CN117061249B - Intrusion monitoring method and system based on network traffic - Google Patents
Intrusion monitoring method and system based on network traffic Download PDFInfo
- Publication number
- CN117061249B CN117061249B CN202311316100.0A CN202311316100A CN117061249B CN 117061249 B CN117061249 B CN 117061249B CN 202311316100 A CN202311316100 A CN 202311316100A CN 117061249 B CN117061249 B CN 117061249B
- Authority
- CN
- China
- Prior art keywords
- unit
- decision tree
- data
- monitoring
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000012544 monitoring process Methods 0.000 title claims abstract description 147
- 238000000034 method Methods 0.000 title claims abstract description 22
- 238000003066 decision tree Methods 0.000 claims abstract description 123
- 238000012549 training Methods 0.000 claims abstract description 59
- 238000012545 processing Methods 0.000 claims abstract description 31
- 238000004891 communication Methods 0.000 claims abstract description 21
- 238000012800 visualization Methods 0.000 claims abstract description 18
- 238000013480 data collection Methods 0.000 claims abstract description 11
- 238000004458 analytical method Methods 0.000 claims description 83
- 238000001514 detection method Methods 0.000 claims description 16
- 241001501944 Suricata Species 0.000 claims description 14
- 230000002068 genetic effect Effects 0.000 claims description 9
- 238000012216 screening Methods 0.000 claims description 9
- 238000012795 verification Methods 0.000 claims description 6
- 230000010354 integration Effects 0.000 claims description 4
- 230000035772 mutation Effects 0.000 claims description 4
- 238000006243 chemical reaction Methods 0.000 claims description 3
- 238000001914 filtration Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 claims description 3
- 230000006399 behavior Effects 0.000 description 7
- 230000006870 function Effects 0.000 description 6
- 238000007405 data analysis Methods 0.000 description 5
- 238000007726 management method Methods 0.000 description 5
- 230000002159 abnormal effect Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000010801 machine learning Methods 0.000 description 3
- 206010000117 Abnormal behaviour Diseases 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 230000010485 coping Effects 0.000 description 2
- 238000013500 data storage Methods 0.000 description 2
- 238000013079 data visualisation Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000007689 inspection Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 102100026278 Cysteine sulfinic acid decarboxylase Human genes 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013144 data compression Methods 0.000 description 1
- 238000013499 data model Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000002688 persistence Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 108010064775 protein C activator peptide Proteins 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000000638 solvent extraction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an intrusion monitoring method and system based on network traffic, wherein the system comprises a data acquisition unit, a network monitoring unit, a Logstar unit, a storage unit, a visualization unit, a data forwarding unit, a data collection unit and a decision tree training unit; the data acquisition unit is in communication connection with the network monitoring unit, the network monitoring unit is in communication connection with the Logstar unit sequentially through the data acquisition unit and the data forwarding unit, the Logstar unit is in communication connection with the visualization unit, and the data acquisition unit, the network monitoring unit, the Logstar unit, the visualization unit and the decision tree training unit are respectively in communication connection with the storage unit. The invention is based on a powerful technical system of flow collection, processing and malicious attack behavior identification, can better meet the requirement of network monitoring, and has certain flexibility and expansibility.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an intrusion monitoring method and system based on network traffic.
Background
With the rapid development of the internet, a large amount of network traffic flows into the network, which brings a plurality of challenges to network security. Monitoring and analyzing network traffic becomes critical in order to protect network security.
There are some technical solutions for monitoring and analyzing network traffic, but they have some limitations and disadvantages. The following are several common technical schemes:
1. Traditional network monitoring system: the traditional network monitoring system is mainly designed aiming at an IPv4 network, and cannot completely meet the requirements of an IPv6 network. These systems typically collect network traffic data based on SNMP (Simple Network Management Protocol) and NetFlow protocols and use a rules engine to detect and alert. However, in the IPv6 network, SNMP has limited functions, and NetFlow protocol needs to be upgraded to the IPv6 version to support collection and analysis of IPv6 traffic.
