WO2019129915A1 - Intelligent defense and filtering platform for network traffic - Google Patents

Intelligent defense and filtering platform for network traffic

Info

Publication number
WO2019129915A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
network packets
features
computer
packets
Prior art date
Application number
PCT/FI2017/050953
Other languages
English (en)
Inventor
Mehrnoosh Monshizadeh
Kimmo HÄTÖNEN
Vikramajeet Khatri
Original Assignee
Nokia Solutions And Networks Oy
Priority date
Filing date
Publication date
Application filed by Nokia Solutions And Networks Oy
Priority to EP17832511.4A (EP3732844A1)
Priority to PCT/FI2017/050953 (WO2019129915A1)
Publication of WO2019129915A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L 63/1416 Event detection, e.g. attack signature detection
                            • H04L 63/1425 Traffic logging, e.g. anomaly detection
                        • H04L 63/1433 Vulnerability analysis
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
                • G06N 20/00 Machine learning
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 18/00 Pattern recognition
                    • G06F 18/20 Analysing
                        • G06F 18/24 Classification techniques
                            • G06F 18/243 Classification techniques relating to the number of classes
                                • G06F 18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection

Definitions

  • IoT Internet of Things
  • the protocol analyzer component functions to filter the network packets and identify suspected protocols. For certain suspected attacks, such as DoS (denial of service) attacks, the protocol analyzer forwards the filtered packets to a linear algorithm. For other suspected attacks, the protocol analyzer forwards the filtered packets to a combination of a linear algorithm and a learning algorithm.
  • the linear algorithm initially defines whether the packets are safe or unsafe regardless of the suspected attack type, then extracts the features of the suspected attack and provides them to the learning algorithm.
  • the learning algorithm compares the extracted features against known attack features and classifies the suspected attack as either known or unknown, then outputs this information to the validator and database component.
  • the disclosed embodiments are directed to a computer-based system for detecting a cyber-attack on a communication network.
  • the system comprises at least one processor and at least one memory connected to the at least one processor, the at least one memory having a plurality of processing components stored therein.
  • the at least one memory and the plurality of processing components are configured to, with the at least one processor, cause the system at least to perform the plurality of the processing components.
  • the plurality of the processing components comprises a protocol analyzer component configured to receive a plurality of network packets from a computing device via the communication network.
  • the plurality of processing components further comprises a dynamic machine learning component configured to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic.
  • the dynamic machine learning component is further configured to perform an analysis of the one or more features of the network packets using at least one linear algorithm in conjunction with at least one learning algorithm and designate the network packets as suspicious traffic based on the analysis performed using the at least one linear algorithm in conjunction with the at least one learning algorithm.
  • the disclosed embodiments are directed to a computer-based system for detecting a cyber-attack on a communication network.
  • the system comprises one or more processors and one or more storage devices connected to the one or more processors, the one or more storage devices storing computer-readable instructions thereon.
  • the computer-readable instructions are executable by the one or more processors to cause the system to receive a plurality of network packets from a computing device via the communication network.
  • the computer-readable instructions are further executable by the one or more processors to cause the system to extract one or more features of the network packets, the one or more features of the network packets being sufficiently distinctive to allow a content of the network packets to be designated as suspicious traffic or non-suspicious traffic.
  • FIG. 1 illustrates an exemplary communication network equipped with an exemplary hybrid anomaly detection module (HADM) according to aspects of the disclosed embodiments;
  • HADM hybrid anomaly detection module
  • FIG. 3 illustrates an exemplary protocol analyzer module for an HADM according to aspects of the disclosed embodiments
  • FIG. 4 illustrates an exemplary dynamic machine learning module for an HADM according to aspects of the disclosed embodiments
  • FIG. 5 illustrates an exemplary threat validator and database storage module for an HADM according to aspects of the disclosed embodiments
  • a communication network 100 such as a mobile communication network, is shown equipped with an HADM according to disclosed embodiments.
  • the network 100 may be any current or soon-to-be available mobile network, such as 3G, 4G, 5G, cloud services and similar networks, that can provide online or Internet connectivity to computing devices.
  • computing devices are connected to the network 100 in the present example, such as a smartphone 102, a personal computer 104, as well as a personal communication device, one or more communication network equipment, one or more IoT devices, one or more sensor devices, one or more vehicles, and one or more smart household appliances, indicated generally at 106, or any combination thereof.
  • These computing devices 102, 104, and 106 may of course comprise any other computing device that is capable of transmitting to and receiving data packets from the communication network 100, for example over a mobile communication link 108, such as a cellular communication link.
  • the HADM focuses on one or more particular network protocols that are known or considered to be vulnerable to cyber-attacks over other protocols that are not considered vulnerable and therefore not typically used by cyber-attackers, such as streaming protocols. This allows the HADM to avoid burdening the at least one network server 110 with unnecessary computational load.
  • FIG. 2 shows an exemplary physical implementation of the at least one network server 110 having the HADM thereon.
  • This network server 110 may be any suitable computing system known to those having ordinary skill in the art, such as a high-end computer, workstation, main frame, circuitry, and the like.
  • Such a network server 110 typically comprises a bus 200 or other communication mechanism for transferring information within the network server 110 and one or more circuitries, such as one or more single or multi-core CPUs (Central Processing Unit) 202, such as field programmable gate arrays (FPGA), an AI (Artificial Intelligence) accelerator or a GPU (Graphics Processing Unit), or any combination thereof, coupled with the bus 200 for processing the information.
  • CPU Central Processing Unit
  • FPGA field programmable gate arrays
  • AI Artificial Intelligence
  • GPU Graphics Processing Unit
  • the network server 110 may also comprise a main memory 204, such as a random access memory (RAM) or other dynamic storage device coupled to the bus 200 for storing computer-readable instructions, such as one or more computer program product, to be executed by the CPU 202.
  • the main memory 204 may also be used for storing temporary variables or other intermediate information during execution of the instructions to be executed by the CPU 202.
  • the network server 110 may further comprise a read only memory (ROM) 206 or other static storage device coupled to the bus 200 for storing static information and instructions for the CPU 202.
  • ROM read only memory
  • a computer-readable storage device 208 such as a magnetic disk or optical disk, may be coupled to the bus 200 for storing information and instructions for the CPU 202.
  • Non-volatile media may comprise, for example, optical or magnetic disks, such as the storage device 208.
  • Volatile media may comprise dynamic memory, such as main memory 204.
  • Transmission media may comprise coaxial cables, copper wire and fiber optics, such as wires of the bus 200.
  • Transmission itself may take the form of acoustic or light waves, such as those generated during radio frequency (RF) and infrared (IR) data communications.
  • RF radio frequency
  • IR infrared
  • Common forms of computer-readable media may comprise, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, other magnetic medium, a CD ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc), other optical medium, a RAM (Random-access memory), a PROM (Programmable read-only memory), an EPROM (Erasable programmable read-only memory), a FLASH EPROM, other memory chip or cartridge, or any other medium from which a computer can read.
  • CD ROM Compact Disc Read-Only Memory
  • DVD Digital Versatile Disc
  • RAM Random-access memory
  • PROM Programmable read-only memory
  • EPROM Erasable programmable read-only memory
  • the CPU 202 may also be coupled via the bus 200 to a display 210, such as a liquid crystal display (LCD), cathode ray tube (CRT), and the like for displaying information to a user.
  • One or more input devices 212 such as alphanumeric and other keyboards, mouse, trackball, cursor direction keys, and so forth, may be coupled to the bus 200 for communicating information and command selections to the CPU 202.
  • a communication interface 214 provides two-way data communication between the network server 110 and other computers.
  • the communication interface 214 may be an integrated services digital network (ISDN) card or a modem used to provide a data communication connection to a corresponding type of communication line.
  • ISDN integrated services digital network
  • the communication interface 214 may be a local area network (LAN) card used to provide a data communication connection to a compatible LAN.
  • Wireless links may also be implemented via the communication interface 214.
  • the main function of the communication interface 214 is to send and receive electrical, electromagnetic, optical, or other signals that carry digital data streams representing various types of information.
  • an HADM 216 may also reside on the storage device 208.
  • the computer-readable instructions for the HADM 216 may then be executed by the CPU 202 and/or other components of the network server 110.
  • the HADM 216 has been expanded into several discrete blocks or modules representing operational phases, such as Phase 1, Phase 2, and Phase 3, each operational phase comprising a phase-specific processing component.
  • the first operational phase, Phase 1 is a protocol analyzer phase and comprises a protocol analyzer component 218, such as a protocol analyzer circuitry.
  • the second operational phase, Phase 2 is a dynamic machine learning phase and comprises a dynamic machine learning component 220, such as dynamic machine learning circuitry.
  • the third operational phase, Phase 3, is a validator and database phase and comprises a validator and database component 222, such as a validator and database circuitry.
  • circuitry may refer to one or more or all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry); (b) combinations of hardware circuits and software, such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (such as digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions); and (c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
  • hardware-only circuit implementations such as implementations in only analog and/or digital circuitry
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
  • Features and attributes of one or more suspected attacks that are considered to be distinctive are extracted and provided to the validator and database component 222, indicated generally at 230.
  • the extracted features and attributes 230 are compared against the expected output defined in the validator.
  • the packets that are sent using a non-vulnerable protocol, indicated generally at 228, are likewise validated by the validator and database component 222 in a similar manner.
  • the validation results are stored by the validator and database component 222 in a database and their attack features are provided as feedback 232 to the protocol analyzer component 218 and the dynamic machine learning component 220 for use in subsequent detections.
  • FIG. 3 illustrates an exemplary implementation of the protocol analyzer component 218 according to the disclosed embodiments.
  • the protocol analyzer component 218 uses one or more functional modules and/or circuitries to filter the network packets 224, such as a decision module and/or circuitry 300, a counter and prioritization module and/or circuitry 302, a feature extraction module and/or circuitry 304, a first learning algorithm module and/or circuitry 306 comprising a Learning Algorithm I, and a log file 308.
  • These functional modules and/or circuitries 300-308 operate in a manner that allows the protocol analyzer component 218 to focus on packets sent using a network protocol that is considered to be vulnerable to cyber-attacks.
  • the modules and/or circuitries 300-306 can be implemented in one or more circuitries and/or modules, in any combination.
  • Network packets 224 that are found to have been carried using a vulnerable protocol, indicated at 310, are forwarded by the decision module 300 to the counter and prioritization module 302.
  • the counter and prioritization module 302 prioritizes the vulnerable protocols with which the packets 310 were sent based on the number of times the protocol was used and a minimum occurrence threshold, n. For example, only protocols that have been used n times within a predefined time window (e.g., 1 hour, 1 day, etc.) are prioritized. Additionally, vulnerable protocols that are used more frequently are prioritized over vulnerable protocols that are used less frequently.
  • network packets 224 found not to have been carried using a vulnerable protocol, indicated at 314, may be considered safe and no further processing is needed.
  • these non-vulnerable protocol network packets 314 are forwarded by the decision module 300 to the feature extraction module 304 for further processing, as shown in the FIG. 3 example.
  • the feature extraction module 304 extracts features and attributes from the packets 314 and provides these features and attributes, indicated at 316, to the first learning algorithm 306 for analysis.
  • a network packet has a header and a payload. The header contains overhead information about the packet, the network service, and other transmission related information, while the payload contains the content carried by the packet.
  • the log file 308 operates as a repository for suspicious packets carried over vulnerable protocols.
  • the log file 308 records information about the packets, such as timestamp, packet size, IP header, and network layers (e.g., Ethernet, TCP, application layer, etc.). Every time the first learning algorithm module 306 detects a new vulnerable protocol, that protocol is recorded into the log file 308, which may then be accessed by the other modules in the protocol analyzer component 218 as needed.
  • the log file 308 also forwards any suspicious packets 318 to the validator and database component 222.
  • the decision module 400 receives suspicious packets 312 sent using a vulnerable protocol from the protocol analyzer component 218 and determines whether the packets were carried over UDP or TCP. Note that the function of the decision module 400 may also be implemented in the protocol analyzer component 218 instead of the dynamic machine learning component 220 in some embodiments. In either case, suspicious packets that were sent using UDP, indicated at 414, are forwarded to the first feature extraction module 402 for feature extraction.
  • the first feature extraction module 402 operates in the same or nearly the same manner as the feature extraction module 304 in the protocol analyzer module 218 to extract features and attributes of the suspicious packets and therefore will not be described in detail here. These features and attributes, indicated at 416, are provided to the first linear algorithm 404 for analysis.
  • since the packets that arrive at this module have already been identified as attack packets, if the packets do not exhibit features belonging to any of the already defined clusters, they are considered a new type of attack (N) and the second learning algorithm 412 creates a new cluster for the packets. In this way, the features of the new type of attack (N) may be added to the second learning algorithm 412 for subsequent detection.
  • the second learning algorithm 412 then forwards the labeled attack packets as malicious packets 432 to the validator and database component 222.
  • FIG. 7 is a flow chart 700, or portion thereof, outlining a high-level method that may be used to operate the HADM described herein.
  • the flow chart 700 begins with input of traffic in the form of network packets at block 702.
  • as the network packets arrive, they first go through a data normalization process at block 704, where the data in the packets undergo data conversion, data enrichment and data scaling operations.
  • data conversion converts data into a format that subsequent processes can understand, such as converting hexadecimal into decimal.
  • Data enrichment produces data elements by performing arithmetic and logical operations on the data in the packets.
  • Data scaling scales the data so that data fields have the same range of values and the variance among data fields is reduced.
  • the flow chart 700 proceeds to block 710, where the HADM undergoes testing using test data. Thereafter, the results of the testing are evaluated at block 712 to confirm the effectiveness and efficiency of the training from block 708.
  • blocks 832, 834, and 836 may be performed by a learning algorithm 838.
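
The counter and prioritization module 302 described above (only vulnerable protocols used at least n times within a predefined time window are prioritized, the more frequently used ones first) as an added Python example; this is not code from the patent, and the vulnerable-protocol set, the protocol names and the sample traffic are constructed assumptions:

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds
    protocol: str   # protocol label assigned by the decision module (300)
    size: int       # bytes; carried along for later feature extraction


class CounterAndPrioritizer:
    """Hypothetical stand-in for the counter and prioritization module (302).

    For every protocol in the (assumed, configurable) vulnerable set it keeps the
    arrival times seen inside a sliding window of `window` seconds and reports the
    protocols that reached the minimum occurrence threshold `n`, most frequent first.
    """

    def __init__(self, vulnerable: Set[str], n: int, window: float) -> None:
        self.vulnerable = vulnerable
        self.n = n
        self.window = window
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def decide(self, pkt: Packet) -> bool:
        """Decision module (300): True when the packet used a vulnerable protocol."""
        return pkt.protocol in self.vulnerable

    def observe(self, pkt: Packet) -> None:
        """Count a vulnerable-protocol packet; drop this protocol's entries older than the window."""
        if not self.decide(pkt):
            return  # non-vulnerable protocol (e.g. streaming): not counted here
        q = self._seen[pkt.protocol]
        q.append(pkt.ts)
        cutoff = pkt.ts - self.window
        while q and q[0] < cutoff:  # deque is time-ordered, so trimming from the left suffices
            q.popleft()

    def prioritized(self, now: float) -> List[Tuple[str, int]]:
        """Protocols used at least n times in [now - window, now], most frequent first."""
        cutoff = now - self.window
        ranked = []
        for proto, q in self._seen.items():
            # re-apply the cutoff: observe() only trims the deque of the protocol it just saw
            count = sum(1 for t in q if cutoff <= t <= now)
            if count >= self.n:
                ranked.append((proto, count))
        ranked.sort(key=lambda pc: (-pc[1], pc[0]))  # most frequent first, name breaks ties
        return ranked


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Constructed sample: n = 3 within a 1-hour window, three assumed-vulnerable protocols."""
    mod = CounterAndPrioritizer(vulnerable={"proto-A", "proto-B", "proto-C"}, n=3, window=3600.0)
    burst = [
        Packet(0, "proto-A", 120), Packet(10, "stream", 1400), Packet(20, "proto-B", 80),
        Packet(30, "proto-A", 90), Packet(40, "proto-B", 70), Packet(50, "proto-A", 100),
        Packet(60, "proto-C", 60), Packet(70, "proto-B", 65), Packet(80, "proto-A", 110),
    ]
    for pkt in burst:
        mod.observe(pkt)
    during = mod.prioritized(now=80.0)           # proto-A (4) and proto-B (3); proto-C is below n
    mod.observe(Packet(3700.0, "proto-B", 75))   # an hour later the burst has aged out
    later = mod.prioritized(now=3700.0)
    return {"during_burst": during, "an_hour_later": later}


if __name__ == "__main__":
    print(demo())
```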
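
The way the second learning algorithm 412 handles a new attack type (N), as an added example that is not code from the patent: a nearest-centroid clusterer in which a sample that fits no defined cluster opens a new one, so the next sample of that kind is recognised. The distance threshold `radius`, the cluster centroids and the feature vectors are constructed assumptions:

```python
import math
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class Cluster:
    label: str
    centroid: List[float]
    count: int = 1

    def distance(self, x: Sequence[float]) -> float:
        return math.dist(self.centroid, x)

    def absorb(self, x: Sequence[float]) -> None:
        """Running-mean update: the centroid moves toward the newly matched sample."""
        self.count += 1
        for i, v in enumerate(x):
            self.centroid[i] += (v - self.centroid[i]) / self.count


class AttackTypeClusterer:
    """Hypothetical stand-in for the second learning algorithm (412).

    Every input has already been judged an attack upstream, so the only question is
    whether it falls inside an already defined cluster (known type) or needs a new
    cluster (new type N). `radius` is an assumed distance threshold on scaled features.
    """

    def __init__(self, radius: float) -> None:
        self.radius = radius
        self.clusters: List[Cluster] = []
        self._new_types = 0

    def define(self, label: str, centroid: Sequence[float]) -> None:
        """Register a cluster for an attack type that is already known."""
        self.clusters.append(Cluster(label, list(centroid)))

    def classify(self, x: Sequence[float]) -> Tuple[str, bool]:
        """Return (cluster label, is_new_type) and learn from the sample either way."""
        best = min(self.clusters, key=lambda c: c.distance(x), default=None)
        if best is not None and best.distance(x) <= self.radius:
            best.absorb(x)  # known type: refine its centroid
            return best.label, False
        self._new_types += 1
        label = f"N{self._new_types}"
        # new type N gets its own cluster, so later samples of the same kind are recognised
        self.clusters.append(Cluster(label, list(x)))
        return label, True


def demo() -> List[Tuple[str, bool]]:
    """Constructed 3-feature vectors (already scaled to [0, 1]) and two pre-defined clusters."""
    clf = AttackTypeClusterer(radius=0.2)
    clf.define("dos", (0.9, 0.1, 0.95))
    clf.define("other-known", (0.6, 0.05, 0.2))
    samples = [
        (0.88, 0.12, 0.90),  # close to "dos"
        (0.30, 0.80, 0.10),  # far from both: becomes N1
        (0.32, 0.78, 0.12),  # close to the N1 centroid just created
    ]
    return [clf.classify(x) for x in samples]


if __name__ == "__main__":
    print(demo())
```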
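
The data normalization of block 704 (data conversion, data enrichment, data scaling, in that order) as an added example, not the patent's own code. The field names, hex values and derived fields are constructed assumptions; the payload is derived from the header/payload split noted above, and a field that is constant across the batch is the scaling edge case handled explicitly:

```python
from typing import Dict, List

Record = Dict[str, float]

# Constructed raw packet records: header fields as the hex strings a capture tool
# might emit. Field names and values are sample data, not from the patent.
RAW_PACKETS = [
    {"len": "0x05dc", "hdr_len": "0x14", "ttl": "0x40", "flags": "0x18"},
    {"len": "0x003c", "hdr_len": "0x14", "ttl": "0x80", "flags": "0x02"},
    {"len": "0x0200", "hdr_len": "0x28", "ttl": "0x40", "flags": "0x10"},
]

TCP_SYN, TCP_ACK = 0x02, 0x10  # flag bits used by the enrichment step


def convert(raw: Dict[str, str]) -> Record:
    """Data conversion: hexadecimal strings become decimal numbers."""
    return {k: float(int(v, 16)) for k, v in raw.items()}


def enrich(rec: Record) -> Record:
    """Data enrichment: derive fields by arithmetic and logical operations on the packet."""
    out = dict(rec)
    flags = int(rec["flags"])
    out["payload"] = rec["len"] - rec["hdr_len"]  # payload = packet length minus header
    out["payload_ratio"] = out["payload"] / rec["len"] if rec["len"] else 0.0
    out["syn_only"] = float(flags & TCP_SYN and not flags & TCP_ACK)  # logical op on flag bits
    return out


def scale(records: List[Record]) -> List[Record]:
    """Data scaling: min-max every field into [0, 1] so all fields share one range.

    A field that is constant across the batch has no spread to scale; it maps to 0.0
    instead of dividing by zero.
    """
    keys = records[0].keys()
    lo = {k: min(r[k] for r in records) for k in keys}
    hi = {k: max(r[k] for r in records) for k in keys}
    scaled = []
    for r in records:
        scaled.append({k: (r[k] - lo[k]) / (hi[k] - lo[k]) if hi[k] > lo[k] else 0.0 for k in keys})
    return scaled


def normalize(raw_packets: List[Dict[str, str]]) -> List[Record]:
    """The three normalization steps in the order the flow chart applies them."""
    return scale([enrich(convert(p)) for p in raw_packets])


if __name__ == "__main__":
    for row in normalize(RAW_PACKETS):
        print(row)
```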

Abstract

Systems and methods for detecting and preventing cyber-attacks on communication networks provide a hybrid anomaly detection module (HADM) that uses a combination of linear algorithms and learning algorithms. The linear algorithms filter and extract distinctive attributes and features of cyber-attacks, and the learning algorithms use these attributes and features to identify new types of cyber-attacks. The learning algorithms, which may be algorithms that use artificial neural networks (ANN), genetic algorithms (GA), extreme learning machines (ELM), self-organizing maps (SOM), multilayer perceptrons (MLP), or swarm intelligence (SI) and the like, have better detection accuracy when used in conjunction with linear algorithms, such as algorithms that employ a decision tree, a support vector machine, fuzzy logic, or the like. Using linear algorithms in conjunction with learning algorithms allows the HADM to achieve improved cyber-attack detection over existing solutions.

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP17832511.4A EP3732844A1 (fr) 2017-12-29 2017-12-29 Intelligent defense and filtering platform for network traffic
PCT/FI2017/050953 WO2019129915A1 (fr) 2017-12-29 2017-12-29 Intelligent defense and filtering platform for network traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2017/050953 WO2019129915A1 (fr) 2017-12-29 2017-12-29 Intelligent defense and filtering platform for network traffic

Publications (1)

Publication Number Publication Date
WO2019129915A1 true WO2019129915A1 (fr) 2019-07-04

Family

ID=61007714

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2017/050953 WO2019129915A1 (fr) 2017-12-29 2017-12-29 Intelligent defense and filtering platform for network traffic

Country Status (2)

Country Link
EP (1) EP3732844A1 (fr)
WO (1) WO2019129915A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111181930A (zh) * 2019-12-17 2020-05-19 中移(杭州)信息技术有限公司 DDoS attack detection method, apparatus, computer device and storage medium
CN113139598A (zh) * 2021-04-22 2021-07-20 湖南大学 Intrusion detection method and system based on an improved intelligent optimization algorithm
WO2021152262A1 (fr) * 2020-01-31 2021-08-05 Orange Method for monitoring data exchanged on a network and intrusion detection device
CN113242226A (zh) * 2021-05-05 2021-08-10 航天云网云制造科技(浙江)有限公司 Big-data-based intelligent network security situation prediction method
CN114866349A (zh) * 2022-07-06 2022-08-05 深圳市永达电子信息股份有限公司 Network information filtering method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113103535A (zh) * 2021-03-17 2021-07-13 贵州大学 Injection-molded part mold parameter optimization method based on GA-ELM-GA

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2139199A2 (fr) * 2008-06-27 2009-12-30 Juniper Networks, Inc. Dynamic policy provisioning in network security devices
US20110231564A1 (en) * 2000-09-25 2011-09-22 Yevgeny Korsunsky Processing data flows with a data flow processor
US8418249B1 (en) * 2011-11-10 2013-04-09 Narus, Inc. Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111181930A (zh) * 2019-12-17 2020-05-19 中移(杭州)信息技术有限公司 DDoS attack detection method, apparatus, computer device and storage medium
WO2021152262A1 (fr) * 2020-01-31 2021-08-05 Orange Method for monitoring data exchanged on a network and intrusion detection device
FR3106914A1 (fr) * 2020-01-31 2021-08-06 Orange Method for monitoring data exchanged on a network and intrusion detection device
CN113139598A (zh) * 2021-04-22 2021-07-20 湖南大学 Intrusion detection method and system based on an improved intelligent optimization algorithm
CN113139598B (zh) * 2021-04-22 2022-04-22 湖南大学 Intrusion detection method and system based on an improved intelligent optimization algorithm
CN113242226A (zh) * 2021-05-05 2021-08-10 航天云网云制造科技(浙江)有限公司 Big-data-based intelligent network security situation prediction method
CN114866349A (zh) * 2022-07-06 2022-08-05 深圳市永达电子信息股份有限公司 Network information filtering method
CN114866349B (zh) * 2022-07-06 2022-11-15 深圳市永达电子信息股份有限公司 Network information filtering method

Also Published As

Publication number Publication date
EP3732844A1 (fr) 2020-11-04

Similar Documents

Publication Publication Date Title
US11323481B2 (en) Classification of unknown network traffic
US11899786B2 (en) Detecting security-violation-associated event data
WO2019129915A1 (fr) Intelligent defense and filtering platform for network traffic
US11394728B2 (en) Associating a user identifier detected from web traffic with a client address
US8418249B1 (en) Class discovery for automated discovery, attribution, analysis, and risk assessment of security threats
US9426166B2 (en) Method and apparatus for processing finite automata
US9426165B2 (en) Method and apparatus for compilation of finite automata
CN113364752B (zh) Traffic anomaly detection method, detection device and computer-readable storage medium
US20230025946A1 (en) Network Attack Detection Method and Apparatus
Hatef et al. HIDCC: A hybrid intrusion detection approach in cloud computing
US20170034195A1 (en) Apparatus and method for detecting abnormal connection behavior based on analysis of network data
CN113497797B (zh) Anomaly detection method and apparatus for data transmitted through an ICMP tunnel
WO2019190403A1 (fr) Industrial control system firewall module
CN113518042B (zh) Data processing method, apparatus, device and storage medium
Vashishtha et al. HIDM: A hybrid intrusion detection model for cloud based systems
US11552986B1 (en) Cyber-security framework for application of virtual features
Shaikh et al. Advanced signature-based intrusion detection system
McLaren et al. Mining malware command and control traces
Schumacher et al. One-Class Models for Intrusion Detection at ISP Customer Networks
Lautert et al. Micro IDS: On-line recognition of denial-of-service attacks on IoT networks
Shaik et al. capsAEUL: Slow http DoS attack detection using autoencoders through unsupervised learning
Bahlali Anomaly-Based Network Intrusion Detection System: A Machine Learning Approach
Majed et al. Efficient and Secure Statistical Port Scan Detection Scheme
Lee et al. Malicious Traffic Compression and Classification Technique for Secure Internet of Things
US20220407871A1 (en) Massive vulnerable surface protection

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17832511; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
ENP Entry into the national phase (Ref document number: 2017832511; Country of ref document: EP; Effective date: 20200729)