CN117061249B - Intrusion monitoring method and system based on network traffic - Google Patents


Info

Publication number
CN117061249B
Authority
CN
China
Prior art keywords
unit
decision tree
data
monitoring
network
Prior art date
Legal status
Active
Application number
CN202311316100.0A
Other languages
Chinese (zh)
Other versions
CN117061249A (en)
Inventor
王鹏飞
张�成
Current Assignee
Mingyang Dianshi Technology Shenyang Co ltd
Mingyang Shichuang Beijing Technology Co ltd
Original Assignee
Mingyang Dianshi Technology Shenyang Co ltd
Mingyang Shichuang Beijing Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Mingyang Dianshi Technology Shenyang Co ltd, Mingyang Shichuang Beijing Technology Co ltd
Priority to CN202311316100.0A
Publication of CN117061249A
Application granted
Publication of CN117061249B
Legal status: Active (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an intrusion monitoring method and system based on network traffic. The system comprises a data acquisition unit, a network monitoring unit, a Logstash unit, a storage unit, a visualization unit, a data forwarding unit, a data collection unit and a decision tree training unit. The data acquisition unit is in communication connection with the network monitoring unit; the network monitoring unit is in communication connection with the Logstash unit sequentially through the data collection unit and the data forwarding unit; the Logstash unit is in communication connection with the visualization unit; and the data acquisition unit, the network monitoring unit, the Logstash unit, the visualization unit and the decision tree training unit are each in communication connection with the storage unit. Built on a robust technical pipeline of traffic collection, processing and identification of malicious attack behaviour, the invention better meets the requirements of network monitoring and offers a degree of flexibility and extensibility.

Description

Intrusion monitoring method and system based on network traffic
Technical Field
The invention relates to the technical field of network security, in particular to an intrusion monitoring method and system based on network traffic.
Background
With the rapid development of the internet, a large amount of network traffic flows into the network, which brings a plurality of challenges to network security. Monitoring and analyzing network traffic becomes critical in order to protect network security.
Several technical solutions exist for monitoring and analyzing network traffic, but they have limitations and disadvantages. The following are two common schemes:
1. Traditional network monitoring systems: these are designed mainly for IPv4 networks and cannot fully meet the requirements of IPv6 networks. They typically collect network traffic data via SNMP (Simple Network Management Protocol) and the NetFlow protocol and use a rules engine for detection and alerting. In an IPv6 network, however, SNMP offers limited functionality, and NetFlow must be upgraded to its IPv6 version to support collection and analysis of IPv6 traffic.
2. Suricata with the ELK stack: Suricata is an open source intrusion detection and firewall system that supports IPv6 networks. The ELK stack (Elasticsearch, Logstash and Kibana) is a popular open source log analysis platform. Combining Suricata with the ELK stack enables traffic collection, analysis and visual display for IPv6 networks. However, this approach is not yet adequate for high-throughput analysis of massive data volumes.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to provide an intrusion monitoring method and system based on network traffic whose robust technical pipeline of traffic collection, processing and identification of malicious attack behaviour better meets the requirements of network monitoring and offers a degree of flexibility and extensibility.
In order to solve the technical problems, the invention provides the following technical scheme:
The intrusion monitoring method based on network traffic comprises the following steps:
S1) a data acquisition unit acquires the network traffic passing through a network data forwarding device and sends the acquired network traffic to a network monitoring unit for monitoring analysis;
S2) a first monitoring analysis module with a Suricata engine and a second monitoring analysis module with a decision tree model, both arranged in the network monitoring unit, each analyze the network traffic acquired by the data acquisition unit in step S1) and send their analysis results to the Logstash unit for processing;
S3) the Logstash unit integrates the analysis results obtained in step S2) with the network traffic acquired in step S1), processes the combined data uniformly to obtain processed data, and displays the processed data in the visualization unit.
In the above method, in step S3) the Logstash unit also sends the processed data to the decision tree training unit to train the decision tree model, and the decision tree training unit sends the trained decision tree model to the second monitoring analysis module to iteratively update the decision tree model built into it.
In the method, each time the decision tree training unit trains the decision tree model, the version of the decision tree base model it uses is not lower than the version of the decision tree model currently built into the second monitoring analysis module.
Before training the decision tree model, the decision tree training unit divides the processed data into training set data and verification set data according to the information gain of the data, and then trains the decision tree model with the training set data and the verification set data.
In the method, the decision tree training unit performs selection, crossover and mutation processing on the trained decision tree model using a genetic algorithm, and sends the processed decision tree model to the second monitoring analysis module to iteratively update the decision tree built into it.
In the method, the network monitoring unit is in communication connection with the Logstash unit through the data collection unit and the data forwarding unit.
A system for performing intrusion monitoring with the above intrusion monitoring method based on network traffic comprises:
a data acquisition unit for acquiring the network traffic passing through the network data forwarding device;
a network monitoring unit for monitoring and analyzing the network traffic; the network monitoring unit comprises a first monitoring analysis module with a built-in Suricata engine and a second monitoring analysis module with a built-in decision tree model, and the two modules each monitor and analyze the network traffic acquired by the data acquisition unit;
a Logstash unit for data integration and unified data processing of the network traffic acquired by the data acquisition unit and the analysis results obtained by the network monitoring unit; the unified data processing comprises data filtering and conversion;
a storage unit for storing the network traffic acquired by the data acquisition unit, the analysis results obtained by the network monitoring unit, and the processed data obtained by the Logstash unit from the data integration and unified processing of that traffic and those results;
a visualization unit for displaying the processed data obtained by the Logstash unit from the data integration and unified processing of the acquired network traffic and the analysis results of the network monitoring unit;
the data acquisition unit is in communication connection with the network monitoring unit, the network monitoring unit with the Logstash unit, and the Logstash unit with the visualization unit, and the data acquisition unit, the network monitoring unit, the Logstash unit and the visualization unit are each in communication connection with the storage unit.
The system further comprises a data forwarding unit and a data collection unit for collecting the analysis results of the network monitoring unit, the network monitoring unit being in communication connection with the Logstash unit sequentially through the data collection unit and the data forwarding unit.
The system further comprises a decision tree training unit for training the decision tree model; the decision tree training unit trains the decision tree model with the processed data output by the Logstash unit and sends the trained decision tree model to the second monitoring analysis module to iteratively update the decision tree model built into it.
In the system, the decision tree training unit is provided with a decision tree screening module, which uses a genetic algorithm to perform selection, crossover and mutation on the trained decision tree model; the decision tree training unit then sends the processed decision tree model to the second monitoring analysis module to iteratively update the decision tree arranged in it.
The technical scheme of the invention has the following beneficial technical effects:
1. The invention adopts novel network intrusion detection technology and algorithm, thus providing more accurate and comprehensive network intrusion detection capability. This means that it can better identify known attacks, cope with unknown attacks, zero-day vulnerabilities, etc., thus improving the security of the network.
2. The invention improves big data analysis technology to adapt to the complex characteristics of the network. This enables the system to analyze massive amounts of network data more quickly and accurately, identifying potential network threats and abnormal behavior. This agile big data analysis capability enables the system to respond to and address various threats in a more timely manner.
3. By deeply analyzing and interpreting the diverse features of network traffic, the system can more accurately identify abnormal behavior and potential offensive behavior. This behavior analysis capability based on flow characteristics improves the accuracy and reliability of the system.
4. The present invention provides high performance and flexible configuration management. By optimizing the algorithm and adopting the technical means of parallel computing, distributed processing and the like, the performance and response speed of the system are improved. In addition, the system also provides a flexible configuration management interface, so that an administrator can customize monitoring strategies and rules according to the needs. This high performance and flexible configuration management allows the system to be more adaptable to a variety of complex network environments and requirements.
Drawings
FIG. 1 is a schematic diagram of the operation of an intrusion monitoring system based on network traffic in the present invention;
FIG. 2 is a flow chart of intrusion monitoring based on network traffic in the present invention.
Detailed Description
The invention is further described below with reference to examples.
As shown in FIG. 1, the system for intrusion monitoring based on network traffic comprises a data acquisition unit, a network monitoring unit, a Logstash unit, a storage unit, a visualization unit, a data forwarding unit, a data collection unit and a decision tree training unit. The network monitoring unit comprises a first monitoring analysis module with a Suricata engine and a second monitoring analysis module with a decision tree model, and the two modules each monitor and analyze the network traffic acquired by the data acquisition unit. The data acquisition unit is in communication connection with the network monitoring unit; the network monitoring unit is in communication connection with the Logstash unit sequentially through the data collection unit and the data forwarding unit; the Logstash unit is in communication connection with the visualization unit; and the data acquisition unit, the network monitoring unit, the Logstash unit, the visualization unit and the decision tree training unit are each in communication connection with the storage unit.
In this embodiment, the data acquisition unit acquires the network traffic passing through the network data forwarding device: a sensor (packet capture device) monitors the network communication packets passing through a SPAN port on a network switch or router, or mirrored to the sensor by a network TAP device, and the packets are recorded in PCAP format. The network monitoring unit monitors and analyzes the network traffic. The Logstash unit performs data integration and unified data processing on the network traffic acquired by the data acquisition unit and the analysis results obtained by the network monitoring unit, providing a reliable basis for subsequent data analysis, querying and visualization; the unified data processing comprises data filtering and conversion. The storage unit stores the network traffic acquired by the data acquisition unit, the analysis results obtained by the network monitoring unit, and the processed data obtained by the Logstash unit from the data integration and unified processing of that traffic and those results. The visualization unit displays the processed data obtained by the Logstash unit from the data integration and unified processing of the acquired network traffic and the analysis results of the network monitoring unit. The decision tree training unit is provided with a decision tree screening module: the decision tree training unit trains the decision tree model with the processed data output by the Logstash unit, the decision tree screening module then performs selection, crossover and mutation on the trained decision tree model using a genetic algorithm, and the decision tree training unit sends the processed decision tree model to the second monitoring analysis module to iteratively update the decision tree built into it. The genetic algorithm selects among the trained decision tree models and obtains an excellent decision tree model for reproduction, namely: a high-quality group is screened out according to a self-defined objective function, a next-generation group is generated by random crossover or random mutation operations, the result is promptly promoted to a new decision tree model, and through repeated update iterations the decision tree model detects potential intrusion behaviour with better effect.
The Suricata engine is a network intrusion detection and prevention system that can discover and block potential attacks by analyzing network traffic.
The decision tree model is used to solve classification and regression problems, performing security detection and classification of the network traffic; it produces a label representing the class or attribution of each sample or data point, which helps the user understand how the model maps data to a particular class or result.
Both the Suricata engine and the decision tree model can be used to detect potential intrusion behaviour. When abnormal network traffic is detected, the second monitoring analysis module uses the decision tree model to judge from its characteristics whether the abnormal traffic is a malicious attack, and raises an alarm to the relevant personnel. Within the network monitoring unit, the first monitoring analysis module uses the Suricata engine to perform standard inspection of the network traffic and obtain standard inspection data, while the second monitoring analysis module uses the decision tree model to classify the network traffic, complementing the detection performed by the first module and, as far as possible, catching what the first module misses; over the iterative updates, the mutation logic of the genetic algorithm gives the decision tree model the ability to capture data that the Suricata engine cannot.
The data collection unit is Filebeat, a lightweight log shipping tool whose main function is to collect, parse and send log file data in real time.
The data forwarding unit is Kafka, a distributed stream processing platform that receives and delivers messages with high throughput and durability. Kafka can efficiently accept and deliver a large number of messages while guaranteeing data persistence and reliability; its distributed architecture and partitioning mechanism let it operate in large-scale data stream processing scenarios and meet the requirements of high throughput and low latency.
The storage unit is ClickHouse, a high-performance columnar distributed database management system used mainly for large-scale data analysis and querying. All data collected in the present invention is ultimately stored in ClickHouse. ClickHouse offers high-performance data storage and query capability for machine learning work, supports real-time data processing and analysis, scales horizontally to large data volumes, and provides a flexible data model, SQL support, and efficient data compression and storage. This improves the efficiency of data processing and training in machine learning tasks and supports large-scale, real-time machine learning applications.
The visualization unit is Grafana, an open source data visualization and monitoring tool that provides rich dashboards, charts and alerting functions for displaying and monitoring all kinds of metric data. Grafana gives users a convenient way to query, analyze and collaborate on data, making visualization and monitoring work more efficient and flexible.
As shown in fig. 2, the intrusion monitoring system based on network traffic is used to monitor intrusion behavior in a network, and specifically comprises the following operations:
S1) a data acquisition unit acquires the network traffic passing through a network data forwarding device and sends the acquired network traffic to a network monitoring unit for monitoring analysis; the network data forwarding device comprises a switch and a router;
S2) a first monitoring analysis module with a Suricata engine and a second monitoring analysis module with a decision tree model, both arranged in the network monitoring unit, each analyze the network traffic acquired by the data acquisition unit in step S1) and send their analysis results to the Logstash unit for processing;
S3) the Logstash unit integrates the analysis results obtained in step S2) with the network traffic acquired in step S1), processes the combined data uniformly to obtain processed data, and displays the processed data in the visualization unit.
In the invention, in step S3) the Logstash unit also sends the processed data to the decision tree training unit to train the decision tree model, and the decision tree training unit sends the trained decision tree model to the second monitoring analysis module to iteratively update the decision tree model built into it; each time the decision tree training unit trains the decision tree model, the version of the decision tree base model it uses is not lower than the version of the decision tree model currently built into the second monitoring analysis module. As the decision tree model is trained and the model in the second monitoring analysis module is iteratively updated, users gain more accurate and comprehensive network intrusion detection capability, including recognition of known attacks and handling of unknown attacks, zero-day vulnerabilities and the like, while the detection accuracy and coverage of the system improve.
Before training the decision tree model, the decision tree training unit divides the processed data into training set data and verification set data according to the information gain of the data, then trains the decision tree model with the training set data and the verification set data; the decision tree screening module performs selection, crossover and mutation on the trained decision tree model using a genetic algorithm, and the decision tree training unit sends the processed decision tree model to the second monitoring analysis module to iteratively update the decision tree built into it. When the processed data are grouped, the information entropy, conditional entropy and information gain of the data are calculated according to the following formulas:
where H(D) denotes the information entropy of the data, the conditional entropy of the data is denoted by the second formula, and g(D, a) denotes the information gain of the data.
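The entropy, conditional entropy and information gain named above, carried through on constructed flow records and used as the split criterion when growing a small decision tree. This is an added example, not the patent's code; the feature set, the record values and the ID3-style growth rule are assumptions, since the patent fixes only the three quantities.

```python
"""Information-gain split selection for the decision tree training unit.

Added example, not code from the patent. Flow records and feature values
are constructed; the patent names H(D), the conditional entropy and
g(D, A) but does not fix a feature set, so three discretised features
are assumed here.
"""
from collections import Counter
from math import log2

# Constructed sample of processed flow records (hypothetical values) as the
# Logstash unit might hand them to the training unit; 'label' is the verdict.
RECORDS = [
    {"pkt_rate": "high", "suricata_alert": "yes", "proto": "tcp", "label": "attack"},
    {"pkt_rate": "high", "suricata_alert": "yes", "proto": "udp", "label": "attack"},
    {"pkt_rate": "high", "suricata_alert": "no",  "proto": "tcp", "label": "attack"},
    {"pkt_rate": "low",  "suricata_alert": "no",  "proto": "udp", "label": "attack"},
    {"pkt_rate": "high", "suricata_alert": "no",  "proto": "tcp", "label": "normal"},
    {"pkt_rate": "low",  "suricata_alert": "no",  "proto": "udp", "label": "normal"},
    {"pkt_rate": "low",  "suricata_alert": "no",  "proto": "tcp", "label": "normal"},
    {"pkt_rate": "low",  "suricata_alert": "no",  "proto": "udp", "label": "normal"},
]
FEATURES = ["proto", "pkt_rate", "suricata_alert"]


def entropy(records):
    """H(D): information entropy of the label distribution of data set D."""
    n = len(records)
    counts = Counter(r["label"] for r in records)
    return -sum(c / n * log2(c / n) for c in counts.values())


def conditional_entropy(records, feature):
    """Conditional entropy of D given feature A: the size-weighted entropy
    of the subsets obtained by partitioning D on the values of A."""
    n = len(records)
    groups = {}
    for r in records:
        groups.setdefault(r[feature], []).append(r)
    return sum(len(g) / n * entropy(g) for g in groups.values())


def information_gain(records, feature):
    """g(D, A) = H(D) - H(D | A): how much knowing A reduces label uncertainty."""
    return entropy(records) - conditional_entropy(records, feature)


def best_feature(records, features):
    """Rank candidate features by information gain; the top one becomes the split."""
    best = max(features, key=lambda f: information_gain(records, f))
    return best, information_gain(records, best)


def build_tree(records, features, max_depth=3):
    """ID3-style training: split on the highest-gain feature until the subset
    is pure, no remaining feature has positive gain, or the depth budget ends.
    A leaf is a majority label string; an inner node is a dict."""
    majority = Counter(r["label"] for r in records).most_common(1)[0][0]
    if max_depth == 0 or not features or entropy(records) == 0.0:
        return majority
    feature, gain = best_feature(records, features)
    if gain <= 0.0:
        return majority
    remaining = [f for f in features if f != feature]
    node = {"feature": feature, "branches": {}, "default": majority}
    for value in sorted({r[feature] for r in records}):
        subset = [r for r in records if r[feature] == value]
        node["branches"][value] = build_tree(subset, remaining, max_depth - 1)
    return node


def predict(tree, record):
    """Walk from the root to a leaf; a feature value unseen in training
    falls back to the majority label stored at that node."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(record[tree["feature"]], tree["default"])
    return tree


if __name__ == "__main__":
    for f in FEATURES:
        print(f"g(D, {f}) = {information_gain(RECORDS, f):.4f}")
    print("root split:", build_tree(RECORDS, FEATURES)["feature"])
```

On the constructed records the Suricata alert flag carries the most information (gain about 0.31 bits) and becomes the root split, which mirrors the page's point that the tree complements rather than replaces the Suricata verdict.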
When a network with many devices is subjected to intrusion monitoring, several data acquisition units, a corresponding number of network monitoring units and a corresponding number of data collection units are required. Each router or switch is provided with a network intrusion monitoring component consisting of one data acquisition unit, one network monitoring unit and one data collection unit, which monitors the network traffic passing through that router or switch. Here Filebeat serves as the data collection unit: being a lightweight log shipping tool, it collects data quickly and securely without consuming many resources, and the data are finally forwarded to Kafka for unified collection. In this case, a decision tree model is set in the second monitoring analysis module of each network monitoring unit, and the decision tree models in different second monitoring analysis modules may differ; the decision tree training unit then holds as many decision tree base models as there are network monitoring units. After the decision tree training unit finishes training the decision tree base models, the decision tree screening module screens the trained base models according to the self-defined objective function to select the trained decision tree models that are excellent individuals, the decision tree training unit then uses the genetic algorithm to randomly cross or randomly mutate the selected models to generate a next-generation group, and the result is promptly promoted to new decision tree models; through repeated update iterations the second monitoring analysis module detects potential intrusion behaviour with better effect.
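The screening loop described here and in the embodiment above (selection by an objective function, then random crossover or mutation to form the next generation) as an added Python example, not the patent's own code. The tuple tree encoding, the constructed verification records, the objective function (verification accuracy minus a size penalty) and the random initial population standing in for trees from the training unit are all assumptions.

```python
"""Genetic-algorithm screening of decision trees (added example, not the
patent's code). Trees are binary threshold trees over numeric flow
features stored as tuples; the self-defined objective function is assumed
to be verification-set accuracy minus a size penalty; a random initial
population stands in for the trees the training unit produced."""
import random

# Constructed verification set: ([packets_per_second, bytes_per_packet,
# distinct_dst_ports], label) with label 1 = attack, 0 = normal.
VALIDATION = [
    ([900.0, 60.0, 40], 1), ([850.0, 70.0, 35], 1), ([1200.0, 64.0, 80], 1),
    ([700.0, 55.0, 50], 1), ([20.0, 900.0, 2], 0), ([35.0, 1200.0, 1], 0),
    ([15.0, 450.0, 3], 0), ([50.0, 800.0, 4], 0),
]
RANGES = [(0.0, 1500.0), (0.0, 1500.0), (0.0, 100.0)]  # threshold range per feature


def predict(tree, x):
    """Node forms: ("leaf", label) or ("split", feature, threshold, left, right)."""
    while tree[0] == "split":
        _, feat, thr, left, right = tree
        tree = left if x[feat] <= thr else right
    return tree[1]


def size(tree):
    return 1 if tree[0] == "leaf" else 1 + size(tree[3]) + size(tree[4])


def fitness(tree, data):
    """Objective (assumed): accuracy on the verification set minus 0.01 per
    node, so an equally accurate but smaller tree is preferred."""
    correct = sum(predict(tree, x) == y for x, y in data)
    return correct / len(data) - 0.01 * size(tree)


def random_tree(rng, depth):
    if depth == 0 or rng.random() < 0.3:
        return ("leaf", rng.randint(0, 1))
    feat = rng.randrange(len(RANGES))
    lo, hi = RANGES[feat]
    return ("split", feat, rng.uniform(lo, hi),
            random_tree(rng, depth - 1), random_tree(rng, depth - 1))


def subtrees(tree, path=()):
    """Yield (path, subtree) pairs; a path lists the tuple index (3 or 4) of each child taken."""
    yield path, tree
    if tree[0] == "split":
        yield from subtrees(tree[3], path + (3,))
        yield from subtrees(tree[4], path + (4,))


def replace(tree, path, new):
    if not path:
        return new
    node = list(tree)
    node[path[0]] = replace(node[path[0]], path[1:], new)
    return tuple(node)


def crossover(rng, a, b):
    """Graft a random subtree of b onto a random position in a."""
    path, _ = rng.choice(list(subtrees(a)))
    _, graft = rng.choice(list(subtrees(b)))
    return replace(a, path, graft)


def mutate(rng, tree):
    """Flip a leaf label or nudge a split threshold by up to 10% of its range."""
    path, node = rng.choice(list(subtrees(tree)))
    if node[0] == "leaf":
        return replace(tree, path, ("leaf", 1 - node[1]))
    _, feat, thr, left, right = node
    lo, hi = RANGES[feat]
    thr = min(hi, max(lo, thr + rng.uniform(-0.1, 0.1) * (hi - lo)))
    return replace(tree, path, ("split", feat, thr, left, right))


def evolve(data, generations=30, pop_size=20, seed=7):
    """Selection keeps the top quarter (elitism), crossover and mutation fill
    the rest; returns the best tree and the per-generation best fitness."""
    rng = random.Random(seed)
    pop = [random_tree(rng, 3) for _ in range(pop_size)]
    history = []
    for _ in range(generations):
        ranked = sorted(pop, key=lambda t: fitness(t, data), reverse=True)
        elite = ranked[: pop_size // 4]
        history.append(fitness(elite[0], data))
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            child = crossover(rng, a, b) if rng.random() < 0.7 else a
            if rng.random() < 0.5:
                child = mutate(rng, child)
            children.append(child)
        pop = elite + children
    best = max(pop, key=lambda t: fitness(t, data))
    return best, history


if __name__ == "__main__":
    best, history = evolve(VALIDATION)
    print("best fitness per generation:", [round(h, 3) for h in history])
    print("final tree size:", size(best), "fitness:", round(fitness(best, VALIDATION), 3))
```

Because the elite survive unchanged, the best fitness can never drop between generations; in deployment the verification set would be the held-out part of the Logstash output rather than constructed records.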
In the invention, the network traffic is subjected to combined intrusion monitoring through the Suricata engine and the decision tree model, so that the intrusion detection capability in abnormal traffic is effectively improved, thereby providing more accurate and comprehensive network intrusion detection capability, including the steps of identifying known attacks, coping with unknown attacks, zero-day vulnerabilities and the like, and simultaneously improving the detection accuracy and coverage of the system.
It is apparent that the above examples are given by way of illustration only and do not limit the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art; it is neither necessary nor possible to enumerate all embodiments here, and the obvious variations or modifications derived from them remain within the scope of the claims of this patent application.

Claims (9)

1. The intrusion monitoring method based on the network traffic is characterized by comprising the following steps:
s1) a data acquisition unit acquires network flow passing through a network data forwarding device and sends the acquired network flow to a network monitoring unit for monitoring analysis;
S2) a first monitoring analysis module with a Suricata engine and a second monitoring analysis module with a decision tree model are arranged in the network monitoring unit to respectively analyze the network traffic acquired by the data acquisition unit in step S1) and send the analysis results to the Logstash unit for processing;
S3) the Logstash unit integrates data and uniformly processes the analysis results obtained in step S2) and the network traffic acquired in step S1) to obtain processed data, and displays the processed data in the visualization unit; the Logstash unit sends the processed data to the decision tree training unit to train the decision tree model, and the decision tree training unit sends the trained decision tree model to the second monitoring analysis module to iteratively update the decision tree model built into the second monitoring analysis module.
2. The method of claim 1, wherein the version of the base model of the decision tree used by the decision tree training unit each time the decision tree model is trained is not lower than the version of the decision tree model built into the second monitoring analysis module each time the decision tree training unit trains the decision tree model.
3. The method of claim 1, wherein the decision tree training unit divides the processed data into training set data and verification set data according to the information gain of the data before training the decision tree model, and then trains the decision tree model with the training set data and the verification set data.
4. The method of claim 1, wherein the decision tree training unit performs selection, crossover and mutation processing on the trained decision tree model by using a genetic algorithm, and sends the processed decision tree model to the second monitoring analysis module to perform iterative updating on a decision tree built in the second monitoring analysis module.
5. The method according to claim 1, characterized in that the network monitoring unit is communicatively connected to the Logstash unit via a data collection unit and a data forwarding unit.
6. A system for intrusion monitoring using the network traffic based intrusion monitoring method of claim 1, comprising:
the data acquisition unit is used for acquiring network traffic passing through the network data forwarding equipment;
the network monitoring unit is used for monitoring and analyzing the network traffic; the network monitoring unit comprises a first monitoring analysis module with a built-in Suricata engine and a second monitoring analysis module with a built-in decision tree model, and the first monitoring analysis module and the second monitoring analysis module respectively monitor and analyze the network traffic acquired by the data acquisition unit;
the Logstash unit is used for data integration and unified data processing of the network traffic acquired by the data acquisition unit and the analysis results obtained by the network monitoring unit; the unified data processing comprises data filtering and conversion;
the storage unit is used for storing the network traffic acquired by the data acquisition unit, the analysis results obtained by the network monitoring unit, and the processed data obtained by the Logstash unit from the data integration and unified processing of that traffic and those results;
the visualization unit is used for displaying the processed data obtained by the Logstash unit from the data integration and unified processing of the acquired network traffic and the analysis results of the network monitoring unit;
The data acquisition unit is in communication connection with the network monitoring unit, the network monitoring unit is in communication connection with the Logstash unit, the Logstash unit is in communication connection with the visualization unit, and the data acquisition unit, the network monitoring unit, the Logstash unit and the visualization unit are respectively in communication connection with the storage unit.
7. The system of claim 6, further comprising a data collection unit for collecting the analysis results of the network monitoring unit and a data forwarding unit, wherein the network monitoring unit is communicatively connected to the Logstash unit sequentially through the data collection unit and the data forwarding unit.
8. The system of claim 6, further comprising a decision tree training unit for training the decision tree model, wherein the decision tree training unit trains the decision tree model using the processed data obtained after processing by the Logstash unit, and sends the trained decision tree model to the second monitoring analysis module for iterative updating of the decision tree model built into the second monitoring analysis module.
9. The system of claim 8, wherein the decision tree training unit is provided with a decision tree screening module, the decision tree screening module performs selection, crossover and mutation processing on the trained decision tree model using a genetic algorithm, and the decision tree training unit then sends the processed decision tree model to the second monitoring analysis module for iterative updating of the decision tree model built into the second monitoring analysis module.
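The decision-tree path of claims 4, 8 and 9 (train a tree on the Logstash-processed traffic data, then refine it by genetic selection, crossover and mutation before pushing it to the second monitoring analysis module) as an added example in Python; this is not code from the patent or its applicants. It assumes Suricata EVE JSON `flow` records as the traffic input, uses constructed records with a constructed `label` field, encodes a tree as nested tuples, and picks its own GA parameters (tournament size, mutation rate, depth cap); `extract` stands in for the Logstash filter-and-convert step. On the constructed set a single split on `bytes_toclient <= 54` already separates scans from sessions, which gives a reference point for what the evolved tree should reach.

```python
"""Added example (not code from the patent): a toy decision-tree intrusion
classifier over flow features from Suricata-style EVE JSON records, refined by
a genetic algorithm (selection, crossover, mutation). Records, labels, feature
choice and GA parameters are all constructed for illustration."""
import json
import random
from functools import reduce

# Constructed EVE 'flow' records in the field layout Suricata emits (trimmed);
# 'label' is a constructed ground truth: 1 = intrusion-like, 0 = benign.
EVE_LINES = [
    '{"event_type":"flow","dest_port":80,"flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":1400,"bytes_toclient":9800},"label":0}',
    '{"event_type":"flow","dest_port":443,"flow":{"pkts_toserver":20,"pkts_toclient":18,"bytes_toserver":2300,"bytes_toclient":15000},"label":0}',
    '{"event_type":"flow","dest_port":53,"flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":60,"bytes_toclient":140},"label":0}',
    '{"event_type":"flow","dest_port":22,"flow":{"pkts_toserver":40,"pkts_toclient":38,"bytes_toserver":3000,"bytes_toclient":3200},"label":0}',
    '{"event_type":"flow","dest_port":22,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0},"label":1}',
    '{"event_type":"flow","dest_port":3389,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0},"label":1}',
    '{"event_type":"flow","dest_port":445,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0},"label":1}',
    '{"event_type":"flow","dest_port":1433,"flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":120,"bytes_toclient":54},"label":1}',
]
FEATURES = ["dest_port", "pkts_toserver", "pkts_toclient", "bytes_toserver", "bytes_toclient"]

def extract(line):
    """Filter and convert one EVE line into (feature vector, label): the
    'data filtering and conversion' step the claims assign to the Logstash unit."""
    rec = json.loads(line)
    if rec.get("event_type") != "flow":  # drop non-flow events (alert, dns, ...)
        return None
    x = [rec["dest_port"]] + [rec["flow"][k] for k in FEATURES[1:]]
    return x, rec["label"]

DATASET = [r for r in map(extract, EVE_LINES) if r is not None]

# A tree is a tuple: ("leaf", label) or ("node", feat, thr, left, right).
def predict(tree, x):
    while tree[0] == "node":
        _, feat, thr, left, right = tree
        tree = left if x[feat] <= thr else right
    return tree[1]

def accuracy(tree, data):
    return sum(predict(tree, x) == y for x, y in data) / len(data)

def depth(tree):
    return 0 if tree[0] == "leaf" else 1 + max(depth(tree[3]), depth(tree[4]))

def random_tree(rng, data, max_depth):
    """Grow a random tree; thresholds are drawn from observed feature values."""
    if max_depth == 0 or rng.random() < 0.3:
        return ("leaf", rng.randint(0, 1))
    feat = rng.randrange(len(FEATURES))
    thr = rng.choice(data)[0][feat]
    return ("node", feat, thr, random_tree(rng, data, max_depth - 1),
            random_tree(rng, data, max_depth - 1))

def subtree_paths(tree, path=()):
    """Yield every subtree address as a tuple of child indices (3 = left, 4 = right)."""
    yield path
    if tree[0] == "node":
        yield from subtree_paths(tree[3], path + (3,))
        yield from subtree_paths(tree[4], path + (4,))

def replace_subtree(tree, path, new):
    if not path:
        return new
    node = list(tree)
    node[path[0]] = replace_subtree(tree[path[0]], path[1:], new)
    return tuple(node)

def crossover(rng, a, b):
    """Graft a random subtree of b onto a random position in a."""
    pa = rng.choice(list(subtree_paths(a)))
    pb = rng.choice(list(subtree_paths(b)))
    return replace_subtree(a, pa, reduce(lambda t, i: t[i], pb, b))

def mutate(rng, tree, data):
    """Replace a random subtree with a freshly grown small one."""
    return replace_subtree(tree, rng.choice(list(subtree_paths(tree))), random_tree(rng, data, 2))

def tournament(rng, scored, k=3):
    return max(rng.sample(scored, k), key=lambda s: s[1])[0]

def evolve(data, generations=30, pop_size=40, max_depth=6, seed=1):
    """Selection, crossover and mutation with elitism: the best tree survives
    every generation, so the returned accuracy never drops below the start."""
    rng = random.Random(seed)
    pop = [random_tree(rng, data, 3) for _ in range(pop_size)]
    best = max(pop, key=lambda t: accuracy(t, data))
    for _ in range(generations):
        scored = [(t, accuracy(t, data)) for t in pop]
        new_pop = [best]
        while len(new_pop) < pop_size:
            child = crossover(rng, tournament(rng, scored), tournament(rng, scored))
            if rng.random() < 0.2:
                child = mutate(rng, child, data)
            if depth(child) <= max_depth:  # reject bloated trees
                new_pop.append(child)
        pop = new_pop
        best = max(pop, key=lambda t: accuracy(t, data))
    return best, accuracy(best, data)

if __name__ == "__main__":
    tree, acc = evolve(DATASET)
    print("accuracy", acc, "depth", depth(tree), tree)
```

Fitness here is plain training accuracy on a handful of constructed flows, which is exactly the setting in which a genetic search overfits; in practice the fitness should be measured on held-out processed data, and the depth cap is what keeps crossover from producing trees that memorize the sample rather than generalize.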
CN202311316100.0A 2023-10-12 2023-10-12 Intrusion monitoring method and system based on network traffic Active CN117061249B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311316100.0A CN117061249B (en) 2023-10-12 2023-10-12 Intrusion monitoring method and system based on network traffic

Publications (2)

Publication Number Publication Date
CN117061249A CN117061249A (en) 2023-11-14
CN117061249B true CN117061249B (en) 2024-04-26

Family

ID=88657596

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311316100.0A Active CN117061249B (en) 2023-10-12 2023-10-12 Intrusion monitoring method and system based on network traffic

Country Status (1)

Country Link
CN (1) CN117061249B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104348741A (en) * 2013-08-06 2015-02-11 南京理工大学常熟研究院有限公司 Method and system for detecting P2P (peer-to-peer) traffic based on multi-dimensional analysis and decision tree
CN106603538A (en) * 2016-12-20 2017-04-26 北京安信天行科技有限公司 Invasion detection method and system
CN110753064A (en) * 2019-10-28 2020-02-04 中国科学技术大学 Machine learning and rule matching fused security detection system
CN112350882A (en) * 2020-09-28 2021-02-09 广东电力信息科技有限公司 Distributed network traffic analysis system and method
CN112528277A (en) * 2020-12-07 2021-03-19 昆明理工大学 Hybrid intrusion detection method based on recurrent neural network
CN113542253A (en) * 2021-07-12 2021-10-22 杭州安恒信息技术股份有限公司 Network flow detection method, device, equipment and medium
US11310142B1 (en) * 2021-04-23 2022-04-19 Trend Micro Incorporated Systems and methods for detecting network attacks
CN114710416A (en) * 2022-02-23 2022-07-05 沈阳化工大学 Real-time data acquisition method based on process flow and network flow

Similar Documents

Publication Publication Date Title
CN111277578B (en) Encrypted flow analysis feature extraction method, system, storage medium and security device
CN110011999B (en) IPv6 network DDoS attack detection system and method based on deep learning
Al-Hadhrami et al. Real time dataset generation framework for intrusion detection systems in IoT
CN107404400B (en) Network situation awareness implementation method and device
CN104506484B (en) A kind of proprietary protocol analysis and recognition methods
CN107360145B (en) Multi-node honeypot system and data analysis method thereof
CN112383538B (en) Hybrid high-interaction industrial honeypot system and method
CN107196930B (en) The method of computer network abnormality detection
CN113259313A (en) Malicious HTTPS flow intelligent analysis method based on online training algorithm
CN109104438B (en) Botnet early warning method and device in narrow-band Internet of things and readable storage medium
CN113206860B (en) DRDoS attack detection method based on machine learning and feature selection
CN112367307A (en) Intrusion detection method and system based on container-grade honey pot group
CN110460611B (en) Machine learning-based full-flow attack detection technology
CN116232774B (en) Network path analysis system and method for network security anomaly detection
CN112291213A (en) Abnormal flow analysis method and device based on intelligent terminal
JP7086230B2 (en) Protocol-independent anomaly detection
CN115277113A (en) Power grid network intrusion event detection and identification method based on ensemble learning
CN112953961B (en) Equipment type identification method in power distribution room Internet of things
Tan et al. DDoS detection method based on Gini impurity and random forest in SDN environment
CN113660267A (en) Botnet detection system and method aiming at IoT environment and storage medium
CN117061249B (en) Intrusion monitoring method and system based on network traffic
CN113162939A (en) Detection and defense system for DDoS (distributed denial of service) attack under SDN (software defined network) based on improved k-nearest neighbor algorithm
CN112291226A (en) Method and device for detecting abnormality of network traffic
Cukier et al. A statistical analysis of attack data to separate attacks
EP3826242B1 (en) Cyber attack information analyzing program, cyber attack information analyzing method, and information processing device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant