CN112637118A - Traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies - Google Patents


Info

Publication number
CN112637118A
Authority
CN
China
Prior art keywords
traffic
data
diversion
matrix
network
Legal status
Pending
Application number
CN202011250484.7A
Other languages
Chinese (zh)
Inventor
王激华
陈建武
王彬栩
杨跃平
李鹏
杨扬
陈定会
黄致远
焦阳
刘可龙
吴昊
葛凯梁
Current Assignee
Innovation And Entrepreneurship Center Of State Grid Zhejiang Electric Power Co ltd
Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Innovation And Entrepreneurship Center Of State Grid Zhejiang Electric Power Co ltd
Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date
2020-11-10
Filing date
2020-11-10
Publication date
2021-04-09
2020-11-10: Application filed by Innovation And Entrepreneurship Center Of State Grid Zhejiang Electric Power Co ltd and Ningbo Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
2020-11-10: Priority to CN202011250484.7A
2021-04-09: Publication of CN112637118A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application provide a traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies. The method comprises: diverting traffic from the internal network and the external network to a third-party interactive honeypot or other security detection equipment through a trusted switching defense system; capturing the diverted traffic in raw form by means of a data collector and constructing a baseline (original) network traffic data matrix through a data transmission channel; collecting and aggregating the real-time diverted data twice and determining the traffic matrix during diversion; comparing the baseline network traffic data matrix with the traffic matrix during diversion, and compiling statistics on the diverted traffic, feature matching and access; when the diverted-traffic matrix is a low-rank matrix, the traffic matrix during diversion is a normal traffic matrix and no abnormal traffic or network attack is present. Through this decision logic, analysis can be performed on the traffic conditions of the internal and external networks, improving the ability to assess the network security state from abnormal traffic.

Description

Traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies
Technical Field
This application belongs to the field of data analysis, and in particular relates to a traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies.
Background
The development of network information technology is bringing about a new industrial and technological revolution, but it also brings enormous security risks. Hackers frequently break into smart vehicles and smart home devices, and the Mirai botnet and its variants have taken control of tens of millions of smart cameras and smart routers worldwide.
At present, physical isolation of the internal and external networks is the most commonly adopted network security defense mode, but this mode cannot provide protection graded by security level. Since mobile working has become a daily work mode, departments and industries that are not at the highest security level, such as government, healthcare and finance, need to access their organization's business intranet from outside to handle daily business, and this demand is enormous. Given the high security requirements of the intranet, common network security technologies such as security gateways and VPNs cannot guarantee the security of access between the intranet and the extranet.
Disclosure of Invention
To remedy the defects and shortcomings of the prior art, the traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies provided by this application improves the accuracy of abnormal-traffic judgment by means of a traffic matrix comparison.
Specifically, the traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies provided by this embodiment comprises:
diverting traffic from the internal network and the external network to a third-party interactive honeypot or other security detection equipment through a trusted switching defense system;
capturing the diverted traffic in raw form by means of a data collector, and constructing a baseline (original) network traffic data matrix through a data transmission channel;
collecting and aggregating the real-time diverted data twice, and determining the traffic matrix during diversion;
comparing the baseline network traffic data matrix with the traffic matrix during diversion, and compiling statistics on the diverted traffic, feature matching and access;
when the diverted-traffic matrix is a low-rank matrix, the traffic matrix during diversion is a normal traffic matrix and no abnormal traffic or network attack is present;
when the diverted-traffic matrix is a sparse matrix, the traffic matrix during diversion is an abnormal traffic matrix, and it is judged whether all elements of the matrix are zero: when all elements are zero, no abnormal traffic or network attack is present; when not all elements are zero, abnormal traffic or a network attack may be present.
Optionally, the method comprises:
the trusted switching defense system automatically acquires the traffic information in the network and determines the business data flow relationships between the various network assets.
Optionally, the method comprises: in the course of the original data acquisition and statistics, five acquisitions are required; the acquired data are counted, the aggregated data are compared, and the median value is selected.
Optionally, the method comprises:
before the median value is selected during the collection and statistics of the original data, the data at both extremes are discarded and not included in the reference range.
Optionally, the method comprises:
after the diverted data has been collected, the two detections need to be compared, and when the two detections are similar, the traffic matrix during diversion is determined.
Optionally, the method comprises:
when the two diverted-data samples differ greatly, data acquisition is performed again;
the data from the third acquisition is compared with the data from the previous two acquisitions, and when it is close to one of them, one of those two data sets is selected to determine the traffic matrix during diversion.
Optionally, the method comprises:
when the data matrices are compared, feature matching is performed on the diverted traffic data while access statistics are compiled on the diverted traffic data;
the compiled statistics are collected through a data collector.
Optionally, the method comprises:
when it is determined that no abnormal traffic or network attack is present, the feature matching and access in the diverted traffic data are still checked;
if no anomaly occurs, the access is safe; if abnormal access occurs, a warning is issued.
Optionally, the method comprises:
when abnormal traffic or a network attack is present, the feature matching and access in the diverted traffic data are checked;
if no anomaly occurs, the access is safe; if abnormal access occurs, an abnormal-access warning is also issued.
Optionally, the method comprises:
when abnormal traffic or a network attack is determined to be present, the abnormal traffic or network attack is marked by comparison and checking against the original data, and maintenance, defense or virus removal is carried out.
The beneficial effects brought by the technical solution provided by this application are as follows:
through this decision logic, analysis can be performed on the traffic conditions of the internal and external networks, improving the ability to assess the network security state from abnormal traffic.
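The sampling rules described above (five baseline acquisitions trimmed to a median, two real-time acquisitions that must agree or a third acquisition decides) in working form, as an added example that is not code from the application or its assignees. The matrix layout (rows are traffic sources, columns destination services, cells kilobytes per window), the 10 % / 1 KB agreement tolerance, the function names and every sample reading are assumptions constructed for illustration; the application specifies none of them.

```python
"""Added example (not code from the application or its assignees): builds the
baseline ("original") traffic matrix and the diverted-traffic matrix using the
sampling rules the application describes: five acquisitions, drop the two
extremes and take the median; two real-time acquisitions that must agree,
otherwise a third acquisition decides.  The matrix layout (rows = traffic
source, columns = destination service, cell = kilobytes per window) and the
agreement tolerance are assumptions made for illustration."""
from statistics import median
from typing import Callable, List, Optional, Sequence

Matrix = List[List[float]]


def trimmed_median_matrix(samples: Sequence[Matrix]) -> Matrix:
    """Element-wise: sort the five readings of each cell, discard the smallest
    and the largest, and keep the median of the remaining three."""
    if len(samples) != 5:
        raise ValueError("the described baseline procedure uses exactly five acquisitions")
    rows, cols = len(samples[0]), len(samples[0][0])
    result: Matrix = []
    for i in range(rows):
        row = []
        for j in range(cols):
            readings = sorted(s[i][j] for s in samples)
            row.append(median(readings[1:-1]))   # both extremes left out of the reference range
        result.append(row)
    return result


def matrices_close(a: Matrix, b: Matrix, rel_tol: float = 0.10, abs_tol: float = 1.0) -> bool:
    """Two acquisitions agree when every cell differs by at most 10 % of the
    larger value (or 1 KB for near-empty cells).  Tolerances are assumptions."""
    for row_a, row_b in zip(a, b):
        for x, y in zip(row_a, row_b):
            if abs(x - y) > max(abs_tol, rel_tol * max(abs(x), abs(y))):
                return False
    return True


def diversion_matrix(first: Matrix, second: Matrix,
                     acquire_again: Callable[[], Matrix]) -> Optional[Matrix]:
    """Confirm the traffic matrix during diversion from two real-time acquisitions.
    If they agree, the second (latest) one is used.  Otherwise a third acquisition
    is taken and the earlier sample it agrees with is used.  If nothing agrees the
    function returns None so the caller re-samples instead of guessing."""
    if matrices_close(first, second):
        return second
    third = acquire_again()
    if matrices_close(third, second):
        return second
    if matrices_close(third, first):
        return first
    return None


# Constructed sample data.  Rows: intranet clients, extranet clients, DMZ hosts.
# Columns: web, mail, database, ssh.  Values: KB observed in one 10-second window.
# Acquisition index 3 was taken during a transient burst in cell (0, 0); the
# trimming step is what keeps it out of the baseline.
BASELINE_SAMPLES: List[Matrix] = [
    [[120, 40, 10, 2], [300, 60, 0, 0], [50, 10, 80, 5]],
    [[118, 42, 11, 2], [310, 58, 0, 0], [52, 11, 79, 4]],
    [[125, 39, 9, 3], [295, 61, 0, 0], [49, 10, 82, 5]],
    [[900, 40, 10, 2], [305, 60, 0, 0], [51, 10, 80, 5]],
    [[121, 41, 10, 2], [302, 59, 0, 0], [50, 9, 81, 5]],
]

# Two real-time acquisitions of the diverted traffic that disagree in cell (1, 3)
# (extranet -> ssh), and a third one that sides with the second.
FIRST = [[122, 40, 10, 2], [301, 60, 0, 0], [50, 10, 80, 5]]
SECOND = [[122, 40, 10, 2], [301, 60, 0, 700], [50, 10, 80, 5]]
THIRD = [[121, 41, 10, 2], [300, 60, 0, 690], [50, 10, 80, 5]]

if __name__ == "__main__":
    baseline = trimmed_median_matrix(BASELINE_SAMPLES)
    print("baseline:", baseline)                        # cell (0, 0) is 121, not 900
    confirmed = diversion_matrix(FIRST, SECOND, lambda: THIRD)
    print("diverted-traffic matrix:", confirmed)        # SECOND: the spike was reproduced
```

With five readings, discarding both extremes and taking the median of the remaining three yields the same value as the plain median of all five; the two-step form is kept because it mirrors the described procedure. The practical point is the second function: the application says the two real-time acquisitions must be "similar" but gives no tolerance, and without one a single-packet difference would force a third acquisition every time, so a tolerance has to be chosen and documented.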
Drawings
In order to illustrate the technical solutions of this application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of this application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to an embodiment of this application.
Detailed Description
To make the structure and advantages of this application clearer, the structure of this application is further described below with reference to the accompanying drawings.
Embodiment 1
The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies, as shown in Fig. 1, comprises:
11. diverting traffic from the internal network and the external network to a third-party interactive honeypot or other security detection equipment through a trusted switching defense system;
12. capturing the diverted traffic in raw form by means of a data collector, and constructing a baseline (original) network traffic data matrix through a data transmission channel;
13. collecting and aggregating the real-time diverted data twice, and determining the traffic matrix during diversion;
14. comparing the baseline network traffic data matrix with the traffic matrix during diversion, and compiling statistics on the diverted traffic, feature matching and access;
15. when the diverted-traffic matrix is a low-rank matrix, the traffic matrix during diversion is a normal traffic matrix and no abnormal traffic or network attack is present;
16. when the diverted-traffic matrix is a sparse matrix, the traffic matrix during diversion is an abnormal traffic matrix, and it is judged whether all elements of the matrix are zero: when all elements are zero, no abnormal traffic or network attack is present; when not all elements are zero, abnormal traffic or a network attack may be present.
In implementation, the trusted switching defense system mentioned in step 11 automatically acquires the traffic information in the network and determines the business data flow relationships between the various network assets.
Specifically, in the acquisition process of step 12, five acquisitions are required for the original data acquisition and statistics; the acquired data are counted, the aggregated data are compared, and the median value is selected.
Before the median value is selected during the collection and statistics of the original data, the data at both extremes are discarded and not included in the reference range.
After the diverted data has been collected, the two detections need to be compared, and when the two detections are similar, the traffic matrix during diversion is determined.
In addition, the method comprises:
when the two diverted-data samples differ greatly, data acquisition is performed again;
the data from the third acquisition is compared with the data from the previous two acquisitions, and when it is close to one of them, one of those two data sets is selected to determine the traffic matrix during diversion.
When the data matrices are compared, feature matching is performed on the diverted traffic data while access statistics are compiled on the diverted traffic data;
the compiled statistics are collected through a data collector.
If no abnormal traffic or network attack is present while the method is executed, the feature matching and access in the diverted traffic data are still checked;
if no anomaly occurs, the access is safe; if abnormal access occurs, a warning is issued.
Further, if abnormal traffic or a network attack is determined to be present, the feature matching and access in the diverted traffic data are checked;
if no anomaly occurs, the access is safe; if abnormal access occurs, an abnormal-access warning is also issued.
Correspondingly, when abnormal traffic or a network attack is determined to be present, the abnormal traffic or network attack is marked by comparison and checking against the original data, and maintenance, defense or virus removal is carried out.
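An added example (not code from the application or its assignees) of steps 14 to 16 and the follow-up checks: it forms the residual between the baseline matrix and the traffic matrix during diversion, applies the all-zero / sparse / low-rank decision, and then feature-matches the access records behind each flagged cell. The application does not say which matrix the rank and sparsity tests are applied to, nor what thresholds make a matrix "sparse" or "low-rank"; applying the tests to the residual, the 25 % density and half-of-min-dimension rank thresholds, the matrix layout, the access records, the IP address and the signature table are all assumptions constructed here.

```python
"""Added example (not code from the application or its assignees): compare the
baseline matrix with the traffic matrix during diversion, apply the all-zero /
sparse / low-rank decision, then feature-match the access records behind each
flagged cell.  Applying the test to the residual (diverted minus baseline), the
thresholds, the matrix layout, the access records and the signature table are
assumptions constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Matrix = List[List[float]]
Cell = Tuple[int, int]          # (source row, destination-service column)

ZERO_TOL = 1.0                  # a cell that moved by <= 1 KB counts as unchanged (assumption)
SPARSE_DENSITY = 0.25           # <= 25 % of cells changed -> "sparse" (assumption)


def residual(baseline: Matrix, diverted: Matrix) -> Matrix:
    """Cell-wise difference: what the diverted traffic adds to or removes from the baseline."""
    return [[x - b for x, b in zip(rx, rb)] for rx, rb in zip(diverted, baseline)]


def numeric_rank(m: Matrix, tol: float = ZERO_TOL) -> int:
    """Rank by Gaussian elimination with partial pivoting; entries within tol of zero count as zero."""
    a = [row[:] for row in m]
    rows, cols = len(a), len(a[0])
    rank = 0
    for c in range(cols):
        if rank == rows:
            break
        pivot = max(range(rank, rows), key=lambda r: abs(a[r][c]))
        if abs(a[pivot][c]) <= tol:
            continue                                    # column adds no new direction
        a[rank], a[pivot] = a[pivot], a[rank]
        for r in range(rows):
            if r != rank and abs(a[r][c]) > tol:
                f = a[r][c] / a[rank][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[rank])]
        rank += 1
    return rank


def nonzero_cells(m: Matrix, tol: float = ZERO_TOL) -> List[Cell]:
    return [(i, j) for i, row in enumerate(m) for j, v in enumerate(row) if abs(v) > tol]


@dataclass
class Verdict:
    status: str                                 # "normal", "possible_attack" or "inconclusive"
    reason: str
    flagged: List[Cell] = field(default_factory=list)


def classify(baseline: Matrix, diverted: Matrix) -> Verdict:
    d = residual(baseline, diverted)
    rows, cols = len(d), len(d[0])
    changed = nonzero_cells(d)
    if not changed:                             # all elements zero: nothing moved
        return Verdict("normal", "residual is all zero")
    rank = numeric_rank(d)
    if len(changed) / (rows * cols) <= SPARSE_DENSITY:
        # sparse: a few (source, service) pairs changed, the footprint of a localised event
        return Verdict("possible_attack", f"sparse residual: {len(changed)} of {rows * cols} cells changed (rank {rank})", changed)
    if rank <= min(rows, cols) // 2:
        # low-rank but dense: every source moved in the same proportions, i.e. a global load shift
        return Verdict("normal", f"low-rank residual (rank {rank}, {len(changed)} cells changed)")
    return Verdict("inconclusive", f"dense residual of full rank {rank}; decide by feature matching", changed)


def access_check(verdict: Verdict, records: Dict[Cell, List[str]], signatures: Dict[str, str]) -> List[str]:
    """One line per flagged cell: a warning when a signature matches one of its access records, else 'access safe'."""
    report = []
    for cell in verdict.flagged:
        hits = {label for rec in records.get(cell, []) for needle, label in signatures.items() if needle in rec}
        report.append(f"WARNING cell {cell}: {', '.join(sorted(hits))}" if hits
                      else f"OK cell {cell}: access safe, no feature match")
    return report


# Constructed data.  Rows: intranet clients, extranet clients, DMZ hosts; columns: web, mail, database, ssh; KB per window.
BASELINE = [[121, 40, 10, 2], [302, 60, 0, 0], [50, 10, 80, 5]]
UNCHANGED = [[121, 40, 10, 2], [302, 60, 0, 0], [50, 10, 80, 5]]
SPARSE_CASE = [[121, 40, 10, 2], [302, 60, 0, 700], [50, 10, 80, 5]]   # extranet -> ssh spike only
LOAD_SHIFT = [[151, 50, 16, 6], [362, 80, 12, 8], [65, 15, 83, 7]]      # rows grew by k * [30, 10, 6, 4]: rank 1
DENSE_CASE = [[161, 20, 17, 5], [277, 90, 2, 9], [62, 15, 47, 19]]      # unstructured change everywhere: rank 3
ACCESS_RECORDS: Dict[Cell, List[str]] = {                                # constructed records behind cell (1, 3)
    (1, 3): ["ssh login failed for root from 203.0.113.7 (412 attempts in 10 s)",
             "ssh login failed for admin from 203.0.113.7 (390 attempts in 10 s)"],
}
SIGNATURES = {"login failed": "ssh brute-force pattern", "UNION SELECT": "SQL injection attempt"}  # constructed

if __name__ == "__main__":
    for name, diverted in [("unchanged", UNCHANGED), ("ssh spike", SPARSE_CASE), ("load shift", LOAD_SHIFT), ("dense", DENSE_CASE)]:
        verdict = classify(BASELINE, diverted)
        print(f"{name:10s} -> {verdict.status}: {verdict.reason}")
        for line in access_check(verdict, ACCESS_RECORDS, SIGNATURES):
            print("    ", line)
```

Two details matter when turning the description into a decision rule. First, "low-rank" and "sparse" overlap: a single changed cell is both sparse and rank 1, and an all-zero matrix is both, which is why the description adds the all-zero check; the example resolves the overlap by testing the zero case, then sparsity, and only then rank, so that a localised change is treated as suspect and only a broad, structured change (every source growing in the same proportions) is treated as normal. Second, the thresholds decide everything and the application gives none; a pure-Python rank with a fixed tolerance is adequate for a 3 x 4 illustration, but a production deployment should use an SVD-based numerical rank and tune ZERO_TOL and SPARSE_DENSITY against recorded baseline windows before trusting the "normal" verdict.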
The sequence numbers in the above embodiments are for description only and do not represent the order in which the components are assembled or used.
The above description is only an exemplary embodiment of this application and should not be taken as limiting it; any modification, equivalent replacement or improvement made within the spirit and principles of this application shall be included in its scope of protection.

Claims (10)

1. A traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies, characterized in that it comprises the following steps:
diverting traffic from the internal network and the external network to a third-party interactive honeypot or other security detection equipment through a trusted switching defense system;
capturing the diverted traffic in raw form by means of a data collector, and constructing a baseline (original) network traffic data matrix through a data transmission channel;
collecting and aggregating the real-time diverted data twice, and determining the traffic matrix during diversion;
comparing the baseline network traffic data matrix with the traffic matrix during diversion, and compiling statistics on the diverted traffic, feature matching and access;
when the diverted-traffic matrix is a low-rank matrix, the traffic matrix during diversion is a normal traffic matrix and no abnormal traffic or network attack is present;
when the diverted-traffic matrix is a sparse matrix, the traffic matrix during diversion is an abnormal traffic matrix, and it is judged whether all elements of the matrix are zero: when all elements are zero, no abnormal traffic or network attack is present; when not all elements are zero, abnormal traffic or a network attack may be present.
2. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 1, characterized in that it further comprises:
the trusted switching defense system automatically acquires the traffic information in the network and determines the business data flow relationships between the various network assets.
3. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 1, characterized in that it further comprises: in the course of the original data acquisition and statistics, five acquisitions are required; the acquired data are counted, the aggregated data are compared, and the median value is selected.
4. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 3, characterized in that it further comprises:
before the median value is selected during the collection and statistics of the original data, the data at both extremes are discarded and not included in the reference range.
5. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 1, characterized in that it further comprises:
after the diverted data has been collected, the two detections are compared, and when the two detections are similar, the traffic matrix during diversion is determined.
6. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 1, characterized in that it further comprises:
when the two diverted-data samples differ greatly, data acquisition is performed again;
the data from the third acquisition is compared with the data from the previous two acquisitions, and when it is close to one of them, one of those two data sets is selected to determine the traffic matrix during diversion.
7. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 1, characterized in that it further comprises:
when the data matrices are compared, feature matching is performed on the diverted traffic data while access statistics are compiled on the diverted traffic data;
the compiled statistics are collected through a data collector.
8. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 1, characterized in that it further comprises:
when it is determined that no abnormal traffic or network attack is present, the feature matching and access in the diverted traffic data are checked;
if no anomaly occurs, the access is safe; if abnormal access occurs, a warning is issued.
9. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 1, characterized in that it further comprises:
when abnormal traffic or a network attack is present, the feature matching and access in the diverted traffic data are checked;
if no anomaly occurs, the access is safe; if abnormal access occurs, an abnormal-access warning is also issued.
10. The traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies according to claim 1, characterized in that it further comprises:
when abnormal traffic or a network attack is determined to be present, the abnormal traffic or network attack is marked by comparison and checking against the original data, and maintenance, defense or virus removal is carried out.

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202011250484.7A | CN112637118A (en) | 2020-11-10 | 2020-11-10 | Traffic analysis implementation method based on intranet and extranet traffic-diversion anomalies

Publications (1)

Publication Number Publication Date
CN112637118A (en) 2021-04-09

Family

ID=75303009


Country Status (1)

Country Link
CN (1) CN112637118A (en)



Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101051964A (en) * 2007-05-21 2007-10-10 杭州华三通信技术有限公司 (Hangzhou H3C Technologies Co., Ltd.) Method, system and device for collecting traffic data
WO2016173203A1 (en) * 2015-04-29 2016-11-03 中兴通讯股份有限公司 (ZTE Corporation) Testing method and device for a deep network analysis system
CN107404471A (en) * 2017-04-05 2017-11-28 青海民族大学 (Qinghai Minzu University) Network traffic anomaly detection method based on the ADMM algorithm
CN111130890A (en) * 2019-12-26 2020-05-08 深圳市高德信通信股份有限公司 Network traffic dynamic prediction system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
江苏极元信息技术有限公司 (Jiangsu Jiyuan Information Technology Co., Ltd.): "极元可信防御系统技术原则" (Technical principles of the Jiyuan trusted defense system), in 《极元可信防御系统 OXTREA SWITCHWALL 产品技术白皮书》 (Jiyuan Trusted Defense System OXTREA SWITCHWALL product technical white paper) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633693A (en) * 2023-07-24 2023-08-22 深圳市永达电子信息股份有限公司 Trusted security gateway implementation method based on full-element network identification
CN116633693B (en) * 2023-07-24 2023-10-31 深圳市永达电子信息股份有限公司 Trusted security gateway implementation method based on full-element network identification


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210409