CN107070941A - The method and apparatus of abnormal traffic detection - Google Patents
- Publication number
- CN107070941A (application CN201710310754.0A)
- Authority
- CN
- China
- Prior art keywords
- minimum value
- credibility interval
- standard deviation
- flow bandwidth
- average
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The disclosure relates to a method and apparatus for abnormal traffic detection in the field of network security. The method includes: sampling the traffic bandwidth of a device multiple times to obtain a plurality of traffic bandwidth sample values; determining a credibility interval for the traffic bandwidth of the device according to the obtained sample values; detecting the traffic bandwidth of the device and judging whether the detected traffic bandwidth lies within the credibility interval; and, when the detected traffic bandwidth lies outside the credibility interval, identifying the traffic of the device as abnormal. The invention is not limited by whether a protocol's standard specification is public, and can also detect traffic that uses proprietary protocols and special-purpose protocols.
Description
Technical field
This disclosure relates to the field of network security, and in particular to a method and apparatus for abnormal traffic detection.
Background
With the development of information technology, industrial control systems are gradually becoming open, interconnected and general-purpose. Many industrial control protocols now run over EPA, and attacks against industrial control systems are also becoming more common. Abnormal traffic detection techniques for networks include the whitelist method.
Whitelist-based abnormal traffic detection is implemented through deep protocol parsing. The detection method first learns from protocol messages: in the learning phase, protocol messages are monitored and a whitelist is generated according to the protocol standard specification to serve as the behavioral baseline. In the detection phase, network traffic is deeply parsed according to the protocol format of the monitored protocol messages, and the parsing result is compared with the whitelist; traffic that does not hit the whitelist is considered abnormal.
The whitelist method depends on the protocol standard specification. It is effective for public protocols, but it cannot perform anomaly detection for proprietary protocols and special-purpose protocols.
Summary of the invention
The disclosure provides a method and apparatus for abnormal traffic detection that solve the above technical problem, or at least partly solve it.
According to a first aspect of the embodiments of the present disclosure, a method of abnormal traffic detection is provided. The method includes: sampling the traffic bandwidth of a device multiple times to obtain a plurality of traffic bandwidth sample values; determining a credibility interval for the traffic bandwidth of the device according to the obtained sample values; detecting the traffic bandwidth of the device and judging whether the detected traffic bandwidth lies within the credibility interval; and, when the detected traffic bandwidth lies outside the credibility interval, identifying the traffic of the device as abnormal.
Optionally, determining the credibility interval of the traffic bandwidth of the device according to the obtained sample values includes: calculating at least one of the standard deviation and the mean of the plurality of traffic sample values, together with their maximum and minimum; and determining the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum.
Optionally, determining the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum, includes: determining the upper limit of the credibility interval as the maximum plus 2 times the standard deviation; judging whether the minimum is greater than 2 times the standard deviation; when the minimum is greater than 2 times the standard deviation, the lower limit of the credibility interval is the minimum minus 2 times the standard deviation; when the minimum is not greater than 2 times the standard deviation, the lower limit of the credibility interval is 0.
Optionally, determining the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum, includes: determining the upper limit of the credibility interval as the maximum plus 1/2 of the mean; judging whether the minimum is greater than 1/2 of the mean; when the minimum is greater than 1/2 of the mean, the lower limit of the credibility interval is the minimum minus 1/2 of the mean; when the minimum is not greater than 1/2 of the mean, the lower limit of the credibility interval is 0.
Optionally, the method further includes: when the detected traffic bandwidth lies within the credibility interval, identifying the traffic of the device as normal.
According to a second aspect of the embodiments of the present disclosure, an apparatus for abnormal traffic detection is provided. The apparatus includes: a sampling module, for sampling the traffic bandwidth of a device multiple times to obtain a plurality of traffic bandwidth sample values; a determining module, for determining the credibility interval of the traffic bandwidth of the device according to the obtained sample values; a judging module, for detecting the traffic bandwidth of the device and judging whether the detected traffic bandwidth lies within the credibility interval; and an identification module, for identifying the traffic of the device as abnormal when the detected traffic bandwidth lies outside the credibility interval.
Optionally, the determining module is used to calculate at least one of the standard deviation and the mean of the plurality of traffic sample values, together with their maximum and minimum, and to determine the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum.
Optionally, the determining module is used to determine the upper limit of the credibility interval as the maximum plus 2 times the standard deviation, and to judge whether the minimum is greater than 2 times the standard deviation; when the minimum is greater than 2 times the standard deviation, the lower limit of the credibility interval is the minimum minus 2 times the standard deviation; when the minimum is not greater than 2 times the standard deviation, the lower limit of the credibility interval is 0.
Optionally, the determining module is used to determine the upper limit of the credibility interval as the maximum plus 1/2 of the mean, and to judge whether the minimum is greater than 1/2 of the mean; when the minimum is greater than 1/2 of the mean, the lower limit of the credibility interval is the minimum minus 1/2 of the mean; when the minimum is not greater than 1/2 of the mean, the lower limit of the credibility interval is 0.
Optionally, the identification module is further used to identify the traffic of the device as normal when the detected traffic bandwidth lies within the credibility interval.
The technical solution provided by the embodiments of this disclosure can have the following benefits: the traffic bandwidth of a device is sampled multiple times, the credibility interval of the traffic bandwidth is determined from the sample values, and when the detected traffic bandwidth lies outside the credibility interval the traffic of the device is identified as abnormal. Detection is therefore not limited by whether a protocol's standard specification is public, and traffic that uses proprietary protocols and special-purpose protocols can also be detected.
It should be understood that the general description above and the detailed description below are only exemplary and explanatory, and do not limit the disclosure.
Brief description of the drawings
The accompanying drawings are incorporated into and form part of this specification. They show embodiments consistent with the invention and, together with the specification, serve to explain its principles.
Fig. 1 is a flow chart of a method of abnormal traffic detection according to an exemplary embodiment.
Fig. 2 is a flow chart of a method of calculating the credibility interval according to an exemplary embodiment.
Fig. 3 is a flow chart of a method of calculating the upper limit and lower limit of the credibility interval according to an exemplary embodiment.
Fig. 4 is a flow chart of a method of calculating the upper limit and lower limit of the credibility interval according to an exemplary embodiment.
Fig. 5 is a structural block diagram of an apparatus for abnormal traffic detection according to an exemplary embodiment.
Detailed description
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the invention. Rather, they are only examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
Fig. 1 is a flow chart of a method of abnormal traffic detection according to an exemplary embodiment. As shown in Fig. 1, the method includes the following steps.
In step S110, the traffic bandwidth of a device is sampled multiple times to obtain a plurality of traffic bandwidth sample values.
For example, network traffic is collected by probe devices deployed in the network and, in the learning phase, the traffic bandwidth of each device in the network is sampled periodically. After sampling for a period of time, a traffic bandwidth sample is formed for each device.
For example, if traffic bandwidth is sampled on M devices with N sample points per device, sample data as shown in Table 1 below is obtained. $B_{m,n}$ denotes the n-th sample point in the traffic bandwidth sample of device m.
Table 1
In step S120, the credibility interval of the traffic bandwidth of the device is determined according to the obtained traffic bandwidth sample values.
For example, the traffic corresponding to the traffic bandwidth sample values is taken to be normal traffic; statistics are computed over the sample values to obtain the credibility interval of the traffic bandwidth.
In step S130, the traffic bandwidth of the device is detected, and it is judged whether the detected traffic bandwidth lies within the credibility interval.
For example, the traffic bandwidth of the device is obtained by detecting the device. If the detected traffic bandwidth is greater than or equal to the lower limit of the credibility interval and less than or equal to the upper limit of the credibility interval, the detected traffic bandwidth is determined to lie within the credibility interval.
In step S140, when the detected traffic bandwidth lies outside the credibility interval, the traffic of the device is identified as abnormal.
For example, under normal conditions the traffic bandwidth of devices in an industrial control network is stable and regular. In the detection phase, normal traffic bandwidth falling outside the credibility interval is a low-probability event, or an impossible one, and this is the basis for judging whether the traffic bandwidth of a device is abnormal.
Further, the method may also include: when the detected traffic bandwidth lies within the credibility interval, identifying the traffic of the device as normal.
With the technical solution of this embodiment, detection is not limited by whether a protocol's standard specification is public, and traffic that uses proprietary protocols and special-purpose protocols can also be detected.
In one embodiment, as shown in Fig. 2, determining the credibility interval of the traffic bandwidth of the device according to the obtained traffic bandwidth sample values may include the following steps.
In step S202, at least one of the standard deviation and the mean of the plurality of traffic sample values, together with their maximum and minimum, is calculated.
For example, for device m, the standard deviation, mean, maximum and minimum of the plurality of traffic sample values can be calculated as follows.
Sample maximum calculation:
$B_{\max} = \max\{B_{m,1}, B_{m,2}, \ldots, B_{m,N-1}, B_{m,N}\}$
where $B_{\max}$ is the maximum and $B_{m,1}, \ldots, B_{m,N}$ are the N traffic sample values of device m.
Sample minimum calculation:
$B_{\min} = \min\{B_{m,1}, B_{m,2}, \ldots, B_{m,N-1}, B_{m,N}\}$
where $B_{\min}$ is the minimum and $B_{m,1}, \ldots, B_{m,N}$ are the N traffic sample values of device m.
Sample mean calculation:
Here $B_{m,1}, \ldots, B_{m,N}$ are the N traffic sample values of device m, from which the mean is taken.
Sample standard deviation calculation:
Here $B_{m,1}, \ldots, B_{m,N}$ are the N traffic sample values of device m, from which the standard deviation is taken.
In step S204, the upper limit and lower limit of the credibility interval are determined according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum.
For example, as shown in Fig. 3, determining the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum, may include the following steps.
In step S302, the upper limit of the credibility interval is determined as the maximum plus 2 times the standard deviation.
In step S304, it is judged whether the minimum is greater than 2 times the standard deviation; if so, step S306 is performed, otherwise step S308 is performed.
In step S306, when the minimum is greater than 2 times the standard deviation, the lower limit of the credibility interval is the minimum minus 2 times the standard deviation.
In step S308, when the minimum is not greater than 2 times the standard deviation, the lower limit of the credibility interval is 0.
For example, the credibility interval can be calculated as follows.
The upper limit of the credibility interval is calculated as:
The lower limit of the credibility interval is calculated as:
If
If
The credibility interval is the closed interval from the lower limit of the credibility interval to its upper limit:
[credibility interval] = [$B_{\text{lower limit}}$, $B_{\text{upper limit}}$]
In another example, as shown in Fig. 4, determining the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum, may include the following steps.
In step S402, the upper limit of the credibility interval is determined as the maximum plus 1/2 of the mean.
In step S404, it is judged whether the minimum is greater than 1/2 of the mean; if so, step S406 is performed, otherwise step S408 is performed.
In step S406, when the minimum is greater than 1/2 of the mean, the lower limit of the credibility interval is the minimum minus 1/2 of the mean.
In step S408, when the minimum is not greater than 1/2 of the mean, the lower limit of the credibility interval is 0.
For example, the credibility interval can also be calculated by another method.
If
IfBLower limit=0
[credibility interval] = [$B_{\text{lower limit}}$, $B_{\text{upper limit}}$]
With the above technical solution, the credibility interval can be determined statistically, which makes the credibility interval more reasonable and in turn increases the accuracy of the traffic anomaly judgment.
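The learning and detection steps above (S110 to S140, with both limit rules from Figs. 3 and 4), as an added Python example that is not part of the patent text. The device names, the sample values, the use of the population standard deviation and the `unknown` verdict for devices without a learned interval are assumptions.

```python
"""Credibility-interval bandwidth anomaly detection (added example)."""
import statistics
from dataclasses import dataclass

# Constructed learning-stage samples in Mbit/s; device names are hypothetical.
LEARNING_SAMPLES = {
    "plc-1": [10.0, 12.0, 11.0, 9.0, 13.0],  # steady control traffic
    "hmi-1": [0.2, 5.0, 0.4, 4.8, 0.1],      # bursty, minimum close to zero
    "rtu-1": [4.0, 4.0, 4.0, 4.0, 4.0],      # perfectly constant
}

# Constructed detection-stage observations: (device, bandwidth in Mbit/s).
OBSERVATIONS = [
    ("plc-1", 11.5),
    ("plc-1", 17.0),
    ("plc-1", 40.0),
    ("hmi-1", 0.0),
    ("rtu-1", 4.1),
    ("new-1", 1.0),  # device never seen in the learning stage
]


@dataclass(frozen=True)
class CredibilityInterval:
    lower: float
    upper: float

    def contains(self, bandwidth):
        # Step S130: closed interval, so both limits count as inside.
        return self.lower <= bandwidth <= self.upper


def learn_interval(samples, method="stddev"):
    """Steps S202-S204: derive the interval from one device's samples."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to learn an interval")
    if min(samples) < 0:
        raise ValueError("bandwidth samples cannot be negative")
    b_max, b_min = max(samples), min(samples)
    if method == "stddev":
        # Steps S302-S308. Assumption: population standard deviation,
        # because the page's own formula did not survive.
        margin = 2 * statistics.pstdev(samples)
    elif method == "mean":
        # Steps S402-S408: margin is 1/2 of the mean.
        margin = statistics.fmean(samples) / 2
    else:
        raise ValueError(f"unknown method: {method!r}")
    upper = b_max + margin
    # Lower limit is 0 unless the minimum is greater than the margin.
    lower = b_min - margin if b_min > margin else 0.0
    return CredibilityInterval(lower, upper)


def learn_baseline(samples_by_device, method="stddev"):
    """Steps S110-S120 applied to every device sampled while learning.

    The samples are treated as normal traffic, as the text states, so
    whatever was on the wire during learning defines the baseline.
    """
    return {dev: learn_interval(s, method)
            for dev, s in samples_by_device.items()}


def classify(baseline, device, bandwidth):
    """Steps S130-S140; 'unknown' for unlearned devices is an assumption."""
    interval = baseline.get(device)
    if interval is None:
        return "unknown"
    return "normal" if interval.contains(bandwidth) else "abnormal"


def run_demo(method="stddev"):
    """Learn from the constructed samples and classify each observation."""
    baseline = learn_baseline(LEARNING_SAMPLES, method)
    return [(dev, bw, classify(baseline, dev, bw)) for dev, bw in OBSERVATIONS]


if __name__ == "__main__":
    for method in ("stddev", "mean"):
        print(f"limit rule: {method}")
        for dev, bw, verdict in run_demo(method):
            print(f"  {dev:6} {bw:6.1f} Mbit/s -> {verdict}")
```

With the 2-times-standard-deviation rule a perfectly constant baseline gives a zero-width interval, so `rtu-1` at 4.1 Mbit/s is flagged, while the 1/2-mean rule accepts it.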
Fig. 5 is a structural block diagram of an apparatus for abnormal traffic detection according to an exemplary embodiment. Referring to Fig. 5, the apparatus includes a sampling module 151, a determining module 152, a judging module 153 and an identification module 154.
The sampling module 151 is configured to sample the traffic bandwidth of a device multiple times to obtain a plurality of traffic bandwidth sample values.
The determining module 152 is configured to determine the credibility interval of the traffic bandwidth of the device according to the obtained traffic bandwidth sample values.
The judging module 153 is configured to detect the traffic bandwidth of the device and judge whether the detected traffic bandwidth lies within the credibility interval.
The identification module 154 is configured to identify the traffic of the device as abnormal when the detected traffic bandwidth lies outside the credibility interval.
With the technical solution of this embodiment, detection is not limited by whether a protocol's standard specification is public, and traffic that uses proprietary protocols and special-purpose protocols can also be detected.
In one embodiment, the determining module 152 is configured to calculate at least one of the standard deviation and the mean of the plurality of traffic sample values, together with their maximum and minimum, and to determine the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum.
Further, the determining module 152 is configured to determine the upper limit of the credibility interval as the maximum plus 2 times the standard deviation, and to judge whether the minimum is greater than 2 times the standard deviation; when the minimum is greater than 2 times the standard deviation, the lower limit of the credibility interval is the minimum minus 2 times the standard deviation; when the minimum is not greater than 2 times the standard deviation, the lower limit of the credibility interval is 0.
Further, the determining module 152 is configured to determine the upper limit of the credibility interval as the maximum plus 1/2 of the mean, and to judge whether the minimum is greater than 1/2 of the mean; when the minimum is greater than 1/2 of the mean, the lower limit of the credibility interval is the minimum minus 1/2 of the mean; when the minimum is not greater than 1/2 of the mean, the lower limit of the credibility interval is 0.
In one embodiment, the identification module 154 is further configured to identify the traffic of the device as normal when the detected traffic bandwidth lies within the credibility interval.
With the above technical solution, the credibility interval can be determined statistically, which makes the credibility interval more reasonable and in turn increases the accuracy of the traffic anomaly judgment.
The above apparatus corresponds to the foregoing method; for its specific implementation, see the detailed description of the method, which is not repeated here.
Regarding the apparatus in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method and will not be elaborated here.
Those skilled in the art will readily conceive of other embodiments of the invention after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include common knowledge or customary technical means in the art not disclosed in this disclosure. The specification and embodiments are to be regarded as exemplary only, and the true scope and spirit of the invention are indicated by the following claims.
It should be understood that the invention is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the invention is limited only by the appended claims.
Claims (10)
1. A method of abnormal traffic detection, characterized in that the method includes:
sampling the traffic bandwidth of a device multiple times to obtain a plurality of traffic bandwidth sample values;
determining the credibility interval of the traffic bandwidth of the device according to the obtained traffic bandwidth sample values;
detecting the traffic bandwidth of the device, and judging whether the detected traffic bandwidth lies within the credibility interval;
when the detected traffic bandwidth lies outside the credibility interval, identifying the traffic of the device as abnormal.
2. The method of abnormal traffic detection according to claim 1, characterized in that determining the credibility interval of the traffic bandwidth of the device according to the obtained traffic bandwidth sample values includes:
calculating at least one of the standard deviation and the mean of the plurality of traffic sample values, together with their maximum and minimum;
determining the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum.
3. The method of abnormal traffic detection according to claim 2, characterized in that determining the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum, includes:
determining the upper limit of the credibility interval as the maximum plus 2 times the standard deviation;
judging whether the minimum is greater than 2 times the standard deviation;
when the minimum is greater than 2 times the standard deviation, the lower limit of the credibility interval is the minimum minus 2 times the standard deviation;
when the minimum is not greater than 2 times the standard deviation, the lower limit of the credibility interval is 0.
4. The method of abnormal traffic detection according to claim 2, characterized in that determining the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum, includes:
determining the upper limit of the credibility interval as the maximum plus 1/2 of the mean;
judging whether the minimum is greater than 1/2 of the mean;
when the minimum is greater than 1/2 of the mean, the lower limit of the credibility interval is the minimum minus 1/2 of the mean;
when the minimum is not greater than 1/2 of the mean, the lower limit of the credibility interval is 0.
5. The method of abnormal traffic detection according to any one of claims 1 to 4, characterized in that the method further includes:
when the detected traffic bandwidth lies within the credibility interval, identifying the traffic of the device as normal.
6. An apparatus for abnormal traffic detection, characterized in that the apparatus includes:
a sampling module, for sampling the traffic bandwidth of a device multiple times to obtain a plurality of traffic bandwidth sample values;
a determining module, for determining the credibility interval of the traffic bandwidth of the device according to the obtained traffic bandwidth sample values;
a judging module, for detecting the traffic bandwidth of the device and judging whether the detected traffic bandwidth lies within the credibility interval;
an identification module, for identifying the traffic of the device as abnormal when the detected traffic bandwidth lies outside the credibility interval.
7. The apparatus for abnormal traffic detection according to claim 6, characterized in that the determining module is used to calculate at least one of the standard deviation and the mean of the plurality of traffic sample values, together with their maximum and minimum, and to determine the upper limit and lower limit of the credibility interval according to the calculated at least one of the standard deviation and the mean, and the maximum and minimum.
8. The apparatus for abnormal traffic detection according to claim 7, characterized in that the determining module is used to determine the upper limit of the credibility interval as the maximum plus 2 times the standard deviation, and to judge whether the minimum is greater than 2 times the standard deviation; when the minimum is greater than 2 times the standard deviation, the lower limit of the credibility interval is the minimum minus 2 times the standard deviation; when the minimum is not greater than 2 times the standard deviation, the lower limit of the credibility interval is 0.
9. The apparatus for abnormal traffic detection according to claim 7, characterized in that the determining module is used to determine the upper limit of the credibility interval as the maximum plus 1/2 of the mean, and to judge whether the minimum is greater than 1/2 of the mean; when the minimum is greater than 1/2 of the mean, the lower limit of the credibility interval is the minimum minus 1/2 of the mean; when the minimum is not greater than 1/2 of the mean, the lower limit of the credibility interval is 0.
10. The apparatus for abnormal traffic detection according to any one of claims 6 to 9, characterized in that the identification module is further used to identify the traffic of the device as normal when the detected traffic bandwidth lies within the credibility interval.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710310754.0A CN107070941A (en) | 2017-05-05 | 2017-05-05 | The method and apparatus of abnormal traffic detection |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107070941A true CN107070941A (en) | 2017-08-18 |
Family
ID=59597598
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710310754.0A Pending CN107070941A (en) | 2017-05-05 | 2017-05-05 | The method and apparatus of abnormal traffic detection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107070941A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110113347A (en) * | 2019-05-14 | 2019-08-09 | 北京天地和兴科技有限公司 | A method of detection industry control network application layer protocol message length is abnormal |
CN110247911A (en) * | 2019-06-14 | 2019-09-17 | 曹严清 | A kind of Traffic anomaly detection method and system |
CN110635947A (en) * | 2019-09-20 | 2019-12-31 | 曹严清 | Abnormal access monitoring method and device |
CN111882289A (en) * | 2020-07-01 | 2020-11-03 | 国网河北省电力有限公司经济技术研究院 | Device and method for measuring and calculating item data audit index interval |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20090130546A (en) * | 2008-06-16 | 2009-12-24 | 주식회사 케이티 | Apparatus for determining traffic state and mehtod thereof |
CN102014031A (en) * | 2010-12-31 | 2011-04-13 | 湖南神州祥网科技有限公司 | Method and system for network flow anomaly detection |
CN103581186A (en) * | 2013-11-05 | 2014-02-12 | 中国科学院计算技术研究所 | Network security situation awareness method and system |
US20160142435A1 (en) * | 2014-11-13 | 2016-05-19 | Cyber-Ark Software Ltd. | Systems and methods for detection of anomalous network behavior |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110113347A (en) * | 2019-05-14 | 2019-08-09 | 北京天地和兴科技有限公司 | A method of detection industry control network application layer protocol message length is abnormal |
CN110247911A (en) * | 2019-06-14 | 2019-09-17 | 曹严清 | A kind of Traffic anomaly detection method and system |
CN110247911B (en) * | 2019-06-14 | 2021-06-08 | 曹严清 | Flow abnormity detection method and system |
CN110635947A (en) * | 2019-09-20 | 2019-12-31 | 曹严清 | Abnormal access monitoring method and device |
CN111882289A (en) * | 2020-07-01 | 2020-11-03 | 国网河北省电力有限公司经济技术研究院 | Device and method for measuring and calculating item data audit index interval |
CN111882289B (en) * | 2020-07-01 | 2023-11-14 | 国网河北省电力有限公司经济技术研究院 | Device and method for measuring and calculating project data auditing index interval |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107070941A (en) | The method and apparatus of abnormal traffic detection | |
CN109600363B (en) | Internet of things terminal network portrait and abnormal network access behavior detection method | |
CN112788066B (en) | Abnormal flow detection method and system for Internet of things equipment and storage medium | |
US20170163680A1 (en) | Method and apparatus for ddos attack detection | |
US7872584B2 (en) | Analyzing smoke or other emissions with pattern recognition | |
CN110120935B (en) | Method and device for identifying anomalies in data flows in a communication network | |
CN109660518B (en) | Communication data detection method and device of network and machine-readable storage medium | |
CN111181971B (en) | System for automatically detecting industrial network attack | |
CN111970229B (en) | CAN bus data anomaly detection method aiming at multiple attack modes | |
US20120090027A1 (en) | Apparatus and method for detecting abnormal host based on session monitoring | |
KR101797400B1 (en) | Method and apparatus for diagnosing fault based on probabilistic density | |
CN114965924A (en) | Sewage pollutant concentration detection system | |
CN105871861B (en) | A kind of intrusion detection method of self study protocol rule | |
CN107426136B (en) | Network attack identification method and device | |
CN105959321A (en) | Passive identification method and apparatus for network remote host operation system | |
CN109714311A (en) | A method of the unusual checking based on clustering algorithm | |
CN117319047A (en) | Network path analysis method and system based on network security anomaly detection | |
CN117336055A (en) | Network abnormal behavior detection method and device, electronic equipment and storage medium | |
CN106453404B (en) | A kind of network inbreak detection method and device | |
KR102265134B1 (en) | A Security Monitoring System using Packet Flow for automation control system | |
CN116764261B (en) | Execution safety supervision system for distillation flow | |
CN110958251A (en) | Method and device for detecting and backtracking lost host based on real-time stream processing | |
CN105516164B (en) | Based on point shape and the P2P botnet detection method that adaptively merges | |
CN110113347A (en) | A method of detection industry control network application layer protocol message length is abnormal | |
CN115801538A (en) | Site server application asset deep identification method, system and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||