CN117579344B - Network structure characteristic abnormality detection system - Google Patents

Info

Publication number
CN117579344B
Authority
CN
China
Prior art keywords
analysis
transmission
characteristic
module
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311543874.7A
Other languages
Chinese (zh)
Other versions
CN117579344A (en
Inventor
李非
肖杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Sicun Communication Technology Co ltd
Original Assignee
Beijing Sicun Communication Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Sicun Communication Technology Co ltd filed Critical Beijing Sicun Communication Technology Co ltd
Priority to CN202311543874.7A priority Critical patent/CN117579344B/en
Publication of CN117579344A publication Critical patent/CN117579344A/en
Application granted granted Critical
Publication of CN117579344B publication Critical patent/CN117579344B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of computer networks, and in particular to a network structure characteristic abnormality detection system, which comprises an information acquisition module, a network transmission module and a network processing module, wherein the information acquisition module is used for periodically acquiring user information, transmission information, router information and server information in network transmission; the mapping analysis module is used for analyzing the transmission connection relation; the mapping storage module is used for storing the transmission connection relation; the structure identification module is used for analyzing the transmission structure according to the user information, the transmission information and the stored transmission connection relation; the characteristic analysis module is used for analyzing, adjusting and optimizing characteristic parameters; the abnormality detection module is used for analyzing the network structure state; and the adjustment and optimization module is used for adjusting and optimizing the analysis process of the network structure state. The invention detects both the transmission structure and the transmission data in network transmission, and solves the problems of low detection efficiency and inaccurate analysis of abnormal network structure states.

Description

Network structure characteristic abnormality detection system
Technical Field
The invention relates to the technical field of computer networks, in particular to a network structural feature abnormality detection system.
Background
With the rapid development of network technology, exchanging data over networks has brought convenience to people. When data is transmitted over a network, however, it may suffer malicious attacks by others of which users are not well aware, so network transmission needs to be monitored to identify abnormal situations in the transmission.
Chinese patent publication No. CN109951499A discloses an anomaly detection method based on network structure characteristics, comprising: (1) extracting network characteristic parameters; (2) establishing a network topology characteristic model; (3) performing network feature matching, including: matching the network structure characteristics to be detected at time t against the normal network structure characteristics obtained by analysis; if the network characteristics at time t deviate greatly from the normal network structure characteristics, the network at time t is abnormal; if the deviation is not large, the network at time t is judged to be normal; and updating the network characteristic model and detecting the network behavior to be detected with the updated model. That invention analyzes the data in the network topology graph but does not detect each piece of transmission data in network transmission in real time, and therefore has the problems of low detection efficiency and inaccurate analysis of abnormal network structure states.
Disclosure of Invention
Therefore, the invention provides a network structure characteristic abnormality detection system which is used for solving the problems of low detection efficiency and inaccurate analysis of network structure state abnormality in the prior art.
In order to achieve the above object, the present invention provides a network structural feature anomaly detection system, including:
the information acquisition module is used for periodically acquiring user information, transmission information, router information and server information in network transmission;
the mapping analysis module is used for analyzing the transmission connection relation according to the user information, the router information and the server information;
the mapping storage module is used for storing the transmission connection relation;
the structure identification module is used for analyzing the transmission structure according to the user information, the transmission information and the stored transmission connection relation;
the characteristic analysis module is used for analyzing characteristic parameters according to the transmission information and the transmission structure, adjusting the analysis process of the characteristic parameters according to the router information and optimizing the adjustment process of the characteristic parameters according to the server information;
the abnormality detection module is used for analyzing the network structure state according to the characteristic parameters;
the adjustment optimization module is used for adjusting the analysis process of the network structure state according to the server information, analyzing the characteristic fluctuation according to the characteristic parameter and optimizing the adjustment process of the network structure state according to the characteristic fluctuation.
Further, the mapping analysis module is provided with a route analysis unit, which is used for matching the user information with the route mapping relation and analyzing the intranet connection relation according to the matching result and the route IP address, wherein:
When the user IP address and the user port exist in the route mapping relation, the route analysis unit analyzes the intranet connection relation, and the intranet connection relation is set as a1:a2-b1:b2;
When the user IP address and the user port do not exist in the route mapping relation, the route analysis unit does not analyze the intranet connection relation;
The mapping analysis module is further provided with a service analysis unit, which is used for matching the routing information with the server mapping relation and analyzing the public network connection relation according to the matching result and the server IP address, wherein:
When the router IP address exists in the server mapping relation, the service analysis unit analyzes the public network connection relation, and the public network connection relation is set as b1:b2i-c1:c2;
When the route IP address does not exist in the server mapping relation, the service analysis unit does not analyze the public network connection relation;
The mapping analysis module is further provided with a connection analysis unit for analyzing the transmission connection relation according to the intranet connection relation and the public network connection relation. The connection analysis unit compares the route IP address and route port in the intranet connection relation with the route IP address and route port in the public network connection relation, connects the intranet connection relation and the public network connection relation for which they are the same, and uses the connected data as the transmission connection relation, which is set as a1:a2-b1:b2-c1:c2.
Further, the structure identification module analyzes the transmission structure according to the user IP address, the transmission target IP address and the stored transmission connection relation: it extracts from the stored transmission connection relations those that include the user IP address or the transmission target IP address as the analysis connection relations, compares the server IP addresses in the analysis connection relations, and analyzes the transmission structure according to the comparison result, wherein:
When the server IP addresses in the analysis connection relations are the same, the structure identification module judges that the transmission structure is penetrated by the intranet;
When the server IP addresses in the analysis connection relations are different, the structure identification module determines that the transmission structure is not penetrated by the intranet.
Further, the characteristic analysis module is provided with a first analysis unit for analyzing characteristic parameters according to the user uplink speed and the transmission quantity, wherein:
when $v_1 \times T \times N_T < M$, the first analysis unit sets the characteristic parameter to $Q = M/N_T - v_1 \times T$;
when $v_1 \times T \times N_T \geq M$, the first analysis unit sets the characteristic parameter to $Q = v_1^{N_T-1} \times T - v_1 \times T$.
Further, the feature analysis module is further provided with a second analysis unit, which is configured to analyze the feature parameters according to the user uplink speed, the target downlink speed and the transmission quantity, wherein:
when $(v_1 + v_2)/2 \times T \times N_T < M$, the second analysis unit sets the characteristic parameter to $Q = v_1 - v_2$;
when $(v_1 + v_2)/2 \times T \times N_T \geq M$, the second analysis unit sets the characteristic parameter to $Q = v_2 - v_1$.
Further, the feature analysis module is further provided with a feature adjustment unit, which is configured to adjust the analysis process of the characteristic parameter according to the number of different user IP addresses in the routing mapping relation, where:
When $j = 1$, the characteristic adjustment unit judges that the quantity is normal, and does not adjust the analysis process of the characteristic parameter;
When $j > 1$, the characteristic adjustment unit judges that the quantity is multiple and adjusts the analysis process of the characteristic parameter; the adjusted characteristic parameter is $Q_1$, and $Q_1 = Q/2 - e^{-j}$ is set;
where $j$ represents the number of different user IP addresses in the routing mapping relation.
Further, the feature analysis module is further provided with a feature optimization unit, which is used for comparing the uplink speed of the user, the target downlink speed with the bandwidth of the server, and optimizing the adjustment process of the feature parameters according to the comparison result, wherein:
When $v_1 + v_2 \leq P$, the characteristic optimization unit judges that the transmission is stable, and does not optimize the adjustment process of the characteristic parameter;
When $v_1 + v_2 > P$, the characteristic optimization unit judges that the transmission fluctuates and optimizes the adjustment process of the characteristic parameter; the optimized characteristic parameter is $Q_2$, and $Q_2 = Q_1 \times \log(v_1 + v_2 - P)$ is set;
where P represents the server bandwidth.
Further, the anomaly detection module compares the characteristic parameter with a characteristic threshold value, and analyzes the network transmission condition according to the comparison result, wherein:
when $Q > q$, the abnormality detection module judges that the network structure state is normal;
when $Q < q$, the abnormality detection module judges that the network structure state is abnormal;
where $q$ represents the feature threshold, and $q = \log_{v_1}(M/N_T)$ is set.
Further, the adjustment optimization module is provided with an analysis adjustment unit, which is configured to adjust the feature threshold according to the number of different routing IP addresses in the server mapping relation, where:
When $k = 2$, the analysis and adjustment unit judges that the number is normal, and does not adjust the feature threshold;
When $k > 2$, the analysis and adjustment unit judges that the number is more and adjusts the feature threshold; the adjusted feature threshold is $q_1$, and $q_1 = q/2 - e^{-k}$ is set;
where $k$ represents the number of different routing IP addresses in the server mapping relation.
Further, the adjustment optimization module is further provided with a fluctuation analysis unit which is used for calculating the variance of the characteristic parameters of each period and taking the calculation result as characteristic fluctuation;
The adjustment optimization module is further provided with an analysis optimization unit, which is used for optimizing the adjustment process of the feature threshold according to the characteristic fluctuation, wherein the optimized feature threshold is $q_2$, and $q_2 = q_1 \times e^{S/2}/(S+1)$, wherein $S$ represents the characteristic fluctuation.
Compared with the prior art, the invention has the following advantages. The information acquisition module periodically acquires the user information, transmission information, router information and server information, which improves the accuracy of data acquisition. The mapping analysis module analyzes the user information, router information and server information to obtain the transmission connection relation, which represents the path formed during data transmission. The mapping storage module stores the transmission connection relation, which increases the diversity of the data the system analyzes. The structure identification module analyzes the user information, the transmission information and the stored transmission connection relation to obtain the transmission structure and judge whether the network has been penetrated. The characteristic analysis module analyzes the transmission information and the transmission structure to obtain the characteristic parameters, and adjusts and optimizes that analysis. The abnormality detection module analyzes the characteristic parameters to obtain the network structure state. The adjustment optimization module adjusts and optimizes the analysis process of the network structure state, which increases the diversity of system analysis. Each of these improves the efficiency with which the system detects network structure state abnormality and improves the accuracy of the analysis.
Drawings
FIG. 1 is a block diagram of a network feature anomaly detection system according to the present embodiment;
FIG. 2 is a block diagram of a mapping analysis module according to the present embodiment;
FIG. 3 is a block diagram showing a feature analysis module according to the present embodiment;
Fig. 4 is a block diagram of the structure of the adjustment optimizing module according to the present embodiment.
Detailed Description
In order that the objects and advantages of the invention will become more apparent, the invention will be further described with reference to the following examples; it should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are merely for explaining the technical principles of the present invention, and are not intended to limit the scope of the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those skilled in the art according to the specific circumstances.
Referring to fig. 1, a system for detecting abnormality of network structure features according to the present embodiment includes:
The information acquisition module is configured to periodically acquire user information, transmission information, router information and server information in network transmission. The user information includes a user IP address and a user port; the transmission information includes a transmission target IP address, a transmission amount, a user uplink speed and a target downlink speed; the router information includes a router IP address and a router mapping relation; and the server information includes a server IP address, a server mapping relation and a server bandwidth. The router mapping relation refers to the transmission relation established between a user IP address and user port and a router IP address and router port, and the server mapping relation refers to the transmission relation established between a router IP address and router port and a server IP address and server port. The user information, the transmission information and the router information are acquired through a router background data packet, and the server information is acquired through a server background data packet. In this embodiment the period is 1 second; the period is not specifically limited in this embodiment and can be set freely, and can be set to 0.3 seconds or less, or to 0.5 seconds;
The mapping analysis module is used for analyzing the transmission connection relation according to the user information, the router information and the server information, and is connected with the information acquisition module;
The mapping storage module is used for storing the transmission connection relation and is connected with the mapping analysis module;
the structure identification module is used for analyzing the transmission structure according to the user information, the transmission information and the stored transmission connection relation, and is connected with the mapping storage module;
The characteristic analysis module is used for analyzing characteristic parameters according to the transmission information and the transmission structure, adjusting the analysis process of the characteristic parameters according to the router information, optimizing the adjustment process of the characteristic parameters according to the server information, and connecting with the structure identification module;
The abnormality detection module is used for analyzing the network structure state according to the characteristic parameters and is connected with the characteristic analysis module;
The adjustment optimization module is used for adjusting the analysis process of the network structure state according to the server information, analyzing the characteristic fluctuation according to the characteristic parameter, optimizing the adjustment process of the network structure state according to the characteristic fluctuation, and connecting the adjustment optimization module with the abnormality detection module.
Referring to fig. 2, the mapping analysis module includes:
The route analysis unit is used for analyzing the intranet connection relation according to the user information and the router information;
The service analysis unit is used for analyzing the public network connection relation according to the route information and the server information, and is connected with the route analysis unit;
The connection analysis unit is used for analyzing the transmission connection relation according to the intranet connection relation and the public network connection relation, and is connected with the service analysis unit.
Referring to fig. 3, the feature analysis module includes:
The first analysis unit is used for analyzing the characteristic parameters according to the uplink speed and the transmission quantity of the user when the transmission structure is not penetrated by the intranet;
The second analysis unit is used for analyzing the characteristic parameters according to the uplink speed of the user, the downlink speed of the target and the transmission quantity when the transmission structure is penetrated by the intranet;
the characteristic adjustment unit is used for adjusting the analysis process of the characteristic parameters according to the route mapping relation and is connected with the first analysis unit and the second analysis unit;
And the characteristic optimization unit is used for optimizing the characteristic parameter adjusting process according to the bandwidth of the server when the transmission structure is penetrated by the intranet, and is connected with the characteristic adjusting unit.
Referring to fig. 4, the adjustment optimization module includes:
the analysis and adjustment unit is used for adjusting the analysis process of the network structure state according to the server mapping relation;
The fluctuation analysis unit is used for analyzing characteristic fluctuation according to characteristic parameters of each period and is connected with the analysis adjustment unit;
The analysis optimizing unit is used for optimizing the adjustment process of the network structure state according to the characteristic fluctuation, and is connected with the fluctuation analyzing unit.
Specifically, in this embodiment, the information acquisition module periodically acquires the user information, transmission information, router information and server information, which improves the accuracy of data acquisition. The mapping analysis module analyzes the user information, router information and server information to obtain the transmission connection relation, which represents the path formed during data transmission. The mapping storage module stores the transmission connection relation, which increases the diversity of the data the system analyzes. The structure identification module analyzes the transmission structure and judges whether the network has been penetrated. The characteristic analysis module analyzes the transmission information and the transmission structure to obtain the characteristic parameters, and adjusts and optimizes that analysis. The abnormality detection module analyzes the characteristic parameters to obtain the network structure state. The adjustment optimization module adjusts and optimizes the analysis process of the network structure state, which increases the diversity of system analysis. Each of these improves the efficiency with which the system detects network structure state abnormality and improves the accuracy of the analysis.
Specifically, in this embodiment, the route analysis unit matches the user information with the route mapping relation, and analyzes the intranet connection relation according to the matching result and the route IP address, where:
When the user IP address and the user port exist in the route mapping relation, the route analysis unit analyzes the intranet connection relation, and the intranet connection relation is set as a1:a2-b1:b2;
When the user IP address and the user port do not exist in the route mapping relation, the route analysis unit does not analyze the intranet connection relation;
wherein a1 represents the user IP address, a2 represents the user port, b1 represents the route IP address, and b2 represents the route port matched with the user information in the route mapping relation.
Specifically, in this embodiment, the routing analysis unit analyzes the user information and the routing information to analyze an intranet connection relationship, and the intranet connection relationship is used to represent a path for data transmission between the user and the router, so as to improve the efficiency of detecting the abnormal state of the network structure by the system and improve the accuracy of analysis.
Specifically, in this embodiment, the service analysis unit matches the routing information with the server mapping relation, and analyzes the public network connection relation according to the matching result and the server IP address, where:
When the router IP address exists in the server mapping relation, the service analysis unit analyzes the public network connection relation, and the public network connection relation is set as b1:b2i-c1:c2;
When the route IP address does not exist in the server mapping relation, the service analysis unit does not analyze the public network connection relation;
wherein b2i represents a routing port, c1 represents the server IP address, and c2 represents the server port matched with the routing information in the server mapping relation.
Specifically, in this embodiment, the service analysis unit analyzes the routing information and the server information to analyze a public network connection relationship, and the public network connection relationship is used to represent a path for performing data transmission between the router and the server, so as to improve the efficiency of detecting the abnormal state of the network structure by the system and improve the accuracy of analysis.
Specifically, in this embodiment, the connection analysis unit analyzes the transmission connection relation according to the intranet connection relation and the public network connection relation. The connection analysis unit compares the route IP address and route port in the intranet connection relation with the route IP address and route port in the public network connection relation, connects the intranet connection relation and the public network connection relation for which they are the same, and uses the connected data as the transmission connection relation, which is set as a1:a2-b1:b2-c1:c2.
Specifically, in this embodiment, the connection analysis unit analyzes the intranet connection relationship and the extranet connection relationship to analyze a transmission connection relationship, and the transmission connection relationship is used to represent a path of a user for network data transmission, so as to improve the efficiency of detecting the abnormal state of the network structure by the system and improve the accuracy of analysis.
Specifically, in this embodiment, the structure identification module analyzes a transmission structure according to a user ip address, a transmission target ip address, and a stored transmission connection relationship, extracts a transmission connection relationship including the user ip address or the transmission target ip address from the transmission connection relationship as an analysis connection relationship, compares a server ip address in the analysis connection relationship, and analyzes the transmission structure according to a comparison result, where:
when the ip addresses of the servers in the analysis connection relationship are the same, the structure identification module judges that the transmission structure is penetrated by the intranet;
When the ip addresses of the servers in the analysis connection relationship are different, the structure identification module determines that the transmission structure is not penetrated by the intranet.
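The join performed by the connection analysis unit and the server comparison performed by the structure identification module, as an added Python example (it is not code from the patent). The dictionary layouts of the two mapping relationships, the function names and the sample addresses are assumptions, as is the reading that "the same server ip" means the user's paths and the transmission target's paths share a server.

```python
from typing import NamedTuple

class Endpoint(NamedTuple):
    ip: str
    port: int

class Path(NamedTuple):
    """One transmission connection relationship a1:a2-b1:b2-c1:c2."""
    user: Endpoint    # a1:a2
    router: Endpoint  # b1:b2
    server: Endpoint  # c1:c2

    def __str__(self) -> str:
        return "-".join(f"{e.ip}:{e.port}" for e in self)

def build_paths(users, route_map, server_map):
    """Join intranet links (user -> router) with public links (router -> server).

    Assumed layouts: route_map maps a user Endpoint to the router Endpoint it
    is translated to; server_map maps a router Endpoint to a server Endpoint.
    A user missing from route_map, or a router missing from server_map, yields
    no relationship (the "does not analyze" branches in the text).
    """
    paths = []
    for user in users:
        router = route_map.get(user)
        if router is None:
            continue
        server = server_map.get(router)
        if server is None:
            continue
        paths.append(Path(user, router, server))
    return paths

def shared_servers(user_ip, target_ip, paths):
    """Server IPs reached by both the user and the transmission target."""
    if user_ip == target_ip:
        return []
    # The "analysis connection relationship": paths containing either address.
    analysis = [p for p in paths if p.user.ip in (user_ip, target_ip)]
    by_user = {p.server.ip for p in analysis if p.user.ip == user_ip}
    by_target = {p.server.ip for p in analysis if p.user.ip == target_ip}
    return sorted(by_user & by_target)

def transmission_structure(user_ip, target_ip, paths):
    """Classify the structure; a side with no stored path counts as no match."""
    if shared_servers(user_ip, target_ip, paths):
        return "intranet penetration"
    return "no intranet penetration"

# Constructed sample data (RFC 1918 and RFC 5737 addresses), not from the patent.
USERS = [
    Endpoint("192.168.1.10", 51000),  # site A host, talks to the relay
    Endpoint("192.168.1.11", 51001),  # site A host, ordinary web traffic
    Endpoint("192.168.1.12", 51002),  # no entry in the route mapping
    Endpoint("192.168.1.13", 51003),  # routed, but no server mapping entry
    Endpoint("10.0.0.20", 52000),     # site B host, talks to the same relay
]
ROUTE_MAP = {
    USERS[0]: Endpoint("203.0.113.5", 40001),
    USERS[1]: Endpoint("203.0.113.5", 40003),
    USERS[3]: Endpoint("203.0.113.5", 40004),
    USERS[4]: Endpoint("203.0.113.9", 40002),
}
SERVER_MAP = {
    Endpoint("203.0.113.5", 40001): Endpoint("198.51.100.7", 7000),
    Endpoint("203.0.113.5", 40003): Endpoint("198.51.100.80", 443),
    Endpoint("203.0.113.9", 40002): Endpoint("198.51.100.7", 7000),
}

if __name__ == "__main__":
    stored = build_paths(USERS, ROUTE_MAP, SERVER_MAP)
    for path in stored:
        print(path)
    print(transmission_structure("192.168.1.10", "10.0.0.20", stored))
    print(transmission_structure("192.168.1.11", "10.0.0.20", stored))
```

Requiring a stored path on both sides avoids flagging a flow merely because only one endpoint's mapping data was collected in the current period.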
Specifically, in this embodiment, the first analysis unit analyzes the characteristic parameter according to the uplink speed and the transmission amount of the user, where:
when v1×T×NT < M, the first analysis unit sets the characteristic parameter to Q=M/NT-v1×T;
when v1×T×NT ≥ M, the first analysis unit sets the characteristic parameter to Q=v1_{NT-1}×T-v1×T;
wherein v1 represents the user uplink speed of the current period, v1_{NT-1} represents the user uplink speed of the previous period, T represents the period duration, NT represents the number of periods, and M represents the transmission amount.
Specifically, in this embodiment, the first analysis unit analyzes the uplink speed and the transmission amount of the user to analyze the characteristic parameter, so that the characteristic parameter is related to the difference value between the uplink speed and the transmission amount of the user in the analysis period, thereby improving the detection efficiency of the system on the abnormal state of the network structure and improving the accuracy of analysis.
Specifically, in this embodiment, the second analysis unit analyzes the characteristic parameters according to the user uplink speed, the target downlink speed, and the transmission amount, where:
when (v1+v2)/2×T×NT < M, the second analysis unit sets the characteristic parameter to Q=v1-v2;
when (v1+v2)/2×T×NT is larger than or equal to M, the second analysis unit sets the characteristic parameter to Q=v2-v1;
where v2 represents the target downstream speed.
Specifically, in this embodiment, the second analysis unit analyzes the uplink speed, the downlink speed and the transmission amount of the user to analyze the characteristic parameter, so that the characteristic parameter is related to the difference value between the uplink speed and the downlink speed of the user, thereby improving the detection efficiency of the system on the abnormal state of the network structure and improving the accuracy of analysis.
Specifically, the feature adjustment unit in this embodiment adjusts the analysis process of the feature parameter according to the number of different user ip addresses in the routing mapping relationship, where:
When j=1, the characteristic adjustment unit judges that the quantity is normal, and does not adjust the analysis process of the characteristic parameters;
When j > 1, the characteristic adjustment unit judges that multiple user ip addresses are present, adjusts the analysis process of the characteristic parameters, and sets the adjusted characteristic parameter Q1 as Q1=Q/2-e^{-j};
where j represents the number of different user ip addresses in the routing mapping.
Specifically, the feature adjustment unit in this embodiment adjusts the analysis process of the feature parameters according to the route mapping relationship, so that the adjusted feature parameters are related to the number of device connections in the router, and the influence of simultaneous access of multiple devices on the analysis data of the router is reduced, thereby improving the detection efficiency of the system on the network structure state abnormality and improving the analysis accuracy.
Specifically, in this embodiment, the feature optimization unit compares the uplink speed of the user, the target downlink speed and the bandwidth of the server, and optimizes the adjustment process of the feature parameters according to the comparison result, where:
When v1+v2 is less than or equal to P, the characteristic optimization unit judges that the transmission is stable, and does not optimize the adjustment process of the characteristic parameters;
When v1+v2 > P, the characteristic optimization unit judges that the transmission fluctuates, optimizes the adjustment process of the characteristic parameters, and sets the optimized characteristic parameter Q2 as Q2=Q1×log(v1+v2-P);
where P represents the server bandwidth.
Specifically, in this embodiment, the feature optimization unit performs analysis on the uplink speed, the target downlink speed and the server bandwidth of the user, so as to optimize the adjustment process of the feature parameter, make the feature parameter related to the server bandwidth, limit the maximum speed of data transmission, and determine whether the transmission fluctuates, thereby improving the efficiency of detecting the abnormal state of the network structure by the system and improving the accuracy of analysis.
Specifically, in this embodiment, the anomaly detection module compares the characteristic parameter with the characteristic threshold, and analyzes the network transmission condition according to the comparison result, where:
when Q is greater than q, the abnormality detection module judges that the network structure state is normal;
when Q is smaller than q, the abnormality detection module judges that the network structure state is abnormal;
where q represents the feature threshold, set as q=log_{v1}(M/NT).
Specifically, in this embodiment, the analysis adjustment unit adjusts the feature threshold according to the number of different ip addresses in the server mapping relationship, where:
When k=2, the analysis and adjustment unit judges that the number is normal, and does not adjust the characteristic threshold;
When k > 2, the analysis and adjustment unit judges that the number is large, adjusts the characteristic threshold, and sets the adjusted characteristic threshold q1 as q1=q/2-e^{-k};
where k represents the number of different routing ip addresses in the server mapping.
Specifically, in this embodiment, the analysis adjustment unit is configured to analyze the mapping relationship of the server to adjust the feature threshold, so that the feature threshold is related to the number of devices connected to the server, thereby improving the efficiency of detecting the network structure state abnormality by the system and improving the accuracy of analysis.
Specifically, the fluctuation analyzing unit in the present embodiment calculates the variance of the characteristic parameter of each cycle, and takes the calculation result as the characteristic fluctuation.
Specifically, in this embodiment, the variance of the characteristic parameter is calculated by analyzing the characteristic parameter of each period by the fluctuation analysis unit, and the stability of the data is represented by the data calculated by mathematical statistics, so as to increase the diversity of system analysis, thereby improving the efficiency of detecting the abnormal state of the network structure by the system and improving the accuracy of analysis.
Specifically, in this embodiment, the analysis optimizing unit optimizes the adjustment process of the feature threshold according to the feature fluctuation, where the feature threshold after optimization is q2, and q2=q1×e S/2/(s+1), where S represents the feature fluctuation.
Specifically, in this embodiment, the analysis optimizing unit optimizes the characteristic fluctuation analysis to optimize the characteristic threshold adjustment process, so that the optimized characteristic threshold is related to the stability of the characteristic threshold of each period, and the influence of the data fluctuation on the network structure state is increased, thereby improving the detection efficiency of the system on the network structure state abnormality and improving the accuracy of analysis.
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will be within the scope of the present invention.

Claims (1)

1. A network structural feature anomaly detection system, comprising:
the information acquisition module is used for periodically acquiring user information, transmission information, router information and server information in network transmission;
The mapping analysis module is used for analyzing the transmission connection relation according to the user information, the router information and the server information;
The mapping storage module is used for storing the transmission connection relation;
The structure identification module is used for analyzing the transmission structure according to the user information, the transmission information and the stored transmission connection relation;
The characteristic analysis module is used for analyzing characteristic parameters according to the transmission information and the transmission structure, adjusting the analysis process of the characteristic parameters according to the router information and optimizing the adjustment process of the characteristic parameters according to the server information;
the abnormality detection module is used for analyzing the network structure state according to the characteristic parameters;
the adjustment optimization module is used for adjusting the analysis process of the network structure state according to the server information, analyzing the characteristic fluctuation according to the characteristic parameter and optimizing the adjustment process of the network structure state according to the characteristic fluctuation;
The mapping analysis module is provided with a route analysis unit which is used for matching the user information with the route mapping relation and analyzing the intranet connection relation according to the matching result and the route ip address, wherein:
When the user ip address and the user port exist in the route mapping relation, the route analysis unit analyzes the intranet connection relation, and the intranet connection relation is set as a1:a2-b1:b2;
When the user ip address and the user port do not exist in the route mapping relation, the route analysis unit does not analyze the intranet connection relation;
wherein a1 represents a user ip address, a2 represents a user port, b1 represents a route ip address, and b2 represents a route port matched with user information in a route mapping relation;
the mapping analysis module is further provided with a service analysis unit, which is used for matching the routing information with the mapping relation of the server and analyzing the public network connection relation according to the matching result and the ip address of the server, wherein:
When the router ip address exists in the server mapping relationship, the service analysis unit analyzes the public network connection relationship, and sets the public network connection relationship as follows: b1:b2i-c1:c2;
When the mapping relation of the server does not have the routing ip address, the service analysis unit does not analyze the public network connection relation;
wherein b2i represents a route port, c1 represents a server ip address, and c2 represents a server port matched with route information in a server mapping relation;
the mapping analysis module is further provided with a connection analysis unit for analyzing the transmission connection relation according to the intranet connection relation and the public network connection relation, the connection analysis unit compares the route ip address and the route port in the intranet connection relation with the route ip address and the route port in the public network connection relation, connects the same intranet connection relation with the public network connection relation, uses the connected data as the transmission connection relation, and sets the transmission connection relation as follows: a1:a2-b1:b2-c1:c2;
the structure identification module analyzes the transmission structure according to the user ip address, the transmission target ip address and the stored transmission connection relation, extracts the transmission connection relation containing the user ip address or the transmission target ip address from the transmission connection relation as the analysis connection relation, compares the server ip address in the analysis connection relation, and analyzes the transmission structure according to the comparison result, wherein:
when the ip addresses of the servers in the analysis connection relationship are the same, the structure identification module judges that the transmission structure is penetrated by the intranet;
When the ip addresses of the servers in the analysis connection relationship are different, the structure identification module judges that the transmission structure is not penetrated by the intranet;
the characteristic analysis module is provided with a first analysis unit which is used for analyzing characteristic parameters according to the uplink speed and the transmission quantity of a user, wherein:
when v1×T×NT < M, the first analysis unit sets the characteristic parameter to Q=M/NT-v1×T;
When v1×T×NT ≥ M, the first analysis unit sets the characteristic parameter to Q=v1_{NT-1}×T-v1×T;
wherein v1 represents the user uplink speed of the current period, v1_{NT-1} represents the user uplink speed of the previous period, T represents the period duration, NT represents the number of periods, and M represents the transmission quantity;
The characteristic analysis module is also provided with a second analysis unit which is used for analyzing characteristic parameters according to the uplink speed of the user, the target downlink speed and the transmission quantity, wherein:
When (v1+v2)/2×T×NT < M, the second analysis unit sets the characteristic parameter to Q=v1-v2;
When (v1+v2)/2×T×NT is larger than or equal to M, the second analysis unit sets the characteristic parameter to Q=v2-v1;
Wherein v2 represents a target downlink speed;
The feature analysis module is further provided with a feature adjustment unit for adjusting the analysis process of the feature parameters according to the number of different user ip addresses in the route mapping relation, wherein:
when j=1, the characteristic adjustment unit judges that the quantity is normal, and does not adjust the analysis process of the characteristic parameters;
When j > 1, the characteristic adjustment unit judges that multiple user ip addresses are present, adjusts the analysis process of the characteristic parameters, and sets the adjusted characteristic parameter Q1 as Q1=Q/2-e^{-j};
wherein j represents the number of different user ip addresses in the routing mapping relationship;
The feature analysis module is further provided with a feature optimization unit for comparing the uplink speed of the user, the target downlink speed with the bandwidth of the server and optimizing the adjustment process of the feature parameters according to the comparison result, wherein:
When v1+v2 is less than or equal to P, the characteristic optimization unit judges that the transmission is stable, and does not optimize the adjustment process of the characteristic parameters;
when v1+v2 > P, the characteristic optimization unit judges transmission fluctuation, optimizes the characteristic parameter adjusting process, and sets Q2=Q1×log (v1+v2-P) for the optimized characteristic parameter Q2;
wherein P represents the server bandwidth;
The anomaly detection module compares the characteristic parameters with the characteristic threshold values and analyzes the network transmission condition according to the comparison result, wherein:
when Q is greater than q, the abnormality detection module judges that the network structure state is normal;
when Q is smaller than q, the abnormality detection module judges that the network structure state is abnormal;
where q represents the characteristic threshold, set as q=log_{v1}(M/NT);
the adjustment optimization module is provided with an analysis adjustment unit which is used for adjusting the characteristic threshold according to the number of different routing ip addresses in the server mapping relation, wherein:
When k=2, the analysis and adjustment unit judges that the number is normal, and does not adjust the characteristic threshold;
When k > 2, the analysis and adjustment unit judges that the number is large, adjusts the characteristic threshold, and sets the adjusted characteristic threshold q1 as q1=q/2-e^{-k};
wherein k represents the number of different routing ip addresses in the server mapping relationship;
The adjustment optimization module is also provided with a fluctuation analysis unit which is used for calculating the variance of the characteristic parameters of each period and taking the calculation result as characteristic fluctuation;
The adjustment optimization module is further provided with an analysis optimization unit, which is used for optimizing the adjustment process of the characteristic threshold according to the characteristic fluctuation, wherein the optimized characteristic threshold is q2, and q2=q1×e S/2/(s+1), wherein S represents the characteristic fluctuation.
CN202311543874.7A 2023-11-20 2023-11-20 Network structure characteristic abnormality detection system Active CN117579344B (en)


Publications (2)

Publication Number Publication Date
CN117579344A CN117579344A (en) 2024-02-20
CN117579344B true CN117579344B (en) 2024-06-07




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant