CN111082995A - Ethereum network behavior analysis method, corresponding storage medium and electronic device
- Publication number: CN111082995A
- Application number: CN201911359152.XA
- Authority: CN (China)
- Prior art keywords: node, node set, network, nodes, ethernet
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L41/12—Discovery or management of network topologies
- G06N20/00—Machine learning
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L43/12—Network monitoring probes
- H04L67/1061—Peer-to-peer [P2P] networks using node-based peer discovery mechanisms
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Abstract
The invention discloses an Ethereum network behavior analysis method, a corresponding storage medium and an electronic device. The method comprises the following steps: detecting Ethereum nodes in network traffic data by using a passive association method to obtain an Ethereum node set, and obtaining an Ethereum iterative node set according to the iterative association relation among nodes in the Ethereum node set; converging the Ethereum iterative node set through a machine learning classifier to obtain an Ethereum convergence node set; and monitoring the Ethereum node set and the Ethereum convergence node set to obtain a communication relation data set, and analyzing the communication relation data set to obtain an Ethereum network attribute analysis result. The invention detects Ethereum nodes in real backbone network NetFlow traffic; NetFlow data summarizes and counts packet information, retains the important information that reflects flow characteristics, and does not involve user privacy.
Description
Technical Field
The invention belongs to the field of network security, and particularly relates to an Ethereum network behavior analysis method, a corresponding storage medium and an electronic device.
Background
In 2008, the inventor proposed in a paper a peer-to-peer digital currency that can exist independently of any country or institution and is not restricted by third-party institutions; because of the special properties of its encryption algorithm, it is difficult for lawbreakers to forge. This is what later became known as Bitcoin. The concept of the blockchain appears for the first time in that paper, which gives a design for solving the double-spending problem and the Byzantine generals problem through timestamps and a proof-of-work consensus mechanism, while all nodes can make other nodes receive their real intentions, so that data consistency is kept. Bitcoin uses the blockchain as its underlying technology, so the true value of its application far exceeds that of an electronic currency system. Bitcoin is considered a blockchain 1.0 system; Ethereum, by introducing smart contract functionality, became a blockchain 2.0 system.
Bitcoin is the first reliable decentralized solution, and people's attention then rapidly turned to how to apply Bitcoin-based blockchain technology to fields other than currency. Ethereum is an open blockchain platform. In the 1990s, Nick Szabo first proposed the concept of smart contracts. Smart contracts have not been applied in real industry due to the lack of a trusted execution environment. Ethereum was the first to see the fit between the blockchain and smart contracts, and is dedicated to becoming the best platform for running smart contracts. Ethereum is a programmable blockchain: it does not give the user a series of preset operations, but uses a flexible virtual machine (EVM) to interpret arbitrarily complex code logic (smart contracts), and allows users to create complex operations as they wish. It allows anyone to build and use decentralized applications that run on blockchain technology within the platform. In conjunction with the P2P network, each Ethereum node runs a virtual machine and executes the same instructions. For this reason, Ethereum is sometimes also vividly called the "world computer". The large-scale parallel computing architecture that runs through the whole Ethereum network gives Ethereum strong fault tolerance, and ensures that data on the blockchain are consistent and cannot be tampered with. In theory, any complex financial activity or transaction can be conducted automatically and reliably on Ethereum by using code. Besides financial applications, any application scenario with high requirements on trust, security and durability, such as asset registration, voting, management and the Internet of Things, is largely influenced by the Ethereum platform.
Therefore, by virtue of its huge potential and prospects, Ethereum has drawn close and wide attention from the financial industry, scientific research institutions, government departments and investment companies.
Disclosure of Invention
The invention provides an Ethereum network behavior analysis method, a corresponding storage medium and an electronic device. Based on NetFlow data of a certain urban backbone network provided by an operator, the method detects Ethereum nodes in NetFlow traffic by using a passive monitoring method, monitors the behavior of the detected nodes, acquires the real communication relations among the nodes, accumulates data sets of real Ethereum nodes and their behavior over a certain time, analyzes the data, and provides measurement results in multiple dimensions from the perspectives of nodes, connection relations and so on.
The technical scheme adopted by the invention is as follows:
A method for analyzing Ethereum network behavior comprises the following steps:
1) monitoring network traffic data to obtain an Ethereum node set;
2) converging the Ethereum iterative node set obtained according to the Ethereum node set through a machine learning classifier to obtain an Ethereum convergence node set;
3) monitoring the Ethereum node set and the Ethereum convergence node set to obtain a communication relation data set, and analyzing the communication relation data set to obtain an Ethereum network attribute analysis result.
Further, the step of obtaining the Ethereum node set includes:
1) acquiring an Ethereum full node set by using an Ethereum P2P node discovery method;
2) taking the Ethereum full node set as initial nodes and observing their flow data in the network traffic data to obtain a peer node set that communicates with the initial nodes;
3) merging the obtained Ethereum full node set and the peer node set to obtain the Ethereum node set.
Further, the network traffic data is NetFlow data; the network traffic data is sampled according to a set proportion.
Further, the Ethereum iterative node set is obtained by using an association method according to the P2P network connectivity characteristics of the nodes in the Ethereum node set.
Further, the machine learning classifier is logistic regression, SVM, KNN, C4.5 decision tree, Adaboost, or random forest.
Further, the Ethereum node set and the Ethereum convergence node set are monitored by using a passive traffic monitoring method.
Further, the analysis method is an attribute analysis method, a link attribute analysis method or a network topology attribute analysis method.
Further, the analyzed dimensions comprise node geographic distribution, node survival time, node out-degree and in-degree, network topology coverage rate and network connectivity degree.
A storage medium having a computer program stored therein, wherein the computer program performs the method described above.
An electronic device comprising a memory in which the computer program is stored and a processor arranged to run the computer program to perform the method described above.
Compared with the prior art, the invention has the following advantages:
1) Ethereum nodes are detected by using real backbone network NetFlow traffic. NetFlow data summarizes and counts packet information, retains the important information that reflects flow characteristics, and does not involve user privacy, so measuring Ethereum behavior by analyzing NetFlow data meets ethical requirements.
2) The data are collected by using a passive association method, so data collection is not affected by factors such as the client's distributed hash algorithm implementation, the design of a sniffer, or the network state.
3) The node set obtained in the second association is converged by using a machine learning method, which improves the accuracy of node discovery with the two-round iterative association method.
4) The behavior of Ethereum nodes in NetFlow traffic is monitored by using a passive monitoring method, the real communication relations between the nodes are acquired, and data sets of real Ethereum nodes and their behavior are accumulated over a certain time.
Drawings
FIG. 1 is a system diagram of the Ethereum network behavior analysis method.
FIG. 2 is a schematic diagram of Ethereum network behavior association detection.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the objects, features, and advantages of the present invention more comprehensible, the technical core of the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
The present invention provides an Ethereum network behavior analysis method based on NetFlow data; referring to FIG. 1, it includes the following steps:
Referring to FIG. 2, the Ethereum network is a typical P2P network. If a node N2 is connected to a certain Ethereum node N1, then N2 may be considered a network node running the Ethereum service. N2 may be an Ethereum routing node, an Ethereum light node, or a wallet node. If network node N3 is in turn connected to network node N2, then N3 may be an Ethereum service node but is, to a large extent, a network node running other services.
First, a node behavior traffic association method is used to expand the Ethereum node set so that it includes light nodes or client nodes that cannot be obtained by active methods. The invention provides a node behavior traffic association method that detects Ethereum nodes in real backbone network NetFlow traffic sampled at one in a thousand. NetFlow data is flow statistics and does not include payload information, so performing traffic detection on this data avoids the problem of network privacy disclosure. Detecting Ethereum nodes by node behavior traffic association on the one-in-a-thousand sampled NetFlow data has also been verified by experiment to be highly effective. Active detection with the Ethereum P2P node discovery protocol can only acquire a certain number of Ethereum full nodes. The node behavior traffic association method takes these full nodes as initial nodes and observes the flow data related to the initial nodes in the NetFlow data, thereby obtaining the peer nodes that communicate with the initial nodes. These peer nodes are Ethereum nodes and include full nodes, light nodes and client nodes; the light nodes and client nodes cannot be detected by active detection because they do not follow the Ethereum P2P node discovery protocol. In summary, NetFlow data summarizes and counts packet information, retains the important information that reflects flow characteristics, and does not involve user privacy, so analyzing and measuring Ethereum behavior with NetFlow data meets ethical requirements. In addition, because the data are collected by the node behavior traffic association method, data collection is not affected by factors such as the client's distributed hash algorithm implementation, the design of a sniffer, or the network state.
The real traffic of these nodes in the backbone network shows that they produce actual interaction behavior in the Ethereum network. Using the connectivity characteristics of the P2P network, the association method can be applied to discover more nodes.
However, after two iterations the accuracy of the discovered nodes drops greatly, so the node set obtained in the second association is converged by using a machine learning method. Through iterative parameter tuning of several machine learning classifiers such as logistic regression, SVM, KNN, C4.5 decision trees, Adaboost and random forests, the method compares these classical machine learning methods and selects the random forest algorithm to converge the associated data, which improves the efficiency of Ethereum service discovery.
The node behavior traffic association method is then used to perform NetFlow traffic monitoring on the IP addresses of the Ethereum nodes in the Ethereum node set, so as to obtain the communication relations of the Ethereum nodes in the NetFlow data and a NetFlow communication relation data set of the Ethereum nodes. On the basis of this data set, Ethereum network behavior is analyzed with several analysis and mining methods, such as node attribute analysis, link attribute analysis and network topology attribute analysis. The Ethereum network attribute analysis result is thus obtained from real Ethereum network behavior, and reveals the real behavioral characteristics of the Ethereum network: good connectivity and stability.
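The two association rounds and the relation monitoring described above, as an added example that is not code from the patent. The flow records and seed set are constructed, and the feature names (known_peers, all_peers, known_ratio) are assumptions, since the patent does not list the features its classifier uses; the classifier itself is left out, and the feature rows are the kind of input a random forest would be trained on.

```python
from collections import defaultdict

# Constructed sample of (unix_time, src_ip, dst_ip) records, as a sampled
# NetFlow export would summarize them. All addresses are documentation ranges.
FLOWS = [
    (1000, "192.0.2.10", "198.51.100.1"),    # seed -> N2a
    (1060, "198.51.100.2", "192.0.2.10"),    # N2b -> seed
    (1120, "192.0.2.11", "198.51.100.1"),    # second seed -> N2a
    (1300, "198.51.100.1", "203.0.113.5"),   # N2a -> N3a
    (1400, "198.51.100.2", "203.0.113.5"),   # N2b -> N3a
    (1500, "198.51.100.2", "203.0.113.9"),   # N2b -> N3b
    (1600, "203.0.113.9", "203.0.113.77"),   # N3b -> host with no Ethereum link
    (1700, "203.0.113.9", "203.0.113.78"),   # N3b -> host with no Ethereum link
    (4600, "198.51.100.1", "192.0.2.10"),    # N2a -> seed, one hour later
]
# Assumed seed set: full nodes obtained beforehand by active P2P discovery.
SEEDS = {"192.0.2.10", "192.0.2.11"}


def associate(flows, known):
    """One association round: hosts outside `known` that exchanged a flow
    with a node inside `known`."""
    peers = set()
    for _, src, dst in flows:
        if (src in known) != (dst in known):   # exactly one endpoint is known
            peers.add(dst if src in known else src)
    return peers


def candidate_features(flows, candidates, known):
    """Per-candidate feature row for the convergence step (assumed features):
    how much of a candidate's traffic goes to already accepted nodes."""
    peers = defaultdict(set)
    for _, src, dst in flows:
        if src in candidates:
            peers[src].add(dst)
        if dst in candidates:
            peers[dst].add(src)
    rows = {}
    for ip in candidates:
        k = len(peers[ip] & known)
        total = len(peers[ip])
        rows[ip] = {"known_peers": k, "all_peers": total,
                    "known_ratio": k / total if total else 0.0}
    return rows


def relation_stats(flows, nodes):
    """Communication relation data set restricted to monitored nodes:
    out-degree, in-degree and observed lifetime in seconds per node."""
    out_p, in_p, seen = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, src, dst in flows:
        if src in nodes and dst in nodes:
            out_p[src].add(dst)
            in_p[dst].add(src)
            seen[src].append(ts)
            seen[dst].append(ts)
    return {ip: {"out_degree": len(out_p[ip]), "in_degree": len(in_p[ip]),
                 "lifetime_s": max(seen[ip]) - min(seen[ip])}
            for ip in seen}


if __name__ == "__main__":
    node_set = SEEDS | associate(FLOWS, SEEDS)      # seeds plus first-round peers
    second_round = associate(FLOWS, node_set)       # lower-precision candidates
    for ip, row in sorted(candidate_features(FLOWS, second_round, node_set).items()):
        print(ip, row)
    for ip, row in sorted(relation_stats(FLOWS, node_set).items()):
        print(ip, row)
```

In the sample, 203.0.113.9 talks mostly to hosts outside the node set, which is the N3 case the description warns about and the reason the second-round set needs a classifier before it is monitored.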
One embodiment is described below.
The method is based on one-in-a-thousand sampled NetFlow data of a certain urban backbone network provided by an operator. Ethereum nodes in the NetFlow traffic are detected by using the passive association method, and about 9000 Ethereum nodes can be detected every day. The about 5000 nodes associated in the second iteration are converged by a machine learning method, and the accuracy can reach about 40%. Meanwhile, the behavior of the detected nodes and of the nodes obtained by converging the second-iteration associated nodes is monitored, the real communication relations between the nodes are obtained, and data sets of real Ethereum nodes and network communication relations are accumulated for two weeks. The data are then analyzed, and measurement results can be given in multiple dimensions, such as node scale, node geographic distribution, node survival time, node out-degree and in-degree, network topology coverage rate and network connectivity degree.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the embodiments have been described in detail for the present invention, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered in the claims of the present invention.
Claims (10)
1. A method for analyzing Ethereum network behavior, comprising the following steps:
1) monitoring network traffic data to obtain an Ethereum node set;
2) converging the Ethereum iterative node set obtained according to the Ethereum node set through a machine learning classifier to obtain an Ethereum convergence node set;
3) monitoring the Ethereum node set and the Ethereum convergence node set to obtain a communication relation data set, and analyzing the communication relation data set to obtain an Ethereum network attribute analysis result.
2. The method of claim 1, wherein the step of obtaining the Ethereum node set comprises:
1) acquiring an Ethereum full node set by using an Ethereum P2P node discovery method;
2) taking the Ethereum full node set as initial nodes and observing their flow data in the network traffic data to obtain a peer node set that communicates with the initial nodes;
3) merging the obtained Ethereum full node set and the peer node set to obtain the Ethereum node set.
3. The method of claim 1, wherein the network traffic data is NetFlow data; the network traffic data is sampled according to a set proportion.
4. The method of claim 1, wherein the Ethereum iterative node set is obtained by using an association method according to the P2P network connectivity characteristics of the nodes in the Ethereum node set.
5. The method of claim 1, wherein the machine learning classifier is logistic regression, SVM, KNN, C4.5 decision tree, Adaboost, or random forest.
6. The method of claim 1, wherein the Ethereum node set and the Ethereum convergence node set are monitored by using a passive traffic monitoring method.
7. The method of claim 1, wherein the analysis method is an attribute analysis method, a link attribute analysis method, or a network topology attribute analysis method.
8. The method of claim 7, wherein the dimensions of the analysis include node geographic distribution, node survival time, node out-degree and in-degree, network topology coverage rate, and network connectivity degree.
9. A storage medium having a computer program stored therein, wherein the computer program performs the method of any one of claims 1 to 8.
10. An electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the method according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Publication Number | Priority Date | Filing Date | Status | Title |
---|---|---|---|---|---|
CN201911359152.XA | CN111082995A | 2019-12-25 | 2019-12-25 | Pending | Ethereum network behavior analysis method, corresponding storage medium and electronic device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111082995A | 2020-04-28 |
Family ID: 70317814
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20200428 |