WO2019129915A1 - Intelligent defense and filtering platform for network traffic - Google Patents
Intelligent defense and filtering platform for network traffic
- Publication number
- WO2019129915A1 (PCT/FI2017/050953)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- network packets
- features
- computer
- packets
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/2433—Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Definitions
- IoT Internet of Things
- the protocol analyzer component functions to filter the network packets and identify suspected protocols. For certain suspected attacks, such as DoS (denial of service) attacks, the protocol analyzer forwards the filtered packets to a linear algorithm. For other suspected attacks, the protocol analyzer forwards the filtered packets to a combination of a linear algorithm and a learning algorithm.
- the linear algorithm initially defines whether the packets are safe or unsafe regardless of the suspected attack type, then extracts the features of the suspected attack and provides them to the learning algorithm.
- the learning algorithm compares the extracted features against known attack features and classifies the suspected attack as either known or unknown, then outputs this information to the validator and database component.
- the disclosed embodiments are directed to a computer-based system for detecting a cyber-attack on a communication network.
- the system comprises at least one processor and at least one memory connected to the at least one processor, the at least one memory having a plurality of processing components stored therein.
- the at least one memory and the plurality of processing components are configured to, with the at least one processor, cause the system at least to perform the plurality of the processing components.
- the plurality of the processing components comprises a protocol analyzer component configured to receive a plurality of network packets from a computing device via the communication network.
- the plurality of processing components further comprises a dynamic machine learning component configured to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic.
- the dynamic machine learning component is further configured to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
- the disclosed embodiments are directed to a computer-based system for detecting a cyber-attack on a communication network.
- the system comprises one or more processors and one or more storage devices connected to the one or more processors, the one or more storage devices storing computer-readable instructions thereon.
- the computer-readable instructions are executable by the one or more processors to cause the system to receive a plurality of network packets from a computing device via the communication network.
- the computer-readable instructions are further executable by the one or more processors to cause the system to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic.
- FIG. 1 illustrates an exemplary communication network equipped with an exemplary hybrid anomaly detection module (HADM) according to aspects of the disclosed embodiments;
- HADM hybrid anomaly detection module
- FIG. 3 illustrates an exemplary protocol analyzer module for an HADM according to aspects of the disclosed embodiments
- FIG. 4 illustrates an exemplary dynamic machine learning module for an HADM according to aspects of the disclosed embodiments
- FIG. 5 illustrates an exemplary threat validator and database storage module for an HADM according to aspects of the disclosed embodiments
- a communication network 100 such as a mobile communication network, is shown equipped with an HADM according to disclosed embodiments.
- the network 100 may be any current or soon-to-be available mobile network, such as 3G, 4G, 5G, cloud services and similar networks, that can provide online or Internet connectivity to computing devices.
- computing devices are connected to the network 100 in the present example, such as a smartphone 102, a personal computer 104, as well as a personal communication device, one or more communication network equipment, one or more IoT devices, one or more sensor devices, one or more vehicles, and one or more smart household appliances, indicated generally at 106, or any combination thereof.
- These computing devices 102, 104, and 106 may of course comprise any other computing device that is capable of transmitting to and receiving data packets from the communication network 100, for example over a mobile communication link 108, such as a cellular communication link.
- the HADM focuses on one or more particular network protocols that are known or considered to be vulnerable to cyber-attacks over other protocols that are not considered vulnerable and therefore not typically used by cyber-attackers, such as streaming protocols. This allows the HADM to avoid burdening the at least one network server 110 with unnecessary computational load.
- FIG. 2 shows an exemplary physical implementation of the at least one network server 110 having the HADM thereon.
- This network server 110 may be any suitable computing system known to those having ordinary skill in the art, such as a high-end computer, workstation, main frame, circuitry, and the like.
- Such a network server 110 typically comprises a bus 200 or other communication mechanism for transferring information within the network server 110 and one or more circuitries, such as one or more single or multi-core CPUs (Central Processing Unit) 202, such as field programmable gate arrays (FPGA), an AI (Artificial Intelligence) accelerator or a GPU (Graphics Processing Unit), or any combination thereof, coupled with the bus 200 for processing the information.
- CPU Central Processing Unit
- FPGA field programmable gate arrays
- AI Artificial Intelligence
- GPU Graphics Processing Unit
- the network server 110 may also comprise a main memory 204, such as a random access memory (RAM) or other dynamic storage device coupled to the bus 200 for storing computer-readable instructions, such as one or more computer program product, to be executed by the CPU 202.
- the main memory 204 may also be used for storing temporary variables or other intermediate information during execution of the instructions to be executed by the CPU 202.
- the network server 110 may further comprise a read only memory (ROM) 206 or other static storage device coupled to the bus 200 for storing static information and instructions for the CPU 202.
- ROM read only memory
- a computer-readable storage device 208 such as a magnetic disk or optical disk, may be coupled to the bus 200 for storing information and instructions for the CPU 202.
- Non-volatile media may comprise, for example, optical or magnetic disks, such as the storage device 208.
- Volatile media may comprise dynamic memory, such as main memory 204.
- Transmission media may comprise coaxial cables, copper wire and fiber optics, such as wires of the bus 200.
- Transmission itself may take the form of acoustic or light waves, such as those generated during radio frequency (RF) and infrared (IR) data communications.
- RF radio frequency
- IR infrared
- Common forms of computer-readable media may comprise, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, other magnetic medium, a CD ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc), other optical medium, a RAM (Random-access memory), a PROM (Programmable read-only memory), an EPROM (Erasable programmable read-only memory), a FLASH EPROM, other memory chip or cartridge, or any other medium from which a computer can read.
- a floppy disk a flexible disk, hard disk, magnetic tape, other magnetic medium
- CD ROM Compact Disc Read-Only Memory
- DVD Digital Versatile Disc
- RAM Random-access memory
- PROM Programmable read-only memory
- EPROM Erasable programmable read-only memory
- the CPU 202 may also be coupled via the bus 200 to a display 210, such as a liquid crystal display (LCD), cathode ray tube (CRT), and the like for displaying information to a user.
- a display 210 such as a liquid crystal display (LCD), cathode ray tube (CRT), and the like for displaying information to a user.
- One or more input devices 212 such as alphanumeric and other keyboards, mouse, trackball, cursor direction keys, and so forth, may be coupled to the bus 200 for communicating information and command selections to the CPU 202.
- a communication interface 214 provides two-way data communication between the network server 110 and other computers.
- the communication interface 214 may be an integrated services digital network (ISDN) card or a modem used to provide a data communication connection to a corresponding type of communication line.
- ISDN integrated services digital network
- the communication interface 214 may be a local area network (LAN) card used to provide a data communication connection to a compatible LAN.
- Wireless links may also be implemented via the communication interface 214.
- the main function of the communication interface 214 is to send and receive electrical, electromagnetic, optical, or other signals that carry digital data streams representing various types of information.
- an HADM 216 may also reside on the storage device 208.
- the computer-readable instructions for the HADM 216 may then be executed by the CPU 202 and/or other components of the network server 110.
- the HADM 216 has been expanded into several discrete blocks or modules representing operational phases, such as Phase 1, Phase 2, and Phase 3, each operational phase comprising a phase-specific processing component.
- the first operational phase, Phase 1, is a protocol analyzer phase and comprises a protocol analyzer component 218, such as a protocol analyzer circuitry.
- the second operational phase, Phase 2, is a dynamic machine learning phase and comprises a dynamic machine learning component 220, such as dynamic machine learning circuitry.
- the third operational phase, Phase 3, is a validator and database phase and comprises a validator and database component 222, such as a validator and database circuitry.
- circuitry may refer to one or more or all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry); (b) combinations of hardware circuits and software, such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (such as digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions); and (c) hardware circuit(s) and or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
- hardware-only circuit implementations such as implementations in only analog and/or digital circuitry
- combinations of hardware circuits and software such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware
- circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
- circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
- Features and attributes of one or more suspected attacks that are considered to be distinctive are extracted and provided to the validator and database component 222, indicated generally at 230.
- the extracted features and attributes 230 are compared against the expected output defined in the validator.
- the packets that are sent using a non-vulnerable protocol, indicated generally at 228, are likewise validated by the validator and database component 222 in a similar manner.
- the validation results are stored by the validator and database component 222 in a database and their attack features are provided as feedback 232 to the protocol analyzer component 218 and the dynamic machine learning component 220 for use in subsequent detections.
- FIG. 3 illustrates an exemplary implementation of the protocol analyzer component 218 according to the disclosed embodiments.
- the protocol analyzer component 218 uses one or more functional modules and/or circuitries to filter the network packets 224, such as a decision module and/or circuitry 300, a counter and prioritization module and/or circuitry 302, a feature extraction module and/or circuitry 304, a first learning algorithm module and/or circuitry 306 comprising a Learning Algorithm I, and a log file 308.
- These functional modules and/or circuitries 300-308 operate in a manner that allows the protocol analyzer component 218 to focus on packets sent using a network protocol that is considered to be vulnerable to cyber-attacks.
- the modules and/or circuitries 300-306 can be implemented in one or more circuitries and/or modules, in any combination.
- Network packets 224 that are found to have been carried using a vulnerable protocol, indicated at 310, are forwarded by the decision module 300 to the counter and prioritization module 302.
- the counter and prioritization module 302 prioritizes the vulnerable protocols with which the packets 310 were sent based on the number of times the protocol was used and a minimum occurrence threshold, n. For example, only protocols that have been used n times within a predefined time window (e.g., 1 hour, 1 day, etc.) are prioritized. Additionally, vulnerable protocols that are used more frequently are prioritized over vulnerable protocols that are used less frequently.
- network packets 224 found not to have been carried using a vulnerable protocol, indicated at 314, may be considered safe and no further processing is needed.
- these non-vulnerable protocol network packets 314 are forwarded by the decision module 300 to the feature extraction module 304 for further processing, as shown in the FIG. 3 example.
- the feature extraction module 304 extracts features and attributes from the packets 314 and provides these features and attributes, indicated at 316, to the first learning algorithm 306 for analysis.
- a network packet has a header and a payload. The header contains overhead information about the packet, the network service, and other transmission related information, while the payload contains the content carried by the packet.
- the log file 308 operates as a repository for suspicious packets carried over vulnerable protocols.
- the log file 308 records information about the packets, such as timestamp, packet size, IP header, and network layers (e.g., Ethernet, TCP, application layer, etc.). Every time the first learning algorithm module 306 detects a new vulnerable protocol, that protocol is recorded into the log file 308, which may then be accessed by the other modules in the protocol analyzer component 218 as needed.
- the log file 308 also forwards any suspicious packets 318 to the validator and database component 222.
- the decision module 400 receives suspicious packets 312 sent using a vulnerable protocol from the protocol analyzer component 218 and determines whether the packets were carried over UDP or TCP. Note that the function of the decision module 400 may also be implemented in the protocol analyzer component 218 instead of the dynamic machine learning component 220 in some embodiments. In either case, suspicious packets that were sent using UDP, indicated at 414, are forwarded to the first feature extraction module 402 for feature extraction.
- the first feature extraction module 402 operates in the same or nearly the same manner as the feature extraction module 304 in the protocol analyzer module 218 to extract features and attributes of the suspicious packets and therefore will not be described in detail here. These features and attributes, indicated at 416, are provided to the first linear algorithm 404 for analysis.
- since the packets that arrive at this module have already been identified as attack packets, if the packets do not exhibit features belonging to any of the already defined clusters, then they are considered a new type of attack (N) and the second learning algorithm 412 creates a new cluster for the packets. In this way, the features of the new type of attack (N) may be added to the second learning algorithm 412 for subsequent detection.
- the second learning algorithm 412 then forwards the labeled attack packets as malicious packets 432 to the validator and database component 222.
- FIG. 7 is a flow chart 700, or portion thereof, outlining a high-level method that may be used to operate the HADM described herein.
- the flow chart 700 begins with input of traffic in the form of network packets at block 702.
- as the network packets arrive, they first go through a data normalization process at block 704 where the data in the packets undergo data conversion, data enrichment and data scaling operations.
- data conversion converts data into a format that subsequent processes can understand, such as converting hexadecimal into decimal.
- Data enrichment produces data elements by performing arithmetic and logical operations on the data in the packets.
- Data scaling scales the data so that data fields have the same range of values and the variance among data fields is reduced.
- the flow chart 700 proceeds to block 710 where the HADM undergoes testing using test data. Thereafter, the results of the testing are evaluated at block 712 to confirm the effectiveness and efficiency of the training from block 708.
- blocks 832, 834, and 836 may be performed by a learning algorithm 838.
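The definitions above describe one pipeline: data normalization (conversion, enrichment, scaling at block 704), the protocol analyzer's decision and counter/prioritization modules (vulnerable-protocol filtering with a minimum occurrence threshold n inside a time window), and the learning algorithm 412 that assigns attack packets to a known cluster or opens a new cluster for a new attack type (N). The following Python walk-through is an added illustration written for this page, not code from the patent; the sample packets, the set of "vulnerable" protocols, the value of n, the feature fields, the min-max scaling choice, the centroid-distance clustering and the attack cluster names are all constructed assumptions.

```python
from collections import Counter
from math import sqrt

# Constructed sample packets (not from the patent): (timestamp in seconds,
# protocol name, packet length as a hex string, TTL as a hex string).
SAMPLE_PACKETS = [
    (0, "dns", "0x40", "0x40"),
    (10, "dns", "0x41", "0x40"),
    (20, "dns", "0x3f", "0x40"),
    (30, "ntp", "0x30", "0x3f"),
    (40, "rtsp", "0x200", "0x40"),   # streaming protocol: treated as non-vulnerable
    (50, "ntp", "0x30", "0x3f"),
    (4000, "dns", "0x40", "0x40"),   # falls outside a 1-hour window ending at t=60
]

# Assumed policy values; the patent names neither the protocol set nor n.
VULNERABLE_PROTOCOLS = {"dns", "ntp", "ssdp"}
N_THRESHOLD = 2          # minimum occurrence threshold n
WINDOW_SECONDS = 3600    # predefined time window (1 hour, as in the text's example)


def convert(record):
    """Data conversion: turn hex header fields into decimal integers."""
    ts, proto, size_hex, ttl_hex = record
    return {"ts": ts, "proto": proto, "size": int(size_hex, 16), "ttl": int(ttl_hex, 16)}


def enrich(rec):
    """Data enrichment: derive new elements by arithmetic/logical operations."""
    rec = dict(rec)
    rec["vulnerable"] = rec["proto"] in VULNERABLE_PROTOCOLS   # decision module 300
    rec["size_per_ttl"] = rec["size"] / rec["ttl"]
    return rec


def scale(recs, fields=("size", "ttl")):
    """Data scaling: min-max scale numeric fields to [0, 1] so they share one range."""
    out = [dict(r) for r in recs]
    for f in fields:
        vals = [r[f] for r in out]
        lo, hi = min(vals), max(vals)
        for r in out:
            r[f + "_scaled"] = 0.0 if hi == lo else (r[f] - lo) / (hi - lo)
    return out


def normalize(records):
    """Block 704 of the flow chart: conversion, then enrichment, then scaling."""
    return scale([enrich(convert(r)) for r in records])


def prioritize(recs, now, n=N_THRESHOLD, window=WINDOW_SECONDS):
    """Counter and prioritization module 302: vulnerable protocols seen at least
    n times in the window ending at `now`, most frequently used first."""
    counts = Counter(r["proto"] for r in recs
                     if r["vulnerable"] and now - window < r["ts"] <= now)
    return [(proto, c) for proto, c in counts.most_common() if c >= n]


def classify(features, clusters, radius):
    """Learning algorithm 412: assign a feature vector to the nearest known attack
    cluster; if no centroid lies within `radius`, open a new cluster (new attack
    type N). Returns (cluster name, is_new) and updates `clusters` in place."""
    best, best_dist = None, None
    for name, centroid in clusters.items():
        dist = sqrt(sum((a - b) ** 2 for a, b in zip(features, centroid)))
        if best_dist is None or dist < best_dist:
            best, best_dist = name, dist
    if best is not None and best_dist <= radius:
        return best, False
    new_name = f"N{len(clusters) + 1}"
    clusters[new_name] = tuple(features)
    return new_name, True


if __name__ == "__main__":
    normalized = normalize(SAMPLE_PACKETS)
    print("prioritized protocols at t=60:", prioritize(normalized, now=60))
    # Constructed attack clusters over a 2-D scaled feature space (assumption).
    known = {"syn_flood": (1.0, 0.0), "dns_amp": (0.0, 1.0)}
    print(classify((0.9, 0.1), known, radius=0.3))   # close to syn_flood
    print(classify((0.5, 0.5), known, radius=0.3))   # no match: new cluster N3
```

The prioritization step only counts packets whose protocol is in the vulnerable set and whose timestamp lies inside the window, so the DNS packet at t=4000 does not contribute at t=60, and a protocol seen fewer than n times is dropped even if it is vulnerable. The clustering step is the simplest form of the novelty behaviour the text describes: the radius is the tunable that decides between "known attack" and "new attack type", and once a new cluster is created the same feature vector is recognised as known on the next call, mirroring the feedback 232 loop.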
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Medical Informatics (AREA)
- Artificial Intelligence (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Systems and methods are disclosed for detecting and preventing cyber-attacks on communication networks, providing a hybrid anomaly detection module (HADM) that uses a combination of linear algorithms and learning algorithms. The linear algorithms filter and extract distinctive attributes and features of cyber-attacks, and the learning algorithms use these attributes and features to identify new types of cyber-attacks. The learning algorithms, which may be algorithms that use artificial neural networks (ANN), genetic algorithms (GA), extreme learning machines (ELM), self-organizing maps (SOM), multilayer perceptrons (MLP), or swarm intelligence (SI) and the like, have better detection accuracy when used in conjunction with linear algorithms, such as algorithms that employ a decision tree, a support vector machine, fuzzy logic, or the like. Using linear algorithms in conjunction with learning algorithms allows the HADM to achieve improved cyber-attack detection over existing solutions.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/FI2017/050953 WO2019129915A1 (fr) | 2017-12-29 | 2017-12-29 | Intelligent defense and filtering platform for network traffic |
EP17832511.4A EP3732844A1 (fr) | 2017-12-29 | 2017-12-29 | Intelligent defense and filtering platform for network traffic |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/FI2017/050953 WO2019129915A1 (fr) | 2017-12-29 | 2017-12-29 | Intelligent defense and filtering platform for network traffic |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019129915A1 true WO2019129915A1 (fr) | 2019-07-04 |
Family
ID=61007714
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FI2017/050953 WO2019129915A1 (fr) | 2017-12-29 | 2017-12-29 | Intelligent defense and filtering platform for network traffic |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP3732844A1 (fr) |
WO (1) | WO2019129915A1 (fr) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111181930A (zh) * | 2019-12-17 | 2020-05-19 | China Mobile (Hangzhou) Information Technology Co., Ltd. | DDoS attack detection method, apparatus, computer device and storage medium |
CN113139598A (zh) * | 2021-04-22 | 2021-07-20 | Hunan University | Intrusion detection method and system based on an improved intelligent optimization algorithm |
WO2021152262A1 (fr) * | 2020-01-31 | 2021-08-05 | Orange | Method for monitoring data exchanged on a network and intrusion detection device |
CN113242226A (zh) * | 2021-05-05 | 2021-08-10 | CASICloud Cloud Manufacturing Technology (Zhejiang) Co., Ltd. | Big-data-based intelligent network security situation prediction method |
CN114866349A (zh) * | 2022-07-06 | 2022-08-05 | Shenzhen Yongda Electronic Information Co., Ltd. | Network information filtering method |
FR3142058A1 (fr) * | 2022-11-15 | 2024-05-17 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | Method and device for anomaly-based network intrusion detection in network communications |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113103535A (zh) * | 2021-03-17 | 2021-07-13 | Guizhou University | GA-ELM-GA-based injection-moulded part mould parameter optimization method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2139199A2 (fr) * | 2008-06-27 | 2009-12-30 | Juniper Networks, Inc. | Dynamic policy provisioning in network security devices |
US20110231564A1 (en) * | 2000-09-25 | 2011-09-22 | Yevgeny Korsunsky | Processing data flows with a data flow processor |
US8418249B1 (en) * | 2011-11-10 | 2013-04-09 | Narus, Inc. | Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats |
2017
- 2017-12-29 WO PCT/FI2017/050953 patent/WO2019129915A1/fr unknown
- 2017-12-29 EP EP17832511.4A patent/EP3732844A1/fr not_active Withdrawn
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110231564A1 (en) * | 2000-09-25 | 2011-09-22 | Yevgeny Korsunsky | Processing data flows with a data flow processor |
EP2139199A2 (fr) * | 2008-06-27 | 2009-12-30 | Juniper Networks, Inc. | Dynamic policy provisioning in network security devices |
US8418249B1 (en) * | 2011-11-10 | 2013-04-09 | Narus, Inc. | Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111181930A (zh) * | 2019-12-17 | 2020-05-19 | China Mobile (Hangzhou) Information Technology Co., Ltd. | DDoS attack detection method, apparatus, computer device and storage medium |
WO2021152262A1 (fr) * | 2020-01-31 | 2021-08-05 | Orange | Method for monitoring data exchanged on a network and intrusion detection device |
FR3106914A1 (fr) * | 2020-01-31 | 2021-08-06 | Orange | Method for monitoring data exchanged on a network and intrusion detection device |
CN113139598A (zh) * | 2021-04-22 | 2021-07-20 | Hunan University | Intrusion detection method and system based on an improved intelligent optimization algorithm |
CN113139598B (zh) * | 2021-04-22 | 2022-04-22 | Hunan University | Intrusion detection method and system based on an improved intelligent optimization algorithm |
CN113242226A (zh) * | 2021-05-05 | 2021-08-10 | CASICloud Cloud Manufacturing Technology (Zhejiang) Co., Ltd. | Big-data-based intelligent network security situation prediction method |
CN114866349A (zh) * | 2022-07-06 | 2022-08-05 | Shenzhen Yongda Electronic Information Co., Ltd. | Network information filtering method |
CN114866349B (zh) * | 2022-07-06 | 2022-11-15 | Shenzhen Yongda Electronic Information Co., Ltd. | Network information filtering method |
FR3142058A1 (fr) * | 2022-11-15 | 2024-05-17 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | Method and device for anomaly-based network intrusion detection in network communications |
WO2024104681A1 (fr) * | 2022-11-15 | 2024-05-23 | Commissariat à l'Energie Atomique et aux Energies Alternatives | Method and device for anomaly-based network intrusion detection in network communications |
Also Published As
Publication number | Publication date |
---|---|
EP3732844A1 (fr) | 2020-11-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Lima Filho et al. | Smart detection: an online approach for DoS/DDoS attack detection using machine learning | |
US11985169B2 (en) | Classification of unknown network traffic | |
EP3732844A1 (fr) | Intelligent defense and filtering platform for network traffic | |
US11899786B2 (en) | Detecting security-violation-associated event data | |
US11394728B2 (en) | Associating a user identifier detected from web traffic with a client address | |
US8418249B1 (en) | Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats | |
US9426166B2 (en) | Method and apparatus for processing finite automata | |
US9426165B2 (en) | Method and apparatus for compilation of finite automata | |
JP5362669B2 (ja) | Efficient classification of network packets | |
US20230025946A1 (en) | Network Attack Detection Method and Apparatus | |
Hatef et al. | HIDCC: A hybrid intrusion detection approach in cloud computing | |
US20170034195A1 (en) | Apparatus and method for detecting abnormal connection behavior based on analysis of network data | |
WO2019190403A1 (fr) | Industrial control system firewall module | |
CN113518042B (zh) | Data processing method, apparatus, device and storage medium | |
Vashishtha et al. | HIDM: A hybrid intrusion detection model for cloud based systems | |
US11552986B1 (en) | Cyber-security framework for application of virtual features | |
Shaikh et al. | Advanced signature-based intrusion detection system | |
Bensaid et al. | Toward a Real‐Time TCP SYN Flood DDoS Mitigation Using Adaptive Neuro‐Fuzzy Classifier and SDN Assistance in Fog Computing | |
Schumacher et al. | One-Class Models for Intrusion Detection at ISP Customer Networks | |
Lautert et al. | Micro IDS: On-line recognition of denial-of-service attacks on IoT networks | |
KR102369240B1 (ko) | Network attack detection apparatus and method | |
Ismail et al. | Stateless malware packet detection by incorporating naive bayes with known malware signatures | |
Lee et al. | Malicious traffic compression and classification technique for secure internet of things | |
BS et al. | P‐DNN: Parallel DNN based IDS framework for the detection of IoT vulnerabilities | |
Shaik et al. | capsAEUL: Slow http DoS attack detection using autoencoders through unsupervised learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17832511; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2017832511; Country of ref document: EP; Effective date: 20200729 |