
Abnormal traffic detection method

An abnormal traffic detection technology, applied in the field of computer systems, which can solve the problems of network paralysis, inability to detect attacks, and missed judgments, and achieves the effect of reducing the false positive rate and the false negative rate.

Active Publication Date: 2016-02-03
GUANGDONG EFLYCLOUD COMPUTING CO LTD

Problems solved by technology

[0003] Because the harm of a DDoS attack is huge, it will not only quickly make the attacked server unable to provide services normally, but also congest the entire network and affect other servers, so it is especially important to find attacks in the network in time.

[0004] Current attack detection methods generally use fixed thresholds or establish dynamic traffic baselines, and both have obvious shortcomings. A fixed threshold causes false positives and false negatives because the threshold is set too large or too small; with a dynamic traffic baseline, a target with small traffic is prone to sudden fluctuations because of its small base, resulting in false positives, while an attack on a large target may be missed because the relative change is small. Falsely reporting the burst traffic of normal business is a defect common to both methods. Moreover, in the initial stage of establishing a dynamic traffic baseline for each new target, attacks cannot be detected at all, and if attack traffic is used to establish the baseline, it may even become impossible to detect attacks on this target in the future.


Examples

Embodiment 1

[0022] Figure 1 is a flowchart of a method for detecting abnormal traffic in Embodiment 1 of the present invention. This embodiment provides a method for detecting abnormal traffic. The method can be executed by any device that performs traffic detection, and the device can be implemented in software and/or hardware. As shown in Figure 1, the method includes:

[0023] S110. Receive a message;

[0024] S120. Count the messages by message type, store the counts in the IP hash array, and store traffic characteristics in the IP hash array;

[0025] Exemplarily, a global IP hash array (HASH) is established to count information such as IP traffic, and the IP hash array may contain different variables to count information such as IP traffic. Preferably, the IP hash array can count the message information contained in the IP traffic, for example: the IP hash array can include variables SYN, ICMP and UDP, which are used to count synchronous messages (syn messages) ...

Embodiment 2

[0040] Figure 3 is a flowchart of an abnormal traffic detection method in Embodiment 2 of the present invention. The technical solution of this embodiment is based on Embodiment 1 above and is further optimized on that basis.

[0041] Further, according to the message count information stored in the IP hash array and according to the message type, storing the IP information of the top N messages in the form of a minimum binary heap in each sorted sub-array includes:

[0042] S310. According to the message count information stored in the IP hash array and according to the message type, use a first sorting function that traverses the sorted sub-array upwards to maintain the minimum binary heap property of the sorted sub-array;

[0043] S320. According to the message count information stored in the IP hash array and according to the message type, use a second sorting function that traverses the sorted sub-array downwards to maint...

Embodiment 3

[0052] Figure 4 is a flowchart of an abnormal traffic detection method in Embodiment 3 of the present invention. The technical solution of this embodiment is based on the above embodiments and is further optimized on that basis.

[0053] Further, receiving new IP information, updating the IP information of the top N packets and storing them in a sorted array includes:

[0054] S410. Create two threads;

[0055] S420. The first thread is responsible for extracting the IP address and message type (TYPE) from the incoming and outgoing messages and storing them in the IP hash array;

[0056] Exemplarily, if the packet type is a synchronous packet, then HASH[IP]→SYN+1, that is, add 1 to the number of synchronous packets in the IP hash array;

[0057] Otherwise, if the packet type is a control information packet, then HASH[IP]→ICMP+1, that is, add 1 to the number of control information packets in the IP hash array;

[0058] Otherwise, if the ...
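The following is an added worked example, not code from the patent or its owner, that puts the three embodiments together: the per-IP hash array counted by message type (S120/S420), one sorted sub-array per type kept as a minimum binary heap of size N with the upward and downward sorting functions (S310/S320), the final check of the top-N entries against set characteristic values, and the two-thread split of S410/S420. The threshold values, the `(ip, TYPE)` packet tuple, the `Detector`/`TopN` names and the role assigned to the second thread (the page truncates its description) are assumptions, and the sample packets are constructed.

```python
"""Added example, not the patent's code: an IP hash array counted by message
type (S120/S420), a per-type top-N minimum binary heap kept by sift-up and
sift-down (S310/S320), a threshold check over the top N, and the two-thread
split of S410/S420. Thresholds, packet format and thread 2's role are assumed."""
import queue
import threading

TYPES = ("SYN", "ICMP", "UDP")


class TopN:
    """Fixed-size min-heap of [count, ip]; the root is the weakest of the top N."""
    def __init__(self, n):
        self.n, self.heap, self.pos = n, [], {}      # pos: ip -> heap index

    def _swap(self, i, j):
        self.heap[i], self.heap[j] = self.heap[j], self.heap[i]
        self.pos[self.heap[i][1]], self.pos[self.heap[j][1]] = i, j

    def _sift_up(self, i):          # first sorting function: traverse upwards
        while i > 0 and self.heap[(i - 1) // 2][0] > self.heap[i][0]:
            self._swap(i, (i - 1) // 2)
            i = (i - 1) // 2

    def _sift_down(self, i):        # second sorting function: traverse downwards
        kids = [c for c in (2 * i + 1, 2 * i + 2) if c < len(self.heap)]
        if kids:
            s = min(kids, key=lambda c: self.heap[c][0])
            if self.heap[s][0] < self.heap[i][0]:
                self._swap(i, s)
                self._sift_down(s)

    def update(self, ip, count):
        """Insert or refresh ip with its new count (a count only ever grows)."""
        if ip in self.pos:                       # already ranked: can only sink
            self.heap[self.pos[ip]][0] = count
            self._sift_down(self.pos[ip])
        elif len(self.heap) < self.n:            # room left: append, bubble up
            self.heap.append([count, ip])
            self.pos[ip] = len(self.heap) - 1
            self._sift_up(self.pos[ip])
        elif count > self.heap[0][0]:            # beats the weakest: evict root
            del self.pos[self.heap[0][1]]
            self.heap[0] = [count, ip]
            self.pos[ip] = 0
            self._sift_down(0)

    def ranked(self):               # highest count first, ip breaks ties
        return sorted(((ip, c) for c, ip in self.heap), key=lambda e: (-e[1], e[0]))


class Detector:
    def __init__(self, n, thresholds):
        self.ip_hash = {}                        # HASH[IP] -> {TYPE: count}
        self.top = {t: TopN(n) for t in TYPES}   # one sorted sub-array per type
        self.thresholds = thresholds             # assumed characteristic values
        self.lock = threading.Lock()

    def count(self, ip, mtype):                  # HASH[IP] -> TYPE + 1
        with self.lock:
            entry = self.ip_hash.setdefault(ip, dict.fromkeys(TYPES, 0))
            entry[mtype] += 1
            return entry[mtype]

    def check(self):                             # final step: test the top N only
        with self.lock:
            return [(t, ip, c) for t in TYPES
                    for ip, c in self.top[t].ranked() if c >= self.thresholds[t]]


def run(packets, n=3, thresholds=None):
    """Thread 1 fills the hash array from (ip, TYPE); thread 2 (role assumed) keeps the top-N heaps current."""
    det = Detector(n, thresholds or {"SYN": 5, "ICMP": 5, "UDP": 5})
    raw, changed, stop = queue.Queue(), queue.Queue(), object()

    def counter():
        while (pkt := raw.get()) is not stop:
            changed.put((*pkt, det.count(*pkt)))   # (ip, TYPE, new count)
        changed.put(stop)

    def ranker():
        while (item := changed.get()) is not stop:
            ip, mtype, cnt = item
            with det.lock:
                det.top[mtype].update(ip, cnt)

    workers = [threading.Thread(target=f) for f in (counter, ranker)]
    for w in workers:
        w.start()
    for pkt in list(packets) + [stop]:
        raw.put(pkt)
    for w in workers:
        w.join()
    return det

# Constructed sample: 10.0.0.9 bursts SYNs, 10.0.0.7 sends a few UDP, the rest are quiet.
SAMPLE = ([("10.0.0.9", "SYN")] * 8 + [("10.0.0.7", "UDP")] * 3
          + [("10.0.0.1", "ICMP"), ("10.0.0.2", "SYN"), ("10.0.0.3", "SYN")]
          + [("10.0.0.4", "SYN")] * 2)
```

Running `run(SAMPLE)` and reading `det.top["SYN"].ranked()` returns the burst sender first, the two-packet sender second, and one of the single-packet senders third; the fourth SYN sender is evicted from the heap but its count remains in the hash array, which is the point of the design: the hash array is the complete record, while only the N heaviest per type ever reach the characteristic-value check in `check()`, so the comparison cost does not grow with the number of distinct addresses.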


Abstract

The invention discloses an abnormal traffic detection method. The method comprises the following steps: receiving messages; counting the messages by message type, storing the counts in an IP hash array, and storing traffic characteristics in the IP hash array; storing the IP information of the messages whose counts rank in the top N positions in a sorted array, where N is a natural number; receiving new IP information, updating the IP information of the top N messages, and storing it in the sorted array; and, in the updated sorted array, checking according to set characteristic values whether messages of the corresponding types show abnormal traffic behaviour. The abnormal traffic detection method of the technical scheme addresses the false negatives and false positives that current abnormal traffic detection methods cannot resolve: it can calculate in real time the targets whose traffic and other indexes rank in the top positions across the entire network and inspect the detailed behaviour of these targets, so that attacks are found accurately and in time and the false negative rate and false positive rate are greatly reduced.

Description

Technical field

[0001] The invention relates to the technical field of computer systems, in particular to an abnormal traffic detection method.

Background technique

[0002] Botnets have the characteristics of simple attack methods, large impact, and difficulty in tracing, which has made distributed denial of service (Distributed Denial of Service, DDoS) attacks grow rapidly and become increasingly rampant. A botnet composed of tens of thousands of hosts provides the bandwidth and hosts required for DDoS attacks, forming huge attack and network traffic and causing great harm to the attacked network. With the continuous improvement and development of DDoS attack technology, operators such as Internet Service Providers (Internet Service Provider, ISP), Internet Content Providers (Internet Content Provider, ICP) and Internet Data Centers (Internet Data Center, IDC) face security and operational challenges. Operators must detect and clean traffic before DDoS threats affect key services ...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1416, H04L63/1425
Inventor 梁润强史伟麦剑黄衍博闵宇易建仁
Owner GUANGDONG EFLYCLOUD COMPUTING CO LTD