CN1968180A - Multilevel aggregation-based abnormal flow control method and system - Google Patents

Multilevel aggregation-based abnormal flow control method and system

Info

Publication number: CN1968180A (application CN200510095449A; granted as CN100502356C)
Authority: CN (China)
Prior art keywords: module, rule, address, abnormal, flow
Legal status: granted; expired (fee related). The legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis.
Original language: Chinese (zh)
Inventors: 陈建业, 李斌, 孙知信, 宫婧
Current and original assignee: ZTE Corp (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Abstract

The invention relates to an abnormal traffic control system based on multilevel aggregation. It comprises the following subsystems: an abnormal-traffic recognition subsystem that samples packets and performs address aggregation; an abnormal-traffic classification-rule auto-generation subsystem that handles aggregation-pattern design, second-level pattern aggregation, packet classification and data management; and an abnormal-traffic matching and rejection subsystem that, based on the result of second-level pattern aggregation, assigns different priority levels to the rate limit of each aggregate and limits abnormal aggregates with a fast method. The invention also provides a corresponding control method. It performs first-level address aggregation and second-level pattern aggregation analysis on the sampled data, reducing the bandwidth wasted on forwarding attack traffic and improving router and bandwidth utilization.

Description

Abnormal traffic control method and system based on multilevel aggregation
Technical field
The present invention relates to routing technology in computer networks and telecommunications networks, and in particular to technology for detecting and defending against abnormal traffic on a router.
Background technology
As networks grow in scale, the open architecture of the network, together with the fact that the TCP/IP protocol suite on which the Internet is built gave little consideration to security, has made network security a major problem that network operators must face and solve. Openly available attack tools are rampant on the network; with very little networking knowledge one can easily damage a network. Monitoring and controlling the use of network bandwidth is therefore a critical problem.
Traditional network security technology concentrates on system-level intrusion detection, anti-virus and firewalls in the user network. Such measures generally cannot reduce the improper traffic in the carrier network, and against constantly evolving DoS/DDoS attacks in particular the user network is left in a state of passive defence. If large amounts of improper traffic are allowed to exist in the carrier network, this on the one hand creates the conditions for malicious attacks and affects normal use by network users; on the other hand, if such traffic is aimed directly at the network and its routing and switching equipment, it may degrade the performance of the network equipment or even interrupt service. From a security standpoint, therefore, it is of great significance to reduce abnormal traffic in the network, to contain denial-of-service attacks against user networks or intermediate equipment, and to give network and routing/switching equipment the ability to monitor abnormal traffic and resist denial-of-service attacks.
Routers in the network need to be able to monitor aggressive abnormal traffic and respond to it, applying intervention rules based on the statistical characteristics of packets to suppress or reject the illegitimate traffic. Routers must also forward at high speed, so a highly efficient algorithm for capture, analysis and intervention is needed: one that can analyse and decide quickly without consuming excessive system resources, and that can supplement the filtering rules by generating filter entries with which to intervene against abnormal traffic. The prior art cannot satisfy these requirements.
Summary of the invention
The purpose of the invention is to provide an abnormal traffic control method and system based on multilevel aggregation (Aggregates-Oriented Multi-Levels Anomaly Traffic Control Mechanism in Router, abbreviated A.M.A.T) that can detect and defend against abnormal traffic on a router while meeting practical requirements in resource usage, detection efficiency and accuracy.
The present invention adopts the following technical solution:
An abnormal traffic control system based on multilevel aggregation comprises the following subsystems:
an abnormal-traffic recognition subsystem, for sampling data in different scenarios and performing address aggregation;
an abnormal-traffic classification-rule auto-generation subsystem, for aggregation-pattern design, second-level pattern aggregation, packet classification and data management;
an abnormal-traffic matching and rejection subsystem, for setting different priority levels for the rate limit of each aggregate according to the result of second-level pattern aggregation, and for limiting abnormal aggregate traffic with a fair, reasonable, fast and effective method.
Further, the abnormal-traffic recognition subsystem uses a recognition algorithm and a history information table to increase the accuracy of attack judgement, and combines an anti-jitter algorithm with the address aggregation algorithm, judging anomalies by a cumulative value to increase its ability to recognize pulse attacks.
Further, the classification-rule auto-generation subsystem derives different aggregation patterns from the statistical characteristics of specific protocols.
An abnormal traffic control system based on multilevel aggregation comprises the following modules:
Module a, packet sampling module: samples packets;
Module b, flow-intensity aggregation module: finds destination IPs with high-intensity aggregation within a certain time period;
Module c, abnormal-pattern aggregation module: classifies abnormal traffic by second-level pattern aggregation, so that the defence rule generation module can analyse the aggregate flowing to the address, generate rules, and notify the rule execution and feedback module to respond appropriately;
Module d, defence rule generation module: according to the attacked IP address and attack protocol obtained by the abnormal-pattern aggregation module, gathers statistics on the characteristics of packets flowing to that IP address, generates attack defence rules, and passes them to the rule execution and feedback module so that it can respond appropriately;
Module e, destination address identification module: judges whether the destination IP of an IP packet matches a check rule among the attack defence rules;
Module f, rule execution and feedback module: after judging a received IP packet by its destination IP address and the protocol it uses, executes the defence rule and feeds back the result of the rule's execution.
Further, the system also comprises module g, a system information output module, which writes the output information of the related modules to a log file.
Further, the system also comprises module h, a performance monitoring module, which triggers the packet sampling module.
Further, the packet sampling module uses a content-triggered distributed sampling algorithm and switches automatically to fixed-interval sampling when that algorithm fails.
Further, the flow-intensity aggregation module aggregates the sampled data directly using a hash table.
Further, the flow-intensity aggregation module uses a 4x256 two-dimensional array to hash destination IP addresses: the destination IP is split into four parts of one byte each, each byte indexes a position in its row, so the four bytes map onto the four rows of the two-dimensional array. The system sets overflow thresholds and a periodic clearing mechanism; when all four thresholds are exceeded, the destination IP is judged to carry high-intensity traffic.
An abnormal traffic control method based on multilevel aggregation comprises the following steps:
Step 1: sample packets;
Step 2: aggregate destination IPs with high-intensity traffic within a certain time period;
Step 3: classify the abnormal traffic by second-level pattern aggregation, obtaining the attacked IP address and the attack protocol;
Step 4: according to the attacked IP address and attack protocol obtained in step 3, gather statistics on the characteristics of packets flowing to that IP address and generate attack defence rules;
Step 5: judge whether the destination IP of an IP packet matches a check rule among the attack defence rules;
Step 6: after judging a received IP packet by its destination IP address and the protocol it uses, execute the defence rule and feed back the result of the rule's execution.
Further, the invention also comprises step 7: write the output information of the related modules to a log file.
Further, the packet sampling uses a content-triggered distributed sampling algorithm and switches automatically to fixed-interval sampling when that algorithm fails.
Further, step 2 aggregates the sampled data directly using a hash table.
Further, step 2 aggregates the sampled data using a 4x256 two-dimensional array to hash destination IP addresses: the destination IP is split into four parts of one byte each, each byte indexes a position in its row, so the four bytes map onto the four rows of the two-dimensional array. The system sets overflow thresholds and a periodic clearing mechanism; when all four thresholds are exceeded, the destination IP is judged to carry high-intensity traffic.
Further, in step 5 the check rules are protocol-specific: each IP has three protocol check rules, for TCP, UDP and ICMP. After the IP matches, the protocol of the packet is also checked against the corresponding protocol rule in force in the check rule; only if both match is the packet's IP information collected into the processing queue.
Compared with the prior art, the present invention samples packets in the forwarding path and performs first-level address aggregation and second-level pattern aggregation analysis directly on that data. This multi-layer analysis strategy based on aggregate traffic per destination IP address identifies more clearly the aggregates in which a traffic attack is occurring, applies filtering policies to the attack traffic directly on the router, effectively reduces the bandwidth the network wastes forwarding attack traffic, and improves the utilization efficiency of the router and of network bandwidth.
Description of drawings
Fig. 1 is the overall flow chart of the method of the invention;
Fig. 2 is the module data flow diagram of the system of the invention;
Fig. 3 is the process diagram of the system of the invention;
Fig. 4 is the kernel-space data flow diagram of the system of the invention;
Fig. 5 is the user-space data flow diagram of the system of the invention;
Fig. 6 shows the invention applied in an edge network;
Fig. 7 shows the invention applied in a backbone network.
Embodiment
The invention provides a new abnormal traffic control method and system based on multilevel aggregation (A.M.A.T, Aggregates-Oriented Multi-Levels Anomaly Traffic Control Mechanism in Router) with high detection efficiency and detection accuracy. The specific embodiment of the invention is described in detail below with reference to the drawings.
The abnormal traffic control system based on multilevel aggregation of the present invention comprises the following subsystems:
Abnormal-traffic recognition subsystem: samples data in a manner suited to each scenario and performs address aggregation through first-level address aggregation, an improved algorithm and a CUSUM (cumulative sum) algorithm. The subsystem uses an advanced recognition algorithm and a history information table to increase the accuracy of attack judgement, and combines an anti-jitter algorithm with the address aggregation algorithm, judging anomalies by a cumulative value to increase its ability to recognize pulse attacks.
Abnormal-traffic classification-rule auto-generation subsystem: mainly comprises aggregation-pattern design, the second-level pattern aggregation algorithm, packet classification and a data management algorithm based on Adapted-MULTOPS. The classification criteria for abnormal traffic are derived from the statistical characteristics of specific protocols, yielding different aggregation patterns; because these patterns rest on statistical properties, the method is robust to changes in attack technique. Aggregating per protocol also isolates the protocols from one another: an attack using one protocol cannot affect the traffic of another protocol. Several classification modes are provided for each of TCP, UDP and ICMP packets.
Abnormal-traffic matching and rejection subsystem: according to the result of second-level pattern aggregation, sets different priority levels for the rate limit of each aggregate and limits abnormal aggregate traffic with a fair, reasonable, fast and effective method. Matching and rejection adopt different attack-response strategies according to the result of the classification module; the objective is to bring the router's state back into a reasonable range quickly while guaranteeing the survival rate of normal packets.
On the basis of the three subsystems above, the A.M.A.T system of the invention can be further divided into seven modules: the packet sampling module, flow-intensity aggregation module, abnormal-pattern aggregation module, defence rule generation module, destination address identification module, rule execution and feedback module, and system information output module. They are described in turn below:
Module a, packet sampling module: the packet sampling module uses a content-triggered distributed sampling algorithm, which is efficient, keeps the waveform of the sampled traffic undistorted, and relieves the system of keeping statistics on every packet. Under some attack techniques this sampling algorithm may fail; the system then switches automatically to fixed-interval sampling, that is, simply sampling one packet in every N IP packets.
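The sampling behaviour described for module a, as an added example that is not part of the patent or of ZTE's implementation. The patent says only that sampling is content-triggered and distributed, and that the module falls back to one-in-N sampling when the content-triggered algorithm fails; the concrete trigger (a hash of per-packet header fields compared with a target fraction), the failure test (the realised sampling fraction leaving a band around the target) and every constant are assumptions made for this example. The constructed flood shows the failure mode: packets whose header fields never vary make a content-keyed decision constant, so the sampler either takes everything or nothing until the fallback engages.

```python
"""Packet sampling: content-triggered selection with a fixed-interval fallback.

Added example; not the patent's code. The trigger, the failure test and all
constants are assumptions (see the lead-in above).
"""
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "TCP", "UDP" or "ICMP"
    ip_id: int      # IP identification field
    length: int     # total length in bytes


class ContentTriggeredSampler:
    """Select a packet when a hash of its header fields falls under a target.

    The decision depends only on packet content, so every router that sees
    the same packet makes the same choice (the 'distributed' property).
    Traffic whose header fields never vary makes the decision the same for
    every packet, which is the failure mode the fallback below handles.
    """
    def __init__(self, fraction):
        self.limit = int(fraction * 2 ** 32)

    def want(self, pkt):
        key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.ip_id}|{pkt.length}".encode()
        return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") < self.limit


class AdaptiveSampler:
    """Content-triggered sampling that falls back to one-in-N sampling.

    After every `window` packets the realised sampling fraction is compared
    with the target; if it leaves [target/4, 4*target] the sampler switches
    to fixed-interval sampling (every N-th packet, N = 1/target).
    """
    def __init__(self, fraction=0.05, window=1000):
        self.fraction = fraction
        self.content = ContentTriggeredSampler(fraction)
        self.n = max(1, round(1 / fraction))
        self.window = window
        self.mode = "content"
        self.seen = 0
        self.seen_in_window = 0
        self.taken_in_window = 0

    def want(self, pkt):
        self.seen += 1
        self.seen_in_window += 1
        if self.mode == "content":
            take = self.content.want(pkt)
        else:
            take = self.seen % self.n == 0
        self.taken_in_window += take
        if self.seen_in_window == self.window:
            self._check_window()
        return take

    def _check_window(self):
        realised = self.taken_in_window / self.seen_in_window
        lo, hi = self.fraction / 4, self.fraction * 4
        if self.mode == "content" and not lo <= realised <= hi:
            self.mode = "fixed"          # content trigger is being defeated
        self.seen_in_window = self.taken_in_window = 0


def sample(sampler, packets):
    """Run the sampler over a packet list and return the packets it selected."""
    return [p for p in packets if sampler.want(p)]


def normal_traffic(count, seed=1):
    """Constructed traffic with varying headers (not captured data)."""
    rng = random.Random(seed)
    return [Packet(f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}",
                   "192.0.2.10", rng.choice(("TCP", "UDP", "ICMP")),
                   rng.randrange(65536), rng.randrange(40, 1500))
            for _ in range(count)]


def replay_flood(count):
    """Constructed attack: every packet carries identical header fields."""
    return [Packet("203.0.113.5", "192.0.2.10", "UDP", 0, 64)] * count
```

With the defaults, 5000 packets of the constructed normal traffic leave the sampler in content mode and yield roughly 250 samples; 1000 identical flood packets push the realised fraction to 0 or 1, the window check switches the mode to "fixed", and from then on exactly one packet in twenty is taken regardless of content.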
Module b, flow-intensity aggregation module: intensity aggregation uses a hash table, mainly to find destination IPs with high-intensity aggregation within a certain time period. It aggregates the sampled data directly, which in practice reduces storage and computation requirements while keeping the traffic intensity undistorted. A hash table is a fast lookup method; the A.M.A.T system uses a 4x256 two-dimensional array to hash destination IP addresses. The destination IP is first split into four parts of one byte (8 bits) each; each byte indexes a position in its row, so the four bytes map onto the four rows of the two-dimensional array. The system sets overflow thresholds and a periodic clearing mechanism; when all four thresholds are exceeded, the destination IP is considered to carry high-intensity traffic.
Module c, abnormal-pattern aggregation module: the first-level address aggregation of the flow-intensity aggregation module yields the address set of the abnormal traffic. The purpose of second-level pattern aggregation is to classify the abnormal traffic further, narrow its scope, and find accurately the IP address of the attacked host and the attack type, so that the rule generation module can analyse the aggregate flowing to that address, generate rules, and notify the response module to respond appropriately.
Module d, defence rule generation module: the rule generation module takes the attacked IP address and attack protocol obtained by the second-level aggregation module, gathers statistics on the characteristics of packets flowing to that IP address, generates attack defence rules, and passes them to the attack-response module so that it can respond appropriately. A rule may be a dynamically generated ACL entry or a dynamic rate limit.
Module e, destination address identification module: the defence rules of the A.M.A.T system form a set. Judging an IP packet means judging whether its destination IP matches a check rule in that set; a match does not by itself mean the packet must be checked, because the check rules in A.M.A.T are also tied to a specific protocol. The A.M.A.T system keeps three protocol check rules per IP, for TCP, UDP and ICMP (extensible to other protocols as required). So after the IP matches, the protocol of the packet is also checked against the corresponding protocol rule in force; only if both match is the packet's IP information collected into the processing queue.
Module f, rule execution and feedback module: the rule execution module is the key module of the A.M.A.T system. After judging a received IP packet by its destination IP address and the protocol it uses, it executes the defence rule and feeds back the result of the rule's execution.
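Modules d, e and f together, as an added example that is not the patent's or ZTE's code. It keeps what the patent states: rules are held per destination IP with one TCP, one UDP and one ICMP check-rule slot; a rule is either a dynamic ACL entry or a dynamic rate limit; a packet is matched on destination first and then on whether the protocol slot is in force; and execution results are fed back to the rule generator. The sliding-window statistic (the Fig. 2 description mentions one without detail), the policy "no baseline traffic of that protocol means drop, otherwise limit to the baseline", the per-slot token bucket and the `attack_over` retirement test are assumptions made for this example.

```python
"""Defence-rule generation, destination identification and rule execution
with feedback. Added example; not the patent's code. The window statistic,
the generation policy and the limiter are assumptions (see lead-in).
"""
from collections import defaultdict, deque
from dataclasses import dataclass

PROTOS = ("TCP", "UDP", "ICMP")   # the three protocol check-rule slots


@dataclass(frozen=True)
class Rule:
    dst: str
    proto: str
    action: str        # "drop" (dynamic ACL entry) or "limit" (dynamic rate limit)
    pps: int = 0       # packets allowed per slot when action == "limit"


class SlidingWindow:
    """Packet counts per (dst, proto) over the last `size` time slots."""
    def __init__(self, size=4):
        self.slots = deque(maxlen=size)

    def push(self, counts):
        """counts: {(dst, proto): packets} observed during one slot."""
        self.slots.append(dict(counts))

    def rate(self, dst, proto):
        if not self.slots:
            return 0.0
        return sum(s.get((dst, proto), 0) for s in self.slots) / len(self.slots)


def generate_rule(window, dst, proto):
    """Module d (assumed policy). (dst, proto) is the attacked pair reported by
    second-level aggregation; the window holds the pre-attack statistics.
    No baseline traffic of this protocol -> dynamic ACL drop; otherwise rate-limit
    to the baseline so legitimate flows keep their usual share."""
    if proto not in PROTOS:
        raise ValueError(f"no check-rule slot for protocol {proto}")
    baseline = window.rate(dst, proto)
    if baseline == 0:
        return Rule(dst, proto, "drop")
    return Rule(dst, proto, "limit", pps=int(round(baseline)))


class RuleSet:
    """Module e: rules keyed by destination IP, one slot per protocol."""
    def __init__(self):
        self.by_dst = {}

    def install(self, rule):
        self.by_dst.setdefault(rule.dst, {})[rule.proto] = rule

    def match(self, dst, proto):
        """Destination first; a destination hit alone is not enough, the
        protocol slot must also be in force. None means forward normally."""
        slots = self.by_dst.get(dst)
        if slots is None:
            return None
        return slots.get(proto)


class RuleExecutor:
    """Module f: apply the rules to one slot of packets and record the outcome."""
    def __init__(self, ruleset):
        self.ruleset = ruleset
        self.stats = {}

    def process(self, packets):
        """packets: list of (dst, proto) for one slot; returns the packets to forward."""
        self.stats = defaultdict(lambda: {"passed": 0, "dropped": 0})
        tokens = {(r.dst, r.proto): r.pps            # one slot's worth of tokens
                  for slots in self.ruleset.by_dst.values()
                  for r in slots.values() if r.action == "limit"}
        forwarded = []
        for dst, proto in packets:
            rule = self.ruleset.match(dst, proto)
            if rule is None:                        # not under any rule
                forwarded.append((dst, proto))
                continue
            key = (dst, proto)
            if rule.action == "limit" and tokens[key] > 0:
                tokens[key] -= 1
                self.stats[key]["passed"] += 1
                forwarded.append((dst, proto))
            else:                                   # ACL drop, or limit exhausted
                self.stats[key]["dropped"] += 1
        return forwarded

    def feedback(self):
        """Execution result of the last slot, returned to the rule generator."""
        return {k: dict(v) for k, v in self.stats.items()}


def attack_over(executor, rule):
    """Assumed use of the feedback: a rule can be retired once a whole slot
    passes without dropping anything under it."""
    st = executor.stats.get((rule.dst, rule.proto))
    return st is None or st["dropped"] == 0
```

A slot in which 5000 UDP packets arrive for a destination whose UDP baseline was 100 per slot forwards 100 and drops 4900; ICMP to the same destination, which had no baseline, is dropped outright by the ACL rule, while TCP to that destination and UDP to an unlisted destination are forwarded untouched because no slot is in force for them.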
Module g, system information output module: the A.M.A.T system provides a system information output module responsible for writing the output information of the related modules to a log file.
The above modules have the following characteristics. In modules a and b, first-level address aggregation uses the content-triggered distributed sampling algorithm, which is highly efficient, satisfies the randomness required of packet sampling statistics, and keeps the network traffic waveform undistorted. In module b, first-level address aggregation uses an improved Counter Bloom Filter table with an added record table structure that holds the necessary historical information: on the one hand it filters out flows that pass through the hash mapping table without causing an overflow, preserving the historical continuity of the hash mapping; on the other hand it filters the flows that pass through the hash mapping table and do cause an overflow, releasing falsely aggregated flows. An aggregation algorithm resistant to aggregation jitter is also used: when a pulse attack occurs, the Bloom filter algorithm oscillates and cannot judge attack aggregates stably, so to make the algorithm more stable and exclude the influence of attack strength jittering over time, an aggregation algorithm resistant to aggregation jitter is adopted. In module c, second-level pattern aggregation is performed on the suspicious IP addresses of abnormal traffic obtained by first-level address aggregation, further classifying the abnormal traffic, narrowing its scope and finding malicious abnormal traffic more accurately, so that the response policy can respond appropriately according to the degree of malice of each aggregate. Data management of the packet information of the abnormal IP addresses produced by second-level aggregation uses a scheme based on Adapted-MULTOPS, which supports fast search and location within a space of fixed size and can expand and shrink within allowed limits. Multi-layer pattern aggregation performs protocol analysis on the IP packets passing the first-level address filter and divides them into three classes: TCP, UDP and ICMP (IP packets of other protocols are not aggregated). Since such an aggregate might be caused by a legitimate burst of data (a flash crowd), the invention designs the aggregation pattern table according to the statistical properties of the different protocols, so as to judge and filter attack traffic accurately.
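The first-level address aggregation of module b, as an added example that is not the patent's or ZTE's code; it serves both the 4x256 table described in the summary and the history-table and anti-jitter description above. The 4x256 counter table, the "all four byte counters over the threshold" test and the periodic clearing follow the patent's text. The rest is this example's reading of it: the history table keeps exact per-destination counts only for destinations the counter table has flagged, which is what releases a falsely aggregated destination whose four bytes happen to collide with those of two genuinely heavy destinations; and a CUSUM-style cumulative score per destination must reach `alert_score` before an alert is raised, which keeps a pulse attack recognized across its off periods instead of flapping. All thresholds, window sizes and the score arithmetic are assumptions.

```python
"""Flow-intensity aggregation on destination IPs: 4x256 counter table, history
table and anti-jitter cumulative score. Added example; not the patent's code.
Thresholds, window sizes and the scoring rule are assumptions (see lead-in).
"""
import ipaddress


class IntensityTable:
    """Four rows of 256 counters, one row per byte of the destination IPv4 address.

    Like a counting Bloom filter, the table never misses a heavy destination but
    can flag a light one whose four bytes each coincide with a heavy one's.
    """
    def __init__(self, threshold):
        self.threshold = threshold
        self.clear()

    def add(self, dst):
        """Count one sampled packet; True when all four of dst's byte counters exceed the threshold."""
        b = ipaddress.IPv4Address(dst).packed
        for pos in range(4):
            self.rows[pos][b[pos]] += 1
        return all(self.rows[pos][b[pos]] > self.threshold for pos in range(4))

    def clear(self):
        """Periodic clearing mechanism: called at the end of each time window."""
        self.rows = [[0] * 256 for _ in range(4)]


class FlowIntensityAggregator:
    def __init__(self, threshold=500, alert_score=3, forget_after=3):
        self.table = IntensityTable(threshold)
        self.threshold = threshold
        self.alert_score = alert_score
        self.forget_after = forget_after
        self.history = {}      # dst -> {"score": cumulative score, "idle": windows since last flagged}
        self.exact = {}        # exact per-window counts, kept only for destinations in history
        self.flagged = set()   # destinations the counter table tripped this window

    def observe(self, dst):
        """Feed the destination address of one sampled packet."""
        if self.table.add(dst):
            self.flagged.add(dst)
        if dst in self.history:
            self.exact[dst] = self.exact.get(dst, 0) + 1

    def end_window(self):
        """Close the window: verify history entries by exact count, update the
        cumulative scores, clear the counters. Returns the alerted destinations."""
        alerts = []
        for dst, ent in list(self.history.items()):
            if self.exact.get(dst, 0) > self.threshold:      # verified by exact count
                ent["score"] = min(ent["score"] + 2, 2 * self.alert_score)
            else:                                             # table hit only, or quiet window
                ent["score"] = max(ent["score"] - 1, 0)
            ent["idle"] = 0 if dst in self.flagged else ent["idle"] + 1
            if ent["score"] >= self.alert_score:
                alerts.append(dst)
            if ent["score"] == 0 and ent["idle"] >= self.forget_after:
                del self.history[dst]
        for dst in self.flagged:                 # newly flagged: counted exactly from the next window
            self.history.setdefault(dst, {"score": 0, "idle": 0})
        self.exact.clear()
        self.flagged.clear()
        self.table.clear()
        return sorted(alerts)
```

With a threshold of 500, floods to 192.0.2.10 and 10.1.1.192 leave every byte counter of 10.0.2.10 above the threshold, so a single packet to it trips the table; the exact count in the history table keeps that destination from ever alerting, while the two real floods alert in the third window. An attacker who sends 800 packets in every other window is alerted in the fifth window, because the score only decays by one per quiet window.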
Fig. 1 is the overall flow chart of the method. A router's main function is forwarding, and for performance reasons not every packet can be counted or inspected. The invention therefore provides a performance monitoring module as the trigger point for the packet sampling module. The performance monitoring module uses SNMP parameters (such as packet loss rate and resource utilization); once it finds that the router's performance parameters have changed and reached a certain threshold, an abnormal traffic load is assumed and the packet sampling module is started. The sampling module samples packets at the corresponding frequency and with the corresponding method and supplies them to the flow-intensity aggregation module. The flow-intensity aggregation module is the core of the system: it judges whether abnormal traffic has occurred on the router and locates the abnormal aggregate, combining the data parameters of the performance monitoring module in a comprehensive analysis. It first performs first-level aggregation on destination addresses, yielding the set of destination addresses with very high packet intensity; the abnormal-pattern aggregation module then performs second-level pattern aggregation on that address set, subdividing the aggregates and determining the degree of malice of each, which decides the rate-limit priority level of the aggregate. Once a conclusion is reached, the attack-response policy calculates and allocates a limiting rate for each aggregate, filters the traffic according to the attack pattern, and finally discards the attack traffic while normal traffic is handed to the router for further processing. This is a continuously feeding-back, cyclic process.
Fig. 2 is the module data flow diagram of the system. In this embodiment the A.M.A.T system is designed on a router and uses A.M.A.T address aggregation, pattern recognition, rule generation and execution and related techniques to monitor and reject abnormal traffic on the network. The implementation is divided into a user-space part and a kernel-space part, which communicate through a message mechanism. The packet sampling module samples packets and reflects traffic changes in the network faithfully without consuming excessive system resources; its algorithm is simple and efficient with little computation, and it is implemented in kernel space. The flow-intensity aggregation module uses a Counter Bloom Filter table to aggregate and count the IP packets with the same destination IP among the sampled packets, yielding the high-intensity destination IPs; the algorithm is simple and efficient but must process a huge number of packets, so it is implemented in kernel space. The abnormal-pattern aggregation module further determines whether a high-intensity destination IP is an anomalous attack; the computation is complex and needs more space, so it is implemented in user space. The DoS/DDoS defence rule generation module performs statistical analysis with a sliding-window mechanism according to the characteristics of the abnormal traffic and generates defence rules; the computation is relatively complex and needs more space, so it is implemented in user space. The destination address identification module simply compares destination IPs to decide whether a given IP packet needs to be passed up to the requesting module; speed is critical, so it is implemented in kernel space. The rule execution and feedback module filters abnormal traffic according to the defence rules and feeds the execution effect back to the rule generation module; speed is critical and a user-space implementation would greatly reduce efficiency, so it is implemented in kernel space. The system information output module involves the file system, recording the output information of each module and saving it as a log; it is implemented in user space.
Fig. 3 is the process diagram of the system. There are three main processes in kernel space: the ingress process, the egress process and the message service process. The ingress process mainly performs IP packet sampling and first-level address aggregation, and sends packet information units, log information and the aggregated IP information of destination IPs with high-intensity aggregation to user space, where they enter the user queue. The egress process mainly filters IP packets according to the rules and feeds execution-effect messages back to the rule generation module. The message service process mainly receives the messages sent by the various user processes; it is a message-processing loop. The main messages handled are: 1) a request that the kernel stop sending IP details to user space (this function is currently reserved); 2) a new defence rule sent by a user process, requesting that the kernel process add it to or update the rule set; 3) the PID sent by a user process at start-up, notifying the kernel that the user process has started; 4) the PID sent by the log process at start-up, notifying the kernel that the log process has started (at present the log process is not a separate process but runs together with the other A.M.A.T user processes); 5) an exit message sent by a user process on exit, notifying the kernel that the user process has exited.
Fig. 4 is the kernel-space data flow diagram of the system. The message service process uses a message pool to receive all user-layer messages and configures global parameters according to their content. All IP packets entering the router are first intercepted by the ingress process and then split, with the abnormal traffic handed to the egress process for further processing. The ingress and egress processes use some global parameters and, when necessary, send messages to the user layer through the message pool. The message pool is a region of shared memory: data to be sent is placed in the pool and forwarded from there to the corresponding user-layer process. The message service process handles all messages sent from the user layer, including parameter configuration, with different handling for each. The ingress process intercepts all incoming IP packets; its core functions are: 1) maintain traffic statistics; 2) send filled log buffers to user space; 3) sample packets and perform address aggregation on the sampled IP packets; 4) send destination addresses whose aggregation overflows to user space; 5) split traffic according to the current record rule table; 6) collect the necessary traffic information and send it to user space; 7) hand abnormal traffic to the egress process; 8) inject normal traffic into the normal route.
The egress process handles abnormal traffic according to the filtering rules; its core functions are: 1) buffer a number of IP packets; 2) when the number of buffered packets reaches a detectable amount, detect according to the rules; 3) decide which packets to discard according to the detection result; 4) maintain traffic statistics.
Fig. 5 is the user-space data flow diagram of the system. The message process receives all messages from kernel space and, according to the message type, hands the data carried by each message to the corresponding process for subsequent handling. The configuration and traffic-handling processes send configuration messages directly to the message pool. The four data-handling processes share some global parameters and pass messages to each other. The message process dispatches messages by type; the traffic-handling process handles the current traffic information; the feedback-pattern-handling process handles the filter-rule information fed back by the kernel; the abnormal-aggregate IP handling process handles the abnormal aggregated IP information the kernel sends; the log output process handles the traffic statistics the kernel sends and writes the log information to a file.
Fig. 6 is an application example of the invention in an edge network: A.M.A.T is deployed on low-end routers to block and limit abnormal traffic attacking the target network.
Fig. 7 is an application example of the invention in a core network: A.M.A.T is deployed on every high-end router in a distributed structure, screening abnormal traffic effectively, keeping the backbone layer of the network unobstructed and improving network bandwidth utilization.
In summary, the abnormal traffic control (A.M.A.T) method and system based on multilevel aggregation proposed by the invention and built into the router samples packets in the forwarding path and performs first-level address aggregation and second-level pattern aggregation analysis directly on that data. This multi-layer analysis strategy based on aggregate traffic per destination IP address identifies more clearly the aggregates in which a traffic attack is occurring, applies filtering policies to the attack traffic directly on the router, effectively reduces the bandwidth the network wastes forwarding attack traffic, and improves the utilization efficiency of the router and of network bandwidth.
Of course, the invention may have various other embodiments. Those of ordinary skill in the art can make various corresponding changes and variations according to the invention without departing from its spirit and essence, and all such changes and variations fall within the protection scope of the appended claims.

Claims (15)

1. An abnormal flow control system based on multilevel aggregation, characterized in that it comprises the following subsystems:
an abnormal flow recognition subsystem, used to sample data in different situations and perform address aggregation;
an abnormal flow classification rule automatic generation subsystem, used for the design of aggregation patterns, secondary pattern aggregation, packet classification and data management;
an abnormal flow matching and rejection method execution subsystem, used to set different priority levels for the rate limit of each aggregate according to the result of the secondary pattern aggregation, and to limit abnormal aggregate flows with a fair, reasonable, fast and effective method.
2. The system according to claim 1, characterized in that the abnormal flow recognition subsystem uses a recognition algorithm together with a history information table to increase the accuracy of attack judgement, and also combines an anti-jitter algorithm with the address aggregation algorithm, judging anomalies by accumulated value, which increases the ability to recognize pulse attacks.
3. The system according to claim 1 or 2, characterized in that the abnormal flow classification rule automatic generation subsystem proposes different aggregation patterns according to the statistical characteristics of the specific protocol.
4. An abnormal flow control system based on multilevel aggregation, characterized in that it comprises the following modules:
Module a, packet sampling module: used to sample packets;
Module b, flow intensity aggregation module: used to find destination IPs with high-intensity aggregation within a certain time period;
Module c, abnormal pattern aggregation module: classifies abnormal flows by secondary pattern aggregation, so that the defense rule generation module can analyze the aggregate flowing to this address, generate rules, and notify the rule execution and feedback module to make an appropriate response;
Module d, defense rule generation module: according to the attacked IP address and attack protocol obtained by the abnormal pattern aggregation module, collects statistics on the characteristics of the packets flowing to this IP address, generates attack defense rules, and passes them to the rule execution and feedback module so that it can make an appropriate response;
Module e, destination address identification module: used to judge whether the destination IP of an IP packet matches a check rule among the attack defense rules;
Module f, rule execution and feedback module: used to judge a received IP packet according to its destination IP address and the protocol it uses, then execute the defense rule and feed back the execution result of the rule.
5. The system according to claim 4, characterized in that the system further comprises: Module g, system information output module: used to write the output information of the relevant modules to a log file.
6. The system according to claim 4 or 5, characterized in that the system further comprises: Module h, performance monitoring module, used to trigger the packet sampling module.
7. The system according to claim 4 or 5, characterized in that the packet sampling module adopts a content-triggered distributed sampling algorithm and switches automatically to fixed-interval sampling when that algorithm fails.
8. The system according to claim 4 or 5, characterized in that the flow intensity aggregation module uses a hash table to aggregate the sampled data directly.
9. The system according to claim 8, characterized in that the flow intensity aggregation module uses a 4*256 two-dimensional array to perform the hash calculation on the destination IP address; that is, the destination IP is divided into four parts, each part being one byte whose value selects a position in the corresponding row of the array, so that the four bytes correspond to the four rows of the two-dimensional array; the system sets overflow thresholds and a periodic clearing mechanism, and when all four thresholds are exceeded it judges that high-intensity flow is occurring towards this destination IP.
10. An abnormal flow control method based on multilevel aggregation, comprising the following steps:
Step 1, sampling packets;
Step 2, aggregating the destination IPs with high-intensity flow within a certain time period;
Step 3, classifying the abnormal flows by secondary pattern aggregation, obtaining the attacked IP address and the attack protocol;
Step 4, according to the attacked IP address and attack protocol obtained in step 3, collecting statistics on the characteristics of the packets flowing to this IP address and generating attack defense rules;
Step 5, judging whether the destination IP of an IP packet matches a check rule among the attack defense rules;
Step 6, after judging the received IP packet according to its destination IP address and the protocol it uses, executing the defense rule and feeding back the execution result of the rule.
11. The method according to claim 10, characterized in that the method further comprises step 7: writing the output information of the relevant modules to a log file.
12. The method according to claim 10 or 11, characterized in that the packet sampling adopts a content-triggered distributed sampling algorithm and switches automatically to fixed-interval sampling when that algorithm fails.
13. The method according to claim 10 or 11, characterized in that step 2 uses a hash table to aggregate the sampled data directly.
14. The method according to claim 13, characterized in that the aggregation of sampled data in step 2 uses a 4*256 two-dimensional array to perform the hash calculation on the destination IP address; that is, the destination IP is divided into four parts, each part being one byte whose value selects a position in the corresponding row of the array, so that the four bytes correspond to the four rows of the two-dimensional array; the system sets overflow thresholds and a periodic clearing mechanism, and when all four thresholds are exceeded it judges that high-intensity flow is occurring towards this destination IP.
15. The method according to claim 10 or 11, characterized in that in step 5 the check rules are specific to each protocol, each IP having three protocol check rules: TCP, UDP and ICMP; after the IP is found to match, the protocol of the packet is also checked against the corresponding protocol rule that is in force in the check rules, and only if both are consistent is the IP information collected into the processing queue.
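The following is an added worked example, not code from the patent or from ZTE, modelling the six method steps of claims 10 to 15 as a small Python pipeline. It reads the 4*256 array of claims 9 and 14 as a four-row counter array in which byte i of the destination IP indexes row i, flags a destination only when all four cells exceed their thresholds, and wipes the array on a fixed interval. The sampling is the fixed-interval fallback of claims 7 and 12 (the content-triggered algorithm is not described on the page), the defense rule simply puts the check rule for the dominant protocol towards the flagged IP in force, and the packets, thresholds, sampling ratio and clearing interval are all constructed for illustration. It also shows a caveat the claims do not state: because cells are shared by every address that has a byte in common, the structure is a sketch and can report an address that received no traffic at all when two other addresses are being flooded.

```python
"""Added example (not the patent's code): a toy model of the claimed pipeline.

Step 1     fixed-interval packet sampling (the fallback mode of claims 7 / 12)
Step 2     flow-intensity aggregation on destination IP, 4x256 array (claims 9 / 14)
Steps 3-4  secondary aggregation by protocol towards the flagged IP -> defense rule
Steps 5-6  per-IP, per-protocol check rules feeding a processing queue (claim 15)
Packets, thresholds and the clearing interval are constructed for illustration.
"""
from collections import Counter, namedtuple
from typing import Dict, List

Packet = namedtuple("Packet", "ts dst proto")  # ts in seconds; proto in PROTOCOLS
PROTOCOLS = ("TCP", "UDP", "ICMP")


def ip_bytes(ip: str) -> List[int]:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip}")
    return parts


class FlowIntensityAggregator:
    """4 rows x 256 counters; row i is indexed by byte i of the destination IP.

    A destination is high-intensity only when all four of its cells exceed their
    thresholds; the whole array is wiped every `clear_interval` seconds. Cells are
    shared between addresses with a byte in common, so this is a sketch and can
    report an address nobody is flooding (see false_positive_demo).
    """

    def __init__(self, thresholds=(100, 100, 100, 100), clear_interval=10.0):
        self.thresholds = list(thresholds)
        self.clear_interval = clear_interval
        self.window_start = None
        self.counts = [[0] * 256 for _ in range(4)]

    def observe(self, dst: str, now: float) -> bool:
        """Count one sampled packet towards dst; True if dst is now high-intensity."""
        if self.window_start is None or now - self.window_start >= self.clear_interval:
            self.counts = [[0] * 256 for _ in range(4)]  # periodic clearing
            self.window_start = now
        for row, b in enumerate(ip_bytes(dst)):
            self.counts[row][b] += 1
        return self.is_high_intensity(dst)

    def is_high_intensity(self, dst: str) -> bool:
        return all(self.counts[row][b] > self.thresholds[row]
                   for row, b in enumerate(ip_bytes(dst)))


def generate_defense_rule(samples: List[Packet], victim: str) -> Dict[str, bool]:
    """Secondary (pattern) aggregation: tally the protocol mix of sampled packets
    towards the victim and put the check rule for the dominant protocol in force."""
    mix = Counter(p.proto for p in samples if p.dst == victim)
    rule = {proto: False for proto in PROTOCOLS}
    if mix:
        rule[mix.most_common(1)[0][0]] = True
    return rule


class DefenseRuleTable:
    """Claim 15: one TCP/UDP/ICMP check rule per IP; a packet whose destination
    matches and whose protocol rule is in force is collected into the queue."""

    def __init__(self):
        self.rules: Dict[str, Dict[str, bool]] = {}
        self.queue: List[Packet] = []

    def check(self, pkt: Packet) -> bool:
        rule = self.rules.get(pkt.dst)
        if rule is None or not rule.get(pkt.proto, False):
            return False
        self.queue.append(pkt)
        return True


def run_pipeline(packets: List[Packet], sample_every: int = 2, **agg_kwargs) -> dict:
    """Run steps 1-6 over a packet list; returns what a log module (claim 5) would record."""
    agg = FlowIntensityAggregator(**agg_kwargs)
    table = DefenseRuleTable()
    samples: List[Packet] = []
    for i, pkt in enumerate(packets):
        if i % sample_every:                                                # step 1
            continue
        samples.append(pkt)
        if agg.observe(pkt.dst, pkt.ts) and pkt.dst not in table.rules:     # step 2
            table.rules[pkt.dst] = generate_defense_rule(samples, pkt.dst)  # steps 3-4
    queued = sum(table.check(pkt) for pkt in packets)                       # steps 5-6
    return {"rules": table.rules, "queued": queued, "sampled": len(samples)}


def constructed_traffic() -> List[Packet]:
    """Constructed sample: a UDP flood on 10.1.2.3 mixed with light legitimate traffic."""
    flood = [Packet(i * 0.01, "10.1.2.3", "UDP") for i in range(400)]
    legit = [Packet(i * 0.5, "10.1.2.4", "TCP") for i in range(8)]
    legit += [Packet(i * 0.5, "10.1.2.3", "TCP") for i in range(4)]
    return sorted(flood + legit, key=lambda p: p.ts)


def false_positive_demo() -> bool:
    """Floods on 10.1.2.3 and 20.1.2.9 fill every cell that 10.1.2.9 indexes, so the
    sketch reports 10.1.2.9 as high-intensity although it received no traffic."""
    agg = FlowIntensityAggregator(thresholds=(10, 10, 10, 10))
    for _ in range(20):
        agg.observe("10.1.2.3", 0.0)
        agg.observe("20.1.2.9", 0.0)
    return agg.is_high_intensity("10.1.2.9")


if __name__ == "__main__":
    print(run_pipeline(constructed_traffic()))
    print("sketch false positive:", false_positive_demo())
```

On the constructed traffic the flood destination is the only address whose fourth-byte cell crosses the threshold, so one rule is generated (UDP in force, TCP and ICMP not) and every flood packet, but none of the TCP packets, lands in the processing queue. The false-positive demonstration is the reason a real deployment would confirm a flagged address against exact per-destination counters (the hash table of claims 8 and 13) before generating a rule, since the rule would otherwise rate-limit a destination that is not under attack.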

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100954491A CN100502356C (en) 2005-11-16 2005-11-16 Multilevel aggregation-based abnormal flow control method and system

Publications (2)

Publication Number Publication Date
CN1968180A true CN1968180A (en) 2007-05-23
CN100502356C CN100502356C (en) 2009-06-17

Family

ID=38076738

Country Status (1)

Country Link
CN (1) CN100502356C (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883054A (en) * 2010-07-09 2010-11-10 北京星网锐捷网络技术有限公司 Multicast message processing method and device and equipment
CN104038372A (en) * 2014-05-30 2014-09-10 国家电网公司 Power wide area network (WAN) flow monitoring method
CN105391646A (en) * 2015-10-19 2016-03-09 上海斐讯数据通信技术有限公司 Method and device for performing early-warning processing on link layer equipment
CN105493450A (en) * 2013-04-29 2016-04-13 瑞典爱立信有限公司 A method and system to dynamically detect traffic anomalies in a network
CN111198805A (en) * 2018-11-20 2020-05-26 北京京东尚科信息技术有限公司 Abnormity monitoring method and device
CN112866179A (en) * 2019-11-27 2021-05-28 北京沃东天骏信息技术有限公司 Current limiting method and current limiting device
CN114095255A (en) * 2021-11-22 2022-02-25 安徽健坤通信股份有限公司 Network security monitoring method, device and storage medium
CN114726633A (en) * 2022-04-14 2022-07-08 中国电信股份有限公司 Flow data processing method and device, storage medium and electronic equipment

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883054B (en) * 2010-07-09 2013-07-24 北京星网锐捷网络技术有限公司 Multicast message processing method and device and equipment
CN101883054A (en) * 2010-07-09 2010-11-10 北京星网锐捷网络技术有限公司 Multicast message processing method and device and equipment
CN105493450A (en) * 2013-04-29 2016-04-13 瑞典爱立信有限公司 A method and system to dynamically detect traffic anomalies in a network
CN105493450B (en) * 2013-04-29 2019-04-23 瑞典爱立信有限公司 The method and system of service exception in dynamic detection network
CN104038372B (en) * 2014-05-30 2016-03-09 国家电网公司 Electric power wide area flux monitoring method
CN104038372A (en) * 2014-05-30 2014-09-10 国家电网公司 Power wide area network (WAN) flow monitoring method
CN105391646A (en) * 2015-10-19 2016-03-09 上海斐讯数据通信技术有限公司 Method and device for performing early-warning processing on link layer equipment
CN111198805A (en) * 2018-11-20 2020-05-26 北京京东尚科信息技术有限公司 Abnormity monitoring method and device
CN111198805B (en) * 2018-11-20 2024-02-02 北京京东尚科信息技术有限公司 Abnormality monitoring method and device
CN112866179A (en) * 2019-11-27 2021-05-28 北京沃东天骏信息技术有限公司 Current limiting method and current limiting device
CN114095255A (en) * 2021-11-22 2022-02-25 安徽健坤通信股份有限公司 Network security monitoring method, device and storage medium
CN114726633A (en) * 2022-04-14 2022-07-08 中国电信股份有限公司 Flow data processing method and device, storage medium and electronic equipment
CN114726633B (en) * 2022-04-14 2023-10-03 中国电信股份有限公司 Traffic data processing method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090617

Termination date: 20151116