200833015
IX. Description of the Invention:

[Technical Field of the Invention]
A method and system for detecting network anomaly events, and in particular a method and system that use flow information to detect the network addresses at which anomaly events occur in a network.

[Prior Art]
Network anomalies are usually caused by hacker attacks on the network, such as denial of service (DoS) attacks and worm attacks, by improper overall network planning, or by abuse of the network by internal users (network abuse). When an anomaly occurs, users inside the network face network congestion and application services that no longer work. For an enterprise or other organization this means reduced productivity and wasted network resources. For example, in the 2004 FBI (Federal Bureau of Investigation) computer crime and security survey, the financial loss caused by denial of service attacks alone reached more than 26 million US dollars, second only to the loss caused by viruses. The losses caused by other kinds of network anomaly are far larger than this figure, so finding network anomalies quickly is an important problem.

The traditional way to detect a network anomaly is to install a network sniffer program (sniffer) on, or attach a sniffer device to, the node (computer) suspected of causing the anomaly. The sniffer program or device captures the contents of the packets passing through that node and records them; this way of monitoring traffic as it passes through the physical device is called "inline mode". Finally the operator analyzes the captured packet contents to judge whether the node is causing the network anomaly and why the anomaly occurred. During this analysis, only the operator's past experience is available to locate the node causing the anomaly and to work out its cause.

Figure 1 is a schematic diagram of Internet connectivity. The Internet 10 is made up of many network domains 100 of varying size, and within each domain a number of network devices, for example routers 130 or switches 140, distribute the connection paths. Larger enterprises usually build dedicated internal network equipment, so for convenience of explanation Figure 1 treats each computer as a node 110, with anomalous nodes 120 marked by a box. Routers 130 or switches 140 connect other network devices to the nodes (110 or 120) in their domain. In a large network, an operator spends a great deal of time merely checking the suspected anomalous nodes 120 one by one, and still has to install a sniffer program or device on each suspected node and analyze its packet contents. The operator spends a lot of time installing software and parsing packet contents, so the efficiency of identifying the anomalous nodes 120 is hard to improve and the progress of the investigation is hard to track.

[Summary of the Invention]
In view of the problems above, the main purpose of the present invention is to provide a method and system for detecting network anomaly events that collect the flow information exchanged between nodes in order to detect the network addresses at which anomaly events occur, improving the efficiency of identifying those network addresses.

To achieve this purpose, the method for detecting network anomaly events disclosed by the present invention comprises at least the following steps. First, a flow time range is set and the flow information within that time range is retrieved. Next, filter elements are selected, at least one of which corresponds to one of the attributes of the flow information. These filter elements are combined into a set of matching criteria, which are used to decide which flow information matches the matching criteria. Aggregation criteria are then set, which are used to classify and count the flow information that matches the matching criteria. The flow information that matches the matching criteria is output as a statistical report. Next, the network addresses of the anomaly event are selected from the statistical report according to a judgment strategy. If the network addresses of the anomaly event cannot be selected from the statistical report, further filter elements are chosen on the basis of the report and added to the matching criteria, and the step of classifying and counting the flow information that matches the matching criteria is repeated until the network addresses of the anomaly event can be selected from the statistical report.

According to another aspect, the present invention proposes a system for detecting network anomaly events that uses a plurality of flow information records, each having a plurality of attributes, to detect the network addresses at which anomaly events occur. The network anomaly event detection system comprises a signal receiving module and a processing module. The signal receiving module receives the flow information. The processing module is coupled to the signal receiving module and is used to set the matching criteria and the aggregation criteria. The processing module filters the retrieved flow information by means of the matching criteria, then classifies and counts the filtered flow information by means of the aggregation criteria. Finally the processing module outputs a statistical report based on the result of this classification and counting, and the network addresses at which the anomaly event occurs are selected from the statistical report. If the network addresses of the anomaly event cannot be selected from the statistical report, further filter elements are chosen on the basis of the report and added to the matching criteria, and the processing module repeats the step of classifying and counting the flow information that matches the matching criteria until the network addresses of the anomaly event can be selected from the statistical report.

In an embodiment of the present invention, the method and system above are designed around matching criteria and aggregation criteria. The flow information is filtered with the matching criteria, the filtered flow information is then sorted by means of the aggregation criteria, a statistical report is output from the sorted result, and finally this statistical report is used to decide whether the network addresses at which the anomaly event occurs can be pinned down. If the range of network addresses is too large to pin down, other filter elements are chosen from the statistical report and added to the matching criteria, forming the new matching criteria for the next round. The filtering is then repeated until the network addresses at which the anomaly event occurs can be pinned down.

Because the present invention uses matching criteria and aggregation criteria, the flow information is first filtered and then sorted, better filter elements are chosen from the sorted flow information and added to the matching criteria for the next round, and the filtering and sorting are repeated so as to pin down the network addresses at which the anomaly event occurs. In this way the operator not only saves installation and inspection time, but can also analyze the state of the network step by step through the detection system's matching criteria and aggregation criteria. Based on the feedback from the matching criteria and aggregation criteria, the operator can then dig further into the cause of the network anomaly event.

The features and implementation of the present invention are described in detail below with reference to the drawings and the preferred embodiment.

[Embodiment]
Figure 2 is the network architecture diagram of this embodiment. Referring to Figure 2, packets traversing the network are passed along by many routers 130 (Router) and switches 140 (Switch). For packets passing through a router 130 or switch 140, the concept of a "flow" can be used to observe the packets that pass through the router 130 or switch 140 over a given length of time. The router 130 or switch 140 produces a summary of the information about these packets and finally outputs it in one of various flow information formats (for example NetFlow, sFlow, cFlow or NetStream). The flow information 310 mainly contains information about the basic traffic in the transport layer (Transport Layer). The flow information 310 has a number of different attributes, including the packet's source address (source IP (Internet Protocol) address), destination address (destination IP address), source port (source TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) port), destination port (destination TCP/UDP port), protocol
(Protocol), type of service (Type of Service, ToS), TCP flag content (TCP flags), the number of bytes carried by the flow (byte count), the number of packets carried by the flow (packet count), and so on. The operator can use this flow information 310 to analyze the network's traffic and to troubleshoot network anomalies.

Figure 3 is a schematic diagram of the network anomaly event detection system of an embodiment of the present invention. Referring to Figure 3, the network anomaly event detection system 230 comprises a signal receiving module 320 and a processing module 330. The signal receiving module 320 receives the flow information 310. The processing module 330 is coupled to the signal receiving module 320 and processes the flow information received by it. In addition, the processing module 330 sets a set of matching criteria (Matching Criteria) and aggregation criteria (Aggregation Criteria) according to the operator's requirements. The matching criteria are a collection of filter elements (Factor Types). Each filter element corresponds to an attribute of the flow information 310; the filter elements include Internet Protocol address, Internet Protocol prefix (IP prefix), protocol, port, network interface (Interface), TCP flag value (TCP flag), type of service value (ToS), next hop (Next Hop), packet size, and so on. For example, when the operator chooses the protocol "TCP" as a filter element, the detection system 230 treats the protocol "TCP" as the matching criteria and picks out, from the retrieved flow information, the flow information 310 whose protocol is TCP.

The aggregation criteria classify and count the flow information that matches the matching criteria. The unit types that make up the aggregation criteria mainly include Internet Protocol address, Internet Protocol prefix, protocol, port, network interface, TCP flag value, type of service value, next hop, and so on. The processing module 330 filters the retrieved flow information 310 according to the configured matching criteria, then classifies and counts the filtered flow information 310 according to the aggregation criteria. Continuing the example above, if the operator chooses the source address "192.168.0.x" as the aggregation criterion, the processing module 330 lists, in order, the flow information 310 whose protocol is TCP and whose source address is "192.168.0.x".

The processing module 330 outputs a statistical report 340 based on the result of the classification and counting. The operator may choose to output only the top-ranked entries of the classification as the statistical report 340 (for example, the top 50). The operator then uses the statistical report 340 to find the network addresses at which the network anomaly occurs. If the operator considers that the range of the statistical report 340 is not precise enough to analyze the network addresses of the anomaly effectively, the operator can choose other filter elements and add them to the matching criteria, and the processing module 330 filters the flow information obtained in the previous round again according to the new matching criteria.

Figure 4 is a schematic flow diagram of detecting a network anomaly event according to an embodiment of the present invention. Referring to Figures 3 and 4 together, to simplify the explanation of how the system and method of this embodiment operate, the operator is taken here as the one who selects the matching criteria, but the invention is not limited to this. First, the operator sets a flow time range (Time Range); the signal receiving module 320 retrieves the flow information 310 within that time range and hands it to the processing module 330 for processing (step S410). For example, when the operator notices abnormal traffic in the network, the operator monitors the time range in which the suspicious traffic occurred. Next, the operator selects a number of filter elements, each corresponding to an attribute of the flow information (step S420). The processing module 330 combines these filter elements into a set of matching criteria and filters the retrieved flow information according to them (step S430). The operator sets aggregation criteria according to need (step S440). The processing module 330 arranges the flow information 310 that matches the matching criteria according to these aggregation criteria (step S450). Next, the processing module 330 takes the flow information 310 obtained in step S450, accumulates the counts according to the aggregation criteria, ranks the entries, and outputs a statistical report 340 (step S460). For example, if traffic volume is selected with descending order, the statistical report 340 lists the flow information from the largest volume to the smallest. From this report the operator derives a judgment strategy for deciding whether the network addresses at which the anomaly occurs can be selected (step S470). If the selected range of network addresses is too large, the operator can choose further filter elements on the basis of the flow information 310 in the statistical report 340 (step S480), and the detection system 230 repeats step S430 with the new matching criteria until the operator can pin down the network addresses of the anomaly event. Finally the network addresses found to be anomalous are pinned down (step S490).

To explain the operation of the detection system 230 of this embodiment more clearly, an example follows. Suppose that at some point the operator notices abnormal traffic in the network. First, according to step S410, the operator sets the flow time range that the detection system 230 is to examine, and the detection system 230 retrieves all the flow information of the network within that time range. Once the system has finished retrieving the flow information for the time range, the operator starts choosing the desired filter elements (corresponding to step S420). At this early stage the operator cannot yet identify the likely cause of the anomaly and so cannot choose filter elements; the operator may therefore choose none, that is, set no matching criteria, so that the subsequent processing module 330 processes all the flow information (step S430). The detection system 230 then performs the filtering on the flow information retrieved for the configured time range. Next, the operator sets the destination protocol and port as the aggregation criteria, in descending order (step S440), and the flow information 310 is classified and counted accordingly (step S450). Figure 5a is the first-round statistical report, using the destination protocol and port as the aggregation criteria and taking the top 10 entries. The detection system 230 outputs the result of the analysis as the first-round statistical report 510. Because the network coverage is too large, however, the range of network addresses at which the anomaly occurs cannot be selected from the first-round statistical report 510. So in step S480 the operator sets new filter elements, and the detection system 230 executes step S430 again.

Taking the first-round statistical report 510 of Figure 5a as an example, if the operator wants to determine the cause of the abnormal traffic from the first-round report 510, the operator can see in it that "UDP/1434" (the protocol and port commonly used by SQL (Structured Query Language) servers) accounts for an unreasonable proportion of the traffic. The operator therefore suspects that the abnormal traffic is caused by a "SQL Slammer" worm attack. Another characteristic of "SQL Slammer" is a packet size of 44 bytes. The operator can therefore set a judgment strategy based on these two characteristics, protocol and port "UDP/1434" and packet size "44 bytes", and add them as filter elements to the matching criteria of the next round. Moreover, to find the attackers' network addresses, the source network address can be added to the aggregation criteria, with the top 5 entries (in descending order) taken as the basis for the classification and counting. Handing this to the detection system 230 for classification and counting yields the second-round statistical report 520. Figure 5b is the second-round statistical report, using the source network address as the aggregation criterion and taking the top 5 entries.

After the second round of analysis, the operator can already clearly pin down the cause of the network anomaly and the source addresses of the network attackers. If the operator needs further information, a third round of analysis can be carried out. For example, the operator may want to know which network devices in the network are affected by each attacker. The operator adds the filter element "source network address", sets the aggregation criterion to router, and takes the top-ranked entries. The third-round statistical report (not shown in the figures) reveals the network devices most seriously affected by the network attackers.

In an embodiment of the present invention, the method and system above add the design of matching criteria and aggregation criteria to a centralized system. This design frees the operator from installing sniffer programs or devices all over the network, saving the time spent on installation and removal and the manpower spent moving equipment. Furthermore, through the statistical reports produced by the detection system, the result of each analysis becomes the matching criteria of the next analysis, so that the network addresses at which anomaly events really occur in the network can be dug out progressively, layer by layer.

In addition, those skilled in the art may replace the operator's feedback mechanism for the matching criteria and aggregation criteria with a neural network (Neural Network), an expert system (Expert System), artificial intelligence (Artificial Intelligence) or a fuzzy system (Fuzzy System) without departing from the spirit of the present invention.

Although the present invention has been disclosed above by way of a preferred embodiment, this is not intended to limit the invention; anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of patent protection of the present invention is defined by the claims appended to this specification.

[Brief Description of the Drawings]
Figure 1 is a schematic diagram of Internet connectivity.
Figure 2 is the network architecture diagram of this embodiment.
Figure 3 is a schematic diagram of the network anomaly event detection system of this embodiment.
Figure 4 is a schematic flow diagram of detecting a network anomaly event according to this embodiment.
Figure 5a is the first-round statistical report, using the destination protocol and port as the aggregation criteria and taking the top 10 entries.
Figure 5b is the second-round statistical report, using the source network address as the aggregation criterion and taking the top 5 entries.

[Description of the Main Reference Numerals]
10 Internet
100 network domain
110 node
120 anomalous node
130 router
140 switch
230 network anomaly event detection system
310 flow information
320 signal receiving module
330 processing module
340 statistical report
S410 set flow time range
S420 select a number of filter elements
S430 form matching criteria from these filter elements
S440 set aggregation criteria
S450 classify and count the flow information according to the aggregation criteria
S480 select other filter elements
S490 pin down the anomalous network addresses
510 first-round statistical report
520 second-round statistical report
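The three rounds of the embodiment (round 1 with no filter elements, round 2 with the worm's protocol, port and 44-byte packet size as filter elements, round 3 aggregated by next hop), carried out over constructed flow records as an added example; this is not code from the patent, and the Flow field names, host addresses and router names are assumptions.

```python
"""Iterative matching/aggregation rounds over flow records, modelled on the
embodiment above (steps S410-S490).  Added example, not code from the patent;
the flow records, addresses and router names are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Hashable, Iterable


@dataclass(frozen=True)
class Flow:
    """One exported flow record carrying the attributes the text lists (assumed field names)."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    byte_count: int
    packet_count: int
    next_hop: str  # router that forwarded the flow

    @property
    def packet_size(self) -> int:
        # Packet-size filter element: average bytes per packet in the flow.
        return self.byte_count // self.packet_count


Filter = Callable[[Flow], bool]   # one filter element of the matching criteria
Key = Callable[[Flow], Hashable]  # one aggregation criterion (group-by key)


def apply_matching(flows: Iterable[Flow], criteria: list[Filter]) -> list[Flow]:
    """Step S430: keep flows satisfying every filter element.
    An empty criteria list (no filter elements chosen yet) keeps every flow."""
    return [f for f in flows if all(check(f) for check in criteria)]


def aggregate(flows: Iterable[Flow], key: Key, top: int,
              rank_by: str = "flows") -> list[tuple]:
    """Steps S440-S460: group flows by the aggregation key, accumulate the flow
    count and byte total per group, rank in descending order and keep the top-N.
    Returns (key, flow_count, byte_total) rows: the statistical report."""
    flows_per, bytes_per = defaultdict(int), defaultdict(int)
    for f in flows:
        flows_per[key(f)] += 1
        bytes_per[key(f)] += f.byte_count
    rows = [(k, flows_per[k], bytes_per[k]) for k in flows_per]
    rows.sort(key=lambda r: r[1] if rank_by == "flows" else r[2], reverse=True)
    return rows[:top]


def constructed_flows() -> list[Flow]:
    """Constructed sample: ordinary web traffic plus a worm-like burst of
    single-packet UDP/1434 flows of 44 bytes (the two characteristics the text
    attributes to the worm)."""
    flows = []
    for i, host in enumerate(["10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.21"]):
        rtr = "rtr-A" if host.startswith("10.0.1.") else "rtr-B"
        flows.append(Flow(host, "203.0.113.5", "TCP", 40000 + i, 80, 6000, 10, rtr))
        flows.append(Flow(host, "203.0.113.6", "TCP", 41000 + i, 443, 9000, 12, rtr))
    for host, rtr, count in (("10.0.1.50", "rtr-A", 60), ("10.0.2.60", "rtr-B", 40)):
        for n in range(count):  # two infected hosts scanning many destinations
            flows.append(Flow(host, f"198.51.100.{n}", "UDP", 1034, 1434, 44, 1, rtr))
    return flows


def run_rounds(flows: list[Flow]) -> dict:
    """The three rounds of the embodiment: each round's report supplies the
    filter elements added to the next round's matching criteria (S470-S480)."""
    # Round 1: no filter elements yet; aggregate by destination protocol/port, top 10.
    report1 = aggregate(apply_matching(flows, []), lambda f: (f.proto, f.dst_port), 10)
    # Round 2: the dominant (UDP, 1434) row plus the 44-byte packet size become
    # filter elements; aggregate by source address, top 5, to find the attackers.
    worm = [lambda f: f.proto == "UDP", lambda f: f.dst_port == 1434,
            lambda f: f.packet_size == 44]
    report2 = aggregate(apply_matching(flows, worm), lambda f: f.src_ip, 5)
    # Round 3: add the attacker addresses as a filter element and aggregate by
    # next hop to see which router carries most of the attack traffic.
    attackers = {row[0] for row in report2}
    report3 = aggregate(apply_matching(flows, worm + [lambda f: f.src_ip in attackers]),
                        lambda f: f.next_hop, 5)
    return {"round1": report1, "round2": report2, "round3": report3}


if __name__ == "__main__":
    for name, report in run_rounds(constructed_flows()).items():
        print(name, *[f"{k!s}: flows={n} bytes={b}" for k, n, b in report], sep="\n  ")
```

Ranking by flow count (the default) is what surfaces the worm: by byte volume the same UDP/1434 row would sit below the ordinary web traffic, which is why the aggregation criterion and the ranking metric both matter.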