CN1741526A - Method and system for detecting exception flow of network - Google Patents
- Publication number
- CN1741526A
- Authority
- CN
- China
- Prior art keywords
- data
- flow
- network
- rule
- unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method for detecting abnormal network traffic: network traffic data is collected and statistically analysed, and abnormal-traffic events and their groups are generated according to rules written in an abnormal-traffic rule language. Whether an anomaly has occurred is judged by whether the share of a group in the total traffic lies within a given threshold range, by whether the ratio, sum or difference of two groups satisfies a threshold, and by whether the slope of change of a group's traffic satisfies a threshold.
Description
Technical field
The present invention relates to a method and system for detecting abnormal network traffic, a core technology of the Network Intrusion Detection System (NIDS), one of the staple products of network security.
Background technology
An NIDS is installed in the protected network segment. Its network interface card operates in promiscuous mode so that it can analyse every packet in the segment and detect and respond to network security events in real time. Current NIDS products generally use two classes of technique to detect security events: matching network data against attack signatures, and anomaly detection based on the behaviour of network traffic. The former matches network data against the characteristics of known attack patterns; if signature data is found in the network data, a signature event is generated and an alarm is raised (referred to here as a network signature event).
The drawback of signature matching is that unknown attack patterns are hard to discover. As attack techniques keep changing, an NIDS must quickly improve its detection of new attack methods, and anomaly detection based on traffic behaviour is therefore becoming more and more important.
Techniques and products that raise alarms on abnormal traffic have been reported before. For example, they can monitor whether the traffic of a certain protocol or a certain IP address within a certain period is below or above a threshold. Here we call the set of all network packets satisfying a given protocol or IP address a group.
They have the following limitations:
1. The conditions defining a group are quite simple: only common protocol variables such as protocol and IP address can be used;
2. They can only judge whether the byte count and message count of a given group in a given period have exceeded or fallen below a threshold; the data examined is very simple.
Summary of the invention
The object of the invention is to design a technique for detecting abnormal network traffic. It provides a textual abnormal-traffic rule language, performs anomaly analysis on the collected traffic data to obtain the abnormal conditions of the network traffic, and provides a good user-definable interface that is convenient for developers and for on-site maintenance by users.
The abnormal-traffic discovery method of the invention collects network traffic data, performs comprehensive statistics and analysis on it, and generates abnormal-traffic events according to rules defined in the abnormal-traffic rule language.
The method comprises the following steps:
(1) define traffic rules: a filter condition for a group, which may include any protocol variable;
(2) define abnormal-traffic rules: upper and lower thresholds for the result of a calculation over certain data of a traffic group;
(3) the traffic engine captures, according to the defined traffic rules, the traffic data of the groups of network packets that meet the filter conditions;
(4) the abnormal-traffic analysis engine matches the captured traffic-group data against the abnormal-traffic rules; if the data of a traffic group falls outside the specified range, an anomaly is considered to have occurred.
Defining traffic rules
A traffic rule defines the filter condition of one group.
Only the network packets that meet the filter condition need to be observed by our system. For example, the filter condition can be set to "IP equals 192.168.0.1 and protocol is HTTP", meaning that only packets satisfying both conditions are counted. All network packets that meet a filter condition are collectively called a traffic group.
A traffic rule is not limited to the protocol variables IP and protocol; it can match any protocol variable, for example the ICMP type field, the TCP flag bits or the HTTP response code.
According to the defined traffic rules, the traffic engine can count the raw information of all network packets that meet the filter condition. The raw information generally comprises the byte count and the packet count.
Defining abnormal-traffic rules
The abnormal-traffic discovery procedure monitors the traffic-group information reported by the traffic engine. It checks whether the traffic groups match the abnormal-traffic rules and thereby determines whether an anomaly has occurred.
An abnormal-traffic rule expresses the range of values that a certain datum of the target traffic group may take, in other words its upper and lower thresholds. If the datum of the traffic group falls outside the specified range, an anomaly is considered to have occurred.
Our abnormal-traffic rules can specify the value range of several kinds of traffic data, specifically:
1) the byte count of any traffic group
2) the message count of any traffic group
3) the average message length of any traffic group
4) the slope of any traffic group
5) the ratio of two traffic groups
These traffic data can also be combined with each other; for example we can monitor a ratio of message counts or a ratio of byte counts.
To monitor all of them in a uniform way, we adopted the abnormal-traffic rule definition grammar below. With it, monitoring a new kind of abnormal traffic only requires defining a new abnormal-traffic rule, without modifying the program.
Abnormal-traffic rule definition grammar
The formal syntax of the abnormal-traffic rule definition language is as follows:
abnormal-traffic rule ::= rule unit [unit relation rule unit]
rule unit ::= constraint comparison operator threshold
constraint ::= operation function (monitored data)
monitored data ::= raw data combined with arithmetic operators
comparison operator ::= > or <
arithmetic operator ::= + or - or /
raw data ::= message count or byte count of a traffic group
operation function ::= Count or Slope
unit relation ::= & or |
threshold ::= double-precision number
Explanation:
1) An abnormal-traffic rule is divided by & or | into several rule units, each of which is a Boolean. If they are connected by &, the rule matches only when all rule units are true; if they are connected by |, the rule matches as soon as any one rule unit is true;
2) each rule unit is divided by < or > into a left part and a right part, and judges the magnitude relationship between the two;
3) the right part of the comparison operator (<, >) is a number;
4) the left part of the comparison operator (<, >) is an operation expression whose result is a number, called the constraint;
5) the constraint applies an operation function to the monitored data. There are two operation functions, Count and Slope: the former compares the monitored data directly, while the latter first computes the slope of change of the monitored data and then compares it with the threshold;
6) the monitored data is obtained by adding, subtracting and dividing the raw data of each moment;
7) abnormal-traffic rules can be defined that judge anomalies in the data of a single group, in the ratio between two groups, or in the slope of a traffic group; many other abnormal-traffic rules can also be defined.
The system comprises: a traffic rule definition unit, which defines the filter condition of a group, where the filter condition can also be a user-defined restriction or specific values of the port address, protocol, packet length, IP address and various protocol variables; an abnormal-traffic rule definition unit, which defines the rules required for abnormal-traffic matching; a data capture unit, which captures the raw message data from the network; a traffic generation unit, which filters, merges and counts the network packets to generate the various kinds of traffic data; and an abnormal-traffic discovery unit, which matches the reported traffic against the abnormal-traffic rules.
The advantages of this method are:
1. A group can be defined by a complex combination of protocol variables. For example, we can specify a group that simultaneously satisfies a certain IP address, a certain protocol and a certain length range, and then monitor whether the traffic of that group lies within a threshold range to judge whether an anomaly has occurred.
2. Whether an anomaly has occurred can be judged by whether the share of a group in the total traffic lies within a threshold range. For example, we can judge whether the share of ICMP traffic in the total traffic has exceeded the specified range.
3. Whether an anomaly has occurred can be judged by whether the ratio between the traffic of two groups satisfies a threshold. For example, we can compare the traffic of two IP addresses and judge whether their ratio lies within the specified range.
4. Whether an anomaly has occurred can be judged by whether the slope of change of a group's traffic satisfies a threshold.
Brief description of the drawings
Fig. 1: block diagram of the entire system
Fig. 2: flow chart of the abnormal-traffic detection module
Embodiments
Examples of traffic rules and abnormal-traffic rules
We define three traffic groups. The first is defined as ip=1.2.3.4 and has ID 1; the second is defined as ip=5.6.7.8 and has ID 2; the third has no filter condition, meaning that all network packets are counted, and has ID 3.
Then:
1) to raise an alarm when the byte count of host 1.2.3.4 exceeds 10000, we can define the abnormal-traffic rule Count(Byte(1))>10000, where 1 is the ID of the group;
2) to raise an alarm when the slope of the message count of host 1.2.3.4 exceeds 1, we define the abnormal-traffic rule Slope(Packet(1))>1;
3) to raise an alarm when the message count of host 1.2.3.4 exceeds 20% of the total message count, we define the abnormal-traffic rule:
Count(Packet(1)/Packet(3))>0.2
4) to raise an alarm when the average message length of host 1.2.3.4 exceeds 100, we define the rule Count(Byte(1)/Packet(1))>100;
5) to raise an alarm when the gap between the byte counts of hosts 1.2.3.4 and 5.6.7.8 exceeds 200, we define Count(Byte(1)-Byte(2))>200|Count(Byte(2)-Byte(1))>200.
Processing procedure of the abnormal-traffic discovery unit
The abnormal-traffic discovery unit first reads in all previously defined abnormal-traffic rules and stores them in a rule linked list. It performs lexical analysis on each rule to obtain its rule units, constraints, thresholds, operation functions and monitored data.
Whenever traffic-group data arrives, the abnormal-traffic discovery unit checks the rules relevant to that group. It computes over the group data according to the constraints specified by those rules and compares the result with the threshold to obtain the result of each rule unit. The results of several rule units are combined with AND or OR to obtain the final result; if it is true, an anomaly is reported.
If a rule involving the arriving group data concerns only the data of the current group, it is analysed immediately. If it concerns the data of several groups, the analysis must wait until the data of the other groups has arrived.
This process is illustrated in Figures 1 and 2.
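The following Python program is an added illustration, not code from the patent, of the rule grammar, the five example rules of the embodiment, and the processing procedure of the abnormal-traffic discovery unit described above. Rules are tokenised and parsed into rule units; each report from the traffic engine is stored per interval and per group; a rule that references several groups waits until every one of them has reported for that interval; Count compares the combined data directly, Slope compares the change against the previous interval; and the rule units are combined with & and | from left to right. The tuple representation of parsed rules, the per-interval sampling with unit time steps, the treatment of a zero denominator as an undefined (never matching) value, and the sample reports are assumptions of this example, not statements of the patent.

```python
import re
# Grammar from the patent: rule := unit [('&'|'|') unit]*; unit := (Count|Slope) '(' data ')' ('>'|'<') number;
# data := raw (('+'|'-'|'/') raw)*; raw := (Byte|Packet) '(' group_id ')'
_TOKEN = re.compile(r"Count|Slope|Byte|Packet|\d+(?:\.\d+)?|[()+\-/<>&|]")

def tokenize(text):
    # Lexical analysis: every non-blank character of the rule must belong to some token
    tokens = _TOKEN.findall(text)
    if "".join(tokens) != "".join(text.split()):
        raise ValueError(f"unrecognised characters in rule {text!r}")
    return tokens

class Parser:
    # Recursive-descent parser; a rule is (text, units, joins), a unit (func, terms, cmp, threshold), a term (op, kind, gid)
    def __init__(self, text):
        self.text, self.toks, self.i = text, tokenize(text) + [None], 0  # None marks end of input
    def take(self, *expected):
        tok = self.toks[self.i]
        if tok is None or (expected and tok not in expected):
            raise ValueError(f"in {self.text!r}: expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def raw(self, op):
        kind = self.take("Byte", "Packet")
        self.take("(")
        gid = int(self.take())
        self.take(")")
        return (op, kind, gid)
    def unit(self):
        func = self.take("Count", "Slope")
        self.take("(")
        terms = [self.raw("+")]  # the first raw term is added to an accumulator that starts at 0
        while self.toks[self.i] in ("+", "-", "/"):
            terms.append(self.raw(self.take()))
        self.take(")")
        cmp = self.take(">", "<")
        return (func, terms, cmp, float(self.take()))
    def rule(self):
        units, joins = [self.unit()], []
        while self.toks[self.i] in ("&", "|"):
            joins.append(self.take())
            units.append(self.unit())
        if self.toks[self.i] is not None:
            raise ValueError(f"in {self.text!r}: trailing token {self.toks[self.i]!r}")
        return (self.text, units, joins)

def monitored_value(terms, sample):
    # Combine the raw data left to right with + - /; a zero denominator yields NaN, which compares false
    acc = 0.0
    for op, kind, gid in terms:
        v = sample[gid][kind]
        acc = acc + v if op == "+" else acc - v if op == "-" else (acc / v if v else float("nan"))
    return acc

class AnomalyDetector:
    # The abnormal-traffic discovery unit: parsed rules plus the per-interval sample of every group
    def __init__(self, rule_texts):
        self.rules = [Parser(t).rule() for t in rule_texts]
        self.samples, self.judged = {}, set()  # interval -> gid -> {"Byte", "Packet"}; (interval, rule index) decided
    def report(self, interval, gid, byte_count, packet_count):
        # One traffic-group report from the traffic engine; returns the texts of the rules that fired
        self.samples.setdefault(interval, {})[gid] = {"Byte": float(byte_count), "Packet": float(packet_count)}
        fired = []
        for idx, (text, units, joins) in enumerate(self.rules):
            needed = {g for _, terms, _, _ in units for _, _, g in terms}
            if gid not in needed or (interval, idx) in self.judged or not needed <= set(self.samples[interval]):
                continue  # not about this group, already decided, or still waiting for the other groups' data
            self.judged.add((interval, idx))
            result = self.unit_holds(units[0], interval)
            for join, unit in zip(joins, units[1:]):  # flat, left-to-right combination of the rule units
                v = self.unit_holds(unit, interval)
                result = (result and v) if join == "&" else (result or v)
            if result:
                fired.append(text)
        return fired
    def unit_holds(self, unit, interval):
        func, terms, cmp, threshold = unit
        now = monitored_value(terms, self.samples[interval])
        if func == "Slope":
            prev = self.samples.get(interval - 1)
            if prev is None or not {g for _, _, g in terms} <= set(prev):
                return False  # no previous interval yet: the slope is undefined, nothing to judge
            now -= monitored_value(terms, prev)  # assumption: consecutive intervals are one time unit apart
        return now > threshold if cmp == ">" else now < threshold

# The five rules of the patent's embodiment (group 1 = ip 1.2.3.4, group 2 = ip 5.6.7.8, group 3 = all packets)
RULES = ["Count(Byte(1))>10000", "Slope(Packet(1))>1", "Count(Packet(1)/Packet(3))>0.2",
         "Count(Byte(1)/Packet(1))>100", "Count(Byte(1)-Byte(2))>200|Count(Byte(2)-Byte(1))>200"]
# Constructed traffic-engine reports (interval, group id, bytes, packets): quiet interval 0, then a burst from 1.2.3.4
SAMPLE_REPORTS = [(0, 1, 8000, 100), (0, 2, 7900, 90), (0, 3, 40000, 800),
                  (1, 1, 12000, 150), (1, 2, 7000, 80), (1, 3, 50000, 600)]

def run(reports=SAMPLE_REPORTS):
    det, fired = AnomalyDetector(RULES), {}
    for interval, gid, b, p in reports:
        for text in det.report(interval, gid, b, p):
            fired.setdefault(interval, []).append(text)
    return fired
```

With the constructed reports, nothing fires in interval 0; in interval 1 the byte-count rule and the slope rule fire as soon as group 1 reports, the byte-gap rule fires once group 2 has reported, and the share-of-total rule fires once group 3 has reported, which is the waiting behaviour the procedure describes for rules spanning several groups. Because the rule units are combined strictly left to right, a rule mixing & and | should be read that way rather than with the usual precedence of AND over OR.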
Claims (5)
1. A method for detecting abnormal network traffic, characterised in that: network traffic data is collected, comprehensive statistics and analysis are performed on it, and abnormal-traffic events are generated according to rules defined in an abnormal-traffic rule language;
the method comprises the following steps:
(1) define traffic rules: a filter condition for a group, which may include any protocol variable;
(2) define abnormal-traffic rules: upper and lower thresholds for the result of a calculation over certain data of a traffic group;
(3) the traffic engine captures, according to the defined traffic rules, the traffic data of the groups of network packets that meet the filter conditions;
(4) the abnormal-traffic analysis engine matches the captured traffic-group data against the abnormal-traffic rules; if the data of a traffic group falls outside the specified range, an anomaly is considered to have occurred.
2. A system for detecting abnormal network traffic, comprising a host, a network server, several terminal servers, a data storage device, a network interface card, a data input device and an output device, characterised in that it further comprises: a traffic rule unit, which defines the filter condition of a group; an abnormal-traffic rule definition unit, which defines the rules required for abnormal-traffic matching; a data capture unit, which captures the raw message data from the network; a traffic generation unit, which filters, merges and counts the network packets to generate the various kinds of traffic data; and an abnormal-traffic discovery unit, which matches the reported traffic against the abnormal-traffic rules.
3. The system for detecting abnormal network traffic according to claim 2, characterised in that the abnormal-traffic rule unit can specify the value range of several kinds of traffic data, specifically:
(1) the byte count of any traffic group
(2) the message count of any traffic group
(3) the average message length of any traffic group
(4) the slope of any traffic group
(5) the ratio of two traffic groups
These traffic data can be combined with each other.
4. The system for detecting abnormal network traffic according to claim 2, characterised in that the formal syntax of the language of the abnormal-traffic rule definition unit is as follows:
abnormal-traffic rule ::= rule unit [unit relation rule unit]
rule unit ::= constraint comparison operator threshold
constraint ::= operation function (monitored data)
monitored data ::= raw data combined with arithmetic operators
comparison operator ::= > or <
arithmetic operator ::= + or - or /
raw data ::= message count | byte count of a traffic group
operation function ::= Count or Slope
unit relation ::= & or |
threshold ::= double-precision number.
5. The system for detecting abnormal network traffic according to claim 2, characterised in that the filter condition specifies values of the port address, protocol, packet length, IP address and various protocol variables.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200510086354 CN1741526A (en) | 2005-09-05 | 2005-09-05 | Method and system for detecting exception flow of network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200510086354 CN1741526A (en) | 2005-09-05 | 2005-09-05 | Method and system for detecting exception flow of network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1741526A true CN1741526A (en) | 2006-03-01 |
Family
ID=36093739
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200510086354 Pending CN1741526A (en) | 2005-09-05 | 2005-09-05 | Method and system for detecting exception flow of network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1741526A (en) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101060396B (en) * | 2006-03-24 | 2011-02-09 | 东软集团股份有限公司 | An event detection method and device |
CN101309179B (en) * | 2007-05-18 | 2011-03-16 | 北京启明星辰信息技术股份有限公司 | Real-time flux abnormity detection method on basis of host activity and communication pattern analysis |
CN101267353B (en) * | 2008-04-24 | 2011-12-21 | 北京大学 | A load-independent method for detecting network abuse |
CN101442519B (en) * | 2007-11-22 | 2012-06-20 | 北京启明星辰信息技术股份有限公司 | Method and system for monitoring P2P software |
CN102882798A (en) * | 2012-09-04 | 2013-01-16 | 中国人民解放军理工大学 | Statistical counting method facing to backbone network flow analysis |
CN101895828B (en) * | 2009-05-20 | 2013-01-16 | 中兴通讯股份有限公司 | Short message monitoring system and method |
CN104105124A (en) * | 2013-04-08 | 2014-10-15 | 南京理工大学常熟研究院有限公司 | Traffic monitoring system based on Android intelligent mobile terminal |
WO2015007095A1 (en) * | 2013-07-19 | 2015-01-22 | 华为技术有限公司 | Approximate matching method and related device, and communication system |
CN104901833A (en) * | 2015-05-19 | 2015-09-09 | 无锡天脉聚源传媒科技有限公司 | Method for finding abnormal device and device |
CN104994076A (en) * | 2015-06-01 | 2015-10-21 | 广东电网有限责任公司信息中心 | Machine-learning-based daily access model implementation method and system |
CN105515888A (en) * | 2015-06-30 | 2016-04-20 | 国家电网公司 | Intelligent substation communication network anomaly detection method based on multi-dimensional entropy sequence classification |
CN104267610B (en) * | 2014-08-29 | 2017-05-17 | 内蒙古科技大学 | High-precision blast furnace smelting process abnormal data detection and repair method |
CN106899977A (en) * | 2015-12-18 | 2017-06-27 | 中国电信股份有限公司 | The abnormal flow method of inspection and device |
CN107171817A (en) * | 2016-03-07 | 2017-09-15 | 中国移动通信集团福建有限公司 | A kind of failure information obtaining method and device |
CN107690776A (en) * | 2015-06-04 | 2018-02-13 | 思科技术公司 | For the method and apparatus that feature is grouped into the case for having selectable case border in abnormality detection |
CN108810948A (en) * | 2018-05-29 | 2018-11-13 | 浙江每日互动网络科技股份有限公司 | A method of differentiating real traffic |
CN110008096A (en) * | 2018-11-29 | 2019-07-12 | 阿里巴巴集团控股有限公司 | Data monitoring method, device, electronic equipment and computer readable storage medium |
CN117688464A (en) * | 2024-02-04 | 2024-03-12 | 国网上海市电力公司 | Hidden danger analysis method and system based on multi-source sensor data |
- 2005-09-05: CN application 200510086354, patent/CN1741526A/en, active, pending
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101060396B (en) * | 2006-03-24 | 2011-02-09 | 东软集团股份有限公司 | An event detection method and device |
CN101309179B (en) * | 2007-05-18 | 2011-03-16 | 北京启明星辰信息技术股份有限公司 | Real-time flux abnormity detection method on basis of host activity and communication pattern analysis |
CN101442519B (en) * | 2007-11-22 | 2012-06-20 | 北京启明星辰信息技术股份有限公司 | Method and system for monitoring P2P software |
CN101267353B (en) * | 2008-04-24 | 2011-12-21 | 北京大学 | A load-independent method for detecting network abuse |
CN101895828B (en) * | 2009-05-20 | 2013-01-16 | 中兴通讯股份有限公司 | Short message monitoring system and method |
CN102882798A (en) * | 2012-09-04 | 2013-01-16 | 中国人民解放军理工大学 | Statistical counting method facing to backbone network flow analysis |
CN102882798B (en) * | 2012-09-04 | 2015-05-20 | 中国人民解放军理工大学 | Statistical counting method facing to backbone network flow analysis |
CN104105124A (en) * | 2013-04-08 | 2014-10-15 | 南京理工大学常熟研究院有限公司 | Traffic monitoring system based on Android intelligent mobile terminal |
WO2015007095A1 (en) * | 2013-07-19 | 2015-01-22 | 华为技术有限公司 | Approximate matching method and related device, and communication system |
CN104267610B (en) * | 2014-08-29 | 2017-05-17 | 内蒙古科技大学 | High-precision blast furnace smelting process abnormal data detection and repair method |
CN104901833A (en) * | 2015-05-19 | 2015-09-09 | 无锡天脉聚源传媒科技有限公司 | Method for finding abnormal device and device |
CN104901833B (en) * | 2015-05-19 | 2018-05-08 | 无锡天脉聚源传媒科技有限公司 | A kind of method and device for the equipment that notes abnormalities |
CN104994076A (en) * | 2015-06-01 | 2015-10-21 | 广东电网有限责任公司信息中心 | Machine-learning-based daily access model implementation method and system |
CN107690776A (en) * | 2015-06-04 | 2018-02-13 | 思科技术公司 | For the method and apparatus that feature is grouped into the case for having selectable case border in abnormality detection |
CN105515888A (en) * | 2015-06-30 | 2016-04-20 | 国家电网公司 | Intelligent substation communication network anomaly detection method based on multi-dimensional entropy sequence classification |
CN106899977A (en) * | 2015-12-18 | 2017-06-27 | 中国电信股份有限公司 | The abnormal flow method of inspection and device |
CN106899977B (en) * | 2015-12-18 | 2020-02-18 | 中国电信股份有限公司 | Abnormal flow detection method and device |
CN107171817A (en) * | 2016-03-07 | 2017-09-15 | 中国移动通信集团福建有限公司 | A kind of failure information obtaining method and device |
CN107171817B (en) * | 2016-03-07 | 2020-09-11 | 中国移动通信集团福建有限公司 | Fault information acquisition method and device |
CN108810948A (en) * | 2018-05-29 | 2018-11-13 | 浙江每日互动网络科技股份有限公司 | A method of differentiating real traffic |
CN108810948B (en) * | 2018-05-29 | 2021-03-19 | 每日互动股份有限公司 | Method for identifying real flow |
CN110008096A (en) * | 2018-11-29 | 2019-07-12 | 阿里巴巴集团控股有限公司 | Data monitoring method, device, electronic equipment and computer readable storage medium |
CN110008096B (en) * | 2018-11-29 | 2024-02-06 | 创新先进技术有限公司 | Data monitoring method, device, electronic equipment and computer readable storage medium |
CN117688464A (en) * | 2024-02-04 | 2024-03-12 | 国网上海市电力公司 | Hidden danger analysis method and system based on multi-source sensor data |
CN117688464B (en) * | 2024-02-04 | 2024-04-19 | 国网上海市电力公司 | Hidden danger analysis method and system based on multi-source sensor data |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1741526A (en) | Method and system for detecting exception flow of network | |
CN111614627B (en) | SDN-oriented cross-plane cooperation DDOS detection and defense method and system | |
CN108616534B (en) | Method and system for preventing DDoS (distributed denial of service) attack of Internet of things equipment based on block chain | |
Yegneswaran et al. | Using honeynets for internet situational awareness | |
CN1655518A (en) | Network security system and method | |
CN110324323B (en) | New energy plant station network-related end real-time interaction process anomaly detection method and system | |
US9584533B2 (en) | Performance enhancements for finding top traffic patterns | |
CN113904862A (en) | Distributed train control network intrusion detection method, system and storage medium | |
CN101034974A (en) | Associative attack analysis and detection method and device based on the time sequence and event sequence | |
CN201491020U (en) | Event classification and rule tree-based association analysis device | |
CN1697404A (en) | System and method for detecting network worm in interactive mode | |
CN1578227A (en) | Dynamic IP data packet filtering method | |
CN110958231A (en) | Industrial control safety event monitoring platform and method based on Internet | |
CN110855493A (en) | Application topological graph drawing device for mixed environment | |
CN1968180A (en) | Multilevel aggregation-based abnormal flow control method and system | |
CN113259367B (en) | Industrial control network flow multistage anomaly detection method and device | |
CN102104606B (en) | Worm detection method of intranet host | |
CN117560196A (en) | Intelligent substation secondary system testing system and method | |
CN111431752B (en) | Safety detection method based on adaptive flow control | |
CN115333915B (en) | Heterogeneous host-oriented network management and control system | |
CN117375957A (en) | Industrial control flow analysis system and equipment | |
CN114760126B (en) | Industrial control network flow real-time intrusion detection method | |
CN114338189B (en) | Situation awareness defense method, device and system based on node topology relation chain | |
CN1317855C (en) | Invasion detecting system and its invasion detecting method | |
Peng et al. | Anomaly detection based on multiple streams clustering for train real-time ethernet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |