CN106612289A - Network collaborative abnormality detection method based on SDN - Google Patents
- Publication number: CN106612289A
- Application number: CN201710037077.XA
- Authority: CN (China)
- Prior art keywords: network, HMRF, model, SDN, traffic data
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a network collaborative abnormality detection method based on an SDN (Software Defined Network). The method is an SDN network application and is implemented through controller programming. The method comprises the following steps: collecting the historical traffic data of network nodes in an SDN; training an HMRF model based on the historical traffic data; inputting the real-time traffic data to be inspected into the existing HMRF behavior model to estimate the local and global network states; detecting whether there is abnormal network behavior according to the degree of deviation between the measurement data and the model; and updating the model online with the real-time traffic data that passed model detection, to increase the robustness of the model. Collaborative abnormality detection of a distributed network is realized based on the context information of network nodes.
Description
Technical field
The present invention relates to the field of network technology, and more particularly to a collaborative network anomaly detection method based on software defined networking (Software Defined Network, SDN).
Background
With the rapid development of computer network technology, networks have become deeply integrated into fields such as politics, the economy and culture, bringing great convenience to people's work and life. However, the endless stream of network security problems not only affects the normal operation of the Internet but also seriously threatens national security, and has therefore attracted worldwide attention.
According to published reports, networks around the world face threats of varying severity every day, including Trojan attacks against individual users and politically or economically motivated attacks against governments and enterprises. Such attacks often cause large-scale network paralysis and huge economic losses, for example large-scale distributed denial-of-service (Distributed Denial of Service, DDoS) attacks and worm propagation. Monitoring by China's national Internet emergency center, CNCERT, found that DDoS attack traffic against China's domain name system increased further in 2015; in August 2015, China's top-level domain system suffered two high-volume DDoS attacks in succession, with peak traffic exceeding 10 Gbit/s. In October 2016, the servers of the US network service provider Dyn suffered a DDoS attack that caused large-scale Internet paralysis in the United States.
To cope with these numerous and complex threats and improve the network's ability to handle distributed attacks, academia and industry have proposed many anomaly detection schemes, including deploying anomaly detection policies and the corresponding antivirus tools on the backbone network, and setting up defensive hardening measures such as firewalls at important network nodes. These measures mitigate attacks and threats to some extent and improve the stability and reliability of network operation. However, they also have shortcomings: traditional single-point anomaly detection defends only by monitoring the network boundary or the protected object, and does not make full use of the interconnectivity of the network or of the information from distributed nodes and links on the network side, which limits the performance of the detection system. In addition, under such schemes the detection system can detect an anomaly signal only once the threat reaches the attacked node, which makes emergency response extremely difficult to carry out.
To address the shortcomings of single-point anomaly detection, it is necessary to use global network information and collect data from distributed nodes, so as to perform network-side anomaly detection and improve detection performance. Researchers have proposed collaborative anomaly detection schemes, which use data from distributed nodes to detect abnormal behavior from a global perspective, but their implementation is limited by the traditional TCP/IP network architecture, which lacks a coordination mechanism between nodes. SDN is a new network management model that separates the control plane from the data forwarding plane; its centralized control makes it possible to collect traffic data from data-plane devices and, through computation and analysis, apply it to collaborative network anomaly detection.
In terms of the data collected, current SDN-based anomaly detection schemes include the following. Braga proposed a lightweight method that detects DDoS flooding attacks using the NOX controller. In this scheme, the programmable interface of the NOX controller is used to collect switch statistics, including the packet count, byte count and time interval of the flow table, which are analyzed with a Self-Organizing Maps (SOM) artificial neural network to detect the characteristic signals of DDoS flooding attacks. Chen Xiaofan proposed another SDN anomaly detection and interception method and system, which randomly samples data flows at switch ports to obtain sampled data, extracts multiple feature fields from the sampled data, constructs a hash table for each feature field, computes the entropy of each feature field's hash table within a preset time window, and detects abnormal network behavior according to a set anomaly decision threshold. Left high official position designed a lightweight SDN-based online traffic anomaly detection method, in which the controller obtains switch traffic statistics in real time and builds a traffic matrix of origin-destination pairs (Origin and Destination Pairs, OD pairs) for the OpenFlow network; for common abnormal-traffic features it builds OD-pair sample entropy matrices, merges the different features into a joint traffic entropy matrix, and uses principal component analysis to construct the anomaly subspace, achieving online detection of abnormal traffic.
The advantage of the above methods is that they collect network traffic information in a distributed manner for anomaly detection. However, they remain limited when it comes to collaborative anomaly detection: they do not consider the correlation between adjacent network nodes. This correlation stems from the interconnection of the network itself, that is, adjacent network nodes interact and the abnormal traffic characteristics of adjacent nodes are similar. Because this correlation between nodes is ignored, the contextual information of network nodes is not fully used for anomaly detection, which makes it difficult for traditional techniques to achieve effective early detection and early response. It is therefore necessary to propose a new SDN-based collaborative network anomaly detection method.
Summary of the invention
To overcome at least one defect (deficiency) of the prior art described above, the present invention provides an SDN-based collaborative network anomaly detection method. Using the contextual information between interconnected network nodes, the method estimates in real time the behavior state of local network nodes and of the global network, thereby achieving collaborative anomaly detection for a distributed network.
To achieve this object, the following technical solution is adopted:
An SDN-based collaborative network anomaly detection method, which is an upper-layer network application of the SDN and is implemented by controller programming, comprising the following steps:
1) build a network behavior model from the traffic data of the distributed network;
2) estimate the local and global states based on the existing network behavior model and real-time traffic data;
3) detect abnormal behavior in the distributed network from the goodness of fit between the real-time measurement data and the given model;
4) automatically update the model using the measurement data that passed anomaly detection.
Step 1) is implemented as follows:
10) model the dynamic change process of the distributed network with a Hidden Markov Random Field (HMRF) model;
11) collect historical traffic data, which in the SDN comprises obtaining network topology information and collecting network traffic information;
12) train the HMRF model with the collected historical traffic data to obtain the model parameters.
Step 2) is implemented as follows:
20) collect real-time traffic data;
21) based on the given HMRF model, estimate the local and global states with the maximum a posteriori (Maximum A Posteriori, MAP) estimation algorithm.
Step 3) is implemented as follows: using a likelihood function, detect abnormal network behavior according to the degree of deviation between the real-time measurement data and the given HMRF model.
Step 4) is implemented as follows: update the model online using the real-time traffic data that passed detection by the given HMRF model.
Compared with the prior art, the beneficial effect of the technical solution of the present invention is as follows: the SDN-based collaborative network anomaly detection method, operating in the new network architecture, is not limited to the data measured independently by each network node but also makes full use of the interaction between network nodes, achieving early perception and detection of distributed network behavior and anomalies.
Brief description of the drawings
Fig. 1 is a schematic diagram of the overall framework of the method;
Fig. 2 is the network framework for collaborative network anomaly detection in the SDN in this method;
Fig. 3 is a schematic diagram of controller application development in the SDN;
Fig. 4 shows the SDN controller link discovery process;
Fig. 5 shows the message exchange by which the controller obtains switch port information;
Fig. 6 shows the format of the message with which the controller requests switch port information;
Fig. 7 shows the format of the message with which the switch responds to the controller's port information request;
Fig. 8 is a flow chart of the model training process.
Detailed description
The drawings are for illustrative purposes only and shall not be construed as limiting this patent. To better illustrate the present embodiment, some parts of the drawings may be omitted, enlarged or reduced, and do not represent the dimensions of the actual product.
Those skilled in the art will understand that some well-known structures and their descriptions may be omitted from the drawings.
The technical solution is further described below with reference to the drawings and embodiments.
Overall framework
An SDN-based collaborative network anomaly detection method, which is an upper-layer network application. Its overall framework is shown in Fig. 1 and comprises seven parts: the HMRF model, historical traffic data, model training, real-time traffic data, local and global state estimation, abnormal network behavior detection, and model update. The HMRF model is used to model the dynamic change process of the distributed network. The historical traffic data comprise network topology information and network traffic information and are used to train the HMRF model. Model training uses the historical traffic data to train the HMRF model and obtain the model parameters. Real-time traffic data are the network traffic information to be inspected that is collected in actual operation. Local and global state estimation means estimating the network state with the MAP estimation algorithm based on the given HMRF model. Abnormal network behavior detection uses a likelihood function to assess whether abnormal network behavior exists, according to how far the network traffic measured in real time deviates from the given HMRF behavior model. Model update uses the real-time traffic data that passed detection to update the parameters of the existing model, which increases the robustness of the model and lets it adapt to the migration and evolution of network behavior.
The method of the invention is carried out as follows. Historical traffic data are collected in the SDN and fed into the model training process as the training data set, and the corresponding HMRF model is obtained through training. In actual operation, the collected real-time traffic data to be inspected are input to the existing HMRF model, the local and global network states are estimated with the MAP algorithm, and abnormal network behavior is then detected. Finally, the real-time traffic that passed model detection is fed back to the model, and the model is updated online using an efficient algorithm.
Each part of the method is described in detail below with reference to Fig. 1.
1. HMRF model
The dynamic change process of the distributed network is modeled with an HMRF model.
As shown in Fig. 2, the invention divides the behavior detection information of a network node into two parts: an observable part and an unobservable part. The observable part consists of the physical quantities that can be obtained directly with measurement tools, including the packet arrival rate, packet queuing delay and packet loss rate. In this embodiment, the random variable $O_{n,t}$ denotes the observation of node n at time t, and O denotes the set of observations of all nodes in the network from time 1 to t, called the measuring field (Measuring Field, MF). The unobservable part consists of the internal mechanisms, causes or states that drive node behavior. Such variables cannot be obtained directly with measurement tools and can only be estimated from the node's observable physical quantities. Below, the random variable $X_{n,t}$ denotes the internal state of node n at time t, and X denotes the set of states of all nodes in the network from time 1 to t, called the hidden state field (State Field, SF). The invention assumes that the observation $O_{n,t}$ of a node is governed by its hidden state $X_{n,t}$ and that the hidden states of different nodes influence one another. The two-layer random field {O, X} therefore constitutes the complete detection information of a given network over a specific period. Comparing the model structure of an HMRF with the two-layer random field {O, X} shows that the HMRF is well suited to describing how the behavior detection information of a distributed network and its context evolve over time.
In the SF, the interaction between network nodes is represented by the first-order spatial Markov property: the state of the current node is directly affected by the states of its one-hop neighbors and is independent of the states of nodes more than one hop away. The joint probability of the SF can therefore be computed via the Hammersley-Clifford theorem. In particular, assuming each network node has only two states, the state field of the network can be described with the Ising model. Given the states of its neighbor nodes, the conditional probability that node n is in state x at time t is calculated by the following formula:
In this formula, the terms denote the states of the neighbor nodes at time t, the set $N_n$ of neighbor nodes of node n, and the energy function; the parameters α and β are the potential parameters of the single-site clique and the pair clique respectively. Physically, they represent the degree to which the whole network environment influences the state of the current node, and the degree of interaction between the current node and its surrounding nodes. The state of the current node and the states of its neighbors affect the energy function, and hence the probability that the node selects state x.
The parameters α and β are determined in one of two ways: 1. they are set directly according to the actual network environment and the needs of the network administrator; 2. they are estimated from the observations with the EM algorithm, an unsupervised approach.
When the current node and a neighbor node are in the same state, β is subtracted from the energy; when their states differ, β is added; α reflects the influence of the whole network environment on the current node. The energy function is computed by comparing the state of the current node with those of its neighbors, which gives the probability that the node selects state x.
The probability that node n, in state x at time t, outputs the observation is expressed as:
For ease of computation, the observation $O_{n,t}$ is discretized and frequency is used as an approximation of probability, that is, the conditional probability is approximated by the frequency of the observation under state x.
The node state is estimated by maximization, that is:
The node state is determined by the maximum of the product of two model terms: the state model $\xi_{n,t}(x)$, the probability that the node selects state x given the states of its neighbors; and the output model $\phi_{n,t}(x)$, the probability that the observation is output under state x.
2. Historical traffic data
This part has three components: it first introduces the development of SDN controller network applications, and then describes how the network application obtains network topology information and collects network traffic information.
Fig. 3 is a schematic diagram of SDN controller network application development. Taking the open-source Floodlight controller as an example, network applications are developed by calling network resources through the controller's programmable northbound interface. The REST API is one of the northbound interfaces the controller exposes, and a user can develop applications against it in any programming language: first determine the network service information the application needs, then select the REST APIs that meet that need from the REST API list, and finally design, implement and test the application using those REST API calls. This method uses the REST API to obtain network topology information and to collect network traffic information.
The network application obtains network topology information through the programmable northbound REST API.
The REST API endpoint used is:
/wm/topology/links/json
An example call:
http://<controller-ip>:port/wm/topology/links/json
<controller-ip> is the IP address of the remote controller and port is the controller port. The call returns data in JSON format, which is parsed in the programming language to obtain the result.
The controller aggregates the information reported by the underlying switching devices over the upstream channel of the southbound interface. Link discovery is implemented with the Link Layer Discovery Protocol (LLDP); the link discovery process is shown in Fig. 4.
The controller sends LLDP packets in Packet_out messages to all switches connected to it. On receiving the message, a switch forwards the LLDP packet out of its other ports. A neighboring switch that receives the LLDP packet sends it to the controller in a Packet_in message, and the controller analyzes it and stores the link record between the two switches.
Through the above API, the network application obtains the list of connections between switches in the SDN and hence how the network nodes are interconnected, which gives the network topology information. From the topology, the network application constructs the node connection relationship matrix:
In the matrix, the horizontal and vertical axes represent the switches ($S_1, S_2, S_3, S_4, \ldots, S_n$); an entry of 1 means connected and 0 means not connected, and the matrix is symmetric. The matrix above represents the node-pair connections $S_1$-$S_2$, $S_1$-$S_3$, $S_2$-$S_4$, $S_3$-$S_4$, ..., from which the neighbor relationships of the nodes are obtained.
The network application collects network traffic information through the programmable northbound REST API.
Taking the collection of switch port statistics as an example, the REST API endpoint used is:
/wm/core/switch/all/port/json
It is called in the same way as above.
The message exchange between the controller and the switch is shown in Fig. 5. When the network application calls the REST API, the controller sends an OFPT_MULTIPART_REQUEST message to the switch (the corresponding sub-message is OFPMP_PORT_STATS). The switch parses the message, encapsulates the port statistics at the tail of an OFPT_MULTIPART_REPLY message (the corresponding sub-message is OFPMP_PORT_STATS), and returns it to the controller. The network application thereby collects the switch port statistics.
The format of the message with which the controller requests switch port information is shown in Fig. 6; it defines the requested message type and port. The format of the switch's response is shown in Fig. 7; it defines contents such as the number of packets and bytes sent and received on the switch port. The switch encapsulates the port statistics at the tail of the OFPT_MULTIPART_REPLY message and returns the message to the controller.
The REST API endpoints used to collect other network traffic information are:
/wm/core/switch/all/<statType>/json
/wm/core/switch/<switchId>/<statType>/json
/wm/core/counter/<counterTitle>/json
/wm/core/counter/<switchId>/<counterName>/json
statType may be port, queue, flow, aggregate, desc, table or features. switchId is a valid switch DPID. counterTitle may be all or take the form <DPID>_<COUNTER_NAME>_<SUB_CATEGORY>, for example 00:00:00:00:00:00:00:01_OFPacketIn_L3_ARP. counterName may be OFPacketIn, OFPacketOut, etc. Through the above APIs the network application collects network traffic information, including the counters of the switch flow tables, the number of packets and bytes in each flow, and the number of packets and bytes sent and received on each port.
This method takes the node packet arrival rate as the observation $O_{n,t}$.
3. Model training
Historical traffic data are collected in the SDN and fed into the model training process as the training data set, and the corresponding HMRF model is obtained through training. This method takes the node packet arrival rate as the observation. In practice, other observations may be chosen according to the network environment and the network administrator's goals, or several measurement indicators may be selected and combined into an observation using multi-attribute analysis.
The degree of a network node affects the observation, so the node traffic data must be averaged according to the node's degree; this method averages by the node's number of links. In practice this can be handled as appropriate for the purpose.
For ease of computation, the observation $O_{n,t}$ is discretized.
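The topology and observation preparation described above (connection matrix from the links endpoint, arrival rate averaged by node degree, then discretized) can be sketched as follows. This is an added example, not code from the patent: the `src-switch`/`dst-switch` keys are assumed to match Floodlight's links reply, and the counter snapshots, bin width and level count are constructed values.

```python
import json

# Constructed sample reply for /wm/topology/links/json. The "src-switch" and
# "dst-switch" keys are assumed to match the controller's output; verify them
# against the Floodlight version in use.
LINKS_JSON = """[
 {"src-switch": "00:00:00:00:00:00:00:01", "src-port": 1,
  "dst-switch": "00:00:00:00:00:00:00:02", "dst-port": 1},
 {"src-switch": "00:00:00:00:00:00:00:01", "src-port": 2,
  "dst-switch": "00:00:00:00:00:00:00:03", "dst-port": 1},
 {"src-switch": "00:00:00:00:00:00:00:02", "src-port": 2,
  "dst-switch": "00:00:00:00:00:00:00:04", "dst-port": 1},
 {"src-switch": "00:00:00:00:00:00:00:04", "src-port": 2,
  "dst-switch": "00:00:00:00:00:00:00:03", "dst-port": 2}
]"""

# Constructed cumulative received-packet counters per switch, taken 10 s apart.
# The last switch's counter went backwards, as it would after a restart.
PREV = {"00:00:00:00:00:00:00:01": 1000, "00:00:00:00:00:00:00:02": 5000,
        "00:00:00:00:00:00:00:03": 200, "00:00:00:00:00:00:00:04": 90000}
CURR = {"00:00:00:00:00:00:00:01": 3000, "00:00:00:00:00:00:00:02": 5400,
        "00:00:00:00:00:00:00:03": 50200, "00:00:00:00:00:00:00:04": 1200}


def adjacency(links_json):
    """Return (sorted DPIDs, symmetric 0/1 connection matrix)."""
    links = json.loads(links_json)
    dpids = sorted({l[k] for l in links for k in ("src-switch", "dst-switch")})
    index = {d: i for i, d in enumerate(dpids)}
    matrix = [[0] * len(dpids) for _ in dpids]
    for l in links:
        i, j = index[l["src-switch"]], index[l["dst-switch"]]
        if i != j:                      # ignore self-loops
            matrix[i][j] = matrix[j][i] = 1
    return dpids, matrix


def observations(prev, curr, interval_s, dpids, matrix, bin_width=50, levels=6):
    """Discretized per-node arrival rate, averaged by the node's link count."""
    obs = []
    for i, dpid in enumerate(dpids):
        degree = sum(matrix[i]) or 1    # isolated node: do not divide by zero
        delta = curr[dpid] - prev[dpid]
        if delta < 0:                   # counter reset: count from zero
            delta = curr[dpid]
        rate = delta / interval_s / degree
        obs.append(min(int(rate // bin_width), levels - 1))  # clamp top level
    return obs


if __name__ == "__main__":
    dpids, matrix = adjacency(LINKS_JSON)
    print(matrix)
    print(observations(PREV, CURR, 10, dpids, matrix))
```

Clamping to the top level keeps a rate far outside the historical range as a distinct, rarely seen observation instead of an index error.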
The flow chart of the model training algorithm is shown in Fig. 8.
The training algorithm proceeds as follows:
1. Collect the historical traffic data O of all nodes as observations;
2. Initialize with the K-means clustering algorithm, dividing the observations into two states to obtain the initial state field;
3. Compute the frequency distribution of the observations under each state;
4. Re-estimate the state of each node with the MAP algorithm;
5. Check whether the convergence condition is met; if so, training ends; otherwise, go to step 3.
The convergence condition may be a number of iterations, or the difference between two successive iterations: iteration stops when the iteration count is reached or when the difference falls below a preset value.
Training yields the model parameters, here the frequency distribution of the output observations under the different states, i.e. $\phi_{n,t}(x)$.
4. Real-time traffic data
Real-time traffic data are the network traffic information to be inspected that is collected in actual operation. The network application collects real-time traffic data through the REST API described above and feeds the traffic data of all switches into the existing HMRF model as the model input $O_t$.
Within a preset time window t, the application collects the traffic information of all switches and derives the packet arrival rate, which after discretization gives the observation $O_t$. This is input to the HMRF model to estimate the network behavior state and detect abnormal network behavior.
5. Local and global state estimation
Within a preset time window, the current traffic statistics of each node are collected and discretized to obtain the observation $O_{n,t}$. The states of the node's neighbors are represented by the node states at the previous time step, and the network state is estimated with the MAP algorithm described above.
The global state is obtained by traversing all nodes.
This process yields a global map of the distributed network's state that is updated in real time.
6. Abnormal network behavior detection
Using a likelihood function, whether abnormal network behavior exists is assessed according to how far the network traffic measured in real time deviates from the given HMRF behavior model.
The likelihood function of node n is calculated as follows:
This likelihood function characterizes the probability of the observation occurring at the node.
The likelihood function of the global network is calculated as follows:
This likelihood function characterizes the probability of the observations occurring across the whole network.
Abnormal network behavior is detected with the log-likelihood function by comparing the goodness of fit between the real-time measurement data and the given model, that is, by comparing the real-time observations with the normal network scenario; a larger deviation means a higher probability that an anomaly has occurred.
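The training steps of section 3 and the likelihood-based detection above, as an added example that is not the patent's own code. The page's formulas did not survive, so the Ising energy form, the node likelihood (sum over states of state model times output model), the add-one smoothing, the pooled output model and the `baseline_threshold` helper are assumptions; the topology and traffic levels are constructed.

```python
import math
from collections import Counter

STATES = (0, 1)   # two hidden states per node (the page's Ising assumption)
LEVELS = 6        # number of discretized arrival-rate levels (assumed)

# Constructed data: ring S1-S2, S1-S3, S2-S4, S3-S4 as neighbor lists, and
# eight historical windows of discretized per-node packet arrival rates.
NBRS = [[1, 2], [0, 3], [0, 3], [1, 2]]
HISTORY = [[1, 1, 0, 1], [0, 1, 1, 0], [2, 3, 2, 2], [3, 2, 3, 3],
           [1, 0, 1, 1], [2, 2, 3, 2], [3, 3, 2, 3], [0, 1, 0, 1]]


def state_prob(x, nbr_states, alpha, beta):
    """State model xi(x): P(node state = x | neighbor states), assumed Ising form."""
    def energy(s):
        # beta is subtracted per neighbor in the same state and added otherwise;
        # alpha biases the node towards one state (whole-network influence).
        return alpha * s + sum(-beta if s == m else beta for m in nbr_states)
    z = sum(math.exp(-energy(s)) for s in STATES)
    return math.exp(-energy(x)) / z


def fit_output_model(obs, states):
    """Output model phi[x][o]: add-one-smoothed frequency of level o under state x."""
    counts = {x: Counter() for x in STATES}
    for o, x in zip(obs, states):
        counts[x][o] += 1
    return {x: [(counts[x][o] + 1) / (sum(counts[x].values()) + LEVELS)
                for o in range(LEVELS)] for x in STATES}


def kmeans_two(values, iters=20):
    """1-D two-cluster K-means; label 0 is the low-rate cluster."""
    lo, hi = float(min(values)), float(max(values))
    labels = [0] * len(values)
    for _ in range(iters):
        labels = [0 if abs(v - lo) <= abs(v - hi) else 1 for v in values]
        low = [v for v, l in zip(values, labels) if l == 0]
        high = [v for v, l in zip(values, labels) if l == 1]
        lo = sum(low) / len(low)
        hi = sum(high) / len(high) if high else hi
    return labels


def map_state(o, nbr_states, phi, alpha, beta):
    """MAP estimate: the state maximizing xi(x) * phi(o | x)."""
    return max(STATES, key=lambda x: state_prob(x, nbr_states, alpha, beta) * phi[x][o])


def train(history, nbrs, alpha=0.0, beta=0.5, max_iter=20):
    """Training steps 1-5; returns (phi, state field for every window)."""
    n = len(nbrs)
    flat = [o for row in history for o in row]
    labels = kmeans_two(flat)
    states = [labels[t * n:(t + 1) * n] for t in range(len(history))]
    for _ in range(max_iter):
        phi = fit_output_model(flat, [s for row in states for s in row])
        new = [[map_state(row[i], [states[t][m] for m in nbrs[i]], phi, alpha, beta)
                for i in range(n)] for t, row in enumerate(history)]
        if new == states:      # convergence: state field unchanged
            break
        states = new
    return phi, states


def node_likelihood(o, nbr_states, phi, alpha, beta):
    """Assumed node likelihood: sum over x of xi(x) * phi(o | x)."""
    return sum(state_prob(x, nbr_states, alpha, beta) * phi[x][o] for x in STATES)


def detect(window, prev_states, nbrs, phi, alpha=0.0, beta=0.5):
    """Score one window; neighbor states come from the previous window."""
    est, loglik = [], 0.0
    for i, o in enumerate(window):
        nb = [prev_states[m] for m in nbrs[i]]
        est.append(map_state(o, nb, phi, alpha, beta))
        loglik += math.log(node_likelihood(o, nb, phi, alpha, beta))
    return est, loglik


def baseline_threshold(history, states, nbrs, phi):
    """Hypothetical alert threshold: lowest global log-likelihood seen in training."""
    return min(detect(history[t], states[t - 1], nbrs, phi)[1]
               for t in range(1, len(history)))


if __name__ == "__main__":
    phi, states = train(HISTORY, NBRS)
    thr = baseline_threshold(HISTORY, states, NBRS, phi)
    for name, window in (("normal", [1, 0, 1, 1]), ("flood-like", [5, 5, 4, 5])):
        est, ll = detect(window, states[-1], NBRS, phi)
        print(name, est, round(ll, 3), "ANOMALY" if ll < thr else "ok")
```

In this constructed run the estimated states alone do not flag the high-rate window; the drop in global log-likelihood does, which is why the page scores deviation from the model instead of thresholding the state field.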
7. Model update
The model is updated online using the real-time traffic data that passed model detection.
The state model in this method describes the interaction between node states, and its parameters are relatively stable. The output model characterizes the probability that a node outputs the observation under state x, and its parameters change as network behavior evolves, so fixed model parameters would introduce model error. Model update exists to adapt to the migration and evolution of network behavior.
In each update cycle, the real-time traffic data that passed model detection are fed back to the model and the model parameters are updated following the training process described above. This avoids the increase in computational complexity that retraining on old traffic data would cause, while letting the model adapt to the evolution of network behavior and increasing its robustness.
Obviously, the above embodiments of the present invention are merely examples given to illustrate the invention clearly and do not limit its embodiments. Those of ordinary skill in the art can make other changes in different forms on the basis of the above description. There is no need to list all embodiments exhaustively. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the protection scope of the claims of the invention.
Claims (5)
1. A network collaborative abnormality detection method based on SDN, belonging to the upper-layer network applications of SDN, characterized in that the method comprises the following steps:
1) collecting historical traffic data in the SDN and inputting it, as the model training data set, into the model training process, whereby the corresponding HMRF model is obtained through training;
2) realizing local and global state estimation based on the HMRF model trained in step 1) and the collected real-time traffic data;
3) realizing abnormal behavior detection for the distributed network through the goodness of fit between the real-time measurement data and the HMRF model;
4) realizing automatic updating of the HMRF model using the measurement data that has passed abnormality detection.
2. The network collaborative abnormality detection method based on SDN according to claim 1, characterized in that step 1) is implemented as follows:
10) modeling the dynamic change process of the distributed network with a hidden Markov random field (HMRF) model;
11) collecting historical traffic data, including the acquisition of network topology information and the collection of network traffic information in the SDN;
12) training the HMRF model with the collected historical traffic data to obtain the HMRF model parameters.
3. The network collaborative abnormality detection method based on SDN according to claim 1, characterized in that step 2) is implemented as follows:
20) collecting real-time traffic data;
21) based on the HMRF model trained in step 1), estimating the local and global states with the maximum a posteriori (MAP) estimation algorithm.
4. The network collaborative abnormality detection method based on SDN according to claim 1, characterized in that step 3) is implemented as follows: using a likelihood function, abnormal network behavior is detected according to the degree to which the real-time measurement data deviates from the HMRF model.
5. The network collaborative abnormality detection method based on SDN according to claim 1, characterized in that step 4) is implemented as follows: the model parameters are updated using the real-time traffic data that has passed inspection by the given HMRF model, thereby updating the model online.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710037077.XA CN106612289A (en) | 2017-01-18 | 2017-01-18 | Network collaborative abnormality detection method based on SDN |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106612289A (en) | 2017-05-03 |
Family
ID=58636303
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710037077.XA Pending CN106612289A (en) | 2017-01-18 | 2017-01-18 | Network collaborative abnormality detection method based on SDN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106612289A (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102045708A (en) * | 2011-01-25 | 2011-05-04 | 河海大学常州校区 | Energy prediction-based wireless sensor network intrusion detection method |
CN103400040A (en) * | 2013-07-31 | 2013-11-20 | 中国人民解放军国防科学技术大学 | Fault diagnosis and prediction method utilizing multistep time domain difference value learning |
CN103686806A (en) * | 2013-12-02 | 2014-03-26 | 清华大学 | Method and system for detecting abnormal events of networks |
CN105553998A (en) * | 2015-12-23 | 2016-05-04 | 中国电子科技集团公司第三十研究所 | Network attack abnormality detection method |
Non-Patent Citations (1)
Title |
---|
Yi Xie et al.: "A General Collaborative Framework for Modeling", IEEE/ACM TRANSACTIONS ON NETWORKING * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20170503 |