CN108683658A - Industry control network Traffic Anomaly recognition methods based on more RBM network structions benchmark models - Google Patents
Industry control network Traffic Anomaly recognition methods based on more RBM network structions benchmark models Download PDFInfo
- Publication number
- CN108683658A CN108683658A CN201810449297.8A CN201810449297A CN108683658A CN 108683658 A CN108683658 A CN 108683658A CN 201810449297 A CN201810449297 A CN 201810449297A CN 108683658 A CN108683658 A CN 108683658A
- Authority
- CN
- China
- Prior art keywords
- data
- rbm
- network
- models
- model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 29
- 238000012549 training Methods 0.000 claims abstract description 41
- 238000001514 detection method Methods 0.000 claims abstract description 17
- 230000002159 abnormal effect Effects 0.000 claims abstract description 15
- 230000005856 abnormality Effects 0.000 claims description 23
- 238000000605 extraction Methods 0.000 claims description 12
- 238000012360 testing method Methods 0.000 claims description 10
- 230000005540 biological transmission Effects 0.000 claims description 9
- 230000002123 temporal effect Effects 0.000 claims description 6
- 239000012141 concentrate Substances 0.000 claims description 3
- 239000000284 extract Substances 0.000 claims description 3
- 230000005611 electricity Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 241001269238 Data Species 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000006243 chemical reaction Methods 0.000 description 2
- 238000013480 data collection Methods 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000005070 sampling Methods 0.000 description 2
- 230000002547 anomalous effect Effects 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000002474 experimental method Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000010606 normalization Methods 0.000 description 1
- 238000000547 structure data Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A kind of industry control network Traffic Anomaly recognition methods based on more RBM network structions benchmark models; feature is extracted from industry control network and generates training dataset; benchmark model is trained and obtains the abnormal data cluster that the industry control network normal baseline model comprising multiple RBM models and training data are concentrated; real-time network message assessment is carried out with industry control network normal baseline model, realizes Traffic anomaly detection;The present invention by the setting completion dimension whether dimensionality reduction and needs are reduced to of parameter and can have better robustness in inside, without the quantity for needing to cluster is set in advance, the case where being completed by the interrelated degree of model, more meet practical application.
Description
Technical field
The present invention relates to a kind of technologies of computer realm, and in particular to one kind being based on multiple RBM network structions benchmark moulds
Type, and according to the abnormality recognition method of benchmark model progress network flow.
Background technology
With the continuous variation of attack means, cannot network be protected to exempt from based on known attack feature attack detecting technology
It is attacked, carrying out attack detecting to network flow is highly desirable.Attacking network flow packet is made of the data on flows of magnanimity, this
A little datas on flows have recorded all activities and behavior of electric network terminal.By analyzing and integrating these network flow packets, Ke Yicong
Middle extraction feature, to find to attack.But due to network flow enormous amount, to reach attack recognition, must just reach real-time place
Reason is very high to the efficiency requirements of detection algorithm.Traditional network learning method and most of machine learning method often exist
It will appear awkward situation on the problem of handling this respect, for electricity grid network flow attacking detecting system, how efficiently,
High-precision these mass datas of processing are a huge challenges.
Invention content
The present invention proposes a kind of based on more RBM for the deficiency of prior art and the special circumstances of power grid industry control environment
The industry control network Traffic Anomaly recognition methods of network struction benchmark model, passes through the prison to industry control network flow quantity and time
Control, and then clusters out the benchmark model of industry control network flow, and then identifies each of industrial control equipment in industry control network by benchmark model
Kind working condition, therefrom finds out abnormality.
The present invention is achieved by the following technical solutions:
The present invention relates to a kind of industry control network Traffic Anomaly recognition methods based on more RBM network structions benchmark models, from
Feature is extracted in industry control network and generates training dataset, and benchmark model is trained and obtains including multiple RBM models
Industry control network normal baseline model and training data concentrate abnormal data cluster, with industry control network normal baseline model carries out reality
When network message assess, realize Traffic anomaly detection.
The training dataset, after carrying out feature extraction and merger according to the network characteristic of industry control network, with the period
Mark off the training data of aggregate of data form.
The network characteristic of the industry control network includes but not limited to:Pass through the front-collection machine or network of industry control network
Equipment from bypass copy packet.
The feature extraction refers to:According to industry control network data on flows transmit agreement, extract message transmissions time,
The features such as quantity, type carry out feature selecting, remove the high remaining feature in data set, the message characteristic after being extracted.
The merger refers to:The merger of feature is carried out according to the quantity for merging data on flows in period Ta.
The aggregate of data carries out the period stroke according to the flow transmission time of industry control network as cluster period Tb
Point, data set is divided into each aggregate of data.
The benchmark model includes at least one RBM networks, which is completed by inputting any data cluster
The update of the RBM network parameters and initial parameter of benchmark model is set at random passes through and receives the aggregates of data of different rules and complete RBM
The increase of the number networks.
The network parameter of the RBM networks includes but not limited to:Learning rate α, iterations n, visible layer with hide
Node layer number, root-mean-square error threshold value e, merge period Ta, Temporal Clustering cluster period Tb etc., wherein:Learning rate α
The range that parameter changes every time after being fed back for RBM models, learning rate is bigger, and it is faster to start convergent speed, but very
Difficulty converges to exact value;Iterations n is RBM network trainings to convergent number, in order to prevent RBM models over-fitting, therefore
Allow that there are certain errors;The node number of visible layer is determined that the node number of hidden layer is with drop by the feature of input data
The precision that dimension and convergence after dimension need is related, generally requires experiment and obtains reasonable set value;Root-mean-square error threshold value e refers to
Similarity degree between input data and existing RBM, root-mean-square error is bigger, and similarity degree is smaller, and the model after cluster is got over
It is few, but error is bigger;It refers to individual data after the industry control network feature extraction quantity within the time to merge period Ta
Merge, the flow transmission feature for characterizing the network segment short time;The cluster period Tb of Temporal Clustering refers in each RBM models
Period, wherein have multiple data for merging the period, flow transmission mode of the expression network segment in a period of time input and output.
The training refers to:It is all in test benchmark model by the benchmark model after aggregate of data input initialization
RBM benchmark models, the reconstruct for calculating the aggregate of data in benchmark model exports, and calculates reconstruct output and the square root of initial data
Error is improved training pattern parameter or is increased benchmark model, directly according to the size of distance between each model
To the training of all training datasets, the industry control network normal baseline model comprising multiple RBM models and training number are obtained
According to the abnormal data cluster of concentration.
Distance between the model, using but be not limited to square root error and characterized.
The abnormal data cluster refers to:According to each aggregate of data of the quantity set of the aggregate of data in RBM models after cluster
Abnormality degree, the quantity of aggregate of data is more in RBM models, illustrates that the model more meets network segment transportation law, corresponding aggregate of data
Abnormality degree is lower, which is exactly abnormal data.
The abnormality degree is the percentage of abnormal data in model, by the quantity of the aggregate of data in RBM models after clustering
It determines, the quantity of aggregate of data is more in RBM models, and corresponding RBM models abnormality degree is lower, and what it was characterized is the different of RBM models
Normal state.
It is described benchmark model increase refer to:When output data is all super at a distance from former data in training process
When crossing given threshold, then illustrates that the feature in the aggregate of data is misfitted with existing all RBM network modes and belong to new
Mode type, it is therefore desirable to create a RBM network and the aggregate of data is inputted in the RBM networks be trained and adjust network
This is finally created and the RBM networks after initializing is added in benchmark model by parameter.
The adjustment network parameter refers to:The RBM models for meeting preset abnormality degree detection threshold value are summarized, after summarizing
For RBM Models Sets more than one, Models Sets correspond to multiple RBM models, and the number of RBM models is K, and each RBM models correspond to oneself
Parameter and aggregate of data.
The former data:Data after feature extraction, data correspondence are referred to as weight before inputting RBM networks
The former data of structure output.
The abnormality degree detection threshold value is error of the RBM models with normal baseline model, and threshold value setting is smaller to be illustrated to miss
Difference is smaller, which is exactly normal baseline model.
The training pattern parameter is improved:When in training process output data at a distance from former data part in threshold
When being worth in range, the RBM Models Sets of selected distance minimum add the former data corresponding to the aggregate of data and enter corresponding benchmark model
Training dataset, while networks re -training RBM update model parameter.
When the training data of model concentrates overabundance of data, abandoned at random according to the data set data volume number being set in advance
Partial redundance data, the new data set of training simultaneously update corresponding benchmark model parameter.
The real-time network message is assessed:After network message is carried out feature extraction and merger, drawn with the period
It separates the detection data cluster of aggregate of data form and is input in industry control network normal baseline model, wherein all RBM moulds of test
Type simultaneously calculates the output data of the detection data cluster at a distance from former data, when distance is more than abnormality degree error amount, then detects
The corresponding network message of aggregate of data is exception message.
Technique effect
Compared with prior art, the technology of the present invention effect includes:
1) speed of service of real-time traffic is promoted, when a small when institute of the network of power grid industry control network setting
There is flow into fashionable, the update of the invention that abnormal identification and parameter can be completed within one minute;The present invention uses RBM nets
The structure of network, can be in inside by the setting completion dimension whether dimensionality reduction and needs are reduced to of parameter and due to the present invention
Can give up in the update of parameter and be associated with little data, keep data it is effective while avoid high remaining therefore wanted to hardware
Ask lower;
2) by RBM methods establish benchmark model have the characteristics that it is nonlinear so that industry control network of the present invention
Normal baseline model has better robustness, and multiple RBM are modeled it is possible to prevente effectively from different working condition is to data in addition
It influences, is conducive to hold more normal operating conditions, to more accurate identification abnormality.
3) present invention uses hierarchical clustering, without the quantity for needing to cluster is set in advance, passes through the interrelated journey of model
Degree is come the case where completing, more meet practical application.
Description of the drawings
Fig. 1 is that industry control network normal baseline model of the present invention builds flow chart automatically;
Fig. 2 is that the present invention is based on the anomalous traffic detection method flow charts of normal baseline model.
Specific implementation mode
The present embodiment operation object is the message data that the electricity consumption data of the daily uninterrupted sampling whole network segment samples, this reality
It applies example and uses 15 days data as the structure data of benchmark model based on the data dataset in certain setting network segment, message
Preceding 15 day data is set as benchmark model training data train_data in data, and rear 8 day data is test data test_
data。
As shown in Figure 1, acquiring the exception of flow for a kind of electricity consumption data in power grid industry control network that the present embodiment is related to
Detection method specifically includes following steps:
It is initialized before carry out method detects and sets some parameters, the data prediction described in method includes following
Partial content:The feature that data are determined according to afn, fn of message transmissions property in communication protocol extracts all data
Feature type obtains 97 kinds of message characteristics, according to the 97 of setting kinds of features come conversion data.Then according to sampling time interval 10
Minute carries out the merging (setting Ta=10mins, Tb=1hour) of message amount, is set as within every ten minutes a message transmissions
Data, when ten minutes no data transmissions be then all 0. finally by merging after data carry out min-max standardization normalization
Processing, by simply scaling, the value of each dimension of adjustment data to [0,1], the function of conversion and application is:X=(x-
min)/(max-min).Feature after normalized may be used for the input of K-RBM algorithms.
The RBM network parameters of Clustering Model are concurrently set, the visible layer node number in RBM networks is set as 96, because
The model for being input to RBM is 97 dimensions (the visible node layer of RBM models is since 0), and hidden layer node number is set as 11, study speed
Rate α=0.02, RBM model iterations are 1000 times, and RBM model root-mean-square errors are 0.03, the setting of Temporal Clustering period Tb
It is 1 hour.
Set cluster after RBM abnormality degrees as:When the RBM models aggregate of data all aggregates of data accounting be i%, then
Corresponding abnormality degree is 1-i%, and abnormality degree detection threshold value is 1%, and abnormality degree detection error value is 5%.
As shown in Figure 1, being as follows:
Step 1) is data={ x1, x2 ... xm } when sample sets of the train_data after above-mentioned pretreatment, each
Then data is carried out data cutting, Ta by sample characteristics classification xi={ t1, t2t97 } according to Temporal Clustering period Tb
It is to ensure RBM models while inputting multiple data segments, this multiple data segment represents time tranfer rule of the data on flows in Tb
Rule.The aggregate of data segmented can consider data_i, and (i=1,2 ... n), then total n segment datas cluster establishes benchmark mould by iteration
Type.
Step 2) first aggregate of data data_1 of training and the model parameter para_ for recording first aggregate of data RBM model
1, which is added to Models Sets R, is denoted as R1, para_2 is added to parameter set P, is denoted as P1, it will be each in aggregate of data
Data are added to model data collection D, are denoted as D1, and record cast number K is that 1. subsequent iteration seek benchmark model, and detailed process is such as
Under:
The parameter of all RBM models, is instructed when by model y in step 3) extraction aggregate of data data_j, test parameter collection P
The root mean square e errors of data and former data after white silk are less than RBM model root-mean-square errors, then state parameter collection stata_y=
Otherwise true is state_y=false, y is any one model in Models Sets.All state are verified, when all
False then illustrates that the aggregate of data does not meet all existing models, when existing pattern number is n, training data cluster data_j, and remembers
The RBM models are added to Models Sets R, Rn+1 are denoted as, by para_j by the model parameter para_j for recording aggregate of data RBM models
It is added to parameter set P, is denoted as Pn+1, each data in aggregate of data is added to model data collection D, are denoted as Dn+1, record cast
Number K is n+1;Work as presencestateFor true, then e_d=min (e) is sought, wherein d is corresponding model, then will be in data_j
Data are added to Dd, and training Dd simultaneously updates corresponding parameter Pd, in aggregate of data to corresponding model is added, as of aggregate of data
Number is more than 100, random discard cluster j when training, j random selections so that aggregate of data when training remains at 100.
Then the complete all data of step 4) iteration calculate the exception of each aggregate of data according to above-mentioned abnormality degree method
Degree for the RBM model extractions more than abnormality degree threshold value and is considered abnormal, is less than the RBM models setting of the threshold value of abnormality degree
On the basis of model, benchmark model may include multiple RBM models.
Step 5) reads test_data numbers as shown in Fig. 2, the validity that test benchmark model is applied in real time data
It is data_test={ x1, x2 ... xm } according to the test set after above-mentioned pretreatment, each sample characteristics classification xi=t1,
T2t97 }, it is aggregate of data that data_test is then carried out data cutting according to Temporal Clustering period Tb, reads number according to this
According to the data in cluster, the parameter of all RBM models in normal baseline model is tested, when there are scale models, then the hop count
Just meet normal baseline model according to cluster, which is also the normal message for meeting data transmission rule;When there is no less than different
The square root error of normal detection error degree then illustrates that the secondary message is exception message
In the present embodiment, in order to verify more RBM model constructions benchmark model performance and validity, in above-mentioned electricity
The dataset of net industry control network has done extensive analysis and assessment to method shown in the present invention, using this method it can be found that
Abnormal flow in power grid industry control network and the flow for not meeting proper network transportation law, specific accuracy are specific by power grid
Implementation environment is verified.
Above-mentioned specific implementation can by those skilled in the art under the premise of without departing substantially from the principle of the invention and objective with difference
Mode carry out local directed complete set to it, protection scope of the present invention is subject to claims and not by above-mentioned specific implementation institute
Limit, each implementation within its scope is by the constraint of the present invention.
Claims (10)
1. a kind of industry control network Traffic Anomaly recognition methods based on more RBM network structions benchmark models, which is characterized in that from work
Feature is extracted in control network and generates training dataset, and benchmark model is trained and is obtained comprising multiple RBM models
The abnormal data cluster that industry control network normal baseline model and training data are concentrated, is carried out in real time with industry control network normal baseline model
Network message is assessed, and realizes Traffic anomaly detection;
The benchmark model includes at least one RBM networks, which completes RBM nets by inputting any data cluster
The update of the network parameter and initial parameter of benchmark model is set at random passes through and receives the aggregates of data of different rules and complete RBM networks
The increase of quantity;
The network parameter of the RBM networks includes:Learning rate α, iterations n, visible layer and hidden layer node number,
Square error threshold value e, merge period Ta, Temporal Clustering cluster period Tb.
2. according to the method described in claim 1, the training refers to:By the benchmark model after aggregate of data input initialization
In, all RBM benchmark models in test benchmark model, the reconstruct for calculating the aggregate of data in benchmark model exports, and calculates weight
Structure exports the square root error with initial data, perfect to training pattern parameter according to the size of distance between each model
Or benchmark model is increased, until after the training of all training datasets, obtain the industry control for including multiple RBM models
The abnormal data cluster that network normal baseline model and training data are concentrated.
3. according to the method described in claim 1, the training dataset, feature is carried out according to the network characteristic of industry control network
After extraction and merger, the training data in the form of aggregate of data is marked off by the period.
4. according to the method described in claim 3, the feature extraction refers to:The association transmitted according to industry control network data on flows
View extracts the features such as time, quantity, the type of message transmissions and carries out feature selecting, removes the high remaining feature in data set, obtains
Message characteristic after extraction.
5. method according to claim 1 or 2, the abnormal data cluster refers to:According to the number in RBM models after cluster
According to the abnormality degree of each aggregate of data of the quantity set of cluster, the quantity of aggregate of data is more in RBM models, illustrates that the model more meets net
Section transportation law, corresponding aggregate of data abnormality degree is lower, which is exactly abnormal data;
The abnormality degree is the percentage of abnormal data in model, is determined by the quantity of the aggregate of data in RBM models after clustering,
The quantity of aggregate of data is more in RBM models, and corresponding RBM models abnormality degree is lower, and what it was characterized is the abnormal shape of RBM models
State.
6. according to the method described in claim 2, it is described to benchmark model carry out increase refer to:When exporting number in training process
According at a distance from former data all more than given threshold when, then illustrate feature in the aggregate of data and existing all RBM networks
Pattern misfits the mode type for belonging to new, it is therefore desirable to create a RBM network and the aggregate of data is inputted the RBM nets
Network parameter is trained and adjusted in network, and finally this is created and the RBM networks after initializing are added in benchmark model.
7. according to the method described in claim 6, the adjustment network parameter refers to:Preset abnormality degree detection threshold will be met
The RBM models of value summarize, and are RBM Models Sets more than one after summarizing, and Models Sets correspond to multiple RBM models, and the number of RBM models is
K, each RBM models correspond to the parameter and aggregate of data of oneself.
8. according to the method described in claim 2, the training pattern parameter is improved refers to:When output data in training process
With when part is in threshold range at a distance from former data, the RBM Models Sets of selected distance minimum add corresponding to the aggregate of data
Former data enter the training dataset of corresponding benchmark model, while the networks re -training RBM, update model parameter.
9. according to the method described in claim 8, when model training data concentrate overabundance of data when, according to the number being set in advance
Partial redundance data are abandoned at random according to collection data volume number, and the new data set of training simultaneously updates corresponding benchmark model parameter.
10. according to the method described in claim 1, the real-time network message assessment refers to:Network message is subjected to feature
After extraction and merger, the detection data cluster in the form of aggregate of data is marked off by the period and is input to industry control network normal baseline model
In, wherein all RBM models of test and calculate the output data of the detection data cluster at a distance from original data, when distance is more than
When abnormality degree error amount, then the corresponding network message of detection data cluster is exception message.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810449297.8A CN108683658B (en) | 2018-05-11 | 2018-05-11 | Industrial control network flow abnormity identification method based on multi-RBM network construction reference model |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810449297.8A CN108683658B (en) | 2018-05-11 | 2018-05-11 | Industrial control network flow abnormity identification method based on multi-RBM network construction reference model |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108683658A true CN108683658A (en) | 2018-10-19 |
| CN108683658B CN108683658B (en) | 2020-11-03 |
Family
ID=63805500
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810449297.8A Active CN108683658B (en) | 2018-05-11 | 2018-05-11 | Industrial control network flow abnormity identification method based on multi-RBM network construction reference model |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108683658B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110098959A (en) * | 2019-04-23 | 2019-08-06 | 广东技术师范大学 | Modeling method, device, system and the storage medium of industry control protocol interaction behavior |
| CN111832647A (en) * | 2020-07-10 | 2020-10-27 | 上海交通大学 | Abnormal flow detection system and method |
| CN113343587A (en) * | 2021-07-01 | 2021-09-03 | 国网湖南省电力有限公司 | Flow abnormity detection method for electric power industrial control network |
