression structure, and detecting a first threat degree of the flow data set; establishing a threat probability model by combining flow characteristics of the flow data set with a normal distribution model, and detecting a second threat degree of the flow data set; establishing a threat machine learning model by combining the feature vector of the flow data set with an artificial neural network model, and detecting a third threat degree of the flow data set; and combining the first, second and third threat degrees to detect the total threat degree of the flow data set. The four indexes constrain one another, and misjudgment is reduced by combining the good adaptability of the information entropy and network behavior distance judgments, the real-time nature of the probability model judgment and the high accuracy of the machine learning judgment.

Description

Threat detection method based on full flow analysis
Technical Field
The invention relates to the field of network data security, in particular to a threat detection method based on full-flow analysis.
Background
With the rapid development of internet technology, network traffic keeps growing, applications keep multiplying, network attacks become more frequent and attack modes more covert, and traditional network security analysis systems find it increasingly difficult to meet the network security requirements of enterprises and public institutions; in particular, the complex networks of large campuses pose even greater challenges. To cope with increasingly complex network security threats, a single detection technology cannot satisfy the security requirements of a large-scale network environment. For example, network traffic analysis based on neural networks has the advantage of identifying unknown attacks, but its accuracy still needs improvement; knowledge graph technology has the advantage of higher accuracy, but its recall rate still needs improvement. Network malicious traffic detection, as an effective security protection technology, can monitor the network in real time, effectively sense external attacks and provide response decisions for the relevant management personnel.
Chinese patent CN115941361A, "Malicious traffic identification method, device and apparatus", discloses a malicious traffic identification method that classifies the traffic data to be identified on the basis of its certificate registration information, and thereby determines whether that traffic data carries a malicious risk. However, that patent relies solely on certificate registration information to decide whether traffic data is malicious, and identification based on certificate registration information alone has a large error, so additional judgment criteria need to be added.
Disclosure of Invention
In view of this, the invention provides a threat detection method based on full flow analysis, which examines flow data against the triple index of information entropy and distance measurement, a probability model and machine learning, and reduces the error of threat detection.
The technical scheme of the invention is realized as follows: the invention provides a threat detection method based on full flow analysis, which comprises the following steps:
s1, acquiring a flow data set, acquiring information entropy data and network behavior distance data of the flow data set, constructing a high-dimensional data compression structure, and detecting a first threat degree of the flow data set;
s2, establishing a threat probability model by combining flow characteristics of the flow data set with a normal distribution model, and detecting a second threat degree of the flow data set;
s3, establishing a threat machine learning model by combining the feature vector of the flow data set with the artificial neural network model, and detecting a third threat degree of the flow data set;
s4, detecting the total threat degree of the flow data set from the first, second and third threat degrees.
Preferably, the step S1 further includes:
randomly aggregating information entropy data and network behavior distance data through a hash function to construct a high-dimensional data compression structure:
$C[a, h_a(\mathrm{key})] \mathrel{+}= \mathrm{Value},\quad a \in [1, H],\ h_a(\mathrm{key}) \in [1, K],$
where $C[a, h_a(\mathrm{key})]$ is the value in row $a$, column $h_a(\mathrm{key})$ of the high-dimensional data compression structure and holds a number of bytes or packets, key is the information entropy data, $H$ is the number of hash functions, $h_a(\mathrm{key})$ is the $a$-th hash function, $K$ is the size of each hash table, and the number of hash tables is $H$.
Preferably, the step S1 further includes:
judging, for each hash table of the high-dimensional data compression structure, whether it exceeds a threshold value, a hash table that exceeds the threshold being an abnormal hash table; when more than H/2 of the hash tables are abnormal, the high-dimensional data compression structure is judged to be abnormal and the first threat degree is output as 2; otherwise, the first threat degree is output as 0.
Preferably, the step S2 further includes:
obtaining flow characteristics with high-dimensional attribute features from the flow data set, establishing a threat probability model, eliminating repeated samples from the flow characteristics, selecting the characteristics with the greatest discriminating ability from the flow characteristics by principal component analysis, and clustering the flow characteristics with a robust spatial kernel fuzzy C-means algorithm.
Preferably, the step S2 further includes:
clustering the flow characteristics to obtain the most representative characteristic subset, detecting the threat degree directly on that characteristic subset, and outputting a second threat degree of 1 if the threat degree is abnormal; otherwise, outputting the first threat degree as 0.
Preferably, the step S3 further includes:
obtaining a high-dimensional feature vector from the flow data set, establishing a threat machine learning model with an artificial neural network model, screening out the log data in the flow data and the operating system monitoring indexes, and detecting and classifying abnormal behaviors through the features of the resilient distributed dataset.
Preferably, the step S3 further includes:
presetting a dynamic threshold, comparing the predicted value obtained by feature detection with the dynamic threshold, marking the predicted value as an abnormal predicted value if it exceeds the threshold and outputting a third threat degree of 1; otherwise, outputting the first threat degree as 0.
Preferably, the step S4 further includes:
obtaining the total threat degree P of the flow data set by combining the first, second and third threat degrees:
where $P_1$ is the first threat degree, $P_2$ the second threat degree and $P_3$ the third threat degree.
Preferably, the step S4 further includes:
the information entropy data and the network behavior distance data together serve as one threat degree evaluation index, and the weight of the first threat degree is set to 2; the probability model and the machine learning each serve, in parallel with the information entropy data and network behavior distance data, as a threat degree evaluation index, and the weights of the second and third threat degrees are each set to 1.
Compared with the prior art, the threat detection method based on full flow analysis has the following beneficial effects:
(1) Threat detection of flow data is carried out through the quadruple index of information entropy, network behavior distance data, a probability model and machine learning; the four indexes constrain one another, and misjudgment is reduced by combining the good adaptability of the information entropy and network behavior distance judgments, the real-time nature of the probability model judgment and the high accuracy of the machine learning judgment;
(2) The information entropy data and the network behavior distance data are randomly aggregated by hash functions; owing to the randomness of the hash functions, the flow data are distributed relatively randomly across the hash tables and remain relatively stable over a short period, so that abnormal behavior of the flow data is reflected intuitively;
(3) Different weights are assigned to the four indexes (information entropy, network behavior distance data, probability model and machine learning), and the threat degree of the flow data is judged by the four indexes jointly, avoiding the chance errors of a judgment based on a single index.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a threat detection method based on full traffic analysis in accordance with the present invention.
Detailed Description
The following description of the embodiments of the present invention will clearly and fully describe the technical aspects of the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, are intended to fall within the scope of the present invention.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or wireless connection terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or wireless connection terminal. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or wireless connection terminal comprising the element.
Examples:
a threat detection method based on full flow analysis is provided, as shown in FIG. 1, comprising the following steps:
s1, acquiring a flow data set, acquiring information entropy data and network behavior distance data of the flow data set, constructing a high-dimensional data compression structure, and detecting a first threat degree of the flow data set;
s2, establishing a threat probability model by combining flow characteristics of the flow data set with a normal distribution model, and detecting a second threat degree of the flow data set;
s3, establishing a threat machine learning model by combining the feature vector of the flow data set with the artificial neural network model, and detecting a third threat degree of the flow data set;
s4, detecting the total threat degree of the flow data set from the first, second and third threat degrees.
It should be noted that: with the vigorous development of computer network technology, the Internet has become part of every aspect of production and daily life, and network traffic is tightly coupled to hosts, networks and applications, forming a system of complex structure that integrates many factors. But while society enjoys the convenience brought by informatization and intelligent systems, a great deal of malicious activity exists on the Internet. These malicious activities consume network resources, degrade the performance of network devices and end hosts, and pose a security threat to a wide range of network users. As hacking techniques advance, the detection capability of traditional technologies based on host, network and signature matching gradually declines, network security is threatened again, and researchers have turned to research on malicious traffic detection technology.
Threat detection of the flow data is carried out through the quadruple index of information entropy, network behavior distance data, a probability model and machine learning; the four indexes constrain one another, and misjudgment is reduced by combining the good adaptability of the information entropy and network behavior distance judgments, the real-time nature of the probability model judgment and the high accuracy of the machine learning judgment.
Step S1 further includes:
randomly aggregating information entropy data and network behavior distance data through a hash function to construct a high-dimensional data compression structure:
$C[a, h_a(\mathrm{key})] \mathrel{+}= \mathrm{Value},\quad a \in [1, H],\ h_a(\mathrm{key}) \in [1, K],$
where $C[a, h_a(\mathrm{key})]$ is the value in row $a$, column $h_a(\mathrm{key})$ of the high-dimensional data compression structure and holds a number of bytes or packets, key is the information entropy data, $H$ is the number of hash functions, $h_a(\mathrm{key})$ is the $a$-th hash function, $K$ is the size of each hash table, and the number of hash tables is $H$.
Judging, for each hash table of the high-dimensional data compression structure, whether it exceeds a threshold value, a hash table that exceeds the threshold being an abnormal hash table; when more than H/2 of the hash tables are abnormal, the high-dimensional data compression structure is judged to be abnormal and the first threat degree is output as 2; otherwise, the first threat degree is output as 0.
It should be noted that: the high-dimensional data compression structure is a probabilistic aggregation and compression data structure for stream data; it is a compact structure of constant size formed by randomly aggregating the flow data through hash functions. Intuitively it takes the form of a two-dimensional table of H rows and K columns, and it actually consists of H hash tables of size K. Each row of the high-dimensional data compression structure corresponds to an independent hash function $h_a(\mathrm{key})$.
In the process of detecting abnormal flow data, the key is generally provided by the information entropy data, and the value is a byte count or packet count. The high-dimensional data compression structure is an effective data summarization and compression tool, at the cost of a tolerable error. Because of the randomness of the hash functions, the flow data are distributed relatively randomly across the hash tables and remain relatively stable over a short period of time. Therefore, when the flow data change greatly, the distribution of the high-dimensional data compression structure also changes greatly, which reflects the abnormal behavior of the flow data and lets the threat be detected.
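The structure of step S1, as an added worked example (illustrative code written for this page, not the patent's own implementation): H hash tables of K buckets each, updated as C[a, h_a(key)] += value with the payload's Shannon entropy as the key and the flow's byte count as the value, followed by the "more than H/2 abnormal tables" rule. Everything the patent leaves unspecified is an assumption made here: the hash functions (SHA-256 over the row index and the entropy rounded to 0.1 bit), the per-table test (a table is abnormal when any bucket exceeds a byte threshold), the values H = 5, K = 64, the threshold of 10,000 bytes, and the sample flows, which are constructed rather than captured.

```python
import hashlib
import math
from collections import Counter
from typing import Iterable, List, Tuple

H = 5   # number of hash functions / hash tables (assumed value)
K = 64  # buckets per hash table (assumed value)


def payload_entropy(data: bytes) -> float:
    """Shannon entropy (bits per byte) of the byte distribution; used as the key."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def h(a: int, key: float, cols: int = K) -> int:
    """a-th hash function h_a(key) -> bucket index in [0, cols).
    Assumed construction: SHA-256 over the row index and the entropy
    quantised to 0.1 bit, so nearby entropies share a bucket."""
    digest = hashlib.sha256(f"{a}:{key:.1f}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % cols


class CompressionStructure:
    """H x K table; row a is an independent hash table keyed by h_a(key)."""

    def __init__(self, rows: int = H, cols: int = K) -> None:
        self.rows, self.cols = rows, cols
        self.c: List[List[int]] = [[0] * cols for _ in range(rows)]

    def update(self, key: float, value: int) -> None:
        """C[a, h_a(key)] += value for every row a."""
        for a in range(self.rows):
            self.c[a][h(a, key, self.cols)] += value

    def estimate(self, key: float) -> int:
        """Count-min style point query: the minimum over rows never
        under-estimates the true total accumulated for this key."""
        return min(self.c[a][h(a, key, self.cols)] for a in range(self.rows))

    def abnormal_tables(self, threshold: int) -> int:
        """Assumed per-table test: a hash table is abnormal if any of its
        buckets exceeds the threshold (the patent does not define the test)."""
        return sum(1 for row in self.c if max(row) > threshold)

    def first_threat_degree(self, threshold: int) -> int:
        """Step S1 output: 2 when more than H/2 tables are abnormal, else 0."""
        return 2 if self.abnormal_tables(threshold) > self.rows / 2 else 0


def first_threat_degree_for_window(flows: Iterable[Tuple[bytes, int]],
                                   threshold: int) -> int:
    """Feed one observation window of (payload sample, byte count) and score it."""
    cs = CompressionStructure()
    for payload, nbytes in flows:
        cs.update(payload_entropy(payload), nbytes)
    return cs.first_threat_degree(threshold)


# Constructed sample windows (not captured traffic).
THRESHOLD = 10_000  # bytes per bucket; assumed for the example
NORMAL_FLOWS = [
    (f"GET /page{i}.html HTTP/1.1\r\nHost: intranet.example\r\n".encode(), 400)
    for i in range(20)
]
# A burst of 60 flows whose payload samples all have the same high entropy,
# so their bytes land in one bucket of every table.
_HIGH_ENTROPY = bytes(range(256)) * 2
BURST_FLOWS = [(_HIGH_ENTROPY, 400) for _ in range(60)]

if __name__ == "__main__":
    print("normal window:", first_threat_degree_for_window(NORMAL_FLOWS, THRESHOLD))
    print("burst window :", first_threat_degree_for_window(NORMAL_FLOWS + BURST_FLOWS, THRESHOLD))
```

The normal window carries 8,000 bytes in total, so no bucket can exceed the threshold whatever the hash collisions, and the first threat degree is 0; the burst puts 24,000 bytes into one bucket of every table, all H tables become abnormal, and the degree is 2. In practice the per-bucket threshold would be learned from a baseline window rather than fixed, and the majority rule over H tables is what keeps a single unlucky collision from raising an alert.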
Step S2 further includes:
obtaining flow characteristics with high-dimensional attribute features from the flow data set, establishing a threat probability model, eliminating repeated samples from the flow characteristics, selecting the characteristics with the greatest discriminating ability from the flow characteristics by principal component analysis, and clustering the flow characteristics with a robust spatial kernel fuzzy C-means algorithm.
Clustering the flow characteristics to obtain the most representative characteristic subset, detecting the threat degree directly on that characteristic subset, and outputting a second threat degree of 1 if the threat degree is abnormal; otherwise, outputting the first threat degree as 0.
It should be noted that: flow characteristics with high-dimensional attribute features contain many redundant features, which hurt both the efficiency and the effectiveness of detecting abnormal network behavior. To remove the influence of redundant features on anomaly detection, important features must be selected by feature selection or feature extraction methods, which help improve the accuracy of an intrusion detection system and reduce the execution time of intrusion detection.
Clustering the flow characteristics by principal component analysis and the robust spatial kernel fuzzy C-means algorithm reduces the detection cost and improves detection efficiency at the level of the probability model.
Step S3 further includes:
Obtaining a high-dimensional feature vector from the flow data set, establishing a threat machine learning model with an artificial neural network model, screening out the log data in the flow data and the operating system monitoring indexes, and detecting and classifying abnormal behaviors through the features of the resilient distributed dataset.
Presetting a dynamic threshold, comparing the predicted value obtained by feature detection with the dynamic threshold, marking the predicted value as an abnormal predicted value if it exceeds the threshold and outputting a third threat degree of 1; otherwise, outputting the first threat degree as 0.
It should be noted that: to effectively reduce the false alarm rate of an anomaly detection system, many researchers apply data mining and machine learning methods to anomaly detection; common algorithms include linear regression, decision trees, support vector machines, naive Bayes and random forests, and artificial neural network models are widely used models with self-learning capability that can also search for optimal solutions quickly. Threat detection at the machine learning level is completed through the artificial neural network model: the log data of the flow data and the operating system monitoring indexes can be screened out quickly, and abnormal behaviors can be detected and classified accurately on the basis of the features of the resilient distributed dataset.
Step S4 further includes:
Obtaining the total threat degree P of the flow data set by combining the first, second and third threat degrees:
where $P_1$ is the first threat degree, $P_2$ the second threat degree and $P_3$ the third threat degree.
The information entropy data and the network behavior distance data together serve as one threat degree evaluation index, and the weight of the first threat degree is set to 2; the probability model and the machine learning each serve, in parallel with the information entropy data and network behavior distance data, as a threat degree evaluation index, and the weights of the second and third threat degrees are each set to 1.
It should be noted that: by assigning different weights to the four indexes (information entropy, network behavior distance data, probability model and machine learning), the threat degree of the flow data is judged by the four indexes jointly, which avoids the chance errors of a judgment based on a single index and improves the accuracy of threat detection.
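The weighting of steps S3 and S4, as an added example (illustrative code written for this page, not the patent's own implementation). The patent states the weights 2, 1 and 1 and the output values of each degree but does not print the combination formula, so the total is assumed here to be the plain sum of the three degrees, each of which already carries its weight; the dynamic threshold of step S3 is likewise assumed to be the mean plus two standard deviations of the recent predicted values, and the history of predicted values is constructed for the example.

```python
from statistics import mean, pstdev
from typing import Dict, Sequence

# Weights stated in step S4.
W_FIRST, W_SECOND, W_THIRD = 2, 1, 1
MAX_TOTAL = W_FIRST + W_SECOND + W_THIRD   # 4 when every index fires


def dynamic_threshold(history: Sequence[float], k: float = 2.0) -> float:
    """Assumed form of the S3 dynamic threshold: mean + k * std of the
    predicted values in the recent window, so the cut-off follows drift."""
    if len(history) < 2:
        raise ValueError("need at least two earlier predicted values")
    return mean(history) + k * pstdev(history)


def third_threat_degree(history: Sequence[float], predicted: float,
                        k: float = 2.0) -> int:
    """S3: a predicted value above the dynamic threshold is abnormal -> 1, else 0."""
    return W_THIRD if predicted > dynamic_threshold(history, k) else 0


def second_threat_degree(subset_abnormal: bool) -> int:
    """S2: the clustered characteristic subset was judged abnormal -> 1, else 0."""
    return W_SECOND if subset_abnormal else 0


def total_threat(p1: int, p2: int, p3: int) -> int:
    """S4 fusion, assumed to be the sum: P1 is 2 or 0, P2 and P3 are 1 or 0,
    so the weights are already embedded in the degree values."""
    return p1 + p2 + p3


def fuse(p1: int, subset_abnormal: bool, history: Sequence[float],
         predicted: float) -> Dict[str, int]:
    """Combine the S1 degree (computed elsewhere) with the S2 and S3 verdicts."""
    p2 = second_threat_degree(subset_abnormal)
    p3 = third_threat_degree(history, predicted)
    return {"P1": p1, "P2": p2, "P3": p3, "P": total_threat(p1, p2, p3)}


# Constructed recent predicted values from the S3 model (not real model output).
HISTORY = [0.10, 0.12, 0.11, 0.13, 0.12, 0.11]

if __name__ == "__main__":
    # Only the machine-learning index fires: 1 of a possible 4.
    print(fuse(0, False, HISTORY, 0.90))
    # All indexes agree: 4 of 4.
    print(fuse(2, True, HISTORY, 0.90))
```

A single index can contribute at most 2 of the 4 points, which is the sense in which the weighting avoids the chance error of one indicator; the patent does not state at what value of P a window is reported, so that cut-off is an operator decision.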
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, alternatives, and improvements that fall within the spirit and scope of the invention.

Claims (9)

1. The threat detection method based on full flow analysis is characterized by comprising the following steps:
s1, acquiring a flow data set, acquiring information entropy data and network behavior distance data of the flow data set, constructing a high-dimensional data compression structure, and detecting a first threat degree of the flow data set;
s2, establishing a threat probability model by combining flow characteristics of the flow data set with a normal distribution model, and detecting a second threat degree of the flow data set;
s3, establishing a threat machine learning model by combining the feature vector of the flow data set with the artificial neural network model, and detecting a third threat degree of the flow data set;
s4, detecting the total threat degree of the flow data set from the first, second and third threat degrees.
2. The threat detection method based on full traffic analysis of claim 1, wherein step S1 further comprises:
randomly aggregating information entropy data and network behavior distance data through a hash function to construct a high-dimensional data compression structure:
$C[a, h_a(\mathrm{key})] \mathrel{+}= \mathrm{value},\quad a \in [1, H],\ h_a(\mathrm{key}) \in [1, K],$
where $C[a, h_a(\mathrm{key})]$ is the value in row $a$, column $h_a(\mathrm{key})$ of the high-dimensional data compression structure and holds a number of bytes or packets, key is the information entropy data, $H$ is the number of hash functions, $h_a(\mathrm{key})$ is the $a$-th hash function, $K$ is the size of each hash table, and the number of hash tables is $H$.
3. The threat detection method based on full traffic analysis of claim 2, wherein step S1 further comprises:
judging, for each hash table of the high-dimensional data compression structure, whether it exceeds a threshold value, a hash table that exceeds the threshold being an abnormal hash table; when more than H/2 of the hash tables are abnormal, the high-dimensional data compression structure is judged to be abnormal and the first threat degree is output as 2; otherwise, the first threat degree is output as 0.
4. A threat detection method based on full traffic analysis according to claim 3, wherein said step S2 further comprises:
obtaining flow characteristics with high-dimensional attribute features from the flow data set, establishing a threat probability model, eliminating repeated samples from the flow characteristics, selecting the characteristics with the greatest discriminating ability from the flow characteristics by principal component analysis, and clustering the flow characteristics with a robust spatial kernel fuzzy C-means algorithm.
5. The threat detection method based on full traffic analysis of claim 4, wherein step S2 further comprises:
clustering the flow characteristics to obtain the most representative characteristic subset, detecting the threat degree directly on that characteristic subset, and outputting a second threat degree of 1 if the threat degree is abnormal; otherwise, outputting the first threat degree as 0.
6. The threat detection method based on full traffic analysis of claim 5, wherein step S3 further comprises:
obtaining a high-dimensional feature vector from the flow data set, establishing a threat machine learning model with an artificial neural network model, screening out the log data in the flow data and the operating system monitoring indexes, and detecting and classifying abnormal behaviors through the features of the resilient distributed dataset.
7. The threat detection method based on full traffic analysis of claim 6, wherein step S3 further comprises:
presetting a dynamic threshold, comparing the predicted value obtained by feature detection with the dynamic threshold, marking the predicted value as an abnormal predicted value if it exceeds the threshold and outputting a third threat degree of 1; otherwise, outputting the first threat degree as 0.
8. The threat detection method based on full traffic analysis of claim 1, wherein step S4 further comprises:
obtaining the total threat degree P of the flow data set by combining the first, second and third threat degrees:
where $P_1$ is the first threat degree, $P_2$ the second threat degree and $P_3$ the third threat degree.
9. The threat detection method based on full traffic analysis of claim 8, wherein step S4 further comprises:
the information entropy data and the network behavior distance data together serve as one threat degree evaluation index, and the weight of the first threat degree is set to 2; the probability model and the machine learning each serve, in parallel with the information entropy data and network behavior distance data, as a threat degree evaluation index, and the weights of the second and third threat degrees are each set to 1.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310524875.0A CN116647372A (en) 2023-05-10 2023-05-10 Threat detection method based on full flow analysis
Publications (1)

Publication Number Publication Date
CN116647372A true CN116647372A (en) 2023-08-25

Family

ID=87614498

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310524875.0A Pending CN116647372A (en) 2023-05-10 2023-05-10 Threat detection method based on full flow analysis

Country Status (1)

Country Link
CN (1) CN116647372A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination