CN107682377A - A kind of online Traffic anomaly detection method and device - Google Patents


Info

Publication number
CN107682377A
Authority
CN
China
Prior art keywords
flow
matrix
abnormal
openflow
traffic
Prior art date
Legal status
Withdrawn
Application number
CN201711172399.1A
Other languages
Chinese (zh)
Inventor
周燕红
Current Assignee
Individual
Original Assignee
Individual
Priority date
2017-11-22
Filing date
2017-11-22
Publication date
2018-02-09
Application filed by
Individual
Legal status
Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

An embodiment of the invention discloses an online traffic anomaly detection method and device. The method includes: installing flow entries in OpenFlow switches, with the controller obtaining OpenFlow switch information in real time; collecting flow statistics; building the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from these building the flow combined-entropy matrix; and identifying anomalies using principal component analysis (PCA). The embodiment is simple to implement, detects online traffic anomalies effectively, and is a lightweight online detection method.

Description

A kind of online Traffic anomaly detection method and device
Technical field
The present invention relates to the field of computer technology, and in particular to an online traffic anomaly detection method and device.
Background technology
Software-defined networking (SDN) separates the data plane and the control plane of the network, providing a new approach for the research and development of new network applications and future Internet technologies. SDN is already widely used in network traffic management tasks such as traffic engineering, anomaly detection, traffic statistics and optimization.
However, work on applying SDN to anomaly detection is still at the research stage. Conventional approaches include: using the routing statistics in the controller and obtaining flow statistics from the different switches to analyze network load, and thereby building the traffic matrix of the whole network; or reading the flow statistics of the switches and then identifying hierarchical large flows with a purpose-designed data structure; or extracting from the flow statistics the six-tuples related to distributed denial-of-service attacks and reducing their dimensionality with a self-organizing map (SOM) neural network, so as to identify distributed denial-of-service attacks.
These methods still have the following defect: the traffic feature data they use are rather one-sided and aimed only at certain specific anomalies.
The content of the invention
Embodiments of the invention provide an online traffic anomaly detection method and device, to solve the technical problem in the prior art that the traffic feature data used when detecting traffic anomalies are rather one-sided and aimed only at certain specific anomalies.
In a first aspect, an embodiment of the invention provides an online traffic anomaly detection method, including:
installing flow entries in OpenFlow switches, the controller obtaining OpenFlow switch information in real time;
collecting flow statistics;
building the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from them building the flow combined-entropy matrix;
identifying anomalies using principal component analysis.
In a second aspect, an embodiment of the invention further provides an online traffic anomaly detection device, including:
a flow table installation module, for installing flow entries in OpenFlow switches, the controller obtaining OpenFlow switch information in real time;
a flow statistics collection module, for collecting flow statistics;
a matrix generation module, for building the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from them building the flow combined-entropy matrix;
an anomaly detection module, for identifying anomalies using principal component analysis.
The online traffic anomaly detection method and device provided by embodiments of the invention install flow entries in OpenFlow switches, with the controller obtaining OpenFlow switch information in real time; build the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from them the flow combined-entropy matrix; and identify anomalies using principal component analysis. The embodiments are simple to implement, detect online traffic anomalies effectively, and constitute a lightweight online detection method.
Brief description of the drawings
Fig. 1 is a flow diagram of an online traffic anomaly detection method provided by embodiment one of the invention;
Fig. 2 is a flow diagram of an online traffic anomaly detection method provided by embodiment two of the invention;
Fig. 3 is a flow diagram of an online traffic anomaly detection method provided by embodiment three of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the invention rather than the entire structure.
Embodiment one
Fig. 1 is a flow chart of an online traffic anomaly detection method provided by embodiment one of the invention. This embodiment is applicable to situations in which network traffic becomes anomalous, and the method can be performed by an online traffic anomaly detection device. It specifically includes the following steps:
Step 110: install flow entries in the OpenFlow switches; the controller obtains OpenFlow switch information in real time.
NOX is the earliest network operating system to implement controller functions. After an OpenFlow switch has registered successfully with NOX, NOX maintains the current network topology and installs flow entries in the OpenFlow switch according to the arriving packets. If only the traffic matrix is to be generated, the source and destination IP addresses in the flow entries can be set directly to subnets, which reduces the number of flow entries; to generate the sample entropy matrices of source and destination IP addresses, NOX must instead install flow entries according to the actual source and destination IP addresses.
Step 120: collect flow statistics.
A flow's counters include three statistics fields: the number of packets received, the number of bytes and the duration. Flow statistics are collected at a fixed time interval. If the period is too long, the delay in detecting and handling anomalous traffic also grows; if it is too short, the processing overhead of NOX and of the OpenFlow switches increases. Note also that if a flow entry is deleted (by the controller, by idle timeout or by hard timeout), the flow statistics obtained at the next collection will omit the statistics of that flow entry for the current period. To prevent this, a flow-removed trigger mechanism is added to this module: when a flow entry is deleted, its statistics are automatically sent to NOX, and the flow statistics collection module accumulates them into the flow statistics obtained at the next collection.
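The flow-removed accumulation of Step 120, as an added example in Python rather than code from the patent: a collector that differences the switch's cumulative per-entry counters poll by poll and folds the final counters of an entry deleted between polls into the next collection (the match keys and counter values are constructed; the duration field is left out).

```python
from collections import defaultdict

class FlowStatsCollector:
    """Per-period increments of OpenFlow flow counters, robust to entries deleted mid-period.

    A switch's per-entry counters (packets, bytes, duration) are cumulative since the entry was
    installed, so each periodic poll is differenced against the previous one. An entry deleted
    between two polls (by the controller, idle timeout or hard timeout) would otherwise lose its
    final increment; the flow-removed trigger banks that increment and the next collection adds it.
    Duration is left out here because it is not additive across a removal and a reinstall.
    """

    def __init__(self):
        self._last = {}                              # match -> (packets, bytes) at the previous poll
        self._banked = defaultdict(lambda: [0, 0])   # match -> increments reported by removed entries

    def on_flow_removed(self, match, packets, nbytes):
        """Trigger: the switch reports a deleted entry together with its final counters."""
        prev = self._last.pop(match, (0, 0))
        self._banked[match][0] += packets - prev[0]
        self._banked[match][1] += nbytes - prev[1]

    def collect(self, polled):
        """polled: {match: (packets, bytes)} read from the switch at this fixed-interval poll.
        Returns {match: (packet_increment, byte_increment)} for the period that just ended."""
        period = {}
        for match, (packets, nbytes) in polled.items():
            prev = self._last.get(match, (0, 0))      # unseen match: entry (re)installed this period
            period[match] = [packets - prev[0], nbytes - prev[1]]
        self._last = {m: tuple(v) for m, v in polled.items()}   # forget entries no longer present
        for match, (p, b) in self._banked.items():    # fold in what deleted entries counted
            cell = period.setdefault(match, [0, 0])
            cell[0] += p
            cell[1] += b
        self._banked.clear()                          # never count a removal twice
        return {m: tuple(v) for m, v in period.items()}

if __name__ == "__main__":
    # Constructed scenario: entry "h1->h2" polled twice, deleted by idle timeout with final
    # counters (230, 115000), then reinstalled and polled again showing only (20, 10000).
    c = FlowStatsCollector()
    c.collect({"h1->h2": (100, 50000)})
    print(c.collect({"h1->h2": (180, 90000)}))       # {'h1->h2': (80, 40000)}
    c.on_flow_removed("h1->h2", 230, 115000)
    print(c.collect({"h1->h2": (20, 10000)}))        # {'h1->h2': (70, 35000)}: 50+20, 25000+10000
```

Without the trigger, the third poll would see only the reinstalled entry's 20 packets and the 50 packets counted before the deletion would be lost for that period.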
Step 130: build the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from them build the flow combined-entropy matrix.
The data obtained by the flow statistics collection module are processed, and a traffic matrix or a sample entropy matrix is generated according to the chosen setting. Here, the traffic matrix refers to the traffic demand between all source node and destination node pairs in the network; depending on the type of network node, traffic matrices can be defined at the link level, the router level and the PoP level. Sample entropy is an index that characterizes the dispersion and concentration of a data set, i.e. the average information content of the data set; the sample entropy matrix is measured from the set of observation values of a given traffic feature at each node in the network. Suppose that, when traffic anomaly detection is performed, the sample entropy matrices of source IP addresses and destination IP addresses are combined into a combined entropy matrix; likewise, the traffic matrix and the combined entropy matrix are combined into a flow combined-entropy matrix, so that the detection results for different input data can be compared. To ensure the real-time effectiveness and lightweight overhead of the online processing mode of the online traffic anomaly detection method, the input traffic should be divided into a training phase and a detection phase: the matrix that initially enters the sliding window should be normal traffic, and the data of the newest detection phase are then added to the sliding window step by step.
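The matrix construction of Step 130, as an added Python example that is not the patent's own code: one period's flow counters become a row of traffic-matrix cells (bytes per source-subnet/destination-subnet pair) followed by the source- and destination-address entropies, and a sliding window is seeded with normal rows before detection-phase rows are appended. Byte-weighting of the entropy, the /24 aggregation and the sample flows are assumptions.

```python
import math
import ipaddress
from collections import Counter, deque

def entropy_bits(counts):
    """Shannon entropy (bits) of the empirical distribution behind a mapping of observation counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)

def subnet_of(ip, prefix=24):
    """Aggregate a host address to its /24, the subnet level the text allows for the traffic matrix."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def period_row(flows, subnets):
    """One row of the flow combined-entropy matrix for one collection period.

    flows   : iterable of (src_ip, dst_ip, byte_count) taken from the period's flow counters
    subnets : ordered list of /24 prefixes; the traffic matrix has one cell per (src, dst) pair
    Returns the traffic-matrix cells (row-major) followed by [H_src, H_dst], the entropies of
    the source- and destination-address distributions (weighted by bytes; an assumption).
    """
    volume, src_hist, dst_hist = Counter(), Counter(), Counter()
    for src, dst, nbytes in flows:
        volume[(subnet_of(src), subnet_of(dst))] += nbytes   # traffic matrix cell
        src_hist[src] += nbytes                               # per-host observations for entropy
        dst_hist[dst] += nbytes
    traffic_cells = [volume[(s, d)] for s in subnets for d in subnets]
    combined_entropy = [entropy_bits(src_hist), entropy_bits(dst_hist)]
    return traffic_cells + combined_entropy

class SlidingWindow:
    """Input matrix for the detector: seeded with normal (training) rows, then each newly
    collected detection-phase row slides in and the oldest row slides out."""

    def __init__(self, training_rows, size):
        if len(training_rows) > size:
            raise ValueError("training rows exceed the sliding window size")
        self.rows = deque(training_rows, maxlen=size)

    def push(self, row):
        self.rows.append(row)
        return self.matrix()

    def matrix(self):
        return [list(r) for r in self.rows]

# Constructed sample: one period in which four hosts in 10.0.1.0/24 each send 100 bytes to the
# same server in 10.0.2.0/24 (sources evenly spread, a single destination).
SAMPLE_FLOWS = [(f"10.0.1.{h}", "10.0.2.9", 100) for h in range(1, 5)]
SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]

if __name__ == "__main__":
    print(period_row(SAMPLE_FLOWS, SUBNETS))   # [0, 400, 0, 0, 2.0, 0.0]
```

A scan from many sources to one target raises H_src while H_dst stays low, which is the kind of shift the combined entropy columns expose even when the traffic-matrix cells barely move.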
Step 140: identify anomalies using principal component analysis.
The input traffic matrix is examined by principal component analysis to check for traffic anomalies in it.
In this embodiment, flow entries are installed in the OpenFlow switches and the controller obtains OpenFlow switch information in real time; the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses are built, and from them the flow combined-entropy matrix; and anomalies are identified using principal component analysis. The embodiment is simple to implement, detects online traffic anomalies effectively, and is a lightweight online detection method.
Embodiment two
Fig. 2 is a flow diagram of an online traffic anomaly detection method provided by embodiment two of the invention. This embodiment is optimized on the basis of the above embodiment; here, identifying anomalies using principal component analysis is specifically refined to: processing the traffic matrix or the flow combined-entropy matrix, and setting a threshold to judge whether anomalous traffic is detected.
Accordingly, the online traffic anomaly detection method provided by this embodiment specifically includes:
Step 210: install flow entries in the OpenFlow switches; the controller obtains OpenFlow switch information in real time.
Step 220: collect flow statistics.
Step 230: build the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from them build the flow combined-entropy matrix.
Step 240: process the traffic matrix or the flow combined-entropy matrix, and set a threshold to judge whether anomalous traffic is detected.
Traffic anomaly detection based on principal component analysis is divided into two main steps: subspace construction and threshold detection.
For an input traffic matrix X (the flow sample entropy matrix is handled in the same way), principal component analysis is used to take the first k principal components such that the cumulative contribution rate exceeds 90%; the first k principal component eigenvectors then form the subspace S1, and the remaining p-k principal component eigenvectors form another subspace S2. Once S1 and S2 have been built, the matrix X is projected onto these two subspaces. Taking the measurement vector of the matrix at a given instant, that measurement vector is composed of a model vector and a residual vector. After the data vector obtained for a cycle has been processed, if a network anomaly occurred in that measurement period, its value in the residual traffic differs from the residual traffic value of measurement periods in which no network anomaly occurred, because residual traffic is mainly caused by various anomalous behaviors. Therefore, whether the network traffic is normal can be detected by setting a threshold.
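The subspace construction and threshold detection just described (Step 240 and the two steps named above it), as an added Python example that is not the patent's own code: eigenvectors of the window's covariance are found with a pure-Python Jacobi routine, the first k carrying more than 90% of the variance form S1, and a period is flagged when the squared norm of its residual (its S2 part) exceeds a threshold. The training rows are constructed, and the threshold rule (a margin over the largest training residual) is an assumption, since the text only says a threshold is set.

```python
import math

def symmetric_eig(a, sweeps=100, tol=1e-12):
    """Eigen-decomposition of a symmetric matrix by cyclic Jacobi rotations (no numpy needed).
    Returns (eigenvalues, eigenvectors), eigenvalues descending, eigenvectors[i] matching eigenvalues[i]."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                     # A <- A J   (rotate columns p, q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                     # A <- J^T A (rotate rows p, q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):                     # V <- V J   (accumulate eigenvectors)
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    order = sorted(range(n), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[k][i] for k in range(n)] for i in order]

class PcaSubspaceDetector:
    """S1/S2 construction on a window of normal rows (period x feature), then residual thresholding."""

    def __init__(self, X, contribution=0.90, margin=2.0):
        n, p = len(X), len(X[0])
        self.mean = [sum(r[j] for r in X) / n for j in range(p)]
        Xc = [[r[j] - self.mean[j] for j in range(p)] for r in X]
        cov = [[sum(r[i] * r[j] for r in Xc) / (n - 1) for j in range(p)] for i in range(p)]
        evals, evecs = symmetric_eig(cov)
        total = sum(evals)
        self.k, acc = 0, 0.0
        while self.k < p and acc <= contribution * total:   # smallest k with cumulative rate > 90%
            acc += evals[self.k]
            self.k += 1
        self.S1 = evecs[:self.k]            # normal subspace; evecs[self.k:] span the residual S2
        # Threshold rule is an assumption: margin times the largest residual in the normal window.
        self.threshold = margin * max(self.spe(r) for r in X)

    def spe(self, x):
        """Squared prediction error: squared norm of the residual part of x (its projection on S2)."""
        y = [x[j] - self.mean[j] for j in range(len(x))]
        model = [0.0] * len(y)
        for vec in self.S1:                 # model vector = projection of y onto S1
            coef = sum(a * b for a, b in zip(vec, y))
            model = [m + coef * e for m, e in zip(model, vec)]
        return sum((yi - mi) ** 2 for yi, mi in zip(y, model))   # residual vector = y - model

    def is_anomalous(self, x):
        return self.spe(x) > self.threshold

# Constructed training window: six normal periods, five features (e.g. traffic-matrix cells),
# two underlying traffic patterns plus small noise, so the 90% rule should keep k = 2 components.
TRAINING = [
    [28.3, 15.8, 24.1, 32.0, 35.9], [11.9, 24.2, 36.0, 48.3, 59.8], [8.0, 16.1, 23.7, 32.2, 40.1],
    [32.2, 24.0, 36.1, 47.8, 56.3], [27.8, 15.9, 24.2, 32.1, 36.0], [12.1, 24.3, 35.9, 47.9, 59.8],
]

if __name__ == "__main__":
    det = PcaSubspaceDetector(TRAINING)
    print("normal period :", det.is_anomalous([20, 20, 30, 40, 48]))   # False
    print("burst period  :", det.is_anomalous([20, 20, 30, 40, 108]))  # True: residual far above threshold
```

The burst row differs from a normal period only in one feature, yet most of that difference lies outside S1, so it lands in the residual traffic and trips the threshold, while a normal period's residual stays at noise level.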
After traffic anomaly detection is completed, the detected anomalous traffic must also be handled; specifically, the corresponding flow entries on the OpenFlow switches at the nodes the flow traverses can be modified so that the anomalous data flow is dropped.
This embodiment refines identifying anomalies using principal component analysis into: processing the traffic matrix or the flow combined-entropy matrix, and setting a threshold to judge whether anomalous traffic is detected; it analyzes the anomaly detection process in concrete terms.
Embodiment three
Fig. 3 is a structural diagram of an online traffic anomaly detection device provided by embodiment three of the invention. As shown in Fig. 3, the device includes:
a flow table installation module 310, for installing flow entries in OpenFlow switches, the controller obtaining OpenFlow switch information in real time;
a flow statistics collection module 320, for collecting flow statistics;
a matrix generation module 330, for building the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from them building the flow combined-entropy matrix;
an anomaly detection module 340, for identifying anomalies using principal component analysis.
The online traffic anomaly detection device provided by this embodiment is simple to implement and detects online traffic anomalies effectively.
Further, the device also includes:
an ARP message processing module, for, after an ARP message is received, the OpenFlow switch forwarding it to the controller.
Further, the device also includes:
a flow isolation module, for modifying the corresponding flow entries on the OpenFlow switches at the nodes the flow traverses, so that the anomalous data flow is dropped.
Further, the device also includes:
an anomaly detection module, for processing the traffic matrix or the flow combined-entropy matrix, and setting a threshold to judge whether anomalous traffic is detected.
The online traffic anomaly detection device provided by the embodiment of the invention can perform the online traffic anomaly detection method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to performing that method.
Note that the above are only preferred embodiments of the invention and the technical principles applied. Those skilled in the art will understand that the invention is not limited to the specific embodiments described here; various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the scope of protection of the invention. Therefore, although the invention has been described in further detail through the above embodiments, it is not limited to those embodiments and may include other equivalent embodiments without departing from the inventive concept; the scope of the invention is determined by the scope of the appended claims.

Claims (8)

  1. An online traffic anomaly detection method, characterized by including:
    installing flow entries in OpenFlow switches, the controller obtaining OpenFlow switch information in real time;
    collecting flow statistics;
    building the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from them building the flow combined-entropy matrix;
    identifying anomalies using principal component analysis.
  2. The method according to claim 1, characterized in that, before installing flow entries in the OpenFlow switches, it further includes: after an ARP message is received, the OpenFlow switch forwards it to the controller.
  3. The method according to claim 1, characterized in that, after identifying anomalies, it further includes:
    modifying the corresponding flow entries on the OpenFlow switches at the nodes the flow traverses, so that the anomalous data flow is dropped.
  4. The method according to claim 1, characterized in that identifying anomalies using principal component analysis includes:
    processing the traffic matrix or the flow combined-entropy matrix, and setting a threshold to judge whether anomalous traffic is detected.
  5. An online traffic anomaly detection device, characterized by including:
    a flow table installation module, for installing flow entries in OpenFlow switches, the controller obtaining OpenFlow switch information in real time;
    a flow statistics collection module, for collecting flow statistics;
    a matrix generation module, for building the traffic matrix of the whole network and the combined entropy matrix of source and destination addresses, and from them building the flow combined-entropy matrix;
    an anomaly detection module, for identifying anomalies using principal component analysis.
  6. The device according to claim 5, characterized in that the device further includes:
    an ARP message processing module, for, after an ARP message is received, the OpenFlow switch forwarding it to the controller.
  7. The device according to claim 5, characterized in that the device further includes:
    a flow isolation module, for modifying the corresponding flow entries on the OpenFlow switches at the nodes the flow traverses, so that the anomalous data flow is dropped.
  8. The device according to claim 5, characterized in that the device further includes:
    an anomaly detection module, for processing the traffic matrix or the flow combined-entropy matrix, and setting a threshold to judge whether anomalous traffic is detected.
Application CN201711172399.1A, priority date 2017-11-22, filing date 2017-11-22, title "A kind of online Traffic anomaly detection method and device", status Withdrawn, publication CN107682377A (en)


Publications (1)

Publication Number: CN107682377A (en), Publication Date: 2018-02-09

Family

ID=61149157


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109274673A (en) * 2018-09-26 2019-01-25 广东工业大学 Network traffic anomaly detection and defense method
CN115086186A (en) * 2022-06-28 2022-09-20 清华大学 Method and device for generating data center network traffic demand data

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106302021A (en) * 2016-08-18 2017-01-04 清华大学深圳研究生院 A network flow forwarding anomaly detection method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
左青云 et al.: "An online traffic anomaly detection method based on SDN", Journal of Xidian University *



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20180209