CN105376247A - Method and device for identifying abnormal flow based on frequent algorithm - Google Patents


Info

Publication number: CN105376247A
Authority: CN (China)
Prior art keywords: frequent, flow, algorithm, episode, data
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201510856189.9A
Other languages: Chinese (zh)
Inventor: 沈能辉
Current Assignee: Rui Feng Network Cloud (beijing) Polytron Technologies Inc (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Rui Feng Network Cloud (beijing) Polytron Technologies Inc
Priority date: 2015-11-30 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2015-11-30
Publication date: 2016-03-02

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425  Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for identifying abnormal traffic based on a frequent-itemset algorithm. The method comprises the following steps: capturing network traffic and generating network traffic data; discretizing the captured traffic data and classifying it according to the size of the traffic value; extracting frequent items from the discretized traffic data according to an association rule algorithm, and setting a support and a confidence for the frequent items; deriving association rules from the frequent set and, from those rules, generating the frequent set; and comparing the frequent set with a threshold to judge whether the traffic is abnormal. The beneficial effects of the disclosed method are that, by extracting traffic features, extracting the frequent set, and comparing the frequent set with the threshold to judge abnormal traffic, good real-time performance is achieved, the method can be applied in a variety of settings, and, through accumulation of information, further abnormal traffic can be found.

Description

Method and device for identifying abnormal traffic based on a frequent-itemset algorithm
Technical field
The present invention relates to a method and device for identifying abnormal traffic based on a frequent-itemset algorithm.
Background art
The network has become indispensable to us, but everything has a disadvantageous side, and using a network likewise produces many obstacles. The hardest one to avoid is abnormal network traffic. Abnormal traffic amounts to a hacker attack: the improper traffic it initiates, such as a flood against a particular port, paralyses the network and causes us huge losses; clients cannot communicate and business cannot be carried out. Ensuring the stability of network traffic therefore plays a vital role.
No effective solution to the problems in the related art has yet been proposed.
Summary of the invention
The object of the invention is to provide a method and device for identifying abnormal traffic based on a frequent-itemset algorithm, so as to overcome the above shortcomings of the current art.
The object of the invention is achieved through the following technical solution:
A method for identifying abnormal traffic based on a frequent-itemset algorithm comprises the following steps:
capturing network traffic and generating network traffic data;
discretizing the captured traffic data and classifying it according to the size of the traffic value;
extracting frequent items from the discretized traffic data according to an association rule algorithm, and setting a support and a confidence for the frequent items;
generating the frequent set from the association rules produced from the frequent set;
comparing the frequent set with a threshold to judge whether the traffic is abnormal.
Further, the captured network traffic information comprises source IP, destination IP, source port, destination port, application protocol and direction.
Further, the extracted frequent items comprise the frequent items of users within the same time period and the frequent items of applications.
A device for identifying abnormal traffic based on a frequent-itemset algorithm comprises a traffic capture unit, a traffic value classification unit, a frequent item extraction unit, a frequent set generation unit and an abnormal traffic judgment unit, wherein:
the traffic capture unit captures network traffic and generates network traffic data;
the traffic value classification unit discretizes the captured traffic data and classifies it according to the size of the traffic value;
the frequent item extraction unit extracts frequent items from the discretized traffic data according to an association rule algorithm, and sets a support and a confidence for the frequent items;
the frequent set generation unit generates the frequent set from the association rules produced from the frequent set;
the abnormal traffic judgment unit compares the frequent set with a threshold to judge whether the traffic is abnormal.
Further, the information captured by the traffic capture unit comprises source IP, destination IP, source port, destination port, application protocol and direction.
Beneficial effects of the invention: by extracting traffic features, extracting frequent items, and comparing the frequent set with a threshold to judge abnormal traffic, good real-time performance is achieved; the method can be applied in many settings; and, through accumulation of information, further abnormal traffic can be found.
Brief description of the drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for the embodiments are briefly described below. Evidently, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for identifying abnormal traffic based on a frequent-itemset algorithm according to an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention fall within the scope of protection of the invention.
As shown in Fig. 1, a method for identifying abnormal traffic based on a frequent-itemset algorithm according to an embodiment of the invention comprises the following steps:
capturing network traffic and generating network traffic data;
discretizing the captured traffic data and classifying it according to the size of the traffic value;
extracting frequent items from the discretized traffic data according to an association rule algorithm, and setting a support and a confidence for the frequent items;
generating the frequent set from the association rules produced from the frequent set;
comparing the frequent set with a threshold to judge whether the traffic is abnormal.
Further, the captured network traffic information comprises source IP, destination IP, source port, destination port, application protocol and direction.
Further, the extracted frequent items comprise the frequent items of users within the same time period and the frequent items of applications.
A device for identifying abnormal traffic based on a frequent-itemset algorithm comprises a traffic capture unit, a traffic value classification unit, a frequent item extraction unit, a frequent set generation unit and an abnormal traffic judgment unit, wherein:
the traffic capture unit captures network traffic and generates network traffic data;
the traffic value classification unit discretizes the captured traffic data and classifies it according to the size of the traffic value;
the frequent item extraction unit extracts frequent items from the discretized traffic data according to an association rule algorithm, and sets a support and a confidence for the frequent items;
the frequent set generation unit generates the frequent set from the association rules produced from the frequent set;
the abnormal traffic judgment unit compares the frequent set with a threshold to judge whether the traffic is abnormal.
Further, the information captured by the traffic capture unit comprises source IP, destination IP, source port, destination port, application protocol and direction.
In summary, by means of the above technical solution of the invention, traffic features are extracted, frequent items are extracted, and the frequent set is compared with a threshold to judge abnormal traffic; this achieves good real-time performance, can be applied in many settings and, through accumulation of information, finds further abnormal traffic.
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
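The following is an added worked example of the pipeline described in the steps above and in claim 1 (capture, discretize by traffic size, mine frequent items with a support threshold, derive association rules with a confidence threshold, compare the frequent set with a threshold). It is illustration code written for this page, not code from the patent or the applicant. The flow records are constructed, the size-class bin edges, the minimum support (0.1), the minimum confidence (0.9) and the flood threshold (0.5) are assumed values, and the decision rule "flag a destination IP/port pair whose frequent set reaches the threshold" is one assumed reading of the claimed threshold comparison; the patent does not specify these.

```python
"""Added example of the claimed pipeline: capture, discretize, frequent items
(Apriori) with support, association rules with confidence, threshold check.
Not the patent's code; sample flows and every parameter are assumptions."""
from collections import Counter
from itertools import combinations


def build_sample_flows():
    """Constructed flow records (not captured from a real network), shaped as
    (src_ip, dst_ip, src_port, dst_port, app_protocol, direction, bytes).
    Ten ordinary flows are mixed with a 30-flow flood aimed at 10.0.0.5:80."""
    flows = [
        ("192.168.1.10", "10.0.0.5", 51000, 80, "HTTP", "in", 5400),
        ("192.168.1.11", "10.0.0.5", 51001, 443, "HTTPS", "in", 12000),
        ("192.168.1.12", "10.0.0.7", 51002, 22, "SSH", "in", 8000),
        ("192.168.1.13", "10.0.0.9", 51003, 53, "DNS", "in", 120),
        ("10.0.0.5", "8.8.8.8", 34000, 53, "DNS", "out", 90),
        ("10.0.0.7", "93.184.216.34", 34001, 443, "HTTPS", "out", 30000),
        ("192.168.1.14", "10.0.0.9", 51004, 53, "DNS", "in", 110),
        ("192.168.1.15", "10.0.0.5", 51005, 443, "HTTPS", "in", 9800),
        ("10.0.0.9", "1.1.1.1", 34002, 53, "DNS", "out", 85),
        ("192.168.1.16", "10.0.0.7", 51006, 22, "SSH", "in", 15000),
    ]
    # Flood: many distinct (spoofed) sources, one target port, tiny payloads.
    flows += [(f"203.0.113.{i + 1}", "10.0.0.5", 40000 + i, 80, "HTTP", "in", 60)
              for i in range(30)]
    return flows


def size_class(nbytes):
    """Discretization step: bin the traffic value by size (bin edges assumed)."""
    return "small" if nbytes < 200 else "medium" if nbytes < 10000 else "large"


def to_transaction(flow):
    """One flow record becomes one transaction of (field, value) items."""
    src_ip, dst_ip, src_port, dst_port, proto, direction, nbytes = flow
    return frozenset({("src_ip", src_ip), ("dst_ip", dst_ip),
                      ("src_port", src_port), ("dst_port", dst_port),
                      ("proto", proto), ("dir", direction),
                      ("size", size_class(nbytes))})


def frequent_itemsets(transactions, min_support):
    """Apriori: return {itemset: support} for every itemset whose support
    (fraction of transactions containing it) is >= min_support."""
    n = len(transactions)
    counts = Counter(item for t in transactions for item in t)
    current = {frozenset([i]): c / n for i, c in counts.items() if c / n >= min_support}
    support = dict(current)
    k = 2
    while current:
        candidates = set()
        for a, b in combinations(current, 2):
            u = a | b
            # Apriori pruning: every (k-1)-subset must itself be frequent.
            if len(u) == k and all(frozenset(s) in current for s in combinations(u, k - 1)):
                candidates.add(u)
        current = {}
        for c in candidates:
            s = sum(1 for t in transactions if c <= t) / n
            if s >= min_support:
                current[c] = s
        support.update(current)
        k += 1
    return support


def association_rules(support, min_confidence):
    """Rules A -> B from each frequent itemset, kept when
    confidence = support(A u B) / support(A) >= min_confidence."""
    rules = []
    for itemset, s in support.items():
        for r in range(1, len(itemset)):
            for ante in combinations(itemset, r):
                ante = frozenset(ante)
                conf = s / support[ante]
                if conf >= min_confidence:
                    rules.append((ante, itemset - ante, s, conf))
    return rules


def judge_abnormal(support, threshold):
    """Threshold comparison (assumed decision rule): a frequent set that pins a
    single destination IP/port with support >= threshold means one endpoint
    dominates the window, which is the shape of a port flood."""
    flagged = {}
    for itemset, s in support.items():
        d = dict(itemset)
        if set(d) == {"dst_ip", "dst_port"} and s >= threshold:
            flagged[(d["dst_ip"], d["dst_port"])] = s
    return flagged


def run_pipeline(flows, min_support=0.1, min_confidence=0.9, threshold=0.5):
    transactions = [to_transaction(f) for f in flows]
    support = frequent_itemsets(transactions, min_support)
    rules = association_rules(support, min_confidence)
    return support, rules, judge_abnormal(support, threshold)


if __name__ == "__main__":
    support, rules, flagged = run_pipeline(build_sample_flows())
    for (ip, port), s in flagged.items():
        print(f"abnormal: {ip}:{port} appears in {s:.1%} of flows")
```

On the constructed sample the only flagged frequent set is {dst_ip=10.0.0.5, dst_port=80} at support 0.775, and the rule {dst_port=80} -> {dst_ip=10.0.0.5} has confidence 1.0; run on the ten ordinary flows alone nothing is flagged. The point a practitioner should take from this is that the support threshold is doing the real work: it is a per-window fraction, so it must be tuned against the window length and the normal traffic mix, or a legitimately busy service will be flagged as a flood.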

Claims (5)

1. A method for identifying abnormal traffic based on a frequent-itemset algorithm, characterized in that it comprises the following steps:
capturing network traffic and generating network traffic data;
discretizing the captured traffic data and classifying it according to the size of the traffic value;
extracting frequent items from the discretized traffic data according to an association rule algorithm, and setting a support and a confidence for the frequent items;
generating the frequent set from the association rules produced from the frequent set;
comparing the frequent set with a threshold to judge whether the traffic is abnormal.
2. The method for identifying abnormal traffic based on a frequent-itemset algorithm according to claim 1, characterized in that the captured network traffic information comprises source IP, destination IP, source port, destination port, application protocol and direction.
3. The method for identifying abnormal traffic based on a frequent-itemset algorithm according to claim 1, characterized in that the extracted frequent items comprise the frequent items of users within the same time period and the frequent items of applications.
4. A device for identifying abnormal traffic based on a frequent-itemset algorithm, characterized in that it comprises a traffic capture unit, a traffic value classification unit, a frequent item extraction unit, a frequent set generation unit and an abnormal traffic judgment unit, wherein:
the traffic capture unit captures network traffic and generates network traffic data;
the traffic value classification unit discretizes the captured traffic data and classifies it according to the size of the traffic value;
the frequent item extraction unit extracts frequent items from the discretized traffic data according to an association rule algorithm, and sets a support and a confidence for the frequent items;
the frequent set generation unit generates the frequent set from the association rules produced from the frequent set;
the abnormal traffic judgment unit compares the frequent set with a threshold to judge whether the traffic is abnormal.
5. The device for identifying abnormal traffic based on a frequent-itemset algorithm according to claim 4, characterized in that the information captured by the traffic capture unit comprises source IP, destination IP, source port, destination port, application protocol and direction.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510856189.9A CN105376247A (en) 2015-11-30 2015-11-30 Method and device for identifying abnormal flow based on frequent algorithm

Publications (1)

Publication Number Publication Date
CN105376247A (en) 2016-03-02

Family

ID=55378052

Country Status (1)

Country Link
CN (1) CN105376247A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547543A (en) * 2017-05-26 2018-01-05 四川紫皓云端科技有限责任公司 Method and device for identifying network anomalous behaviour
CN109873788A (en) * 2017-12-01 2019-06-11 中国联合网络通信集团有限公司 Botnet detection method and device
CN108650684A (en) * 2018-02-12 2018-10-12 中国联合网络通信集团有限公司 Association rule determination method and device
CN108650684B (en) * 2018-02-12 2021-03-23 中国联合网络通信集团有限公司 Association rule determination method and device
CN108875800A (en) * 2018-05-29 2018-11-23 重庆大学 Behavioural feature extraction method based on RFID card
CN109743286A (en) * 2018-11-29 2019-05-10 武汉极意网络科技有限公司 IP type labelling method and apparatus based on graph convolutional neural networks
CN117097578A (en) * 2023-10-20 2023-11-21 杭州烛微智能科技有限责任公司 Network traffic safety monitoring method, system, medium and electronic equipment
CN117097578B (en) * 2023-10-20 2024-01-05 杭州烛微智能科技有限责任公司 Network traffic safety monitoring method, system, medium and electronic equipment


Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100211991A1 (en) * 2009-02-17 2010-08-19 Toru Akutsu Information processing device, information processing method, and program
CN104123504A (en) * 2014-06-27 2014-10-29 武汉理工大学 Cloud platform privacy protection method based on frequent item retrieval

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李秀龙 (Li Xiulong), "Research on user traffic behaviour analysis methods based on network traffic monitoring and prediction", China Master's Theses Full-text Database (Information Science and Technology series) *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2016-03-02