US 12,381,899 B2
Network traffic anomaly detection method and apparatus, and electronic apparatus and storage medium
Yueqing Lin, Hangzhou (CN); Yuan Fan, Hangzhou (CN); and Bo Liu, Hangzhou (CN)
Assigned to DBAPPSECURITY CO., LTD, Hangzhou (CN)
Appl. No. 18/022,170
Filed by DBAPPSECURITY CO., LTD, Hangzhou (CN)
PCT Filed May 7, 2021, PCT No. PCT/CN2021/092227
§ 371(c)(1), (2) Date Feb. 20, 2023,
PCT Pub. No. WO2022/037130, PCT Pub. Date Feb. 24, 2022.
Claims priority of application No. 202010847761.6 (CN), filed on Aug. 21, 2020.
Prior Publication US 2023/0300159 A1, Sep. 21, 2023
Int. Cl. H04L 9/40 (2022.01); H04L 41/16 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 41/16 (2013.01)]
13 Claims
1. A network traffic anomaly detection method, comprising:
acquiring a plurality of segments of traffic data in different monitoring states;
acquiring an anomaly feature vector from the plurality of segments of traffic data;
training an initial classification model according to the anomaly feature vector and on a basis of a KNN algorithm, so as to obtain a plurality of initial classifiers;
training an initial Adaboost classification model according to the anomaly feature vector and the plurality of initial classifiers and on a basis of an Adaboost algorithm, so as to obtain an Adaboost classifier; and
classifying collected traffic data via the Adaboost classifier;
the training the initial classification model according to the anomaly feature vector and on the basis of the KNN algorithm, so as to obtain the plurality of initial classifiers further comprises:
taking first anomaly feature vectors as a training set, wherein the number of the first anomaly feature vectors is a first preset threshold;
performing a data normalization process on the anomaly feature vectors in the training set;
determining distances among the anomaly feature vectors in the training set after performing the data normalization process; and
training the initial classification model according to the distances and the KNN algorithm, so as to obtain the plurality of initial classifiers; and
after the training the initial classification model according to the distances and the KNN algorithm, so as to obtain the plurality of initial classifiers, the method further comprises:
taking second anomaly feature vectors as a testing set, wherein the number of the second anomaly feature vectors is a second preset threshold;
inputting the testing set into the plurality of initial classifiers, respectively, to obtain a classification result corresponding to each initial classifier;
determining an accuracy rate of the classification result corresponding to each initial classifier;
determining whether the accuracy rate of the classification result corresponding to each initial classifier is greater than a third preset threshold, if no, acquiring first initial classifiers corresponding to which the accuracy rate is not greater than the third preset threshold; and
training the first initial classifiers according to the distances and the KNN algorithm.
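
The steps of claim 1, as an added Python example that is not part of the patent text: min-max normalization, Euclidean distances, a pool of KNN classifiers, the accuracy gate on a testing set, and AdaBoost weighting of the pool. The feature names, sample values, the choice of k in (1, 3, 5), the 0.9 accuracy threshold and all function names are assumptions; the claim does not specify them, nor how a classifier that fails the gate is retrained.

```python
import math

# Constructed samples: (packets/s, mean packet bytes, distinct dst ports); +1 = anomalous.
TRAIN = [((120, 800, 3), -1), ((150, 760, 4), -1), ((90, 900, 2), -1), ((130, 820, 5), -1),
         ((125, 805, 3), 1),  # anomalous sample that overlaps the normal cluster
         ((4000, 70, 300), 1), ((5200, 64, 450), 1), ((3800, 90, 280), 1), ((4600, 60, 500), 1)]
TEST = [((122, 803, 3), -1), ((4900, 66, 420), 1), ((140, 780, 6), -1), ((4100, 80, 310), 1)]
KS = (1, 3, 5)  # assumption: the "plurality of initial classifiers" differ only in k

def fit_scaler(rows):
    # Min-max parameters per feature, so no single feature dominates the distance.
    return [(min(c), (max(c) - min(c)) or 1.0) for c in zip(*rows)]

def scale(x, scaler):
    return [(v - lo) / span for v, (lo, span) in zip(x, scaler)]

def knn(x, pts, labels, k, skip=None):
    """Majority vote of the k nearest normalized vectors; skip = leave-one-out index."""
    near = sorted((math.dist(x, p), y) for i, (p, y) in enumerate(zip(pts, labels)) if i != skip)
    return 1 if sum(y for _, y in near[:k]) > 0 else -1

def accuracy(k, pts, labels, test, scaler):
    return sum(knn(scale(x, scaler), pts, labels, k) == y for x, y in test) / len(test)

def needs_retraining(pts, labels, test, scaler, threshold=0.9):
    """Classifiers whose testing-set accuracy is not greater than the threshold."""
    return [k for k in KS if not accuracy(k, pts, labels, test, scaler) > threshold]

def adaboost(pts, labels, rounds=3):
    """Discrete AdaBoost over the fixed KNN pool; returns [(alpha, k), ...]."""
    w, ensemble = [1.0 / len(pts)] * len(pts), []
    preds = {k: [knn(p, pts, labels, k, skip=i) for i, p in enumerate(pts)] for k in KS}
    for _ in range(rounds):
        errs = {k: sum(wi for wi, p, y in zip(w, preds[k], labels) if p != y) for k in KS}
        k = min(KS, key=errs.get)  # weak learner with the lowest weighted error
        err = min(max(errs[k], 1e-9), 1 - 1e-9)  # avoid log(0) on a perfect learner
        alpha = 0.5 * math.log((1 - err) / err)
        ensemble.append((alpha, k))
        w = [wi * math.exp(-alpha * y * p) for wi, p, y in zip(w, preds[k], labels)]
        w = [wi / sum(w) for wi in w]  # renormalize; misclassified samples gain weight
    return ensemble

def classify(x, ensemble, pts, labels, scaler):
    xs = scale(x, scaler)
    return 1 if sum(a * knn(xs, pts, labels, k) for a, k in ensemble) > 0 else -1

def build():
    scaler = fit_scaler([x for x, _ in TRAIN])
    pts, labels = [scale(x, scaler) for x, _ in TRAIN], [y for _, y in TRAIN]
    return scaler, pts, labels, adaboost(pts, labels)
```

On this constructed data the k=1 classifier fails the gate because one anomalous training sample sits inside the normal cluster, while the boosted vote still labels nearby normal traffic correctly.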