CN102118272A - Network perimeter anomaly monitoring method - Google Patents
- Publication number: CN102118272A
- Authority: CN (China)
- Prior art keywords: port, network, size, flow, analyzed
- Prior art date
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Abstract
The invention provides a network perimeter anomaly monitoring method that addresses the shortcomings of conventional anomaly monitoring methods: the parameter reference range is hard to define, the approach lacks flexibility, and the false alarm rate is rather high. In this method, traffic packets on the network are captured online in network interface zero-copy mode, analysed and formatted into a uniform record format, represented as a curve, and then compared with an outline (baseline profile) built in advance in order to detect abnormal conditions.
Description
Technical field:
The present invention relates to a network perimeter anomaly monitoring method in the field of network traffic anomaly detection and intrusion detection technology.
Background technology:
With the development of Internet technology, network attacks, worms, malicious downloads and the improper use of network resources have followed, causing serious problems such as degraded network performance, network congestion, and even network outages and failure of network equipment. Network attacks, worms, malicious downloads and the improper use of network resources all produce abnormal network traffic. Monitoring and managing network traffic in order to find abnormal conditions in the network has therefore become a top priority in network security management.
Traditional network anomaly detection methods analyse and learn from long-term network traffic information to establish a reference range of parameters for the network under normal conditions; when the traffic state deviates substantially from that normal state, the network is judged to be in an abnormal condition. The parameter reference range of this method is hard to determine, it lacks flexibility, and its false alarm rate is also quite high.
Summary of the invention:
To overcome the above defects, the invention provides a network perimeter anomaly monitoring method. Traffic packets on the network are captured online in network interface zero-copy mode, analysed and formatted into a uniform record format, represented in the form of a curve, and then compared with a pre-built outline (baseline profile) to monitor for abnormal conditions.
The present invention is realised by the following steps:
Step 1: capture traffic packets on the network online in network interface zero-copy mode;
Step 2: analyse and learn from the captured packets to build the traffic outline for the normal condition;
Step 3: continue to capture traffic packets from the network and analyse them in real time, format them into the uniform record format, and represent them as a curve;
Step 4: compare the curve with the normal-condition traffic outline; if an anomaly is found, raise an alarm and record the anomaly type in the anomaly database;
Step 5: rerun the mean algorithm to learn the curve of this normal period, generate a new reference outline, and return to step 3.
In step 1, DMA technology may be used to capture packets directly between the external device and memory, reducing the number of copies and system calls.
In step 2, the captured packets are analysed and, by computing averages over a period of self-learning, different reference outlines are generated for the different monitoring targets (including default ports, total number of connections, number of newly created connections, gateway traffic volume, and gateway packet count).
In step 3, each packet is analysed into a record R of the form R (T, Src.IP, Src.Port, Dst.IP, Dst.Port, Protocol, Size, FLAG), where T is the current time, Src.IP and Src.Port are the source IP and port, Dst.IP and Dst.Port are the destination IP and port, Protocol is the protocol, Size is the packet size, and FLAG is the connection state;
The unit records are then formatted, for the purpose of computing connection, port and traffic statistics, into three different kinds of record Rc, Rp and Rs, of the form:
Rc (T, Totle_Conn, New_Conn), where T is the current time, Totle_Conn is the total number of connections, and New_Conn is the number of newly created connections;
Rp (T, Port1, [Port2,] ...), where T is the current time, Port1 is the port to be monitored, and the ellipsis indicates that the ports to be monitored can be user-defined;
Rs (T, Size, Pack, FLAG), where T is the current time, Size is the traffic volume, Pack is the number of packets, and FLAG is the connection state;
The above three record sets represent the statistics of the indicators for period T with respect to connections, ports and traffic (volume/packet count) respectively; the actual curve is determined by these records.
In step 4, the actual curves (including the real-time connection curve, the real-time port curve and the real-time traffic curve (volume/packet count)) are compared with the predefined outline; if a point value of an actual curve exceeds the range defined by the outline, it is judged to be an anomaly.
In step 5, if all point values of the actual curve for one period fall within the defined normal range, the system recomputes the reference outline from the point values of this actual curve together with the current reference outline and uses the result as the standard for continued monitoring; the point values of the actual curve and the recomputed outline values are generated at a resolution of 1 min.
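As an added example (not part of the patent or its applicant's implementation), the following Python sketch works steps 3 to 5 through on constructed traffic: packet records R are folded into the Rc/Rp/Rs statistics for one period, compared against a reference outline, and the outline is re-learned by averaging when the period is normal. The ±50 % tolerance band, the use of the SYN flag to mark a new connection, the two-point mean, the `OUTLINE` values and all sample packets are assumptions, since the patent does not specify them.

```python
from collections import namedtuple
# Packet record R as the patent defines it; all sample data below is constructed.
R = namedtuple("R", "T src_ip src_port dst_ip dst_port protocol size flag")

# Constructed reference outline for one 1-min period (Rc, Rs and two Rp ports).
OUTLINE = {"total_conn": 10, "new_conn": 4, "size": 6000, "pack": 10, "port80": 5, "port443": 5}

def aggregate(records, ports=(80, 443)):
    """Fold one period's R records into the Rc/Rp/Rs statistics."""
    conns = {(r.src_ip, r.src_port, r.dst_ip, r.dst_port) for r in records}
    stats = {
        "total_conn": len(conns),                                # Rc.Totle_Conn
        "new_conn": sum(1 for r in records if r.flag == "SYN"),  # Rc.New_Conn (assumed: SYN = new)
        "size": sum(r.size for r in records),                    # Rs.Size
        "pack": len(records),                                    # Rs.Pack
    }
    for p in ports:                                              # Rp.Port1, Port2, ...
        stats[f"port{p}"] = sum(1 for r in records if r.dst_port == p)
    return stats

def check(stats, outline, tolerance=0.5):
    """Step 4: names of indicators whose point value leaves the outline band.
    The +/-50 % band is an assumption; the patent only says 'defined range'."""
    return [k for k, ref in outline.items()
            if not ref * (1 - tolerance) <= stats[k] <= ref * (1 + tolerance)]

def relearn(outline, stats):
    """Step 5: fold a normal period into the reference outline by averaging
    (a plain two-point mean; the patent's exact mean algorithm is not given)."""
    return {k: (v + stats[k]) / 2 for k, v in outline.items()}

def monitor(outline, period_records):
    """Steps 3-5 for one period: returns (next outline, anomaly types)."""
    stats = aggregate(period_records)
    anomalies = check(stats, outline)
    if anomalies:
        return outline, anomalies        # alarm; keep the outline unchanged
    return relearn(outline, stats), []   # normal period; learn from it

def sample_period(n_normal, n_flood=0):
    """Constructed traffic: n_normal ordinary packets plus an optional burst
    of small SYN packets from one source towards port 80."""
    recs = [R(t, f"10.0.0.{t % 5 + 1}", 40000 + t, "192.0.2.10",
              80 if t % 2 else 443, "TCP", 600, "SYN" if t % 3 == 0 else "ACK")
            for t in range(n_normal)]
    recs += [R(t, "203.0.113.7", 50000 + t, "192.0.2.10", 80, "TCP", 60, "SYN")
             for t in range(n_flood)]
    return recs

if __name__ == "__main__":
    outline, alarms = monitor(OUTLINE, sample_period(10))
    print("normal period:", alarms)    # []
    outline, alarms = monitor(outline, sample_period(10, 40))
    print("flooded period:", alarms)   # ['total_conn', 'new_conn', 'pack', 'port80']
```

Note that the SYN burst stays inside the traffic-volume band because its packets are small; the connection and port indicators are what flag it, which is why the patent keeps three separate record types.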
Description of drawings:
The accompanying drawing is a flow chart of the working steps of the present invention.
Embodiment:
As shown in the accompanying drawing, the present invention is realised by the following steps:
Step 1: DMA technology is used to capture traffic packets online, in network interface zero-copy mode, directly between the external device and memory, reducing the number of copies and system calls;
Step 2: the captured packets are analysed and learned from to build the traffic outline for the normal condition; by computing averages over a period of self-learning, different reference outlines are generated for the different monitoring targets (including default ports, total number of connections, number of newly created connections, gateway traffic volume and gateway packet count);
Step 3: traffic packets continue to be captured from the network and analysed in real time; each packet is analysed into a record R of the form R (T, Src.IP, Src.Port, Dst.IP, Dst.Port, Protocol, Size, FLAG), where T is the current time, Src.IP and Src.Port are the source IP and port, Dst.IP and Dst.Port are the destination IP and port, Protocol is the protocol, Size is the packet size, and FLAG is the connection state;
The unit records are then formatted, for the purpose of computing connection, port and traffic statistics, into three different kinds of record Rc, Rp and Rs, of the form:
Rc (T, Totle_Conn, New_Conn), where T is the current time, Totle_Conn is the total number of connections, and New_Conn is the number of newly created connections;
Rp (T, Port1, [Port2,] ...), where T is the current time, Port1 is the port to be monitored, and the ellipsis indicates that the ports to be monitored can be user-defined;
Rs (T, Size, Pack, FLAG), where T is the current time, Size is the traffic volume, Pack is the number of packets, and FLAG is the connection state;
The above three record sets represent the statistics of the indicators for period T with respect to connections, ports and traffic (volume/packet count) respectively; the actual curve is determined by these records;
Step 4: the curve is compared with the normal-condition traffic outline; if a point value of the actual curve exceeds the range defined by the outline, it is judged to be an anomaly, an alarm is raised, and the anomaly type is recorded in the anomaly database;
Step 5: if all point values of the actual curve for one period fall within the defined normal range, the mean algorithm is rerun to learn the curve of this normal period, a new reference outline is generated, and the method returns to step 3.
Claims (2)
1. A network perimeter anomaly monitoring method, characterised in that the method is realised by the following steps:
Step 1: capture traffic packets on the network online in network interface zero-copy mode;
Step 2: analyse the captured packets to build the traffic outline for the normal condition;
Step 3: continue to capture traffic packets from the network and analyse them in real time, format them into the uniform record format, and represent them as a curve;
Step 4: compare the curve with the normal-condition traffic outline; if an anomaly is found, raise an alarm and record the anomaly type in the anomaly database;
Step 5: rerun the mean algorithm to learn the curve of this normal period, generate a new reference outline, and return to step 3.
2. The network perimeter anomaly monitoring method according to claim 1, characterised in that the analysis of the traffic packets in step 3 means that each packet is analysed into a record R (T, Src.IP, Src.Port, Dst.IP, Dst.Port, Protocol, Size, FLAG);
The unit records are formatted, for the purpose of computing connection, port and traffic statistics, into three different kinds of record Rc, Rp and Rs;
Rc (T, Totle_Conn, New_Conn), where T is the current time, Totle_Conn is the total number of connections, and New_Conn is the number of newly created connections;
Rp (T, Port1, [Port2,] ...), where T is the current time, Port1 is the port to be monitored, and the ellipsis indicates that the ports to be monitored can be user-defined;
Rs (T, Size, Pack, FLAG), where T is the current time, Size is the traffic volume, Pack is the number of packets, and FLAG is the connection state;
The above three record sets represent the statistics of the indicators for period T with respect to connections, ports and traffic (volume/packet count) respectively; the actual curve is determined by these records.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009102145254A CN102118272A (en) | 2009-12-31 | 2009-12-31 | Network perimeter anomaly monitoring method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102118272A true CN102118272A (en) | 2011-07-06 |
Family
ID=44216876
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009102145254A Pending CN102118272A (en) | 2009-12-31 | 2009-12-31 | Network perimeter anomaly monitoring method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102118272A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101355463A (en) * | 2008-08-27 | 2009-01-28 | 成都市华为赛门铁克科技有限公司 | Method, system and equipment for judging network attack |
CN101488960A (en) * | 2009-03-04 | 2009-07-22 | 哈尔滨工程大学 | Apparatus and method for TCP protocol and data recovery based on parallel processing |
US7636305B1 (en) * | 2005-06-17 | 2009-12-22 | Cisco Technology, Inc. | Method and apparatus for monitoring network traffic |
Application events
- 2009-12-31: CN application CN2009102145254A (patent/CN102118272A/en), active, Pending
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104202329A (en) * | 2014-09-12 | 2014-12-10 | 北京神州绿盟信息安全科技股份有限公司 | DDoS (distributed denial of service) attack detection method and device |
CN104202329B (en) * | 2014-09-12 | 2018-01-26 | 北京神州绿盟信息安全科技股份有限公司 | Ddos attack detection method and device |
US11140197B2 (en) | 2014-09-12 | 2021-10-05 | NSFOCUS Information Technology Co., Ltd. | Method and apparatus for DDoS attack detection |
CN104883281A (en) * | 2015-05-27 | 2015-09-02 | 北京北信源软件股份有限公司 | Network boundary detection method |
CN104883281B (en) * | 2015-05-27 | 2019-03-08 | 北京北信源软件股份有限公司 | A kind of network boundary detection method |
CN105187451A (en) * | 2015-10-09 | 2015-12-23 | 携程计算机技术(上海)有限公司 | Website flow abnormity detection method and system |
CN105187451B (en) * | 2015-10-09 | 2018-10-09 | 携程计算机技术(上海)有限公司 | Website traffic method for detecting abnormality and system |
Similar Documents
Publication | Title |
---|---|
CN103532776B (en) | Service traffics detection method and system |
CN103532940B (en) | Network security detection method and device |
CN103067192B (en) | A kind of analytical system of network traffics and method |
CN105429977B (en) | Deep packet inspection device abnormal flow monitoring method based on comentropy measurement |
CN103078760A (en) | Online diagnosis method for abnormal network flow |
CN101980506B (en) | Flow characteristic analysis-based distributed intrusion detection method |
CN101309179B (en) | Real-time flux abnormity detection method on basis of host activity and communication pattern analysis |
US7903657B2 (en) | Method for classifying applications and detecting network abnormality by statistical information of packets and apparatus therefor |
CN106533832B (en) | Network flow detection system based on distributed deployment |
US20190007292A1 (en) | Apparatus and method for monitoring network performance of virtualized resources |
CN104486153B (en) | A kind of transformer station process layer network transmission performance monitoring method based on FPGA |
WO2018001326A1 (en) | Method and device for acquiring fault information |
CN106452941A (en) | Network anomaly detection method and device |
CN104883346A (en) | Network equipment behavior analysis method and system |
CN109379255B (en) | Intelligent switch based process layer network flow monitoring and early warning method |
CN114124478A (en) | Power system industrial control flow abnormity detection method and system |
CN111698209A (en) | Network abnormal flow detection method and device |
CN115190191B (en) | Power grid industrial control system and control method based on protocol analysis |
CN113810362A (en) | Safety risk detection and disposal system and method thereof |
CN110266680B (en) | Industrial communication anomaly detection method based on dual similarity measurement |
CN102118272A (en) | Network perimeter anomaly monitoring method |
WO2019006018A1 (en) | Apparatus and method for establishing baseline network behavior and producing reports therefrom |
CN106446008A (en) | Management method and analysis system for database security event |
CN113612657A (en) | Method for detecting abnormal HTTP connection |
CN107241359A (en) | A kind of software-oriented defines the lightweight network flow abnormal detecting method of network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| DD01 | Delivery of document by public notice | Addressee: Wu Bingtang; Document name: Notification of Passing Preliminary Examination of the Application for Invention |
| DD01 | Delivery of document by public notice | Addressee: Wu Bingtang; Document name: Notification of Passing Examination on Formalities |
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C12 | Rejection of a patent application after its publication | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20110706 |