CN1764126A - Method for detecting and monitoring gusty abnormal network flow - Google Patents


Publication number
CN1764126A
Authority
CN
China
Prior art keywords
flow
network
attack
information
statistics
Prior art date
Legal status
Granted
Application number
CN 200510110267
Other languages
Chinese (zh)
Other versions
CN100384149C (en)
Inventor
杨树堂
陆松年
李建华
马进
周明春
Current Assignee
Shanghai Jiaotong University
Original Assignee
Shanghai Jiaotong University
Priority date
Filing date
Publication date
Application filed by Shanghai Jiaotong University filed Critical Shanghai Jiaotong University
Priority to CNB2005101102677A priority Critical patent/CN100384149C/en
Publication of CN1764126A publication Critical patent/CN1764126A/en
Application granted granted Critical
Publication of CN100384149C publication Critical patent/CN100384149C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Abstract

The method for detecting and monitoring bursty abnormal network traffic comprises: simulating worm attacks and DDoS (distributed denial of service) attacks on the NS-2 network simulator platform, collecting network traffic information with the NetFlow protocol, determining the behavioral characteristics of the anomaly source, and taking control measures to interrupt the attack. The invention is the first to combine signature comparison with traffic self-learning; it overcomes the limited analysis capability of the SNMP protocol and the difficulty of determining a traffic anomaly threshold, and greatly improves the efficiency and practicality of traffic monitoring. Experiments show that the method has good real-time performance and lays a good foundation for back-tracing.

Description

Method for detecting and monitoring bursty abnormal network traffic
Technical field
The present invention relates to a method in the field of network technology, specifically a method for detecting and monitoring bursty abnormal network traffic.
Background technology
Network-based attacks have become a serious obstacle to today's networked information systems, in particular worm attacks and distributed denial of service attacks. They exploit vulnerabilities in network services and system services, the finite nature of network and system resources, or the imperfections of network protocols and authentication mechanisms themselves; by launching a large-scale network attack in a short time they consume specific resources and achieve the goal of a denial of service attack. Existing network security mechanisms such as intrusion detection systems (IDS), firewalls, virtual private networks (VPN) and attack-tolerance techniques do not yet consider the detection and tracing of the source of a network attack, and even when an attack is detected they lack an automatic network-wide response. Against these traffic attacks, the countermeasures are mostly protection algorithms such as Random Drop and SYN Cookie, bandwidth limiting, IDS and firewall linkage, and analysis of the attack by technical specialists, but most of them have little effect: they can only mitigate DDoS attacks and cannot really solve them. The most critical problem is how to distinguish normal traffic from abnormal attack traffic efficiently. Relatively effective current approaches are the "black hole" technology of the Chinese company NSFOCUS and, internationally, the AM IPS technology developed by TopLayer. Network traffic anomaly monitoring is therefore the primary technical means of solving the abnormal traffic problem. Abnormal network traffic is currently collected in three common ways: monitoring based on full traffic mirroring, monitoring based on SNMP, and monitoring based on NetFlow. There is also a packet analysis (BPF) model based on capturing network packets. LAN administrators usually like to use MRTG, but its functionality is limited and its analysis capability is weak; the traffic information it collects is per-port statistics, which cannot be used for complex analysis. NetFlow, by contrast, satisfies the needs of network traffic anomaly analysis both in resource consumption and in the level of detail of the collected information.
A search of the prior art found Chinese patent application No. 200310101710.5, titled "A device and method for realizing abnormal flow control". That patent uses real-time sampling analysis: it analyzes short packets within a certain period rather than performing continuous dynamic analysis. Although this reduces the processing workload, the resulting statistics are not complete enough, and the approach cannot effectively detect bursty abnormal flows in short time slots.
Summary of the invention
The object of the invention is to address the deficiencies of the prior art by providing a method for detecting and monitoring bursty abnormal network traffic that, through model-based analysis of traffic, improves the efficiency of burst anomaly detection and gives intrusion detection a reliable basis for real-time back-tracing of, and protection against, the attack source.
The invention is achieved by the following technical solution: worm attacks and DDoS (distributed denial of service) attacks are simulated on the NS-2 network simulator platform, network traffic information is collected and analyzed with the NetFlow traffic analysis protocol, the behavioral characteristics of the anomaly source are determined, and finally corresponding control measures are taken to interrupt attacks of this kind.
The invention is further described below and comprises the following steps:
(1) traffic mapping and collection: collect traffic information for the whole network environment via NetFlow in the NS-2 simulation environment;
(2) statistics, classification and merging: classify traffic according to the sites that users visit, compute statistics on the classified traffic, and store them in the corresponding RRD round-robin database, building traffic records for different network zones and different time periods;
(3) simulate worm attacks and DDoS attacks, and collect and analyze the abnormal traffic features caused by the attacks with a statistics-based monitoring method; if a feature is not found in the information base, add it, and at the same time handle the anomaly;
(4) forecast network traffic by statistical analysis;
(5) draw visualization charts from the traffic information stored in the RRD database;
(6) trace the source of the attack traffic backward and correlate the related traffic information to determine the location of the attack source.
The invention targets the traditional MRTG-based traffic collection method. By combining NetFlow with anomaly detection and discrimination techniques, it solves the burst traffic congestion caused by DDoS and worm attacks and further improves the stability of network services. Traffic determined to be abnormal is handled through IDS linkage, achieving intelligent traffic control and management. During anomaly analysis the user does not need to set anything in advance: by combining signature detection with anomaly detection, unknown DDoS attack features are added to the information base dynamically, which further raises the level of intelligence of the technique.
The invention has low resource consumption and collects detailed information. It adopts the popular self-similar network prediction model, which reduces the intensity of information collection, extracts burst features reliably, and can greatly speed up data processing on network devices. Especially in complex network structures with many device resources and huge information flows, the invention solves the overload problem of SNMP-based traffic collection, so that the tolerance of the network is greatly improved. It is also low in cost, easy to deploy, efficient, and has little impact on the network.
Description of drawings
Fig. 1 is a flow chart of the present invention.
Fig. 2 is the 2-state hidden Markov model of the present invention.
Embodiment
The implementation of the invention is further described below with reference to the accompanying drawings. A system based on the method consists of six modules: an acquisition module, an analysis module, a detection and processing module, a traffic forecasting module, a graphics module and a back-tracing module. Each module is implemented as follows:
(1) acquisition module: traffic mapping and collection; collects traffic information for the whole network environment via NetFlow in the NS-2 simulation environment;
(2) analysis module: statistics, classification and merging; classifies traffic according to the sites that users visit, computes statistics on the classified traffic, and stores them in the corresponding RRD round-robin database, building traffic records for different network zones and different time periods;
(3) detection and processing module: simulates worm attacks and DDoS attacks, and collects and analyzes the abnormal traffic features caused by the attacks with a statistics-based monitoring method; if a feature is not found in the information base, it is added, and at the same time the anomaly is handled by cutting off the connection, filtering, rate limiting or similar means;
(4) traffic forecasting module: forecasts network traffic by statistical analysis, reducing resource consumption while improving the real-time performance of traffic processing;
(5) graphics module: draws visualization charts from the traffic information stored in the RRD database;
(6) back-tracing module: traces the source of the attack traffic backward and correlates the related traffic information to determine the location of the attack source. This provides a basis for legal resolution.
The statistics that NetFlow collects from network traffic include per-user statistics, per-protocol statistics, per-port statistics and per-device statistics. They give more detailed traffic information than the SNMP protocol, which operates at the link layer: when traffic changes suddenly, it is possible to determine quickly which protocol and which service port are affected, and then to identify the host that caused the sudden change in network traffic. Protocol analysis uses the high-performance RRD round-robin database, which is well suited to time-series storage and also provides powerful data compression and graphing functions, greatly improving data access efficiency.
In this embodiment, the bursty abnormal traffic caused by the DDoS and worm attacks simulated in the NS-2 environment is characterized statistically with a 2-state hidden Markov model (HMM). Compared with conventional threshold detection, this method has a lower false alarm rate and better real-time performance. It is implemented as follows:
The model assumes that the network flow rate follows a Gaussian distribution $N(\mu_h, \sigma_h)$, where $\mu_h$ is the mean and $\sigma_h$ is the variance. Transitions between the states follow the Markov transition matrix $T$, as shown in Fig. 2:
$$T = \begin{pmatrix} 1-p & p \\ q & 1-q \end{pmatrix}$$
The flows collected by NetFlow are classified statistically according to these six parameters $(\mu_1, \sigma_1, \mu_2, \sigma_2, p, q)$. The parameters are chosen according to the maximum likelihood criterion, that is, so that the probability of the observed data flow under these parameters is maximized. Studies show that this model is not sufficient to describe the characteristics of the whole network flow, but it is sufficient for classifying flows.
HMM-based flow classification has proven effective for detecting anomalous attacks such as DDoS. A detection window controls the amount of flow data processed at one time; the window size is generally 12, 18 or 24, which gives high real-time efficiency and satisfies the requirements of online monitoring. Unknown features extracted by anomaly detection are stored in a dynamic feature base, so that when an attack of the same kind occurs again, the attack type can be determined directly from the feature base.
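The 2-state Gaussian HMM and detection window described above, as an added example that is not code from the patent: the six parameters are fitted per window of 12 samples and each sample is assigned to the normal or burst state. Assumptions of this example: Baum-Welch (EM) is used as the maximum-likelihood estimator (the patent names only the criterion), σ is treated as a standard deviation, the `min_ratio` guard and all function names are hypothetical, and the sample rates are constructed.

```python
import math

def gauss(x, mu, sigma):
    """Gaussian density. sigma is treated as a standard deviation (assumption)."""
    z = (x - mu) / sigma
    return math.exp(-0.5 * z * z) / (sigma * math.sqrt(2.0 * math.pi))

def forward_backward(xs, mu, sigma, p, q):
    """Scaled forward-backward pass for T = [[1-p, p], [q, 1-q]].

    Returns per-sample state posteriors (gamma) and expected transition
    counts (xi). Index 0 is the patent's state 1 (normal), index 1 its
    state 2 (burst).
    """
    T = [[1.0 - p, p], [q, 1.0 - q]]
    n = len(xs)
    # Emission densities, floored so a far-off sample cannot zero a whole row.
    b = [[max(gauss(x, mu[s], sigma[s]), 1e-300) for s in (0, 1)] for x in xs]
    alpha, scale = [], []
    for t in range(n):
        if t == 0:
            a = [0.5 * b[0][s] for s in (0, 1)]      # uniform initial state
        else:
            a = [sum(alpha[t - 1][r] * T[r][s] for r in (0, 1)) * b[t][s]
                 for s in (0, 1)]
        c = a[0] + a[1]
        alpha.append([a[0] / c, a[1] / c])
        scale.append(c)
    beta = [[1.0, 1.0] for _ in range(n)]
    for t in range(n - 2, -1, -1):
        beta[t] = [sum(T[s][r] * b[t + 1][r] * beta[t + 1][r] for r in (0, 1))
                   / scale[t + 1] for s in (0, 1)]
    gamma = [[alpha[t][s] * beta[t][s] for s in (0, 1)] for t in range(n)]
    xi = [[0.0, 0.0], [0.0, 0.0]]
    for t in range(n - 1):
        for r in (0, 1):
            for s in (0, 1):
                xi[r][s] += (alpha[t][r] * T[r][s] * b[t + 1][s]
                             * beta[t + 1][s] / scale[t + 1])
    return gamma, xi

def fit(xs, iters=30, min_sigma=1.0):
    """Maximum-likelihood estimate of (mu, sigma, p, q) by Baum-Welch (EM)."""
    srt = sorted(xs)
    mu = [srt[len(srt) // 2], srt[-1]]       # start: median vs. peak rate
    spread = max((srt[-1] - srt[0]) / 4.0, min_sigma)
    sigma = [spread, spread]
    p = q = 0.1
    for _ in range(iters):
        gamma, xi = forward_backward(xs, mu, sigma, p, q)
        for s in (0, 1):
            w = sum(g[s] for g in gamma)
            mu[s] = sum(g[s] * x for g, x in zip(gamma, xs)) / w
            var = sum(g[s] * (x - mu[s]) ** 2 for g, x in zip(gamma, xs)) / w
            sigma[s] = max(math.sqrt(var), min_sigma)   # keep sigma from collapsing
        p = xi[0][1] / (xi[0][0] + xi[0][1])
        q = xi[1][0] / (xi[1][0] + xi[1][1])
    return mu, sigma, p, q

def detect(rates, window=12, min_ratio=2.0):
    """Return indices of samples assigned to the burst state.

    Each full window is fitted independently (a trailing partial window is
    ignored). A window is reported only when the higher state mean exceeds
    min_ratio times the lower one; without this guard (an assumption of this
    example) EM would split ordinary jitter in a quiet window into two states
    and flag part of it.
    """
    flagged = []
    for start in range(0, len(rates) - window + 1, window):
        xs = rates[start:start + window]
        mu, sigma, p, q = fit(xs)
        hi = 1 if mu[1] >= mu[0] else 0
        if not mu[hi] > min_ratio * mu[1 - hi]:
            continue
        gamma, _ = forward_backward(xs, mu, sigma, p, q)
        flagged += [start + t for t, g in enumerate(gamma) if g[hi] > 0.5]
    return flagged

# Constructed per-interval flow rates (e.g. flows per second from NetFlow
# export): 24 samples with a burst injected at indices 16..20.
SAMPLE = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96, 105, 98,
          101, 99, 103, 97, 950, 1010, 980, 1005, 990, 102, 98, 100]

if __name__ == "__main__":
    print(detect(SAMPLE))
    print(fit(SAMPLE[12:]))
```

The fitted p and q for the second window are the empirical switch rates between the two states, which is what the transition matrix T encodes.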
When judging anomalies, the method combines signature comparison with traffic self-learning, which is still a first in the field of flow-based network performance monitoring. It addresses the limited analysis capability of the SNMP protocol and the difficulty of determining a traffic anomaly threshold, and thereby greatly improves the efficiency and practicality of traffic monitoring. The invention was used to collect and manage traffic for designated monitored devices in the NS-2 simulation environment. Experiments show that the method has good real-time performance and that the flow information, after being stored and processed in RRD, is sufficiently detailed to characterize the network state, laying a good foundation for subsequent back-tracing.

Claims (5)

1. A method for detecting and monitoring bursty abnormal network traffic, characterized in that worm attacks and DDoS (distributed denial of service) attacks are simulated on the NS-2 network simulator platform, network traffic information is collected and analyzed with the NetFlow traffic analysis protocol, the behavioral characteristics of the anomaly source are determined, and finally corresponding control measures are taken to interrupt attacks of this kind.
2. The method for detecting and monitoring bursty abnormal network traffic according to claim 1, characterized in that it comprises the following steps:
(1) traffic mapping and collection: collect traffic information for the whole network environment via NetFlow in the NS-2 simulation environment;
(2) statistics, classification and merging: classify traffic according to the sites that users visit, compute statistics on the classified traffic, and store them in the corresponding RRD round-robin database, building traffic records for different network zones and different time periods;
(3) simulate worm attacks and DDoS attacks, and collect and analyze the abnormal traffic features caused by the attacks with a statistics-based monitoring method; if a feature is not found in the information base, add it, and at the same time handle the anomaly;
(4) forecast network traffic by statistical analysis;
(5) draw visualization charts from the traffic information stored in the RRD database;
(6) trace the source of the attack traffic backward and correlate the related traffic information to determine the location of the attack source.
3. The method for detecting and monitoring bursty abnormal network traffic according to claim 2, characterized in that the statistics that NetFlow collects from network traffic include per-user statistics, per-protocol statistics, per-port statistics and per-device statistics, giving more detailed traffic information than the SNMP protocol, which operates at the link layer; when traffic changes suddenly, it is possible to determine quickly which protocol and which service port are affected, and then to identify the host that caused the sudden change in network traffic.
4. The method for detecting and monitoring bursty abnormal network traffic according to claim 2, characterized in that the anomaly is handled by cutting off the connection, filtering or rate limiting.
5. The method for detecting and monitoring bursty abnormal network traffic according to claim 2, characterized in that the bursty abnormal traffic caused by the DDoS and worm attacks simulated in the NS-2 environment is characterized statistically with a 2-state hidden Markov model, implemented as follows:
The network flow rate is assumed to follow a Gaussian distribution $N(\mu_h, \sigma_h)$, where $\mu_h$ is the mean and $\sigma_h$ is the variance, and transitions between the states follow the Markov transition matrix $T$,
$$T = \begin{pmatrix} 1-p & p \\ q & 1-q \end{pmatrix}$$
The flows collected by NetFlow are classified statistically according to these six parameters $\mu_1, \sigma_1, \mu_2, \sigma_2, p, q$; the parameters are chosen according to the maximum likelihood criterion, that is, so that the probability of the observed data flow under these parameters is maximized.
CNB2005101102677A 2005-11-11 2005-11-11 Method for detecting and monitoring gusty abnormal network flow Expired - Fee Related CN100384149C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101102677A CN100384149C (en) 2005-11-11 2005-11-11 Method for detecting and monitoring gusty abnormal network flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005101102677A CN100384149C (en) 2005-11-11 2005-11-11 Method for detecting and monitoring gusty abnormal network flow

Publications (2)

Publication Number Publication Date
CN1764126A true CN1764126A (en) 2006-04-26
CN100384149C CN100384149C (en) 2008-04-23

Family

ID=36748092

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101102677A Expired - Fee Related CN100384149C (en) 2005-11-11 2005-11-11 Method for detecting and monitoring gusty abnormal network flow

Country Status (1)

Country Link
CN (1) CN100384149C (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1257632C (en) * 2002-12-11 2006-05-24 中国科学院研究生院 Firm gateway system and its attack detecting method
CN1282331C (en) * 2003-10-21 2006-10-25 中兴通讯股份有限公司 Device and method for realizing abnormal flow control

Cited By (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101136922B (en) * 2007-04-28 2011-04-13 华为技术有限公司 Service stream recognizing method, device and distributed refusal service attack defending method, system
CN104023342B (en) * 2007-11-20 2017-10-13 泰斯特瑞有限公司 For the system and method for the scale for determining cellular telecommunication network
CN101217377B (en) * 2008-01-18 2010-12-22 南京邮电大学 A detecting method of distributed denial of service attacking based on improved sequence scale regulation
CN101510826B (en) * 2008-12-17 2010-12-22 天津大学 DDoS aggression detection method based on visualization
CN101505219B (en) * 2009-03-18 2011-03-16 杭州华三通信技术有限公司 Method and protecting apparatus for defending denial of service attack
CN101521604B (en) * 2009-04-03 2011-04-20 南京邮电大学 Strategy-based distributed performance monitoring method
CN101714929B (en) * 2009-11-19 2012-03-07 中国科学院计算技术研究所 Method and system for quantitatively calculating network availability indexes
CN102821081B (en) * 2011-06-10 2014-12-17 中国电信股份有限公司 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
CN102209010A (en) * 2011-06-10 2011-10-05 北京神州绿盟信息安全科技股份有限公司 Network test system and method
CN102821081A (en) * 2011-06-10 2012-12-12 中国电信股份有限公司 Method and system for monitoring DDOS (distributed denial of service) attacks in small flow
CN102209010B (en) * 2011-06-10 2013-09-25 北京神州绿盟信息安全科技股份有限公司 Network test system and method
CN102281295B (en) * 2011-08-06 2015-01-21 黑龙江大学 Method for easing distributed denial of service attacks
CN102281295A (en) * 2011-08-06 2011-12-14 黑龙江大学 Method for easing distributed denial of service attacks
CN104038372A (en) * 2014-05-30 2014-09-10 国家电网公司 Power wide area network (WAN) flow monitoring method
CN104038372B (en) * 2014-05-30 2016-03-09 国家电网公司 Electric power wide area flux monitoring method
CN105337951B (en) * 2014-08-15 2019-04-23 中国电信股份有限公司 The method and apparatus of path backtracking is carried out to system attack
CN105337951A (en) * 2014-08-15 2016-02-17 中国电信股份有限公司 Method and device carrying out path backtracking for system attack
CN105681063A (en) * 2014-11-18 2016-06-15 中国移动通信集团北京有限公司 Method and apparatus for monitoring network index
CN106034056B (en) * 2015-03-18 2020-04-24 北京启明星辰信息安全技术有限公司 Method and system for analyzing business safety
CN106034056A (en) * 2015-03-18 2016-10-19 北京启明星辰信息安全技术有限公司 Service safety analysis method and system thereof
CN104796301A (en) * 2015-03-31 2015-07-22 北京奇艺世纪科技有限公司 Network traffic abnormity judgment and device
CN105187451B (en) * 2015-10-09 2018-10-09 携程计算机技术(上海)有限公司 Website traffic method for detecting abnormality and system
CN105187451A (en) * 2015-10-09 2015-12-23 携程计算机技术(上海)有限公司 Website flow abnormity detection method and system
CN106027406A (en) * 2016-05-23 2016-10-12 电子科技大学 NS3 simulation system flow importing method based on Netflow
CN106027406B (en) * 2016-05-23 2019-03-15 电子科技大学 NS3 analogue system flow introduction method based on Netflow
CN106209839A (en) * 2016-07-08 2016-12-07 杭州迪普科技有限公司 The means of defence of invasion message and device
CN106209839B (en) * 2016-07-08 2019-08-06 杭州迪普科技股份有限公司 Invade the means of defence and device of message
CN106789944A (en) * 2016-11-29 2017-05-31 神州网云(北京)信息技术有限公司 Attack main body in attack determines method and device
CN106453434A (en) * 2016-12-20 2017-02-22 北京启明星辰信息安全技术有限公司 Monitoring method and monitoring system for network traffic
CN106899601A (en) * 2017-03-10 2017-06-27 北京华清信安科技有限公司 Network attack defence installation and method based on cloud and local platform
CN107800706B (en) * 2017-11-06 2021-03-30 国网福建省电力有限公司 Network attack dynamic monitoring method based on Gaussian distribution model
CN107800706A (en) * 2017-11-06 2018-03-13 国网福建省电力有限公司 A kind of network attack dynamic monitoring method based on Gaussian distribution model
CN111198805A (en) * 2018-11-20 2020-05-26 北京京东尚科信息技术有限公司 Abnormity monitoring method and device
CN111198805B (en) * 2018-11-20 2024-02-02 北京京东尚科信息技术有限公司 Abnormality monitoring method and device
CN109639524A (en) * 2018-12-13 2019-04-16 国网上海市电力公司 Communication network data method for visualizing, device and equipment based on volume forecasting
CN111343206B (en) * 2020-05-19 2020-08-21 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN111343206A (en) * 2020-05-19 2020-06-26 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN112152895A (en) * 2020-09-02 2020-12-29 珠海格力电器股份有限公司 Intelligent household equipment control method, device, equipment and computer readable medium
CN113038035A (en) * 2020-10-29 2021-06-25 中国农业银行股份有限公司福建省分行 AI video point counting method for live pig breeding
CN113038035B (en) * 2020-10-29 2022-05-17 中国农业银行股份有限公司福建省分行 AI video point counting method for live pig breeding
CN112422433A (en) * 2020-11-10 2021-02-26 合肥浩瀚深度信息技术有限公司 DDoS attack tracing method, device and system based on NetFlow
CN114978617A (en) * 2022-05-06 2022-08-30 国网湖北省电力有限公司信息通信公司 Network attack threat statistical judgment method based on Markov process learning model
CN114978617B (en) * 2022-05-06 2023-08-08 国网湖北省电力有限公司信息通信公司 Network attack threat statistics judgment method based on Markov process learning model

Also Published As

Publication number Publication date
CN100384149C (en) 2008-04-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080423

Termination date: 20211111