CN102014031A - Method and system for network flow anomaly detection - Google Patents

Method and system for network flow anomaly detection

Info

Publication number: CN102014031A
Application number: CN2010106198107A
Authority: CN (China)
Prior art keywords: network traffics, network, unit, average, sliding window
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 郝燕, 张广兴, 文吉刚, 袁小坊
Current assignee: HUNAN CNSUNET TECHNOLOGY Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: HUNAN CNSUNET TECHNOLOGY Co Ltd
Application filed by HUNAN CNSUNET TECHNOLOGY Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for network flow anomaly detection, comprising the following steps: acquiring statistical information on bit rate and flow rate of the network flow in a sliding window, and calculating a mean value of the bit rate and the flow rate; building a flow model in accordance with the mean value of the bit rate and the flow rate; determining the normal confidence interval of the network flow in accordance with the flow model; and when the network flow does not meet the normal confidence interval, judging that the network flow is abnormal network flow. The embodiment of the invention provides the method and system for network flow anomaly detection; and by means of the method and the system, the network flow can be detected more simply and more exactly from the standpoint of correlation of the bit rate and flow rate of the network.

Description

Network traffic anomaly detection method and system
Technical field
The application relates to the technical field of computer network traffic monitoring and analysis, and in particular to a network traffic anomaly detection method and system.
Background technology
With the continuing growth of computer networks in scale and application, networks have become an important part of people's daily work and life. But as networks become ever more widespread, network traffic anomalies caused by factors such as network attacks, worms, malicious downloads and equipment faults have an increasing impact on network performance; some aggressive abnormal traffic disrupts normal network operation and poses a serious threat to network security. Under these circumstances, how to detect traffic anomalies promptly and accurately, so as to guarantee normal network operation and provide users with a good network environment, has become a research topic of wide concern.
The anomaly detection methods in common use today fall mainly into the following categories:
Statistics-based anomaly detection: these methods usually sample the behaviour of a system or user at fixed time intervals, compute a series of parameter variables from each collected sample to describe the behaviour, and thereby produce a behaviour profile. The profile obtained from each sampling is merged with the existing profile, finally yielding a normal-behaviour profile. The anomaly detection system compares the currently collected behaviour profile with the normal-behaviour profile to detect whether abnormal behaviour exists. Its shortcomings are that the anomaly threshold is hard to determine: set too high it produces excessive false positives, set too low it raises the miss rate; and it is insensitive to the order in which events occur, so a method relying entirely on it may miss anomalies realised through correlated events.
Machine-learning-based anomaly detection: this approach implements anomaly detection through machine learning, reducing anomaly detection to learning the behavioural characteristics of individuals, systems and networks from temporal sequences of discrete data. The main learning methods include rote learning, supervised learning, inductive learning and analogical learning. There is also similarity-based instance-based learning (IBL), which converts raw data (for example discrete event streams or unordered records) into a measurable space by computing the similarity of new sequences. The anomaly detection system uses IBL techniques together with a new classification method based on sequence event types to discover anomalies and thereby detect abnormal behaviour, the threshold being decided by the probability of member classification. Machine-learning anomaly detection is fast and has a low false-alarm rate. However, its handling of dynamic changes in user behaviour and of independent anomalies still needs improvement.
Data-mining-based anomaly detection: data mining is applied to anomaly detection because of its ability to handle massive data records. The volume of network traffic audit records is very large, especially in networks with many hosts and high link speeds. Data-mining anomaly detection extracts relevant knowledge from various audit data or network data flows; this knowledge is implicit in the data and is summarised into rules, patterns and the like. The advantage of this method is its strong data-processing capability; the drawback is the low operating efficiency of the overall system.
Neural-network-based anomaly detection: a neural network is an algorithm that learns from existing input/output pairs, abstracts their inherent relationship, and then derives new input/output pairs by generalisation. The basic idea of using a neural network for anomaly detection is to train the neural units with a sequence of information units (commands), so that once a set of inputs is given the output can be predicted. The neural-network module used for intrusion detection is roughly structured as follows: the current command and the past W commands form the network input, where W is the size of the past command set considered when the network predicts the next command. After being trained on representative command sequences of a user, the network forms a feature table for that user, so its prediction error rate for the next event reflects to some extent the anomaly intensity of the user's behaviour. The advantages of the neural-network method are that it handles the random character of raw data well, i.e. no statistical assumptions about the data are needed, and it has good noise tolerance. The drawbacks are that the network topology and the weight of each element are hard to determine and require repeated trials. In addition, the size of the command window W is hard to choose: if the window is too small the network output is poor, and if it is too large the network's efficiency drops because of large amounts of irrelevant data.
In summary, existing traffic anomaly detection algorithms still have many limitations. Over-emphasising detection accuracy makes the computation complex and unfavourable to real-time detection; over-pursuing real-time performance reduces detection accuracy; a lightweight, adaptive network traffic anomaly detection algorithm is lacking. At the same time, existing detection methods mostly measure and analyse a single network index and build the traffic model on that basis; few consider the correlation between different network parameters or build the normal traffic model of the network starting from a correlation analysis of network indices.
Summary of the invention
To solve the above technical problems, the embodiments of the present application provide a network traffic anomaly detection method and system that detect network traffic more simply and accurately, starting from the correlation between network bit rate and flow rate.
The technical scheme is as follows:
A network traffic anomaly detection method comprises:
obtaining statistics of the bit rate and flow rate of the network traffic in a sliding window, and calculating the means of the bit rate and flow rate;
building a traffic model from the means of the bit rate and flow rate;
determining the normal confidence interval of the network traffic using the traffic model;
when the network traffic does not satisfy the normal confidence interval, judging the network traffic to be abnormal network traffic.
In the above method, preferably, the sliding window is a time window of fixed length, used to intercept an endless sequence by sliding at fixed time intervals, so as to obtain fixed-length network signal sequences to be detected.
In the above method, preferably, after the network traffic in the current sliding window has been judged, the method further comprises translating the sliding window and performing the above detection process on the network traffic in the translated sliding window.
In the above method, preferably, the traffic model is built specifically by:
applying the means of the bit rate and flow rate in the least-squares fitting equation of linear regression to build the traffic model.
In the above method, preferably, determining the normal confidence interval of the network traffic with the traffic model is implemented specifically as:
calculating the individual offsets of the network traffic using the traffic model;
summing the individual offsets and calculating the mean of the summed offsets;
taking the mean of the summed offsets as the tolerance boundary, and determining the normal confidence interval of the network traffic from the tolerance boundary.
In the above method, preferably, the method further comprises: when abnormal network traffic is found, performing an alarm operation for the abnormal network traffic.
A network traffic anomaly detection system comprises:
an acquiring unit, a computing unit, a building unit, a determining unit and a judging unit;
wherein:
the acquiring unit obtains statistics of the bit rate and flow rate of the network traffic in the sliding window;
the computing unit calculates the means of the bit rate and flow rate;
the building unit builds the traffic model from the means of bit rate and flow rate calculated by the computing unit;
the determining unit uses the traffic model built by the building unit to determine the normal confidence interval of the network traffic;
the judging unit judges the network traffic to be abnormal when it does not satisfy the normal confidence interval determined by the determining unit.
In the above system, preferably, the system further comprises a translation unit;
the translation unit translates the sliding window after the judging unit has judged the network traffic in the current sliding window.
In the above system, preferably, the determining unit comprises: a first computing subunit, a second computing subunit and a determining subunit;
the first computing subunit calculates the individual offsets of the network traffic using the traffic model;
the second computing subunit sums the individual offsets calculated by the first computing subunit and calculates the mean of the summed offsets;
the determining subunit takes the mean of the summed offsets calculated by the second computing subunit as the tolerance boundary, and determines the normal confidence interval of the network traffic from the tolerance boundary.
In the above system, preferably, the system further comprises an alarm unit;
the alarm unit performs an alarm operation for the abnormal network traffic when the judging unit finds abnormal network traffic.
As can be seen from the technical scheme provided by the embodiments above, the network traffic anomaly detection method and system of the invention obtain network traffic through a sliding window, calculate the means of the bit rate and flow rate of the traffic, and build the normal traffic model from those means; determine the normal confidence interval of the normal traffic model; and, by judging whether a traffic sample under test lies within the confidence interval, accurately detect traffic anomalies. The method and system build the normal traffic model based on an analysis of the correlation between network bit rate and flow rate, which reflects the actual characteristics of the network more accurately than single-index modelling; the embodiments model the normal traffic directly by the least-squares method from the historical data of a time window and, on that basis, compute the mean of the vertical cumulative offsets of the historical data points from the model as the tolerance range for traffic anomaly detection, which reduces the traffic monitoring time. Overall, the method and system provided by the embodiments have a simpler computational process and more accurate detection results.
Description of drawings
To explain the technical schemes of the embodiments of the present application or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below are only some of the embodiments recorded in the application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the flow chart of the network traffic anomaly detection method provided by the embodiments of the present application;
Fig. 2 is the schematic diagram of the sliding-window model structure provided by the embodiments;
Fig. 3 is a detailed flow chart of the network traffic anomaly detection method;
Fig. 4 is the flow chart of the method for determining the confidence interval;
Fig. 5 is another detailed flow chart of the network traffic anomaly detection method;
Fig. 6 is a further detailed flow chart of the network traffic anomaly detection method;
Fig. 7 is the structural schematic diagram of the network traffic anomaly detection system;
Fig. 8 is a detailed structural schematic diagram of the network traffic anomaly detection system;
Fig. 9 is another detailed structural schematic diagram of the network traffic anomaly detection system;
Fig. 10 is a further detailed structural schematic diagram of the network traffic anomaly detection system;
Fig. 11 is the bit-rate plot of the background traffic;
Fig. 12 is the flow-rate plot of the background traffic;
Fig. 13 is the scatter plot of the background traffic;
Fig. 14 is the bit-rate plot with attacks added;
Fig. 15 is the flow-rate plot with attacks added;
Fig. 16 is the scatter plot with attacks added.
Embodiments
To enable those skilled in the art to understand the scheme of the application better, the technical schemes of the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the application.
First, the terms needed in the embodiments are defined as follows:
Bit rate s: bits per second; the number of bits sent or received per second.
Traffic flow: the set of the five quantities source IP address, source port, destination IP address, destination port and transport-layer protocol. For example, (192.168.1.1, 10000, 121.14.88.76, 80) means that the terminal with IP address 192.168.1.1 connects, through port 10000 and using the TCP protocol, to the terminal with IP address 121.14.88.76 on port 80. A session is uniquely determined by these five elements.
Flow rate f: flows per second; the number of concurrent flows in one second.
Correct detection rate of abnormal points (P_D): number of correctly detected abnormal points / total number of abnormal points;
False detection rate of abnormal points (FAR): number of points wrongly identified as abnormal / total number of sample points.
The flow chart of the network traffic anomaly detection method provided by the embodiments, shown in Fig. 1, comprises:
Step S101: obtain the statistics of the bit rate and flow rate of the network traffic in the sliding window, and calculate the means of the bit rate and flow rate;
With bit rate and flow rate as the detection units, the network traffic packets are first grouped into flows by the five-tuple <source IP address, destination IP address, source port, destination port, protocol number> to form a flow table; the bit count and flow count per unit time are then collected.
At the successive time points ..., $t_{n-2}$, $t_{n-1}$, $t_n$, ... the observed flow-rate sequence ..., $x(t_{n-2})$, $x(t_{n-1})$, $x(t_n)$, ... and bit-rate sequence ..., $y(t_{n-2})$, $y(t_{n-1})$, $y(t_n)$, ... are obtained, and the mean flow rate $\bar{x}$ and mean bit rate $\bar{y}$ are calculated, where:
$\bar{x} = \frac{\sum_{t=1}^{n} x_t}{n}$
$\bar{y} = \frac{\sum_{t=1}^{n} y_t}{n}$
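The acquisition step S101 above (grouping packets into flows by five-tuple and collecting bit and flow counts per unit time) as an added example, not code from the patent. The packet records are constructed for the example, the 10 ms aggregation interval is the one used in the evaluation section of the application, and the per-second scaling in `to_rates` is an assumption about how the counts become the bit rate s and flow rate f defined above:

```python
"""Added example for step S101: five-tuple flow grouping and per-interval
bit/flow counting. Not the patent's own code; all packet data constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed packet record: (timestamp ms, src ip, src port, dst ip, dst port,
# protocol, payload bytes). The 192.168.1.1 -> 121.14.88.76:80 flow is the
# example flow given in the term definitions above; the rest is made up.
Packet = Tuple[int, str, int, str, int, str, int]

SAMPLE_PACKETS: List[Packet] = [
    (0,  "192.168.1.1", 10000, "121.14.88.76", 80,  "tcp", 1500),
    (3,  "192.168.1.1", 10000, "121.14.88.76", 80,  "tcp", 1500),
    (7,  "192.168.1.2", 40001, "121.14.88.76", 80,  "tcp", 600),
    (12, "192.168.1.1", 10000, "121.14.88.76", 80,  "tcp", 1500),
    (15, "192.168.1.3", 53000, "198.51.100.5", 53,  "udp", 80),
    (18, "192.168.1.2", 40001, "121.14.88.76", 80,  "tcp", 600),
    (25, "192.168.1.4", 40002, "121.14.88.76", 443, "tcp", 1200),
]

FlowKey = Tuple[str, str, int, int, str]


def five_tuple(pkt: Packet) -> FlowKey:
    """Flow table key in the order used by step S101:
    <source IP, destination IP, source port, destination port, protocol>."""
    _, src, sport, dst, dport, proto, _ = pkt
    return (src, dst, sport, dport, proto)


def aggregate(packets: List[Packet], interval_ms: int = 10) -> List[Tuple[int, int]]:
    """Per interval, in time order: (number of distinct flows, number of bits).
    Intervals that saw no packets are kept as (0, 0) so the series stays evenly
    spaced, which the later sliding-window statistics rely on."""
    bits: Dict[int, int] = defaultdict(int)
    flows: Dict[int, Set[FlowKey]] = defaultdict(set)
    for pkt in packets:
        k = pkt[0] // interval_ms          # interval index of this packet
        bits[k] += pkt[6] * 8              # payload bytes -> bits
        flows[k].add(five_tuple(pkt))      # distinct five-tuples seen in interval
    if not bits:
        return []
    return [(len(flows[k]), bits[k]) for k in range(max(bits) + 1)]


def to_rates(counts: List[Tuple[int, int]], interval_ms: int = 10) -> List[Tuple[float, float]]:
    """Scale interval counts to flow rate f (flows/s) and bit rate s (bits/s).
    Assumption: a flow counts as concurrent in every interval where it sends a packet."""
    scale = 1000.0 / interval_ms
    return [(n_flows * scale, n_bits * scale) for n_flows, n_bits in counts]


if __name__ == "__main__":
    for (f, s) in to_rates(aggregate(SAMPLE_PACKETS)):
        print(f"flow rate {f:.0f} flows/s, bit rate {s:.0f} bit/s")
```

Each (f, s) pair produced here is one sample point $(x_t, y_t)$ for the regression of step S102; `aggregate` deliberately emits empty intervals rather than skipping them, because a skipped interval would silently shorten the sliding window.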
Step S102: build the traffic model from the means of the bit rate and flow rate;
From the bit rate and flow rate obtained in step S101, the least-squares fit of linear regression gives the equation $y_{best} = ax + b$, where
$a = \frac{\sum_{t=1}^{n}(x_t - \bar{x})(y_t - \bar{y})}{\sum_{t=1}^{n}(x_t - \bar{x})^2} = \frac{\sum_{t=1}^{n} x_t y_t - n\bar{x}\bar{y}}{\sum_{t=1}^{n} x_t^2 - n\bar{x}^2}$
$b = \bar{y} - a\bar{x}$
Step S103: determine the normal confidence interval of the network traffic using the traffic model;
For the sample values $(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)$ observed in the network traffic, the best straight line through the sample values obtained by fitting is $y_{best} = ax + b$. For each sample point $(x_t, y_t)$, substituting $x_t$ into this formula gives $y'_t = ax_t + b$, so the vertical distance by which the actual sample point deviates from the best line is $d_t = |y'_t - y_t|$. The detection method of the embodiments takes the mean $\sigma$ of the total offset as the tolerance boundary, where
$\sigma = \frac{d_{total}}{n} = \frac{\sum_{t=1}^{n} d_t}{n} = \frac{\sum_{t=1}^{n} |y'_t - y_t|}{n}$
Shifting the optimal traffic model up by $\sigma$ gives the upper boundary of the normal confidence interval, $y_{upper} = y_{best} + \sigma$; shifting it down by $\sigma$ gives the lower boundary, $y_{lower} = y_{best} - \sigma$.
The normal confidence interval of the network traffic is thereby determined;
Step S104: when the network traffic does not satisfy the normal confidence interval, judge the network traffic to be abnormal network traffic;
For an unknown traffic data point $(x_{n+1}, y_{n+1})$, using $y_{best} = ax + b$ and $\sigma$ obtained by fitting in step S103:
if $y_{n+1} > ax_{n+1} + b + \sigma$ or $y_{n+1} < ax_{n+1} + b - \sigma$, the point is judged an abnormal point;
if $ax_{n+1} + b - \sigma \le y_{n+1} \le ax_{n+1} + b + \sigma$, the point is judged a normal point.
Detection of the network traffic is realised by judging each point abnormal or normal in this way.
The sliding-window model structure provided by the embodiments is shown in Fig. 2: in real-time detection, the sliding window intercepts the endless network signal sequence with a fixed-length time window that slides at fixed time intervals, to obtain fixed-length sequences to be detected. In the method of the embodiments, the detection performance on the network signal can be improved by the choice of window, such as a rectangular or Gaussian window, and of the window-function parameters.
The detailed flow chart of the detection method shown in Fig. 3 further comprises step S105: translate the sliding window, and detect the network traffic in the translated sliding window;
In the method of the embodiments, only the network traffic data in the current sliding window are detected during traffic detection. After the sample points under test in the current sliding window have been detected, the window is moved to obtain new sample points to be detected; the means of the bit rate and flow rate of the traffic in the moved window are recomputed, a new traffic model is built and a confidence interval determined, and these serve as the new judgment basis for detecting the sample points in the moved window.
Thus, in the method of the embodiments, as network traffic data keep arriving the sliding window keeps translating and the statistics are continuously updated; by dynamically refreshing the sample data through the sliding window, the traffic model and confidence interval built from them better reflect the real-time state of the network traffic.
The flow chart of the method for determining the confidence interval provided by the embodiments, shown in Fig. 4, comprises:
Step S201: calculate the individual offsets of the network traffic using the traffic model;
Step S202: sum the individual offsets and calculate the mean of the summed offsets;
Step S203: take the mean of the summed offsets as the tolerance boundary, and determine the normal confidence interval of the network traffic from the tolerance boundary.
The implementation of each of the above steps is described in detail under step S103 of Fig. 1 and is not repeated here.
After abnormal traffic has been found, the network traffic anomaly detection method of the embodiments further comprises an alarm operation for the abnormal network traffic; specifically, as shown in Fig. 5, on the basis of the method of Fig. 1 it comprises:
Step S106: perform an alarm operation for the abnormal traffic.
To introduce the network traffic anomaly detection method of the embodiments more clearly, it is described with reference to the flow chart of Fig. 6, which comprises:
Step S301: read the flow and bit statistics in the sliding window;
Step S302: fit the best straight line through the historical data by least squares;
Step S303: calculate the mean of the vertical cumulative offsets of the historical data points' bit rates from the line;
Step S304: judge whether the unknown data point lies within the confidence interval; if so, execute step S305; otherwise, execute step S306;
Step S305: move the sliding window forward one unit and return to step S301;
Step S306: perform an alarm operation for the data point not within the confidence interval.
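Steps S101 to S104 (means, least-squares line, tolerance $\sigma$, interval test) run inside the sliding-window loop of steps S301 to S306, together with the P_D and FAR metrics defined in the terms above, as an added example that is not the patent's own code. The traffic series is constructed: background bit rate follows 1200·flow + 500 with bounded deterministic noise, and a burst of samples with many extra flows but no extra bits is injected. Two assumptions are labelled in the code: the window slides past a point whether or not it was flagged (the flow chart does not say what follows S306), and a window whose flow-rate samples are all identical falls back to a flat line:

```python
"""Added example (not the patent's own code): the detector of steps S101-S104
run in the sliding-window loop of steps S301-S306, plus the P_D / FAR metrics
of the specification. All traffic data here are constructed."""
from typing import Iterable, List, Set, Tuple


def fit_line(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Step S102: least-squares line y_best = a*x + b through the window
    (x = flow rate, y = bit rate), using the centred form of a."""
    n = len(xs)
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    if sxx == 0.0:
        # All flow-rate samples identical: slope undefined, so use a flat line
        # through the mean bit rate (assumption, not stated in the patent).
        return 0.0, y_mean
    a = sxy / sxx
    b = y_mean - a * x_mean
    return a, b


def tolerance(xs: List[float], ys: List[float], a: float, b: float) -> float:
    """Step S103: sigma = mean vertical offset |y'_t - y_t| over the window."""
    return sum(abs(a * x + b - y) for x, y in zip(xs, ys)) / len(xs)


def is_abnormal(x: float, y: float, a: float, b: float, sigma: float) -> bool:
    """Step S104: abnormal if y lies outside [a*x+b-sigma, a*x+b+sigma]."""
    pred = a * x + b
    return y > pred + sigma or y < pred - sigma


def detect(flow_rates: List[float], bit_rates: List[float],
           window: int = 50, slide: int = 1) -> List[Tuple[int, bool]]:
    """Steps S301-S306: model the last `window` points, test the next point,
    then slide by `slide` points. Returns (index, abnormal) pairs.
    Assumption: the window slides past a point whether or not it was flagged."""
    flags = []
    for start in range(0, len(flow_rates) - window, slide):
        xs = flow_rates[start:start + window]
        ys = bit_rates[start:start + window]
        a, b = fit_line(xs, ys)                     # S302
        sigma = tolerance(xs, ys, a, b)             # S303
        t = start + window                          # the unknown point
        flags.append((t, is_abnormal(flow_rates[t], bit_rates[t], a, b, sigma)))
    return flags


def detection_rates(flags: List[Tuple[int, bool]],
                    true_abnormal: Iterable[int]) -> Tuple[float, float]:
    """P_D = correctly detected abnormal points / abnormal points that were tested;
    FAR = points wrongly flagged / sample points tested. Points inside the first
    window are history only and are never tested."""
    tested = {t for t, _ in flags}
    flagged = {t for t, f in flags if f}
    truth = set(true_abnormal) & tested
    hits = len(flagged & truth)
    wrong = len(flagged - truth)
    p_d = hits / len(truth) if truth else 0.0
    far = wrong / len(tested) if tested else 0.0
    return p_d, far


def constructed_series(n: int = 400, attack: range = range(300, 320)):
    """Constructed sample: bit rate ~ 1200*flow + 500 with bounded deterministic
    noise; during `attack` many extra flows arrive that carry no extra bits."""
    flow: List[float] = []
    bits: List[float] = []
    for i in range(n):
        if i in attack:
            flow.append(150.0)
            bits.append(60500.0)
        else:
            f = 40.0 + 3.0 * (i % 7)
            flow.append(f)
            bits.append(1200.0 * f + 500.0 + 300.0 * ((4 * i) % 11 - 5))
    return flow, bits, set(attack)


if __name__ == "__main__":
    flow, bits, truth = constructed_series()
    flags = detect(flow, bits, window=50, slide=1)
    p_d, far = detection_rates(flags, truth)
    print(f"P_D={p_d:.2f}  FAR={far:.2f}")
    print("first attack sample flagged:", dict(flags)[300])
```

Two things worth watching when running this on the constructed data. First, because the tolerance is the mean absolute offset and nothing more, a sizeable share of perfectly normal points fall outside the band (roughly half of any symmetric noise sample exceeds its own mean absolute value), which shows up as the FAR. Second, once attack samples enter the history window they pull the fitted line toward themselves, so the first attack sample is the one most reliably flagged; a deployment would want to decide explicitly whether alarmed points are admitted into the history.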
For simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but those skilled in the art should know that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Corresponding to the method embodiments above, the embodiments of the present application also provide a network traffic anomaly detection system corresponding to the method embodiments, comprising:
an acquiring unit 401, a computing unit 402, a building unit 403, a determining unit 404 and a judging unit 405;
wherein:
the acquiring unit 401 obtains the statistics of the bit rate and flow rate of the network traffic in the sliding window;
the computing unit 402 calculates the means of the bit rate and flow rate;
the building unit 403 builds the traffic model from the means of the bit rate and flow rate calculated by the computing unit 402;
the determining unit 404 uses the traffic model built by the building unit 403 to determine the normal confidence interval of the network traffic;
the judging unit 405 judges the network traffic to be abnormal when it does not satisfy the normal confidence interval determined by the determining unit 404.
As shown in Fig. 8, the network traffic anomaly detection system of the embodiments further comprises a translation unit 406;
the translation unit 406 translates the sliding window after the judging unit 405 has judged the network traffic in the current sliding window.
The detailed structure of the determining unit in the system of the embodiments is shown in Fig. 9: the determining unit 404 comprises a first computing subunit 408, a second computing subunit 409 and a determining subunit 410;
the first computing subunit 408 calculates the individual offsets of the network traffic using the traffic model;
the second computing subunit 409 sums the individual offsets calculated by the first computing subunit 408 and calculates the mean of the summed offsets;
the determining subunit 410 takes the mean of the summed offsets calculated by the second computing subunit 409 as the tolerance boundary, and determines the normal confidence interval of the network traffic from the tolerance boundary.
As shown in Fig. 10, the network traffic anomaly detection system of the embodiments further comprises an alarm unit 407;
the alarm unit 407 performs an alarm operation for the abnormal network traffic when the judging unit 405 finds abnormal network traffic.
Combining the method and system embodiments above: all four steps of the method of the application are completed online. Estimating with a sliding window length of N=30, the computation of the first step is very small (mainly 2 multiplications/divisions and 58 additions/subtractions). The main computation lies in the two stages of steps 2 and 3, fitting the normal traffic model and determining the confidence interval: step 2 takes 66 multiplications/divisions and 62 additions/subtractions, step 3 takes 31 multiplications/divisions and 89 additions/subtractions, and the computation of step 4 is very small (mainly 4 additions/subtractions). The total online computation is about 99 multiplications/divisions and 213 additions/subtractions. Measured on a machine with an Intel Pentium(R) 4 CPU at 3.00GHz, one detection takes about 20 μs, so real-time detection is feasible on existing machines.
The embodiments use data collected by the Lawrence Berkeley Laboratory of the University of California, Berkeley as the background traffic. These data are widely adopted as classical data in network traffic model analysis. According to the accompanying trace documentation sanitize-readme.txt, the traffic data can be divided into the following classes by protocol type and file suffix:
Table 1: meaning of the background-traffic data file suffixes (table image not reproduced on this page)
Since among the 16 trace files provided only dec-pkt-n.tcp contains both byte information and five-tuple information, the statistical analysis was carried out mainly on that file.
(1) Since the timestamps of the original trace are in milliseconds, for ease of analysis the bit count and flow count per unit time were aggregated with a sampling interval of 10 ms as the unit. 2000 sample points of background traffic were taken.
The bit-rate plot of the background traffic is shown in Fig. 11 and the flow-rate plot in Fig. 12.
With flow rate as the horizontal axis and bit rate as the vertical axis, the resulting scatter plot is shown in Fig. 13.
(2) On the basis of the background traffic signal of Figs. 11 to 13, attack signal 1 (time range: 400-500) and attack signal 2 (time range: 1500-1700) were added; the corresponding bit-rate and flow-rate time series are shown in Fig. 14 and Fig. 15.
(3) From the time series of bit rate and flow rate it can be seen that the fluctuation of either single parameter is not very obvious, so it is difficult to judge accurately whether an anomaly has occurred.
With flow rate as the horizontal axis and bit rate as the vertical axis, the scatter plot of the above sample data is shown in Fig. 16:
As can be seen from Fig. 16, the normal traffic model and confidence interval constructed with 2000 sample points as the time window can already identify part of the abnormal traffic.
(4) To improve detection precision, according to the algorithm described earlier, a detection window of 50 sample points was selected. To guarantee detection accuracy without affecting the real-time performance of the detection algorithm, the sliding interval of the detection window was set to AL=1; that is, after each detection the sliding window slides one step forward.
This algorithm was compared with the adaptive residual ratio detection method [10]. The sliding window size of the residual ratio method was set to 20, the order ρ of the AR model to 2, and the weighting constant α to 0.5. The final detection results are shown in Table 2:
Table 2 Comparison of detection method results (the table is an image in the original, Figure BDA0000042391230000121; its contents are not reproduced here)
From the comparison it can be seen that the adaptive threshold baseline detection method improves considerably over the adaptive residual ratio detection method, in detection accuracy rate and in the other measured aspects alike.
From the above discussion, the application proposes a new way of modelling network traffic: a one-dimensional linear function model of bit rate against flow rate over a historical time window, with the mean of the accumulated vertical offsets of the historical data points from the model used as the tolerance range, to realise traffic anomaly detection.
The application designs and implements a network traffic anomaly detection algorithm based on a threshold baseline and verifies its validity by experiment. The algorithm was assessed in two respects, the anomaly point detection rate and the anomaly point false detection rate, and compared with the existing adaptive residual ratio detection method. The results show that the detection rate of the threshold baseline detection method based on bit rate and flow rate is higher than 90%, and the average judgement time does not exceed 20 μs, which makes it suitable for real-time monitoring.
Each embodiment in this specification is described in a progressive manner; for identical or similar parts between embodiments, reference may be made from one to another, and each embodiment focuses on its differences from the others. The above is only an embodiment of the application; it should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principle of the application, and these improvements and modifications should also be regarded as within the protection scope of the application.

Claims (10)

1. A network traffic anomaly detection method, characterised in that it comprises:
obtaining statistical information on the bit rate and flow rate of the network traffic in a sliding window, and calculating the mean of the bit rate and the flow rate;
establishing a traffic model according to the mean of the bit rate and the flow rate;
determining the normal confidence interval of the network traffic using the traffic model;
when the network traffic does not satisfy the normal confidence interval, judging the network traffic to be abnormal network traffic.
2. The method according to claim 1, characterised in that the sliding window is a time window of fixed length, used to slide over the endless traffic sequence at a fixed time interval and intercept it, so as to obtain the fixed-length network signal sequence to be detected.
3. The method according to claim 2, characterised in that, after the network traffic in the current sliding window has been judged, it further comprises translating the sliding window and performing the detection process on the network traffic in the translated sliding window.
4. The method according to claim 1, characterised in that the process of establishing the traffic model is specifically:
applying the mean of the bit rate and the flow rate to the least-squares fitting equation of linear regression to establish the traffic model.
5. The method according to claim 1, characterised in that the specific implementation of determining the normal confidence interval of the network traffic using the traffic model is:
calculating the individual offsets of the network traffic using the traffic model;
summing the individual offsets and calculating the mean of the summed offsets;
taking the mean of the summed offsets as the tolerance boundary, and determining the normal confidence interval of the network traffic according to the tolerance boundary.
6. The method according to claim 1, characterised in that it further comprises: when the judgement yields abnormal network traffic, performing an alarm operation on the abnormal network traffic.
7. A network traffic anomaly detection system, characterised in that it comprises:
an acquiring unit, a computing unit, an establishing unit, a determining unit and a judging unit;
wherein:
the acquiring unit is used to obtain statistical information on the bit rate and flow rate of the network traffic in a sliding window;
the computing unit is used to calculate the mean of the bit rate and the flow rate;
the establishing unit is used to establish a traffic model according to the mean of the bit rate and the flow rate calculated by the computing unit;
the determining unit is used to determine the normal confidence interval of the network traffic using the traffic model established by the establishing unit;
the judging unit is used to judge the network traffic to be abnormal network traffic when the network traffic does not satisfy the normal confidence interval determined by the determining unit.
8. The system according to claim 7, characterised in that it further comprises a translation unit;
the translation unit is used to translate the sliding window after the judging unit has judged the network traffic in the current sliding window.
9. The system according to claim 7, characterised in that the determining unit comprises: a first computing subunit, a second computing subunit and a determining subunit;
the first computing subunit is used to calculate the individual offsets of the network traffic using the traffic model;
the second computing subunit is used to sum the individual offsets calculated by the first computing subunit and calculate the mean of the summed offsets;
the determining subunit is used to take the mean of the summed offsets calculated by the second computing subunit as the tolerance boundary and determine the normal confidence interval of the network traffic according to the tolerance boundary.
10. The system according to claim 7, characterised in that it further comprises an alarm unit;
the alarm unit is used to perform an alarm operation on the abnormal network traffic when the judgement of the judging unit yields abnormal network traffic.
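The detection procedure of claims 1 to 6 and of experiment steps (1) to (4) above, as an added Python example that is not the patent's own code: the least-squares bit-rate/flow-rate model, the mean-offset tolerance boundary, and the online sliding-window judgement run over constructed 10 ms samples. The window length of 30, the width multiplier k, the exclude_flagged option and all sample values are assumptions made here.

```python
"""Sliding-window bit-rate/flow-rate anomaly detector (added example, not the
patent's code).  Follows claims 1, 4 and 5: per window, fit bit rate against
flow rate by least squares and use the mean vertical offset of the window's
own points as the tolerance boundary.  N=30 and a slide step of 1 follow the
description's cost estimate; k and exclude_flagged are assumptions added here."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Sequence, Tuple

Sample = Tuple[float, float]  # (flow_rate, bit_rate) per 10 ms sampling interval


@dataclass
class FlowModel:
    slope: float      # a in  bit_rate ~ a * flow_rate + b
    intercept: float  # b
    tolerance: float  # mean |vertical offset| of the points the line was fitted on


def fit_model(window: Sequence[Sample]) -> FlowModel:
    """Least-squares line through (flow_rate, bit_rate) (claim 4); the mean of
    the individual vertical offsets is the tolerance boundary (claim 5)."""
    n = len(window)
    mean_x = sum(x for x, _ in window) / n
    mean_y = sum(y for _, y in window) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in window)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in window)
    slope = sxy / sxx if sxx > 0 else 0.0  # constant flow rate: horizontal line
    intercept = mean_y - slope * mean_x
    offsets = [abs(y - (slope * x + intercept)) for x, y in window]
    return FlowModel(slope, intercept, sum(offsets) / n)


def is_anomalous(model: FlowModel, sample: Sample, k: float = 1.0) -> bool:
    """True when the sample lies outside [fit - k*tol, fit + k*tol] (claim 1).
    k=1 is the claim's plain mean offset; a sizable share of ordinary points lie
    beyond the mean |offset| by construction, so k > 1 (assumption) trades
    misses for fewer false alarms."""
    x, y = sample
    return abs(y - (model.slope * x + model.intercept)) > k * model.tolerance


def detect_stream(samples: Sequence[Sample], n: int = 30, k: float = 1.0,
                  exclude_flagged: bool = False) -> List[int]:
    """Judge each new sample against the model of the preceding n samples, then
    slide the window by one (claims 2, 3).  exclude_flagged=True (assumption)
    keeps flagged samples out of the window so a burst of anomalies cannot
    widen the tolerance and mask its own tail.  Returns the alarm indices."""
    window: Deque[Sample] = deque(samples[:n], maxlen=n)
    alarms: List[int] = []
    for t in range(n, len(samples)):
        if is_anomalous(fit_model(window), samples[t], k):
            alarms.append(t)  # claim 6: alarm on the abnormal traffic
            if exclude_flagged:
                continue
        window.append(samples[t])  # translate the window (claim 3)
    return alarms


def make_samples() -> List[Sample]:
    """Constructed data (not the LBL trace): flows per 10 ms cycle through
    20..49 and bits per 10 ms follow 8000*flows + 500000 with +-100 noise.
    Samples 140..144 are the injected anomaly: the same number of flows but
    120000 fewer bits (a burst of near-empty flows); both values stay inside
    the normal range of their own series, so only the joint model exposes it."""
    samples: List[Sample] = []
    for i in range(200):
        flows = 20 + i % 30
        bits = 8000 * flows + 500000 + (100 if i % 2 == 0 else -100)
        if 140 <= i <= 144:
            bits -= 120000
        samples.append((float(flows), float(bits)))
    return samples
```

With k=1 and the window slid exactly as the claims word it, detect_stream(make_samples()) flags the injected burst from index 140 on but also about half of the ordinary samples, whose offsets straddle the mean by definition; detect_stream(make_samples(), k=3.0, exclude_flagged=True) returns exactly [140, 141, 142, 143, 144].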
CN2010106198107A 2010-12-31 2010-12-31 Method and system for network flow anomaly detection Pending CN102014031A (en)

Publications (1)

Publication Number Publication Date
CN102014031A true CN102014031A (en) 2011-04-13

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101534305A (en) * 2009-04-24 2009-09-16 中国科学院计算技术研究所 Method and system for detecting network flow exception
CN101808017A (en) * 2010-03-26 2010-08-18 中国科学院计算技术研究所 Method and system for quantificationally calculating network abnormity index

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Journal of Beijing University of Aeronautics and Astronautics, 2009-05-31, 吕军晖, 周刚, 金毅, "An adaptive network anomaly detection algorithm based on time series", 637-639, 1-10, Vol. 35, No. 5, 2 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110413