CN112422513A - Anomaly detection and attack initiator analysis system based on network traffic message - Google Patents

Info

Publication number: CN112422513A
Authority: CN (China)
Prior art keywords: attack, data, attribute, group, clustering
Legal status: Granted (the listed legal status is an assumption, not a legal conclusion)
Application number: CN202011155629.5A
Other languages: Chinese (zh)
Other versions: CN112422513B (en)
Inventors: 陈卓, 吴磊, 周亚金, 任奎, 赵俊, 单夏烨, 任新新, 段吉瑞
Current assignee: Guangtong Tianxia Network Technology Co ltd; Zhejiang University ZJU (the listed assignees may be inaccurate)
Original assignee: Guangtong Tianxia Network Technology Co ltd; Zhejiang University ZJU
Events: application filed by Guangtong Tianxia Network Technology Co ltd and Zhejiang University ZJU; priority to CN202011155629.5A; publication of CN112422513A; application granted; publication of CN112422513B; legal status Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
            • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
              • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
          • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
            • H04L2463/144 Detection or countermeasures against botnets
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F18/00 Pattern recognition
            • G06F18/20 Analysing
              • G06F18/23 Clustering techniques
                • G06F18/232 Non-hierarchical techniques
                  • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
                    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
        • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
          • G06N20/00 Machine learning

Abstract

The invention discloses an anomaly detection and attack initiator analysis system based on network traffic packets. It comprises: a data attribute extraction module, which intercepts raw packet data of network traffic at the firewall gateway, derives the traffic rate from the intercepted packets, parses packet information into basic attribute features and stores those features in a database; an attacker group feature generation module, which in turn standardizes the raw data, computes complex attributes from it, assigns a weight to each attribute, cross-validates clustering algorithms under an unsupervised machine-learning clustering index, and keeps the clustering model with the highest index score as the attacker group feature clusters; and an attack detection module, which matches every network attack packet that triggers a custom rule against the attack group features and incrementally corrects the attacker group features. The system can extract the characteristics of the initiator of a single attack and locate the suspected attacker.

Description

Anomaly detection and attack initiator analysis system based on network traffic message
Technical Field
The invention belongs to the field of network traffic anomaly detection and analysis, and in particular relates to an anomaly detection and attack initiator analysis system based on network traffic packets.
Background
With the popularity of mobile devices and the massive growth of IoT devices, network traffic rates have grown geometrically, accompanied by a flood of network attacks. In today's network environment the anomalous traffic of an attack is mixed in with massive volumes of regular traffic, which severely tests the protection of enterprise network assets. The enterprise firewall is the key facility protecting those assets: every packet sent from the external network to an internal server first reaches the firewall gateway and is then forwarded to the different internal service servers, so the firewall gateway routinely receives more packet data than can practically be counted, and that data contains attack traffic disguised by various attackers. Because of the enormous traffic rates, both storing the data and analysing it on the fly consume unacceptable amounts of space and time, so the cost of attack protection exceeds what enterprises will accept.
Meanwhile, the special nature of online assets tends to attract attacks from competitors or hackers, yet because the Internet is open and forwards any well-formed packet, conventional protection cannot identify the initiator or the real source of an attack, and no tracing of network attacks is available. The enterprise has no way to gather enough information to identify the suspected initiator of an attack, and therefore cannot refine its defences or secure evidence of who launched the attack.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides an anomaly detection and attack initiator analysis system based on network traffic packets, which can extract the characteristics of the initiator of a single attack and locate the suspected initiator. The specific technical scheme is as follows:
an anomaly detection and attack initiator analysis system based on network traffic packets comprises a data attribute extraction module, an attacker group feature generation module and an attack detection module;
the data attribute extraction module intercepts raw packet data of network traffic at the firewall gateway, derives the traffic rate from the intercepted packets, parses packet information into basic attribute features and stores those features in a database;
the attacker group feature generation module standardizes the raw data, then computes complex attributes from it, cross-validates classifiers and assigns each attribute a weight according to the best result, and finally cross-validates clustering algorithms under an unsupervised machine-learning clustering index, keeping the clustering model with the highest index score as the attacker group feature cluster;
the attack detection module performs matching analysis against the attack group features, and incremental correction of the attacker group features, for every network traffic packet that triggers a custom rule.
Further, the data attribute extraction module comprises the following three submodules:
(1) a packet interception submodule deployed on the firewall gateway, built from custom rules, which monitors the traffic rate of regular traffic that triggers no custom rule, intercepts the network traffic packets of anomalous traffic that does trigger a custom rule, forwards them to the data attribute analysis and calculation submodule, and also exposes an interface for modifying the custom rules;
(2) a data attribute analysis and calculation submodule deployed on the server, which judges whether each packet is valid, discards invalid packets, records the proportion of invalid packets, parses each attribute of the valid packets and discards encrypted content;
(3) a database storage submodule, which uses MongoDB as the database framework and records the parsed feature attributes in JSON format.
Further, when the attacker group feature generation module standardizes data, invalid data is discarded first; the data type is then determined, the format of non-numeric data is unified, part of the data is normalized, and part of the enumeration-type data is digitized.
Further, the attacker group feature generation module computes the complex attributes of the data by combining several raw data attributes.
Further, when the attacker group feature generation module assigns attribute feature weights, it uses the labelled attack types, takes the feature attributes produced by raw data standardization and complex attribute calculation as the training data set, cross-validates multiple classifiers, assigns each attribute a weight according to the best result, and discards attributes with a low weight share.
Further, when the attacker group feature generation module performs unsupervised machine-learning clustering, it first selects the attribute data with a high weight share, cross-validates several clustering algorithms, introduces several unsupervised machine-learning clustering indices, and adopts the clustering model with the highest index score to obtain the attacker group feature clustering.
Further, when the attack detection module performs matching analysis against the attack group features, it first computes, from the attribute features obtained by standardizing the new attack and calculating its complex attributes, the mapping distance between those features and the centroids of the existing attack group feature clusters; when the mapping distance does not exceed the maximum threshold, the attack is attributed to the attack group feature with the smallest mapping distance.
Further, when the attack detection module performs incremental correction of the attacker group features, an attack whose mapping distance exceeds the maximum threshold is made into a new attack group cluster that is added to the existing attack group features, and the centroids of the feature clusters are updated cyclically.
The invention has the following beneficial effects:
the anomaly detection and attack initiator analysis system builds a monitor with custom rules on the enterprise firewall to extract and store information from attack traffic, and so constructs a more complete database of the capability limits and preferences that characterize different attackers' behaviour; usable information is extracted by standardizing the basic information stored in the database and computing complex information, and low-value information is removed by weight analysis and screening, which reduces the storage required; attacker group features are then generated by machine learning, helping the enterprise extract the characteristics of the initiator of a single attack and locate the suspected initiator.
Drawings
Fig. 1 shows the anomaly detection and attack initiator analysis system based on network traffic packets according to the present invention.
Detailed Description
The present invention is described in detail below with reference to the accompanying drawing and preferred embodiments, which will make its objects and effects more apparent; it should be understood that the specific embodiments described here merely illustrate the invention and are not intended to limit it.
As shown in fig. 1, the anomaly detection and attack initiator analysis system based on network traffic packets of the present invention includes:
(1) The data attribute extraction module, which intercepts raw packet data of network traffic at the firewall gateway, derives the traffic rate from the intercepted packets, parses packet information into basic attribute features and stores those features in a database. The module is deployed as three submodules:
1) a packet interception submodule deployed on the firewall gateway, built from custom rules, which monitors the traffic rate of regular traffic that triggers no custom rule, intercepts the network traffic packets of anomalous traffic that does trigger a custom rule, forwards them to the data attribute analysis and calculation submodule, and also exposes an interface for modifying the custom rules; here the network traffic packets are all the packets belonging to a single attack that triggered a custom attack rule of the packet interception submodule;
2) a data attribute analysis and calculation submodule deployed on the server, which judges whether each packet is valid, discards invalid packets, records the proportion of invalid packets, parses each attribute of the valid packets and discards encrypted content;
3) a database storage submodule, which uses MongoDB as the database framework and records the parsed feature attributes in JSON format.
(2) The attacker group feature generation module, which performs the following functions in sequence: 1) raw data standardization; 2) complex attribute feature calculation; 3) attribute feature weight assignment; 4) unsupervised machine-learning clustering. Together these integrate the information from (1) and generate the cluster features. The specific steps are:
1) Raw data standardization: for anomalous network traffic that triggers a custom rule, first discard invalid data such as records of illegal data type or special values, then determine the data types, unify the format of non-numeric data, normalize part of the data and digitize part of the enumeration-type data;
2) Complex attribute feature calculation: attributes computed by combining several raw data attributes, such as the port pairing relation, the proportion taken by each port, the source IP proportion and the IP pairing proportion, which carry higher-level meaning that no single raw attribute has;
3) Attribute feature weight assignment: using the labelled attack types, take the feature attributes produced by raw data standardization and complex attribute feature calculation as the training data set, cross-validate several classifiers (such as ridge regression, support vector machines and random forests), assign each attribute a weight according to the best result, and discard attributes with a low weight share;
4) Unsupervised machine-learning clustering: select the attribute data left with a high weight share after the screening of step 3), cross-validate several clustering algorithms (such as k-means, Mean-shift, spectral clustering and hierarchical clustering), introduce several unsupervised machine-learning clustering indices (such as the centroid distance index, the intra-cluster variance index, the cluster ratio layout index and the Calinski-Harabasz score), and adopt the clustering model with the highest index score to obtain the attacker group feature clustering. The attacker group features are the capability limits and preferences that attackers of different types exhibit when launching network attacks, typically expressed as the peak traffic rate, the attack duration and the packet disguising preferences during an attack.
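Steps 1) and 2) of this module, as an added Python example that is not the patent's own code: it standardizes a constructed batch of packet summaries (the record schema, the protocol enumeration codes and the 1500-byte normalisation denominator are assumptions) and derives the attack-level complex attributes the text names, such as per-port share, source IP proportion, IP repeat rate and IP/port pairing.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed packet summaries for one rule-triggered attack window
# (an assumption for this example; the patent does not give its schema).
RAW_PACKETS = [
    {"src": "203.0.113.5",  "dst_port": 80,    "proto": "TCP",  "len": 1200},
    {"src": "203.0.113.5",  "dst_port": 80,    "proto": "TCP",  "len": 1180},
    {"src": "203.0.113.9",  "dst_port": 443,   "proto": "TCP",  "len": 90},
    {"src": "198.51.100.7", "dst_port": 53,    "proto": "UDP",  "len": 512},
    {"src": "198.51.100.7", "dst_port": 53,    "proto": "udp",  "len": 512},
    {"src": "not-an-ip",    "dst_port": 80,    "proto": "TCP",  "len": 60},   # invalid address
    {"src": "203.0.113.9",  "dst_port": 70000, "proto": "TCP",  "len": 60},   # invalid port
    {"src": "203.0.113.5",  "dst_port": 80,    "proto": "ICMP", "len": -1},   # invalid length
]

PROTO_CODES = {"TCP": 0, "UDP": 1, "ICMP": 2}   # enumeration type digitised (assumed codes)
MAX_LEN = 1500.0                                 # normalisation denominator (assumed MTU)


def standardize(records):
    """Step 1: drop invalid records, unify formats, normalise numeric fields
    and digitise the protocol enumeration. Returns (clean_records, invalid_ratio)."""
    clean = []
    for rec in records:
        try:
            src = str(ip_address(rec["src"]))            # canonical address text
            port = int(rec["dst_port"])
            length = int(rec["len"])
            proto = PROTO_CODES[str(rec["proto"]).upper()]  # "udp" and "UDP" unified
        except (KeyError, ValueError, TypeError):
            continue                                      # illegal type or unknown enum
        if not 0 <= port <= 65535 or length < 0:
            continue                                      # out-of-range special value
        clean.append({"src": src, "dst_port": port, "proto": proto,
                      "len_norm": min(length / MAX_LEN, 1.0)})
    invalid_ratio = 1 - len(clean) / len(records) if records else 0.0
    return clean, invalid_ratio


def complex_attributes(clean):
    """Step 2: attack-level attributes built from several raw attributes,
    which no single packet carries on its own."""
    n = len(clean)
    if n == 0:
        return {}
    ports = Counter(r["dst_port"] for r in clean)
    srcs = Counter(r["src"] for r in clean)
    protos = Counter(r["proto"] for r in clean)
    pairs = Counter((r["src"], r["dst_port"]) for r in clean)   # port pairing relation
    return {
        "port_share": {p: c / n for p, c in ports.items()},     # proportion per port
        "top_port_share": max(ports.values()) / n,
        "src_ip_share": len(srcs) / n,                           # distinct sources per packet
        "ip_repeat_rate": 1 - len(srcs) / n,                     # how often a source recurs
        "ip_port_pair_share": len(pairs) / n,                    # IP pairing proportion
        "icmp_share": protos.get(PROTO_CODES["ICMP"], 0) / n,
        "mean_len_norm": sum(r["len_norm"] for r in clean) / n,
    }


if __name__ == "__main__":
    clean, bad = standardize(RAW_PACKETS)
    print(f"kept {len(clean)} of {len(RAW_PACKETS)} packets, invalid ratio {bad:.3f}")
    for key, value in complex_attributes(clean).items():
        print(f"{key}: {value}")
```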
(3) The attack detection module, which performs matching analysis against the attack group features, and incremental correction of the attacker group features, for every network traffic packet that triggers a custom rule. The steps are:
1) Matching analysis against the attack group features: a traffic packet that triggers a custom rule first passes through raw data standardization and complex attribute feature calculation in the attacker group feature generation module. The module then performs matching analysis, that is, it computes the mapping distance between the packet's features and the centroids of the different attack group feature clusters, and when the mapping distance does not exceed the maximum threshold the packet is attributed to the attack group feature with the smallest mapping distance;
2) Incremental correction of the attacker group features: an attack whose mapping distance exceeds the maximum threshold is made into a new attack group cluster, which is added to the existing attack group features, and the centroids of the feature clusters are updated cyclically in the same manner.
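The matching and incremental correction steps above, as an added Python example that is not the patent's code: the three known group centroids, their member counts and the maximum distance threshold are constructed assumptions, and the mapping distance is taken as Euclidean, which the patent does not specify. A sample within the threshold is folded into the nearest group by a running-mean centroid update; a sample beyond it opens a new group.

```python
import math


def distance(a, b):
    """Euclidean mapping distance (assumed; the patent does not fix the metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class AttackGroupIndex:
    """Attack-group feature clusters held as centroid + member count, with
    threshold matching and incremental (running-mean) centroid correction."""

    def __init__(self, groups, max_distance):
        # groups: {name: (centroid, member_count)}; list() makes centroids mutable
        self.groups = {name: [list(c), n] for name, (c, n) in groups.items()}
        self.max_distance = max_distance
        self._next_new = 1

    def classify(self, feature):
        """Attribute one standardized attack feature vector to a group.
        Returns (group_name, mapping_distance, created_new_group)."""
        best_name, best_d = None, math.inf
        for name, (centroid, _) in self.groups.items():
            d = distance(feature, centroid)
            if d < best_d:
                best_name, best_d = name, d
        if best_name is not None and best_d <= self.max_distance:
            self._fold_in(best_name, feature)        # incremental correction
            return best_name, best_d, False
        # beyond the threshold: open a new group seeded by this attack
        name = f"new-group-{self._next_new}"
        self._next_new += 1
        self.groups[name] = [list(feature), 1]
        return name, best_d, True

    def _fold_in(self, name, feature):
        centroid, n = self.groups[name]
        for i, x in enumerate(feature):
            centroid[i] += (x - centroid[i]) / (n + 1)   # running-mean centroid update
        self.groups[name][1] = n + 1

    def centroid(self, name):
        return tuple(self.groups[name][0])

    def size(self, name):
        return self.groups[name][1]


# Constructed known groups (assumption): (peak_rate_norm, duration_norm,
# malformed_ratio) centroids and how many attacks each was built from.
KNOWN_GROUPS = {
    "volumetric flood": ((0.9, 0.8, 0.7), 40),
    "low and slow":     ((0.1, 0.9, 0.1), 12),
    "short burst":      ((0.6, 0.1, 0.3), 25),
}
MAX_DISTANCE = 0.15   # maximum mapping-distance threshold (assumed value)

if __name__ == "__main__":
    index = AttackGroupIndex(KNOWN_GROUPS, MAX_DISTANCE)
    for vec in [(0.88, 0.82, 0.68), (0.3, 0.5, 0.9), (0.31, 0.49, 0.9)]:
        print(vec, "->", index.classify(vec))
```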
As shown in fig. 1, the anomaly detection and attack initiator analysis system based on network traffic packets of the present invention is deployed on an enterprise-grade firewall connected to the live production network. Custom rules, the sensitive traffic rate threshold and the duration are configured, while the firewall's operation and the connection ports of the server database are maintained. The system was carried on the enterprise-grade firewall for more than a month of operation, in particular maintaining traffic monitoring and attacker mining for a single service.
The following example of a specific application of the system verifies its functional effect.
Example 1
For DDoS attacks, the most common and widespread kind, the attack usually manifests in two ways:
first, DDoS attacks often show an extremely high attack rate and a long attack duration, so that a server with weak processing capacity is paralysed and cannot handle normal requests;
second, the packets of a DDoS attack are often malformed and repetitive, and even where IP spoofing is used to bypass interception, the content of the attack packets is disordered.
If the attacks come from the same initiator, who has hijacked numerous zombie machines to launch them, conventional attack detection can only observe that the traffic rate is abnormal and block some anomalous IPs, whereas the attacker can change its IP and even its signature by disguise to bypass the blacklist and keep the DDoS attack going for a long time.
To identify the suspects behind such attacks, the database in the system records summary information and traffic rate information for all DDoS attacks over a long period, and stores the attack records of attackers whose sources have been accurately labelled, which ensures the richness and completeness of the attacker information.
To find the suspects behind a DDoS attack, the attacker group feature generation module of the system standardizes the data and produces complex attributes over a 30G network traffic summary, generating complex attributes such as the data port proportion, the source IP proportion, the IP repetition rate and the IP packet type, and discarding various low-weight attributes such as the minimum port value and the ICMP packet proportion through weight assignment.
Finally, the high-weight attributes are cross-validated with the k-means, Mean-shift, spectral and hierarchical clustering algorithms, and the best classification is determined to be the k-means result with 5 clusters, which has the highest Calinski-Harabasz score. The largest class holds 40.78% of the samples and the smallest 2.8%, and the variance distance between centroids is far higher than the intra-cluster variance, so the classification is clearly separated. Feedback from the enterprise side on the attacker judgements also indicates that the classification performs well.
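The cluster-count selection of Example 1, as an added Python example that is not the patent's code: a small pure-Python k-means with deterministic farthest-point seeding and the Calinski-Harabasz index, run over constructed attacker-feature vectors (peak rate, duration, malformed-packet ratio; three behaviour groups of six points each are an assumption), keeping the k with the highest score. Standard-library only, so it runs offline.

```python
import math


def sq_dist(a, b):
    """Squared Euclidean distance (the patent leaves the metric unspecified)."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def mean_point(points):
    dims = len(points[0])
    return tuple(sum(p[i] for p in points) / len(points) for i in range(dims))


def kmeans(points, k, max_iter=100):
    """Lloyd's k-means with deterministic farthest-point seeding.
    Returns (labels, centers)."""
    centers = [points[0]]
    while len(centers) < k:
        # next seed: the point farthest from its nearest existing seed
        centers.append(max(points, key=lambda p: min(sq_dist(p, c) for c in centers)))
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: sq_dist(p, centers[j])) for p in points]
        if new_labels == labels:
            break                              # assignments stable: converged
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:                        # an empty cluster keeps its old centre
                centers[j] = mean_point(members)
    return labels, centers


def calinski_harabasz(points, labels, centers):
    """Between-cluster dispersion over within-cluster dispersion, each scaled by
    its degrees of freedom; higher means tighter, better separated clusters."""
    n, k = len(points), len(centers)
    if k < 2 or k >= n:
        return 0.0                             # index undefined for these k
    overall = mean_point(points)
    within = sum(sq_dist(p, centers[lab]) for p, lab in zip(points, labels))
    between = sum(labels.count(j) * sq_dist(centers[j], overall) for j in range(k))
    if within == 0:
        return math.inf
    return (between / (k - 1)) / (within / (n - k))


def select_cluster_count(points, candidates):
    """Cross-validate k-means over candidate k and keep the highest CH score."""
    scores = {k: calinski_harabasz(points, *kmeans(points, k)) for k in candidates}
    best_k = max(scores, key=scores.get)
    return best_k, scores


# Constructed attacker-feature vectors (an assumption, not patent data):
# (peak_rate_norm, duration_norm, malformed_ratio) for three behaviour groups,
# each centre jittered along every axis to give six samples per group.
GROUP_CENTERS = {
    "volumetric flood": (0.9, 0.8, 0.7),
    "low and slow":     (0.1, 0.9, 0.1),
    "short burst":      (0.6, 0.1, 0.3),
}
JITTER = [(0.02, 0, 0), (-0.02, 0, 0), (0, 0.02, 0),
          (0, -0.02, 0), (0, 0, 0.02), (0, 0, -0.02)]
FEATURES = [tuple(c + off for c, off in zip(center, jit))
            for center in GROUP_CENTERS.values() for jit in JITTER]

if __name__ == "__main__":
    best_k, scores = select_cluster_count(FEATURES, range(2, 7))
    for k, score in scores.items():
        print(f"k={k}: Calinski-Harabasz={score:.1f}")
    print("selected cluster count:", best_k)
```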
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.

Claims (8)

1. An anomaly detection and attack initiator analysis system based on network traffic packets, characterized in that it comprises a data attribute extraction module, an attacker group feature generation module and an attack detection module;
the data attribute extraction module intercepts raw packet data of network traffic at the firewall gateway, derives the traffic rate from the intercepted packets, parses packet information into basic attribute features and stores those features in a database;
the attacker group feature generation module standardizes the raw data, then computes complex attributes from it, cross-validates classifiers and assigns each attribute a weight according to the best result, and finally cross-validates clustering algorithms under an unsupervised machine-learning clustering index, keeping the clustering model with the highest index score as the attacker group feature cluster;
the attack detection module performs matching analysis against the attack group features, and incremental correction of the attacker group features, for every network traffic packet that triggers a custom rule.
2. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein the data attribute extraction module comprises the following three submodules:
(1) a packet interception submodule deployed on the firewall gateway, built from custom rules, which monitors the traffic rate of regular traffic that triggers no custom rule, intercepts the network traffic packets of anomalous traffic that does trigger a custom rule, forwards them to the data attribute analysis and calculation submodule, and also exposes an interface for modifying the custom rules;
(2) a data attribute analysis and calculation submodule deployed on the server, which judges whether each packet is valid, discards invalid packets, records the proportion of invalid packets, parses each attribute of the valid packets and discards encrypted content;
(3) a database storage submodule, which uses MongoDB as the database framework and records the parsed feature attributes in JSON format.
3. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein when the attacker group feature generation module standardizes data, invalid data is discarded first; the data type is then determined, the format of non-numeric data is unified, part of the data is normalized, and part of the enumeration-type data is digitized.
4. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein the attacker group feature generation module computes the complex attributes of the data by combining several raw data attributes.
5. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein when the attacker group feature generation module assigns attribute feature weights, it uses the labelled attack types, takes the feature attributes produced by raw data standardization and complex attribute feature calculation as the training data set, cross-validates multiple classifiers, assigns each attribute a weight according to the best result, and discards attributes with a low weight share.
6. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein when the attacker group feature generation module performs unsupervised machine-learning clustering, it first selects the attribute data with a high weight share, cross-validates several clustering algorithms, introduces several unsupervised machine-learning clustering indices, and adopts the clustering model with the highest index score to obtain the attacker group feature clustering.
7. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein when the attack detection module performs matching analysis against the attack group features, it computes, from the attribute features obtained by standardizing the new attack and calculating its complex attributes, the mapping distance between those features and the centroids of the existing attack group feature clusters, and when the mapping distance does not exceed the maximum threshold the attack is attributed to the attack group feature with the smallest mapping distance.
8. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 7, wherein when the attack detection module performs incremental correction of the attacker group features, an attack whose mapping distance exceeds the maximum threshold is made into a new attack group cluster that is added to the existing attack group features, and the centroids of the feature clusters are updated in the same manner.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011155629.5A CN112422513B (en) 2020-10-26 2020-10-26 Anomaly detection and attack initiator analysis system based on network traffic message

Publications (2)

Publication Number Publication Date
CN112422513A true CN112422513A (en) 2021-02-26
CN112422513B CN112422513B (en) 2021-10-26

Family

ID=74841553

Country Status (1)

Country Link
CN (1) CN112422513B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001825A (en) * 2012-11-15 2013-03-27 中国科学院计算机网络信息中心 Method and system for detecting DNS (domain name system) traffic abnormality
US20160219067A1 (en) * 2015-01-28 2016-07-28 Korea Internet & Security Agency Method of detecting anomalies suspected of attack, based on time series statistics
CN109960729A (en) * 2019-03-28 2019-07-02 国家计算机网络与信息安全管理中心 Detection method and system for HTTP malicious traffic
WO2019167847A1 (en) * 2018-02-27 2019-09-06 日本電信電話株式会社 Classification device and classification method
CN110213287A (en) * 2019-06-12 2019-09-06 北京理工大学 Dual-mode intrusion detection device based on an ensemble machine learning algorithm
CN110519248A (en) * 2019-08-19 2019-11-29 光通天下网络科技股份有限公司 Method, apparatus and electronic device for DDoS attack determination and traffic cleaning
CN111107102A (en) * 2019-12-31 2020-05-05 上海海事大学 Real-time network traffic anomaly detection method based on big data
CN111507368A (en) * 2020-01-03 2020-08-07 浙江大学 Campus network intrusion detection method and system
CN111800430A (en) * 2020-07-10 2020-10-20 南方电网科学研究院有限责任公司 Attack group identification method, device, equipment and medium

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Julija Asmuss, Gunars Lauks: "Network traffic classification for anomaly detection: fuzzy clustering based approach", 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery *
Shang Gao, Zhe Peng, Bin Xiao, Aiqun Hu, Yubo Song, Kui Ren: "Detection and Mitigation of DoS Attacks in Software Defined Networks", ACM Transactions on Networking *
任奎, 王丁玎, 周亚金: "A Survey of Software Security of Internet of Things Devices", Journal of Guangzhou University *
吴晓平, 周舟, 李洪成: "Research and Implementation of Network Traffic Anomaly Detection Based on Unsupervised Learning under the Spark Framework", Netinfo Security *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113949555A (en) * 2021-10-13 2022-01-18 中国商用飞机有限责任公司 Online network defense method and system based on time mark and data comparison module
CN114205161A (en) * 2021-12-13 2022-03-18 北京影安电子科技有限公司 Network attacker discovering and tracking method
CN114205161B (en) * 2021-12-13 2024-03-29 北京影安电子科技有限公司 Network attacker discovery and tracking method
CN115277098A (en) * 2022-06-27 2022-11-01 深圳铸泰科技有限公司 Intelligent learning-based network flow anomaly detection device and method
CN115277098B (en) * 2022-06-27 2023-07-18 深圳铸泰科技有限公司 Network flow abnormality detection device and method based on intelligent learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PP01 Preservation of patent right
Effective date of registration: 20230817
Granted publication date: 20211026