CN114301694A - Network abnormal flow analysis method, device, equipment and medium - Google Patents


Info

Publication number
CN114301694A
Authority
CN
China
Prior art keywords
data
protocol
flow
destination address
session
Legal status
Granted
Application number
CN202111647136.8A
Other languages
Chinese (zh)
Other versions
CN114301694B (en)
Inventor
黄友俊
李星
吴建平
王飞
Current Assignee
CERNET Corp
Original Assignee
CERNET Corp
Application filed by CERNET Corp
Priority to CN202111647136.8A
Publication of CN114301694A
Application granted
Publication of CN114301694B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network abnormal traffic analysis method in the field of next-generation Internet threat detection, comprising the following steps: dividing the data of a target backbone network into at least one type of protocol data according to the network protocol, where the protocol data comprises at least one source address, at least one destination address, and the request packet count, request traffic, response packet count and response traffic generated by the interaction between the source address and the destination address; performing session preprocessing on each type of protocol data respectively to obtain the session data contained in the access path corresponding to a source address or a destination address; calculating a detection data set for each source address or destination address from the session data; and determining the access path with abnormal traffic from the detection data set. The method and device take the two scenarios of distributed denial-of-service attack and abnormal scanning as entry points and analyse the traffic data of the target backbone network from both directions, which can effectively improve the detection rate and detection effect for network traffic.

Description

Network abnormal flow analysis method, device, equipment and medium
Technical Field
The present disclosure relates to the field of next generation internet threat detection, and more particularly, to a method, an apparatus, a device, and a medium for analyzing network abnormal traffic.
Background
IPv6 (Internet Protocol version 6) is the next-generation Internet protocol. Its most obvious advantage is its 128-bit address: the vast address space solves the gradual exhaustion of IPv4 addresses. NetFlow is a technology for collecting network traffic statistics on routing devices; the router sends sampled flow records to a collector over the network.
DDoS (distributed denial of service) is an attack in which an attacker uses many sources to send a large number of requests to one destination, so that the destination's service resources are exhausted or it even crashes and can no longer provide service normally.
At present, under the guidance of national policy, IPv6 network access volume and the penetration of related applications are growing rapidly, and the security problems of IPv6 networks are becoming more prominent. Network security technology has been developed for many years and is mature in many application directions, but it mainly targets IPv4 networks. The IPv6 address space is enormous, and the size of the network space is qualitatively different from IPv4, so research on security technology for IPv6 networks is urgent.
From the perspective of the analysed object, there are two main kinds of network security detection:
First, analysis of a complete mirrored data stream. This technique needs to copy the traffic; it has all of the traffic's data, but it requires an additional physical link to carry the mirrored traffic, and its cost is high, which is impractical for a large-scale backbone network. Moreover, security detection based on mirrored traffic must match and judge against known attack types, so unknown, novel attacks cannot be handled and detection lags behind.
Second, analysis of data streams that contain only traffic summary information, such as IP addresses, ports and byte counts. NetFlow data is summary information about the packets and can be transmitted remotely over the network, so an operator can monitor the data of the whole network at low cost. At present a main technical direction is to combine it with machine learning to judge intelligently whether a threat exists, but there is still much room to improve the detection effect.
BRIEF SUMMARY OF THE PRESENT DISCLOSURE
Technical problem to be solved
In view of the prior art, the present disclosure provides a method, an apparatus, a device, and a medium for analyzing abnormal network traffic, which are used to at least partially solve the above technical problems.
(II) technical scheme
According to a first aspect of the present disclosure, a method for analyzing network abnormal traffic is provided, including:
dividing the data of a target backbone network into at least one type of protocol data according to the network protocol; the protocol data comprises at least one source address, at least one destination address, and the request packet count, request traffic, response packet count and response traffic generated by the interaction between the source address and the destination address; performing session preprocessing on each type of protocol data respectively to obtain the session data contained in the access path corresponding to a source address or a destination address; calculating a detection data set corresponding to each source address or destination address from the session data; and determining the access path with abnormal traffic from the detection data set.
According to an embodiment of the present disclosure, the network protocols include the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Internet Control Message Protocol (ICMP), and dividing the data of the target backbone network into protocol data according to the network protocol includes: reading data from the target backbone network; and judging the protocol corresponding to the read data, and dividing the read data into TCP data, UDP data and ICMP data according to the judgment result.
According to an embodiment of the present disclosure, the data of the target backbone network is divided into protocol data using multiple threads.
According to an embodiment of the present disclosure, performing session preprocessing on each type of protocol data to obtain the session data contained in the access path corresponding to a source address or a destination address includes: for each destination address, determining the source addresses that access the destination address; and accumulating respectively the request packet count, request traffic, response packet count and response traffic generated by all of those source addresses accessing the destination address, to obtain first session data.
According to an embodiment of the present disclosure, performing session preprocessing on each type of protocol data to obtain the session data contained in the access path corresponding to a source address or a destination address includes: for each source address, determining the destination addresses that the source address accesses; and accumulating respectively the request packet count, request traffic, response packet count and response traffic generated towards all destination addresses accessed by the source address, to obtain second session data.
According to an embodiment of the present disclosure, calculating a detection data set corresponding to each source address or destination address from the session data includes: for each source address or destination address, assigning corresponding weights to the accumulated request packet count, request traffic, response packet count and response traffic; computing the weighted sum of the accumulated request packet count, request traffic, response packet count and response traffic to obtain detection data; and collecting the detection data of all source addresses, or of all destination addresses, to obtain a detection data set.
According to an embodiment of the present disclosure, determining the access path with abnormal traffic from the detection data set comprises: judging whether each item of detection data in the detection data set is within a preset range; if not, the traffic of the access path corresponding to that detection data is abnormal.
A second aspect of the present disclosure provides a processing apparatus of an abnormal traffic analysis method, including:
the data classification module is used for classifying the data of the target backbone network into at least one type of protocol data according to the network protocol; the protocol data comprises at least one source address, at least one destination address, and the request packet count, request traffic, response packet count and response traffic generated by the interaction between the source address and the destination address; the session preprocessing module is used for performing session preprocessing on each type of protocol data respectively to obtain the session data contained in the access path corresponding to a source address or a destination address; the data set generating module is used for calculating a detection data set corresponding to each source address or destination address from the session data; and the determining module is used for determining the access path with abnormal traffic from the detection data set.
A third aspect of the present disclosure provides an electronic device comprising: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as above.
A fourth aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as above when executed.
(III) advantageous effects
The present disclosure has at least the following beneficial effects:
(1) The two scenarios of distributed denial-of-service attack and abnormal scanning are taken as entry points, and the traffic data of the target backbone network is analysed from both directions, so that the detection rate and detection effect for network traffic can be effectively improved.
(2) Dividing the NetFlow data of the backbone network into three types by protocol makes the traffic detection more targeted and improves detection efficiency; at the same time, multithreading is used for the classification, which further improves the efficiency of traffic analysis.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates a system architecture 100 of a network abnormal traffic analysis method and system according to an embodiment of the present disclosure;
fig. 2 schematically illustrates a flowchart of an abnormal traffic analysis method provided by an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a data processing method of an embodiment of the present disclosure;
fig. 4 schematically shows a block diagram of a processing device of an abnormal traffic analysis method according to an embodiment of the present disclosure;
fig. 5 schematically shows a block diagram of an electronic device of an abnormal traffic analysis method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
In the technical scheme of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure, application and other processing of the personal information of the related user are all in accordance with the regulations of related laws and regulations, necessary confidentiality measures are taken, and the customs of the public order is not violated.
In the technical scheme of the disclosure, before the personal information of the user is acquired or collected, the authorization or the consent of the user is acquired.
Embodiments of the present disclosure provide for dividing the data of a target backbone network into at least one type of protocol data according to the network protocol; the protocol data comprises at least one source address, at least one destination address, and the request packet count, request traffic, response packet count and response traffic generated by the interaction between the source address and the destination address; performing session preprocessing on each type of protocol data respectively to obtain the session data contained in the access path corresponding to a source address or a destination address; calculating a detection data set corresponding to each source address or destination address from the session data; and determining the access path with abnormal traffic from the detection data set.
Fig. 1 schematically illustrates a system architecture 100 of a network abnormal traffic analysis method and system according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, in the present application the NetFlow data of the backbone network is first divided into three types. Session preprocessing is then performed on the classified protocol data, and different session data are obtained for different processing scenarios: for example, session preprocessing can be performed separately for a DDoS detection scenario and an abnormal scan detection scenario to obtain DDoS detection session data and abnormal scan detection session data. A corresponding data set is generated from each of these, abnormal traffic detection is performed on the generated data set, and the abnormal access path is determined.
Fig. 2 schematically shows a flowchart of an abnormal traffic analysis method provided by the embodiment of the present disclosure.
As shown in fig. 2, the method may include, for example, operations S201 to S204.
In operation S201, the NetFlow data of the target backbone network is divided into at least one type of protocol data according to the network protocol; the protocol data comprises at least one source address, at least one destination address, and the request packet count, request traffic, response packet count and response traffic generated by the interaction between the source address and the destination address.
In the embodiment of the disclosure, the NetFlow traffic data of the target backbone network can be divided by protocol, using multiple threads, into three types including at least Transmission Control Protocol (TCP) data, User Datagram Protocol (UDP) data and Internet Control Message Protocol (ICMP) data; for the IPv6 backbone the ICMP data is ICMP version 6 (ICMPv6) data, which makes the data processing more efficient.
Fig. 3 schematically shows a flow chart of a data processing method according to an embodiment of the present disclosure.
As shown in fig. 3, the data processing method may include, for example, operation S301 to S303.
In operation S301, data is read from the target backbone network: a reading thread is created which reads data from the target backbone network and inserts it into a linked list that temporarily stores the data read by the reading thread.
In operation S302, the protocol corresponding to the read data is determined: a protocol determination thread is created which reads the data from the linked list filled in step S301 and judges which network protocol the data belongs to; data conforming to TCP is inserted into a TCP linked list, data conforming to UDP into a UDP linked list, and data conforming to ICMPv6 into an ICMPv6 linked list.
In operation S303, the read data is divided into TCP data, UDP data and ICMPv6 data according to the determination result: three different write threads are created which read data from the TCP linked list, the UDP linked list and the ICMPv6 linked list respectively and write the corresponding TCP data file, UDP data file and ICMPv6 data file.
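The reader, protocol-determination and writer pipeline of operations S301 to S303 is illustrated by the following Python example. It is an added example, not code from the patent or from CERNET Corp: it assumes that the protocol field of each NetFlow record carries the IANA protocol number (6 for TCP, 17 for UDP, 58 for ICMPv6), uses thread-safe queues in place of the linked lists and in-memory lists in place of the three data files, and the records it processes are constructed for the example, not real traffic.

```python
import queue
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA protocol numbers as carried in a NetFlow record's protocol field (assumption).
PROTO_TCP, PROTO_UDP, PROTO_ICMPV6 = 6, 17, 58
PROTO_NAMES = {PROTO_TCP: "tcp", PROTO_UDP: "udp", PROTO_ICMPV6: "icmpv6"}


@dataclass(frozen=True)
class FlowRecord:
    """One NetFlow record with the fields the patent's per-protocol files carry."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    pkts_in: int
    octs_in: int
    pkts_out: int
    octs_out: int


_STOP: Optional[FlowRecord] = None  # sentinel that tells a consumer thread to finish


def split_by_protocol(records: List[FlowRecord]) -> Dict[str, List[FlowRecord]]:
    """S301-S303 as a thread pipeline: reader -> protocol classifier -> three writers.

    The queues play the role of the linked lists in the text and the per-protocol output
    lists stand in for the TCP, UDP and ICMPv6 data files. Records of any other protocol
    are kept under "other" so the caller can see what share of the export is not covered.
    """
    raw_q: "queue.Queue[Optional[FlowRecord]]" = queue.Queue()
    proto_q = {name: queue.Queue() for name in PROTO_NAMES.values()}
    out: Dict[str, List[FlowRecord]] = {name: [] for name in PROTO_NAMES.values()}
    out["other"] = []

    def reader() -> None:
        for rec in records:            # in production: read from the collector socket/file
            raw_q.put(rec)
        raw_q.put(_STOP)

    def classifier() -> None:
        while (rec := raw_q.get()) is not _STOP:
            name = PROTO_NAMES.get(rec.proto)
            if name is None:
                out["other"].append(rec)   # only this thread touches "other"
            else:
                proto_q[name].put(rec)
        for q in proto_q.values():         # propagate end-of-input to every writer
            q.put(_STOP)

    def writer(name: str) -> None:
        q = proto_q[name]
        while (rec := q.get()) is not _STOP:
            out[name].append(rec)          # one writer per protocol: no lock needed

    threads = [threading.Thread(target=reader), threading.Thread(target=classifier)]
    threads += [threading.Thread(target=writer, args=(n,)) for n in PROTO_NAMES.values()]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return out


# Constructed sample export (not real traffic): one IPv6 flow per handled protocol plus
# one GRE flow (protocol 47) that the detector does not examine.
SAMPLE_RECORDS = [
    FlowRecord("2001:db8::a", 40001, "2001:db8::1", 443, PROTO_TCP, 12, 900, 10, 4000),
    FlowRecord("2001:db8::b", 50000, "2001:db8::1", 53, PROTO_UDP, 1, 80, 1, 120),
    FlowRecord("2001:db8::c", 0, "2001:db8::1", 0, PROTO_ICMPV6, 3, 240, 3, 240),
    FlowRecord("2001:db8::d", 0, "2001:db8::1", 0, 47, 5, 500, 0, 0),
]

if __name__ == "__main__":
    for name, recs in split_by_protocol(SAMPLE_RECORDS).items():
        print(name, len(recs))
```

Because each protocol has exactly one writer thread, every output list is appended to by a single thread only, so no lock is needed and the input order is preserved within a protocol. The "other" bucket is not part of the patent's method; it is included so that an operator can measure how much of the export the three-way split discards.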
In operation S202, session preprocessing is performed on at least one type of protocol data, so as to obtain session data included in an access path corresponding to a source address or a destination address.
In the embodiment of the present disclosure, DDoS detection session data and abnormal scan detection session data are respectively generated according to the classified protocol text data. DDoS is where multiple source IPs initiate access to one destination IP, and belongs to many-to-one, whereas exception scanning is generally where one source IP makes a detection attempt to multiple destination IPs, and belongs to one-to-many. Therefore, in the two scenarios, the angle of statistics is different, and what needs to be analyzed in the DDoS detection scenario is: for each destination address, determining a source address for accessing the destination address; and correspondingly accumulating the request packet number, the request flow, the response packet number and the response flow generated by accessing the destination address by all the source addresses respectively to obtain first session data. What needs to be analyzed in an anomalous scan detection scenario is: for each source address, determining a destination address of source address access; and respectively and correspondingly accumulating the request packet number, the request flow, the response packet number and the response flow generated by all destination addresses accessed by the source address to obtain second session data.
The formats of the TCP data file, the UDP data file and the ICMPv6 data file are the same, and the TCP data file, the UDP data file and the ICMPv6 data file all comprise the following fields: the method comprises the steps of source IP, source port, destination IP, destination port, protocol number, request packet number, request flow, response packet number and response flow which are generated by interaction between the source IP and the destination IP. The session preprocessing respectively processes the TCP data file, the UDP data file and the ICMPv6 data file, and the processing logics are consistent.
For example, taking TCP data, assume there are four TCP records: (1) sa1, sp1, da1, dp1, pro_tcp, pkts_in1, octs_in1, pkts_out1, octs_out1; (2) sa2, sp2, da2, dp2, pro_tcp, pkts_in2, octs_in2, pkts_out2, octs_out2; (3) sa3, sp3, da3, dp3, pro_tcp, pkts_in3, octs_in3, pkts_out3, octs_out3; (4) sa4, sp4, da4, dp4, pro_tcp, pkts_in4, octs_in4, pkts_out4, octs_out4.
In the DDoS detection scenario, what is counted is which source IPs access a single destination IP, so the destination IP is used as the key. Assuming destination IP da1 is accessed by source IPs sa1 and sa2, the DDoS detection session data for da1 consists of the number of source IPs, the request packet count, the request traffic, the response packet count and the response traffic, which are respectively: 2, pkts_in1 + pkts_in2, octs_in1 + octs_in2, pkts_out1 + pkts_out2, octs_out1 + octs_out2. The DDoS detection session data may be represented as a dictionary keyed by destination IP:
{da1: (2, pkts_in1 + pkts_in2, octs_in1 + octs_in2, pkts_out1 + pkts_out2, octs_out1 + octs_out2)}
Of course, destination IP da1 may be accessed by one or more other source IPs; the source IP count and the corresponding DDoS detection session data are computed in the same way, and the other destination IPs da2, da3 and da4 are handled likewise.
In the abnormal scan detection scenario, what is counted is which destination IPs a single source IP accesses, so the source IP is used as the key. Taking the same four TCP records and assuming source IP sa1 accesses destination IPs da3 and da4, the values to be counted for sa1 are the number of destination IPs, the request packet count, the request traffic, the response packet count and the response traffic, which are respectively: 2, pkts_in3 + pkts_in4, octs_in3 + octs_in4, pkts_out3 + pkts_out4, octs_out3 + octs_out4. The abnormal scan detection session data may be represented as a dictionary keyed by source IP:
{sa1: (2, pkts_in3 + pkts_in4, octs_in3 + octs_in4, pkts_out3 + pkts_out4, octs_out3 + octs_out4)}
Of course, source IP sa1 may also access one or more other destination IPs; the destination IP count and the corresponding abnormal scan detection session data are computed in the same way, and the other source IPs sa2, sa3 and sa4 are counted likewise.
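The two aggregations of operation S202 (first session data keyed by destination address, second session data keyed by source address), as an added Python example that is not part of the patent. Field names follow the data file format listed above; the four sample records and their IPv6 addresses are constructed to match the assumptions in the text (da1 reached by sa1 and sa2, sa1 reaching da3 and da4); and the peer count is taken as the number of distinct addresses, an interpretation the text does not state explicitly.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    """One record of a per-protocol data file, in the field order given in the text."""
    sa: str        # source IP
    sp: int        # source port
    da: str        # destination IP
    dp: int        # destination port
    proto: int     # protocol number
    pkts_in: int   # request packets
    octs_in: int   # request octets (bytes)
    pkts_out: int  # response packets
    octs_out: int  # response octets (bytes)


class Session(NamedTuple):
    """Session data for one key address: peer count plus the four accumulated counters."""
    peers: int
    pkts_in: int
    octs_in: int
    pkts_out: int
    octs_out: int


def _aggregate(flows: Iterable[Flow], key: str, peer: str) -> Dict[str, Session]:
    """Group flows by the address in field `key`, count the distinct addresses seen in
    field `peer` and sum the four counters. Counting distinct peers (an assumption) means
    one source hitting one destination on many ports is still a single source for it."""
    peers: Dict[str, set] = defaultdict(set)
    sums: Dict[str, List[int]] = defaultdict(lambda: [0, 0, 0, 0])
    for f in flows:
        k = getattr(f, key)
        peers[k].add(getattr(f, peer))
        s = sums[k]
        s[0] += f.pkts_in
        s[1] += f.octs_in
        s[2] += f.pkts_out
        s[3] += f.octs_out
    return {k: Session(len(peers[k]), *sums[k]) for k in sums}


def ddos_sessions(flows: Iterable[Flow]) -> Dict[str, Session]:
    """DDoS view (many-to-one): key = destination IP, peers = source IPs."""
    return _aggregate(flows, "da", "sa")


def scan_sessions(flows: Iterable[Flow]) -> Dict[str, Session]:
    """Scan view (one-to-many): key = source IP, peers = destination IPs."""
    return _aggregate(flows, "sa", "da")


# Constructed sample TCP records (not real traffic), laid out like the text's example:
# da1 is reached by sa1 and sa2; sa1 additionally probes da3 and da4 on port 22.
SA1, SA2 = "2001:db8:1::1", "2001:db8:1::2"
DA1, DA3, DA4 = "2001:db8:2::1", "2001:db8:2::3", "2001:db8:2::4"
SAMPLE_TCP = [
    Flow(SA1, 40001, DA1, 443, 6, 10, 1000, 8, 800),
    Flow(SA2, 40002, DA1, 443, 6, 20, 2000, 0, 0),
    Flow(SA1, 40003, DA3, 22, 6, 1, 60, 1, 40),
    Flow(SA1, 40004, DA4, 22, 6, 1, 60, 0, 0),
]

if __name__ == "__main__":
    print("DDoS view:", ddos_sessions(SAMPLE_TCP))
    print("scan view:", scan_sessions(SAMPLE_TCP))
```

The same function body serves both scenarios; only the choice of key field and peer field differs, which is exactly the "different angle of statistics" the text describes. The response counters are worth keeping separate from the request counters: in the constructed data the scanning source sa1 gets few or no response packets from da3 and da4, and a real SYN flood against da1 would show a similar request-heavy, response-light profile.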
In operation S203, a detection data set corresponding to each source address or destination address is calculated according to the session data.
In the embodiment of the present disclosure, for each source address or destination address, corresponding weights may be respectively assigned to the accumulated request packet number, request traffic, response packet number, and response traffic; carrying out weighted summation on the accumulated request packet number, request flow, response packet number and response flow to obtain detection data; and collecting the detection data corresponding to all the source addresses or collecting the detection data corresponding to all the destination addresses to obtain a detection data set.
Illustratively, the four features request packet count, request traffic, response packet count and response traffic differ in their importance when computing the session data in the DDoS detection scenario and in the abnormal scan detection scenario, and therefore each has a different weight. Weights are calculated separately for the DDoS detection session data and the abnormal scan detection session data generated in step S202 based on information entropy theory, and a DDoS detection data set and an abnormal scan detection data set are generated. The weights of the request packet count, request traffic, response packet count and response traffic are calculated with the information entropy weight formula, which is a standard calculation method and is not described here. In the DDoS detection scenario, assuming the weights of the request packet count, request traffic, response packet count and response traffic features are DDoS_weight0, DDoS_weight1, DDoS_weight2 and DDoS_weight3 respectively, the DDoS detection data corresponding to destination IP da1 from step S202 is:
data1 = (pkts_in1 + pkts_in2) × DDoS_weight0 + (octs_in1 + octs_in2) × DDoS_weight1 + (pkts_out1 + pkts_out2) × DDoS_weight2 + (octs_out1 + octs_out2) × DDoS_weight3.
The detection data of the other destination IPs is calculated in the same way, and the DDoS detection data of the destination IPs together form the DDoS detection data set.
Similarly, in the abnormal scan detection scenario, assuming the weights of the request packet count, request traffic, response packet count and response traffic features are scan_weight0, scan_weight1, scan_weight2 and scan_weight3 respectively, the abnormal scan detection data corresponding to source IP sa1 from step S202 is:
data1 = (pkts_in3 + pkts_in4) × scan_weight0 + (octs_in3 + octs_in4) × scan_weight1 + (pkts_out3 + pkts_out4) × scan_weight2 + (octs_out3 + octs_out4) × scan_weight3.
The detection data of the other source IPs is calculated in the same way, and the abnormal scan detection data of the source IPs together form the abnormal scan detection data set.
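The information entropy weight calculation that the text leaves out, followed by the weighted sum of operation S203, as an added Python example that is not the patent's own code. The entropy weight method used here is the standard one: each feature column is normalised to a distribution over the addresses, its entropy is scaled to [0, 1], one minus the entropy is taken as the feature's information content, and those values are normalised to weights. The session values are constructed for the example. The handling of an all-zero column and of the case where every feature is uniform is an added safeguard, since the textbook formula divides by zero there.

```python
import math
from typing import Dict, List, Sequence, Tuple

FEATURES = ("pkts_in", "octs_in", "pkts_out", "octs_out")


def entropy_weights(rows: Sequence[Sequence[float]]) -> List[float]:
    """Entropy weight method over a matrix of addresses (rows) x features (columns).

    A feature spread evenly across the addresses has entropy close to 1 and gets a weight
    close to 0; a feature concentrated on a few addresses gets a large weight.
    """
    m, n = len(rows), len(rows[0])
    if m < 2:
        return [1.0 / n] * n            # entropy over a single sample is undefined
    k = 1.0 / math.log(m)               # scales the entropy into [0, 1]
    divergence: List[float] = []
    for j in range(n):
        col = [float(r[j]) for r in rows]
        if any(v < 0 for v in col):
            raise ValueError("accumulated counters must be non-negative")
        total = sum(col)
        if total == 0:
            divergence.append(0.0)      # an all-zero column carries no information
            continue
        ent = 0.0
        for v in col:
            p = v / total
            if p > 0:                   # 0 * log(0) is taken as 0
                ent -= p * math.log(p)
        ent *= k
        divergence.append(max(0.0, 1.0 - ent))   # clamp rounding noise below zero
    s = sum(divergence)
    if s < 1e-12:
        return [1.0 / n] * n            # every feature uniform: fall back to equal weights
    return [d / s for d in divergence]


def detection_scores(sessions: Dict[str, Sequence[float]]) -> Tuple[List[float], Dict[str, float]]:
    """Weighted sum of the four accumulated counters per address, as in S203.

    `sessions` maps an address to (pkts_in, octs_in, pkts_out, octs_out); the peer count
    of the session data is not one of the weighted features in the text and is left out.
    Returns the weights and the detection data set (address -> detection data).
    """
    keys = list(sessions)
    weights = entropy_weights([sessions[k] for k in keys])
    scores = {k: sum(w * x for w, x in zip(weights, sessions[k])) for k in keys}
    return weights, scores


# Constructed DDoS-view session data (not real measurements): one destination receives all
# request packets, request octets are identical everywhere, no responses at all, and the
# response octets are mildly skewed, so only the first and last feature carry information.
SAMPLE_SESSIONS = {
    "2001:db8:2::1": (100, 100, 0, 70),
    "2001:db8:2::2": (0, 100, 0, 10),
    "2001:db8:2::3": (0, 100, 0, 10),
    "2001:db8:2::4": (0, 100, 0, 10),
}

if __name__ == "__main__":
    w, scores = detection_scores(SAMPLE_SESSIONS)
    print(dict(zip(FEATURES, (round(x, 4) for x in w))))
    for addr, value in scores.items():
        print(addr, round(value, 2))
```

Two caveats for anyone adapting this. The text weights the raw accumulated counters, so the octet features are numerically far larger than the packet counters and will dominate the sum unless their weights happen to be small; scaling each column to [0, 1] before the weighted sum is the usual remedy and is not something the patent describes. And because the weights are recomputed from the data set itself, a single busy address both raises its own score and reshapes the weights, so scores from different time windows are not directly comparable.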
In operation S204, an access path for traffic anomaly is determined from the sensed data set.
In the embodiment of the disclosure, the access path with abnormal traffic may be determined by judging whether each item of detection data in the detection data set lies within a preset range. If the detection data is not within the preset range, the traffic of the access path corresponding to that detection data is abnormal.
Illustratively, the outliers in the DDoS detection data set and in the abnormal scan detection data set are calculated separately using the box plot method, so that suspicious DDoS traffic and suspicious abnormal scan traffic are identified. For the DDoS data set and for the abnormal scan data set, the first, second and third quartiles are calculated with the standard box plot formulas; these three quartiles divide the data set into four equal parts, from which an upper limit and a lower limit of the data set are obtained. Points lying outside the range from the lower limit to the upper limit are outliers and can be judged to be suspicious DDoS traffic or suspicious abnormal scan traffic, and the outliers identify the abnormal access paths in the DDoS detection scenario or the abnormal scan detection scenario.
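The box plot rule of operation S204, as an added Python example that is not part of the patent. It assumes the quartiles are computed by linear interpolation between neighbouring order statistics and that the limits are the usual fences at 1.5 times the interquartile range beyond the first and third quartile; the detection data values are constructed.

```python
import math
from typing import Dict, Iterable, List, NamedTuple


class BoxBounds(NamedTuple):
    q1: float
    q2: float
    q3: float
    lower: float
    upper: float


def quantile(values: List[float], q: float) -> float:
    """q-th quantile (0 <= q <= 1) of an already sorted list, interpolating linearly
    between neighbouring order statistics."""
    n = len(values)
    pos = q * (n - 1)
    lo = math.floor(pos)
    hi = min(lo + 1, n - 1)
    return values[lo] + (values[hi] - values[lo]) * (pos - lo)


def box_bounds(values: Iterable[float], k: float = 1.5) -> BoxBounds:
    """Quartiles and the lower/upper limits of a detection data set."""
    s = sorted(values)
    if len(s) < 4:
        raise ValueError("need at least four data points to split into quartiles")
    q1, q2, q3 = (quantile(s, q) for q in (0.25, 0.5, 0.75))
    iqr = q3 - q1
    return BoxBounds(q1, q2, q3, q1 - k * iqr, q3 + k * iqr)


def find_anomalies(scores: Dict[str, float], k: float = 1.5) -> Dict[str, float]:
    """Return the addresses whose detection data lies outside [lower, upper]; each such
    address names an access path (all sources to it, or it to all destinations) that the
    text treats as suspicious DDoS or scan traffic."""
    b = box_bounds(scores.values(), k)
    return {addr: v for addr, v in scores.items() if v < b.lower or v > b.upper}


# Constructed DDoS detection data set (not real measurements): nine ordinary destinations
# and one that draws far more weighted traffic than the rest.
SAMPLE_SCORES = {f"2001:db8:2::{i}": float(i) for i in range(1, 10)}
SAMPLE_SCORES["2001:db8:2::a"] = 100.0

# Constructed degenerate set: the box collapses to a point when most scores are identical.
FLAT_SCORES = {"a": 5.0, "b": 5.0, "c": 5.0, "d": 5.0, "e": 6.0}

if __name__ == "__main__":
    print(box_bounds(SAMPLE_SCORES.values()))
    print(find_anomalies(SAMPLE_SCORES))
    print(find_anomalies(FLAT_SCORES))
```

For the DDoS and scan scenarios only the upper limit is of practical interest, since a suspicious address draws more weighted traffic than its peers, not less; the function reports both sides as the text describes, and a caller can keep only `v > b.upper`. The degenerate case matters on a real backbone: when most addresses have identical scores the interquartile range is zero and any deviation at all is flagged, which is where a minimum absolute threshold would have to be added on top of the box plot rule.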
Fig. 4 schematically shows a block diagram of a processing device of an abnormal traffic analysis method according to an embodiment of the present disclosure.
As shown in fig. 4, the processing apparatus 400 of the abnormal traffic analysis method may include, for example, a data classification module 410, a session preprocessing module 420, a data set generation module 430, and an abnormal path determination module 440.
A data classification module 410, configured to classify data of the target backbone network into protocol data according to a network protocol.
The session preprocessing module 420 is configured to perform session preprocessing on the protocol data, respectively, to generate session data, where the session data includes at least one source address, at least one destination address, and a request packet number, a request traffic, a response packet number, and a response traffic, which are generated by interaction between the source address and the destination address.
And the data set generating module 430 is configured to calculate, based on the access path included in the session data, a detection data set corresponding to each source address or destination address according to the number of request packets, the request traffic, the number of response packets, and the response traffic.
A determination module 440, configured to determine an access path with abnormal traffic according to the detection data set.
According to the abnormal traffic analysis method provided by the embodiment of the disclosure, before traffic detection the data of the backbone network is divided according to network protocol into at least three types, namely TCP data, UDP data and ICMPv6 data; splitting the flow data by protocol makes traffic detection more targeted and improves detection efficiency. Session preprocessing is then carried out on each type of protocol data separately to generate session data, which comprise at least one source address, at least one destination address, and the request packet number, request flow, response packet number and response flow generated by interaction between the source address and the destination address. Depending on the detection scene, DDoS detection session data and abnormal scanning detection session data are generated from the protocol data, the corresponding DDoS detection data set and abnormal scanning detection data set are computed from them, and the access paths with abnormal flow are then determined from these data sets, which effectively improves the detection rate and the detection effect on network traffic.
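The following Python block is an added example, not code from the patent or from CERNET, that runs the pipeline described above and in claims 1 to 7 over a handful of constructed flow records: split by protocol, accumulate the four counters per destination (first session data, DDoS scene) and per source (second session data, scanning scene), weight and sum them into a detection data set, and flag points outside the box-plot limits. The weights, the 1.5 × IQR fences, the split into TCP and UDP only, and every address and count are assumptions made for the example.

```python
"""
Added example (not the patent's code): per-protocol classification,
session aggregation, weighted-sum detection data set and box-plot
outlier check, run over constructed flow records.
"""
from collections import defaultdict
from statistics import quantiles  # Python 3.8+

# Constructed flow records (not real traffic): protocol, source, destination,
# request packets, request bytes, response packets, response bytes.
FLOWS = [
    # six ordinary TCP client/server pairs
    ("tcp", "c1", "s1", 10, 1000, 10, 2000),
    ("tcp", "c2", "s2", 12, 1200, 12, 2400),
    ("tcp", "c3", "s3", 14, 1400, 14, 2800),
    ("tcp", "c4", "s4", 16, 1600, 16, 3200),
    ("tcp", "c5", "s5", 18, 1800, 18, 3600),
    ("tcp", "c6", "s6", 20, 2000, 20, 4000),
    # one source, x1, probing every server (constructed scanning pattern)
    *[("tcp", "x1", f"s{i}", 100, 6000, 20, 800) for i in range(1, 7)],
    # six ordinary UDP query/response pairs
    ("udp", "c1", "d1", 20, 1000, 20, 3000),
    ("udp", "c2", "d2", 22, 1100, 22, 3300),
    ("udp", "c3", "d3", 24, 1200, 24, 3600),
    ("udp", "c4", "d4", 26, 1300, 26, 3900),
    ("udp", "c5", "d5", 28, 1400, 28, 4200),
    ("udp", "c6", "d6", 30, 1500, 30, 4500),
    # four sources flooding s7 over UDP with no responses (constructed DDoS pattern)
    *[("udp", f"b{i}", "s7", 500, 30000, 0, 0) for i in range(1, 5)],
]


def classify_by_protocol(flows):
    """Step 1: divide the backbone data into one list per network protocol."""
    by_proto = defaultdict(list)
    for f in flows:
        by_proto[f[0]].append(f)
    return dict(by_proto)


def session_data(flows, group_by):
    """Step 2: accumulate the four counters per destination ("dst": first
    session data, all sources that access one destination) or per source
    ("src": second session data, all destinations one source accesses)."""
    idx = 2 if group_by == "dst" else 1
    acc = defaultdict(lambda: [0, 0, 0, 0])
    for f in flows:
        counters = acc[f[idx]]
        for k in range(4):
            counters[k] += f[3 + k]
    return {addr: tuple(v) for addr, v in acc.items()}


# Assumed weights (the patent leaves them open): a packet weighs 100 and a
# byte weighs 1, in both the request and the response direction.
WEIGHTS = (100, 1, 100, 1)


def detection_data_set(session, weights=WEIGHTS):
    """Step 3: weighted sum of the accumulated counters, one value per address."""
    return {addr: sum(w * v for w, v in zip(weights, ctr))
            for addr, ctr in session.items()}


def boxplot_bounds(values, k=1.5):
    """Q1, Q2 and Q3 split the data into four equal parts; the lower and upper
    limits are the usual box-plot fences Q1 - k*IQR and Q3 + k*IQR."""
    q1, _q2, q3 = quantiles(values, n=4)
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def abnormal_paths(dataset, k=1.5):
    """Step 4: addresses whose detection value lies outside [lower, upper]."""
    if len(dataset) < 2:  # quantiles() needs at least two data points
        return []
    lo, hi = boxplot_bounds(list(dataset.values()), k)
    return sorted(addr for addr, v in dataset.items() if v < lo or v > hi)


def analyse(flows=FLOWS):
    """Run both scenes on every protocol's data. Returns
    {protocol: {"ddos": [abnormal destinations], "scan": [abnormal sources]}}."""
    report = {}
    for proto, pflows in classify_by_protocol(flows).items():
        report[proto] = {
            "ddos": abnormal_paths(detection_data_set(session_data(pflows, "dst"))),
            "scan": abnormal_paths(detection_data_set(session_data(pflows, "src"))),
        }
    return report


if __name__ == "__main__":
    for proto, scenes in analyse().items():
        print(proto, scenes)
```

On the constructed records the TCP scanning scene flags x1 and the UDP DDoS scene flags s7, while the UDP scanning scene flags nothing: the four flooding sources carry identical, very large values, so together they lift Q3 and mask one another. The box-plot rule assumes outliers are few relative to the data set, so a deployment should expect this masking effect when many sources take part in one attack and should rely on the per-destination scene (or on repeated, per-scene tuned weights) for that case.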
It should be noted that the processing device portion of the abnormal traffic analysis method in the embodiment of the present disclosure corresponds to the method portion of the abnormal traffic analysis method in the embodiment of the present disclosure, and the specific implementation details thereof are also the same, and are not described herein again.
Fig. 5 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 5, an electronic device 500 according to an embodiment of the present disclosure includes a processor 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. Processor 501 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the electronic apparatus 500 are stored. The processor 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 502 and/or the RAM 503. Note that the program may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in one or more memories.
According to an embodiment of the present disclosure, electronic device 500 may also include an input/output (I/O) interface 505, input/output (I/O) interface 505 also being connected to bus 504. The electronic device 500 may also include one or more of the following components connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out therefrom is installed into the storage section 508 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program, when executed by the processor 501, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include ROM 502 and/or RAM 503 and/or one or more memories other than ROM 502 and RAM 503 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.

Claims (10)

1. A network abnormal traffic analysis method comprises the following steps:
dividing data of a target backbone network into at least one type of protocol data according to a network protocol; the protocol data comprises at least one source address, at least one destination address, request packet number, request flow, response packet number and response flow generated by interaction between the source address and the destination address;
respectively carrying out session preprocessing on the at least one type of protocol data to obtain session data contained in an access path corresponding to the source address or the destination address;
calculating a detection data set corresponding to each source address or destination address according to the session data;
and determining an access path with abnormal flow according to the detection data set.
2. The abnormal traffic analyzing method according to claim 1, wherein the network protocols include a transmission control protocol, a user datagram protocol, and an internet control message protocol, and the dividing data of the target backbone network into protocol data according to the network protocols includes:
reading data from a target backbone network;
and judging a protocol corresponding to the read data, and dividing the read data into transmission control protocol data, user datagram protocol data and internet control message protocol data according to the judgment result.
3. The abnormal traffic analyzing method according to claim 1, wherein the data of the target backbone network is divided into protocol data in a multithreaded manner.
4. The abnormal traffic analysis method according to claim 1, wherein performing session preprocessing on the at least one type of protocol data respectively to obtain session data included in an access path corresponding to the source address or the destination address comprises:
for each destination address, determining a source address for accessing the destination address;
and correspondingly accumulating the request packet number, the request flow, the response packet number and the response flow generated by accessing the destination address by all the source addresses respectively to obtain first session data.
5. The abnormal traffic analysis method according to claim 1, wherein performing session preprocessing on the at least one type of protocol data respectively to obtain session data included in an access path corresponding to the source address or the destination address comprises:
for each source address, determining a destination address accessed by the source address;
and correspondingly accumulating the request packet number, the request flow, the response packet number and the response flow generated by all destination addresses accessed by the source address respectively to obtain second session data.
6. The abnormal traffic analyzing method according to claim 4 or 5, wherein the calculating a detection data set corresponding to each source address or destination address according to the session data comprises:
for each source address or destination address, respectively distributing corresponding weights for the accumulated request packet number, request flow, response packet number and response flow;
carrying out weighted summation on the accumulated request packet number, request flow, response packet number and response flow to obtain detection data;
and collecting the detection data corresponding to all the source addresses or collecting the detection data corresponding to all the destination addresses to obtain the detection data set.
7. The abnormal traffic analyzing method according to claim 6, wherein the determining an access path with abnormal traffic from the detection data set comprises:
judging whether each detection data in the detection data set is within a preset range;
if not, the access path flow corresponding to the detection data is abnormal.
8. A processing apparatus of an abnormal traffic analysis method, the apparatus comprising:
the data classification module is used for classifying the data of the target backbone network into at least one type of protocol data according to a network protocol; the protocol data comprises at least one source address, at least one destination address, request packet number, request flow, response packet number and response flow generated by interaction between the source address and the destination address;
the session preprocessing module is used for respectively carrying out session preprocessing on the at least one type of protocol data to obtain session data contained in an access path corresponding to the source address or the destination address;
the data set generating module is used for calculating a detection data set corresponding to each source address or destination address according to the session data;
and the determining module is used for determining an access path with abnormal flow according to the detection data set.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-5 or 7.
10. A computer-readable storage medium storing computer-executable instructions for implementing the method of any one of claims 1 to 5 or 7 when executed.
CN202111647136.8A 2021-12-29 2021-12-29 Network abnormal flow analysis method, device, equipment and medium Active CN114301694B (en)
Publications (2)

Publication Number Publication Date
CN114301694A true CN114301694A (en) 2022-04-08
CN114301694B CN114301694B (en) 2024-03-15
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant