CN1750481A - Network abnormal detecting method for weighting statistic model based on time section - Google Patents

Info

Publication number
CN1750481A
Authority
CN
China
Prior art keywords
attribute
network
packet
probability matrix
tcp
Prior art date
Legal status
Pending
Application number
CN 200510096096
Other languages
Chinese (zh)
Inventor
白亮
廖明涛
向冬
张永斌
刘志强
何清
张宇
Current Assignee
Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Original Assignee
Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Priority date: 2005-09-29
Filing date: 2005-09-29
Publication date: 2006-03-22
Application filed by Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Priority to CN 200510096096
Publication of CN1750481A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This invention relates to a network anomaly detection method based on a time-period weighted statistical model. An anomaly detector observes the actions of a subject (a host) and generates attributes describing those actions; each attribute stores a record of one behaviour of the subject; the current attributes are periodically merged with the stored attributes; and abnormal behaviour is judged by comparing the current attributes with the stored attributes together with the time-period weight.

Description

Network anomaly detection method based on a time-period weighted statistical model
Technical field:
The present invention relates to the field of network abnormal-traffic detection and intrusion detection technology, and specifically to a network anomaly detection method based on a time-period weighted statistical model.
Background technology:
Alongside the normal traffic of a network, various kinds of abnormal traffic also travel over it, affecting the normal operation of the network and threatening the security and usability of user hosts. Network anomalies are usually caused by network attacks, worms and misuse of the network, for example network scanning of every kind, DDoS attacks, network worms, malicious downloads and other improper use of network resources. All of these degrade network performance; in serious cases they disrupt normal network use, cause congestion, and even lead to network outages and the failure of network equipment. Monitoring and managing network traffic in real time, and discovering both known and unknown types of network anomaly, has therefore become a first-order problem in network security management, and is of great significance for improving the reliability and availability of networks.
Traditional network anomaly detection analyses and learns from traffic information gathered over a long period of network operation, establishes a reference range of performance parameters for the network's normal usage pattern, and decides that an anomaly has occurred when the network's operating state deviates clearly from that normal baseline. This method can find basic network anomalies, but it suffers from computationally complex algorithms, a lack of time-dependence, a lack of flexibility and a high false-alarm rate.
Summary of the invention:
The purpose of this invention is to provide a network anomaly detection method based on a time-period weighted statistical model that overcomes the defects of the prior art: computationally complex algorithms, no time-dependence, a lack of flexibility and a high false-alarm rate.
The technical scheme of the invention is as follows: an anomaly detector observes the activity of a subject and produces attributes describing that behaviour; each attribute keeps a record of one current behaviour of the subject; the current attributes are periodically merged with the stored attributes; and abnormal behaviour is judged by comparing the current attributes with the stored attributes and with the time-period weight.
The objective of the invention is realised by the following steps:
Step 1: establish the time-period weighted statistical value table;
Step 2: capture the packets on the network, that is, capture the packets on the network in bypass (passive tap) interception mode;
Step 3: decompose the captured packets into attributes. Attribute decomposition means classifying the captured network packets according to their attribute items; that is, from the format of the captured network packets, an attribute record is produced for each TCP/IP connection. The format of these records is:
R(T, Src.IP, Src.Port, Dst.IP, Dst.Port, FLAG)
where T is the time at which the connection began; Src.IP is the source IP address; Src.Port is the source port; Dst.IP is the destination IP address; Dst.Port is the destination port; and FLAG is the state of the TCP/IP connection. Using the above attribute items, the system records an attribute record R for each TCP/IP connection, forming an attribute record set.
Step 4: load the probability matrix. The probability matrix is a variable-length matrix composed of the attribute record sets R of all TCP/IP connections;
Step 5: traverse the probability matrix. Traversing the probability matrix means performing a statistical pass over it. During the traversal, TCP/IP connections with identical attributes are merged, and the statistical values of the probability matrix are obtained in this way, ready for the next step;
Step 6: compute the anomaly score according to the formula $0 < \log_2 P(x) < +\infty$; the formula is evaluated by the following method:
[Formula figure A20051009609600061: image not reproduced in the text]
Step 7: compare the computed score with the predefined threshold;
Step 8: judge from the result of the comparison whether an anomaly exists, and take the corresponding action.
Compared with the prior art, the advantages of the invention are:
The algorithm of the invention is simple and its judgement accurate; adding a time-period weighting attribute to the judgement model strengthens the reliability and flexibility of anomaly monitoring. It can be used in equipment such as intrusion detection systems (IDS) to monitor network traffic in real time and to discover and locate, accurately and quickly, both known and unknown types of network anomaly present in the network.
Description of drawings:
The accompanying drawing is the flow chart of the network anomaly detection method of the present invention based on a Bayesian statistical model.
Embodiment:
The invention is described in detail below as implemented in IDS equipment. For implementation, a network anomaly detection module based on the time-period weighted statistical model must be set up in the IDS equipment; this module performs the network anomaly detection and control functions based on the time-period weighted statistical model.
The steps of the invention are:
(1) Establish the time-period weighted statistical value table in the system. This table covers every time period and is set manually by the administrator according to the different network access characteristics of each period. Its format is as follows:
Time period   8:00-18:00   18:00-23:00   23:00-8:00 (next day)
Weight        0.5          0.7           0.9
(2) Capture the packets on the network in bypass interception mode;
(3) Decompose the packets into attributes in the set format;
(4) Load the probability matrix: the attribute records R of all TCP/IP connections are pooled together to form a variable-length probability matrix:
Connection   T    Src.IP    Src.Port    Dst.IP    Dst.Port    FLAG
L1           T1   Src.IP1   Src.Port1   Dst.IP1   Dst.Port1   FLAG1
L2           T2   Src.IP2   Src.Port2   Dst.IP2   Dst.Port2   FLAG2
L3           T3   Src.IP3   Src.Port3   Dst.IP3   Dst.Port3   FLAG3
...
Ln           Tn   Src.IPn   Src.Portn   Dst.IPn   Dst.Portn   FLAGn
(5) Traverse the probability matrix: during the traversal, TCP/IP connections with identical attributes are merged (for example, if the attribute values of connections L3 and L1 are identical, L3 and L1 are merged and the connection count is recorded as 2), and the statistical parameter values of the probability matrix are thereby obtained. These values include at least the total number of connections and the total count of each distinct connection.
(6) The system computes the anomaly score by the given formula;
(7) The computed score is compared with the system's preset threshold;
(8) Whether an anomaly exists is judged from the result, and the corresponding action is taken.
Finally, it should be noted that the above embodiment is intended only to illustrate, not to limit, the technical scheme of the invention. Although the invention has been described in detail with reference to the above embodiment, those of ordinary skill in the art should understand that the invention may still be modified or equivalently substituted, and any modification or partial substitution that does not depart from the spirit and scope of the invention shall be encompassed within the scope of the claims of the invention.
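Steps 1 to 8 of the Summary and steps (1) to (8) of the embodiment describe one procedure: capture connections, decompose each into a record R(T, Src.IP, Src.Port, Dst.IP, Dst.Port, FLAG), merge identical rows into a counted matrix, score each row from its relative frequency and the weight of the time period in which it began, and compare the score with a preset threshold. The Python below is an added illustration written for this page; it is not code from the patent or its assignee. Several points the text leaves open are assumptions here: the merge key excludes T (which only selects the weight) and the ephemeral source port; the score is the time-period weight multiplied by -log2 P(x), because the page's condition 0 < log2 P(x) < +∞ can only hold for a probability P(x) <= 1 if the logarithm is negated (the surprisal); and the threshold of 4.0, the class and function names, and the traffic records are all constructed for the demonstration. The weight table is the one given in the embodiment.

```python
"""Added example: time-period weighted statistical anomaly scoring over
TCP/IP connection records R(T, Src.IP, Src.Port, Dst.IP, Dst.Port, FLAG).
Not the patent's code; the merge key, the weight * surprisal combination,
the threshold and the sample traffic are assumptions made for illustration."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# Step 1: time-period weight table as given in the embodiment:
# (start_hour, end_hour, weight); the last row wraps past midnight.
WEIGHT_TABLE = [(8, 18, 0.5), (18, 23, 0.7), (23, 8, 0.9)]


def period_weight(hour: int) -> float:
    """Weight of the period that contains `hour` (0-23)."""
    for start, end, weight in WEIGHT_TABLE:
        wraps = start > end
        if (not wraps and start <= hour < end) or (wraps and (hour >= start or hour < end)):
            return weight
    raise ValueError(f"hour {hour} not covered by the weight table")


@dataclass(frozen=True)
class Record:
    """One attribute record R produced by step 3."""
    t_hour: int     # T: hour of day the connection began (a full timestamp in practice)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flag: str       # TCP/IP connection state, e.g. "SYN", "EST", "RST"

    def key(self) -> tuple:
        # Assumption: T only selects the weight and the ephemeral source port is
        # dropped, so repeated connections of the same kind merge into one row.
        return (self.src_ip, self.dst_ip, self.dst_port, self.flag)


class PeriodWeightedDetector:
    def __init__(self, threshold: float) -> None:
        self.threshold = threshold          # step 7: preset threshold
        self.stored: Counter = Counter()    # merged attribute counts from earlier windows

    def analyse(self, window: list[Record]) -> tuple[list[tuple[Record, float]], int]:
        """Steps 4-8 for one capture window.

        Returns the records judged anomalous with their scores, and the total
        connection count of the merged matrix. The current attributes are then
        merged into the stored ones (the periodic merge described in claim 1)."""
        # Steps 4-5: pool the records and merge identical rows into counts
        merged = self.stored + Counter(r.key() for r in window)
        total = sum(merged.values())

        flagged = []
        for rec in window:
            p = merged[rec.key()] / total            # relative frequency of this row
            surprisal = -math.log2(p)                # 0 <= -log2 P(x) < +inf
            # Step 6 (assumption): weight the surprisal by the period of T, so the
            # same rare row scores higher at night (0.9) than in the day (0.5).
            score = period_weight(rec.t_hour) * surprisal
            if score > self.threshold:               # steps 7-8
                flagged.append((rec, score))

        self.stored = merged
        return flagged, total


def run_demo() -> tuple[list[tuple[Record, float]], int]:
    """Constructed traffic: a daytime baseline window, then a night window with
    normal web traffic, a three-port SYN probe from one host, and a one-off
    daytime connection to an unusual port (equally rare, lower weight)."""
    det = PeriodWeightedDetector(threshold=4.0)

    baseline = [Record(10, "192.0.2.10", 40000 + i, "10.0.0.5", 80, "EST") for i in range(30)]
    baseline += [Record(11, "192.0.2.11", 41000 + i, "10.0.0.5", 443, "EST") for i in range(10)]
    det.analyse(baseline)   # nothing rare here; this populates the stored matrix

    night = [Record(2, "192.0.2.10", 42000 + i, "10.0.0.5", 80, "EST") for i in range(5)]
    night += [Record(2, "203.0.113.7", 50000 + i, "10.0.0.5", port, "SYN")
              for i, port in enumerate((22, 23, 3389))]
    night.append(Record(14, "198.51.100.4", 51000, "10.0.0.5", 8080, "EST"))
    return det.analyse(night)


if __name__ == "__main__":
    hits, total = run_demo()
    print(f"{total} merged connections, {len(hits)} flagged")
    for rec, score in hits:
        print(f"  {rec.src_ip}:{rec.src_port} -> {rec.dst_ip}:{rec.dst_port} "
              f"{rec.flag} at {rec.t_hour:02d}:00  score={score:.2f}")
```

In the constructed data the three SYN probe rows and the daytime 8080 connection each appear once in a merged matrix of 49 connections, so all four have the same surprisal log2(49) (about 5.61). The weight table separates them: the night-time probe scores about 5.05 and is flagged, the daytime one-off scores about 2.81 and is not. That is the effect claimed for the time-period weight; the price is that the administrator's table, not the data, decides how much the same statistical rarity counts in each period, and that a sufficiently low threshold would flag the daytime row as well.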

Claims (2)

1. A network anomaly detection method based on a time-period weighted statistical model, characterised in that: an anomaly detector observes the activity of a subject and produces attributes describing that behaviour; each attribute keeps a record of one current behaviour of the subject; the current attributes are periodically merged with the stored attributes; and abnormal behaviour is judged by comparing the current attributes with the stored attributes and with the time-period weight.
2. The network anomaly detection method based on a time-period weighted statistical model according to claim 1, characterised in that it is realised by the following steps:
Step 1: establish the time-period weighted statistical value table;
Step 2: capture the packets on the network, that is, capture the packets on the network in bypass (passive tap) interception mode;
Step 3: decompose the captured packets into attributes. Attribute decomposition means classifying the captured network packets according to their attribute items; that is, from the format of the captured network packets, an attribute record is produced for each TCP/IP connection. The format of these records is:
R(T, Src.IP, Src.Port, Dst.IP, Dst.Port, FLAG)
where T is the time at which the connection began; Src.IP is the source IP address; Src.Port is the source port; Dst.IP is the destination IP address; Dst.Port is the destination port; and FLAG is the state of the TCP/IP connection. Using the above attribute items, the system records an attribute record R for each TCP/IP connection, forming an attribute record set;
Step 4: load the probability matrix. The probability matrix is a variable-length matrix composed of the attribute record sets R of all TCP/IP connections;
Step 5: traverse the probability matrix. Traversing the probability matrix means performing a statistical pass over it. During the traversal, TCP/IP connections with identical attributes are merged, and the statistical values of the probability matrix are obtained in this way, ready for the next step;
Step 6: compute the anomaly score according to the formula $0 < \log_2 P(x) < +\infty$, evaluated by the following method;
Step 7: compare the computed score with the predefined threshold;
Step 8: judge from the result of the comparison whether an anomaly exists, and take the corresponding action.

Priority Applications (1)

Application Number   Publication        Priority Date   Filing Date   Title
CN 200510096096      CN1750481A (en)    2005-09-29      2005-09-29    Network abnormal detecting method for weighting statistic model based on time section

Publications (1)

Publication Number Publication Date
CN1750481A true CN1750481A (en) 2006-03-22

Family

ID=36605749

Family Applications (1)

Application Number   Status    Publication        Priority Date   Filing Date   Title
CN 200510096096      Pending   CN1750481A (en)    2005-09-29      2005-09-29    Network abnormal detecting method for weighting statistic model based on time section

Country Status (1)

Country Link
CN (1) CN1750481A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008131667A1 (en) * 2007-04-28 2008-11-06 Huawei Technologies Co., Ltd. Method, device for identifying service flows and method, system for protecting against a denial of service attack
CN104090893A (en) * 2013-12-13 2014-10-08 深圳市腾讯计算机系统有限公司 Method, device and system for optimizing recommendation algorithms
CN104090893B (en) * 2013-12-13 2015-11-18 深圳市腾讯计算机系统有限公司 Method, device and system for optimizing recommendation algorithms
CN109490611A (en) * 2018-10-29 2019-03-19 宁波三星智能电气有限公司 A time counting method for an embedded device
CN110075524A (en) * 2019-05-10 2019-08-02 腾讯科技(深圳)有限公司 Anomaly detection method and device

Legal Events

Code   Title / Description
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
C02    Deemed withdrawal of patent application after publication (patent law 2001)
WD01   Invention patent application deemed withdrawn after publication

Open date: 2006-03-22