A method and system for detecting abnormal flow

Abstract

The invention discloses a method and system for detecting abnormal flow. The method includes: capturing IP packets in the network, collecting SYN packets satisfying preset conditions, and extracting the address information of the SYN packets as data items to form a data item set; mining the data item set within a preset time Frequently appearing data items are used as frequent items, and the address information corresponding to the frequent items is recorded, and the flow with abnormal behavior is located according to the frequent items; it also includes: calculating the entropy value of the frequent items to evaluate the abnormal situation of the network Provide evidence. It can quickly identify flows that try to frequently establish connections in the network on the premise of using only a small amount of computing and storage resources, which can help realize on-demand monitoring of abnormal flows and reduce the burden of network monitoring.

Description

technical field [0001] The invention relates to the field of network security, in particular to a method and system for detecting abnormal flows based on frequent item mining. Background technique [0002] In recent years, with the rapid development of the Internet, the types of services continue to increase, and various types of network threats emerge in an endless stream. Network data monitoring has become more and more important. With the rapid development of the Internet, the link bandwidth and business volume have increased exponentially, the network scale and complexity have continued to increase, and the improvement of semiconductor performance has relatively lagged behind, resulting in a prominent problem of mismatch between computing power and high-speed massive data. In a high-speed network environment, the new generation of network monitoring and security management system needs to consider adopting on-demand monitoring technology, so the data stream that does not...

AI Technical Summary

Problems solved by technology

[0004] The anomaly detection methods under the traditional high-speed network mainly include the analysis of the network traffic or the analysis of the distribution change of the address port. Although these methods can detect the anomalies under the high-speed network and give an alarm to the anomalies, they cannot locate the abnormal flow. Therefore, abnormal data cannot be exported to help further analysis

The packet classification technology based on static rule sets mainly relies on static classification rules for classification, and cannot be applied to the identification of abnormal traffic.

[0005] Although the frequent item mining technology in data flow research can be used to solve the problem of abnormal flow identification, there are still some limitations in the implementation of the technology in the actual network environment. On the one hand, due to the limited computing and storage resources, the calculation of flow identification technology There are strict requirements on performance and storage space consumption; on the other hand, network data has dynamic characteristics, and it is necessary to pay more attention to short-term situation changes in monitoring. These existing algorithms are difficult to solve this problem, and existing technologies need to be improved.

Images