CN110149315A - Abnormal network traffic detection method, readable storage medium and terminal
- Publication number
- CN110149315A (application number CN201910336725.0A)
- Authority
- CN
- China
- Prior art keywords
- network traffic
- abnormal network
- external parameter
- frequency signal
- abnormal
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An abnormal network traffic detection method, a readable storage medium and a terminal. The method comprises: constructing an abnormal network traffic classification model using external parameter data of abnormal network traffic; and detecting abnormal network traffic in network traffic using the constructed abnormal network traffic classification model. The scheme can improve the accuracy of abnormal network traffic detection.
Description
Technical field
The invention belongs to the technical field of network security, and in particular relates to an abnormal network traffic detection method, a readable storage medium and a terminal.
Background
Network traffic anomaly detection monitors whether the working state of a network is healthy and is of great significance for ensuring the normal operation of a network system.
Among the high-risk vulnerabilities recorded in the National Information Security Vulnerability Sharing Platform (CNVD), cross-site scripting (XSS), SQL injection and denial-of-service attacks have become the primary attack methods against domestic Internet facilities. In the OWASP Top 10, the report of the ten major categories of web application security threats determined after expert review, covering the largest and most widely exploited vulnerabilities of current web applications, XSS attacks and injection attacks have always ranked near the top of the threats that need attention.
However, network traffic detection methods in the prior art cannot accurately detect abnormal network traffic within network traffic, which seriously threatens network security.
Summary of the invention
The technical problem solved by the present invention is how to improve the accuracy of abnormal network traffic detection.
To achieve the above object, the present invention provides an abnormal network traffic detection method, the method comprising:
constructing an abnormal network traffic classification model using external parameter data of abnormal network traffic;
detecting abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
Optionally, constructing the abnormal network traffic classification model using the external parameters of abnormal network traffic comprises:
extracting the external parameter data of abnormal network traffic;
labelling the extracted external parameter data of abnormal network traffic with an anomaly type;
generating a corresponding external parameter numerical sequence from the extracted external parameter data and the corresponding anomaly type labels;
extracting energy feature data of the external parameter numerical sequence;
training on the extracted energy feature data to obtain the abnormal network traffic classification model.
Optionally, extracting the energy feature data of the external parameter numerical sequence comprises:
analyzing the external parameter numerical sequence to obtain the period of the external parameter numerical sequence;
dividing the external parameter numerical sequence into a corresponding plurality of subsequences, using the size of the period as the sliding window together with a preset sliding step;
performing wavelet decomposition on each subsequence to obtain the corresponding energy feature data.
Optionally, the energy feature data include the low-frequency signal energy, the low-frequency signal energy ratio, the first to fifth layer high-frequency signal energies, and the high-frequency signal energy ratios.
Optionally, the low-frequency signal energy, the low-frequency signal energy ratio, the first to fifth layer high-frequency signal energies and the high-frequency signal energy ratios are respectively calculated using the following formulas:
where $E_{a5}$ denotes the energy of the low-frequency signal $a_5$, $E_{dj}$ denotes the energy of the $j$-th layer high-frequency signal $d_j$, $ER_{a5}$ denotes the energy ratio of the low-frequency signal $a_5$, and $ER_{dj}$ denotes the energy ratio of the $j$-th layer high-frequency signal $d_j$.
Optionally, the external parameter data include the packet length and the URL length of abnormal network traffic.
Optionally, the anomaly type labels include an injection-type abnormal traffic label and an XSS-type abnormal traffic label.
Optionally, the abnormal network traffic classification model is an SVM classifier.
An embodiment of the present invention also provides a computer-readable storage medium on which computer instructions are stored, the computer instructions, when run, executing the steps of the abnormal network traffic detection method described in any of the above.
An embodiment of the present invention also provides a terminal, including a memory and a processor, the memory storing computer instructions that can run on the processor, the processor, when running the computer instructions, executing the steps of the abnormal network traffic detection method described in any of the above.
Optionally, the abnormal network traffic classification model is an SVM classifier.
Compared with the prior art, the beneficial effects of the invention are as follows:
In the above scheme, an abnormal network traffic classification model is constructed using the external parameter data of abnormal network traffic, and the constructed model is used to detect abnormal network traffic in network traffic. Because external parameter data are used to detect the abnormal network traffic, the effect on network traffic detection of subjective human error and slow knowledge updates can be overcome, and the accuracy of abnormal network traffic detection can be improved.
Description of the drawings
To explain the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Evidently, the drawings described below are only some examples of the present application; a person of ordinary skill in the art can obtain other drawings from them without any creative effort.
Fig. 1 is a flow diagram of an abnormal network traffic detection method in an embodiment of the present invention;
Fig. 2 is a flow diagram of another abnormal network traffic detection method in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the low-frequency and high-frequency decomposition of a subsequence using a wavelet function in an embodiment of the present invention;
Fig. 4 is a schematic diagram of dividing the external parameter numerical sequence into subsequences using a sliding window in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the multi-layer decomposition of a signal using wavelet analysis in an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of an abnormal network traffic detection device in an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Evidently, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the present application without creative effort fall within the scope of protection of the present application. Directional indications in the embodiments of the present invention (such as up, down, left, right, front and back) are only used to explain the relative positions and movements of the components in a particular pose (as shown in the drawings); if that pose changes, the directional indication changes accordingly.
As stated in the background, detection of abnormal traffic in the prior art is generally based on human experience. Even algorithms that detect automatically are generally based on prior knowledge, for example rule matching or threshold matching against a pre-established rule base. These methods all rest on human knowledge and may be affected by subjective human error and slow knowledge updates. They therefore suffer from low detection accuracy.
In the technical solution of the present invention, an abnormal network traffic classification model is constructed using the external parameter data of abnormal network traffic, and the constructed model is used to detect abnormal network traffic in network traffic. Because external parameter data are used to detect the abnormal network traffic, the effect on network traffic detection of subjective human error and slow knowledge updates can be overcome, and the accuracy of abnormal network traffic detection can be improved.
To make the above objects, features and beneficial effects of the present invention clearer and easier to understand, specific embodiments of the invention are described in detail below with reference to the drawings.
Fig. 1 is a flow diagram of an abnormal network traffic detection method of an embodiment of the present invention. Referring to Fig. 1, an abnormal network traffic detection method may specifically include the following steps:
Step S101: construct an abnormal network traffic classification model using the external parameter data of abnormal network traffic.
In a specific implementation, the external parameter data are external parameter data of abnormal network traffic packets and do not involve the content of those packets.
Step S102: detect abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
In a specific implementation, once the corresponding abnormal network traffic classification model has been constructed, network traffic can be input into the model to detect abnormal network traffic.
In the above scheme, an abnormal network traffic classification model is constructed using the external parameter data of abnormal network traffic, and the constructed model is used to detect abnormal network traffic in network traffic. Because external parameter data are used to detect the abnormal network traffic, the accuracy of abnormal network traffic detection can be improved.
The abnormal network traffic detection method in the embodiment of the present invention is described in further detail below with reference to Fig. 2.
Step S201: extract the external parameter data of abnormal network traffic, and label the extracted external parameter data with an anomaly type.
In an embodiment of the present invention, the extracted external parameter data include the packet length and the uniform resource locator (URL) length of abnormal network traffic packets.
In a specific implementation, when the volume of purely abnormal network traffic is small, in order to fully mine the features of abnormal network traffic, the sources of abnormal network traffic may include purely abnormal network traffic and mixed network traffic that contains both normal and abnormal network traffic.
In an embodiment of the present invention, both the purely abnormal network traffic and the mixed network traffic take the form of pcap packets. When extracting external parameters from purely abnormal network traffic, the scapy module of Python can be used to parse the pcap packets and extract the corresponding external parameters. According to the abnormal network traffic type information in the anomaly number field of the corresponding alarm log, the extracted external parameters are then tagged with the corresponding abnormal network traffic type label, such as an injection-type abnormal traffic label or an XSS-type abnormal traffic label.
In mixed network traffic, abnormal network traffic accounts for only a very small part, so to reduce the workload the normal network traffic in the mixed traffic is filtered out first. In an embodiment of the present invention, the K-nearest-neighbour (KNN) algorithm is used to filter out the normal network traffic in the mixed network traffic. When the KNN algorithm is used for this filtering, the parameter K needs to be optimized. In an embodiment of the present invention, a grid search algorithm is used to optimize K, and the K value finally selected is 3.
Step S202: generate the corresponding external parameter numerical sequence from the extracted external parameter data and the corresponding anomaly type labels.
In a specific implementation, external parameter extraction and type labelling yield numerical sequences of packet length and URL length together with the corresponding type labels. The external parameters of each extracted item of abnormal network traffic data and the corresponding abnormal network traffic type labels are then arranged in order, which gives the corresponding external parameter numerical sequence.
Step S203: extract the energy feature data of the external parameter numerical sequence.
In a specific implementation, when extracting the energy feature data of the external parameter numerical sequence, the sequence can first be regarded as a signal. In an embodiment of the present invention, the Haar wavelet function is used to perform wavelet decomposition on the signal formed by the external parameter numerical sequence and to extract the corresponding energy feature data.
To obtain a sufficient number of feature groups from a long sequence, subsequences of a certain length need to be extracted from it. In an embodiment of the present invention, this requirement is met by setting a sliding window. For a sequence T of length m and a target threshold w, a sliding window of length w is passed over T to obtain (m × w)+1 subsequences. To obtain enough feature vector groups for the subsequent classifier to learn from, the external parameter numerical sequence is first given a preliminary analysis to obtain its rough period. The obtained period is then used as the sliding window, the window is moved by a preset sliding step (for example 1), and the numerical sequence inside each window position is taken as one subsequence, so that the external parameter numerical sequence is divided into the corresponding (m × w)+1 subsequences. Finally, one group of feature vectors is extracted from each subsequence.
In an embodiment of the present invention, when the window slides to the end of the data and not enough data remain, the sequence is joined end to end to form a cyclic sequence. Referring to Fig. 3, suppose there are 4 data items, 1, 2, 3 and 4, with a sliding window of 3 and a step of 1. The sequence corresponding to data item 1 is then 1, 2, 3, the sequence corresponding to data item 2 is 2, 3, 4, and so on; each time, wavelet decomposition is applied to the sequence in the grey box and features are extracted. A feature vector is thus constructed for every data item.
Referring to Fig. 4, low-frequency features need to be extracted to analyze the overall characteristics of a traffic anomaly, and high-frequency features need to be extracted to distinguish two different traffic anomalies. In practice, when the Haar wavelet function is used to decompose the signal formed by an obtained subsequence, an appropriate number of decomposition layers usually has to be selected based on the characteristics of the signal or on a suitable criterion. In Fig. 4, H1 and G1 are the coefficients of the high-pass filter and the low-pass filter respectively. Passing the signal formed by the subsequence through the high-pass filter and the low-pass filter performs the wavelet decomposition, so that the numerical sequence is decomposed into a low-frequency approximation $C_{0,k}$ and a high-frequency detail $d_{0,k}$; the 2 at the arrow indicates that the order of the filter is 2. Referring to Fig. 5, the inventors found that when the external parameter numerical sequence, i.e. the signal, is decomposed, the first-layer high-frequency component cD1 already shows the details adequately, and the high-frequency waveform does not change after further layers of decomposition; the low-frequency components cA1, cA2, cA3 and cA4 are decomposed successively, and by the time the fifth-layer high-frequency component cD5 is reached it contains only a single sample. Therefore, in an embodiment of the present invention, the energy feature data extracted from each subsequence include the low-frequency signal energy, the low-frequency signal energy ratio, the first to fifth layer high-frequency signal energies, and the high-frequency signal energy ratios. The energy ratio is the ratio of the energy of the low-frequency signal a5, and of each high-frequency signal d1, d2, ..., d5, to the total energy. They can be respectively calculated using the following formulas:
where $E_{a5}$ denotes the energy of the low-frequency signal $a_5$, $E_{dj}$ denotes the energy of the $j$-th layer high-frequency signal $d_j$, $ER_{a5}$ denotes the energy ratio of the low-frequency signal $a_5$, and $ER_{dj}$ denotes the energy ratio of the $j$-th layer high-frequency signal $d_j$.
Step S204: train on the extracted energy feature data to obtain the abnormal network traffic classification model.
In a specific implementation, once the energy feature data of all subsequences have been extracted, the extracted energy feature data can be used for training to obtain the corresponding abnormal network traffic classification model. In an embodiment of the present invention, the abnormal network traffic classification model is a support vector machine (SVM) classifier.
When the energy feature data of the subsequences are used to train the SVM classifier, an indirect algorithm may be used.
In the training and optimization of the SVM classifier, the choice of kernel function is considered first. The Gaussian radial basis function is a kernel with strong locality; it can map samples into a higher-dimensional space, which is the key reason it is the most widely used. It performs relatively well on both large and small samples, and it has fewer parameters than the polynomial kernel, so in most cases, when it is not known which kernel to use, the Gaussian kernel is preferred.
Training the SVM model involves two very important parameters, cost and gamma. Cost can generally be chosen as $10^t$, t = -4, -3, ..., 3, 4. The larger the cost, the heavier the penalty on misclassified examples, but this may lead to overfitting of the model. Gamma is a parameter that comes with the radial basis function (RBF); once the RBF function is selected as the SVM kernel, the value of this parameter naturally has to be considered. The distribution of the data after mapping into the new high-dimensional feature space is implicitly determined by this function. The value of gamma determines the number of support vectors, and the number of support vectors affects the speed of training and prediction, so, like cost, the value of gamma must be weighed carefully. Its default value is the reciprocal of the class number n_features; in an embodiment of the present invention, gamma is 0.5.
Step S205: detect abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
In a specific implementation, when the constructed abnormal network traffic classification model is used to inspect network traffic, the external parameter data are first extracted from the network traffic to be inspected and the energy features of the extracted external parameter data are calculated; these energy features are then input into the abnormal network traffic classification model, which detects and identifies the abnormal network traffic.
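The feature extraction of step S203, as an added example that is not part of the patent text: cyclic sliding windows over a URL-length sequence, a five-layer Haar decomposition, and the twelve energy features per subsequence. The autocorrelation period estimate, the sum-of-squares energy definition, the requirement that the window length be a multiple of 32, and all function names and sample values are assumptions.

```python
import math

LEVELS = 5  # the page decomposes to low-frequency a5 and high-frequency d1..d5


def estimate_period(seq, min_lag=2):
    """Rough period: smallest lag with maximal circular autocorrelation.
    The page only says the sequence is analysed; this method is an assumption."""
    n = len(seq)
    mean = sum(seq) / n
    c = [x - mean for x in seq]
    best_lag, best_r = min_lag, -math.inf
    for lag in range(min_lag, n // 2 + 1):
        r = sum(c[i] * c[(i + lag) % n] for i in range(n))
        if r > best_r + 1e-9:  # strict comparison: ties keep the smaller lag
            best_lag, best_r = lag, r
    return best_lag


def cyclic_windows(seq, window, step=1):
    """One subsequence per start position; when the tail runs short the
    sequence is joined end to end, as in the page's cyclic sequence."""
    n = len(seq)
    return [[seq[(s + k) % n] for k in range(window)] for s in range(0, n, step)]


def haar_decompose(signal, levels=LEVELS):
    """Orthonormal Haar DWT; returns (a_levels, [d1, ..., d_levels])."""
    if len(signal) == 0 or len(signal) % (2 ** levels):
        raise ValueError("window length must be a positive multiple of 2**levels")
    approx, details = [float(v) for v in signal], []
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        details.append([(x - y) / math.sqrt(2) for x, y in pairs])  # high-pass
        approx = [(x + y) / math.sqrt(2) for x, y in pairs]         # low-pass
    return approx, details


def energy(coeffs):
    """Energy as the sum of squared coefficients (assumed definition; the
    page's own formulas are missing from the extracted text)."""
    return sum(v * v for v in coeffs)


def energy_features(window):
    """[E_a5, E_d1..E_d5, ER_a5, ER_d1..ER_d5] for one subsequence."""
    a5, details = haar_decompose(window)
    energies = [energy(a5)] + [energy(d) for d in details]
    total = sum(energies)
    ratios = [e / total if total else 0.0 for e in energies]
    return energies + ratios


def build_dataset(values, labels, window, step=1):
    """Pair the feature vector of the window starting at item i with label i,
    so that every data item gets its own feature vector."""
    wins = cyclic_windows(values, window, step)
    starts = range(0, len(values), step)
    return [(energy_features(w), labels[s]) for w, s in zip(wins, starts)]


# Constructed sample: URL lengths with period 32 plus a burst of long URLs
# labelled "xss" (values and labels are made up for this example).
URL_LENGTHS = [40 + (7 * i) % 32 for i in range(128)]
LABELS = ["injection"] * 128
for i in range(60, 68):
    URL_LENGTHS[i] += 400
    LABELS[i] = "xss"

if __name__ == "__main__":
    clean = [40 + (7 * i) % 32 for i in range(128)]
    period = estimate_period(clean)
    data = build_dataset(URL_LENGTHS, LABELS, window=period)
    for feats, label in (data[0], data[60]):
        print(label, [round(f, 3) for f in feats[6:]])  # energy ratios only
```

Each feature vector is what steps S204 and S205 would pass to the RBF-kernel SVM (gamma 0.5 in the embodiment); training is left out so the block needs only the standard library.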
The abnormal network traffic detection method in the embodiment of the present invention has been described in detail above; the device corresponding to the method is introduced below.
Fig. 6 shows a structural schematic diagram of an abnormal network traffic detection device in an embodiment of the present invention. Referring to Fig. 6, an abnormal network traffic detection device 60 may include a model construction unit 601 and a traffic detection unit 602, in which:
The model construction unit 601 is adapted to construct an abnormal network traffic classification model using the external parameter data of abnormal network traffic. In an embodiment of the present invention, the external parameter data include the packet length and the URL length of abnormal network traffic. In another embodiment of the invention, the abnormal network traffic classification model is an SVM classifier.
The traffic detection unit 602 is adapted to detect abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
In an embodiment of the present invention, the model construction unit 602 is adapted to extract the external parameter data of abnormal network traffic; label the extracted external parameter data with an anomaly type; generate the corresponding external parameter numerical sequence from the extracted external parameter data and the corresponding anomaly type labels; extract the energy feature data of the external parameter numerical sequence; and train on the extracted energy feature data to obtain the abnormal network traffic classification model. In an embodiment of the present invention, the anomaly type labels include an injection-type abnormal traffic label and an XSS-type abnormal traffic label.
In another embodiment of the invention, the model construction unit 602 is adapted to analyze the external parameter numerical sequence to obtain its period; divide the external parameter numerical sequence into a corresponding plurality of subsequences, using the size of the period as the sliding window together with a preset sliding step; and perform wavelet decomposition on each subsequence to obtain the corresponding energy feature data.
In still another embodiment, the energy feature data extracted by the model construction unit 602 include the low-frequency signal energy, the low-frequency signal energy ratio, the first to fifth layer high-frequency signal energies, and the high-frequency signal energy ratios.
In yet another embodiment of the invention, the model construction unit 602 is adapted to calculate the low-frequency signal energy, the low-frequency signal energy ratio, the first to fifth layer high-frequency signal energies and the high-frequency signal energy ratios using the following formulas respectively:
where $E_{a5}$ denotes the energy of the low-frequency signal $a_5$, $E_{dj}$ denotes the energy of the $j$-th layer high-frequency signal $d_j$, $ER_{a5}$ denotes the energy ratio of the low-frequency signal $a_5$, and $ER_{dj}$ denotes the energy ratio of the $j$-th layer high-frequency signal $d_j$.
An embodiment of the present invention also provides a computer-readable storage medium on which computer instructions are stored, the computer instructions, when run, executing the steps of the abnormal network traffic detection method. For the abnormal network traffic detection method, refer to the detailed description in the preceding sections; it is not repeated here.
An embodiment of the present invention also provides a terminal, including a memory and a processor, the memory storing computer instructions that can run on the processor, the processor, when running the computer instructions, executing the steps of the abnormal network traffic detection method. For the abnormal network traffic detection method, refer to the detailed description in the preceding sections; it is not repeated here.
With the above scheme in the embodiments of the present invention, an abnormal network traffic classification model is constructed using the external parameter data of abnormal network traffic, and the constructed model is used to detect abnormal network traffic in network traffic. Because external parameter data are used to detect the abnormal network traffic, the effect on network traffic detection of subjective human error and slow knowledge updates can be overcome, and the accuracy of abnormal network traffic detection can therefore be improved.
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited to the above embodiments; the above embodiments and the description only illustrate the principles of the invention. Various changes and improvements may be made to the invention without departing from its spirit and scope. The scope of protection claimed by the present invention is defined by the appended claims, the specification and their equivalents.
Claims (10)
1. An abnormal network traffic detection method, characterized by comprising:
constructing an abnormal network traffic classification model using external parameter data of abnormal network traffic;
detecting abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
2. The abnormal network traffic detection method according to claim 1, characterized in that constructing the abnormal network traffic classification model using the external parameters of abnormal network traffic comprises:
extracting the external parameter data of abnormal network traffic;
labelling the extracted external parameter data of abnormal network traffic with an anomaly type;
generating a corresponding external parameter numerical sequence from the extracted external parameter data and the corresponding anomaly type labels;
extracting energy feature data of the external parameter numerical sequence;
training on the extracted energy feature data to obtain the abnormal network traffic classification model.
3. The abnormal network traffic detection method according to claim 2, characterized in that extracting the energy feature data of the external parameter numerical sequence comprises:
analyzing the external parameter numerical sequence to obtain the period of the external parameter numerical sequence; dividing the external parameter numerical sequence into a corresponding plurality of subsequences, using the size of the period as the sliding window together with a preset sliding step;
performing wavelet decomposition on each subsequence to obtain the corresponding energy feature data.
4. The abnormal network traffic detection method according to claim 3, characterized in that the energy feature data include the low-frequency signal energy, the low-frequency signal energy ratio, the first to fifth layer high-frequency signal energies, and the high-frequency signal energy ratios.
5. The abnormal network traffic detection method according to claim 4, characterized in that the low-frequency signal energy, the low-frequency signal energy ratio, the first to fifth layer high-frequency signal energies and the high-frequency signal energy ratios are respectively calculated using the following formulas:
where $E_{a5}$ denotes the energy of the low-frequency signal $a_5$, $E_{dj}$ denotes the energy of the $j$-th layer high-frequency signal $d_j$, $ER_{a5}$ denotes the energy ratio of the low-frequency signal $a_5$, and $ER_{dj}$ denotes the energy ratio of the $j$-th layer high-frequency signal $d_j$.
6. The abnormal network traffic detection method according to any one of claims 1-5, characterized in that the external parameter data include the packet length and the URL length of abnormal network traffic.
7. The abnormal network traffic detection method according to claim 6, characterized in that the anomaly type labels include an injection-type abnormal traffic label and an XSS-type abnormal traffic label.
8. The abnormal network traffic detection method according to claim 7, characterized in that the abnormal network traffic classification model is an SVM classifier.
9. A computer-readable storage medium on which computer instructions are stored, characterized in that the computer instructions, when run, execute the steps of the abnormal network traffic detection method according to any one of claims 1 to 8.
10. A terminal, characterized by including a memory and a processor, the memory storing computer instructions that can run on the processor, the processor, when running the computer instructions, executing the steps of the abnormal network traffic detection method according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910336725.0A CN110149315A (en) | 2019-04-24 | 2019-04-24 | Abnormal network traffic detection method, readable storage medium storing program for executing and terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910336725.0A CN110149315A (en) | 2019-04-24 | 2019-04-24 | Abnormal network traffic detection method, readable storage medium storing program for executing and terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110149315A true CN110149315A (en) | 2019-08-20 |
Family
ID=67594391
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910336725.0A Pending CN110149315A (en) | 2019-04-24 | 2019-04-24 | Abnormal network traffic detection method, readable storage medium storing program for executing and terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110149315A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106713371A (en) * | 2016-12-08 | 2017-05-24 | 中国电子科技网络信息安全有限公司 | Fast Flux botnet detection method based on DNS anomaly mining |
CN109391599A (en) * | 2017-08-10 | 2019-02-26 | 蓝盾信息安全技术股份有限公司 | A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis |
Non-Patent Citations (1)
Title |
---|
ZHEN DU et al.: "Network Traffic Anomaly Detection Based on Wavelet Analysis", 《2018 IEEE 16TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING RESEARCH, MANAGEMENT AND APPLICATIONS (SERA)》 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112866185A (en) * | 2019-11-28 | 2021-05-28 | 海信集团有限公司 | Network traffic monitoring device and abnormal traffic detection method |
CN113472721A (en) * | 2020-03-31 | 2021-10-01 | 华为技术有限公司 | Network attack detection method and device |
CN113472721B (en) * | 2020-03-31 | 2022-12-06 | 华为技术有限公司 | Network attack detection method and device |
CN111626322A (en) * | 2020-04-08 | 2020-09-04 | 中南大学 | Application activity identification method of encrypted flow based on wavelet transformation |
CN111626322B (en) * | 2020-04-08 | 2024-01-05 | 中南大学 | Application activity recognition method for encrypted traffic based on wavelet transformation |
CN111614576A (en) * | 2020-06-02 | 2020-09-01 | 国网山西省电力公司电力科学研究院 | Network data traffic identification method and system based on wavelet analysis and support vector machine |
CN112329713A (en) * | 2020-11-25 | 2021-02-05 | 恩亿科(北京)数据科技有限公司 | Network flow abnormity online detection method, system, computer equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110149315A (en) | Abnormal network traffic detection method, readable storage medium storing program for executing and terminal | |
CN113792453B (en) | Digital twinning-based partial discharge monitoring system, method and device | |
Gao et al. | A Novel Deep Convolutional Neural Network Based on ResNet‐18 and Transfer Learning for Detection of Wood Knot Defects | |
Liu et al. | An adaptive detection of multilevel co-location patterns based on natural neighborhoods | |
CN114338195B (en) | Web flow anomaly detection method and device based on improved isolated forest algorithm | |
Cheng et al. | Anomaly detection for internet of things time series data using generative adversarial networks with attention mechanism in smart agriculture | |
CN112148305B (en) | Application detection method, device, computer equipment and readable storage medium | |
CN102291392A (en) | Hybrid intrusion detection method based on bagging algorithm | |
CN113269228B (en) | Method, device and system for training graph network classification model and electronic equipment | |
CN111626311B (en) | Heterogeneous graph data processing method and device | |
CN114124460B (en) | Industrial control system intrusion detection method and device, computer equipment and storage medium | |
CN106121622A (en) | A kind of Multiple faults diagnosis approach of Dlagnosis of Sucker Rod Pumping Well based on indicator card | |
CN109948604A (en) | Recognition methods, device, electronic equipment and the storage medium of irregular alignment text | |
CN115660262B (en) | Engineering intelligent quality inspection method, system and medium based on database application | |
CN113746780A (en) | Abnormal host detection method, device, medium and equipment based on host image | |
CN110149317A (en) | Abnormal network traffic detection device | |
CN112888008B (en) | Base station abnormality detection method, device, equipment and storage medium | |
CN109918901A (en) | The method that real-time detection is attacked based on Cache | |
CN112966728A (en) | Transaction monitoring method and device | |
CN115757987B (en) | Method, device, equipment and medium for determining companion object based on track analysis | |
CN115186772B (en) | Method, device and equipment for detecting partial discharge of power equipment | |
CN110472416A (en) | A kind of web virus detection method and relevant apparatus | |
CN113079168B (en) | Network anomaly detection method and device and storage medium | |
CN115314267A (en) | Monitoring method for dealing with webpage faults and webpage bugs | |
Wang et al. | Application of data denoising and classification algorithm based on RPCA and multigroup random walk random forest in engineering |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190820 |