CN113553580A - Intrusion detection method for unbalanced data - Google Patents
Intrusion detection method for unbalanced data Download PDFInfo
- Publication number
- CN113553580A CN113553580A CN202110785171.XA CN202110785171A CN113553580A CN 113553580 A CN113553580 A CN 113553580A CN 202110785171 A CN202110785171 A CN 202110785171A CN 113553580 A CN113553580 A CN 113553580A
- Authority
- CN
- China
- Prior art keywords
- data
- sample
- intrusion detection
- samples
- unbalanced
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 70
- 238000005070 sampling Methods 0.000 claims abstract description 19
- 238000000034 method Methods 0.000 claims description 18
- 238000012549 training Methods 0.000 claims description 12
- 238000007781 pre-processing Methods 0.000 claims description 7
- 239000000523 sample Substances 0.000 description 62
- 230000006870 function Effects 0.000 description 14
- 238000012545 processing Methods 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 238000010276 construction Methods 0.000 description 3
- 230000006399 behavior Effects 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 230000004913 activation Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 201000010099 disease Diseases 0.000 description 1
- 208000037265 diseases, disorders, signs and symptoms Diseases 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 238000002474 experimental method Methods 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000002194 synthesizing effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06T—IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
- G06T3/00—Geometric image transformations in the plane of the image
- G06T3/40—Scaling of whole images or parts thereof, e.g. expanding or contracting
- G06T3/4007—Scaling of whole images or parts thereof, e.g. expanding or contracting based on interpolation, e.g. bilinear interpolation
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Evolutionary Computation (AREA)
- Evolutionary Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Computational Biology (AREA)
- Artificial Intelligence (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computer Hardware Design (AREA)
- Alarm Systems (AREA)
Abstract
The invention discloses an intrusion detection method aiming at unbalanced data, which comprises an acquisition step, a code reading step, a classification step, an up-sampling step and an intrusion detection step.
Description
Technical Field
The invention mainly relates to the technical field of computers, in particular to an intrusion detection method aiming at unbalanced data.
Background
Data imbalance refers to the fact that the data amount is greatly different among different classes due to the difference of data distribution. In practical applications, the problem of data imbalance is widely existed, especially in the fields of financial fraud, disease diagnosis and the like. The significant characteristic of data imbalance is that a certain class of data is very easy to obtain, and a part of classes of data cause very rare samples due to the difficulty of acquisition.
A general intrusion detection system needs to collect a large amount of behavior data, a pattern expert carries out statistical analysis to find behavior characteristics, a tag comparison base is added, or by utilizing data mining and machine learning algorithms, the characteristics are firstly abstracted and extracted, and an algorithm model is used for training and detecting to judge the safety. However, the above-mentioned construction method is very dependent on the acquired data samples, and for the data with unbalanced distribution, if no additional processing is performed, the result prediction will result in large deviation.
Disclosure of Invention
In order to solve the problems, the invention provides an intrusion detection method for unbalanced data, aiming at the phenomenon that part of data distribution is unbalanced in intrusion detection, in the construction of a data set, the data is resampled to eliminate partial category unbalance, and in addition, the difficulty of unbalanced data classification is further reduced on an intrusion detection model, so that the problem of unbalanced data detection in an intrusion detection system can be effectively solved, the capability of ensuring the safety of the system can be further improved, and high-efficiency intelligence is realized.
Specifically, the invention provides an intrusion detection method for unbalanced data, which comprises the following steps:
an acquisition step of acquiring a data sample;
classifying, namely classifying the data samples to obtain a minority sample set and a majority sample set;
an upsampling step, namely upsampling the minority sample set by using a preset sampling algorithm, and adding a new data sample obtained by upsampling into the data sample to form to-be-detected data;
and an intrusion detection step, inputting the data to be detected into a pre-trained intrusion detection model for detection so as to judge the security.
Preferably, the intrusion detection method for unbalanced data as described above further includes:
and a model training step, namely training an intrusion detection model in advance to obtain a trained intrusion detection model, wherein the training of the intrusion detection model adopts a Focal local Loss function.
Preferably, the intrusion detection method for unbalanced data as described above, the acquiring step includes a raw data acquiring step and a data preprocessing step.
