CN104579846B - Network flow abnormal detecting method based on adjustable segmentation entropy - Google Patents
- Publication number
- CN104579846B CN201510030470.7A
- Authority
- CN
- China
- Prior art keywords
- entropy
- sample space
- low probability
- high probability
- probability
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The present invention discloses a network traffic anomaly detection method based on adjustable segmentation entropy, suited to the anomaly detection needs of large-scale networks. The detection method comprises the following steps: choose an original sample space; using the adjustable segmentation entropy method, obtain the high-probability entropy of the high-probability sample space and the low-probability entropy of the low-probability sample space; judge separately whether the high-probability entropy and the low-probability entropy are abnormal: if the high-probability entropy is less than the predetermined high-probability entropy threshold, the high-probability entropy is abnormal, otherwise it is normal; if the low-probability entropy is greater than the predetermined low-probability entropy threshold, the low-probability entropy is abnormal, otherwise it is normal; determine that the sample space corresponding to an abnormal entropy is a network-traffic-anomaly sample space, i.e. judge that a network traffic anomaly has occurred at that time.
Description
Technical field
The present invention relates to a network traffic anomaly detection method based on adjustable segmentation entropy.
Background
Entropy-based network traffic anomaly detection is simple and effective, but because of the properties of entropy itself it has several problems in this application: it cannot overcome the influence of sharp fluctuations in the size of the sample space on the entropy value, which makes detection inaccurate; the entropy can only be obtained by computing over all samples, which makes detection insensitive for large sample spaces; and mixed anomalies cancel each other out in the entropy, so some hybrid attacks cannot be detected. Network traffic anomaly detection based on traditional entropy (Shannon entropy, Tsallis entropy, etc.) is therefore difficult to apply to networks with a huge number of terminals and pronounced traffic fluctuation.
Summary of the invention
In view of the above problems, the present invention provides a network traffic anomaly detection method based on adjustable segmentation entropy that overcomes the problems of traditional entropy in network traffic anomaly detection and meets the anomaly detection needs of large-scale networks.
To achieve the above object, the network traffic anomaly detection method based on adjustable segmentation entropy of the present invention comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing at least one element set within a time slice as a reference sample space;
For each reference sample space, obtaining the high-probability entropy and the low-probability entropy corresponding to that reference sample space by the adjustable segmentation entropy method;
Judging whether the time slice is abnormal:
If the high-probability entropy and the low-probability entropy corresponding to every reference sample space in the time slice are normal, the time slice is a network-normal time slice;
If the high-probability entropy and/or the low-probability entropy corresponding to at least one reference sample space in the time slice is abnormal, the time slice is a network-abnormal time slice;
Wherein the adjustable segmentation entropy method is specifically:
Dividing the elements of a reference sample space into a high-probability set and a low-probability set according to a probability threshold; the high-probability set combined with a set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating the entropy of the high-probability sample space and the entropy of the low-probability sample space respectively to obtain the high-probability entropy and the low-probability entropy corresponding to the reference sample space.
Further, the method for judging whether the high-probability entropy and the low-probability entropy corresponding to a reference sample space are abnormal is:
If the high-probability entropy is less than the high-probability entropy threshold, the high-probability entropy is abnormal; otherwise, the high-probability entropy is normal;
If the low-probability entropy is greater than the low-probability entropy threshold, the low-probability entropy is abnormal; otherwise, the low-probability entropy is normal.
Preferably, the reference sample spaces chosen in the time slice are specifically: the source IP sample space composed of source IPs, the destination IP sample space composed of destination IPs, the source port sample space composed of source ports and/or the destination port sample space composed of destination ports.
Further, the probability threshold, the number of virtual non-repeating elements, the high-probability entropy threshold and the low-probability entropy threshold are user-set values.
To achieve the above object, the method of the present invention for realizing adjustable segmentation entropy comprises:
Dividing the elements of a sample space into a high-probability set and a low-probability set according to a probability threshold; the high-probability set combined with a set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating the entropy of the high-probability sample space to obtain the high-probability entropy, and calculating the entropy of the low-probability sample space to obtain the low-probability entropy;
Wherein the segmentation entropy is made adjustable through the probability threshold and the number of virtual non-repeating elements.
The present invention overcomes the three major problems of traditional entropy in network traffic anomaly detection, meets the anomaly detection needs of large-scale networks, and allows the parameters to be set and adjusted according to the actual conditions of the network traffic.
Brief description of the drawings
Fig. 1 is a schematic diagram of the adjustable segmentation entropy pattern;
Fig. 2 shows the anomaly judgment method based on adjustable segmentation entropy.
Detailed description of the embodiments
The present invention is further described below with reference to the drawings.
As shown in Fig. 1, the adjustable segmentation entropy pattern is a general pattern for segmenting a traditional entropy; each traditional entropy can obtain its corresponding adjustable segmentation entropy from this pattern. First, the elements in the original sample space (A) are divided into a high-probability element set and a low-probability element set according to the user-set probability threshold (T). Then the high-probability element set is combined with a user-set number (N) of virtual non-repeating elements to form a new high-probability sample space (B), and the low-probability element set alone forms the low-probability sample space (C). Finally, the traditional entropy is applied to the high-probability sample space and the low-probability sample space separately: the high-probability sample space yields the high-probability entropy (E_H) and the low-probability sample space yields the low-probability entropy (E_L). The two parameters T and N are what make the segmentation entropy adjustable.
The adjustable segmentation entropy pattern is defined as follows:
If the traditional entropy computed over the original sample space (A) is written E = f(A), then the adjustable segmentation entropy is E_APE = <E_H, E_L>, where E_H = f(B) and E_L = f(C).
Step 1: Choose the sample space: select traffic data, divide it into non-uniform time slices and extract the corresponding traffic data within each time slice; for example, all source IPs / destination IPs / source ports / destination ports form an element sample space, and an element sample space may also be formed by combining other elements;
Step 2: Calculate the adjustable segmentation entropy: process this sample space according to the adjustable segmentation entropy pattern shown in Fig. 1 to obtain the high-probability entropy E_H and the low-probability entropy E_L;
Step 3: Entropy anomaly judgment, as shown in Fig. 2: if E_H is less than the preset threshold T1, E_H is judged abnormal; if E_L is greater than the preset threshold T2, E_L is judged abnormal;
Step 4: Traffic anomaly judgment: a sample space with an abnormal entropy value is judged to be a network-traffic-anomaly sample space, i.e. a network traffic anomaly is judged to have occurred at that time.
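Steps 2 to 4 can be exercised on a single time slice as follows. This is an added example, not code from the patent: it assumes Shannon entropy as the traditional entropy f, treats an element with probability >= T as high-probability, models each virtual non-repeating element as one extra element seen once, renormalises probabilities inside B and C, and uses constructed source-IP samples and constructed values for T, N, T1 and T2.

```python
import math
from collections import Counter


def shannon_entropy(counts):
    """Traditional entropy f: Shannon entropy (bits) over occurrence counts."""
    total = sum(counts)
    if total == 0:
        return 0.0  # assumption: an empty sample space contributes entropy 0
    return -sum((c / total) * math.log2(c / total) for c in counts if c > 0)


def segmented_entropy(elements, T, N, f=shannon_entropy):
    """Return (E_H, E_L) for one original sample space A."""
    freq = Counter(elements)
    total = sum(freq.values())
    # Split A by the probability threshold T (assumption: p >= T is "high").
    high = [c for c in freq.values() if c / total >= T]
    low = [c for c in freq.values() if c / total < T]
    # B = high-probability elements + N virtual non-repeating elements,
    # modelled as N extra elements seen once each (assumption).
    B = high + [1] * N
    C = low
    # Assumption: probabilities are renormalised inside B and inside C.
    return f(B), f(C)


def judge_space(elements, T, N, T1, T2):
    """Step 3: E_H abnormal if below T1, E_L abnormal if above T2."""
    e_h, e_l = segmented_entropy(elements, T, N)
    return {"E_H": e_h, "E_L": e_l,
            "E_H_abnormal": e_h < T1, "E_L_abnormal": e_l > T2}


def judge_time_slice(spaces, params):
    """Step 4: the slice is abnormal if any reference sample space is.

    spaces: name -> list of observed elements in this time slice
    params: name -> dict(T=..., N=..., T1=..., T2=...), set per space
    """
    results = {name: judge_space(elems, **params[name])
               for name, elems in spaces.items()}
    abnormal = any(r["E_H_abnormal"] or r["E_L_abnormal"]
                   for r in results.values())
    return abnormal, results


# Constructed parameters for the source IP sample space (not from the patent).
PARAMS = {"src_ip": dict(T=0.02, N=4, T1=2.0, T2=5.0)}


def constructed_source_ips(flood=False, spoofed=False):
    """Constructed sample: 8 busy hosts, 4 one-off hosts, optional anomalies."""
    ips = []
    for i in range(8):
        ips += [f"10.0.0.{i + 1}"] * 12           # regular talkers
    ips += [f"10.0.1.{i + 1}" for i in range(4)]  # background one-offs
    if flood:
        ips += ["192.0.2.99"] * 900               # one dominant source
    if spoofed:
        ips += [f"198.18.{i // 250}.{i % 250 + 1}" for i in range(400)]
    return ips


if __name__ == "__main__":
    cases = {
        "baseline": constructed_source_ips(),
        "flood": constructed_source_ips(flood=True),
        "spoofed": constructed_source_ips(spoofed=True),
        "mixed": constructed_source_ips(flood=True, spoofed=True),
    }
    for label, ips in cases.items():
        abnormal, res = judge_time_slice({"src_ip": ips}, PARAMS)
        r = res["src_ip"]
        print(f"{label:9s} E_H={r['E_H']:.3f} E_L={r['E_L']:.3f} "
              f"abnormal={abnormal}")
```

In the mixed slice both halves of the pair trip at once: the dominant source collapses E_H while the one-off sources inflate E_L, so neither effect hides the other.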
Embodiment 1
The network traffic anomaly detection method based on adjustable segmentation entropy of this embodiment comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing the source IP element set within the time slice as the reference sample space, i.e. the source IP sample space;
Dividing the elements of the source IP sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating the entropy of the high-probability sample space to obtain the high-probability entropy, and calculating the entropy of the low-probability sample space to obtain the low-probability entropy;
Judging whether the high-probability entropy and the low-probability entropy are abnormal:
The high-probability entropy is less than the set high-probability entropy threshold, so the high-probability entropy is abnormal;
The low-probability entropy is less than the set low-probability entropy threshold, so the low-probability entropy is normal;
Judging whether the time slice is abnormal:
At least one high-probability sample space entropy in the time slice is abnormal, so the time slice is a network-abnormal time slice.
Embodiment 2
The network traffic anomaly detection method based on adjustable segmentation entropy of this embodiment comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing the destination IP element set within the time slice as the reference sample space, i.e. the destination IP sample space;
Dividing the elements of the destination IP sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating the entropy of the high-probability sample space to obtain the high-probability entropy, and calculating the entropy of the low-probability sample space to obtain the low-probability entropy;
Judging whether the high-probability entropy and the low-probability entropy are abnormal:
The high-probability entropy is greater than the set high-probability entropy threshold, so the high-probability entropy is normal;
The low-probability entropy is greater than the set low-probability entropy threshold, so the low-probability entropy is abnormal;
Judging whether the time slice is abnormal: one low-probability sample space entropy in the time slice is abnormal, so the time slice is a network-abnormal time slice.
Embodiment 3
The network traffic anomaly detection method based on adjustable segmentation entropy of this embodiment comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing the source port element set within the time slice as the reference sample space, i.e. the source port sample space;
Dividing the elements of the source port sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating the entropy of the high-probability sample space to obtain the high-probability entropy, and calculating the entropy of the low-probability sample space to obtain the low-probability entropy;
Judging whether the high-probability entropy and the low-probability entropy are abnormal:
The high-probability entropy is greater than the set high-probability entropy threshold, so the high-probability entropy is normal;
The low-probability entropy is less than the set low-probability entropy threshold, so the low-probability entropy is normal;
Judging whether the time slice is abnormal: all high-probability and low-probability sample space entropies in the time slice are normal, so the time slice is a network-normal time slice.
Embodiment 4
The network traffic anomaly detection method based on adjustable segmentation entropy of this embodiment comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing the destination port element set within the time slice as the reference sample space, i.e. the destination port sample space;
Dividing the elements of the destination port sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating the entropy of the high-probability sample space to obtain the high-probability entropy, and calculating the entropy of the low-probability sample space to obtain the low-probability entropy;
Judging whether the high-probability entropy and the low-probability entropy are abnormal:
The high-probability entropy is equal to the set high-probability entropy threshold, so the high-probability entropy is abnormal;
The low-probability entropy is equal to the set low-probability entropy threshold, so the low-probability entropy is abnormal;
Judging whether the time slice is abnormal: all high-probability and low-probability sample space entropies in the time slice are abnormal, so the time slice is a network-abnormal time slice.
In the above embodiments, the high-probability entropy threshold and the low-probability entropy threshold are not one specific value. The entropy value against which the entropy of the high-probability sample space of a reference sample space is judged abnormal or not is called the high-probability entropy threshold, and the entropy value against which the entropy of the low-probability sample space of a reference sample space is judged abnormal or not is called the low-probability entropy threshold. The specific values of the high-probability entropy threshold and the low-probability entropy threshold are determined according to actual conditions.
Note: in each of the following embodiments at least two elements are selected, each forming a reference sample space. These elements are: source IP, destination IP, source port, destination port, etc. Each element forms a reference sample space on its own, and the high-probability sample space and low-probability sample space split from one reference sample space are independent of the high-probability and low-probability sample spaces of the other reference sample spaces. Each reference sample space also has its own high-probability entropy threshold and low-probability entropy threshold. For ease of distinction, the entropy value against which the entropy of the high-probability sample space of each reference sample space is judged abnormal or not is called the high-probability entropy threshold, and the entropy value against which the entropy of the low-probability sample space of each reference sample space is judged abnormal or not is called the low-probability entropy threshold; the actual values of the high-probability entropy threshold and low-probability entropy threshold of each reference sample space depend on actual conditions. The above also applies to embodiments in which at least two other elements, not enumerated in this specification, each form a reference sample space.
Embodiment 5
The network traffic anomaly detection method based on adjustable segmentation entropy of this embodiment comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing the source IP element set and the destination IP element set within the time slice to form two reference sample spaces, i.e. the source IP sample space and the destination IP sample space;
Dividing the elements of the source IP sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Dividing the elements of the destination IP sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating the entropy of the high-probability sample space corresponding to the source IP sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy;
Calculating the entropy of the high-probability sample space corresponding to the destination IP sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy;
Judging whether the two high-probability entropies and the two low-probability entropies are abnormal:
The high-probability entropy corresponding to the source IP sample space is greater than the set high-probability entropy threshold, so this high-probability entropy is normal;
The low-probability entropy corresponding to the source IP sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
The high-probability entropy corresponding to the destination IP sample space is less than the set high-probability entropy threshold, so this high-probability entropy is abnormal;
The low-probability entropy corresponding to the destination IP sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
Judging whether the time slice is abnormal: one high-probability entropy in the time slice is abnormal, so the time slice is a network-abnormal time slice.
Embodiment 6
The network traffic anomaly detection method based on adjustable segmentation entropy of this embodiment comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing the source IP element set, the destination IP element set and the source port element set within the time slice to form three reference sample spaces, i.e. the source IP sample space, the destination IP sample space and the source port sample space;
Dividing the elements of the source IP sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Dividing the elements of the destination IP sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Dividing the elements of the source port sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating, respectively: the entropy of the high-probability sample space corresponding to the source IP sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy; the entropy of the high-probability sample space corresponding to the destination IP sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy; the entropy of the high-probability sample space corresponding to the source port sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy;
Judging whether the three high-probability entropies and the three low-probability entropies are abnormal:
The high-probability entropy corresponding to the source IP sample space is greater than the set high-probability entropy threshold, so this high-probability entropy is normal;
The low-probability entropy corresponding to the source IP sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
The high-probability entropy corresponding to the destination IP sample space is greater than the set high-probability entropy threshold, so this high-probability entropy is normal;
The low-probability entropy corresponding to the destination IP sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
The high-probability entropy corresponding to the source port sample space is greater than the set high-probability entropy threshold, so this high-probability entropy is normal;
The low-probability entropy corresponding to the source port sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
Judging whether the time slice is abnormal: all high-probability and low-probability sample space entropies in the time slice are normal, so the time slice is a network-normal time slice.
Embodiment 7
The network traffic anomaly detection method based on adjustable segmentation entropy of this embodiment comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing the source IP element set, the destination IP element set, the source port element set and the destination port element set within the time slice to form four reference sample spaces, i.e. the source IP sample space, the destination IP sample space, the source port sample space and the destination port sample space;
Dividing the elements of the source IP sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Dividing the elements of the destination IP sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Dividing the elements of the source port sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Dividing the elements of the destination port sample space into a high-probability set and a low-probability set according to the probability threshold; the high-probability set combined with the set of virtual non-repeating elements forms the high-probability sample space, and the low-probability set forms the low-probability sample space;
Calculating, respectively: the entropy of the high-probability sample space corresponding to the source IP sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy; the entropy of the high-probability sample space corresponding to the destination IP sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy; the entropy of the high-probability sample space corresponding to the source port sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy; the entropy of the high-probability sample space corresponding to the destination port sample space to obtain its high-probability entropy, and the entropy of its low-probability sample space to obtain its low-probability entropy;
Judging whether the four high-probability entropies and the four low-probability entropies are abnormal:
The high-probability entropy corresponding to the source IP sample space is less than the set high-probability entropy threshold, so this high-probability entropy is abnormal;
The low-probability entropy corresponding to the source IP sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
The high-probability entropy corresponding to the destination IP sample space is greater than the set high-probability entropy threshold, so this high-probability entropy is normal;
The low-probability entropy corresponding to the destination IP sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
The high-probability entropy corresponding to the source port sample space is greater than the set high-probability entropy threshold, so this high-probability entropy is normal;
The low-probability entropy corresponding to the source port sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
The high-probability entropy corresponding to the destination port sample space is greater than the set high-probability entropy threshold, so this high-probability entropy is normal;
The low-probability entropy corresponding to the destination port sample space is less than the set low-probability entropy threshold, so this low-probability entropy is normal;
Judging whether the time slice is abnormal: the low-probability entropy corresponding to the destination IP sample space in the time slice is abnormal, so the time slice is a network-abnormal time slice.
Extension of the traffic anomaly judgment in Embodiment 7: a time slice that matches the features in Table 1 is judged to be a network-traffic-anomaly time slice. That is, if at least one of the high-probability entropy S-H and the low-probability entropy S-L in the time slice is abnormal, the time slice is abnormal.
Table 1
Embodiment 8
The method that the present embodiment realizes adjustable segmentation entropy, methods described include:
High probability set and low probability set are divided into according to probability threshold value to the element in sample space, in the high probability
Set and virtual not repeat element collection are combined into probability sample space, and the low probability collection is combined into low probability sample space;
The entropy for calculating described high probability space sample obtains high probability entropy, calculates described low probability space sample
Entropy obtains low probability entropy;
Wherein, the number realization for being segmented entropy by described probability threshold value and virtual not repeat element is adjustable.
In the various embodiments described above, judge whether high probability entropy corresponding to reference sample space and low probability entropy are abnormal
Method is:
If described high probability entropy be less than setting high probability entropy threshold, high probability entropy-value anomaly, otherwise, high probability
Entropy is normal;
If described low probability entropy be more than setting low probability entropy threshold, low probability entropy-value anomaly, otherwise, low probability
Entropy is normal.
In the various embodiments described above, the reference sample space chosen in the timeslice is specially:The source IP of source IP composition
Sample space, the purpose IP sample spaces of purpose IP compositions, the source port sample space and/or destination interface group of source port composition
Into destination interface sample space.
In the various embodiments described above, described probability threshold value, the virtual not number of repeat element, the high probability entropy threshold of setting
Value, setting low probability entropy threshold be user's setting value, and each reference sample space have each individually set it is general
Rate threshold value, the virtual not number of repeat element, high probability entropy threshold, low probability entropy threshold, the value of these values is according to specific feelings
Condition concrete decision.
The above are only preferred embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that can readily occur to a person skilled in the art within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the protection scope of the claims.
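The procedure described in the embodiments above, written out as an added example (not code from the patent): each reference sample space of a time slice is split by the probability threshold, the virtual non-repeating elements are added to the high probability side, and the two entropies are compared with their thresholds. Assumptions: Shannon entropy in bits, a `>=` comparison against the probability threshold, each virtual element counted once, and all parameter values, addresses and function names are constructed for illustration.

```python
import math
from collections import Counter

def shannon(counts):
    """Shannon entropy in bits of a sample space given as occurrence counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts)

def segmented_entropy(elements, prob_threshold, n_virtual):
    """Return (high_entropy, low_entropy) for one reference sample space.
    Assumed: 'high probability' means relative frequency >= prob_threshold,
    and each virtual non-repeating element joins the high space with count 1."""
    freq = Counter(elements)
    total = len(elements)
    high = [c for c in freq.values() if c / total >= prob_threshold]
    low = [c for c in freq.values() if c / total < prob_threshold]
    return shannon(high + [1] * n_virtual), shannon(low)

def judge_slice(flows, params):
    """Threshold tests for every sample space of one slice; [] means normal."""
    findings = []
    for feature, p in params.items():
        high, low = segmented_entropy([f[feature] for f in flows],
                                      p["prob_threshold"], p["n_virtual"])
        if high < p["high_min"]:      # high probability entropy too low
            findings.append((feature, "high"))
        if low > p["low_max"]:        # low probability entropy too high
            findings.append((feature, "low"))
    return findings

# Constructed parameters, set individually per sample space.
PARAMS = {
    "src_ip": {"prob_threshold": 0.05, "n_virtual": 4, "high_min": 1.5, "low_max": 5.0},
    "dst_ip": {"prob_threshold": 0.05, "n_virtual": 4, "high_min": 1.0, "low_max": 3.0},
}

def normal_slice():
    """Constructed slice: 10 clients x 10 flows spread over 4 servers."""
    return [{"src_ip": f"192.0.2.{c}", "dst_ip": f"198.51.100.{i % 4}"}
            for c in range(10) for i in range(10)]

def skewed_slice():
    """Constructed slice: normal flows plus 900 one-flow sources to one destination."""
    extra = [{"src_ip": f"10.{n // 250}.0.{n % 250}", "dst_ip": "198.51.100.0"}
             for n in range(900)]
    return normal_slice() + extra

if __name__ == "__main__":
    print(judge_slice(normal_slice(), PARAMS), judge_slice(skewed_slice(), PARAMS))
```

In the skewed slice no source reaches the probability threshold, so the source IP high probability space consists only of the four virtual elements and its entropy is exactly 2 bits; without them that entropy would be undefined for an empty space.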
Claims (5)
1. A network flow abnormal detecting method based on adjustable segmentation entropy, characterized in that the method comprises:
Obtaining traffic data, dividing the traffic data into uniform time slices, and choosing at least one element set in the time slice as a reference sample space;
For each reference sample space, obtaining the high probability entropy and the low probability entropy corresponding to the reference sample space based on the adjustable segmentation entropy method;
Judging whether the time slice is abnormal:
If the high probability entropy and the low probability entropy corresponding to every reference sample space in the time slice are normal, the time slice is a network-normal time slice;
If the high probability entropy and/or the low probability entropy corresponding to at least one reference sample space in the time slice is abnormal, the time slice is a network-abnormal time slice;
Wherein the adjustable segmentation entropy method is specifically:
Dividing the elements in a reference sample space into a high probability set and a low probability set according to a probability threshold, the high probability set and the set of virtual non-repeating elements together forming the high probability sample space, and the low probability set forming the low probability sample space;
Calculating the entropy of the high probability sample space and the entropy of the low probability sample space respectively to obtain the high probability entropy and the low probability entropy corresponding to the reference sample space;
The sample space includes: the source IP sample space composed of source IPs, the destination IP sample space composed of destination IPs, the source port sample space composed of source ports, and/or the destination port sample space composed of destination ports.
2. The network flow abnormal detecting method based on adjustable segmentation entropy according to claim 1, characterized in that the method for judging whether the high probability entropy and the low probability entropy corresponding to a reference sample space are abnormal is:
If the high probability entropy is less than the high probability entropy threshold, the high probability entropy is abnormal; otherwise, the high probability entropy is normal;
If the low probability entropy is greater than the low probability entropy threshold, the low probability entropy is abnormal; otherwise, the low probability entropy is normal.
3. The network flow abnormal detecting method based on adjustable segmentation entropy according to claim 1, characterized in that the reference sample space chosen in the time slice is specifically: the source IP sample space composed of source IPs, the destination IP sample space composed of destination IPs, the source port sample space composed of source ports, and/or the destination port sample space composed of destination ports.
4. The network flow abnormal detecting method based on adjustable segmentation entropy according to claim 1, characterized in that the probability threshold, the number of virtual non-repeating elements, the high probability entropy threshold and the low probability entropy threshold are user-set values.
5. A method for realizing adjustable segmentation entropy, characterized in that the method comprises:
Dividing the elements in a sample space into a high probability set and a low probability set according to a probability threshold, the high probability set and the set of virtual non-repeating elements together forming the high probability sample space, and the low probability set forming the low probability sample space;
Calculating the entropy of the high probability sample space to obtain the high probability entropy, and calculating the entropy of the low probability sample space to obtain the low probability entropy;
Wherein the segmentation entropy is made adjustable through the probability threshold and the number of virtual non-repeating elements;
The sample space includes: the source IP sample space composed of source IPs, the destination IP sample space composed of destination IPs, the source port sample space composed of source ports, and/or the destination port sample space composed of destination ports.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510030470.7A CN104579846B (en) | 2015-01-21 | Network flow abnormal detecting method based on adjustable segmentation entropy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104579846A (en) | 2015-04-29 |
CN104579846B (en) | 2018-02-09 |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101645884A (en) * | 2009-08-26 | 2010-02-10 | Xi'an University of Technology | Multi-measure network abnormity detection method based on relative entropy theory |
CN101917732A (en) * | 2010-07-16 | 2010-12-15 | Institute of Computing Technology, Chinese Academy of Sciences | Wireless flow judging method |
CN102904822A (en) * | 2012-10-22 | 2013-01-30 | Xi'an Jiaotong University | Hierarchical recognition method of VoIP (Voice Over Internet Protocol) network flow |
CN103560921A (en) * | 2013-11-19 | 2014-02-05 | Computer Network Information Center, Chinese Academy of Sciences | Method for merging network streaming data |
Non-Patent Citations (1)
Title |
---|
A Flow Based Anomaly Detection Method Using Entropy and Multiple Traffic Features; Shuying Chang, Xuesong Qiu, Zhipeng Gao et al.; 《Proceedings of IC-BNMT2010》; 20101231; entire document * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |