Host network abnormal behavior detection and classification method under large flow environment

A host-network anomaly detection technology for high-traffic environments, applied in the Internet field, which addresses the large computational load, overly complex detection targets, and lack of interception detail of prior methods while meeting accuracy requirements.

Inactive Publication Date: 2015-08-12
HUAZHONG UNIV OF SCI & TECH

AI Technical Summary

Problems solved by technology

The limitations of this detection method are:
[0017] (2) Because the detection target is too complex, complex data mining and machine learning algorithms are often used for analysis; the amount of computation is large, which is difficult to realize in a real-time network environment and in network equipment;
[0018] (3) The detection results are not fine-grained enough to give the details of the anomalies, for example: what kind of traffic anomaly is it? What are the source and destination IP addresses, ports, and protocols? Without such specifics, effective interception cannot be carried out.
This detection method is simple and easy to implement. It can identify some typical DoS attacks and network scanning behaviors, but it produces false positives for network applications involving high-speed download or upload (such as P2P and network video), and it fails to detect disguised DDoS attacks and scanning behavior, producing false negatives.




Embodiment Construction

[0037] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention. In addition, the technical features involved in the various embodiments of the present invention described below can be combined with each other as long as they do not constitute a conflict with each other.

[0038] The present invention proposes to study the source/destination port distribution of source nodes that open a high number of concurrent connections in a short period of time, establish a measurement model, calculate entropy values and maximum proportions, and then detect and classify the various abnormal host network behaviors by applying thresholds. For ease of de...


Abstract

The invention discloses a host network abnormal behavior detection and classification method under a large flow environment, and belongs to the technical field of the Internet. The method comprises a first step of creating and maintaining a network connection table; a second step of creating a connection record table; a third step of traversing a snapshot of the network connection table; a fourth step of calculating the entropy and the largest proportion of the source/destination ports of a host; and a fifth step of identifying abnormal network behaviors of the host. The method determines whether a node behaves abnormally based on several factors including the entropy and the largest proportion of the source/destination ports of the source node, and further classifies the abnormal behavior. The abnormal behavior detection method provided by the invention is practical, adapts to large flow environments, is simple in algorithm and easy to implement in various network devices, has a degree of real-time capability, meets the accuracy requirement at the same time, can identify a variety of network scanning and DoS/DDoS attack traffic, and provides detailed information that assists further precise interception.
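The metric pipeline described in the abstract and in [0038], as an added worked example in Python that is not the patent's own code: connection records are grouped into a per-source-host connection table, the Shannon entropy and largest proportion of each host's source and destination ports are computed, and a threshold rule labels the host. The sample records, the thresholds and the class names are constructed assumptions for illustration; the patent text here does not publish its threshold values.

```python
from collections import Counter, defaultdict
from math import log2
# Constructed sample connection records (src_ip, dst_ip, src_port, dst_port, proto).
SAMPLE_CONNECTIONS = (
    # 10.0.0.5 touches 40 different ports on one target: destination ports spread out
    [("10.0.0.5", "192.0.2.10", 40000 + i, 20 + i, "tcp") for i in range(40)]
    # 10.0.0.7 opens 40 connections to one service: destination port concentrated
    + [("10.0.0.7", "192.0.2.20", 50000 + i, 80, "tcp") for i in range(40)]
    # 10.0.0.9 is an ordinary client with a handful of connections
    + [("10.0.0.9", "192.0.2.30", 51000, 443, "tcp"),
       ("10.0.0.9", "192.0.2.32", 51002, 53, "udp")]
)

# Assumed thresholds for illustration; the patent page does not give its values.
MIN_CONNECTIONS = 20     # only hosts with many concurrent connections are examined
HIGH_ENTROPY_BITS = 3.0  # a port distribution counts as "spread out" above this
HIGH_SHARE = 0.9         # a port distribution counts as "concentrated" above this

def entropy_and_max_share(values):
    """Shannon entropy in bits and the share of the most frequent value."""
    counts = Counter(values)
    n = sum(counts.values())
    entropy = -sum(c / n * log2(c / n) for c in counts.values())
    return entropy, max(counts.values()) / n

def classify(n_conn, src_h, dst_h, dst_share):
    """Assumed decision rules mapping the metrics to a behaviour class."""
    if n_conn < MIN_CONNECTIONS:
        return "normal"
    if dst_h > HIGH_ENTROPY_BITS and dst_share < 1 - HIGH_SHARE:
        return "port_scan"  # many distinct destination ports
    if dst_share >= HIGH_SHARE and src_h > HIGH_ENTROPY_BITS:
        return "flood"      # one service hit repeatedly from many source ports
    return "suspicious"

def analyse(records):
    """Group records by source host, compute the metrics, and label each host."""
    table = defaultdict(list)   # the per-source-host connection table
    for src_ip, _dst_ip, sport, dport, _proto in records:
        table[src_ip].append((sport, dport))
    report = {}
    for host, conns in table.items():
        src_h, src_share = entropy_and_max_share(p for p, _ in conns)
        dst_h, dst_share = entropy_and_max_share(p for _, p in conns)
        report[host] = {"connections": len(conns), "src_entropy": src_h,
                        "src_max_share": src_share, "dst_entropy": dst_h,
                        "dst_max_share": dst_share,
                        "class": classify(len(conns), src_h, dst_h, dst_share)}
    return report
```

The per-host report carries the detail the patent says prior methods lack (source host, connection count, port concentration), which is what a downstream interception rule would consume.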

Description

Technical field
[0001] The invention belongs to the technical field of the Internet, and more specifically relates to a method for detecting and classifying abnormal network behavior of a host in a large-traffic environment.

Background technique
[0002] With the rapid development of the Internet, new network technologies continue to emerge, network bandwidth continues to increase, and network security issues are increasingly diverse. Newer attack techniques are more concealed and increasingly harmful to security. At the same time, the growth in network bandwidth leads to a diversification of the business types carried on the network, which increases the probability of network failures and performance problems, while network users pay more attention to the quality of network services. This requires that when a network anomaly occurs, it can be detected as soon as possible and eliminated after analysis ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L29/06
Inventor: 周丽娟
Owner: HUAZHONG UNIV OF SCI & TECH