Preferably, in the intrusion detection method for unbalanced data described above, the raw data obtaining step obtains raw data; and the data preprocessing step removes invalid data and repeated data in the original data to obtain a data sample.
Preferably, the intrusion detection method for unbalanced data as described above, the classifying step includes a feature statistics step and a sample classification step.
Preferably, in the intrusion detection method for unbalanced data, the characteristic statistics step performs characteristic statistics on the data samples to obtain corresponding data characteristics; the sample classification step is used for classifying the data characteristics to obtain a numerical value attribute, a sequence attribute and a category attribute; and dividing all data samples into a minority sample set and a majority sample set according to the category attribute.
Preferably, in the intrusion detection method for unbalanced data described above, the preset sampling algorithm is a SMOTE sampling algorithm.
Preferably, as described above, in the intrusion detection method for unbalanced data, the up-sampling step includes a neighbor sample acquiring step and a linear interpolation step.
Preferably, in the intrusion detection method for unbalanced data described above, the neighbor sample obtaining step calculates, for each sample in the minority sample set, a distance from each sample to all samples in the minority sample set using euclidean distance as a standard, and obtains the k neighbor sample thereof according to the distance.
Preferably, in the intrusion detection method for unbalanced data described above, the linear interpolation step randomly selects a preset number of neighboring samples from k neighboring samples of each minority sample, and constructs a new data sample with the original minority sample according to the following formula for each randomly selected neighboring sample:
xim=xi+λ1*(xin-xi) (ii) a Wherein x isimRepresenting a new data sample, xiRepresenting randomly selected neighbour samples, xinRepresenting the original minority class of samples, λ1Is a random number between 0 and 1.
The intrusion detection method aiming at the unbalanced data has the following beneficial effects that:
aiming at the phenomenon of unbalanced distribution of partial data in intrusion detection, in the construction of a data set, the data is resampled to eliminate unbalance of partial categories, and in addition, the difficulty of classifying the unbalanced data is further reduced on an intrusion detection model, so that the problem of detection of the unbalanced data in an intrusion detection system can be effectively solved, the capability of ensuring the safety of the system can be further improved, and high-efficiency intelligence is realized.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings.
In the drawings:
fig. 1 is a flowchart illustrating an intrusion detection method for unbalanced data according to a first embodiment of the present invention;
FIG. 2 is a flow chart illustrating the acquisition step according to a first embodiment of the present invention;
FIG. 3 is a flow chart illustrating the classification steps according to a first embodiment of the invention;
fig. 4 is a schematic diagram illustrating a format and information of network data according to a first embodiment of the present invention;
fig. 5 shows a flow chart of an upsampling step according to a first embodiment of the present invention;
FIG. 6 is a flowchart illustrating specific steps for classifying data samples according to a first embodiment of the present invention;
FIG. 7 is a flow chart of another intrusion detection method for unbalanced data according to a first embodiment of the present invention;
FIG. 8 shows the final comparison results using a consistent TCN-IDS model;
fig. 9 is a block diagram of an intrusion detection system for unbalanced data according to a second embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Example one
As shown in fig. 1, an embodiment of the present invention provides an intrusion detection method 100 for unbalanced data, where the method includes the following steps:
an obtaining step 110 of obtaining a data sample;
as shown in fig. 2, the acquiring step 110 includes a raw data acquiring step 111 and a data preprocessing step 112. The raw data obtaining step 111 obtains raw data; the data preprocessing step 112 removes invalid data and duplicate data from the original data to obtain a data sample.
A classification step 120, performing classification processing on the data samples to obtain a minority sample set and a majority sample set;
as shown in fig. 3, the classification step 120 includes a feature statistics step 121 and a sample classification step 122. The characteristic statistics step 121 performs characteristic statistics on the data samples to obtain corresponding data characteristics; the sample classification step 122 performs classification processing on the data features to obtain a numerical value attribute, a sequence attribute and a category attribute; and dividing all data samples into a minority sample set and a majority sample set according to the category attribute.
The above-described acquisition step 110 and classification step 120 are further illustrated. Taking an input data source as an example of network data, the format and information are shown in fig. 4, including inherent attributes, contents, network-based traffic, host-based traffic, and classes, and the like, and it can be seen that the method has fixed protocol features and traffic features, wherein a classification label such as normal is a class attribute, most of the character features are protocol-related information, including sequence features, and most of the character features are numerical features. Initializing example data, preprocessing raw data, and counting features includes: and removing invalid data and repeated data, and classifying data characteristics, including numerical value attributes, sequence attributes and category attributes. And classifying the data according to the class labels, wherein the data is in minority classes and majority classes, so that a minority sample set and a majority sample set are obtained.
An upsampling step 130, performing upsampling on the minority sample set by using a preset sampling algorithm, and adding a new data sample obtained by the upsampling into the data sample to form data to be detected;
the preset sampling algorithm may be a SMOTE (Synthetic minimum Oversampling Technique) sampling algorithm.
As shown in fig. 5, the upsampling step 130 includes a neighbor sample acquisition step 131 and a linear interpolation step 132.
The neighbor sample acquiring step 131 calculates, for each sample in the minority sample set, a distance from each sample to all samples in the minority sample set using the euclidean distance as a standard, and obtains a k neighbor sample thereof according to the distance.
In the linear interpolation step 132, for each minority sample, a preset number of neighboring samples are randomly selected from k neighboring samples, and for each randomly selected neighboring sample, a new data sample is respectively constructed with the original minority sample according to the following formula:
xim=xi+λ1*(xin-xi) (ii) a Wherein x isimRepresenting a new data sample, xiRepresenting randomly selected neighbour samples, xinRepresenting the original minority class of samples, λ1Is a random number between 0 and 1.
In particular, the use of SMOTE sampling algorithm upsampled by 2, 40, and 10 times for the exemplary data classes Probe, U2L, and R2L, finds x from the few class samples that need to be upsampledinK neighbor samples of (a), labeled xi(near)Near ∈ {1,2 … k }; selecting one sample x from the obtained k samplesiTraversing the characteristics (numerical attributes, sequence attributes and category attributes) of each dimension, and if the characteristics of the dimension are numerical characteristics, generating a random number lambda between 0 and 11Then synthesizing the feature x of the new sample in the dimensionim=xi+λ1*(xin-xi) (ii) a If the characteristic of the dimension is a sequence attribute and is similar to a numerical attribute, performing interpolation generation, and taking an integer as a result; if the dimension feature is a category attribute, the dimension feature remains unchanged, and the specific steps are as shown in fig. 6. And repeating the steps until N new samples are generated, and integrating the samples into the original data to form the data to be detected.
And an intrusion detection step 140, inputting the data to be detected into a pre-trained intrusion detection model for detection so as to judge the security.
As shown in fig. 7, the method further comprises the steps of:
and a model training step 150, wherein an intrusion detection model is trained in advance to obtain a trained intrusion detection model, and the training of the intrusion detection model adopts a Focal local Loss function.
Complete data miningAfter the step, the method for designing the Loss function of the intrusion detection model by using the improved Focal local Loss function comprises the following steps: using the improved Loss function, replacing the original Loss function with a Focal local function, wherein the Focal local function is expressed as: FL(pt)=-α(1-pt)γlog(pt) Gamma is a modulation coefficient, alpha is a balance factor, the importance of the sample class can be changed through alpha, and the loss contribution of the samples which are easy to classify and difficult to classify is influenced through gamma. p is a radical oftIs the predicted output (values between 0 and 1) through the associated activation function (e.g., sigmoid).
By changing the importance of the sample class by α, the loss contribution by γ affecting the easy-to-classify hard-to-classify samples includes: when a sample is classified incorrectly, then ptThe modulation factor is small, close to 1, and thus close to the original loss. p is a radical oftWhen the modulation coefficient approaches to 1 (namely the classification is correct and the sample is easy to classify), the modulation coefficient approaches to 0, then the loss approaches to 0, and the influence is small at the moment; when γ is 0, Focal local is a conventional cross-entropy function, which increases the modulation factor. Through multiple sets of comparison experiments, comparison of control variables is performed, the magnitudes of the modulation factor and the balance factor are adjusted, in this example, α is 0.3, γ is 2, and the final comparison result using the consistent TCN-IDS model is shown in fig. 8, where P, R, F1 and ACC are both evaluation indexes for machine learning, and details are not repeated. Therefore, by adopting the improved strategy of improving SMOTE sampling and the Focal local function, the performance of the intrusion detection system can be effectively improved, and the detection capability of the intrusion detection system on unbalanced data is improved.
According to the intrusion detection method for the unbalanced data, by using the SMOTE sampling algorithm and the Focal local Loss function, the generation of linear interpolation can be respectively carried out on unbalanced minority data on a data level, the up-sampling is completed, and the unbalanced distribution of the data is further solved. Meanwhile, the influence of the unbalanced data on the model can be further improved on the algorithm level by setting the modulation coefficient and the balance factor. Under the current complex network security environment, the detection capability of the intrusion detection system on unbalanced data is greatly improved, and the security of the system is guaranteed.
Example two
As shown in fig. 9, a second embodiment of the present invention provides an intrusion detection system for unbalanced data, including:
an obtaining module 101, configured to obtain a data sample;
a classification module 102, configured to perform classification processing on the data samples to obtain a minority sample set and a majority sample set;
the up-sampling module 103 is configured to up-sample the minority sample set by using a preset sampling algorithm, and add a new data sample obtained by the up-sampling into the data sample to form data to be detected;
and the intrusion detection module 104 is configured to input the data to be detected into a pre-trained intrusion detection model for detection, so as to determine security.
Preferably, the system further comprises:
and the model training module is used for training the intrusion detection model in advance to obtain the trained intrusion detection model, and the training of the intrusion detection model adopts a Focal local Loss function.
It should be noted that:
the algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose devices may be used with the teachings herein. The required structure for constructing such a device will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the steps in the devices of the embodiments may be adaptively changed and disposed in one or more devices other than the embodiments. Steps or components in the embodiments may be combined into one step or component, and further, may be divided into a plurality of steps or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or steps of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or steps are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software steps running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the creation apparatus of a virtual machine according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) that perform a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the step claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (10)
1. An intrusion detection method for unbalanced data, comprising:
an acquisition step of acquiring a data sample;
classifying, namely classifying the data samples to obtain a minority sample set and a majority sample set;
an upsampling step, namely upsampling the minority sample set by using a preset sampling algorithm, and adding a new data sample obtained by upsampling into the data sample to form to-be-detected data;
and an intrusion detection step, inputting the data to be detected into a pre-trained intrusion detection model for detection so as to judge the security.
2. The method of intrusion detection for unbalanced data as recited in claim 1, further comprising:
and a model training step, namely training an intrusion detection model in advance to obtain a trained intrusion detection model, wherein the training of the intrusion detection model adopts a Focal local Loss function.
3. The method of intrusion detection for unbalanced data as claimed in claim 1, wherein the acquiring step comprises a raw data acquiring step and a data preprocessing step.
4. The intrusion detection method for unbalanced data according to claim 3, wherein the raw data obtaining step obtains raw data; and the data preprocessing step removes invalid data and repeated data in the original data to obtain a data sample.
5. The method of intrusion detection for unbalanced data as claimed in claim 1, wherein the classifying step comprises a feature statistics step and a sample classification step.
6. The intrusion detection method for unbalanced data according to claim 5, wherein the characteristic statistics step performs characteristic statistics on the data samples to obtain corresponding data characteristics; the sample classification step is used for classifying the data characteristics to obtain a numerical value attribute, a sequence attribute and a category attribute; and dividing all data samples into a minority sample set and a majority sample set according to the category attribute.
7. The method of intrusion detection for unbalanced data according to claim 1, wherein the predetermined sampling algorithm is a SMOTE sampling algorithm.
8. The intrusion detection method for unbalanced data as claimed in claim 7, wherein the up-sampling step comprises a neighbor sample acquisition step and a linear interpolation step.
9. The method according to claim 8, wherein the neighbor sample acquiring step calculates a distance from each sample to all samples in the minority sample set using euclidean distance as a criterion for each sample in the minority sample set, and obtains k neighbor samples thereof according to the distance.
10. The method according to claim 9, wherein the linear interpolation step randomly selects a preset number of neighboring samples from k neighboring samples for each minority sample, and constructs a new data sample with the original minority sample according to the following formula for each randomly selected neighboring sample:
xim=xi+λ1*(xin-xi) (ii) a Wherein x isimRepresenting a new data sample, xiRepresenting randomly selected neighbour samples, xinRepresenting the original minority class of samples, λ1Is a random number between 0 and 1.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110785171.XA CN113553580A (en) | 2021-07-12 | 2021-07-12 | Intrusion detection method for unbalanced data |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110785171.XA CN113553580A (en) | 2021-07-12 | 2021-07-12 | Intrusion detection method for unbalanced data |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113553580A true CN113553580A (en) | 2021-10-26 |
Family
ID=78131598
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110785171.XA Pending CN113553580A (en) | 2021-07-12 | 2021-07-12 | Intrusion detection method for unbalanced data |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113553580A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110991653A (en) * | 2019-12-10 | 2020-04-10 | 电子科技大学 | Method for classifying unbalanced data sets |
| CN111626336A (en) * | 2020-04-29 | 2020-09-04 | 南京理工大学 | Subway fault data classification method based on unbalanced data set |
| CN111914253A (en) * | 2020-08-10 | 2020-11-10 | 中国海洋大学 | Method, system, equipment and readable storage medium for intrusion detection |
| CN112766379A (en) * | 2021-01-21 | 2021-05-07 | 中国科学技术大学 | Data equalization method based on deep learning multi-weight loss function |
-
2021
- 2021-07-12 CN CN202110785171.XA patent/CN113553580A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110991653A (en) * | 2019-12-10 | 2020-04-10 | 电子科技大学 | Method for classifying unbalanced data sets |
| CN111626336A (en) * | 2020-04-29 | 2020-09-04 | 南京理工大学 | Subway fault data classification method based on unbalanced data set |
| CN111914253A (en) * | 2020-08-10 | 2020-11-10 | 中国海洋大学 | Method, system, equipment and readable storage medium for intrusion detection |
| CN112766379A (en) * | 2021-01-21 | 2021-05-07 | 中国科学技术大学 | Data equalization method based on deep learning multi-weight loss function |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109492395B (en) | Method, device and storage medium for detecting malicious program | |
| US20170063893A1 (en) | Learning detector of malicious network traffic from weak labels | |
| CN108200054A (en) | A kind of malice domain name detection method and device based on dns resolution | |
| EP2431918B1 (en) | Graph lattice method for image clustering, classification, and repeated structure finding | |
| CN114244603B (en) | Anomaly detection and comparison embedded model training and detection method, device and medium | |
| CN111368289B (en) | Malicious software detection method and device | |
| Zhong et al. | Malware-on-the-brain: Illuminating malware byte codes with images for malware classification | |
| Murray et al. | Explainable NILM networks | |
| CN111400713A (en) | Malicious software family classification method based on operation code adjacency graph characteristics | |
| Čeponis et al. | Evaluation of deep learning methods efficiency for malicious and benign system calls classification on the AWSCTD | |
| CN113438209A (en) | Phishing website detection method based on improved Stacking strategy | |
| CN113591892A (en) | Training data processing method and device | |
| CN111797395A (en) | Malicious code visualization and variety detection method, device, equipment and storage medium | |
| CN111582647A (en) | User data processing method and device and electronic equipment | |
| CN113553580A (en) | Intrusion detection method for unbalanced data | |
| CN113553581A (en) | Intrusion detection system for unbalanced data | |
| CN116226850A (en) | Method, device, equipment, medium and program product for detecting virus of application program | |
| CN114417860A (en) | Information detection method, device and equipment | |
| CN115049843A (en) | Confrontation sample generation method and device, electronic equipment and storage medium | |
| CN111695117B (en) | Webshell script detection method and device | |
| Bojesen et al. | Annotating otoliths with a deep generative model | |
| CN113962216A (en) | Text processing method and device, electronic equipment and readable storage medium | |
| KR101893029B1 (en) | Method and Apparatus for Classifying Vulnerability Information Based on Machine Learning | |
| CN111797397A (en) | Malicious code visualization and variation detection method, equipment and storage medium | |
| US20210174199A1 (en) | Classifying domain names based on character embedding and deep learning |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20211026 |
|
| RJ01 | Rejection of invention patent application after publication |