Efficient multistage anomaly flow detection method based on TCP

Abstract

The invention discloses an efficient multistage anomaly flow detection method based on a TCP. A multistage anomaly detection mechanism is added in a traditional anomaly flow detection process. The method is used for anomaly detection for data flow sent by a client side in the network, the difference mean value method is used for carrying out difference stabilization processing on original flow produced by the client side, meanwhile, analysis and statistics are carried out on existing flow in the network, a self-adaptive threshold value interval is dynamically set, self-adaptive threshold value difference flow detection is carried out on the stabilized flow, and further anomaly detection is carried out on a data package which passes primary detection. The further anomaly detection is mainly used for analyzing the data package transmitted by a router, the key field is extracted, and whether the data package sent by the client side is abnormal or not is judged further by judging the key field. The efficient multistage anomaly flow detection method improves detection precision, and is easy and convenient to implement.

Description

technical field [0001] The invention belongs to the technical field of communication anomaly detection, relates to fast and real-time anomaly detection technology for various anomalies on the Internet, and specifically designs a high-efficiency multi-level abnormal traffic detection method based on the TCP protocol. Background technique [0002] Network abnormal traffic detection is an important part of network monitoring. Abnormal network traffic refers to the situation where the traffic behavior in the network deviates from the normal behavior. In the network, there are many reasons for abnormal network traffic. For example, equipment failure in the network leads to abnormal communication and abnormality; abnormal network operation, sudden access (Flash crowd), network intrusion, etc. will cause network abnormality. At the same time, network anomaly detection is an important guarantee for communication security during the continuous development of the network, the plannin...

AI Technical Summary

Problems solved by technology

[0005] At present, the anomaly detection methods that have been proposed, such as the nonlinear abnormal flow detection method (NLPP), the abnormal flow detection method based on wavelet analysis, and the abnormal flow detection method based on the ARMA model, can detect the abnormality quickly in real time, but the computational The complexity is high, and the detection results are not accurate enough, and there is often a large false alarm rate, and the detection method can only be used when the traffic data has long-term correlation characteristics

However, when most flow data are collected, the correlation characteristics are not obvious, and the fluctuation trend often presents a non-stationary state, which makes the scope of use of the detection method very limited.

Images