CN101026510A - Network flow abnormal detecting method and system - Google Patents


Info

Publication number
CN101026510A
Authority
CN
China
Prior art keywords
session
packet
udp
session status
data
Prior art date
Legal status: Granted
Application number: CNA2007100631920A
Other languages: Chinese (zh)
Other versions: CN100514921C (en)
Inventors: 沈刚, 丁思捷
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Events:
Application filed by Huawei Technologies Co Ltd
Priority to CNB2007100631920A, granted as CN100514921C
Publication of CN101026510A
Application granted
Publication of CN100514921C
Current legal status: Expired - Fee Related
Anticipated expiration

Abstract

The detection method comprises: receiving a packet, determining the packet type, and using a protocol session state machine (PSSM) built in advance to measure the degree of normality of the behaviour of the session or pseudo-session to which the packet belongs; then, based on the measurement result, using data mining to decide whether the session or pseudo-session is abnormal. By combining and improving the anomaly detection technique of network intrusion detection systems and the state tracking technique of firewalls, the invention establishes the PSSM as the behavioural model that normal sessions must follow, uses the state machine to detect and count errors in the packets of sessions or pseudo-sessions passing through the detection system, and combines this with data mining to make the anomaly decision, so that unknown attacks exhibiting abnormal session behaviour can be found effectively.

Description

Network traffic anomaly detection method and system
Technical field
The present invention relates to communication networks, in particular to the detection of network traffic anomalies, and specifically to a network traffic anomaly detection method and system.
Background art
Intrusion detection techniques are usually divided into two classes: misuse detection and anomaly detection. Misuse detection compares received packets against the signatures of known attacks and therefore cannot reach a verdict on unknown attacks. Anomaly detection observes traffic behaviour, takes the normal behaviour of the network as its reference, and regards any traffic inconsistent with the expected normal behaviour as anomalous, since it may contain a new, unknown attack pattern. The intrusion detection means in use include simple pattern matching, stateful pattern matching, protocol-decoding-based signature matching, heuristic signature matching and so on. In general, a signature-based intrusion detection system can inspect the contents of every protocol layer, whereas anomaly-based detection can only examine the situation at layer 3, the network layer. The key questions for anomaly detection are how to establish the normal usage pattern and how to compare that pattern with the current traffic behaviour in order to judge the degree of deviation from the normal pattern. A pattern is usually defined by a set of system metrics, where a metric is a criterion for system or user behaviour in a particular respect.
Anomaly-based intrusion detection can be further divided into two classes: fixed normal patterns and learned normal patterns. In the open-source project SNORT, a preprocessor can be given a preset threshold; when some metric of the observed flow departs from the fixed rule by more than that threshold, a corresponding action is taken. This approach requires assumptions about the normal behaviour of the network metrics, which are then fixed in the form of thresholds. The other approach uses newer methods from artificial intelligence, machine learning, data mining or statistics to infer the normal traffic characteristics, and then detects abnormal traffic on the basis of statistics over network measurements.
An example of the prior art is the preprocessor in the open-source project SNORT. The general format of a SNORT rule is shown in Table 1; such rules operate on the network and transport layers.
Table 1
Action | Protocol | Address | Port | Direction | Address | Port
In Table 1, Action is the action to take and Protocol the protocol; the first Address and Port are the source, the second Address and Port the destination, and Direction gives the direction of the traffic between them.
The protocol may be IP, Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
A rule may be followed by options, each made up of a keyword and a parameter; within the options, the content keyword and its parameter specify the feature that must match. For each received packet, SNORT performs rule matching, and if the packet agrees with the rule and with the parts of the options that require a match, SNORT performs the action defined by "Action". For example: alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; ...)
Before applying the rules, SNORT can operate on received packets with preprocessors. Some preprocessors serve to detect anomalies or obvious data errors in packets. Preprocessing rules are written in the configuration file. Taking TCP-based detection as an example, the preprocessor entry added to the configuration file snort.conf has the form:
preprocessor portscan: <address> <port> <timeperiod> <file>. The portscan preprocessor, which detects port scanning attacks, has four configurable parameters: the monitored IP address range, the number of ports accessed, the time interval and the log file name. Here "timeperiod" specifies, in seconds, the time interval used as the threshold, and "port" gives the upper limit on the number of ports that an IP in the "address" range may access within that interval.
However, preprocessor-based anomaly detection in SNORT has the following problems:
1) Limited effectiveness.
Taking portscan as an example, the values given for "port" and "timeperiod" must be derived by security experts or SNORT administrators from an analysis of existing intrusion behaviour; yet, faced with increasingly complex network conditions, expert experience alone usually lacks completeness and accuracy. In addition, the data sources the system can process are limited, which also restricts its detection capability to some extent.
2) Weak adaptability.
A fixed preprocessing configuration is often hard to adapt to the endless stream of novel attack patterns.
3) Limited extensibility.
Anomaly detection in a preprocessor is specific to a given environment and attack and is not general; reusing and customising an established intrusion detection system in a new network environment is very difficult.
In addition, state tracking is an access control technique used in firewalls. Firewall techniques include packet filtering, which operates mainly at protocol layer 3; stateful inspection, which operates at protocol layer 4; and application-layer proxy gateway firewalls and dedicated proxy servers.
In a state-tracking firewall, the connection state is used to help decide whether a packet may pass through the firewall; for example, the firewall can be set to allow only responses to existing requests into the secure zone, and recognising a response to an existing request is exactly the result of state inspection.
Under stateful inspection, the state of every TCP connection is recorded in a connection state tracking table, so the firewall can control individual client ports, adding management of layer 4 of TCP/IP, and is therefore safer than a simple packet-filtering firewall.
In a stateful inspection firewall, the connection state tracking table monitors changes in the state of TCP connections, so access can be controlled at a finer granularity, for instance allowing only replies to requests from the intranet to the extranet back into the intranet. In essence, stateful inspection adds TCP-layer processing on top of standard packet filtering. Connectionless protocols such as UDP can be tracked by means of virtual connections. Each packet is compared against the state in the connection state table to which it belongs, and only packets that match the state are legitimate. The elements that make up the state include source/destination address, source/destination port, protocol number, flags, sequence number, acknowledgement number, ICMP code and type, application-layer header and application-layer commands. Taking TCP as an example, RFC 793 defines 11 connection states: LISTEN, SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSE_WAIT, CLOSING, LAST_ACK, TIME_WAIT and CLOSED.
Fig. 1 is the TCP state transition diagram. In it, → describes the normal state transitions of the client and - - - the normal state transitions of the server; "application process" marks a state change that occurs when the application performs some operation; "receive" marks the state transition on receiving a TCP segment; and "send" marks the TCP segment that must be sent to perform a given state change.
The use of the state transition diagram is illustrated with reference to Fig. 1. An active opener starts in CLOSED, first sends a packet with the SYN flag to request a connection and enters SYN_SENT; on receiving the responder's packet carrying SYN and ACK it sends an ACK packet, the connection is established and it enters ESTABLISHED, completing the three-way handshake.
In short, stateful inspection is an access control technique used in firewalls, not an intrusion detection technique; even when an illegal packet appears, it cannot determine whether the packet was caused by an attack.
As the above shows, the prior art does not combine the anomaly detection technique of network intrusion detection systems with the state tracking technique of firewalls;
there are no state transition diagrams for UDP and ICMP; and the prior-art TCP state transition diagram is also complicated.
Summary of the invention
In view of the above problems in the prior art, embodiments of the invention provide a network traffic anomaly detection method and system. Aimed at attacks in TCP/IP networks, the embodiments establish protocol session state machines as the behaviour pattern that normal sessions must follow, use these session state machines to detect and count errors in the TCP, UDP and ICMP packets flowing through the network, and combine this with data mining to make the anomaly decision, so that abnormal network behaviour is found effectively.
The embodiments provide a network traffic anomaly detection method comprising the steps of:
receiving a packet, determining the packet type, and using a protocol session state machine established in advance to measure the degree of normality of the behaviour of the session or pseudo-session to which the packet belongs;
according to the result of the measurement, using data mining to decide whether the session or pseudo-session is abnormal.
The embodiments also provide a network traffic anomaly detection system comprising at least a memory, a packet processing unit and a data mining unit, where:
the memory stores the protocol session state machines;
the packet processing unit is connected to the memory and receives packets, determines the packet type, and uses the protocol session state machines stored in the memory to measure the degree of normality of the behaviour of the session or pseudo-session to which the packet belongs;
the data mining unit is connected to the packet processing unit and, according to the measurement result, uses data mining to decide whether the session or pseudo-session to which the packet belongs is abnormal.
The beneficial effect of the embodiments is that the anomaly detection technique of network intrusion detection systems and the state tracking technique of firewalls are combined and improved: protocol session state machines are established as the behaviour pattern that normal sessions must follow, the state machines are used to detect and count errors in the packets of sessions or pseudo-sessions passing through the detection system, and data mining is combined with this to make the anomaly decision, so that unknown attacks with abnormal session behaviour patterns are found effectively.
Description of drawings
Fig. 1 is the TCP state transition diagram of the prior art;
Fig. 2 is the TCP session state transition diagram of an embodiment of the invention;
Fig. 3 is the UDP session state transition diagram of an embodiment of the invention;
Fig. 4 is the ICMP session state transition diagram of an embodiment of the invention;
Fig. 5 is the traffic anomaly detection flowchart of an embodiment of the invention;
Fig. 6 is the structural diagram of the traffic anomaly detection system of an embodiment of the invention.
Embodiments
Embodiments of the invention provide a network traffic anomaly detection method and system. The method comprises the steps of: receiving a packet, determining the packet type, and using a protocol session state machine established in advance to measure the degree of normality of the behaviour of the session or pseudo-session to which the packet belongs; and, according to the result of the measurement, using data mining to decide whether the session or pseudo-session is abnormal.
The embodiments combine and improve the anomaly detection technique of network intrusion detection systems and the state tracking technique of firewalls: aimed at attacks in TCP/IP networks, they establish protocol session state machines as the behaviour pattern that normal sessions must follow, use those session state machines to detect and count errors in the TCP, UDP and ICMP packets flowing through the network, and combine this with data mining to make the anomaly decision, finding abnormal network behaviour effectively.
In this embodiment, the detection method is illustrated by taking the reception of Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) packets as an example, with protocol session state machines for normal behaviour established for TCP, UDP and ICMP packets. For each packet the detection system receives, if it uses one of these three protocols, the corresponding protocol session state machine can be used for anomaly detection.
When the received packet is a TCP packet, the existing TCP session state machine of Fig. 1 can be used to measure the normal behaviour of the session to which the TCP packet belongs.
Preferably, the embodiment improves on the existing TCP session state machine and establishes a new TCP session state machine, so that when the received packet is a TCP packet the TCP state machine of Fig. 2 can be used for the measurement instead.
In addition, a UDP session state machine is established, as shown in Fig. 3; when the received packet is a UDP packet, the UDP session state machine of Fig. 3 is used for the measurement.
When the received packet is an ICMP packet, either the UDP session state machine or the ICMP session state machine of Fig. 4 is used, depending on the type of the received ICMP packet. In this embodiment, when the received ICMP packet is of type port unreachable, the UDP session state machine is used for the measurement; when it is of a type other than port unreachable, the ICMP session state machine is used.
The session state machines established by the embodiments are first described in detail with reference to Figs. 2 to 4.
First, a brief description of the protocol session state machine. A protocol session state machine is a finite state machine, which is a common modelling method for describing the behaviour of discrete event systems. A finite state machine can be represented by a five-tuple {S, E, s, δ, F}, where
S is a finite set of states; E is a finite set of events; s is an element of S, the initial state of the system; δ is a mapping defined on S x E → S, called the state transition function; and F is a subset of S, the set of final states. Here,
the state transition function describes the relation by which, driven by an event, the finite state machine moves from the current state to the next state; it is a mapping from ordered pairs of state and event to states;
a state transition means that, when the machine is in the initial state and a packet is received, the contents of the packet are mapped to the corresponding event, the session to which the packet belongs is moved to the next state according to the current state and that event, and that state becomes the current state; driven by the events contained in newly received packets, this process of state change continues;
the initial state is an element of the state set, and the set of final states is a subset of the state set.
In this embodiment, normal-behaviour session finite state machines are established for TCP, UDP and ICMP packets respectively, as shown in the state transition diagrams of Figs. 2 to 4, and a processing method for ICMP packets is given.
Fig. 2 is the TCP session state transition diagram. In it,
the TCP session state machine comprises a state set, an event set, an initial state, a state transition function and a set of final states, where
the state set comprises the initial state, the error state and the end states, and the states include: idle (Idle), synchronise (Syn), acknowledge (Ack), connection established (Establish), data received (Data RCVD), data sent (Data SEND), reset (RST), finish wait (FinWait), finish wait I (FinWaitI), FinWait_A, FinWait_B, FinWait_C, FinWait_D, FinWaitI_A, FinWaitI_B, FinWaitI_C and FinWaitI_D;
the event set comprises: synchronise (Syn), acknowledge (Ack), reset (RST), finish-acknowledge (FinAck) and data (Data);
the state transition function is as shown in Fig. 2, where a state transition means that, when the machine is in the initial state and a packet is received, the contents of the packet are mapped to the corresponding event and the session to which the packet belongs is moved to the next state according to the current state and that event.
For example, as shown in Fig. 2: when the initial state is Idle and the received packet carries a forward synchronise event (+Syn), the Idle state moves to the Syn state; when the received packet carries a reverse synchronise-acknowledge event (-SynAck), the Syn state moves to the Ack state; when the received packet carries a forward acknowledge event (+Ack), the Ack state moves to the Establish state;
when the received packet carries a reverse data event (-Data) or a forward data event (+Data), the Establish state moves to the Data RCVD state or the Data SEND state respectively;
when the received packet carries a forward (+Data) or reverse (-Data) data event, the Data RCVD or Data SEND state moves to Data SEND or Data RCVD respectively;
when the received packet carries a forward synchronise (+Syn) or forward reset (+RST) event, the current Ack, Establish, Data RCVD or Data SEND state moves to the error state (Error);
when the received packet carries a forward or reverse finish-acknowledge event (+/-FinAck), the Establish, Data RCVD or Data SEND state moves to the FinWaitI or FinWait state;
the other cases follow in the same way and are not repeated here.
Notes to Fig. 2:
1. The "+" and "-" signs on an event denote its direction; for example, if sending data from A to B is "+Data", then sending data from B to A is "-Data".
2. When a state transition occurs, the session timer is reset. If no state change occurs within a preset time T, the timer fires and generates a TIMEOUT event, which is recorded as one ERROR in every state except the initial, error and final states.
3. The flag bits of a Data event are ACK or PSH+ACK, so that data acknowledgements and data are handled uniformly.
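As an added example, not part of the patent, the following Python reproduces the Fig. 2 transitions listed above as a lookup table, keeps one tracking-table row per five-tuple, and runs constructed packet sequences through it. Fig. 2 itself is not on the page, so the mapping from TCP flags to events, the handling of an event not permitted in a state (count an error and keep the state), the once-per-period TIMEOUT charge and the collapsing of the FinWait sub-states into a single Closed state are assumptions; the addresses and packets are constructed.

```python
from dataclasses import dataclass

# Event direction (note 1 of Fig. 2): "+" is initiator A -> responder B, "-" is B -> A.
IDLE, SYN, ACK, ESTAB = "Idle", "Syn", "Ack", "Establish"
DATA_RCVD, DATA_SEND = "Data RCVD", "Data SEND"
FINWAIT, FINWAITI, CLOSED, ERROR = "FinWait", "FinWaitI", "Closed", "Error"

# State transition function: (state, event) -> next state. Transitions named in the text are
# reproduced; lines marked "assumed" fill in what Fig. 2 would show.
TRANSITIONS = {
    (IDLE, "+Syn"): SYN, (SYN, "-SynAck"): ACK, (ACK, "+Ack"): ESTAB,
    (ESTAB, "-Data"): DATA_RCVD, (ESTAB, "+Data"): DATA_SEND,
    (DATA_RCVD, "+Data"): DATA_SEND, (DATA_SEND, "-Data"): DATA_RCVD,
    (DATA_RCVD, "-Data"): DATA_RCVD, (DATA_SEND, "+Data"): DATA_SEND,  # assumed: same-direction data
    (FINWAITI, "-FinAck"): CLOSED, (FINWAIT, "+FinAck"): CLOSED,       # assumed: FinWait sub-states collapsed
}
for _s in (ACK, ESTAB, DATA_RCVD, DATA_SEND):
    TRANSITIONS[(_s, "+Syn")] = ERROR   # forward SYN inside a live session
    TRANSITIONS[(_s, "+RST")] = ERROR   # forward reset
for _s in (ESTAB, DATA_RCVD, DATA_SEND):
    TRANSITIONS[(_s, "+FinAck")] = FINWAITI
    TRANSITIONS[(_s, "-FinAck")] = FINWAIT

@dataclass
class Session:
    """One row of the session state tracking table: five-tuple, current state, error count."""
    key: tuple
    state: str = IDLE
    last_change: float = 0.0
    errors: int = 0

def tcp_event(flags, payload_len, state):
    """Map TCP flags to an event name (assumed; the page lists only the event set).
    Per note 3 of Fig. 2, ACK and PSH/ACK both count as Data once the handshake is done."""
    if "RST" in flags:
        return "RST"
    if "SYN" in flags:
        return "SynAck" if "ACK" in flags else "Syn"
    if "FIN" in flags:
        return "FinAck"
    if "ACK" in flags and (payload_len or state != ACK):
        return "Data"
    return "Ack"

class TcpSessionTracker:
    def __init__(self, timeout=60.0):
        self.timeout = timeout   # preset value T of note 2
        self.table = {}          # five-tuple -> Session

    def _lookup(self, p):
        """Find the packet's session; a match on the reversed tuple is the '-' direction."""
        fwd = (p["src"], p["dst"], p["sport"], p["dport"], "TCP")
        rev = (p["dst"], p["src"], p["dport"], p["sport"], "TCP")
        if fwd in self.table:
            return self.table[fwd], "+"
        if rev in self.table:
            return self.table[rev], "-"
        self.table[fwd] = Session(fwd, last_change=p["ts"])
        return self.table[fwd], "+"

    def check_timeouts(self, now):
        """Cyclic check: a session stuck longer than T outside Idle/Error/Closed is charged
        one ERROR for the TIMEOUT event (once per period, an assumption)."""
        for s in self.table.values():
            if s.state not in (IDLE, ERROR, CLOSED) and now - s.last_change > self.timeout:
                s.errors += 1
                s.last_change = now

    def feed(self, p):
        """Advance the session packet p belongs to and return its new state."""
        self.check_timeouts(p["ts"])
        sess, direction = self._lookup(p)
        event = direction + tcp_event(p["flags"], p.get("len", 0), sess.state)
        nxt = TRANSITIONS.get((sess.state, event))
        if nxt is None:
            sess.errors += 1     # event not permitted here: count an error, keep the state (assumed)
            return sess.state
        if nxt == ERROR:
            sess.errors += 1
        sess.state = nxt
        sess.last_change = p["ts"]   # note 2: the session timer resets on every transition
        return sess.state

def replay(packets, timeout=30.0):
    """Run packets through a fresh tracker: (state after each packet, total error count)."""
    tr = TcpSessionTracker(timeout)
    states = [tr.feed(p) for p in packets]
    return states, sum(s.errors for s in tr.table.values())

# Constructed packets, not captured traffic: a clean session, a reset right after the
# handshake, and a SYN left half-open for longer than T before the next packet arrives.
A, B, C = "10.0.0.5", "10.0.0.9", "10.0.0.7"

def pkt(ts, src, dst, sport, dport, flags, length=0):
    return {"ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": set(flags), "len": length}

NORMAL = [
    pkt(0.00, A, B, 40001, 80, ["SYN"]), pkt(0.01, B, A, 80, 40001, ["SYN", "ACK"]),
    pkt(0.02, A, B, 40001, 80, ["ACK"]), pkt(0.03, A, B, 40001, 80, ["PSH", "ACK"], 120),
    pkt(0.04, B, A, 80, 40001, ["PSH", "ACK"], 800), pkt(0.05, A, B, 40001, 80, ["FIN", "ACK"]),
    pkt(0.06, B, A, 80, 40001, ["FIN", "ACK"]),
]
RESET_AFTER_HANDSHAKE = NORMAL[:3] + [pkt(0.03, A, B, 40001, 80, ["RST"])]
HALF_OPEN = [pkt(0.0, A, B, 40002, 80, ["SYN"]), pkt(100.0, C, B, 40003, 80, ["SYN"])]
```

replay(NORMAL) walks Idle, Syn, Ack, Establish, Data SEND, Data RCVD, FinWaitI, Closed with no errors; the forward RST after the handshake lands in Error and counts one error; the half-open SYN is charged one TIMEOUT error by the cyclic check when the next packet arrives 100 s later. Those per-row error counts are what the session state tracking table accumulates for the measurement step.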
Fig. 3 is the UDP session state transition diagram. In it,
the UDP session state machine comprises a state set, an event set and a state transition function, where
the state set comprises the initial state, intermediate states and the error state: the initial state is Idle, and the intermediate states are RCVD and SEND;
the event set comprises: Data and ICMP;
the state transition function is as shown in Fig. 3; the state transitions work in the same way as in Fig. 2 and are not repeated here.
Notes to Fig. 3:
1. The "+" and "-" signs on an event denote its direction; for example, if sending data from A to B is "+Data", then sending data from B to A is "-Data".
2. If no state change occurs within a preset time T, the system finds the session by a cyclic check, reports a TIMEOUT, and records one ERROR.
3. Data means any data other than ICMP.
In addition, this embodiment provides a processing method for ICMP packets and establishes a corresponding ICMP session state machine.
ICMP is the Internet Control Message Protocol, used to report error conditions to hosts or routers and to carry out corresponding control operations. ICMP is not an upper-layer protocol; it belongs to the internetwork layer. Its functions mainly include probing whether a remote host exists, establishing and maintaining routing data, and redirecting data transmission paths.
At the aggregation layer, the ICMP packets that can cause noticeable traffic are mainly of three types:
Port unreachable: destination unreachable is divided into several types, but the packets associated with attacks are usually port unreachable packets corresponding to UDP datagrams.
Echo request: the PING packet, used to ask whether a remote host exists.
Echo reply: the PONG packet, used to answer a remote query.
In this embodiment, a corresponding solution is proposed for each of these three packet types.
1. UDP port unreachable. The format of this packet is shown in Table 2:
Table 2
ICMP header | IP header of the erroneous datagram | UDP header of the erroneous datagram
In this embodiment, when such a packet is captured, the contents of the erroneous IP header and the erroneous UDP header are turned into a reversed session identification five-tuple: the source IP of the erroneous IP header becomes the destination IP of the new five-tuple, its destination IP becomes the source IP of the new five-tuple, the destination port of the erroneous UDP header becomes the source port of the new five-tuple, its source port becomes the destination port of the new five-tuple, and the protocol type of the new five-tuple is set to UDP. The port unreachable packet is then mapped to an ICMP event in the UDP state machine corresponding to the new five-tuple. In this way the UDP port unreachable packet is mapped into the UDP state machine, so when the received packet is a port unreachable packet, the UDP state machine can be used for detection and error counting.
2. PING and PONG packets
(1) PING packet. Because this packet asks whether a host is reachable and has no service port, it is processed as follows: the source IP of the five-tuple is set to the source IP of the packet, the destination IP of the five-tuple to the destination IP of the packet, the source port to 0, the destination port to 65535, and the protocol type to ICMP.
(2) PONG packet. Because this packet answers such a query and likewise has no service port, it is processed as follows: the source IP of the five-tuple is set to the source IP of the packet, the destination IP of the five-tuple to the destination IP of the packet, the source port to 65535, the destination port to 0, and the protocol type to ICMP. Fig. 4 is the ICMP state transition diagram.
When the received packet is a PING or PONG packet, the state machine of Fig. 4 is used to measure the normal behaviour of the pseudo-session to which the packet belongs.
The ICMP session state machine comprises a state set, an event set and a state transition function, where
the state set comprises the initial state, intermediate states and the error state: the initial state is Idle, and the intermediate states are Ping and Pong;
the event set comprises: Ping and Pong;
the state transition function is as shown in Fig. 4; the state transitions work in the same way as in Fig. 2 and are not repeated here.
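As an added example that is not part of the patent, the following Python derives the three ICMP session keys exactly as described: it parses a constructed type 3, code 3 message laid out as in Table 2, reverses the quoted five-tuple so that the message lands on the UDP session it answers as an ICMP event, and forms the PING and PONG pseudo-session tuples with ports 0 and 65535. Figs. 3 and 4 are not on the page, so the UDP and ICMP transition tables, the treatment of a port unreachable reply as the error state, and the handling of an event not permitted in a state (count an error, keep the state) are assumptions; the addresses and messages are constructed.

```python
import struct

UDP_PROTO = 17

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def ip_str(raw4):
    return ".".join(str(b) for b in raw4)

def build_port_unreachable(orig_src, orig_dst, sport, dport):
    """Construct (not captured) an ICMP type 3 code 3 message as Table 2 lays it out:
    ICMP header, then the IP header and UDP header of the datagram that failed.
    Checksums are left zero, which is enough for parsing."""
    icmp_hdr = struct.pack("!BBHI", 3, 3, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, UDP_PROTO, 0,
                         ip_bytes(orig_src), ip_bytes(orig_dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    return icmp_hdr + ip_hdr + udp_hdr

def session_key_for_icmp(src_ip, dst_ip, raw):
    """Return (five_tuple, event) for an ICMP packet, following the page's three cases."""
    icmp_type, code = struct.unpack("!BB", raw[:2])
    payload = raw[8:]
    if icmp_type == 3 and code == 3:                      # UDP port unreachable
        if payload[9] != UDP_PROTO:
            raise ValueError("port unreachable quoting a non-UDP datagram")
        ihl = (payload[0] & 0x0F) * 4                     # length of the quoted IP header
        inner_src, inner_dst = ip_str(payload[12:16]), ip_str(payload[16:20])
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
        # Reverse the quoted five-tuple so the message joins the UDP session it answers.
        return (inner_dst, inner_src, dport, sport, "UDP"), "ICMP"
    if icmp_type == 8:                                    # echo request: PING pseudo-session
        return (src_ip, dst_ip, 0, 65535, "ICMP"), "Ping"
    if icmp_type == 0:                                    # echo reply: PONG, ports swapped
        return (src_ip, dst_ip, 65535, 0, "ICMP"), "Pong"
    raise ValueError(f"ICMP type {icmp_type} is outside the three cases handled here")

# Figs. 3 and 4 are not on the page; these tables are assumed, following the Fig. 2 pattern.
UDP_FSM = {("Idle", "+Data"): "SEND", ("SEND", "-Data"): "RCVD", ("RCVD", "+Data"): "SEND",
           ("SEND", "+Data"): "SEND", ("RCVD", "-Data"): "RCVD",
           ("SEND", "-ICMP"): "Error", ("RCVD", "-ICMP"): "Error"}
ICMP_FSM = {("Idle", "+Ping"): "Ping", ("Ping", "-Pong"): "Pong",
            ("Pong", "+Ping"): "Ping", ("Ping", "+Ping"): "Ping"}

class PseudoSessionTracker:
    """Session state tracking table for UDP sessions and ICMP pseudo-sessions."""

    def __init__(self):
        self.table = {}   # five-tuple -> [state, error count]

    def feed(self, key, event):
        """Apply event to the row for key; the reversed tuple matches as the '-' direction."""
        rev = (key[1], key[0], key[3], key[2], key[4])
        if key in self.table:
            row, d = self.table[key], "+"
        elif rev in self.table:
            row, d = self.table[rev], "-"
        else:
            row, d = self.table.setdefault(key, ["Idle", 0]), "+"
        fsm = UDP_FSM if key[4] == "UDP" else ICMP_FSM
        nxt = fsm.get((row[0], d + event))
        if nxt is None or nxt == "Error":
            row[1] += 1          # undefined transition or explicit error state: count an ERROR
        if nxt is not None:
            row[0] = nxt
        return row[0], row[1]

def scenario():
    """Constructed traffic: a UDP probe answered by port unreachable, a PING answered by a PONG,
    and an unsolicited PONG from a third host. Returns (state, errors) after each packet."""
    A, B, C = "192.0.2.10", "192.0.2.20", "192.0.2.30"
    tr = PseudoSessionTracker()
    out = [tr.feed((A, B, 40000, 53, "UDP"), "Data")]
    out.append(tr.feed(*session_key_for_icmp(B, A, build_port_unreachable(A, B, 40000, 53))))
    out.append(tr.feed(*session_key_for_icmp(A, B, struct.pack("!BBHHH", 8, 0, 0, 1, 1))))
    out.append(tr.feed(*session_key_for_icmp(B, A, struct.pack("!BBHHH", 0, 0, 0, 1, 1))))
    out.append(tr.feed(*session_key_for_icmp(C, A, struct.pack("!BBHHH", 0, 0, 0, 7, 1))))
    return out
```

Because the PONG tuple swaps the two port values, the reply's tuple is the reverse of the request's and matches the existing pseudo-session in the "-" direction; an echo reply with no matching request creates a new Idle row in which +Pong is not a permitted event, so it is counted as an error, and the port unreachable answer to the UDP probe moves that session to Error.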
The protocol session state machines shown in Figs. 2 to 4 are only preferred embodiments of the invention, which is not limited to them.
The detection system and method of the embodiments are described in detail below with reference to Figs. 5 and 6.
Embodiment one
This embodiment provides a network traffic anomaly detection system. As shown in Fig. 6, the detection system 600 comprises a memory 604, a packet processing unit 602 and a data mining unit 603, where
the memory 604 stores the protocol session state machines; in this embodiment, where TCP, UDP and ICMP packets are received, the protocol session state machines stored in the memory 604 are the TCP session state machine, the UDP session state machine and the ICMP session state machine, though the system is not limited to this case;
the packet processing unit 602 is connected to the memory 604 and receives packets, determines the packet type, and uses the protocol session state machines stored in the memory 604 to measure the degree of normality of the behaviour of the session or pseudo-session to which the packet belongs;
the data mining unit 603 is connected to the packet processing unit 602 and, according to the measurement result, uses data mining to decide whether the session or pseudo-session to which the packet belongs is abnormal.
In this embodiment, the memory 604 also stores a session state tracking table.
As shown in Fig. 6, the detection system 600 further comprises an initialisation unit 601, connected to the memory 604, which initialises the session state tracking table stored in the memory 604 before the detection system 600 receives packets, setting the contents of the table to empty.
The packet processing unit 602 may further comprise a receiving unit 602a, a processing unit 602b and a measurement unit 602c, where
the receiving unit 602a receives packets and passes them to the processing unit 602b;
the processing unit 602b determines the packet type and processes the received packet with the protocol session state machine according to its type;
the measurement unit 602c uses the protocol session state machines stored in the memory to measure the degree of normality of the behaviour of the session or pseudo-session to which the packet belongs, and sends the measurement result to the data mining unit 603.
Measuring the degree of normality of the behaviour of the session or pseudo-session means: the error count values in the session state tracking table are aggregated, and the aggregated error count value serves as the measure of the degree of normality of the session or pseudo-session behaviour.
Thus, in this embodiment, the processing unit 602b determines the packet type and processes the packet accordingly; when the result of processing is the error state, or the packet's session is not present in the session state tracking table, the error count value in the session state tracking table is incremented. The measurement unit 602c aggregates the error count values in the session state tracking table, takes the aggregated error count value as the measure of the degree of normality of the session or pseudo-session behaviour, and sends the statistics to the data mining unit 603. The error count values in the session state tracking table may be aggregated periodically.
In this embodiment, the identifier of a session or pseudo-session means: source address, source port, destination address, destination port and protocol. Table 3 shows an entry of the session state tracking table.
Table 3
The cryptographic Hash of five-tuple Source IP address Purpose IP address Source port Destination interface
Protocol number Current state The time interval Multiframe/IP side-play amount more TCP expects sequence number Error count (vector)
As shown in table 4, exemplify concrete session status Track Table.
Table 4
0 202.199.22.48 202.205.3.142 6775 80
TCP SYN 2 0 0 0
210.42.100.7 202.108.9.78 10000 25
UDP SEND 100 0 0 2
In this embodiment, when the packet is an ICMP packet and its ICMP type is judged to be a port-unreachable message triggered by a UDP packet, the measurement is made with the UDP session state machine; if the ICMP packet is judged not to be a port-unreachable message, the measurement is made with the ICMP session state machine.
When the packet is a TCP or UDP packet, the measurement is made with the TCP or UDP session state machine respectively.
The network traffic anomaly detection method of the embodiment of the invention is now described in detail, taking the above detection system as an example.
Embodiment two
The embodiment of the invention provides a network traffic anomaly detection method. The method comprises the steps of: receiving a packet, determining the packet type and measuring, with a protocol session state machine established in advance, the normality of the behaviour of the session or pseudo-session to which the packet belongs; and, according to the measurement result, determining by data mining whether the session or pseudo-session is abnormal.
In this detection system, the established protocol session state machines shown in Figures 2 to 4 are stored in the memory 604;
in addition, a session state tracking table is established and stored in the memory 604. Each session (or pseudo-session) entry in the table comprises at least the identifier of the session or pseudo-session, the current state of the session and the error count value. In this embodiment the identifier means: source address, source port, destination address, destination port and protocol. The session state tracking table is as shown in Tables 3 and 4 and is not described again here, although it is not limited to that form.
The detection method of the embodiment of the invention is described below in conjunction with the detection system shown in Figure 6.
First, initialization is performed: the initialization unit 601 initializes the session state tracking table in the memory 604 so that its contents are empty (see step 500).
The packet processing unit 602 of the detection system receives a packet, determines the packet type and, according to the type, measures the normality of the session or pseudo-session to which the packet belongs with the ICMP, UDP or TCP session state machine. The receiving unit 602a receives the packet (see step 501) and passes it to the processing unit 602b and the metric unit 602c, which respectively process the packet and collect the error count values, the collected error count serving as the metric of normality of the session or pseudo-session to which the packet belongs. The specific steps are as follows:
first check whether the IP fragments of the packet are complete (see step 502); if they are not, discard the packet (see step 502'); if they are, determine the packet type;
determine whether the packet is an ICMP packet (see step 503); if it is, determine the ICMP type, that is, whether it is a port-unreachable message corresponding to a UDP packet (see step 504);
if it is a port-unreachable packet, map it to the corresponding UDP session state machine and use the UDP session state machine to measure the normality of the pseudo-session (see step 505). The mapping of the port-unreachable packet to the corresponding UDP session state machine was described above and is not repeated here.
In step 505, the UDP session state machine may measure the normality of the pseudo-session as follows:
according to the UDP protocol and the session identifier five-tuple contained in the port-unreachable packet, map to the corresponding session state tracking table; determine whether the entry of the pseudo-session to which the packet belongs already exists in the previously established session state tracking table; if it exists, increment the error count value of that entry; if it does not exist, create a new session entry in the session state tracking table according to the session identifier five-tuple and modify the error count value of that entry, that is, add 1 to the error count.
The metric unit 602c then periodically collects the error count values and uses the collected error count as the metric of normality of the pseudo-session behaviour.
If step 504 determines that the ICMP packet is not a port-unreachable message, for example an echo request or echo reply (PING or PONG), the ICMP session state machine is used to measure the normality of the pseudo-session behaviour (see step 506). In step 506, the normality of the pseudo-session may be measured as follows:
determine whether the entry of the pseudo-session to which the packet belongs already exists in the previously established session state tracking table; if it exists, check the received packet against the ICMP session state machine, which comprises: according to the header contents of the received packet, judge the packet's direction of transmission and map it to the corresponding event; according to the protocol session state machine of the packet's protocol type, the session's current state and that event, move the session to the next state and update the corresponding contents of the session state tracking table; then detect whether the current state is an error state; when it is, increment the error count value of that entry in the session state tracking table.
The metric unit 602c then periodically collects the error count values and uses the collected error count as the metric of normality of the session or pseudo-session behaviour.
In addition, if the entry of the pseudo-session to which the packet belongs is found not to exist in the previously established session state tracking table, a new session entry is created in the table, its current state is set to the initial state of the ICMP session state machine, and the current state is then updated according to the state transition for the event represented by the current packet.
If step 503 determines that the packet is not an ICMP packet, determine whether it is a UDP packet (see step 507);
if it is a UDP packet, use the UDP session state machine to measure the normality of the pseudo-session to which the packet belongs (see step 508), which may be done as follows:
determine whether the entry of the pseudo-session to which the packet belongs already exists in the previously established session state tracking table;
if it exists, check the received packet against the UDP session state machine, which comprises: according to the header contents of the received packet, judge the packet's direction of transmission and map it to the corresponding event; according to the UDP session state machine, the session's current state and that event, move the session to the next state and update the corresponding contents of the session state tracking table; then detect whether the current state is an error state;
when it is, increment the error count value of that entry in the session state tracking table;
the metric unit 602c then periodically collects this error count value and uses the collected error count as the metric of normality of the session or pseudo-session behaviour.
In addition, if the entry of the pseudo-session to which the packet belongs is found not to exist in the previously established session state tracking table, a new session entry is created in the table, its current state is set to the initial state of the UDP session state machine, and the current state is then updated according to the state transition for the event represented by the current packet.
If step 507 determines that the packet is not a UDP packet, further determine whether it is a TCP packet (see step 509); if it is a TCP packet, use the TCP session state machine to measure the normality of the session to which the packet belongs (see step 510), which may be done as follows:
determine whether the entry of the session to which the packet belongs already exists in the previously established session state tracking table;
if it exists, check the received packet against the TCP session state machine, which comprises: according to the header contents of the received packet, judge the packet's direction of transmission and map it to the corresponding event; according to the TCP session state machine, the session's current state and that event, move the session to the next state and update the corresponding contents of the session state tracking table; then detect whether the current state is an error state;
when it is, increment the error count value of that entry in the session state tracking table;
the metric unit 602c then periodically collects this error count value and uses the collected error count as the metric of normality of the session or pseudo-session behaviour.
In addition, if the entry of the session to which the packet belongs is found not to exist in the previously established session state tracking table, a new session entry is created in the table, its current state is set to the initial state of the TCP session state machine, and the current state is then updated according to the state transition for the event represented by the current packet.
If step 509 determines that the packet is not a TCP packet, return to step 501.
Finally, the data mining unit 603 of the detection system 600 takes the measurement results of steps 505, 508 and 510, namely the collected error count values, analyses them by data mining means and judges from the analysis result whether the session is abnormal. This embodiment may analyse the error count values with a classifier based on an artificial neural network; as this analysis is prior art, the analysis process is not described here.
If the analysis result indicates an attack, the occurrence of an attack is signalled; the current state is then checked and, if it is Done, the corresponding entry of the session is removed from the session table; then return to step 501.
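Step 505 above, and claims 6 and 7 below, describe how an ICMP port-unreachable message is mapped back to the UDP pseudo-session that provoked it. The following Python example is added here and is not part of the patent: it parses the claim 6 format (ICMP header, then the IP header and UDP header of the offending datagram), builds the reverse session identifier five-tuple of claim 7, and adds 1 to the error count of the matching entry in the tracking table, creating the entry when it is absent. The packet builders, the dict used as the tracking table and the test addresses (borrowed from the second row of Table 4) are constructed for the example; IP and ICMP checksums are left at zero because nothing here sends the packets.

```python
"""ICMP port-unreachable -> reverse UDP five-tuple (step 505, claims 6 and 7).
Example code added for illustration; packets are constructed, not captured."""
import struct
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip src_port dst_port proto")
IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH = 3, 3


def _ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left at zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def build_icmp_packet(src, dst, icmp_type, code, body=b""):
    """IP packet carrying an ICMP message: type, code, checksum(0), 4 unused bytes, body."""
    return build_ipv4(IPPROTO_ICMP, src, dst,
                      struct.pack("!BBHI", icmp_type, code, 0, 0) + body)


def build_port_unreachable(reporter, victim, orig_src, orig_dst, sport, dport):
    """Claim 6 format: ICMP header, then the IP header and the first 8 bytes
    (the UDP header) of the datagram orig_src:sport -> orig_dst:dport."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    offending = build_ipv4(IPPROTO_UDP, orig_src, orig_dst, udp)[:28]
    return build_icmp_packet(reporter, victim, ICMP_DEST_UNREACH,
                             ICMP_CODE_PORT_UNREACH, offending)


def parse_ipv4(buf):
    """Return (protocol, src, dst, bytes after the header) of an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return buf[9], src, dst, buf[ihl:]


def reverse_tuple_from_port_unreachable(packet):
    """Claim 7: swap addresses and ports of the offending UDP datagram.
    Returns None for anything that is not a UDP port-unreachable message."""
    proto, _, _, icmp = parse_ipv4(packet)
    if proto != IPPROTO_ICMP or len(icmp) < 8 + 28:
        return None
    if (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH):
        return None
    in_proto, in_src, in_dst, in_l4 = parse_ipv4(icmp[8:])
    if in_proto != IPPROTO_UDP or len(in_l4) < 4:
        return None
    in_sport, in_dport = struct.unpack("!HH", in_l4[:4])
    return FiveTuple(in_dst, in_src, in_dport, in_sport, IPPROTO_UDP)


def handle_port_unreachable(table, packet):
    """Step 505: look the pseudo-session up under the reverse five-tuple or
    under its forward counterpart (the datagram that was answered); create
    the entry if absent; add 1 to its error count. Returns (key, new count)."""
    rev = reverse_tuple_from_port_unreachable(packet)
    if rev is None:
        return None
    fwd = FiveTuple(rev.dst_ip, rev.src_ip, rev.dst_port, rev.src_port, rev.proto)
    key = rev if rev in table else fwd if fwd in table else rev
    entry = table.setdefault(key, {"state": "INIT", "errors": 0})
    entry["errors"] += 1
    return key, entry["errors"]
```

The lookup tries both directions because the pseudo-session entry was created by the original datagram (210.42.100.7:10000 to 202.108.9.78:25 in Table 4), while the port-unreachable message travels the other way; a stream of such messages for tuples that have no entry at all is exactly the scan or probe pattern the error counts are meant to expose.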
The detection method shown in Figure 5 is only one embodiment of the invention; the order in which the type of the received packet is determined may be different.
As the above embodiments show, the embodiments of the invention combine and improve the anomaly detection technique of network intrusion detection systems and the state tracking technique of firewalls: TCP, UDP and ICMP protocol session state machines are established as the behaviour patterns that normal sessions must follow; these state machines are used to check the packets of sessions or pseudo-sessions flowing through the detection system and to count their errors; and data mining is combined with this to judge abnormality, so that unknown attacks whose network session behaviour pattern is abnormal can be found effectively.
The above embodiments are only used to illustrate the invention, not to limit it.

Claims (18)

1. A network traffic anomaly detection method, characterized in that it comprises:
receiving a packet, determining the packet type and measuring, with a protocol session state machine established in advance, the normality of the behaviour of the session or pseudo-session to which the packet belongs;
according to the measurement result, determining by data mining whether the session or pseudo-session is abnormal.
2. The network traffic anomaly detection method of claim 1, characterized in that the protocol session state machine is a transmission control protocol (TCP) session state machine, a user datagram protocol (UDP) session state machine or an internet control message protocol (ICMP) session state machine.
3. The network traffic anomaly detection method of claim 2, characterized in that, when the packet type is a TCP packet or a UDP packet, measuring with the protocol session state machine established in advance the normality of the session or pseudo-session to which the packet belongs comprises the steps of:
determining whether the entry of the session or pseudo-session to which the packet belongs already exists in a session state tracking table established in advance, wherein the session state tracking table comprises at least the identifier of the session, the current state of the session and an error count value;
if it exists, checking the received packet against the TCP session state machine or the UDP session state machine of the packet's protocol type;
when the check finds an error state, incrementing the error count value of that entry in the session state tracking table;
collecting the error count value and using the collected error count as the metric of normality of the session or pseudo-session behaviour.
4. The network traffic anomaly detection method of claim 3, characterized in that checking the received packet against the TCP session state machine or the UDP session state machine of the packet's protocol type comprises the steps of:
according to the header contents of the received packet, judging the packet's direction of transmission and mapping it to the corresponding event;
according to the protocol session state machine of the packet's protocol type, the session's current state and the event, moving the session to the next state and updating the corresponding contents of the session state tracking table;
then detecting whether the current state is an error state.
5. The network traffic anomaly detection method of claim 2, characterized in that, when the packet type is an ICMP packet, measuring the normality of the pseudo-session with the ICMP session state machine comprises the steps of:
determining the ICMP packet type;
if it is a port-unreachable message corresponding to a UDP packet, mapping the port-unreachable packet to the corresponding UDP session state machine and using the UDP session state machine to measure the normality of the pseudo-session.
6. The network traffic anomaly detection method of claim 5, characterized in that the data format of the port-unreachable packet is: an ICMP header, the IP header of the datagram that caused the error, and the UDP header of the datagram that caused the error.
7. The network traffic anomaly detection method of claim 6, characterized in that mapping the port-unreachable packet to the UDP session state machine means converting the contents of the offending IP header and the offending UDP header into a reverse session identifier five-tuple, comprising the steps of:
setting the source IP address of the offending IP header as the destination IP address of the reverse session identifier five-tuple, and its destination IP address as the source IP address of the reverse session identifier five-tuple;
setting the destination port of the offending UDP header as the source port of the reverse session identifier five-tuple, and the source port of the offending UDP header as the destination port of the reverse session identifier five-tuple;
setting the protocol type of the reverse session identifier five-tuple to UDP.
8. The network traffic anomaly detection method of any one of claims 5 to 7, characterized in that using the UDP session state machine to measure the normality of the session comprises the steps of:
according to the UDP protocol and the session identifier five-tuple contained in the port-unreachable packet, mapping to the corresponding session state tracking table;
determining whether the entry of the pseudo-session to which the packet belongs already exists in the session state tracking table established in advance, wherein the session state tracking table comprises at least the identifier of the session, the current state of the session and an error count value;
if it exists, incrementing the error count value of that entry;
collecting the error count value and using the collected error count as the metric of normality of the pseudo-session behaviour.
9. The network traffic anomaly detection method of claim 8, characterized in that it further comprises the step of: if the entry does not exist, creating a new session entry in the session state tracking table according to the session identifier five-tuple and modifying the error count value of that entry.
10. The network traffic anomaly detection method of claim 5, characterized in that, if the ICMP packet is judged not to be a port-unreachable message, the ICMP session state machine is used to measure the normality of the pseudo-session to which the packet belongs, comprising the steps of:
determining whether the entry of the pseudo-session to which the packet belongs already exists in the session state tracking table established in advance, wherein the session state tracking table comprises at least the identifier of the session, the current state of the session and an error count value;
if it exists, checking the received packet against the ICMP session state machine;
when the check finds an error state, incrementing the error count value of that entry in the session state tracking table;
collecting the error count value and using the collected error count as the metric of normality of the session or pseudo-session behaviour.
11. The network traffic anomaly detection method of claim 10, characterized in that checking the received packet against the ICMP session state machine comprises the steps of:
according to the header contents of the received packet, judging the packet's direction of transmission and mapping it to the corresponding event;
according to the protocol session state machine of the packet's protocol type, the session's current state and the event, moving the session to the next state and updating the corresponding contents of the session state tracking table;
then detecting whether the current state is an error state.
12. The network traffic anomaly detection method of claim 3 or claim 10, characterized in that, if the entry of the session or pseudo-session to which the packet belongs is found not to exist in the session state tracking table established in advance, a new session entry is created in the session state tracking table;
its current state is set to the initial state of the protocol session state machine of the packet's protocol type;
and the current state is updated according to the state transition for the event represented by the current packet.
13. A network traffic anomaly detection system, characterized in that the detection system comprises at least: a memory, a packet processing unit and a data mining unit, wherein:
the memory stores the protocol session state machines;
the packet processing unit is connected to the memory, receives packets, determines the packet type and measures, with the protocol session state machine stored in the memory, the normality of the behaviour of the session or pseudo-session to which the packet belongs;
the data mining unit is connected to the packet processing unit and determines by data mining, according to the measurement result, whether the session or pseudo-session to which the packet belongs is abnormal.
14. The network traffic anomaly detection system of claim 13, characterized in that the protocol session state machine is a transmission control protocol (TCP) session state machine, a user datagram protocol (UDP) session state machine or an internet control message protocol (ICMP) session state machine.
15. The network traffic anomaly detection system of claim 13, characterized in that the packet processing unit comprises at least a receiving unit, a processing unit and a metric unit, wherein:
the receiving unit receives packets and passes each packet to the processing unit;
the processing unit determines the packet type and processes the received packet with the protocol session state machine corresponding to that type;
the metric unit measures, with the protocol session state machine stored in the memory, the normality of the behaviour of the session or pseudo-session to which the packet belongs, and sends the measurement result to the data mining unit.
16. The network traffic anomaly detection system of claim 15, characterized in that the memory stores a session state tracking table, and measuring the normality of the session or pseudo-session behaviour means collecting the error count values in the session state tracking table and using the collected error counts as the metric of normality of the session or pseudo-session behaviour.
17. The network traffic anomaly detection system of claim 14, characterized in that, when the packet is an ICMP packet and its ICMP type is judged to be a port-unreachable message corresponding to a UDP packet, the measurement is made with the UDP session state machine; if the packet is judged not to be a port-unreachable message, the measurement is made with the ICMP session state machine.
18. The network traffic anomaly detection system of claim 14, characterized in that, when the packet is a TCP or UDP packet, the measurement is made with the TCP or UDP session state machine respectively.
CNB2007100631920A 2007-01-31 2007-01-31 Network flow abnormal detecting method and system Expired - Fee Related CN100514921C (en)


Publications (2)

Publication Number Publication Date
CN101026510A true CN101026510A (en) 2007-08-29
CN100514921C CN100514921C (en) 2009-07-15

CN109428763A (en) * 2017-09-05 2019-03-05 华为技术有限公司 A kind of method and apparatus of fault measuring
CN109428763B (en) * 2017-09-05 2021-11-19 华为技术有限公司 Fault measurement method and device
CN107733906A (en) * 2017-10-24 2018-02-23 北京全路通信信号研究设计院集团有限公司 A kind of RSSP II communication means based on UDP communications
CN107733906B (en) * 2017-10-24 2020-04-17 北京全路通信信号研究设计院集团有限公司 RSSP-II communication method based on UDP communication
CN109951348A (en) * 2017-12-21 2019-06-28 北京奇虎科技有限公司 A kind of method, apparatus and electronic equipment of quality that verifying application traffic
CN109951348B (en) * 2017-12-21 2022-11-04 北京奇虎科技有限公司 Method and device for verifying quality of application flow and electronic equipment
CN108173717A (en) * 2018-01-11 2018-06-15 郑州云海信息技术有限公司 A kind of method under User space by obtaining ICMP error message monitoring network situations
CN108737273B (en) * 2018-05-10 2021-03-23 新华三技术有限公司 Message processing method and device
CN108737273A (en) * 2018-05-10 2018-11-02 新华三技术有限公司 A kind of message processing method and device
CN110798427A (en) * 2018-08-01 2020-02-14 深信服科技股份有限公司 Anomaly detection method, device and equipment in network security defense
CN113055335A (en) * 2019-12-26 2021-06-29 中国电信股份有限公司 Method, apparatus, network system and storage medium for detecting communication abnormality
CN112437070A (en) * 2020-11-16 2021-03-02 深圳市永达电子信息股份有限公司 Operation-based spanning tree state machine integrity verification calculation method and system
CN116074401A (en) * 2023-04-06 2023-05-05 合肥综合性国家科学中心人工智能研究院(安徽省人工智能实验室) Method for realizing transmission layer protocol on programmable exchanger
CN116074401B (en) * 2023-04-06 2023-07-18 合肥综合性国家科学中心人工智能研究院(安徽省人工智能实验室) Method for realizing transmission layer protocol on programmable exchanger

Also Published As

Publication number Publication date
CN100514921C (en) 2009-07-15

Similar Documents

Publication Publication Date Title
CN100514921C (en) Network flow abnormal detecting method and system
Li et al. A survey of network flow applications
Rossow et al. Sok: P2pwned-modeling and evaluating the resilience of peer-to-peer botnets
CN103947156B (en) Method, apparatus and communication network for root cause analysis
CN101447898B (en) Test system used for network safety product and test method thereof
Ensafi et al. Detecting intentional packet drops on the Internet via TCP/IP side channels
CN107580081A (en) A kind of NAT penetrating methods and device
CN103763156A (en) Network speed measurement method and system
CN107205026A (en) A kind of Point-to-Point Data Transmission method and system
CN105812318B (en) For preventing method, controller and the system of attack in a network
CN106534068A (en) Method and device for cleaning forged source IP in DDOS (Distributed Denial of Service) defense system
Hubballi et al. An event based technique for detecting spoofed IP packets
CN108989438A (en) Implementation method, the device and system of data distribution network
Won et al. A hybrid approach for accurate application traffic identification
CN114301676A (en) Nondestructive asset detection method of power monitoring system
CN104023036A (en) TCP (transmission control protocol) bypass blocking method and device
CN101442519A (en) Method and system for monitoring P2P software
CN109391523A (en) Method for monitoring the traffic between the network members in network
CN107634971A (en) A kind of method and device for detecting flood attack
CN108353027A (en) A kind of software defined network system for detecting port failure
Freire et al. On metrics to distinguish skype flows from http traffic
Koyama et al. SOME/IP intrusion detection system using real-time and retroactive anomaly detection
CN102480503B (en) P2P (peer-to-peer) traffic identification method and P2P traffic identification device
CN100353711C (en) Communication system, communication apparatus, operation control method, and program
CN106878346B (en) Network concealed communication method and system based on BitTorrent agreements

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20090715
    Termination date: 20160131
EXPY Termination of patent right or utility model