Multi-measure network abnormity detection method based on relative entropy theory

A network anomaly detection method, applied in the field of information security, which addresses the problems of insufficient attack detection range and the trade-off between raising the detection rate and lowering the false alarm rate.

Status: Inactive. Publication date: 2010-02-10
XIAN UNIV OF TECH
Cites 0; Cited by 49

AI Technical Summary

Problems solved by technology

[0005] The purpose of the present invention is to provide a multi-measure network anomaly detection method based on relative entropy theory, which helps to solve two thorny problems that have b



Examples


Embodiment 1

[0078] As a specific application, the invention establishes a dual-measure network anomaly detection model based on relative entropy theory (RETDMAD). The measures adopted are the packet length distribution and the protocol distribution, and the feasibility of the RETDMAD method is verified through system implementation and testing. The dual-measure network anomaly detection model with the packet length distribution and the protocol distribution as anomaly detection measures is given below; the model is implemented according to the following steps:

[0079] Step 1) Selection and quantification of dual measures

[0080] All collected data packets are divided into 7 categories according to packet length (=1518); the first measure is the ratio of the packets in each length segment to the total traffic (the packet length distribution). All collected data packets are also divided into four types (TCP, UDP, ICMP and OTHER) according to the transport layer protocol. Th...

Embodiment 2

[0091] Three measures, the packet length distribution, the protocol distribution and the TCP port traffic distribution, are selected for relative-entropy-based network anomaly detection.

[0092] When Internet users use download tools to fetch large numbers of files, copy files between hosts, or send large volumes of e-mail, using only the packet length distribution and the protocol distribution as detection measures makes it difficult to achieve the ideal detection effect and yields a high false alarm rate. To detect anomalies accurately in these situations, the TCP port traffic distribution can be used as a third detection measure: the commonly used TCP ports are divided into nine categories (21, 23, 25, 53, 80, 4000, 8000, 6200 and others), and the ratio of each category's traffic to the total traffic is the port traffic distribution. The operati...
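The following is an added worked example of the six steps (measure quantification, preprocessing, training, single-measure relative entropy, weighted multi-measure entropy, alarm) covering both Embodiment 1 and Embodiment 2. It is not the patent's code. The exact packet-length bin boundaries (the patent only states 7 categories with 1518 as a boundary), the measure weights, the alarm threshold, the eps smoothing used when a class absent from training appears, and all sample traffic are assumptions or constructed data, not values from the patent.

```python
# Added worked example; not the patent's code. LENGTH_BINS, weights,
# THRESHOLD, eps smoothing and all traffic below are assumed/constructed.
import math
from collections import Counter

LENGTH_BINS = (64, 128, 256, 512, 1024, 1518)  # assumed upper bounds; >1518 is bin 7
PROTOCOLS = ("TCP", "UDP", "ICMP", "OTHER")
PORT_CLASSES = (21, 23, 25, 53, 80, 4000, 8000, 6200, "OTHER")  # as in Embodiment 2


def length_bin(length):
    """Step 1: map a packet length to one of the 7 assumed length categories."""
    for i, upper in enumerate(LENGTH_BINS):
        if length <= upper:
            return i
    return len(LENGTH_BINS)


def port_class(port):
    return port if port in PORT_CLASSES else "OTHER"


def quantify(packets):
    """Steps 1-2: turn raw packets (length, proto, tcp_port_or_None) into the
    three measure distributions; port shares are taken over TCP packets only."""
    len_c, proto_c, port_c, tcp_total = Counter(), Counter(), Counter(), 0
    for length, proto, port in packets:
        len_c[length_bin(length)] += 1
        proto_c[proto if proto in PROTOCOLS else "OTHER"] += 1
        if proto == "TCP" and port is not None:
            port_c[port_class(port)] += 1
            tcp_total += 1

    def share(counter, keys, total):
        return {k: (counter[k] / total if total else 0.0) for k in keys}

    return {"length": share(len_c, range(len(LENGTH_BINS) + 1), len(packets)),
            "protocol": share(proto_c, PROTOCOLS, len(packets)),
            "port": share(port_c, PORT_CLASSES, tcp_total)}


def relative_entropy(p, q, eps=1e-6):
    """Step 4: D(p||q) = sum_i p_i * ln(p_i / q_i). D is undefined when q_i = 0
    and p_i > 0 (a class never seen in training), so eps is added to every
    class and both distributions are renormalised (assumed choice)."""
    keys = set(p) | set(q)
    ps = {k: p.get(k, 0.0) + eps for k in keys}
    qs = {k: q.get(k, 0.0) + eps for k in keys}
    zp, zq = sum(ps.values()), sum(qs.values())
    return sum((ps[k] / zp) * math.log((ps[k] / zp) / (qs[k] / zq)) for k in keys)


def multi_measure_entropy(current, baseline, weights):
    """Step 5: weighted sum of the single-measure relative entropies."""
    singles = {m: relative_entropy(current[m], baseline[m]) for m in weights}
    return sum(weights[m] * singles[m] for m in weights), singles


def detect(window_packets, baseline, weights, threshold):
    """Step 6: alarm when the weighted relative entropy exceeds the threshold.
    Returns (alarm, total, per-measure entropies)."""
    total, singles = multi_measure_entropy(quantify(window_packets), baseline, weights)
    return total > threshold, total, singles


def synth(spec):
    """Constructed sample traffic from a list of ((length, proto, port), count)."""
    return [pkt for pkt, count in spec for _ in range(count)]


# Step 3: training sample (constructed web/mail/DNS-dominated traffic).
BASELINE = quantify(synth([
    ((60, "TCP", 80), 300), ((1500, "TCP", 80), 250), ((700, "TCP", 25), 60),
    ((100, "UDP", None), 80), ((90, "TCP", 53), 30), ((84, "ICMP", None), 10),
    ((400, "TCP", 21), 20)]))
TWO_MEASURES = {"length": 0.5, "protocol": 0.5}                 # Embodiment 1, assumed weights
THREE_MEASURES = {"length": 0.4, "protocol": 0.3, "port": 0.3}  # Embodiment 2, assumed weights
THRESHOLD = 0.2                                                 # assumed

NORMAL_WINDOW = synth([  # same mix as the baseline at half the volume
    ((60, "TCP", 80), 150), ((1500, "TCP", 80), 130), ((700, "TCP", 25), 30),
    ((100, "UDP", None), 40), ((90, "TCP", 53), 15), ((84, "ICMP", None), 5),
    ((400, "TCP", 21), 10)])
FLOOD_WINDOW = synth([  # ICMP flood: length and protocol distributions both shift
    ((60, "TCP", 80), 50), ((1500, "TCP", 80), 30), ((64, "ICMP", None), 800)])
DOWNLOAD_WINDOW = synth([  # bulk transfer on port 6200: only the port distribution moves
    ((60, "TCP", 6200), 300), ((1500, "TCP", 6200), 250), ((700, "TCP", 6200), 60),
    ((100, "UDP", None), 80), ((90, "TCP", 53), 30), ((84, "ICMP", None), 10),
    ((400, "TCP", 21), 20)])

if __name__ == "__main__":
    for name, win in [("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW), ("download", DOWNLOAD_WINDOW)]:
        for label, w in [("2-measure", TWO_MEASURES), ("3-measure", THREE_MEASURES)]:
            alarm, total, singles = detect(win, BASELINE, w, THRESHOLD)
            print(f"{name:8s} {label}: alarm={alarm} total={total:.3f} "
                  + " ".join(f"{m}={v:.3f}" for m, v in singles.items()))
```

Running the script shows the point of Embodiment 2: the download window has a length and protocol distribution identical to the training sample, so the two-measure model of Embodiment 1 computes a relative entropy of zero and raises no alarm, while the port distribution alone carries the deviation and the three-measure weighted sum crosses the threshold. The flood window is caught by either model, and the normal window stays far below the threshold in both. The eps smoothing is what lets a class unseen in training (port 6200 here) produce a finite but large term instead of a division by zero.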



Abstract

The invention discloses a multi-measure network anomaly detection method based on relative entropy theory. In the method, an integrated relative entropy is obtained by weighting the relative entropies of several measures and is used to judge whether the network is anomalous, which avoids the single point of failure of single-measure detection under a particular attack; at the same time, anomaly detection based on relative entropy differs from anomaly detection based on traffic volume and can accurately reflect anomalies in the measures themselves. The method is concretely realized in the following steps: step 1, selecting and quantifying the measures for anomaly detection; step 2, preprocessing the data; step 3, training on a sample; step 4, computing the single-measure relative entropy; step 5, computing the multi-measure weighted relative entropy; and step 6, the alarm mechanism and display of the detection result. The technical scheme helps to solve the problems of insufficient attack detection range and the conflict between raising the detection rate and lowering the false alarm rate in existing network anomaly detection techniques, and can perform network anomaly detection in a variety of network environments, such as a host, a local area network or a wide area network.

Description

Technical field

[0001] The invention belongs to the technical field of information security and relates to a method for detecting network anomalies, in particular to a multi-measure network anomaly detection method based on relative entropy theory.

Background technique

[0002] While computer networks bring convenience to people, they constantly face security threats such as computer viruses, Trojan horses, network sniffing, hacker attacks, and malicious software including rogue software. A direct consequence of these malicious attacks on the network is various anomalies in network usage. Network anomaly detection enables people to discover network attacks early and take countermeasures to curb the further development of the anomaly.

[0003] Research on network anomaly detection methods has been published since the first network intrusion detection system, NSM, in 1990. The proposed methods include probability statistics an...


Application Information

IPC(8): H04L29/06; H04L12/24
Inventors: 张亚玲, 韩照国
Owner XIAN UNIV OF TECH