CN117914629A - Network security detection method and system - Google Patents

Publication number: CN117914629A
Authority: CN (China)
Legal status (as listed, not a legal conclusion): Granted
Application number: CN202410306380.5A
Other languages: Chinese (zh)
Other versions: CN117914629B (en)
Inventors: 陈鹏辉, 金琛森, 程似锦
Current Assignee (as listed): Taizhou Big Data Development Co ltd
Original Assignee: Taizhou Big Data Development Co ltd
Prior art keywords: data, feature, original, time sequence, network

Abstract

The invention provides a network security detection method and system, relating to the technical field of network security detection. The method comprises: ranking the features of the preprocessed data by importance using a feature extraction algorithm based on principal component analysis to obtain a representative feature subset; expanding the feature subset by generation with an autoencoder to obtain network behavior feature time-series data; decomposing the network behavior feature time-series data into different time scales using a wavelet transform; and identifying anomalous points in the time-series data at the different time scales with an anomaly detection algorithm to obtain abnormal behaviors that deviate from the normal pattern. The invention improves detection accuracy.

Description

Network security detection method and system
Technical Field
The present invention relates to the field of network security detection technologies, and in particular, to a network security detection method and system.
Background
With the rapid development of network technology, network behavior is increasingly complex, which poses a great challenge to network security detection. Network behavior feature time-series data is an important source of information about network state and behavior patterns, and plays a key role in network security detection. However, raw network behavior feature time-series data is often high-dimensional, noisy and full of redundant features; using it directly for security detection gives poor results, and it is easily affected by data sparsity and imbalance.
Traditional network security detection methods generally process raw data directly and neglect the internal structure and correlations of the data, which limits detection performance. In addition, these methods often lack an effective assessment of feature importance and cannot extract, from a mass of features, the key information that actually contributes to detection.
Disclosure of Invention
The invention aims to provide a network security detection method and a network security detection system, which improve the detection accuracy.
In order to solve the technical problems, the technical scheme of the invention is as follows:
In a first aspect, a network security detection method comprises:
preprocessing the original network behavior feature time-series data to obtain preprocessed data;
ranking the features of the preprocessed data by importance using a feature extraction algorithm based on principal component analysis to obtain a representative feature subset;
expanding the feature subset by generation with an autoencoder to obtain network behavior feature time-series data;
decomposing the network behavior feature time-series data into different time scales using a wavelet transform;
and identifying anomalous points in the time-series data at the different time scales with an anomaly detection algorithm to obtain abnormal behaviors that deviate from the normal pattern.
Further, preprocessing the original network behavior feature time-series data to obtain preprocessed data comprises:
determining an initial window size based on the characteristics of the data and the analysis target;
placing a window on the data, starting from the starting point of the data;
calculating the average value of all data in the current window;
recording the calculated average value as a new data point in the filtered data set;
moving the window to the right by one data point position, and repeating the above steps until the window slides to the end of the data;
after the average value for every position has been calculated, the resulting new data points constitute the preprocessed data.
Further, calculating an average value of all data in the current window includes: by passing throughThe average of all the data within the current window is calculated, wherein,Is a point in the filtered data sequence representing the position in the original data sequenceA moving average of the values,Is the window size of the moving average filter, which represents the number of data points to be considered in calculating the moving average of a point, is a positive integer,Is a summation symbol representing a pair of slavesTo the point ofIs summed up of all the terms of (a),Is a point in the original data sequence, represented in positionThe data values at which, during the summation process,From 0 toIs an element in the weight vector that corresponds to the position in the windowIs a weight of the data point of (c).
Further, ranking the features of the preprocessed data by importance using a feature extraction algorithm based on principal component analysis to obtain a representative feature subset comprises:
acquiring a preprocessed data set, wherein the preprocessed data set is a data matrix X comprising n total samples and p features, and the data matrix X is:
wherein each row represents a sample and each column represents a feature;
Calculating the average value of each feature in the data matrix X according to the data matrix X, wherein the average value vector The method comprises the following steps:
wherein, Mean of p-th feature and mean of j-th featureThe calculation formula of (2) is as follows: Wherein j=1, 2, …, p; i is an index that is used to traverse all samples in the dataset, i varies from 1 to n, Elements representing the ith row and jth column of the data matrix X;
According to the mean vector Calculating covariance matrixCovariance matrixExpressed as:
wherein, Represented in covariance matrixIn the covariance matrixCovariance of row p and column p; covariance matrixMiddle (f)Line 1Covariance of columnsThe calculation formula of (2) is as follows:
Where k=1, 2, …, p, Representing the elements of the ith row and kth column of the data matrix X,Is the mean value of the j-th feature,Is the mean of the kth feature;
performing eigendecomposition on the covariance matrix to obtain the eigenvectors and eigenvalues of the covariance matrix;
sorting the principal components by the magnitude of the eigenvalues, and calculating the cumulative proportion of explained variance;
obtaining, for the determined principal components, the corresponding eigenvectors, and projecting the original features onto the subspace formed by the principal components;
analyzing the correlation of each original feature with the principal components;
sorting the original features according to the correlation of each original feature with the principal components to obtain a ranking result;
and obtaining a representative feature subset according to the ranking result.
Further, expanding the feature subset by generation with the autoencoder to obtain the network behavior feature time-series data comprises:
determining the input original network behavior feature time-series data;
encoding the original network behavior feature time-series data into a distribution of latent variables using the autoencoder;
sampling latent variables from the latent-variable distribution output by the encoder, and decoding the sampled latent variables into a candidate set of feature time-series data using the autoencoder;
determining an original feature subset from the original feature set, and using the sampled latent variables and the decoder to generate, from the original feature subset, a plurality of feature time-series data similar to that particular feature subset;
forming an extended feature time-series data set from the original feature subset and the plurality of feature time-series data similar to that particular feature subset.
Further, decomposing the network behavior feature time-series data into different time scales using a wavelet transform comprises:
determining the number of decomposition levels of the wavelet transform according to the complexity of the data and the analysis requirements;
performing the wavelet transform according to the network behavior feature time-series data, the wavelet basis function and the number of decomposition levels, so as to decompose the original data into wavelet coefficients;
analyzing the wavelet coefficients to obtain behavior patterns at different time scales.
Further, identifying anomalous points in the time-series data at the different time scales with an anomaly detection algorithm to obtain abnormal behaviors that deviate from the normal pattern comprises:
performing outlier identification on the time-series data of each time scale using a density-based method to obtain identification data;
and identifying the anomalous points at each time scale according to the identification data and a preset threshold.
In a second aspect, a network security detection system includes:
an acquisition module, used for preprocessing the original network behavior feature time-series data to obtain preprocessed data, and for ranking the features of the preprocessed data by importance using a feature extraction algorithm based on principal component analysis to obtain a representative feature subset;
a processing module, used for expanding the feature subset by generation with an autoencoder to obtain network behavior feature time-series data; decomposing the network behavior feature time-series data into different time scales using a wavelet transform; and identifying anomalous points in the time-series data at the different time scales with an anomaly detection algorithm to obtain abnormal behaviors that deviate from the normal pattern.
In a third aspect, a computing device includes:
one or more processors;
and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the above-described method.
In a fourth aspect, a computer readable storage medium stores a program that when executed by a processor implements the above method.
The scheme of the invention at least comprises the following beneficial effects:
In this scheme, the preprocessing and feature extraction steps effectively remove noise and redundant information from the original data and extract the key features that contribute to detection, which improves detection accuracy. By using a data augmentation method based on a variational autoencoder, the invention expands the feature subset by generation, enriches the data set and improves the generalization ability of the model, so that the detection method adapts better to unknown attacks. Decomposing the augmented data into different time scales with a wavelet transform reveals the internal structure and multi-scale characteristics of the data. Identifying anomalous points in the time-series data at the different time scales with an anomaly detection algorithm accurately finds abnormal behavior that deviates from the normal pattern, which improves the performance and efficiency of anomaly detection. The method is flexible and extensible, and can be adjusted and optimized for different network environments and security requirements.
Drawings
Fig. 1 is a flow chart of a network security detection method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a network security detection system according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described more closely below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As shown in Fig. 1, an embodiment of the present invention proposes a network security detection method, which includes:
Step 11, preprocessing the original network behavior feature time-series data to obtain preprocessed data;
Step 12, ranking the features of the preprocessed data by importance using a feature extraction algorithm based on principal component analysis to obtain a representative feature subset;
Step 13, expanding the feature subset by generation with an autoencoder to obtain network behavior feature time-series data;
Step 14, decomposing the network behavior feature time-series data into different time scales using a wavelet transform;
Step 15, identifying anomalous points in the time-series data at the different time scales with an anomaly detection algorithm to obtain abnormal behaviors that deviate from the normal pattern.
In the embodiment of the invention, in step 12, principal component analysis effectively reduces the dimensionality of the data, which lowers computation and storage requirements; ranking the features by importance selects the feature subset that contributes most to the detection task and improves detection precision; and principal component analysis eliminates multicollinearity among the original features. In step 13, the autoencoder learns an internal representation of the data and generates new data samples through encoding and decoding, which enriches the data set; this data augmentation increases the generalization ability of the model so that it is more robust to unknown attacks, and the hidden layer of the autoencoder can learn deeper features of the data, which helps the performance of subsequent detection tasks. In step 14, the wavelet transform provides information about the data at different time scales, which helps capture short-term and long-term patterns of change in network behavior; the features extracted by the wavelet transform are finer and more comprehensive and reflect both local and global characteristics of the data; and the wavelet transform has some denoising ability, which further cleans the data signal and improves detection accuracy. In step 15, the anomaly detection algorithm effectively identifies abnormal behavior that deviates from the normal pattern, so potential security threats can be found in time; performing anomaly detection on data at different time scales captures abnormal patterns more comprehensively and improves detection precision and recall; and anomaly detection algorithms generally have a high processing speed, which meets the requirements of real-time detection and allows security events to be responded to promptly.
In a preferred embodiment of the present invention, step 11 includes:
Step 111, determining an initial window size according to the characteristics of the data and the analysis target;
Step 112, placing a window on the data, starting from the starting point of the data;
Step 113, calculating the average value of all data in the current window;
Step 114, recording the calculated average value as a new data point in the filtered data set;
Step 115, moving the window to the right by one data point position, and repeating the above steps until the window slides to the end of the data;
Step 116, after the average value for every position has been calculated, the resulting new data points form the preprocessed data.
In the embodiment of the present invention, step 111 determines the window size according to the characteristics of the data and the analysis target, so that the preprocessing suits the characteristics of the data itself and the processing effect improves; the choice of initial window size also gives the subsequent data processing flexibility, since it can be adjusted to actual requirements. In step 112, the window slides from the starting point of the data, which ensures that every data point has the opportunity to be contained in a window and processed, giving full coverage of the data; sliding the window divides the data into many small segments for analysis, which helps capture local characteristics of the data. In step 113, calculating the average value of the data in the window smooths the data and reduces random fluctuation and noise; the average serves as a representative of the data in the window and reflects its overall level and trend. In step 114, using the average as a new data point reduces the data volume while retaining the main characteristics of the data and simplifies subsequent processing; replacing the original data points with averages reduces the influence of noise and improves the signal-to-noise ratio of the data. In step 115, moving the window one data point at a time maintains the continuity of the data in time, which helps the subsequent time-series analysis, and the sliding window ensures that every data point is processed, so the data processing is complete. In step 116, applying the moving average method over the entire data set yields a smoother set of new data points, with fewer fluctuations and spikes than the original data.
In a preferred embodiment of the present invention, calculating the average of all data within the current window comprises:
By passing through The average of all the data within the current window is calculated, wherein,Is a point in the filtered data sequence representing the position in the original data sequenceA moving average of the values,Is the window size of the moving average filter, which represents the number of data points to be considered in calculating the moving average of a point, is a positive integer,Is a summation symbol representing a pair of slavesTo the point ofIs summed up of all the terms of (a),Is a point in the original data sequence, represented in positionThe data values at which, during the summation process,From 0 toIs an element in the weight vector that corresponds to the position in the windowIs a weight of the data point of (c).
In the embodiment of the invention, introducing the weight vector means that not only the simple average of the data in the window can be calculated, but also a weighted average according to the importance or credibility of the data points; this makes the average more flexible and lets it better reflect the actual characteristics of the data. Calculating the average of the data in the window with the weighted average method effectively suppresses random noise in the data, and the weight vector can be adjusted to the noise characteristics of the data to further reduce the influence of noise on the average. Assigning different weights to different data points lets certain important features in the data take a larger share of the average, which helps identify abnormal behavior that deviates from the normal pattern more accurately in the subsequent anomaly detection. The weight vector provides additional flexibility for data preprocessing: its setting can be adjusted to different application scenarios and data characteristics to achieve the best data processing effect. Because the weighted average method adapts better to the actual characteristics of the data, it improves the adaptability and accuracy of the whole network security detection algorithm, and helps protect the network more effectively in a complex and changing network environment with changing security threats.
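A sketch of the weighted sliding-window average of steps 111 to 116, added here as an example and not taken from the patent. The helper `peak_retained` and the constructed sample series show how much of a one-sample burst survives the filter, which matters because the smoothed series is what the later detection stage sees. The formula itself did not survive on this page, so the indexing y[i] = sum over j of w[j] * x[i + j] and the normalisation of the weights are assumptions.

```python
from typing import List, Optional, Sequence


def weighted_moving_average(x: Sequence[float], window: int,
                            weights: Optional[Sequence[float]] = None) -> List[float]:
    """Slide a window of `window` points over x one position at a time
    (steps 112-115) and emit one weighted mean per position (step 116).

    Assumed convention: y[i] = sum_{j=0}^{N-1} w[j] * x[i + j], with the
    weights normalised to sum to 1; weights=None gives the plain average.
    """
    if window < 1 or window > len(x):
        raise ValueError("window must be a positive integer no larger than the series")
    if weights is None:
        weights = [1.0] * window
    if len(weights) != window:
        raise ValueError("need exactly one weight per window position")
    total = sum(weights)
    if total <= 0 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative with a positive sum")
    w = [wj / total for wj in weights]
    # Only full windows are evaluated, so the output has len(x) - window + 1 points.
    return [sum(w[j] * x[i + j] for j in range(window))
            for i in range(len(x) - window + 1)]


def peak_retained(x: Sequence[float], window: int,
                  weights: Optional[Sequence[float]] = None) -> float:
    """Fraction of the largest excursion above the median that survives filtering."""
    base = sorted(x)[len(x) // 2]
    y = weighted_moving_average(x, window, weights)
    return (max(y) - base) / (max(x) - base)


# Constructed sample (not real traffic): connections per second, steady at
# 100 with a single-sample burst of 1100 at index 6.
SAMPLE = [100.0] * 6 + [1100.0] + [100.0] * 6

if __name__ == "__main__":
    for n in (1, 3, 5):
        print("window", n, "retains", round(peak_retained(SAMPLE, n), 3))
    print("window 3, weights 1-2-1 retains",
          round(peak_retained(SAMPLE, 3, [1, 2, 1]), 3))
```

A uniform window of N points keeps 1/N of a one-sample burst, so the window size and weights chosen in step 111 bound the shortest event the later stages can still see.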
In a preferred embodiment of the present invention, step 12 includes:
Step 121, acquiring a preprocessed data set, wherein the preprocessed data set is a data matrix X comprising n total samples and p features, and the data matrix X is:
wherein each row represents a sample and each column represents a feature;
Step 122, calculating the mean value of each feature in the data matrix X according to the data matrix X, wherein the mean value vector The method comprises the following steps:
wherein, Mean value of p-th feature, thMean of individual featuresThe calculation formula of (2) is as follows: Wherein j=1, 2, …, p; i is an index that is used to traverse all samples in the dataset, i varies from 1 to n, Elements representing the ith row and jth column of the data matrix X;
Step 123, according to the mean vector Calculating covariance matrixCovariance matrixExpressed as:
wherein, Represented in covariance matrixIn the covariance matrixCovariance of row p and column p; covariance matrixMiddle (f)Line 1Covariance of columnsThe calculation formula of (2) is as follows:
Where k=1, 2, …, p, Representing the elements of the ith row and kth column of the data matrix X,Is the mean value of the j-th feature,Is the mean of the kth feature;
Step 124, performing eigendecomposition on the covariance matrix to obtain the eigenvectors and eigenvalues of the covariance matrix;
Step 125, sorting the principal components by the magnitude of the eigenvalues, and calculating the cumulative proportion of explained variance;
Step 126, obtaining, for the determined principal components, the corresponding eigenvectors, and projecting the original features onto the subspace formed by the principal components;
Step 127, analyzing the correlation of each original feature with the principal components;
Step 128, sorting the original features according to the correlation of each original feature with the principal components to obtain a ranking result;
Step 129, obtaining a representative feature subset according to the ranking result.
In the embodiment of the present invention, steps 124 to 126 implement the core process of principal component analysis (PCA): by performing eigendecomposition on the covariance matrix of the data set and selecting the important principal components, the original high-dimensional data is reduced to a low-dimensional space. This dimensionality reduction simplifies the data structure and reduces the computational complexity of subsequent processing. PCA transforms the original features into new features (principal components) that are uncorrelated with each other. Steps 127 and 128 further analyze the correlation of the original features with the principal components and rank the features accordingly, which helps remove redundant information so that subsequent analysis focuses on the truly important features. By selecting principal components with a high cumulative proportion of explained variance, step 125 ensures that the reduced data still retains most of the important information in the original data set, minimizing the data dimension while preserving the inherent structure and patterns of the data. After preprocessing with PCA, a more compact and less correlated feature subset is obtained (step 129). Such a feature subset improves the training efficiency and performance of subsequent machine learning models and also helps the interpretability of the models, since each principal component is a combination of the original features. When the data is reduced to two or three dimensions (as may be the case in step 126), visual analysis becomes easier, which helps in intuitively understanding the distribution, clustering and outliers of the data and supports further exploratory data analysis. PCA has some robustness to noise and outliers in the data: by selecting an appropriate number of principal components, the impact of these adverse factors on subsequent analysis can be reduced to some extent.
In the embodiment of the present invention, step 124 performs eigendecomposition on the previously calculated covariance matrix. Eigendecomposition decomposes a matrix into its eigenvectors and eigenvalues; the eigenvectors of the covariance matrix represent the principal directions of variation of the data, and the eigenvalues represent the amount of variation along those directions. Eigendecomposition helps in understanding the inherent structure and patterns of the data, and the eigenvalues and eigenvectors provide the basis for the subsequent dimensionality reduction. In step 125, the principal components (PCs) are determined by sorting the eigenvalues from largest to smallest. The proportion of variance explained by each principal component is the ratio of its eigenvalue to the sum of all eigenvalues, and the cumulative proportion of explained variance is the share of the total variance explained by the first several principal components. Choosing the first few principal components that account for most of the variance reduces the dimensionality of the data while preserving important information, and the cumulative proportion of explained variance helps determine how many principal components must be kept to preserve sufficient information.
In step 126, the eigenvectors corresponding to the first few principal components are selected and the original data is projected onto the low-dimensional subspace they span, which in effect converts the original data into a new coordinate system whose axes are the principal components. The projected data has a simpler structure in the new coordinate system, which makes it easier to analyze and process, and the principal components are orthogonal, that is, uncorrelated, which helps eliminate multicollinearity among the original features. In step 127, analyzing the loading of each original feature on the principal components (that is, the coefficient of each original feature in a principal component) shows how much each original feature contributes to the principal components and how it correlates with them, which helps in understanding the importance and role of each original feature in the data set. In step 128, each original feature is ranked by its correlation with the principal components; the ranking helps determine which features contribute most to the principal components (that is, to the main directions of variation of the data) and gives a direct picture of the importance of the original features, which helps identify key features. In step 129, a representative feature subset is selected based on the ranking of the features. This subset may contain the several features that contribute most to the principal components, or may be selected by some threshold criterion. Selecting a smaller feature subset reduces the complexity of the model and the risk of overfitting, and fewer features speed up model training and improve computational efficiency.
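Steps 121 to 129 as runnable Python, added as an example and not code from the patent. The eigendecomposition uses Jacobi rotations so that the block needs only the standard library. The n - 1 covariance denominator, the relevance score (explained-variance-weighted squared loading), the optional z-scoring and the constructed flow records are assumptions.

```python
import math
import random


def covariance_matrix(X):
    """Steps 122-123: per-feature means, then the p x p sample covariance
    (assumed denominator n - 1)."""
    n, p = len(X), len(X[0])
    mean = [sum(row[j] for row in X) / n for j in range(p)]
    return [[sum((row[j] - mean[j]) * (row[k] - mean[k]) for row in X) / (n - 1)
             for k in range(p)] for j in range(p)]


def zscore(X):
    """Optional scaling (an addition, not in the source): centre each feature
    and divide it by its sample standard deviation."""
    n, p = len(X), len(X[0])
    C = covariance_matrix(X)
    mean = [sum(row[j] for row in X) / n for j in range(p)]
    return [[(row[j] - mean[j]) / math.sqrt(C[j][j]) for j in range(p)] for row in X]


def jacobi_eigh(A, sweeps=30):
    """Step 124: eigenvalues and eigenvectors (columns of V) of a symmetric
    matrix, computed with cyclic Jacobi rotations."""
    p = len(A)
    A = [row[:] for row in A]
    V = [[float(i == j) for j in range(p)] for i in range(p)]
    for _ in range(sweeps):
        if all(A[i][j] == 0.0 for i in range(p) for j in range(p) if i != j):
            break
        for a in range(p - 1):
            for b in range(a + 1, p):
                if A[a][b] == 0.0:
                    continue
                # Angle that zeroes A[a][b] under A <- J^T A J.
                theta = 0.5 * math.atan2(2.0 * A[a][b], A[a][a] - A[b][b])
                c, s = math.cos(theta), math.sin(theta)
                for M in (A, V):      # columns: M <- M J
                    for row in M:
                        row[a], row[b] = c * row[a] + s * row[b], c * row[b] - s * row[a]
                for k in range(p):    # rows: A <- J^T A
                    A[a][k], A[b][k] = c * A[a][k] + s * A[b][k], c * A[b][k] - s * A[a][k]
    return [A[i][i] for i in range(p)], V


def rank_features(X, names, variance_target=0.95, standardize=False):
    """Steps 125-129: order components by eigenvalue, keep the first k that
    reach variance_target, then score and rank the original features."""
    vals, V = jacobi_eigh(covariance_matrix(zscore(X) if standardize else X))
    order = sorted(range(len(vals)), key=lambda m: vals[m], reverse=True)
    total = sum(vals)
    ratios = [vals[m] / total for m in order]
    k, cumulative = 0, 0.0
    while cumulative < variance_target and k < len(ratios):
        cumulative += ratios[k]
        k += 1
    # Assumed relevance score: explained-variance-weighted squared loading of
    # the feature on each retained component.
    scores = {name: sum(ratios[m] * V[j][order[m]] ** 2 for m in range(k))
              for j, name in enumerate(names)}
    return sorted(names, key=scores.get, reverse=True), ratios, k, scores


# Constructed flow records (not real traffic): bytes_out and pkt_count move
# together; syn_ratio and dst_ports vary independently on much smaller scales.
NAMES = ["bytes_out", "pkt_count", "syn_ratio", "dst_ports"]
rng = random.Random(7)
SAMPLE = []
for _ in range(200):
    b = 50000 + 20000 * (rng.random() - 0.5)
    SAMPLE.append([b, b / 1000 + (rng.random() - 0.5),
                   0.1 + 0.1 * rng.random(), 1 + 10 * rng.random()])

if __name__ == "__main__":
    for flag in (False, True):
        ranking, ratios, k, _ = rank_features(SAMPLE, NAMES, standardize=flag)
        print("standardize =", flag, "k =", k, [round(r, 4) for r in ratios], ranking)
```

On the constructed records the unscaled covariance lets bytes_out absorb almost all of the variance, so one component is kept and the small-scale features score near zero; with z-scoring three components are kept.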
In a preferred embodiment of the present invention, step 13 includes:
Step 131, determining the input original network behavior feature time-series data;
Step 132, encoding the original network behavior feature time-series data into a distribution of latent variables using an autoencoder;
Step 133, sampling latent variables from the latent-variable distribution output by the encoder, and decoding the sampled latent variables into a candidate set of feature time-series data using the autoencoder;
Step 134, determining an original feature subset from the original feature set, and using the sampled latent variables and the decoder to generate, from the original feature subset, a plurality of feature time-series data similar to that particular feature subset;
Step 135, forming an extended feature time-series data set from the original feature subset and the plurality of feature time-series data similar to that particular feature subset.
In an embodiment of the present invention, step 131 involves determining and collecting the raw network behavior feature time-series data for analysis, where time-series data refers to data arranged in time order, such as network traffic and user behavior records. Analyzing the time-series data gives a better understanding of network behavior patterns and anomalies. In step 132, the autoencoder is an unsupervised neural network model composed of two parts, an encoder and a decoder. The encoder compresses the input data into a low-dimensional latent-variable representation and the decoder attempts to reconstruct the original input from that representation; in this step the original network behavior feature time-series data is encoded into a distribution of latent variables. The latent-variable representation is typically of lower dimensionality, which helps reduce the complexity of the data, and the encoder learns the inherent structure and important features of the data.
In step 133, latent variables are randomly sampled from the latent-variable distribution output by the encoder, and the decoder then decodes these sampled latent variables into a candidate set of possible feature time-series data. This generates new data similar to the original data, which supports data augmentation, and sampling different latent variables makes it possible to explore different representations and potential structures of the data. In step 134, a subset of the original feature set is selected, and new feature time-series data similar to that feature subset is generated with the previously sampled latent variables and the decoder; selecting a particular feature subset focuses the analysis on the most important features, and the new data similar to the selected feature subset is used to expand the data set and strengthen model training. In step 135, the original feature subset and the generated new feature time-series data are combined into a larger, extended feature time-series data set. Combining the original and generated data gives a larger data set, which helps improve the training of the model, and the extended data set contains more data variability and patterns, which helps improve the generalization ability of the model.
In a preferred embodiment of the present invention, the step 14 includes:
step 141, determining the decomposition layer number of wavelet transformation according to the complexity and analysis requirement of the data;
step 142, performing wavelet transformation according to the network behavior characteristic time sequence data, the wavelet basis function and the decomposition layer number to decompose the original data into wavelet coefficients;
step 143, analyzing the wavelet coefficients to obtain patterns of behavior on different time scales.
In the embodiment of the present invention, regarding step 141, the wavelet transform is a signal processing method with good localization in both time and frequency, and the number of decomposition layers determines the level of detail to which the wavelet transform decomposes the signal. A higher number of decomposition layers captures finer data features, but may also increase computational complexity and noise. Selecting the number of decomposition layers according to the characteristics of the data matches the analysis to the complexity of the data, avoids unnecessary over-decomposition, and improves computational efficiency. In step 142, the wavelet transform is performed on the network behavior feature timing data using the selected wavelet basis function (e.g., Haar) and the determined number of decomposition layers. The wavelet transform decomposes the raw data into a series of wavelet coefficients that represent the characteristics of the data over different time scales and frequencies. Because it provides multi-scale analysis, the global and local characteristics of the data can be observed at the same time, and key information in the network behavior feature timing data can be extracted effectively through the wavelet coefficients. In step 143, the wavelet coefficients obtained from the wavelet transform are analyzed. By observing how the wavelet coefficients change on different scales, patterns, trends, and anomalies in network behavior on different time scales can be found.
Analyzing the wavelet coefficients effectively identifies the patterns of network behavior on different time scales. A sudden change or abnormal value in the wavelet coefficients may indicate an abnormal event in the network behavior, so that network problems can be found and handled in time. Analyzing the trend of the wavelet coefficients also allows the future trend of network behavior to be predicted to a certain extent.
In a preferred embodiment of the present invention, the step 15 includes:
step 151, performing outlier recognition on the time sequence data of each time scale by using a density-based method to obtain recognition data;
Step 152, identifying abnormal points on each time scale according to the identification data and the preset threshold.
In an embodiment of the present invention, in step 151 a density-based method (e.g., DBSCAN or the LOF algorithm) is applied to the network behavior feature timing data of each time scale. Outliers are identified by examining the density differences between data points: data points in low-density regions are considered outliers. Density-based methods adapt well to data sets with different distributions and shapes, do not require the distribution of the data to be assumed in advance, and, by considering the density relation among data points, can accurately identify outliers that differ markedly from the surrounding data points. Processing the data of each time scale separately captures abnormal behavior patterns on different time scales. In step 152, the identification data obtained in step 151 (i.e., the anomaly score or label of each data point) is combined with a preset threshold to determine which data points are abnormal points. For example, an anomaly score threshold may be set, and data points with scores higher than the threshold are considered abnormal. Setting the threshold allows the sensitivity of outlier identification to be adjusted according to actual demands, which makes the analysis more flexible. The threshold also provides a clear judgment standard, so the identification result is clearer and easier to interpret. Combined with the threshold judgment, abnormal points on each time scale can be detected effectively, which helps abnormal conditions in network behavior to be found and handled in time.
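Steps 14 and 15 as a runnable sketch, added here and not taken from the patent: a multi-level Haar decomposition followed by a Local Outlier Factor (LOF) score on each scale's coefficients and a threshold on that score. The traffic series is constructed, and `k=3`, the threshold of 3.0 and all function names are assumptions; the self-encoder expansion stage is left out.

```python
import math

def haar_dwt(signal, levels):
    """Orthonormal multi-level Haar DWT -> (approximation, [detail level 1, 2, ...])."""
    if levels < 1 or len(signal) % (2 ** levels):
        raise ValueError("signal length must be a multiple of 2**levels")
    approx, details = list(signal), []
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        details.append([(a - b) / math.sqrt(2) for a, b in pairs])  # local change
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]          # local average
    return approx, details

def lof_scores(values, k=3):
    """Local Outlier Factor of 1-D points: about 1 for inliers, larger when sparser."""
    n = len(values)
    if n <= k:
        raise ValueError("need more than k points per scale")
    neighbours, kdist = [], []
    for i in range(n):
        ranked = sorted((abs(values[i] - values[j]), j) for j in range(n) if j != i)
        neighbours.append([j for _, j in ranked[:k]])
        kdist.append(ranked[k - 1][0])

    def lrd(i):
        # Local reachability density; the floor keeps duplicate values
        # (common in traffic counters) from causing a division by zero.
        reach = [max(kdist[j], abs(values[i] - values[j])) for j in neighbours[i]]
        return 1.0 / max(sum(reach) / k, 1e-12)

    density = [lrd(i) for i in range(n)]
    return [sum(density[j] for j in neighbours[i]) / (k * density[i])
            for i in range(n)]

def detect(signal, levels=3, k=3, threshold=3.0):
    """Per scale, return the sample ranges [start, end) whose LOF exceeds the threshold."""
    approx, details = haar_dwt(signal, levels)
    scales = [(f"d{lvl}", lvl, coeffs) for lvl, coeffs in enumerate(details, 1)]
    scales.append((f"a{levels}", levels, approx))
    flagged = {}
    for name, lvl, coeffs in scales:
        width = 2 ** lvl  # number of samples covered by one coefficient
        flagged[name] = [(i * width, (i + 1) * width)
                         for i, score in enumerate(lof_scores(coeffs, k))
                         if score > threshold]
    return flagged

def constructed_traffic(n=64, plateau=True):
    """Constructed packets-per-second series (not real traffic)."""
    x = [100 + 2 * math.sin(1.7 * t) for t in range(n)]  # baseline with ripple
    x[21] += 60                       # single-sample burst
    if plateau:
        for t in range(40, 48):       # sustained +10 shift over one 8-sample block
            x[t] += 10
    return x

if __name__ == "__main__":
    for scale, ranges in detect(constructed_traffic()).items():
        print(scale, ranges)
```

The sustained shift in samples 40 to 47 cancels out of every detail level and surfaces only in the level-3 approximation, while the single-sample burst at sample 21 stands out in the level-1 detail, which is why each scale is scored separately.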
In a specific application, the method can be applied to detecting network intrusion in a cloud data center. The cloud data center is an important place for enterprises to store and process key business data, so its network security is important. Network intrusion is one of the major threats faced by cloud data centers, and may lead to serious consequences such as data leakage, service interruption, and system paralysis. In this scenario, the network intrusion behavior of the cloud data center is detected using the network security detection method described above.
The specific use process is as follows:
First, network traffic data of the cloud data center is collected. The data includes information such as the size and transmission time of network packets, the source IP address, the destination IP address, and the port number, and forms the original network behavior feature time sequence data.
Preprocessing is required because the raw data may contain noise, redundant information, and inconsistencies. Preprocessing may include data cleansing (removing duplicate and invalid data), data normalization (scaling the data to a uniform range), and data smoothing (removing short term fluctuations using a moving average filter or the like). The preprocessed data will be input for subsequent analysis.
Next, the preprocessed data is processed using a feature extraction algorithm based on Principal Component Analysis (PCA), a dimensionality reduction technique that can convert high-dimensional data into a representation in a low-dimensional space while preserving the dominant pattern of variation in the data.
By calculating the covariance matrix of the data and performing feature decomposition (eigendecomposition), PCA extracts the principal components of the data and ranks them by their corresponding eigenvalues. The principal components with a higher cumulative explained variance ratio are selected as the representative feature subset, which effectively represents the structure of the original data while removing redundant and less relevant features.
To enhance the generalization ability and detection performance of the model, the representative feature subset may be extended and generated using a self-encoder, an unsupervised neural network model that can learn the intrinsic representation of the data and generate new data samples.
The self-encoder is trained with the representative feature subset as input, which it reconstructs through the encoder and decoder. During the encoding phase, the self-encoder compresses the input data into a representation of hidden variables; in the decoding stage, it recovers the original data from the hidden variables. In this way, a plurality of network behavior feature time series data samples similar to the original feature subset can be generated.
Then, multi-scale analysis is performed on the generated network behavior feature time sequence data using a wavelet transform method. The wavelet transform is a time-frequency analysis method that can decompose signals into components of different frequencies and time scales.
A suitable wavelet basis function and number of decomposition layers are selected, and the wavelet transform is executed on the generated feature time sequence data. This decomposes the data onto different time scales, so that long-term trends, periodic variations, bursty behavior and the like in the network traffic can be captured, and analysis of the wavelet coefficients reveals patterns of network behavior on different time scales.
Finally, an anomaly detection algorithm is used to identify abnormal points in the network behavior feature time sequence data of different time scales. The anomaly detection algorithm may be a statistics-based method, a machine learning algorithm, a deep learning model, or the like.
By modeling and learning the behavior patterns of normal network traffic, the anomaly detection algorithm can identify abnormal behavior that deviates from the normal patterns, which may represent network intrusion, malicious traffic, or other security threats. When an anomaly is detected, an alarm may be triggered in time and corresponding security measures taken to address the potential intrusion behavior.
By applying the network security detection method to the network intrusion detection scene of the cloud data center, abnormal behaviors in network traffic can be effectively identified and processed. Through the combined use of the steps of data preprocessing, feature extraction and sequencing, feature expansion and generation, multi-scale analysis, anomaly detection and the like, the network security and reliability of the cloud data center can be improved, and key business data are protected from potential network threats.
As shown in fig. 2, an embodiment of the present invention further provides a network security detection system 20, including:
An acquisition module 21, configured to preprocess the original network behavior feature time sequence data to obtain preprocessed data; performing feature importance ranking on the preprocessed data by adopting a feature extraction algorithm based on principal component analysis to obtain a representative feature subset;
A processing module 22, configured to utilize the self-encoder to expand and generate the feature subset to obtain the network behavior feature time sequence data; decomposing the network behavior characteristic time sequence data to different time scales by adopting a wavelet transformation method; and carrying out abnormal point identification on time sequence data of different time scales through an abnormal detection algorithm to obtain abnormal behaviors deviating from a normal mode.
Optionally, preprocessing the original network behavior feature time sequence data to obtain preprocessed data, including:
determining an initial window size based on the characteristics of the data and the analysis target;
placing a window on the data starting from a starting point of the data;
Calculating the average value of all data in the current window;
Recording the calculated average value as a new data point in the filtered data set;
moving the window to the right by one data point position, repeating the steps until the window slides to the end of the data;
After the average value for each location is calculated, a new data point is obtained, which constitutes the pre-processing data.
Optionally, calculating an average value of all data in the current window includes:
By passing through The average of all data within the current window is calculated, wherein,Is a point in the filtered data sequence representing the position in the original data sequenceA moving average of the values,Is the window size of the moving average filter, which represents the number of data points to be considered in calculating the moving average of a point, is a positive integer,Is a summation symbol representing a pair of slavesTo the point ofIs summed up of all the terms of (a),Is a point in the original data sequence, represented in positionThe data values at which, during the summation process,From 0 toIs an element in the weight vector that corresponds to the position in the windowIs a weight of the data point of (c).
Optionally, a feature extraction algorithm based on principal component analysis is used to rank the feature importance of the preprocessed data to obtain a representative feature subset, including:
acquiring a preprocessed data set, wherein the preprocessed data set is a data matrix X comprising n total samples and p features, and the data matrix X is:
wherein each row represents a sample and each column represents a feature;
Calculating the average value of each feature in the data matrix X according to the data matrix X, wherein the average value vector The method comprises the following steps:
wherein, Mean value of p-th feature, thMean of individual featuresThe calculation formula of (2) is as follows: Wherein j=1, 2, …, p; i is an index that is used to traverse all samples in the dataset, i varies from 1 to n, Elements representing the ith row and jth column of the data matrix X;
According to the mean vector Calculating covariance matrixCovariance matrixExpressed as:
wherein, Represented in covariance matrixIn the covariance matrixCovariance of row p and column p; covariance matrixMiddle (f)Line 1Covariance of columnsThe calculation formula of (2) is as follows:
Where k=1, 2, …, p, Representing the elements of the ith row and kth column of the data matrix X,Is the mean value of the j-th feature,Is the mean of the kth feature;
performing feature decomposition on the covariance matrix to obtain feature vectors and feature values of the covariance matrix;
sorting the principal components according to the magnitude of the characteristic values, and calculating the proportion of accumulated interpretation variances;
According to the determined principal components, obtaining feature vectors corresponding to the principal components, and projecting original features to subspaces formed by the principal components;
analyzing the correlation of each original feature in the principal component;
sorting the original features according to the relevance of each original feature in the main component to obtain a sorting result;
and obtaining a representative feature subset according to the sequencing result.
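The ranking procedure above as an added example (not the patent's own code): mean vector, covariance matrix, eigendecomposition, cumulative explained variance, projection and feature ranking. The sample matrix is constructed and assumed already scaled to a uniform range; the n-1 covariance denominator, the 0.95 variance target and the eigenvalue-weighted squared loading used as the relevance measure are assumptions, since the page does not fix them.

```python
import math

# Constructed, range-scaled samples (rows) for four hypothetical flow features.
NAMES = ["bytes", "packets", "syn_ratio", "ttl"]
X = [
    [0.10, 0.15, 0.50, 0.50],
    [0.30, 0.28, 0.40, 0.51],
    [0.50, 0.52, 0.60, 0.50],
    [0.70, 0.69, 0.50, 0.49],
    [0.90, 0.88, 0.45, 0.50],
    [0.20, 0.22, 0.55, 0.50],
]

def covariance_matrix(X):
    """Mean vector and sample covariance (n-1 denominator, assumed) of an n x p matrix."""
    n, p = len(X), len(X[0])
    mean = [sum(row[j] for row in X) / n for j in range(p)]
    cov = [[sum((row[j] - mean[j]) * (row[k] - mean[k]) for row in X) / (n - 1)
            for k in range(p)] for j in range(p)]
    return mean, cov

def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]

def eigen_pairs(C, iters=500):
    """Eigenpairs of a symmetric PSD matrix by power iteration with deflation."""
    p = len(C)
    A = [row[:] for row in C]
    pairs = []
    for _ in range(p):
        v = [1.0 / math.sqrt(p)] * p
        for _ in range(iters):
            w = matvec(A, v)
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-15:          # nothing left to extract
                break
            v = [x / norm for x in w]
        lam = sum(x * y for x, y in zip(v, matvec(A, v)))  # Rayleigh quotient
        pairs.append((lam, v))
        # Deflate: remove the component just found before looking for the next.
        A = [[A[j][k] - lam * v[j] * v[k] for k in range(p)] for j in range(p)]
    return sorted(pairs, key=lambda pair: pair[0], reverse=True)

def rank_features(X, names, var_target=0.95):
    """Rank original features by the variance they contribute to the kept components."""
    mean, cov = covariance_matrix(X)
    total = sum(cov[j][j] for j in range(len(cov)))  # trace = total variance
    kept, explained = [], 0.0
    for lam, vec in eigen_pairs(cov):
        kept.append((lam, vec))
        explained += lam / total
        if explained >= var_target:   # cumulative explained variance reached
            break
    # Projection of the centred samples onto the kept principal components.
    projected = [[sum((row[j] - mean[j]) * vec[j] for j in range(len(mean)))
                  for _, vec in kept] for row in X]
    # Assumed relevance measure: eigenvalue-weighted squared loading per feature.
    score = {name: sum(lam * vec[j] ** 2 for lam, vec in kept)
             for j, name in enumerate(names)}
    ranking = sorted(names, key=score.get, reverse=True)
    return ranking, explained, kept, projected

if __name__ == "__main__":
    ranking, explained, kept, _ = rank_features(X, NAMES)
    print("components kept:", len(kept), "explained variance:", round(explained, 4))
    print("feature ranking:", ranking)
    print("representative subset (top 2):", ranking[:2])
```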
Optionally, expanding and generating the feature subset with the self-encoder to obtain the network behavior feature timing data includes:
Determining input original network behavior characteristic time sequence data;
Encoding the original network behavior feature time sequence data into a distribution of hidden variables by using a self-encoder;
Sampling hidden variables from the hidden variable distribution output from the encoder, decoding the sampled hidden variables into a candidate set of feature timing data using the self-encoder;
determining an original feature subset from the original feature set, generating a plurality of feature timing data similar to the particular feature subset from the original feature subset using the sampled hidden variables and the decoder;
an extended feature timing data set is formed from the original feature subset and a plurality of feature timing data that are similar to the particular feature subset.
Optionally, decomposing the network behavior feature time sequence data to different time scales by adopting a wavelet transformation method comprises the following steps:
Determining the decomposition layer number of wavelet transformation according to the complexity and analysis requirement of the data;
performing wavelet transformation according to the network behavior characteristic time sequence data, the wavelet basis function and the decomposition layer number so as to decompose the original data into wavelet coefficients;
wavelet coefficients are analyzed to obtain patterns of behavior on different time scales.
Optionally, performing anomaly point recognition on the time series data of different time scales by using an anomaly detection algorithm to obtain an anomaly behavior deviating from a normal mode, including:
Performing outlier recognition on the time sequence data of each time scale by using a density-based method to obtain recognition data;
And identifying abnormal points on each time scale according to the identification data and a preset threshold value.
It should be noted that the apparatus is an apparatus corresponding to the above method, and all implementation manners in the above method embodiment are applicable to this embodiment, so that the same technical effects can be achieved.
Embodiments of the present invention also provide a computing device comprising: a processor, a memory storing a computer program which, when executed by the processor, performs the method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.
Embodiments of the present invention also provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform a method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
Furthermore, it should be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. Also, the steps of performing the series of processes described above may naturally be performed in chronological order in the order of description, but are not necessarily performed in chronological order, and some steps may be performed in parallel or independently of each other. It will be appreciated by those of ordinary skill in the art that all or any of the steps or components of the methods and apparatus of the present invention may be implemented in hardware, firmware, software, or a combination thereof in any computing device (including processors, storage media, etc.) or network of computing devices, as would be apparent to one of ordinary skill in the art after reading this description of the invention.
The object of the invention can thus also be achieved by running a program or a set of programs on any computing device. The computing device may be a well-known general purpose device. The object of the invention can thus also be achieved by merely providing a program product containing program code for implementing said method or apparatus. That is, such a program product also constitutes the present invention, and a storage medium storing such a program product also constitutes the present invention. It is apparent that the storage medium may be any known storage medium or any storage medium developed in the future. It should also be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. The steps of executing the series of processes may naturally be executed in chronological order in the order described, but are not necessarily executed in chronological order. Some steps may be performed in parallel or independently of each other.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (10)

1. A method for network security detection, the method comprising:
Preprocessing the original network behavior characteristic time sequence data to obtain preprocessed data;
performing feature importance ranking on the preprocessed data by adopting a feature extraction algorithm based on principal component analysis to obtain a representative feature subset;
Expanding and generating the feature subset by using a self-encoder to obtain network behavior feature time sequence data;
decomposing the network behavior characteristic time sequence data to different time scales by adopting a wavelet transformation method;
and carrying out abnormal point identification on time sequence data of different time scales through an abnormal detection algorithm to obtain abnormal behaviors deviating from a normal mode.
2. The network security detection method of claim 1, wherein preprocessing the raw network behavior feature timing data to obtain preprocessed data comprises:
determining an initial window size based on the characteristics of the data and the analysis target;
placing a window on the data starting from a starting point of the data;
Calculating the average value of all data in the current window;
Recording the calculated average value as a new data point in the filtered data set;
moving the window to the right by one data point position, repeating the steps until the window slides to the end of the data;
After the average value for each location is calculated, a new data point is obtained, which constitutes the pre-processing data.
3. The network security detection method of claim 2, wherein calculating an average of all data within the current window comprises:
By passing through The average of all the data within the current window is calculated, wherein,Is a point in the filtered data sequence representing the position in the original data sequenceA moving average of the values,Is the window size of the moving average filter, which represents the number of data points to be considered in calculating the moving average of a point, is a positive integer,Is a summation symbol representing a pair of slavesTo the point ofIs summed up of all the terms of (a),Is a point in the original data sequence, represented in positionThe data values at which, during the summation process,From the slaveChange toIs an element in the weight vector that corresponds to the position in the windowIs a weight of the data point of (c).
4. A network security detection method according to claim 3 wherein ranking the feature importance of the preprocessed data to obtain the representative feature subset using a feature extraction algorithm based on principal component analysis comprises:
acquiring a preprocessed data set, wherein the preprocessed data set is a data matrix X comprising n total samples and p features, and the data matrix X is:
wherein each row represents a sample and each column represents a feature;
According to the data matrix Calculating a data matrixThe mean value of each feature in (1), wherein the mean value vectorThe method comprises the following steps:
wherein, Represent the firstMean of individual featuresThe calculation formula of (2) is as follows: Wherein j=1, 2, …, p; i is an index that is used to traverse all samples in the dataset, i varies from 1 to n, Representing a data matrixElements of the ith row and the jth column;
According to the mean vector Calculating covariance matrixCovariance matrixExpressed as:
wherein, Represented in covariance matrixIn the covariance matrixCovariance of row p and column p; covariance matrixMiddle (f)Line 1Covariance of columnsThe calculation formula of (2) is as follows:
Where k=1, 2, …, p, Representing the elements of the ith row and kth column of the data matrix X,Is the mean value of the j-th feature,Is the mean of the kth feature;
performing feature decomposition on the covariance matrix to obtain feature vectors and feature values of the covariance matrix;
sorting the principal components according to the magnitude of the characteristic values, and calculating the proportion of accumulated interpretation variances;
According to the determined principal components, obtaining feature vectors corresponding to the principal components, and projecting original features to subspaces formed by the principal components;
analyzing the correlation of each original feature in the principal component;
sorting the original features according to the relevance of each original feature in the main component to obtain a sorting result;
and obtaining a representative feature subset according to the sequencing result.
5. The network security detection method of claim 4, wherein expanding and generating the feature subset with the self-encoder to obtain the network behavior feature timing data comprises:
Determining input original network behavior characteristic time sequence data;
Encoding the original network behavior feature time sequence data into a distribution of hidden variables by using a self-encoder;
Sampling hidden variables from the hidden variable distribution output from the encoder, decoding the sampled hidden variables into a candidate set of feature timing data using the self-encoder;
determining an original feature subset from the original feature set, generating a plurality of feature timing data similar to the particular feature subset from the original feature subset using the sampled hidden variables and the decoder;
an extended feature timing data set is formed from the original feature subset and a plurality of feature timing data that are similar to the particular feature subset.
6. The network security detection method of claim 5, wherein decomposing the network behavior feature time series data onto different time scales using a wavelet transform method comprises:
Determining the decomposition layer number of wavelet transformation according to the complexity and analysis requirement of the data;
performing wavelet transformation according to the network behavior characteristic time sequence data, the wavelet basis function and the decomposition layer number so as to decompose the original data into wavelet coefficients;
wavelet coefficients are analyzed to obtain patterns of behavior on different time scales.
7. The network security detection method according to claim 6, wherein performing anomaly point recognition on time series data of different time scales by an anomaly detection algorithm to obtain anomaly behavior deviating from a normal mode comprises:
Performing outlier recognition on the time sequence data of each time scale by using a density-based method to obtain recognition data;
And identifying abnormal points on each time scale according to the identification data and a preset threshold value.
8. A network security inspection system, comprising:
the acquisition module is used for preprocessing the original network behavior characteristic time sequence data to obtain preprocessed data; performing feature importance ranking on the preprocessed data by adopting a feature extraction algorithm based on principal component analysis to obtain a representative feature subset;
The processing module is used for expanding and generating the feature subset by utilizing the self-encoder so as to obtain network behavior feature time sequence data; decomposing the network behavior characteristic time sequence data to different time scales by adopting a wavelet transformation method; and carrying out abnormal point identification on time sequence data of different time scales through an abnormal detection algorithm to obtain abnormal behaviors deviating from a normal mode.
9. A computing device, comprising:
one or more processors;
Storage means for storing one or more programs which when executed by the one or more processors cause the one or more processors to implement the method of any of claims 1-7.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a program which, when executed by a processor, implements the method according to any of claims 1-7.
CN202410306380.5A 2024-03-18 2024-03-18 Network security detection method and system Active CN117914629B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410306380.5A CN117914629B (en) 2024-03-18 2024-03-18 Network security detection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410306380.5A CN117914629B (en) 2024-03-18 2024-03-18 Network security detection method and system

Publications (2)

Publication Number Publication Date
CN117914629A true CN117914629A (en) 2024-04-19
CN117914629B CN117914629B (en) 2024-05-28

Family

ID=90690850

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410306380.5A Active CN117914629B (en) 2024-03-18 2024-03-18 Network security detection method and system

Country Status (1)

Country Link
CN (1) CN117914629B (en)

CN117648215A (en) * 2024-01-26 2024-03-05 国网山东省电力公司营销服务中心(计量中心) Abnormal tracing method and system for electricity consumption information acquisition system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
D. HAYES, ED.;UNIVERSITY OF OSLO; S. FERLIN; SIMULA RESEARCH LABORATORY;M. WELZL;UNIVERSITY OF OSLO;: "Shared Bottleneck Detection for Coupled Congestion Control for RTP Media. draft-hayes-rmcat-sbd-02", IETF, 3 March 2015 (2015-03-03) *
王风宇;云晓春;曹震中;: "多时间尺度同步的网络异常检测方法", 通信学报, no. 12, 25 December 2007 (2007-12-25) *

Also Published As

Publication number Publication date
CN117914629B (en) 2024-05-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant