CN104734916B - A kind of high-efficiency multi-stage anomalous traffic detection method based on Transmission Control Protocol - Google Patents
Abstract
The invention claims an efficient multi-stage anomalous traffic detection method based on TCP, in which a multi-stage anomaly detection mechanism is added to conventional anomalous traffic detection. The method detects anomalies in the data traffic sent by clients in the network: the raw client traffic is smoothed by difference averaging to obtain a stationary difference sequence, while the traffic already present in the network is analysed and counted so that an adaptive threshold interval is set dynamically; adaptive-threshold difference detection is then run on the smoothed traffic, and packets that fail this primary detection are subjected to further anomaly detection. This further detection parses the packets forwarded by the router, extracts their key fields and, from a judgement on those key fields, decides whether the packets sent by the client are anomalous. The invention improves detection accuracy and is simple and easy to implement.
Description
Technical field
The invention belongs to the field of communication anomaly detection and relates to fast, real-time detection techniques for the various kinds of anomalies found on the Internet; specifically, it designs an efficient multi-stage anomalous traffic detection method based on TCP.
Background technology
Network traffic anomaly detection is an important part of network monitoring. A network traffic anomaly is a situation in which the traffic behaviour in a network deviates from its normal behaviour. There are many causes of traffic anomalies: a device in the network fails and communication becomes faulty; the network is operated abnormally; a sudden burst of accesses (a flash crowd) arrives; a network intrusion occurs. At the same time, as networks keep growing, topology planning becomes ever more complex, network devices become more diverse and the user base keeps expanding, network anomaly detection has become an important guarantee of communication security. While users seek convenient communication and place their trust in the network, new kinds of network threats keep increasing. Finding and eliminating these threats is the central task of network anomaly detection and an important part of keeping network communication normal.
The attacks and threats a network faces come mainly from inside the network: large numbers of Internet worms, active attacks by hosts within the network and sudden surges of anomalous traffic all overload network devices, causing network congestion and possibly going on to paralyse the network. A SYN flood DDoS attack, for example, is an attack in which a malicious user exploits the defect in the TCP three-way handshake and forges the IP addresses of normal users, causing immeasurable loss to the network. Therefore, when there is an anomaly in the network, the first measure is to find it and raise an anomaly alarm. Moreover, a network anomaly is not confined to a single target but spreads as widely as it can to its surroundings; its ultimate effect is to involve the largest possible scope of the network and produce many kinds of anomalies. For this situation, a real-time, fast detection method is needed that discovers anomalies and blocks them, so that the network can communicate normally.
Network traffic anomalies are characterised by bursty changes whose precursors are unknown, and they can do great harm to the network or the computers on it within a short time. Detecting abnormal traffic behaviour in real time and quickly, determining its cause and responding appropriately is therefore one of the premises of effective network operation, and reducing the loss caused by malicious attacks on the network is another important aspect of guaranteeing network security.
Anomaly detection methods have already been proposed, such as the non-linear anomalous traffic detection method (NLPP), anomalous traffic detection based on wavelet analysis and anomalous traffic detection based on an ARMA model. Although these can detect anomalies in real time, their computational complexity is high and their results are not accurate enough, often with a large false-alarm rate; in addition, they can only be used when the traffic data exhibit long-range correlation. When most traffic data are collected, their correlation properties are not obvious and their fluctuation trend is often unstable, which greatly limits the range of use of such detection methods. The anomaly detection method proposed in this invention preprocesses the traffic data before detection is carried out, overcoming this limitation. At the same time, on top of conventional detection, the proposed multi-stage detection mechanism effectively reduces the false-alarm rate of detection.
Summary of the invention
In view of the deficiencies of the prior art, the object of the invention is to provide a method that reduces the false-alarm rate while guaranteeing accuracy, and that is simple and easy to implement. The technical scheme is as follows: an efficient multi-stage anomalous traffic detection method based on TCP, comprising the following steps:
101. Collect network traffic data over a period $T$. Denote the raw traffic sequence in the traffic data by $R$ and the observation at time $t$ by $x_t$, $x_t \in R$, $t = 1, 2, \dots, T$. Remove invalid traffic values $x_t$ according to the criterion $|x_t| > k \cdot \mathrm{var}_R$, where $k$ is the Grubbs test coefficient and $\mathrm{var}_R$ is the variance of the sequence $R$; the remaining traffic data form the traffic observation sequence $X$.
102. Apply difference-smoothing preprocessing to the traffic observation sequence $X$; the preprocessed difference traffic sequence is $D$, with difference values $d_t = x_t - x_{t-1}$, $t > 1$, $d_t \in D$, $t = 1, 2, \dots, N$. After obtaining the difference traffic sequence $D$, pass it to step 103.
103. Compute the mean and variance of the sequence $X$ and of the sequence $D$ respectively, and from them estimate the interval $[l_t, h_t]$ in which the difference traffic value at time $t$ lies, where $p_t$ is the predicted threshold at time $t$, $l_t$ and $h_t$ are the minimum and maximum difference traffic permitted at time $t$, and $\mathrm{var}_{d_t}$ is the variance of the difference traffic at time $t$. Once the difference traffic sequence $D$ of step 102 is input for detection, the firewall enables the primary detection defence function and checks the data sent against the predicted threshold $p_t$ at time $t$: when the difference traffic value at time $t$ lies within the predicted interval $[l_t, h_t]$, it is judged normal traffic and forwarded to the server; when it falls outside $[l_t, h_t]$, it is judged anomalous traffic and the method jumps to step 104.
104. The firewall's multi-stage detection system decomposes the forwarded packet, extracts the key fields key_field from it and judges them; if no anomalous field is found, the packet is forwarded to the server; if an anomalous field is detected, the packet is discarded.
105. After the re-detection of step 104, normal packets are forwarded to the server, so that the server and the client establish the first handshake connection.
106. After the first handshake connection is established, the server sends the return message $M_{\mathrm{response}}$ to the client and waits for the client's confirmation message ACK; when the client receives the server's return message $M_{\mathrm{response}}$, the two ends establish the second handshake connection; after the server has received the confirmation message ACK, the server and the client establish the third handshake connection and can communicate with each other.
Further, the difference-smoothing preprocessing of step 102 consists of the following steps:
S21. For the network communication data sequence $\{x_1, x_2, \dots, x_T\}$ collected over the period $T$, analyse and remove outliers, keeping the normal values: if $|x_t| > k \cdot \mathrm{var}_R$, then $x_t$ is an outlier, where $k$ is the Grubbs test coefficient and $\mathrm{var}_R$ is the variance of the sequence $R$; the retained observations form the observation sequence $X$.
S22. For the raw sequence $R$, compute its mean and its variance $\mathrm{var}_R$.
S23. Apply difference preprocessing to the observation sequence $X$, giving $d_t \in D$, $t = 1, 2, \dots, T$, where $d_t = x_t - x_{t-1}$, $t > 1$.
S24. For the difference sequence $D$, compute its mean and its variance $\mathrm{var}_D$.
Further, the mean of the raw sequence $R$ is computed from its formula, and $\mathrm{var}_R$ denotes the variance of the raw sequence.
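As an added worked example (not code from the patent), the following Python script implements steps 101 to 103 and S21 to S24 on a constructed sample of packets-per-second readings: outlier screening, differencing, the offline mean and variance of the difference sequence, an adaptive threshold interval of two standard deviations around the predicted threshold $p_t$, and the online primary detection. Three details are this example's assumptions because the page does not state them: the screening test is applied in the standard Grubbs form (deviation from the mean of $R$ compared with $k\sqrt{\mathrm{var}_R}$) rather than the literal $|x_t| > k \cdot \mathrm{var}_R$; the predicted threshold $p_t$ is an exponentially weighted average of earlier difference values with weighting constant $\alpha$; and the values of $k$ and $\alpha$ are chosen for illustration.

```python
import math
import statistics
from dataclasses import dataclass

# Constructed sample input (not from the patent): packets-per-second readings at
# 1 s intervals over a period T = 23 s. Traffic sits near 100 pkt/s; the 760
# reading is a spurious sample that the screening step should remove.
RAW_SEQUENCE_R = [98, 101, 103, 99, 100, 102, 97, 104, 100, 99, 760,
                  101, 98, 103, 100, 102, 99, 101, 100, 103, 98, 102, 100]

GRUBBS_K = 2.5   # Grubbs test coefficient k (assumed value; the patent gives none)
ALPHA = 0.3      # weighting constant alpha for the threshold refresh (assumed value)
SIGMAS = 2       # tolerance band of 2 standard deviations, as the patent states


def screen_outliers(raw, k=GRUBBS_K):
    """Step 101 / S21: discard outliers, keep the rest as observation sequence X.
    Assumption: the Grubbs-style test |x_t - mean(R)| > k * sqrt(var_R); the
    patent text writes the criterion as |x_t| > k * var_R."""
    mean_r = statistics.fmean(raw)
    std_r = math.sqrt(statistics.pvariance(raw))
    return [x for x in raw if abs(x - mean_r) <= k * std_r]


def difference_sequence(observations):
    """Step 102 / S23: d_t = x_t - x_{t-1} for t > 1."""
    return [b - a for a, b in zip(observations, observations[1:])]


@dataclass
class Verdict:
    d_t: float
    low: float
    high: float
    normal: bool


class AdaptiveDetector:
    """Offline: build X, D, their statistics and the threshold prediction p_t.
    Online: check each new reading against the interval [l_t, h_t]."""

    def __init__(self, raw, alpha=ALPHA, k=GRUBBS_K, sigmas=SIGMAS):
        self.alpha = alpha
        self.sigmas = sigmas
        self.x = screen_outliers(raw, k)
        self.d = difference_sequence(self.x)
        self.mean_d = statistics.fmean(self.d)
        self.std_d = math.sqrt(statistics.pvariance(self.d))   # sqrt(var_D)
        # Assumption: p_t is an exponentially weighted average of past difference
        # values (the refresh mechanism with weighting constant alpha).
        self.p = self.mean_d
        for d in self.d:
            self.p = alpha * d + (1 - alpha) * self.p
        self.last_x = self.x[-1]

    def interval(self):
        """[l_t, h_t] = p_t -/+ sigmas * sqrt(var_D)."""
        band = self.sigmas * self.std_d
        return self.p - band, self.p + band

    def check(self, x_new):
        """Primary detection for one new reading. The model is refreshed only
        with readings judged normal, so anomalous traffic does not pull the
        threshold band towards itself."""
        d_new = x_new - self.last_x
        low, high = self.interval()
        normal = low <= d_new <= high
        self.last_x = x_new
        if normal:
            self.p = self.alpha * d_new + (1 - self.alpha) * self.p
        return Verdict(d_new, low, high, normal)


if __name__ == "__main__":
    det = AdaptiveDetector(RAW_SEQUENCE_R)
    print("screened X:", det.x)
    print("difference D:", det.d)
    for reading in (102, 150, 150):
        v = det.check(reading)
        print(f"x={reading:4d} d_t={v.d_t:4.0f} [{v.low:6.2f}, {v.high:6.2f}]",
              "normal" if v.normal else "ANOMALOUS -> stage-two detection")
```

Because the detector works on first differences, a reading that jumps far above the band is flagged once; if the elevated level then persists, the next difference is near zero and passes primary detection again. That is a limitation of differencing that the threshold stage alone does not cover, and it is the reason the example refreshes $p_t$ only with readings judged normal.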
Advantages and beneficial effects of the invention:
The invention uses an efficient multi-stage anomalous traffic detection method based on TCP to detect and judge traffic data several times. Because existing anomaly detection techniques have a high false-alarm rate during detection, detection accuracy suffers greatly. To ensure both detection accuracy and the security of network communication, a multi-stage anomaly detection method is proposed here. First, offline and on the basis of statistics, the interval in which the traffic at the next moment will lie is estimated with an adaptive threshold method; then, online, detection is performed against the estimated traffic interval; when the judgement result is anomalous, multi-stage detection is carried out, in which the key information in the packet is extracted and judged. This multi-stage detection mechanism effectively reduces the false-alarm rate of anomaly detection. Using the difference mean-variance method, the invention obtains difference traffic whose trend is stationary; the computational complexity of the method is low, and by computing offline and detecting online the detection is fast and meets the requirement of real-time detection. At the same time, the added multi-stage detection mechanism both meets the requirement of a reduced false-alarm rate and guarantees the security of network communication.
Brief description of the drawings
Fig. 1 is the multi-stage anomaly detection flow diagram of the invention;
Fig. 2 is the traffic data screening diagram of the invention;
Fig. 3 is the sequence stationarization diagram of the invention;
Fig. 4 is the adaptive threshold calculation diagram of the invention;
Fig. 5 is the multi-stage anomaly detection diagram of the invention.
Embodiment
The technical solution in the embodiment of the invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiment is only one embodiment of the invention, not all of them.
Fig. 1 is the multi-stage anomaly detection flow diagram of the invention. The invention is proposed on the basis of the TCP three-way handshake connection protocol used for Internet communication. During communication the client issues a request to access the server and establish a connection. When access is normal, the flow is as follows:
S1: The client initiates a request; the request packet sent is forwarded by the router to the firewall. After receiving the request packet, the firewall counts the traffic and performs primary detection, i.e. difference traffic detection. If the traffic is detected to lie within the predicted difference traffic interval $[l_t, h_t]$, the firewall judges the packet normal and forwards it to the server; otherwise the packet is judged anomalous, and the firewall enables further detection. In the further anomaly detection the packet is analysed, the key fields key_field are extracted and further checked; if the result is still anomalous, the packet is discarded; if normal, it is marked as a false positive and forwarded to the server. At this point the client establishes the first handshake connection with the server.
S2: While establishing the first handshake connection with the client, the server sends a return message $M_{\mathrm{response}}$ to the client and waits for the client's confirmation message ACK, at the same time starting the wait timer $T_{\mathrm{wait}}$; when the client receives the return message $M_{\mathrm{response}}$, the second handshake connection is established.
S3: If the server's waiting time exceeds the maximum waiting time, the server discards the packet; otherwise, after the server receives the confirmation message ACK sent by the client, the third handshake connection is established, and the two sides can communicate.
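The server-side wait of S2 and S3, as an added example that is not part of the patent: a small tracker records the half-open connection when the accepted request reaches the server, answers with the return message (a SYN-ACK is assumed as $M_{\mathrm{response}}$), and either establishes the connection when the ACK arrives within $T_{\mathrm{wait}}$ or discards the half-open entry. The value of $T_{\mathrm{wait}}$, the client identifiers and the injected clock value `now` are this example's assumptions.

```python
from dataclasses import dataclass

T_WAIT = 3.0   # maximum time the server waits for the client's ACK (assumed value, seconds)


@dataclass
class Pending:
    client: tuple      # (ip, port) of the client; constructed identifiers in the demo
    deadline: float    # time by which the ACK must arrive (request time + T_wait)
    m_response: str    # the return message sent at the first handshake


class HandshakeTracker:
    """Server side of steps 105-106 / S2-S3: after the firewall passes a request,
    the server answers with M_response, starts the T_wait timer and moves the
    connection to the established state only if the ACK arrives in time."""

    def __init__(self, t_wait=T_WAIT):
        self.t_wait = t_wait
        self.pending = {}          # client -> Pending (half-open connections)
        self.established = set()
        self.discarded = 0

    def on_request(self, client, now):
        """First handshake: the request accepted by the firewall reaches the server."""
        self.pending[client] = Pending(client, now + self.t_wait, "SYN-ACK")
        return self.pending[client].m_response

    def on_ack(self, client, now):
        """Third handshake: the client's confirmation message ACK."""
        p = self.pending.pop(client, None)
        if p is None:
            return "unexpected"    # no half-open connection for this client
        if now > p.deadline:
            self.discarded += 1
            return "timeout"
        self.established.add(client)
        return "established"

    def expire(self, now):
        """Drop half-open connections whose T_wait has elapsed (the S3 discard step)."""
        stale = [c for c, p in self.pending.items() if now > p.deadline]
        for c in stale:
            del self.pending[c]
        self.discarded += len(stale)
        return len(stale)


if __name__ == "__main__":
    trk = HandshakeTracker()
    trk.on_request(("10.0.0.5", 40000), now=0.0)   # constructed client addresses
    trk.on_request(("10.0.0.6", 40001), now=0.5)
    print(trk.on_ack(("10.0.0.5", 40000), now=1.0))   # established
    print("expired:", trk.expire(now=10.0))            # 1 half-open entry dropped
    print(trk.on_ack(("10.0.0.6", 40001), now=10.5))  # unexpected
```

Periodically calling `expire` bounds the number of half-open entries the server keeps, which is the property that limits the damage of the SYN flood described in the background section.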
Fig. 2 is the traffic data screening diagram of the invention. Traffic data are collected over a period of time $T$ with a sampling interval of 1 s. The collected raw traffic sequence is denoted $R$ and the observation at time $t$ by $x_t$, where $x_t \in R$, $t = 1, 2, \dots, T$; the mean of the raw sequence $\{x_1, x_2, \dots, x_T\}$ and its variance $\mathrm{var}_R$ are computed. Before the traffic data are screened the observation sequence $X$ starts empty; each value in the sequence $R$ is judged in turn: when the value $x_t$ at time $t$ satisfies $|x_t| > k \cdot \mathrm{var}_R$, $x_t$ is rejected, where $k$ is the Grubbs test coefficient; otherwise $X = X \cup \{x_t\}$, with $x_t \in X$, $t = 1, 2, \dots, N$.
Fig. 3 is the sequence stationarization diagram of the invention. So that the difference sequence of the raw sequence reflects the trend of the data fluctuations better, the difference sequence of the raw sequence is defined as $D$, i.e. the observation sequence $\{x_1, x_2, \dots, x_N\}$ is preprocessed, with $d_t$ denoting the difference value at time $t$: $d_t = x_t - x_{t-1}$, $t > 1$, $d_t \in D$, $t = 1, 2, \dots, N$. The mean of the difference sequence $D$ gives the difference mean at time $t$, and the variance of $D$ is denoted $\mathrm{var}_D$; as $N \to \infty$ it follows that the difference of the traffic tends to be stationary.
Fig. 4 is the adaptive threshold calculation diagram of the invention. On entering real-time online anomaly detection, the adaptive threshold must first be calculated. In determining the adaptive threshold, $l_t$ and $h_t$ denote the minimum and maximum difference traffic permitted at time $t$. The invention calculates the adaptive threshold by a refresh mechanism, mainly as follows. The predicted threshold $p_t$ at time $t$ is obtained by accumulating the difference traffic of the previous moment, where $\alpha$ is a weighting constant determined mainly by the number of sending hosts in the model; it controls the proportion of new data in the model and how quickly the model adapts to local behaviour, thereby establishing the refresh mechanism of the normal model. If the current observation fully conforms to the normal model, the observation is considered normal. But since real conditions rarely satisfy the theoretical model, a confidence interval is set from the standard deviation of the observations; the tolerance range obtained differs according to the number of standard deviations added, and normally 2 to 3 standard deviations are used. Because the data have been difference-preprocessed, 2 standard deviations are used for the judgement here, which gives the threshold range in which $n$ denotes the number of client machines. The adaptive threshold interval thus obtained is $[l_t, h_t]$.
Fig. 5 is the multi-stage anomaly detection diagram of the invention. The request packet sent by the client is forwarded by the router to the firewall; after receiving the packet, the firewall calculates the adaptive threshold interval from the existing observation sequence. The main calculation is the first adaptive threshold detection, in which the traffic data at the next moment are checked mainly against the statistics of the network traffic. If the packet is judged normal in this detection, it is forwarded directly to the server; if it is judged anomalous, multi-stage detection further confirms whether the packet is an anomalous packet. In the further anomaly detection the packet is analysed and the key fields key_field are extracted and further checked; if normal, the packet is marked as a false positive and forwarded to the server; if the result is still anomalous, it is discarded. The next packet in the queue $Q$ is then processed in the same way.
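As an added example of the second detection stage (not the patent's code; the patent does not say which fields key_field contains), the following Python code decomposes a TCP header, extracts candidate key fields (ports, sequence and acknowledgement numbers, data offset, flags, window) and judges them against a few header-consistency rules chosen for illustration; a packet that fails any rule is discarded, and one that passes is marked as a false positive and forwarded. The sample packets are constructed with a small header builder and are not captured traffic.

```python
import struct

# TCP flag bits (standard values from the TCP header layout)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HEADER = "!HHIIBBHHH"   # src, dst, seq, ack, offset/reserved, flags, window, csum, urg


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Construct a 20-byte TCP header without options for the sample packets."""
    data_offset = 5 << 4            # 5 x 32-bit words, no options
    return struct.pack(TCP_HEADER, src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def extract_key_fields(packet):
    """Stage two, part 1: decompose the packet and pull out the key_field values."""
    if len(packet) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        TCP_HEADER, packet[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags, "window": window}


def judge_key_fields(kf):
    """Stage two, part 2: return the list of anomalous-field reasons (empty means
    normal). The rules are this example's assumptions; the patent lists none."""
    reasons = []
    f = kf["flags"]
    if f & TCP_SYN and f & TCP_FIN:
        reasons.append("SYN and FIN set together")
    if f & TCP_SYN and f & TCP_RST:
        reasons.append("SYN and RST set together")
    if f == 0:
        reasons.append("no flags set")
    if kf["src_port"] == 0 or kf["dst_port"] == 0:
        reasons.append("port 0")
    if kf["data_offset"] < 5:
        reasons.append("data offset below minimum header length")
    if f & TCP_SYN and not f & TCP_ACK and kf["ack"] != 0:
        reasons.append("initial SYN carries a non-zero ACK number")
    return reasons


def stage_two(packet):
    """Decision for a packet that failed primary detection:
    'forward' (marked as a false positive) or 'discard'."""
    reasons = judge_key_fields(extract_key_fields(packet))
    return "discard" if reasons else "forward"


# Constructed sample packets (client ports and sequence numbers are made up).
NORMAL_SYN = build_tcp_header(51234, 80, seq=0x1234ABCD, ack=0, flags=TCP_SYN)
SYN_FIN = build_tcp_header(51235, 80, seq=0x1, ack=0, flags=TCP_SYN | TCP_FIN)
NO_FLAGS = build_tcp_header(51236, 80, seq=0, ack=0, flags=0)

if __name__ == "__main__":
    for name, pkt in (("normal SYN", NORMAL_SYN), ("SYN+FIN", SYN_FIN), ("no flags", NO_FLAGS)):
        kf = extract_key_fields(pkt)
        print(f"{name:11s} flags=0x{kf['flags']:02x} -> {stage_two(pkt)}",
              judge_key_fields(kf))
```

A packet that reaches this stage has already been flagged by the threshold stage, so the rules only need to separate a surge of well-formed requests (a false positive, forwarded) from packets whose header fields are inconsistent with a legitimate connection attempt (discarded); the rule list is where an operator would add checks specific to their own environment.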
The above embodiment is to be understood as merely illustrating the invention and not limiting its scope. Having read the disclosure of the invention, those skilled in the art can make various changes or modifications to the invention, and these equivalent changes and modifications likewise fall within the scope of the claims of the invention.
Claims (3)
1. An efficient multi-stage anomalous traffic detection method based on TCP, characterised in that it comprises the following steps:
101. Collect network traffic data over a period $T$; for the raw sequence $R$ in the traffic data, denote the observation at time $t$ by $x_t$, $x_t \in R$, $t = 1, 2, \dots, T$; remove invalid traffic values $x_t$ according to the criterion $|x_t| > k \cdot \mathrm{var}_R$, where $k$ is the Grubbs test coefficient and $\mathrm{var}_R$ is the variance of the raw sequence $R$; the remaining traffic data form the observation sequence $X$;
102. Apply difference-smoothing preprocessing to the observation sequence $X$; the preprocessed difference sequence is $D$, with difference values $d_t = x_t - x_{t-1}$, $t > 1$, $d_t \in D$, $t = 1, 2, \dots, N$; after obtaining the difference sequence $D$, input it to step 103;
103. Compute the mean and variance of the observation sequence $X$ and of the difference sequence $D$ respectively, and from them estimate the interval $[l_t, h_t]$ in which the difference traffic value at time $t$ lies, where $N$ denotes the number of clients, $p_t$ is the predicted threshold at time $t$, $l_t$ and $h_t$ are the minimum and maximum difference traffic permitted at time $t$, and $\mathrm{var}_{d_t}$ is the variance of the difference traffic at time $t$; after the difference sequence $D$ of step 102 is input for detection, the firewall enables the primary detection defence function and checks the data sent against the predicted threshold $p_t$ at time $t$: when the difference traffic value at time $t$ lies within the predicted difference traffic interval $[l_t, h_t]$, it is judged normal traffic and forwarded to the server; when it falls outside $[l_t, h_t]$, it is judged anomalous traffic and the method jumps to step 104;
104. The firewall's multi-stage detection system decomposes the forwarded packet, extracts the key fields key_field from it and judges them; if no anomalous field is found, the packet is forwarded to the server; if an anomalous field is detected, the packet is discarded;
105. After the re-detection of step 104, normal packets are forwarded to the server, so that the server and the client establish the first handshake connection;
106. After the first handshake connection is established, the server sends the return message $M_{\mathrm{response}}$ to the client and waits for the client's confirmation message ACK; when the client receives the server's return message $M_{\mathrm{response}}$, the two ends establish the second handshake connection; after the server has received the confirmation message ACK, the server and the client establish the third handshake connection, and the two can communicate with each other.
2. The efficient multi-stage anomalous traffic detection method based on TCP according to claim 1, characterised in that the difference-smoothing preprocessing of step 102 consists of the following steps:
S21. For the network communication data sequence $\{x_1, x_2, \dots, x_T\}$ collected over the period $T$, analyse and remove outliers, keeping the normal values: if $|x_t| > k \cdot \mathrm{var}_R$, then $x_t$ is an outlier, where $k$ is the Grubbs test coefficient and $\mathrm{var}_R$ is the variance of the raw sequence $R$; the retained observations form the observation sequence $X$;
S22. For the raw sequence $R$, compute its mean and its variance $\mathrm{var}_R$;
S23. Apply difference preprocessing to the observation sequence $X$, giving $d_t \in D$, $t = 1, 2, \dots, T$, where $d_t = x_t - x_{t-1}$, $t > 1$;
S24. For the difference sequence $D$, compute its mean and its variance $\mathrm{var}_D$.
3. The efficient multi-stage anomalous traffic detection method based on TCP according to claim 2, characterised in that the mean of the raw sequence $R$ is computed from its formula, and $\mathrm{var}_R$ denotes the variance of the raw sequence.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510104409.2A CN104734916B (en) | 2015-03-10 | 2015-03-10 | A kind of high-efficiency multi-stage anomalous traffic detection method based on Transmission Control Protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104734916A CN104734916A (en) | 2015-06-24 |
CN104734916B true CN104734916B (en) | 2018-04-27 |