Host network abnormal behavior detection and classification method under large flow environment

Abstract

The invention discloses a host network abnormal behavior detection and classification method under a large flow environment, and belongs to the technical field of the Internet. The method comprises a first steps of creating and maintaining a network connection table; a second step of creating a connection record table; a third step of traversing a transcript of the network connection table; a fourth step of calculating the entropy and the largest proportion of a source/destination port of a host; and a fifth step of identifying abnormal network behaviors of the host. The method determines whether a node behaves abnormally or not based on several factors including the entropy and the largest proportion of the source/destination port of the source node, and further classifies the abnormal behaviors. The abnormal behavior detection method provided by the invention is practical, capable of adapting to large flow environments, simple in algorithm and easy to implement in various network devices, has certain real-time property, meets the accuracy requirement at the same time, can identify a variety of network scanning and DoS/DDoS attack traffic, provides detailed information and assists in further accurate interception.

Description

technical field [0001] The invention belongs to the technical field of the Internet, and more specifically relates to a method for detecting and classifying abnormal behavior of a host network in a large traffic environment. Background technique [0002] With the rapid development of the Internet, new network technologies continue to emerge, network bandwidth continues to increase, and network security issues are increasingly diverse. The attack behavior of the new technology of network attack is more concealed, and it is more and more harmful to security. At the same time, the improvement of network bandwidth leads to the diversification of business types carried on the network, which increases the probability of network failure and performance problems. Network users also pay more attention to the quality of network services. This requires that when a network anomaly occurs, the anomaly can be detected as soon as possible and the anomaly can be eliminated after analysis ...

AI Technical Summary

Problems solved by technology

The limitations of this detection method are:

[0017] (2) Because the detection target is too complex, complex data mining and machine learning algorithms are often used for analysis, and the amount of calculation is large, which is difficult to realize in real-time network environment and network equipment;

[0018] (3) The detection results are not fine enough to give detailed details of the abnormalities, for example: what traffic abnormalities are they? What are the source and destination IP addresses, ports, and protocols? Effective interception cannot be made without specific details

This detection method is simple and easy to implement. It can identify some typical DoS attacks and network scanning behaviors, but it will cause misjudgment for some network applications involving high-speed download or upload (such as P2P and network video), and it will not detect disguised DDoS attacks. and scanning behavior will form a missed judgment

Images