CN109510811A - Intrusion detection method, device and storage medium based on data packet - Google Patents


Info

Publication number: CN109510811A
Authority: CN (China)
Prior art keywords: sample, data packet, training, feature, sample set
Legal status: Granted (Active)
Application number: CN201811144177.3A
Other languages: Chinese (zh)
Other versions: CN109510811B (en)
Inventors: 龙春, 魏金侠, 赵静, 杨帆
Current Assignee: Computer Network Information Center of CAS
Original Assignee: Computer Network Information Center of CAS
Application filed by: Computer Network Information Center of CAS
Events: publication of CN109510811A; application granted; publication of CN109510811B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/2148 Generating training patterns; Bootstrap methods, e.g. bagging or boosting characterised by the process organisation or structure, e.g. boosting cascade
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The embodiments of the invention disclose a data-packet-based intrusion detection method, device and storage medium, relating to the field of network security. The method comprises: during intrusion detection, dividing the data flow into data packets; generating a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample; taking the training packet sample set as input, training to obtain a strong classifier, the strong classifier being composed of multiple base classifiers; constructing an intrusion detection model based on the strong classifier; taking the test packet sample set as input, testing the intrusion detection model and obtaining a test result, the test result including a normal state and an abnormal state. The invention can improve the performance of intrusion detection.

Description

Intrusion detection method, device and storage medium based on data packet
Technical field
The present invention relates to the field of network security, and in particular to a data-packet-based intrusion detection method, device and storage medium.
Background
With the continuous development of network security technology, intrusion detection has become a growing concern.
Most existing intrusion detection methods detect on the basis of individual data flows. When these methods are applied directly to the detection of sustained attacks (multiple consecutive abnormal flows), they cannot accurately reflect the network security status in real time. For example, when detecting a DDoS attack, the intrusion behavior cannot be detected by analyzing only a single data flow. Moreover, for sustained attacks, detecting continuously, one flow at a time, also reduces the performance of the algorithm to some extent.
Summary of the invention
The embodiments of the present invention provide a data-packet-based intrusion detection method, device and storage medium, which can solve the problem of low intrusion detection performance.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:
In a first aspect, an embodiment of the present invention provides a data-packet-based intrusion detection method, comprising:
during intrusion detection, dividing the data flow into data packets;
generating a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
taking the training packet sample set as input, training to obtain a strong classifier, the strong classifier being composed of multiple base classifiers;
constructing an intrusion detection model based on the strong classifier;
taking the test packet sample set as input, testing the intrusion detection model and obtaining a test result, the test result including a normal state and an abnormal state.
With reference to the first aspect, in a first possible implementation of the first aspect, generating the training packet sample set and the test packet sample set based on the data packets comprises:
performing feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
performing a distance transformation on each normalized sample feature;
performing mapping processing on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
based on the feature vector corresponding to each sample, selecting multiple samples from the samples as training packet samples to obtain the training packet sample set; and selecting multiple samples from the samples as test packet samples to obtain the test packet sample set.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, performing feature normalization on each sample feature in the data packet comprises:
obtaining the data packet matrix according to the formula, wherein the data packet consists of m samples, each sample consists of n features, $x_i = (x_{i1}, x_{i2}, \dots, x_{in})$, $i = 1, \dots, m$ is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample;
performing a feature normalization transformation on the data packet matrix according to the formula, wherein X is the normalized sample features, with all elements taking values in [0, 1].
With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect, performing the distance transformation on each normalized sample feature comprises:
performing the distance transformation according to the formula, wherein the formula gives the feature distance function between $x_{ak}$ and $x_{bk}$, $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix X, and $\tau = \{D_1, D_2, \dots, D_n\}$ is the distance matrix of the n features of each sample.
With reference to the first possible implementation of the first aspect, in a fourth possible implementation of the first aspect, performing mapping processing on each distance-transformed sample feature to obtain the feature vector corresponding to each sample comprises:
constructing a 1 × r dimensional vector, wherein
performing feature mapping according to the formula, wherein p is the dimension of z and 0 ≤ i ≤ b-1.
With reference to the first aspect, in a fifth possible implementation of the first aspect, taking the training packet sample set as input and training to obtain the strong classifier comprises:
performing a sampling operation based on the Bagging approach;
adjusting the number of samples obtained by sampling, based on the AdaBoost iterative algorithm;
training to obtain the strong classifier according to the samples corresponding to the number of samples obtained by sampling.
In a second aspect, an embodiment of the present invention provides a data-packet-based intrusion detection device, comprising:
a division module, configured to divide the data flow into data packets during intrusion detection;
a generation module, configured to generate a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
a training module, configured to take the training packet sample set as input and train to obtain a strong classifier, the strong classifier being composed of multiple base classifiers;
a construction module, configured to construct an intrusion detection model based on the strong classifier;
a test module, configured to take the test packet sample set as input, test the intrusion detection model and obtain a test result, the test result including a normal state and an abnormal state.
With reference to the second aspect, in a first possible implementation of the second aspect, the generation module comprises:
a normalization submodule, configured to perform feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
a distance transformation submodule, configured to perform a distance transformation on each normalized sample feature;
a mapping submodule, configured to perform mapping processing on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
a selection submodule, configured to select, based on the feature vector corresponding to each sample, multiple samples from the samples as training packet samples to obtain the training packet sample set, and to select multiple samples from the samples as test packet samples to obtain the test packet sample set.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect,
the normalization submodule is configured to obtain the data packet matrix according to the formula, wherein the data packet consists of m samples, each sample consists of n features, $x_i = (x_{i1}, x_{i2}, \dots, x_{in})$, $i = 1, \dots, m$ is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample; and to perform a feature normalization transformation on the data packet matrix according to the formula, wherein X is the normalized sample features, with all elements taking values in [0, 1].
With reference to the first possible implementation of the second aspect, in a third possible implementation of the second aspect,
the distance transformation submodule is configured to perform the distance transformation according to the formula, wherein the formula gives the feature distance function between $x_{ak}$ and $x_{bk}$, $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix X, and $\tau = \{D_1, D_2, \dots, D_n\}$ is the distance matrix of the n features of each sample.
With reference to the first possible implementation of the second aspect, in a fourth possible implementation of the second aspect,
the mapping submodule is configured to construct a 1 × r dimensional vector, and to perform feature mapping according to the formula, wherein p is the dimension of z and 0 ≤ i ≤ b-1.
With reference to the second aspect, in a fifth possible implementation of the second aspect,
a sampling submodule, configured to perform a sampling operation based on the Bagging approach;
an adjustment submodule, configured to adjust the number of samples obtained by sampling, based on the AdaBoost iterative algorithm;
a training submodule, configured to train to obtain the strong classifier according to the samples corresponding to the number of samples obtained by sampling.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, characterized in that the steps of the method provided in the first aspect are implemented when the program is executed by a processor.
The data-packet-based intrusion detection method, device and storage medium provided by the embodiments of the present invention divide the data flow into data packets during intrusion detection; generate a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample; take the training packet sample set as input and train to obtain a strong classifier, the strong classifier being composed of multiple base classifiers; construct an intrusion detection model based on the strong classifier; and take the test packet sample set as input, test the intrusion detection model and obtain a test result, the test result including a normal state and an abnormal state. This can improve the precision of intrusion detection, improve the recall rate and the F-score during intrusion detection, and reduce the FPR (False Positive Rate), thereby improving the performance of intrusion detection.
Brief description of the drawings
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of the data-packet-based intrusion detection method of an embodiment of the present invention;
Fig. 2 is another flow diagram of the data-packet-based intrusion detection method of an embodiment of the present invention;
Fig. 3 is a structural schematic diagram of the data-packet-based intrusion detection device of an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the generation module of an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of the training module of an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of the data-packet-based intrusion detection device 600 of an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
One embodiment of the present invention provides a data-packet-based intrusion detection method. As shown in Fig. 1, the method includes:
101. During intrusion detection, the data flow is divided into data packets.
102. A training packet sample set and a test packet sample set are generated based on the data packets.
The training packet sample set includes at least one training sample, and the test packet sample set includes at least one test packet sample.
103. Taking the training packet sample set as input, a strong classifier is obtained by training.
The strong classifier is composed of multiple base classifiers.
104. An intrusion detection model is constructed based on the strong classifier.
105. Taking the test packet sample set as input, the intrusion detection model is tested and a test result is obtained.
The test result includes a normal state and an abnormal state.
Compared with the prior art, the embodiment of the present invention can improve the precision of intrusion detection, improve the recall rate and the F-score during intrusion detection, and reduce the FPR (False Positive Rate), thereby improving the performance of intrusion detection.
A further embodiment of the present invention provides a data-packet-based intrusion detection method. As shown in Fig. 2, the method includes:
201. During intrusion detection, the data flow is divided into data packets.
202. Feature normalization is performed on each sample feature in the data packet.
The data packet includes multiple samples, and each sample includes multiple sample features.
203. A distance transformation is performed on each normalized sample feature.
Optionally, step 203 may be: obtaining the data packet matrix according to the formula, wherein the data packet consists of m samples, each sample consists of n features, $x_i = (x_{i1}, x_{i2}, \dots, x_{in})$, $i = 1, \dots, m$ is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample; and performing a feature normalization transformation on the data packet matrix according to the formula, wherein X is the normalized sample features, with all elements taking values in [0, 1].
204. Mapping processing is performed on each distance-transformed sample feature to obtain the feature vector corresponding to each sample.
Optionally, step 204 may be: performing the distance transformation according to the formula, wherein the formula gives the feature distance function between $x_{ak}$ and $x_{bk}$, $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix X, and $\tau = \{D_1, D_2, \dots, D_n\}$ is the distance matrix of the n features of each sample.
205. Based on the feature vector corresponding to each sample, multiple samples are selected from the samples as training packet samples to obtain the training packet sample set, and multiple samples are selected from the samples as test packet samples to obtain the test packet sample set.
Optionally, step 205 may be: constructing a 1 × r dimensional vector, and performing feature mapping according to the formula, wherein p is the dimension of z and 0 ≤ i ≤ b-1.
206. Taking the training packet sample set as input, a strong classifier is obtained by training.
The strong classifier is composed of multiple base classifiers.
Optionally, step 206 may include: performing a sampling operation based on the Bagging approach; adjusting the number of samples obtained by sampling, based on the AdaBoost iterative algorithm; and training to obtain the strong classifier according to the samples corresponding to the number of samples obtained by sampling.
207. An intrusion detection model is constructed based on the strong classifier.
208. Taking the test packet sample set as input, the intrusion detection model is tested and a test result is obtained.
The test result includes a normal state and an abnormal state.
Compared with the prior art, the embodiment of the present invention can improve the precision of intrusion detection, improve the recall rate and the F-score during intrusion detection, and reduce the FPR (False Positive Rate), thereby improving the performance of intrusion detection.
The following are experimental data obtained by executing the data-packet-based intrusion detection method provided by the embodiment of the present invention on a computer running Windows 7 with 8GB RAM and an Intel(R) Core(TM) i7-4720HQ [email protected]. The matrix transformation in the data packet representation, the classifier training and the integration are implemented in Python.
To illustrate the performance of the proposed intrusion detection model, Precision (P), Recall (R), False Positive Rate (FPR) and F-Score are selected as the evaluation indexes of the proposed model. The evaluation indexes are as follows:
Precision: P=TP/ (TP+FP)
Recall rate: R=TP/ (TP+FN)
False positive rate: FPR=FP/ (FP+TN)
F-value: the harmonic mean of recall and precision, which can be used as a statistical criterion for assessing model performance. The higher the F-Score, the better the performance of the model.
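The training step (Bagging sampling adjusted by AdaBoost) and the evaluation indexes P, R, FPR and F-Score are shown working together in the following added example, which is not code from the patent. Assumptions, since the patent's formulas are not reproduced on this page: min-max normalization, absolute difference as the feature distance, the mean pairwise distance as the mapping, a decision stump in place of the SVM base classifier, weight-biased bootstrap resampling as the reading of the Bagging/AdaBoost step, and constructed (duration, bytes) flows.

```python
import math
import random
from itertools import combinations

def fit_bounds(packets):
    """Per-feature (min, max) over all training flows, for scaling to [0, 1]."""
    flows = [f for p in packets for f in p]
    return [(min(c), max(c)) for c in zip(*flows)]

def packet_vector(packet, bounds):
    """Assumed transforms: min-max scale each feature, then map the packet to
    the mean pairwise absolute distance between its flows, per feature."""
    vec = []
    for k, (lo, hi) in enumerate(bounds):
        col = [min(1.0, max(0.0, (f[k] - lo) / (hi - lo))) for f in packet]
        pairs = list(combinations(col, 2))
        vec.append(sum(abs(a - b) for a, b in pairs) / len(pairs))
    return vec

def train_stump(X, y):
    """Base classifier (stand-in for the SVM): a one-feature threshold rule."""
    best = None
    for k in range(len(X[0])):
        vals = sorted({row[k] for row in X})
        for thr in ((a + b) / 2 for a, b in zip(vals, vals[1:])):
            for sign in (1, -1):
                err = sum((sign if row[k] < thr else -sign) != yi
                          for row, yi in zip(X, y))
                if best is None or err < best[0]:
                    best = (err, k, thr, sign)
    return best[1:]

def stump_predict(stump, row):
    k, thr, sign = stump
    return sign if row[k] < thr else -sign

def train_strong(X, y, rounds=5, seed=7):
    """Each round: bootstrap draw biased by the AdaBoost weights, fit a base
    classifier on the draw, then re-weight the samples it got wrong."""
    rng = random.Random(seed)
    n = len(X)
    w = [1.0 / n] * n
    ensemble = []
    for _ in range(rounds):
        while True:
            idx = rng.choices(range(n), weights=w, k=n)
            if len({y[i] for i in idx}) == 2:  # need both classes to fit
                break
        stump = train_stump([X[i] for i in idx], [y[i] for i in idx])
        pred = [stump_predict(stump, row) for row in X]
        err = sum(wi for wi, p, yi in zip(w, pred, y) if p != yi)
        err = min(max(err, 1e-10), 1 - 1e-10)  # keep the log finite
        alpha = 0.5 * math.log((1 - err) / err)
        w = [wi * math.exp(-alpha * yi * p) for wi, yi, p in zip(w, y, pred)]
        total = sum(w)
        w = [wi / total for wi in w]
        ensemble.append((alpha, stump))
    return ensemble

def strong_predict(ensemble, row):
    """Weighted vote of the base classifiers: +1 abnormal, -1 normal."""
    score = sum(a * stump_predict(s, row) for a, s in ensemble)
    return 1 if score > 0 else -1

def evaluate(y_true, y_pred):
    """P, R, FPR and F-Score as defined in the text above."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == 1 and p == 1 for t, p in pairs)
    fp = sum(t == -1 and p == 1 for t, p in pairs)
    fn = sum(t == 1 and p == -1 for t, p in pairs)
    tn = sum(t == -1 and p == -1 for t, p in pairs)
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    f = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": prec, "recall": rec, "fpr": fpr, "f_score": f}

# Constructed flows as (duration_ms, bytes); not real traffic.
def normal_packet(i):  # five flows that differ widely from one another
    return [(10 + (20 + i) * j, 200 + (150 + 10 * i) * j) for j in range(5)]

def flood_packet(i):   # five near-identical flows, as in a sustained flood
    return [(50 + j % 2 + i, 500 + 2 * j + i) for j in range(5)]

def run_demo():
    train = [normal_packet(i) for i in range(6)] + [flood_packet(i) for i in range(6)]
    y_train = [-1] * 6 + [1] * 6
    bounds = fit_bounds(train)
    model = train_strong([packet_vector(p, bounds) for p in train], y_train)
    straddling = flood_packet(0)[:2] + normal_packet(0)[::2]  # spans attack onset
    polling = [(30, 300 + j) for j in range(5)]               # benign, uniform flows
    test = ([flood_packet(i) for i in (7, 8, 9)] + [straddling]
            + [normal_packet(i + 0.5) for i in range(5)] + [polling])
    y_test = [1] * 4 + [-1] * 6
    y_pred = [strong_predict(model, packet_vector(p, bounds)) for p in test]
    return evaluate(y_test, y_pred)

if __name__ == "__main__":
    print(run_demo())
```

The two errors in the constructed test set are a packet whose window straddles the start of the flood (missed) and benign polling traffic whose flows are uniform (flagged), so packet boundaries and periodic benign traffic both need attention when tuning a detector of this kind.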
The performance comparison results of the packet-representation SVM and the other three SVMs on test data sets A, B, C and D are shown in Tables 1 to 4, and the average comparison results are shown in Table 5. In the tables, the packet-representation SVM refers to the scheme of the present invention, and the other three data-transformation-type SVMs refer, respectively, to inputting the feature-normalized data packet samples into the classifier, inputting the feature-distance-transformed data packet samples into the classifier, and inputting the mapping-transformed data packet samples into the classifier.
Table 1. Performance comparison of the packet-representation SVM with the other three data-transformation-type SVMs on test data set A
Table 2. Performance comparison of the packet-representation SVM with the other three data-transformation-type SVMs on test data set B
Table 3. Performance comparison of the packet-representation SVM with the other three data-transformation-type SVMs on test data set C
Table 4. Performance comparison of the packet-representation SVM with the other three data-transformation-type SVMs on test data set D
Table 5. Average performance comparison of the packet-representation SVM with the other three data-transformation-type SVMs
The results in Tables 1 to 4 show that the SVM based on packet representation is better than the SVMs based on the other three existing common types of data set representation, proving that, compared with the prior art, the embodiment of the present invention can improve the precision of intrusion detection, improve the recall rate and the F-score during intrusion detection, and reduce the FPR, thereby improving the performance of intrusion detection.
A further embodiment of the present invention provides a data-packet-based intrusion detection device. As shown in Fig. 3, the device includes:
a division module 31, configured to divide the data flow into data packets during intrusion detection;
a generation module 32, configured to generate a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
a training module 33, configured to take the training packet sample set as input and train to obtain a strong classifier, the strong classifier being composed of multiple base classifiers;
a construction module 34, configured to construct an intrusion detection model based on the strong classifier;
a test module 35, configured to take the test packet sample set as input, test the intrusion detection model and obtain a test result, the test result including a normal state and an abnormal state.
Further, as shown in Fig. 4, the generation module 32 includes:
a normalization submodule 3201, configured to perform feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
a distance transformation submodule 3202, configured to perform a distance transformation on each normalized sample feature;
a mapping submodule 3203, configured to perform mapping processing on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
a selection submodule 3204, configured to select, based on the feature vector corresponding to each sample, multiple samples from the samples as training packet samples to obtain the training packet sample set, and to select multiple samples from the samples as test packet samples to obtain the test packet sample set.
The normalization submodule 3201 is configured to obtain the data packet matrix according to the formula, wherein the data packet consists of m samples, each sample consists of n features, $x_i = (x_{i1}, x_{i2}, \dots, x_{in})$, $i = 1, \dots, m$ is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample; and to perform a feature normalization transformation on the data packet matrix according to the formula, wherein X is the normalized sample features, with all elements taking values in [0, 1].
The distance transformation submodule 3202 is configured to perform the distance transformation according to the formula, wherein the formula gives the feature distance function between $x_{ak}$ and $x_{bk}$, $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix X, and $\tau = \{D_1, D_2, \dots, D_n\}$ is the distance matrix of the n features of each sample.
The mapping submodule 3203 is configured to construct a 1 × r dimensional vector, and to perform feature mapping according to the formula, wherein p is the dimension of z and 0 ≤ i ≤ b-1.
Further, as shown in Fig. 5, the training module 33 includes:
a sampling submodule 3301, configured to perform a sampling operation based on the Bagging approach;
an adjustment submodule 3302, configured to adjust the number of samples obtained by sampling, based on the AdaBoost iterative algorithm;
a training submodule 3303, configured to train to obtain the strong classifier according to the samples corresponding to the number of samples obtained by sampling.
Compared with the prior art, the embodiment of the present invention can improve the precision of intrusion detection, improve the recall rate and the F-score during intrusion detection, and reduce the FPR (False Positive Rate), thereby improving the performance of intrusion detection.
An embodiment of the present invention also provides another computer-readable storage medium. The computer-readable storage medium may be the computer-readable storage medium included in the memory in the above embodiment; it may also be a computer-readable storage medium that exists separately and is not assembled into a terminal. The computer-readable storage medium stores one or more programs, and the one or more programs are used by one or more processors to execute the data-packet-based intrusion detection method provided by the embodiments shown in Fig. 1 and Fig. 2.
The data-packet-based intrusion detection device provided by the embodiment of the present invention can implement the method embodiments provided above. For the specific function implementation, refer to the description in the method embodiments; details are not repeated here. The data-packet-based intrusion detection method, device and storage medium provided by the embodiments of the present invention are applicable to intrusion detection, but are not limited to this.
As shown in fig. 6, the invasion detecting device 600 based on data packet can be mobile phone, computer, digital broadcasting end End, messaging devices, game console, tablet device, personal digital assistant etc..
Referring to Fig. 6, the invasion detecting device 600 based on data packet may include following one or more components: processing group Part 602, memory 604, power supply module 606, multimedia component 608, audio component 610, the interface of input/output (I/O) 612, sensor module 614 and communication component 616.
Processing component 602 usually control unmanned aerial vehicle (UAV) control device 600 integrated operation, such as with display, call, number According to communication, camera operation and record operate associated operation.Processing component 602 may include one or more processors 620 To execute instruction.
In addition, processing component 602 may include one or more modules, convenient between processing component 602 and other assemblies Interaction.For example, processing component 602 may include multi-media module, with facilitate multimedia component 608 and processing component 602 it Between interaction.
Memory 604 is configured as storing various types of data to support the operation in unmanned aerial vehicle (UAV) control device 600.This The example of a little data includes the instruction of any application or method for operating on unmanned aerial vehicle (UAV) control device 600, connection Personal data, telephone book data, message, picture, video etc..Memory 604 can be by any kind of volatibility or non-volatile It stores equipment or their combination is realized, such as static random access memory (SRAM), the read-only storage of electrically erasable Device (EEPROM), Erasable Programmable Read Only Memory EPROM (EPROM), programmable read only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, disk or CD.
Power supply module 606 provides electric power for the various assemblies of unmanned aerial vehicle (UAV) control device 600.Power supply module 606 may include Power-supply management system, one or more power supplys and other with for unmanned aerial vehicle (UAV) control device 600 generate, manage, and distribute electric power phase Associated component.
Multimedia component 608 includes one output interface of offer between the unmanned aerial vehicle (UAV) control device 600 and user Screen.In some embodiments, screen may include liquid crystal display (LCD) and touch panel (TP).If screen includes Touch panel, screen may be implemented as touch screen, to receive input signal from the user.Touch panel includes one or more A touch sensor is to sense the gesture on touch, slide, and touch panel.The touch sensor can not only sense touch Or the boundary of sliding action, but also detect duration and pressure associated with the touch or slide operation.In some realities It applies in example, multimedia component 608 includes a front camera and/or rear camera.When unmanned aerial vehicle (UAV) control device 600 is in Operation mode, such as in a shooting mode or a video mode, front camera and/or rear camera can receive external multimedia Data.Each front camera and rear camera can be a fixed optical lens system or there is focal length and optics to become Burnt ability.
Audio component 610 is configured to output and/or input audio signals. For example, audio component 610 includes a microphone (MIC), which is configured to receive external audio signals when the unmanned aerial vehicle (UAV) control device 600 is in an operating mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signal can be further stored in memory 604 or sent via communication component 616. In some embodiments, audio component 610 further includes a loudspeaker for outputting audio signals.
I/O interface 612 provides an interface between processing component 602 and peripheral interface modules, which may be a keyboard, a click wheel, buttons, and so on. These buttons may include, but are not limited to: a home button, volume buttons, a start button and a lock button.
Sensor module 614 includes one or more sensors for providing status assessments of various aspects of the unmanned aerial vehicle (UAV) control device 600. For example, sensor module 614 can detect the open/closed state of the unmanned aerial vehicle (UAV) control device 600 and the relative positioning of components, for example the display and keypad of the unmanned aerial vehicle (UAV) control device 600. Sensor module 614 can also detect a change in position of the unmanned aerial vehicle (UAV) control device 600 or of one of its components, the presence or absence of user contact with the device, the orientation or acceleration/deceleration of the device, and temperature changes of the device. Sensor module 614 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. Sensor module 614 may also include an optical sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, sensor module 614 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor or a temperature sensor.
Communication component 616 is configured to facilitate wired or wireless communication between the unmanned aerial vehicle (UAV) control device 600 and other equipment. The unmanned aerial vehicle (UAV) control device 600 can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, communication component 616 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, communication component 616 further includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module can be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
In the exemplary embodiment, the unmanned aerial vehicle (UAV) control device 600 can be implemented by one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field-programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components.
The embodiments in this specification are described in a progressive manner: identical and similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the device embodiments are described relatively briefly because they are substantially similar to the method embodiments; for related details, refer to the description of the method embodiments.
Those of ordinary skill in the art will appreciate that all or part of the processes in the above method embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (13)

1. An intrusion detection method based on data packets, characterized by comprising:
during intrusion detection, dividing a data flow into data packets;
generating a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
training a strong classifier with the training packet sample set as input, the strong classifier being composed of multiple base classifiers;
constructing an IDS framework based on the strong classifier;
testing the IDS framework with the test packet sample set as input and obtaining a test result, the test result including a normal state and an abnormal state.
2. The intrusion detection method based on data packets according to claim 1, characterized in that generating the training packet sample set and the test packet sample set based on the data packets comprises:
performing feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
performing a distance transformation on each normalized sample feature;
performing mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
based on the feature vector corresponding to each sample, selecting multiple samples from the samples as training packet samples to obtain the training packet sample set, and selecting multiple samples from the samples as test packet samples to obtain the test packet sample set.
3. The intrusion detection method based on data packets according to claim 2, characterized in that performing feature normalization on each sample feature in the data packet comprises:
according to the formula, obtaining the data packet matrix, wherein the data packet consists of m samples, each sample consists of n features, $x_i = (x_{i1}, x_{i2}, \ldots, x_{in})$, $i = 1, \ldots, m$ is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample;
according to the formula, performing a feature normalization transformation on the data packet matrix, wherein X is the sample features after normalization, with all elements taking values in [0, 1].
4. The intrusion detection method based on data packets according to claim 2, characterized in that performing the distance transformation on each normalized sample feature comprises:
according to the formula, performing the distance transformation, the formula giving the feature distance function between $x_{ak}$ and $x_{bk}$, wherein $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix X, and $\tau = \{D_1, D_2, \ldots, D_n\}$ is the distance matrix of the n features of each sample.
5. The intrusion detection method based on data packets according to claim 2, characterized in that performing mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample comprises:
constructing a 1 × r dimensional vector, wherein
according to the formula, performing the feature mapping, wherein P is the dimension of z, 0 ≤ i ≤ b-1.
6. The intrusion detection method based on data packets according to claim 1, characterized in that training the strong classifier with the training packet sample set as input comprises:
performing a sampling operation based on the Bagging approach;
adjusting, based on the AdaBoost iterative algorithm, the sample size obtained by sampling;
training the strong classifier on the samples corresponding to the sample size obtained by sampling.
7. An intrusion detection device based on data packets, characterized by comprising:
a division module, configured to divide a data flow into data packets during intrusion detection;
a generation module, configured to generate a training packet sample set and a test packet sample set based on the data packets, wherein the training packet sample set includes at least one training sample and the test packet sample set includes at least one test packet sample;
a training module, configured to train a strong classifier with the training packet sample set as input, the strong classifier being composed of multiple base classifiers;
a construction module, configured to construct an IDS framework based on the strong classifier;
a test module, configured to test the IDS framework with the test packet sample set as input and obtain a test result, the test result including a normal state and an abnormal state.
8. The intrusion detection device based on data packets according to claim 7, characterized in that the generation module comprises:
a normalization submodule, configured to perform feature normalization on each sample feature in the data packet, wherein the data packet includes multiple samples and each sample includes multiple sample features;
a distance transformation submodule, configured to perform a distance transformation on each normalized sample feature;
a mapping submodule, configured to perform mapping on each distance-transformed sample feature to obtain the feature vector corresponding to each sample;
a selection submodule, configured to select, based on the feature vector corresponding to each sample, multiple samples from the samples as training packet samples to obtain the training packet sample set, and to select multiple samples from the samples as test packet samples to obtain the test packet sample set.
9. The intrusion detection device based on data packets according to claim 8, characterized in that
the normalization submodule is configured to obtain the data packet matrix according to the formula, wherein the data packet consists of m samples, each sample consists of n features, $x_i = (x_{i1}, x_{i2}, \ldots, x_{in})$, $i = 1, \ldots, m$ is the feature vector of each sample, and $x_{lk}$ is the k-th feature of the l-th sample; and to perform, according to the formula, a feature normalization transformation on the data packet matrix, wherein X is the sample features after normalization, with all elements taking values in [0, 1].
10. The intrusion detection device based on data packets according to claim 8, characterized in that
the distance transformation submodule is configured to perform the distance transformation according to the formula, the formula giving the feature distance function between $x_{ak}$ and $x_{bk}$, wherein $x_{ak}$ and $x_{bk}$ are the k-th features of the a-th sample and the b-th sample in matrix X, and $\tau = \{D_1, D_2, \ldots, D_n\}$ is the distance matrix of the n features of each sample.
11. The intrusion detection device based on data packets according to claim 8, characterized in that
the mapping submodule is configured to construct a 1 × r dimensional vector, wherein; and, according to the formula, to perform the feature mapping, wherein P is the dimension of z, 0 ≤ i ≤ b-1.
12. The intrusion detection device based on data packets according to claim 7, characterized in that the training module comprises:
a sampling submodule, configured to perform a sampling operation based on the Bagging approach;
an adjustment submodule, configured to adjust, based on the AdaBoost iterative algorithm, the sample size obtained by sampling;
a training submodule, configured to train the strong classifier on the samples corresponding to the sample size obtained by sampling.
13. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method of claims 1-6.
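The pipeline of claims 1, 2 and 6 (normalize the packet's features into [0, 1], sample Bagging-style, boost base classifiers with AdaBoost, label test samples normal or abnormal) is illustrated below as an added example that is not the patent's own implementation. Because the claim formulas are not reproduced on this page, min-max scaling, decision-stump base classifiers, bootstrap resampling driven by the AdaBoost weights, all function names and the constructed sample packet are assumptions; the distance transformation and mapping of claims 4 and 5 are left out.

```python
import math
import random

def minmax_normalize(rows):
    """Scale every feature column of the packet matrix into [0, 1] (assumed min-max)."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]  # constant column maps to 0
    return [[(v - l) / s for v, l, s in zip(r, lo, span)] for r in rows]

def stump_predict(stump, row):
    k, thr, sign = stump
    return sign if row[k] >= thr else -sign

def train_stump(X, y):
    """Base classifier (assumed): single-feature threshold rule with fewest errors."""
    best = None
    for k in range(len(X[0])):
        for thr in sorted({r[k] for r in X}):
            for sign in (1, -1):
                err = sum(stump_predict((k, thr, sign), r) != t for r, t in zip(X, y))
                if best is None or err < best[0]:
                    best = (err, k, thr, sign)
    return best[1:]

def train_strong(X, y, rounds=10, seed=7):
    """AdaBoost in which every round trains on a bootstrap sample drawn by weight."""
    rng = random.Random(seed)
    m = len(X)
    w = [1.0 / m] * m
    ensemble = []
    for _ in range(rounds):
        idx = rng.choices(range(m), weights=w, k=m)  # sampling with replacement
        stump = train_stump([X[i] for i in idx], [y[i] for i in idx])
        pred = [stump_predict(stump, r) for r in X]
        err = sum(wi for wi, p, t in zip(w, pred, y) if p != t)
        if err >= 0.5:  # no better than chance on the weighted set: discard
            continue
        alpha = 0.5 * math.log((1 - err) / max(err, 1e-10))
        ensemble.append((alpha, stump))
        w = [wi * math.exp(-alpha * t * p) for wi, p, t in zip(w, pred, y)]
        total = sum(w)
        w = [wi / total for wi in w]  # misclassified samples now carry more weight
    return ensemble

def classify(ensemble, row):
    score = sum(alpha * stump_predict(s, row) for alpha, s in ensemble)
    return "abnormal" if score > 0 else "normal"

# Constructed packet, not real traffic: (packets/s, mean payload bytes, distinct
# destination ports). Label +1 = abnormal, -1 = normal. Rows 0-11 train, 12-15 test.
PACKET = [
    (12, 540, 2), (20, 610, 1), (15, 480, 3), (30, 700, 2),
    (25, 520, 4), (18, 660, 1), (400, 60, 45), (650, 72, 120),
    (380, 64, 38), (900, 58, 300), (520, 80, 75), (710, 66, 210),
    (22, 590, 2), (10, 505, 1), (950, 62, 260), (1200, 70, 410),
]
LABELS = [-1] * 6 + [1] * 6 + [-1, -1, 1, 1]

def run_demo():
    X = minmax_normalize(PACKET)  # normalize the whole packet, then split it
    model = train_strong(X[:12], LABELS[:12])
    return [(classify(model, X[i]), LABELS[i]) for i in range(12, 16)]
```

`run_demo()` returns one `(prediction, label)` pair per test sample, which corresponds to the normal/abnormal test result of claim 1.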
CN201811144177.3A 2018-07-23 2018-09-29 Intrusion detection method and device based on data packet and storage medium Active CN109510811B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810809761X 2018-07-23
CN201810809761 2018-07-23

Publications (2)

Publication Number Publication Date
CN109510811A true CN109510811A (en) 2019-03-22
CN109510811B CN109510811B (en) 2022-08-09

Family

ID=65746298

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811144177.3A Active CN109510811B (en) 2018-07-23 2018-09-29 Intrusion detection method and device based on data packet and storage medium

Country Status (1)

Country Link
CN (1) CN109510811B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060004754A1 (en) * 2004-06-30 2006-01-05 International Business Machines Corporation Methods and apparatus for dynamic classification of data in evolving data stream
CN101060443A (en) * 2006-04-17 2007-10-24 中国科学院自动化研究所 An improved adaptive boosting algorithm based Internet intrusion detection method
JP2009075737A (en) * 2007-09-19 2009-04-09 Nec Corp Semi-supervised learning method, device, and program
CN101471782A (en) * 2007-12-26 2009-07-01 中国科学院自动化研究所 Network inbreak detection method based on on-line hoisting algorithm
CN101827002A (en) * 2010-05-27 2010-09-08 文益民 Concept drift detection method of data flow classification
CN103678512A (en) * 2013-12-26 2014-03-26 大连民族学院 Data stream merge sorting method under dynamic data environment
CN103716204A (en) * 2013-12-20 2014-04-09 中国科学院信息工程研究所 Abnormal intrusion detection ensemble learning method and apparatus based on Wiener process
US20170364795A1 (en) * 2016-06-15 2017-12-21 Akw Analytics Inc. Petroleum analytics learning machine system with machine learning analytics applications for upstream and midstream oil and gas industry
CN108023876A (en) * 2017-11-20 2018-05-11 西安电子科技大学 Intrusion detection method and intruding detection system based on sustainability integrated study
CN108093406A (en) * 2017-11-29 2018-05-29 重庆邮电大学 A kind of wireless sense network intrusion detection method based on integrated study
CN108234500A (en) * 2018-01-08 2018-06-29 重庆邮电大学 A kind of wireless sense network intrusion detection method based on deep learning

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
冯璐: "基于数据流特征选择及分类算法的入侵检测模型研究", 《中国优秀硕士学位论文全文数据库》 *
姚远: "海量动态数据流分类方法研究", 《中国博士学位论文全文数据库》 *
朱桂宏: "基于数据流的网络入侵检测研究", 《计算机技术与发展》 *
王小川: "《MATLAB神经网络43个案例分析》", 31 August 2013, 北京航空航天大学出版社 *
闻新: "《应用MATLAB实现神经网络》", 30 June 2015, 国防工业出版社 *

Also Published As

Publication number Publication date
CN109510811B (en) 2022-08-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant