CN108540443A - A kind of computer Traffic anomaly detection analysis system - Google Patents


Info

Publication number
CN108540443A
Authority
CN
China
Prior art keywords
network
data
flow
analysis
traffic
Prior art date
Legal status
Pending
Application number
CN201810154063.0A
Other languages
Chinese (zh)
Inventor
罗子江
王继红
崔潇
倪照风
杨晨
郭祥
王一
陈焕飞
Current Assignee
Guizhou University of Finance and Economics
Original Assignee
Guizhou University of Finance and Economics
Priority date
2018-02-22
Filing date
2018-02-22
Publication date
2018-09-14

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a computer traffic anomaly detection and analysis system in which the network traffic monitoring process is divided into three phases: (1) network data collection; (2) data processing; (3) anomaly detection. Compared with monitoring the main gigabit traffic of a single link, the system's detection range is wider, and it can effectively find correlations of abnormal behaviour between links or between OD (origin-destination) flows; and when the object of data flow monitoring changes, the detection policy can be formulated flexibly, which improves the system's detection rate for abnormal traffic.

Description

A kind of computer Traffic anomaly detection analysis system
Technical field
The present invention relates to the technical field of computer system devices, specifically to a computer traffic anomaly detection and analysis system.
Background technology
The rapid development of the Internet has fundamentally changed people's lives and ways of working and has greatly increased work efficiency. However, as people's dependence on the Internet grows, the harm caused by abnormal traffic keeps expanding. The abnormal traffic that currently affects the normal operation of the Internet consists mainly of DDoS attacks, network worms, uncontrolled P2P applications, and other traffic that degrades network bandwidth and performance.
Invention content
The purpose of the present invention is to provide a computer traffic anomaly detection and analysis system that overcomes the defects of existing technology and meets requirements that existing technology cannot reach.
To achieve the above object, the present invention provides the following technical solution: a computer traffic anomaly detection and analysis system in which the network traffic monitoring process is divided into three phases. (1) Network data collection: the collected data includes static data related to configuration, dynamic data related to network events, and statistical data summarised from the dynamic data. (2) Data processing: the collected data is processed, mainly to extract the anomaly information of interest. (3) Anomaly detection: the reported information is analysed comprehensively to detect whether a problem has occurred and to analyse its cause. The workflow of the analysis system consists of three steps: selection of modelling samples, learning and establishing the model, and deviation assessment. The traffic acquisition methods currently in use fall into three kinds: first, traffic monitoring technology based on SNMP; second, functions provided by the underlying operating system; third, traffic monitoring technology based on NetFlow. A network anomaly generally means that a performance or traffic parameter of the network appears abnormal; in anomaly detection, the quantities commonly measured in a statistical model include the number of audit events, their interval time, and resource consumption.
Preferably, the advantage of SNMP traffic monitoring is that the overall performance and condition of the network can be viewed from a macroscopic angle, which makes it convenient for administrators to analyse and solve problems at the global level. Compared with the other two traffic collection methods, functions provided by the underlying operating system have the biggest feature of traffic-mirroring collection, namely the ability to provide rich application-layer information. Compared with the other two traffic collection methods, NetFlow traffic monitoring technology likewise has the biggest feature of traffic-mirroring collection, namely the ability to provide rich application-layer information.
Preferably, the basis of network traffic anomaly detection is the traffic data generated on the network. According to the granularity of data aggregation, network traffic data sources can be divided into packet traces, network flows, and SNMP statistical data. A packet trace is the sequence of IP packets flowing through the network or a network link. A network flow is the aggregation of a unidirectional sequence of packets between a specific source and destination endpoint; it is produced by a router that supports the flow function by aggregating the packets it forwards according to their attributes. A network flow does not contain the content of the packets but retains their characteristic information. SNMP statistical data is data produced by SNMP-capable network devices that classify and count, by flow, the packets passing through and forwarded by them. The granularity of a network flow captures the main features of the data stream without the data content; network flows contain the basic attributes needed for anomaly analysis while having a smaller data volume. When analysing network flows there is no need to consider packet payloads, which reduces packet-processing overhead and makes efficient, real-time detection and determination of network anomalies easier.
Preferably, for a complex network system, in order to guarantee the bandwidth demand of important applications, bandwidth-based network traffic analysis can make the situation clearer: the network traffic is divided by protocol, and traffic monitoring and analysis is carried out for each protocol. If a protocol shows an extraordinary sudden and sharp rise within a period, it may be attack traffic or a worm virus appearing.
Preferably, the traffic anomaly detection and analysis system mines and performs correlation analysis on the collected network traffic; it combines network traffic, access behaviour, and the security of the business system, helping administrators grasp the network usage situation and analyse abnormal conditions of the business system, so as to ensure the safe, stable and efficient operation of the business system.
Compared with the prior art, the beneficial effects of the present invention are as follows:
Compared with monitoring the main gigabit traffic of a single link, the detection range is wider, and correlations of abnormal behaviour between links or between OD flows can be found effectively; and when the object of data flow monitoring changes, the detection policy can be formulated flexibly, improving the system's detection rate for abnormal traffic.
Specific implementation mode
The technical solutions in the embodiments of the present invention are described below clearly and completely. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The present invention provides the following technical solution: a computer traffic anomaly detection and analysis system in which the network traffic monitoring process is divided into three phases. (1) Network data collection: the collected data includes static data related to configuration, dynamic data related to network events, and statistical data summarised from the dynamic data. (2) Data processing: the collected data is processed, mainly to extract the anomaly information of interest. (3) Anomaly detection: the reported information is analysed comprehensively to detect whether a problem has occurred and to analyse its cause. The workflow of the analysis system consists of three steps: selection of modelling samples, learning and establishing the model, and deviation assessment. The traffic acquisition methods currently in use fall into three kinds: first, traffic monitoring technology based on SNMP; second, functions provided by the underlying operating system; third, traffic monitoring technology based on NetFlow. A network anomaly generally means that a performance or traffic parameter of the network appears abnormal; in anomaly detection, the quantities commonly measured in a statistical model include the number of audit events, their interval time, and resource consumption.
The advantage of SNMP traffic monitoring is that the overall performance and condition of the network can be viewed from a macroscopic angle, which makes it convenient for administrators to analyse and solve problems at the global level. Compared with the other two traffic collection methods, functions provided by the underlying operating system have the biggest feature of traffic-mirroring collection, namely the ability to provide rich application-layer information. Compared with the other two traffic collection methods, NetFlow traffic monitoring technology likewise has the biggest feature of traffic-mirroring collection, namely the ability to provide rich application-layer information.
The basis of network traffic anomaly detection is the traffic data generated on the network. According to the granularity of data aggregation, network traffic data sources can be divided into packet traces, network flows, and SNMP statistical data. A packet trace is the sequence of IP packets flowing through the network or a network link. A network flow is the aggregation of a unidirectional sequence of packets between a specific source and destination endpoint; it is produced by a router that supports the flow function by aggregating the packets it forwards according to their attributes. A network flow does not contain the content of the packets but retains their characteristic information. SNMP statistical data is data produced by SNMP-capable network devices that classify and count, by flow, the packets passing through and forwarded by them. The granularity of a network flow captures the main features of the data stream without the data content; network flows contain the basic attributes needed for anomaly analysis while having a smaller data volume. When analysing network flows there is no need to consider packet payloads, which reduces packet-processing overhead and makes efficient, real-time detection and determination of network anomalies easier.
For a complex network system, in order to guarantee the bandwidth demand of important applications, bandwidth-based network traffic analysis can make the situation clearer: the network traffic is divided by protocol, and traffic monitoring and analysis is carried out for each protocol. If a protocol shows an extraordinary sudden and sharp rise within a period, it may be attack traffic or a worm virus appearing.
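The two passages above describe flow-level aggregation (a flow record keeps the packets' characteristic attributes but drops their content) and per-protocol bandwidth monitoring that flags a sudden rise within a period. The following is an added illustration written for this page, not code from the patent: it aggregates a constructed packet trace into unidirectional 5-tuple flow records, buckets bytes per protocol per interval, and flags an interval whose byte count exceeds a multiple of the mean of the preceding intervals. The packet tuples, the interval length, and the surge factor are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet trace (sample input, not taken from the patent). Each tuple is
# (timestamp_s, src_ip, dst_ip, proto, src_port, dst_port, length_bytes, payload).
# The payload field is present only to show that flow aggregation discards it.
PACKETS = [
    (1.0, "10.0.0.1", "10.0.0.9", "TCP", 40000, 80, 1200, b"GET / HTTP/1.1"),
    (2.0, "10.0.0.9", "10.0.0.1", "TCP", 80, 40000, 1400, b"HTTP/1.1 200 OK"),
    (3.0, "10.0.0.1", "10.0.0.9", "TCP", 40000, 80, 400, b"GET /favicon.ico"),
    (4.0, "10.0.0.2", "10.0.0.53", "UDP", 5353, 53, 80, b"dns query"),
    (5.0, "10.0.0.53", "10.0.0.2", "UDP", 53, 5353, 120, b"dns answer"),
    (11.0, "10.0.0.1", "10.0.0.9", "TCP", 40000, 80, 1500, b"..."),
    (12.0, "10.0.0.9", "10.0.0.1", "TCP", 80, 40000, 1500, b"..."),
    (14.0, "10.0.0.2", "10.0.0.53", "UDP", 5353, 53, 90, b"dns query"),
    (15.0, "10.0.0.53", "10.0.0.2", "UDP", 53, 5353, 110, b"dns answer"),
    (21.0, "10.0.0.1", "10.0.0.9", "TCP", 40000, 80, 1000, b"..."),
    (22.0, "10.0.0.9", "10.0.0.1", "TCP", 80, 40000, 2000, b"..."),
    (24.0, "10.0.0.2", "10.0.0.53", "UDP", 5353, 53, 100, b"dns query"),
    (25.0, "10.0.0.53", "10.0.0.2", "UDP", 53, 5353, 100, b"dns answer"),
    (31.0, "10.0.0.1", "10.0.0.9", "TCP", 40000, 80, 1500, b"..."),
    (32.0, "10.0.0.9", "10.0.0.1", "TCP", 80, 40000, 1500, b"..."),
    (34.0, "10.0.0.2", "10.0.0.53", "UDP", 5353, 53, 100, b"dns query"),
    (35.0, "10.0.0.53", "10.0.0.2", "UDP", 53, 5353, 100, b"dns answer"),
]
# Constructed burst in the fourth interval: one host emits ten 600-byte UDP packets.
PACKETS += [
    (33.0 + i * 0.1, "10.0.0.7", "10.0.0.9", "UDP", 4444, 9, 600, b"x" * 600)
    for i in range(10)
]


@dataclass
class FlowRecord:
    """Characteristic information only: no payload field exists on a flow record."""
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


def aggregate_flows(packets):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple."""
    flows = {}
    for ts, src, dst, proto, sport, dport, length, _payload in packets:
        key = (src, dst, proto, sport, dport)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(first_seen=ts, last_seen=ts)
        rec.packets += 1
        rec.bytes += length
        rec.last_seen = max(rec.last_seen, ts)
    return flows


def bytes_per_protocol_interval(packets, interval_s):
    """Return {interval_index: {proto: bytes}} for fixed-length time intervals."""
    table = defaultdict(lambda: defaultdict(int))
    for ts, _src, _dst, proto, _sp, _dp, length, _payload in packets:
        table[int(ts // interval_s)][proto] += length
    return table


def protocol_surges(table, factor=3.0, min_history=2):
    """Flag (interval, proto, bytes, baseline) where bytes exceed factor x the mean
    of all earlier intervals for that protocol; needs min_history intervals first."""
    alerts = []
    intervals = sorted(table)
    protos = sorted({p for i in intervals for p in table[i]})
    for proto in protos:
        history = []
        for i in intervals:
            value = table[i].get(proto, 0)
            if len(history) >= min_history:
                baseline = sum(history) / len(history)
                if baseline > 0 and value > factor * baseline:
                    alerts.append((i, proto, value, baseline))
            history.append(value)
    return alerts


if __name__ == "__main__":
    for key, rec in aggregate_flows(PACKETS).items():
        print(key, rec)
    for alert in protocol_surges(bytes_per_protocol_interval(PACKETS, 10)):
        print("surge:", alert)
```

The baseline here is the mean of every earlier interval, so a single surge cannot inflate its own threshold; in a long-running deployment a sliding window or exponentially weighted mean would bound the history instead.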
The traffic anomaly detection and analysis system mines and performs correlation analysis on the collected network traffic; it combines network traffic, access behaviour, and the security of the business system, helping administrators grasp the network usage situation and analyse abnormal conditions of the business system, so as to ensure the safe, stable and efficient operation of the business system.
The computer traffic anomaly detection and analysis system of the present invention can change its settings in real time according to actual needs. For a specific attack, the subset of basic features relevant to that attack is taken as the feature set describing that class of attack. For example, for a SYN flood attack, the combined feature set can be chosen as pkts/s, average packet length, the number of SYN packets, and similar information. By learning and training on the data of this set of basic features, normal and abnormal models of the attack's combined features can be obtained in real time, and this model can then be used to detect this class of attack on the network in real time. On the other hand, by learning from a data set of known attack types and behaviours, the manually chosen attack features can also be optimised so that they better reflect the characteristics of the attack. Because the data set is obtained by extracting network traffic in real time, it truly reflects the real-time state of the network, so sharing the data set can provide a comprehensive operation and control platform for the anomaly detection systems in different management domains of the network.
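The paragraph above names the SYN flood feature set (pkts/s, average packet length, number of SYN packets) and the system's three-step workflow (modelling sample selection, model learning, deviation assessment). The following added example, written for this page and not taken from the patent, carries that workflow through: it extracts the three features per one-second window, learns a normal model (mean and standard deviation per feature) from windows selected as modelling samples, and assesses a new window's deviation as its largest per-feature z-score. The window length, the synthetic packet generator, the z-score form of the deviation measure and the threshold of 4 are assumptions made for the example.

```python
from statistics import mean, pstdev

WINDOW_S = 1.0  # assumed feature window length


def synthetic_window(n_packets, avg_len, n_syn, start_ts=0.0):
    """Constructed sample input: n_packets evenly spaced over one window, the first
    n_syn carrying only the SYN flag, all of length avg_len (so the mean is exact).
    Each packet is (timestamp_s, length_bytes, tcp_flags)."""
    return [
        (start_ts + i * (WINDOW_S / n_packets), avg_len, "S" if i < n_syn else "PA")
        for i in range(n_packets)
    ]


def extract_features(window):
    """The SYN flood feature set named in the description: pkts/s, average packet
    length, and the number of SYN-only packets."""
    lengths = [length for _, length, _ in window]
    return {
        "pkts_per_s": len(window) / WINDOW_S,
        "avg_len": sum(lengths) / len(lengths) if lengths else 0.0,
        "syn_count": sum(1 for _, _, flags in window if flags == "S"),
    }


def learn_normal_model(sample_windows):
    """Step 2: from the selected modelling samples, learn mean and standard deviation
    of each feature. A small floor on sigma avoids division by zero for a constant
    feature."""
    feature_rows = [extract_features(w) for w in sample_windows]
    model = {}
    for name in feature_rows[0]:
        column = [row[name] for row in feature_rows]
        model[name] = (mean(column), max(pstdev(column), 1e-6))
    return model


def deviation(model, window):
    """Step 3: deviation assessment. Returns (overall score, per-feature z-scores);
    the overall score is the largest absolute z-score across the feature set."""
    feats = extract_features(window)
    z = {name: abs(feats[name] - mu) / sigma for name, (mu, sigma) in model.items()}
    return max(z.values()), z


def is_anomalous(model, window, threshold=4.0):
    score, _ = deviation(model, window)
    return score > threshold


# Step 1: modelling sample selection. These five windows are constructed to stand in
# for traffic an operator has judged normal (about 20 pkts/s, ~800-byte packets,
# a couple of new connections per second).
NORMAL_SAMPLES = [
    synthetic_window(18, 780, 1),
    synthetic_window(20, 800, 2),
    synthetic_window(22, 820, 2),
    synthetic_window(20, 790, 3),
    synthetic_window(19, 810, 2),
]
# Constructed test windows: one ordinary, one with the SYN flood signature (many
# small SYN-only packets).
QUIET_WINDOW = synthetic_window(21, 800, 2)
FLOOD_WINDOW = synthetic_window(200, 60, 200)

if __name__ == "__main__":
    model = learn_normal_model(NORMAL_SAMPLES)
    for label, window in (("quiet", QUIET_WINDOW), ("flood", FLOOD_WINDOW)):
        score, per_feature = deviation(model, window)
        print(label, round(score, 1), {k: round(v, 1) for k, v in per_feature.items()})
```

Because the model is per-feature, the per-feature z-scores also say which feature drove the alert, which is what an analyst needs to confirm that a high score really reflects the SYN count rather than, say, a benign change in packet size.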
Although embodiments of the present invention have been shown and described, those of ordinary skill in the art can understand that various changes, modifications, replacements and variations can be made to these embodiments without departing from the principles and spirit of the present invention; the scope of the present invention is defined by the appended claims.

Claims (5)

1. A computer traffic anomaly detection and analysis system, characterised in that: the network traffic monitoring process is divided into three phases. (1) Network data collection: the collected data includes static data related to configuration, dynamic data related to network events, and statistical data summarised from the dynamic data. (2) Data processing: the collected data is processed, mainly to extract the anomaly information of interest. (3) Anomaly detection: the reported information is analysed comprehensively to detect whether a problem has occurred and to analyse its cause. The workflow of the analysis system consists of three steps: selection of modelling samples, learning and establishing the model, and deviation assessment. The traffic acquisition methods currently in use fall into three kinds: first, traffic monitoring technology based on SNMP; second, functions provided by the underlying operating system; third, traffic monitoring technology based on NetFlow. A network anomaly generally means that a performance or traffic parameter of the network appears abnormal; in anomaly detection, the quantities commonly measured in a statistical model include the number of audit events, their interval time, and resource consumption.
2. The computer traffic anomaly detection and analysis system according to claim 1, characterised in that: the advantage of SNMP traffic monitoring is that the overall performance and condition of the network can be viewed from a macroscopic angle, which makes it convenient for administrators to analyse and solve problems at the global level; compared with the other two traffic collection methods, functions provided by the underlying operating system have the biggest feature of traffic-mirroring collection, namely the ability to provide rich application-layer information; compared with the other two traffic collection methods, NetFlow traffic monitoring technology likewise has the biggest feature of traffic-mirroring collection, namely the ability to provide rich application-layer information.
3. The computer traffic anomaly detection and analysis system according to claim 1, characterised in that: the basis of network traffic anomaly detection is the traffic data generated on the network; according to the granularity of data aggregation, network traffic data sources can be divided into packet traces, network flows, and SNMP statistical data; a packet trace is the sequence of IP packets flowing through the network or a network link; a network flow is the aggregation of a unidirectional sequence of packets between a specific source and destination endpoint, produced by a router that supports the flow function by aggregating the packets it forwards according to their attributes; a network flow does not contain the content of the packets but retains their characteristic information; SNMP statistical data is data produced by SNMP-capable network devices that classify and count, by flow, the packets passing through and forwarded by them; the granularity of a network flow captures the main features of the data stream without the data content; network flows contain the basic attributes needed for anomaly analysis while having a smaller data volume; when analysing network flows there is no need to consider packet payloads, which reduces packet-processing overhead and makes efficient, real-time detection and determination of network anomalies easier.
4. The computer traffic anomaly detection and analysis system according to claim 1, characterised in that: for a complex network system, in order to guarantee the bandwidth demand of important applications, bandwidth-based network traffic analysis can make the situation clearer; the network traffic is divided by protocol and traffic monitoring and analysis is carried out for each protocol; if a protocol shows an extraordinary sudden and sharp rise within a period, it may be attack traffic or a worm virus appearing.
5. The computer traffic anomaly detection and analysis system according to claim 1, characterised in that: the traffic anomaly detection and analysis system mines and performs correlation analysis on the collected network traffic; it combines network traffic, access behaviour, and the security of the business system, helping administrators grasp the network usage situation and analyse abnormal conditions of the business system, so as to ensure the safe, stable and efficient operation of the business system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810154063.0A CN108540443A (en) 2018-02-22 2018-02-22 A kind of computer Traffic anomaly detection analysis system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810154063.0A CN108540443A (en) 2018-02-22 2018-02-22 A kind of computer Traffic anomaly detection analysis system

Publications (1)

Publication Number Publication Date
CN108540443A true CN108540443A (en) 2018-09-14

Family

ID=63486148

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810154063.0A Pending CN108540443A (en) 2018-02-22 2018-02-22 A kind of computer Traffic anomaly detection analysis system

Country Status (1)

Country Link
CN (1) CN108540443A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101414927A (en) * 2008-11-20 2009-04-22 浙江大学 Alarm and response system for inner-mesh network aggression detection
US9225736B1 (en) * 2013-06-27 2015-12-29 Symantec Corporation Techniques for detecting anomalous network traffic
CN103647665A (en) * 2013-12-13 2014-03-19 北京启明星辰信息技术股份有限公司 Network flow curve analysis method and apparatus

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
杨雅辉: "Research on network traffic anomaly detection and analysis", Computer Science (计算机科学) *
王海龙: "Anomaly analysis of large-scale network traffic", China Master's Theses Full-text Database, Information Science and Technology (中国优秀硕士学位论文全文数据库信息科技辑) *
电脑杂谈: "Traffic analysis system / Donghua traffic analysis / the role of a statistical analysis system", HTTP://WWW.PC-FLY.COM/A/TONGXINSHUYU/ARTICLE-39512-1.HTML *
穆斌 et al.: "Network traffic monitoring and abnormal traffic analysis technology", Information Systems Engineering (信息系统工程) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194590A (en) * 2018-09-17 2019-01-11 中国科学技术大学 Support the internet exchange system of intelligence in net
CN109194590B (en) * 2018-09-17 2020-08-25 中国科学技术大学 Network switching system supporting intelligence in network
CN111953504A (en) * 2019-05-15 2020-11-17 中国电信股份有限公司 Abnormal flow detection method and device, and computer readable storage medium
CN111953504B (en) * 2019-05-15 2023-03-24 中国电信股份有限公司 Abnormal flow detection method and device, and computer readable storage medium
CN112612998A (en) * 2020-12-25 2021-04-06 福州掌中云科技有限公司 Method and equipment for detecting and identifying abnormal channel based on real-time access condition

Similar Documents

Publication Publication Date Title
Barford et al. Characteristics of network traffic flow anomalies
Lee et al. Network monitoring: Present and future
CN103067192B (en) A kind of analytical system of network traffics and method
US7924739B2 (en) Method and apparatus for one-way passive loss measurements using sampled flow statistics
US9584533B2 (en) Performance enhancements for finding top traffic patterns
Burschka et al. Tranalyzer: Versatile high performance network traffic analyser
CN108540443A (en) A kind of computer Traffic anomaly detection analysis system
Pekár et al. Adaptive aggregation of flow records
CN106973012A (en) A kind of computer network loop detecting method
Mahmood et al. An efficient clustering scheme to exploit hierarchical data in network traffic analysis
CN101741608A (en) Traffic characteristic-based P2P application identification system and method
CN112333020B (en) Network security monitoring and data message analysis system based on quintuple
Mahmood et al. Network traffic analysis and SCADA security
CN106452941A (en) Network anomaly detection method and device
Harrison et al. Carpe elephants: Seize the global heavy hitters
Cho et al. Aguri: An aggregation-based traffic profiler
CN105991623B (en) A kind of services interconnection relationship auditing method and system
Onut et al. A Feature Classification Scheme For Network Intrusion Detection.
CN104079452A (en) Data monitoring technology and network traffic abnormality classifying method
D’Antonio et al. High-speed intrusion detection in support of critical infrastructure protection
CN109150920A (en) A kind of attack detecting source tracing method based on software defined network
Pekár et al. Issues in the passive approach of network traffic monitoring
CN103957128A (en) Method and system for monitoring data flow direction in cloud computing environment
Roy et al. State of the art analysis of network traffic anomaly detection
Liu et al. Next generation internet traffic monitoring system based on netflow

Legal Events

Date Code Title Description
2018-09-14 PB01 Publication (application publication date: 20180914)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication