CN101360014B - Method implementing network exception location by multi-point dislocation combined detection - Google Patents


Info

Publication number
CN101360014B
Authority
CN
China
Prior art keywords
link
subsystem
network
data
data processor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008100461178A
Other languages
Chinese (zh)
Other versions
CN101360014A (en)
Inventor
许都
黄鹏滔
虞红芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China
Priority to CN2008100461178A
Publication of CN101360014A
Application granted
Publication of CN101360014B
Current legal status: Expired - Fee Related
Anticipated expiration

Abstract

The invention, in the field of Internet security technology, relates to a method of locating anomalies in a network by multi-point dislocation combined detection. The method comprises setting up a detection system, then detecting and pinning down the abnormal part. Specifically, a simulated normal link is introduced into an ordinary distributed anomaly detection system; the same number (n) of data collectors and data processors is used; each data processor is connected in turn to a different combination of n-1 data collectors to form one subsystem, so that n subsystems are formed. The whole detection system thus performs a many-to-many multi-point dislocation combined detection, and the abnormal points in the network can be judged promptly and correctly, giving a reliable basis for timely fault handling and safe network operation. The method has the advantages that the sampled data need not be updated continuously, the amount of computation is small, anomalies in the network can be detected and located effectively, in real time and accurately, and the efficiency of clearing network faults is greatly improved; it overcomes the shortcoming of the prior art, which cannot judge the abnormal link in real time and accurately, so that network faults cannot be cleared promptly and effectively, affecting the security and normal operation of the network.

Description

A method of using multi-point dislocation combined detection to locate network anomalies
Technical field
The invention belongs to Internet security technology, and in particular is a method of using multi-point dislocation combined detection to locate network anomalies, so that the abnormal point of a network can be judged in real time and the fault cleared promptly and effectively.
Background technology
According to recent statistics from the China Internet Network Information Center, since China was first permitted to join the Internet in 1994 the number of Chinese Internet users has reached 137 million, and the number of computers online is close to 60 million. The great majority of these are ordinary users with no professional knowledge of computer network security. On the other hand, the report of the CNCERT/CC 2008 annual meeting on Chinese computer network security emergency response points out that, compared with 2006, the growth rate of security incidents in 2007 was over 100%-200%. Among these, botnets have become one of the most basic means of network attack: sampling detection found that in 2007 botnets were used to launch distributed denial of service (DDoS) attacks more than 10,000 times, and at the same time to send spam, steal information and so on. The number of network security attack incidents of every kind is multiplying, and the situation of the Internet is very grave.
A denial of service (DoS) attack means that an attacker sends a large volume of bogus data or requests that consume the resources of the attack target, so that legitimate requests cannot be served. A distributed denial of service (DDoS) attack is a DoS attack that the attacker carries out in a distributed pattern using a botnet. Because of the distributed nature of DDoS, methods such as end-host detection and single-link detection cannot detect it effectively, so distributed multi-point detection is very important.
By detection pattern, DDoS detection can be roughly divided into two classes. The first is pattern (signature) detection: the features of the current network data are compared with previously collected features of DDoS attacks, and a match is taken to mean that an attack has been launched. The shortcomings of this class are that the detection result depends closely on the extraction of DDoS attack features, so newly emerging types of DDoS cannot be detected effectively, and extracting attack features is itself difficult. The second class is anomaly detection, which finds attacks by discovering anomalies in the network; at present most detection systems belong to this class. Take the statistical detection system commonly used in this class as an example (Fig. 1 shows its structure): several data collectors gather data from several links and feed it together into one data processor for processing. If any one of the monitored links becomes abnormal, the data processor raises an alarm. Since several data collectors feed data in at the same time, the detection system cannot judge in real time and accurately from which link the anomaly comes, so the network anomaly cannot be handled promptly and effectively, which affects the security and normal operation of the network.
According to "Research on the attack source location problem" by Xia Chunhe et al., existing attack location methods mainly comprise the ICMP location message method, the sample marking method, the router log method and the path recording method. These methods have the following shortcomings: they generally trace back starting from the attacked object, so the trace-back cost is high and the response comes after the fact; and they are independent of the detection system, so security resources are not fully used and compatibility is poor.
Summary of the invention
The object of the invention is to research and design a method of using multi-point dislocation combined detection to locate network anomalies: using a distributed anomaly detection system, carry out multi-point dislocation combined detection to locate the attack stream accurately, and finally achieve prompt and effective handling of faults that arise in network operation.
The solution of the invention is: on the basis of an ordinary distributed anomaly detection system, construct a many-to-many (several groups of data collectors combined correspondingly with several data processors) combined detection and location system whose subsystems are dislocated from one another in turn. A simulated normal link is introduced, and equal numbers of data collectors and data processors are used (suppose n of each); then n-1 data collectors in different combinations are connected in turn to a corresponding data processor to form one subsystem each, n subsystems in all, so that the whole detection system forms a many-to-many multi-point dislocation combined detection system that judges the point of attack promptly and accurately. The detection method of the invention is:
A. Set up the detection system: connect n-1 of the n data collectors to the 1st data processor to form the 1st subsystem; connect another combination of n-1 data collectors to the 2nd data processor to form the 2nd subsystem; and so on, forming n subsystems in all from different combinations of data collectors and data processors. All the subsystems together form a multi-point dislocation combined detection system;
B. Detection and location: while the system is running, when the data processor of some subsystem does not alarm while the data processors of all the other subsystems send alarm signals, the link not connected to that subsystem is the abnormal link; and when the data processors of all subsystems send alarm signals, then:
a. sort the alarm counts of all data processors by size (ascending or descending, either will do);
b. calculate the absolute value of the difference between adjacent alarm counts;
c. take the largest difference; the alarm counts of the two subsystems corresponding to this difference are set as the upper and lower limits respectively. For every subsystem whose alarm count is equal to or greater than the upper limit, the link not connected to that subsystem is a normal link; for every subsystem whose alarm count is equal to or less than the lower limit, the link not connected to that subsystem is an abnormal link.
Because the invention adopts the strategy of multi-point joint dislocation anomaly detection and introduces a simulated normal link, at least one of all the monitored links is a normal link, which guarantees that a detected anomaly can be located and the abnormal link pinned down. The invention therefore has the features that the sampled data need not be updated continuously, the amount of computation is small, network anomalies can be detected and located effectively, in real time and accurately, and the efficiency of clearing network faults is greatly improved; it overcomes the shortcoming of the background art, which cannot judge the abnormal link in real time and accurately, so that network faults cannot be cleared promptly and effectively, affecting network security and normal operation.
Description of drawings
Fig. 1 is a structural diagram of the background art;
Fig. 2 is a structural diagram of the location and detection method of the invention;
Figs. 3~7 are structural diagrams of the subsystems of the present embodiment;
In the figures: A1, A2, A3, A4, An-1, An, AC are data collectors; B, B1, B2, B3, B4, B5, Bn-1, Bn are data processors;
Embodiment
The present embodiment takes as its example a detection system made up of 5 data collectors and 5 data processors. The data collectors and data processors are those used by Ling Huang et al. in "Communication-Efficient Tracking of Distributed Cumulative Triggers". The experimental data used in the embodiment come from the real network traffic logs provided by the ACM Special Interest Group on Data Communication (ACM SIGCOMM) (The Internet Traffic Archive, http://www.acm.org/sigs/sigcomm/ITA). Of the links, 4 are operating links, connected to data collectors A1~A4 respectively, and the other, connected to data collector AC, is a simulated normal link. Among the operating links, 3 are chosen to have attack streams added. The connections between the groups of data collectors and the data processors in each subsystem at this point are shown in Figs. 3~7, where the number in brackets at each subsystem's data processor is the alarm count of that subsystem. The anomaly location process of the embodiment is as follows:
1. Sort the alarm counts in ascending order: 24 (B3), 33 (B1), 33 (B4), 59 (B2), 60 (B5);
2. Calculate the differences between consecutive values: B1-B3=9, B4-B1=0, B2-B4=26, B5-B2=1; the largest difference is (B2-B4)=26;
3. According to the largest difference, 26, the alarm count 33 of the corresponding B4 is the lower limit; the alarm counts of B1 and B3 are respectively equal to and less than this lower limit, so the links not connected to the subsystems corresponding to B3, B1 and B4 are abnormal (faulty) links. The alarm count 59 of B2 is the upper limit, so the links not connected to the subsystems corresponding to B2 and B5 are normal links (the link not connected to the subsystem of B5 being the simulated link).
From the detection result of the embodiment it can be judged quickly and accurately that the links not connected to the subsystems corresponding to B3, B1 and B4 are the abnormal (faulty) links, so that subsequent maintenance is given an accurate target position in time and network security and normal operation are ensured.
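The following Python script is an added example, not code from the patent or its inventors. It implements step A (each processor B_i joined to n-1 collectors, leaving out one link) and both rules of step B (the single-silent-subsystem rule and the sort / adjacent-difference / largest-gap rule of the summary, the embodiment and claim 1), and runs them on the alarm counts the embodiment reports (24, 33, 33, 59, 60). Two things are assumptions of this example: the mapping of B_i to the link its subsystem leaves out (B_i leaves out the i-th link; the patent states only that B5's subsystem leaves out the simulated link AC), and the threshold-sum detector in `simulate_alarms`, which stands in for the statistical detector of Huang et al. and uses constructed per-round traffic so the script runs offline.

```python
"""
Multi-point dislocation combined detection: subsystem construction and the
anomaly-location rules of step B, run on the embodiment's alarm counts.
Added example, not the patent's code; assumptions are marked in comments.
"""
from typing import Dict, List, Tuple

# Links monitored in the embodiment: four operating links A1..A4 and the
# simulated normal link AC (the patent's own names).
LINKS = ["A1", "A2", "A3", "A4", "AC"]


def build_subsystems(links: List[str]) -> Dict[str, str]:
    """Step A. With n links/collectors and n processors, subsystem i joins
    processor B_i to n-1 collectors, leaving out exactly one link.  The
    mapping B_i -> left-out link is an ASSUMPTION (B_i leaves out the i-th
    link); the patent only states that B5's subsystem leaves out AC."""
    return {f"B{i + 1}": link for i, link in enumerate(links)}


def gap_analysis(alarms: Dict[str, int]) -> Tuple[List[Tuple[str, int]], List[int], int, int]:
    """Steps a-c of the all-alarm case: sort the alarm counts ascending,
    take absolute differences of neighbours, and return (ordered counts,
    differences, lower limit, upper limit), the limits being the two counts
    that bound the largest difference (first such gap on a tie)."""
    ordered = sorted(alarms.items(), key=lambda kv: kv[1])
    diffs = [abs(ordered[i + 1][1] - ordered[i][1]) for i in range(len(ordered) - 1)]
    i_max = max(range(len(diffs)), key=lambda i: diffs[i])
    return ordered, diffs, ordered[i_max][1], ordered[i_max + 1][1]


def localize(alarms: Dict[str, int], left_out: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Step B. Returns (abnormal_links, normal_links), both sorted."""
    silent = [p for p, c in alarms.items() if c == 0]
    if len(silent) == len(alarms):
        return [], sorted(left_out.values())  # nothing alarmed: no anomaly
    if silent:
        # First rule of step B: a subsystem that never alarms while the others
        # do sees only normal links, so the one link it leaves out is the
        # abnormal one.  Two silent subsystems would jointly cover every link,
        # which contradicts the alarms raised elsewhere.
        if len(silent) > 1:
            raise ValueError(f"inconsistent alarms: {len(silent)} silent subsystems")
        bad = left_out[silent[0]]
        return [bad], sorted(l for l in left_out.values() if l != bad)
    # Second rule: every subsystem alarms.  A subsystem that leaves out an
    # abnormal link still sees the other abnormal links and alarms, but less
    # often; one that leaves out a normal link sees all of them and alarms
    # most.  The largest gap in the sorted counts separates the two groups.
    _, _, lower, upper = gap_analysis(alarms)
    abnormal = sorted(left_out[p] for p, c in alarms.items() if c <= lower)
    normal = sorted(left_out[p] for p, c in alarms.items() if c >= upper)
    return abnormal, normal


def simulate_alarms(traffic: Dict[str, List[int]], left_out: Dict[str, str], threshold: int) -> Dict[str, int]:
    """ASSUMED stand-in for the statistical detector: in each sampling round
    B_i sums the traffic of its n-1 included links and alarms when the sum
    exceeds `threshold`.  It only reproduces the alarm-count behaviour the
    location rules rely on; it is not the detector of Huang et al."""
    rounds = len(next(iter(traffic.values())))
    counts = {}
    for proc, skipped in left_out.items():
        included = [link for link in traffic if link != skipped]
        counts[proc] = sum(
            1 for r in range(rounds) if sum(traffic[link][r] for link in included) > threshold
        )
    return counts


# Alarm counts reported in the embodiment (Figs. 3-7 of the patent).
EMBODIMENT_ALARMS = {"B1": 33, "B2": 59, "B3": 24, "B4": 33, "B5": 60}

# Constructed per-round traffic: A1, A3 and A4 carry attack bursts, A2 and AC
# stay at background level (values are made up for this example).
CONSTRUCTED_TRAFFIC = {
    "A1": [20, 20, 0, 20, 0, 20],
    "A2": [5, 5, 5, 5, 5, 5],
    "A3": [0, 20, 20, 0, 20, 20],
    "A4": [20, 0, 20, 20, 20, 0],
    "AC": [5, 5, 5, 5, 5, 5],
}

if __name__ == "__main__":
    subsystems = build_subsystems(LINKS)
    ordered, diffs, lower, upper = gap_analysis(EMBODIMENT_ALARMS)
    print("sorted:", ordered, "diffs:", diffs, "limits:", lower, upper)
    print("embodiment ->", localize(EMBODIMENT_ALARMS, subsystems))
    sim = simulate_alarms(CONSTRUCTED_TRAFFIC, subsystems, threshold=30)
    print("simulated counts:", sim, "->", localize(sim, subsystems))
```

On the embodiment's counts `gap_analysis` yields differences 9, 0, 26, 1 and limits 33/59, so the links left out by B3, B1 and B4 are reported abnormal and those left out by B2 and B5 normal, matching the patent's result. The simulated run shows why the gap appears: any subsystem that leaves out one of the three attacked links still sees the other two and alarms, but only in the rounds where those two coincide, while a subsystem that leaves out a clean link alarms every round. With only one attacked link, the subsystem that leaves it out stays silent, and `localize` falls back to the first rule of step B.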

Claims (1)

1. A method of using multi-point dislocation combined detection to locate network anomalies, the method comprising:
A. Setting up the detection system: connect n-1 of the n data collectors to the 1st data processor to form the 1st subsystem; connect another combination of n-1 data collectors to the 2nd data processor to form the 2nd subsystem; and so on, forming n subsystems in all from different combinations of data collectors and data processors; all the subsystems together form a multi-point dislocation combined detection system; wherein each data collector is connected to one link, and one of the data collectors is connected to a simulated normal link;
B. Detection and location: while the system is running, when the data processor of some subsystem does not alarm while the data processors of all the other subsystems send alarm signals, the link not connected to that subsystem is the abnormal link; and when the data processors of all subsystems send alarm signals, then:
a. sort the alarm counts of all data processors by size;
b. calculate the absolute value of the difference between adjacent alarm counts;
c. set the alarm counts of the two subsystems corresponding to the largest of the absolute differences computed above as the upper and lower limits respectively; a link not connected to a subsystem whose alarm count is equal to or greater than the upper limit is a normal link; a link not connected to a subsystem whose alarm count is equal to or less than the lower limit is an abnormal link.
CN2008100461178A 2008-09-22 2008-09-22 Method implementing network exception location by multi-point dislocation combined detection Expired - Fee Related CN101360014B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008100461178A CN101360014B (en) 2008-09-22 2008-09-22 Method implementing network exception location by multi-point dislocation combined detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008100461178A CN101360014B (en) 2008-09-22 2008-09-22 Method implementing network exception location by multi-point dislocation combined detection

Publications (2)

Publication Number Publication Date
CN101360014A CN101360014A (en) 2009-02-04
CN101360014B true CN101360014B (en) 2010-09-15

Family

ID=40332360

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008100461178A Expired - Fee Related CN101360014B (en) 2008-09-22 2008-09-22 Method implementing network exception location by multi-point dislocation combined detection

Country Status (1)

Country Link
CN (1) CN101360014B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841442B (en) * 2010-02-08 2011-11-16 电子科技大学 Method for detecting network anomaly in name-address separated network
CN101888657B (en) * 2010-07-16 2012-10-03 北京市万网元通信技术有限公司 Mobile data core network fault positioning method based on multipoint access multipath analysis

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1520070A (en) * 1999-04-30 2004-08-11 汤姆森特许公司 State monitoring and data processing system available for two-way communicating appts.
CN1866860A (en) * 2005-10-19 2006-11-22 华为技术有限公司 Method and system for positioning DoS attack source
CN101192998A (en) * 2006-11-21 2008-06-04 中兴通讯股份有限公司 Data line detection method based on network processor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Xia Chunhe, Wang Haiquan, Wu Zhen, Wang Jiwei. Research on the attack source location problem. Journal of Computer Research and Development, 2003, vol. 40, no. 7, pp. 1021-1027. *

Also Published As

Publication number Publication date
CN101360014A (en) 2009-02-04

Similar Documents

Publication Publication Date Title
CN108616534B (en) Method and system for preventing DDoS (distributed denial of service) attack of Internet of things equipment based on block chain
CN110336827A (en) A kind of Modbus Transmission Control Protocol fuzz testing method based on exception field positioning
US7903566B2 (en) Methods and systems for anomaly detection using internet protocol (IP) traffic conversation data
CN111556083B (en) Network attack physical side and information side collaborative source tracing device of power grid information physical system
CN106371986A (en) Log treatment operation and maintenance monitoring system
US8762515B2 (en) Methods and systems for collection, tracking, and display of near real time multicast data
US20100050262A1 (en) Methods and systems for automated detection and tracking of network attacks
CN105049291A (en) Method for detecting network traffic anomaly
CN104252401B (en) Weight based device status judgment method and system thereof
CN106104556A (en) Log analysis system
CN106254125A (en) The method and system of security incident correlation analysiss based on big data
CN108712433A (en) A kind of network security detection method and system
CN109150869A (en) A kind of exchanger information acquisition analysis system and method
CN106789351A (en) A kind of online intrusion prevention method and system based on SDN
CN111800419B (en) DDoS attack detection system and method in SDN environment
CN114244564A (en) Attack defense method, device, equipment and readable storage medium
CN101360014B (en) Method implementing network exception location by multi-point dislocation combined detection
CN116257021A (en) Intelligent network security situation monitoring and early warning platform for industrial control system
CN104092588A (en) Network anomaly traffic flow detection method based on combination of SNMP and NetFlow
CN117312098B (en) Log abnormity alarm method and device
CN107682166A (en) The implementation method of safe O&M service platform remote data acquisition based on big data
CN109634808B (en) Chain monitoring event root cause analysis method based on correlation analysis
CN111865667A (en) Network connectivity fault root cause positioning method and device
CN114124538B (en) Intrusion detection method and system for GOOSE and SV messages of intelligent substation
CN110636077A (en) Network security protection system and method based on unified platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100915

Termination date: 20120922