This application claims priority to the Chinese Patent Application No. 2020109673229, filed with the China National Intellectual Property Administration (CNIPA) on Sep. 15, 2020, and entitled “METHOD FOR ANOMALY CLASSIFICATION OF INDUSTRIAL CONTROL SYSTEM COMMUNICATION NETWORK BASED ON STATISTICAL LEARNING AND DEEP LEARNING”, which is incorporated herein by reference in its entirety.
The present disclosure relates to the technical field of industrial information security detection, and in particular, to a method for anomaly classification of an industrial control system (ICS) communication network.
Key infrastructures such as energy, refining, and transportation are critical for a country's stable development, and ensuring network security of the key infrastructures is the top priority. With the automation, interconnection and intelligence of national large-scale infrastructure equipment (such as smart substations, intelligent chemical engineering process systems, and distributed industrial control systems), the cyberspace security issues are becoming apparent. In recent years, a series of cyber attacks on national critical infrastructure have caused huge losses to the national economy and irreversible damage to society. Top hackers frequently invade the communication networks of hub substations, process industrial systems, and even nuclear power plants in more concealed, efficient, and destructive intrusion ways. At present, the defense and hardening of national critical infrastructure network systems have been escalated to the national strategic level. Communication traffic analysis is recognized as the most promising solution to industrial system security problems. The intelligent analysis of communication traffic is a solution that organically combines the security solutions in the traditional Internet field with the characteristics of modern power communication networks and industrial control systems. Specifically, network anomaly events are extracted by using the traffic analysis technology during operation of industrial control systems, are accurately positioned, qualitatively and quantitatively analyzed through statistical learning and deep learning, and are further classified in terms of principle and structure.
According to related reports and papers, all attacks on industrial systems can be reflected on the communication network. Most industrial control network attacks may cause damage to the related communication network. The degree and location of network damage vary with attack types. “Blackenergy”-oriented combined attacks and a series of malicious code injections may cause the communication network to be paralyzed, key channels to be blocked, the supervisory control and data acquisition (SCADA) system to be manipulated, and the control system to be delayed in recovery or even shut down. Since ICS data traffic presents different traffic patterns and characteristics similar to Internet traffic, mathematical models can be generated to analyze, develop, and interpret the characteristics of the ICS data traffic. For complex time series like ICS data traffic, regression algorithms are generally used for modeling and statistical analysis. For anomaly analysis and event classification of the ICS communication network, traditional machine learning algorithms are generally used for offline analysis and modeling of anomaly events. However, the existing ICS anomaly detection algorithms cannot accurately locate real-time anomalies and have a high false positive rate. The existing ICS anomaly event classification models have the defects of high algorithm complexity, poor interpretability, and low classification accuracy.
To implement dynamic modeling and anomaly classification and detection of real-time collected ICS communication traffic without priori knowledge, the present disclosure proposes a comprehensive analysis method to resolve the problem that the existing classification and detection algorithms for ICS anomaly events cannot be actually deployed due to the excessive rely on priori knowledge, low classification accuracy, and high algorithm complexity. The present disclosure also design an ICS network anomaly classification model based on statistical learning and deep learning, which is helpful for the network security protection and anomaly detection of major national industrial infrastructures.
The objectives of the present disclosure can be achieved by the following technical solutions:
A method for anomaly classification of an ICS communication network includes the following steps:
The present disclosure addresses the issue of anomaly detection and classification of the ICS communication network; and provides a network anomaly event classification method based on statistical learning and deep learning that is helpful for ICS network security protection. The ICS network anomaly classification method can monitor network traffic in real time and quickly analyze network anomaly events. The method also provides real-time and accurate source location of anomaly events for typical ICS systems, and detailed analysis of impacts and types of the anomaly events, thereby providing decision support for future network optimization, network adjustment, network construction, and network security protection. In the early stage, accurate and reliable real-time modeling is performed based on the actually collected ICS communication network traffic, and intelligent anomaly classification and detection are performed for different network anomaly events at a traffic level by using combined algorithms, thereby achieving intrusion detection, classified security protection, and security situation awareness for the ICS. The present disclosure can efficiently and accurately defend against typical network attacks on the ICS, and significantly improve margins for system protection against typical network anomalies.
Based on characteristics of ICS communication network traffic, the present disclosure deeply combines the existing SARIMA statistical learning model and LSTM deep learning model. In the early stage, through distributed short-cycle SARIMA modeling for the real-time collected ICS communication traffic data, real-time threshold intervals are generated efficiently and stably. Based on the threshold intervals and ICS network background traffic forecast sequences generated by the LSTM deep learning model, the designed ICS network anomaly classification method can quickly and accurately classify and trace real-time ICS anomaly events, implementing analysis after anomaly detection of ICS network traffic. In this way, real-time situation awareness, warning, and security protection upgrade are finally realized for the ICS network. In the present disclosure, ICS communication traffic data is collected from an ICS test network range involving virtual and physical devices, and an industrial control test platform in Zhejiang Province, and modeling analysis is performed to build a distributed short-cycle SARIMA model with appropriate parameters. Based on statistical learning, an optimized SARIMA(p,d,q)×(P,D,Q)s model is used to calculate a normal traffic threshold interval of the ICS, and adaptability of the model is analyzed. Based on deep learning, the LSTM model is used to perform offline training and modeling analysis based on a large amount of ICS network background traffic data, with a short-cycle SARIMA model training set with an anomaly event as the input. A well-trained LSTM model can use the input to online output forecast values of the ICS network background traffic under the current anomaly event. Dynamic analysis of the real-time collected ICS network traffic is performed by using custom and adaptable combined anomaly classification algorithms, to finally achieving classification and source tracing of the ICS anomaly events. The present disclosure has been deployed in an ICS of a chemical group in Zhejiang Province, achieving an extremely short algorithm running time, a high detection rate, and a low false positive rate.
The present disclosure will be explained in detail with reference to the accompanying drawings.
The technical solutions of the embodiments of the present disclosure are clearly and completely described below with reference to the accompanying drawings. Apparently, the described embodiments are merely a part rather than all of the embodiments of the present disclosure. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present disclosure without creative efforts shall fall within the protection scope of the present disclosure.
An existing machine learning-based offline classification method cannot dynamically analyze collected ICS communication traffic in real time or trace a source of an anomaly event. Only a type of the anomaly event is returned finally. Since the source of ICS anomaly events cannot be traced, operation and maintenance personnel cannot conduct real-time situation awareness and warning for the ICS network or take network defense measures for security audit and hardening.
The present disclosure aims to provide a method for anomaly classification of an ICS communication network. This SARIMA statistical learning and LSTM deep learning based method can dynamically generate normal traffic thresholds for real-time collected ICS data traffic, and perform integrated computation on currently collected ICS data traffic, dynamic normal traffic threshold intervals, static background traffic forecast values, traffic filtered by a Berkeley filter, and time of whitelisted events by using a combined classification algorithm, to quickly and accurately classify and trace real-time ICS abnormal events and analyze ICS network traffic after anomaly detection. In this way, real-time situation awareness, warning, and security protection upgrade are finally realized for the ICS network.
The present disclosure will be described in detail with reference to the drawings, to make the objectives and effects of the present disclosure clearer.
Referring to
Without any human operation and intervention, a total of Pcap data packets in the normal ICS communication network were captured in this experiment. During the operation time of about 20 hours, there was no packet loss. In addition, Pcap background traffic data packets of the ICS communication network were captured. During the operation time of about 20 hours, the background traffic data packets were communication traffic captured in a case that all devices in the ICS were in standby mode, the host computer and the monitoring host stay in communication, and there is no human operation or intervention. The specific details of the ICS communication network traffic are shown in
Based on the overall process of the method shown in
W is a weight matrix, and b is a weight vector, used to establish connections at an input layer, a memory layer, and an output layer. st(l) represents a state of a memory cell in the t-th step of the l-th layer, and ht(l) represents an output state of the memory cell in the t-th step of the l-th layer. δ is an activation function, ψ is a tanh function. ⊙ is a Hadamard product between sets. i, o, and f represent the input gate, the output gate, and the forget gate, respectively. g represents an input node of the tanh function.
fLSTM( ) is the simplified LSTM deep learning model function. This function uses a training sequence X′N
The SARIMA(p,d,q)×(P,D,Q)s model is obtained by separately performing d-order difference calculation and D-order seasonal difference calculation on an auto regressive moving average ARMA(p,q) model, where the ARMA(p,q) model is a combination of AR(p) and MA(q) models.
The ARMA(p,q) model is defined as follows:
Xt=ϕ1Xt−1+ϕ2Xt−2+ . . . +ϕpXt−p+εt−θ1εt−1− . . . −θqεt−q
In the foregoing formula, Xt represents a short-cycle stationary time series after averaging, with a relatively short length; ϕp represents a coefficient of an auto regressive term AR; θq represents a coefficient of a moving average term MA; εt represents a random error term; p represents an order number of AR; and q represents an order number of MA.
Define a delay operator B, and let BXt=Xt−1 such that an AR coefficient polynomial is Φ(B)=1−ϕ1B− . . . −ϕp(B)p and an MA coefficient polynomial is Θ(B)=1−θ1B− . . . −θq(B)q.
Introduce a difference operator Δd=(1−B)d. Then the ARIMA(p, d, q) model is expressed as follows:
Φ(B)ΔdXt=Θ(B)εt
The SARIMA model is obtained by performing seasonal difference calculation on the ARIMA model. The SARIMA model is defined as follows:
Φp(B)Φp(Bs)ΔdΔsDXt=Θq(B)ΘQ(Bs)εt
εt represents a white noise sequence, d represents an order number of a trend difference, D represents an order number of a seasonal difference compensated based on cycle s, Bs represents an s-order delay operator, ΔsD represents a seasonal difference operator, BsXt=Xt−s , ΔsD=1−Bs, Φp(Bs) is a Q-order polynomial of Bs, and Φp(Bs) is a P-order polynomial of Bs.
fSARIMA( ) is a functional expression of the SARIMA(p, d, q)×(P, D, Q)s model XT
Calculate a forecast average {circumflex over (μ)}(i) of the i-th iteration:
z(1−α
Normal ICS communication traffic of the i-th iteration is defined as follows:
XT
Based on a real-time correlation between an ICS forecast sequence XT
XT
A function ∩ is used to get an intersection of two time series sets.
Assuming that a sequence of actual occurrence time of ICS anomalies is Tnanom={t1anom, t2anom, . . . , tnanom, n∈}, where n is the total number of anomalies, a sequence of sample sizes corresponding to short-cycle sequence numbers upon anomalies, Snanom={s1anom, s2anom, . . . , snanom, n∈
}, is:
Snanom=(Tnanom−tdebug)/γsamp
tdebug is real-time debugging time before a program runs, γsamp is a sampling frequency of ICS traffic, and a time series algorithm directly performs calculation on corresponding sequence elements.
The n-th ICS anomaly occurs in the inanom-th short-cycle iteration. Therefore, the number of short-cycle iterations upon an ICS anomaly event, inanom (element of Inanom), can be calculated according to the following equations:
Kn is an intermediate variable.
A variance {circumflex over (σ)}k of the dynamic ICS traffic threshold interval generated by the SARIMA online detection algorithm can be obtained according to the following formula:
k=1, 2, . . . , n n∈, and {circumflex over (σ)}k can measure an overall deviation of a threshold of the ikanom-th short-cycle iteration, which is helpful for analyzing an abnormal degree of the ICS network.
An LSTM deep learning model-based algorithm for online forecasting and analysis of ICS normal communication traffic is as follows:
{tilde over (X)}′N
ModelLSTM( ) is the LSTM deep learning model obtained from offline training in step 2, {tilde over (X)}′N}) of short cycles of the online SARIMA model upon anomaly events, an online SARIMA model training set XT
is a SARIMA training set for each short training cycle), where n is the total number of anomaly events. This training set retains a traffic pattern before occurrence of an anomaly, and also defines the input of the online LSTM deep learning model, based on which an LSTM online forecast sequence of {tilde over (X)}′N
The offline LSTM deep learning model can be used as priori knowledge to validate normal background traffic of the ICS communication network. Based on a time correspondence between the ikanom (k=1, 2, . . . , n n∈)-th short cycle in which an anomaly event occurs and the online SARIMA model training set XT
A variance {tilde over (σ)}k of the online forecast sequence of the LSTM deep learning model is:
k=1, 2, . . . , n n∈, and {tilde over (σ)}k can reflect fluctuation and deviation of online forecasting by the LSTM model at the k-th anomaly event, and can be used as a key parameter for analyzing the background traffic of the ICS communication network.
A predefined error ε is used as a critical value to limit a deviation between a timestamp of an anomaly event and a timestamp of whitelisting, tianom is an element of an anomaly event time series Tnanom, and tiwhit is an element of a time series Tnwhit of whitelisted ICS valid action time and planned maintenance event time. If the critical value of the deviation between the timestamp of the anomaly event and the timestamp of whitelisting is within the deviation, the abnormal ICS communication traffic is generated by an ICS valid action and planned maintenance event.
If |tkanom−tkwhit|/(γsamp·Ttrai)>ε, the abnormal ICS communication traffic is generated by a malicious action.
{tilde over (x)}′i,k is an element of {tilde over (X)}′N
From the variance {tilde over (σ)}k of the online forecast sequence of the LSTM deep learning model and the variance {circumflex over (σ)}k of the dynamic traffic threshold interval generated by the SARIMA online detection algorithm, it can be learned that a variance {tilde over (σ)}k of the normal ICS communication network background traffic needs to be less than the variance {circumflex over (σ)}k of the dynamic traffic threshold interval generated by the SARIMA algorithm:
{tilde over (σ)}k≤{circumflex over (σ)}k
Therefore, when the following inequation holds, it can be inferred that the ICS communication network is faulty or abnormal.
In this case, the abnormal ICS communication traffic is caused by the abnormal ICS network or communication data transmission failure.
is the BPF algorithm, XtTCP is a TCP traffic sequence split from an original traffic sequence Xt, and similarly, XtUDP is a UDP traffic sequence split from the original traffic sequence Xt.
[Xt]type represents total traffic of a specified type of packet (TCP, UDP, ARP, or the like) in the ICS communication network traffic sequence Xt. Calculate a distribution deviation τtype(i
where type=TCP, UDP, ARP . . . .
A baseline of the distribution deviation can be calculated by the BPF from a training sequence X′N
When τtype(i
τtype(i
εtypepd is an allowable distribution error of a specified type of packet.
In this case, Atttype=type (type=UDP,TCP,ARP, etc) indicates that the abnormal ICS communication traffic is caused by malicious intrusion into the ICS communication network. An attack type is type (UDP Flooding, TCP Flooding, ARP Spoofing, or the like).
The detected ICS communication network anomaly events can be classified into three types: malicious action on the ICS communication network, ICS network anomaly or communication data transmission failure, and malicious intrusion attack on the ICS communication network.
Based on the previous offline analysis of the communication network traffic actually collected from the ICS test network range in Zhejiang University, as well as the characteristics of the ICS communication network traffic, an actual test platform is built, and an industrial switch, a monitoring host, and a test host are deployed in the test environment, and online testing and analysis are performed on an ICS attack injection platform and a network security platform. As shown in
The distributed short-cycle SARIMA model is used to analyze the ICS communication network traffic, and generate a threshold interval in real time, with an ICS traffic sampling frequency of 1 ms.
Based on the collected ICS communication network background traffic data, appropriate LSTM training parameters are selected to train an LSTM deep learning-based ICS network background traffic model in offline mode. The following table lists LSTM training parameters.
As shown in
ModelLSTM←fLSTM(X′200,20,Para□)
Para□ represents the LSTM training parameters in Table 1.
Test and validation are performed on the stored LSTM offline model. A new round of collection is performed to collect ICS communication network background traffic as new input of the model. Actual data is output for validation. Every 200 sequences collected are used as training sequences, and 20 sequences are used as forecast sequences (totally 220 sequences in one cycle), MAPE and RMSE values of the forecast sequences are calculated, and ICS communication network background traffic collected in a new round is used. The analysis is repeated for 10 cycles. The values of MAPE, RMSE, and Time are shown in Table 2.
In the table, 1-220 indicates that the first 1 to 200 data samples are a training set and the next 201 to 220 data samples are a test set. It can be seen that in each analyzed sequence set, the MAPE value is less than 0.15, and the RMSE value is less than 100. Samples 441 to 660, 881 to 1000, and 1001 to 1220 have similar MAPE and RMSE values, reflecting the periodicity and self-similarity of ICS network background traffic data.
A distributed SARIMA(p, d, q)×(P, D, Q)s model is built for the real-time collected ICS communication network traffic. The number of short-cycle training items is defined as Ttrai=300 and Tfore=30, and econometric analysis is performed on the SARIMA(p, d, q)×(P, D, Q)s model in a single short cycle. Taking the first short-cycle iteration (that is, i=1) of the SARIMA(p, d, q)×(P, D, Q)s model as an example, the following shows how to calculate an ICS network traffic threshold interval for the first short cycle. Assuming that original sequences are not aggregated, modeling is performed based on ICS traffic data collected online in a single short cycle, to obtain a model SARIMA(2, 1, 3)×(2, 0, 0)10. A fitting parameter of the model is
R−Square=0.89. Therefore, it can be obtained that SARIMA(2, 1, 3)×(2, 0, 0)10 can well interpret ICS communication traffic in the short cycle Ttrai=300, and its threshold interval represents the situation of ICS communication traffic in Tfore=30. An upper bound time series of the threshold interval is:
A timestamp corresponding to the time series is: {13:52:19, 13:52:20, 13:52:21, . . . , 13:52:50, 13:52:51}. This timestamp indicates that the ICS communication traffic is consistent with that in an actual site, and physical information spatially corresponds to each other.
Therefore, after the SARIMA(2,1,3)×(2,0,0)10 model is built for the ICS communication traffic in the short cycle Ttrai=300, ICS communication traffic in the validation cycle Tfore=30 is normal ICS communication traffic without any anomaly. A sequence tnanom of ICS anomaly occurrence time is an empty set, and a sequence Inanom of short-cycle iteration counts upon anomaly events is an empty set. In this case, the variance {circumflex over (σ)}k is 0. An abnormal degree sequence is λT
After modeling characteristics of the SARIMA model are validated, real-time anomaly detection is performed on a next ICS traffic sequence with a different sampling frequency. The specified ICS traffic sampling frequency γsamp is 60(s). The aggregation scale is changed to 1 s. The start time of running the model is 04:14:26, the online traffic monitoring model is kept running, and model parameters in the current short cycle are acquired. With respect to the current time, SARIMA(5, 0, 3)×(0, 0, 1)1 is the optimal model.
Table 3 shows econometrics parameters of the SARIMA(5, 0, 3)×(0, 0, 1)1 model.
Table 4 shows fitting parameters of the SARIMA(5,0,3)×(0,0,1)1 model.
The following tests how an algorithm classifies ICS network anomaly events. First, the test host is connected to the industrial switch and initiates TCP-flooding attacks on the monitoring host. Abnormal traffic increases abruptly per unit time, and traffic returns to normal after the attacks. The TCP-flooding attack was injected at 14:36:50, and the traffic increased abruptly. Then injection of abnormal traffic stopped at 14:38:00.
In this case, an upper bound time series of the threshold interval is:
A lower bound time series of the threshold interval is:
A timestamp corresponding to the time series is:
{14:36:20, 14:37:20, 14:38:20, . . . , 14:54:20, 14:55:20}
Through the above model, a normal flow threshold at an actual moment can be approximately obtained in a short time interval. For example, at 14:36:20, when a confidence interval is 95%, a normal traffic interval is [350.3, 1650.3]; and when the confidence interval is 90%, the normal traffic interval is [398.3, 1621.6]. Based on this, an ICS communication traffic threshold model at a specific moment under normal circumstances can be obtained.
Because l1(i)≤x1(i)≤u1(i), l2(i)≤x2(i)≤u2(i), and l3(i)≤x3(i)≤u3(i) at 14:36:20, 14:37:20, 14:38:20, the ICS communication network traffic exceeds the normal traffic threshold interval generated by the SARIMA model, so the system determines that an ICS network anomaly event occurs.
The actual occurrence time of the anomaly events is:
T3anom={14:36:20, 14:37:20, 14:38:20}
where n is 3, which means three anomalies.
tdebug=4, γanom=60, and S3anom={s1anom, s1anom, s1anom} can be obtained:
S3anom={(37314−4)/60, (37374−4)/60, (37434−4)/60}
From the following formula:
and i1anomi2anom=i3anom, I3anom={17,17,17} can be obtained. Therefore, the number of short-cycle iterations upon ICS anomaly events is 17.
Through calculation and analysis, XT
A variance {circumflex over (σ)}k of the dynamic ICS traffic threshold interval generated by the SARIMA online detection algorithm can be obtained according to the following formula:
k=1,2,3 (where {circumflex over (σ)}l) can measure an overall deviation of a threshold of the ikanom-th short-cycle iteration, which is helpful for analyzing an abnormal degree of the ICS network. According to the above variance analysis, a normal fluctuation range of the normal traffic is 0˜1475.079.
The possibility of ICS anomaly events coming from planned ICS maintenance or valid actions is evaluated.
According to the action audit time table Tnwhit, {t1anom, t2anom, t3anom}∉Tnwhit. Based on a delay coefficient defined for ICS communication, ε=0.001, thus:
|tkanom−tkwhit)/(60·200)>0.001 (k=1, 2, 3)
Therefore, the three ICS anomaly events come from malicious actions instead of planned ICS maintenance or valid actions.
The possibility of ICS anomaly events coming from significant changes in the background traffic of the ICS communication network caused by its own anomaly or failure is evaluated.
Because the three anomalies all occurred in the 17-th iteration of the same short-cycle SARIMA model, X200(i
{tilde over (X)}′20,3=ModelLSTM(X200(i
The LSTM forecasting variance {tilde over (σ)}k is calculated, and a mean value of the sequence forecast by the LSTM, and a mean value of the upper and lower threshold interval sequence forecast by the SARIMA online forecasting algorithm are calculated:
Therefore, the anomaly events are not caused by significant changes in the background traffic of the ICS communication network due to abnormality or failure of the network itself; the background traffic of the ICS communication network maintains the original pattern, and the underlying protocol and heartbeat messages are not affected.
The possibility of ICS anomalies coming from cyber attacks is evaluated.
A deviation τtype(17) after BPF is calculated. The most typical message type, that is, type=UDP, TCP, ARP, is selected for analysis and calculation.
A packet distribution benchmark Disttype under the large-volume offline LSTM training set is calculated, where type=UDP, TCP, ARP.
According to actual experience, the communication network of the ICS test bench has less redundant data, so εTCPpd=εARPpd=εUDPpd=1 is set. Thus:
τTCP(17)>>εTCPpd·DistTCP2
τARP(17)<εARPpd·DistARP2
τUDP(17)<εUDPpd·DistUDP2
The most likely type of anomaly is an attack against TCP packets, that is, a TCP-Flooding attack. Therefore, Atttype=TCP. Therefore, the ICS anomaly event comes from a TCP-Flooding attack.
To stun up, in the period of 14:36:20 to 14:39:20, there were anomaly events in the ICS communication network, and the anomaly events were caused by malicious or unauthorized operations. Calculation and analysis showed that an attacker initiated malicious intrusion through TCP-Flooding attacks.
Number | Date | Country | Kind |
---|---|---|---|
202010967322.9 | Sep 2020 | CN | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2021/089288 | 4/23/2021 | WO |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2022/057260 | 3/24/2022 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
20170017735 | Srinivasan et al. | Jan 2017 | A1 |
20180024511 | Wang | Jan 2018 | A1 |
20180157933 | Brauer | Jun 2018 | A1 |
20180219895 | Silver | Aug 2018 | A1 |
20190093187 | Lee | Mar 2019 | A1 |
20190280942 | Côté | Sep 2019 | A1 |
20190303726 | Côté | Oct 2019 | A1 |
20200076840 | Peinador | Mar 2020 | A1 |
20200210393 | Beaver | Jul 2020 | A1 |
20210065031 | Parikh | Mar 2021 | A1 |
20220004897 | Jadon | Jan 2022 | A1 |
Number | Date | Country |
---|---|---|
103684910 | Mar 2014 | CN |
107517205 | Dec 2017 | CN |
110730099 | Jan 2020 | CN |
111431937 | Jul 2020 | CN |
112202736 | Jan 2021 | CN |
3528463 | Aug 2019 | EP |
Entry |
---|
Kao et al. ‘Anomaly Detection for Univariate Time Series with Statistics and Deep Learning’, 2019 IEEE Eurasia Conference on IOT, Communication and Engineering (ECICE), pp. 404-407. IEEE, published 2019. |
Nediyanchath et al. ‘Anomaly Detection in Mobile Networks’ 2020 IEEE Wireless Communications and Networking Conference Workshops (WCNCW) Apr. 6, 2020 (pp. 1-5) IEEE. |
Holm et al. ‘Cloud-Based Business Intelligence for a Cellular IoT Network’ 2019 IEEE Africon, pp. 1-8. IEEE, published 2019. |
Kromkowski et al. ‘Evaluating Statistical Models for Network Traffic Anomaly Detection’ 2019 systems and information engineering design symposium (SIEDS), pp. 1-6. IEEE, published 2019. |
International Search Report, PCT/CN2021/089288, dated Jul. 21, 2021, 4 Pages. |
Number | Date | Country | |
---|---|---|---|
20220269258 A1 | Aug 2022 | US |