CN112422513A - Anomaly detection and attack initiator analysis system based on network traffic message - Google Patents
- Publication number: CN112422513A (application CN202011155629.5A)
- Authority: CN (China)
- Prior art keywords: attack, data, attribute, group, clustering
- Legal status: Granted (the status shown is Google's assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1416—Event detection, e.g. attack signature detection
        - H04L63/1425—Traffic logging, e.g. anomaly detection
      - H04L63/1441—Countermeasures against malicious traffic
        - H04L63/1458—Denial of Service
    - H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
      - H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
  - H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    - H04L2463/144—Detection or countermeasures against botnets
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING
  - G06F—ELECTRIC DIGITAL DATA PROCESSING
    - G06F18/00—Pattern recognition
      - G06F18/20—Analysing
        - G06F18/23—Clustering techniques
          - G06F18/232—Non-hierarchical techniques
            - G06F18/2321—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
              - G06F18/23213—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
  - G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    - G06N20/00—Machine learning
Abstract
The invention discloses an anomaly detection and attack initiator analysis system based on network traffic packets, which comprises: a data attribute extraction module, which intercepts the raw packet data of the network traffic at the firewall gateway, derives the traffic rate from the intercepted packets, parses the packet contents into basic attribute features, and stores those features in a database; an attacker group feature generation module, which in turn standardizes the raw data, computes complex attributes from it, assigns a weight to each attribute, cross-validates several clustering algorithms, introduces an unsupervised machine learning clustering index, and adopts the clustering model with the highest index score to obtain the attacker group feature clusters; and an attack detection module, which performs attack group feature matching and incremental correction of the attacker group features on every network attack packet that triggers the custom rules. The system can mine the characteristics of the initiator of a single attack and locate the suspected initiator.
Description
Technical Field
The invention belongs to the field of network traffic anomaly detection and analysis, and in particular relates to an anomaly detection and attack initiator analysis system based on network traffic packets.
Background
With the popularity of mobile devices and the massive growth of IoT devices, network traffic rates have grown geometrically, accompanied by a flood of network attacks. In today's network environment the abnormal traffic of network attacks is mixed in with huge volumes of ordinary traffic, which severely tests the protection of enterprise network assets. The enterprise firewall is the key facility protecting those assets: every packet sent from the external network to an internal server first reaches the firewall gateway and is then forwarded by it to the various internal service servers, so the firewall gateway receives a volume of packet data that is hard even to count, and hidden in that volume is attack data disguised by many different attackers. Because of the enormous traffic rates, both storing that data and analysing it in real time consume unacceptable amounts of space and time, which pushes the cost of attack protection beyond what enterprises will accept.
At the same time, the special nature of online assets tends to attract attacks from competitors or hackers, yet because of the openness of the internet any correctly formatted packet can be forwarded and circulated, so the initiator and the real source of an attack escape identification by conventional protection work and network attacks cannot be traced. The enterprise has no way to gather enough information to find out who the suspected initiator is, and so cannot further improve its defences or secure evidence that the attack was initiated.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides an anomaly detection and attack initiator analysis system based on network traffic packets, which can mine the characteristics of the initiator of a single attack and locate the suspected initiator. The specific technical scheme is as follows:
an anomaly detection and attack initiator analysis system based on network traffic packets comprises a data attribute extraction module, an attacker group feature generation module and an attack detection module;
the data attribute extraction module intercepts the raw packet data of the network traffic at the firewall gateway, derives the traffic rate from the intercepted packets, parses the packet contents into basic attribute features, and stores those features in a database;
the attacker group feature generation module standardizes the raw data, then computes complex attributes from it, cross-validates classifiers and assigns a weight to each attribute according to the best result, and finally cross-validates clustering algorithms, introduces an unsupervised machine learning clustering index, and adopts the clustering model with the highest index score to obtain the attacker group feature clusters;
the attack detection module performs attack group feature matching and incremental correction of the attacker group features on every network traffic packet that triggers the custom rules.
Further, the data attribute extraction module comprises the following three submodules:
(1) a packet interception submodule deployed on the firewall gateway, built from custom rules, which monitors the traffic rate of ordinary traffic that does not trigger a custom rule, intercepts the network traffic packets of abnormal traffic that does trigger a custom rule, forwards them to the data attribute analysis and calculation submodule, and also exposes an interface for modifying the custom rules;
(2) a data attribute analysis and calculation submodule deployed on the server, which judges whether each packet is legal, discards illegal packets while recording their proportion, parses every attribute of the legal packets, and discards encrypted content;
(3) a database storage submodule, which uses MongoDB as the database framework and records the parsed feature attributes in JSON format.
Further, when the attacker group feature generation module standardizes data, invalid data is discarded first; then the data type is determined, the format of non-numeric data is unified, part of the data is normalized, and part of the enumeration types are digitized.
Further, the attacker group feature generation module computes the complex attributes of the data by combining several raw data attributes.
Further, when the attacker group feature generation module assigns attribute feature weights, it uses the labelled attack types and takes the feature attributes produced by raw data standardization and complex attribute calculation as the training data set, cross-validates several classifiers, assigns a weight to each attribute according to the best result, and discards attributes with a low weight share.
Further, when the attacker group feature generation module performs unsupervised machine learning clustering, it first selects the attribute data with a high weight share, cross-validates several clustering algorithms, introduces several unsupervised machine learning clustering indices, and adopts the clustering model with the highest index score to obtain the attacker group feature clusters.
Further, when the attack detection module performs attack group feature matching, it first computes, from the attribute features obtained by standardizing the new attack and calculating its complex attributes, the mapping distance between those features and the centroid of each existing attack group feature cluster; when the mapping distance does not exceed the maximum threshold, the attack is assigned to the attack group whose centroid is at the minimum mapping distance.
Further, when the attack detection module performs incremental correction of the attacker group features, for attack features whose mapping distance is greater than the maximum threshold a new attack group cluster is generated and added to the existing attack group features, and the centroids of the feature clusters are updated cyclically in the same way.
The invention has the following beneficial effects:
the anomaly detection and attack initiator analysis system completes the extraction and storage of attack traffic data by building a monitor with custom rules on the enterprise firewall, and builds a more complete database of the behavioural limitations and preferences of different attackers; usable information is extracted by standardizing the basic information stored in the database and calculating complex information, and low-value information is removed by weight analysis and screening, which reduces the storage volume; the attacker group features are generated by a machine learning method, which helps the enterprise mine the characteristics of the initiator of a single attack and locate the suspected initiator.
Drawings
Fig. 1 shows the anomaly detection and attack initiator analysis system based on network traffic packets according to the invention.
Detailed Description
The invention is described in detail below with reference to the accompanying drawing and preferred embodiments, so that its objects and effects become clearer; it should be understood that the specific embodiments described here merely illustrate the invention and are not intended to limit it.
As shown in fig. 1, the anomaly detection and attack initiator analysis system based on network traffic packets of the invention includes:
(1) a data attribute extraction module, which intercepts the raw packet data of the network traffic at the firewall gateway, derives the traffic rate from the intercepted packets, parses the packet contents into basic attribute features, and stores those features in a database; the module is realized by three deployed submodules:
firstly, a packet interception submodule deployed on the firewall gateway, built from custom rules, which monitors the traffic rate of ordinary traffic that does not trigger a custom rule, intercepts the network traffic packets of abnormal traffic that does trigger a custom rule, forwards them to the data attribute analysis and calculation submodule, and also exposes an interface for modifying the custom rules; the network traffic packets are all the packets contained in a single attack that triggers a custom attack rule of the packet interception submodule;
secondly, a data attribute analysis and calculation submodule deployed on the server, which judges whether each packet is legal, discards illegal packets while recording their proportion, parses every attribute of the legal packets, and discards encrypted content;
thirdly, a database storage submodule, which uses MongoDB as the database framework and records the parsed feature attributes in JSON format.
(2) An attacker group feature generation module, which performs the following functions in sequence: 1) raw data standardization; 2) complex attribute feature calculation; 3) attribute feature weight assignment; 4) unsupervised machine learning clustering. It thereby integrates the information from (1) and generates cluster features. The specific steps are as follows:
firstly, raw data standardization: for the abnormal network traffic that triggered a custom rule, invalid data (such as illegal data types and special values) is discarded first; then the data type is determined, the format of non-numeric data is unified, part of the data is normalized and part of the enumeration types are digitized;
secondly, complex attribute feature calculation: the calculated attributes combine several raw data attributes, for example the port pairing relation, the proportion of different ports, the source IP proportion and the IP pairing proportion, and carry a higher-level meaning that no single raw attribute possesses;
thirdly, attribute feature weight assignment: using the labelled attack types, the feature attributes produced by raw data standardization and complex attribute feature calculation form the training data set; several classifiers (such as ridge regression, support vector machines and random forests) are cross-validated, a weight is assigned to each attribute according to the best result, and attributes with a low weight share are discarded;
fourthly, unsupervised machine learning clustering: the attribute data with a high weight share, as screened in the weight assignment step, is selected, several clustering algorithms (such as k-means, Mean-shift, spectral clustering and hierarchical clustering) are cross-validated, several unsupervised machine learning clustering indices are introduced (such as the centroid distance index, the intra-cluster variance index, the clustering ratio layout index and the Calinski-Harabasz score), and the clustering model with the highest index score is adopted to obtain the attacker group feature clusters. The attacker group features are the capability limitations and preferences exhibited by different types of attackers when launching network attacks, typically expressed as the peak traffic rate limit, the attack duration and the packet disguising preferences during the attack period.
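As an added illustration (not code from the patent), the following Python sketches the data attribute analysis submodule of the extraction module together with steps 1 and 2 of the feature generation module: each intercepted packet record is checked for legality, illegal records are dropped and their proportion recorded, encrypted payload is not stored, non-numeric fields are unified and the protocol enumeration digitized, and the resulting JSON-ready records are combined into complex attributes such as the port pairing share, the per-port share, the source IP share and the IP repetition rate. The field names, the protocol code table and the packet records are constructed assumptions; the weight assignment and clustering steps are not included.

```python
"""Constructed example: from intercepted packet records to standardized
basic attributes and complex (combined) attributes. Hypothetical field
names; not the patent's code."""
import json
from collections import Counter
from ipaddress import ip_address

# Enumeration type that is digitized (assumed code table).
PROTO_CODE = {"TCP": 0, "UDP": 1, "ICMP": 2}

# Constructed raw records as the interception submodule might forward them.
RAW_PACKETS = [
    {"ts": 1.00, "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40001, "dport": 80, "proto": "tcp", "len": 60, "payload": "GET / HTTP/1.1"},
    {"ts": 1.01, "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40002, "dport": 80, "proto": "TCP", "len": 60, "payload": "GET / HTTP/1.1"},
    {"ts": 1.02, "src": "198.51.100.9", "dst": "192.0.2.10", "sport": 53001, "dport": 443, "proto": "TCP", "len": 1500, "payload": "\x16\x03\x01", "encrypted": True},
    {"ts": 1.03, "src": "203.0.113.4", "dst": "192.0.2.10", "sport": 0, "dport": 0, "proto": "ICMP", "len": 84, "payload": "echo"},
    {"ts": 1.04, "src": "not-an-ip", "dst": "192.0.2.10", "sport": 1, "dport": 80, "proto": "TCP", "len": 60, "payload": ""},      # illegal: bad address
    {"ts": 1.05, "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 70000, "dport": 80, "proto": "TCP", "len": 60, "payload": ""},  # illegal: port out of range
    {"ts": 1.06, "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40003, "dport": 80, "proto": "GRE", "len": 60, "payload": ""},  # invalid: unknown enumeration
]

def is_legal(p):
    """Legality check of the analysis submodule: well-formed addresses,
    ports in range, known protocol enumeration. Illegal packets are discarded."""
    try:
        ip_address(p["src"])
        ip_address(p["dst"])
    except ValueError:
        return False
    if not (0 <= p["sport"] <= 65535 and 0 <= p["dport"] <= 65535):
        return False
    return str(p["proto"]).upper() in PROTO_CODE

def standardize(p):
    """Unify formats of non-numeric fields and digitize the enumeration;
    encrypted payload is discarded rather than stored."""
    rec = {
        "ts": float(p["ts"]),
        "src": p["src"], "dst": p["dst"],
        "sport": int(p["sport"]), "dport": int(p["dport"]),
        "proto": PROTO_CODE[str(p["proto"]).upper()],
        "len": int(p["len"]),
    }
    if not p.get("encrypted", False):
        rec["payload_len"] = len(p["payload"])
    return rec

def extract(packets):
    """Returns (JSON-serialisable basic attribute records, proportion of illegal packets)."""
    legal = [standardize(p) for p in packets if is_legal(p)]
    illegal_ratio = 1 - len(legal) / len(packets) if packets else 0.0
    return legal, illegal_ratio

def complex_attributes(records):
    """Combine basic attributes into higher-level ones for one attack window:
    packet rate, dominant port pairing share, per-port share, source IP share,
    source IP repetition rate and ICMP share."""
    n = len(records)
    duration = max(r["ts"] for r in records) - min(r["ts"] for r in records)
    pair_counts = Counter((r["sport"], r["dport"]) for r in records)
    dport_counts = Counter(r["dport"] for r in records)
    src_counts = Counter(r["src"] for r in records)
    proto_counts = Counter(r["proto"] for r in records)
    return {
        "packet_rate": n / duration if duration > 0 else float(n),
        "top_port_pair_share": pair_counts.most_common(1)[0][1] / n,
        "dport_share": {str(k): v / n for k, v in dport_counts.items()},
        "distinct_src_share": len(src_counts) / n,
        "src_ip_repeat_rate": 1 - len(src_counts) / n,
        "icmp_share": proto_counts[PROTO_CODE["ICMP"]] / n,
    }

if __name__ == "__main__":
    recs, bad = extract(RAW_PACKETS)
    print(json.dumps(recs))          # what the storage submodule would ingest
    print(round(bad, 3), complex_attributes(recs))
```

Of the seven constructed packets, three fail the legality check, so the recorded illegal proportion is 3/7; the encrypted TLS record keeps its header fields but no payload length, which is the point of discarding encrypted content before storage.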
(3) The attack detection module performs attack group feature matching and incremental correction of the attacker group features on every network traffic packet that triggers a custom rule, in the following steps:
firstly, attack group feature matching: for a traffic packet that triggers a custom rule, raw data standardization and complex attribute feature calculation are first performed by the attacker group feature generation module. The module then performs attack group feature matching, that is, it calculates the mapping distance between the packet's features and the centroid of each attack group feature cluster, and when the mapping distance does not exceed the maximum threshold the packet is assigned to the attack group whose centroid is at the minimum mapping distance;
secondly, incremental correction of the attacker group features: for attack features whose mapping distance is greater than the maximum threshold, a new attack group cluster is generated and added to the existing attack group features, and the centroids of the feature clusters are updated cyclically in the same way.
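As an added example (not the patent's code), this Python shows the two steps of the attack detection module on constructed data: a new attack's standardized feature vector is compared with every existing group centroid, assigned to the nearest group when its mapping distance is within the maximum threshold, and otherwise opens a new group; each absorbed attack corrects its group's centroid as a running mean. The feature order, the seed centroids, the threshold value and the sample attacks are assumptions.

```python
"""Constructed example of attack group matching and incremental centroid
correction. Not the patent's code; feature names, seed centroids, the
threshold and the sample vectors are assumptions."""
import math

# Assumed feature order of every vector (all already scaled to [0, 1]).
FEATURES = ("peak_flow_rate", "duration", "src_ip_repeat_rate", "top_port_pair_share")

class AttackGroup:
    """One attacker group feature cluster: its centroid and the number of attacks absorbed."""
    def __init__(self, centroid):
        self.centroid = list(centroid)
        self.count = 1

    def absorb(self, vec):
        """Incremental correction: the centroid becomes the running mean of absorbed attacks."""
        self.count += 1
        for i, x in enumerate(vec):
            self.centroid[i] += (x - self.centroid[i]) / self.count

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class AttackDetector:
    def __init__(self, seed_centroids, max_distance):
        self.groups = [AttackGroup(c) for c in seed_centroids]
        self.max_distance = max_distance

    def classify(self, vec):
        """Returns (group index, mapping distance to the nearest existing centroid, opened_new_group)."""
        if len(vec) != len(FEATURES):
            raise ValueError("feature vector has wrong length")
        best = None
        for i, g in enumerate(self.groups):
            d = euclid(vec, g.centroid)
            if best is None or d < best[1]:
                best = (i, d)
        if best is not None and best[1] <= self.max_distance:
            self.groups[best[0]].absorb(vec)
            return best[0], best[1], False
        # Beyond the maximum threshold: open a new group seeded with this attack.
        self.groups.append(AttackGroup(vec))
        return len(self.groups) - 1, (best[1] if best else math.inf), True

# Constructed seed centroids, standing in for clusters from the feature generation module.
SEED_CENTROIDS = [
    (0.90, 0.80, 0.70, 0.20),   # high rate, long, repeated sources, many port pairs
    (0.20, 0.10, 0.10, 0.90),   # low rate, short, one dominant port pair
]
MAX_DISTANCE = 0.35  # assumed threshold in the normalized feature space

# Constructed new attacks to classify, in arrival order.
NEW_ATTACKS = [
    (0.85, 0.75, 0.65, 0.25),   # close to group 0
    (0.50, 0.50, 0.50, 0.50),   # far from both seeds: should open group 2
    (0.25, 0.15, 0.10, 0.85),   # close to group 1
]

def run(detector, attacks):
    """Classify attacks in order; returns [(group index, opened_new_group), ...]."""
    return [(i, new) for i, _d, new in (detector.classify(v) for v in attacks)]

if __name__ == "__main__":
    det = AttackDetector(SEED_CENTROIDS, MAX_DISTANCE)
    for vec, (idx, new) in zip(NEW_ATTACKS, run(det, NEW_ATTACKS)):
        print(vec, "->", "new group" if new else "group", idx)
    for i, g in enumerate(det.groups):
        print(i, [round(c, 3) for c in g.centroid], "absorbed", g.count)
```

The threshold does the defensive work here: a vector that is not close to any known group is not forced into one, so an unfamiliar attacker profile shows up as a new cluster for an analyst to review rather than silently contaminating an existing centroid.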
As shown in fig. 1, the anomaly detection and attack initiator analysis system based on network traffic packets of the invention is deployed on an enterprise-level firewall connected to the live production network. Custom rules, a sensitive traffic rate threshold and a duration are configured, while the operation of the firewall and the connection ports of the server database are maintained. The system was run on the enterprise-level firewall for more than one month, maintaining in particular the traffic monitoring and attacker mining of a single service.
The following example of a specific application of the system verifies its functional effect.
Example 1
For the most common and widespread attack, DDoS, there are two typical manifestations:
firstly, DDoS attacks usually show an extremely high attack rate and a long attack duration, so that a server with weak processing capacity is paralysed and cannot serve normal requests;
secondly, the packets of a DDoS attack are often malformed and repetitive, and even when IP spoofing is used to bypass interception their content is disordered.
If the attacks come from the same initiator, who has hijacked numerous zombie machines to launch them, conventional attack detection can only find that the attack traffic rate is abnormal and block some abnormal IPs, while the attacker can change its own IP and even its signature by disguise to bypass the blacklist, so that the DDoS attack can be sustained for a long time.
To find the suspected initiator of such attacks, the database in the system records summary information and traffic rate information of all DDoS attacks over a long period, and stores the attack records of attackers whose sources have been accurately labelled, which ensures the richness and completeness of the attacker information.
To find the suspected initiator of a DDoS attack, the attacker group feature generation module of the system standardizes the data and produces complex attributes for 30 GB of network traffic summaries, generating complex attributes such as the data port proportion, source IP proportion, IP repetition rate and IP packet type, and discards various low-weight attributes, such as the minimum port value and the ICMP packet proportion, through weight assignment.
Finally, the k-means, Mean-shift, spectral and hierarchical clustering algorithms are cross-validated on the high-weight attributes, and the best classification is determined to be the k-means result with 5 clusters, which has the highest Calinski-Harabasz score. The largest class holds 40.78% of the samples and the smallest 2.8%, and the centroid variance distance is far larger than the intra-cluster variance, so the classes are clearly separated. Feedback from the enterprise on the identified attackers also confirms that the classification is effective.
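As an added example (not the patent's code) of the unsupervised clustering step of the feature generation module as applied in this example, the following Python runs k-means for several candidate cluster counts on constructed per-attack feature vectors, scores each model with the Calinski-Harabasz index, keeps the highest-scoring one, and reports the share of attacks in each group, the same quantities the text reports (cluster count, highest and lowest class proportions). The k-means++ seeding, the feature space and the planted groups are assumptions; Mean-shift, spectral and hierarchical clustering are not implemented, and the example generalizes the text's single chosen model to a selection over k.

```python
"""Constructed example: k-means for several k, scored by the Calinski-Harabasz
index, with the best model's group shares. Not the patent's code; the feature
space, generator and seeds are assumptions chosen to run offline."""
import random

def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def mean(points):
    d = len(points[0])
    return tuple(sum(p[i] for p in points) / len(points) for i in range(d))

def nearest(p, centroids):
    return min(range(len(centroids)), key=lambda j: sqdist(p, centroids[j]))

def kmeans_pp_init(points, k, rng):
    """k-means++ seeding: each further centre is drawn with probability
    proportional to its squared distance from the nearest centre chosen so far."""
    centroids = [rng.choice(points)]
    while len(centroids) < k:
        weights = [sqdist(p, centroids[nearest(p, centroids)]) for p in points]
        centroids.append(rng.choices(points, weights=weights, k=1)[0])
    return centroids

def kmeans(points, k, rng, n_init=5, max_iter=100):
    """Lloyd's algorithm with several restarts; the lowest-inertia run is kept."""
    best = None
    for _ in range(n_init):
        centroids = kmeans_pp_init(points, k, rng)
        for _ in range(max_iter):
            labels = [nearest(p, centroids) for p in points]
            updated = []
            for j in range(k):
                members = [p for p, l in zip(points, labels) if l == j]
                updated.append(mean(members) if members else centroids[j])
            if updated == centroids:
                break
            centroids = updated
        labels = [nearest(p, centroids) for p in points]
        inertia = sum(sqdist(p, centroids[l]) for p, l in zip(points, labels))
        if best is None or inertia < best[0]:
            best = (inertia, centroids, labels)
    return best[1], best[2]

def calinski_harabasz(points, labels, centroids):
    """Between-cluster dispersion over within-cluster dispersion, each divided
    by its degrees of freedom (k - 1 and n - k); higher means better separated."""
    n, k = len(points), len(centroids)
    g = mean(points)
    sizes = [labels.count(j) for j in range(k)]
    between = sum(sizes[j] * sqdist(c, g) for j, c in enumerate(centroids))
    within = sum(sqdist(p, centroids[l]) for p, l in zip(points, labels))
    return (between / (k - 1)) / (within / (n - k))

def select_clustering(points, candidate_ks, seed=0):
    """Fit one k-means model per candidate k; return the best k and all scored models."""
    rng = random.Random(seed)
    scored = {}
    for k in candidate_ks:
        centroids, labels = kmeans(points, k, rng)
        scored[k] = (calinski_harabasz(points, labels, centroids), centroids, labels)
    best_k = max(scored, key=lambda k: scored[k][0])
    return best_k, scored

def group_shares(labels, k):
    """Proportion of attacks in each group, largest first."""
    n = len(labels)
    return sorted((labels.count(j) / n for j in range(k)), reverse=True)

def constructed_attack_features(seed=1):
    """Synthetic per-attack vectors (assumed already standardized to [0, 1]):
    (peak flow rate, source IP repetition rate). Three attacker groups of
    different sizes are planted so the expected answer is known."""
    rng = random.Random(seed)
    groups = [((0.10, 0.10), 40), ((0.90, 0.20), 25), ((0.50, 0.90), 10)]
    pts = []
    for (cx, cy), size in groups:
        pts.extend((rng.gauss(cx, 0.03), rng.gauss(cy, 0.03)) for _ in range(size))
    return pts

if __name__ == "__main__":
    pts = constructed_attack_features()
    best_k, scored = select_clustering(pts, [2, 3, 4, 5])
    for k in sorted(scored):
        print(f"k={k}: Calinski-Harabasz={scored[k][0]:.1f}")
    shares = group_shares(scored[best_k][2], best_k)
    print(f"best k={best_k}, group shares={[round(s, 3) for s in shares]}")
```

Run as a script it prints the score for each candidate k and the group shares of the chosen model; since three groups are planted, a correct selection returns k=3 with shares of roughly 53%, 33% and 13%. Splitting a real cluster (k=4, k=5) lowers the index because the small gain in between-cluster dispersion is outweighed by the loss of degrees of freedom, which is why the index can pick a cluster count rather than merely reward more clusters.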
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment and does not limit the invention; although the invention has been described in detail with reference to the foregoing examples, various changes in form and detail may be made and equivalents substituted for elements thereof. All modifications, equivalents and the like that fall within the spirit and principle of the invention are intended to be included within its scope.
Claims (8)
1. An anomaly detection and attack initiator analysis system based on network traffic packets, characterized in that it comprises a data attribute extraction module, an attacker group feature generation module and an attack detection module;
the data attribute extraction module intercepts the raw packet data of the network traffic at the firewall gateway, derives the traffic rate from the intercepted packets, parses the packet contents into basic attribute features, and stores those features in a database;
the attacker group feature generation module standardizes the raw data, then computes complex attributes from it, cross-validates classifiers and assigns a weight to each attribute according to the best result, and finally cross-validates clustering algorithms, introduces an unsupervised machine learning clustering index, and adopts the clustering model with the highest index score to obtain the attacker group feature clusters;
the attack detection module performs attack group feature matching and incremental correction of the attacker group features on every network traffic packet that triggers the custom rules.
2. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein the data attribute extraction module comprises the following three submodules:
(1) a packet interception submodule deployed on the firewall gateway, built from custom rules, which monitors the traffic rate of ordinary traffic that does not trigger a custom rule, intercepts the network traffic packets of abnormal traffic that does trigger a custom rule, forwards them to the data attribute analysis and calculation submodule, and also exposes an interface for modifying the custom rules;
(2) a data attribute analysis and calculation submodule deployed on the server, which judges whether each packet is legal, discards illegal packets while recording their proportion, parses every attribute of the legal packets, and discards encrypted content;
(3) a database storage submodule, which uses MongoDB as the database framework and records the parsed feature attributes in JSON format.
3. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein when the attacker group feature generation module standardizes data, invalid data is discarded first; then the data type is determined, the format of non-numeric data is unified, part of the data is normalized, and part of the enumeration types are digitized.
4. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein the attacker group feature generation module computes the complex attributes of the data by combining several raw data attributes.
5. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein when the attacker group feature generation module assigns attribute feature weights, it uses the labelled attack types and takes the feature attributes produced by raw data standardization and complex attribute feature calculation as the training data set, cross-validates several classifiers, assigns a weight to each attribute according to the best result, and discards attributes with a low weight share.
6. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein when the attacker group feature generation module performs unsupervised machine learning clustering, it first selects the attribute data with a high weight share, cross-validates several clustering algorithms, introduces several unsupervised machine learning clustering indices, and adopts the clustering model with the highest index score to obtain the attacker group feature clusters.
7. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 1, wherein when the attack detection module performs attack group feature matching, it first computes, from the attribute features obtained by standardizing the new attack and calculating its complex attributes, the mapping distance between those features and the centroid of each existing attack group feature cluster, and when the mapping distance does not exceed the maximum threshold the attack is assigned to the attack group whose centroid is at the minimum mapping distance.
8. The anomaly detection and attack initiator analysis system based on network traffic packets according to claim 7, wherein when the attack detection module performs incremental correction of the attacker group features, for attack features whose mapping distance is greater than the maximum threshold a new attack group cluster is generated and added to the existing attack group features, and the centroids of the feature clusters are updated in the same way.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011155629.5A CN112422513B (en) | 2020-10-26 | 2020-10-26 | Anomaly detection and attack initiator analysis system based on network traffic message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112422513A true CN112422513A (en) | 2021-02-26 |
CN112422513B CN112422513B (en) | 2021-10-26 |
Family ID: 74841553
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011155629.5A Active CN112422513B (en) | 2020-10-26 | 2020-10-26 | Anomaly detection and attack initiator analysis system based on network traffic message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112422513B (en) |
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103001825A (en) * | 2012-11-15 | 2013-03-27 | 中国科学院计算机网络信息中心 | Method and system for detecting DNS (domain name system) traffic anomalies |
US20160219067A1 (en) * | 2015-01-28 | 2016-07-28 | Korea Internet & Security Agency | Method of detecting anomalies suspected of attack, based on time series statistics |
WO2019167847A1 (en) * | 2018-02-27 | 2019-09-06 | 日本電信電話株式会社 | Classification device and classification method |
CN109960729A (en) * | 2019-03-28 | 2019-07-02 | 国家计算机网络与信息安全管理中心 | Method and system for detecting malicious HTTP traffic |
CN110213287A (en) * | 2019-06-12 | 2019-09-06 | 北京理工大学 | Dual-mode intrusion detection device based on an ensemble machine learning algorithm |
CN110519248A (en) * | 2019-08-19 | 2019-11-29 | 光通天下网络科技股份有限公司 | Method, apparatus and electronic device for DDoS attack determination and traffic scrubbing |
CN111107102A (en) * | 2019-12-31 | 2020-05-05 | 上海海事大学 | Real-time network traffic anomaly detection method based on big data |
CN111507368A (en) * | 2020-01-03 | 2020-08-07 | 浙江大学 | Campus network intrusion detection method and system |
CN111800430A (en) * | 2020-07-10 | 2020-10-20 | 南方电网科学研究院有限责任公司 | Attack group identification method, device, equipment and medium |
Non-Patent Citations (4)
Title |
---|
Julija Asmuss, Gunars Lauks: "Network traffic classification for anomaly detection: fuzzy clustering based approach", 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery * |
Shang Gao, Zhe Peng, Bin Xiao, Aiqun Hu, Yubo Song, Kui Ren: "Detection and Mitigation of DoS Attacks in Software Defined Networks", ACM Transactions on Networking * |
任奎, 王丁玎, 周亚金: "A survey of software security of IoT devices", Journal of Guangzhou University (广州大学学报) * |
吴晓平, 周舟, 李洪成: "Research and implementation of network traffic anomaly detection based on unsupervised learning in the Spark framework", Netinfo Security (信息网络安全) * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113949555A (en) * | 2021-10-13 | 2022-01-18 | 中国商用飞机有限责任公司 | Online network defense method and system based on time stamping and a data comparison module |
CN114205161A (en) * | 2021-12-13 | 2022-03-18 | 北京影安电子科技有限公司 | Network attacker discovery and tracking method |
CN114205161B (en) * | 2021-12-13 | 2024-03-29 | 北京影安电子科技有限公司 | Network attacker discovery and tracking method |
CN115277098A (en) * | 2022-06-27 | 2022-11-01 | 深圳铸泰科技有限公司 | Network traffic anomaly detection device and method based on intelligent learning |
CN115277098B (en) * | 2022-06-27 | 2023-07-18 | 深圳铸泰科技有限公司 | Network traffic anomaly detection device and method based on intelligent learning |
Also Published As
Publication number | Publication date |
---|---|
CN112422513B (en) | 2021-10-26 |
Similar Documents
Publication | Title |
---|---|
US11658992B2 (en) | Lateral movement candidate detection in a computer network |
CN112422513B (en) | Anomaly detection and attack initiator analysis system based on network traffic message |
US20240250980A1 (en) | System and Method for Assigning Threat Valuations to Network Events and Security Events |
CN110431817B (en) | Identifying malicious network devices |
CN112738015B (en) | Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection |
CN107579956B (en) | User behavior detection method and device |
Bajtoš et al. | Network intrusion detection with threat agent profiling |
Brandao et al. | Log Files Analysis for Network Intrusion Detection |
CN118337484A (en) | Network information security analysis method and system based on big data |
Srilatha et al. | DDoSNet: A deep learning model for detecting network attacks in cloud computing |
CN117354024A (en) | DNS malicious domain name detection system and method based on big data |
Gautam et al. | Anomaly detection system using entropy based technique |
CN115080554B (en) | Warning method and system based on multi-dimensional data collision analysis |
Daneshgadeh et al. | A hybrid approach to detect DDoS attacks using KOAD and the Mahalanobis distance |
CN109657447B (en) | Equipment fingerprint generation method and device |
CN113343231A (en) | Data acquisition system of threat information based on centralized management and control |
CN112437085A (en) | Network attack identification method and device |
Lugo-Cordero et al. | What defines an intruder? an intelligent approach |
CN112637217B (en) | Active defense method and device of cloud computing system based on bait generation |
CN118138312B (en) | Intelligent payment port encryption method and system |
CN114157514B (en) | Multi-channel IDS integrated detection method and device |
EP4407497A1 (en) | Privacy-controlled analytics service |
Li et al. | Task-Oriented Network Abnormal Behavior Detection Method |
Gondalia et al. | A Survey of Advancement in Anomaly Intrusion Detection System |
Zhang et al. | Identification of SSH Honeypots Using Machine Learning Techniques Based on Multi-Fingerprinting |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| PP01 | Preservation of patent right | Effective date of registration: 2023-08-17; granted publication date: 2021-10-26 |