| CN114666075A (en) * | 2020-12-08 | 2022-06-24 | 上海交通大学 | Distributed network anomaly detection method and system based on depth feature coarse coding |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106453416A (en) * | 2016-12-01 | 2017-02-22 | 广东技术师范学院 | Detection method of distributed attack intrusion based on deep belief network |
| CN107241358A (en) * | 2017-08-02 | 2017-10-10 | 重庆邮电大学 | A kind of smart home intrusion detection method based on deep learning |
| US20180032862A1 (en) * | 2016-07-29 | 2018-02-01 | Splunk, Inc. | Automated anomaly detection for event-based system |
| CN107679859A (en) * | 2017-07-18 | 2018-02-09 | 中国银联股份有限公司 | A kind of Risk Identification Method and system based on Transfer Depth study |
-
2018
- 2018-05-11 CN CN201810449297.8A patent/CN108683658B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20180032862A1 (en) * | 2016-07-29 | 2018-02-01 | Splunk, Inc. | Automated anomaly detection for event-based system |
| CN106453416A (en) * | 2016-12-01 | 2017-02-22 | 广东技术师范学院 | Detection method of distributed attack intrusion based on deep belief network |
| CN107679859A (en) * | 2017-07-18 | 2018-02-09 | 中国银联股份有限公司 | A kind of Risk Identification Method and system based on Transfer Depth study |
| CN107241358A (en) * | 2017-08-02 | 2017-10-10 | 重庆邮电大学 | A kind of smart home intrusion detection method based on deep learning |
Non-Patent Citations (1)
| Title |
|---|
| 逯玉婧: "基于深度信念网络的入侵检测算法研究", 《中国优秀硕士学位论文全文数据库(电子期刊)》 * |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110098959A (en) * | 2019-04-23 | 2019-08-06 | 广东技术师范大学 | Modeling method, device, system and the storage medium of industry control protocol interaction behavior |
| CN110098959B (en) * | 2019-04-23 | 2021-11-16 | 广东技术师范大学 | Industrial control protocol interactive behavior modeling method, device, system and storage medium |
| CN111832647A (en) * | 2020-07-10 | 2020-10-27 | 上海交通大学 | Abnormal flow detection system and method |
| CN114666075A (en) * | 2020-12-08 | 2022-06-24 | 上海交通大学 | Distributed network anomaly detection method and system based on depth feature coarse coding |
| CN113343587A (en) * | 2021-07-01 | 2021-09-03 | 国网湖南省电力有限公司 | Flow abnormity detection method for electric power industrial control network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108683658B (en) | 2020-11-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111798312B (en) | Financial transaction system anomaly identification method based on isolated forest algorithm | |
| CN108768946B (en) | Network intrusion detection method based on random forest algorithm | |
| CN108683658A (en) | Industry control network Traffic Anomaly recognition methods based on more RBM network structions benchmark models | |
| CN109034194B (en) | Transaction fraud behavior deep detection method based on feature differentiation | |
| CN107067324A (en) | A kind of utilization network packet capturing data realize the method and system of transaction risk control | |
| CN111191767A (en) | Vectorization-based malicious traffic attack type judgment method | |
| CN109766435A (en) | The recognition methods of barrage classification, device, equipment and storage medium | |
| CN109951462A (en) | A kind of application software Traffic anomaly detection system and method based on holographic modeling | |
| CN106681980B (en) | A kind of refuse messages analysis method and device | |
| Nuiaa et al. | Evolving Dynamic Fuzzy Clustering (EDFC) to Enhance DRDoS_DNS Attacks Detection Mechnism. | |
| CN105446954A (en) | Project duplicate checking method for science and technology big data | |
| Chen et al. | An efficient network intrusion detection model based on temporal convolutional networks | |
| WO2016106944A1 (en) | Method for creating virtual human on mapreduce platform | |
| CN110059126B (en) | LKJ abnormal value data-based complex correlation network analysis method and system | |
| CN115795285A (en) | Abnormal data detection and monitoring method based on CUSUM type variable point statistics | |
| CN113256438B (en) | Role identification method and system for network user | |
| Chu et al. | Exploiting spatial-temporal behavior patterns for fraud detection in telecom networks | |
| CN112422546A (en) | Network anomaly detection method based on variable neighborhood algorithm and fuzzy clustering | |
| CN114124437B (en) | Encrypted flow identification method based on prototype convolutional network | |
| CN107977727B (en) | Method for predicting blocking probability of optical cable network based on social development and climate factors | |
| CN111241145A (en) | Self-healing rule mining method and device based on big data | |
| CN110348005A (en) | Distribution net equipment status data processing method, device, computer equipment and medium | |
| CN116633589A (en) | Malicious account detection method, device and storage medium in social network | |
| CN112561538B (en) | Risk model creation method, apparatus, computer device and readable storage medium | |
| CN110071845A (en) | The method and device that a kind of pair of unknown applications are classified |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |