CN107454073A - A kind of Network Traffic Analysis method and system - Google Patents
A kind of Network Traffic Analysis method and system Download PDFInfo
- Publication number
- CN107454073A CN107454073A CN201710637414.9A CN201710637414A CN107454073A CN 107454073 A CN107454073 A CN 107454073A CN 201710637414 A CN201710637414 A CN 201710637414A CN 107454073 A CN107454073 A CN 107454073A
- Authority
- CN
- China
- Prior art keywords
- network
- wavelet packet
- wavelet
- analysis
- principal component
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a kind of Network Traffic Analysis method, including:In network topology structure, the data on flows of capture source node to destination node;Wavelet package transforms are carried out to data on flows, obtain wavelet packet coefficient;Principal component analysis is carried out to wavelet packet coefficient and draws network flow characteristic.Utilize the hiding feature of wavelet package transforms extraction network traffics, then, after wavelet package transforms are carried out to network traffics, the time and frequency domain characteristics of network traffics are further portrayed using principal component analytical method, improve the precision to Network Traffic Analysis in communication network.The invention also discloses a kind of Network Traffic Analysis system.
Description
Technical field
The present invention relates to technical field of communication network, more specifically to a kind of Network Traffic Analysis method and
System.
Background technology
With the progress of the new network technology such as Internet of Things, software defined network, network centered on information, new is logical
Letter type and characteristic are already present in current communication network.More specifically, for some brand-new applications, such as online
Pay, mobile network etc., new application causes new business model and feature.The network performance that legacy network is supported, is not examined
Consider these new features, such as due to scheduling, path delay caused by the reason such as packet loss and network failure.In addition, Traffic Anomaly
Experience and network to user have a major impact, such as new attack, new abnormal patterns, unknown hiding flow property.Therefore,
It is extremely important for operator and user how network flow characteristic is captured.Up to the present, the signature analysis of network traffics
Academic and industry hot issue is turned into.
The signature analysis of network traffics and extraction are widely studied, and generalized entropy measurement and information distance measurement can be used
In detecting low rate distributed denial of service attack behavior by measuring the difference between legitimate traffic and attack traffic.It is empty
M- temporal correlation is used to finding and detecting the exception in network, and detection method is used between polymerization traffic statistics and distributed space
Network Abnormal is identified, signature analysis is used to diagnose Abnormal network traffic.In addition, by analyzing network flow characteristic, can build
Model detects network event.TCP (Transmission Control in the router with compared with minibuffer area
Protocol, transmission control protocol) Traffic Anomaly problem has also been studied.Wavelet transformation is used to describe the more of network traffics
Scale feature, time frequency analysis are used to extract network traffics property.In addition, from the perspective of network, Abnormal network traffic is also
It can be become by signal and bring detection, these methods can all capture the feature of network traffics.However, they have it is larger
Error, therefore, how to reduce the error raising analysis precision of Network Traffic Analysis is a urgent problem to be solved.
The content of the invention
In view of this, it is an object of the invention to provide a kind of Network Traffic Analysis method, it is possible to increase feature point
The precision of analysis reduces error.
To achieve the above object, the present invention provides following technical scheme:
A kind of Network Traffic Analysis method, including:
In network topology structure, the data on flows of capture source node to destination node;
Wavelet package transforms are carried out to the data on flows, obtain wavelet packet coefficient;
Principal component analysis is carried out to the wavelet packet coefficient and draws network flow characteristic.
Preferably, described to carry out wavelet package transforms to the data on flows, obtaining wavelet packet coefficient includes:
The wavelet packet coefficient is divided into high and low frequency two parts;
The reciprocal relation of high-frequency signal and low frequency signal and time-domain signal is drawn based on wavelet packet change inverse transformation.
Preferably, it is described that network flow characteristic, which includes, to be drawn to wavelet packet coefficient progress principal component analysis:
Based on principal component analysis by signal with the product form table of eigenvectors matrix, energy spectrum matrix and feature stream matrix
Show;
The high-frequency signal is added with low frequency signal and draws network flow characteristic.
A kind of Network Traffic Analysis system, including:
Trapping module, in network topology structure, capturing source node to the data on flows of destination node;
Conversion module, for carrying out wavelet package transforms to the data on flows, obtain wavelet packet coefficient;
Analysis module, network flow characteristic is drawn for carrying out principal component analysis to the wavelet packet coefficient.
Preferably, the conversion module includes:
Discrimination unit, for the wavelet packet coefficient to be divided into high and low frequency two parts;
First generation unit, for showing that high-frequency signal and low frequency signal are believed with time domain based on wavelet packet change inverse transformation
Number reciprocal relation.
Preferably, the analysis module includes:
Represent unit, for based on principal component analysis by signal with eigenvectors matrix, can spectrum matrix and feature stream matrix
Product form represent;
Second generation unit, network flow characteristic is drawn for the high-frequency signal to be added with low frequency signal.
As shown from the above technical solution, a kind of Network Traffic Analysis method is present embodiments provided, when needs are to net
When network traffic characteristic is analyzed, first in network topology structure, the data on flows of capture source node to destination node, so
Wavelet package transforms are carried out to data on flows afterwards, obtain wavelet packet coefficient, finally carrying out principal component analysis to wavelet packet coefficient draws
Network flow characteristic, the hiding feature of network traffics is extracted using wavelet package transforms, then, small echo is being carried out to network traffics
After packet transform, the time and frequency domain characteristics of network traffics are further improved using principal component analytical method, are improved in communication network
The precision of Network Traffic Analysis.
Brief description of the drawings
In order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below will to embodiment or
The required accompanying drawing used is briefly described in description of the prior art, it should be apparent that, drawings in the following description are only
Some embodiments of the present invention, for those of ordinary skill in the art, on the premise of not paying creative work, also
Other accompanying drawings can be obtained according to these accompanying drawings.
Fig. 1 is a kind of method flow diagram of Network Traffic Analysis embodiment of the method 1 disclosed by the invention;
Fig. 2 is a kind of method flow diagram of Network Traffic Analysis embodiment of the method 2 disclosed by the invention;
Fig. 3 is that one embodiment of the present invention has Abnormal network traffic and do not have Abnormal network traffic schematic diagram, its
In, (a) represents proper network flow, and (b) represents Abnormal network traffic;
Fig. 4 is eight kinds of different scale wavelet package transforms lower network flow schematic diagrames of one embodiment of the present invention, wherein,
(a) it is 4 to represent wavelet package transforms yardstick, and (b) represents that wavelet packet yardstick is 8, and (c) represents that wavelet packet yardstick is 12, and (d) is represented
Wavelet packet yardstick is 16, and (e) represents that wavelet packet yardstick is 20, and (f) represents that wavelet packet yardstick is 24, and (g) represents wavelet packet yardstick
For 28, (h) represents that wavelet packet yardstick is 32;
Fig. 5 is network flow characteristic schematic diagram of the one embodiment of the present invention based on principal component analysis, wherein, (a) table
Show the non-principal composition of network traffics, (b) represents the main component of network traffics;
Fig. 6 is testing result schematic diagram of the one embodiment of the present invention to Abnormal network traffic, wherein, (a) represents master
Composition analysis result, (b) represent to inject abnormal flow at different moments;
Fig. 7 is a kind of structural representation of Network Traffic Analysis system embodiment 1 disclosed by the invention;
Fig. 8 is a kind of structural representation of Network Traffic Analysis system embodiment 2 disclosed by the invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, complete
Site preparation describes, it is clear that described embodiment is only part of the embodiment of the present invention, rather than whole embodiments.It is based on
Embodiment in the present invention, those of ordinary skill in the art obtained under the premise of creative work is not made it is all its
Its embodiment, belongs to the scope of protection of the invention.
In order to more specifically emphasize the independence implemented, this specification is related to number of modules or unit.For example,
Module or unit can realize by hardware circuit, and the hardware circuit includes special VLSI circuits OR gate array, such as logic chip,
Transistor, or other components.Module or unit can also realize in programmable computer hardware, such as field effect programmable gate array,
Programmable logic array, programmable logic device etc..
Module or unit can also be realized in by the software performed by various forms of processors.Such as one can hold
Row code module may include one or more entities or logic computer instruction block, and the block is formed into, such as
Say, object, program or function.However, the executable part of identification module or unit need not physically be put together, but
It can be made up of the different instruction for being stored in diverse location, when combining in logic, form module or unit and reach this
Purpose required by module or unit.
In fact, executable code module or unit can be a single instruction or multiple instruction, it might even be possible to which distribution is in place
In several different code sections of different programs, and across several storage devices.Similarly, operation data can be identified
And be shown in this module or unit, and can implement in any suitable form and in any suitable data structure shape
Formula inner tissue.Operation data can assemble single data set, or can be distributed in the different positions with different storage devices
Put, and be only present in a system or network in a manner of electronic signal at least in part.
" embodiment " or similar term mentioned by this specification represent characteristic, structure or the feature relevant with embodiment,
It is included at least embodiment of the present invention.Therefore, this specification occurs term " in one embodiment ", " implementing
In example " and similar to term possibility but it is not necessarily all the identical embodiment of sensing.
Furthermore characteristic of the present invention, structure or feature can be incorporated in one or more embodiments in any way
In.Explanation will provide many specific details, such as programming, software module, user's selection, network trading, database below
The examples such as inquiry, database structure, hardware module, hardware circuit, hardware chip, to provide the understanding to the embodiment of the present invention.
But those of ordinary skill in the related art will be seen that the present invention, though wherein one or more specific details are not utilized, or
It can also be implemented using other methods, component, material etc..On the other hand, be the present invention that avoids confusion, known structure, material or
Operation does not have a detailed description.
As shown in figure 1, be a kind of flow chart of Network Traffic Analysis embodiment of the method 1 disclosed by the invention, we
Method comprises the following steps:
S101, in network topology structure, capture source node to destination node data on flows;
When the feature of network traffics in needing to communication network is analyzed, obtained first in network topology structure
One group from source node i to destination node j data on flows as appetite signals to be analyzed, be expressed as xij={ xij(1),xij
(2),...}。
S102, wavelet package transforms are carried out to data on flows, obtain wavelet packet coefficient;
Then wavelet package transforms are carried out to the data on flows got, analysis extracts the hiding feature of network traffics.
S103, network flow characteristic is shown to wavelet packet coefficient progress principal component analysis.
Then Theory of Principal Components Analysis is utilized to parcel coefficient, analysis and improvement time-frequency domain network flow characteristic, draws network
Traffic characteristic.
In summary, in the above-described embodiments, when needing to analyze network flow characteristic, opened up first in network
Flutter in structure, the data on flows of capture source node to destination node, wavelet package transforms then are carried out to data on flows, obtain small
Ripple bag coefficient, principal component analysis finally is carried out to wavelet packet coefficient and draws network flow characteristic, net is extracted using wavelet package transforms
The hiding feature of network flow, it is then, further using principal component analytical method after wavelet package transforms are carried out to network traffics
The time and frequency domain characteristics of network traffics are improved, improve the precision to Network Traffic Analysis in communication network.
As shown in Fig. 2 for for a kind of flow chart of Network Traffic Analysis embodiment of the method 2 disclosed by the invention, this
Method comprises the following steps:
S201, in network topology structure, capture source node to destination node data on flows;
When the feature of network traffics in needing to communication network is analyzed, obtained first in network topology structure
One group from source node i to destination node j data on flows as appetite signals to be analyzed, be expressed as xij={ xij(1),xij
(2),...}。
S202, wavelet packet coefficient is divided into high and low frequency two parts;
S203, change the reciprocal relation that inverse transformation draws high-frequency signal and low frequency signal and time-domain signal based on wavelet packet;
Utilize the hiding feature of wavelet packet analysis extraction network traffics.First, to network traffics xij={ xij(1),xij
(2) wavelet package transforms ... } are carried out, carry out WAVELET PACKET DECOMPOSITION, specific formula is:
HereMeet
Expression represents the subspace of metric space and wavelet space.Calculated according to WAVELET PACKET DECOMPOSITION
The decomposition method of method, utilize formula (1)Go to obtainWith
According to method of wavelet packet, the wavelet packet of reconstruct can be expressed as equation:
According to formula (3a), utilizeWithGo to calculateThus the primitive network stream reconstructed
Measure xij(t), formula is:
Drawn from formula (1), network traffics signal xij(t) metric space and wavelet space of Analysis On Multi-scale Features is presented, this
It is included in wavelet packet coefficientIn, different time-frequency characteristics is shown, in this case, by time-frequency network traffics
Different frequency bands is divided into, to obtain corresponding traffic characteristic.Fig. 4 shows the wavelet package transforms of 8 kinds of different scales.Very
It is clear that for different change of scales, different T/F features is presented in network traffics.This shows our method
The function of the network traffics of wavelet packet analysis extraction different scales can be used.Fig. 4 (a) shows the height that wavelet packet yardstick is 4
Frequency characteristic.For wavelet packet yardstick is in Fig. 48,12 and 16 when, as shown in Fig. 4 (b)-(d), we can effectively catch
Obtain the intermediate frequency characteristics of network traffics.However, for other wavelet packet yardsticks in figure, as shown in Fig. 4 (e)-(h), can accurately carry
Take the characteristics of low-frequency of network traffics.Accordingly, it is shown that our method can effectively capture the net in time-frequency domain
The feature of network flow.
For wavelet packet coefficientLow-frequency component and radio-frequency component can be expressed as:
In order to obtain the time-domain signal of corresponding equation (4), changed by the bag of formula (3a), formula (4) can represent
For:
By formula (3), the time-domain signal corresponding to formula (5) can be derived, is expressed as:
xij,lowAnd xij,highNetwork traffics x is represented respectivelyijThe low-frequency component and radio-frequency component of time-domain signal.
S204, based on principal component analysis by signal with eigenvectors matrix, can spectrum matrix and feature stream matrix product shape
Formula represents;
S205, high-frequency signal is added with low frequency signal draws network flow characteristic.
Time-frequency domain network flow characteristic is improved using principal component analysis.Specific practice is:
According to Theory of Principal Components Analysis, principal component analysis is performed to formula (6a), obtains frequency temporal signal xij,low's
Main component and non-principal component, are expressed as:
Wherein,
Similarly, principal component analysis is carried out to high frequency time signal, principal component analysis is carried out to formula (6b), high frequency is believed
Number it is expressed as main component and non-principal component:
The characteristic model of network traffics is represented by above-mentioned formula (7)~(10), Ulow、Dlow、VlowFeature is represented respectively
Vector matrix, can spectrum matrix and feature stream matrix.
According to principal component analysis, k main principal components of extraction, the parameter on above-mentioned Model of network traffic is then obtained:
V′low D′low V′high D′high, pass through model extraction time signal xij,low, xij,highCorresponding principal component xij,low,p,
xij,high,p.Finally obtain xij,lowPrincipal component:xp=xij,low,p+xij,high,p。
It may be seen that the chief component of network traffics is correctly extracted from Fig. 5.Importantly, network
The great variety of flow chief component represents possible exception.This will help us to perform the effective detection of network traffics.
This also indicates that our method effectively can capture and characterize network traffics.Fig. 6 depicts our method to abnormality detection
As a result.In our simulation, abnormal flow is injected in four times, the duration is 50 unit time slots, respectively at the moment
300,500,800 and 1200.Fig. 4 shows that our method can detect exactly and is being injected into network traffics at different moments
Abnormal component.This further illustrates that our method can efficiently extract the off-note in network traffics, and perform
Accurate network traffics detection.
As shown in fig. 7, be a kind of structural representation of Network Traffic Analysis system embodiment 1 disclosed by the invention,
The system includes:
Trapping module 701, in network topology structure, capturing source node to the data on flows of destination node;
When the feature of network traffics in needing to communication network is analyzed, obtained first in network topology structure
One group from source node i to destination node j data on flows as appetite signals to be analyzed, be expressed as xij={ xij(1),xij
(2),...}。
Conversion module 702, for carrying out wavelet package transforms to data on flows, obtain wavelet packet coefficient;
Then wavelet package transforms are carried out to the data on flows got, analysis extracts the hiding feature of network traffics.
Analysis module 703, network flow characteristic is drawn for carrying out principal component analysis to wavelet packet coefficient.
Then Theory of Principal Components Analysis is utilized to parcel coefficient, analysis and improvement time-frequency domain network flow characteristic, draws network
Traffic characteristic.
In summary, in the above-described embodiments, when needing to analyze network flow characteristic, opened up first in network
Flutter in structure, the data on flows of capture source node to destination node, wavelet package transforms then are carried out to data on flows, obtain small
Ripple bag coefficient, principal component analysis finally is carried out to wavelet packet coefficient and draws network flow characteristic, net is extracted using wavelet package transforms
The hiding feature of network flow, it is then, further using principal component analytical method after wavelet package transforms are carried out to network traffics
The time and frequency domain characteristics of network traffics are improved, improve the precision to Network Traffic Analysis in communication network.
As shown in figure 8, for for a kind of structural representation of Network Traffic Analysis system embodiment 2 disclosed by the invention
Figure, the system include:
Trapping module 801, in network topology structure, capturing source node to the data on flows of destination node;
When the feature of network traffics in needing to communication network is analyzed, obtained first in network topology structure
One group from source node i to destination node j data on flows as appetite signals to be analyzed, be expressed as xij={ xij(1),xij
(2),...}。
Discrimination unit 802, for wavelet packet coefficient to be divided into high and low frequency two parts;
First generation unit 803, for drawing high-frequency signal and low frequency signal and time domain based on wavelet packet change inverse transformation
The reciprocal relation of signal;
Utilize the hiding feature of wavelet packet analysis extraction network traffics.First, to network traffics xij={ xij(1),xij
(2) wavelet package transforms ... } are carried out, carry out WAVELET PACKET DECOMPOSITION, specific formula is:
HereMeet
Expression represents the subspace of metric space and wavelet space.Calculated according to WAVELET PACKET DECOMPOSITION
The decomposition method of method, utilize formula (1)Go to obtainWith
According to method of wavelet packet, the wavelet packet of reconstruct can be expressed as equation:
According to formula (3a), utilizeWithGo to calculateThus the primitive network stream reconstructed
Measure xij(t), formula is:
Drawn from formula (1), network traffics signal xij(t) metric space and wavelet space of Analysis On Multi-scale Features is presented, this
It is included in wavelet packet coefficientIn, different time-frequency characteristics is shown, in this case, by time-frequency network traffics
Different frequency bands is divided into, to obtain corresponding traffic characteristic.Fig. 4 shows the wavelet package transforms of 8 kinds of different scales.Very
It is clear that for different change of scales, different T/F features is presented in network traffics.This shows our method
The function of the network traffics of wavelet packet analysis extraction different scales can be used.Fig. 4 (a) shows the height that wavelet packet yardstick is 4
Frequency characteristic.For wavelet packet yardstick is in Fig. 48,12 and 16 when, as shown in Fig. 4 (b)-(d), we can effectively catch
Obtain the intermediate frequency characteristics of network traffics.However, for other wavelet packet yardsticks in figure, as shown in Fig. 4 (e)-(h), can accurately carry
Take the characteristics of low-frequency of network traffics.Accordingly, it is shown that our method can effectively capture the net in time-frequency domain
The feature of network flow.
For wavelet packet coefficientLow-frequency component and radio-frequency component can be expressed as:
In order to obtain the time-domain signal of corresponding equation (4), changed by the bag of formula (3a), formula (4) can represent
For:
By formula (3), the time-domain signal corresponding to formula (5) can be derived, is expressed as:
xij,lowAnd xij,highNetwork traffics x is represented respectivelyijThe low-frequency component and radio-frequency component of time-domain signal.
Represent unit 804, for based on principal component analysis by signal with eigenvectors matrix, can spectrum matrix and feature stream
The product form of matrix represents;
Second generation unit 805, network flow characteristic is drawn for high-frequency signal to be added with low frequency signal.
Time-frequency domain network flow characteristic is improved using principal component analysis.Specific practice is:
According to Theory of Principal Components Analysis, principal component analysis is performed to formula (6a), obtains frequency temporal signal xij,low's
Main component and non-principal component, are expressed as:
Wherein,
Similarly, principal component analysis is carried out to high frequency time signal, principal component analysis is carried out to formula (6b), high frequency is believed
Number it is expressed as main component and non-principal component:
The characteristic model of network traffics is represented by above-mentioned formula (7)~(10), Ulow、Dlow、VlowFeature is represented respectively
Vector matrix, can spectrum matrix and feature stream matrix.
According to principal component analysis, k main principal components of extraction, the parameter on above-mentioned Model of network traffic is then obtained:
V′low D′low V′high D′high, pass through model extraction time signal xij,low, xij,highCorresponding principal component xij,low,p,
xij,high,p.Finally obtain xij,lowPrincipal component:xp=xij,low,p+xij,high,p。
It may be seen that the chief component of network traffics is correctly extracted from Fig. 5.Importantly, network
The great variety of flow chief component represents possible exception.This will help us to perform the effective detection of network traffics.
This also indicates that our method effectively can capture and characterize network traffics.Fig. 6 depicts our method to abnormality detection
As a result.In our simulation, abnormal flow is injected in four times, the duration is 50 unit time slots, respectively at the moment
300,500,800 and 1200.Fig. 4 shows that our method can detect exactly and is being injected into network traffics at different moments
Abnormal component.This further illustrates that our method can efficiently extract the off-note in network traffics, and perform
Accurate network traffics detection.
Each embodiment is described by the way of progressive in this specification, what each embodiment stressed be and its
The difference of its embodiment, between each embodiment identical similar portion mutually referring to.
The foregoing description of the disclosed embodiments, professional and technical personnel in the field are enable to realize or using the present invention.
A variety of modifications to these embodiments will be apparent for those skilled in the art, defined herein
General Principle can realize in other embodiments without departing from the spirit or scope of the present invention.Therefore, originally
Invention is not intended to be limited to the embodiments shown herein, and is to fit to special with principles disclosed herein and novelty
The consistent most wide scope of point.
Claims (6)
- A kind of 1. Network Traffic Analysis method, it is characterised in that including:In network topology structure, the data on flows of capture source node to destination node;Wavelet package transforms are carried out to the data on flows, obtain wavelet packet coefficient;Principal component analysis is carried out to the wavelet packet coefficient and draws network flow characteristic.
- 2. according to the method for claim 1, it is characterised in that it is described that wavelet package transforms are carried out to the data on flows, obtain Obtaining wavelet packet coefficient includes:The wavelet packet coefficient is divided into high and low frequency two parts;The reciprocal relation of high-frequency signal and low frequency signal and time-domain signal is drawn based on wavelet packet change inverse transformation.
- 3. according to the method for claim 2, it is characterised in that described that wavelet packet coefficient progress principal component analysis is obtained Going out network flow characteristic includes:Signal is represented with the product form of eigenvectors matrix, energy spectrum matrix and feature stream matrix based on principal component analysis;The high-frequency signal is added with low frequency signal and draws network flow characteristic.
- A kind of 4. Network Traffic Analysis system, it is characterised in that including:Trapping module, in network topology structure, capturing source node to the data on flows of destination node;Conversion module, for carrying out wavelet package transforms to the data on flows, obtain wavelet packet coefficient;Analysis module, network flow characteristic is drawn for carrying out principal component analysis to the wavelet packet coefficient.
- 5. system according to claim 4, it is characterised in that the conversion module includes:Discrimination unit, for the wavelet packet coefficient to be divided into high and low frequency two parts;First generation unit, for drawing the mutual of high-frequency signal and low frequency signal and time-domain signal based on wavelet packet change inverse transformation Reverse-power.
- 6. system according to claim 5, it is characterised in that the analysis module includes:Represent unit, for based on principal component analysis by signal with eigenvectors matrix, can spectrum matrix and feature stream matrix multiplying Product form represents;Second generation unit, network flow characteristic is drawn for the high-frequency signal to be added with low frequency signal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710637414.9A CN107454073A (en) | 2017-07-31 | 2017-07-31 | A kind of Network Traffic Analysis method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710637414.9A CN107454073A (en) | 2017-07-31 | 2017-07-31 | A kind of Network Traffic Analysis method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107454073A true CN107454073A (en) | 2017-12-08 |
Family
ID=60489775
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710637414.9A Pending CN107454073A (en) | 2017-07-31 | 2017-07-31 | A kind of Network Traffic Analysis method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107454073A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111654327A (en) * | 2019-11-08 | 2020-09-11 | 国网辽宁省电力有限公司电力科学研究院 | Service feature extraction method for optical cable fiber core remote management control |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101252482A (en) * | 2008-04-07 | 2008-08-27 | 华为技术有限公司 | Network flow abnormity detecting method and device |
CN101729315A (en) * | 2009-12-24 | 2010-06-09 | 北京邮电大学 | Network flow-predicting method and device based on wavelet package decomposition and fuzzy neural network |
CN104168131A (en) * | 2014-06-05 | 2014-11-26 | 国家电网公司 | Flow generation method of power dispatching exchange network based on multicast communication |
US20160219067A1 (en) * | 2015-01-28 | 2016-07-28 | Korea Internet & Security Agency | Method of detecting anomalies suspected of attack, based on time series statistics |
CN105897517A (en) * | 2016-06-20 | 2016-08-24 | 广东电网有限责任公司信息中心 | Network traffic abnormality detection method based on SVM (Support Vector Machine) |
CN106209868A (en) * | 2016-07-18 | 2016-12-07 | 国网辽宁省电力有限公司阜新供电公司 | A kind of large-scale network traffic exception detecting method and system |
-
2017
- 2017-07-31 CN CN201710637414.9A patent/CN107454073A/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101252482A (en) * | 2008-04-07 | 2008-08-27 | 华为技术有限公司 | Network flow abnormity detecting method and device |
CN101729315A (en) * | 2009-12-24 | 2010-06-09 | 北京邮电大学 | Network flow-predicting method and device based on wavelet package decomposition and fuzzy neural network |
CN104168131A (en) * | 2014-06-05 | 2014-11-26 | 国家电网公司 | Flow generation method of power dispatching exchange network based on multicast communication |
US20160219067A1 (en) * | 2015-01-28 | 2016-07-28 | Korea Internet & Security Agency | Method of detecting anomalies suspected of attack, based on time series statistics |
CN105897517A (en) * | 2016-06-20 | 2016-08-24 | 广东电网有限责任公司信息中心 | Network traffic abnormality detection method based on SVM (Support Vector Machine) |
CN106209868A (en) * | 2016-07-18 | 2016-12-07 | 国网辽宁省电力有限公司阜新供电公司 | A kind of large-scale network traffic exception detecting method and system |
Non-Patent Citations (1)
Title |
---|
赵宏昊 等: "面向通信网络的业务流量特征分析方法", 《东北电力技术》 * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111654327A (en) * | 2019-11-08 | 2020-09-11 | 国网辽宁省电力有限公司电力科学研究院 | Service feature extraction method for optical cable fiber core remote management control |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9210181B1 (en) | Detection of anomaly in network flow data | |
US11301778B2 (en) | Method and system for training and validating machine learning in network environments | |
Bae et al. | Identifying and ranking influential spreaders in complex networks by neighborhood coreness | |
Zhang et al. | Network anomography | |
TWI541662B (en) | Methods and systems for estimating entropy | |
CN105306463B (en) | Modbus TCP intrusion detection methods based on support vector machines | |
JP2019061565A (en) | Abnormality diagnostic method and abnormality diagnostic device | |
CN111030941A (en) | Decision tree-based HTTPS encrypted flow classification method | |
EP1907940A2 (en) | Method and apparatus for whole-network anomaly diagnosis and method to detect and classify network anomalies using traffic feature distributions | |
CN106161098B (en) | A kind of network behavior detection method and device | |
US20190342190A1 (en) | System for preparing network traffic for fast analysis | |
CN109150817A (en) | A kind of web-page requests recognition methods and device | |
Riadi et al. | Internet forensics framework based-on clustering | |
Naidu et al. | A comparison of data mining techniques for intrusion detection | |
CN107231383A (en) | The detection method and device of CC attacks | |
CN107454073A (en) | A kind of Network Traffic Analysis method and system | |
KR101073402B1 (en) | Method for simulating and examining traffic and network traffic analysis system | |
CN109214023A (en) | A kind of test method and device of technological design kit | |
Forouzani et al. | Method for assessing software quality using source code analysis | |
CN111310796B (en) | Web user click recognition method oriented to encrypted network flow | |
CN106209868A (en) | A kind of large-scale network traffic exception detecting method and system | |
David et al. | Blind automatic malicious activity detection in honeypot data | |
Yu et al. | Mining anomaly communication patterns for industrial control systems | |
CN111917715B (en) | Equipment identification method based on 802.11ac MAC layer fingerprint | |
CN110084620B (en) | Electronic credential high-frequency abnormal opening detection system and method based on deep learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20171208 |