Server network behavior description method

A server and network technology, applied in the fields of data exchange networks, digital transmission systems, electrical components, etc. It addresses problems such as the many differences in how abnormal features are defined, poor detection of new attacks or intrusions, and a high false positive rate, and achieves intuitive and reliable results, a reduced false negative rate, and high accuracy.

Active Publication Date: 2015-11-18
成都蜀道易信科技有限公司

AI Technical Summary

Problems solved by technology

This detection method is similar to the way computer viruses are detected, and its recall rate depends entirely on the coverage of the rule base. Once an attacker modifies the attack signature pattern to hide the behavior, this detection method is powerless. Detection of new attacks or intrusions is therefore very poor, which results in a high rate of false positives. When new attack methods appear, new rules and detection methods must be added to the signature database, so the signature database has to be continuously updated and maintained. In addition, to detect a variety of attacks, the system needs to maintain a huge attack pattern library, and detection must match the rules in the pattern library one by one, so the system cost is high.
[0008] The current main methods of intrusion detection are based on the idea of misuse detection: specific traffic detection patterns are written according to the characteristics of specific network attacks, and the collected traffic data is then matched against the known attack patterns. The disadvantage of detection methods based on abnormal traffic characteristics is that corresponding rules must be written for each attack in order to detect anomalies. However, as the network and application environment become increasingly complex, it is difficult for the original strategy to detect emerging new types of network attacks. There are many differences in the definition of abnormal features, so the adaptability and scalability of detection methods based on abnormal features are increasingly unable to meet protection needs.


Examples


Embodiment Construction

[0049] The present invention will be further described below in conjunction with the accompanying drawings and specific embodiments.

[0050] A server network behavior description method, comprising the following steps:

[0051] (1) Obtain the traffic information entering and leaving the server through the packet sniffing module;

[0052] (2) Extract the traffic information according to traffic attributes through the traffic attribute extraction and calculation module, and count the traffic corresponding to each traffic attribute per time window to form historical data;

[0053] (3) Process the acquired historical data through the system parameter learning module, which interacts with the historical data in real time, to obtain the system parameters based on the stability of the traffic structure;

[0054] (4) Construct a dynamic normal traffic profile from the system parameters and historical data;

[0055] (5) Construct the current traffic structure a...


Abstract

The invention discloses a server network behavior description method. The method comprises the steps that (1) traffic information in and out of a server is acquired; (2) according to traffic attributes, the traffic information is extracted, and according to a time window, traffic corresponding to each traffic attribute is counted to form historical data; (3) the historical data are calculated to acquire system parameters based on the traffic structure stability; (4) a dynamic normal traffic contour is built; (5) the current traffic structure is constructed; and (6) a difference measurement method is used to compare the normal traffic contour and the current traffic structure, and whether a network is normal is judged according to the size of a difference value. According to the invention, the server network behavior description method can adapt to an increasingly complex network environment, can detect a part of new network attacks, and can take initiative in detection.
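
The six steps above can be sketched as follows; this is an added example, not code from the patent. The page does not name the traffic attribute, the system parameters, or the difference measure, so destination-port byte share, a mean-plus-k-standard-deviations threshold and the Hellinger distance are assumptions, as are all names and the constructed sample flows.

```python
import math
from collections import Counter, deque

def structure(flows, attr):
    """Steps 2 and 5: share of bytes per value of one traffic attribute in a window."""
    totals = Counter()
    for flow in flows:
        totals[flow[attr]] += flow["bytes"]
    total = sum(totals.values())
    return {k: v / total for k, v in totals.items()} if total else {}

def hellinger(p, q):
    """Step 6: difference measure, 0.0 for identical structures, 1.0 for disjoint ones."""
    return math.sqrt(0.5 * sum((math.sqrt(p.get(k, 0.0)) - math.sqrt(q.get(k, 0.0))) ** 2
                               for k in set(p) | set(q)))

class TrafficProfile:
    def __init__(self, attr, history=12, k=3.0):
        self.attr, self.k = attr, k
        self.windows = deque(maxlen=history)   # historical data, one structure per window
    def baseline(self):
        """Step 4: dynamic normal profile, the mean share over the retained windows."""
        n = len(self.windows)
        return {k: sum(w.get(k, 0.0) for w in self.windows) / n for k in set().union(*self.windows)}
    def threshold(self):
        """Step 3 (assumed parameter): mean + k*std of each window's distance to baseline."""
        base = self.baseline()
        d = [hellinger(w, base) for w in self.windows]
        mean = sum(d) / len(d)
        return mean + self.k * math.sqrt(sum((x - mean) ** 2 for x in d) / len(d))
    def observe(self, flows):                  # None while learning, else (diff, anomalous)
        current = structure(flows, self.attr)
        if len(self.windows) < self.windows.maxlen:
            self.windows.append(current)
            return None
        diff = hellinger(current, self.baseline())
        anomalous = diff > self.threshold()
        if not anomalous:                      # keep flagged windows out of the profile
            self.windows.append(current)
        return diff, anomalous

def window(https, http, ssh):                  # constructed sample flows, not captured data
    return [{"dst_port": p, "bytes": b} for p, b in ((443, https), (80, http), (22, ssh))]

def demo():
    profile = TrafficProfile("dst_port")
    for i in range(12):
        profile.observe(window(7000 + 100 * (i % 3), 2000 - 50 * (i % 2), 1000))
    return profile.observe(window(7100, 1975, 1000)), profile.observe(window(7000, 60000, 1000))
```

`demo()` returns the verdicts for a window that matches the learned port mix and for one dominated by port 80 traffic; only the second exceeds the learned threshold.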

Description

Technical field

[0001] The invention relates to a behavior description method for detecting abnormal network traffic, in particular to a server network behavior description method based on traffic structure stability.

Background technique

[0002] The server is usually the core equipment providing network services in an IT system, so the security protection of the server is particularly important. Server network security protection can be divided, according to the characteristics of the protection means, into the following three main categories: (1) deploying protective equipment such as intrusion detection systems and firewalls at the network boundary; (2) correlation analysis and mining based on server logs; (3) traffic analysis on servers.

[0003] At present, the main means of server security protection is to deploy border devices such as IDS, IPS, and firewalls on the network border to detect and filter the traffic entering and leaving t...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L29/06
Inventor: 陈兴蜀, 邵国林, 尹学渊, 叶晓鸣, 江天宇
Owner: 成都蜀道易信科技有限公司