CN107454073A - A network traffic analysis method and system - Google Patents

A network traffic analysis method and system

Publication number
CN107454073A
Authority
CN
China
Prior art keywords
network
wavelet packet
wavelet
analysis
principal component
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710637414.9A
Other languages
Chinese (zh)
Inventor
赵宏昊
赵思雯
于华东
吴江宁
姜学朴
隋佳新
游平
林屹
张喆
吴庆
李温静
王兴涛
蒋定德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
State Grid Liaoning Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
State Grid Liaoning Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd, State Grid Liaoning Electric Power Co Ltd
Priority to CN201710637414.9A
Publication of CN107454073A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network traffic analysis method, comprising: capturing, in a network topology, traffic data from a source node to a destination node; performing a wavelet packet transform on the traffic data to obtain wavelet packet coefficients; and performing principal component analysis on the wavelet packet coefficients to obtain network traffic features. The wavelet packet transform extracts the hidden features of the network traffic; after the transform, principal component analysis further characterizes the time-frequency features of the traffic, which improves the precision of network traffic analysis in communication networks. The invention also discloses a network traffic analysis system.

Description

A network traffic analysis method and system
Technical field
The present invention relates to the technical field of communication networks, and more specifically to a network traffic analysis method and system.
Background
With the progress of new network technologies such as the Internet of Things, software-defined networking and information-centric networking, new communication types and characteristics have appeared in today's communication networks. More specifically, brand-new applications such as online payment and mobile networks bring new business models and features. The network performance supported by legacy networks does not take these new features into account, for example path delay caused by scheduling, packet loss and network failures. In addition, traffic anomalies, such as new attacks, new anomaly patterns and unknown hidden traffic properties, have a major impact on user experience and on the network. How to capture network traffic features is therefore extremely important for operators and users. Feature analysis of network traffic has by now become a hot topic in academia and industry.
Feature analysis and extraction for network traffic have been widely studied. Generalized entropy metrics and information distance metrics can be used to detect low-rate distributed denial-of-service attacks by measuring the difference between legitimate traffic and attack traffic. Spatio-temporal correlation is used to find and detect anomalies in the network, detection methods working across aggregated traffic statistics and distributed space are used to identify network anomalies, and feature analysis is used to diagnose anomalous network traffic. In addition, models built by analyzing network traffic features can detect network events. TCP (Transmission Control Protocol) traffic anomalies in routers with small buffers have also been studied. The wavelet transform is used to describe the multi-scale features of network traffic, and time-frequency analysis is used to extract traffic properties. From the network's perspective, anomalous network traffic can also be detected by signal transforms. All of these methods can capture features of network traffic, but they have relatively large errors. How to reduce the error and raise the precision of network traffic analysis is therefore an urgent problem.
Summary of the invention
In view of this, an object of the present invention is to provide a network traffic analysis method that improves the precision of feature analysis and reduces error.
To achieve the above object, the present invention provides the following technical solution:
A network traffic analysis method, comprising:
capturing, in a network topology, traffic data from a source node to a destination node;
performing a wavelet packet transform on the traffic data to obtain wavelet packet coefficients;
performing principal component analysis on the wavelet packet coefficients to obtain network traffic features.
Preferably, performing the wavelet packet transform on the traffic data to obtain wavelet packet coefficients comprises:
dividing the wavelet packet coefficients into a high-frequency part and a low-frequency part;
deriving, based on the inverse wavelet packet transform, the mutually inverse relationship between the high-frequency and low-frequency signals and the time-domain signal.
Preferably, performing principal component analysis on the wavelet packet coefficients to obtain network traffic features comprises:
representing the signal, based on principal component analysis, as the product of an eigenvector matrix, an energy spectrum matrix and a feature flow matrix;
adding the high-frequency signal and the low-frequency signal to obtain the network traffic features.
A network traffic analysis system, comprising:
a capture module, configured to capture, in a network topology, traffic data from a source node to a destination node;
a transform module, configured to perform a wavelet packet transform on the traffic data to obtain wavelet packet coefficients;
an analysis module, configured to perform principal component analysis on the wavelet packet coefficients to obtain network traffic features.
Preferably, the transform module comprises:
a discrimination unit, configured to divide the wavelet packet coefficients into a high-frequency part and a low-frequency part;
a first generating unit, configured to derive, based on the inverse wavelet packet transform, the mutually inverse relationship between the high-frequency and low-frequency signals and the time-domain signal.
Preferably, the analysis module comprises:
a representation unit, configured to represent the signal, based on principal component analysis, as the product of an eigenvector matrix, an energy spectrum matrix and a feature flow matrix;
a second generating unit, configured to add the high-frequency signal and the low-frequency signal to obtain the network traffic features.
As can be seen from the above technical solution, this embodiment provides a network traffic analysis method. When network traffic features need to be analyzed, traffic data from a source node to a destination node is first captured in the network topology; a wavelet packet transform is then performed on the traffic data to obtain wavelet packet coefficients; finally, principal component analysis is performed on the wavelet packet coefficients to obtain the network traffic features. The wavelet packet transform extracts the hidden features of the network traffic, and after the transform, principal component analysis further refines the time-frequency features of the traffic, improving the precision of network traffic analysis in communication networks.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below are evidently only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment 1 of the network traffic analysis method disclosed by the invention;
Fig. 2 is a flow chart of embodiment 2 of the network traffic analysis method disclosed by the invention;
Fig. 3 is a schematic diagram of network traffic with and without anomalies in one embodiment of the invention, where (a) shows normal network traffic and (b) shows anomalous network traffic;
Fig. 4 is a schematic diagram of network traffic under wavelet packet transforms at eight different scales in one embodiment of the invention, where (a) shows wavelet packet scale 4, (b) scale 8, (c) scale 12, (d) scale 16, (e) scale 20, (f) scale 24, (g) scale 28 and (h) scale 32;
Fig. 5 is a schematic diagram of network traffic features based on principal component analysis in one embodiment of the invention, where (a) shows the non-principal components of the network traffic and (b) shows the principal components of the network traffic;
Fig. 6 is a schematic diagram of the detection results for anomalous network traffic in one embodiment of the invention, where (a) shows the principal component analysis result and (b) shows anomalous traffic injected at different moments;
Fig. 7 is a structural diagram of embodiment 1 of the network traffic analysis system disclosed by the invention;
Fig. 8 is a structural diagram of embodiment 2 of the network traffic analysis system disclosed by the invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
To emphasize more specifically the independence of their implementation, this specification refers to a number of modules or units. For example, a module or unit may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, such as logic chips, transistors or other components. A module or unit may also be implemented in programmable hardware devices such as field-programmable gate arrays, programmable array logic or programmable logic devices.
Modules or units may also be implemented in software executed by various forms of processors. For example, an executable code module may include one or more physical or logical blocks of computer instructions, which may be organized as, for example, an object, a procedure or a function. However, the executable parts of an identified module or unit need not be physically located together; they may consist of different instructions stored in different locations which, when joined logically, form the module or unit and achieve its stated purpose.
In fact, an executable code module or unit may be a single instruction or many instructions, and may even be distributed over several different code segments, among different programs, and across several storage devices. Similarly, operational data may be identified and illustrated within the module or unit, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including different storage devices, and may exist, at least in part, merely as electronic signals on a system or network.
References in this specification to "an embodiment" or similar terms mean that a characteristic, structure or feature described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, occurrences of the terms "in one embodiment", "in an embodiment" and similar terms in this specification may, but do not necessarily, all refer to the same embodiment.
Furthermore, the characteristics, structures or features of the present invention may be combined in any manner in one or more embodiments. The following description provides many specific details, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits and hardware chips, to give an understanding of the embodiments of the present invention. A person of ordinary skill in the relevant art will recognize, however, that the invention can be practiced without one or more of these specific details, or with other methods, components, materials and so on. In other instances, well-known structures, materials or operations are not described in detail, to avoid obscuring the invention.
As shown in Fig. 1, a flow chart of embodiment 1 of the network traffic analysis method disclosed by the invention, the method comprises the following steps:
S101: in a network topology, capture traffic data from a source node to a destination node;
When the features of network traffic in a communication network need to be analyzed, a set of traffic data from source node i to destination node j is first obtained in the network topology as the signal to be analyzed, denoted $x_{ij} = \{x_{ij}(1), x_{ij}(2), \ldots\}$.
S102: perform a wavelet packet transform on the traffic data to obtain wavelet packet coefficients;
The wavelet packet transform is then performed on the captured traffic data to analyze and extract the hidden features of the network traffic.
S103: perform principal component analysis on the wavelet packet coefficients to obtain network traffic features.
Principal component analysis theory is then applied to the wavelet packet coefficients to analyze and refine the time-frequency-domain network traffic features, yielding the network traffic features.
In summary, in the above embodiment, when network traffic features need to be analyzed, traffic data from a source node to a destination node is first captured in the network topology; a wavelet packet transform is then performed on the traffic data to obtain wavelet packet coefficients; finally, principal component analysis is performed on the wavelet packet coefficients to obtain the network traffic features. The wavelet packet transform extracts the hidden features of the network traffic, and after the transform, principal component analysis further refines the time-frequency features of the traffic, improving the precision of network traffic analysis in communication networks.
As shown in Fig. 2, a flow chart of embodiment 2 of the network traffic analysis method disclosed by the invention, the method comprises the following steps:
S201: in a network topology, capture traffic data from a source node to a destination node;
When the features of network traffic in a communication network need to be analyzed, a set of traffic data from source node i to destination node j is first obtained in the network topology as the signal to be analyzed, denoted $x_{ij} = \{x_{ij}(1), x_{ij}(2), \ldots\}$.
S202: divide the wavelet packet coefficients into a high-frequency part and a low-frequency part;
S203: derive, based on the inverse wavelet packet transform, the mutually inverse relationship between the high-frequency and low-frequency signals and the time-domain signal;
The hidden features of the network traffic are extracted using wavelet packet analysis. First, the wavelet packet transform is applied to the network traffic $x_{ij} = \{x_{ij}(1), x_{ij}(2), \ldots\}$, that is, a wavelet packet decomposition is performed; the specific formula is:
HereMeet
Expression represents the subspace of metric space and wavelet space.Calculated according to WAVELET PACKET DECOMPOSITION The decomposition method of method, utilize formula (1)Go to obtainWith
According to method of wavelet packet, the wavelet packet of reconstruct can be expressed as equation:
According to formula (3a), utilizeWithGo to calculateThus the primitive network stream reconstructed Measure xij(t), formula is:
From formula (1), the network traffic signal $x_{ij}(t)$ exhibits the scale space and wavelet space of multi-scale features, which are contained in the wavelet packet coefficients and show different time-frequency characteristics. The time-frequency network traffic is therefore divided into different frequency bands to obtain the corresponding traffic features. Fig. 4 shows wavelet packet transforms at 8 different scales. Clearly, the network traffic presents different time-frequency features at different scales, which shows that our method can use wavelet packet analysis to extract the characteristics of network traffic at different scales. Fig. 4(a) shows the high-frequency characteristics at wavelet packet scale 4. At wavelet packet scales 8, 12 and 16, shown in Fig. 4(b)-(d), the mid-frequency characteristics of the network traffic are captured effectively. At the other wavelet packet scales, shown in Fig. 4(e)-(h), the low-frequency characteristics of the network traffic are extracted accurately. This shows that our method can effectively capture the features of network traffic in the time-frequency domain.
For the wavelet packet coefficients, the low-frequency and high-frequency components can be expressed as:
To obtain the time-domain signal corresponding to equation (4), formula (4) can be expressed, by the wavelet packet transform of formula (3a), as:
By formula (3), the time-domain signal corresponding to formula (5) can be derived, expressed as:
$x_{ij,low}$ and $x_{ij,high}$ denote the low-frequency and high-frequency components of the time-domain signal of the network traffic $x_{ij}$, respectively.
S204: based on principal component analysis, represent the signal as the product of an eigenvector matrix, an energy spectrum matrix and a feature flow matrix;
S205: add the high-frequency signal and the low-frequency signal to obtain the network traffic features.
Principal component analysis is used to refine the time-frequency-domain network traffic features, as follows:
According to principal component analysis theory, principal component analysis is performed on formula (6a) to obtain the principal and non-principal components of the low-frequency time signal $x_{ij,low}$, expressed as:
Wherein,
Similarly, principal component analysis is performed on the high-frequency time signal, that is, on formula (6b), and the high-frequency signal is expressed as principal and non-principal components:
The feature model of the network traffic is given by formulas (7)~(10) above; $U_{low}$, $D_{low}$ and $V_{low}$ denote the eigenvector matrix, the energy spectrum matrix and the feature flow matrix, respectively.
According to principal component analysis, the k main principal components are extracted, which gives the parameters of the above network traffic model: $V'_{low}$, $D'_{low}$, $V'_{high}$, $D'_{high}$. The model is used to extract the principal components $x_{ij,low,p}$ and $x_{ij,high,p}$ corresponding to the time signals $x_{ij,low}$ and $x_{ij,high}$. Finally, the principal component of $x_{ij,low}$ is obtained: $x_p = x_{ij,low,p} + x_{ij,high,p}$
From Fig. 5 we can see that the principal components of the network traffic are extracted correctly. More importantly, a large change in the principal components of the network traffic indicates a possible anomaly, which helps us detect network traffic effectively. This also shows that our method can effectively capture and characterize network traffic. Fig. 6 depicts the anomaly detection results of our method. In our simulation, anomalous traffic is injected four times, each lasting 50 unit time slots, at moments 300, 500, 800 and 1200. Fig. 4 shows that our method accurately detects the anomalous components injected into the network traffic at different moments. This further shows that our method can efficiently extract anomalous features from network traffic and perform accurate network traffic detection.
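The steps of embodiment 2 (S201 to S205) as an added example, not code from the patent: a wavelet packet decomposition, a low/high band split, the inverse transform back to $x_{ij,low}$ and $x_{ij,high}$, a rank-k principal part of each, and their sum $x_p$. Because the patent's formulas are missing from this page, the Haar wavelet, the 16-slot window matrix used for the principal component step, the RMS-versus-median flag rule and the traffic series itself are assumptions; only the injection moments and the 50-slot duration come from the text.

```python
import math
import random

SQRT2 = math.sqrt(2.0)
ANOMALY_STARTS = (300, 500, 800, 1200)  # injection moments given on the page
ANOMALY_LEN = 50                        # duration given on the page (time slots)

def haar_split(x):
    """One Haar analysis step: (low-pass half, high-pass half)."""
    lo = [(x[i] + x[i + 1]) / SQRT2 for i in range(0, len(x), 2)]
    hi = [(x[i] - x[i + 1]) / SQRT2 for i in range(0, len(x), 2)]
    return lo, hi

def haar_merge(lo, hi):
    """Inverse of haar_split."""
    out = []
    for a, d in zip(lo, hi):
        out += [(a + d) / SQRT2, (a - d) / SQRT2]
    return out

def wp_decompose(x, level):
    """Full wavelet packet tree: 2**level leaves indexed by filter path
    (bit 0 = low-pass, 1 = high-pass; the first split is the top bit)."""
    bands = [list(x)]
    for _ in range(level):
        bands = [half for b in bands for half in haar_split(b)]
    return bands

def wp_reconstruct(bands):
    """Inverse wavelet packet transform from the leaf bands."""
    while len(bands) > 1:
        bands = [haar_merge(bands[i], bands[i + 1]) for i in range(0, len(bands), 2)]
    return bands[0]

def low_band_paths(n_low):
    """Leaf indices of the n_low lowest-frequency bands. Each high-pass step
    mirrors the spectrum, so the leaf at frequency rank f has path gray(f)."""
    return [f ^ (f >> 1) for f in range(n_low)]

def split_low_high(x, level=3, n_low=2):
    """Time-domain x_low and x_high: invert with the other part zeroed."""
    bands = wp_decompose(x, level)
    low = set(low_band_paths(n_low))
    zeros = lambda b: [0.0] * len(b)
    x_low = wp_reconstruct([b if i in low else zeros(b) for i, b in enumerate(bands)])
    x_high = wp_reconstruct([zeros(b) if i in low else b for i, b in enumerate(bands)])
    return x_low, x_high

def principal_part(rows, k=1, iters=50):
    """Rank-k principal part of a window matrix (uncentered PCA, computed by
    power iteration with deflation instead of a full SVD)."""
    n = len(rows[0])
    resid = [r[:] for r in rows]
    part = [[0.0] * n for _ in rows]
    for _ in range(k):
        v = [1.0 + j / n for j in range(n)]
        for _ in range(iters):
            scores = [sum(a * b for a, b in zip(r, v)) for r in resid]
            v = [sum(s * r[j] for s, r in zip(scores, resid)) for j in range(n)]
            norm = math.sqrt(sum(c * c for c in v)) or 1.0
            v = [c / norm for c in v]
        for r, p in zip(resid, part):
            s = sum(a * b for a, b in zip(r, v))
            for j in range(n):
                p[j] += s * v[j]
                r[j] -= s * v[j]
    return part

def sample_traffic(n=1536, seed=1):
    """Constructed traffic: level 100, a 16-slot cycle, bounded noise, +80 bursts."""
    rng = random.Random(seed)
    x = []
    for t in range(n):
        v = 100 + 5 * math.sin(2 * math.pi * t / 16) + rng.uniform(-2, 2)
        if any(s <= t < s + ANOMALY_LEN for s in ANOMALY_STARTS):
            v += 80
        x.append(v)
    return x

def analyse(x, window=16, k=1, factor=1.4):
    """Return (x_low, x_high, flagged windows) for a traffic series x."""
    x_low, x_high = split_low_high(x)
    rows = lambda s: [s[i:i + window] for i in range(0, len(s), window)]
    low_p = principal_part(rows(x_low), k)
    high_p = principal_part(rows(x_high), k)
    rms = []
    for a, b in zip(low_p, high_p):
        x_p = [p + q for p, q in zip(a, b)]  # x_p = x_low,p + x_high,p
        rms.append(math.sqrt(sum(c * c for c in x_p) / window))
    median = sorted(rms)[len(rms) // 2]
    # Assumed rule: flag a window whose principal-part RMS is far above the median.
    return x_low, x_high, [w for w, e in enumerate(rms) if e > factor * median]

if __name__ == "__main__":
    print(analyse(sample_traffic())[2])
```

The series length must be a multiple of both the window and 2**level. With Haar and the two lowest of eight bands, $x_{ij,low}$ is the 4-slot block average and $x_{ij,high}$ is the remainder, so the two parts always sum back to the captured series.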
As shown in Fig. 7, a structural diagram of embodiment 1 of the network traffic analysis system disclosed by the invention, the system comprises:
a capture module 701, configured to capture, in a network topology, traffic data from a source node to a destination node;
When the features of network traffic in a communication network need to be analyzed, a set of traffic data from source node i to destination node j is first obtained in the network topology as the signal to be analyzed, denoted $x_{ij} = \{x_{ij}(1), x_{ij}(2), \ldots\}$.
a transform module 702, configured to perform a wavelet packet transform on the traffic data to obtain wavelet packet coefficients;
The wavelet packet transform is then performed on the captured traffic data to analyze and extract the hidden features of the network traffic.
an analysis module 703, configured to perform principal component analysis on the wavelet packet coefficients to obtain network traffic features.
Principal component analysis theory is then applied to the wavelet packet coefficients to analyze and refine the time-frequency-domain network traffic features, yielding the network traffic features.
In summary, in the above embodiment, when network traffic features need to be analyzed, traffic data from a source node to a destination node is first captured in the network topology; a wavelet packet transform is then performed on the traffic data to obtain wavelet packet coefficients; finally, principal component analysis is performed on the wavelet packet coefficients to obtain the network traffic features. The wavelet packet transform extracts the hidden features of the network traffic, and after the transform, principal component analysis further refines the time-frequency features of the traffic, improving the precision of network traffic analysis in communication networks.
As shown in Fig. 8, a structural diagram of embodiment 2 of the network traffic analysis system disclosed by the invention, the system comprises:
a capture module 801, configured to capture, in a network topology, traffic data from a source node to a destination node;
When the features of network traffic in a communication network need to be analyzed, a set of traffic data from source node i to destination node j is first obtained in the network topology as the signal to be analyzed, denoted $x_{ij} = \{x_{ij}(1), x_{ij}(2), \ldots\}$.
a discrimination unit 802, configured to divide the wavelet packet coefficients into a high-frequency part and a low-frequency part;
a first generating unit 803, configured to derive, based on the inverse wavelet packet transform, the mutually inverse relationship between the high-frequency and low-frequency signals and the time-domain signal;
The hidden features of the network traffic are extracted using wavelet packet analysis. First, the wavelet packet transform is applied to the network traffic $x_{ij} = \{x_{ij}(1), x_{ij}(2), \ldots\}$, that is, a wavelet packet decomposition is performed; the specific formula is:
HereMeet
Expression represents the subspace of metric space and wavelet space.Calculated according to WAVELET PACKET DECOMPOSITION The decomposition method of method, utilize formula (1)Go to obtainWith
According to method of wavelet packet, the wavelet packet of reconstruct can be expressed as equation:
According to formula (3a), utilizeWithGo to calculateThus the primitive network stream reconstructed Measure xij(t), formula is:
From formula (1), the network traffic signal $x_{ij}(t)$ exhibits the scale space and wavelet space of multi-scale features, which are contained in the wavelet packet coefficients and show different time-frequency characteristics. The time-frequency network traffic is therefore divided into different frequency bands to obtain the corresponding traffic features. Fig. 4 shows wavelet packet transforms at 8 different scales. Clearly, the network traffic presents different time-frequency features at different scales, which shows that our method can use wavelet packet analysis to extract the characteristics of network traffic at different scales. Fig. 4(a) shows the high-frequency characteristics at wavelet packet scale 4. At wavelet packet scales 8, 12 and 16, shown in Fig. 4(b)-(d), the mid-frequency characteristics of the network traffic are captured effectively. At the other wavelet packet scales, shown in Fig. 4(e)-(h), the low-frequency characteristics of the network traffic are extracted accurately. This shows that our method can effectively capture the features of network traffic in the time-frequency domain.
For the wavelet packet coefficients, the low-frequency and high-frequency components can be expressed as:
To obtain the time-domain signal corresponding to equation (4), formula (4) can be expressed, by the wavelet packet transform of formula (3a), as:
By formula (3), the time-domain signal corresponding to formula (5) can be derived, expressed as:
$x_{ij,low}$ and $x_{ij,high}$ denote the low-frequency and high-frequency components of the time-domain signal of the network traffic $x_{ij}$, respectively.
a representation unit 804, configured to represent the signal, based on principal component analysis, as the product of an eigenvector matrix, an energy spectrum matrix and a feature flow matrix;
a second generating unit 805, configured to add the high-frequency signal and the low-frequency signal to obtain the network traffic features.
Principal component analysis is used to refine the time-frequency-domain network traffic features, as follows:
According to principal component analysis theory, principal component analysis is performed on formula (6a) to obtain the principal and non-principal components of the low-frequency time signal $x_{ij,low}$, expressed as:
Wherein,
Similarly, principal component analysis is performed on the high-frequency time signal, that is, on formula (6b), and the high-frequency signal is expressed as principal and non-principal components:
The feature model of the network traffic is given by formulas (7)~(10) above; $U_{low}$, $D_{low}$ and $V_{low}$ denote the eigenvector matrix, the energy spectrum matrix and the feature flow matrix, respectively.
According to principal component analysis, the k main principal components are extracted, which gives the parameters of the above network traffic model: $V'_{low}$, $D'_{low}$, $V'_{high}$, $D'_{high}$. The model is used to extract the principal components $x_{ij,low,p}$ and $x_{ij,high,p}$ corresponding to the time signals $x_{ij,low}$ and $x_{ij,high}$. Finally, the principal component of $x_{ij,low}$ is obtained: $x_p = x_{ij,low,p} + x_{ij,high,p}$
From Fig. 5 we can see that the principal components of the network traffic are extracted correctly. More importantly, a large change in the principal components of the network traffic indicates a possible anomaly, which helps us detect network traffic effectively. This also shows that our method can effectively capture and characterize network traffic. Fig. 6 depicts the anomaly detection results of our method. In our simulation, anomalous traffic is injected four times, each lasting 50 unit time slots, at moments 300, 500, 800 and 1200. Fig. 4 shows that our method accurately detects the anomalous components injected into the network traffic at different moments. This further shows that our method can efficiently extract anomalous features from network traffic and perform accurate network traffic detection.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. The present invention is therefore not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

  1. A network traffic analysis method, characterized by comprising:
    capturing, in a network topology, traffic data from a source node to a destination node;
    performing a wavelet packet transform on the traffic data to obtain wavelet packet coefficients;
    performing principal component analysis on the wavelet packet coefficients to derive network traffic features.
  2. The method according to claim 1, characterized in that performing the wavelet packet transform on the traffic data to obtain wavelet packet coefficients comprises:
    dividing the wavelet packet coefficients into high-frequency and low-frequency parts;
    deriving, based on the inverse wavelet packet transform, the reciprocal relation between the high-frequency and low-frequency signals and the time-domain signal.
  3. The method according to claim 2, characterized in that performing principal component analysis on the wavelet packet coefficients to derive network traffic features comprises:
    representing the signal, based on principal component analysis, as the product of an eigenvector matrix, an energy spectrum matrix and a feature stream matrix;
    adding the high-frequency signal to the low-frequency signal to derive the network traffic features.
  4. A network traffic analysis system, characterized by comprising:
    a capture module, for capturing, in a network topology, traffic data from a source node to a destination node;
    a transform module, for performing a wavelet packet transform on the traffic data to obtain wavelet packet coefficients;
    an analysis module, for performing principal component analysis on the wavelet packet coefficients to derive network traffic features.
  5. The system according to claim 4, characterized in that the transform module comprises:
    a discrimination unit, for dividing the wavelet packet coefficients into high-frequency and low-frequency parts;
    a first generation unit, for deriving, based on the inverse wavelet packet transform, the reciprocal relation between the high-frequency and low-frequency signals and the time-domain signal.
  6. The system according to claim 5, characterized in that the analysis module comprises:
    a representation unit, for representing the signal, based on principal component analysis, as the product of an eigenvector matrix, an energy spectrum matrix and a feature stream matrix;
    a second generation unit, for adding the high-frequency signal to the low-frequency signal to derive the network traffic features.
CN201710637414.9A 2017-07-31 2017-07-31 A kind of Network Traffic Analysis method and system Pending CN107454073A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710637414.9A CN107454073A (en) 2017-07-31 2017-07-31 A kind of Network Traffic Analysis method and system

Publications (1)

Publication Number Publication Date
CN107454073A true CN107454073A (en) 2017-12-08

Family

ID=60489775

Country Status (1)

Country Link
CN (1) CN107454073A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111654327A (en) * 2019-11-08 2020-09-11 国网辽宁省电力有限公司电力科学研究院 Service feature extraction method for optical cable fiber core remote management control

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101252482A (en) * 2008-04-07 2008-08-27 华为技术有限公司 Network flow abnormity detecting method and device
CN101729315A (en) * 2009-12-24 2010-06-09 北京邮电大学 Network flow-predicting method and device based on wavelet package decomposition and fuzzy neural network
CN104168131A (en) * 2014-06-05 2014-11-26 国家电网公司 Flow generation method of power dispatching exchange network based on multicast communication
US20160219067A1 (en) * 2015-01-28 2016-07-28 Korea Internet & Security Agency Method of detecting anomalies suspected of attack, based on time series statistics
CN105897517A (en) * 2016-06-20 2016-08-24 广东电网有限责任公司信息中心 Network traffic abnormality detection method based on SVM (Support Vector Machine)
CN106209868A (en) * 2016-07-18 2016-12-07 国网辽宁省电力有限公司阜新供电公司 A kind of large-scale network traffic exception detecting method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵宏昊 等: "面向通信网络的业务流量特征分析方法", 《东北电力技术》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171208