CN108337216A - A kind of sextuple space traffic security analysis model generation method and system - Google Patents


Info

Publication number: CN108337216A
Authority: CN (China)
Prior art keywords: dimension, destination, source, time, data packet
Legal status: Granted (active)
Application number: CN201710205202.3A
Other languages: Chinese (zh)
Other versions: CN108337216B (en)
Inventors: 李波, 肖天炜, 侯文伶
Current assignee: Beijing Ahtech Network Safe Technology Ltd
Original assignee: Beijing Ahtech Network Safe Technology Ltd
Application filed by Beijing Ahtech Network Safe Technology Ltd; priority to CN201710205202.3A; published as CN108337216A; granted and published as CN108337216B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention proposes a six-dimensional space traffic security analysis model generation method and system. The six-dimensional space traffic security analysis model comprises a basic element dimension, a time dimension, a variation dimension, an information dimension, a correlation dimension and a spatial dimension. The invention addresses the technical problem that the traditional five-tuple and deep packet inspection techniques of the prior art cannot achieve effective detection in some scenarios. The invention extends the traffic features to a 23-tuple and characterises each part of the traffic with the six-dimensional space model; through the six-dimensional space traffic security analysis model of the invention, traffic can be analysed effectively and more comprehensively, malicious traffic and attack behaviour can be identified efficiently, and the analysis result is more accurate.

Description

Six-dimensional space traffic security analysis model generation method and system
Technical field
The present invention relates to the field of information security technology, and in particular to a six-dimensional space traffic security analysis model generation method and system.
Background technology
Traditional IP packet traffic identification analyses only the "5-tuple" in the IP packet header to determine the basic information of the current flow; it examines only the network-layer and transport-layer content of the packet and cannot perform deep analysis of IP data services and content.
DPI (Deep Packet Inspection) technology adds analysis of the (data) application layer on top of header analysis and can analyse the features of protocols at layers four to seven of the OSI seven-layer model, but in some scenarios it still cannot achieve comprehensive traffic analysis capability.
Summary of the invention
To address the above problem of the prior art, the present invention proposes a six-dimensional space traffic security analysis model generation method and system that extends the traffic to a 23-tuple for analysis, so as to achieve more accurate and comprehensive traffic analysis and detection and to identify malicious traffic and APT events more efficiently.
Specifically, the content of the invention includes:
A six-dimensional space traffic security analysis model generation method, comprising:
Establishing a basic element dimension composed of source IP, source port, destination IP, destination port and protocol number; the basic element dimension records the basic elements of network communication, including the communication of each attack;
Establishing a time dimension composed of the start time and end time of each session; the time dimension records each session and each IP communication time, including the duration of each attack and each attack action;
Establishing a variation dimension composed of slope and transmission speed; the variation dimension records the ratio of each pair of uplink and downlink communication packets, and the ratio of communication packet size to time for each communication;
Establishing an information dimension composed of fixed keywords, floating keywords, key payload information, user identity and application identity; the information dimension is not responsible for restoring information, and records only the key information required for security analysis according to demand, regulations and scenario;
Establishing a correlation dimension formed from the number of packets with the same five-tuple; the same five-tuple represents one session and represents the correlation of scattered information, and the number of packets per five-tuple indicates how long a communication lasted and how much information was transmitted, so the correlation dimension can make a preliminary judgement about the category and action content of an attack;
Establishing a spatial dimension composed of source IP longitude, source IP latitude, source IP country, source IP city, destination IP longitude, destination IP latitude, destination IP country and destination IP city; the spatial dimension records the precise geographic position of each communicating IP, including the precise geographic location from which each attack was launched;
Combining the basic element dimension, time dimension, variation dimension, information dimension, correlation dimension and spatial dimension to obtain the six-dimensional space traffic security analysis model.
Further, the slope is calculated as follows: among the packets with the same five-tuple, the number of uplink packets is divided by the number of downlink packets; if the number of downlink packets is 0, it is regarded as no response.
Further, the transmission speed is calculated as follows: the sum of the packet sizes is divided by the transmission time.
A six-dimensional space traffic security analysis model generation system, comprising:
A dimension establishing module, for establishing the basic element dimension composed of source IP, source port, destination IP, destination port and protocol number; establishing the time dimension composed of the start time and end time of each session; establishing the variation dimension composed of slope and transmission speed; establishing the information dimension composed of fixed keywords, floating keywords, key payload information, user identity and application identity; establishing the correlation dimension formed from the number of packets with the same five-tuple; and establishing the spatial dimension composed of source IP longitude, source IP latitude, source IP country, source IP city, destination IP longitude, destination IP latitude, destination IP country and destination IP city;
wherein the time dimension records each session and each IP communication time, including the duration of each attack and each attack action; the variation dimension records the ratio of each pair of uplink and downlink communication packets, and the ratio of communication packet size to time for each communication; the information dimension is not responsible for restoring information and records only the key information required for security analysis according to demand, regulations and scenario; the same five-tuple represents one session and represents the correlation of scattered information, and the number of packets per five-tuple indicates how long a communication lasted and how much information was transmitted, so the correlation dimension can make a preliminary judgement about the category and action content of an attack; and the spatial dimension records the precise geographic position of each communicating IP, including the precise geographic location from which each attack was launched;
A model generating module, for combining the basic element dimension, time dimension, variation dimension, information dimension, correlation dimension and spatial dimension to obtain the six-dimensional space traffic security analysis model.
Further, the slope is calculated as follows: among the packets with the same five-tuple, the number of uplink packets is divided by the number of downlink packets; if the number of downlink packets is 0, it is regarded as no response.
Further, the transmission speed is calculated as follows: the sum of the packet sizes is divided by the transmission time.
The beneficial effects of the invention are as follows:
The invention extends the traffic features to a 23-tuple and characterises each part of the traffic with the six-dimensional space model; through the six-dimensional space traffic security analysis model of the invention, traffic can be analysed effectively and more comprehensively, malicious traffic and attack behaviour can be identified efficiently, and the analysis result is more accurate.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. It is evident that the drawings in the following description show only some embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is the flow diagram of the method for generating a six-dimensional space traffic security analysis model according to the present invention;
Fig. 2 is the structure diagram of the system for generating a six-dimensional space traffic security analysis model according to the present invention.
Detailed description of embodiments
In order to enable those skilled in the art to better understand the technical solution in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention clearer and easier to understand, the technical solution of the present invention is explained in further detail below with reference to the accompanying drawings.
The present invention provides an embodiment of the method for generating a six-dimensional space traffic security analysis model which, as shown in Fig. 1, comprises:
S101: Establishing a basic element dimension composed of source IP, source port, destination IP, destination port and protocol number; the basic element dimension records the basic elements of network communication, including the communication of each attack;
S102: Establishing a time dimension composed of the start time and end time of each session; the time dimension records each session and each IP communication time, including the duration of each attack and each attack action;
S103: Establishing a variation dimension composed of slope and transmission speed; the variation dimension records the ratio of each pair of uplink and downlink communication packets, and the ratio of communication packet size to time for each communication;
S104: Establishing an information dimension composed of fixed keywords, floating keywords, key payload information, user identity and application identity; the information dimension is not responsible for restoring information, and records only the key information required for security analysis according to demand, regulations and scenario;
S105: Establishing a correlation dimension formed from the number of packets with the same five-tuple; the same five-tuple represents one session and represents the correlation of scattered information, and the number of packets per five-tuple indicates how long a communication lasted and how much information was transmitted, so the correlation dimension can make a preliminary judgement about the category and action content of an attack;
S106: Establishing a spatial dimension composed of source IP longitude, source IP latitude, source IP country, source IP city, destination IP longitude, destination IP latitude, destination IP country and destination IP city; the spatial dimension records the precise geographic position of each communicating IP, including the precise geographic location from which each attack was launched;
S107: Combining the basic element dimension, time dimension, variation dimension, information dimension, correlation dimension and spatial dimension to obtain the six-dimensional space traffic security analysis model.
Preferably, the slope is calculated as follows: among the packets with the same five-tuple, the number of uplink packets is divided by the number of downlink packets; if the number of downlink packets is 0, it is regarded as no response.
Preferably, the transmission speed is calculated as follows: the sum of the packet sizes is divided by the transmission time.
The present invention provides an embodiment of the system for generating a six-dimensional space traffic security analysis model which, as shown in Fig. 2, comprises:
A dimension establishing module 201, for establishing the basic element dimension composed of source IP, source port, destination IP, destination port and protocol number; establishing the time dimension composed of the start time and end time of each session; establishing the variation dimension composed of slope and transmission speed; establishing the information dimension composed of fixed keywords, floating keywords, key payload information, user identity and application identity; establishing the correlation dimension formed from the number of packets with the same five-tuple; and establishing the spatial dimension composed of source IP longitude, source IP latitude, source IP country, source IP city, destination IP longitude, destination IP latitude, destination IP country and destination IP city;
wherein the time dimension records each session and each IP communication time, including the duration of each attack and each attack action; the variation dimension records the ratio of each pair of uplink and downlink communication packets, and the ratio of communication packet size to time for each communication; the information dimension is not responsible for restoring information and records only the key information required for security analysis according to demand, regulations and scenario; the same five-tuple represents one session and represents the correlation of scattered information, and the number of packets per five-tuple indicates how long a communication lasted and how much information was transmitted, so the correlation dimension can make a preliminary judgement about the category and action content of an attack; and the spatial dimension records the precise geographic position of each communicating IP, including the precise geographic location from which each attack was launched;
A model generating module 202, for combining the basic element dimension, time dimension, variation dimension, information dimension, correlation dimension and spatial dimension to obtain the six-dimensional space traffic security analysis model.
Preferably, the slope is calculated as follows: among the packets with the same five-tuple, the number of uplink packets is divided by the number of downlink packets; if the number of downlink packets is 0, it is regarded as no response.
Preferably, the transmission speed is calculated as follows: the sum of the packet sizes is divided by the transmission time.
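As an added example (not code from the patent or from its assignee), the following Python builds the six-dimension record for each session of a constructed packet trace, applying the slope and transmission-speed rules above including the "no response" case, and flattens each record to the 23-tuple. The GeoIP table, keyword lists and port-to-application map are assumptions, and uplink versus downlink is taken as the initiating five-tuple versus its reverse.

```python
from collections import OrderedDict

# Constructed packet trace (not from the patent):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, size_bytes, payload)
PACKETS = [
    (0.0, "10.0.0.5", 51000, "203.0.113.9", 443, 6, 600, b"GET /login?user=alice"),
    (0.2, "203.0.113.9", 443, "10.0.0.5", 51000, 6, 1400, b"HTTP/1.1 200 OK"),
    (0.5, "10.0.0.5", 51000, "203.0.113.9", 443, 6, 300, b"POST /api token=abc123"),
    (0.7, "203.0.113.9", 443, "10.0.0.5", 51000, 6, 900, b"HTTP/1.1 200 OK"),
    (3.0, "10.0.0.7", 40000, "198.51.100.2", 4444, 6, 100, b"beacon id=7"),
    (3.5, "10.0.0.7", 40000, "198.51.100.2", 4444, 6, 100, b"beacon id=7"),
    (4.0, "10.0.0.7", 40000, "198.51.100.2", 4444, 6, 100, b"beacon id=7"),
]

# Constructed GeoIP table, ip -> (longitude, latitude, country, city); a deployment
# would query a GeoIP database instead (assumption).
GEO = {
    "10.0.0.5": (116.40, 39.90, "CN", "Beijing"),
    "10.0.0.7": (116.40, 39.90, "CN", "Beijing"),
    "203.0.113.9": (-122.33, 47.61, "US", "Seattle"),
    "198.51.100.2": (37.62, 55.75, "RU", "Moscow"),
}

# Assumed policy configuration for the information dimension.
FIXED_KEYWORDS = (b"login", b"beacon")    # literal strings worth flagging
FLOATING_KEYS = (b"token=", b"id=")       # keys whose value varies per packet
APP_BY_PORT = {443: "https", 80: "http"}  # application identity by destination port


def _reverse(key):
    src, sp, dst, dp, proto = key
    return (dst, dp, src, sp, proto)


def _value_after(payload, marker):
    """Value following a 'key=' marker, or None when the key is absent or empty."""
    i = payload.find(marker)
    rest = payload[i + len(marker):].split() if i >= 0 else []
    return rest[0].decode() if rest else None


def build_model(packets):
    """Group packets into sessions keyed by the initiator's five-tuple; one record per session."""
    sessions = OrderedDict()
    for pkt in packets:
        key, rev = pkt[1:6], _reverse(pkt[1:6])
        if rev in sessions:                      # reply traffic of a known session: downlink
            sessions[rev]["down"].append(pkt)
        else:
            sessions.setdefault(key, {"up": [], "down": []})["up"].append(pkt)
    return {k: _record(k, s["up"], s["down"]) for k, s in sessions.items()}


def _record(key, up, down):
    pkts = sorted(up + down, key=lambda p: p[0])
    start, end = pkts[0][0], pkts[-1][0]
    total_bytes = sum(p[6] for p in pkts)
    # Variation dimension: slope = uplink/downlink packet count; no downlink means no response.
    slope = None if not down else len(up) / len(down)
    # Transmission speed = total bytes / transmission time; a single-packet session has no rate.
    speed = None if end == start else total_bytes / (end - start)
    payload = b" ".join(p[7] for p in pkts)
    return {
        "basic": dict(zip(("src_ip", "src_port", "dst_ip", "dst_port", "proto"), key)),
        "time": {"start": start, "end": end},
        "variation": {"slope": slope, "speed": speed},
        "info": {
            "fixed": [k.decode() for k in FIXED_KEYWORDS if k in payload],
            "floating": sorted({_value_after(payload, k) for k in FLOATING_KEYS} - {None}),
            "key_payload": pkts[0][7].decode(),  # first request line stands in for key payload
            "user": _value_after(payload, b"user="),
            "app": APP_BY_PORT.get(key[3], "unknown"),
        },
        "correlation": {"packet_count": len(pkts)},  # packets sharing this session's five-tuple
        "spatial": {"src": GEO.get(key[0], (None,) * 4), "dst": GEO.get(key[2], (None,) * 4)},
    }


def as_23_tuple(rec):
    """Flatten one record into the 23 fields the six dimensions add up to (5+2+2+5+1+8)."""
    b, t, v, i, c, s = (rec[d] for d in ("basic", "time", "variation", "info", "correlation", "spatial"))
    return (tuple(b.values()) + (t["start"], t["end"]) + (v["slope"], v["speed"])
            + (tuple(i["fixed"]), tuple(i["floating"]), i["key_payload"], i["user"], i["app"])
            + (c["packet_count"],) + s["src"] + s["dst"])
```

In the constructed trace the beaconing session has no downlink packets, so its slope is None ("no response") while the web session gets a slope of 1.0; both flatten to 23 fields.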
The method embodiments in this specification are described in a progressive manner; since the system embodiment is substantially similar to the method embodiment, its description is relatively simple, and the relevant parts may be found in the description of the method embodiment. To address the technical problem that the traditional five-tuple and deep packet inspection techniques of the prior art cannot achieve effective detection in some scenarios, the present invention proposes a six-dimensional space traffic security analysis model generation method and system, comprising: establishing a basic element dimension composed of source IP, source port, destination IP, destination port and protocol number; establishing a time dimension composed of the start time and end time of each session; establishing a variation dimension composed of slope and transmission speed; establishing an information dimension composed of fixed keywords, floating keywords, key payload information, user identity and application identity; establishing a correlation dimension formed from the number of packets with the same five-tuple; establishing a spatial dimension composed of source IP longitude, source IP latitude, source IP country, source IP city, destination IP longitude, destination IP latitude, destination IP country and destination IP city; and combining the basic element dimension, time dimension, variation dimension, information dimension, correlation dimension and spatial dimension to obtain the six-dimensional space traffic security analysis model. The invention extends the traffic features to a 23-tuple and characterises each part of the traffic with the six-dimensional space model; through the six-dimensional space traffic security analysis model of the invention, traffic can be analysed effectively and more comprehensively, malicious traffic and attack behaviour can be identified efficiently, and the analysis result is more accurate.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will appreciate that the present invention admits many variations and changes without departing from its spirit, and it is intended that the appended claims cover such variations and changes without departing from the spirit of the present invention.

Claims (6)

1. A six-dimensional space traffic security analysis model generation method, characterised in that it comprises:
establishing a basic element dimension composed of source IP, source port, destination IP, destination port and protocol number;
establishing a time dimension composed of the start time and end time of each session;
establishing a variation dimension composed of slope and transmission speed;
establishing an information dimension composed of fixed keywords, floating keywords, key payload information, user identity and application identity;
establishing a correlation dimension formed from the number of packets with the same five-tuple;
establishing a spatial dimension composed of source IP longitude, source IP latitude, source IP country, source IP city, destination IP longitude, destination IP latitude, destination IP country and destination IP city;
combining the basic element dimension, time dimension, variation dimension, information dimension, correlation dimension and spatial dimension to obtain the six-dimensional space traffic security analysis model.
2. The method according to claim 1, characterised in that the slope is calculated as follows: among the packets with the same five-tuple, the number of uplink packets is divided by the number of downlink packets; if the number of downlink packets is 0, it is regarded as no response.
3. The method according to claim 1, characterised in that the transmission speed is calculated as follows: the sum of the packet sizes is divided by the transmission time.
4. A six-dimensional space traffic security analysis model generation system, characterised in that it comprises:
a dimension establishing module, for establishing the basic element dimension composed of source IP, source port, destination IP, destination port and protocol number; establishing the time dimension composed of the start time and end time of each session; establishing the variation dimension composed of slope and transmission speed; establishing the information dimension composed of fixed keywords, floating keywords, key payload information, user identity and application identity; establishing the correlation dimension formed from the number of packets with the same five-tuple; and establishing the spatial dimension composed of source IP longitude, source IP latitude, source IP country, source IP city, destination IP longitude, destination IP latitude, destination IP country and destination IP city;
a model generating module, for combining the basic element dimension, time dimension, variation dimension, information dimension, correlation dimension and spatial dimension to obtain the six-dimensional space traffic security analysis model.
5. The system according to claim 4, characterised in that the slope is calculated as follows: among the packets with the same five-tuple, the number of uplink packets is divided by the number of downlink packets; if the number of downlink packets is 0, it is regarded as no response.
6. The system according to claim 4, characterised in that the transmission speed is calculated as follows: the sum of the packet sizes is divided by the transmission time.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201710205202.3A (granted as CN108337216B) | 2017-03-31 | 2017-03-31 | Six-dimensional space flow safety analysis model generation method and system | Active

Publications (2)

Publication Number | Publication Date
CN108337216A (en) | 2018-07-27
CN108337216B (en) | 2020-02-07

Family

ID=62923009

Country Status (1)

Country | Link
CN (1) | CN108337216B (en)
Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2369529A1 (en) * 2010-03-24 2011-09-28 Alcatel Lucent A method of detecting anomalies in a message exchange, corresponding computer program product, and data storage device therefor
CN103905418A (en) * 2013-11-12 2014-07-02 北京安天电子设备有限公司 APT multi-dimensional detection and defense system and method
CN103957205A (en) * 2014-04-25 2014-07-30 国家电网公司 Trojan horse detection method based on terminal traffic

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant