CN107733721A - A kind of network anomaly detection method and device - Google Patents
Publication number: CN107733721A (application number CN201711113098.1A)
Authority: CN (China)
Prior art keywords: network, abnormal, stream, note, stream mode
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All entries fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L41/0213: Standardised network management protocols, e.g. simple network management protocol [SNMP] (under H04L41/00, Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/02, Standardisation; Integration)
- H04L41/14: Network analysis or design (under H04L41/00)
- H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (under H04L43/00, Arrangements for monitoring or testing data switching networks)
- H04L43/50: Testing arrangements (under H04L43/00)
Abstract
This application discloses a network anomaly detection method and device, applied to a network device. The method includes: collecting network flows of the NetFlow protocol and of the sFlow protocol respectively; extracting a number of fields from each of the collected NetFlow network flows and sFlow network flows, fusing the extracted fields, and generating network flows in a preset format; and performing multi-dimensional anomaly detection on the network flows in the preset format. The application can improve the comprehensiveness of network anomaly detection.
Description
Technical field
This application relates to the field of computers, and in particular to a network anomaly detection method and device.
Background technology
In the prior art, in order to implement network anomaly detection, a user typically collects network flows based on the SNMP protocol and records the related information of the collected network flows; when the related information of a network flow is detected to fall within a user-preset range, that network flow can be determined to be an abnormal network flow.
However, in practical applications, the related information that network flows collected via the SNMP protocol can provide is relatively limited and cannot offer more comprehensive information, which leads to the problem that subsequent network anomaly detection is incomplete.
Summary of the invention
This application provides a network anomaly detection method, applied to a network device, including:
collecting network flows of the NetFlow protocol and of the sFlow protocol respectively;
extracting a number of fields from each of the collected NetFlow network flows and sFlow network flows, fusing the fields extracted from each, and generating network flows in a preset format;
performing multi-dimensional anomaly detection on the network flows in the preset format.
Optionally, the multi-dimensional anomaly detection includes network abnormal state detection, and performing multi-dimensional anomaly detection on the network flows in the preset format includes:
calculating the network normality indicator value of a network flow in the preset format;
determining whether the network normality indicator value is greater than a preset threshold;
if so, determining that the network flow in the preset format is an abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal single-flow detection, and the method further includes:
extracting abnormal features from the abnormal network flow;
matching the extracted abnormal features against the abnormal feature samples in a preset abnormal feature library, where the abnormal feature samples in the abnormal feature library are labelled with corresponding anomaly types;
when an extracted abnormal feature matches any abnormal feature sample in the abnormal feature library, determining the anomaly type corresponding to that abnormal feature sample to be the anomaly type of the abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal flow pattern detection, and the method further includes:
analysing the abnormal flow pattern of the abnormal network flows;
matching the analysed abnormal flow pattern against the abnormal flow pattern samples in a preset abnormal pattern library, where the abnormal flow pattern samples in the abnormal pattern library are labelled with corresponding anomaly types;
when the analysed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, determining the anomaly type corresponding to that abnormal flow pattern sample to be the anomaly type of the abnormal network flows.
Optionally, analysing the abnormal flow pattern of the abnormal network flows includes:
aggregating data tables separately based on a number of preset indicators, where each data table includes a number of indicators;
when it is detected that a specific indicator in a data table meets a preset threshold, starting the abnormal flow pattern detection;
counting the indicators in the data table based on preset rules, and analysing to obtain the abnormal flow pattern of the abnormal network flows.
Optionally, the preset indicators include:
identical source address, identical source MAC address and identical destination address.
Optionally, the specific indicators include any one or more of the following:
the total aggregation count of the abnormal network flows, the average packet count of the abnormal network flows and the average byte count of the abnormal network flows.
This application also provides a network anomaly detection device, applied to a network device, including:
an acquisition module, for collecting network flows of the NetFlow protocol and of the sFlow protocol respectively;
a fusion module, for extracting a number of fields from each of the collected NetFlow network flows and sFlow network flows, fusing the fields extracted from each, and generating network flows in a preset format;
a detection module, for performing multi-dimensional anomaly detection on the network flows in the preset format.
Optionally, the multi-dimensional anomaly detection includes network abnormal state detection, and the detection module is further used for:
calculating the network normality indicator value of a network flow in the preset format;
determining whether the network normality indicator value is greater than a preset threshold;
if so, determining that the network flow in the preset format is an abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal single-flow detection, and the device further includes:
an abnormal single-flow detection module, used for
extracting abnormal features from the abnormal network flow;
matching the extracted abnormal features against the abnormal feature samples in a preset abnormal feature library, where the abnormal feature samples in the abnormal feature library are labelled with corresponding anomaly types;
when an extracted abnormal feature matches any abnormal feature sample in the abnormal feature library, determining the anomaly type corresponding to that abnormal feature sample to be the anomaly type of the abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal flow pattern detection, and the device further includes:
an abnormal flow pattern detection module, used for
analysing the abnormal flow pattern of the abnormal network flows;
matching the analysed abnormal flow pattern against the abnormal flow pattern samples in a preset abnormal pattern library, where the abnormal flow pattern samples in the abnormal pattern library are labelled with corresponding anomaly types;
when the analysed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, determining the anomaly type corresponding to that abnormal flow pattern sample to be the anomaly type of the abnormal network flows.
Optionally, the abnormal flow pattern detection module is further used for:
aggregating data tables separately based on a number of preset indicators, where each data table includes a number of indicators;
when it is detected that a specific indicator in a data table meets a preset threshold, starting the abnormal flow pattern detection;
counting the indicators in the data table based on preset rules, and analysing to obtain the abnormal flow pattern of the abnormal network flows.
Optionally, the preset indicators include:
identical source address, identical source MAC address and identical destination address.
Optionally, the specific indicator values include any one or more of the following:
the total aggregation count of the abnormal network flows, the average packet count of the abnormal network flows and the average byte count of the abnormal network flows.
In this application, by extracting a number of fields from each of the collected NetFlow network flows and sFlow network flows, fusing the extracted fields and generating network flows in a preset format, multi-dimensional anomaly detection can then be performed on the network flows in the preset format; the multi-dimensional anomaly detection can include network abnormal state detection, abnormal single-flow detection and abnormal flow pattern detection.
On the one hand, because the application collects network flows of both the NetFlow protocol and the sFlow protocol and fuses the two kinds of collected network flows into one kind of network flow in a preset format, more comprehensive network flow information can be provided, so that the data basis for subsequent anomaly detection is more reliable.
On the other hand, because the subsequent detection can also be divided into multiple dimensions, the analysis performed by network anomaly detection is also more comprehensive.
Brief description of the drawings
In order to explain the embodiments of this application or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below; obviously, those of ordinary skill in the art could also obtain other drawings from these drawings.
Fig. 1 is a flow chart of a network anomaly detection method provided by an embodiment of this application;
Fig. 2 is a flow chart of a method for fusing network flows provided by an embodiment of this application;
Fig. 3 is a schematic diagram of a network flow in a preset format provided by an embodiment of this application;
Fig. 4 is a flow chart of a network abnormal state detection method provided by an embodiment of this application;
Fig. 5 is a flow chart of an abnormal single-flow detection method provided by an embodiment of this application;
Fig. 6 is a flow chart of an abnormal flow pattern detection method provided by an embodiment of this application;
Fig. 7 is a logic diagram of a network anomaly detection device provided by an embodiment of this application;
Fig. 8 is a hardware structure diagram of a network device carrying a network anomaly detection device provided by an embodiment of this application.
Embodiment
In the prior art, in order to implement network anomaly detection, a user typically collects network flows based on the SNMP protocol and records the related information of the collected network flows; when the related information of a network flow is detected to fall within a user-preset range, that network flow can be determined to be an abnormal network flow.
However, in practical applications, the related information that network flows collected via the SNMP protocol can provide is relatively limited and cannot offer more comprehensive information, which leads to the problem that subsequent network anomaly detection is incomplete.
In view of the above, this application proposes a network anomaly detection method: by extracting a number of fields from each of the collected NetFlow network flows and sFlow network flows, fusing the extracted fields and generating network flows in a preset format, multi-dimensional anomaly detection can then be performed on the network flows in the preset format; the multi-dimensional anomaly detection can include network abnormal state detection, abnormal single-flow detection and abnormal flow pattern detection.
On the one hand, because the application collects network flows of both the NetFlow protocol and the sFlow protocol and fuses the two kinds of collected network flows into one kind of network flow in a preset format, more comprehensive network flow information can be provided, so that the data basis for subsequent anomaly detection is more reliable.
On the other hand, because the subsequent detection can also be divided into multiple dimensions, the analysis performed by network anomaly detection is also more comprehensive.
This application is described below through specific embodiments and with reference to specific application scenarios.
Refer to Fig. 1. Fig. 1 shows a network anomaly detection method provided by an embodiment of this application, applied to a network device, which performs the following steps:
S101, collecting network flows of the NetFlow protocol and of the sFlow protocol respectively;
S102, extracting a number of fields from each of the collected NetFlow network flows and sFlow network flows, fusing the fields extracted from each, and generating network flows in a preset format;
S103, performing multi-dimensional anomaly detection on the network flows in the preset format.
The above network device can include any form of common device on which anomaly detection software is installed, where the anomaly detection software can carry the network anomaly detection logic.
The above multi-dimensional anomaly detection can be understood as allowing multiple detection dimensions that may be ordered in sequence.
Refer to Fig. 2. Fig. 2 is a flow chart of a method for fusing network flows provided by an embodiment of this application.
In this example, the network device can collect raw NetFlow network flows and raw sFlow network flows from the network traffic.
In this example, after the two kinds of raw network flows are collected, the network device can use a function such as subString() to extract the required fields from each of the two kinds of raw network flows, and store the separately extracted fields in a memory cache area; the extracted fields generally correspond to the user-preset network flow format.
Refer to Fig. 3. Fig. 3 is a schematic diagram of a network flow in a preset format provided by an embodiment of this application.
Corresponding to the network flow format shown in Fig. 3, the fields extracted from raw NetFlow network flows can be the source IP address, destination IP address, TCP/UDP source port, TCP/UDP destination port, IP protocol type, the index values of the input and output interfaces, and the network flow count; the fields extracted from raw sFlow network flows can be the source IP address, destination IP address, TCP/UDP source port, TCP/UDP destination port, IP protocol type, source MAC address, destination MAC address, the port values of the input and output interfaces, and the network flow count.
In this example, the network device can fuse the extracted fields stored in the memory cache area according to the user-preset network flow format.
One specific fusion mode is to place the value of a field extracted from the NetFlow network flow and the value of the field extracted from the sFlow network flow into the corresponding field of the fused network flow. It can be understood that values of the same field extracted from the two kinds of network flows can be placed together in the same field of the fused network flow.
For example, if a corresponding source IP address is extracted from both the NetFlow network flow and the sFlow network flow, the network device can place the separately extracted source IP addresses together in the same field of the fused network flow.
In addition, another specific fusion mode is to add the value of a field extracted from the NetFlow network flow to the value of the field extracted from the sFlow network flow, and then place the sum in the corresponding field of the fused network flow.
For example, if a corresponding network flow count is extracted from both the NetFlow network flow and the sFlow network flow, the network device can add the separately extracted network flow count values and place the sum in the network flow count field of the fused network flow.
In this way, because the application collects network flows of both the NetFlow protocol and the sFlow protocol and fuses the two kinds of collected network flows into one kind of network flow in a preset format, more comprehensive network flow information can be provided, so that the data basis for subsequent anomaly detection is more reliable.
In this example, a network flow hash table can be pre-provided in the memory cache area; the network flow hash table is used to store the fused network flows.
Before a fused network flow is stored in the network flow hash table, the network device needs to calculate the hash index value of each fused network flow and check whether that hash index value already exists in the network flow hash table.
If the hash index value already exists, the network device can update the related information of the network flow corresponding to that hash index value, such as the packet count of the network flow and the byte count of the network flow.
Correspondingly, if the hash index value does not exist, a new entry can be created in the network flow hash table to store the network flow together with the hash index value corresponding to it.
In this example, the network device can be pre-equipped with a fusion database; when the network device detects that the memory cache area is full, it can store the fused network flows held there into the preset fusion database.
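The fusion step (S102, Fig. 2 and Fig. 3) and the hash-table cache described above, as an added illustration that is not the patent's own code. It assumes the hash index is computed over the flow 5-tuple, that the "place in the corresponding field" mode keeps both values side by side only when they differ, and that the fusion database is a plain list; all input records are constructed samples.

```python
import hashlib

# Preset fused-flow field sets (the fields listed alongside Fig. 3).
NETFLOW_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto",
                  "in_if", "out_if", "flows", "packets", "bytes")
SFLOW_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto",
                "src_mac", "dst_mac", "in_if", "out_if", "flows", "packets", "bytes")
# Counters are fused by adding the two values ("add, then place"); every
# other field is fused by placing the values in the same fused field.
SUMMED_FIELDS = ("flows", "packets", "bytes")
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")


def extract(record: dict, wanted: tuple) -> dict:
    """Keep only the preset-format fields (stands in for the subString() step)."""
    return {k: record[k] for k in wanted if k in record}


def hash_index(flow: dict) -> str:
    """Hash index value of a fused flow. Assumption: hashed over the 5-tuple;
    the patent does not say which fields feed the hash."""
    key = "|".join(str(flow[k]) for k in KEY_FIELDS)
    return hashlib.sha1(key.encode()).hexdigest()[:16]


class FlowCache:
    """Memory cache holding the network-flow hash table; when it is full the
    fused flows are flushed to the fusion database (a list here)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.table: dict = {}
        self.database: list = []

    def fuse(self, netflow, sflow) -> dict:
        """Fuse the fields extracted from one NetFlow and one sFlow record
        (either may be None when only one exporter saw the flow)."""
        parts = [extract(netflow, NETFLOW_FIELDS) if netflow else {},
                 extract(sflow, SFLOW_FIELDS) if sflow else {}]
        fused: dict = {}
        for part in parts:
            for k, v in part.items():
                if k in SUMMED_FIELDS:
                    fused[k] = fused.get(k, 0) + v       # add, then place
                elif k in fused and fused[k] != v:
                    fused[k] = (fused[k], v)              # differing values kept side by side
                else:
                    fused[k] = v                          # same value: one shared field
        return fused

    def store(self, fused: dict) -> str:
        """Insert or update the hash-table entry; flush when the cache is full."""
        idx = hash_index(fused)
        if idx in self.table:
            entry = self.table[idx]                       # existing index: update counters
            for k in SUMMED_FIELDS:
                entry[k] = entry.get(k, 0) + fused.get(k, 0)
        else:
            self.table[idx] = dict(fused, hash_index=idx)  # new entry
        if len(self.table) >= self.capacity:
            self.flush()
        return idx

    def flush(self) -> int:
        """Move every cached fused flow into the fusion database."""
        n = len(self.table)
        self.database.extend(self.table.values())
        self.table.clear()
        return n


def demo() -> tuple:
    """Constructed sample: one TCP flow seen by both exporters, then by NetFlow alone."""
    nf = {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "src_port": 40000, "dst_port": 443,
          "proto": 6, "in_if": 1, "out_if": 2, "flows": 1, "packets": 10, "bytes": 4000}
    sf = dict(nf, src_mac="00:11:22:33:44:55", dst_mac="66:77:88:99:aa:bb",
              packets=12, bytes=4800)
    cache = FlowCache(capacity=2)
    idx = cache.store(cache.fuse(nf, sf))      # new entry: flows 2, packets 22, bytes 8800
    cache.store(cache.fuse(nf, None))          # same hash index: counters are updated
    entry = cache.table[idx]
    return entry["flows"], entry["packets"], entry["bytes"]
```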
Refer to Fig. 4. Fig. 4 is a flow chart of a network abnormal state detection method provided by an embodiment of this application. The network device can perform network abnormal state detection based on the data stored in the fusion database.
In this example, the network device can first calculate the network normality indicator value of the fused network flow; the network normality indicator value can be the ratio of network traffic to the number of source and destination ports.
In this example, after the network normality indicator value of the network flow is calculated, the network device can compare the network normality indicator value with the user-preset threshold, and when it detects that the network normality indicator value is greater than the preset threshold, it can determine that the network flow is an abnormal network flow; the user can set a corresponding reasonable threshold for each kind of network normality indicator value.
In one embodiment shown, the network device can be pre-provided with an abnormal feature library, which can store abnormal feature samples labelled with corresponding anomaly types.
Refer to Fig. 5. Fig. 5 is a flow chart of an abnormal single-flow detection method provided by an embodiment of this application.
After the detected abnormal network flows are stored in the preset fusion database, the network device can read an abnormal network flow from the fusion database, extract abnormal features from the read abnormal network flow, and then match the extracted abnormal features against the abnormal feature samples in the preset abnormal feature library.
If an extracted abnormal feature matches any abnormal feature sample in the abnormal feature library, the anomaly type corresponding to that abnormal feature sample can be determined to be the anomaly type of the abnormal network flow; if the extracted abnormal features cannot be matched with any abnormal feature sample in the abnormal feature library, the anomaly type of the abnormal network flow can be classified as an unknown type.
For example, an abnormal feature sample whose source address is the loopback address (127.0.0.1) can be preset in the abnormal feature library; if the network device extracts the feature that the source address is the loopback address from a detected abnormal network flow, it can determine that the anomaly type of the abnormal network flow is a source address anomaly.
It can be understood that after an abnormal network flow is labelled with its corresponding anomaly type, the abnormal network flow can further be saved as a sample to the abnormal feature library, so as to complete the update of the abnormal feature library.
Through this embodiment of abnormal single-flow detection, the user can further confirm the anomaly types of the abnormal network flows in the fusion database, and both the anomaly types and the unknown type can be updated into the abnormal feature library, so that the analysis of network anomaly detection is more comprehensive.
In another embodiment shown, the network device can be pre-provided with an abnormal pattern library, which can store abnormal flow pattern samples labelled with corresponding anomaly types.
An abnormal flow pattern can be understood as a rule obtained by analysing multiple abnormal network flows. For example, the abnormal flow pattern of worm propagation is that multiple abnormal network flows have the same source address or source MAC address but different destination addresses.
Refer to Fig. 6. Fig. 6 is a flow chart of an abnormal flow pattern detection method provided by an embodiment of this application.
After the detected abnormal network flows are stored in the preset fusion database, the network device can read the abnormal network flows from the fusion database and then classify the abnormal network flows based on a number of preset indicators of the abnormal network flows; the preset indicators can be configured by the user and can be, for example, identical source address, identical source MAC address and identical destination address.
After the classification of the abnormal network flows is completed, the network device can also, for each preset indicator, store the abnormal network flows that share that preset indicator together and aggregate them into a data table; the data table can be updated once every preset duration.
For example, if the preset indicator is identical source address, the indicators of the generated same-source-address data table can include the source IP address, the network flow count, the packet count contained in the network flows, the byte count contained in the network flows, the number of distinct destination IP addresses, the number of source ports, the number of aggregated source IPs, the number of destination ports and the number of connections.
Likewise, the network device can also generate a same-source-MAC-address data table, whose indicators can include the source MAC address, the network flow count, the packet count contained in the network flows, the byte count contained in the network flows, the number of distinct destination IP addresses, the number of source ports, the number of distinct source IP addresses, the number of destination ports, the number of aggregated source MACs and the number of connections.
Likewise, the network device can also generate a same-destination-address data table, whose indicators can include the destination IP address, the network flow count, the packet count contained in the network flows, the byte count contained in the network flows, the number of distinct source IP addresses, the number of source ports, the number of aggregated destination IPs, the number of destination ports and the number of connections.
In this example, after the data tables are generated, the network device can detect the specific indicators in the data tables.
The specific indicators can be understood as indicators obtained by statistical analysis of the data in the data tables; for example, the specific indicators can include any one or more of the total aggregation count of the abnormal network flows, the average packet count of the abnormal network flows and the average byte count of the abnormal network flows.
In this example, a corresponding threshold can be preset for each specific indicator. When it is detected that a specific indicator in a data table meets its corresponding preset threshold, the network device can start abnormal flow pattern detection.
In this example, after abnormal flow pattern detection is started, the network device can count the indicators in the data table based on preset rules and analyse to obtain the abnormal flow pattern of the abnormal network flows.
For example, based on the same-source-address data table, the network device can obtain the number of distinct destination IP addresses; when the number of distinct destination IP addresses reaches a preset number, the abnormal flow pattern of the abnormal network flows can be analysed to be "same source address with different destination IP addresses".
In this example, after the abnormal flow pattern of the abnormal network flows is analysed, the network device can match the analysed abnormal flow pattern against the abnormal flow pattern samples in the preset abnormal pattern library.
If the analysed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, the anomaly type corresponding to that abnormal flow pattern sample can be determined to be the anomaly type of the abnormal network flows; if the analysed abnormal flow pattern cannot be matched with any abnormal flow pattern sample in the abnormal pattern library, the anomaly type of the abnormal network flows can be classified as an unknown type.
It can be understood that after the abnormal network flows are labelled with the corresponding anomaly type, the abnormal network flows can further be saved as a sample to the abnormal pattern library, so as to complete the update of the abnormal pattern library.
Through this embodiment of abnormal flow pattern detection, the user can further confirm the anomaly types of the abnormal network flows in the fusion database, and both the anomaly types and the unknown type can be updated into the abnormal pattern library, so that the analysis of network anomaly detection is more comprehensive.
In this example, after the anomaly type of the abnormal network flows is determined, the network device can further provide the abnormal network flows and the corresponding anomaly type to a visualisation interface.
After the user receives the related information of the abnormal network flows on the visualisation interface, the user can act on the abnormal network flows based on a preset blocking strategy; for example, the blocking strategy can be to discard the abnormal network flows.
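The three detection dimensions (Fig. 4 to Fig. 6) run over a batch of fused flows, as an added example that is not the patent's own code. It assumes the network normality indicator is total bytes divided by the number of distinct source and destination ports across the batch, that the abnormal feature library holds predicates (the loopback-source sample is the page's own example), and that the same-source-address table is gated on the total aggregation count before the distinct-destination rule is applied; thresholds and flows are constructed values.

```python
from collections import defaultdict
from statistics import mean

# Constructed fused flows in the preset format (not real traffic): one source
# contacting twelve destinations on one port, a loopback-sourced flow, and a
# single ordinary SSH session.
FUSED_FLOWS = [
    {"src_ip": "10.0.0.7", "dst_ip": f"10.0.1.{i}", "src_port": 50000 + i,
     "dst_port": 445, "proto": 6, "packets": 3, "bytes": 180}
    for i in range(1, 13)
] + [
    {"src_ip": "127.0.0.1", "dst_ip": "10.0.2.4", "src_port": 1234,
     "dst_port": 80, "proto": 6, "packets": 8, "bytes": 2400},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.3.1", "src_port": 5555,
     "dst_port": 22, "proto": 6, "packets": 40, "bytes": 30000},
]


# Dimension 1: network abnormal state (Fig. 4). Assumption: traffic in bytes
# over the count of distinct source plus destination ports in the batch.
def normality_indicator(flows: list) -> float:
    ports = {f["src_port"] for f in flows} | {f["dst_port"] for f in flows}
    return sum(f["bytes"] for f in flows) / len(ports)


# Dimension 2: abnormal single-flow detection (Fig. 5). Each library sample is
# (feature predicate, anomaly type); no match yields the unknown type.
FEATURE_LIBRARY = [
    (lambda f: f["src_ip"].startswith("127."), "source address anomaly"),
]


def classify_single_flow(flow: dict, library=FEATURE_LIBRARY) -> str:
    for matches, anomaly_type in library:
        if matches(flow):
            return anomaly_type
    return "unknown type"


# Dimension 3: abnormal flow pattern (Fig. 6). Build the same-source-address
# data table with its per-row indicators and specific indicators.
def same_source_table(flows: list) -> dict:
    rows = defaultdict(list)
    for f in flows:
        rows[f["src_ip"]].append(f)
    return {
        src: {
            "flow_count": len(group),                          # total aggregation count
            "avg_packets": mean(r["packets"] for r in group),  # specific indicator
            "avg_bytes": mean(r["bytes"] for r in group),      # specific indicator
            "distinct_dst_ips": len({r["dst_ip"] for r in group}),
            "distinct_dst_ports": len({r["dst_port"] for r in group}),
        }
        for src, group in rows.items()
    }


PATTERN_LIBRARY = {
    "same source address, different destination IP addresses": "worm propagation",
}


def detect_flow_pattern(table: dict, min_flows: int = 10, min_distinct_dst: int = 10) -> dict:
    """Return {src_ip: anomaly type} for every row whose specific indicator
    crosses its threshold and therefore starts pattern detection."""
    verdicts = {}
    for src, row in table.items():
        if row["flow_count"] < min_flows:        # threshold gate on the aggregation count
            continue
        if row["distinct_dst_ips"] >= min_distinct_dst:
            pattern = "same source address, different destination IP addresses"
        else:
            pattern = "unclassified"
        verdicts[src] = PATTERN_LIBRARY.get(pattern, "unknown type")
    return verdicts


def run(flows: list = FUSED_FLOWS, state_threshold: float = 500.0) -> dict:
    """Apply all three dimensions to one batch of fused flows."""
    single = {f["src_ip"]: classify_single_flow(f) for f in flows
              if classify_single_flow(f) != "unknown type"}
    return {
        "state_abnormal": normality_indicator(flows) > state_threshold,
        "single_flow": single,
        "patterns": detect_flow_pattern(same_source_table(flows)),
    }
```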
Corresponding with above method embodiment, present invention also provides the embodiment of device.
Fig. 7 is refer to, Fig. 7 is a kind of Network anomaly detection device 70 that the embodiment of the application one provides, applied to network
Equipment;Wherein, Fig. 8 is refer to, as the hardware structure carried involved by the network equipment of the Network anomaly detection device 70
In, generally include CPU, internal memory, nonvolatile memory and internal bus etc.;Exemplified by implemented in software, the Network Abnormal
Detection means 70 is generally understood that the computer program being carried in internal memory, the software and hardware formed afterwards by CPU operations
The logic device being combined, the Network anomaly detection device 70, applied to the network equipment, described device includes:
Acquisition module 701, for gathering the network flow of NetFlow agreements and sFlow agreements respectively;
Fusion Module 702, for extracting some words respectively from the NetFlow network flows and sFlow network flows collected
Section, and some fields to extracting respectively merge, and generate the network flow of preset format;
Detection module 703, for carrying out the abnormality detection of various dimensions for the network flow of the preset format.
Optionally, the abnormality detection of the various dimensions includes Network Abnormal state-detection, and the detection module is further used
In:
Calculate the network normality desired value of the network flow of the preset format;
Determine whether the network normality desired value is more than default threshold value;
If it is, the network flow for determining the preset format is abnormal network stream.
Optionally, the abnormality detection of the various dimensions detects including abnormal single current, in addition to:
Abnormal single current detection module 704, is used for
Off-note is extracted from the abnormal network stream;
The off-note extracted is matched with the off-note sample in default off-note storehouse;Wherein, institute
The off-note sample stated in off-note storehouse is marked with corresponding Exception Type;
, will be with the exception when the off-note extracted and any off-note sample matches in the off-note storehouse
Exception Type corresponding to feature samples is defined as the Exception Type of the abnormal network stream.
Optionally, the multi-dimensional anomaly detection includes abnormal flow pattern detection, and the device further includes:
Abnormal flow pattern detection module 705, configured to:
analyze the abnormal flow pattern of the abnormal network flow;
match the analyzed abnormal flow pattern against the abnormal flow pattern samples in a preset abnormal pattern library, where each abnormal flow pattern sample in the library is labelled with a corresponding anomaly type;
when the analyzed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, take the anomaly type labelled on that sample as the anomaly type of the abnormal network flow.
Optionally, the abnormal flow pattern detection module is further configured to:
aggregate data tables separately on a number of preset dimensions, where each data table contains a number of metrics;
when specific metrics in a data table are detected to meet a preset threshold, start the abnormal flow pattern detection;
count the metrics in the data table according to preset rules and derive, by analysis, the abnormal flow pattern of the abnormal network flow.
Optionally, the preset dimensions include:
the same source address, the same source MAC address, and the same destination address.
Optionally, the specific metrics include any one or more of the following:
the total aggregated count of the abnormal network flows, the average packet count of the abnormal network flows, and the average byte count of the abnormal network flows.
Since the device embodiment essentially corresponds to the method embodiment, the relevant parts may be understood with reference to the description of the method embodiment. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and a component shown as a unit may or may not be a physical unit, i.e. it may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of this application. A person of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is only a preferred embodiment of this application and does not limit this application; any modification, equivalent substitution or improvement made within the spirit and principles of this application shall fall within the scope of protection of this application.
Claims (14)
- 1. A network anomaly detection method, characterized in that it is applied to a network device and includes: collecting NetFlow network flows and sFlow network flows separately; extracting a number of fields from the collected NetFlow network flows and from the collected sFlow network flows respectively, merging the extracted fields, and generating network flows in a preset format; and performing multi-dimensional anomaly detection on the network flows in the preset format.
- 2. The method according to claim 1, characterized in that the multi-dimensional anomaly detection includes network anomaly state detection, and performing multi-dimensional anomaly detection on the network flows in the preset format includes: calculating a network normality index value of the network flows in the preset format; determining whether the network normality index value is greater than a preset threshold; and if so, determining that the network flow in the preset format is an abnormal network flow.
- 3. The method according to claim 2, characterized in that the multi-dimensional anomaly detection includes abnormal single-flow detection, and the method further includes: extracting abnormal features from the abnormal network flow; matching the extracted abnormal features against the abnormal feature samples in a preset abnormal feature library, wherein each abnormal feature sample in the abnormal feature library is labelled with a corresponding anomaly type; and when the extracted abnormal features match any abnormal feature sample in the abnormal feature library, determining the anomaly type corresponding to that abnormal feature sample as the anomaly type of the abnormal network flow.
- 4. The method according to claim 2, characterized in that the multi-dimensional anomaly detection further includes abnormal flow pattern detection, and the method further includes: analyzing the abnormal flow pattern of the abnormal network flow; matching the analyzed abnormal flow pattern against the abnormal flow pattern samples in a preset abnormal pattern library, wherein each abnormal flow pattern sample in the abnormal pattern library is labelled with a corresponding anomaly type; and when the analyzed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, determining the anomaly type corresponding to that abnormal flow pattern sample as the anomaly type of the abnormal network flow.
- 5. The method according to claim 4, characterized in that analyzing the abnormal flow pattern of the abnormal network flow includes: aggregating data tables separately on a number of preset dimensions, wherein each data table includes a number of metrics; when specific metrics in the data table are detected to meet a preset threshold, starting the abnormal flow pattern detection; and counting the metrics in the data table according to preset rules and analyzing them to obtain the abnormal flow pattern of the abnormal network flow.
- 6. The method according to claim 5, characterized in that the preset dimensions include: the same source address, the same source MAC address, and the same destination address.
- 7. The method according to claim 5, characterized in that the specific metrics include any one or more of the following: the total aggregated count of the abnormal network flows, the average packet count of the abnormal network flows, and the average byte count of the abnormal network flows.
- 8. A network anomaly detection device, characterized in that it is applied to a network device and includes: an acquisition module, configured to collect NetFlow network flows and sFlow network flows separately; a fusion module, configured to extract a number of fields from the collected NetFlow network flows and from the collected sFlow network flows respectively, merge the extracted fields, and generate network flows in a preset format; and a detection module, configured to perform multi-dimensional anomaly detection on the network flows in the preset format.
- 9. The device according to claim 8, characterized in that the multi-dimensional anomaly detection includes network anomaly state detection, and the detection module is further configured to: calculate a network normality index value of the network flows in the preset format; determine whether the network normality index value is greater than a preset threshold; and if so, determine that the network flow in the preset format is an abnormal network flow.
- 10. The device according to claim 9, characterized in that the multi-dimensional anomaly detection includes abnormal single-flow detection, and the device further includes an abnormal single-flow detection module configured to: extract abnormal features from the abnormal network flow; match the extracted abnormal features against the abnormal feature samples in a preset abnormal feature library, wherein each abnormal feature sample in the abnormal feature library is labelled with a corresponding anomaly type; and when the extracted abnormal features match any abnormal feature sample in the abnormal feature library, determine the anomaly type corresponding to that abnormal feature sample as the anomaly type of the abnormal network flow.
- 11. The device according to claim 9, characterized in that the multi-dimensional anomaly detection includes abnormal flow pattern detection, and the device further includes an abnormal flow pattern detection module configured to: analyze the abnormal flow pattern of the abnormal network flow; match the analyzed abnormal flow pattern against the abnormal flow pattern samples in a preset abnormal pattern library, wherein each abnormal flow pattern sample in the abnormal pattern library is labelled with a corresponding anomaly type; and when the analyzed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, determine the anomaly type corresponding to that abnormal flow pattern sample as the anomaly type of the abnormal network flow.
- 12. The device according to claim 11, characterized in that the abnormal flow pattern detection module is further configured to: aggregate data tables separately on a number of preset dimensions, wherein each data table includes a number of metrics; when specific metrics in the data table are detected to meet a preset threshold, start the abnormal flow pattern detection; and count the metrics in the data table according to preset rules and analyze them to obtain the abnormal flow pattern of the abnormal network flow.
- 13. The device according to claim 12, characterized in that the preset dimensions include: the same source address, the same source MAC address, and the same destination address.
- 14. The device according to claim 12, characterized in that the specific metrics include any one or more of the following: the total aggregated count of the abnormal network flows, the average packet count of the abnormal network flows, and the average byte count of the abnormal network flows.
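The fusion into a preset format (claims 1 and 8, fusion module 702) and the aggregation-gated pattern matching (claims 5 to 7 and 12 to 14, module 705), as an added example that is not code from the patent or its applicant. It assumes exporter records that have already been decoded into dicts (the field names `srcaddr`, `dPkts`, `frame_length` and so on are hypothetical), an assumed gate threshold on the total aggregated count, and a small hypothetical abnormal pattern library. The network normality index of claim 2 and the per-flow abnormal feature library of claim 3 are not defined on this page and are deliberately not modelled.

```python
"""Added example, not code from the patent: fuse decoded NetFlow/sFlow records
into one schema, aggregate per preset dimension, gate pattern detection on the
aggregate metrics, and match against a small pattern library. All field names,
thresholds and library entries are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    """The 'preset format' both sources are normalised into (assumed schema)."""
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    octets: int
    source: str  # "netflow" or "sflow"


def fuse_netflow(rec):
    """Hypothetical decoded NetFlow v5 record -> Flow. NetFlow v5 carries no
    MAC addresses, so a placeholder is used when the exporter omits them."""
    return Flow(rec["srcaddr"], rec.get("src_mac", "00:00:00:00:00:00"),
                rec["dstaddr"], rec["dstport"], rec["prot"],
                rec["dPkts"], rec["dOctets"], "netflow")


def fuse_sflow(rec, sampling_rate):
    """Hypothetical decoded sFlow packet sample -> Flow. sFlow is packet-sampled:
    one sample stands for about sampling_rate packets, so counters are scaled
    up before merging, otherwise sFlow-observed sources look artificially quiet."""
    return Flow(rec["src_ip"], rec["src_mac"], rec["dst_ip"], rec["dst_port"],
                rec["ip_protocol"], sampling_rate,
                rec["frame_length"] * sampling_rate, "sflow")


# The three preset aggregation dimensions named on the page.
DIMENSIONS = {"src_ip": lambda f: f.src_ip,
              "src_mac": lambda f: f.src_mac,
              "dst_ip": lambda f: f.dst_ip}

GATE_MIN_COUNT = 20  # assumed threshold on the total aggregated count

# Hypothetical abnormal pattern library: (anomaly type, predicate over metrics).
PATTERN_LIBRARY = {
    "src_ip": [("horizontal_scan", lambda m: m["dst_ips"] >= 20
                and m["avg_pkts"] <= 2 and m["avg_bytes"] <= 200)],
    "dst_ip": [("flood_single_target", lambda m: m["src_ips"] >= 20
                and m["avg_pkts"] <= 2)],
    "src_mac": [],
}


def aggregate(flows, dim):
    """One data table per dimension: per key, the page's three metrics plus
    the two fan-out counts the pattern predicates need."""
    table = defaultdict(list)
    for f in flows:
        table[DIMENSIONS[dim](f)].append(f)
    return {key: {"count": len(fs),
                  "avg_pkts": mean(f.packets for f in fs),
                  "avg_bytes": mean(f.octets for f in fs),
                  "dst_ips": len({f.dst_ip for f in fs}),
                  "src_ips": len({f.src_ip for f in fs})}
            for key, fs in table.items()}


def detect(flows):
    """Return {(dimension, key): anomaly_type} for every key that passes the
    gate and matches a library pattern."""
    findings = {}
    for dim in DIMENSIONS:
        for key, m in aggregate(flows, dim).items():
            if m["count"] < GATE_MIN_COUNT:
                continue  # gate not met: pattern detection stays closed
            for label, matches in PATTERN_LIBRARY[dim]:
                if matches(m):
                    findings[(dim, key)] = label
    return findings


def sample_flows():
    """Constructed input: 10.0.0.5 probes 30 hosts on tcp/445 (25 flows seen by
    NetFlow, 5 by sFlow at 1:4 sampling) plus five ordinary HTTPS sessions."""
    mac = "aa:bb:cc:00:00:05"
    flows = [fuse_netflow({"srcaddr": "10.0.0.5", "src_mac": mac,
                           "dstaddr": f"10.0.1.{i}", "dstport": 445,
                           "prot": 6, "dPkts": 1, "dOctets": 60})
             for i in range(25)]
    flows += [fuse_sflow({"src_ip": "10.0.0.5", "src_mac": mac,
                          "dst_ip": f"10.0.1.{i}", "dst_port": 445,
                          "ip_protocol": 6, "frame_length": 60}, 4)
              for i in range(25, 30)]
    flows += [fuse_netflow({"srcaddr": f"10.0.2.{i}", "dstaddr": "10.0.3.10",
                            "dstport": 443, "prot": 6,
                            "dPkts": 40, "dOctets": 30000})
              for i in range(5)]
    return flows


if __name__ == "__main__":
    for (dim, key), label in sorted(detect(sample_flows()).items()):
        print(f"{dim}={key}: {label}")
```

Two design points matter in practice. The gate on the total aggregated count is what keeps the per-key pattern matching cheap: the pattern predicates only run for keys that are already busy, which is the "open the detection when specific metrics meet a threshold" step of claim 5. And the sFlow scaling in `fuse_sflow` is the caveat the fusion step needs: without it, a scanner observed only through a sampling sFlow agent contributes one packet per sample and can sit below the average-packet and average-byte thresholds that a NetFlow-observed scanner would trip.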
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711113098.1A CN107733721A (en) | 2017-11-13 | 2017-11-13 | A kind of network anomaly detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711113098.1A CN107733721A (en) | 2017-11-13 | 2017-11-13 | A kind of network anomaly detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107733721A true CN107733721A (en) | 2018-02-23 |
Family
ID=61215148
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711113098.1A Pending CN107733721A (en) | 2017-11-13 | 2017-11-13 | A kind of network anomaly detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107733721A (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101686235A (en) * | 2008-09-26 | 2010-03-31 | 中联绿盟信息技术(北京)有限公司 | Device and method for analyzing abnormal network flow |
CN106790050A (en) * | 2016-12-19 | 2017-05-31 | 北京启明星辰信息安全技术有限公司 | A kind of anomalous traffic detection method and detecting system |
Non-Patent Citations (1)
Title |
---|
陈欣 (Chen Xin): "Research on an anomaly detection method based on the fusion of NetFlow and sFlow network flows", China Master's Theses Full-text Database, Information Science and Technology series (monthly) * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108494583A (en) * | 2018-02-24 | 2018-09-04 | 广州西麦科技股份有限公司 | A kind of method and device generating network topology based on sFlow |
CN108566335A (en) * | 2018-03-02 | 2018-09-21 | 广州西麦科技股份有限公司 | A kind of network topology generation method based on NetFlow |
CN108566335B (en) * | 2018-03-02 | 2021-04-27 | 广州西麦科技股份有限公司 | Network topology generation method based on NetFlow |
CN112839018A (en) * | 2019-11-25 | 2021-05-25 | 华为技术有限公司 | Degree value generation method and related equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8510830B2 (en) | Method and apparatus for efficient netflow data analysis | |
CN106790050B (en) | A kind of anomalous traffic detection method and detection system | |
CN105141604B (en) | A kind of network security threats detection method and system based on trusted service stream | |
JP6535809B2 (en) | Anomaly detection device, an anomaly detection system, and an anomaly detection method | |
CN101075911B (en) | Statistical information collecting system and apparatus thereof | |
US8111629B2 (en) | Media session identification method for IP networks | |
US8634717B2 (en) | DDoS attack detection and defense apparatus and method using packet data | |
CN107733921A (en) | Network flow abnormal detecting method, device, computer equipment and storage medium | |
US20060230167A1 (en) | Network controller, network control system and network control method | |
CN108282497A (en) | For the ddos attack detection method of SDN control planes | |
CN107733721A (en) | A kind of network anomaly detection method and device | |
CN107196930A (en) | Method, system and the mobile terminal of computer network abnormality detection | |
CN110392013A (en) | A kind of Malware recognition methods, system and electronic equipment based on net flow assorted | |
CN103532969A (en) | Zombie network detection method, device and processor | |
CN107508816A (en) | A kind of attack traffic means of defence and device | |
CN110035062A (en) | A kind of network inspection method and apparatus | |
CN107426132B (en) | The detection method and device of network attack | |
US11863584B2 (en) | Infection spread attack detection device, attack origin specification method, and program | |
CN105871861A (en) | Intrusion detection method for self-learning protocol rule | |
CN110417748A (en) | A kind of attack detection method and device | |
CN111865951A (en) | Network data flow abnormity detection method based on data packet feature extraction | |
CN108881181A (en) | A kind of filter method and device of message | |
CN112929364B (en) | Data leakage detection method and system based on ICMP tunnel analysis | |
CN106936805B (en) | A kind of defence method and system of network attack | |
Zhou et al. | Classification of botnet families based on features self-learning under network traffic censorship |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180223 |