Method and device for monitoring abnormal network traffic

Abstract

The invention discloses a network anomaly traffic monitoring method, belonging to the technical filed of information security. The network anomaly traffic monitoring method comprises the steps of: capturing a network data stream passing by; according to generation time of the network data stream, selecting n network data streaming data which are closest to the current time, wherein n is determined according to the calculating capacity of a system; training the captured n network data streaming data as input of a relevance vector machine, establishing a data model; and monitoring the current network traffic data according to the data model. By the method and the device, the classifying monitoring precision can be improved so that anomaly traffic is monitored more rapidly and effectively, and lower false drop rate and fallout ratio are ensured.

Description

technical field [0001] The invention relates to the technical field of information security, in particular to a method and device for monitoring abnormal network traffic. Background technique [0002] Network traffic anomalies refer to significant changes in network traffic irregularities, such as local events such as transient network congestion, distributed denial of service attacks (DDoS, Distributed Denial of Service), large-scale scanning, or global events such as network routing anomalies. The monitoring and analysis of network traffic anomalies is very important for network security emergency response departments. However, due to the difficulty of macro-traffic anomaly monitoring, it is necessary to extract and explain abnormal patterns from a large number of high-dimensional and noisy data. Monitoring and analysis remains a great challenge. To this end, academic institutions and enterprises at home and abroad have proposed a variety of monitoring methods. [0003] ...

AI Technical Summary

Problems solved by technology

[0006] (1) The accuracy is not high, especially the accuracy of the threshold-based method is relatively poor

Since the processing in the case of network intrusion requires a considerable cost, the loss of missed detection and false detection is huge

[0007] (2) There is no confidence in the output result, and the risk difference between a state that is only 50% likely to be attacked and a state that is 99% likely to be attacked is huge

[0008] (3) Unable to cope with the massive network data flow accumulated by online collection, the increasing data will make the processing time of various data-driven methods infinitely increase, so that it is impossible to monitor the current network situation in real time

[0009] (4) Various parameters of the network monitoring system cannot be adaptively adjusted according to historical network conditions

Manual intervention setting not only consumes a lot of manpower, but also reduces the stability of the system. Once an error occurs, the result will be unpredictable

[0010] (5) Inefficiency in processing high-dimensional data

[0014] (1) When monitoring, the number of SVM support vectors grows linearly with the increase of training samples. When the training samples are large, on the one hand, it may cause over-fitting of historical data and weaken the generalization ability. Computational time is wasted

[0015] (2) Probabilistic monitoring output cannot be obtained, that is, the prediction result has no confidence, only a certain label or value

[0016] (3) The variation range of some parameters must be manually set. Improper setting will cause problems such as overfitting or underfitting. This parameter has a great impact on the results

[0019] In the existing technology, there is no low false detection rate, low false detection rate, output with result confidence, automatic parameter selection, and efficient network abnormal traffic monitoring scheme

Images