CN114157506A - Network anomaly scanning method and system based on flow and activity analysis and storage medium - Google Patents

Info

Publication number: CN114157506A
Application number: CN202111501051.9A
Authority: CN (China)
Prior art keywords: abnormal, scanning, activity, information, module
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion, and Google has not performed a legal analysis)
Other languages: Chinese (zh)
Inventors: 段勃, 杨东鑫, 谢奉良, 陈文锋, 张亮
Current assignee: Western Research Institute Of China Science And Technology Computing Technology (as listed; not verified by legal analysis)
Original assignee: Western Research Institute Of China Science And Technology Computing Technology
Application filed by: Western Research Institute Of China Science And Technology Computing Technology
Priority claimed from: CN202111501051.9A
Published as: CN114157506A (legal status: pending)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06: Management of faults, events, alarms or notifications
    • H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of network anomaly scanning, and particularly relates to a network anomaly scanning method, system and storage medium based on traffic and activity analysis. It addresses the problems that existing network anomaly scanning technology has low scanning efficiency and cannot scan insensitive abnormal behaviors.

Description

Network anomaly scanning method and system based on flow and activity analysis and storage medium
Technical Field
The invention belongs to the field of network anomaly scanning, and particularly relates to a network anomaly scanning method and system based on flow and activity analysis and a storage medium.
Background
Computer networks have had a great influence on the development of human society. Their emergence has made the internet play an ever more important role in people's daily work and life, and more and more people use it to communicate at work and in daily life. At the same time, unsafe factors in the network keep increasing and abnormal traffic behaviors of network users occur. These abnormal traffic behaviors have two main sources: abnormal network traffic caused by improper user operation, and abnormal traffic caused by network attacks. Real-time scanning and monitoring of abnormal traffic in computer networks is therefore becoming more and more important.
First, existing scanning technology scans abnormal data in the network in real time by reading data interaction information from a database; the database lives on a hard disk, whose read and caching rates are slow, so scanning is slow. Second, when scanning a large computer network group, insensitive abnormal behaviors cannot be detected, and small problems accumulate over the long term, so the miss rate and misjudgment rate of the scanning technology keep growing and the user experience keeps deteriorating.
Disclosure of Invention
The invention aims to provide a method, a system and a storage medium for scanning network anomalies based on traffic and activity analysis, which solve the problems that existing network anomaly scanning technology has low scanning efficiency and cannot scan insensitive abnormal behaviors.
The invention provides a first basic scheme: a network anomaly scanning method based on traffic and activity analysis, comprising the following steps:
a data acquisition step: acquiring IP data interaction information on a computer network line and storing it in a Redis cache;
an anomaly scanning step: dynamically scanning, in real time, the traffic information and activity information of each IP on the computer network line according to the data interaction information stored in the Redis cache, and finding the abnormal IP addresses on the current line;
an anomaly filtering step: setting a traffic anomaly threshold and an activity anomaly threshold according to the user's requirements, and filtering from the scanning result the abnormal IP addresses that reach both thresholds;
a tracking statistics step: summarizing the filtered result of the anomaly filtering step, tracking the abnormal IP addresses in it for a preset time, and counting those that are still abnormal when the preset time is reached;
a characteristic analysis step: performing characteristic analysis on the information of the abnormal IP addresses according to the statistical result, and finding their abnormal characteristics;
the tracking statistics step further comprises:
summarizing the abnormal IP addresses that do not reach the traffic and activity anomaly thresholds, tracking them at low frequency, and storing them in the statistical result if they later reach the thresholds.
The principle and advantages of the first basic scheme are as follows. In the prior art, scanning abnormal network traffic by reading IP data interaction information from a database is slow, and when a large computer network is scanned, insensitive abnormal behaviors often go unnoticed; because they are not found in time, they can cause large losses once the problem becomes serious.
The invention therefore stores the acquired IP data interaction information of the computer network line in a Redis cache and scans it for abnormal IP addresses; the high read/write speed of Redis greatly improves the scanning speed. The anomaly filtering step sets the anomaly thresholds according to the user's actual requirements and removes the abnormal IP addresses that do not reach them, so that the result matches the user's needs. After filtering, the abnormal IP addresses are tracked dynamically in real time for a period of time, and those that remain abnormal for a long time are analyzed to obtain their abnormal characteristics, so that administrators can resolve them in a targeted way. At the same time, the abnormal IP addresses that do not reach the threshold, i.e. the insensitive abnormal behaviors, are collected and tracked at low frequency, which on the one hand does not occupy excessive memory and on the other hand prevents these sub-threshold IP addresses from developing into more serious problems. The invention therefore has the following advantages: (1) the scanning efficiency for abnormal network traffic is improved; (2) persistently abnormal IP addresses can be analyzed for their characteristics, so that administrators can solve the problem promptly and effectively; (3) for insensitive abnormal behaviors, the invention neither occupies excessive memory nor, thanks to low-frequency tracking, lets them develop into more serious problems.
Further, the data interaction information includes IP traffic information, IP activity information, and IP interaction information.
Beneficial effects: collecting IP traffic information, IP activity information and IP interaction information provides the data source required for scanning the user's network for anomalies.
Further, the tracking statistics step further includes:
a hazard degree analysis step: analyzing, according to the tracking result, the degree of harm of the abnormal IP to the computer network line.
Beneficial effects: by analyzing the degree of harm the abnormal IP address does to the network, administrators can handle high-harm problems first and avoid larger losses.
Further, the method also comprises:
a data storage step: receiving the result of the characteristic processing and storing it in a database, graded by degree of importance;
a display step: displaying the stored result from the database on a WEB interface;
an alarm step: raising an anomaly alarm through an alarm device, an e-mail or a DingTalk message.
Beneficial effects: the data storage step keeps the final result, the display step lets the user check the scanning result in real time, and the alarm step reminds the user in time.
The invention provides a second basic scheme: a network anomaly scanning system based on traffic and activity analysis, comprising:
a data acquisition module: used for acquiring IP data interaction information on a computer network line and storing it in a Redis cache;
an anomaly scanning module: used for dynamically scanning, in real time, the traffic information and activity information of each IP on the computer network line according to the data interaction information stored in the Redis cache, and finding the abnormal IP addresses on the current line;
an anomaly filtering module: used for setting a traffic anomaly threshold and an activity anomaly threshold according to the user's requirements, and filtering from the scanning result the abnormal IP addresses that reach both thresholds;
a tracking statistics module: used for summarizing the filtered result of the anomaly filtering module, tracking the abnormal IP addresses in it for a preset time, and counting those that are still abnormal when the preset time is reached;
a characteristic analysis module: used for performing characteristic analysis on the information of the abnormal IP addresses according to the statistical result and finding their abnormal characteristics;
the tracking statistics module contains a low-frequency tracking statistics module, used for summarizing the abnormal IP addresses that do not reach the traffic and activity anomaly thresholds, tracking them at low frequency, and storing them in the statistical result if they later reach the thresholds.
The principle and advantages of the second basic scheme are as follows. In the prior art, scanning abnormal network traffic by reading IP data interaction information from a database is slow, and when a large computer network is scanned, insensitive abnormal behaviors often go unnoticed; because they are not found in time, they can cause large losses once the problem becomes serious.
The invention therefore stores the acquired IP data interaction information of the computer network line in a Redis cache through the data acquisition module and scans it for abnormal IP addresses through the anomaly scanning module; the high read/write speed of Redis greatly improves the scanning speed. The anomaly filtering module sets the anomaly thresholds according to the user's actual requirements and removes the abnormal IP addresses that do not reach them, so that the result matches the user's needs. After filtering, the tracking statistics module tracks the abnormal IP addresses dynamically in real time for a period of time and passes those that remain abnormal for a long time to the characteristic analysis module, which analyzes their abnormal characteristics so that administrators can resolve them in a targeted way. At the same time, the low-frequency tracking statistics module collects the abnormal IP addresses that do not reach the threshold, i.e. the insensitive abnormal behaviors, and tracks them at low frequency, which on the one hand does not occupy excessive memory and on the other hand prevents these sub-threshold IP addresses from developing into more serious problems.
The invention therefore has the following advantages: (1) the scanning efficiency for abnormal network traffic is improved; (2) persistently abnormal IP addresses can be analyzed for their characteristics, so that administrators can solve the problem promptly and effectively; (3) for insensitive abnormal behaviors, the invention neither occupies excessive memory nor, thanks to low-frequency tracking, lets them develop into more serious problems.
Further, the data interaction information includes IP traffic information, IP activity information, and IP interaction information.
Beneficial effects: collecting IP traffic information, IP activity information and IP interaction information provides the data source required for scanning the user's network for anomalies.
Further, the tracking statistics module is provided with a hazard degree analysis module, which analyzes, according to the tracking result, the degree of harm of the abnormal IP to the computer network line.
Beneficial effects: the hazard degree analysis module analyzes the degree of harm the abnormal IP address does to the network, so administrators can handle high-harm problems first and avoid larger losses.
The system further comprises a data storage module, a display module and an alarm module. The data storage module receives the result of the characteristic processing and stores it in a database, graded by degree of importance; the display module displays the stored result from the database on a webpage interface or a software interface; the alarm module raises an anomaly alarm through an alarm device, an e-mail or a DingTalk message.
Beneficial effects: the data storage module keeps the final result, the display module lets the user check the scanning result in real time, and the alarm module reminds the user in time.
A network anomaly scanning storage medium based on traffic and activity analysis, applied to a computer, in which a network anomaly scanning program based on traffic and activity analysis is stored; when the program is executed by a computer processor, the network anomaly scanning method based on traffic and activity analysis of claims 1-4 is realized.
Drawings
FIG. 1 is a block flow diagram of an embodiment of the present invention;
FIG. 2 is a schematic block diagram of an embodiment of the present invention.
Detailed Description
It should be understood that the specific embodiments described here merely illustrate the invention and do not limit it; although a logical order is shown in the embodiments, in some cases the steps shown or described may be performed in an order different from the one shown.
The following is further detailed by way of specific embodiments:
The embodiment is basically as shown in FIG. 1: the network anomaly scanning method based on traffic and activity analysis comprises the following steps:
a data acquisition step: acquiring IP data interaction information on a computer network line and storing it in a Redis cache;
an anomaly scanning step: dynamically scanning, in real time, the traffic information and activity information of each IP on the computer network line according to the data interaction information stored in the Redis cache, and finding the abnormal IP addresses on the current line.
In this embodiment, data interaction takes place on the computer network line at all times and generates a large amount of IP data interaction information, which comprises IP traffic information, IP activity information and IP interaction information. IP traffic information is acquired mainly by calculating the traffic data generated on the line and the frequency with which an IP occurs; IP activity information and IP interaction information are acquired mainly as the traffic ratio of an IP address as source address and as destination address, together with the activity of the IP address as source address and as destination address. Once acquired, the data interaction information is stored in the Redis cache in real time. Redis has a high read and write speed, so the data interaction information to be scanned is kept there and accessed directly during scanning instead of being read from the database, which solves the problem of slow database reads. During scanning the abnormal IP addresses are identified; in this embodiment this is done using all abnormal data recorded in the Redis cache as the template. Taking the traffic data of an IP at the source address as an example:
First, the traffic information of the IP address as source address is collected in a normal environment, including traffic volume, packet length information, protocol information and TCP flag bit information, and used as comparison data. Then the traffic information of the target IP as source address is collected; if its traffic volume is far larger than the comparison data (for example, the comparison data is 1 MB and the target IP's traffic is 10 MB), the IP is marked as an abnormal IP address.
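As an added illustration of the scanning step described above (not code from the patent), the following Python sketch aggregates per-source-IP traffic information from cached packet records and marks an IP abnormal when its traffic volume far exceeds the comparison data. The Redis cache is replaced by an in-memory list of dicts so the example runs offline; the packet records and the 1 MB baseline are constructed sample values, and the 5x ratio at which an IP is marked abnormal is an assumption chosen so that the patent's 1 MB vs 10 MB example trips it.

```python
"""Anomaly scanning step: compare each source IP's traffic against comparison data.

Added illustration (not the patent's code). The Redis cache is replaced by a
plain list of dicts so the example runs offline; the packet records, the 1 MB
baseline and the 5x anomaly ratio are constructed sample values / assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class SourceProfile:
    """Per-source-IP traffic information named in the embodiment: volume,
    packet lengths, protocols and TCP flag bits."""
    total_bytes: int = 0
    packets: int = 0                 # packet count doubles as the IP's HIT count
    protocols: set = field(default_factory=set)
    tcp_flags: dict = field(default_factory=lambda: defaultdict(int))
    packet_lengths: list = field(default_factory=list)


def aggregate_by_source(cache_records):
    """Roll the cached per-packet records up into one profile per source IP."""
    profiles = defaultdict(SourceProfile)
    for rec in cache_records:
        prof = profiles[rec["src"]]
        prof.total_bytes += rec["bytes"]
        prof.packets += 1
        prof.protocols.add(rec["proto"])
        prof.packet_lengths.append(rec["bytes"])
        for flag in rec.get("tcp_flags", ()):
            prof.tcp_flags[flag] += 1
    return profiles


def scan_for_anomalies(profiles, baseline_bytes, ratio=5.0):
    """Mark a source IP abnormal when its traffic volume reaches `ratio` times the
    comparison data (assumed ratio; the patent's example is 1 MB vs 10 MB).
    The returned record carries the data a later characteristic analysis needs."""
    return {
        ip: {
            "bytes": prof.total_bytes,
            "hits": prof.packets,
            "protocols": sorted(prof.protocols),
            "max_packet_len": max(prof.packet_lengths),
            "syn_ratio": prof.tcp_flags["SYN"] / prof.packets,
        }
        for ip, prof in profiles.items()
        if prof.total_bytes >= ratio * baseline_bytes
    }


def build_sample_cache():
    """Constructed sample cache: 10.0.0.5 sends ~10 MB of SYN-only packets,
    10.0.0.7 sends ~0.9 MB of ordinary ACK traffic."""
    records = []
    for _ in range(100):
        records.append({"src": "10.0.0.5", "dst": "10.0.1.1", "bytes": 100 * 1024,
                        "proto": "TCP", "tcp_flags": ["SYN"]})
    for _ in range(9):
        records.append({"src": "10.0.0.7", "dst": "10.0.1.2", "bytes": 100 * 1024,
                        "proto": "TCP", "tcp_flags": ["ACK"]})
    return records


if __name__ == "__main__":
    profiles = aggregate_by_source(build_sample_cache())
    # comparison data: 1 MB of normal source traffic, as in the embodiment
    print(scan_for_anomalies(profiles, baseline_bytes=1 * MB))
```

In a deployment the list returned by `build_sample_cache()` would be read from the Redis cache the patent describes; the comparison data would be collected from the same IP under normal conditions rather than fixed at 1 MB.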
An anomaly filtering step: setting a traffic anomaly threshold and an activity anomaly threshold according to the user's requirements, and filtering from the scanning result the abnormal IP addresses that reach both thresholds;
a tracking statistics step: summarizing the filtered result of the anomaly filtering step, tracking the abnormal IP addresses in it for a preset time, and counting those that are still abnormal when the preset time is reached.
In this embodiment, in the anomaly filtering step the traffic threshold and the activity threshold are set deliberately by the user, that is, the user manually adjusts them according to the actual server's access data and the traffic it generates. For example, the traffic a server generates during a peak access period far exceeds its normal-period traffic but is normal for the peak period, so the user can manually raise the traffic threshold. In this embodiment the activity threshold is the IP's hit count (HIT). After the abnormal IPs are filtered by the user-set traffic and activity thresholds, the remaining abnormal IP addresses are the final result. The final result of the anomaly filtering step is then summarized and observed over a set period; in this embodiment the period is set by the user, for example one cycle of 5 days. After the 5 days, an observed abnormal IP address that is still abnormal is recorded in a table, which in this embodiment contains: (1) the hit count (HIT) and traffic information of the abnormal IP address; (2) the abnormal duration, start time, anomaly type and anomaly data of the abnormal IP address.
The tracking statistics step further comprises: summarizing the abnormal IP addresses that do not reach the traffic and activity anomaly thresholds, tracking them at low frequency, and storing them in the statistical result if they later reach the thresholds.
In this embodiment, to address the prior art's neglect of insensitive abnormal IP addresses, the tracking principle is essentially the same as in the tracking statistics step above, except that the tracking frequency is lower: one cycle is 5 days in the tracking statistics step and 10 days in this step. This on the one hand does not occupy excessive memory and on the other hand prevents the insensitive abnormal IP addresses from developing into more serious problems.
The tracking statistics step also comprises a hazard degree analysis step: analyzing, according to the tracking result, the degree of harm of the abnormal IP to the computer network line. In this embodiment the main point is to analyze the damage that an abnormal IP in the tracking result does to the line; for example, if the abnormal IP shows excessive abnormal traffic and its effect on the line may impair the normal use of more than 60% of users, it is judged a high-level hazard that an administrator must handle urgently.
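The filtering, two-tier tracking and hazard-degree steps above, as an added example that is not the patent's own code: IPs reaching both user-set thresholds are tracked on the 5-day cycle, sub-threshold IPs on the 10-day low-frequency cycle, and any IP still abnormal at a cycle end is recorded in the statistics table together with a hazard grade that uses the 60% affected-users cutoff. The daily observation series, the thresholds (5 MB and 200 hits), the `affected_user_share` field and the "excess traffic" anomaly-type label are constructed assumptions.

```python
"""Anomaly filtering, two-tier tracking statistics and hazard grading.

Added illustration (not the patent's code). The daily observations, the
thresholds and the anomaly-type label are constructed sample values; the 5-day
and 10-day cycles and the 60% affected-users cutoff follow the embodiment.
"""
from dataclasses import dataclass

MB = 1024 * 1024
NORMAL_CYCLE_DAYS = 5          # tracking statistics step (above-threshold IPs)
LOW_FREQ_CYCLE_DAYS = 10       # low-frequency tracking of sub-threshold IPs
HIGH_HAZARD_USER_SHARE = 0.60  # more than 60% of users impaired => high hazard


@dataclass
class Observation:
    day: int
    traffic_bytes: int
    hits: int                   # the embodiment's activity measure (HIT count)
    affected_user_share: float  # assumed field: share of users whose normal use is impaired


def reaches_thresholds(obs, traffic_threshold, hit_threshold):
    """An IP passes the filter only when it reaches BOTH user-set thresholds."""
    return obs.traffic_bytes >= traffic_threshold and obs.hits >= hit_threshold


def filter_anomalies(scan_result, traffic_threshold, hit_threshold):
    """Split scanned IPs into those reaching both thresholds (the filtering
    result) and sub-threshold 'insensitive' IPs kept for low-frequency tracking."""
    sensitive, insensitive = {}, {}
    for ip, obs in scan_result.items():
        bucket = sensitive if reaches_thresholds(obs, traffic_threshold, hit_threshold) else insensitive
        bucket[ip] = obs
    return sensitive, insensitive


def hazard_level(obs):
    """Hazard degree analysis: grade by the share of users whose use is impaired."""
    return "high" if obs.affected_user_share > HIGH_HAZARD_USER_SHARE else "normal"


def track(ip, series, cycle_days, traffic_threshold, hit_threshold, anomaly_type):
    """Observe one IP's daily series; at the end of every cycle, record it in the
    statistics table if it is still abnormal (hits, traffic, duration, start, type)."""
    table = []
    start_day = series[0].day
    for obs in series:
        elapsed = obs.day - start_day + 1
        if elapsed % cycle_days != 0:
            continue                       # only check at cycle boundaries
        if reaches_thresholds(obs, traffic_threshold, hit_threshold):
            table.append({"ip": ip, "hits": obs.hits, "traffic_bytes": obs.traffic_bytes,
                          "abnormal_days": elapsed, "start_day": start_day,
                          "type": anomaly_type, "hazard": hazard_level(obs)})
    return table


def run_tracking_statistics(series_by_ip, traffic_threshold, hit_threshold):
    """Filter on the first observation, then track each bucket at its own cadence."""
    first = {ip: s[0] for ip, s in series_by_ip.items()}
    sensitive, insensitive = filter_anomalies(first, traffic_threshold, hit_threshold)
    stats = []
    for ip in sensitive:
        stats += track(ip, series_by_ip[ip], NORMAL_CYCLE_DAYS,
                       traffic_threshold, hit_threshold, "excess traffic")
    for ip in insensitive:                 # sub-threshold IPs are still watched, just less often
        stats += track(ip, series_by_ip[ip], LOW_FREQ_CYCLE_DAYS,
                       traffic_threshold, hit_threshold, "excess traffic")
    return stats


def build_sample_series(days=10):
    """Constructed 10-day observations for three IPs (linear interpolation)."""
    def ramp(b0, b1, h0, h1, share):
        return [Observation(d, b0 + (b1 - b0) * (d - 1) // (days - 1),
                            h0 + (h1 - h0) * (d - 1) // (days - 1), share)
                for d in range(1, days + 1)]
    return {
        "10.0.0.5": ramp(10 * MB, 10 * MB, 500, 500, 0.70),  # persistent and severe
        "10.0.0.7": ramp(8 * MB, 1 * MB, 300, 20, 0.10),     # abnormal at first, then fades
        "10.0.0.9": ramp(2 * MB, 6 * MB, 50, 300, 0.20),     # sub-threshold, then grows
    }


if __name__ == "__main__":
    for row in run_tracking_statistics(build_sample_series(), 5 * MB, 200):
        print(row)
```

With the sample series, 10.0.0.5 is recorded at both 5-day boundaries as a high hazard, 10.0.0.7 has faded below both thresholds by day 5 and never reaches the table, and 10.0.0.9 starts below the thresholds, is picked up by the 10-day low-frequency track and is recorded on day 10 once it reaches them.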
A characteristic analysis step: performing characteristic analysis on the information of the abnormal IP addresses according to the statistical result, and finding their abnormal characteristics.
In this embodiment, the characteristic analysis of abnormal IP address information according to the statistical result focuses on long-lasting abnormal IP addresses, whose abnormal characteristics need to be analyzed. The method is sampling detection: part of the relevant information is extracted from the filtering result and compared with the anomaly types pre-stored in the database. For example, the pre-stored anomaly types include: (1) network attack, which can cause network anomalies; the sampling method is generally to extract the traffic and activity information of the hosts and ports identified by vulnerability scanning; (2) network failure or configuration error, which usually causes routers or switches to send a large amount of error information, for example a faulty router configuration makes routers exchange information frequently, producing a large amount of OSPF traffic and making them abnormally active addresses; (3) misoperation by the network administrator, meaning abnormal IP addresses caused by administrative operations, so the sample is the traffic information from the source address to the target address; (4) user abuse, meaning abnormal traffic data caused by improper excessive use by individual users, which usually shows up on the server, so the sampling method is to extract the traffic access data of the target server.
The method further comprises: a data storage step: receiving the result of the characteristic processing and storing it in a database, graded by degree of importance;
a display step: displaying the stored result from the database on a webpage interface or a software interface;
an alarm step: raising an anomaly alarm through an alarm device, an e-mail or a DingTalk message.
In this embodiment, the characterized result is stored in the database and displayed on a webpage interface or a software interface; here it is displayed mainly through the software interface. It is then pushed to an administrator as an anomaly alarm through an alarm device, an e-mail or a DingTalk message; in this embodiment it is sent to the administrator mainly by e-mail.
As shown in FIG. 2, the network anomaly scanning system based on traffic and activity analysis comprises:
a data acquisition module: used for acquiring IP data interaction information on a computer network line and storing it in a Redis cache; the data interaction information comprises IP traffic information, IP activity information and IP interaction information;
an anomaly scanning module: used for dynamically scanning, in real time, the traffic information and activity information of each IP on the computer network line according to the data interaction information stored in the Redis cache, and finding the abnormal IP addresses on the current line;
an anomaly filtering module: used for setting a traffic anomaly threshold and an activity anomaly threshold according to the user's requirements, and filtering from the scanning result the abnormal IP addresses that reach both thresholds;
a tracking statistics module: used for summarizing the filtered result of the anomaly filtering module, tracking the abnormal IP addresses in it for a preset time, and counting those that are still abnormal when the preset time is reached; the tracking statistics module contains a low-frequency tracking statistics module and a hazard degree analysis module: the low-frequency tracking statistics module summarizes the abnormal IP addresses that do not reach the traffic and activity anomaly thresholds, tracks them at low frequency, and stores them in the statistical result if they later reach the thresholds; the hazard degree analysis module analyzes, according to the tracking result, the degree of harm of the abnormal IP to the computer network line;
a characteristic analysis module: used for performing characteristic analysis on the information of the abnormal IP addresses according to the statistical result and finding their abnormal characteristics;
a data storage module: used for receiving the result of the characteristic processing and storing it in a database, graded by degree of importance;
a display module: used for displaying the stored result from the database on a webpage interface or a software interface;
an alarm module: used for raising an anomaly alarm through an alarm device, an e-mail or a DingTalk message.
The network anomaly scanning storage medium based on traffic and activity analysis is applied to a computer and stores a network anomaly scanning program based on traffic and activity analysis; when the program is executed by a computer processor, the network anomaly scanning method based on traffic and activity analysis is realized.
The foregoing are merely exemplary embodiments of the present invention, and no attempt is made to show structural details of the invention in more detail than is necessary for the fundamental understanding of the art, the description taken with the drawings making apparent to those skilled in the art how the several forms of the invention may be embodied in practice with the teachings of the invention. It should be noted that, for those skilled in the art, without departing from the structure of the present invention, several changes and modifications can be made, which should also be regarded as the protection scope of the present invention, and these will not affect the effect of the implementation of the present invention and the practicability of the patent. The scope of the claims of the present application shall be determined by the contents of the claims, and the description of the embodiments and the like in the specification shall be used to explain the contents of the claims.

Claims (9)

1. The network anomaly scanning method based on flow and activity analysis is characterized by comprising the following steps:
a data acquisition step: acquiring IP data interaction information in a computer network line and storing the IP data interaction information into a redis cache library;
an anomaly scanning step: dynamically scanning, in real time, the traffic information and activity information of each IP on the computer network line according to the data interaction information stored in the redis cache library, and finding the abnormal IP addresses on the current computer network line;
an exception filtering step: setting a traffic anomaly threshold and an activity anomaly threshold according to the user's requirements, and filtering from the scanning results the abnormal IP addresses that reach the traffic anomaly threshold and the activity anomaly threshold;
a tracking statistics step: summarizing the filtered results of the exception filtering step, tracking the abnormal IP addresses in the filtered results for a preset time, and counting the IP addresses that are still abnormal when the preset time is reached;
a characteristic analysis step: performing characteristic analysis on the information of the abnormal IP addresses according to the statistical result, and finding the abnormal characteristics of the abnormal IP addresses;
the tracking statistics step further comprises:
summarizing the abnormal IP addresses that do not reach the traffic anomaly threshold and the activity anomaly threshold, tracking these abnormal IP addresses at low frequency, and storing them in the statistical result if the traffic anomaly threshold and the activity anomaly threshold are reached.
2. The network anomaly scanning method based on traffic and activity analysis according to claim 1, characterized in that: the data interaction information comprises IP flow information, IP activity information and IP interaction information.
3. The network anomaly scanning method based on traffic and activity analysis according to claim 1, characterized in that: the tracking statistics step further comprises:
a hazard degree analysis step: analyzing the degree of harm of the abnormal IP to the computer network line according to the tracking result.
4. The network anomaly scanning method based on traffic and activity analysis according to claim 3, characterized in that: further comprising:
a data storage step: receiving the result subjected to the characteristic processing, and storing the result subjected to the characteristic processing in a database according to the degree of importance in a grading manner;
a display step: displaying the storage result in the database on a WEB interface;
an alarming step: raising an anomaly alarm via an alarm device, e-mail, or DingTalk message.
5. The network anomaly scanning system based on flow and activity analysis is characterized by comprising:
a data acquisition module: used for acquiring IP data interaction information in a computer network line and storing the IP data interaction information into a redis cache library;
an anomaly scanning module: used for dynamically scanning, in real time, the traffic information and activity information of each IP on the computer network line according to the data interaction information stored in the redis cache library, and finding the abnormal IP addresses on the current computer network line;
an exception filtering module: used for setting a traffic anomaly threshold and an activity anomaly threshold according to the user's requirements, and filtering from the scanning results the abnormal IP addresses that reach the traffic anomaly threshold and the activity anomaly threshold;
a tracking statistics module: used for summarizing the filtered results of the exception filtering module, tracking the abnormal IP addresses in the filtered results for a preset time, and counting the IP addresses that are still abnormal when the preset time is reached;
a characteristic analysis module: the system is used for performing characteristic analysis on the information of the abnormal IP address according to the statistical result and finding the abnormal characteristics of the abnormal IP address;
the tracking statistical module is internally provided with a low-frequency tracking statistical module which is used for summarizing the abnormal IP addresses which do not reach the abnormal flow threshold and the abnormal activity threshold, carrying out low-frequency tracking on the abnormal IP addresses, and storing the abnormal IP addresses into statistical results if the abnormal flow threshold and the abnormal activity threshold are reached.
6. The traffic and activity analysis based network anomaly scanning system according to claim 5, wherein: the data interaction information comprises IP flow information, IP activity information and IP interaction information.
7. The traffic and activity analysis based network anomaly scanning system according to claim 5, wherein: the tracking statistical module is provided with a harm degree analysis module, and the harm degree analysis module is used for analyzing the harm degree of the abnormal IP to the computer network lines according to the tracking result.
8. The traffic and activity analysis based network anomaly scanning system according to claim 7, wherein: the system further comprises a data storage module, a display module and an alarm module; the data storage module is used for receiving the result of the characteristic analysis and storing it in a database, graded by degree of importance; the display module is used for displaying the stored result in the database on a web page interface or a software interface; the alarm module is used for raising an anomaly alarm via an alarm device, e-mail, or DingTalk message.
9. The network anomaly scanning storage medium based on flow and activity analysis is characterized in that: it is applied to a computer; the storage medium stores a network anomaly scanning program based on traffic and activity analysis, and when the network anomaly scanning program based on traffic and activity analysis is executed by a computer processor, it realizes the network anomaly scanning method based on traffic and activity analysis according to any one of claims 1 to 4.
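As an added illustration (not code from the patent or its applicant), the following Python models the pipeline of claims 1 and 5 on constructed per-window records: IPs that reach both thresholds are tracked for a preset number of scan windows and counted if still abnormal, while IPs abnormal on only one metric are re-checked at a lower frequency and promoted into the statistical result when they reach both thresholds. The byte and distinct-peer measures, the threshold values, the window counts, and the reading of "reaching the thresholds" as both metrics at once are assumptions made here.

```python
from collections import defaultdict

TRAFFIC_THR, ACTIVITY_THR = 1000, 3  # assumed user thresholds: bytes, distinct peers
TRACK_LEN = 3                        # assumed preset tracking time, in scan windows

def aggregate_window(records):
    """Per-IP traffic (bytes) and activity (distinct peers) for one scan window."""
    traffic, peers = defaultdict(int), defaultdict(set)
    for ip, nbytes, peer in records:
        traffic[ip] += nbytes
        peers[ip].add(peer)
    return {ip: (traffic[ip], len(peers[ip])) for ip in traffic}

def scan_and_track(windows, traffic_thr, activity_thr, track_len, low_freq_every=2):
    """Returns (confirmed, low_freq_hits): confirmed = IPs at/above both thresholds
    for track_len consecutive windows (filtering + tracking statistics);
    low_freq_hits = IPs above only one threshold, re-checked every low_freq_every-th
    window and then found above both (the low-frequency tracking branch)."""
    streak = defaultdict(int)        # consecutive windows above both thresholds
    watch, confirmed, low_freq_hits = set(), set(), set()
    for idx, records in enumerate(windows):
        stats = aggregate_window(records)
        for ip in streak.keys() - stats.keys():
            streak[ip] = 0           # absent from this window: no longer abnormal
        for ip, (t, a) in stats.items():
            both = t >= traffic_thr and a >= activity_thr
            either = t >= traffic_thr or a >= activity_thr
            if ip in watch and idx % low_freq_every == 0 and both:
                low_freq_hits.add(ip)   # promoted into the statistical result
                watch.discard(ip)
            if both:
                streak[ip] += 1
                if streak[ip] >= track_len:
                    confirmed.add(ip)
            else:
                streak[ip] = 0
                if either:
                    watch.add(ip)    # sub-threshold: tracked at low frequency only
    return confirmed, low_freq_hits

def _ip_records(ip, total_bytes, n_peers):
    """Constructed helper: spread total_bytes over n_peers distinct peers."""
    return [(ip, total_bytes // n_peers, f"peer{i}") for i in range(n_peers)]

SAMPLE_WINDOWS = [  # constructed data: four consecutive scan windows
    _ip_records("10.0.0.5", 2000, 4) + _ip_records("10.0.0.7", 1500, 1) + _ip_records("10.0.0.2", 100, 1),
    _ip_records("10.0.0.5", 2000, 4) + _ip_records("10.0.0.7", 1500, 1) + _ip_records("10.0.0.9", 1200, 3),
    _ip_records("10.0.0.5", 2000, 4) + _ip_records("10.0.0.7", 1600, 4) + _ip_records("10.0.0.9", 100, 1),
    _ip_records("10.0.0.5", 2000, 4) + _ip_records("10.0.0.7", 1600, 4) + _ip_records("10.0.0.2", 100, 1),
]
```

With the sample data, 10.0.0.5 is confirmed after three windows, 10.0.0.9 spikes once and is dropped, and 10.0.0.7 (heavy traffic but a single peer at first) is caught by the low-frequency re-check.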
CN202111501051.9A 2021-12-09 2021-12-09 Network anomaly scanning method and system based on flow and activity analysis and storage medium Pending CN114157506A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111501051.9A CN114157506A (en) 2021-12-09 2021-12-09 Network anomaly scanning method and system based on flow and activity analysis and storage medium

Publications (1)

Publication Number Publication Date
CN114157506A true CN114157506A (en) 2022-03-08

Family

ID=80454253

Country Status (1)

Country Link
CN (1) CN114157506A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination