An Adaptive Boundary Anomaly Detection Method Based on Multi-level Strategies

An adaptive anomaly detection technology, applied in the field of information network security, that addresses the inability of existing methods to identify the actual attack category and their high false negative and false positive rates when judging abnormality. It achieves construction and dynamic maintenance and reduces the false positive rate and the false negative rate.

Active Publication Date: 2019-06-28
GLOBAL ENERGY INTERCONNECTION RES INST CO LTD +2

AI Technical Summary

Problems solved by technology

Detection based on traffic size generally uses a threshold-based method. The threshold has to be set manually, cannot be adjusted to the peaks and troughs of network traffic, lacks intelligent dynamic updating, and the method only monitors traffic. Characteristic-based detection finds the data packets that match known characteristics. This method needs to know the characteristics of each kind of abnormal traffic in advance, so new abnormal data packets cannot be detected. Detection based on network bandwidth contours analyzes the data packets during network operation: traffic, ports and the number of connections are analyzed to establish a reference range of parameters under normal conditions, or to construct a normal operating curve in units of cycles. Behavior that exceeds the set threshold or falls outside the range of the normal curve is judged to be abnormal. For the abnormal behaviors identified at the boundary, this method lacks a scientific and comprehensive warning mechanism and cannot identify the actual attack category.

Existing boundary anomaly detection methods mainly focus on the analysis of abnormal network flow. The threshold benchmark is determined subjectively, the data sources analyzed and the feature values extracted are relatively one-sided, the false negative and false positive rates are high, and boundary state anomalies cannot be detected comprehensively and accurately.

Examples

Embodiment Construction

[0047] The specific implementations of the present invention are described in further detail below in conjunction with the accompanying drawings.

[0048] In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are some of the embodiments of the present invention, but not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative effort fall within the protection scope of the present invention.

[0049] The present invention provides an adaptive boundary anomaly detection method based on a multi-level strategy which, as shown in Figure 1, includes:

[0050](1) Based on the peak v...

Abstract

The invention relates to an adaptive boundary anomaly detection method based on multi-level strategies. The method comprises the following steps: taking the peak value and the valley value of the network flow in each time segment in the normal operation state as the acquisition basis, log information and network flow data of the equipment are acquired; according to the message type of the network flow data, a baseline of the network flow data in the normal index operation state is established, and whether the network flow data is abnormal is determined; the abnormal network flow data and the log information corresponding to it are stored by means of a hash algorithm; a normal network behavior database and an abnormal network behavior database are established, and the abnormal network flow data is matched against them; the network flow data that cannot be matched is analyzed by a BP neural network method, and its network behaviors are determined and stored in the corresponding behavior database. The method uses a step-by-step progressive discrimination mode to detect abnormal boundary behaviors, thereby reducing the false positive rate and the false negative rate of anomaly detection.
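An added illustration of the staged discrimination described in the abstract, not code from the patent. The per-hour valley/peak band, the SHA-256 key over message type, port and log event, the tuple layout and all sample data are assumptions made for the example; flows left in `unmatched` are the input to the BP neural network stage.

```python
import hashlib

# Constructed samples of normal operation: (hour, message_type, packets_per_second)
NORMAL = [(9, "tcp", 120), (9, "tcp", 180), (9, "udp", 40), (9, "udp", 65),
          (2, "tcp", 10), (2, "tcp", 25), (2, "udp", 3), (2, "udp", 8)]

def build_baseline(samples):
    """Stage 1: valley and peak of normal traffic per (time segment, message type)."""
    base = {}
    for hour, mtype, rate in samples:
        valley, peak = base.get((hour, mtype), (rate, rate))
        base[(hour, mtype)] = (min(valley, rate), max(peak, rate))
    return base

def is_abnormal(baseline, hour, mtype, rate):
    """Stage 2: abnormal if outside the valley..peak band, or if no band exists."""
    band = baseline.get((hour, mtype))
    return band is None or not (band[0] <= rate <= band[1])

def behavior_key(mtype, port, log_event):
    """Stage 3: hash of the (assumed) behavior fields, used as storage and lookup key."""
    return hashlib.sha256(f"{mtype}|{port}|{log_event}".encode()).hexdigest()

def triage(baseline, normal_db, abnormal_db, flows):
    """Stages 2-4: sort flows into normal, known abnormal and unmatched."""
    out = {"normal": [], "known_abnormal": [], "unmatched": []}
    store = {}  # hash -> (flow id, log event) for every flow that left the baseline
    for fid, hour, mtype, rate, port, log in flows:
        if not is_abnormal(baseline, hour, mtype, rate):
            out["normal"].append(fid)
            continue
        key = behavior_key(mtype, port, log)
        store[key] = (fid, log)
        if key in normal_db:            # deviation already known to be benign
            out["normal"].append(fid)
        elif key in abnormal_db:        # deviation with a known category
            out["known_abnormal"].append((fid, abnormal_db[key]))
        else:                           # left for the neural-network stage
            out["unmatched"].append(fid)
    return out, store

# Constructed behavior databases and flows: (id, hour, type, rate, port, log event)
NORMAL_DB = {behavior_key("tcp", 443, "backup_job_start")}
ABNORMAL_DB = {behavior_key("udp", 53, "resolver_error"): "category-A"}
FLOWS = [("f1", 9, "tcp", 150, 443, "session_open"), ("f2", 2, "tcp", 900, 443, "backup_job_start"),
         ("f3", 9, "udp", 5000, 53, "resolver_error"), ("f4", 2, "udp", 400, 161, "auth_fail")]
```

Calling `triage(build_baseline(NORMAL), NORMAL_DB, ABNORMAL_DB, FLOWS)` shows why the staging lowers false positives: `f2` leaves its night-time band but is recognised as a known benign behavior, so only `f4` reaches the classifier.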

Description

Technical field

[0001] The invention relates to the field of information network security, in particular to an adaptive boundary anomaly detection method based on multi-level strategies.

Background technique

[0002] With the rapid development of technologies such as computers, the Internet, information communication and control, the innovation of industrial chains such as mobile applications and smart terminals, and the continuous emergence of new technologies such as cloud computing, the Internet of Things and big data, network security threats and security issues are constantly increasing. Exploiting the vulnerability of basic network equipment in the network environment, through malicious attacks by hackers and the wanton proliferation of viruses and Trojan horses, network equipment has become a springboard for attacks that paralyze important information systems and steal data. All kinds of security incidents are common, the security situation is worrying, and informat...

Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06
CPC: H04L63/1425
Inventor: 管小娟, 张涛, 马媛媛, 何高峰, 张波, 陈璐, 黄秀丽, 华晔
Owner: GLOBAL ENERGY INTERCONNECTION RES INST CO LTD