CN110149315A - Abnormal network traffic detection method, readable storage medium storing program for executing and terminal - Google Patents

Info

Publication number
CN110149315A
Authority
CN
China
Prior art keywords
network traffic
abnormal network
external parameter
frequency signal
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910336725.0A
Other languages
Chinese (zh)
Inventor
杜臻
孙国梓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Post and Telecommunication University filed Critical Nanjing Post and Telecommunication University
Priority to CN201910336725.0A priority Critical patent/CN110149315A/en
Publication of CN110149315A publication Critical patent/CN110149315A/en
Pending legal-status Critical Current

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An abnormal network traffic detection method, a readable storage medium and a terminal. The method comprises: constructing an abnormal network traffic classification model using external parameter data of abnormal network traffic; and detecting abnormal network traffic in network traffic using the constructed abnormal network traffic classification model. The scheme can improve the accuracy of abnormal network traffic detection.

Description

Abnormal network traffic detection method, readable storage medium and terminal
Technical field
The invention belongs to the technical field of network security, and in particular relates to an abnormal network traffic detection method, a readable storage medium and a terminal.
Background
Network traffic anomaly detection monitors whether a network is working in a healthy state and is important for ensuring the normal operation of network systems.
Among the high-risk vulnerabilities recorded in the national information security vulnerability sharing platform (CNVD), cross-site scripting (XSS), SQL injection and denial-of-service attacks have become the primary attack methods against domestic Internet facilities. In the OWASP Top 10, the report of the ten major categories of web application security threats determined after expert review, XSS attacks and injection attacks have consistently ranked near the top among the most widely exploited vulnerabilities and are threats that need attention.
However, network traffic detection methods in the prior art cannot accurately detect the abnormal network traffic within network traffic, which seriously threatens network security.
Summary of the invention
The technical problem solved by the invention is how to improve the accuracy of abnormal network traffic detection.
To achieve the above object, the invention provides an abnormal network traffic detection method, the method comprising:
constructing an abnormal network traffic classification model using external parameter data of abnormal network traffic;
detecting abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
Optionally, constructing the abnormal network traffic classification model using the external parameters of abnormal network traffic comprises:
extracting the external parameter data of abnormal network traffic;
marking the extracted external parameter data of abnormal network traffic with an anomaly type identifier;
generating a corresponding external parameter numerical sequence from the extracted external parameter data and the corresponding anomaly type identifiers;
extracting the energy feature data of the external parameter numerical sequence;
training on the extracted energy feature data to obtain the abnormal network traffic classification model.
Optionally, extracting the energy feature data of the external parameter numerical sequence comprises:
analyzing the external parameter numerical sequence to obtain the period of the external parameter numerical sequence;
dividing the external parameter numerical sequence into corresponding multiple subsequences, using the size of the period as the sliding window together with a preset sliding step;
performing wavelet decomposition on each subsequence to obtain the corresponding energy feature data.
Optionally, the energy feature data include the low-frequency signal energy, the low-frequency signal energy ratio, the first- to fifth-layer high-frequency signal energies, and the high-frequency signal energy ratios.
Optionally, the low-frequency signal energy, the low-frequency signal energy ratio, the first- to fifth-layer high-frequency signal energies and the high-frequency signal energy ratios are calculated using the following formulas, respectively:
where E_a5 denotes the energy of the low-frequency signal a5, E_dj denotes the energy of the j-th layer high-frequency signal dj, ER_a5 denotes the energy ratio of the low-frequency signal a5, and ER_dj denotes the energy ratio of the j-th layer high-frequency signal dj.
Optionally, the external parameter data include the packet length and URL length of abnormal network traffic.
Optionally, the anomaly type identifiers include an injection-type abnormal traffic identifier and an XSS-type abnormal traffic identifier.
Optionally, the abnormal network traffic classification model is an SVM classifier.
An embodiment of the invention also provides a computer-readable storage medium on which computer instructions are stored, the computer instructions, when run, executing the steps of the abnormal network traffic detection method described in any of the above.
An embodiment of the invention also provides a terminal comprising a memory and a processor, the memory storing computer instructions that can run on the processor, the processor executing the steps of the abnormal network traffic detection method described in any of the above when running the computer instructions.
Optionally, the abnormal network traffic classification model is an SVM classifier.
Compared with the prior art, the invention has the following beneficial effects:
The above scheme constructs an abnormal network traffic classification model using the external parameter data of abnormal network traffic and detects abnormal network traffic in network traffic using the constructed model. Because the detection is based on external parameter data, the influence of human subjective error and slow knowledge updates on network traffic detection can be overcome, and the accuracy of abnormal network traffic detection can be improved.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some examples of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of an abnormal network traffic detection method in an embodiment of the invention;
Fig. 2 is a flow diagram of another abnormal network traffic detection method in an embodiment of the invention;
Fig. 3 is a schematic diagram of decomposing a subsequence into low-frequency and high-frequency parts using a wavelet function in an embodiment of the invention;
Fig. 4 is a schematic diagram of dividing the external parameter numerical sequence into subsequences using a sliding window in an embodiment of the invention;
Fig. 5 is a schematic diagram of multi-layer decomposition of a signal using wavelet analysis in an embodiment of the invention;
Fig. 6 is a structural diagram of an abnormal network traffic detection device in an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in this application without creative effort fall within the protection scope of this application. Directional indications in the embodiments of the invention (such as up, down, left, right, front, back) are only used to explain the relative positions and movements of components in a particular pose (as shown in the drawings); if that pose changes, the directional indications change accordingly.
As stated in the background, the detection of abnormal traffic in the prior art is generally based on human experience. Even algorithms that detect automatically are generally based on prior knowledge, for example rule matching or threshold matching against a rule base established in advance. These methods all rely on human knowledge and may be affected by human subjective error and slow knowledge updates, so they suffer from low detection accuracy.
The technical solution of the invention constructs an abnormal network traffic classification model using the external parameter data of abnormal network traffic and detects abnormal network traffic in network traffic using the constructed model. Because the detection is based on external parameter data, the influence of human subjective error and slow knowledge updates on network traffic detection can be overcome, and the accuracy of abnormal network traffic detection can be improved.
To make the above objects, features and beneficial effects of the invention clearer, specific embodiments of the invention are described in detail below with reference to the drawings.
Fig. 1 is a flow diagram of an abnormal network traffic detection method of an embodiment of the invention. Referring to Fig. 1, an abnormal network traffic detection method may include the following steps:
Step S101: construct an abnormal network traffic classification model using the external parameter data of abnormal network traffic.
In a specific implementation, the external parameter data are the external parameter data of abnormal network traffic packets and do not involve the content of those packets.
Step S102: detect abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
In a specific implementation, once the corresponding abnormal network traffic classification model has been constructed, network traffic can be input into the model to detect abnormal network traffic.
The above scheme constructs an abnormal network traffic classification model using the external parameter data of abnormal network traffic and detects abnormal network traffic in network traffic using the constructed model. Because the detection is based on external parameter data, the accuracy of abnormal network traffic detection can be improved.
The abnormal network traffic detection method in the embodiment of the invention is introduced in further detail below with reference to Fig. 2.
Step S201: extract the external parameter data of abnormal network traffic, and mark the extracted external parameter data with an anomaly type identifier.
In an embodiment of the invention, the extracted external parameter data include the packet length and the uniform resource locator (URL) length of abnormal network traffic packets.
In a specific implementation, when the amount of purely abnormal network traffic data is small, in order to fully mine the characteristics of abnormal network traffic, the sources of abnormal network traffic may include purely abnormal network traffic and mixed network traffic containing both normal and abnormal network traffic.
In an embodiment of the invention, both the purely abnormal network traffic and the mixed network traffic are in the form of pcap packets. When extracting external parameters from purely abnormal network traffic, the scapy module of Python can be used to parse the pcap packets and extract the corresponding external parameters, and, according to the abnormal network traffic type information in the anomaly number field of the corresponding alarm log, the extracted external parameters are tagged with the corresponding abnormal network traffic type identifier, such as an injection-type abnormal traffic identifier or an XSS-type abnormal traffic identifier.
In mixed network traffic, abnormal network traffic accounts for only a very small part, so to reduce the workload the normal network traffic in the mixed network traffic is filtered out first. In an embodiment of the invention, the K-nearest neighbors (KNN) algorithm is used to filter out the normal network traffic in the mixed network traffic. When the KNN algorithm is used for this filtering, the parameter K needs to be optimized. In an embodiment of the invention, a grid search algorithm is used to optimize K, and the finally selected K value is 3.
Step S202: generate the corresponding external parameter numerical sequence from the extracted external parameter data and the corresponding anomaly type identifiers.
In a specific implementation, external parameter extraction and type marking yield the numerical sequences of packet length and URL length together with the corresponding type labels. Next, arranging the external parameters of each extracted abnormal network traffic data item and the corresponding abnormal network traffic type identifiers in order gives the corresponding external parameter numerical sequence.
Step S203: extract the energy feature data of the external parameter numerical sequence.
In a specific implementation, when extracting the energy feature data of the external parameter numerical sequence, the sequence can first be regarded as a signal. In an embodiment of the invention, the Haar wavelet function is used to perform wavelet decomposition on the signal formed by the external parameter numerical sequence and extract the corresponding energy feature data.
To obtain a sufficient number of feature groups from a long sequence, subsequences of a certain length need to be extracted from it. In an embodiment of the invention, this requirement can be met by setting a sliding window. For a sequence T of length m and a target threshold w, a sliding window of length w passes over T to obtain (m × w)+1 subsequences. To obtain a sufficient number of feature vector groups for the subsequent learning of the classifier, the external parameter numerical sequence is first analyzed preliminarily to obtain its rough period. Then the obtained period is used as the sliding window, the window is moved with a preset sliding step (for example 1), and the numerical sequence within each sliding window is taken as one subsequence, dividing the external parameter numerical sequence into the corresponding (m × w)+1 subsequences. Finally, one group of feature vectors is extracted from each subsequence.
In an embodiment of the invention, when the window slides to the tail of the data and the remaining data are insufficient, the sequence is joined end to end to form a cyclic sequence. Referring to Fig. 3, suppose there are 4 data items, 1, 2, 3 and 4, the sliding window is 3 and the step is 1. Then the sequence corresponding to data item 1 is 1, 2, 3, the sequence corresponding to data item 2 is 2, 3, 4, and so on; each time, wavelet decomposition is performed on the sequence in the grey box and features are extracted. In this way a feature vector is constructed for every data item.
Referring to Fig. 4, low-frequency features need to be extracted to analyze the overall characteristics of a traffic anomaly, and high-frequency features need to be extracted to distinguish between two different traffic anomalies. In practice, when the Haar wavelet function is used to perform wavelet decomposition on the signal formed by a subsequence, an appropriate number of decomposition layers usually needs to be selected based on the characteristics of the signal or an appropriate criterion. In Fig. 4, H1 and G1 are the coefficients of the high-pass filter and the low-pass filter respectively; passing the signal formed by the subsequence through the high-pass filter and the low-pass filter performs the wavelet decomposition, so that the numerical sequence is decomposed into a low-frequency approximation c0,k and high-frequency detail d0,k; the arrow labeled 2 indicates that the order of the filter is 2. Referring to Fig. 5, the inventors found that the high-frequency component cD1 obtained after one layer of decomposition of the external parameter numerical sequence, i.e. the signal, already shows the details sufficiently, and the high-frequency waveform does not change after further layers of decomposition; the low-frequency components cA1, cA2, cA3 and cA4 continue to be decomposed, and when the decomposition reaches the fifth-layer high-frequency component cD5, it contains only a single sample. Therefore, in an embodiment of the invention, the energy feature data extracted from each subsequence include the low-frequency signal energy, the low-frequency signal energy ratio, the first- to fifth-layer high-frequency signal energies, and the high-frequency signal energy ratios. Here, the energy ratios are the ratios of the energy of the low-frequency signal a5 and of each of the high-frequency signals d1, d2, ..., d5 to the total energy, and they can be calculated using the following formulas, respectively:
where E_a5 denotes the energy of the low-frequency signal a5, E_dj denotes the energy of the j-th layer high-frequency signal dj, ER_a5 denotes the energy ratio of the low-frequency signal a5, and ER_dj denotes the energy ratio of the j-th layer high-frequency signal dj.
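The cyclic sliding window and five-layer Haar energy extraction of step S203, as an added example that is not code from the patent. It assumes the estimated period is 32 samples (so that a5 is a single coefficient), takes energy to be the sum of squared wavelet coefficients (the patent's own formulas are not reproduced on this page), and runs on constructed packet-length values; all function names are illustrative.

```python
import math

LEVELS = 5             # the page decomposes down to the fifth layer (a5, d1..d5)
WINDOW = 2 ** LEVELS   # assumption: the estimated period is 32 samples


def cyclic_windows(seq, window, step=1):
    """One window per start position; the tail wraps to the head (cyclic sequence)."""
    n = len(seq)
    return [[seq[(start + k) % n] for k in range(window)]
            for start in range(0, n, step)]


def haar_decompose(signal, levels=LEVELS):
    """Orthonormal Haar DWT. Returns (a_levels, [d1, ..., d_levels])."""
    if len(signal) % (2 ** levels) != 0:
        raise ValueError("window length must be a multiple of 2**levels")
    approx, details = [float(x) for x in signal], []
    root2 = math.sqrt(2.0)
    for _ in range(levels):
        pairs = [(approx[i], approx[i + 1]) for i in range(0, len(approx), 2)]
        details.append([(a - b) / root2 for a, b in pairs])  # high-pass half
        approx = [(a + b) / root2 for a, b in pairs]          # low-pass half
    return approx, details


def energy(coeffs):
    """Assumed energy definition: sum of squared wavelet coefficients."""
    return sum(c * c for c in coeffs)


def energy_features(window, levels=LEVELS):
    """Feature vector [E_a5, ER_a5, E_d1..E_d5, ER_d1..ER_d5] for one subsequence."""
    a, ds = haar_decompose(window, levels)
    e_a, e_d = energy(a), [energy(d) for d in ds]
    total = e_a + sum(e_d)
    if total == 0.0:  # all-zero window: ratios are undefined, report zeros
        return [0.0] * (2 + 2 * levels)
    return [e_a, e_a / total] + e_d + [e / total for e in e_d]


def feature_matrix(seq, window=WINDOW, step=1):
    """One feature vector per data item, as in the page's cyclic-window example."""
    return [energy_features(w) for w in cyclic_windows(seq, window, step)]


# Constructed sample: 64 packet lengths with a regular pattern and a
# four-packet burst of long packets at positions 40..43 (not real traffic).
SAMPLE_LENGTHS = [60 + 10 * (i % 4) for i in range(64)]
for _i in range(40, 44):
    SAMPLE_LENGTHS[_i] = 1400

if __name__ == "__main__":
    rows = feature_matrix(SAMPLE_LENGTHS)
    for start in (0, 30):  # a window without the burst, and one containing it
        ratios = [rows[start][1]] + rows[start][7:]
        print(start, [round(r, 4) for r in ratios])
```

The window that contains the burst puts most of its energy into the detail layers, so its low-frequency ratio ER_a5 falls well below that of a window over the regular pattern; these twelve values per window are what would be passed to the classifier in step S204.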
Step S204: train on the extracted energy feature data to obtain the abnormal network traffic classification model.
In a specific implementation, once the energy feature data of all subsequences have been extracted, the extracted energy feature data can be used for training to obtain the corresponding abnormal network traffic classification model. In an embodiment of the invention, the abnormal network traffic classification model is a support vector machine (SVM) classifier.
When training on the energy feature data of the subsequences to obtain the SVM classifier, an indirect algorithm can be used.
The training optimization of the SVM classifier first considers the choice of kernel function. The Gaussian radial basis function is a kernel with strong locality that can map samples to a higher-dimensional space, which is the key reason it is the most widely used. It performs well for both large and small samples and has fewer parameters than the polynomial kernel, so in most cases, when it is unclear which kernel to use, the Gaussian kernel is preferred.
Training the SVM model requires considering two important parameters, cost and gamma. Cost can generally be chosen as 10^t, t = -4, -3, ..., 3, 4. The larger the cost, the greater the penalty on misclassified examples, but this may lead to overfitting of the model. Gamma is a parameter of the radial basis function (RBF) itself, so its value naturally has to be considered when the RBF is selected as the kernel function of the SVM. It implicitly determines the distribution of the data after they are mapped to the new high-dimensional feature space. The value of gamma determines the number of support vectors, and the number of support vectors affects the speed of training and prediction, so, like cost, the value of gamma must be weighed carefully. Its default value is the reciprocal of the class number n_features; in an embodiment of the invention, gamma is 0.5.
Step S205: detect abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
In a specific implementation, when network traffic is detected using the constructed abnormal network traffic classification model, external parameter data are first extracted from the network traffic to be detected, the energy features of the extracted external parameter data are calculated, and these energy features are then input into the abnormal network traffic classification model to detect and identify abnormal network traffic.
The abnormal network traffic detection method in the embodiment of the invention has been described in detail above; the device corresponding to the method is introduced below.
Fig. 6 shows a structural diagram of an abnormal network traffic detection device in an embodiment of the invention. Referring to Fig. 6, an abnormal network traffic detection device 60 may include a model construction unit 601 and a traffic detection unit 602, in which:
The model construction unit 601 is adapted to construct an abnormal network traffic classification model using the external parameter data of abnormal network traffic. In an embodiment of the invention, the external parameter data include the packet length and URL length of abnormal network traffic. In another embodiment of the invention, the abnormal network traffic classification model is an SVM classifier.
The traffic detection unit 602 is adapted to detect abnormal network traffic in network traffic using the constructed abnormal network traffic classification model.
In an embodiment of the invention, the model construction unit 602 is adapted to: extract the external parameter data of abnormal network traffic; mark the extracted external parameter data with an anomaly type identifier; generate the corresponding external parameter numerical sequence from the extracted external parameter data and the corresponding anomaly type identifiers; extract the energy feature data of the external parameter numerical sequence; and train on the extracted energy feature data to obtain the abnormal network traffic classification model. In an embodiment of the invention, the anomaly type identifiers include an injection-type abnormal traffic identifier and an XSS-type abnormal traffic identifier.
In another embodiment of the invention, the model construction unit 602 is adapted to: analyze the external parameter numerical sequence to obtain its period; divide the external parameter numerical sequence into corresponding multiple subsequences, using the size of the period as the sliding window together with a preset sliding step; and perform wavelet decomposition on each subsequence to obtain the corresponding energy feature data.
In yet another embodiment of the invention, the energy feature data extracted by the model construction unit 602 include the low-frequency signal energy, the low-frequency signal energy ratio, the first- to fifth-layer high-frequency signal energies, and the high-frequency signal energy ratios.
In yet another embodiment of the invention, the model construction unit 602 is adapted to calculate the low-frequency signal energy, the low-frequency signal energy ratio, the first- to fifth-layer high-frequency signal energies and the high-frequency signal energy ratios using the following formulas, respectively:
where E_a5 denotes the energy of the low-frequency signal a5, E_dj denotes the energy of the j-th layer high-frequency signal dj, ER_a5 denotes the energy ratio of the low-frequency signal a5, and ER_dj denotes the energy ratio of the j-th layer high-frequency signal dj.
An embodiment of the invention also provides a computer-readable storage medium on which computer instructions are stored, the computer instructions, when run, executing the steps of the abnormal network traffic detection method. For the abnormal network traffic detection method, refer to the detailed description in the preceding sections; it is not repeated here.
An embodiment of the invention also provides a terminal comprising a memory and a processor, the memory storing computer instructions that can run on the processor, the processor executing the steps of the abnormal network traffic detection method when running the computer instructions. For the abnormal network traffic detection method, refer to the detailed description in the preceding sections; it is not repeated here.
With the above scheme in the embodiments of the invention, an abnormal network traffic classification model is constructed using the external parameter data of abnormal network traffic, and abnormal network traffic in network traffic is detected using the constructed model. Because the detection is based on external parameter data, the influence of human subjective error and slow knowledge updates on network traffic detection can be overcome, and the accuracy of abnormal network traffic detection can therefore be improved.
The basic principles, main features and advantages of the invention have been shown and described above. Those skilled in the art should understand that the invention is not limited to the above embodiments; the embodiments and the description only illustrate the principle of the invention, and various changes and improvements may be made without departing from the spirit and scope of the invention. The scope claimed by the invention is defined by the appended claims, the specification and their equivalents.

Claims (10)

1. a kind of Abnormal network traffic detection method characterized by comprising
Abnormal network traffic disaggregated model is constructed using the external parameter data of Abnormal network traffic;
The Abnormal network traffic in network flow is detected using constructed Abnormal network traffic disaggregated model.
2. Abnormal network traffic detection method according to claim 1, which is characterized in that described to use Abnormal network traffic External parameter construct Abnormal network traffic disaggregated model, comprising:
Extract the external parameter data of Abnormal network traffic;
Exception Type mark is carried out for the external parameter data of extracted Abnormal network traffic;
It is identified using extracted external parameter data and corresponding Exception Type, generates corresponding external parameter sequence of values;
Extract the energy feature data of the external parameter sequence of values;
Extracted energy feature data are trained, the Abnormal network traffic disaggregated model is obtained.
3. Abnormal network traffic detection method according to claim 2, which is characterized in that described to extract the external parameter The energy feature data of sequence of values, comprising:
The external parameter sequence of values is analyzed, the period of the external parameter sequence of values is obtained;It uses with described The external parameter sequence of values is divided into corresponding multiple by the size in period as sliding window and preset sliding step Subsequence;
Wavelet decomposition is carried out using to each subsequence, obtains corresponding energy feature data.
4. Abnormal network traffic detection method according to claim 3, which is characterized in that the energy feature data include Low frequency signal energy, low frequency signal energy accounting, first to layer 5 higher frequency signal energy, higher frequency signal energy accounting.
5. Abnormal network traffic detection method according to claim 4, which is characterized in that the low frequency signal energy, low Following formula meter is respectively adopted in frequency signal energy accounting, first to layer 5 higher frequency signal energy, higher frequency signal energy accounting It obtains:
Wherein, Ea5Indicate low frequency signal a5Energy, EdjIndicate jth layer high-frequency signal djEnergy, ERa5Indicate low frequency signal a5Energy accounting, ERdjIndicate jth layer high-frequency signal djEnergy accounting.
6. The abnormal network traffic detection method according to any one of claims 1 to 5, characterized in that the external parameter data include the packet length and the URL length of the abnormal network traffic.
7. The abnormal network traffic detection method according to claim 6, characterized in that the anomaly type identifier includes an injection-type abnormal traffic identifier and an XSS-type abnormal traffic identifier.
8. The abnormal network traffic detection method according to claim 7, characterized in that the abnormal network traffic classification model is an SVM classifier.
9. A computer-readable storage medium storing computer instructions, characterized in that, when run, the computer instructions perform the steps of the abnormal network traffic detection method according to any one of claims 1 to 8.
10. A terminal, characterized by comprising a memory and a processor, the memory storing computer instructions that can run on the processor, wherein the processor, when running the computer instructions, performs the steps of the abnormal network traffic detection method according to any one of claims 1 to 8.
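Added example, not part of the patent text: the feature extraction of claims 3 to 5 in Python, going from a URL-length sequence to its period, to period-sized sliding windows, to five-level wavelet energy features per window. The Haar wavelet, the median-difference period estimator, the sum-of-squares energy definition, the step of 16 and the constructed URL-length sequence are all assumptions, because the page names no wavelet and does not reproduce the claim 5 formulas.

```python
import math
from statistics import median

def estimate_period(seq, min_lag=2):
    """Smallest lag minimising the median |x[i] - x[i+lag]| (assumed estimator)."""
    best_lag, best = None, math.inf
    for lag in range(min_lag, len(seq) // 2 + 1):
        score = median(abs(a - b) for a, b in zip(seq, seq[lag:]))
        if score < best:  # strict '<' keeps the fundamental, not its multiples
            best_lag, best = lag, score
    return best_lag

def sliding_windows(seq, period, step):
    """Subsequences of length `period`, advanced by the preset sliding step."""
    return [seq[i:i + period] for i in range(0, len(seq) - period + 1, step)]

def haar_step(x):
    """One level of the orthonormal Haar DWT: (approximation, detail)."""
    s = math.sqrt(2)
    approx = [(x[i] + x[i + 1]) / s for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) / s for i in range(0, len(x), 2)]
    return approx, detail

def energy_features(window, levels=5):
    """Ea5, Ed1..Ed5 and each one's share of total energy (assumed: sum of squares)."""
    if len(window) % (1 << levels):
        raise ValueError("window length must be a multiple of 2**levels")
    approx, feats = list(window), {}
    for j in range(1, levels + 1):
        approx, detail = haar_step(approx)
        feats[f"Ed{j}"] = sum(c * c for c in detail)
    feats[f"Ea{levels}"] = sum(c * c for c in approx)
    total = sum(feats.values()) or 1.0  # all-zero window: avoid dividing by 0
    feats.update({"ER" + k[1:]: v / total for k, v in list(feats.items())})
    return feats

# Constructed sample (not patent data): 32-request cycle plus a burst of long URLs.
BASE = [40 + 3 * ((13 * i) % 32) for i in range(32)]
URL_LENGTHS = BASE * 5
URL_LENGTHS[74:78] = [900] * 4

def extract(seq, step=16):
    """Period -> sliding windows -> one energy-feature vector per window."""
    period = estimate_period(seq)
    return period, [energy_features(w) for w in sliding_windows(seq, period, step)]

if __name__ == "__main__":
    for n, f in enumerate(extract(URL_LENGTHS)[1]):
        print(n, round(f["ERa5"], 3), round(f["ERd1"], 3))
```

The per-window vectors are the kind of input the SVM classifier of claim 8 would be trained on; the two windows covering the burst show a much lower ERa5 than the clean windows.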
CN201910336725.0A 2019-04-24 2019-04-24 Abnormal network traffic detection method, readable storage medium storing program for executing and terminal Pending CN110149315A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910336725.0A CN110149315A (en) 2019-04-24 2019-04-24 Abnormal network traffic detection method, readable storage medium storing program for executing and terminal

Publications (1)

Publication Number Publication Date
CN110149315A true CN110149315A (en) 2019-08-20

Family

ID=67594391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910336725.0A Pending CN110149315A (en) 2019-04-24 2019-04-24 Abnormal network traffic detection method, readable storage medium storing program for executing and terminal

Country Status (1)

Country Link
CN (1) CN110149315A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111614576A (en) * 2020-06-02 2020-09-01 国网山西省电力公司电力科学研究院 Network data traffic identification method and system based on wavelet analysis and support vector machine
CN111626322A (en) * 2020-04-08 2020-09-04 中南大学 Application activity identification method of encrypted flow based on wavelet transformation
CN112329713A (en) * 2020-11-25 2021-02-05 恩亿科(北京)数据科技有限公司 Network flow abnormity online detection method, system, computer equipment and storage medium
CN112866185A (en) * 2019-11-28 2021-05-28 海信集团有限公司 Network traffic monitoring device and abnormal traffic detection method
CN113472721A (en) * 2020-03-31 2021-10-01 华为技术有限公司 Network attack detection method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106713371A (en) * 2016-12-08 2017-05-24 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS anomaly mining
CN109391599A (en) * 2017-08-10 2019-02-26 蓝盾信息安全技术股份有限公司 A kind of detection system of the Botnet communication signal based on HTTPS traffic characteristics analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHEN DU等: "Network Traffic Anomaly Detection Based on Wavelet Analysis", 《2018 IEEE 16TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING RESEARCH, MANAGEMENT AND APPLICATIONS (SERA)》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866185A (en) * 2019-11-28 2021-05-28 海信集团有限公司 Network traffic monitoring device and abnormal traffic detection method
CN113472721A (en) * 2020-03-31 2021-10-01 华为技术有限公司 Network attack detection method and device
CN113472721B (en) * 2020-03-31 2022-12-06 华为技术有限公司 Network attack detection method and device
CN111626322A (en) * 2020-04-08 2020-09-04 中南大学 Application activity identification method of encrypted flow based on wavelet transformation
CN111626322B (en) * 2020-04-08 2024-01-05 中南大学 Application activity recognition method for encrypted traffic based on wavelet transformation
CN111614576A (en) * 2020-06-02 2020-09-01 国网山西省电力公司电力科学研究院 Network data traffic identification method and system based on wavelet analysis and support vector machine
CN112329713A (en) * 2020-11-25 2021-02-05 恩亿科(北京)数据科技有限公司 Network flow abnormity online detection method, system, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190820
