CN104935570B - Network flow connection behavioural characteristic analysis method based on network flow connection figure - Google Patents


Info

Publication number
CN104935570B
Authority
CN
China
Legal status
Active
Application number
CN201510192318.9A
Other languages
Chinese (zh)
Other versions
CN104935570A (en)
Inventor
胡光岷
翟学萌
胡航宇
Current Assignee
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management

Abstract

The invention discloses a method for analyzing network flow connection behavior features based on network flow connection graphs. It includes: setting a node determination rule and determining the node objects; setting an edge generation rule and determining the interaction mode of the edges; setting node filtering and grading rules, then extracting the main nodes and grading them; setting edge filtering and grading rules, then extracting the main edges and grading them; and generating a network flow connection graph based on port type count and a network flow connection graph based on network flow connection count, then analyzing network flow connection behavior features by combining the two graphs. By using multiple graph construction modes, the method characterizes the flow behavior of large-scale communication networks comprehensively and accurately, so that it adapts to today's complex network scales and extracts and analyzes network flow behavior features comprehensively and accurately.

Description

Network flow connection behavior feature analysis method based on network flow connection graph
Technical field
The invention belongs to the technical field of network flow behavior analysis, and in particular relates to a method for analyzing network flow connection behavior features based on network flow connection graphs.
Background
In a communication network, a network flow is a sequence of packets with certain specific attributes transmitted over the network. The specific attributes can be chosen according to the needs of the research; for example, packets with the same five-tuple (source host IP address, destination host IP address, source host port number, destination host port number and communication protocol) are aggregated in time order into one network flow that carries network information.
Network flow behavior features usually refer to the behavior features exhibited by a single network flow or by multiple network flows, including application-layer flow behavior features and transport-layer flow behavior features. Analysis of application-layer flow behavior features is outside the scope of the present invention; we discuss the connection behavior features of transport-layer flows. The connection behavior features of flows characterize the connection patterns between entities in a network and describe the interaction behavior patterns between network entities, such as the interaction between users in a communication network or the relationships between objects in a social network. By extracting the connection features of host communication interactions, and by analyzing the connection patterns and structure of network flows and the connection trends of application behaviors, users and other network entities, comprehensive and accurate flow behavior features of a communication network and their variation can be obtained, which is of great significance for improving network management and monitoring tools.
Visualization of network flow behavior uses graphs composed of nodes and lines to represent the interaction behavior between hosts in a communication network; using visualization techniques, the connection relationships between network hosts are abstracted, according to different research needs, into graphs on a computer screen. Because of the advantages graph mining techniques have in visualization and in characterizing connection patterns, they are widely used to characterize the connection relationship features of network flows.
Network traffic dispersion graph (TDG): proposed in 2007 by Marios Iliofotou, Michalis Faloutsos and others. TDG is a traffic dispersion graph that depicts the interaction of different applications between network hosts; network hosts are mapped to the nodes of the graph, and the interaction behavior between hosts is mapped to its edges.
Network traffic activity graph (TAG): proposed in 2009 by Yu Jin, Esam Sharafuddin, Zhi-Li Zhang and others. The definitions of nodes and edges in TAG are similar to those in TDG, but TAG is a directed graph formed of undirected edges, with directionality embodied by internal-network and external-network nodes.
Traffic dispersion graphs and traffic activity graphs can describe the connection relationship features of different application behaviors, but they cannot fully summarize all behavior connection relationship features. They suffer from defects such as a single graph construction mode, incomplete information, and insufficient means of feature analysis, so neither graph can characterize the flow connection relationships of large-scale communication networks accurately and efficiently.
Summary of the invention
The object of the present invention is as follows: to solve problems in the prior art such as the inability to characterize the flow connection relationships of large-scale communication networks accurately and efficiently, the present invention proposes a method for analyzing network flow connection behavior features based on network flow connection graphs.
The technical solution of the present invention is a method for analyzing network flow connection behavior features based on network flow connection graphs, comprising the following steps:
A. Set the node determination rule of the network flow connection graph, and determine the node objects in network flow connection behavior;
B. Set the edge generation rule of the network flow connection graph, and determine the interaction mode of edges in network flow connection behavior;
C. Set the node filtering rule and grading rule of the network flow connection graph, extract the main nodes according to the node filtering rule, and grade the main nodes according to the node grading rule;
D. Set the edge filtering rule and grading rule of the network flow connection graph, extract the main edges according to the edge filtering rule, and grade the main edges according to the edge grading rule;
E. Generate multiple network flow connection graphs according to the node and edge filtering rules, and analyze network flow connection behavior features by combining the multiple network flow connection graphs.
Further, the node determination rule of the network flow connection graph in step A is specifically: communication units in network communication are taken as nodes.
Further, the edge generation rule of the network flow connection graph in step B is specifically: corresponding main nodes that have a flow connection are joined by an edge.
Further, the node filtering rule of the network flow connection graph is specifically: set a node threshold, and extract the nodes whose node feature attribute value is greater than the node threshold as main nodes.
Further, the node grading rule of the network flow connection graph in step C is specifically: grade the main nodes according to node feature attribute value, and distinguish nodes of different grades by color.
Further, the edge filtering rule of the network flow connection graph in step D is specifically: set an edge threshold, extract the edges whose edge feature attribute value is greater than the edge threshold, and retain the leaf nodes at the other end of the edge that are below the node threshold.
Further, the edge grading rule of the network flow connection graph in step D is specifically: grade the edges according to edge feature attribute value, and distinguish edges of different grades by color.
Further, generating multiple network flow connection graphs in step E includes generating a network flow connection graph based on port type count and a network flow connection graph based on network flow connection count.
Further, generating the network flow connection graph based on port type count specifically includes: first, according to the node threshold setting, extract the hosts whose number of open port types is greater than the node threshold, thereby capturing the nodes that play the role of main servers or active clients in the network, and determine the network flow behavior features between main nodes by analyzing the port interactions between them; then, according to the edge threshold setting, extract the leaf nodes that interact frequently with the main nodes, and analyze the port interaction behavior between them to determine the network flow behavior features of the main nodes in the network.
Further, generating the network flow connection graph based on network flow connection count specifically includes: first, according to the node threshold setting, extract the hosts whose inbound or outbound flow count is greater than the node threshold, thereby capturing the high-traffic core nodes in the network, and determine the network flow behavior features between main nodes by analyzing the traffic connection features between them; then, according to the edge threshold setting, extract the leaf nodes that interact frequently with the main nodes, and analyze the traffic connection behavior between them to determine the network flow behavior features of the main nodes in the network.
The method of the present invention for analyzing network flow connection behavior features based on network flow connection graphs has the following beneficial effects:
(1) the invention adapts to networks of different scales; it is suitable for backbone communication networks, small local area networks, enterprise networks large and small, large and small social networks, and so on, and has a very wide range of use;
(2) by setting node and edge filtering rules, the invention extracts the core structure of the network and removes the influence of irrelevant structure, so it can characterize different types of network flows more accurately and improve the accuracy of network flow classification;
(3) by introducing feature attribute values of network flows to grade nodes and edges, the invention incorporates more network flow attributes into the network flow connection graph and shows main and secondary nodes in the graph, thereby depicting more network flow features and classifying more network flows;
(4) the accuracy of anomaly detection is improved, and more kinds of abnormal network flow behavior can be detected effectively.
Brief description of the drawings
Fig. 1 is a flow diagram of the method of the present invention for analyzing network flow connection behavior features based on network flow connection graphs.
Fig. 2 is a traffic dispersion graph generated using the prior-art TDG graph construction mode.
Fig. 3 is a network flow connection graph generated by the present invention from abnormal data.
Fig. 4 is a network flow connection graph of the present invention based on port type count.
Fig. 5 is a network flow connection graph of the present invention based on flow connection count.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and do not limit it.
Fig. 1 shows the flow diagram of the method of the present invention for analyzing network flow connection behavior features based on network flow connection graphs. The method comprises the following steps:
A. Set the node determination rule of the network flow connection graph, and determine the node objects in network flow connection behavior;
B. Set the edge generation rule of the network flow connection graph, and determine the interaction mode of edges in network flow connection behavior;
C. Set the node filtering rule and grading rule of the network flow connection graph, extract the main nodes according to the node filtering rule, and grade the main nodes according to the node grading rule;
D. Set the edge filtering rule and grading rule of the network flow connection graph, extract the main edges according to the edge filtering rule, and grade the main edges according to the edge grading rule;
E. Generate multiple network flow connection graphs according to the node and edge filtering rules, and analyze network flow connection behavior features by combining the multiple network flow connection graphs.
The prior-art traffic dispersion graph and traffic activity graph cannot fully summarize all behavior connection relationship features, and suffer from defects such as a single graph construction mode, incomplete information, and insufficient means of feature analysis, so they cannot accurately and efficiently characterize the flow connection relationships of large-scale communication networks. To solve this problem, the present invention proposes a method for analyzing network flow connection behavior features based on network flow connection graphs, which characterizes large-scale communication network flow behavior comprehensively and accurately using multiple graph construction modes, so as to adapt to today's complex network scales and to extract and analyze network flow behavior features comprehensively and accurately.
The network flow connection graph in the present invention is a diagram of the interaction relationships in a network, in which the communication objects of the communication network are the nodes and the interactions between nodes are the edges. Specifically, the communication entities in the network are abstracted as nodes $v_i \in V$ of the graph; if there is communication interaction between nodes $i$ and $j$, the corresponding nodes are joined by an edge $e_{ij}$; attributes such as the grades and thresholds of nodes and edges are then introduced to build the network flow connection graph $G = \langle V, E, V_G, E_G, W \rangle$, where $V_G$ and $E_G$ are the grades of the nodes and edges, and $W$ is the thresholds of the graph, including the node threshold and the edge threshold.
In step A, the node determination rule of the network flow connection graph must be set. The node determination rule here refers to the physical meaning of a node in the network flow connection graph; specifically, communication units in network communication are taken as nodes $v_i$, and different network objects represent the communication units of different networks. For example, the communication object in a communication network is the IP address representing a host, the communication object in an enterprise network is an employee of the enterprise, and the communication object in a social network is a user ID. The node determination rule is then used to determine the node objects in network flow connection behavior. For example, in a communication network a host with an independent IP is used as a node; in a social network an interacting entity is used as a node.
In step B, the edge generation rule of the network flow connection graph must be set. The edge generation rule here refers to the specific way an edge is formed in the network flow connection graph; specifically, corresponding main nodes that have a flow connection are joined by an edge $e_{i,j}$. For example, in a communication network an edge may be generated when two nodes complete a TCP three-way handshake, or generated directly whenever there is a flow connection; in an enterprise network an edge is generated whenever there is communication interaction between employees. The edge generation rule is then used to determine the interaction mode that an edge represents in network flow connection behavior. For example, in a communication network, if traffic occurs between two hosts, an edge is produced between them; in a social network, if two entities interact, an edge is produced between them. In a network flow connection graph an edge can represent one flow or multiple flows.
In step C, the node filtering rule and grading rule of the network flow connection graph must be set. The node filtering rule here means filtering the nodes of the network flow connection graph using the value of a communication unit attribute as the screening condition; specifically, a node threshold $w_N$ is set, and the nodes whose node feature attribute value is greater than $w_N$ are extracted as main nodes. For example, a node is included in the graph only when the number of flow connections converging on it reaches a certain value. The node grading rule here means grading the filtered nodes according to the attribute value on which the node filtering rule is based, with different colors representing nodes or edges of different grades; specifically, the main nodes are graded according to node feature attribute value, and nodes of different grades are distinguished by color. For example, in an IP network, nodes are graded by the number of port types they open; high-grade nodes are dark and low-grade nodes are light, and the darker the color, the more port types the node opens.
The main nodes are then extracted according to the node filtering rule and graded according to the node grading rule. Specifically, the node threshold $w_N$ is derived from the feature attribute value of the nodes, the main nodes whose feature attribute value is greater than $w_N$ are extracted, and the nodes are graded in steps of the threshold $v_G$; nodes of different grades are colored so that they can be told apart in the visualization. The node feature attribute value here is, for example, the port type count or the network flow connection count in an IP network. The specific value of the node threshold $w_N$ can be set according to the research purpose. The threshold $v_G$ is the parameter used to divide grades by node attribute value according to different research needs. For example, if the node threshold is 1000 and the network flow connection count of the nodes must be divided into 5 grades, then set $v_G = 200$, which produces nodes of 5 grades with flow counts in the ranges 1000-1200, 1200-1400, 1400-1600, 1600-1800 and 1800+.
In step D, the edge filtering rule and grading rule of the network flow connection graph must be set. The edge filtering rule here means filtering the edges by a specific value of the flow attribute that the edge represents; specifically, an edge threshold $w_E$ is set, the edges whose edge feature attribute value is greater than $w_E$ are extracted, and the leaf node at the other end of the edge is retained. For example, the destination port number of network flows can be used to select the edges that match certain port numbers, generating network flow connection graphs for different kinds of application; or an edge can be produced only when the number of network flow connections reaches a certain threshold, generating a network flow connection graph of network flow connection counts. The edge grading rule here means grading the filtered edges according to the attribute value on which the edge filtering rule is based, with different colors representing edges of different grades; specifically, the edges are graded according to edge feature attribute value, and edges of different grades are distinguished by color. The main edges are then extracted according to the edge filtering rule and graded according to the edge grading rule. Specifically, the edge threshold $w_E$ is derived from the feature attribute value of the edges connected to the main nodes, the edges whose feature attribute value is greater than $w_E$ are extracted, the leaf node at the other end of each such edge is retained, and the edges are graded in steps of the threshold $e_G$; edges of different grades are colored so that they can be told apart in the visualization. The edge feature attribute value here is, for example, the port type count or the network flow connection count. The threshold $e_G$ is the parameter used to divide grades by edge attribute value according to different research needs; it is set in the same way as the threshold $v_G$.
Fig. 2 shows a traffic dispersion graph generated using the prior-art TDG graph construction mode. Fig. 3 shows a network flow connection graph generated by the present invention from abnormal data: the invention applies graded extraction to the nodes, retaining the nodes whose flow connection count is greater than 1000 together with their leaf nodes. From the figure we can conclude:
(1) in anomaly detection, the graded network flow connection graph can extract the main communities involved in the attack;
(2) for a network flow connection graph generated from normal data, grading the nodes and edges highlights the primary structure of the application and makes flow classification more distinct;
(3) network flow connection graphs include multiple graph construction modes, and different graphs contain a large amount of different information, which has great research value.
According to different settings of $w_N$ and $w_E$, the present invention makes the generated network flow connection graph adapt to networks of different scales. By setting the thresholds, the core nodes and connections can be extracted, which is of great significance for flow connection behavior analysis of large-scale, big-data networks.
In step E, generating multiple network flow connection graphs includes generating a network flow connection graph based on port type count and a network flow connection graph based on network flow connection count. With the feature attribute value of nodes and edges defined as port type count, a network flow connection graph based on port types can be generated in a communication network according to the basic generation rules of the network flow connection graph, specifically: first, according to the setting of $w_N$, extract the hosts that open more than $w_N$ port types, thereby capturing the nodes that play the role of main servers or active clients in the network, and determine the flow behavior features between main nodes by analyzing the port interactions between them; then, according to the setting of $w_E$, extract the leaf nodes that interact frequently with the main nodes, and analyze the port interaction behavior between them to determine the main flow behavior features of the main nodes in the network.
Fig. 4 shows the network flow connection graph of the present invention based on port type count. The data are five minutes of OC-48 link flow statistics from the US organization CAIDA. Using the method of the present invention, the nodes whose number of open port types is greater than 5000 are extracted and graded in steps of 100 port types, and the edges kept are those whose port type count is greater than 1000, i.e. $w_N = 5000$, $v_G = 100$, $w_E = 1000$, $e_G = 0$. Nodes are colored by grade; the darker the color, the more port types; the dark nodes are leaf nodes that do not satisfy the node screening condition. From the figure we can conclude:
(1) in a normal network there are not many nodes with a high number of open ports, so the network can be simplified substantially and abnormal behavior in it is easy to find;
(2) the node IPs with a very high number of open port types belong to large telecommunications carriers; if the number of open port types of nodes with other kinds of IP increases abnormally, abnormal behavior can be judged to have occurred;
(3) this network flow connection graph based on port type count contains a large amount of information and has high research value.
The network flow connection graph of the present invention based on port type count can represent the interaction behavior between host ports in a network, so as to analyze the behavior features between host application ports and to detect anomalies related to the interaction between ports, such as port scanning.
With the feature attribute value of nodes and edges defined as flow connection count, a network flow connection graph based on network flow connection count can be generated in a communication network according to the basic generation rules of the network flow connection graph, specifically: first, according to the setting of $w_N$, extract the hosts whose inbound or outbound flow count is greater than $w_N$, thereby capturing the high-traffic core nodes in the network, and determine the flow behavior features between main nodes by analyzing the traffic connection features between them; then, according to the setting of $w_E$, extract the leaf nodes that interact frequently with the main nodes, and analyze the traffic connection behavior between them to determine the flow behavior features of the main nodes in the network.
Fig. 5 shows the network flow connection graph of the present invention based on flow connection count. The data are five minutes of OC-48 link flow statistics from the US organization CAIDA. Using the method of the present invention, the nodes whose flow connection count is greater than 1000 are extracted and graded in steps of 100 connections, and the edges kept are those whose flow connection count is greater than 100, i.e. $w_N = 1000$, $v_G = 100$, $w_E = 100$, $e_G = 0$. Nodes are colored by grade; the darker the color, the larger the flow connection count; the dark nodes are leaf nodes that do not satisfy the node screening condition. From the figure we can conclude:
(1) the community in the lower-left corner is an abnormal community; after looking up the IP, its central node is a reserved IP, inferred to be CAIDA testing with its telescope;
(2) the graph captures several high-traffic nodes in the network, all of them reserved addresses; CAIDA, as a US network security research institution, runs many tests with reserved addresses;
(3) the graph contains a large amount of network information, which we can use for anomaly detection, for extracting and analyzing network flow behavior features, and for analyzing the activity of the main communities in the network, so it has high research value.
The network flow connection graph of the present invention based on flow connection count can represent the traffic interaction between hosts in a network, so as to analyze the flow behavior features shown by the flow connection counts between hosts and to detect anomalies such as sudden increases or decreases of traffic, for example ALPHA flow anomalies.
For building a network flow connection behavior feature library and for the precision of anomaly detection, a single kind of network flow connection graph cannot represent the behavior completely and accurately; the present invention therefore proposes combining the two network flow connection graphs to analyze network flow connection behavior features.
Building and analyzing a network flow behavior feature library requires characterizing network flows in terms of different attributes, such as the connection graph parameter features, the connection graph structural features, the port type features and the traffic features of network flows. Therefore, to build the library comprehensively, multiple network flow connection graphs must be combined: the same raw flow data are processed with different graph construction modes to generate multiple network flow connection graphs; the nodes they share are cross-compared; and after the shared nodes are extracted, a feature library of the flow behavior of these nodes is built and analyzed according to the network flow features reflected by the different kinds of network flow connection graph.
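The following added example (not code from the patent) sketches steps A to E and the cross-comparison of shared nodes in Python, run on constructed flow records. The function names, the undirected edge keys, and the choice to count a host's port types as the distinct destination ports on flows touching it are assumptions made for illustration.

```python
from collections import defaultdict


def grade(value, threshold, step, max_grade=None):
    """Grade 1 starts just above the threshold; each further step adds one grade."""
    g = (value - threshold) // step + 1 if step else 1  # step 0 means no grading
    return min(g, max_grade) if max_grade else g


def build_connection_graph(flows, attribute, w_n, v_g, w_e, e_g=0):
    """Build one network flow connection graph from (src, dst, dst_port) records.

    attribute : "flows" (flow connection count) or "ports" (port type count)
    w_n, v_g  : node threshold and node grade step
    w_e, e_g  : edge threshold and edge grade step (0 = edges are not graded)
    Returns {"nodes": {host: grade}, "edges": {(u, v): grade}}; leaf nodes get grade 0.
    """
    if attribute not in ("flows", "ports"):
        raise ValueError("attribute must be 'flows' or 'ports'")
    inbound, outbound = defaultdict(int), defaultdict(int)
    node_ports, edge_ports = defaultdict(set), defaultdict(set)
    edge_flows = defaultdict(int)
    # Steps A and B: hosts are nodes, any flow between two hosts creates an edge.
    for src, dst, port in flows:
        outbound[src] += 1
        inbound[dst] += 1
        node_ports[src].add(port)
        node_ports[dst].add(port)
        key = tuple(sorted((src, dst)))  # assumption: undirected edge
        edge_flows[key] += 1
        edge_ports[key].add(port)
    hosts = set(inbound) | set(outbound)
    if attribute == "flows":
        # "inbound or outbound flow count greater than w_N" == max(in, out) > w_N
        node_attr = {h: max(inbound[h], outbound[h]) for h in hosts}
        edge_attr = dict(edge_flows)
    else:
        node_attr = {h: len(node_ports[h]) for h in hosts}
        edge_attr = {k: len(p) for k, p in edge_ports.items()}
    # Step C: keep main nodes (attribute > w_N) and grade them in steps of v_G.
    nodes = {h: grade(a, w_n, v_g) for h, a in node_attr.items() if a > w_n}
    main = set(nodes)
    # Step D: keep edges above w_E that touch a main node; retain the leaf end.
    edges = {}
    for (u, v), a in edge_attr.items():
        if a > w_e and (u in main or v in main):
            edges[(u, v)] = grade(a, w_e, e_g)
            nodes.setdefault(u, 0)
            nodes.setdefault(v, 0)
    return {"nodes": nodes, "edges": edges}


def shared_main_nodes(flow_graph, port_graph):
    """Step E: cross-compare the graphs and profile nodes that are main in both."""
    shared = {}
    for host, fg in flow_graph["nodes"].items():
        pg = port_graph["nodes"].get(host, 0)
        if fg > 0 and pg > 0:
            shared[host] = {"flow_grade": fg, "port_grade": pg}
    return shared


def sample_flows():
    """Constructed records: six clients of one HTTPS server, plus one host pair
    whose flows each go to a different port (one flow per port)."""
    flows = []
    for k in range(1, 7):
        flows += [(f"10.0.1.{k}", "10.0.0.1", 443)] * (2 * k)
    flows += [("10.0.0.66", "10.0.0.9", port) for port in range(1, 31)]
    return flows


if __name__ == "__main__":
    data = sample_flows()
    flow_graph = build_connection_graph(data, "flows", w_n=20, v_g=10, w_e=5)
    port_graph = build_connection_graph(data, "ports", w_n=10, v_g=10, w_e=5)
    print("flow-count graph:", flow_graph)
    print("port-type graph :", port_graph)
    print("shared main nodes:", shared_main_nodes(flow_graph, port_graph))
```

On the constructed data the server 10.0.0.1 is a main node only in the flow-count graph, while 10.0.0.66 and 10.0.0.9 are main nodes in both graphs, which is the distinction the combined analysis is meant to surface.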
Network Abnormal Flow Behavior can reflect uncommon performance in a certain main stream feature, but for network flow The research of other attributes, abnormal form, such as port scan can be more accurately determined, it is mainly shown as certain two node Between the port species abnormal increase that flows, still, due to the feature of its scanning, substantially one stream accesses a port, then Whether can be approximately integer according to the port species number between node or network fluxion to judge whether the exception is port Scanning.
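The following is an added example, not code from the patent: it builds the port-type-count graph and the flow-connection-count graph from one set of flow records, applies node and edge thresholds, and cross-compares the main nodes to flag port scan candidates. The flow records, the threshold values, the node feature (sum of incident edge weights) and the reading of the scan criterion as a ports-per-flow ratio close to 1 are all assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (src_host, dst_host, dst_port); not from the patent.
FLOWS = (
    [("10.0.0.5", "10.0.0.1", 443)] * 40                    # ordinary client/server pair
    + [("10.0.0.6", "10.0.0.1", 443)] * 30                  # second client, same service
    + [("10.0.0.9", "10.0.0.2", p) for p in range(1, 61)]   # 60 flows to 60 distinct ports
    + [("10.0.0.7", "10.0.0.8", 22)] * 2                    # low-volume background pair
)

def build_graphs(flows):
    """Build both graphs from the same flow data as edge-weight maps keyed by
    host pair: flow-connection count and number of distinct ports."""
    flow_count, ports = defaultdict(int), defaultdict(set)
    for src, dst, port in flows:
        edge = frozenset((src, dst))
        flow_count[edge] += 1
        ports[edge].add(port)
    return dict(flow_count), {e: len(p) for e, p in ports.items()}

def filter_graph(weights, node_threshold, edge_threshold):
    """Apply the node and edge filtering rules to one graph.
    Assumption: a node's feature value is the sum of its incident edge weights."""
    feature = defaultdict(int)
    for edge, weight in weights.items():
        for host in edge:
            feature[host] += weight
    main = {h for h, f in feature.items() if f > node_threshold}
    # Keep edges above the edge threshold that touch a main node, so a leaf
    # node below the node threshold at the other end is retained.
    edges = {e: w for e, w in weights.items() if w > edge_threshold and e & main}
    return main, edges

def port_scan_candidates(flows, node_threshold=20, edge_threshold=10, tolerance=0.1):
    """Cross-compare the two graphs and flag host pairs whose distinct-port
    count per flow is close to 1 (one flow per port)."""
    flow_w, port_w = build_graphs(flows)
    main_flow, flow_edges = filter_graph(flow_w, node_threshold, edge_threshold)
    main_port, port_edges = filter_graph(port_w, node_threshold, edge_threshold)
    common = main_flow & main_port          # main nodes present in both graphs
    hits = []
    for edge in port_edges.keys() & flow_edges.keys():
        if edge & common and abs(port_w[edge] / flow_w[edge] - 1) <= tolerance:
            hits.append(tuple(sorted(edge)))
    return sorted(hits)

if __name__ == "__main__":
    print(port_scan_candidates(FLOWS))
```

The busy 443 pairs are main nodes only in the flow-count graph, so the cross comparison drops them; the scanning pair is a main node in both graphs.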
Those of ordinary skill in the art will appreciate that the embodiments described here are intended to help the reader understand the principles of the present invention, and it should be understood that the scope of protection of the present invention is not limited to these particular statements and embodiments. Based on the technical teachings disclosed by the present invention, those of ordinary skill in the art can make various other specific variations and combinations that do not depart from the essence of the invention, and these variations and combinations remain within the scope of protection of the present invention.

Claims (10)

1. A network flow connection behavioural characteristic analysis method based on a network flow connection graph, characterized by comprising the following steps:
A. setting the node determination rule of the network flow connection graph, and determining the node objects in the network flow connection behaviour;
B. setting the edge generation rule of the network flow connection graph, and determining the interaction mode of the edges in the network flow connection behaviour;
C. setting the node filtering rule and the node grading rule of the network flow connection graph, extracting the main nodes according to the node filtering rule, and grading the main nodes according to the node grading rule;
D. setting the edge filtering rule and the edge grading rule of the network flow connection graph, extracting the main edges according to the edge filtering rule, and grading the main edges according to the edge grading rule;
E. generating multiple kinds of network flow connection graphs according to the node and edge filtering rules, and analysing the network flow connection behavioural characteristics by combining the multiple kinds of network flow connection graphs.
2. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 1, characterized in that the node determination rule of the network flow connection graph in step A is specifically: the communication units in network communication are used as nodes.
3. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 2, characterized in that the edge generation rule of the network flow connection graph in step B is specifically: corresponding main nodes that have a flow connection are joined by an edge.
4. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 2, characterized in that the node filtering rule of the network flow connection graph is specifically: a node threshold is set, and nodes whose node feature attribute value is greater than the node threshold are extracted as main nodes.
5. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 4, characterized in that the node grading rule of the network flow connection graph in step C is specifically: the main nodes are divided into levels according to their node feature attribute value, and nodes of different levels are distinguished by colour.
6. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 3, characterized in that the edge filtering rule of the network flow connection graph in step D is specifically: an edge threshold is set, edges whose edge feature attribute value is greater than the edge threshold are extracted, and leaf nodes at the other end of such an edge that are below the node threshold are retained.
7. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 6, characterized in that the edge grading rule of the network flow connection graph in step D is specifically: the edges are divided into levels according to their edge feature attribute value, and edges of different levels are distinguished by colour.
8. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 1, characterized in that generating multiple kinds of network flow connection graphs in step E includes generating a network flow connection graph based on the number of port types and a network flow connection graph based on the number of network flow connections.
9. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 8, characterized in that generating the network flow connection graph based on the number of port types specifically comprises: first, according to the node threshold setting, extracting the hosts whose number of open port types is greater than the node threshold, thereby capturing the nodes that play the role of main server or active client in the network, and determining the network flow behavioural characteristics between main nodes by analysing the port interaction between them; then, according to the edge threshold setting, extracting the leaf nodes that are frequently active with the main nodes and analysing the port interaction behaviour between them, to determine the network flow behavioural characteristics of the main nodes in the network.
10. The network flow connection behavioural characteristic analysis method based on a network flow connection graph according to claim 8, characterized in that generating the network flow connection graph based on the number of network flow connections specifically comprises: first, according to the node threshold setting, extracting the hosts whose number of inbound or outbound flows is greater than the node threshold, thereby capturing the high-traffic core nodes in the network, and determining the network flow behavioural characteristics between main nodes by analysing the flow connection features between them; then, according to the edge threshold setting, extracting the leaf nodes that are frequently active with the main nodes and analysing the flow connection behaviour between them, to determine the network flow behavioural characteristics of the main nodes in the network.
CN201510192318.9A 2015-04-22 2015-04-22 Network flow connection behavioural characteristic analysis method based on network flow connection figure Active CN104935570B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510192318.9A CN104935570B (en) 2015-04-22 2015-04-22 Network flow connection behavioural characteristic analysis method based on network flow connection figure

Publications (2)

Publication Number Publication Date
CN104935570A CN104935570A (en) 2015-09-23
CN104935570B true CN104935570B (en) 2017-12-01

Family

ID=54122542

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510192318.9A Active CN104935570B (en) 2015-04-22 2015-04-22 Network flow connection behavioural characteristic analysis method based on network flow connection figure

Country Status (1)

Country Link
CN (1) CN104935570B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant