CN105357079A - Method and device for identifying abnormal traffic - Google Patents


Info

Publication number: CN105357079A
Authority: CN (China)
Prior art keywords: flow, time, traffic, network traffic, abnormal
Legal status: Pending
Application number: CN201510856011.4A
Other languages: Chinese (zh)
Inventor: 储来斌
Current assignee: Rui Feng Network Cloud (beijing) Polytron Technologies Inc
Original assignee: Rui Feng Network Cloud (beijing) Polytron Technologies Inc
Priority date: 2015-11-30
Filing date: 2015-11-30
Publication date: 2016-02-24
Application CN201510856011.4A was filed by Rui Feng Network Cloud (beijing) Polytron Technologies Inc and published as CN105357079A.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L63/1425 Traffic logging, e.g. anomaly detection
        • H04L43/00 Arrangements for monitoring or testing data switching networks
            • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
                • H04L43/045 Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
        • H04L45/00 Routing or path finding of packets in data switching networks
            • H04L45/38 Flow based routing
        • H04L47/00 Traffic control in data switching networks
            • H04L47/10 Flow control; Congestion control

Abstract

The invention discloses a method for identifying abnormal traffic. The method comprises the following steps: capturing network traffic information through bypass packet capture, and generating traffic data from the captured network traffic information; stationarising the captured network traffic, modelling the traffic-over-time series in the network traffic using the principle of least squared error, forecasting the feature value of the modelled traffic value, and designing a forecasting method for the user's traffic-behaviour time series in the form of a difference equation; and establishing a behaviour model of the user from the time-series forecasting method, and judging traffic beyond the behaviour model to be abnormal traffic. The method has the advantage that abnormal traffic is judged promptly by analysing the user's behaviour, so it has good real-time performance and can be applied in many settings.

Description

Method and device for identifying abnormal traffic
Technical field
The present invention relates to a method and a device for identifying abnormal traffic.
Background technology
Networks have become indispensable to us, but like anything else they have a downside: using a network brings many obstacles, and the hardest to avoid is abnormal network traffic. Abnormal traffic amounts to a hacker attack; illegitimate traffic such as a flood launched against a particular port paralyses the network and causes heavy losses, since clients cannot communicate and business cannot proceed. Ensuring the stability of network traffic is therefore vital.
For this problem in the related art, no effective solution has yet been proposed.
Summary of the invention
The object of the invention is to provide a method for identifying abnormal traffic that overcomes the above shortcomings of the prior art.
The object of the invention is achieved through the following technical solution:
A method for identifying abnormal traffic comprises the following steps:
capturing network traffic information by bypass packet capture, and generating traffic data from the captured network traffic information;
stationarising the captured network traffic, and modelling the traffic-over-time series in the network traffic using the principle of minimum residual sum of squares (least squares);
performing feature-value prediction on the modelled traffic values, using a forecasting method for the user's traffic-behaviour time series designed in the form of a difference equation;
establishing a behaviour model of the user from the time-series forecasting method, and judging traffic that falls outside the behaviour model to be abnormal traffic.
Further, the captured network traffic information comprises time, source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
A device for identifying abnormal traffic comprises a traffic capture unit, a time-model building unit, a feature-value prediction unit and an abnormal-traffic judgment unit, wherein:
the traffic capture unit captures network traffic information by bypass packet capture and generates traffic data from the captured network traffic information;
the time-model building unit stationarises the captured network traffic and models the traffic-over-time series in the network traffic using the principle of minimum residual sum of squares;
the feature-value prediction unit performs feature-value prediction on the modelled traffic values, using the forecasting method for the user's traffic-behaviour time series designed in the form of a difference equation;
the abnormal-traffic judgment unit establishes the behaviour model of the user from the time-series forecasting method and judges traffic outside the behaviour model to be abnormal traffic.
The beneficial effect of the invention is that, by analysing the user's behaviour, abnormal traffic is judged promptly, giving good real-time performance, and the method can be applied in many settings.
Brief description of the drawing
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawing required for the embodiments is briefly described below. Evidently, the drawing described below shows only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from it without creative effort.
Fig. 1 is a flow chart of the abnormal-traffic identification method according to an embodiment of the invention.
Embodiment
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawing of the embodiments. The described embodiments are evidently only some of the embodiments of the invention, not all of them; every other embodiment obtained by those of ordinary skill in the art on the basis of these embodiments falls within the scope of protection of the invention.
As shown in Fig. 1, a method for identifying abnormal traffic according to an embodiment of the invention comprises the following steps:
capturing network traffic information by bypass packet capture, and generating traffic data from the captured network traffic information;
stationarising the captured network traffic, and modelling the traffic-over-time series in the network traffic using the principle of minimum residual sum of squares;
performing feature-value prediction on the modelled traffic values, using a forecasting method for the user's traffic-behaviour time series designed in the form of a difference equation;
here, the expectation of traffic means deriving the user's expected behaviour from earlier traffic characteristics;
establishing a behaviour model of the user from the time-series forecasting method, and judging traffic outside the behaviour model to be abnormal traffic.
Further, the captured network traffic information comprises time, source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
A device for identifying abnormal traffic comprises a traffic capture unit, a time-model building unit, a feature-value prediction unit and an abnormal-traffic judgment unit, wherein:
the traffic capture unit captures network traffic information by bypass packet capture and generates traffic data from the captured network traffic information;
the time-model building unit stationarises the captured network traffic and models the traffic-over-time series in the network traffic using the principle of minimum residual sum of squares;
the feature-value prediction unit performs feature-value prediction on the modelled traffic values, using the forecasting method for the user's traffic-behaviour time series designed in the form of a difference equation;
the abnormal-traffic judgment unit establishes the behaviour model of the user from the time-series forecasting method and judges traffic outside the behaviour model to be abnormal traffic.
In summary, by means of the technical solution of the invention, abnormal traffic is judged promptly through analysis of the user's behaviour, giving good real-time performance and applicability in many settings.
The foregoing is only a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within its scope of protection.
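As an added example (not part of the patent), the pipeline described above in Python: first differencing as the stationarisation step, a least-squares AR model of the differenced series, a difference-equation forecast, and a band around the forecast serving as the behaviour model. The per-minute packet-count series, the model order (2) and the 3-sigma band width are assumptions; the patent fixes none of them.

```python
# Added example (not from the patent): stationarise the traffic series,
# fit an AR model by least squares, forecast with a difference equation and
# flag samples outside the forecast band as abnormal traffic.
from math import sqrt

# Constructed sample: packets per minute aggregated from bypass-captured
# flow records; minutes 12 and 13 carry a flood against one port.
SAMPLE = [100, 104, 98, 103, 107, 102, 99, 105, 108, 103, 101, 106,
          900, 950, 104, 102]

def stationarise(x):
    """First differencing removes the level (the tranquilisation step)."""
    return [b - a for a, b in zip(x, x[1:])]

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small system."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [v - f * w for v, w in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def fit_ar(d, p):
    """Least-squares AR(p) on the differenced series: coefficients that
    minimise the residual sum of squares of d[t] - sum(a_k * d[t-k])."""
    rows = [(d[t - p:t][::-1], d[t]) for t in range(p, len(d))]
    xtx = [[sum(r[i] * r[j] for r, _ in rows) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * y for r, y in rows) for i in range(p)]
    return solve(xtx, xty)

def forecast(history, coef):
    """Difference equation: x_t = x_{t-1} + sum(a_k * (x_{t-k} - x_{t-k-1}))."""
    lags = stationarise(history[-(len(coef) + 1):])[::-1]
    return history[-1] + sum(a * v for a, v in zip(coef, lags))

def build_model(train, p=2):
    """Return (coef, sigma): AR coefficients and one-step residual RMS."""
    coef = fit_ar(stationarise(train), p)
    resid = [train[t] - forecast(train[:t], coef) for t in range(p + 1, len(train))]
    return coef, sqrt(sum(e * e for e in resid) / len(resid))

def detect(series, train_len, p=2, k=3.0):
    """Return (index, observed, predicted) for samples outside +/- k*sigma.
    A flagged sample is replaced by its forecast in the working history so
    a flood does not drag the behaviour model along with it."""
    coef, sigma = build_model(series[:train_len], p)
    history, flagged = list(series[:train_len]), []
    for t in range(train_len, len(series)):
        pred = forecast(history, coef)
        if abs(series[t] - pred) > k * sigma:
            flagged.append((t, series[t], round(pred, 1)))
            history.append(pred)
        else:
            history.append(series[t])
    return flagged
```

`detect(SAMPLE, train_len=12)` trains on the first twelve minutes and flags minutes 12 and 13; the two normal minutes after the flood stay inside the band because the flagged values were not fed back into the model's history.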

Claims (3)

1. A method for identifying abnormal traffic, characterised in that it comprises the following steps:
capturing network traffic information by bypass packet capture, and generating traffic data from the captured network traffic information;
stationarising the captured network traffic, and modelling the traffic-over-time series in the network traffic using the principle of minimum residual sum of squares;
performing feature-value prediction on the modelled traffic values, using a forecasting method for the user's traffic-behaviour time series designed in the form of a difference equation;
establishing a behaviour model of the user from the time-series forecasting method, and judging traffic outside the behaviour model to be abnormal traffic.
2. The method for identifying abnormal traffic according to claim 1, characterised in that the captured network traffic information comprises time, source address, source port, destination address, destination port, TCP/UDP protocol, direction, length, header length, TCP header length and TCP flag bits.
3. A device for identifying abnormal traffic, characterised in that it comprises a traffic capture unit, a time-model building unit, a feature-value prediction unit and an abnormal-traffic judgment unit, wherein:
the traffic capture unit captures network traffic information by bypass packet capture and generates traffic data from the captured network traffic information;
the time-model building unit stationarises the captured network traffic and models the traffic-over-time series in the network traffic using the principle of minimum residual sum of squares;
the feature-value prediction unit performs feature-value prediction on the modelled traffic values, using the forecasting method for the user's traffic-behaviour time series designed in the form of a difference equation;
the abnormal-traffic judgment unit establishes the behaviour model of the user from the time-series forecasting method and judges traffic outside the behaviour model to be abnormal traffic.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510856011.4A (CN105357079A) | 2015-11-30 | 2015-11-30 | Method and device for identifying abnormal traffic


Publications (1)

Publication Number | Publication Date
CN105357079A | 2016-02-24

Family ID: 55332955


Country Status (1)

Country | Link
CN | CN105357079A (en)



Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103078760A * | 2009-12-31 | 2013-05-01 | 蓝盾信息安全技术股份有限公司 | Online diagnosis method for abnormal network flow
CN101795215A * | 2010-01-28 | 2010-08-04 | 哈尔滨工程大学 | Network traffic anomaly detection method and detection device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘光星: "Application of single-factor time-series ARMA modelling to stuck-pipe prediction", Journal of Chongqing University of Science and Technology (Natural Sciences Edition) *
李秀龙: "Research on user traffic behaviour analysis methods based on network traffic monitoring and prediction", China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN107733921A * | 2017-11-14 | 2018-02-23 | 深圳中兴网信科技有限公司 | Network flow abnormal detecting method, device, computer equipment and storage medium
WO2019095719A1 * | 2017-11-14 | 2019-05-23 | 深圳中兴网信科技有限公司 | Network traffic anomaly detection method, apparatus, computer device and storage medium
CN111953504A * | 2019-05-15 | 2020-11-17 | 中国电信股份有限公司 | Abnormal flow detection method and device, and computer readable storage medium
CN111953504B * | 2019-05-15 | 2023-03-24 | 中国电信股份有限公司 | Abnormal flow detection method and device, and computer readable storage medium


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 20160224