2. Suricata and ELK stacks: suricata is an open source intrusion detection and firewall system supporting IPv6 networks. ELK stacks (ELASTICSEARCH, LOGSTASH and Kibana) are a popular open source log analysis platform. By combining Suricata with the ELK stack, the flow collection, analysis and visual display of the IPv6 network can be realized. However, this approach is not yet adequate for high throughput, massive data analysis.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to provide the intrusion monitoring method and the intrusion monitoring system based on the network traffic, and the strong technical system based on traffic collection, processing and malicious attack behavior identification can better meet the requirement of network monitoring and has certain flexibility and expansibility.
In order to solve the technical problems, the invention provides the following technical scheme:
the intrusion monitoring method based on the network traffic comprises the following steps:
s1) a data acquisition unit acquires network flow passing through a network data forwarding device and sends the acquired network flow to a network monitoring unit for monitoring analysis;
S2) a first monitoring analysis module with a Suricata engine and a second monitoring analysis module with a decision tree model are arranged in the network monitoring unit to respectively analyze the network flow acquired by the data acquisition unit in the step S1) and send the analysis result to the Logstar unit for processing;
and S3) the Logstar unit integrates the data of the analysis result obtained in the step S2) and the network flow acquired in the step S1) and uniformly processes the data to obtain processed data, and the processed data is displayed in the visualization unit.
In the above method, in step S3), the log mesh unit sends the processed data to the decision tree training unit to train the decision tree model, and the decision tree training unit sends the decision tree model obtained after training to the second monitoring analysis module to iteratively update the decision tree model built in the second monitoring analysis module.
According to the method, the version of the basic model of the decision tree used by the decision tree training unit when training the decision tree model each time is not lower than the version of the decision tree model built in the second monitoring analysis module when the decision tree training unit trains the decision tree model each time.
Before training the decision tree model, the decision tree training unit divides the processed data into training set data and verification set data according to the information gain of the data, and then trains the decision tree model by using the training set data and the verification set data.
According to the method, the decision tree training unit performs selection, crossing and mutation processing on the trained decision tree model by utilizing a genetic algorithm, and sends the processed decision tree model to the second monitoring analysis module to perform iterative updating on the decision tree built in the second monitoring analysis module.
According to the method, the network monitoring unit is in communication connection with the Logstar unit through the data collecting unit and the data forwarding unit.
A system for performing intrusion monitoring by using the intrusion monitoring method based on network traffic comprises:
the data acquisition unit is used for acquiring network traffic passing through the network data forwarding equipment;
The network monitoring unit is used for monitoring and analyzing the network traffic; the network monitoring unit comprises a first monitoring analysis module internally provided with a Suricata engine and a second monitoring analysis module internally provided with a decision tree model, and the first monitoring analysis module and the second monitoring analysis module respectively monitor and analyze the network flow acquired by the data unit;
the Logstar unit is used for integrating data and uniformly processing the data of the network flow acquired by the data acquisition unit and the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit; the unified data processing comprises data filtering and conversion;
The storage unit is used for storing the network flow acquired by the data acquisition unit, the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit and the processed data obtained by integrating and uniformly processing the data of the network flow acquired by the data acquisition unit and the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit by the logstar unit;
The visualization unit is used for displaying the processed data of the data integration and the data unified processing of the network flow acquired by the log mesh unit and the analysis result obtained by the monitoring and analysis of the network flow by the network monitoring unit;
The data acquisition unit is in communication connection with the network monitoring unit, the network monitoring unit is in communication connection with the Logstash unit, the Logstash unit is in communication connection with the visualization unit, and the data acquisition unit, the network monitoring unit, the Logstash unit and the visualization unit are respectively in communication connection with the storage unit.
The system further comprises a data forwarding unit and a data collecting unit for collecting analysis results of the network detection unit, and the network monitoring unit is connected with the Logstar unit in a communication mode through the data collecting unit and the data forwarding unit in sequence.
The system further comprises a decision tree training unit for training the decision tree model, wherein the decision tree training unit trains the decision tree model by utilizing the processed data obtained after the processing of the logmesh unit, and sends the decision tree model obtained after training to the second monitoring analysis module for iteratively updating the decision tree model built in the second monitoring analysis module.
In the system, the decision tree training unit is internally provided with the decision tree screening module, the decision tree screening module utilizes a genetic algorithm to select, cross and mutate the trained decision tree model, and then the decision tree training unit sends the decision tree model obtained after the processing to the second monitoring analysis module to iteratively update the decision tree arranged in the second monitoring analysis module.
The technical scheme of the invention has the following beneficial technical effects:
1. The invention adopts novel network intrusion detection technology and algorithm, thus providing more accurate and comprehensive network intrusion detection capability. This means that it can better identify known attacks, cope with unknown attacks, zero-day vulnerabilities, etc., thus improving the security of the network.
2. The invention improves big data analysis technology to adapt to complex characteristics of network. This enables the system to analyze massive amounts of network data more quickly and accurately, identifying potential network threats and abnormal behavior. This agile big data analysis capability enables the system to respond and address various threats more timely.
3. By deeply analyzing and interpreting the diverse features of network traffic, the system can more accurately identify abnormal behavior and potential offensive behavior. This behavior analysis capability based on flow characteristics improves the accuracy and reliability of the system.
4. The present invention provides high performance and flexible configuration management. By optimizing the algorithm and adopting the technical means of parallel computing, distributed processing and the like, the performance and response speed of the system are improved. In addition, the system also provides a flexible configuration management interface, so that an administrator can customize monitoring strategies and rules according to the needs. This high performance and flexible configuration management allows the system to be more adaptable to a variety of complex network environments and requirements.
Drawings
FIG. 1 is a schematic diagram of the operation of an intrusion monitoring system based on network traffic in the present invention;
fig. 2 is a flow chart of intrusion monitoring based on network traffic in the present invention.
Detailed Description
The invention is further described below with reference to examples.
As shown in fig. 1, the system for intrusion monitoring based on network traffic comprises a data acquisition unit, a network monitoring unit, a logstar unit, a storage unit, a visualization unit, a data forwarding unit, a data collection unit and a decision tree training unit, wherein the network monitoring unit comprises a first monitoring analysis module with a Suricata engine and a second monitoring analysis module with a decision tree model, and the first monitoring analysis module and the second monitoring analysis module respectively monitor and analyze the network traffic acquired by the data unit; the data acquisition unit is in communication connection with the network monitoring unit, the network monitoring unit is in communication connection with the Logstar unit sequentially through the data acquisition unit and the data forwarding unit, the Logstar unit is in communication connection with the visualization unit, and the data acquisition unit, the network monitoring unit, the Logstar unit, the visualization unit and the decision tree training unit are respectively in communication connection with the storage unit.
In this embodiment, the data acquisition unit is configured to acquire network traffic passing through the network data forwarding device, and monitor, by using a sensor (data packet capturing device), a network communication data packet passing through a SPAN port on a network switch or a router or mirrored to the sensor using a network TAP device, where a format of the network communication data packet is PCAP; the network monitoring unit is used for monitoring and analyzing the network traffic; the Logstar unit is used for carrying out data integration and data unified processing on the network flow acquired by the data acquisition unit and the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit, and provides a reliable basis for subsequent data analysis, inquiry and visualization, wherein the data unified processing comprises data filtering and conversion; the storage unit is used for storing the network flow acquired by the data acquisition unit, the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit and the processed data obtained by integrating and uniformly processing the data of the network flow acquired by the data acquisition unit and the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit by the logstar unit; the visualization unit is used for displaying the processed data of the data integration and the data unified processing of the network flow acquired by the log mesh unit and the analysis result obtained by the monitoring and analysis of the network flow by the network monitoring unit; the decision tree training unit is internally provided with a decision tree screening module, the decision tree training unit trains the decision tree model by using processed data obtained after the processing of the Logmesh unit, then the decision tree screening module selects, crosses and mutates the trained decision tree model by using a genetic algorithm, and then the decision tree training unit sends the processed decision tree model to the second monitoring analysis module to update the built-in decision tree of the second monitoring analysis module in an iterative manner. The genetic algorithm can select the decision tree model obtained by training and obtain an excellent decision tree model for reproduction, namely: the method comprises the steps of screening and dividing high-quality groups according to a self-defined objective function, generating next-generation groups by adopting random cross or random variation operation, updating in time to form a new decision tree model, and detecting potential intrusion behaviors by utilizing the decision tree model through repeated updating iteration to achieve a better effect.
The Suricata engine is a network intrusion detection and prevention system that can discover and block potential attacks by analyzing network traffic.
The decision tree model is used to solve classification and regression problems, implement security detection and classification of network traffic, and generate labels representing classification or attribution of one sample or data point, which can help the user understand how the model should map data to a particular class or result.
Both the Suricata engine and the decision tree model can be used to detect potential intrusion behavior. When abnormal network traffic is detected, the second monitoring and analyzing module judges whether the abnormal network traffic is a malicious attack or not according to the characteristics by utilizing the decision tree model, and gives an alarm to related personnel. In the network monitoring unit, the first monitoring analysis module utilizes Suricata engine to perform standard inspection on network traffic and obtain standard inspection data, the second monitoring analysis module utilizes decision tree model to classify network traffic, so as to perform data complementation on the detection performed by the first monitoring analysis module and perform leak detection and repair on the detection performed by the first monitoring analysis module as much as possible, and in iterative updating, the capability of capturing the data which the Suricata engine cannot capture is obtained by utilizing mutation logic of genetic algorithm.
The data collection unit is Filebeat, filebeat is a lightweight log transmission tool, and the main function of the data collection unit is to collect, parse and send log file data in real time.
The data forwarding unit is selected from kafka, which is used as a distributed stream processing platform, and receives and delivers messages in a high-throughput and sustainable manner. Kafka is able to efficiently accept and deliver a large number of messages, guaranteeing data persistence and reliability. Its distributed architecture and partitioning mechanism enables Kafka to function in a large-scale data stream processing scenario and meet the requirements of high throughput and low latency.
The storage unit is ClickHouse, which is used as a high-performance and columnar storage distributed database management system, and ClickHouse is mainly used for large-scale data analysis and query. All data collected in the present invention is finally stored ClickHouse. ClickHouse has high-performance data storage and query capability in the machine learning field, supports real-time data processing and analysis, has large-scale data processing and horizontal expansibility, and simultaneously provides flexible data model and SQL support, and high-efficiency data compression and storage efficiency. The method can improve the efficiency of data processing and training in the machine learning task and support large-scale and real-time machine learning application.
The visualization unit is Grafana, and is used as an open source data visualization and monitoring tool, and Grafana provides rich instrument panels, charts and alarm functions for displaying and monitoring various index data. Grafana provides a convenient data query, analysis and collaboration mode for users, so that the data visualization and monitoring work is more efficient and flexible.
As shown in fig. 2, the intrusion monitoring system based on network traffic is used to monitor intrusion behavior in a network, and specifically comprises the following operations:
s1) a data acquisition unit acquires network flow passing through a network data forwarding device and sends the acquired network flow to a network monitoring unit for monitoring analysis; the network data forwarding equipment comprises a switch and a router;
S2) a first monitoring analysis module with a Suricata engine and a second monitoring analysis module with a decision tree model are arranged in the network monitoring unit to respectively analyze the network flow acquired by the data acquisition unit in the step S1) and send the analysis result to the Logstar unit for processing;
and S3) the Logstar unit integrates the data of the analysis result obtained in the step S2) and the network flow acquired in the step S1) and uniformly processes the data to obtain processed data, and the processed data is displayed in the visualization unit.
In the invention, in step S3), the log-mesh unit sends the processed data to the decision tree training unit to train the decision tree model, the decision tree training unit sends the decision tree model obtained after training to the second monitoring analysis module to iteratively update the decision tree model built in the second monitoring analysis module, and the version of the decision tree basic model used by the decision tree training unit each time when training the decision tree model is not lower than the version of the decision tree model built in the second monitoring analysis module each time when training the decision tree model by the decision tree training unit. Along with training the decision tree model and iteratively updating the decision tree model in the second monitoring analysis module, more accurate and comprehensive network intrusion detection capability can be provided for users, including the recognition of known attacks, the coping of unknown attacks, zero-day vulnerabilities and the like, and meanwhile, the detection accuracy and coverage of the system can be improved.
Before training the decision tree model, the decision tree training unit divides the processed data into training group data and verification group data according to the information gain of the data, then the training group data and the verification group data are used for training the decision tree model, the decision tree screening module uses a genetic algorithm to select, cross and mutate the trained decision tree model, and the decision tree training unit sends the decision tree model obtained after the processing to the second monitoring analysis module for iterative updating of the decision tree built in the second monitoring analysis module. When the processed data are grouped, the information entropy, the conditional entropy and the information gain of the data are calculated according to the following formula:
wherein H (D) represents the information entropy of the data, The conditional entropy of the data is represented, and g (D, a) represents the information gain of the data.
When the network with more devices is subjected to intrusion monitoring, a plurality of data acquisition units, a corresponding number of network monitoring units and a corresponding number of data collection units are required to be arranged, each router or switch is provided with a network intrusion monitoring component consisting of one data acquisition unit, one network monitoring unit and one data collection unit, the network intrusion monitoring component is used for intrusion monitoring of network traffic passing through the router or switch, at the moment, filebeat is used as the data collection unit and is used as a lightweight log transmission tool, filebeat can be used for quickly and safely collecting data without occupying too much resources, and finally, the data are uniformly transmitted to kafka for uniform data collection. In this case, a decision tree model is set in the second monitoring analysis unit of each network monitoring unit, the decision tree models in different second monitoring analysis units may be different, at this time, decision tree basic models with the same number as the network monitoring units exist in the decision tree training unit, after the decision tree training unit finishes training the decision tree basic models, the decision tree screening module screens the trained decision tree basic models according to the self-defined objective function to screen out the trained decision tree models with excellent individuals, then the decision tree training unit uses the genetic algorithm to randomly cross or randomly mutate the optimized trained decision tree models to generate a next generation group, and updates in time to form new decision tree models, and the second monitoring analysis detects potential intrusion behaviors through repeated updating iteration to achieve better effects.
In the invention, the network traffic is subjected to combined intrusion monitoring through the Suricata engine and the decision tree model, so that the intrusion detection capability in abnormal traffic is effectively improved, thereby providing more accurate and comprehensive network intrusion detection capability, including the steps of identifying known attacks, coping with unknown attacks, zero-day vulnerabilities and the like, and simultaneously improving the detection accuracy and coverage of the system.
It is apparent that the above examples are given by way of illustration only and are not limiting of the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art. It is not necessary here nor is it exhaustive of all embodiments. While the obvious variations or modifications which are extended therefrom remain within the scope of the claims of this patent application.
Claims (9)
1. The intrusion monitoring method based on the network traffic is characterized by comprising the following steps:
s1) a data acquisition unit acquires network flow passing through a network data forwarding device and sends the acquired network flow to a network monitoring unit for monitoring analysis;
S2) a first monitoring analysis module with a Suricata engine and a second monitoring analysis module with a decision tree model are arranged in the network monitoring unit to respectively analyze the network flow acquired by the data acquisition unit in the step S1) and send the analysis result to the Logstar unit for processing;
S3) the Logstar unit integrates data and uniformly processes the analysis result obtained in the step S2) and the network flow acquired in the step S1) to obtain processed data, and displays the processed data in the visualization unit; the Logstar unit sends the processed data to the decision tree training unit to train the decision tree model, and the decision tree training unit sends the decision tree model obtained after training to the second monitoring analysis module to iteratively update the decision tree model built in the second monitoring analysis module.
2. The method of claim 1, wherein the version of the base model of the decision tree used by the decision tree training unit each time the decision tree model is trained is not lower than the version of the decision tree model built into the second monitoring analysis module each time the decision tree training unit trains the decision tree model.
3. The method of claim 1, wherein the decision tree training unit divides the processed data into training set data and verification set data according to the information gain of the data before training the decision tree model, and then trains the decision tree model with the training set data and the verification set data.
4. The method of claim 1, wherein the decision tree training unit performs selection, crossover and mutation processing on the trained decision tree model by using a genetic algorithm, and sends the processed decision tree model to the second monitoring analysis module to perform iterative updating on a decision tree built in the second monitoring analysis module.
5. The method according to claim 1, characterized in that the network monitoring unit is communicatively connected to the logstar unit via a data collection unit and a data forwarding unit.
6. A system for intrusion monitoring using the network traffic based intrusion monitoring method of claim 1, comprising:
the data acquisition unit is used for acquiring network traffic passing through the network data forwarding equipment;
The network monitoring unit is used for monitoring and analyzing the network traffic; the network monitoring unit comprises a first monitoring analysis module internally provided with a Suricata engine and a second monitoring analysis module internally provided with a decision tree model, and the first monitoring analysis module and the second monitoring analysis module respectively monitor and analyze the network flow acquired by the data unit;
the Logstar unit is used for integrating data and uniformly processing the data of the network flow acquired by the data acquisition unit and the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit; the unified data processing comprises data filtering and conversion;
The storage unit is used for storing the network flow acquired by the data acquisition unit, the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit and the processed data obtained by integrating and uniformly processing the data of the network flow acquired by the data acquisition unit and the analysis result obtained by monitoring and analyzing the network flow by the network monitoring unit by the logstar unit;
The visualization unit is used for displaying the processed data of the data integration and the data unified processing of the network flow acquired by the log mesh unit and the analysis result obtained by the monitoring and analysis of the network flow by the network monitoring unit;
The data acquisition unit is in communication connection with the network monitoring unit, the network monitoring unit is in communication connection with the Logstash unit, the Logstash unit is in communication connection with the visualization unit, and the data acquisition unit, the network monitoring unit, the Logstash unit and the visualization unit are respectively in communication connection with the storage unit.
7. The system of claim 6, further comprising a data forwarding unit and a data collection unit for collecting analysis results of the network detection unit, wherein the network detection unit is in communication connection with the logstack unit sequentially through the data collection unit and the data forwarding unit.
8. The system of claim 6, further comprising a decision tree training unit for training the decision tree model, wherein the decision tree training unit trains the decision tree model using processed data obtained after processing by the logstar unit, and sends the trained decision tree model to the second monitoring analysis module for iterative updating of the decision tree model built in the second monitoring analysis module.
9. The system of claim 8, wherein the decision tree training unit is provided with a decision tree screening module, the decision tree screening module performs selection, crossover and mutation processing on the trained decision tree model by using a genetic algorithm, and then the decision tree training unit sends the processed decision tree model to the second monitoring analysis module to perform iterative updating on the decision tree built in the second monitoring analysis module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311316100.0A CN117061249B (en) | 2023-10-12 | 2023-10-12 | Intrusion monitoring method and system based on network traffic |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311316100.0A CN117061249B (en) | 2023-10-12 | 2023-10-12 | Intrusion monitoring method and system based on network traffic |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117061249A CN117061249A (en) | 2023-11-14 |
| CN117061249B true CN117061249B (en) | 2024-04-26 |
Family
ID=88657596
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311316100.0A Active CN117061249B (en) | 2023-10-12 | 2023-10-12 | Intrusion monitoring method and system based on network traffic |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117061249B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104348741A (en) * | 2013-08-06 | 2015-02-11 | 南京理工大学常熟研究院有限公司 | Method and system for detecting P2P (peer-to-peer) traffic based on multi-dimensional analysis and decision tree |
| CN106603538A (en) * | 2016-12-20 | 2017-04-26 | 北京安信天行科技有限公司 | Invasion detection method and system |
| CN110753064A (en) * | 2019-10-28 | 2020-02-04 | 中国科学技术大学 | Machine learning and rule matching fused security detection system |
| CN112350882A (en) * | 2020-09-28 | 2021-02-09 | 广东电力信息科技有限公司 | Distributed network traffic analysis system and method |
| CN112528277A (en) * | 2020-12-07 | 2021-03-19 | 昆明理工大学 | Hybrid intrusion detection method based on recurrent neural network |
| CN113542253A (en) * | 2021-07-12 | 2021-10-22 | 杭州安恒信息技术股份有限公司 | Network flow detection method, device, equipment and medium |
| US11310142B1 (en) * | 2021-04-23 | 2022-04-19 | Trend Micro Incorporated | Systems and methods for detecting network attacks |
| CN114710416A (en) * | 2022-02-23 | 2022-07-05 | 沈阳化工大学 | Real-time data acquisition method based on process flow and network flow |
-
2023
- 2023-10-12 CN CN202311316100.0A patent/CN117061249B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104348741A (en) * | 2013-08-06 | 2015-02-11 | 南京理工大学常熟研究院有限公司 | Method and system for detecting P2P (peer-to-peer) traffic based on multi-dimensional analysis and decision tree |
| CN106603538A (en) * | 2016-12-20 | 2017-04-26 | 北京安信天行科技有限公司 | Invasion detection method and system |
| CN110753064A (en) * | 2019-10-28 | 2020-02-04 | 中国科学技术大学 | Machine learning and rule matching fused security detection system |
| CN112350882A (en) * | 2020-09-28 | 2021-02-09 | 广东电力信息科技有限公司 | Distributed network traffic analysis system and method |
| CN112528277A (en) * | 2020-12-07 | 2021-03-19 | 昆明理工大学 | Hybrid intrusion detection method based on recurrent neural network |
| US11310142B1 (en) * | 2021-04-23 | 2022-04-19 | Trend Micro Incorporated | Systems and methods for detecting network attacks |
| CN113542253A (en) * | 2021-07-12 | 2021-10-22 | 杭州安恒信息技术股份有限公司 | Network flow detection method, device, equipment and medium |
| CN114710416A (en) * | 2022-02-23 | 2022-07-05 | 沈阳化工大学 | Real-time data acquisition method based on process flow and network flow |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117061249A (en) | 2023-11-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111277578B (en) | Encrypted flow analysis feature extraction method, system, storage medium and security device | |
| CN110011999B (en) | IPv6 network DDoS attack detection system and method based on deep learning | |
| Al-Hadhrami et al. | Real time dataset generation framework for intrusion detection systems in IoT | |
| CN107404400B (en) | Network situation awareness implementation method and device | |
| CN104506484B (en) | A kind of proprietary protocol analysis and recognition methods | |
| CN107360145B (en) | Multi-node honeypot system and data analysis method thereof | |
| CN112383538B (en) | Hybrid high-interaction industrial honeypot system and method | |
| CN107196930B (en) | The method of computer network abnormality detection | |
| CN113259313A (en) | Malicious HTTPS flow intelligent analysis method based on online training algorithm | |
| CN109104438B (en) | Botnet early warning method and device in narrow-band Internet of things and readable storage medium | |
| CN113206860B (en) | DRDoS attack detection method based on machine learning and feature selection | |
| CN112367307A (en) | Intrusion detection method and system based on container-grade honey pot group | |
| CN110460611B (en) | Machine learning-based full-flow attack detection technology | |
| CN116232774B (en) | Network path analysis system and method for network security anomaly detection | |
| CN112291213A (en) | Abnormal flow analysis method and device based on intelligent terminal | |
| JP7086230B2 (en) | Protocol-independent anomaly detection | |
| CN115277113A (en) | Power grid network intrusion event detection and identification method based on ensemble learning | |
| CN112953961B (en) | Equipment type identification method in power distribution room Internet of things | |
| Tan et al. | DDoS detection method based on Gini impurity and random forest in SDN environment | |
| CN113660267A (en) | Botnet detection system and method aiming at IoT environment and storage medium | |
| CN117061249B (en) | Intrusion monitoring method and system based on network traffic | |
| CN113162939A (en) | Detection and defense system for DDoS (distributed denial of service) attack under SDN (software defined network) based on improved k-nearest neighbor algorithm | |
| CN112291226A (en) | Method and device for detecting abnormality of network traffic | |
| Cukier et al. | A statistical analysis of attack data to separate attacks | |
| EP3826242B1 (en) | Cyber attack information analyzing program, cyber attack information analyzing method, and information processing device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |