CN105323258A - Method and device for identifying abnormal flow based on time attenuation model - Google Patents
- Publication number: CN105323258A (application CN201510856862.9A)
- Authority: CN (China)
- Prior art keywords: data, abnormal flow, time, attenuation model, flow
- Prior art date: 2015-11-30
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention discloses a method for identifying abnormal flow based on a time attenuation model. The method comprises the steps of: capturing network traffic information by bypass packet capture, and generating flow data from the captured network traffic information; screening data flow attributes according to a discretization operation, and forming the data set used for behavior pattern analysis; storing the user behavior data and the normal user behavior patterns in the data set in a database, and classifying the dimensions in the database according to association rule instructions; performing deep mining of the frequent pattern in time on the classified data according to the time attenuation model; and analyzing abnormal flow information according to the frequent pattern. The beneficial effects of the method are that abnormal flow is identified through traffic feature extraction and the time attenuation model, so the method has good real-time performance and can be applied in many settings, and, as information accumulates, further abnormal flow can be discovered.
Description
Technical field
The present invention relates to a method and device for identifying abnormal flow based on a time attenuation model.
Background technology
Networks are essential to us, but everything has a disadvantageous side: using a network also creates many obstacles, and the hardest to avoid is abnormal network flow. Abnormal flow amounts to a hacker attack; the improper traffic it initiates, such as a flood aimed at a particular port, paralyses the network and causes huge losses: clients cannot communicate and business cannot be conducted. Ensuring the stability of network traffic therefore plays a vital role.
No effective solution to this problem in the related art has yet been proposed.
Summary of the invention
The object of the present invention is to provide a method for identifying abnormal flow based on a time attenuation model, so as to overcome the above shortcomings of the currently available technology.
This object is achieved through the following technical solution:
A method for identifying abnormal flow based on a time attenuation model comprises the steps of:
capturing network traffic information by bypass packet capture, and generating flow data from the captured network traffic information;
screening data flow attributes according to a discretization operation, and forming the data set used for behavior pattern analysis;
storing the user behavior data and the normal user behavior patterns in the data set in a database, and classifying the dimensions in the database according to association rule instructions;
performing deep mining of the frequent pattern in time on the classified data according to the time attenuation model;
analyzing abnormal flow information according to the frequent pattern.
Further, the captured network traffic information comprises time information, source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
A device for identifying abnormal flow comprises a packet capture device, a data set analysis device, a data classification device, a time model processing unit and an abnormal flow analysis device, wherein:
the packet capture device captures network traffic information by bypass packet capture, and generates flow data from the captured network traffic information;
the data set analysis device screens data flow attributes according to a discretization operation, and forms the data set used for behavior pattern analysis;
the data classification device stores the user behavior data and the normal user behavior patterns in the data set in a database, and classifies the dimensions in the database according to association rule instructions;
the time model processing unit performs deep mining of the frequent pattern in time on the classified data according to the time attenuation model;
the abnormal flow analysis device analyzes abnormal flow information according to the frequent pattern.
Further, the information captured by the packet capture device comprises source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
Beneficial effects of the present invention: by identifying abnormal flow through traffic feature extraction and the time attenuation model, the method has good real-time performance and can be applied in many settings; at the same time, as information accumulates, further abnormal flow can be discovered.
Accompanying drawing explanation
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawing required for describing the embodiments is briefly introduced below. Obviously, the drawing described below illustrates only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from it without creative effort.
Fig. 1 is a flow chart of the method for identifying abnormal flow based on a time attenuation model according to an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawing. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention; all other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention belong to the protection scope of the present invention.
As shown in Figure 1, according to an embodiment of the present invention,
a method for identifying abnormal flow based on a time attenuation model comprises the steps of:
capturing network traffic information by bypass packet capture, and generating flow data from the captured network traffic information;
screening data flow attributes according to a discretization operation, and forming the data set used for behavior pattern analysis;
storing the user behavior data and the normal user behavior patterns in the data set in a database, and classifying the dimensions in the database according to association rule instructions;
performing deep mining of the frequent pattern in time on the classified data according to the time attenuation model;
analyzing abnormal flow information according to the frequent pattern.
Further, the captured network traffic information comprises time information, source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
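The steps above can be followed end to end in a small script. The following is an added example written for this page, not code from the patent or its applicant: it discretizes constructed flow records carrying the attribute list given above into coarse behaviour patterns, keeps a per-pattern support that decays exponentially with time (the patent does not state the form of its time attenuation model; the half-life decay, the port and length buckets, the `min_share` and `surge_factor` thresholds and every function name here are this example's own assumptions), freezes the frequent patterns of a normal period as the stored normal-behaviour baseline, and then flags flows whose pattern is not a frequent normal pattern or whose pattern's share has surged well above its baseline share.

```python
"""Time-decayed frequent-pattern analysis over discretized flow records.
Added example; the decay form, buckets and thresholds are assumptions."""
import math


# ---- constructed flow records (same attribute list the patent names) -------
def make_flows():
    """Return (flows, n_baseline): a constructed normal-traffic stream
    followed by two constructed anomalies.  Addresses are documentation ranges."""
    flows, t = [], 0.0
    def add(**kw):
        flows.append(kw)
    for i in range(60):                                   # normal period
        add(time=t, src="10.0.0.%d" % (i % 5 + 1), sport=40000 + i,
            dst="203.0.113.10", dport=443, proto="TCP", direction="out",
            length=600, hdr_len=20, tcp_hdr_len=32, flags="PA")   # HTTPS out
        t += 1.0
        if i % 4 == 0:                                    # occasional DNS
            add(time=t, src="10.0.0.1", sport=50000 + i, dst="10.0.0.53",
                dport=53, proto="UDP", direction="out", length=80,
                hdr_len=20, tcp_hdr_len=0, flags="")
            t += 0.5
        if i % 6 == 0:                                    # inbound HTTPS SYN
            add(time=t, src="198.51.100.%d" % (i % 9 + 1), sport=1024 + i,
                dst="10.0.0.2", dport=443, proto="TCP", direction="in",
                length=60, hdr_len=20, tcp_hdr_len=40, flags="S")
            t += 0.5
    n_baseline = len(flows)
    # anomaly 1: one inbound SYN to a service never seen in the normal period
    add(time=t, src="198.51.100.7", sport=44444, dst="10.0.0.2", dport=23,
        proto="TCP", direction="in", length=60, hdr_len=20, tcp_hdr_len=40,
        flags="S")
    t += 1.0
    # anomaly 2: a burst of inbound SYNs to 443 (a known pattern, surging)
    for i in range(100):
        add(time=t, src="198.51.100.%d" % (i % 9 + 1), sport=2000 + i,
            dst="10.0.0.2", dport=443, proto="TCP", direction="in",
            length=60, hdr_len=20, tcp_hdr_len=40, flags="S")
        t += 0.05
    return flows, n_baseline


# ---- discretization: raw attributes -> coarse behaviour pattern ------------
def port_class(p):      # well-known ports identify a service; others are bucketed
    return str(p) if p < 1024 else ("registered" if p < 49152 else "ephemeral")

def length_class(n):
    return "small" if n < 128 else ("medium" if n < 1024 else "large")

def discretize(flow):
    return (flow["proto"], flow["direction"], port_class(flow["dport"]),
            length_class(flow["length"]), flow["flags"])


class DecayedPatternCounter:
    """Support per pattern that halves every `half_life` seconds.  Decay is
    applied lazily from the pattern's last update, so each flow costs O(1)."""
    def __init__(self, half_life):
        self.lam = math.log(2.0) / half_life
        self.count, self.last = {}, {}

    def support(self, pattern, now):
        if pattern not in self.count:
            return 0.0
        return self.count[pattern] * math.exp(-self.lam * (now - self.last[pattern]))

    def update(self, pattern, now):
        self.count[pattern] = self.support(pattern, now) + 1.0
        self.last[pattern] = now

    def shares(self, now):
        """Fraction of the total decayed support held by each pattern."""
        total = sum(self.support(p, now) for p in self.count)
        return {p: self.support(p, now) / total for p in self.count} if total else {}


def mine_frequent(counter, now, min_share):
    """The frequent patterns at `now`: every pattern whose decayed share reaches
    min_share.  This dict plays the role of the stored normal-behaviour patterns."""
    return {p: s for p, s in counter.shares(now).items() if s >= min_share}

def analyze(flows, warmup, half_life=30.0, min_share=0.05, surge_factor=2.0):
    """Replay the stream; after `warmup` flows freeze the frequent patterns as
    the normal baseline, then flag flows whose pattern is not a frequent normal
    pattern ("unseen") or whose share has surged above its baseline ("surge")."""
    counter, baseline, alerts = DecayedPatternCounter(half_life), None, []
    for i, flow in enumerate(flows):
        now, pat = flow["time"], discretize(flow)
        if i == warmup:
            baseline = mine_frequent(counter, now, min_share)
        counter.update(pat, now)
        if baseline is None:
            continue
        if pat not in baseline:
            alerts.append((i, pat, "unseen"))
        elif counter.shares(now)[pat] > surge_factor * baseline[pat]:
            alerts.append((i, pat, "surge"))
    return alerts


if __name__ == "__main__":
    flows, n = make_flows()
    for i, pat, why in analyze(flows, warmup=n)[:5]:
        print(i, why, pat)
```

The baseline is frozen rather than re-mined continuously on purpose: with decayed counts alone, a sustained flood toward one port soon becomes the dominant "frequent" pattern as the older normal support decays away, which is exactly the kind of traffic the page says must be caught. Comparing each flow against the stored normal patterns keeps the flood visible as a surge for as long as it runs, while a single flow of a never-seen kind is still reported as an unseen pattern.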
A device for identifying abnormal flow comprises a packet capture device, a data set analysis device, a data classification device, a time model processing unit and an abnormal flow analysis device, wherein:
the packet capture device captures network traffic information by bypass packet capture, and generates flow data from the captured network traffic information;
the data set analysis device screens data flow attributes according to a discretization operation, and forms the data set used for behavior pattern analysis;
the data classification device stores the user behavior data and the normal user behavior patterns in the data set in a database, and classifies the dimensions in the database according to association rule instructions;
the time model processing unit performs deep mining of the frequent pattern in time on the classified data according to the time attenuation model;
the abnormal flow analysis device analyzes abnormal flow information according to the frequent pattern.
Further, the information captured by the packet capture device comprises source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
In sum, by means of the above technical solution of the present invention, abnormal flow is identified through traffic feature extraction and the time attenuation model, so the method has good real-time performance and can be applied in many settings; at the same time, as information accumulates, further abnormal flow can be discovered.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within its protection scope.
Claims (4)
1. A method for identifying abnormal flow based on a time attenuation model, characterized in that it comprises the steps of:
capturing network traffic information by bypass packet capture, and generating flow data from the captured network traffic information;
screening data flow attributes according to a discretization operation, and forming the data set used for behavior pattern analysis;
storing the user behavior data and the normal user behavior patterns in the data set in a database, and classifying the dimensions in the database according to association rule instructions;
performing deep mining of the frequent pattern in time on the classified data according to the time attenuation model;
analyzing abnormal flow information according to the frequent pattern.
2. The method for identifying abnormal flow based on a time attenuation model according to claim 1, characterized in that the captured network traffic information comprises time information, source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
3. A device for identifying abnormal flow based on a time attenuation model, characterized in that it comprises a packet capture device, a data set analysis device, a data classification device, a time model processing unit and an abnormal flow analysis device, wherein:
the packet capture device captures network traffic information by bypass packet capture, and generates flow data from the captured network traffic information;
the data set analysis device screens data flow attributes according to a discretization operation, and forms the data set used for behavior pattern analysis;
the data classification device stores the user behavior data and the normal user behavior patterns in the data set in a database, and classifies the dimensions in the database according to association rule instructions;
the time model processing unit performs deep mining of the frequent pattern in time on the classified data according to the time attenuation model;
the abnormal flow analysis device analyzes abnormal flow information according to the frequent pattern.
4. The device for identifying abnormal flow based on a time attenuation model according to claim 3, characterized in that the information captured by the packet capture device comprises source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510856862.9A CN105323258A (en) | 2015-11-30 | 2015-11-30 | Method and device for identifying abnormal flow based on time attenuation model |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510856862.9A CN105323258A (en) | 2015-11-30 | 2015-11-30 | Method and device for identifying abnormal flow based on time attenuation model |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105323258A true CN105323258A (en) | 2016-02-10 |
Family
ID=55249853
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510856862.9A Pending CN105323258A (en) | 2015-11-30 | 2015-11-30 | Method and device for identifying abnormal flow based on time attenuation model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105323258A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107547543A (en) * | 2017-05-26 | 2018-01-05 | 四川紫皓云端科技有限责任公司 | Method and device for recognizing anomalous network behavior |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101060444A (en) * | 2007-05-23 | 2007-10-24 | 西安交大捷普网络科技有限公司 | Bayesian statistical model based network anomaly detection method |
EP1178635B1 (en) * | 2000-08-04 | 2010-10-13 | Alcatel Lucent | Method for real time data communication |
CN103023725A (en) * | 2012-12-20 | 2013-04-03 | 北京工业大学 | Anomaly detection method based on network flow analysis |
Non-Patent Citations (2)
Title |
---|
赖军 (Lai Jun): "Research on the application of stream data mining in network traffic analysis", China Master's Theses Full-text Database (Information Science and Technology) * |
陈辉 (Chen Hui): "Research on frequent pattern mining and data prediction algorithms for data streams", China Doctoral Dissertations Full-text Database (Information Science and Technology) * |
Similar Documents
Publication | Title |
---|---|
CN111277578B (en) | Encrypted flow analysis feature extraction method, system, storage medium and security device |
CN105376248A (en) | Method and device for identifying abnormal flow |
CN101902484B (en) | Method and system for classifying local area network http application services |
CN105376247A (en) | Method and device for identifying abnormal flow based on frequent algorithm |
CN101262491A (en) | Application layer network analysis method and system |
CN102315974A (en) | Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows |
CN105376110A (en) | Network data packet analysis method and system in big data stream technology |
CN109271793A (en) | Internet of Things cloud platform device class recognition methods and system |
CN109151880A (en) | Mobile application flow identification method based on multilayer classifier |
CN102882881A (en) | Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service |
CN101841440A (en) | Peer-to-peer network flow identification method based on support vector machine and deep packet inspection |
CN110417729A (en) | A kind of service and application class method and system encrypting flow |
CN104618144A (en) | Method and system for tracking data package according to message identifier |
CN105450434A (en) | Internet traffic analysis method based on traffic graphs |
CN107689958A (en) | A kind of network audit subsystem applied to cloud auditing system |
CN109660656A (en) | A kind of intelligent terminal method for identifying application program |
CN105516098A (en) | Web page script identification method and apparatus |
Yang et al. | Characterizing smartphone traffic with MapReduce |
CN105323258A (en) | Method and device for identifying abnormal flow based on time attenuation model |
CN110266603A (en) | Authentication business network flow analysis system and method based on http protocol |
CN103944775A (en) | Network traffic collection analysis and display output method |
CN105357079A (en) | Method and device for identifying abnormal traffic |
Jaiswal et al. | Analysis of early traffic processing and comparison of machine learning algorithms for real time internet traffic identification using statistical approach |
CN105279230A (en) | Method and system for constructing internet application feature identification database with active learning method |
CN105323257A (en) | Method and device for identifying abnormal flow |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160210 |