CN108400972A - A kind of method for detecting abnormality and device - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
This application discloses an anomaly detection method and device. The method includes: establishing a basis matrix from the historical traffic data of user access-server behavior, and obtaining the observation vector of the day to be detected from that day's traffic data of user access-server behavior; calculating the Mahalanobis distance between the basis matrix and the observation vector of the day to be detected; and judging from the Mahalanobis distance whether the user's server-access behavior is abnormal. The application detects abnormal behavior in an enterprise based on the Mahalanobis distance, thereby improving the security of the enterprise.
Description
Technical Field
The present application relates to internet technologies, and in particular, to a method and an apparatus for detecting an anomaly.
Background
One key issue in enterprise security is the detection of compromised users (i.e., users of the enterprise network that are controlled after being subjected to a network attack, e.g., being infected with a virus) and of internal workers in the enterprise with malicious intent. This problem is very complicated because of the diversity of the scenarios in which it occurs and the enormous diversity of roles in the network environments of connected companies. However, there is no reliable and effective method for performing behavior analysis and anomaly detection on compromised users or malicious users.
Disclosure of Invention
The application provides an anomaly detection method and device, which can detect abnormal behaviors in an enterprise, so that the security of the enterprise is improved.
The application provides an anomaly detection method, which comprises the following steps:
establishing a basic matrix according to historical flow data of user access server behaviors, and acquiring observation vectors of the current day to be detected according to the flow data of the user access server behaviors of the current day to be detected;
and calculating the Mahalanobis distance between the basic matrix and the observation vector to be detected on the current day, and judging whether the behavior of the user for accessing the server is abnormal or not according to the Mahalanobis distance.
Optionally, the calculating the mahalanobis distance between the basis matrix and the observation vector on the current day to be detected includes:
normalizing the basic matrix and the observation vector;
performing singular value decomposition on the normalized basic matrix;
and calculating the Mahalanobis distance according to the observation vector after the normalization processing and a matrix obtained by singular value decomposition.
Optionally, the calculating the mahalanobis distance according to the observation vector after the normalization processing and the matrix obtained by the singular value decomposition includes:
according to the formulaCalculating the mahalanobis distance;
wherein,the matrix obtained by taking the first r columns of the matrix U,in order to normalize the processed observation vector,is a matrix obtained by taking diagonal elements of the first r terms of the matrix S,the matrix U and the matrix S are obtained by the singular decomposition.
Optionally, the determining whether the behavior of the user accessing the server is abnormal according to the mahalanobis distance includes:
and calculating a score according to the Mahalanobis distance, and judging whether the behavior of the user for accessing the server is abnormal or not according to the score.
Optionally, the calculating a score according to the mahalanobis distance includes:
according to the formulaCalculating the score;
wherein score is the score, A is the difference between the highest and lowest values of the score, m is the Mahalanobis distance, m0 is the Mahalanobis distance corresponding to a score of A/2, and k is the slope of the curve.
An embodiment of the present invention provides an anomaly detection apparatus, including:
the acquisition module is used for establishing a basic matrix according to historical flow data of the user access server behaviors and acquiring observation vectors of the current day to be detected according to the flow data of the user access server behaviors on the current day to be detected;
the calculation module is used for calculating the Mahalanobis distance between the basic matrix and the observation vector of the current day to be detected;
and the detection module is used for judging whether the behavior of the user for accessing the server is abnormal or not according to the Mahalanobis distance.
Optionally, the calculation module is specifically configured to:
normalizing the basic matrix and the observation vector;
performing singular value decomposition on the normalized basic matrix;
and calculating the Mahalanobis distance according to the observation vector after the normalization processing and a matrix obtained by singular value decomposition.
Optionally, the detection module is specifically configured to:
and calculating a score according to the Mahalanobis distance, and judging whether the behavior of the user for accessing the server is abnormal or not according to the score.
An embodiment of the present invention provides a terminal, including a processor and a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed by the processor, any one of the above-mentioned abnormality detection methods is implemented.
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of any one of the above-mentioned abnormality detection methods.
Compared with the related art, the method comprises the following steps: establishing a basic matrix according to historical flow data of user access server behaviors, and acquiring observation vectors of the current day to be detected according to the flow data of the user access server behaviors of the current day to be detected; and calculating the Mahalanobis distance between the basic matrix and the observation vector to be detected on the current day, and judging whether the behavior of the user for accessing the server is abnormal or not according to the Mahalanobis distance. The method and the device realize the detection of the abnormal behaviors in the enterprise based on the Mahalanobis distance, thereby improving the safety of the enterprise.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the claimed subject matter and are incorporated in and constitute a part of this specification, illustrate embodiments of the subject matter and together with the description serve to explain the principles of the subject matter and not to limit the subject matter.
FIG. 1 is a flow chart of the anomaly detection method of the present application;
FIG. 2 is a schematic structural diagram of an anomaly detection device according to the present application;
FIG. 3 is a schematic structural diagram of the terminal of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more apparent, embodiments of the present application will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
The steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
The anomaly detection is performed based on the Mahalanobis distance.
Given an observed value for a set of variables, an anomaly is an observed value that is rarely likely to be observed, i.e., a low-probability event. If the variables are assumed, as a first approximation, to follow a normal distribution, then low-probability events lie in the tail of the distribution, far from the mean. In other words, the farther an observation is from the average, the lower its probability. The distance to the average can therefore be used as a measure of the degree of abnormality: finding an observed value with a low probability is equivalent to finding an abnormal value that is far from the average. The distance of the observed value from the mean may be expressed in standard deviations rather than as an absolute value, e.g., by using z-score normalization, so that anomalies can be compared even across different probability distributions. The Mahalanobis distance is a multidimensional generalization of the z-score: when an observed value is a multidimensional variable, the Mahalanobis distance expresses, in standard deviations, how far one observed value lies from the mean of all observed values, and it is independent of the units and of the scale of each vector dimension.
Referring to fig. 1, the present application proposes an abnormality detection method including:
step 100, establishing a basic matrix according to historical traffic data of user access server behaviors, and acquiring observation vectors of the current day to be detected according to the traffic data of the user access server behaviors of the current day to be detected.
In this application, a user's server-access behavior generally consists of connecting to the server when traffic (flow) data needs to be downloaded and disconnecting from the server after the traffic data has been downloaded.
In this application, flow data may be collected by the probe and then obtained from the probe.
In this application, the traffic data includes: a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port, an access traffic size, an access time, etc.
In this application, establishing a basis matrix according to historical traffic data includes: acquiring at least two historical observation vectors according to the historical traffic data, wherein each historical observation vector comprises characteristic data of a user accessing the server on a certain historical day.
Wherein the characteristic data of the user accessing the server is obtained according to the historical traffic data.
Wherein the characteristic data includes:
the time of the first connection to the server in a day, the time of the last connection to the server in a day, the interval between the last connection to the server and the first connection to the server in a day, the sum of the connection durations of all traffic data in a day, the number of connections of traffic data in a day, the total number of bytes uploaded in a day, the total number of bytes downloaded in a day, and the like.
For example, the base matrix is a matrix of N rows and K columns, i.e.Wherein k is the number of the characteristic data, and n is the number of days.
In the application, the basic matrix is also preprocessed after the basic matrix is established, and the preprocessing of the basic matrix comprises normalization, dimension reduction, abnormal value removal and the like of the basic matrix.
Step 101, calculating the mahalanobis distance between the basic matrix and the observation vector to be detected on the day, and judging whether the behavior of the user for accessing the server is abnormal or not according to the mahalanobis distance.
In the application, the mahalanobis distance between the basic matrix and the observation vector to be detected on the day can be calculated in the following way, namely, the mean vector and the covariance matrix are calculated according to the basic matrix, and the mahalanobis distance is calculated according to the mean vector and the covariance matrix.
Wherein the mean vector μ = [μ1, μ2, …, μk] is the average value of each column in the base matrix, e.g., μ1 is the average value of the 1st column in the base matrix, μ2 is the average value of the 2nd column in the base matrix, and so on.
Covariance matrixIs the covariance of each element in the base matrix with the mean of the column in which it is located.
Wherein, according to the formulaAnd calculating the mahalanobis distance.
Wherein m is the Mahalanobis distance, x = [x1, x2, …, xk] is the observation vector of the day to be detected, μ = [μ1, μ2, …, μk] is the mean vector,is a covariance matrix.
In practice, the Mahalanobis distance can only be obtained this way if the covariance matrix is neither singular nor ill-conditioned; if the covariance matrix is singular or ill-conditioned, its inverse cannot be solved.
To avoid this limitation, when calculating the mahalanobis distance, the basis matrix and the observation vector of the day to be detected are first normalized, i.e., normalized Wherein,in order to normalize the processed basis matrix,to normalize the processed observation vector, [ sigma ]1σ2…σk]Is the covariance vector of the observation vector of the day to be detected.
Then, Singular Value Decomposition (SVD) is performed on the normalized basis matrix, that is, Singular Value Decomposition (SVD) is performed on the basis matrix(ii) a Wherein, U and V are orthogonal matrices, S is a matrix in which the elements on the diagonal are eigenvalues of the normalized basis matrix and the other elements are 0, and the eigenvalues of the normalized basis matrix in S are sequentially decreased, and the elements in U and the elements in S are in one-to-one correspondence, and thus the elements in U are also sequentially decreased.
Finally, the Mahalanobis distance is calculated according to the observation vector after normalization processing and the matrix obtained by singular value decomposition, namely according to a formulaAnd calculating the mahalanobis distance.
Wherein,the matrix obtained by taking the first r columns of the matrix U,in order to normalize the processed observation vector,is a matrix obtained by taking diagonal elements of the first r items of the matrix S.
In the present application, since the Mahalanobis distance is unbounded and may grow arbitrarily large, it may be mapped to a bounded interval (e.g., [0,100]) to serve as a score of the degree of abnormality. Namely, judging whether the behavior of the user for accessing the server is abnormal according to the Mahalanobis distance comprises the following steps:
and calculating a score according to the Mahalanobis distance, and judging whether the behavior of the user for accessing the server is abnormal or not according to the score.
When calculating the score according to the Mahalanobis distance, a sigmoid function can be adopted, that is, calculating the score according to the Mahalanobis distance includes: according to the formulaCalculating a score; where score is the score, A is the difference between the highest and lowest score values (e.g., 100), m is the Mahalanobis distance, m0 is the Mahalanobis distance at which the score is A/2 (e.g., 50), and k is the slope of the curve.
The larger the Mahalanobis distance, the higher the corresponding score, which indicates a larger difference between the user's current behavior and historical behavior and a higher possibility that the user's current server-access behavior is abnormal. Such behavior should draw more attention from security operation and maintenance personnel, thereby achieving the purpose of monitoring the security of the enterprise server data.
Specifically, when the score is greater than or equal to a preset threshold value, determining that the behavior of a user for accessing the server is abnormal;
and when the score is smaller than a preset threshold value, determining that the user has normal behavior when accessing the server.
The above k and m0 can be calculated by linear regression; that is, the scores corresponding to at least two Mahalanobis distances are obtained according to the experience given by experts, and the values of k and m0 are then calculated according to the scores corresponding to the at least two Mahalanobis distances.
In particular, to the formulaTaking logarithm to obtainThen, substituting the scores corresponding to at least two Mahalanobis distances into a formulaThus, the values of k and m0 can be obtained.
The method and the device realize the detection of the abnormal behaviors in the enterprise based on the Mahalanobis distance, thereby improving the safety of the enterprise.
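The full pipeline described above (feature vectors, normalization, decomposition, rank-truncated Mahalanobis distance, sigmoid score, threshold, and the linear-regression fit of k and m0) is sketched below as an added example; it is not code from the patent. Assumptions: the score uses the standard logistic form A / (1 + exp(-k(m - m0))) because the formula image is missing from this page; rows of the basis matrix are days, so the right singular vectors play the role of the patent's U; the singular values are obtained from a Jacobi eigen-decomposition of the Gram matrix instead of a library SVD; and the traffic values, k, m0 and the threshold are constructed for illustration.

```python
import math

def features(first, last, conns, mb_down):
    """One observation vector from a day's flow data (subset of the page's feature list)."""
    return [first, last, last - first, float(conns), mb_down]

def jacobi_eigh(a, sweeps=50):
    """Eigenvalues (descending) and eigenvector columns of a symmetric matrix."""
    k = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(k)] for i in range(k)]
    for _ in range(sweeps):
        off = sum(a[i][j] ** 2 for i in range(k) for j in range(i + 1, k))
        if off <= 1e-26 * sum(a[i][i] ** 2 for i in range(k)):
            break
        for p in range(k):
            for q in range(p + 1, k):
                if a[p][q] == 0.0:
                    continue
                diff = a[q][q] - a[p][p]
                theta = math.pi / 4 if diff == 0 else 0.5 * math.atan(2 * a[p][q] / diff)
                c, s = math.cos(theta), math.sin(theta)
                for mat in (a, v):  # rotate columns p and q of A and of V
                    for i in range(k):
                        mat[i][p], mat[i][q] = c * mat[i][p] - s * mat[i][q], s * mat[i][p] + c * mat[i][q]
                for i in range(k):  # rotate rows p and q of A
                    a[p][i], a[q][i] = c * a[p][i] - s * a[q][i], s * a[p][i] + c * a[q][i]
    order = sorted(range(k), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[j][i] for i in order] for j in range(k)]

def mahalanobis_svd(history, x, r=None):
    """Mahalanobis distance of x from the basis matrix (rows = days), keeping only the
    first r non-negligible singular directions so a singular covariance is not inverted."""
    n, k = len(history), len(history[0])
    mu = [sum(row[j] for row in history) / n for j in range(k)]
    sd = [math.sqrt(sum((row[j] - mu[j]) ** 2 for row in history) / (n - 1)) or 1.0
          for j in range(k)]  # a constant feature gets sd 1.0 and drops out below
    xn = [[(row[j] - mu[j]) / sd[j] for j in range(k)] for row in history]
    xt = [(x[j] - mu[j]) / sd[j] for j in range(k)]
    gram = [[sum(row[i] * row[j] for row in xn) for j in range(k)] for i in range(k)]
    lam, vec = jacobi_eigh(gram)  # lam[i] is the squared i-th singular value of xn
    keep = [i for i in range(k) if lam[i] > 1e-10 * lam[0]][:r]
    proj = [sum(vec[j][i] * xt[j] for j in range(k)) for i in keep]
    return math.sqrt((n - 1) * sum(p * p / lam[i] for p, i in zip(proj, keep)))

def score(m, k, m0, A=100.0):
    """Assumed logistic mapping of the unbounded distance onto [0, A]; score(m0) = A/2."""
    return A / (1.0 + math.exp(-k * (m - m0)))

def fit_sigmoid(pairs, A=100.0):
    """Fit k and m0 from expert (distance, score) pairs: ln(s/(A-s)) = k*m - k*m0."""
    ms = [m for m, _ in pairs]
    ys = [math.log(s / (A - s)) for _, s in pairs]
    mbar, ybar = sum(ms) / len(ms), sum(ys) / len(ys)
    k = (sum((m - mbar) * (y - ybar) for m, y in zip(ms, ys))
         / sum((m - mbar) ** 2 for m in ms))
    return k, mbar - ybar / k

def detect(history, x, k=1.0, m0=6.0, threshold=50.0):
    """Return (distance, score, is_abnormal); k, m0 and threshold are hypothetical."""
    m = mahalanobis_svd(history, x)
    s = score(m, k, m0)
    return m, s, s >= threshold

# Constructed sample: (first connection hour, last connection hour, connections, MB down).
# The interval feature equals last - first, so the covariance matrix is exactly singular.
HISTORY = [features(*d) for d in [
    (9.0, 17.5, 42, 118.0), (8.5, 18.0, 47, 131.0), (9.25, 17.75, 40, 109.0),
    (9.0, 18.25, 51, 140.0), (8.75, 17.5, 44, 122.0), (9.5, 18.0, 39, 104.0),
    (9.0, 17.25, 45, 127.0), (8.5, 17.75, 49, 136.0), (9.25, 18.5, 43, 115.0),
    (9.0, 18.0, 46, 125.0)]]
TYPICAL_DAY = features(9.0, 17.75, 45, 124.0)
ODD_DAY = features(2.5, 23.5, 160, 4200.0)  # 02:30 first connection, 4.2 GB pulled

if __name__ == "__main__":
    for name, day in (("typical", TYPICAL_DAY), ("odd", ODD_DAY)):
        m, s, flag = detect(HISTORY, day)
        print(f"{name:8s} distance={m:9.2f} score={s:6.2f} abnormal={flag}")
    expert = [(2.0, 5.0), (6.0, 50.0), (10.0, 95.0)]  # constructed expert judgments
    print("fitted k, m0:", fit_sigmoid(expert))
```

Because the interval feature is a linear combination of the first and last connection times, a direct covariance inverse would fail on this sample; the truncation in `mahalanobis_svd` discards that zero-variance direction, which is the limitation the normalization and decomposition steps are meant to avoid.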
Referring to fig. 2, the present application proposes an abnormality detection apparatus including:
the acquisition module is used for establishing a basic matrix according to historical flow data of the user access server behaviors and acquiring observation vectors of the current day to be detected according to the flow data of the user access server behaviors on the current day to be detected;
the calculation module is used for calculating the Mahalanobis distance between the basic matrix and the observation vector of the current day to be detected;
and the detection module is used for judging whether the behavior of the user for accessing the server is abnormal or not according to the Mahalanobis distance.
Optionally, the calculation module is specifically configured to:
normalizing the basic matrix and the observation vector;
performing singular value decomposition on the normalized basic matrix;
and calculating the Mahalanobis distance according to the observation vector after the normalization processing and a matrix obtained by singular value decomposition.
Optionally, the calculation module is specifically configured to calculate the mahalanobis distance according to the observation vector after the normalization processing and a matrix obtained by singular value decomposition in the following manner:
according to the formulaCalculating the mahalanobis distance;
wherein,the matrix obtained by taking the first r columns of the matrix U,in order to normalize the processed observation vector,the matrix is obtained by taking diagonal elements of the front r items of the matrix S, and the matrix U and the matrix S are obtained by singular decomposition.
Optionally, the detection module is specifically configured to:
and calculating a score according to the Mahalanobis distance, and judging whether the behavior of the user for accessing the server is abnormal or not according to the score.
Optionally, the detection module is specifically configured to calculate the score according to the mahalanobis distance by using the following method:
according to the formulaCalculating the score;
wherein score is the score, A is the difference between the highest and lowest values of the score, m0 is the Mahalanobis distance corresponding to a score of A/2, and k is the slope of the curve.
Referring to fig. 3, the present application proposes a terminal including a processor and a computer-readable storage medium, wherein instructions are stored in the computer-readable storage medium, and when the instructions are executed by the processor, any one of the above-mentioned abnormality detection methods is implemented.
The present application proposes a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the above-described anomaly detection methods.
Although the embodiments disclosed in the present application are described above, the descriptions are only for the convenience of understanding the present application, and are not intended to limit the present application. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims.
Claims (10)
1. An abnormality detection method characterized by comprising:
establishing a basic matrix according to historical flow data of user access server behaviors, and acquiring observation vectors of the current day to be detected according to the flow data of the user access server behaviors of the current day to be detected;
and calculating the Mahalanobis distance between the basic matrix and the observation vector to be detected on the current day, and judging whether the behavior of the user for accessing the server is abnormal or not according to the Mahalanobis distance.
2. The anomaly detection method according to claim 1, wherein said calculating the mahalanobis distance between the basis matrix and the observation vector for the day to be detected comprises:
normalizing the basic matrix and the observation vector;
performing singular value decomposition on the normalized basic matrix;
and calculating the Mahalanobis distance according to the observation vector after the normalization processing and a matrix obtained by singular value decomposition.
3. The anomaly detection method according to claim 2, wherein said calculating mahalanobis distances from the normalized observation vectors and the matrix obtained by singular value decomposition comprises:
according to the formulaCalculating the mahalanobis distance;
wherein,the matrix obtained by taking the first r columns of the matrix U,in order to normalize the processed observation vector,the matrix is obtained by taking diagonal elements of the front r items of the matrix S, and the matrix U and the matrix S are obtained by singular decomposition.
4. The anomaly detection method according to claim 1, wherein said determining whether the user's access to the server behavior is anomalous based on mahalanobis distance comprises:
and calculating a score according to the Mahalanobis distance, and judging whether the behavior of the user for accessing the server is abnormal or not according to the score.
5. The anomaly detection method according to claim 4, wherein said calculating a score from Mahalanobis distance comprises:
according to the formulaCalculating the score;
wherein score is the score, A is the difference between the highest and lowest values of the score, m is the Mahalanobis distance, m0 is the Mahalanobis distance corresponding to a score of A/2, and k is the slope of the curve.
6. An abnormality detection device characterized by comprising:
the acquisition module is used for establishing a basic matrix according to historical flow data of the user access server behaviors and acquiring observation vectors of the current day to be detected according to the flow data of the user access server behaviors on the current day to be detected;
the calculation module is used for calculating the Mahalanobis distance between the basic matrix and the observation vector of the current day to be detected;
and the detection module is used for judging whether the behavior of the user for accessing the server is abnormal or not according to the Mahalanobis distance.
7. The anomaly detection device of claim 6, wherein said computation module is specifically configured to:
normalizing the basic matrix and the observation vector;
performing singular value decomposition on the normalized basic matrix;
and calculating the Mahalanobis distance according to the observation vector after the normalization processing and a matrix obtained by singular value decomposition.
8. The anomaly detection device according to claim 6, wherein said detection module is specifically configured to:
and calculating a score according to the Mahalanobis distance, and judging whether the behavior of the user for accessing the server is abnormal or not according to the score.
9. A terminal comprising a processor and a computer readable storage medium having instructions stored thereon, wherein the instructions, when executed by the processor, implement the anomaly detection method of any one of claims 1-5.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the anomaly detection method according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810087357.6A CN108400972A (en) | 2018-01-30 | 2018-01-30 | A kind of method for detecting abnormality and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810087357.6A CN108400972A (en) | 2018-01-30 | 2018-01-30 | A kind of method for detecting abnormality and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108400972A true CN108400972A (en) | 2018-08-14 |
Family
ID=63095749
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810087357.6A Pending CN108400972A (en) | 2018-01-30 | 2018-01-30 | A kind of method for detecting abnormality and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108400972A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109816211A (en) * | 2018-12-29 | 2019-05-28 | 北京英视睿达科技有限公司 | Judge Polluted area similitude and improves the method and device of pollution administration efficiency |
CN110071829A (en) * | 2019-04-12 | 2019-07-30 | 腾讯科技(深圳)有限公司 | DNS tunnel detection method, device and computer readable storage medium |
CN110210507A (en) * | 2018-10-29 | 2019-09-06 | 腾讯科技(深圳)有限公司 | Detection method, device and the readable storage medium storing program for executing that machine is clicked |
CN110858262A (en) * | 2018-08-16 | 2020-03-03 | 三菱重工业株式会社 | Abnormality detection device, abnormality detection method, and non-transitory computer-readable medium |
CN111242695A (en) * | 2020-01-17 | 2020-06-05 | 深圳前海微众银行股份有限公司 | Data processing method, device, equipment and computer readable storage medium |
CN112146904A (en) * | 2019-06-28 | 2020-12-29 | 三菱重工业株式会社 | Abnormality detection device, abnormality detection method, and storage medium |
CN113252320A (en) * | 2020-02-10 | 2021-08-13 | 三菱重工业株式会社 | Abnormality sensing device, abnormality sensing method, and program |
CN115499207A (en) * | 2022-09-15 | 2022-12-20 | 中债金科信息技术有限公司 | Intrusion detection method and device, storage medium and electronic equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102214299A (en) * | 2011-06-21 | 2011-10-12 | 电子科技大学 | Method for positioning facial features based on improved ASM (Active Shape Model) algorithm |
CN102982165A (en) * | 2012-12-10 | 2013-03-20 | 南京大学 | Large-scale human face image searching method |
CN103674511A (en) * | 2013-03-18 | 2014-03-26 | 北京航空航天大学 | Mechanical wearing part performance assessment and prediction method based on EMD (empirical mode decomposition)-SVD (singular value decomposition) and MTS (Mahalanobis-Taguchi system) |
EP3001265A1 (en) * | 2014-09-26 | 2016-03-30 | Palo Alto Research Center, Incorporated | Computer-implemented method and system for machine tool damage assessment, prediction, and planning in manufacturing shop floor |
CN107196953A (en) * | 2017-06-14 | 2017-09-22 | 上海丁牛信息科技有限公司 | A kind of anomaly detection method based on user behavior analysis |
-
2018
- 2018-01-30 CN CN201810087357.6A patent/CN108400972A/en active Pending
Non-Patent Citations (1)
Title |
---|
MADHU SHASHANKA et al.: "User and entity behavior analytics for enterprise security", 2016 IEEE INTERNATIONAL CONFERENCE ON BIG DATA (BIG DATA) * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110858262A (en) * | 2018-08-16 | 2020-03-03 | 三菱重工业株式会社 | Abnormality detection device, abnormality detection method, and non-transitory computer-readable medium |
CN110210507A (en) * | 2018-10-29 | 2019-09-06 | 腾讯科技(深圳)有限公司 | Detection method, device and the readable storage medium storing program for executing that machine is clicked |
CN109816211A (en) * | 2018-12-29 | 2019-05-28 | 北京英视睿达科技有限公司 | Judge Polluted area similitude and improves the method and device of pollution administration efficiency |
CN110071829A (en) * | 2019-04-12 | 2019-07-30 | 腾讯科技(深圳)有限公司 | DNS tunnel detection method, device and computer readable storage medium |
CN110071829B (en) * | 2019-04-12 | 2022-03-04 | 腾讯科技(深圳)有限公司 | DNS tunnel detection method and device and computer readable storage medium |
CN112146904A (en) * | 2019-06-28 | 2020-12-29 | 三菱重工业株式会社 | Abnormality detection device, abnormality detection method, and storage medium |
US11500965B2 (en) | 2019-06-28 | 2022-11-15 | Mitsubishi Heavy Industries, Ltd. | Abnormality detection device, abnormality detection method, and non-transitory computer-readable medium |
CN111242695A (en) * | 2020-01-17 | 2020-06-05 | 深圳前海微众银行股份有限公司 | Data processing method, device, equipment and computer readable storage medium |
CN113252320A (en) * | 2020-02-10 | 2021-08-13 | 三菱重工业株式会社 | Abnormality sensing device, abnormality sensing method, and program |
CN115499207A (en) * | 2022-09-15 | 2022-12-20 | 中债金科信息技术有限公司 | Intrusion detection method and device, storage medium and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108400972A (en) | A kind of method for detecting abnormality and device | |
US10063581B1 (en) | Measure based anomaly detection | |
CN107426199B (en) | Method and system for detecting and analyzing network abnormal behaviors | |
CN112738015B (en) | Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection | |
JP6878445B2 (en) | Reactive and preemptive security systems for computer network and system protection | |
US9386028B2 (en) | System and method for malware detection using multidimensional feature clustering | |
CN109067722B (en) | LDoS detection method based on two-step clustering and detection piece analysis combined algorithm | |
CN112995161B (en) | Network security situation prediction system based on artificial intelligence | |
CN107666490A (en) | A kind of suspicious domain name detection method and device | |
CN110351291B (en) | DDoS attack detection method and device based on multi-scale convolutional neural network | |
CN110572413A (en) | Low-rate denial of service attack detection method based on Elman neural network | |
CN112165470B (en) | Intelligent terminal access safety early warning system based on log big data analysis | |
CN108718298A (en) | Connect flow rate testing methods and device outside a kind of malice | |
CN109257393A (en) | XSS attack defence method and device based on machine learning | |
CN110602109A (en) | Application layer DDoS attack detection and defense method based on multi-feature entropy | |
US20230418943A1 (en) | Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same | |
CN110365636B (en) | Method and device for judging attack data source of industrial control honeypot | |
CN115021997A (en) | Network intrusion detection system based on machine learning | |
CN110598959A (en) | Asset risk assessment method and device, electronic equipment and storage medium | |
CN110298170B (en) | Power SCADA system security assessment method considering blind attack factors | |
CN117834311B (en) | Malicious behavior identification system for network security | |
CN114157480A (en) | Method, device, equipment and storage medium for determining network attack scheme | |
CN111865941A (en) | Abnormal behavior identification method and device | |
Kanna et al. | A defensive mechanism based on PCA to defend denial of-service attack | |
CN115118525B (en) | Internet of things safety protection system and protection method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180814 |