CN107682377A - A kind of online Traffic anomaly detection method and device - Google Patents
- Publication number: CN107682377A
- Application number: CN201711172399.1A
- Authority: CN (China)
- Prior art keywords
- flow
- matrix
- abnormal
- openflow
- traffic
- Legal status: Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention discloses an online traffic anomaly detection method and device. The method includes: installing flow table entries in OpenFlow switches, with the controller obtaining OpenFlow switch information in real time; collecting flow statistics; building the traffic matrix of the whole network and the combined entropy matrix for source addresses and destination addresses, and from them the traffic combined entropy matrix; and identifying anomalies using principal component analysis. The embodiment is simple to implement, detects online traffic anomalies effectively, and is a lightweight online detection method.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an online traffic anomaly detection method and device.
Background technology
Software-defined networking separates the data plane and the control plane of the network, providing a new way to develop new network applications and future Internet technologies. At present, software-defined networking is widely used for network traffic management work such as traffic engineering, anomaly detection, traffic statistics and optimization.
However, work applying software-defined networking to anomaly detection is still at the research stage. Conventional methods use the routing statistics in the controller, collecting flow statistics from the different switches to analyze network load problems and thereby build the traffic matrix of the whole network. Alternatively, after the flow statistics of the switches are read, a data structure is designed to identify hierarchical high-volume flows. Or the six-tuple related to distributed denial-of-service attacks is extracted from the flow statistics and reduced in dimension with the artificial neural network SOM (Self-Organizing Maps), so as to identify distributed denial-of-service attacks.
These methods still have the following defect: the traffic feature data they use is narrow, and each targets only a certain specific anomaly.
The content of the invention
The embodiments of the invention provide an online traffic anomaly detection method and device, to solve the technical problem in the prior art that the traffic feature data used when detecting traffic anomalies is narrow and targets only a certain specific anomaly.
In a first aspect, the embodiments of the invention provide an online traffic anomaly detection method, including:
installing flow table entries in OpenFlow switches, with the controller obtaining OpenFlow switch information in real time;
collecting flow statistics;
building the traffic matrix of the whole network and the combined entropy matrix for source addresses and destination addresses, and from them the traffic combined entropy matrix;
identifying anomalies using principal component analysis.
In a second aspect, the embodiments of the present invention further provide an online traffic anomaly detection device, including:
a flow table installation module, used to install flow table entries in OpenFlow switches, the controller obtaining OpenFlow switch information in real time;
a flow statistics collection module, used to collect flow statistics;
a matrix generation module, which builds the traffic matrix of the whole network and the combined entropy matrix for source addresses and destination addresses, and from them the traffic combined entropy matrix;
an anomaly detection module, which identifies anomalies using principal component analysis.
In the online traffic anomaly detection method and device provided by the embodiments of the present invention, flow table entries are installed in OpenFlow switches and the controller obtains OpenFlow switch information in real time; the traffic matrix of the whole network and the combined entropy matrix for source and destination addresses are built, and from them the traffic combined entropy matrix; and anomalies are identified using principal component analysis. The embodiments of the present invention are simple to implement, detect online traffic anomalies effectively, and constitute a lightweight online detection method.
Brief description of the drawings
Fig. 1 is a schematic flow chart of an online traffic anomaly detection method provided by embodiment one of the present invention;
Fig. 2 is a schematic flow chart of an online traffic anomaly detection method provided by embodiment two of the present invention;
Fig. 3 is a schematic flow chart of an online traffic anomaly detection method provided by embodiment three of the present invention.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It will be understood that the specific embodiments described here serve only to explain the present invention and do not limit it. It should also be noted that, for convenience of description, the drawings show only the parts related to the present invention rather than the entire structure.
Embodiment one
Fig. 1 is a flow chart of an online traffic anomaly detection method provided by embodiment one of the present invention. This embodiment applies to situations in which network traffic becomes abnormal, and the method can be performed by an online traffic anomaly detection device. It specifically includes the following steps:
Step 110: install flow table entries in the OpenFlow switches; the controller obtains OpenFlow switch information in real time.
NOX is the earliest network operating system to implement controller functions. After an OpenFlow switch has registered with NOX, NOX maintains the current network topology and installs flow table entries into the OpenFlow switches according to the packets that arrive. If only the traffic matrix is to be generated, the source IP and destination IP addresses in the flow table entries can be set directly to subnets, which reduces the number of flow table entries; to generate the sample entropy matrices of source IP addresses and destination IP addresses, NOX needs to install flow table entries according to the actual source and destination IP addresses.
Step 120: collect flow statistics.
The counters of a flow include three statistical fields: the number of packets received, the number of bytes, and the duration. Flow statistics are collected at a fixed time interval. If the period is too long, the delay in detecting and handling abnormal traffic is also long; if it is too short, the processing overhead of NOX and the OpenFlow switches increases. It should further be noted that if a flow table entry is deleted (by the controller, by soft timeout or by hard timeout), the flow statistics obtained at the next collection will omit the statistics of the deleted entry for this period. To prevent this, a flow-removal trigger mechanism is added to this module: when a flow table entry is deleted, the switch automatically sends its statistics to NOX, and the flow statistics collection module accumulates that data into the flow statistics obtained at the next collection.
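The flow-removal trigger of Step 120, as an added example that is not the patent's code: a collector that differences the cumulative OpenFlow counters per polling period and credits the final counters reported when an entry is removed (soft timeout, hard timeout or controller delete) to the next collection, next to a naive collector that loses them. Flow keys and counter values are constructed.

```python
from collections import defaultdict


class FlowStatsCollector:
    """Turns cumulative OpenFlow flow counters into per-period volumes.

    A periodic stats reply reports, for each live flow entry, counters that are
    cumulative since the entry was installed, so the volume of one collection
    period is the difference from the previous reply. An entry deleted between
    two polls (controller delete, soft timeout or hard timeout) is absent from
    the next reply, and its traffic since the last poll would be lost. The
    flow-removed notification carries the entry's final counters; they are
    banked here and merged into the next collection.
    """

    def __init__(self):
        self._last = {}                                  # key -> (pkts, bytes) at last poll
        self._removed = defaultdict(lambda: [0, 0])      # key -> banked (dpkts, dbytes)

    def on_flow_removed(self, key, packets, nbytes):
        """Flow-removed event with the entry's final cumulative counters."""
        last_p, last_b = self._last.pop(key, (0, 0))     # forget it: a reinstall restarts at 0
        self._removed[key][0] += packets - last_p
        self._removed[key][1] += nbytes - last_b

    def collect(self, stats_reply):
        """stats_reply: {key: (cumulative packets, cumulative bytes)} of live entries.
        Returns {key: (packets, bytes)} carried during the period just ended."""
        period = {}
        for key, (p, b) in stats_reply.items():
            last_p, last_b = self._last.get(key, (0, 0))
            period[key] = (p - last_p, b - last_b)
            self._last[key] = (p, b)
        for key, (dp, db) in self._removed.items():      # credit entries removed since last poll
            p0, b0 = period.get(key, (0, 0))
            period[key] = (p0 + dp, b0 + db)
        self._removed.clear()
        return period


def naive_collect(last_reply, stats_reply):
    """Collector without the removal trigger, for comparison: removed entries vanish."""
    return {k: (p - last_reply.get(k, (0, 0))[0], b - last_reply.get(k, (0, 0))[1])
            for k, (p, b) in stats_reply.items()}


def demo():
    """Constructed scenario: flow B times out between poll 1 and poll 2, then is reinstalled."""
    a = ("10.0.1.0/24", "10.0.2.0/24")                  # subnet-level keys, as in Step 110
    b = ("10.0.2.0/24", "10.0.1.0/24")
    c = FlowStatsCollector()
    poll1 = {a: (10, 1000), b: (5, 500)}
    c.collect(poll1)
    c.on_flow_removed(b, 8, 800)                         # soft timeout: final 8 pkts / 800 bytes
    poll2 = {a: (25, 2500)}                              # B is gone from the reply
    with_trigger = c.collect(poll2)
    without_trigger = naive_collect(poll1, poll2)
    poll3 = {a: (30, 3000), b: (2, 200)}                 # B reinstalled, counters restart at 0
    after_reinstall = c.collect(poll3)
    return with_trigger, without_trigger, after_reinstall
```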
Step 130: build the traffic matrix of the whole network and the combined entropy matrix for source addresses and destination addresses, and from them the traffic combined entropy matrix.
The data obtained by the flow statistics collection module is processed, and the traffic matrix or the sample entropy matrix is generated depending on the configuration. The traffic matrix describes the traffic demand between all source node and destination node pairs in the network; depending on the type of network node, it can be defined at link level, route level or PoP level. Sample entropy is an index used to characterize the dispersion and concentration of a data set, i.e. the average information content of the data set, and the sample entropy matrix is measured from the set of observations of a certain traffic feature at each node in the network. When performing traffic anomaly detection, the sample entropy matrices of source IP addresses and destination IP addresses are combined into a combined entropy matrix; likewise, the traffic matrix and the combined entropy matrix are combined into a traffic combined entropy matrix, so that the detection results on the different input data can be compared. To guarantee the real-time effectiveness and lightweight overhead of the online processing mode of the online traffic anomaly detection method, the input traffic is divided into a training phase and a detection phase: the matrix that initially enters the sliding window should be normal traffic, and the data of the latest detection phase is then gradually added to the sliding window.
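The three matrices of Step 130 and the sliding window, as an added example that is not from the patent: per-period flow records are aggregated into a subnet-level traffic matrix row and into source/destination IP entropies (Shannon entropy of the byte distribution stands in for the text's "sample entropy", an assumption), the rows are concatenated into the traffic combined entropy matrix, and a sliding window takes the normal training rows first. All flows are constructed.

```python
import math
import ipaddress
from collections import Counter


def entropy(counts):
    """Shannon entropy (bits) of a byte distribution over addresses; used here
    as the text's 'sample entropy' (an assumption about the measure)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def subnet_of(ip, prefix):
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def period_features(flows, od_pairs, prefix=24):
    """flows: one period's [(src_ip, dst_ip, bytes)] from host-level flow entries.
    Returns the traffic matrix row (bytes per subnet-level OD pair) and the
    combined entropy row [H(source IP), H(destination IP)]."""
    od, src, dst = Counter(), Counter(), Counter()
    for s, d, nbytes in flows:
        od[(subnet_of(s, prefix), subnet_of(d, prefix))] += nbytes
        src[s] += nbytes
        dst[d] += nbytes
    return [float(od[pair]) for pair in od_pairs], [entropy(src), entropy(dst)]


class SlidingWindow:
    """Rows pushed first (training phase) must be normal traffic; detection-phase
    rows are then pushed one at a time and the oldest row drops out."""

    def __init__(self, size):
        self.size, self.rows = size, []

    def push(self, row):
        self.rows.append(list(row))
        if len(self.rows) > self.size:
            self.rows.pop(0)

    def matrix(self):
        return [list(r) for r in self.rows]


def demo():
    """Constructed flows: three normal periods of client/server exchange, then a
    period in which eight clients all send to one server with no reply traffic."""
    od_pairs = [("10.0.1.0/24", "10.0.2.0/24"), ("10.0.2.0/24", "10.0.1.0/24")]
    server = "10.0.2.10"
    clients = [f"10.0.1.{i}" for i in range(1, 5)]
    normal = [(c, server, 250) for c in clients] + [(server, c, 250) for c in clients]
    skewed = [(f"10.0.1.{i}", server, 125) for i in range(1, 9)]
    traffic, entropies, combined = SlidingWindow(3), SlidingWindow(3), SlidingWindow(3)
    for flows in [normal, normal, normal, skewed]:
        t_row, e_row = period_features(flows, od_pairs)
        traffic.push(t_row)                 # traffic matrix
        entropies.push(e_row)               # combined entropy matrix
        combined.push(t_row + e_row)        # traffic combined entropy matrix
    return traffic.matrix(), entropies.matrix(), combined.matrix()
```

In the skewed period the forward OD volume is unchanged while source entropy rises and destination entropy collapses, which is what the entropy matrix adds over the traffic matrix alone.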
Step 140: identify anomalies using principal component analysis.
The input traffic matrix is analyzed by principal component analysis to check for traffic anomalies in it.
In the present embodiment, flow table entries are installed in OpenFlow switches and the controller obtains OpenFlow switch information in real time; the traffic matrix of the whole network and the combined entropy matrix for source and destination addresses are built, and from them the traffic combined entropy matrix; and anomalies are identified using principal component analysis. The embodiment of the present invention is simple to implement, detects online traffic anomalies effectively, and is a lightweight online detection method.
Embodiment two
Fig. 2 is a schematic flow chart of an online traffic anomaly detection method provided by embodiment two of the present invention. This embodiment is an optimization of the embodiment above: the step of identifying anomalies using principal component analysis is specifically refined into processing the traffic matrix or the traffic combined entropy matrix and setting a threshold to decide whether abnormal traffic has been detected.
Accordingly, the online traffic anomaly detection method provided by this embodiment specifically includes:
Step 210: install flow table entries in the OpenFlow switches; the controller obtains OpenFlow switch information in real time.
Step 220: collect flow statistics.
Step 230: build the traffic matrix of the whole network and the combined entropy matrix for source addresses and destination addresses, and from them the traffic combined entropy matrix.
Step 240: process the traffic matrix or the traffic combined entropy matrix, and set a threshold to decide whether abnormal traffic has been detected.
Traffic anomaly detection based on principal component analysis is divided into two main steps: subspace construction and threshold testing.
For the input traffic matrix X (the method for the traffic sample entropy matrix is similar), principal component analysis is used to take the first k principal component eigenvalues such that the cumulative contribution rate exceeds 90%; the first k principal component eigenvectors then form the subspace S1, and the remaining p-k principal component eigenvectors form another subspace S2. After S1 and S2 are built, the matrix X is projected onto these two subspaces. Take the measurement vector of the matrix at a certain moment; this measurement vector is composed of a model vector and a residual vector. After the data vector obtained for a period has been processed, if a network anomaly occurred in this measurement period, the value of its residual traffic differs from the residual traffic values of measurement periods in which no network anomaly occurred, because the residual traffic is mainly caused by various abnormal behaviours. Therefore, whether the network traffic is normal can be detected by setting a threshold.
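The subspace construction and threshold test described above, as an added example that is not from the patent: pure-Python PCA by power iteration with deflation, k chosen by the 90% cumulative contribution rule, a measurement split into its model part (projection on S1) and residual part (projection on S2), and the squared residual compared with a threshold. The training rows and the mean-plus-three-standard-deviations threshold rule are constructed assumptions; the text only says a threshold is set.

```python
import math
import random

def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def covariance(rows):
    """Column means and sample covariance of the training window (rows = periods)."""
    n, p = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(p)]
    c = [[r[j] - mean[j] for j in range(p)] for r in rows]
    return mean, [[sum(r[i] * r[j] for r in c) / (n - 1) for j in range(p)] for i in range(p)]

def leading_components(cov, contribution=0.9, iters=500):
    """Top eigenvectors of cov by power iteration with deflation, stopping once their
    eigenvalues reach `contribution` of the total variance (the trace of cov)."""
    p = len(cov)
    total = sum(cov[i][i] for i in range(p))
    m = [row[:] for row in cov]
    vecs, vals = [], []
    while sum(vals) < contribution * total and len(vecs) < p:
        v = [(1.0 + i) / math.sqrt(sum((1.0 + j) ** 2 for j in range(p))) for i in range(p)]
        for _ in range(iters):
            w = [_dot(row, v) for row in m]
            nw = math.sqrt(_dot(w, w))
            if nw < 1e-12:
                break
            w = [x / nw for x in w]
            dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(w, v)))
            v = w
            if dist < 1e-12:
                break
        lam = _dot(v, [_dot(row, v) for row in m])      # Rayleigh quotient = eigenvalue
        vecs.append(v)
        vals.append(lam)
        m = [[m[i][j] - lam * v[i] * v[j] for j in range(p)] for i in range(p)]  # deflate
    return vecs, vals

class SubspaceDetector:
    """S1 = span of the first k eigenvectors (model part), S2 = its complement (residual)."""

    def fit(self, rows, contribution=0.9):
        self.mean, cov = covariance(rows)
        self.basis, _ = leading_components(cov, contribution)
        self.k = len(self.basis)
        spes = [self.residual_energy(r) for r in rows]
        mu = sum(spes) / len(spes)
        sd = math.sqrt(sum((s - mu) ** 2 for s in spes) / len(spes))
        self.threshold = mu + 3 * sd    # assumed rule; the text only says a threshold is set
        return self

    def decompose(self, x):
        c = [xi - mi for xi, mi in zip(x, self.mean)]
        model = [0.0] * len(c)
        for v in self.basis:                           # projection onto S1
            coef = _dot(c, v)
            model = [mj + coef * vj for mj, vj in zip(model, v)]
        return model, [ci - mi for ci, mi in zip(c, model)]

    def residual_energy(self, x):
        residual = self.decompose(x)[1]                # projection onto S2
        return _dot(residual, residual)

    def is_anomalous(self, x):
        return self.residual_energy(x) > self.threshold

def demo():
    """Constructed matrix: 20 normal periods whose four OD-pair volumes scale one shared
    pattern (so one component explains over 90% of the variance), then two test rows."""
    rng = random.Random(7)
    pattern = [3.0, 2.0, 1.0, 4.0]
    train = [[a * w + rng.uniform(-0.1, 0.1) for w in pattern] for a in range(20)]
    det = SubspaceDetector().fit(train)
    normal = [7 * w for w in pattern]
    spike = normal[:]
    spike[0] += 10.0                                   # one OD pair surges away from the pattern
    return det.k, det.is_anomalous(normal), det.is_anomalous(spike)
```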
After traffic anomaly detection is completed, the abnormal traffic that was detected also needs to be handled; specifically, the corresponding flow table entries on the OpenFlow switch at the destination of the flow can be modified so that the abnormal data flow is dropped.
In this embodiment, the step of identifying anomalies using principal component analysis is specifically refined into processing the traffic matrix or the traffic combined entropy matrix and setting a threshold to decide whether abnormal traffic has been detected, and the anomaly detection process is analyzed concretely.
Embodiment three
Fig. 3 is a schematic structural diagram of an online traffic anomaly detection device provided by embodiment three of the present invention. As shown in Fig. 3, the device includes:
a flow table installation module 310, used to install flow table entries in the OpenFlow switches, the controller obtaining OpenFlow switch information in real time;
a flow statistics collection module 320, used to collect flow statistics;
a matrix generation module 330, which builds the traffic matrix of the whole network and the combined entropy matrix for source addresses and destination addresses, and from them the traffic combined entropy matrix;
an anomaly detection module 340, which identifies anomalies using principal component analysis.
The online traffic anomaly detection device provided by this embodiment is simple to implement and detects online traffic anomalies effectively.
Further, the device also includes:
an ARP message processing module, used so that, after an ARP message is received, the OpenFlow switch forwards it to the controller.
Further, the device also includes:
a traffic isolation module, used to modify the corresponding flow table entries on the OpenFlow switch at the destination of the flow so that the abnormal data flow is dropped.
Further, the device also includes:
an anomaly detection module, used to process the traffic matrix or the traffic combined entropy matrix and to set a threshold to decide whether abnormal traffic has been detected.
The online traffic anomaly detection device provided by the embodiments of the present invention can perform the online traffic anomaly detection method provided by any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to performing that method.
Note that the above are only preferred embodiments of the present invention and the technical principles applied. Those skilled in the art will appreciate that the invention is not limited to the specific embodiments described here, and that various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the scope of protection of the present invention. Therefore, although the present invention has been described in further detail through the above embodiments, it is not limited to the above embodiments; without departing from the inventive concept, it may also include other equivalent embodiments, and the scope of the present invention is determined by the scope of the appended claims.
Claims (8)
- 1. An online traffic anomaly detection method, characterized in that it includes: installing flow table entries in OpenFlow switches, with the controller obtaining OpenFlow switch information in real time; collecting flow statistics; building the traffic matrix of the whole network and the combined entropy matrix for source addresses and destination addresses, and from them the traffic combined entropy matrix; and identifying anomalies using principal component analysis.
- 2. The method according to claim 1, characterized in that, before flow table entries are installed in the OpenFlow switches, it further includes: after an ARP message is received, the OpenFlow switch forwards it to the controller.
- 3. The method according to claim 1, characterized in that, after the anomaly is identified, it further includes: modifying the corresponding flow table entries on the OpenFlow switch at the destination of the flow so that the abnormal data flow is dropped.
- 4. The method according to claim 1, characterized in that identifying anomalies using principal component analysis includes: processing the traffic matrix or the traffic combined entropy matrix, and setting a threshold to decide whether abnormal traffic has been detected.
- 5. An online traffic anomaly detection device, characterized in that it includes: a flow table installation module, used to install flow table entries in OpenFlow switches, the controller obtaining OpenFlow switch information in real time; a flow statistics collection module, used to collect flow statistics; a matrix generation module, which builds the traffic matrix of the whole network and the combined entropy matrix for source addresses and destination addresses, and from them the traffic combined entropy matrix; and an anomaly detection module, which identifies anomalies using principal component analysis.
- 6. The device according to claim 5, characterized in that the device further includes: an ARP message processing module, used so that, after an ARP message is received, the OpenFlow switch forwards it to the controller.
- 7. The device according to claim 5, characterized in that the device further includes: a traffic isolation module, used to modify the corresponding flow table entries on the OpenFlow switch at the destination of the flow so that the abnormal data flow is dropped.
- 8. The device according to claim 5, characterized in that the device further includes: an anomaly detection module, used to process the traffic matrix or the traffic combined entropy matrix and to set a threshold to decide whether abnormal traffic has been detected.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711172399.1A CN107682377A (en) | 2017-11-22 | 2017-11-22 | A kind of online Traffic anomaly detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107682377A true CN107682377A (en) | 2018-02-09 |
Family
ID=61149157
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711172399.1A Withdrawn CN107682377A (en) | 2017-11-22 | 2017-11-22 | A kind of online Traffic anomaly detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107682377A (en) |
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106302021A (en) * | 2016-08-18 | 2017-01-04 | 清华大学深圳研究生院 | A kind of network flow forwards method for detecting abnormality |
Non-Patent Citations (1)
Title |
---|
左青云等: "一种基于SDN的在线流量异常检测方法", 《西安电子科技大学学报》 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109274673A (en) * | 2018-09-26 | 2019-01-25 | 广东工业大学 | A kind of detection of exception of network traffic and defence method |
CN109274673B (en) * | 2018-09-26 | 2021-02-12 | 广东工业大学 | Network flow abnormity detection and defense method |
CN115086186A (en) * | 2022-06-28 | 2022-09-20 | 清华大学 | Method and device for generating data center network flow demand data |
CN115086186B (en) * | 2022-06-28 | 2024-06-04 | 清华大学 | Method and device for generating network flow demand data of data center |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2018-02-09 | PB01 | Publication | Application publication date: 20180209 |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | |