CN107733721A - Network anomaly detection method and device - Google Patents

Network anomaly detection method and device

Info

Publication number: CN107733721A
Authority: CN (China)
Application number: CN201711113098.1A
Other languages: Chinese (zh)
Inventor: 杨印州
Assignee: Hangzhou DPTech Technologies Co Ltd
Legal status: Pending
Prior art keywords: network, abnormal, stream, note, stream mode

Classifications

    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L41/14 Network analysis or design
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/50 Testing arrangements

Abstract

This application discloses a network anomaly detection method and device, applied to a network device. The method includes: collecting network flows of the NetFlow protocol and the sFlow protocol respectively; extracting fields from the collected NetFlow flows and sFlow flows respectively, fusing the extracted fields, and generating a network flow in a preset format; and performing multi-dimensional anomaly detection on the network flow in the preset format. The application improves the comprehensiveness of network anomaly detection.

Description

Network anomaly detection method and device
Technical field
The present application relates to the field of computers, and in particular to a network anomaly detection method and device.
Background
In the prior art, to achieve network anomaly detection, a user usually collects network flows based on the SNMP protocol and records the related information of the collected flows; when the related information of a flow is detected to fall within a user-preset range, that flow can be determined to be an abnormal network flow.
However, in practice the related information that a network flow collected via SNMP can provide is rather limited and cannot offer more comprehensive information, which causes the problem that subsequent network anomaly detection is incomplete.
Summary of the invention
The present application provides a network anomaly detection method, applied to a network device, including:
collecting network flows of the NetFlow protocol and the sFlow protocol respectively;
extracting fields from the collected NetFlow flows and sFlow flows respectively, fusing the fields extracted from each, and generating a network flow in a preset format;
performing multi-dimensional anomaly detection on the network flow in the preset format.
Optionally, the multi-dimensional anomaly detection includes network abnormal state detection, and performing multi-dimensional anomaly detection on the network flow in the preset format includes:
calculating a network normality index value of the network flow in the preset format;
determining whether the network normality index value is greater than a preset threshold;
if so, determining that the network flow in the preset format is an abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal single-flow detection, and the method further includes:
extracting abnormal features from the abnormal network flow;
matching the extracted abnormal features against the abnormal feature samples in a preset abnormal feature library, where the abnormal feature samples in the abnormal feature library are labelled with corresponding anomaly types;
when an extracted abnormal feature matches any abnormal feature sample in the abnormal feature library, determining the anomaly type corresponding to that abnormal feature sample as the anomaly type of the abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal flow pattern detection, and the method further includes:
analysing the abnormal flow pattern of the abnormal network flow;
matching the analysed abnormal flow pattern against the abnormal flow pattern samples in a preset abnormal pattern library, where the abnormal flow pattern samples in the abnormal pattern library are labelled with corresponding anomaly types;
when the analysed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, determining the anomaly type corresponding to that abnormal flow pattern sample as the anomaly type of the abnormal network flow.
Optionally, analysing the abnormal flow pattern of the abnormal network flow includes:
aggregating data tables respectively based on several preset dimensions, where each data table includes several indicators;
when a specific indicator in a data table is detected to meet a preset threshold, enabling abnormal flow pattern detection;
counting the indicators in the data table based on preset rules, and obtaining the abnormal flow pattern of the abnormal network flow by analysis.
Optionally, the preset dimensions include:
the same source address, the same source MAC address, and the same destination address.
Optionally, the specific indicator includes any one or more of the following:
the total aggregation count of the abnormal network flows, the average packet count of the abnormal network flows, and the average byte count of the abnormal network flows.
The present application also provides a network anomaly detection device, applied to a network device, including:
an acquisition module, configured to collect network flows of the NetFlow protocol and the sFlow protocol respectively;
a fusion module, configured to extract fields from the collected NetFlow flows and sFlow flows respectively, fuse the extracted fields, and generate a network flow in a preset format;
a detection module, configured to perform multi-dimensional anomaly detection on the network flow in the preset format.
Optionally, the multi-dimensional anomaly detection includes network abnormal state detection, and the detection module is further configured to:
calculate a network normality index value of the network flow in the preset format;
determine whether the network normality index value is greater than a preset threshold;
if so, determine that the network flow in the preset format is an abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal single-flow detection, and the device further includes:
an abnormal single-flow detection module, configured to:
extract abnormal features from the abnormal network flow;
match the extracted abnormal features against the abnormal feature samples in a preset abnormal feature library, where the abnormal feature samples in the abnormal feature library are labelled with corresponding anomaly types;
when an extracted abnormal feature matches any abnormal feature sample in the abnormal feature library, determine the anomaly type corresponding to that abnormal feature sample as the anomaly type of the abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal flow pattern detection, and the device further includes:
an abnormal flow pattern detection module, configured to:
analyse the abnormal flow pattern of the abnormal network flow;
match the analysed abnormal flow pattern against the abnormal flow pattern samples in a preset abnormal pattern library, where the abnormal flow pattern samples in the abnormal pattern library are labelled with corresponding anomaly types;
when the analysed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, determine the anomaly type corresponding to that abnormal flow pattern sample as the anomaly type of the abnormal network flow.
Optionally, the abnormal flow pattern detection module is further configured to:
aggregate data tables respectively based on several preset dimensions, where each data table includes several indicators;
when a specific indicator in a data table is detected to meet a preset threshold, enable abnormal flow pattern detection;
count the indicators in the data table based on preset rules, and obtain the abnormal flow pattern of the abnormal network flow by analysis.
Optionally, the preset dimensions include:
the same source address, the same source MAC address, and the same destination address.
Optionally, the specific indicator value includes any one or more of the following:
the total aggregation count of the abnormal network flows, the average packet count of the abnormal network flows, and the average byte count of the abnormal network flows.
In the present application, fields are extracted from the collected NetFlow flows and sFlow flows respectively, the extracted fields are fused, and a network flow in a preset format is generated; multi-dimensional anomaly detection can then be performed on the network flow in the preset format, where the multi-dimensional anomaly detection can include network abnormal state detection, abnormal single-flow detection and abnormal flow pattern detection.
On the one hand, because the application collects network flows of both the NetFlow protocol and the sFlow protocol and fuses the two collected kinds of flow into one network flow in a preset format, it can provide more comprehensive network flow information, so that the data basis for subsequent anomaly detection is more reliable.
On the other hand, because the subsequent detection is also divided into multiple dimensions, the analysis performed by network anomaly detection is also more comprehensive.
Brief description of the drawings
To explain the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings required in the description of the embodiments or the prior art are briefly introduced below; obviously, a person of ordinary skill in the art could also obtain other drawings from these drawings.
Fig. 1 is a flow chart of a network anomaly detection method provided by an embodiment of the present application;
Fig. 2 is a flow chart of a method of fusing network flows provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of a network flow in a preset format provided by an embodiment of the present application;
Fig. 4 is a flow chart of a network abnormal state detection method provided by an embodiment of the present application;
Fig. 5 is a flow chart of an abnormal single-flow detection method provided by an embodiment of the present application;
Fig. 6 is a flow chart of an abnormal flow pattern detection method provided by an embodiment of the present application;
Fig. 7 is a logic diagram of a network anomaly detection device provided by an embodiment of the present application;
Fig. 8 is a hardware structure diagram of a network device carrying a network anomaly detection device, provided by an embodiment of the present application.
Detailed description
In the prior art, to achieve network anomaly detection, a user usually collects network flows based on the SNMP protocol and records the related information of the collected flows; when the related information of a flow is detected to fall within a user-preset range, that flow can be determined to be an abnormal network flow.
However, in practice the related information that a network flow collected via SNMP can provide is rather limited and cannot offer more comprehensive information, which causes the problem that subsequent network anomaly detection is incomplete.
In view of the above, the present application proposes a network anomaly detection method that extracts fields from the collected NetFlow flows and sFlow flows respectively, fuses the extracted fields, and generates a network flow in a preset format; multi-dimensional anomaly detection can then be performed on the network flow in the preset format, where the multi-dimensional anomaly detection can include network abnormal state detection, abnormal single-flow detection and abnormal flow pattern detection.
On the one hand, because the application collects network flows of both the NetFlow protocol and the sFlow protocol and fuses the two collected kinds of flow into one network flow in a preset format, it can provide more comprehensive network flow information, so that the data basis for subsequent anomaly detection is more reliable.
On the other hand, because the subsequent detection is also divided into multiple dimensions, the analysis performed by network anomaly detection is also more comprehensive.
The present application is described below through specific embodiments and with reference to specific application scenarios.
Referring to Fig. 1, Fig. 1 shows a network anomaly detection method provided by an embodiment of the present application, applied to a network device, which performs the following steps:
S101: collecting network flows of the NetFlow protocol and the sFlow protocol respectively;
S102: extracting fields from the collected NetFlow flows and sFlow flows respectively, fusing the fields extracted from each, and generating a network flow in a preset format;
S103: performing multi-dimensional anomaly detection on the network flow in the preset format.
The above network device can include any form of common device on which anomaly detection software is installed, where the anomaly detection software can carry the network anomaly detection logic.
The above multi-dimensional anomaly detection can be understood as several detection measures that may be performed in sequence.
Referring to Fig. 2, Fig. 2 is a flow chart of a method of fusing network flows provided by an embodiment of the present application.
In this example, the network device can collect NetFlow raw network flows and sFlow raw network flows from the network traffic.
In this example, after the two kinds of raw network flow are collected, the network device can use a function such as subString() to extract the required fields from each kind of raw network flow respectively, and store the separately extracted fields in a memory cache area; the extracted fields generally correspond to the user-preset network flow format.
Referring to Fig. 3, Fig. 3 is a schematic diagram of a network flow in a preset format provided by an embodiment of the present application.
Corresponding to the network flow format shown in Fig. 3, the fields extracted from the NetFlow raw network flow can be the source IP address, destination IP address, TCP/UDP source port, TCP/UDP destination port, IP protocol type, the index values of the input and output interfaces, and the number of network flows; the fields extracted from the sFlow raw network flow can be the source IP address, destination IP address, TCP/UDP source port, TCP/UDP destination port, IP protocol type, source MAC address, destination MAC address, the port values of the input and output interfaces, and the number of network flows.
In this example, the network device can fuse the extracted fields stored in the memory cache area according to the user-preset network flow format.
The specific fusion method can be to place the value of a field extracted from the NetFlow flow and the value of the field extracted from the sFlow flow into the corresponding field of the fused network flow. It can be understood that values extracted from the same field of the two kinds of network flow can be placed together in the same field of the fused network flow.
For example, where a corresponding source IP address is extracted from both the NetFlow flow and the sFlow flow, the network device can place the separately extracted source IP addresses together in the same field of the fused network flow.
In addition, the specific fusion method can also be to add the value of a field extracted from the NetFlow flow to the value of the field extracted from the sFlow flow, and then place the sum in the corresponding field of the fused network flow.
For example, where a corresponding number of network flows is extracted from both the NetFlow flow and the sFlow flow, the network device can add the separately extracted flow counts and then place the sum in the network flow count field of the fused flow.
In this way, because the application collects network flows of both the NetFlow protocol and the sFlow protocol and fuses the two collected kinds of flow into one network flow in a preset format, it can provide more comprehensive network flow information, so that the data basis for subsequent anomaly detection is more reliable.
In this example, a network flow hash table can be provided in advance in the memory cache area, and the network flow hash table is used to store the fused network flows.
Before a fused network flow is stored in the network flow hash table, the network device needs to calculate the hash index value of that network flow and check whether the hash index value already exists in the network flow hash table.
If the hash index value already exists, the network device can update the related information of the network flow corresponding to that hash index value, such as the packet count and byte count of the network flow.
Correspondingly, if the hash index value does not exist, a new entry can be created in the network flow hash table to store the network flow and its corresponding hash index value.
In this example, the network device can be preset with a fusion database; when the network device detects that the memory cache area is full, the stored fused network flows can be stored into the preset fusion database.
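The fusion step and hash-table update described above, as an added illustration that is not the patent's own code: the record field names, the 5-tuple used as the hash index value and the sample records are all assumptions constructed for this example.

```python
"""Fuse NetFlow and sFlow records into one preset-format flow hash table.

Added example, not code from the patent. Field names, the choice of the
5-tuple as hash index value, and the sample records are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample records, as a collector would hand them over after the
# field extraction step (NetFlow carries interface indexes, sFlow adds MACs).
NETFLOW_RECORDS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "src_port": 44321, "dst_port": 443,
     "proto": 6, "in_if": 1, "out_if": 2, "flows": 1, "packets": 12, "byte_count": 2400},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "src_port": 44321, "dst_port": 443,
     "proto": 6, "in_if": 1, "out_if": 2, "flows": 1, "packets": 8, "byte_count": 900},
]
SFLOW_RECORDS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "src_port": 44321, "dst_port": 443,
     "proto": 6, "src_mac": "aa:bb:cc:00:00:05", "dst_mac": "aa:bb:cc:00:01:09",
     "in_if": 1, "out_if": 2, "flows": 1, "packets": 3, "byte_count": 300},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.9", "src_port": 50000, "dst_port": 22,
     "proto": 6, "src_mac": "aa:bb:cc:00:00:07", "dst_mac": "aa:bb:cc:00:01:09",
     "in_if": 1, "out_if": 2, "flows": 1, "packets": 5, "byte_count": 640},
]

FlowKey = Tuple[str, str, int, int, int]


@dataclass
class FusedFlow:
    """Preset-format flow (Fig. 3 style): shared fields kept once, counters summed."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    src_mac: Optional[str] = None   # only the sFlow side carries MAC addresses
    dst_mac: Optional[str] = None
    in_if: Optional[int] = None
    out_if: Optional[int] = None
    flows: int = 0
    packets: int = 0
    byte_count: int = 0
    sources: set = field(default_factory=set)  # which protocols contributed


def flow_hash_index(rec: dict) -> FlowKey:
    """The 'hash index value': the 5-tuple both protocols share (assumption)."""
    return (rec["src_ip"], rec["dst_ip"], rec["src_port"], rec["dst_port"], rec["proto"])


def fuse(records: List[dict], source: str, table: Dict[FlowKey, FusedFlow]) -> None:
    """Merge one protocol's extracted records into the shared hash table.

    Existing index value: update the entry's counters. Missing: create an entry.
    """
    for rec in records:
        key = flow_hash_index(rec)
        entry = table.get(key)
        if entry is None:
            entry = FusedFlow(*key)
            table[key] = entry
        # Fields both protocols carry land in the same fused field; fields only
        # one protocol carries are filled the first time they are seen.
        for name in ("src_mac", "dst_mac", "in_if", "out_if"):
            if rec.get(name) is not None and getattr(entry, name) is None:
                setattr(entry, name, rec[name])
        # Numeric counters are added, as the text describes for the flow count.
        entry.flows += rec["flows"]
        entry.packets += rec["packets"]
        entry.byte_count += rec["byte_count"]
        entry.sources.add(source)


def build_fused_table(netflow: List[dict], sflow: List[dict]) -> Dict[FlowKey, FusedFlow]:
    """Fuse both collections into one table keyed by hash index value."""
    table: Dict[FlowKey, FusedFlow] = {}
    fuse(netflow, "netflow", table)
    fuse(sflow, "sflow", table)
    return table


if __name__ == "__main__":
    for key, entry in build_fused_table(NETFLOW_RECORDS, SFLOW_RECORDS).items():
        print(key, entry.flows, entry.packets, entry.byte_count, sorted(entry.sources))
```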
Referring to Fig. 4, Fig. 4 is a flow chart of a network abnormal state detection method provided by an embodiment of the present application. The network device can perform network abnormal state detection based on the data stored in the fusion database.
In this example, the network device can first calculate the network normality index value of the fused network flow; the network normality index value can be the ratio of the network traffic to the number of source and destination ports.
In this example, after the network normality index value of the network flow is calculated, the network device can compare the network normality index value with the user-preset threshold, and when the network normality index value is detected to be greater than the preset threshold, the network flow can be determined to be an abnormal network flow; the user can set a corresponding reasonable threshold for different network normality index values.
In one embodiment shown, the network device can be provided in advance with an abnormal feature library, which can store abnormal feature samples labelled with corresponding anomaly types.
Referring to Fig. 5, Fig. 5 is a flow chart of an abnormal single-flow detection method provided by an embodiment of the present application.
After the detected abnormal network flows are stored in the preset fusion database, the network device can read the abnormal network flows from the fusion database, extract abnormal features from the read abnormal network flow, and then match the extracted abnormal features against the abnormal feature samples in the preset abnormal feature library.
If an extracted abnormal feature matches any abnormal feature sample in the abnormal feature library, the anomaly type corresponding to that abnormal feature sample can be determined as the anomaly type of the abnormal network flow; if the extracted abnormal feature matches none of the abnormal feature samples in the abnormal feature library, the anomaly type of the abnormal network flow can be classified as an unknown type.
For example, an abnormal feature sample whose source address is the loopback address (127.0.0.1) can be preset in the abnormal feature library; if the network device extracts from a detected abnormal network flow the feature that its source address is the loopback address, it can determine that the anomaly type of that abnormal network flow is a source address anomaly.
It can be understood that after an abnormal network flow is labelled with its corresponding anomaly type, the abnormal network flow can further be saved as a sample to the abnormal feature library, completing the update of the abnormal feature library.
Through this embodiment of abnormal single-flow detection, the user can further confirm the anomaly type of the abnormal network flows in the fusion database, and both the anomaly type and the unknown type can be updated into the abnormal feature library, so that the analysis of network anomaly detection is more comprehensive.
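The two stages just described, network abnormal state detection (Fig. 4) and abnormal single-flow detection (Fig. 5), as one added example that is not the patent's own code: the exact operands of the normality index (bytes over distinct ports), the feature extractors other than the loopback check, the threshold and the sample flows are assumptions constructed here.

```python
"""Network abnormal state detection, then abnormal single-flow typing.

Added example, not code from the patent. The normality index operands
(bytes / distinct ports), the non-loopback feature extractors, the
threshold and the sample flows are assumptions.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed fused flows in the preset format, as read from the fusion database.
FUSED_FLOWS = [
    {"src_ip": "127.0.0.1", "dst_ip": "10.0.1.9", "src_port": 40000, "dst_port": 80,
     "proto": 6, "packets": 40, "byte_count": 60000},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.9", "src_port": 50000, "dst_port": 22,
     "proto": 6, "packets": 5, "byte_count": 640},
    {"src_ip": "10.0.0.8", "dst_ip": "10.0.1.9", "src_port": 50001, "dst_port": 22,
     "proto": 6, "packets": 9, "byte_count": 70000},
]


def normality_index(flow: dict) -> float:
    """Ratio of the flow's traffic to its number of source/destination ports.

    Assumption: traffic = byte count, ports = distinct ports in the flow.
    """
    ports = {flow["src_port"], flow["dst_port"]}
    return flow["byte_count"] / len(ports)


def detect_abnormal_state(flows: List[dict], threshold: float) -> List[dict]:
    """Fig. 4: keep the flows whose normality index exceeds the user threshold."""
    return [f for f in flows if normality_index(f) > threshold]


# Feature extractors: feature name -> predicate over a flow (constructed).
FEATURE_EXTRACTORS: Dict[str, Callable[[dict], bool]] = {
    "src_is_loopback": lambda f: ipaddress.ip_address(f["src_ip"]).is_loopback,
    "src_eq_dst": lambda f: f["src_ip"] == f["dst_ip"],
    "avg_pkt_over_1500": lambda f: f["byte_count"] / f["packets"] > 1500,
}


def extract_features(flow: dict) -> List[str]:
    """Abnormal features present in the flow, in extractor order."""
    return [name for name, pred in FEATURE_EXTRACTORS.items() if pred(flow)]


# Abnormal feature library: sample feature -> labelled anomaly type.
# The loopback source sample is the page's own example; src_eq_dst is constructed.
FEATURE_LIBRARY: Dict[str, str] = {
    "src_is_loopback": "source address anomaly",
    "src_eq_dst": "source address anomaly",
}


def classify_single_flow(flow: dict, library: Dict[str, str]) -> str:
    """Fig. 5: the first extracted feature with a library sample decides the
    anomaly type; a flow matching no sample is typed UNKNOWN."""
    for feat in extract_features(flow):
        if feat in library:
            return library[feat]
    return "UNKNOWN"


def learn(library: Dict[str, str], flow: dict, anomaly_type: str) -> None:
    """Save a labelled flow's features back into the library (library update)."""
    for feat in extract_features(flow):
        library.setdefault(feat, anomaly_type)


def run(flows: List[dict], threshold: float, library: Dict[str, str]) -> List[Tuple[dict, str]]:
    """Stage 1 (state detection) feeding stage 2 (single-flow typing)."""
    return [(f, classify_single_flow(f, library))
            for f in detect_abnormal_state(flows, threshold)]


if __name__ == "__main__":
    for flow, kind in run(FUSED_FLOWS, 10000.0, dict(FEATURE_LIBRARY)):
        print(flow["src_ip"], round(normality_index(flow)), kind)
```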
In another embodiment shown, the network device can be provided in advance with an abnormal pattern library, which can store abnormal flow pattern samples labelled with corresponding anomaly types.
The abnormal flow pattern can be understood as a rule obtained by analysing multiple abnormal network flows. For example, the abnormal flow pattern of worm propagation is that multiple abnormal network flows have the same source address or source MAC address but different destination addresses.
Referring to Fig. 6, Fig. 6 is a flow chart of an abnormal flow pattern detection method provided by an embodiment of the present application.
After the detected abnormal network flows are stored in the preset fusion database, the network device can read the abnormal network flows from the fusion database and then classify them based on several preset dimensions of the abnormal network flows; the preset dimensions can be configured by the user and can be, for example, the same source address, the same source MAC address and the same destination address.
After the classification of the abnormal network flows is completed, the network device can also, for each preset dimension, store the abnormal network flows having that dimension together and aggregate them into a data table; the data table can be updated once every preset duration.
For example, if the preset dimension is the same source address, the indicators of the generated same-source-address data table can include the source IP address, the number of network flows, the packet count and byte count contained in the network flows, the number of distinct destination IP addresses, the number of source ports, the number of aggregated source IPs, the number of destination ports and the number of connections.
Likewise, the network device can also generate a same-source-MAC-address data table, whose indicators can include the source MAC address, the number of network flows, the packet count and byte count contained in the network flows, the number of distinct destination IP addresses, the number of source ports, the number of distinct source IP addresses, the number of destination ports, the number of aggregated source MACs and the number of connections.
Likewise, the network device can also generate a same-destination-address data table, whose indicators can include the destination IP address, the number of network flows, the packet count and byte count contained in the network flows, the number of distinct source IP addresses, the number of source ports, the number of aggregated destination IPs, the number of destination ports and the number of connections.
In this example, after the data tables are generated, the network device can detect the specific indicators in the data tables.
The specific indicators can be understood as indicators obtained by statistical analysis of the data in the data tables; for example, the specific indicators can include any one or more of the total aggregation count of the abnormal network flows, the average packet count of the abnormal network flows and the average byte count of the abnormal network flows.
In this example, a corresponding threshold can be preset for each specific indicator. When a specific indicator in a data table is detected to meet its corresponding preset threshold, the network device can enable abnormal flow pattern detection.
In this example, after abnormal flow pattern detection is enabled, the network device can count the indicators in the data table based on preset rules and obtain the abnormal flow pattern of the abnormal network flows by analysis.
For example, based on the same-source-address data table, the network device can obtain the number of distinct destination IP addresses; when that number reaches a preset number, the abnormal flow pattern of the abnormal network flows can be analysed to be the same source address with different destination IP addresses.
In this example, after the abnormal flow pattern of the abnormal network flows has been analysed, the network device can match the analysed abnormal flow pattern against the abnormal flow pattern samples in the preset abnormal pattern library.
If the analysed abnormal flow pattern matches any abnormal flow pattern sample in the abnormal pattern library, the anomaly type corresponding to that abnormal flow pattern sample can be determined as the anomaly type of the abnormal network flows; if the analysed abnormal flow pattern matches none of the abnormal flow pattern samples in the abnormal pattern library, the anomaly type of the abnormal network flows can be classified as an unknown type.
It can be understood that after the abnormal network flows are labelled with their corresponding anomaly type, the abnormal network flows can further be saved as a sample to the abnormal pattern library, completing the update of the abnormal pattern library.
Through this embodiment of abnormal flow pattern detection, the user can further confirm the anomaly type of the abnormal network flows in the fusion database, and both the anomaly type and the unknown type can be updated into the abnormal pattern library, so that the analysis of network anomaly detection is more comprehensive.
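The abnormal flow pattern detection of Fig. 6 end to end, as an added example that is not the patent's own code: per-dimension aggregation into data tables, the specific-indicator gate, the preset rule that derives the pattern, and matching against a pattern library. The indicator thresholds, the "preset number" of distinct destinations, the pattern encoding and the sample flows are assumptions constructed here.

```python
"""Abnormal flow pattern detection over aggregated data tables.

Added example, not code from the patent. Thresholds, the preset number of
distinct destinations, the pattern encoding and the sample flows are assumed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed abnormal flows as read back from the fusion database:
# one host touching 12 destinations, one single flow, one host hammering one destination.
ABNORMAL_FLOWS = [
    {"src_ip": "10.0.0.5", "src_mac": "aa:bb:cc:00:00:05", "dst_ip": f"10.0.2.{i}",
     "src_port": 40000 + i, "dst_port": 445, "packets": 3, "byte_count": 180}
    for i in range(1, 13)
] + [
    {"src_ip": "10.0.0.7", "src_mac": "aa:bb:cc:00:00:07", "dst_ip": "10.0.1.9",
     "src_port": 50000, "dst_port": 22, "packets": 5, "byte_count": 640},
] + [
    {"src_ip": "10.0.0.9", "src_mac": "aa:bb:cc:00:00:09", "dst_ip": "10.0.1.20",
     "src_port": 51000 + i, "dst_port": 80, "packets": 2, "byte_count": 120}
    for i in range(11)
]

# Preset dimensions named on the page, mapped to the flow field they group by.
DIMENSIONS = {"same_src_ip": "src_ip", "same_src_mac": "src_mac", "same_dst_ip": "dst_ip"}

# Assumed per-indicator thresholds; the gate opens when any indicator is met.
INDICATOR_THRESHOLDS = {"total": 10, "avg_packets": 1000, "avg_bytes": 100000}
PRESET_DISTINCT_COUNT = 10  # the page's "preset number" of distinct addresses (assumed)

# Pattern library: (dimension, rule outcome) -> anomaly type.
# The worm samples follow the page's worm propagation description.
PATTERN_LIBRARY: Dict[Tuple[str, str], str] = {
    ("same_src_ip", "many_dst_ips"): "worm propagation",
    ("same_src_mac", "many_dst_ips"): "worm propagation",
}


def aggregate(flows: List[dict], key_field: str) -> Dict[str, dict]:
    """One data table: a row per dimension value carrying the page's indicators."""
    table: Dict[str, dict] = {}
    for f in flows:
        row = table.setdefault(f[key_field], {
            "flow_count": 0, "packets": 0, "byte_count": 0,
            "dst_ips": set(), "src_ips": set(), "src_ports": set(), "dst_ports": set(),
        })
        row["flow_count"] += 1
        row["packets"] += f["packets"]
        row["byte_count"] += f["byte_count"]
        row["dst_ips"].add(f["dst_ip"])
        row["src_ips"].add(f["src_ip"])
        row["src_ports"].add(f["src_port"])
        row["dst_ports"].add(f["dst_port"])
    return table


def specific_indicators(row: dict) -> Dict[str, float]:
    """Total aggregation count, average packet count and average byte count."""
    n = row["flow_count"]
    return {"total": n, "avg_packets": row["packets"] / n, "avg_bytes": row["byte_count"] / n}


def analyse_pattern(dimension: str, row: dict) -> Optional[Tuple[str, str]]:
    """Preset rule: a same-source row with enough distinct destinations (or a
    same-destination row with enough distinct sources) yields a pattern."""
    if dimension in ("same_src_ip", "same_src_mac") and len(row["dst_ips"]) >= PRESET_DISTINCT_COUNT:
        return (dimension, "many_dst_ips")
    if dimension == "same_dst_ip" and len(row["src_ips"]) >= PRESET_DISTINCT_COUNT:
        return (dimension, "many_src_ips")
    return None


def detect_patterns(flows: List[dict],
                    library: Dict[Tuple[str, str], str] = PATTERN_LIBRARY) -> List[Tuple[str, str, str]]:
    """(dimension, key, anomaly type) for every table row that passed the gate."""
    results = []
    for dim, key_field in DIMENSIONS.items():
        for key, row in aggregate(flows, key_field).items():
            ind = specific_indicators(row)
            if not any(ind[name] >= limit for name, limit in INDICATOR_THRESHOLDS.items()):
                continue  # gate not met: pattern detection stays disabled for this row
            pattern = analyse_pattern(dim, row)
            results.append((dim, key, library.get(pattern, "UNKNOWN") if pattern else "UNKNOWN"))
    return results


if __name__ == "__main__":
    for dim, key, kind in detect_patterns(ABNORMAL_FLOWS):
        print(dim, key, kind)
```

Rows typed UNKNOWN (here the host repeatedly hitting one destination) are the ones the text says get saved back into the pattern library once an operator labels them.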
In this example, after the anomaly type of the abnormal network flow is determined, the network device can further provide the abnormal network flow and its corresponding anomaly type to a visualisation interface.
After the user receives the related information of the abnormal network flow on the visualisation interface, the abnormal network flow can be handled based on a preset blocking strategy; for example, the blocking strategy can be to discard the abnormal network flow.
Corresponding with above method embodiment, present invention also provides the embodiment of device.
Fig. 7 is refer to, Fig. 7 is a kind of Network anomaly detection device 70 that the embodiment of the application one provides, applied to network Equipment;Wherein, Fig. 8 is refer to, as the hardware structure carried involved by the network equipment of the Network anomaly detection device 70 In, generally include CPU, internal memory, nonvolatile memory and internal bus etc.;Exemplified by implemented in software, the Network Abnormal Detection means 70 is generally understood that the computer program being carried in internal memory, the software and hardware formed afterwards by CPU operations The logic device being combined, the Network anomaly detection device 70, applied to the network equipment, described device includes:
Acquisition module 701, for gathering the network flow of NetFlow agreements and sFlow agreements respectively;
Fusion Module 702, for extracting some words respectively from the NetFlow network flows and sFlow network flows collected Section, and some fields to extracting respectively merge, and generate the network flow of preset format;
Detection module 703, for carrying out the abnormality detection of various dimensions for the network flow of the preset format.
Optionally, the abnormality detection of the various dimensions includes Network Abnormal state-detection, and the detection module is further used In:
Calculate the network normality desired value of the network flow of the preset format;
Determine whether the network normality desired value is more than default threshold value;
If it is, the network flow for determining the preset format is abnormal network stream.
Optionally, the multi-dimensional anomaly detection includes abnormal single-flow detection, and the device further includes:
An abnormal single-flow detection module 704, configured to:
extract anomaly features from the abnormal network flow;
match the extracted anomaly features against the anomaly feature samples in a preset anomaly feature library, where the anomaly feature samples in the anomaly feature library are marked with corresponding anomaly types;
when an extracted anomaly feature matches any anomaly feature sample in the anomaly feature library, determine the anomaly type corresponding to that anomaly feature sample as the anomaly type of the abnormal network flow.
Optionally, the multi-dimensional anomaly detection includes abnormal flow pattern detection, and the device further includes:
An abnormal flow pattern detection module 705, configured to:
analyze the abnormal flow pattern of the abnormal network flow;
match the analyzed abnormal flow pattern against the abnormal flow pattern samples in a preset anomaly pattern library, where the abnormal flow pattern samples in the anomaly pattern library are marked with corresponding anomaly types;
when the analyzed abnormal flow pattern matches any abnormal flow pattern sample in the anomaly pattern library, determine the anomaly type corresponding to that abnormal flow pattern sample as the anomaly type of the abnormal network flow.
Optionally, the abnormal flow pattern detection module is further configured to:
aggregate data tables based on a number of preset dimensions respectively, where each data table includes a number of indexes;
when it is detected that a specific index in a data table meets a predetermined threshold, start the abnormal flow pattern detection;
count the indexes in the data table according to preset rules, and obtain the abnormal flow pattern of the abnormal network flow by analysis.
Optionally, the preset dimensions include:
the same source address, the same source MAC address and the same destination address.
Optionally, the specific index values include any one or more of the following:
the total aggregated count of the abnormal network flows, the average packet count of the abnormal network flows and the average byte count of the abnormal network flows.
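The aggregation, threshold gate and pattern matching of module 705 (claims 5 to 7 and 12 to 14 restate them), as an added Python example that is not part of the patent. The flow records, gate thresholds, pattern samples and anomaly type labels are constructed assumptions; the patent names the three dimensions and the three indexes but not the thresholds or the pattern library contents.

```python
# Added example (not the patent's own code): abnormal flow-pattern detection.
# Fused flows are aggregated per dimension into data tables of indexes; a table
# whose indexes cross a preset threshold opens pattern detection, and its indexes
# are matched against a pattern library marked with anomaly types.
# Thresholds, pattern samples and labels are constructed assumptions.
from collections import defaultdict

# Constructed fused flows: 40 one-packet flows from one source to 40 hosts,
# plus one large flow from a second source.
FLOWS = [{"src_ip": "10.0.0.5", "src_mac": "aa:aa:aa:00:00:01",
          "dst_ip": f"10.0.1.{i}", "packets": 1, "bytes": 60} for i in range(1, 41)]
FLOWS.append({"src_ip": "10.0.0.8", "src_mac": "aa:aa:aa:00:00:02",
              "dst_ip": "10.0.1.9", "packets": 120, "bytes": 90000})

DIMENSIONS = ("src_ip", "src_mac", "dst_ip")   # the three preset dimensions
GATE = {"total": 20, "avg_bytes": 50000}        # constructed gate thresholds

# Constructed pattern library: (anomaly type, predicate over a table's indexes).
PATTERN_LIBRARY = [
    ("fan-out-small-flows", lambda ix: ix["total"] >= 20 and ix["avg_packets"] <= 2),
    ("bulk-transfer", lambda ix: ix["total"] <= 5 and ix["avg_bytes"] >= 50000),
]

def aggregate(flows, dimension):
    """One data table per dimension value: total flow count, avg packets, avg bytes."""
    groups = defaultdict(list)
    for f in flows:
        groups[f[dimension]].append(f)
    return {key: {"total": len(fs),
                  "avg_packets": sum(f["packets"] for f in fs) / len(fs),
                  "avg_bytes": sum(f["bytes"] for f in fs) / len(fs)}
            for key, fs in groups.items()}

def gate_open(ix):
    """Pattern detection starts only when an index meets its preset threshold."""
    return ix["total"] >= GATE["total"] or ix["avg_bytes"] >= GATE["avg_bytes"]

def detect(flows):
    """Return (dimension, key, anomaly_type) for each gated table that matches
    a pattern sample; tables that open the gate but match nothing are skipped."""
    findings = []
    for dim in DIMENSIONS:
        for key, ix in aggregate(flows, dim).items():
            if not gate_open(ix):
                continue
            for anomaly_type, matches in PATTERN_LIBRARY:
                if matches(ix):
                    findings.append((dim, key, anomaly_type))
                    break
    return findings
```

Note that the same source is reported under both the source-address and source-MAC dimensions, so a consumer should deduplicate findings that describe one host.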
Since the device embodiments basically correspond to the method embodiments, reference can be made to the description of the method embodiments for the relevant parts. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is only a preferred embodiment of the application and is not intended to limit the application; any modification, equivalent substitution or improvement made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (14)

  1. A network anomaly detection method, characterized in that it is applied to a network device and includes:
    collecting network flows of the NetFlow protocol and of the sFlow protocol respectively;
    extracting a number of fields from the collected NetFlow network flows and sFlow network flows respectively, fusing the extracted fields, and generating network flows in a preset format;
    performing multi-dimensional anomaly detection on the network flows in the preset format.
  2. The method according to claim 1, characterized in that the multi-dimensional anomaly detection includes network anomaly state detection;
    performing multi-dimensional anomaly detection on the network flows in the preset format includes:
    calculating a network normality index value for the network flows in the preset format;
    determining whether the network normality index value is greater than a preset threshold;
    if so, determining that the network flows in the preset format are abnormal network flows.
  3. The method according to claim 2, characterized in that the multi-dimensional anomaly detection includes abnormal single-flow detection;
    the method further includes:
    extracting anomaly features from the abnormal network flow;
    matching the extracted anomaly features against the anomaly feature samples in a preset anomaly feature library, where the anomaly feature samples in the anomaly feature library are marked with corresponding anomaly types;
    when an extracted anomaly feature matches any anomaly feature sample in the anomaly feature library, determining the anomaly type corresponding to that anomaly feature sample as the anomaly type of the abnormal network flow.
  4. The method according to claim 2, characterized in that the multi-dimensional anomaly detection further includes abnormal flow pattern detection;
    the method further includes:
    analyzing the abnormal flow pattern of the abnormal network flow;
    matching the analyzed abnormal flow pattern against the abnormal flow pattern samples in a preset anomaly pattern library, where the abnormal flow pattern samples in the anomaly pattern library are marked with corresponding anomaly types;
    when the analyzed abnormal flow pattern matches any abnormal flow pattern sample in the anomaly pattern library, determining the anomaly type corresponding to that abnormal flow pattern sample as the anomaly type of the abnormal network flow.
  5. The method according to claim 4, characterized in that analyzing the abnormal flow pattern of the abnormal network flow includes:
    aggregating data tables based on a number of preset dimensions respectively, where each data table includes a number of indexes;
    when it is detected that a specific index in a data table meets a predetermined threshold, starting the abnormal flow pattern detection;
    counting the indexes in the data table according to preset rules, and obtaining the abnormal flow pattern of the abnormal network flow by analysis.
  6. The method according to claim 5, characterized in that the preset dimensions include:
    the same source address, the same source MAC address and the same destination address.
  7. The method according to claim 5, characterized in that the specific index includes any one or more of the following:
    the total aggregated count of the abnormal network flows, the average packet count of the abnormal network flows and the average byte count of the abnormal network flows.
  8. A network anomaly detection device, characterized in that it is applied to a network device and includes:
    an acquisition module, configured to collect network flows of the NetFlow protocol and of the sFlow protocol respectively;
    a fusion module, configured to extract a number of fields from the collected NetFlow network flows and sFlow network flows respectively, fuse the extracted fields, and generate network flows in a preset format;
    a detection module, configured to perform multi-dimensional anomaly detection on the network flows in the preset format.
  9. The device according to claim 8, characterized in that the multi-dimensional anomaly detection includes network anomaly state detection, and the detection module is further configured to:
    calculate a network normality index value for the network flows in the preset format;
    determine whether the network normality index value is greater than a preset threshold;
    if so, determine that the network flows in the preset format are abnormal network flows.
  10. The device according to claim 9, characterized in that the multi-dimensional anomaly detection includes abnormal single-flow detection, and the device further includes:
    an abnormal single-flow detection module, configured to:
    extract anomaly features from the abnormal network flow;
    match the extracted anomaly features against the anomaly feature samples in a preset anomaly feature library, where the anomaly feature samples in the anomaly feature library are marked with corresponding anomaly types;
    when an extracted anomaly feature matches any anomaly feature sample in the anomaly feature library, determine the anomaly type corresponding to that anomaly feature sample as the anomaly type of the abnormal network flow.
  11. The device according to claim 9, characterized in that the multi-dimensional anomaly detection includes abnormal flow pattern detection, and the device further includes:
    an abnormal flow pattern detection module, configured to:
    analyze the abnormal flow pattern of the abnormal network flow;
    match the analyzed abnormal flow pattern against the abnormal flow pattern samples in a preset anomaly pattern library, where the abnormal flow pattern samples in the anomaly pattern library are marked with corresponding anomaly types;
    when the analyzed abnormal flow pattern matches any abnormal flow pattern sample in the anomaly pattern library, determine the anomaly type corresponding to that abnormal flow pattern sample as the anomaly type of the abnormal network flow.
  12. The device according to claim 11, characterized in that the abnormal flow pattern detection module is further configured to:
    aggregate data tables based on a number of preset dimensions respectively, where each data table includes a number of indexes;
    when it is detected that a specific index in a data table meets a predetermined threshold, start the abnormal flow pattern detection;
    count the indexes in the data table according to preset rules, and obtain the abnormal flow pattern of the abnormal network flow by analysis.
  13. The device according to claim 12, characterized in that the preset dimensions include:
    the same source address, the same source MAC address and the same destination address.
  14. The device according to claim 12, characterized in that the specific index values include any one or more of the following:
    the total aggregated count of the abnormal network flows, the average packet count of the abnormal network flows and the average byte count of the abnormal network flows.
Application number: CN201711113098.1A
Title: A kind of network anomaly detection method and device
Priority date: 2017-11-13
Filing date: 2017-11-13
Publication number: CN107733721A (en)
Publication date: 2018-02-23
Legal status listed: Pending
Family ID: 61215148
Country status: CN (1), CN107733721A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494583A (en) * 2018-02-24 2018-09-04 广州西麦科技股份有限公司 A kind of method and device generating network topology based on sFlow
CN108566335A (en) * 2018-03-02 2018-09-21 广州西麦科技股份有限公司 A kind of network topology generation method based on NetFlow
CN112839018A (en) * 2019-11-25 2021-05-25 华为技术有限公司 Degree value generation method and related equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101686235A (en) * 2008-09-26 2010-03-31 中联绿盟信息技术(北京)有限公司 Device and method for analyzing abnormal network flow
CN106790050A (en) * 2016-12-19 2017-05-31 北京启明星辰信息安全技术有限公司 A kind of anomalous traffic detection method and detecting system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈欣 (Chen Xin): "基于NetFlow和sFlow网络流融合的异常检测方法研究" (Research on anomaly detection methods based on the fusion of NetFlow and sFlow network flows), 《中国优秀硕士学位论文全文数据库 信息科技辑(月刊)》 (China Master's Theses Full-text Database, Information Science and Technology, monthly) *

Legal Events

Date Code Title Description
PB01 Publication (application publication date: 20180223)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication