CN111935172B - Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium

Info

Publication number
CN111935172B
CN111935172B
Authority
CN
China
Prior art keywords
network
data
information
topology
network device
Prior art date
Legal status
Active
Application number
CN202010861223.2A
Other languages
Chinese (zh)
Other versions
CN111935172A (en)
Inventor
王沐
宋磊
Current Assignee
Guangdong Yizhi Security Technology Co ltd
Original Assignee
Guangdong Yizhi Security Technology Co ltd
Application filed by Guangdong Yizhi Security Technology Co ltd
Priority to CN202010861223.2A
Publication of CN111935172A
Application granted
Publication of CN111935172B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/12 Discovery or management of network topologies
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network abnormal behavior detection method, a computer device and a computer readable storage medium based on network topology, wherein the method comprises the steps of obtaining network element information of network flow data, marking each network device according to the network element information, and constructing the network topology according to the connection among a plurality of network devices; counting flow data of each network device in a preset history period in the network topology and forming history data; and acquiring actual flow data of each network device in the network topology in a preset time, judging whether the difference value of the actual flow data and the historical data exceeds a preset threshold value, and if so, sending out alarm information of network abnormal behaviors. The invention also provides a computer device for realizing the method and a computer readable storage medium. The invention can efficiently and accurately detect the abnormal network behavior.

Description

Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a network abnormal behavior detection method based on network topology, a computer device for realizing the method and a computer readable storage medium.
Background
With the development of network technology, network security has become a widespread concern. A complex computer network contains a large number of security holes through which an intruder can enter the network and, through various operations, bypass the existing security detection devices to commit illicit acts such as data theft. Therefore, abnormal network behaviors are detected through various technical means so that they can be discovered in time.
The main existing way of detecting network abnormal behavior is to first establish a feature library of abnormal network traffic behaviors from known network intrusion cases, and then match the traffic behavior of the network to be detected against the abnormal behaviors in the feature library one by one; if the traffic behavior of the network matches an abnormal behavior in the feature library, this indicates that a network abnormal behavior exists, for example that an intruder is invading the network.
However, network intrusion techniques change day by day, and the feature library cannot be built up fast enough to keep up with their development, so network abnormal behavior is difficult to identify in time and accurately with the existing detection method, and network information security is affected. In addition, the existing feature library is built from known network intrusion cases, but different networks differ greatly, and a feature library built from known cases is not necessarily suitable for a new network, so false alarms can be generated. Finally, in the existing detection method, because the network abnormal behaviors are diverse, the features of the network traffic data are largely extracted manually, which consumes time and labor and also affects the efficiency of network abnormal behavior detection.
For this reason, the method for detecting network abnormal behavior has been improved. Another existing method determines whether network abnormal behavior exists according to the flow direction of the network traffic data: it first obtains the source port, source IP address, destination port and destination IP address of the network traffic data, then counts the data and the traffic and processes the traffic data to form a hash value; the hash value is then inserted into a hash bucket, the information and traffic of the network data are transmitted to an evaluation unit, the evaluation unit performs a statistical evaluation of the data traffic, and whether network abnormal behavior exists is judged according to the evaluation result.
However, this method does not establish a network topology according to the flow direction of the traffic data, that is, it does not analyze the traffic data condition of each network device from the perspective of the network topology, so the analysis of network abnormal behavior is inaccurate and the problem of false alarms remains. On the other hand, the method needs to calculate the hash value, and calculating the hash value is very time-consuming, which affects the efficiency of network abnormal behavior detection.
Disclosure of Invention
The invention mainly aims to provide a network abnormal behavior detection method based on network topology, which can rapidly and accurately detect network abnormal behaviors.
Another object of the present invention is to provide a computer device implementing the network anomaly detection method based on network topology.
It is still another object of the present invention to provide a computer readable storage medium implementing the above network topology-based network anomaly detection method.
In order to achieve the main purpose of the invention, the network topology-based network abnormal behavior detection method provided by the invention comprises the steps of obtaining network element information of network flow data, marking each network device according to the network element information, and constructing a network topology according to the connection among a plurality of network devices; counting flow data of each network device in a preset history period in the network topology and forming history data; and acquiring actual flow data of each network device in the network topology in a preset time, judging whether the difference value of the actual flow data and the historical data exceeds a preset threshold value, and if so, sending out alarm information of network abnormal behaviors.
According to this scheme, after each network device has been identified from the network element information, the network topology is constructed according to the connections among the plurality of network devices, and the analysis of network abnormal behavior is carried out on the basis of the network topology, so the accuracy of detecting network abnormal behavior can be improved. In addition, no hash value needs to be calculated when analyzing network abnormal behavior, so the efficiency of detection can be improved.
Preferably, the network element information includes flow direction information and time information of the network traffic data.
It can be seen that each network device in the network is comprehensively analyzed from the flow direction information and the time information of the network traffic data, which provides accurate data for the construction of the network topology.
Further, the flow direction information of the network traffic data includes: source IP address information, source port information, communication protocol information, destination IP address information, and destination port information of the network traffic data.
Therefore, each network device in the network topology can be accurately identified according to these five items of flow direction information.
In a further aspect, counting the traffic data of each network device in the network topology in the preset history period includes: counting the traffic data of each network device in the network topology in a first time period.
It can be seen that by analyzing the traffic data of each network device of the network topology over a period of time, historical data for that period can be obtained and used as the basis for the subsequent analysis of network abnormal behavior.
In a further aspect, counting the traffic data of each network device in the network topology in the preset history period further includes: counting the traffic data of each network device in the network topology in a second time period, wherein the second time period is longer than the first time period.
Therefore, network traffic data in two different time periods are acquired, the historical data analysis of the network traffic data becomes more accurate, and the accuracy of network abnormal behavior analysis is improved.
Further, the second time period includes a plurality of first time periods; counting the traffic data of each network device in the network topology in the preset history period includes: counting the traffic data of each network device in the network topology in each first time period within the second time period.
Because the second time period is several times the first time period, this is equivalent to analyzing the network traffic data in two different time periods, which provides more accurate historical data and improves the accuracy of traffic data analysis.
Further, determining whether the difference value between the actual traffic data and the historical data exceeds the preset threshold includes: judging whether the difference value between the actual traffic data of the network device in the first time period corresponding to the second time period and the contemporaneous historical data exceeds the preset threshold.
Therefore, by comparing the actual flow data in the first time period with the contemporaneous historical data in the second time period, the network abnormal behavior can be more accurately analyzed, and the accuracy of the network abnormal behavior analysis is improved.
Still further, marking each network device according to the network element information includes: identifying each network device based on the network element information and using its IP address as the label of the network device.
Therefore, each network device is identified according to the network flow direction data and marked by its IP address, which simplifies the operation of marking network devices and improves the convenience of detecting abnormal network behaviors.
To achieve the above another object, the present invention provides a computer device including a processor and a memory, where the memory stores a computer program, and the computer program when executed by the processor implements the steps of the network anomaly detection method based on network topology.
In order to achieve the above object, the present invention provides a computer program stored on a computer readable storage medium, which when executed by a processor, implements the steps of the network anomaly detection method based on network topology.
Drawings
Fig. 1 is a flowchart of an embodiment of a network anomaly detection method based on a network topology of the present invention.
Fig. 2 is a network topology diagram constructed in an embodiment of the network anomaly detection method based on network topology of the present invention.
The invention is further described below with reference to the drawings and examples.
Detailed Description
The network abnormal behavior detection method based on the network topology is operated on network equipment, for example, the method is operated on a server, and abnormal behaviors in a network are monitored through the server. The computer device of the present invention may be a device such as a server, and may be provided with a processor and a memory, and the memory may store a computer program, and the computer program may implement the network anomaly detection method based on the network topology when executed.
Network anomaly detection method embodiment based on network topology:
The method and the device are used to detect network abnormal behaviors automatically. Specifically, they confirm each network device in the network by analyzing the network traffic data, determine the network topology according to the flow direction of the network traffic data, and analyze the network traffic data with the network topology model to form historical data. The analysis of network abnormal behavior mainly compares the actual traffic data with the historical data to judge whether network abnormal behavior has occurred.
Referring to fig. 1, step S1 is first performed to acquire network element information of network traffic data. In this embodiment, the network element information of the network traffic data includes flow direction information and time information of the network traffic data, where the flow direction information of the network traffic data includes the following five information: the source IP address information, source port information, communication protocol information, destination IP address information, and destination port information of the network traffic data, and the time information is a timestamp of the network traffic data, that is, a time when the network traffic data is transmitted.
Specifically, this embodiment may use a probe device to acquire the network element information of the network traffic data. The probe device is a device for identifying and analyzing network traffic data: it analyzes the mirrored traffic data fed to it, extracts the flow direction information and timestamp of the traffic data, and transmits the acquired network element information to an analysis server. After receiving the flow information uploaded by the probe device, the analysis server saves it in a database in RDF (resource description framework) format.
Then the analysis server executes step S2 to determine the plurality of network devices according to the network element information. Specifically, from the source IP address information and the destination IP address information of the network traffic data it can be determined from which IP address the network traffic data was sent and by which it was received; since a network device generally has a unique IP address, the sending network device and the receiving network device of the network traffic data can be determined from its source IP address and destination IP address. Further, the port flow direction of the network traffic data can be determined from the source port information and the destination port information, and, combined with the communication protocol information, the matching relationship between the source device and the destination device of the network traffic data can be determined.
After each network device is determined, step S3 is executed to mark the network device, specifically by using the IP address of the network device as its unique identifier. Then, according to the flow direction information of the traffic data, the communication relationships between network devices are used as the connections of a network topology, and the constructed network topology is shown in fig. 2.
For example, the network topology in fig. 2 has four network devices in total. Network device IP1 mainly transmits data to network device IP2 and network device IP4, and network device IP2 mainly transmits data to network device IP3; from this it can be inferred that network device IP2 may be a routing device and that network devices IP3 and IP4 may be terminal devices used by users.
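Steps S1 to S3 above, as an added worked example that is not code from the patent or its assignee: each flow record carries the five flow direction items and a timestamp, every IP address observed becomes a node labelled by that address, and each observed source-to-destination direction becomes an edge. The sample flows are constructed to reproduce the shape of fig. 2, with the addresses 10.0.0.1 to 10.0.0.4 standing in for IP1 to IP4; the role heuristic (a device that both receives and forwards traffic looks like a routing device, one that only receives looks like a terminal) is the reasoning the description applies to fig. 2, written out as code.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FlowRecord:
    """Network element information of one flow: the five flow direction items plus the timestamp."""
    src_ip: str
    src_port: int
    proto: str
    dst_ip: str
    dst_port: int
    ts: datetime


# Constructed sample flows (not from the patent); they reproduce the fig. 2 shape,
# with 10.0.0.1..4 standing in for IP1..IP4.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.1", 51000, "tcp", "10.0.0.2", 80, datetime(2020, 8, 20, 12, 5)),
    FlowRecord("10.0.0.1", 51001, "tcp", "10.0.0.2", 80, datetime(2020, 8, 20, 12, 9)),
    FlowRecord("10.0.0.1", 51002, "udp", "10.0.0.4", 53, datetime(2020, 8, 20, 12, 11)),
    FlowRecord("10.0.0.2", 40000, "tcp", "10.0.0.3", 443, datetime(2020, 8, 20, 12, 12)),
]


def build_topology(flows):
    """Steps S2 and S3: every source or destination IP becomes a node labelled by
    its IP address, and each observed (src_ip, dst_ip) flow direction becomes a
    directed edge weighted by the number of flows seen.  The (proto, dst_port)
    pairs seen at each destination are kept for later role inference."""
    nodes = set()
    edges = defaultdict(int)
    services = defaultdict(set)
    for f in flows:
        nodes.add(f.src_ip)
        nodes.add(f.dst_ip)
        edges[(f.src_ip, f.dst_ip)] += 1
        services[f.dst_ip].add((f.proto, f.dst_port))
    return nodes, dict(edges), dict(services)


def classify_devices(nodes, edges):
    """Heuristic from the fig. 2 discussion: a device that both receives traffic
    and forwards traffic to other devices looks like a routing device; a device
    that only receives looks like a terminal; a device that only sends is a source."""
    in_deg = defaultdict(int)
    out_deg = defaultdict(int)
    for src, dst in edges:
        out_deg[src] += 1
        in_deg[dst] += 1
    roles = {}
    for ip in nodes:
        if in_deg[ip] and out_deg[ip]:
            roles[ip] = "routing device"
        elif out_deg[ip]:
            roles[ip] = "source"
        else:
            roles[ip] = "terminal"
    return roles


if __name__ == "__main__":
    nodes, edges, services = build_topology(SAMPLE_FLOWS)
    for (src, dst), n in sorted(edges.items()):
        print(f"{src} -> {dst}: {n} flows")
    for ip, role in sorted(classify_devices(nodes, edges).items()):
        print(f"{ip}: {role}")
```

The edge weights and per-destination (protocol, port) sets are what the later statistics steps consume; labelling nodes by IP address only is sufficient here because, as the description notes, a device generally has a unique IP address in the monitored network.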
After the network topology is built, step S4 is executed: the network traffic data of each network device in the network topology is counted over a preset historical time period to form historical data. In this embodiment, the network traffic data is counted on the basis of two time periods: the first time period is shorter, for example one hour, and the second time period is longer and may be several times the first time period, for example one week, so that one second time period contains 168 first time periods.
In step S4, the network traffic data of each network device is first counted according to the first time period, and then the network traffic data of each first time period is analyzed according to the second time period to form the historical data. Specifically, statistics are collected on the network traffic data of each network device by the hour; for example, between 12:00 and 13:00 on a Thursday, network device A accesses network device B 70 times, accesses network device C 12 times and accesses network device D 5 times.
Then, based on the hourly statistics, the access trend of each network device is further counted in the week dimension; for example, network device A accesses network device B about 100 times between 12:00 and 13:00 every Thursday, accesses network device C about 20 times and accesses network device D about 10 times. In this statistical mode, the access trend of each network device in each hour of each week can be analyzed, thereby forming the historical data.
In addition, from the above access trend and the communication protocol used by each network device when performing data access, the type of each network device may be determined; for example, if network device A accesses network device B about 100 times over the HTTP protocol between 12:00 and 13:00 every Thursday, network device B may be considered an HTTP server during that time.
After the historical data has been modeled, the number of times a certain network device accesses another network device within a certain period of time is known. Suppose that according to the previous trend network device A never accesses network device B, but at a certain moment network device A suddenly accesses network device B frequently; it can then be confirmed that network device A has deviated from its normal access trend and that there is a certain risk.
On the other hand, from the past access trend of each network device, the role of a specific network device in a specific time period can be known; for example, network device B is an HTTP server between 12:00 and 13:00 every Thursday. If, between 12:00 and 13:00 on the Thursday of a certain week, no HTTP traffic accesses network device B any longer, or FTP traffic accesses network device B instead, this indicates that there is a certain risk for network device B.
Based on the above analysis, the method can be applied to daily monitoring of the network devices to determine whether abnormal behaviors exist in the network. Daily monitoring executes step S5 to obtain the actual traffic data of each network device, for example the number of accesses made and received by each network device in each time period, together with information such as the accessing source IP address, destination IP address, source port, destination port and communication protocol.
Then step S6 is performed to calculate the difference value between the actual traffic data and the historical data. For example, in the historical data network device A accesses network device B about 100 times and network device C about 20 times between 12:00 and 13:00 every Thursday, but on a certain Thursday network device A accesses network device B 351 times and network device C 95 times between 12:00 and 13:00; it can then be calculated that the difference value for network device A accessing network device B in this period is 251, and the difference value for network device A accessing network device C is 75.
Next, step S7 is executed to determine whether the difference value is greater than a preset threshold. In this embodiment a preset access threshold is set for each network device; for example, taking the number of accesses in that time period in the historical data as the reference, the preset threshold may be a percentage such as ±20%. That is, if the actual number of accesses is within ±20% of the reference value, no network abnormal behavior is considered to have occurred, and if the preset threshold is exceeded, network abnormal behavior is considered to have occurred.
If the determination in step S7 finds that no network abnormal behavior has occurred, no alarm information is issued and monitoring continues, that is, the process returns to step S5. If the determination in step S7 is yes, a network abnormal behavior may exist: step S8 is executed, alarm information of the network abnormal behavior is sent, and the user or network administrator is informed of the network attack behavior in time, so that the administrator can monitor it and adopt security measures, for example disconnecting the network connection of the attacker or the attacked party, or disconnecting the network connections of other network devices in the network topology, so as to prevent other network devices from being attacked and preserve the integrity of the network.
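Steps S4 to S7 above, as an added worked example that is not code from the patent or its assignee: hourly (first period) access counts per device pair are folded into weekly (second period) slots keyed by weekday and hour, the mean per slot is the reference ("about 100 times every Thursday"), the actual count for the same slot is compared against it, and the ±20% threshold decides whether to alarm. It also covers the two edge cases the description raises: a pair with no history at all (A never accessed B before), and a destination whose historical protocol in that slot changes (HTTP server reached over FTP, or not at all). The device names A, B, C, the sample counts and the dates are constructed; the patent does not specify how the weekly reference is aggregated, so taking the mean is an assumption.

```python
import statistics
from collections import defaultdict
from datetime import datetime

THRESHOLD = 0.20  # ±20% of the historical reference, as in the embodiment


def build_history(hourly_counts):
    """Step S4: fold first-period (hourly) counts into second-period (weekly) slots.
    hourly_counts is an iterable of (src_ip, dst_ip, proto, hour_start, count)
    tuples, one per device pair and hour.  Returns the reference count per
    (src, dst, weekday, hour) slot (the mean over the weeks seen; an assumption,
    the patent only says "about 100 times") and the set of protocols observed at
    each destination per (dst, weekday, hour) slot."""
    samples = defaultdict(list)
    protos = defaultdict(set)
    for src, dst, proto, hour_start, count in hourly_counts:
        slot = (hour_start.weekday(), hour_start.hour)
        samples[(src, dst) + slot].append(count)
        protos[(dst,) + slot].add(proto)
    reference = {key: statistics.mean(counts) for key, counts in samples.items()}
    return reference, dict(protos)


def check_access_count(reference, src, dst, when, actual, threshold=THRESHOLD):
    """Steps S6 and S7: difference against the contemporaneous reference and the
    ±threshold test.  A pair with no history has reference 0, so any access at all
    deviates from the trend (the "A never accessed B before" case).  Returns
    (difference, alarm)."""
    ref = reference.get((src, dst, when.weekday(), when.hour), 0)
    diff = actual - ref
    if ref == 0:
        alarm = actual > 0
    else:
        alarm = abs(diff) > threshold * ref
    return diff, alarm


def check_role(protos, dst, when, observed_protos):
    """Role check from the description: if B has historically been an HTTP server
    in this slot, seeing no HTTP at all, or FTP instead, is flagged.  Returns True
    when the observed protocol set differs from the historical one."""
    expected = protos.get((dst, when.weekday(), when.hour), set())
    if not expected:
        return False  # no role known for this slot, nothing to compare against
    return set(observed_protos) != expected


# Constructed sample history (not from the patent): four Thursdays, 12:00-13:00,
# averaging to the "about 100" and "about 20" figures used in the description.
THURSDAYS = [datetime(2020, 7, 30, 12), datetime(2020, 8, 6, 12),
             datetime(2020, 8, 13, 12), datetime(2020, 8, 20, 12)]
SAMPLE_HISTORY = (
    [("A", "B", "http", t, c) for t, c in zip(THURSDAYS, [98, 102, 100, 100])]
    + [("A", "C", "ssh", t, c) for t, c in zip(THURSDAYS, [18, 22, 20, 20])]
)
# A later Thursday inside the same 12:00-13:00 slot, used as the monitoring time.
EXAMPLE_NOW = datetime(2020, 8, 27, 12, 30)


if __name__ == "__main__":
    reference, protos = build_history(SAMPLE_HISTORY)
    print(check_access_count(reference, "A", "B", EXAMPLE_NOW, 351))  # (251, True)
    print(check_access_count(reference, "A", "C", EXAMPLE_NOW, 95))   # (75, True)
    print(check_access_count(reference, "A", "B", EXAMPLE_NOW, 110))  # (10, False)
    print(check_access_count(reference, "A", "D", EXAMPLE_NOW, 5))    # (5, True)
    print(check_role(protos, "B", EXAMPLE_NOW, ["ftp"]))              # True
```

The threshold is applied symmetrically, so a device that falls far below its usual access count (for example a server that goes quiet) is flagged as well as one that spikes; in practice an operator would want the zero-history case to be tunable, since a brand-new device pair will always alarm on its first appearance.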
Compared with the traditional scheme of establishing a feature library of abnormal network traffic behaviors, this embodiment can detect network abnormal behavior more rapidly and more accurately, and the detection is more targeted. The traditional feature library is established for the whole Internet, whereas the network topology constructed by this embodiment is built for a specific network, and the historical data obtained by analyzing the network traffic data on the basis of the network topology also belongs to that specific network topology: the volume of the historical data is small and a large amount of redundant information is eliminated, so when the historical data is compared with the actual traffic data the amount of computation is greatly reduced and the efficiency of analyzing network abnormal behavior is improved. In addition, since the historical data is obtained for the specific network topology, it is very specific, and network abnormal behavior can be found very accurately.
On the other hand, compared with modeling by machine learning, this embodiment can reduce the time spent on modeling and the amount of human participation. Modeling with machine learning requires running a machine for a period of time and collecting a large amount of data, then building the model on the collected data, and human involvement, such as adjusting the model, is also required in this process to ensure accuracy in detecting abnormal network behavior. In this embodiment, network abnormal behavior is detected on the basis of the network topology: once the network topology is established, the statistics of the historical data are collected in real time and network abnormal behavior is found automatically, so no human participation and no model adjustment are needed during detection, and the complexity and difficulty of detecting network abnormal behavior are greatly reduced.
Computer apparatus embodiment:
The computer device of the present embodiment may be a server, and the computer device includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, where the processor executes the computer program to implement the steps of the network abnormal behavior detection method based on network topology.
For example, a computer program may be split into one or more modules, which are stored in memory and executed by a processor to perform the various modules of the invention. One or more modules may be a series of computer program instruction segments capable of performing particular functions to describe the execution of a computer program in a computer device.
The processor referred to in the present invention may be a central processing unit (Central Processing Unit, CPU), or another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like; the processor is the control center of the computer device, and the various interfaces and lines connect the various parts of the overall computer device.
The memory may be used to store computer programs and/or modules, and the processor implements various functions of the computer device by running or executing the computer programs and/or modules stored in the memory, and invoking data stored in the memory. The memory may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the cellular phone, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, smart Media Card (SMC), secure Digital (SD) Card, flash Card (Flash Card), at least one disk storage device, flash memory device, or other volatile solid-state storage device.
Computer-readable storage medium embodiments:
The computer program stored in the above-mentioned computer device may be stored in a computer readable storage medium if it is implemented in the form of software functional units and sold or used as a separate product. Based on such understanding, the present invention may implement all or part of the flow of the method of the foregoing embodiment, or may be implemented by instructing related hardware by a computer program, where the computer program may be stored in a computer readable storage medium, and the computer program may implement the steps of the method for detecting network abnormal behavior based on network topology when executed by a processor.
The computer program comprises computer program code, which may be in the form of source code, object code, executable files or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content of the computer readable medium can be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions the computer readable medium does not include electrical carrier signals and telecommunication signals.
Finally, it should be emphasized that the invention is not limited to the above-described embodiments, e.g. variations of the network element information for analysing the network topology, or variations of the specific method of constructing the network topology, etc., which variations are intended to be included within the scope of the claims of the invention.

Claims (7)

1. A network abnormal behavior detection method based on a network topology, characterized by comprising the following steps:
acquiring network element information of network traffic data, marking each network device according to the network element information, and constructing a network topology according to the connections among a plurality of network devices;
counting traffic data of each network device in the network topology in a periodic preset historical period to form historical data, and determining the role of a specific network device in a specific time period according to the historical access trend of each network device;
acquiring actual traffic data of each network device in the network topology in a preset time, judging whether the difference between the actual traffic data and the historical data exceeds a preset threshold, and if so, sending out alarm information of network abnormal behavior;
wherein counting the traffic data of each network device in the network topology in the preset historical period comprises the following steps: counting traffic data of each network device in the network topology in a first time period, and counting traffic data of each network device in the network topology in a second time period, wherein the second time period is longer than the first time period;
when forming the historical data, the network traffic data of each network device is first counted according to the first time period, and the network traffic data of each first time period is then analysed according to the second time period, so as to form the historical data.
2. The network topology-based network abnormal behavior detection method of claim 1, wherein:
the network element information includes flow direction information and time information of the network traffic data.
3. The network topology-based network abnormal behavior detection method of claim 2, wherein:
the flow direction information of the network traffic data includes: the source IP address information, the source port information, the communication protocol information, the destination IP address information and the destination port information of the network traffic data.
4. The network topology-based network abnormal behavior detection method of claim 1, wherein:
the step of judging whether the difference between the actual traffic data and the historical data exceeds a preset threshold comprises: judging whether the difference between the actual traffic data of the network device in the second time period and the historical data of the same period exceeds the preset threshold.
5. The network topology-based network abnormal behavior detection method according to any one of claims 1 to 3, wherein:
marking each of the network devices according to the network element information comprises: identifying each network device according to the network element information, and using its IP address as the mark of each network device.
6. A computer device, characterized in that it comprises a processor and a memory, the memory storing a computer program which, when executed by the processor, implements the steps of the network topology-based network abnormal behavior detection method according to any one of claims 1 to 5.
7. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the network topology-based network abnormal behavior detection method according to any one of claims 1 to 5.
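The detection loop of claims 1 and 4, written out as an added example in Python (this is not the patent's own code): traffic is counted per device and per first-period slot, the first-period counts are averaged over each second period to form the historical data, and an alarm is raised when a device's actual bytes in a slot differ from that slot's baseline by more than a preset threshold. The period lengths (one hour, one day), the byte count as the traffic metric, the absolute threshold and the flow records are all assumptions made for the example.

```python
from collections import defaultdict, namedtuple

FIRST_PERIOD = 3600          # first time period: one hour (assumed value)
SECOND_PERIOD = 24 * 3600    # second time period: one day (assumed value), longer than the first

# One traffic record: time information plus the flow direction information of claim 3.
Flow = namedtuple("Flow", "ts src_ip src_port proto dst_ip dst_port nbytes")

def build_topology(flows):
    """Mark each device by its IP address (claim 5); edges are the observed (src, dst) pairs."""
    devices, edges = set(), set()
    for f in flows:
        devices.update((f.src_ip, f.dst_ip))
        edges.add((f.src_ip, f.dst_ip))
    return devices, edges

def count_first_period(flows):
    """Bytes per device per first-period slot, keyed (ip, second-period index, slot within it)."""
    counts = defaultdict(int)
    for f in flows:
        period, slot = f.ts // SECOND_PERIOD, (f.ts % SECOND_PERIOD) // FIRST_PERIOD
        for ip in (f.src_ip, f.dst_ip):
            counts[(ip, period, slot)] += f.nbytes
    return counts

def build_history(flows):
    """Historical data: mean bytes per (ip, slot) over all second periods seen.
    A slot with no traffic in some period counts as zero, so quiet hours keep a low baseline."""
    counts = count_first_period(flows)
    periods = {p for (_, p, _) in counts}
    totals = defaultdict(int)
    for (ip, _, slot), b in counts.items():
        totals[(ip, slot)] += b
    return {k: v / len(periods) for k, v in totals.items()}

def detect(history, actual_flows, threshold):
    """Alarm when a slot's actual bytes differ from that slot's baseline by more than threshold (claim 4)."""
    alarms = []
    for (ip, _, slot), b in sorted(count_first_period(actual_flows).items()):
        baseline = history.get((ip, slot), 0.0)   # unseen device: no history, baseline is zero
        if abs(b - baseline) > threshold:
            alarms.append({"device": ip, "slot": slot, "actual": b, "baseline": baseline})
    return alarms

# Constructed sample: two days of steady 1000-byte hourly flows, then a third day with a 50 kB burst at hour 2.
def hourly(day):
    return [Flow(day * SECOND_PERIOD + h * FIRST_PERIOD, "10.0.0.5", 40000 + h, "tcp", "10.0.0.1", 443, 1000)
            for h in range(24)]
HISTORY_FLOWS = hourly(0) + hourly(1)
ACTUAL_FLOWS = hourly(2) + [Flow(2 * SECOND_PERIOD + 2 * FIRST_PERIOD + 30, "10.0.0.9", 51000, "tcp", "10.0.0.1", 443, 50000)]
```

In the sample, the burst alarms twice: once on the server 10.0.0.1, whose hour-2 bytes jump far above its baseline, and once on 10.0.0.9, which has no history at all, so any traffic above the threshold from a newly appearing device is reported.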

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010861223.2A CN111935172B (en) 2020-08-25 2020-08-25 Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111935172A (en) 2020-11-13
CN111935172B (en) 2023-09-05

Family

ID=73305111

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010861223.2A Active CN111935172B (en) 2020-08-25 2020-08-25 Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111935172B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112583825B (en) * 2020-12-07 2022-09-27 四川虹微技术有限公司 Method and device for detecting abnormality of industrial system
CN112994978B (en) * 2021-02-25 2023-01-24 网宿科技股份有限公司 Network traffic monitoring method and device
CN112882905A (en) * 2021-03-22 2021-06-01 四川英得赛克科技有限公司 Method, system and electronic equipment for judging whether network communication behavior is abnormal or not
CN113709030B (en) * 2021-08-27 2024-04-23 新华三大数据技术有限公司 Control method and device for network traffic and electronic equipment
CN115834437A (en) * 2021-09-15 2023-03-21 中国移动通信集团山东有限公司 Network anomaly evaluation method and device, electronic equipment and storage medium
CN114422390B (en) * 2022-01-11 2024-02-13 支付宝(杭州)信息技术有限公司 Data processing method and device
CN114726758B (en) * 2022-06-01 2022-11-04 山东云天安全技术有限公司 Industrial network abnormity determining method and device, computer equipment and storage medium
CN115022078A (en) * 2022-06-28 2022-09-06 杭州康吉森自动化科技有限公司 Controller built-in network safety protection method and device and electronic equipment
CN115225385B (en) * 2022-07-20 2024-02-23 深信服科技股份有限公司 Flow monitoring method, system, equipment and computer readable storage medium
CN115038088B (en) * 2022-08-10 2022-11-08 蓝深远望科技股份有限公司 Intelligent network security detection early warning system and method
CN115442254B (en) * 2022-09-05 2024-01-30 南京中孚信息技术有限公司 Network data packet flow direction judging method and device and gateway equipment
CN116471066A (en) * 2023-04-06 2023-07-21 华能信息技术有限公司 Flow analysis method based on flow probe

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107733921A (en) * 2017-11-14 2018-02-23 深圳中兴网信科技有限公司 Network flow abnormal detecting method, device, computer equipment and storage medium
CN110380888A (en) * 2019-05-29 2019-10-25 华为技术有限公司 A kind of network anomaly detection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8676964B2 (en) * 2008-07-31 2014-03-18 Riverbed Technology, Inc. Detecting outliers in network traffic time series
US10404732B2 (en) * 2016-06-14 2019-09-03 Sdn Systems, Llc System and method for automated network monitoring and detection of network anomalies

Also Published As

Publication number Publication date
CN111935172A (en) 2020-11-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 1901, No. 120, Huangpu Avenue West, Tianhe District, Guangzhou, Guangdong 510,000 (office only)

Applicant after: Guangdong Yizhi Security Technology Co.,Ltd.

Address before: Room 1211, Building A2, No. 23, Middle Spectra Road, Huangpu District, Guangzhou, Guangdong 510000

Applicant before: Guangzhou Yizhi Security Technology Co.,Ltd.

CB02 Change of applicant information

Address after: Room 1211, Building A2, No. 23, Middle Spectra Road, Huangpu District, Guangzhou, Guangdong 510000

Applicant after: Guangzhou Yizhi Security Technology Co.,Ltd.

Address before: 519000 room 105-44388, No. 6, Baohua Road, Hengqin new area, Zhuhai, Guangdong (centralized office area)

Applicant before: ZHUHAI YIZHI SECURITY TECHNOLOGY Co.,Ltd.

GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Network abnormal behavior detection method, computer device, and computer-readable storage medium based on network topology

Granted publication date: 20230905

Pledgee: Bank of China Limited by Share Ltd. Guangzhou Tianhe branch

Pledgor: Guangdong Yizhi Security Technology Co.,Ltd.

Registration number: Y2024980011672