CN103281293A - Network flow rate abnormity detection method based on multi-dimension layering relative entropy - Google Patents


Info

Publication number: CN103281293A
Authority: CN (China)
Prior art keywords: dimension, flow, network, entropy, network traffics
Legal status: Pending
Application number: CN2013100930650A
Other languages: Chinese (zh)
Inventors: 张登银, 廖建飞, 王星昌, 刘桂联, 孙知信
Current assignee: NANJING BRANCH OF CHINA MOBILE COMMUNICATIONS Corp; NANJING TAIWAN FAMER BUSINESS GARDEN DEVELOPMENT Co Ltd; China Mobile Group Jiangsu Co Ltd
Original assignee: NANJING BRANCH OF CHINA MOBILE COMMUNICATIONS Corp; NANJING TAIWAN FAMER BUSINESS GARDEN DEVELOPMENT Co Ltd
Priority date: 2013-03-22
Filing date: 2013-03-22
Publication date: 2013-09-04

2013-03-22: Application filed by NANJING BRANCH OF CHINA MOBILE COMMUNICATIONS Corp and NANJING TAIWAN FAMER BUSINESS GARDEN DEVELOPMENT Co Ltd
2013-03-22: Priority to CN2013100930650A
2013-09-04: Publication of CN103281293A
Current legal status: Pending

Abstract

The invention relates to a network traffic anomaly detection method based on multi-dimensional hierarchical relative entropy. The network traffic data are layered hierarchically along several dimensions, information entropy is used to measure the distribution of the packets in each dimension, and relative entropy is then applied on each analysis view of the traffic, exploiting the self-similarity of network traffic, to detect anomalous traffic. The method substantially improves the timeliness and accuracy of traffic detection and allows traffic anomalies to be detected in a real network environment.

Description

A network traffic anomaly detection method based on multi-dimensional hierarchical relative entropy
Technical field
The present invention is a method for detecting network traffic anomalies. It is mainly used to solve the problem of detecting the traffic anomalies that arise when a network is under attack, and belongs to the field of network security technology.
Background technology
As networks grow rapidly in size, the security problems they face become increasingly complex, and quantitative analysis of network traffic is an important research topic in network security management, in particular for intrusion detection. A network traffic anomaly is a traffic pattern that adversely affects normal use of the network. Its causes are many and generally include: 1) exhaustion of network resources and network misconfiguration; 2) usage problems, such as the impact on traffic of heavy P2P application use; 3) malware, such as worms and trojans; 4) attacks, such as sustained port scanning, DoS and DDoS attacks. Detecting a traffic anomaly means determining when and where the traffic pattern changed, so that security staff can investigate the anomaly, keep the network running normally, and ensure its security and performance.
Many studies in recent years have shown that network traffic, in both local area networks and wide area networks, exhibits pronounced burstiness and long-range dependence, and that the self-similarity of network traffic describes these properties well; self-similarity has therefore become a key property of network traffic and a basis for traffic anomaly detection. Many algorithms and models from computer science, including cluster analysis, support vector machines (SVM) and neural networks, have been applied to network traffic anomaly detection. However, because network traffic is bursty and changes quickly, the efficiency of non-statistical methods such as neural networks and SVMs drops sharply when the number of samples is large, and their algorithmic complexity also makes them hard to deploy in an online, real-time anomaly detection system.
Statistical methods are a kind of proactive security protection technique. They use historical traffic as the reference for normal traffic: historical traffic collected over some past time window is taken as normal, and anomalies are detected from the degree of change between the data collected in the current window and the data of the previous window. Because such methods do not require prior knowledge of the anomaly's features, they can detect traffic anomalies with unknown characteristics. However, statistics-based methods such as PCA subspace detection and wavelet analysis with time correlation still fall short in real-time performance and detection effectiveness.
In summary, the non-statistical traffic anomaly detection methods have relatively high time complexity, and the statistical detection methods are still unsatisfactory in detection effectiveness. Moreover, the traffic anomalies caused by network attacks are becoming increasingly stealthy: the Conficker worm, for example, effectively reduces its scan rate by means such as dormancy, so such an attack causes no violent change in the aggregate traffic, and the methods above cannot detect the anomaly effectively.
Summary of the invention
Technical problem: the purpose of the invention is to provide a solution for detecting anomalies when they occur in network traffic, and to solve the problem of the low timeliness and accuracy of network traffic anomaly detection.
Technical scheme: the method of the invention is a statistical method. The network traffic is layered hierarchically along several dimensions, the theory of entropy is used to build an entropy sequence for each analysis view, and relative entropy is used to detect anomalies in the network traffic.
The concepts used by the invention are defined below.
Definition 1: The dimensions of network traffic are the traffic attributes that can be used for anomaly detection. For example, the tuple corresponding to a packet in the network traffic S is defined as
[formula (1): image not reproduced]
(1)
where T_i is the timestamp of the network traffic, A_u is a detection dimension of the network traffic, and the subscript dmax is the maximum number of dimensions of the network traffic.
Because entropy effectively measures how the distribution of a system's parameters changes and describes long-running random processes, it can be used to describe the distribution of network traffic along a given dimension. Taking the source IP address as an example, the entropy of the source IP address dimension of the network traffic in a given time window may be defined as
$H(\mathrm{SrcIP}) = -\sum_{i=1}^{N} P(\mathrm{SrcIP})_i \log_2 P(\mathrm{SrcIP})_i$
(2)
where N is the number of distinct source IP addresses that appear and P(SrcIP)_i is the fraction of all packets whose source IP address is the i-th address. When SrcIP takes only one value, i.e. all packets share the same source IP address, there is no uncertainty and the entropy takes its minimum value 0; when the packets are spread evenly over the N source addresses the entropy takes its maximum value log2 N. The larger the source IP entropy of the traffic, the more random and uniform the distribution of the traffic over source IP addresses; the smaller the entropy, the more concentrated the distribution, i.e. the higher the probability that the source IP takes some particular value.
Entropy describes well the change in distribution that the traffic exhibits during an anomaly, but aggregating statistics by individual identifier value on every dimension is neither realistic nor necessary; the number of identifiers to count can be greatly reduced by aggregating on higher-level dimension values. The levels and analysis views of network traffic are defined below.
Definition 2: The levels of network traffic are the layering, or multi-resolution partition, of the attribute values produced by recursively discretizing a dimension in the process of building its concept hierarchy; each level defines one discretization of the dimension. For example, discretizing the value space of dimension A_u in formula (1) gives
[formula (3): image not reproduced]
(3)
where each L_v is a level on dimension A_u and lmax_u is the maximum number of levels into which detection dimension A_u can be aggregated.
Definition 3: A network traffic analysis view is the result of aggregating a detection dimension at a corresponding abstraction level. Combining formulas (1) and (3), an analysis view is the distribution of a set of network traffic data at a given level of a dimension, defined as
[formula (4): image not reproduced]
(4)
The dimensions considered by the invention are source/destination IP address, source/destination port, protocol type and the TCP flags field. The analysis views obtained after layering each dimension are set out below using formula (4).
(1) Analysis view of the IP address dimension
Referring to Fig. 1, suppose the detection device is deployed on a border router. The network traffic in a time window is first divided by IP address into two classes, intranet traffic and extranet traffic. Each class is then ranked on the IP dimension by traffic volume; the 10% of IP addresses carrying the most traffic form the heavy-flow set, and the remaining IP addresses form the light-flow set. The light-flow set is further subdivided by class C subnet (/24), and the traffic of all IP addresses in one class C subnet is aggregated into one level. According to formula (4), the analysis view S_ip of the network traffic after level aggregation on the IP dimension is
[formula (5): image not reproduced]
(5)
where the subscripts ib, is, ob and os denote the intranet heavy-flow set, the intranet light-flow set, the extranet heavy-flow set and the extranet light-flow set respectively, and the two level counts in the formula are the numbers of class C levels into which the intranet and extranet light-flow traffic is aggregated, determined from the actual network traffic.
(2) Analysis view of the port dimension
As shown in Fig. 2, the static ports 0–1023 and the dynamic ports 1024–49151 are aggregated in groups of 10 and 100 ports respectively; the random ports from 49152 up are rarely used and so are aggregated into a single group. The analysis view S_port of the network traffic after level aggregation on the port dimension is
[formula (6): image not reproduced]
(6)
where m and n are the numbers of levels aggregated in the static port range and in the dynamic/random port range respectively.
(3) Analysis view of the protocol dimension
Based on the protocol types commonly seen in IP traces, as shown in Fig. 3, the network traffic can be aggregated by level according to application-layer protocol and transport-layer protocol. Let γ be the maximum number of application-layer protocols in common use in the network traffic; the analysis view S_prc of the network traffic after level aggregation on the protocol dimension is
[formula (7): image not reproduced]
(7)
where the value of γ is set according to the application-layer protocol types actually in frequent use in the traffic.
(4) Analysis view of the TCP flags dimension
Traffic using the TCP protocol is aggregated according to the following field values:
URG (whether the urgent pointer field is valid); ACK (whether the acknowledgement field is valid); PSH (whether the packet is to be pushed to the application layer as soon as possible); RST (whether the connection is to be reset); SYN (whether sequence numbers are to be synchronized to establish a connection); FIN (whether the connection is to be terminated).
The analysis view S_tcpf formed after level aggregation of the network traffic on the TCP flags dimension is
[formula (8): image not reproduced]
(8)
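The four hierarchical views above, implemented as an added example that is not part of the patent (the page gives the layering rules in words and in figures that are not reproduced here). It assumes an intranet prefix of 10.0.0.0/8, takes the heavy-flow set as the 10% of addresses with the most packets (at least one address per side), treats a TCP-flags level as the combination of flags set on the packet, and runs on a constructed window of eight flow records; the function and bucket names are the example's own.

```python
"""Added example, not part of the patent: build the hierarchical 'analysis views'
of one time window and compute each view's entropy (formula (2)).
Assumptions: intranet is 10.0.0.0/8; heavy-flow set is the top 10 % of addresses
by packet count (at least one); the flow records below are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network
import math

INTRANET = ip_network("10.0.0.0/8")  # assumed: the inside prefix seen by the border router

# Constructed window of flow records: (src_ip, dst_ip, src_port, dst_port, proto, tcp_flags)
WINDOW = [
    ("10.0.1.5", "203.0.113.9", 51234, 80, "tcp", "ACK"),
    ("10.0.1.6", "203.0.113.9", 51235, 80, "tcp", "ACK"),
    ("10.0.2.7", "203.0.113.9", 1500, 443, "tcp", "SYN"),
    ("10.0.2.8", "198.51.100.4", 1600, 443, "tcp", "SYN"),
    ("10.0.1.5", "198.51.100.4", 53001, 53, "udp", ""),
    ("10.0.1.5", "203.0.113.9", 51234, 80, "tcp", "ACK"),
    ("203.0.113.20", "10.0.1.5", 40000, 22, "tcp", "SYN"),
    ("203.0.113.20", "10.0.1.5", 40001, 22, "tcp", "ACK"),
]


def entropy(counts):
    """Formula (2): H = -sum_i p_i log2 p_i over the bucket counts of one view.
    0 when every packet falls in one bucket, log2(N) when spread evenly over N buckets."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def port_level(port):
    """Port hierarchy (Fig. 2): groups of 10 in 0-1023, groups of 100 in 1024-49151,
    and one single group for the rarely used ports from 49152 up."""
    if port < 1024:
        return f"static/{port // 10}"
    if port < 49152:
        return f"dynamic/{port // 100}"
    return "random"


def ip_view(addresses, heavy_fraction=0.10):
    """IP hierarchy (Fig. 1): split addresses into intranet/extranet; on each side the
    top 10 % of addresses by packet count stay individual buckets (heavy-flow set),
    the remaining addresses (light-flow set) are aggregated per /24 (class C)."""
    buckets = Counter()
    for side, inside in (("in", True), ("out", False)):
        per_ip = Counter(a for a in addresses if (ip_address(a) in INTRANET) == inside)
        ranked = [a for a, _ in per_ip.most_common()]  # most packets first
        heavy = set(ranked[: max(1, round(len(ranked) * heavy_fraction))]) if ranked else set()
        for a, n in per_ip.items():
            if a in heavy:
                buckets[f"{side}/big/{a}"] += n
            else:
                buckets[f"{side}/small/{ip_network(a + '/24', strict=False)}"] += n
    return buckets


def views(records):
    """The six analysis views, in the detection order {[SrcIP, DestIP], [SrcPort, DestPort], Protocol, Tcpflag}."""
    return {
        "SrcIP": ip_view([r[0] for r in records]),
        "DestIP": ip_view([r[1] for r in records]),
        "SrcPort": Counter(port_level(r[2]) for r in records),
        "DestPort": Counter(port_level(r[3]) for r in records),
        "Protocol": Counter(r[4] for r in records),
        # Tcpflag view: TCP packets aggregated by which of URG/ACK/PSH/RST/SYN/FIN are set
        "Tcpflag": Counter(r[5] for r in records if r[4] == "tcp"),
    }


def view_entropies(records):
    """Entropy of every view for one window; these values are all the detector has to store."""
    return {name: entropy(v) for name, v in views(records).items()}


if __name__ == "__main__":
    for name, h in view_entropies(WINDOW).items():
        print(f"{name:9s} H = {h:.3f} bits")
```

Running the block prints one entropy per view for the constructed window; the SrcPort view, for instance, has four buckets (two dynamic groups, one shared dynamic group and the random group) and an entropy of 1.75 bits, while a SYN flood from spoofed sources would drive the Tcpflag entropy towards 0 and the SrcIP entropy towards its maximum.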
Workflow:
By monitoring the entropy of the network traffic, the distribution of the traffic on the analysis view of the affected dimension differs significantly from the historical analysis view whenever abnormal traffic occurs; the invention uses a "relative entropy" to measure this difference. To reduce the storage needed for the network traffic, "relative entropy" is defined here as the ratio of the entropies of the two distributions, so that only the entropy value of each window, and not the full distribution, has to be kept. (This differs from the Kullback-Leibler divergence, which the term relative entropy usually denotes.) Suppose there are two traffic distributions P and Q on the SrcIP dimension with the same value space; their relative entropy is then
[formula (9): image not reproduced]
(9)
where SrcIP_P and SrcIP_Q denote the distribution on the SrcIP dimension of the current traffic to be detected and of the normal historical traffic respectively. Given a lower threshold and an upper threshold, if
[formula (10): image not reproduced]
(10)
i.e. the relative entropy falls outside the range between the two thresholds, the network traffic is judged anomalous on the SrcIP dimension. Anomalies on the other dimensions are determined in the same way.
The network traffic anomaly detection algorithm has two stages, training and detection.
(1) Training stage
1. Split the historical sample traffic into time windows of size W, build the analysis views of each window according to formulas (5), (6), (7) and (8), compute the entropy of each view by formula (2), and form the entropy sequences;
2. For sample traffic labelled as normal, update the historical entropy of the window by averaging and build the entropy baseline;
3. For sample traffic labelled as anomalous, compute the relative entropy by formula (9) and determine the lower and upper thresholds according to the required detection rate and false-alarm rate.
(2) Detection stage
As shown in Fig. 4, the traffic anomaly detection process of the invention is:
1. Capture the traffic to be inspected as it passes the collection device in units of time window W, open a buffer and cache the packets of the window;
2. Filter the traffic on the basis of the parsed packet header and the first bytes of the payload: a blacklist removes irrelevant traffic, and a whitelist retains the traffic of specific regions or specific occasions;
3. In the dimension order {[SrcIP, DestIP], [SrcPort, DestPort], Protocol, Tcpflag}, compute the entropy of the analysis view of each dimension according to formula (1) and the layering rules of formulas (5), (6), (7) and (8), compute the relative entropy of each against the historical entropy obtained in training using formula (9), and if the relative entropy of any dimension leaves the threshold range of its analysis view, go to step 5;
4. Otherwise mark the traffic of this window as normal; it may be used as experience traffic to update the historical entropy; go to step 6;
5. Mark the traffic of this window as anomalous;
6. Clear the cached data, return to step 1 and prepare to detect the next time window.
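The training and detection stages above, as an added example that is not the patent's code. It works on the per-window entropy values of the six views (which is what the method stores), takes relative entropy as current-window entropy divided by baseline entropy (the page fixes only that it is a ratio of the two entropies; the direction is an assumption), derives the lower and upper thresholds as empirical quantiles of the normal training ratios for a given false-alarm rate and reports the detection rate this achieves on the anomalous training windows (the page says only that the thresholds follow from the required detection and false-alarm rates), and runs on constructed entropy values.

```python
"""Added example, not part of the patent: training and detection stages of the
workflow, run over per-window entropy values of the six analysis views.
Assumptions: relative entropy = current entropy / baseline entropy; thresholds are
quantiles of the normal training ratios; all entropy values below are constructed."""

VIEWS = ("SrcIP", "DestIP", "SrcPort", "DestPort", "Protocol", "Tcpflag")


def win(*values):
    """One time window: entropy (bits) of each view, in VIEWS order."""
    return dict(zip(VIEWS, values))


# Constructed training sample: windows labelled normal and windows labelled anomalous.
NORMAL_WINDOWS = [
    win(3.0, 2.8, 4.0, 2.0, 0.9, 1.5),
    win(3.1, 2.9, 4.1, 2.1, 0.8, 1.6),
    win(2.9, 2.7, 3.9, 1.9, 1.0, 1.4),
    win(3.0, 2.8, 4.0, 2.0, 0.9, 1.5),
    win(3.2, 3.0, 4.2, 2.2, 0.7, 1.7),
]
ANOMALOUS_WINDOWS = [
    # spoofed SYN flood at one host: source IPs spread out, every other view collapses
    win(5.5, 0.3, 4.0, 0.2, 0.2, 0.3),
    # port scan from one host: destination ports spread out, source IPs collapse
    win(1.0, 2.8, 4.0, 6.5, 0.9, 1.3),
]


def relative_entropy(current, baseline):
    """Formula (9) as the page defines it: a ratio of two entropies, not the
    Kullback-Leibler divergence. A zero baseline would make the ratio undefined,
    so a non-zero current entropy against it is treated as infinitely different."""
    if baseline == 0:
        return float("inf") if current else 1.0
    return current / baseline


def build_baseline(normal_windows):
    """Training step 2: per-view mean entropy of the windows labelled normal."""
    return {v: sum(w[v] for w in normal_windows) / len(normal_windows) for v in VIEWS}


def quantile(values, q):
    """Nearest-rank quantile of a list (no interpolation)."""
    s = sorted(values)
    return s[round(q * (len(s) - 1))]


def offending_views(window, baseline, thresholds):
    """Formula (10) per view: the views whose ratio leaves its [lower, upper] interval."""
    return [v for v in VIEWS
            if not thresholds[v][0] <= relative_entropy(window[v], baseline[v]) <= thresholds[v][1]]


def fit_thresholds(baseline, normal_windows, anomalous_windows, false_alarm_rate=0.1):
    """Training step 3: per view, [lower, upper] are the fa/2 and 1-fa/2 quantiles of the
    normal ratios, so at most about `false_alarm_rate` of normal windows fall outside.
    The detection rate this achieves on the labelled anomalous windows is returned too,
    so the operator can trade the two rates off by changing false_alarm_rate."""
    thresholds = {}
    for v in VIEWS:
        ratios = [relative_entropy(w[v], baseline[v]) for w in normal_windows]
        thresholds[v] = (quantile(ratios, false_alarm_rate / 2),
                         quantile(ratios, 1 - false_alarm_rate / 2))
    detected = sum(1 for w in anomalous_windows if offending_views(w, baseline, thresholds))
    return thresholds, detected / len(anomalous_windows)


class Detector:
    def __init__(self, normal_windows, anomalous_windows, false_alarm_rate=0.1):
        self.count = len(normal_windows)
        self.baseline = build_baseline(normal_windows)
        self.thresholds, self.detection_rate = fit_thresholds(
            self.baseline, normal_windows, anomalous_windows, false_alarm_rate)

    def detect(self, window):
        """Detection steps 3-5: any view outside its interval flags the window (step 5);
        a clean window (step 4) is folded into the baseline as a running average."""
        bad = offending_views(window, self.baseline, self.thresholds)
        if not bad:
            for v in VIEWS:
                self.baseline[v] = (self.baseline[v] * self.count + window[v]) / (self.count + 1)
            self.count += 1
        return bad


if __name__ == "__main__":
    d = Detector(NORMAL_WINDOWS, ANOMALOUS_WINDOWS)
    print("detection rate on training anomalies:", d.detection_rate)
    print("quiet window:", d.detect(win(3.05, 2.85, 4.05, 2.05, 0.85, 1.55)))
    print("slow scan, only DestPort drifts:", d.detect(win(3.0, 2.8, 4.0, 2.3, 0.9, 1.5)))
```

Two properties of the ratio definition are worth keeping in mind when tuning this. Because only entropies are compared, a window whose packets are redistributed over the same number of buckets with the same frequencies is indistinguishable from the baseline: the ratio measures how concentrated a view is, not which values it concentrates on, which is why the method inspects several views and flags a window as soon as one of them drifts. And because clean windows are folded into the baseline while the thresholds stay fixed, a slow drift in the baseline gradually moves the effective detection band, so the thresholds should be refitted periodically from fresh labelled samples.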
Beneficial effects
Aimed at the insufficient timeliness and accuracy of current network traffic anomaly detection methods, the invention proposes a new detection scheme. The network traffic data are layered hierarchically along several dimensions, information entropy is used to measure the packet distribution, and relative entropy is then applied on each analysis view of the traffic, exploiting the self-similarity of network traffic, to detect abnormal traffic. The method greatly improves the timeliness and accuracy of traffic detection.
Description of drawings
Fig. 1: schematic of a large-scale backbone network.
Fig. 2: schematic of the layering of the port dimension.
Fig. 3: schematic of the layering of the protocol dimension.
Fig. 4: flow chart of the network traffic anomaly detection of the inventive method.
Embodiment
Referring to Fig. 1, the network traffic anomaly detection algorithm is divided into the two stages, training and detection, set out under Workflow above.

Claims (7)

1. A network traffic anomaly detection method based on multi-dimensional hierarchical relative entropy, characterized by comprising the following two stages:
Stage 1, the training stage: an entropy baseline and threshold ranges are established from sample traffic;
Stage 2, the detection stage: the actual traffic is examined to determine whether an anomaly has occurred in the network traffic.
2. The detection method according to claim 1, characterized in that stage 1 comprises the following steps:
Step 1: the historical sample traffic is layered along multiple dimensions in time windows of size W, and an entropy sequence is established for each analysis view;
Step 2: for sample traffic labelled as normal, the historical entropy of the window is updated by averaging and the entropy baseline is established;
Step 3: for sample traffic labelled as anomalous, the relative entropy is computed and the lower and upper thresholds are determined according to the given detection rate and false-alarm rate.
3. The detection method according to claim 1, characterized in that stage 2 comprises the following steps:
Step 1: the traffic to be inspected as it passes the collection device is captured in units of time window W, a buffer is opened and the packets of the window are cached;
Step 2: the entropy of the analysis view of each dimension is computed in turn, the relative entropy of each is computed against the historical entropy obtained in the training stage, and if the relative entropy of any dimension leaves the threshold range of its analysis view, the traffic of this window is marked as anomalous;
Step 3: if the relative entropy of every dimension lies within the threshold range of its analysis view, the traffic of this window is marked as normal and may be used as experience traffic to update the historical entropy.
4. The detection method according to claim 2, characterized in that in step 1 the entropy of the network traffic in each dimension is computed as
$H = -\sum_{i=1}^{N} P_i \log_2 P_i$
where N is the number of distinct values the packets take in the dimension and P_i is the fraction of all packets that take the i-th value.
5. The detection method according to claim 2, characterized in that in step 1 the network traffic is analysed along the following dimensions: an IP address dimension comprising source IP and destination IP, a port dimension comprising source port and destination port, a protocol dimension and a TCP flags dimension.
6. The detection method according to claim 2, characterized in that in step 1 the multi-dimensional layering of the traffic that builds the analysis views is:
1) layering of the IP dimension: the network traffic in the time window is first divided by IP address into two classes, intranet traffic and extranet traffic; each class is then ranked on the IP dimension by traffic volume, the 10% of IP addresses carrying the most traffic form the heavy-flow set and the remaining IP addresses form the light-flow set; the light-flow set is further subdivided by class C subnet, and the traffic of all IP addresses in one class C subnet is aggregated into one level;
2) layering of the port dimension: the static ports 0–1023 and the dynamic ports 1024–49151 are aggregated in groups of 10 and 100 respectively, and the random ports from 49152 up, being rarely used, are aggregated into a single group;
3) layering of the protocol dimension: the network traffic is aggregated by level according to application-layer protocol and transport-layer protocol;
4) layering of the TCP flags dimension: the traffic is aggregated by level according to the URG, ACK, PSH, RST, SYN and FIN fields of the TCP flags.
7. The detection method according to claim 3, characterized in that in step 2 relative entropy is used to measure whether the network traffic is anomalous on a given dimension. Taking the SrcIP dimension as an example, suppose there are two traffic distributions P and Q on the SrcIP dimension with the same value space; their relative entropy is then
[formula: image not reproduced]
where SrcIP_P and SrcIP_Q denote the distribution on the SrcIP dimension of the current traffic to be detected and of the normal historical traffic respectively. Given a lower threshold and an upper threshold, if
[condition: image not reproduced]
i.e. the relative entropy falls outside the range between the two thresholds, the network traffic is judged anomalous on the SrcIP dimension; anomalies on the other dimensions are determined in the same way.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN2013100930650A | 2013-03-22 | 2013-03-22 | Network flow rate abnormity detection method based on multi-dimension layering relative entropy (CN103281293A, en)

Publications (1)

Publication Number | Publication Date
CN103281293A | 2013-09-04

Family

ID=49063740

Country Status (1)

Country | Link
CN | CN103281293A (en)

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103514398A (en) * 2013-10-18 2014-01-15 中国科学院信息工程研究所 Real-time online log detection method and system
CN104065748A (en) * 2014-07-10 2014-09-24 哈尔滨工程大学 Method for dynamically monitoring brittleness of distributed system
CN104079452A (en) * 2014-06-30 2014-10-01 电子科技大学 Data monitoring technology and network traffic abnormality classifying method
CN104394021A (en) * 2014-12-09 2015-03-04 中南大学 Network flow abnormity analysis method based on visualization clustering
CN104504233A (en) * 2014-11-14 2015-04-08 北京系统工程研究所 Method for abnormal recognition based on random sampling of multi-dimensional vector entropies
CN105071985A (en) * 2015-07-24 2015-11-18 四川大学 Server network behavior description method
CN105187451A (en) * 2015-10-09 2015-12-23 携程计算机技术(上海)有限公司 Website flow abnormity detection method and system
CN105306297A (en) * 2015-10-22 2016-02-03 清华大学 Network traffic anomaly detection method based on dual-parameter Tsallis entropy pair
CN105553787A (en) * 2016-03-01 2016-05-04 清华大学 Edge network exit network flow abnormality detection method and system based on Hadoop
CN105824906A (en) * 2016-03-15 2016-08-03 焦点科技股份有限公司 Quality assessment and entering method and system for IP library
CN106357434A (en) * 2016-08-30 2017-01-25 国家电网公司 Detection method, based on entropy analysis, of traffic abnormity of smart grid communication network
CN106357673A (en) * 2016-10-19 2017-01-25 中国科学院信息工程研究所 DDoS attack detecting method and DDoS attack detecting system of multi-tenant cloud computing system
CN103618651B (en) * 2013-12-11 2017-03-29 上海电机学院 It is a kind of based on comentropy and the network anomaly detection method and system of sliding window
CN106603497A (en) * 2016-11-15 2017-04-26 国家数字交换系统工程技术研究中心 Multi-granularity detection method of network space attack flow
CN107086944A (en) * 2017-06-22 2017-08-22 北京奇艺世纪科技有限公司 A kind of method for detecting abnormality and device
CN107276808A (en) * 2017-06-21 2017-10-20 北京华创网安科技股份有限公司 A kind of optimization method of Traffic Anomaly monitoring
CN107357712A (en) * 2017-07-17 2017-11-17 顺丰科技有限公司 A kind of verification certificate method for detecting abnormality, system and equipment
CN107508816A (en) * 2017-08-31 2017-12-22 杭州迪普科技股份有限公司 A kind of attack traffic means of defence and device
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection
CN108718257A (en) * 2018-05-23 2018-10-30 浙江大学 A kind of wireless camera detection and localization method based on network flow
CN109409042A (en) * 2018-08-23 2019-03-01 顺丰科技有限公司 A kind of user right distribution abnormality detection system, method, equipment and storage medium
CN109462521A (en) * 2018-11-26 2019-03-12 华北电力大学 A kind of network flow abnormal detecting method suitable for source net load interaction industrial control system
CN109726364A (en) * 2018-07-06 2019-05-07 平安科技(深圳)有限公司 Electricity consumption method for detecting abnormality, device, terminal and computer readable storage medium
CN110049004A (en) * 2019-03-03 2019-07-23 北京立思辰安科技术有限公司 The generation method of industry control environment flow white list baseline
CN110162969A (en) * 2018-10-08 2019-08-23 腾讯科技(深圳)有限公司 A kind of analysis method and device of flow
CN110572402A (en) * 2019-09-11 2019-12-13 国网湖南省电力有限公司 internet hosting website detection method and system based on network access behavior analysis and readable storage medium
CN111756708A (en) * 2020-06-09 2020-10-09 北京天空卫士网络安全技术有限公司 Method and device for detecting directional threat attack
CN111935145A (en) * 2020-08-10 2020-11-13 武汉思普崚技术有限公司 Hardware-independent method and system for realizing network flow security analysis
CN112261019A (en) * 2020-10-13 2021-01-22 中移(杭州)信息技术有限公司 Distributed denial of service attack detection method, device and storage medium
CN112448947A (en) * 2020-11-10 2021-03-05 奇安信科技集团股份有限公司 Network anomaly determination method, equipment and storage medium
CN112637224A (en) * 2020-12-28 2021-04-09 浙江工业大学 DDoS attack detection method based on subspace and relative entropy in autonomous system
CN112910825A (en) * 2019-11-19 2021-06-04 华为技术有限公司 Worm detection method and network equipment
CN113794733A (en) * 2021-09-26 2021-12-14 杭州安恒信息技术股份有限公司 Request processing method, device, equipment and storage medium
CN114124478A (en) * 2021-11-08 2022-03-01 湖南大学 Power system industrial control flow abnormity detection method and system
CN115086242A (en) * 2021-03-12 2022-09-20 天翼云科技有限公司 Encrypted data packet identification method and device and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645884A (en) * 2009-08-26 2010-02-10 西安理工大学 Multi-measure network abnormity detection method based on relative entropy theory
CN101795215A (en) * 2010-01-28 2010-08-04 哈尔滨工程大学 Network traffic anomaly detection method and detection device

CN107276808A (en) * 2017-06-21 2017-10-20 北京华创网安科技股份有限公司 A kind of optimization method of Traffic Anomaly monitoring
CN107086944A (en) * 2017-06-22 2017-08-22 北京奇艺世纪科技有限公司 A kind of method for detecting abnormality and device
CN107086944B (en) * 2017-06-22 2020-04-21 北京奇艺世纪科技有限公司 Anomaly detection method and device
CN107357712A (en) * 2017-07-17 2017-11-17 顺丰科技有限公司 A kind of verification certificate method for detecting abnormality, system and equipment
CN107357712B (en) * 2017-07-17 2020-09-25 顺丰科技有限公司 Order checking abnormity detection method, system and equipment
CN107508816A (en) * 2017-08-31 2017-12-22 杭州迪普科技股份有限公司 A kind of attack traffic means of defence and device
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection
CN108234524B (en) * 2018-04-02 2020-08-21 广州广电研究院有限公司 Method, device, equipment and storage medium for network data anomaly detection
CN108718257A (en) * 2018-05-23 2018-10-30 浙江大学 A kind of wireless camera detection and localization method based on network flow
CN109726364B (en) * 2018-07-06 2023-01-10 平安科技(深圳)有限公司 Power consumption abnormity detection method, device, terminal and computer readable storage medium
CN109726364A (en) * 2018-07-06 2019-05-07 平安科技(深圳)有限公司 Electricity consumption method for detecting abnormality, device, terminal and computer readable storage medium
CN109409042A (en) * 2018-08-23 2019-03-01 顺丰科技有限公司 A kind of user right distribution abnormality detection system, method, equipment and storage medium
CN109409042B (en) * 2018-08-23 2021-04-20 顺丰科技有限公司 User authority distribution abnormity detection system, method, equipment and storage medium
CN110162969A (en) * 2018-10-08 2019-08-23 腾讯科技(深圳)有限公司 A kind of analysis method and device of flow
CN109462521A (en) * 2018-11-26 2019-03-12 华北电力大学 A kind of network flow abnormal detecting method suitable for source net load interaction industrial control system
CN110049004A (en) * 2019-03-03 2019-07-23 北京立思辰安科技术有限公司 The generation method of industry control environment flow white list baseline
CN110572402A (en) * 2019-09-11 2019-12-13 国网湖南省电力有限公司 internet hosting website detection method and system based on network access behavior analysis and readable storage medium
CN110572402B (en) * 2019-09-11 2021-11-16 国网湖南省电力有限公司 Internet hosting website detection method and system based on network access behavior analysis and readable storage medium
CN112910825A (en) * 2019-11-19 2021-06-04 华为技术有限公司 Worm detection method and network equipment
CN112910825B (en) * 2019-11-19 2022-06-14 华为技术有限公司 Worm detection method and network equipment
CN111756708A (en) * 2020-06-09 2020-10-09 北京天空卫士网络安全技术有限公司 Method and device for detecting directional threat attack
CN111756708B (en) * 2020-06-09 2022-06-28 北京天空卫士网络安全技术有限公司 Method and device for detecting directional threat attack
CN111935145A (en) * 2020-08-10 2020-11-13 武汉思普崚技术有限公司 Hardware-independent method and system for realizing network flow security analysis
CN111935145B (en) * 2020-08-10 2021-05-25 武汉思普崚技术有限公司 Hardware-independent method and system for realizing network flow security analysis
CN112261019A (en) * 2020-10-13 2021-01-22 中移(杭州)信息技术有限公司 Distributed denial of service attack detection method, device and storage medium
CN112448947A (en) * 2020-11-10 2021-03-05 奇安信科技集团股份有限公司 Network anomaly determination method, equipment and storage medium
CN112448947B (en) * 2020-11-10 2022-10-28 奇安信科技集团股份有限公司 Network anomaly determination method, equipment and storage medium
CN112637224A (en) * 2020-12-28 2021-04-09 浙江工业大学 DDoS attack detection method based on subspace and relative entropy in autonomous system
CN115086242A (en) * 2021-03-12 2022-09-20 天翼云科技有限公司 Encrypted data packet identification method and device and electronic equipment
CN113794733A (en) * 2021-09-26 2021-12-14 杭州安恒信息技术股份有限公司 Request processing method, device, equipment and storage medium
CN114124478A (en) * 2021-11-08 2022-03-01 湖南大学 Power system industrial control flow abnormity detection method and system

Similar Documents

Publication Publication Date Title
CN103281293A (en) Network flow rate abnormity detection method based on multi-dimension layering relative entropy
Cui et al. SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks
Wang et al. An entropy-based distributed DDoS detection mechanism in software-defined networking
CN111935170B (en) Network abnormal flow detection method, device and equipment
US7623466B2 (en) Symmetric connection detection
US20190034631A1 (en) System and method for malware detection
KR101295708B1 (en) Apparatus for capturing traffic and apparatus, system and method for analyzing traffic
CN106357673A (en) DDoS attack detecting method and DDoS attack detecting system of multi-tenant cloud computing system
Tang et al. Performance and features: Mitigating the low-rate TCP-targeted DoS attack via SDN
Liu et al. The detection method of low-rate DoS attack based on multi-feature fusion
CN107302534A (en) A kind of DDoS network attack detecting methods and device based on big data platform
CN102821081A (en) Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
Ahmed et al. Filtration model for the detection of malicious traffic in large-scale networks
CN104092588B (en) A kind of exception flow of network detection method combined based on SNMP with NetFlow
CN105007175A (en) Openflow-based flow depth correlation analysis method and system
Tang et al. ADMS: An online attack detection and mitigation system for LDoS attacks via SDN
Hareesh et al. Anomaly detection system based on analysis of packet header and payload histograms
CN101316268B (en) Detection method and system for exception stream
Shamsolmoali et al. C2DF: High rate DDOS filtering method in cloud computing
CN104079452A (en) Data monitoring technology and network traffic abnormality classifying method
CN112055007B (en) Programmable node-based software and hardware combined threat situation awareness method
CN107864110A (en) Botnet main control end detection method and device
CN112235242A (en) C & C channel detection method and system
CN103269337A (en) Data processing method and device
Kaur et al. A novel multi scale approach for detecting high bandwidth aggregates in network traffic

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130904