CN101753381B - Method for detecting network attack behaviors - Google Patents
- Publication number
- CN101753381B
- Authority
- CN
- China
- Prior art keywords
- window
- sub
- time series
- network traffics
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method for detecting network attack behaviors, comprising the following steps: (1) reconstructing the network traffic time series to be detected into a multi-dimensional phase space according to the complex non-linear properties of network traffic, and establishing a statistical distribution model from a normal network traffic time series; (2) stationarizing the network traffic time series to be detected and dividing it into sub-windows; and (3) using the statistical distribution model to calculate the parameters of every sub-window of the stationarized series, which yields a parameter sequence, and establishing a comprehensive decision model from that parameter sequence to detect anomalies. Reconstructing the network traffic into a multi-dimensional space fully exposes the information hidden in the one-dimensional space, reduces the computational complexity in each dimension and improves running speed; the method improves the robustness and accuracy of the system and is characterized by low computational complexity, a high detection rate and a low false detection rate.
Description
Technical field
The present invention relates to network information security and mathematical statistics, and more particularly to a method for detecting attacks. The method detects attacks on the basis of phase space reconstruction and superstatistics theory, can discover network faults and performance problems in a timely manner, and is significant for improving the availability and reliability of the network and for guaranteeing network quality of service.
Background art
Existing research shows that the traffic of all kinds of network services has chaotic dynamics characteristics. Phase space reconstruction is an important method for studying and analyzing chaotic dynamical systems from time series. A network traffic sequence that contains attacks (anomalous network traffic) is often the combined expression of many interacting system factors: it contains traces of all the variables that take part in the motion, but it is not a true reflection of the system. The phase space reconstruction theory proposed by Packard et al. holds that, because the observed time series data contain traces of all the variables, the data points obtained successively in time are correlated with one another, and reconstructing the series into a higher-dimensional space reveals the system information contained in the time series more fully. It has been proven that, when the embedding dimension m and the time delay τ are chosen appropriately, the reconstructed phase space has the same geometric properties and information attributes as the actual dynamical system and has all the characteristics of the real space. We therefore use the phase space method to study and analyze anomalous network traffic; after reconstruction, the phase space remains consistent with the intrinsic structure of the original network traffic dynamical system.
Superstatistics theory belongs to the frontier of physics and remedies the shortcomings of traditional statistical methods. Superstatistics means "statistics of statistics" and is used to describe a compound of several dynamical subsystems. Network traffic is non-stationary and bursty, and its statistical distribution parameters vary randomly or in complex ways, which easily causes problems for existing anomaly detection. Superstatistics theory, which studies the statistics of statistics, that is, the variation of the statistical parameters, is the most suitable way to meet this challenge.
Abrupt-change analysis is an important area of time series research. In the mid-1960s, led by the work of the French mathematician Thom, catastrophe theory gradually took shape. A catastrophe means that the system has changed suddenly: it is the sudden response of the system to a smooth change in external conditions. The abrupt changes usually discussed are elementary catastrophes, such as changes in the mean, in frequency, in trend and in variance. Network traffic is often controlled by several driving factors, so its behavior is non-linear, non-stationary and complex, and its intrinsic dynamic structure may also change rapidly as the driving factors change; that is, its intrinsic evolution equation changes abruptly, which is a dynamic structure catastrophe.
The patent document "A network traffic anomaly detection method based on superstatistics theory" (publication number CN101286897, published 2008.10.15) proposes determining a distribution model according to the actual characteristics of network traffic, computing from this distribution model the slow-variable sequence of the network traffic time series, that is, the distribution parameter sequence, and detecting network traffic anomalies from abnormal fluctuations of the slow-variable sequence. That method performs statistical analysis directly on the whole of the traffic data: the data volume is large and information inside the system is hard to find. In addition, it relies on detection with a single slow-variable sequence, so its reliability is weak and its false detection rate is high.
Summary of the invention
The object of the present invention is to provide a method for detecting attacks that has high reliability and a low false detection rate.
The method for detecting attacks provided by the invention comprises the following steps:
Step 1: according to the complex non-linear characteristics of network traffic, reconstruct the network traffic time series to be detected into a multi-dimensional phase space, and establish a statistical distribution model from a normal network traffic time series;
Step 2: stationarize the network traffic time series to be detected and divide it into sub-windows;
Step 3: using the statistical distribution model, calculate the parameters of each sub-window of the stationarized network traffic time series to obtain a parameter sequence, then establish a comprehensive decision model based on this parameter sequence and detect anomalies.
The invention first expands the series into a multi-dimensional phase space by phase space reconstruction, so that the information contained in the original network traffic sequence is fully revealed, while the computational complexity in each dimension is reduced. It then applies superstatistics theory to the non-stationary, complex nature of network traffic: by finding the parameter sequences that reflect the traffic statistical model, it changes the object of study, shifting the focus from the complex network traffic data to the parameter sequences that determine essential changes of the system. This takes the system as a whole into account and avoids the computational cost of traditional statistical-model parameter tests, which further reduces the computational complexity. Repeated experiments gave good results, and comparison with applying the superstatistics test directly, without phase space reconstruction, shows that this method greatly reduces the false detection rate while maintaining the detection rate.
Compared with the technical solution of the reference document, the present invention reconstructs the network traffic into a multi-dimensional space. On the one hand this fully exposes the information contained in the one-dimensional space; on the other hand, the reconstruction reduces the computational complexity in each dimension and increases running speed. In addition, when studying the parameter sequences of the distribution model, the invention does not use only a single slow-variable sequence but a comprehensive decision model that takes a multi-parameter sequence model into account, which improves the robustness and accuracy of the system. Compared with other network traffic anomaly detection models, this method has low computational complexity, a high detection rate and a low false detection rate.
Description of drawings
Fig. 1 is a flow chart of the attack detection method provided by the invention.
Fig. 2 is a diagram illustrating the method provided by the invention for stationarizing network traffic.
Embodiment
The present invention is explained in further detail below with reference to the accompanying drawings and an example:
(1) Phase space reconstruction of the network traffic time series, and establishment of a statistical distribution model from a normal network traffic time series.
(1.1) Choose a phase space reconstruction method according to the complex non-linear characteristics of the network traffic time series, and reconstruct the network traffic time series into a multi-dimensional phase space. It has been proven that, once the embedding dimension m and the time delay τ are determined, the reconstructed phase space has the same geometric properties and information attributes as the actual dynamical system and has all the characteristics of the real space. We therefore use the phase space method to study and analyze anomalous network traffic; after reconstruction, the phase space remains consistent with the intrinsic structure of the original network traffic dynamical system. Common methods for calculating the time delay τ include the autocorrelation function method, the mutual information method and the average displacement method; the embedding dimension m can be calculated with the false nearest neighbour method or the algorithm of P. Grassberger and I. Procaccia (the G-P algorithm for short), among others.
(1.2) Study the characteristics of the network traffic in each dimension, and determine a model that matches its distribution characteristics according to the actual characteristics of the traffic. A suitable distribution model can be chosen to fit local network traffic according to the specific characteristics of normal network traffic. This distribution model must be able to describe the characteristics of the local network traffic time series and must pass a goodness-of-fit test against the local network traffic, such as the general Pearson goodness-of-fit test, the Kolmogorov-Smirnov test, the correlation coefficient test, or tests aimed at a specific distribution model, for example the W test and the D test for the normal distribution. Early network traffic, with a simple network structure and few network services, can be fitted locally with common distribution models such as the Poisson distribution model and the normal distribution model; the discrete generalized Pareto distribution model, the gamma distribution model and others can be used to fit later network traffic.
Steps (1.1) and (1.2) may be carried out in either order, or simultaneously.
(2) Stationarization of the network traffic time series
Establishing a statistical distribution model requires the sequence to be stationary, but existing research has shown that the network traffic time series is a complex non-stationary sequence. An appropriate method should therefore first be chosen to stationarize the network traffic time series, turning the non-stationary series into a sequence of sub-windows that are at least wide-sense stationary.
(3) Calculate the statistical distribution model parameters within each sub-window, establish a comprehensive decision model from the parameter sequences, and detect anomalies.
Study how the distribution model parameters vary in each dimension, and determine a comprehensive decision model from the variation of the parameter sequences to detect network traffic anomalies. For each sub-window sequence, calculate the parameters of the distribution model that matches the network traffic characteristics. From the parameter sequences obtained, determine the number of control variables (a different number of control variables is also possible; the catastrophe model adopted would simply differ); the state variable is the network traffic, so a suitable catastrophe model can be selected. Calculate the distance D from the feature quantity P to the bifurcation set; when it exceeds the corresponding threshold, anomalous network behavior has occurred.
The method of the invention is explained in further detail below with reference to an example.
(1) Preprocessing of the network traffic time series
(a) Data acquisition
The Information Systems Technology Group of MIT Lincoln Laboratory, sponsored by the U.S. Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory, provides test data sets for evaluating computer network intrusion detection systems. The data set contains rich packet traffic and many different types of intrusion attack (mainly denial-of-service attacks, DoS; distributed denial-of-service attacks, DDoS; remote attacks, R2L; attacks in which a local user illegally elevates privileges, U2R; and four types of illegal monitoring and probing, etc.). Each data item consists of the packet number, part of the packet and text. The packet header records information such as the start time of the packet, the time interval from the first packet, the source address, the destination address, the packet length and the network protocol. The packets are mainly of the following types: IP, arp and netbeui. The length (in bytes) of an IP packet is the byte count given in brackets plus 40 (the IP header length); netbeui is a local area network protocol, and packets that conform to it are 14 bytes long; arp (Address Resolution Protocol) packets are 28 bytes long.
(b) Generation of the network traffic time series
The periodic sampling method samples network traffic periodically at a fixed frequency scale; the result represents the number of bytes or packets arriving per unit time. This method groups packets by a fixed time interval, then accumulates the byte count or the packet count of the packets in each group; the accumulated byte counts or packet counts of the groups form a time series.
A time series formed from the packet buffer queue groups packets by their order of arrival in the packet buffer, with a fixed number of packets in each group; the byte counts of the packets in each group are then accumulated, and the accumulated byte counts of the groups form a time series.
(2) Phase space reconstruction of the network traffic time series
For a time series x(t), once the embedding dimension m and the time delay τ are determined, the phase space y(t) can be reconstructed according to formula (1). The reconstructed phase space has the same geometric properties and information attributes as the original actual dynamical system and has all the characteristics of the real space.
$$y(t_i) = [x(t_i),\, x(t_i+\tau),\, \ldots,\, x(t_i+(m-1)\tau)], \quad i = 1, 2, \ldots, n \qquad (1)$$
where t denotes the sample points of the time series, i is the index within the time series, and n is a positive integer. The methods for calculating the time delay τ and the embedding dimension m are given below:
A. Calculation of the time delay τ
The average mutual information method is an effective way of estimating the time delay for phase space reconstruction and is very widely used in phase space reconstruction. The mutual information function method was given by Shaw and Fraser [FRASER A M, SWINNEY H L. Phys Rev A, 1986, 33: 1134-1140]: the mutual information function expresses the general dependence between successive points of the time series, and the time corresponding to its first local minimum is chosen as the delay time.
For a variable S(l) containing N elements, l = 1, 2, ..., N, let $P_S(S_k)$ denote the probability that the variable S is in state $S_k$ (k = 1, 2, ..., N); the information entropy of the variable S is then defined as:
The conditional entropy of the delayed variable q(l) = S(l+τ) of S(l), given S(l), is defined as:
where $P_{Sq}(s_i, q_i)$ is the joint probability that the variables S and q take the values $s_i$ and $q_i$ respectively, and H(S, q) is the joint entropy of the variables S and q. The mutual information of the variables S and q is:
$$I(q,S) = H(q) - H(q|S) = H(q) + H(S) - H(q,S) = I(S,q)$$
In the general case, the mutual information $I_n(\tau)$ of a time series x(n) and its delayed sequence x(n+τ) can be expressed as:
$$I_n(\tau) = H(x) + H(x_\tau) - H(x, x_\tau) \qquad (2)$$
With τ as the delay time of the reconstruction vectors, the time at which $I_n(\tau)$ first reaches a minimum can be used as the time delay τ for phase space reconstruction.
B. Calculation of the embedding dimension m
The method adopted here is the one proposed by Grassberger and Procaccia (the G-P algorithm for short) [Grassberger P and Procaccia I 1983 Phys. Rev. Lett. 50 346] for calculating the embedding dimension from a time series.
A measured time series {x(i), i = 1, ..., n} (n is a positive integer) is embedded into the m-dimensional Euclidean space $R^m$ to form a set. The main steps are as follows:
1) First convert the time series {x(i), i = 1, 2, ..., n} into the m-dimensional Euclidean space $R^m$, a reconstructed phase space, obtaining $n_m$ sample points, where $n_m = n - (m-1)\tau$.
2) Compute the correlation function
From these $n_m$ points choose any reference point x(i), and calculate according to formula (2) the distances $r_{i,j}$ from the remaining $n_m - 1$ points to x(i).
Repeat this process for all x(i) (i = 1, 2, ..., $n_m$) to obtain the correlation integral function $C_m(r)$.
H in formula (3) is the Heaviside function,
When r is taken sufficiently small, the correlation integral function approximates the following formula, where C is a constant:
$$\ln C_m(r) = \ln C + d(m) \ln r$$
Therefore, the correlation dimension of the m-dimensional space data
When D(m) no longer changes as the dimension m increases, it is the dimension d of the system: $d = \lim_{m \to \infty} D(m)$
In practical calculation this is the smoothest segment of the best-fit straight line, and the slope of the line is d.
From the time delay and embedding dimension calculated above, the reconstructed phase space can be determined.
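An added Python example, not part of the patent, that carries out the reconstruction steps of this section: formula (1), delay selection by the first minimum of formula (2), and the slope d(m) of ln C_m(r) against ln r. The 16-bin histogram entropy estimate, the pair-fraction form of C_m(r) (the page's formula (3) is not reproduced), the saturation tolerance, the function names and the sample series are assumptions made here.

```python
import math
from collections import Counter


def embed(x, m, tau):
    """Formula (1): y(t_i) = [x(t_i), x(t_i + tau), ..., x(t_i + (m-1)tau)]."""
    n_m = len(x) - (m - 1) * tau  # n_m = n - (m-1)tau reconstructed points
    if n_m <= 0:
        raise ValueError("series too short for this m and tau")
    return [tuple(x[i + j * tau] for j in range(m)) for i in range(n_m)]


def _states(x, bins):
    """Quantise samples into equal-width bins; each bin is one state S_k."""
    lo, hi = min(x), max(x)
    width = (hi - lo) / bins or 1.0  # constant series: everything in bin 0
    return [min(int((v - lo) / width), bins - 1) for v in x]


def _entropy(symbols):
    """Shannon entropy (bits) of a list of hashable states."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def mutual_information(x, tau, bins=16):
    """Formula (2): I_n(tau) = H(x) + H(x_tau) - H(x, x_tau)."""
    s = _states(x, bins)
    head, lagged = s[:len(s) - tau], s[tau:]
    return _entropy(head) + _entropy(lagged) - _entropy(list(zip(head, lagged)))


def first_minimum_delay(x, max_tau=50, bins=16):
    """Smallest tau >= 1 at which I_n(tau) has a local minimum."""
    mi = [mutual_information(x, t, bins) for t in range(max_tau + 1)]
    for t in range(1, max_tau):
        if mi[t] < mi[t - 1] and mi[t] <= mi[t + 1]:
            return t
    return max_tau  # no interior minimum: fall back to the largest lag tried


def correlation_sum(points, r):
    """C_m(r): fraction of distinct point pairs no farther apart than r."""
    n, close = len(points), 0
    for i in range(n):
        for j in range(i + 1, n):
            if math.dist(points[i], points[j]) <= r:
                close += 1
    return 2.0 * close / (n * (n - 1))


def correlation_dimension(points, radii):
    """d(m): least-squares slope of ln C_m(r) against ln r."""
    pairs = [(math.log(r), correlation_sum(points, r)) for r in radii]
    pairs = [(lx, math.log(c)) for lx, c in pairs if c > 0]  # ln 0 is undefined
    if len(pairs) < 2:
        raise ValueError("need at least two radii with C_m(r) > 0")
    mx = sum(p[0] for p in pairs) / len(pairs)
    my = sum(p[1] for p in pairs) / len(pairs)
    return (sum((lx - mx) * (ly - my) for lx, ly in pairs)
            / sum((lx - mx) ** 2 for lx, _ in pairs))


def saturating_dimension(x, tau, radii, m_max=8, tol=0.05):
    """Raise m until d(m) stops changing; return (m, d(m))."""
    prev = None
    for m in range(1, m_max + 1):
        d = correlation_dimension(embed(x, m, tau), radii)
        if prev is not None and abs(d - prev) < tol:
            return m - 1, prev
        prev = d
    return m_max, prev


# Constructed sample: bytes per interval with a 24-sample cycle plus a slower drift.
SAMPLE = [int(500 + 300 * math.sin(2 * math.pi * t / 24) + 80 * math.sin(t / 7.0))
          for t in range(240)]

if __name__ == "__main__":
    tau = first_minimum_delay(SAMPLE, max_tau=20)
    m, d = saturating_dimension(SAMPLE, tau, radii=[80, 120, 180, 270], m_max=5)
    print("tau =", tau, "m =", m, "d(m) = %.2f" % d, "points =", len(embed(SAMPLE, m, tau)))
```

The radii must lie in the range where ln C_m(r) is close to linear in ln r for the data at hand; outside it the slope is not a dimension estimate.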
(3) Establishing a statistical distribution model from a normal network traffic time series
A. Normal network traffic is locally very bursty, and the histogram shows that real network traffic has an obvious heavy tail. Based on these characteristics of normal network traffic, the discrete generalized Pareto distribution is chosen in this example to analyze local network traffic.
B. Testing the distribution model
The model is tested for goodness of fit to verify the accuracy and validity of the method. Here we use a graphical test and the correlation coefficient test. The graphical test shows visually that all the points fall essentially on a straight line, which indicates that the data pass the distribution plot test for the discrete generalized Pareto distribution. The result of the R^2 test, calculated further, also confirms that the distribution model is accurate.
(4) Stationarization of the network traffic time series
Because anomalous traffic is a complex non-linear or random process of change, simple differencing is generally ineffective for making it stationary. Following the idea of calculus, processing the series in windows effectively reduces its significance and complexity within each sub-window. The non-stationary sequence is therefore divided into stationary sub-windows: after the corresponding statistical model has been determined from the statistical characteristics of the traffic itself, the windows are divided on the principle that the parameters of the statistical model remain wide-sense stationary within each sub-window.
The heuristic segmentation algorithm (proposed by Galvan in 2001), which we take as a reference, is an effective method that divides a non-stationary time series into stationary subsequences according to the mean, but it divides windows over the whole sequence at once rather than segmenting in the direction of increasing time. The main idea of the method we adopt is as follows, with reference to Fig. 2:
Step 2.1: Denote the network traffic time series to be tested as x(t), containing N points. Denote the initial window part as $L_s$ and the initial sliding window as $L_m$; the region $L_s + L_m$ is the current window. Let i be the end position of the current window, let the length of $L_s + L_m$ be $N_2(i)$ and the length of $L_s$ be $N_1$, and calculate the means $\mu_1(i)$, $\mu_2(i)$ and the standard deviations $s_1(i)$ and $s_2(i)$ of the $L_s$ and ($L_s + L_m$) parts respectively. The pooled deviation $S_D(i)$ of the current window is then
where the statistic T(i) quantifies the difference between $L_s$ and $L_s + L_m$:
Step 2.2: If 3G ≥ T(i) ≥ G, where G is a set threshold, G = 0.5, go to step 2.3; otherwise adjust the length of $L_m$ according to the following rules:
If T(i) < G, scale the sliding window further, $L_m = L_m + L_f$ (the initial value of $L_m$ is 10; $L_f$ is the sliding increment, greater than 0 and less than $L_m$, and can initially be 3~5), and repeat the steps above;
If T(i) > 3G, scale the sliding window further, $L_m = L_m - L_f$ (the initial value of $L_m$ is 10; $L_f$ is the sliding increment, greater than 0 and less than $L_m$, and can initially be 2~3), and repeat the steps above;
Step 2.3: Take the position of the last point of $L_m$ as the first sub-window cut point $W_1$; then, starting from position $W_1$, calculate the next T(i) as in step 2.1 to obtain the second sub-window cut point $W_2$, and so on until the end of the sequence.
The size of each sub-window is obtained in turn. Denoting the total number of sub-windows by nn, the network traffic consists of nn sub-windows, written x{($x_1$, $x_2$, ..., $x_{W_1}$), ($x_{W_1+1}$, ..., $x_{W_2}$), ..., (..., $x_{W_{nn}}$)} = x{$xw_1$, $xw_2$, ..., $xw_{nn}$}.
(5) Calculate the statistical distribution model parameters within each sub-window, and establish a comprehensive decision model from the parameter sequences to detect anomalies.
A. Parameter estimation method
A new GPD parameter estimation method proposed by Rasmussen in 2001, generalized probability weighted moments (GPWM) estimation, is adopted. The GPWM method:
($x_{1:n} \le x_{2:n} \le \ldots \le x_{n:n}$) is the ordered sample; v can be any real number, and the GPWM method usually takes $v_1 = 1$, $v_2 = 1.5$. $P_{j:n}$ is the Kaplan-Meier estimate of the sample cumulative distribution function, that is, the empirical cumulative distribution function. The scale parameter b and the shape parameter k can be calculated with the following two formulas.
By repeated iterative computation, the shape parameter and scale parameter of the discrete generalized Pareto distribution can be calculated. Calculate the parameter values k and b of each sub-window according to formulas (7) and (8) to form the parameter sequences used for detection, {$k_1$, $k_2$, ..., $k_{nn}$} and {$b_1$, $b_2$, ..., $b_{nn}$} (nn is the total number of sub-windows).
B. Comprehensive decision model based on catastrophe theory
Because network traffic is non-linear, non-stationary and complex, an anomalous change in network traffic is a catastrophe process, and a suitable catastrophe model can be selected to describe the dynamic behavior of network traffic according to the number of control variables and state variables. From the parameter sequences {$k_1$, $k_2$, ..., $k_{nn}$} and {$b_1$, $b_2$, ..., $b_{nn}$} obtained above, the number of control variables is 2 (a different number of control variables is also possible; the catastrophe model adopted would simply differ), namely the shape parameter and the scale parameter of the discrete generalized Pareto model, and the state variable is the network traffic x{$xw_1$, $xw_2$, ..., $xw_{nn}$}, so the cusp catastrophe model can be selected. The cusp catastrophe model describes the system state x with two control variables (u, v); the parameter space formed by (u, v) is also called the control space. Its potential function can be expressed as follows:
$$F(u,v,x) = x^4 + a u x^2 + b v x \qquad (9)$$
where a and b are coefficients, x is the state variable, that is, the network traffic x{$xw_1$, $xw_2$, ..., $xw_{nn}$}, and u, v are the control variables, that is, the shape parameters {$k_1$, $k_2$, ..., $k_{nn}$} and scale parameters {$b_1$, $b_2$, ..., $b_{nn}$} calculated above. Different numerical combinations of the control parameters form potential functions of different structure; the stable solutions of these potential functions, which form their equilibrium surface, are obtained simply by differentiating, as in the formula below. Using all the (x, u, v) calculated above, compute the sum of squares of formula (10) and formula (11); the a and b obtained from this sum are the values of the coefficients a and b.
$$M_F: \{(u,v,x) \mid 4x^3 + 2aux + bv = 0\} \qquad (10)$$
Eliminating the state variable gives the bifurcation set S formed by (u, v), as follows:
$$8a^3u^3 + 27b^2v^2 = 0 \qquad (11)$$
According to the catastrophe model that has been established, set a threshold ξ. Using newly observed network traffic data and the phase space reconstruction method, the corresponding feature quantity P(u, v) can be calculated; the distance D from P to the bifurcation set S is calculated according to formula (11), and when D ≤ ξ a network traffic anomaly is detected. In practical calculation, the threshold ξ can be obtained by scaling the mean distance to the bifurcation set of the feature quantity P of the first 5 sub-windows.
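The decision rule above (distance D from P(u, v) to the bifurcation set of formula (11), threshold ξ from the first five sub-windows, anomaly when D ≤ ξ), as an added Python example that is not part of the patent. The coefficients a and b are taken as already fitted; the 0.5 scaling of ξ, the numerical search, the function names and the parameter sequences are assumptions constructed here to exercise the rule, not estimates from real traffic.

```python
import math


def distance_to_bifurcation_set(u0, v0, a, b, passes=5, grid=400):
    """Distance D from P(u0, v0) to the curve 8a^3u^3 + 27b^2v^2 = 0 (formula 11)."""
    if a == 0 or b == 0:
        raise ValueError("coefficients a and b must be non-zero")

    # Parametrise the curve by s = -a*u >= 0:  u = -s/a,  |v| = sqrt(8 s^3 / 27) / |b|.
    # The curve is symmetric in v, so |v0| and the upper branch are sufficient.
    def dist(s):
        return math.hypot(u0 + s / a, abs(v0) - math.sqrt(8.0 * s ** 3 / 27.0) / abs(b))

    d_cusp = math.hypot(u0, v0)                 # distance to the cusp point (0, 0)
    lo, hi = 0.0, abs(a) * (abs(u0) + d_cusp)   # beyond hi the curve is farther than the cusp
    if hi == 0.0:
        return 0.0
    # Coarse grid search, then repeatedly zoom into the cell around the best sample.
    for _ in range(passes):
        step = (hi - lo) / grid
        best = min(range(grid + 1), key=lambda i: dist(lo + i * step))
        lo, hi = max(0.0, lo + (best - 1) * step), lo + (best + 1) * step
    return min(dist(lo), dist((lo + hi) / 2.0), dist(hi))


def detect(shape_k, scale_b, a, b, n_baseline=5, scale=0.5):
    """Return (xi, indices of sub-windows whose P(k_i, b_i) has D <= xi)."""
    d = [distance_to_bifurcation_set(u, v, a, b) for u, v in zip(shape_k, scale_b)]
    xi = scale * sum(d[:n_baseline]) / n_baseline   # scaled mean of the first sub-windows
    return xi, [i for i, di in enumerate(d) if di <= xi]


# Constructed parameter sequences: one (k_i, b_i) pair per sub-window.
SHAPE_K = [2.0, 2.1, 1.9, 2.0, 2.05, 2.0, -3.0, 1.95]
SCALE_B = [0.10, 0.12, 0.09, 0.10, 0.11, 0.10, 2.8, 0.10]

if __name__ == "__main__":
    xi, flagged = detect(SHAPE_K, SCALE_B, a=1.0, b=1.0)
    print("xi = %.3f, anomalous sub-windows: %s" % (xi, flagged))
```

The rule flags a sub-window when its parameter point moves close to the bifurcation curve, so the choice of scaling for ξ directly sets the trade-off between detection rate and false detection rate.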
The above is a preferred embodiment of the present invention, but the invention should not be limited to the content disclosed in this embodiment and the accompanying drawings. Any equivalents or modifications made without departing from the spirit disclosed by the invention therefore fall within the scope of protection of the invention.
Claims (4)
1. A method for detecting attacks, comprising the steps of:
Step 1: according to the complex non-linear characteristics of network traffic, reconstruct the network traffic time series to be detected into a multi-dimensional phase space, and establish a statistical distribution model from a normal network traffic time series;
Step 2: stationarize the network traffic time series to be detected and divide it into sub-windows;
Step 3: using the statistical distribution model, calculate the parameters of each sub-window of the stationarized network traffic time series to obtain a parameter sequence, then establish a comprehensive decision model based on this parameter sequence and detect anomalies.
2. The method for detecting attacks according to claim 1, characterized in that step 1 comprises the following process:
(1.1) first calculate the time delay and the embedding dimension, then reconstruct the network traffic time series to be detected into a multi-dimensional space based on the time delay and the embedding dimension;
(1.2) according to the statistical characteristics of the normal network traffic time series, determine a distribution model to fit local network traffic; this distribution model can describe the characteristics of the local network traffic time series and can pass the Kolmogorov-Smirnov test and the correlation coefficient test of goodness of fit.
3. The method for detecting attacks according to claim 2, characterized in that step 2 specifically comprises the following process:
Step 2.1: Denote the network traffic time series to be tested as x(t), containing N points. Denote the initial window part as $L_s$, with $L_s$ in the range 100~300, and the length of the initial sliding window as $L_m$, with an initial value of 8~15; the region $L_s + L_m$ is a sub-window. Let i be the sequence number of the sub-window, a positive integer starting from 1; let the length of $L_s + L_m$ be $N_2(i)$ and the length of $L_s$ be $N_1$, and calculate the means $\mu_1(i)$, $\mu_2(i)$ and the standard deviations $s_1(i)$ and $s_2(i)$ of the $L_s$ and ($L_s + L_m$) parts respectively. The pooled deviation $S_D(i)$ of the current window is then
where the statistic T(i) quantifies the difference between $L_s$ and $L_s + L_m$:
Step 2.2: If 3G ≥ T(i) ≥ G, where G is a threshold in the range 0.3~0.6, go to step 2.3; otherwise adjust the length of $L_m$ according to the value of T(i) by the following rules:
If T(i) < G, scale the sliding window further, $L_m = L_m + L_f$, where the initial value of $L_m$ is 10 and $L_f$ is the sliding increment, greater than 0 and less than $L_m$, with $L_f$ initially 3~5; then go to step 2.1;
If T(i) > 3G, scale the sliding window further, $L_m = L_m - L_f$, where the initial value of $L_m$ is 10 and $L_f$ is the sliding increment, greater than 0 and less than $L_m$, with $L_f$ initially 2~3; then go to step 2.1;
Step 2.3: Take the position of the last point of $L_m$ as the cut point $W_i$ of the i-th sub-window; then, from position $W_i$, calculate the next T(i) in the manner of step 2.1 to obtain the cut point $W_2$ of the (i+1)-th sub-window, and repeat until the end of the sequence;
The size of each sub-window is obtained in turn.
4. The method for detecting attacks according to claim 3, characterized in that the 3rd step specifically comprises the following process:
Step 3.1: Using the generalized probability-weighted moment estimation method or the probability-weighted moments method, and according to the statistical distribution model obtained in the 1st step, perform parameter estimation on all sub-windows in turn to obtain the scale and shape parameter sequences {k_1, k_2, ..., k_nn} and {b_1, b_2, ..., b_nn}, where nn denotes the total number of sub-windows;
Step 3.2: Perform anomaly detection using the cusp catastrophe model;
Using the cusp catastrophe model, let the shape parameter and the scale parameter be the control variables and the network traffic be the state variable; from this, calculate the coefficient values of the potential function formed by the state variable and the control variables, and then calculate the bifurcation set formed by the control variables and the coefficients;
According to the established catastrophe model, the shape parameters {k_1, k_2, ..., k_nn} and the scale parameters {b_1, b_2, ..., b_nn} calculated in Step 3.1 are denoted u and v, i.e. u = {k_1, k_2, ..., k_nn}, v = {b_1, b_2, ..., b_nn}, and u and v form the feature quantity P(u, v); a threshold ξ is set, whose value is the mean of the distances from the feature quantity P of the first 3~10 sub-windows to the bifurcation set; the distance D from the feature quantity P to said bifurcation set is calculated, and when D ≤ ξ, an anomaly in the network traffic is detected.
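The decision rule of Step 3.2, as an added Python sketch that is not part of the patent text. It assumes the canonical cusp potential V(x) = x^4/4 + u·x^2/2 + v·x, whose bifurcation set is 4u^3 + 27v^2 = 0, and uses the per-window values directly as (u, v); the patent's own coefficient calculation is not given in this section, and the parameter values are constructed.

```python
import math

def dist_to_bifurcation(u, v, t_max=5.0, steps=4001):
    """Distance D from P(u, v) to the cusp bifurcation set 4u^3 + 27v^2 = 0.

    The set is the curve (u, v) = (-3t^2, 2t^3) under the assumed canonical
    potential. Only |t| <= t_max is searched, i.e. u >= -3 * t_max^2.
    """
    def d2(t):
        return (u + 3 * t * t) ** 2 + (v - 2 * t ** 3) ** 2
    h = 2 * t_max / (steps - 1)
    t0 = min((-t_max + i * h for i in range(steps)), key=d2)   # coarse scan
    lo, hi = t0 - h, t0 + h
    for _ in range(60):                                        # ternary refinement
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if d2(m1) < d2(m2):
            hi = m2
        else:
            lo = m1
    return math.sqrt(d2((lo + hi) / 2))

def detect(k_seq, b_seq, baseline=5):
    """Return (xi, flagged window indices) for u = {k_i}, v = {b_i}."""
    D = [dist_to_bifurcation(u, v) for u, v in zip(k_seq, b_seq)]
    xi = sum(D[:baseline]) / baseline      # mean distance of the first 3~10 windows
    # Design choice of this sketch: score only windows after the baseline.
    flagged = [i for i in range(baseline, len(D)) if D[i] <= xi]
    return xi, flagged

# Constructed per-window parameters (not measured traffic).
K = [1.0, 1.2, 0.9, 1.1, 1.0, 1.3, 1.2, 0.2, -3.0, 1.25]
B = [0.5, 0.4, 0.6, 0.5, 0.5, 0.6, 0.5, 0.3, 2.0, 0.55]
```

Because ξ is a mean of baseline distances, windows inside the baseline can themselves satisfy D ≤ ξ, which is why the sketch scores only the windows that follow it.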
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910273376A CN101753381B (en) | 2009-12-25 | 2009-12-25 | Method for detecting network attack behaviors |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101753381A (en) | 2010-06-23 |
CN101753381B (en) | 2012-10-10 |
Family
ID=42479816
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910273376A Expired - Fee Related CN101753381B (en) | 2009-12-25 | 2009-12-25 | Method for detecting network attack behaviors |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101753381B (en) |
Families Citing this family (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102404164A (en) * | 2011-08-09 | 2012-04-04 | 江苏欣网视讯科技有限公司 | Flow analysis method based on ARMA model and chaotic time series model |
CN102299829B (en) * | 2011-09-01 | 2014-02-12 | 北京市天元网络技术股份有限公司 | Network failure probing and positioning method |
CN103001972B (en) * | 2012-12-25 | 2015-11-25 | 山石网科通信技术有限公司 | The recognition methods of DDOS attack and recognition device and fire compartment wall |
CN103487783B (en) * | 2013-10-11 | 2015-08-12 | 云南云电同方科技有限公司 | A kind of intelligent electric meter system malicious node recognition methods based on potential function |
US10069691B2 (en) * | 2013-11-26 | 2018-09-04 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for anomaly detection in a network |
CN103795590B (en) * | 2013-12-30 | 2017-07-04 | 北京天融信软件有限公司 | A kind of computational methods of network traffics detection threshold value |
CN104866699B (en) * | 2014-02-25 | 2017-07-14 | 上海征途信息技术有限公司 | A kind of online game intelligent data analysis method |
TWI534704B (en) * | 2014-11-21 | 2016-05-21 | 財團法人資訊工業策進會 | Processing method for time series and system thereof |
CN104734916B (en) * | 2015-03-10 | 2018-04-27 | 重庆邮电大学 | A kind of high-efficiency multi-stage anomalous traffic detection method based on Transmission Control Protocol |
CN105743913B (en) * | 2016-03-31 | 2019-07-09 | 广州华多网络科技有限公司 | The method and apparatus for detecting network attack |
CN106375157B (en) * | 2016-10-31 | 2019-11-12 | 华侨大学 | A kind of network flow correlating method based on phase space reconfiguration |
CN107481090A (en) * | 2017-07-06 | 2017-12-15 | 众安信息技术服务有限公司 | A kind of user's anomaly detection method, device and system |
CN107563017B (en) * | 2017-08-15 | 2021-02-05 | 华北电力大学 | Optimal length selection method for online monitoring data of oil chromatography |
CN107483455B (en) * | 2017-08-25 | 2020-07-14 | 国家计算机网络与信息安全管理中心 | Flow-based network node anomaly detection method and system |
CN107566192B (en) * | 2017-10-18 | 2019-09-20 | 中国联合网络通信集团有限公司 | A kind of abnormal flow processing method and Network Management Equipment |
CN109889470B (en) * | 2017-12-06 | 2020-06-26 | 中国科学院声学研究所 | Method and system for defending DDoS attack based on router |
CN108198271B (en) * | 2017-12-26 | 2020-09-18 | 卡斯柯信号有限公司 | Train operation risk dynamic analysis method based on SEUM (remote intelligent management) utilization vehicle-mounted computer |
CN110198294B (en) * | 2018-04-11 | 2022-04-12 | 腾讯科技(深圳)有限公司 | Security attack detection method and device |
CN108429771B (en) * | 2018-06-11 | 2021-02-05 | 中国人民解放军战略支援部队信息工程大学 | Mutation theory-based software defined network security state evaluation method and device |
CN109040084B (en) * | 2018-08-13 | 2021-03-12 | 广东电网有限责任公司 | Network flow abnormity detection method, device, equipment and storage medium |
CN111200821B (en) | 2018-11-16 | 2021-12-03 | 华为技术有限公司 | Capacity planning method and device |
CN109889366B (en) * | 2019-01-04 | 2020-06-16 | 烽火通信科技股份有限公司 | Network traffic increment counting and analyzing method and system |
CN110083910B (en) * | 2019-04-19 | 2020-11-17 | 西安交通大学 | NSGA-II based chaotic time sequence prediction sample acquisition method |
CN110647132B (en) * | 2019-08-28 | 2021-02-26 | 浙江工业大学 | Frequency domain partition attack detection method for networked motion control system |
CN112839017B (en) * | 2019-11-25 | 2022-06-03 | 中移(苏州)软件技术有限公司 | Network attack detection method and device, equipment and storage medium thereof |
CN112256791A (en) * | 2020-10-27 | 2021-01-22 | 北京微步在线科技有限公司 | Network attack event display method and storage medium |
CN113364752B (en) * | 2021-05-27 | 2023-04-18 | 鹏城实验室 | Flow abnormity detection method, detection equipment and computer readable storage medium |
CN118101281A (en) * | 2024-02-28 | 2024-05-28 | 浙江省人力资源和社会保障信息中心 | Risk detection method, device and equipment for network attack and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1567853A (en) * | 2004-03-29 | 2005-01-19 | 四川大学 | Network safety risk detection system and method |
CN101043329A (en) * | 2006-06-15 | 2007-09-26 | 华为技术有限公司 | Method and system for protecting network attack |
Also Published As
Publication number | Publication date |
---|---|
CN101753381A (en) | 2010-06-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101753381B (en) | Method for detecting network attack behaviors | |
Chen et al. | Short-time traffic flow prediction with ARIMA-GARCH model | |
Swany et al. | Multivariate resource performance forecasting in the network weather service | |
Kaltenbrunner et al. | Description and prediction of slashdot activity | |
CN101534305A (en) | Method and system for detecting network flow exception | |
Bernacki et al. | Anomaly detection in network traffic using selected methods of time series analysis | |
CN103546319B (en) | The alarming flow method and system of the network equipment | |
CN105808368B (en) | A kind of method and system of the information security abnormality detection based on random probability distribution | |
CN104573017A (en) | Network water army group identifying method and system | |
Cui et al. | An optimized swinging door algorithm for wind power ramp event detection | |
Seike et al. | Fork rate-based analysis of the longest chain growth time interval of a pow blockchain | |
Vafeiadis et al. | Real-time network data analysis using time series models | |
Eswaradass et al. | Network bandwidth predictor (nbp): A system for online network performance forecasting | |
CN105654189B (en) | Icing short-term prediction method based on time series analysis and Kalman filtering algorithm | |
JP4112584B2 (en) | Abnormal traffic detection method and apparatus | |
CN103269337A (en) | Data processing method and device | |
Carroll | Detecting variation in chaotic attractors | |
CN105516164A (en) | P2P botnet detection method based on fractal and self-adaptation fusion | |
CN106209868A (en) | A kind of large-scale network traffic exception detecting method and system | |
Yan et al. | Detect and identify DDoS attacks from flash crowd based on self-similarity and Renyi entropy | |
CN104683137A (en) | Abnormal flow detection method for periodic characteristic network | |
Rodriguez et al. | Improving network security through traffic log anomaly detection using time series analysis | |
Yuan et al. | Network anomaly detection based on multi-scale dynamic characteristics of traffic | |
Fras et al. | Estimating the parameters of measured self similar traffic for modeling in OPNET | |
CN115310574A (en) | Motion counting method and device, electronic equipment and computer readable medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C17 | Cessation of patent right | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20121010 Termination date: 20131225 |