
CN101753381B - Method for detecting network attack behaviors - Google Patents


Info

Publication number: CN101753381B
Authority: CN (China)
Prior art keywords: window, sub, time series, network traffics, network
Legal status: Expired - Fee Related (Google's listed status is an assumption, not a legal conclusion)
Application number: CN200910273376A
Other languages: Chinese (zh)
Other versions: CN101753381A (en)
Inventors: 胡汉平, 杨越, 熊伟, 丁帆
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology
Filing history: application CN200910273376A filed by Huazhong University of Science and Technology; publication of CN101753381A; application granted; publication of CN101753381B; current legal status Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting network attack behaviors, which comprises the following steps: (1) reconstructing the network traffic time series to be detected into a multidimensional phase space according to the complex nonlinear properties of network traffic, and establishing a statistical distribution model from a normal network traffic time series; (2) stationarizing the network traffic time series to be detected and dividing it into sub-windows; (3) computing the parameters of every sub-window of the stationarized series according to the statistical distribution model to obtain a parameter sequence, and establishing a comprehensive decision model from that parameter sequence to detect anomalies. Reconstructing the network traffic into a multidimensional space fully reveals the information hidden in the one-dimensional space, reduces the computational complexity in each dimension and improves running speed; the method improves the robustness and accuracy of the system and is characterized by low computational complexity, a high detection rate and a low false detection rate.

Description

A method for detecting network attack behaviors
Technical field
The present invention relates to network information security and the related theory of mathematical statistics, and more particularly to a method for detecting network attack behaviors. The method performs attack detection based on phase space and superstatistical theory, can discover network faults and performance problems in time, and is significant for improving the availability and reliability of a network and guaranteeing network quality of service.
Background technology
Existing research shows that all kinds of network service traffic exhibit chaotic dynamics. Phase space reconstruction is an important method for studying and analysing chaotic dynamical systems from time series. A network traffic sequence containing an attack (anomalous network traffic) is often the concentrated expression of many interacting system factors; it carries traces of all the variables participating in the motion and is a true reflection of the underlying system. The phase space reconstruction theory proposed by Packard et al. holds that, because the observed time series data contain the traces of all variables, the data points obtained successively in time are correlated with each other, and reconstructing them into a higher-dimensional space displays the system information contained in the time series more fully. It has been proved that, when the embedding dimension m and the time delay τ are chosen appropriately, the reconstructed phase space has the same geometric properties and information attributes as the actual dynamical system and all the characteristics of the real space. Therefore we adopt the phase space method to study and analyse anomalous network traffic; after reconstruction the phase space remains consistent with the intrinsic structure of the original network traffic dynamical system.
Superstatistical theory belongs to a frontier field of physics and remedies the deficiencies of traditional statistical methods. Superstatistics means "statistics of statistics" and is used to describe the superposition of several dynamical subsystems. Considering the non-stationarity and burstiness of network traffic, and that the parameters of its statistical distribution vary randomly or in a complicated way, which easily causes problems for existing anomaly detection, adopting superstatistical theory to study the statistics of statistics, namely the variation of the statistical parameters, is the most suitable approach.
Catastrophe (abrupt change) analysis is a key area of time series research. In the mid-1960s, guided by the work of the French mathematician Thom, catastrophe theory gradually took shape. A so-called catastrophe means that a sudden change has occurred in the system: an abrupt response of the system to a smooth variation of external conditions. The catastrophes usually referred to are elementary ones, such as a change in mean, a change in frequency, a change in trend, a change in variance and so on. Network traffic is often controlled by several driving factors; its behaviour exhibits nonlinear, non-stationary and complex characteristics, and its internal dynamical structure may also change rapidly as the driving factors change, i.e. its intrinsic evolution equation undergoes a catastrophe (a dynamical structure catastrophe).
The patent document "A network traffic anomaly detection method based on superstatistical theory" (publication number CN101286897, published 2008.10.15) determines a distribution model according to the actual characteristics of the network traffic, computes the slow-variable sequence of the network traffic time series according to this distribution model, i.e. the distribution parameter sequence, and detects network traffic anomalies from the abnormal fluctuations of the slow-variable sequence. That method performs statistical analysis directly on the whole traffic data: the data volume is large and the information inside the system is hard to find; moreover it relies on the detection of a single slow-variable sequence, so its reliability is weak and its false detection rate is high.
Summary of the invention
The object of the present invention is to provide a method for detecting network attack behaviors that has high reliability and a low false detection rate.
The method for detecting network attack behaviors provided by the invention comprises the following steps:
Step 1: according to the complex nonlinear characteristics of network traffic, reconstruct the network traffic time series to be detected into a multidimensional phase space, and establish a statistical distribution model according to a normal network traffic time series;
Step 2: perform stationarization processing on the network traffic time series to be detected and divide it into sub-windows;
Step 3: calculate the parameters of each sub-window of the stationarized network traffic time series according to the statistical distribution model to obtain a parameter sequence, then establish a comprehensive decision model based on this parameter sequence and detect anomalies.
The present invention first expands the network traffic sequence into a multidimensional phase space by phase space reconstruction, so that the information contained in the original network traffic sequence is fully revealed, while the computational complexity of each dimension is reduced. It then applies superstatistical theory to the non-stationary, complex network traffic process: by seeking the parameter sequence that reflects the statistical model of the traffic, the object of study is transformed from the complicated network traffic data to the parameter sequence that determines the essential changes of the system. This both takes the whole system into account and avoids the computational complexity of parameter testing in traditional statistical models, so the computational complexity is further reduced. Good results were obtained in repeated experiments; compared with a direct superstatistical detection method without phase space reconstruction, this method greatly reduces the false detection rate while maintaining the detection rate.
Compared with the technical scheme proposed in the cited document, the present invention reconstructs the network traffic into a multidimensional space, which on the one hand fully displays the information hidden in the one-dimensional space and on the other hand, because of the reconstruction, reduces the computational complexity of each dimension and improves running speed. In addition, the study does not rely on a single slow-variable sequence but considers the parameter sequences of the distribution model jointly in a comprehensive decision model of multiple parameter series, improving the robustness and accuracy of the system. Compared with other network traffic anomaly detection models, this method has low computational complexity, a high detection rate and a low false detection rate.
Description of drawings
Fig. 1 is the flow chart of the method for detecting network attack behaviors provided by the invention.
Fig. 2 illustrates the stationarization method for network traffic provided by the invention.
Embodiments
The present invention is explained in further detail below with reference to the accompanying drawings and an example:
(1) Phase space reconstruction of the network traffic time series, and establishment of the statistical distribution model according to a normal network traffic time series.
(1.1) Select a phase space reconstruction method according to the complex nonlinear characteristics of the network traffic time series, and reconstruct the series into a multidimensional phase space. It has been proved that, once the embedding dimension m and the time delay τ are determined, the reconstructed phase space has the same geometric properties and information attributes as the actual dynamical system and all the characteristics of the real space. Therefore we adopt the phase space method to study and analyse anomalous network traffic; after reconstruction the phase space remains consistent with the intrinsic structure of the original network traffic dynamical system. Common methods for computing the time delay τ include the autocorrelation function method, the mutual information method and the average displacement method; the embedding dimension m can be computed with the false nearest neighbour method or the Grassberger-Procaccia algorithm (the G-P algorithm for short), among others.
(1.2) Study the characteristics of the network traffic in each dimension and, according to the actual characteristics of the traffic, find a model that matches its distribution. For the concrete characteristics of normal network traffic a suitable distribution model can be chosen to fit the local network traffic; this distribution model must be able to describe the characteristics of the local network traffic time series and must pass a goodness-of-fit test on the local traffic, such as the Pearson goodness-of-fit test, the Kolmogorov-Smirnov test, the correlation coefficient test, or tests aimed at a specific distribution model, for example the W test and the D test for the normal distribution. Early network traffic, with simple network structure and few network applications, could be fitted locally with common distribution models such as the Poisson distribution model or the normal distribution model; the discrete generalized Pareto distribution model, the gamma distribution model and the like can be used to fit later network traffic.
The order of step (1.1) and step (1.2) can be exchanged, and the two can also be carried out simultaneously.
(2) Stationarization of the network traffic time series
Establishing a statistical distribution model requires the sequence to satisfy stationarity; existing research has shown, however, that the network traffic time series is a complicated non-stationary sequence. An appropriate method should therefore first be chosen to stationarize the network traffic time series, turning the non-stationary series into a sequence of sub-windows that are at least wide-sense stationary.
(3) Calculate the parameters of the statistical distribution model in each sub-window, establish the comprehensive decision model from the parameter sequence, and detect anomalies.
Study the variation of the distribution model parameters in each dimension and determine, from the variation of the parameter sequence, a comprehensive decision model to detect network traffic anomalies. Compute in each sub-window the parameters of the distribution model that matches the network traffic characteristics; from the parameter sequence obtained above, determine the number of control variables (other numbers of control variables are also possible; only the catastrophe model chosen differs), with the state variable being the network traffic, so that a suitable catastrophe model can be selected. Compute the distance D from the feature quantity P to the bifurcation set; when it exceeds the corresponding threshold, anomalous network behaviour has occurred.
The method of the invention is explained in further detail below with reference to an example.
(1) Pre-processing of the network traffic time series
(a) Data acquisition
The Information Systems Technology Group of the MIT Lincoln Laboratory, sponsored by the Defense Advanced Research Projects Agency (DARPA) of the U.S. Department of Defense and the Air Force Research Laboratory, provides test data sets for the evaluation of computer network intrusion detection systems. These data sets contain rich packet traffic and many different types of intrusion attacks (mainly denial-of-service attacks DoS, distributed denial-of-service attacks DDoS, remote-to-local attacks R2L and user-to-root attacks U2R in which a local user illegally escalates privilege, these four types, together with illegal surveillance and probing, etc.). Each data item comprises the packet number, part of the packet and its text. The packet header records the start time of the packet, the time interval from the first packet, the source address, the destination address, the packet length, the network protocol and other information. The packets are mainly of the following types: IP, ARP and NetBEUI. The length (bytes) of an IP packet is the number of bytes in brackets plus 40 (the IP header length); NetBEUI is a local area network protocol and packets of this protocol are 14 bytes long; ARP (address resolution protocol) packets are 28 bytes long.
(b) Generation of the network traffic time series
The periodic sampling method samples the network traffic periodically at a fixed time scale and expresses the number of bytes or packets arriving per unit time. The method groups the packets by fixed time intervals, then accumulates the byte count or packet count of the packets in each group; the accumulated byte counts or packet counts of the groups form a time series.
The time series formed by queueing in the packet buffer groups the packets in the order of their arrival in the packet buffer, with a fixed number of packets per group; the byte counts of the packets in each group are then accumulated, and the accumulated byte counts of the groups form a time series.
(2) Phase space reconstruction of the network traffic time series
For a time series x(t), if the embedding dimension m and the time delay τ can be determined, the phase space y(t) can be reconstructed according to formula (1). The reconstructed phase space has the same geometric properties and information attributes as the original, actual dynamical system and all the characteristics of the real space.

$$ y(t_i) = [\,x(t_i),\; x(t_i+\tau),\; \ldots,\; x(t_i+(m-1)\tau)\,], \qquad i = 1, 2, \ldots, n \qquad (1) $$

where t denotes the sample points of the time series, i is the index of the time series and n is a positive integer. The methods for computing the time delay τ and the embedding dimension m are given below:
A. Computation of the time delay τ
The average mutual information method is an effective way to estimate the time delay for phase space reconstruction and is very widely used. The mutual information function method was given by Fraser and Swinney [FRASER A M, SWINNEY H L. Phys Rev A, 1986, 33:1134-1140]: the time corresponding to the first local minimum of the mutual information function, which expresses the general dependence between successive points of the time series, is chosen as the delay time.
For a variable S(l) with N elements, l = 1, 2, ..., N, let P_S(S_k) denote the probability that the variable S is in state S_k (k = 1, 2, ..., N); the information entropy of S is then defined as:

$$ H(S) = -\sum_{k=1}^{N} P_S(S_k) \log P_S(S_k) $$

The conditional entropy of the delayed variable q(l) = S(l+τ) of S(l), given S(l), is defined as:

$$ H(q \mid S) = \sum_{i} P_s(s_i)\, H(q \mid s_i) = -\sum_{i,j} P_{sq}(s_i, q_j) \log\left[ \frac{P_{sq}(s_i, q_j)}{P_s(s_i)} \right] = H(S, q) - H(S) $$

where P_{sq}(s_i, q_j) is the joint probability that the variables S and q take the values s_i and q_j respectively, and H(S, q) is the joint entropy of S and q. The mutual information of S and q is:

$$ I(q, S) = H(q) - H(q \mid S) = H(q) + H(S) - H(q, S) = I(S, q) $$

In the general case, the mutual information I_n(τ) between the time series x(n) and its delayed sequence x(n+τ) can be expressed as:

$$ I_n(\tau) = H(x) + H(x_\tau) - H(x, x_\tau) \qquad (2) $$

The delay τ at which I_n(τ) first reaches a minimum can be used as the time delay τ of the phase space reconstruction.
B. Computation of the embedding dimension m
The method adopted here is the G-P algorithm proposed by Grassberger and Procaccia [Grassberger P and Procaccia I 1983 Phys. Rev. Lett. 50 346], which computes the embedding dimension from the time series.
A measured time series {x(i), i = 1, ..., n} (n a positive integer) is embedded into the m-dimensional Euclidean space R^m to form a point set. The main steps are as follows:
1) First convert the time series {x(i), i = 1, 2, ..., n} into the m-dimensional Euclidean space R^m; the reconstructed phase space contains n_m sample points, where n_m = n - (m-1)τ.
2) Compute the correlation function
From these n_m points choose any reference point x(i) and compute the distance r_{i,j} from each of the remaining n_m - 1 points to x(i) according to formula (3):

$$ r_{i,j} = d(x(i), x(j)) = \left[ \sum_{l=0}^{m-1} \left| x(i+l\tau) - x(j+l\tau) \right|^2 \right]^{1/2} \qquad (3) $$

Repeat this process for all x(i) (i = 1, 2, ..., n_m) to obtain the correlation integral function C_m(r):

$$ C_m(r) = \frac{2}{n_m (n_m - 1)} \sum_{i=1}^{n_m} \sum_{j=i+1}^{n_m} H(r - r_{i,j}) \qquad (4) $$

where H in formula (4) is the Heaviside function,

$$ H(k) = \begin{cases} 1 & (k > 0) \\ 0 & (k \le 0) \end{cases} $$

When r is taken sufficiently small, the correlation integral function approximately satisfies the following relation, where C is a constant:

$$ \ln C_m(r) = \ln C + d(m) \ln r $$

Therefore the correlation dimension of the m-dimensional data is

$$ D(m) = \lim_{r \to 0} \left[ \frac{\partial \ln C_m(r)}{\partial \ln r} \right] $$

When D(m) no longer changes as the dimension m increases, it is the dimension d of the system, $d = \lim_{m \to \infty} D(m)$.
In practical calculation one takes the smoothest best-fitting straight-line segment, and the slope of that line is d.
With the time delay and embedding dimension computed above, the reconstructed phase space can be determined.
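The following Python code is an added worked example, not code from the patent: it implements the delay reconstruction of formula (1), a histogram estimate of the mutual information of formula (2) with the first-minimum rule for τ, and the pairwise distances and correlation integral of formulas (3) and (4), with the slope of ln C_m(r) against ln r standing in for D(m). The equal-width histogram estimator, the strict "r - r_ij > 0" Heaviside test and the least-squares slope over a fixed set of radii are this example's assumptions; the page does not say how the probabilities in (2) or the "best-fitting straight line" are computed. The series and point sets in the demo are constructed.

```python
import math
from collections import Counter


def delay_embed(x, m, tau):
    """Formula (1): y(t_i) = [x(t_i), x(t_i+tau), ..., x(t_i+(m-1)tau)] for the
    n_m = n - (m-1)*tau points that fit inside the series."""
    n_m = len(x) - (m - 1) * tau
    return [[x[i + l * tau] for l in range(m)] for i in range(n_m)]


def _bin_index(v, lo, hi, bins):
    # Map a value to one of `bins` equal-width cells over [lo, hi] (assumed binning).
    if hi == lo:
        return 0
    return min(int((v - lo) / (hi - lo) * bins), bins - 1)


def _entropy_bits(counts):
    # Shannon entropy in bits of a Counter of symbol frequencies.
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def mutual_information(x, tau, bins=8):
    """Formula (2): I_n(tau) = H(x) + H(x_tau) - H(x, x_tau), estimated from a
    bins x bins histogram of the pairs (x(t), x(t+tau))."""
    lo, hi = min(x), max(x)
    sym = [_bin_index(v, lo, hi, bins) for v in x]
    pairs = list(zip(sym[:len(sym) - tau], sym[tau:]))
    h_x = _entropy_bits(Counter(p[0] for p in pairs))
    h_xt = _entropy_bits(Counter(p[1] for p in pairs))
    h_joint = _entropy_bits(Counter(pairs))
    return h_x + h_xt - h_joint


def first_minimum_delay(x, max_tau, bins=8):
    """Time delay tau = first local minimum of I_n(tau); None if none below max_tau."""
    values = [mutual_information(x, t, bins) for t in range(max_tau + 1)]
    for t in range(1, max_tau):
        if values[t] <= values[t - 1] and values[t] < values[t + 1]:
            return t
    return None


def correlation_integral(points, r):
    """Formula (4): fraction of point pairs (i < j) whose Euclidean distance (3)
    is below r; the Heaviside step H(r - r_ij) is 1 only when r - r_ij > 0."""
    n_m = len(points)
    hits = 0
    for i in range(n_m):
        for j in range(i + 1, n_m):
            d = math.sqrt(sum((p - q) ** 2 for p, q in zip(points[i], points[j])))
            if r - d > 0:
                hits += 1
    return 2.0 * hits / (n_m * (n_m - 1))


def correlation_dimension(points, radii):
    """Least-squares slope of ln C_m(r) against ln r over the given radii: the
    'best-fitting straight line' whose slope the page reads off as the dimension."""
    xs, ys = [], []
    for r in radii:
        c = correlation_integral(points, r)
        if c > 0:
            xs.append(math.log(r))
            ys.append(math.log(c))
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    return sum((a - mx) * (b - my) for a, b in zip(xs, ys)) / sum((a - mx) ** 2 for a in xs)


if __name__ == "__main__":
    # Constructed period-4 series: its first mutual-information minimum is at tau = 1.
    series = [0.0, 1.0, 0.0, -1.0] * 50 + [0.0]
    tau = first_minimum_delay(series, max_tau=6, bins=4)
    print("tau =", tau, "points in R^3 =", len(delay_embed(series, 3, tau)))
    # Constructed point sets: a segment (dimension ~1) and a filled square (dimension ~2).
    radii = (0.15, 0.2, 0.25, 0.3)
    line = [[i / 199] for i in range(200)]
    square = [[i / 24, j / 24] for i in range(25) for j in range(25)]
    print("D(line) =", correlation_dimension(line, radii))
    print("D(square) =", correlation_dimension(square, radii))
```

The histogram estimate of (2) needs a common binning for x(t) and x(t+τ), which is why both marginals are binned over the global range of the series; the correlation integral is O(n_m²), so in practice it is evaluated on a subsample of the reconstructed points.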
(3) Establishing the statistical distribution model from a normal network traffic time series
A. Normal network traffic shows strong burstiness locally, and its histogram shows that real network traffic has an obvious heavy-tailed characteristic. Based on these characteristics of normal network traffic, the discrete generalized Pareto distribution is selected in this example to analyse the local network traffic.
B. Test of the distribution model
The model is subjected to a distribution test to verify the accuracy and validity of the method. Here we test with the graphical method and the correlation coefficient test. In the visual result of the graphical test all the fitted points lie essentially on a straight line, which shows that the distribution passes the graphical test for the discrete generalized Pareto distribution. The result of the further R^2 test also confirms, from the calculated values, the accuracy of the established distribution model.
(4) Stationarization of the network traffic time series
Because anomalous traffic is a complicated nonlinear or random change process, simple differencing to obtain stationarity is generally invalid. Following the idea of calculus, windowing can effectively reduce the salience and complexity within a sub-window, so the non-stationary series is divided into stationary sub-windows: on the basis of determining the corresponding statistical model from the traffic's own statistical properties, the windowing is carried out on the principle of keeping the parameters of the statistical model wide-sense stationary within a sub-window.
The heuristic segmentation algorithm (proposed by Galvan in 2001) is an effective method for dividing a non-stationary time series into stationary subsequences according to the mean, but it divides the windows over the whole sequence uniformly rather than along the direction of increasing time. The main idea of the method we adopt is introduced below, with reference to Fig. 2:
Step 2.1: Let the network traffic time series to be measured be x(t), containing N points. Denote the home window part by L_s and the initial sliding window by L_m; the region L_s + L_m is the current window. Let i be the end position of the current window, the length of L_s + L_m be N_2(i) and the length of L_s be N_1. Compute the means μ_1(i), μ_2(i) and the standard deviations s_1(i), s_2(i) of the L_s part and the (L_s + L_m) part respectively; the pooled deviation S_D(i) of the current window is then

$$ S_D(i) = \left( \frac{(N_1 - 1)\, s_1(i)^2 + (N_2 - 1)\, s_2(i)^2}{N_1 + N_2 - 2} \right)^{1/2} \times \left( \frac{1}{N_1} + \frac{1}{N_2} \right) \qquad (5) $$

The difference between L_s and L_s + L_m is quantified by the statistic T(i):

$$ T(i) = \left| \frac{\mu_1(i) - \mu_2(i)}{S_D(i)} \right| \qquad (6) $$

Step 2.2: If 3G ≥ T(i) ≥ G, where G is a set threshold with G = 0.5, go to step 2.3; otherwise adjust the length of L_m according to the following rules:
If T(i) < G, enlarge the sliding window, L_m = L_m + L_f (the initial value of L_m is 10; L_f is the sliding increment, greater than 0 and less than L_m, initially 3 to 5), and repeat the steps above;
If T(i) > 3G, shrink the sliding window, L_m = L_m - L_f (the initial value of L_m is 10; L_f is the sliding increment, greater than 0 and less than L_m, initially 2 to 3), and repeat the steps above;
Step 2.3: Take the last point of L_m as the first sub-window split point W_1; then, starting from position W_1, compute the next T(i) according to step 2.1 to obtain the second sub-window split point W_2, and so on until the end of the sequence.
The size of each sub-window is thus obtained in turn. Let nn denote the total number of sub-windows, i.e. the network traffic is composed of nn sub-windows, written x = {(x_1, x_2, ..., x_{W1}), (x_{W1+1}, ..., x_{W2}), ..., (..., x_{Wnn})} = {xw_1, xw_2, ..., xw_nn}.
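As an added example (not the patent's code), steps 2.1 to 2.3 in Python, with formulas (5) and (6) coded exactly as the page writes them (the square root covers only the pooled-variance factor). The page's grow/shrink rules can cycle between two lengths of L_m, and the current window can run past the end of the series, so this version adds an iteration cap and end-of-series guards, marked in the comments; the parameter values (L_s = 100, initial L_m = 10, L_f = 3 for growing and 2 for shrinking, G = 0.5) are within the ranges the description and claims state. The input series is constructed: a level shift of 0.8 at position 150 on top of a deterministic ±0.5 alternation that stands in for stationary traffic fluctuation, so the first split point lands just after the change.

```python
import math


def make_signal(n=300, change_at=150, base=10.0, jump=0.8, ripple=0.5):
    """Constructed test series: a level shift of `jump` at `change_at` on top of a
    deterministic +/- ripple alternation (a stand-in for stationary traffic noise)."""
    return [base + (jump if t >= change_at else 0.0) + (ripple if t % 2 == 0 else -ripple)
            for t in range(n)]


def _mean_sd(seg):
    # Sample mean and sample standard deviation (N-1 denominator).
    n = len(seg)
    mu = sum(seg) / n
    var = sum((v - mu) ** 2 for v in seg) / (n - 1)
    return mu, math.sqrt(var)


def pooled_deviation(n1, s1, n2, s2):
    """Formula (5): S_D = (((N1-1)s1^2 + (N2-1)s2^2)/(N1+N2-2))^(1/2) * (1/N1 + 1/N2),
    as written on the page."""
    pooled = ((n1 - 1) * s1 ** 2 + (n2 - 1) * s2 ** 2) / (n1 + n2 - 2)
    return math.sqrt(pooled) * (1.0 / n1 + 1.0 / n2)


def t_statistic(x, start, l_s, l_m):
    """Formula (6): T = |mu1 - mu2| / S_D for the home window x[start:start+l_s]
    and the current window x[start:start+l_s+l_m]."""
    home = x[start:start + l_s]
    current = x[start:start + l_s + l_m]
    mu1, s1 = _mean_sd(home)
    mu2, s2 = _mean_sd(current)
    s_d = pooled_deviation(len(home), s1, len(current), s2)
    if s_d == 0.0:                      # constant data: treat as 'beyond 3G' (added guard)
        return float("inf")
    return abs((mu1 - mu2) / s_d)


def segment_windows(x, l_s=100, l_m0=10, l_f_grow=3, l_f_shrink=2, g=0.5, max_iter=500):
    """Steps 2.1-2.3: return the split points W_1, W_2, ... as exclusive end indices,
    the last one being len(x)."""
    n = len(x)
    cuts = []
    start = 0
    while start < n:
        if n - start <= l_s:            # added guard: remainder too short for a home window
            cuts.append(n)
            break
        l_m = l_m0
        end = start + l_s + l_m
        for _ in range(max_iter):       # added cap: the page's rules can cycle forever
            end = start + l_s + l_m
            if end >= n:                # added guard: sliding window ran off the series
                end = n
                break
            t = t_statistic(x, start, l_s, l_m)
            if g <= t <= 3 * g:         # step 2.2: accept, cut at the last point of L_m
                break
            if t < g:                   # enlarge the sliding window
                l_m += l_f_grow
            else:                       # t > 3G: shrink it, never below 1 (added guard)
                l_m = max(l_m - l_f_shrink, 1)
        cuts.append(end)                #  step 2.3: W_i, then continue from W_i
        start = end
    return cuts


if __name__ == "__main__":
    sig = make_signal()
    print("T at the first accepted window:", round(t_statistic(sig, 0, 100, 52), 3))
    print("split points:", segment_windows(sig))
```

On this series T(i) stays below G while the current window lies inside the first level (the ripple contributes at most 0.5/N_2 to the mean difference), reaches about 1.25 once two points of the shifted level enter L_m, and the first split point is 152; the remainder never leaves the band below G, so the second sub-window runs to the end of the series.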
(5) Calculate the statistical distribution model parameters in each sub-window, establish the comprehensive decision model from the parameter sequence and detect anomalies.
A. Parameter estimation method
The generalized probability weighted moment (GPWM) estimator, a new GPD parameter estimation method proposed by Rasmussen in 2001, is adopted. The GPWM method:

$$ \tilde{\alpha}_v = \frac{1}{n} \sum_{j=1}^{n} (1 - p_{j:n})^v \, x_{j:n} $$

where (x_{1:n} ≤ x_{2:n} ≤ ... ≤ x_{n:n}) is the ordered sample; v can be any real number, and the GPWM method usually takes v_1 = 1, v_2 = 1.5. p_{j:n} is the Kaplan-Meier estimate of the sample cumulative distribution function, i.e. the empirical cumulative distribution function. The scale parameter b and the shape parameter k can then be computed from the following two formulas.

$$ k = \frac{\tilde{\alpha}_{v_1} (v_1 + 1)^2 - \tilde{\alpha}_{v_2} (v_2 + 1)^2}{\tilde{\alpha}_{v_2} (v_2 + 1) - \tilde{\alpha}_{v_1} (v_1 + 1)} \qquad (7) $$

$$ b = \tilde{\alpha}_{v_2} (v_2 + 1)(v_2 + 1 + k) \qquad (8) $$

Through repeated superposition calculations, the shape parameter and the scale parameter of the discrete generalized Pareto distribution can be computed. Compute the parameter values k and b of each sub-window according to formulas (7) and (8) to form the parameter sequences used for detection, {k_1, k_2, ..., k_nn} and {b_1, b_2, ..., b_nn} (nn is the total number of sub-windows).
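An added example, not from the patent: formulas (7) and (8) in Python, applied to samples drawn from a continuous generalized Pareto distribution (this example uses the continuous form because it has a closed-form quantile to sample from; the GPWM formulas above are unchanged). The plotting position p_{j:n} = (j - 0.35)/n is this example's assumption, since the page says only "empirical cumulative distribution function". The shape convention is the one under which (8) is consistent with (7), namely F(x) = 1 - (1 - kx/b)^{1/k}, where E[(1-F)^v X] = b/((v+1)(v+1+k)); the sample generator and seed are constructed for the demo.

```python
import math
import random


def gpd_quantile(u, k, b):
    """Inverse CDF of the generalized Pareto distribution in the form
    F(x) = 1 - (1 - k x / b)^(1/k): x = (b/k)(1 - (1-u)^k), exponential as k -> 0.
    Used only to construct test samples."""
    if abs(k) < 1e-12:
        return -b * math.log(1.0 - u)
    return (b / k) * (1.0 - (1.0 - u) ** k)


def sample_gpd(n, k, b, seed=7):
    # Constructed sample via inverse transform sampling with a fixed seed.
    rng = random.Random(seed)
    return [gpd_quantile(rng.random(), k, b) for _ in range(n)]


def gpwm(sample, v):
    """Generalized probability weighted moment alpha_v = (1/n) sum (1 - p_j:n)^v x_j:n,
    with the plotting position p_j:n = (j - 0.35)/n (assumed here)."""
    xs = sorted(sample)
    n = len(xs)
    return sum((1.0 - (j - 0.35) / n) ** v * x for j, x in enumerate(xs, start=1)) / n


def estimate_gpd(sample, v1=1.0, v2=1.5):
    """Formulas (7) and (8): shape k and scale b from two GPWMs."""
    a1, a2 = gpwm(sample, v1), gpwm(sample, v2)
    k = (a1 * (v1 + 1) ** 2 - a2 * (v2 + 1) ** 2) / (a2 * (v2 + 1) - a1 * (v1 + 1))
    b = a2 * (v2 + 1) * (v2 + 1 + k)
    return k, b


def parameter_sequences(windows):
    """Estimate (k, b) per sub-window, giving {k_1..k_nn} and {b_1..b_nn}."""
    ks, bs = [], []
    for w in windows:
        k, b = estimate_gpd(w)
        ks.append(k)
        bs.append(b)
    return ks, bs


if __name__ == "__main__":
    # Two constructed sub-windows with different true parameters.
    windows = [sample_gpd(20000, 0.3, 2.0, seed=7), sample_gpd(20000, -0.2, 1.0, seed=11)]
    ks, bs = parameter_sequences(windows)
    for k, b in zip(ks, bs):
        print("k =", round(k, 3), "b =", round(b, 3))
```

With this convention k > 0 gives a bounded tail and k < 0 a heavy tail; the estimator is consistent but (7) divides by a small difference of two moments, so on short sub-windows the shape estimate is noticeably noisier than the scale estimate.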
B. Comprehensive decision model based on catastrophe
Because network traffic has nonlinear, non-stationary and complex characteristics, an anomalous change of network traffic is a kind of catastrophe process; according to the number of control variables and state variables, a suitable catastrophe model can be selected to describe the behavioural characteristics of the network traffic. From the parameter sequences {k_1, k_2, ..., k_nn} and {b_1, b_2, ..., b_nn} obtained above, the number of control variables is 2 (other numbers are also possible; only the catastrophe model chosen differs), namely the shape parameter and the scale parameter of the discrete generalized Pareto model, and the state variable is the network traffic x = {xw_1, xw_2, ..., xw_nn}, so the cusp catastrophe model can be selected. The cusp catastrophe model describes the state variable x of the system by two control variables (u, v); the parameter space formed by (u, v) is also called the control space, and its potential function can be represented as follows:

$$ F(u, v, x) = x^4 + a u x^2 + v b x \qquad (9) $$

where a and b are coefficients, x is the state variable, i.e. the network traffic {xw_1, xw_2, ..., xw_nn}, and u, v are the control variables, i.e. the shape parameter sequence {k_1, k_2, ..., k_nn} and the scale parameter sequence {b_1, b_2, ..., b_nn} computed previously. Different combinations of control parameter values form potential functions of different structure; to obtain the stable solutions of these potential functions one only needs to differentiate them, which gives the equilibrium surface below. For all (x, u, v) computed above, the sum of squares of formula (10) and formula (11) is computed, and the values of a and b that make this sum minimal are the coefficient values a, b.

$$ \frac{\partial F}{\partial x} = 0, \qquad M_F : \{ (u, v, x) \mid 4x^3 + 2aux + vb = 0 \} \qquad (10) $$

Eliminating the state variable gives the bifurcation set S formed by (u, v), as follows:

$$ 8a^3u^3 + 27b^2v^2 = 0 \qquad (11) $$

According to the established catastrophe model, set a threshold ξ. Using newly observed network traffic data and the phase space reconstruction method, the corresponding feature quantity P(u, v) can be computed; compute the distance D from P to the bifurcation set S according to formula (11), and if D ≤ ξ a network traffic anomaly is detected. In practical calculation the threshold ξ can be obtained by scaling the mean value of the distances from the feature quantity P of the first 5 sub-windows to the bifurcation set.
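An added example (not the patent's code) for formulas (9) to (11) and the threshold rule. Since (10) is linear in a and b for given (u, v, x), the coefficients are fitted here by linear least squares over all windows; the distance D from a point P = (u, v) to the bifurcation set (11) is found numerically by sampling the curve u(v) = cbrt(-27 b² v² / (8 a³)); and ξ is taken as half the mean distance of the first five windows. The least-squares fit of (10) alone, the 0.5 scale factor and the sampling range are this example's assumptions (the page says only that a, b minimise a sum of squares and that ξ is a scaled mean); the (u, v, x) triples in the demo are constructed to satisfy (10) exactly for a = 1, b = 2.

```python
import math


def fit_cusp_coefficients(u, v, x):
    """Least-squares fit of a, b in the equilibrium equation (10), 4x^3 + 2aux + vb = 0,
    over all windows (u_i, v_i, x_i). Columns 2*u*x and v, right-hand side -4x^3,
    solved through the 2x2 normal equations (assumed solver)."""
    s11 = s12 = s22 = r1 = r2 = 0.0
    for ui, vi, xi in zip(u, v, x):
        c1, c2, rhs = 2.0 * ui * xi, vi, -4.0 * xi ** 3
        s11 += c1 * c1
        s12 += c1 * c2
        s22 += c2 * c2
        r1 += c1 * rhs
        r2 += c2 * rhs
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-12:
        raise ValueError("control/state data do not determine a and b")
    a = (r1 * s22 - r2 * s12) / det
    b = (s11 * r2 - s12 * r1) / det
    return a, b


def _cbrt(y):
    # Real (signed) cube root.
    return math.copysign(abs(y) ** (1.0 / 3.0), y)


def bifurcation_distance(a, b, u_p, v_p, v_span=10.0, steps=20000):
    """Distance D from P = (u_p, v_p) to the bifurcation set S of (11),
    8 a^3 u^3 + 27 b^2 v^2 = 0, i.e. the curve u(v) = cbrt(-27 b^2 v^2 / (8 a^3)),
    found by sampling v on a grid (assumed numerical method)."""
    best = float("inf")
    for i in range(steps + 1):
        v = -v_span + 2.0 * v_span * i / steps
        u = _cbrt(-27.0 * b * b * v * v / (8.0 * a ** 3))
        best = min(best, math.hypot(u_p - u, v_p - v))
    return best


def detect_anomalies(a, b, u, v, calibrate=5, scale=0.5):
    """Threshold xi = scale * mean distance of the first `calibrate` windows (the page:
    a scaled mean over the first 5 sub-windows); a window is flagged when D <= xi.
    Returns (xi, indices of flagged windows)."""
    d = [bifurcation_distance(a, b, ui, vi) for ui, vi in zip(u, v)]
    head = d[:calibrate]
    xi = scale * sum(head) / max(1, len(head))
    return xi, [i for i, di in enumerate(d) if di <= xi]


if __name__ == "__main__":
    # Constructed (u, v, x) triples satisfying 4x^3 + 2*1*u*x + v*2 = 0 exactly.
    a, b = fit_cusp_coefficients([1, 1, 2, 1], [-3, -18, -4, -0.75], [1, 2, 1, 0.5])
    print("a =", round(a, 6), "b =", round(b, 6))
    # Five calibration windows away from S, then one window lying on S.
    u_seq = [5, 5, 6, 6, 5, -(54 ** (1 / 3))]
    v_seq = [0, 1, 0, 1, 2, 2]
    xi, flagged = detect_anomalies(a, b, u_seq, v_seq)
    print("xi =", round(xi, 3), "flagged windows:", flagged)
```

For a > 0 the curve (11) lies entirely in u ≤ 0 and passes through the cusp point (0, 0), so any window whose control point sits close to it, or at the origin, is reported; the calibration windows must therefore be chosen from traffic known to be normal.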
The above is a preferred embodiment of the present invention, but the invention should not be limited to the content disclosed in this embodiment and the drawings. All equivalents or modifications accomplished without departing from the spirit disclosed by the invention fall within the scope of protection of the invention.

Claims (4)

1. A method for detecting network attack behaviors, comprising the following steps:
Step 1: according to the complex nonlinear characteristics of network traffic, reconstruct the network traffic time series to be detected into a multidimensional phase space, and establish a statistical distribution model according to a normal network traffic time series;
Step 2: perform stationarization processing on the network traffic time series to be detected and divide it into sub-windows;
Step 3: calculate the parameters of each sub-window of the stationarized network traffic time series according to the statistical distribution model to obtain a parameter sequence, then establish a comprehensive decision model based on this parameter sequence and detect anomalies.
2. The method for detecting network attack behaviors according to claim 1, characterized in that step 1 comprises the following process:
(1.1) first compute the time delay and the embedding dimension, then reconstruct the network traffic time series to be detected into a multidimensional space based on the time delay and the embedding dimension;
(1.2) according to the statistical properties of the normal network traffic time series, determine a distribution model to fit the local network traffic; this distribution model can describe the characteristics of the local network traffic time series and can pass the Kolmogorov-Smirnov test and the correlation coefficient goodness-of-fit test.
3. the method for detection attack according to claim 2 is characterized in that: the 2nd step specifically comprised following process:
Step 2.1: denote the network traffic time series to be detected as x(t), containing N points; denote the base window part as L_s, with L_s in the range 100~300; the length of the initial sliding window is L_m, with initial value 8~15; the region L_s + L_m is a sub-window; let i be the sequence number of the sub-window, i being a positive integer starting from 1; the length of L_s + L_m is N_2(i) and the length of L_s is N_1; compute respectively the means μ_1(i), μ_2(i) and standard deviations s_1(i), s_2(i) of the L_s part and of the (L_s + L_m) part; the pooled deviation S_D(i) of the current window is then
$$S_D(i)=\left(\frac{(N_1-1)\,s_1(i)^2+(N_2(i)-1)\,s_2(i)^2}{N_1+N_2(i)-2}\right)^{1/2}\times\left(\frac{1}{N_1}+\frac{1}{N_2(i)}\right) \qquad (5)$$
where the statistic T(i) is used to quantify the difference between L_s and L_s + L_m:
$$T(i)=\left|\frac{\mu_1(i)-\mu_2(i)}{S_D(i)}\right| \qquad (6)$$
Step 2.2: if 3G ≥ T(i) ≥ G, where G is a threshold with range 0.3~0.6, proceed to step 2.3; otherwise adjust the length of L_m according to the value of T(i) by the following rules:
If T(i) < G, further enlarge the sliding window, L_m = L_m + L_f, where the initial value of L_m is 10 and L_f is the sliding increment, whose range is greater than 0 and less than L_m, initially taking 3~5; then return to step 2.1;
If T(i) > 3G, further shrink the sliding window, L_m = L_m - L_f, where the initial value of L_m is 10 and L_f is the sliding increment, whose range is greater than 0 and less than L_m, initially taking 2~3; then return to step 2.1;
Step 2.3: take the position of the last point of L_m as the split point W_i of the i-th sub-window; then, starting from the position of W_i, compute the next T(i) in the manner of step 2.1 to obtain the split point W_{i+1} of the (i+1)-th sub-window; repeat until the end of the sequence;
thereby obtaining the size of each sub-window in turn.
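The adaptive sub-window segmentation of steps 2.1 to 2.3, as an added example that is not the patent's own code: equations (5) and (6) are implemented as printed, the parameter values are picked from the ranges the claim gives (L_s = 100, L_m = 10, G = 0.4, L_f = 3 to grow and 2 to shrink), and the traffic series is constructed. That the next sub-window starts right after W_i and that L_m is reset per sub-window are assumptions.

```python
import math

def mean_std(xs):
    n = len(xs)
    mu = sum(xs) / n
    return mu, math.sqrt(sum((v - mu) ** 2 for v in xs) / (n - 1))

def pooled_deviation(n1, s1, n2, s2):
    # Equation (5) as printed in claim 3: square root over the pooled
    # variance only, with the (1/N1 + 1/N2(i)) factor outside it.
    var = ((n1 - 1) * s1 ** 2 + (n2 - 1) * s2 ** 2) / (n1 + n2 - 2)
    return math.sqrt(var) * (1.0 / n1 + 1.0 / n2)

def t_statistic(x, start, ls, lm):
    # Equation (6): base window L_s against the whole sub-window L_s + L_m.
    mu1, s1 = mean_std(x[start:start + ls])
    mu2, s2 = mean_std(x[start:start + ls + lm])
    sd = pooled_deviation(ls, s1, ls + lm, s2)
    return abs((mu1 - mu2) / sd) if sd > 0 else 0.0

def segment(x, ls=100, lm0=10, g=0.4, lf_grow=3, lf_shrink=2, max_iter=200):
    """Return the split points W_i (index of the last point of each sub-window)."""
    n, start, cuts = len(x), 0, []
    while start + ls + lm0 <= n:
        lm = lm0                          # assumption: L_m restarts per sub-window
        for _ in range(max_iter):         # bound the grow/shrink oscillation
            t = t_statistic(x, start, ls, lm)
            if g <= t <= 3 * g:           # step 2.2: window accepted
                break
            if t < g:                     # too similar: enlarge L_m by L_f
                if start + ls + lm + lf_grow > n:
                    break                 # window must fit inside the series
                lm += lf_grow
            else:                         # T > 3G: shrink L_m, keeping L_f < L_m
                if lm - lf_shrink <= lf_shrink:
                    break
                lm -= lf_shrink
        cuts.append(start + ls + lm - 1)  # step 2.3: W_i
        start = start + ls + lm           # assumption: next window starts after W_i
    return cuts

def make_series(n=600, seed=7):
    # Constructed sample: about 100 packets/s with small noise, plus a
    # burst of +40 over indices 300..339 standing in for an attack.
    vals, s = [], seed
    for i in range(n):
        s = (1103515245 * s + 12345) % 2 ** 31
        vals.append(100.0 + (s % 11) - 5 + (40.0 if 300 <= i < 340 else 0.0))
    return vals
```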
4. The method for detecting attack behaviors according to claim 3, characterized in that step 3 specifically comprises the following processes:
Step 3.1: using the generalized probability-weighted moments method or the probability-weighted moments method, performing parameter estimation on all sub-windows in turn according to the statistical distribution model obtained in step 1, to obtain the scale and shape parameter sequences {k_1, k_2, ..., k_nn} and {b_1, b_2, ..., b_nn}, where nn denotes the total number of sub-windows;
Step 3.2: using the cusp catastrophe model for anomaly detection;
using the cusp catastrophe model, taking the shape parameter and the scale parameter as the control variables and the network traffic as the state variable, computing from these the coefficient values of the potential function formed by the state variable and the control variables, and then computing the bifurcation set formed by the control variables and the coefficients;
according to the established catastrophe model, the shape parameters {k_1, k_2, ..., k_nn} and scale parameters {b_1, b_2, ..., b_nn} computed in step 3.1 are denoted u and v, i.e. u = {k_1, k_2, ..., k_nn} and v = {b_1, b_2, ..., b_nn}, and the feature quantity P(u, v) is composed of u and v; a threshold ξ is set, whose value is the mean of the distances from the feature quantity P of the first 3~10 sub-windows to the bifurcation set; the distance D from the feature quantity P to said bifurcation set is computed, and when D ≤ ξ an anomaly of the network traffic is detected.
CN200910273376A 2009-12-25 2009-12-25 Method for detecting network attack behaviors Expired - Fee Related CN101753381B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910273376A CN101753381B (en) 2009-12-25 2009-12-25 Method for detecting network attack behaviors

Publications (2)

Publication Number Publication Date
CN101753381A CN101753381A (en) 2010-06-23
CN101753381B true CN101753381B (en) 2012-10-10

Family

ID=42479816

Country Status (1)

Country Link
CN (1) CN101753381B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567853A (en) * 2004-03-29 2005-01-19 四川大学 Network safety risk detection system and method
CN101043329A (en) * 2006-06-15 2007-09-26 华为技术有限公司 Method and system for protecting network attack

Also Published As

Publication number Publication date
CN101753381A (en) 2010-06-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121010

Termination date: 20131225