CN108540443A - A kind of computer Traffic anomaly detection analysis system - Google Patents
Publication number: CN108540443A (application CN201810154063.0A)
Authority: CN (China)
Prior art keywords: network, data, flow, analysis, traffic
Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
CPC, all under H04L63/00 (Network architectures or network communication protocols for network security) and H04L63/14 (detecting or protecting against malicious traffic):
- H04L63/1408 > H04L63/1425: monitoring network traffic; traffic logging, e.g. anomaly detection
- H04L63/1408 > H04L63/1416: monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/1441 > H04L63/145: countermeasures against malicious traffic; the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L63/1441 > H04L63/1458: countermeasures against malicious traffic; Denial of Service
Abstract
The invention discloses a computer traffic anomaly detection and analysis system in which the network traffic monitoring process is divided into three stages: (1) collecting network data; (2) processing the data; (3) detecting anomalies. Rather than examining only the backbone traffic of a single link, the system has a wider detection range and can effectively find correlations between anomalous behaviour across links or across origin-destination (OD) flows; and when the monitored traffic objects change, the detection policy can be flexibly reformulated, improving the system's detection rate for abnormal traffic.
Description
Technical field
The present invention relates to the technical field of computer system equipment, and specifically to a computer traffic anomaly detection and analysis system.
Background art
The rapid development of the Internet has fundamentally changed how people live and work and has greatly improved working efficiency. However, as people's dependence on the Internet grows, the harm caused by abnormal traffic grows with it. The abnormal traffic that currently affects the normal operation of the Internet consists mainly of DDoS attacks, network worms, uncontrolled P2P applications, and other traffic that degrades network bandwidth and performance.
Summary of the invention
The purpose of the present invention is to provide a computer traffic anomaly detection and analysis system that overcomes the defects of the existing technology and meets requirements the existing technology cannot reach.
To achieve this, the invention provides the following technical solution: a computer traffic anomaly detection and analysis system in which the network traffic monitoring process is divided into three stages:
(1) Collecting network data. The collected data comprise static data related to configuration, dynamic data related to network events, and statistical data summarised from the dynamic data.
(2) Data processing. The collected data are processed, mainly to extract the anomaly information of interest.
(3) Anomaly detection. The reported information is analysed comprehensively to detect whether a problem has occurred and to analyse the cause of the problem.
The workflow of the analysis system comprises three steps: selecting the modelling samples, learning and establishing the model, and assessing the degree of deviation. The traffic acquisition methods in current use are of three kinds: first, traffic monitoring based on SNMP; second, functions provided by the bottom layer of the operating system; third, traffic monitoring based on NetFlow. A network anomaly generally means that the performance or the traffic parameters of the network behave abnormally; in anomaly detection, the measures commonly used in the statistical model include the number of audit events, the interval between them, and resource consumption.
Preferably, the advantage of SNMP-based traffic monitoring is that the overall performance and state of the network can be examined from a macroscopic angle, which makes it convenient for administrators to analyse and solve problems at the level of the whole network. Compared with the other two acquisition methods, the biggest feature of acquisition based on functions provided by the bottom layer of the operating system (traffic mirroring) is that it can provide rich application-layer information. Compared with the other two acquisition methods, NetFlow-based traffic monitoring works on flow records rather than packet contents and therefore has a much smaller data volume, as set out under the data sources below.
Preferably, the basis of network traffic anomaly detection is the traffic data generated on the network. By the granularity at which the data are aggregated, network traffic data sources can be divided into packet traces, network flows and SNMP statistics. A packet trace is the sequence of IP packets passing through a network or a network link. A network flow is the aggregation of a unidirectional sequence of packets between a specific source endpoint and destination endpoint, produced by routers that support the flow function by aggregating the forwarded packets according to their attributes; a flow does not include the content of the packets but retains their characteristic information. SNMP statistics are the data that SNMP-capable network devices produce by classifying and counting, by traffic, the packets that pass through them and are forwarded. The flow granularity contains the main characteristics of the data stream but not its content; it carries the basic attributes needed for anomaly analysis with a smaller data volume. Because the analysis of network flows does not concern itself with packet payload, packet-processing overhead is reduced, which makes efficient, real-time detection and determination of network anomalies easier.
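The three granularities just described, as an added example written for this page rather than taken from the patent: a constructed packet trace is aggregated into NetFlow-style flow records keyed on the 5-tuple (source, destination, protocol, source port, destination port) and, separately, into SNMP-style per-protocol counters, so that what each level keeps and drops can be seen side by side. The 5-tuple key, the 30-second active timeout and the SYN-without-ACK rule are this example's own assumptions, not values the patent gives.

```python
"""Added example (not from the patent): one constructed packet trace seen at the
three granularities the text names: packet trace -> flow records -> SNMP-style
interface counters. Shows what each level keeps and what it drops."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float              # seconds since trace start
    src: str
    dst: str
    proto: str             # "TCP", "UDP", "ICMP"
    sport: int
    dport: int
    length: int            # bytes on the wire
    flags: str = ""        # TCP flag letters, e.g. "S", "SA", "PA", "FA"
    payload: bytes = b""   # present only at packet-trace granularity


@dataclass
class FlowRecord:
    """NetFlow-style record: characteristic information, no payload."""
    first_ts: float
    last_ts: float
    packets: int = 0
    octets: int = 0
    syn_packets: int = 0   # SYN without ACK, i.e. connection attempts
    tcp_flags: set = field(default_factory=set)

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts


def aggregate_flows(trace, active_timeout=30.0):
    """Aggregate packets into unidirectional 5-tuple flows, as a flow-capable
    router would. A silence longer than active_timeout on the same key starts a
    new record (assumed timeout). Returns {5-tuple: [FlowRecord, ...]}."""
    flows = defaultdict(list)
    for p in sorted(trace, key=lambda p: p.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        recs = flows[key]
        if not recs or p.ts - recs[-1].last_ts > active_timeout:
            recs.append(FlowRecord(first_ts=p.ts, last_ts=p.ts))
        r = recs[-1]
        r.last_ts = p.ts
        r.packets += 1
        r.octets += p.length          # payload bytes are counted, never stored
        if "S" in p.flags and "A" not in p.flags:
            r.syn_packets += 1
        r.tcp_flags.update(p.flags)
    return dict(flows)


def syn_only_flow_count(flows):
    """Flows that never got past a SYN: the trace a SYN flood leaves at flow granularity."""
    return sum(1 for recs in flows.values() for r in recs if r.tcp_flags == {"S"})


def interface_counters(trace):
    """SNMP-style statistics: per-protocol totals only, no endpoints at all."""
    totals = defaultdict(lambda: {"packets": 0, "octets": 0})
    for p in trace:
        totals[p.proto]["packets"] += 1
        totals[p.proto]["octets"] += p.length
    return dict(totals)


# Constructed trace: one ordinary HTTP exchange, then five SYN-only packets from
# a single source to the same server (the shape a SYN flood has in a trace).
TRACE = [
    Packet(0.00, "10.0.0.5", "10.0.1.9", "TCP", 40001, 80, 60, "S"),
    Packet(0.01, "10.0.1.9", "10.0.0.5", "TCP", 80, 40001, 60, "SA"),
    Packet(0.02, "10.0.0.5", "10.0.1.9", "TCP", 40001, 80, 52, "A"),
    Packet(0.03, "10.0.0.5", "10.0.1.9", "TCP", 40001, 80, 180, "PA", b"GET / HTTP/1.1\r\n"),
    Packet(0.05, "10.0.1.9", "10.0.0.5", "TCP", 80, 40001, 1400, "PA", b"HTTP/1.1 200 OK\r\n"),
    Packet(0.06, "10.0.0.5", "10.0.1.9", "TCP", 40001, 80, 52, "FA"),
] + [
    Packet(1.0 + i * 0.001, "198.51.100.7", "10.0.1.9", "TCP", 50000 + i, 80, 60, "S")
    for i in range(5)
]

if __name__ == "__main__":
    flows = aggregate_flows(TRACE)
    for key, recs in flows.items():
        for r in recs:
            print(key, f"pkts={r.packets} octets={r.octets} syn={r.syn_packets} "
                       f"flags={sorted(r.tcp_flags)} dur={r.duration:.2f}s")
    print("syn-only flows:", syn_only_flow_count(flows))
    print("interface counters:", interface_counters(TRACE))
```

The client-side HTTP flow keeps its packet and byte counts, its flag set and its duration, but the `GET` line is gone; the five connection attempts from 198.51.100.7 show up as five one-packet flows whose only flag is SYN, which is exactly the feature that survives at flow granularity; and the SNMP-style counters collapse all eleven packets into one TCP total, which is why they give the macroscopic view but nothing per endpoint.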
Preferably, for a complex network system, in order to guarantee the bandwidth needs of important applications, bandwidth-based network traffic analysis makes the picture clear: traffic is divided by protocol, and monitoring and analysis are carried out for each protocol separately. If the traffic of some protocol rises abnormally sharply within a period, it may be attack traffic or a worm outbreak.
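The per-protocol monitoring in the paragraph above, as an added example that is not the patent's own method: constructed per-interval octet totals are split by protocol, and each protocol is compared with a rolling median of its own recent intervals. The window length, the 4x ratio, the floor and the choice of a median baseline are decisions made here, not values the patent specifies.

```python
"""Added example (not from the patent): divide traffic by protocol and flag a
sudden rise of one protocol against its own recent baseline. Flow records are
constructed; the rolling-median baseline is this example's assumption."""
from collections import defaultdict
from statistics import median


def split_by_protocol(flow_records):
    """flow_records: iterable of (interval_index, protocol, octets).
    Returns {protocol: [octets per interval]} with zeros for quiet intervals."""
    n = max(i for i, _, _ in flow_records) + 1
    per_proto = defaultdict(lambda: [0] * n)
    for i, proto, octets in flow_records:
        per_proto[proto][i] += octets
    return dict(per_proto)


def detect_sudden_rise(series, window=6, ratio=4.0, floor=1):
    """Flag interval t when series[t] > ratio * median(previous `window` values).
    The median (not the mean) is used so that an interval that was itself a
    spike does not lift the baseline and mask the intervals that follow it.
    `floor` keeps a near-zero baseline from flagging a few stray packets."""
    alerts = []
    for t in range(window, len(series)):
        base = max(median(series[t - window:t]), floor)
        if series[t] > ratio * base:
            alerts.append((t, series[t], base))
    return alerts


def protocol_alerts(flow_records, **kw):
    """Per-protocol alert lists of (interval, observed, baseline)."""
    return {proto: detect_sudden_rise(s, **kw)
            for proto, s in split_by_protocol(flow_records).items()}


# Constructed data: ten one-minute intervals of per-interval octet totals (KB).
# TCP drifts but stays in range; UDP jumps 25x at interval 8 and stays high.
_SERIES = {
    "TCP":  [1000, 1100, 950, 1050, 1000, 980, 1020, 1100, 1600, 1050],
    "UDP":  [100, 120, 90, 110, 100, 95, 105, 100, 2500, 2400],
    "ICMP": [10, 12, 8, 11, 10, 9, 10, 10, 12, 11],
}
FLOW_RECORDS = [(i, proto, kb) for proto, s in _SERIES.items() for i, kb in enumerate(s)]

if __name__ == "__main__":
    for proto, alerts in protocol_alerts(FLOW_RECORDS).items():
        for t, seen, base in alerts:
            print(f"{proto}: interval {t} carried {seen} KB against a baseline of {base:.0f} KB")
```

Only UDP is flagged, at intervals 8 and 9; the second alert is the point of the median: by interval 9 the spike at 8 is inside the window, yet the baseline is still about 102 KB, whereas a mean baseline would already have been pulled up by the spike. The 60% TCP rise at interval 8 is left alone, which is the trade-off a ratio threshold makes: it catches the step change a flood or worm produces, not a gradual drift.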
Preferably, the traffic anomaly detection and analysis system performs mining and correlation analysis on the collected network traffic, combines network traffic, access behaviour and the security of the business system, and helps administrators grasp how the network is used and analyse abnormal conditions in the business system, ensuring that the business system runs safely, stably and efficiently.
Compared with the prior art, the beneficial effects of the present invention are as follows: rather than examining only the backbone traffic of a single link, the system has a wider detection range and can effectively find correlations between anomalous behaviour across links or across OD flows; and when the monitored traffic objects change, the detection policy can be flexibly reformulated, improving the system's detection rate for abnormal traffic.
Detailed description of the embodiments
The technical solution in the embodiments of the invention is described clearly and completely below. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the invention.
The present invention provides the following technical solution: a computer traffic anomaly detection and analysis system whose three monitoring stages, three-step analysis workflow, three traffic acquisition methods, traffic data sources, protocol-based bandwidth analysis and correlation analysis are as set out in the summary section above. The embodiment below adds how attack-specific features are selected and modelled.
The computer traffic anomaly detection and analysis system of the invention can change its settings in real time according to actual needs. For a particular attack, the subset of the basic features that is relevant to that attack is taken as the feature set describing that class of attack. For a SYN flood attack, for example, the combined features can be chosen as packets per second, average packet length, the number of SYN packets, and the like. The data of the earlier basic feature set are used to learn and train the features of this class of attack, which yields in real time a normal model and an anomaly model for the attack's combined features; with this model, this class of attack on the network can be detected in real time. On the other hand, learning from data sets of known attack types and behaviour can also be combined with the manually chosen attack features to optimise them, so that they better reflect the characteristics of the attack. Since the data set is obtained by real-time extraction from network traffic and truly reflects the real-time state of the network, sharing the data set can provide a common operation and control platform for the anomaly detection systems of different management domains of the network.
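The SYN flood feature set named above and the three-step workflow from the summary (sample selection, model learning, deviation assessment), as an added example that is not the patent's code: windows of constructed packets are reduced to the three named features, a per-feature mean and standard deviation is learnt from the windows selected as normal, and a window whose largest z-score exceeds a threshold is flagged; a labelled known-attack set is then used to rank the features, which is the refinement step the text mentions. The z-score model, the threshold of 3 and the separation score are this example's own choices.

```python
"""Added example (not from the patent): the SYN-flood feature set named in the
text (packets per second, average packet length, SYN packet count) run through
sample selection, model learning and deviation assessment. Packets and windows
are constructed; the per-feature z-score model and the separation score used to
refine the feature set are this example's own choices."""
from statistics import mean, pstdev

SYN_FLOOD_FEATURES = ("pkts_per_s", "avg_pkt_len", "syn_count")


def window_features(packets, window_s=1.0):
    """Feature vector for one observation window. packets: dicts with 'len' and TCP 'flags'."""
    n = len(packets)
    syn = sum(1 for p in packets if "S" in p["flags"] and "A" not in p["flags"])
    return {
        "pkts_per_s": n / window_s,
        "avg_pkt_len": sum(p["len"] for p in packets) / n if n else 0.0,
        "syn_count": syn,
    }


def learn_normal_model(normal_windows, features=SYN_FLOOD_FEATURES):
    """Step 2: per-feature mean and standard deviation over windows selected as normal."""
    model = {}
    for f in features:
        values = [w[f] for w in normal_windows]
        model[f] = (mean(values), max(pstdev(values), 1e-9))   # guard a constant feature
    return model


def deviation(model, window):
    """Step 3: largest per-feature z-score; one feature far off is enough."""
    return max(abs(window[f] - mu) / sd for f, (mu, sd) in model.items())


def is_anomalous(model, window, threshold=3.0):
    return deviation(model, window) > threshold


def rank_features(normal_windows, attack_windows, features=SYN_FLOOD_FEATURES):
    """Refine the hand-picked set with a labelled known-attack set: score each
    feature by how far the attack windows sit from the normal mean, in normal
    standard deviations. Highest first."""
    model = learn_normal_model(normal_windows, features)
    scores = {f: abs(mean(w[f] for w in attack_windows) - mu) / sd
              for f, (mu, sd) in model.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def make_window(n_data, data_len, n_syn):
    """Constructed one-second window: n_syn SYNs (60 bytes) plus n_data data segments."""
    return [{"len": 60, "flags": "S"}] * n_syn + [{"len": data_len, "flags": "PA"}] * n_data


# Step 1: sample selection. Eight windows of ordinary traffic (a few connection
# attempts, mostly data segments) and two windows shaped like a SYN flood.
NORMAL_WINDOWS = [window_features(make_window(n, l, s)) for n, l, s in
                  [(18, 800, 2), (20, 760, 3), (22, 820, 2), (19, 790, 3),
                   (21, 810, 2), (20, 780, 2), (23, 830, 3), (18, 770, 2)]]
ATTACK_WINDOWS = [window_features(make_window(0, 0, 400)),
                  window_features(make_window(3, 800, 350))]

if __name__ == "__main__":
    model = learn_normal_model(NORMAL_WINDOWS)
    for w in NORMAL_WINDOWS + ATTACK_WINDOWS:
        print(f"syn={w['syn_count']:>4} pps={w['pkts_per_s']:>6.0f} "
              f"deviation={deviation(model, w):8.1f} anomalous={is_anomalous(model, w)}")
    print("feature ranking:", rank_features(NORMAL_WINDOWS, ATTACK_WINDOWS))
```

The normal windows all stay under two standard deviations on every feature, both flood windows are hundreds of deviations out, and the ranking puts the SYN count first, packet rate second and average length last: the attack's own feature carries the decision, and the ranking is what tells an operator which of the hand-picked features to keep when the set is tuned against a known-attack data set. The one operational caveat the model itself cannot remove is that the "normal" windows must really be normal; a flood that is already under way when the samples are selected is learnt as the baseline.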
Although embodiments of the invention have been shown and described, a person of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principle and spirit of the invention; the scope of the invention is defined by the appended claims.
Claims (5)
1. A computer traffic anomaly detection and analysis system, characterised in that the network traffic monitoring process is divided into three stages: (1) collecting network data, the collected data comprising static data related to configuration, dynamic data related to network events, and statistical data summarised from the dynamic data; (2) data processing, in which the collected data are processed mainly to extract the anomaly information of interest; (3) anomaly detection, in which the reported information is analysed comprehensively to detect whether a problem has occurred and to analyse its cause; the workflow of the analysis system comprises three steps: modelling sample selection, model learning and establishment, and deviation assessment; the traffic acquisition methods in current use are of three kinds: first, SNMP-based traffic monitoring; second, functions provided by the bottom layer of the operating system; third, NetFlow-based traffic monitoring; a network anomaly generally means that the performance or the traffic parameters of the network behave abnormally, and in anomaly detection the measures commonly used in the statistical model include the number of audit events, the interval between them, and resource consumption.
2. The computer traffic anomaly detection and analysis system according to claim 1, characterised in that the advantage of SNMP-based traffic monitoring is that the overall performance and state of the network can be examined from a macroscopic angle, which makes it convenient for administrators to analyse and solve problems at the level of the whole network; compared with the other two acquisition methods, the biggest feature of acquisition based on functions provided by the bottom layer of the operating system (traffic mirroring) is that it can provide rich application-layer information; compared with the other two acquisition methods, NetFlow-based traffic monitoring works on flow records rather than packet contents and therefore has a much smaller data volume.
3. The computer traffic anomaly detection and analysis system according to claim 1, characterised in that the basis of network traffic anomaly detection is the traffic data generated on the network; by the granularity at which the data are aggregated, network traffic data sources can be divided into packet traces, network flows and SNMP statistics; a packet trace is the sequence of IP packets passing through a network or a network link; a network flow is the aggregation of a unidirectional sequence of packets between a specific source endpoint and destination endpoint, produced by routers that support the flow function by aggregating the forwarded packets according to their attributes; a flow does not include the content of the packets but retains their characteristic information; SNMP statistics are the data that SNMP-capable network devices produce by classifying and counting, by traffic, the packets that pass through them and are forwarded; the flow granularity contains the main characteristics of the data stream but not its content, carries the basic attributes needed for anomaly analysis with a smaller data volume, and, because the analysis of network flows does not concern itself with packet payload, reduces packet-processing overhead and makes efficient, real-time detection and determination of network anomalies easier.
4. The computer traffic anomaly detection and analysis system according to claim 1, characterised in that, for a complex network system, in order to guarantee the bandwidth needs of important applications, bandwidth-based network traffic analysis makes the picture clear: traffic is divided by protocol, and monitoring and analysis are carried out for each protocol separately; if the traffic of some protocol rises abnormally sharply within a period, it may be attack traffic or a worm outbreak.
5. The computer traffic anomaly detection and analysis system according to claim 1, characterised in that the traffic anomaly detection and analysis system performs mining and correlation analysis on the collected network traffic, combines network traffic, access behaviour and the security of the business system, and helps administrators grasp how the network is used and analyse abnormal conditions in the business system, ensuring that the business system runs safely, stably and efficiently.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810154063.0A CN108540443A (en) | 2018-02-22 | 2018-02-22 | A kind of computer Traffic anomaly detection analysis system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108540443A true CN108540443A (en) | 2018-09-14 |
Family
ID=63486148
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810154063.0A Pending CN108540443A (en) | 2018-02-22 | 2018-02-22 | A kind of computer Traffic anomaly detection analysis system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108540443A (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101414927A (en) * | 2008-11-20 | 2009-04-22 | 浙江大学 | Alarm and response system for inner-mesh network aggression detection |
US9225736B1 (en) * | 2013-06-27 | 2015-12-29 | Symantec Corporation | Techniques for detecting anomalous network traffic |
CN103647665A (en) * | 2013-12-13 | 2014-03-19 | 北京启明星辰信息技术股份有限公司 | Network flow curve analysis method and apparatus |
Non-Patent Citations (4)
- 杨雅辉 (Yang Yahui), "Research on network traffic anomaly detection and analysis" (网络流量异常检测及分析的研究), Computer Science (计算机科学)
- 王海龙 (Wang Hailong), "Large-scale network traffic anomaly analysis" (大规模网络流量异常分析), China Master's Theses Full-text Database, Information Science and Technology (中国优秀硕士学位论文全文数据库信息科技辑)
- 电脑杂谈, "Traffic analysis system / Donghua traffic analysis / the role of a statistical analysis system" (流量分析系统_东华流量分析_统计分析系统的作用), HTTP://WWW.PC-FLY.COM/A/TONGXINSHUYU/ARTICLE-39512-1.HTML
- 穆斌 等 (Mu Bin et al.), "Network traffic monitoring and abnormal traffic analysis technology" (网络流量监测及异常流量分析技术), Information Systems Engineering (信息系统工程)
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109194590A (en) * | 2018-09-17 | 2019-01-11 | 中国科学技术大学 | Support the internet exchange system of intelligence in net |
CN109194590B (en) * | 2018-09-17 | 2020-08-25 | 中国科学技术大学 | Network switching system supporting intelligence in network |
CN111953504A (en) * | 2019-05-15 | 2020-11-17 | 中国电信股份有限公司 | Abnormal flow detection method and device, and computer readable storage medium |
CN111953504B (en) * | 2019-05-15 | 2023-03-24 | 中国电信股份有限公司 | Abnormal flow detection method and device, and computer readable storage medium |
CN112612998A (en) * | 2020-12-25 | 2021-04-06 | 福州掌中云科技有限公司 | Method and equipment for detecting and identifying abnormal channel based on real-time access condition |
Similar Documents
Publication | Title
---|---
Barford et al. | Characteristics of network traffic flow anomalies
Lee et al. | Network monitoring: Present and future
CN103067192B | A kind of analytical system of network traffics and method
US7924739B2 | Method and apparatus for one-way passive loss measurements using sampled flow statistics
US9584533B2 | Performance enhancements for finding top traffic patterns
Burschka et al. | Tranalyzer: Versatile high performance network traffic analyser
CN108540443A | A kind of computer Traffic anomaly detection analysis system
Pekár et al. | Adaptive aggregation of flow records
CN106973012A | A kind of computer network loop detecting method
Mahmood et al. | An efficient clustering scheme to exploit hierarchical data in network traffic analysis
CN101741608A | Traffic characteristic-based P2P application identification system and method
CN112333020B | Network security monitoring and data message analysis system based on quintuple
Mahmood et al. | Network traffic analysis and SCADA security
CN106452941A | Network anomaly detection method and device
Harrison et al. | Carpe elephants: Seize the global heavy hitters
Cho et al. | Aguri: An aggregation-based traffic profiler
CN105991623B | A kind of services interconnection relationship auditing method and system
Onut et al. | A Feature Classification Scheme For Network Intrusion Detection
CN104079452A | Data monitoring technology and network traffic abnormality classifying method
D'Antonio et al. | High-speed intrusion detection in support of critical infrastructure protection
CN109150920A | A kind of attack detecting source tracing method based on software defined network
Pekár et al. | Issues in the passive approach of network traffic monitoring
CN103957128A | Method and system for monitoring data flow direction in cloud computing environment
Roy et al. | State of the art analysis of network traffic anomaly detection
Liu et al. | Next generation internet traffic monitoring system based on netflow
Legal Events
Code | Title | Description
---|---|---
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180914