CN104935570A - Network flow connection behavior characteristic analysis method based on network flow connection graph - Google Patents
Network flow connection behavior characteristic analysis method based on network flow connection graph Download PDFInfo
- Publication number
- CN104935570A CN104935570A CN201510192318.9A CN201510192318A CN104935570A CN 104935570 A CN104935570 A CN 104935570A CN 201510192318 A CN201510192318 A CN 201510192318A CN 104935570 A CN104935570 A CN 104935570A
- Authority
- CN
- China
- Prior art keywords
- node
- network
- network flow
- connection layout
- limit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network flow connection behavior characteristic analysis method based on a network flow connection graph. The method comprises that a node determination rule is set, and a node object is determined; a side generation rule is set, and a side interaction mode is determined; node filtering and grading rules are set, and main nodes are extracted and graded; side filtering and grading rules are set, and main sides are extracted and graded; and a network flow connection graph based on the port type amount and a network flow connection graph based on the network flow connection amount are generated, and the two connection graphs are combined to analyze the characteristics. According to the network flow connection behavior characteristic analysis method based on the network flow connection graph, large-scale communication network flow behavior can be comprehensively and accurately described in various graph forming manners, complex network scales at present can be adapted to, and the network flow behavior characteristics can be comprehensively and accurately extracted and analyzed.
Description
Technical field
The invention belongs to networks enjoy popularity is analysis technical field, and the network flow particularly relating to a kind of stream connection layout Network Based connects behavior characteristic analysis method.
Background technology
In a communication network, network flow refers to the packet sequence with certain particular community by Internet Transmission.Particular community can be determined according to the needs of research, and the stream information sequential polymerization as having identical five-tuple (source host IP address, destination host IP address, source host port numbers, destination host port numbers and communication protocol) becomes a network flow of bearer network information.
Network flow behavioural characteristic is often referred to the behavioural characteristic of wall scroll or many network flow performances, comprise application-level flow behavioural characteristic and transport layer stream behavioural characteristic, the analysis of application-level flow behavioural characteristic is not in research range of the present invention, and we discuss the connection behavioural characteristic of transport layer stream.Connection mode in the connection behavior Characterizations network of stream between entity, describes the interbehavior pattern between network entity, the interbehavior such as, in communication network between user, the relation etc. in social networks between object.By extracting the mutual connection features of main-machine communication, analyze the connection mode of network flow and build application behavior, the means such as model of connection trend of user and other network entities can obtain comprehensive and accurate communication network Flow Behavior feature and variation characteristic thereof, raising network management and monitoring tool are of great significance.
To be visual be networks enjoy popularity uses the figure of node and line composition to represent the interbehavior between communication network main frame, utilizes visualization technique the annexation between network host to be abstracted into figure on computer screen according to dissimilar Research Requirements.Due to the advantage that figure digging technology possesses in the portraying etc. of visual and connection mode, be generally employed for the annexation feature of portraying network flow.
Network traffics propagate figure (TDG): in 2007 by propositions such as MariosIliofotou and Michalis Faloutsos.TDG portrays the mutual flow propagation figure of different application between network host, and wherein network host is mapped as the node of figure, and the interbehavior between main frame is mapped as the limit of figure.
Network traffics activity diagram (TAG): in 2009 by Yu Jin, the people such as Esam Sharafuddin, Zhi-Li Zhang propose, and the node in TAG with TDG is similar to the definition on limit, but TAG is the directed graph that a nonoriented edge is formed, and directivity is embodied by intranet and extranet node.
Network traffics propagation figure and network traffics activity diagram can describe the annexation feature of different application behavior, but whole behavior annexation feature can not be summarized completely, there is the defect that mode of composition is single, comprise the aspects such as information is imperfect, signature analysis research means is not enough, therefore two kinds of figure cannot portray large-scale communication network network stream annexation accurately and efficiently.
Summary of the invention
Goal of the invention of the present invention is: in order to solve in prior art problems such as cannot portraying large-scale communication network network stream annexation accurately and efficiently, and the network flow that the present invention proposes a kind of stream connection layout Network Based connects behavior characteristic analysis method.
Technical scheme of the present invention is: a kind of network flow of stream connection layout Network Based connects behavior characteristic analysis method, comprises the following steps:
A, setting network stream connection layout node determine rule, determine the node object in network flow connection behavior;
B, setting network stream connection layout limit create-rule, determine the interactive mode on limit in network flow connection behavior;
C, setting network stream connection layout node filtering rule and classification rule, extract main node according to node filtering rule, and carry out classification according to node hierarchy rule to main node;
D, setting network stream connection layout limit filtering rule and classification rule, extract main limit according to limit filtering rule, and carry out classification according to limit classification rule to main limit;
E, generate multiple network stream connection layout according to the filtering rule on node and limit, in conjunction with multiple network stream connection layout, behavioural characteristic is connected to network flow and analyze.
Further, in described steps A, network flow connection layout node determines that rule is specially: using the communication unit in network service as node.
Further, in described step B, network flow connection layout limit create-rule is specially: the corresponding main node connected there being flow is linked to be a limit.
Further, described network flow connection layout node filtering rule is specially: setting Node B threshold, extracts node diagnostic attribute amount and is greater than the node of Node B threshold as main node.
Further, in described step C, network flow connection layout node hierarchy rule is specially: carry out grade classification according to node diagnostic attribute amount to main node, and the node for different stage carries out painted differentiation.
Further, in described step D, network flow connection layout limit filtering rule is specially: setting limit threshold value, extracts the limit that limit characteristic attribute amount is greater than limit threshold value, and retains the leaf node that this limit other end is less than Node B threshold.
Further, in described step D, network flow connection layout limit classification rule is specially: carry out grade classification according to limit characteristic attribute amount opposite side, the node for different stage carries out painted differentiation.
Further, generate multiple network stream connection layout in described step e and comprise generation based on the network flow connection layout of port species number and the network flow connection layout of stream linking number Network Based.
Further, described generation specifically comprises based on the network flow connection layout of port species number: first according to the setting of Node B threshold, extract the open main frame being greater than the port species number of Node B threshold, thus play the part of main servers in crawl network or enliven the node of client role, mutual by the port analyzed between them, determine the network flow behavioural characteristic between main node; Again according to the setting of limit threshold value, extract the leaf node with main node frequent activity, analyze the port interbehavior between them, to determine main node network flow behavioural characteristic in a network.
Further, the network flow connection layout of described generation stream linking number Network Based specifically comprises: first according to the setting of Node B threshold, be extracted into the main frame that flow or outflow number are greater than Node B threshold, thus the core node of high flow capacity in crawl network, by analyzing the flow connection features between them, determine the network flow behavioural characteristic between main node; Again according to the setting of limit threshold value, extract the leaf node with main node frequent activity, analyze flow between them and connect behavior, to determine main node network flow behavioural characteristic in a network.
The network flow of stream connection layout Network Based of the present invention connects behavior characteristic analysis method and has following beneficial effect:
(1) the present invention can the network of self adaptation different scales, is applicable to backbone communications, Small-scale LAN, size Large-scale enterprises net, large groupuscule social networks etc., has the very wide scope of application;
(2) the present invention is by setting node and limit filtering rule, has extracted the core texture in network, has removed the impact that irrelevant structure is brought, can portray its feature more accurately for different types of network flow, improves the accuracy of network flow classification;
(3) the present invention carries out classification by the characteristic attribute amount introducing network flow to node and limit, include the attribute of more Multi net voting stream in network flow connection layout, embody main node, secondary nodes in the drawings, thus the feature of more network stream can be depicted, more network flow is classified;
(4) improve the accuracy of abnormality detection, effectively can detect a greater variety of network flow abnormal behaviour.
Accompanying drawing explanation
Fig. 1 is that the network flow of stream connection layout Network Based of the present invention connects behavior characteristic analysis method schematic flow sheet.
Fig. 2 is the network traffics propagation figure generated according to the one-tenth figure mode of TDG in prior art.
Fig. 3 is the network flow connection layout that the present invention generates according to abnormal data.
Fig. 4 is the network flow connection layout that the present invention is based on port species number.
Fig. 5 is the network flow connection layout that the present invention is based on stream number of connection.
Embodiment
In order to make object of the present invention, technical scheme and advantage clearly understand, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein only in order to explain the present invention, be not intended to limit the present invention.
As shown in Figure 1, for the network flow of stream connection layout Network Based of the present invention connects behavior characteristic analysis method schematic flow sheet.The network flow of stream connection layout Network Based connects a behavior characteristic analysis method, comprises the following steps:
A, setting network stream connection layout node determine rule, determine the node object in network flow connection behavior;
B, setting network stream connection layout limit create-rule, determine the interactive mode on limit in network flow connection behavior;
C, setting network stream connection layout node filtering rule and classification rule, extract main node according to node filtering rule, and carry out classification according to node hierarchy rule to main node;
D, setting network stream connection layout limit filtering rule and classification rule, extract main limit according to limit filtering rule, and carry out classification according to limit classification rule to main limit;
E, generate multiple network stream connection layout according to the filtering rule on node and limit, in conjunction with multiple network stream connection layout, behavioural characteristic is connected to network flow and analyze.
Whole behavior annexation feature can not be summarized completely to solve network traffics propagation figure and network traffics activity diagram in prior art, there is the defect that mode of composition is single, comprise the aspects such as information is imperfect, signature analysis research means is not enough, therefore cannot portray the problem of the stream annexation of large-scale communication network network accurately and efficiently.The network flow that the present invention proposes a kind of stream connection layout Network Based connects behavior characteristic analysis method, large-scale communication network network Flow Behavior is portrayed all-sidedly and accurately by multiple one-tenth figure mode, thus adapt to current complicated network size, to realize comprehensively, extraction and analysis network flow behavioural characteristic exactly.
Network flow connection layout in the present invention refers to communication object in communication network for node, and between node is limit alternately, portrays the schematic diagram of interactive relation in network; Be specially by abstract for the communication entity in network be the node v in figure
i∈ V, if node i, has communication interaction then the node of correspondence to be linked to be a limit e between j
ij, and then introduce the attribute such as grade, the threshold value structure network flow connection layout G=<V on node, limit, E, V
g, E
g, W>, wherein e
gbe the grade on node and limit, W is the threshold value of figure, comprises Node B threshold and limit threshold value.
In step, need setting network stream connection layout interior joint really to establish rules then, node here determines that rule refers to the physical meaning of node in network flow connection layout, is specially using the communication unit in network service as node v
i, different network objects represents the communication unit in heterogeneous networks.Such as, communication object in communication network represents the IP address of a main frame, and the communication object of enterprise network refers to the employee of enterprise, and the communication object in social networks refers to user ID etc.Recycling node is established rules really, determines the node object in network flow connection behavior.Such as in a communication network, use the main frame having independent IP as a node; In social networks, by an interworking entity as a node.
In stepb, need the create-rule on limit in setting network stream connection layout, limit create-rule here refers to the concrete generation type of limit in network flow connection layout, is specially and the corresponding main node having flow to connect is linked to be a limit e
i,j.Such as generate a limit when two nodes produce TCP three-way handshake in a communication network or have flow to connect and just directly generate a limit; In enterprise network, between employee, there is communication interaction just can generate a limit.The interactive mode of limit representative in recycling limit create-rule determination network flow connection behavior.Such as in a communication network, between two main frames, there is flow to produce, then produce a limit between it; In social networks, if having mutual between two entities, then produce a limit in-between.In network flow connection layout, a limit can represent a stream, also can represent many streams.
In step C, need filtering rule and the classification rule of setting network stream connection layout interior joint, here node filtering rule refers to that according to the value of communication unit attribute in network be screening conditions, filters the node in network flow connection layout, is specially setting Node B threshold w
n, extract node diagnostic attribute amount and be greater than Node B threshold w
nnode as main node.Such as when the quantity that the stream that node converges connects arrives a certain value, just by node display in the drawings.Here node hierarchy rule refers to the attribute value of the filtering rule foundation according to node, grade classification is carried out to the node after filtering, node or the limit of different brackets is represented with different colors, be specially and carry out grade classification according to node diagnostic attribute amount to main node, the node for different stage carries out painted differentiation.Such as in an ip network, the port species number open according to node carries out classification, and the node that grade is high dark color, and the node that grade is low light color, and the port species number that color represents this node open is more deeply more.Extract main node according to node filtering rule again, and according to node hierarchy rule, classification is carried out to main node, be specially and produce Node B threshold w according to the characteristic attribute amount of node
n, extract characteristic attribute amount and be greater than w
nmain node, and to node every threshold value v
gcarry out classification, the node for different stage carries out painted to distinguish on visual.Port species number, network flow number of connection etc. in the characteristic attribute amount such as IP network of node here; Node B threshold w
nconcrete value can set according to research purpose; Threshold value v
gfor needing the parameter of carrying out divided rank according to nodal community amount according to difference research, such as Node B threshold is 1000, needs the network flow connection amount of node to be divided into 5 grades, then set v
g=200, thus the node producing 5 grades of flow within the scope of 1000-1200,1200-1400,1400-1600,1600-1800,1800+.
In step D, need filtering rule and the classification rule on limit in setting network stream connection layout, the filtering rule on limit here refers to the particular value of stream attribute representated by limit, and opposite side filters, and is specially setting limit threshold value w
e, extract limit characteristic attribute amount and be greater than limit threshold value w
elimit, and retain the leaf node of this limit other end.The destination node port numbers of network flow is such as utilized to screen the limit meeting certain port number, generate the network flow connection layout of different application kind, or when a network flow linking number arrives a certain threshold value, just produce a limit, the network flow connection layout of generating network stream linking number.The classification rule on limit here refers to the attribute value of the filtering rule foundation according to limit, grade classification is carried out to the limit after filtering, represent the limit of different brackets with different colors, be specially and carry out grade classification according to limit characteristic attribute amount opposite side, the node for different stage carries out painted differentiation.Extract main limit according to limit filtering rule again, and carry out classification according to limit classification rule to main limit, the characteristic attribute amount being specially the limit connected according to main node produces limit threshold value w
e, extract characteristic attribute amount and be greater than w
elimit, and retain the leaf node of this limit other end, and opposite side is every threshold value e
gcarry out classification, the limit for different stage is carried out painted to distinguish on visual.Characteristic attribute amount such as port species number, the network flow linking number etc. on limit here; Threshold value e
gfor needing the parameter of carrying out divided rank according to side attribute amount according to difference research, its setting means and threshold value v
gin like manner.
As shown in Figure 2, the network traffics propagation figure for generating according to the one-tenth figure mode of TDG in prior art.As shown in Figure 3, be the network flow connection layout that the present invention generates according to abnormal data, the present invention carries out grading extraction to node, retains stream connection amount and is greater than the node of 1000 and the network flow connection layout of leaf node thereof.By figure, we can draw:
(1) the network flow connection layout in abnormality detection after classification can extract by the main corporations attacked;
(2) for the network flow connection layout that normal data generates, classification is carried out to node and limit, the primary structure of this application can be highlighted, reach the object of more obvious traffic classification;
(3) network flow connection layout comprises multiple one-tenth chart-pattern, and different figure has contained a large amount of different information, has huge researching value;
The present invention can according to different w
n, w
esetting, make produced network flow connection layout adapt to the network of different scales.By the setting to threshold value, can reach the object extracting core node and connection, this stream for extensive, large data network connects behavioural analysis and has great importance.
In step e, generate multiple network stream connection layout and comprise generation based on the network flow connection layout of port species number and the network flow connection layout of stream linking number Network Based.According to point and the characteristic attribute amount determination port species number on limit, according to the basic create-rule generation of network flow connection layout based on the network flow connection layout of port kind, can be specially: first according to w in a communication network
nsetting, extract and open be greater than w
nthe main frame of port species number, thus capture in network the node of playing the part of main servers or enlivening client role, mutual by the port analyzed between them, determine the Flow Behavior feature between main node; Again according to w
esetting, extract and the leaf node of main node frequent activity, analyze the port interbehavior between them, to determine that main node Major Epidemic is in a network for feature.
As shown in Figure 4, for the present invention is based on the network flow connection layout of port species number.Wherein, data come from the OC-48 link stream statistics of five minutes that U.S. CAIDA organizes.According to the node that the network flow connection behavior characteristic analysis method extraction node open port species number of stream connection layout Network Based of the present invention is greater than 5000, and divide one-level every the port species number of 100, limit port species number is greater than 1000, i.e. w
n=5000, v
g=100, w
e=1000, e
g=0.Mark Node color according to grade, color is more deeply felt and is shown that port species number is more, the leaf node of dark node podomere point with thumb down screening conditions.By figure, we can draw:
(1) nodes that in proper network, open port number is high is not a lot, therefore network large-scale degeneracy can be easy to the abnormal behavior found out wherein;
(2) node IP that wherein open port species number is very high all belongs to large communication common carrier, if occur, the node open port kind of other kind IP is abnormal increases, then can be determined with the generation of abnormal behaviour;
(3) a large amount of information should be contained based on the network flow connection layout of port species number, there is higher researching value.
The network flow connection layout that the present invention is based on port species number can indicate the interbehavior in network between host port, to analyze in network behavioural characteristic between host application port, detects the mutual exception between associated port, as TCP etc.
Characteristic attribute amount according to point and limit is defined as flowing number of connection, can generate the network flow connection layout of stream linking number Network Based in a communication network, be specially: first according to w according to the basic one-tenth rule map of network flow connection layout
nsetting, flow can be extracted into or outflow number is greater than w
nmain frame, thus the core node of high flow capacity in network can being captured, by analyzing the flow connection features between them, determining the Flow Behavior feature between main node; Again according to w
esetting, extract and the leaf node of main node frequent activity, analyze flow between them and connect behavior, to determine main node Flow Behavior feature in a network.
As shown in Figure 5, for the present invention is based on the network flow connection layout of stream number of connection.Wherein, data come from the OC-48 link stream statistics of five minutes that U.S. CAIDA organizes.According to the node that the network flow connection behavior characteristic analysis method extraction node-flow number of connection of stream connection layout Network Based of the present invention is greater than 1000, and divide one-level every the connection amount of 100, limit stream number of connection is greater than 100, i.e. w
n=1000, v
g=100, w
e=100, e
g=0.Mark Node color according to grade, color is more deeply felt and is shown that stream number of connection is larger, the leaf node of dark node podomere point with thumb down screening conditions.By figure, we can draw:
(1) corporations in the lower left corner are abnormal corporations, and after IP inquiry, its Centroid for retaining IP, therefore infers that CAIDA utilizes telescope to test;
(2) this figure captures out the large discharge node in several network, be reserved address, and CAIDA is as the scientific research institution of American Network safety, uses reserved address to carry out experiment much;
(3) contain a large amount of network informations in this figure, we can carry out abnormality detection to utilize these network informations, the extraction of network flow behavioural characteristic and analysis, and the activity analysis of the main corporations of network, has higher researching value.
It is mutual that the network flow connection layout that the present invention is based on stream number of connection can indicate in network between main frame flow, to analyze in network the Flow Behavior feature flowing number of connection between main frame and show, detect associated flow increase suddenly or reduction etc. abnormal, as ALPHA throat floater etc.
The foundation of behavior feature database and the precision of abnormality detection are connected for network flow, a kind of network flow connection layout cannot completely and accurately embody, and therefore the present invention proposes to be combined by two network flow connection layouts thus connect behavioural characteristic to network flow to analyze.
Be foundation and the analysis of feature database to networks enjoy popularity, need network flow is gone to portray from different attribute aspects, the connection layout parameter attribute of such as network flow, the connection layout architectural feature of network flow, the port species characteristic of network flow, the traffic characteristics etc. of network flow, therefore, being feature database to comprehensively set up networks enjoy popularity, needing multiple network stream connection layout to synthesize; Namely identical original stream data is carried out to the process of different one-tenth figure mode, generate multiple network stream connection layout, intersection comparison wherein same node point, after extracting same node point, according to the network flow feature that network flow connection layout not of the same race reflects, feature database is set up to the Flow Behavior of these nodes, analyzes.
Network Abnormal Flow Behavior can reflect uncommon performance in a certain main stream feature, but the research of other attributes for network flow, can more accurately determine abnormal form, as TCP, its main manifestations is the port kind abnormal increase flowed between certain two node, but, due to the feature of its scanning, substantially be stream access port, so whether can be approximately integer to judge that whether this exception is for TCP according to the port species number between node or network fluxion.
Those of ordinary skill in the art will appreciate that, embodiment described here is to help reader understanding's principle of the present invention, should be understood to that protection scope of the present invention is not limited to so special statement and embodiment.Those of ordinary skill in the art can make various other various concrete distortion and combination of not departing from essence of the present invention according to these technology enlightenment disclosed by the invention, and these distortion and combination are still in protection scope of the present invention.
Claims (10)
1. the network flow of stream connection layout Network Based connects a behavior characteristic analysis method, it is characterized in that, comprises the following steps:
A, setting network stream connection layout node determine rule, determine the node object in network flow connection behavior;
B, setting network stream connection layout limit create-rule, determine the interactive mode on limit in network flow connection behavior;
C, setting network stream connection layout node filtering rule and classification rule, extract main node according to node filtering rule, and carry out classification according to node hierarchy rule to main node;
D, setting network stream connection layout limit filtering rule and classification rule, extract main limit according to limit filtering rule, and carry out classification according to limit classification rule to main limit;
E, generate multiple network stream connection layout according to the filtering rule on node and limit, in conjunction with multiple network stream connection layout, behavioural characteristic is connected to network flow and analyze.
2. the network flow of stream connection layout Network Based as claimed in claim 1 connects behavior characteristic analysis method, and it is characterized in that, in described steps A, network flow connection layout node determines that rule is specially: using the communication unit in network service as node.
3. the network flow of stream connection layout Network Based as claimed in claim 2 connects behavior characteristic analysis method, and it is characterized in that, in described step B, network flow connection layout limit create-rule is specially: the corresponding main node connected there being flow is linked to be a limit.
4. the network flow of stream connection layout Network Based as claimed in claim 2 connects behavior characteristic analysis method, it is characterized in that, described network flow connection layout node filtering rule is specially: setting Node B threshold, extracts node diagnostic attribute amount and is greater than the node of Node B threshold as main node.
5. the network flow of stream connection layout Network Based as claimed in claim 4 connects behavior characteristic analysis method, it is characterized in that, in described step C, network flow connection layout node hierarchy rule is specially: carry out grade classification according to node diagnostic attribute amount to main node, and the node for different stage carries out painted differentiation.
6. the network flow of stream connection layout Network Based as claimed in claim 3 connects behavior characteristic analysis method, it is characterized in that, in described step D, network flow connection layout limit filtering rule is specially: setting limit threshold value, extract the limit that limit characteristic attribute amount is greater than limit threshold value, and retain the leaf node that this limit other end is less than Node B threshold.
7. the network flow of stream connection layout Network Based as claimed in claim 6 connects behavior characteristic analysis method, it is characterized in that, in described step D, network flow connection layout limit classification rule is specially: carry out grade classification according to limit characteristic attribute amount opposite side, the node for different stage carries out painted differentiation.
8. the network flow of stream connection layout Network Based as claimed in claim 1 connects behavior characteristic analysis method, it is characterized in that, generate multiple network stream connection layout in described step e and comprise generation based on the network flow connection layout of port species number and the network flow connection layout of stream linking number Network Based.
9. the network flow of stream connection layout Network Based as claimed in claim 8 connects behavior characteristic analysis method, it is characterized in that, described generation specifically comprises based on the network flow connection layout of port species number: first according to the setting of Node B threshold, extract the open main frame being greater than the port species number of Node B threshold, thus play the part of main servers in crawl network or enliven the node of client role, mutual by the port analyzed between them, determine the network flow behavioural characteristic between main node; Again according to the setting of limit threshold value, extract the leaf node with main node frequent activity, analyze the port interbehavior between them, to determine main node network flow behavioural characteristic in a network.
10. the network flow of stream connection layout Network Based as claimed in claim 8 connects behavior characteristic analysis method, it is characterized in that, the network flow connection layout of described generation stream linking number Network Based specifically comprises: first according to the setting of Node B threshold, be extracted into the main frame that flow or outflow number are greater than Node B threshold, thus the core node of high flow capacity in crawl network, by analyzing the flow connection features between them, determine the network flow behavioural characteristic between main node; Again according to the setting of limit threshold value, extract the leaf node with main node frequent activity, analyze flow between them and connect behavior, to determine main node network flow behavioural characteristic in a network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510192318.9A CN104935570B (en) | 2015-04-22 | 2015-04-22 | Network flow connection behavioural characteristic analysis method based on network flow connection figure |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510192318.9A CN104935570B (en) | 2015-04-22 | 2015-04-22 | Network flow connection behavioural characteristic analysis method based on network flow connection figure |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104935570A true CN104935570A (en) | 2015-09-23 |
| CN104935570B CN104935570B (en) | 2017-12-01 |
Family
ID=54122542
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510192318.9A Active CN104935570B (en) | 2015-04-22 | 2015-04-22 | Network flow connection behavioural characteristic analysis method based on network flow connection figure |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104935570B (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106789346A (en) * | 2017-01-22 | 2017-05-31 | 中国人民解放军信息工程大学 | A kind of depth behavior correlating method based on user's connection figure |
| CN106941419A (en) * | 2017-03-13 | 2017-07-11 | 中国科学院深圳先进技术研究院 | The visual analysis method and system of network architecture and network communication mode |
| CN107070952A (en) * | 2017-05-27 | 2017-08-18 | 郑州云海信息技术有限公司 | A kind of network node Traffic Anomaly analysis method and system |
| CN107465543A (en) * | 2017-08-04 | 2017-12-12 | 郑州云海信息技术有限公司 | A kind of Characterizations method and system of network Flow Behavior |
| WO2018165823A1 (en) * | 2017-03-13 | 2018-09-20 | 中国科学院深圳先进技术研究院 | Visual analysis method and system for network architecture and network communication mode |
| CN109002856A (en) * | 2018-07-20 | 2018-12-14 | 西安交通大学 | A kind of traffic characteristic automatic generation method and system based on random walk |
| CN109040130A (en) * | 2018-09-21 | 2018-12-18 | 成都力鸣信息技术有限公司 | Mainframe network behavior pattern measure based on attributed relational graph |
| CN110147366A (en) * | 2019-05-05 | 2019-08-20 | 电子科技大学 | From the exceptional communication behavior visual analysis method of self-centeredness angle |
| CN112650968A (en) * | 2020-11-18 | 2021-04-13 | 天津大学 | Abnormal subgraph detection method based on abnormal alignment model for multiple networks |
| CN113704751A (en) * | 2021-08-31 | 2021-11-26 | 姜虎 | Vulnerability repairing method based on artificial intelligence decision and big data mining system |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103731357A (en) * | 2012-10-15 | 2014-04-16 | 中兴通讯股份有限公司 | Network topology determination method and device |
| EP2770688A1 (en) * | 2013-02-22 | 2014-08-27 | Alcatel Lucent | Method and apparatus for assessing the efficiency of rules of filtering devices protecting a network |
-
2015
- 2015-04-22 CN CN201510192318.9A patent/CN104935570B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103731357A (en) * | 2012-10-15 | 2014-04-16 | 中兴通讯股份有限公司 | Network topology determination method and device |
| EP2770688A1 (en) * | 2013-02-22 | 2014-08-27 | Alcatel Lucent | Method and apparatus for assessing the efficiency of rules of filtering devices protecting a network |
Non-Patent Citations (2)
| Title |
|---|
| YINGJIE ZHOU,ET.AL: "Network-Wide Anomaly Detection Based on Routers" Connection Relationships", 《IEICE TRANS.COMMUN.》 * |
| YINGJIE ZHOU,ET.AL: "Using Graph to Detect Network Traffic Anomaly", 《INTERNATIONAL CONFERENCE ON COMMUNICATIONS,CIRCUITS AND SYSTEMS,ICCCAS 2009》 * |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106789346A (en) * | 2017-01-22 | 2017-05-31 | 中国人民解放军信息工程大学 | A kind of depth behavior correlating method based on user's connection figure |
| CN106941419B (en) * | 2017-03-13 | 2019-12-06 | 中国科学院深圳先进技术研究院 | visual analysis method and system for network architecture and network communication mode |
| WO2018165823A1 (en) * | 2017-03-13 | 2018-09-20 | 中国科学院深圳先进技术研究院 | Visual analysis method and system for network architecture and network communication mode |
| CN106941419A (en) * | 2017-03-13 | 2017-07-11 | 中国科学院深圳先进技术研究院 | The visual analysis method and system of network architecture and network communication mode |
| US10833964B2 (en) | 2017-03-13 | 2020-11-10 | Shenzhen Institutes Of Advanced Technology Chinese Academy Of Sciences | Visual analytical method and system for network system structure and network communication mode |
| CN107070952A (en) * | 2017-05-27 | 2017-08-18 | 郑州云海信息技术有限公司 | A kind of network node Traffic Anomaly analysis method and system |
| CN107465543A (en) * | 2017-08-04 | 2017-12-12 | 郑州云海信息技术有限公司 | A kind of Characterizations method and system of network Flow Behavior |
| CN109002856A (en) * | 2018-07-20 | 2018-12-14 | 西安交通大学 | A kind of traffic characteristic automatic generation method and system based on random walk |
| CN109040130A (en) * | 2018-09-21 | 2018-12-18 | 成都力鸣信息技术有限公司 | Mainframe network behavior pattern measure based on attributed relational graph |
| CN109040130B (en) * | 2018-09-21 | 2020-12-22 | 成都力鸣信息技术有限公司 | Method for measuring host network behavior pattern based on attribute relation graph |
| CN110147366A (en) * | 2019-05-05 | 2019-08-20 | 电子科技大学 | From the exceptional communication behavior visual analysis method of self-centeredness angle |
| CN110147366B (en) * | 2019-05-05 | 2023-10-03 | 电子科技大学 | Visual analysis method for abnormal communication behavior from self-center angle |
| CN112650968A (en) * | 2020-11-18 | 2021-04-13 | 天津大学 | Abnormal subgraph detection method based on abnormal alignment model for multiple networks |
| CN112650968B (en) * | 2020-11-18 | 2022-07-12 | 天津大学 | Abnormal subgraph detection method based on abnormal alignment model for multiple networks |
| CN113704751A (en) * | 2021-08-31 | 2021-11-26 | 姜虎 | Vulnerability repairing method based on artificial intelligence decision and big data mining system |
| CN113704751B (en) * | 2021-08-31 | 2022-03-29 | 山东中关创业信息科技股份有限公司 | Vulnerability repairing method based on artificial intelligence decision and big data mining system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104935570B (en) | 2017-12-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104935570A (en) | Network flow connection behavior characteristic analysis method based on network flow connection graph | |
| Shittu et al. | Intrusion alert prioritisation and attack detection using post-correlation analysis | |
| DE60112044T2 (en) | DEVICE AND METHOD FOR ASSESSING THE LOSS OF NETWORK SECURITY | |
| Siganos et al. | Analyzing BGP policies: Methodology and tool | |
| CN108900541B (en) | System and method for sensing security situation of SDN (software defined network) of cloud data center | |
| CN102271090B (en) | Transport-layer-characteristic-based traffic classification method and device | |
| CN100361450C (en) | System for blocking off erotic images and unhealthy information in internet | |
| CN107896160B (en) | A kind of data center network flowmeter factor method based on distributed system | |
| CN107690776A (en) | For the method and apparatus that feature is grouped into the case for having selectable case border in abnormality detection | |
| CN107683586A (en) | Method and apparatus for rare degree of the calculating in abnormality detection based on cell density | |
| WO2022048668A1 (en) | Knowledge graph construction method and apparatus, check method and storage medium | |
| CN102611713A (en) | Entropy operation-based network intrusion detection method and device | |
| Boschetti et al. | TVi: A visual querying system for network monitoring and anomaly detection | |
| Shi et al. | Scalable network traffic visualization using compressed graphs | |
| CN103973589B (en) | Network traffic classification method and device | |
| CN106789242A (en) | A kind of identification application intellectual analysis engine based on mobile phone client software behavioral characteristics storehouse | |
| CN114598499B (en) | Network risk behavior analysis method combined with business application | |
| CN103425648B (en) | The disposal route of relation loop and system | |
| CN104021348A (en) | Real-time detection method and system of dormant P2P (Peer to Peer) programs | |
| CN112765313B (en) | False information detection method based on original text and comment information analysis algorithm | |
| CN109150920A (en) | A kind of attack detecting source tracing method based on software defined network | |
| CN103501302A (en) | Method and system for automatically extracting worm features | |
| CN108923954A (en) | A kind of network data visual analyzing and display systems | |
| Tilch et al. | A multilayer graph model of the internet topology | |
| Hu et al. | Graph analysis of network flow connectivity behaviors |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |