CN111082995A - Ethereum network behavior analysis method, corresponding storage medium and electronic device


Publication number: CN111082995A
Authority: CN (China)
Legal status: Pending
Application number: CN201911359152.XA
Other languages: Chinese (zh)
Inventors: 李真真, 熊刚, 扶佩佩, 夏葳
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Application filed by: Institute of Information Engineering of CAS
Priority to: CN201911359152.XA
Publication of: CN111082995A


Classifications

    • H04L41/12 Discovery or management of network topologies
    • G06N20/00 Machine learning
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L43/12 Network monitoring probes
    • H04L67/1061 Peer-to-peer [P2P] networks using node-based peer discovery mechanisms
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees


Abstract

The invention discloses an Ethereum network behavior analysis method, a corresponding storage medium and an electronic device. The method comprises: detecting Ethereum nodes in network traffic data using a passive association method to obtain an Ethereum node set, and obtaining an Ethereum iterative node set according to the iterative association relations among the nodes in the Ethereum node set; converging the Ethereum iterative node set with a machine learning classifier to obtain an Ethereum converged node set; and monitoring the Ethereum node set and the Ethereum converged node set to obtain a communication relation data set, and analyzing the communication relation data set to obtain an Ethereum network attribute analysis result. The invention detects Ethereum nodes using NetFlow traffic from a real backbone network; NetFlow data aggregates packet information into statistics, retaining the important information that characterizes a flow without touching user privacy.

Description

Ethereum network behavior analysis method, corresponding storage medium and electronic device
Technical Field
The invention belongs to the field of network security, and in particular relates to an Ethereum network behavior analysis method, a corresponding storage medium and an electronic device.
Background
In 2008, its inventor proposed, in a paper, a peer-to-peer digital currency that can exist independently of any country or institution and is not constrained by third-party institutions; because of the properties of its cryptographic algorithms, it is difficult for criminals to forge. This is what later became known as Bitcoin. The concept of the blockchain appeared for the first time in that paper, which gave a design for solving the double-spending problem and the Byzantine generals problem through timestamps and a proof-of-work consensus mechanism, while allowing every node to make its true intent known to the other nodes so that data consistency is maintained. Bitcoin uses the blockchain as its underlying technology, the real application value of which far exceeds that of an electronic currency system. Bitcoin is regarded as a blockchain 1.0 system; Ethereum, by introducing smart contract functionality, became a blockchain 2.0 system.
Bitcoin was the first reliable decentralized solution, and attention then quickly turned to how to apply Bitcoin's blockchain technology to fields other than currency; Ethereum is an open blockchain platform. In the 1990s, Nick Szabo first proposed the concept of smart contracts. For lack of a trusted execution environment, smart contracts were not applied in real industry. Ethereum was the first to see the fit between the blockchain and smart contracts and aims to be the best platform for running smart contracts. Ethereum is a programmable blockchain: rather than giving users a set of predefined operations, it uses a flexible virtual machine (EVM) to interpret arbitrarily complex code logic (smart contracts), letting users create complex operations as they wish. It allows anyone to build and use, on the platform, decentralized applications that run on blockchain technology. Combined with the P2P network, each Ethereum node runs a virtual machine and executes the same instructions. For this reason Ethereum is sometimes vividly called a "world computer". This massively parallel computing architecture spanning the whole Ethereum network gives Ethereum strong fault tolerance and ensures that the data on the blockchain is consistent and cannot be tampered with. In theory, any complex financial activity or transaction can be carried out automatically and reliably on Ethereum in code. Beyond financial applications, any application scenario with high requirements for trust, security and durability, such as asset registration, voting, management and the Internet of Things, will be greatly affected by the Ethereum platform.
By virtue of its huge potential and prospects, Ethereum has therefore attracted close and broad attention from the financial industry, research institutions, government departments and investment companies.
Disclosure of Invention
The invention provides an Ethereum network behavior analysis method, a corresponding storage medium and an electronic device. Based on NetFlow data of a city backbone network provided by an operator, it detects Ethereum nodes in the NetFlow traffic using a passive monitoring method, monitors the behavior of the detected nodes, obtains the real communication relations among the nodes, accumulates a data set of real Ethereum nodes and their behavior over a period of time, analyzes the data, and gives measurement results in multiple dimensions from the perspectives of nodes, connection relations and so on.
The technical scheme adopted by the invention is as follows:
A method for analyzing Ethereum network behavior, comprising the following steps:
1) monitoring network traffic data to obtain an Ethereum node set;
2) converging, with a machine learning classifier, the Ethereum iterative node set obtained from the Ethereum node set, to obtain an Ethereum converged node set;
3) monitoring the Ethereum node set and the Ethereum converged node set to obtain a communication relation data set, and analyzing the communication relation data set to obtain an Ethereum network attribute analysis result.
Further, obtaining the Ethereum node set comprises:
1) obtaining an Ethereum full node set using an Ethereum P2P node discovery method;
2) taking the Ethereum full node set as initial nodes and observing their traffic data in the network traffic data, to obtain a set of peer nodes that communicate with the initial nodes;
3) merging the Ethereum full node set and the peer node set to obtain the Ethereum node set.
Further, the network traffic data is NetFlow data; the network traffic data is sampled at a set ratio.
Further, the Ethereum iterative node set is obtained using an association method based on the P2P network connectivity characteristics of the nodes in the Ethereum node set.
Further, the machine learning classifier is logistic regression, SV, KNN, C4.5 decision tree, Adaboost, or random forest.
Further, the Ethereum node set and the Ethereum converged node set are monitored using a passive traffic monitoring method.
Further, the analysis method is an attribute analysis method, a link attribute analysis method or a network topology attribute analysis method.
Further, the dimensions analyzed include node geographic distribution, node survival time, node out-degree and in-degree, network topology coverage, and network connectivity.
A storage medium having a computer program stored therein, wherein the computer program performs the method described above.
An electronic device comprising a memory in which the computer program is stored and a processor arranged to run the computer program to perform the method described above.
Compared with the prior art, the invention has the following advantages:
1) Ethereum nodes are detected using NetFlow traffic from a real backbone network. NetFlow data aggregates packet information into statistics, retaining the important information that characterizes a flow without touching user privacy, so measuring Ethereum behavior through NetFlow data analysis meets ethical requirements.
2) Data is collected using a passive association method, so data collection is not affected by factors such as the client's distributed hash algorithm implementation, the design of the sniffer, or the network state.
3) The node set from the second association pass is converged using a machine learning method, which improves the accuracy of node discovery with the two-pass iterative association method.
4) Ethereum nodes in the NetFlow traffic are behavior-monitored using a passive monitoring method, the real communication relations between the nodes are obtained, and a data set of real Ethereum nodes and their behavior is accumulated over a period of time.
Drawings
FIG. 1 is a system diagram of the Ethereum network behavior analysis method.
FIG. 2 is a schematic diagram of Ethereum network behavior association detection.
Detailed Description
In order that the technical solutions in the embodiments of the invention may be better understood, and that the objects, features and advantages of the invention may be more readily apparent, the technical core of the invention is described in further detail below with reference to the accompanying drawings and embodiments.
The invention provides an Ethereum network behavior analysis method based on NetFlow data; referring to FIG. 1, it comprises the following steps:
Referring to FIG. 2, the Ethereum network is a typical P2P network. If a node N2 is connected to a known Ethereum node N1, then N2 can be considered a network node running the Ethereum service; N2 may be an Ethereum routing node, an Ethereum light node or a wallet node. If a network node N3 is in turn connected to network node N2, then N3 may be an Ethereum service node, but to a large extent it may also be a network node running other services.
First, a node-behavior traffic association method is used to expand the Ethereum node set so that it includes lightweight nodes and client nodes that cannot be obtained by active methods. The invention proposes a node-behavior traffic association method that detects Ethereum nodes in real backbone NetFlow traffic sampled at one in a thousand. NetFlow data is flow statistics and contains no traffic payload information, so performing traffic detection on it avoids the problem of leaking network privacy. Detecting Ethereum nodes by node-behavior traffic association on one-in-a-thousand sampled NetFlow data has also been verified experimentally to be highly effective. Within the node-behavior traffic association method, active probing with the Ethereum P2P node discovery protocol can obtain only a certain number of Ethereum full nodes. Taking these full nodes as initial nodes, the traffic related to them in the NetFlow data is observed, thereby obtaining the peer nodes that communicate with the initial nodes. These peer nodes are Ethereum nodes and include full nodes, light nodes and client nodes; light nodes and client nodes do not follow the Ethereum P2P node discovery protocol and therefore cannot be detected by active probing. In summary, NetFlow data aggregates packet information into statistics, retaining the important information that characterizes a flow without touching user privacy, so analyzing and measuring Ethereum behavior with NetFlow data meets ethical requirements. Because the data is collected with the node-behavior traffic association method, data collection is not affected by factors such as the client's distributed hash algorithm implementation, the design of the sniffer, or the network state.
That these nodes have real traffic in the backbone network shows that they produce actual interaction behavior in the Ethereum network. Using the connectivity characteristics of the P2P network, the association method can be applied to discover more nodes.
However, after two iterations the accuracy of the discovered nodes drops sharply, so the node set from the second association pass is converged using a machine learning method. Through iterative parameter tuning of several machine learning classifiers, such as logistic regression, SV, KNN, C4.5 decision tree, Adaboost and random forest, the invention compares these classical machine learning methods and selects the random forest algorithm to converge the associated data, improving the efficiency of Ethereum service discovery.
Using the node-behavior traffic association method, NetFlow traffic monitoring is performed on the IP addresses of the Ethereum nodes in the Ethereum node set, to obtain the communication relations of the Ethereum nodes in the NetFlow data and produce a NetFlow communication relation data set of Ethereum nodes. On the basis of this data set, Ethereum network behavior is analyzed with several analysis and mining methods, such as node attribute analysis, link attribute analysis and network topology attribute analysis; an Ethereum network attribute analysis result is obtained from real Ethereum network behavior, revealing the real behavioral characteristics of the Ethereum network: good connectivity and stability.
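The pipeline described above, sketched as an added example (not code from the patent): two association passes over constructed NetFlow-style records, a threshold filter standing in for the trained classifier, and an out-degree/in-degree table over the monitored nodes. The record layout, the feature names (`known_peers`, `known_ratio`) and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records (src, dst, packets). Addresses come from
# documentation ranges; nothing here is measured data. Each record is one
# unidirectional flow, so "out"/"in" below refers to flow direction.
S1, S2 = "198.51.100.1", "198.51.100.2"              # seed full nodes
A, B, C = "192.0.2.10", "192.0.2.11", "192.0.2.12"   # hosts talking to seeds
D, E = "203.0.113.5", "203.0.113.80"                 # second-hop hosts
FLOWS = [
    (A, S1, 12), (B, S2, 9), (B, S1, 4), (S2, C, 7),
    (D, A, 6), (D, B, 5), (C, D, 3),
    (A, E, 20),
    ("203.0.113.200", E, 15), ("203.0.113.201", E, 11), ("203.0.113.202", E, 8),
]
SEED_FULL_NODES = {S1, S2}  # assumed output of active P2P node discovery


def peers_of(nodes, flows):
    """Addresses outside `nodes` that exchange a flow with a member of `nodes`."""
    found = set()
    for src, dst, _pkts in flows:
        if src in nodes and dst not in nodes:
            found.add(dst)
        elif dst in nodes and src not in nodes:
            found.add(src)
    return found


def associate(seeds, flows):
    """First pass: seeds plus their peers. Second pass: peers of that set."""
    node_set = set(seeds) | peers_of(seeds, flows)
    candidates = peers_of(node_set, flows)
    return node_set, candidates


def candidate_features(candidates, node_set, flows):
    """Hypothetical per-candidate features for the convergence step."""
    feats = {}
    for cand in candidates:
        all_peers, known = set(), set()
        for src, dst, _pkts in flows:
            if cand not in (src, dst):
                continue
            other = dst if src == cand else src
            all_peers.add(other)
            if other in node_set:
                known.add(other)
        ratio = len(known) / len(all_peers) if all_peers else 0.0
        feats[cand] = {"known_peers": len(known),
                       "all_peers": len(all_peers),
                       "known_ratio": ratio}
    return feats


def converge(features, min_known=2, min_ratio=0.5):
    """Threshold stand-in for the classifier (the patent selects a random forest)."""
    return {c for c, f in features.items()
            if f["known_peers"] >= min_known and f["known_ratio"] >= min_ratio}


def degree_table(nodes, flows):
    """(out-degree, in-degree) per node over flows between monitored nodes."""
    out_n, in_n = defaultdict(set), defaultdict(set)
    for src, dst, _pkts in flows:
        if src in nodes and dst in nodes:
            out_n[src].add(dst)
            in_n[dst].add(src)
    return {n: (len(out_n[n]), len(in_n[n])) for n in sorted(nodes)}


if __name__ == "__main__":
    node_set, candidates = associate(SEED_FULL_NODES, FLOWS)
    kept = converge(candidate_features(candidates, node_set, FLOWS))
    for node, (out_deg, in_deg) in degree_table(node_set | kept, FLOWS).items():
        print(f"{node:15s} out={out_deg} in={in_deg}")
```

In the constructed data, 203.0.113.80 reaches the second pass only because one node-set member contacted it, while most of its peers are unrelated hosts; this is the N3 case that the convergence step has to filter out.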
One embodiment is described below.
The method is based on one-in-a-thousand sampled NetFlow data from a city backbone network provided by an operator. Using the passive association method, it detects Ethereum nodes in the NetFlow traffic and can detect about 9000 Ethereum nodes per day. Detection convergence is performed by a machine learning method on the roughly 5000 nodes associated in the second iteration, and the accuracy can reach about 40%. Meanwhile, the detected nodes and the nodes obtained by converging the second-iteration associated nodes are behavior-monitored to obtain the real communication relations between the nodes; data sets of real Ethereum nodes and network communication relations are accumulated for two weeks and analyzed, giving measurement results in multiple dimensions such as node scale, node geographic distribution, node survival time, node out-degree and in-degree, network topology coverage and network connectivity.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the invention and do not limit them. Although the invention has been described in detail with reference to the embodiments, those skilled in the art should understand that modifications or equivalent substitutions may be made to the technical solutions of the invention without departing from their spirit and scope, and all such modifications are covered by the claims of the invention.

Claims (10)

1. A method for analyzing Ethereum network behavior, comprising the following steps:
1) monitoring network traffic data to obtain an Ethereum node set;
2) converging, with a machine learning classifier, the Ethereum iterative node set obtained from the Ethereum node set, to obtain an Ethereum converged node set;
3) monitoring the Ethereum node set and the Ethereum converged node set to obtain a communication relation data set, and analyzing the communication relation data set to obtain an Ethereum network attribute analysis result.
2. The method of claim 1, wherein obtaining the Ethereum node set comprises:
1) obtaining an Ethereum full node set using an Ethereum P2P node discovery method;
2) taking the Ethereum full node set as initial nodes and observing their traffic data in the network traffic data, to obtain a set of peer nodes that communicate with the initial nodes;
3) merging the Ethereum full node set and the peer node set to obtain the Ethereum node set.
3. The method of claim 1, wherein the network traffic data is NetFlow data; the network traffic data is sampled at a set ratio.
4. The method of claim 1, wherein the Ethereum iterative node set is obtained using an association method based on the P2P network connectivity characteristics of the nodes in the Ethereum node set.
5. The method of claim 1, wherein the machine learning classifier is logistic regression, SV, KNN, C4.5 decision tree, Adaboost, or random forest.
6. The method of claim 1, wherein the Ethereum node set and the Ethereum converged node set are monitored using a passive traffic monitoring method.
7. The method of claim 1, wherein the analysis method is an attribute analysis method, a link attribute analysis method, or a network topology attribute analysis method.
8. The method of claim 7, wherein the dimensions analyzed include node geographic distribution, node survival time, node out-degree and in-degree, network topology coverage, and network connectivity.
9. A storage medium having a computer program stored therein, wherein the computer program performs the method of any one of claims 1 to 8.
10. An electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the method of any one of claims 1 to 8.
Application CN201911359152.XA, priority date 2019-12-25, filing date 2019-12-25: Ethereum network behavior analysis method, corresponding storage medium and electronic device. Status: Pending. Published as CN111082995A (en).


Publications (1)

Publication Number Publication Date
CN111082995A (en) 2020-04-28

Family

ID=70317814



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20200428)