Abnormal host group detection method based on dynamic graph

A detection method for abnormal host groups, applied in the fields of computer components, instruments, and character and pattern recognition. It addresses the problems of labor-intensive and time-consuming searches, the lack of analysis of network communication behavior, and the inapplicability of existing approaches to communication structure characteristics. The stated effects are a simple structure, an ingenious design and innovation.

Inactive Publication Date: 2017-12-29
叶晓鸣

AI Technical Summary

Problems solved by technology

When a network anomaly occurs, it takes a lot of manpower and time to find the hosts associated with the anomaly. When the abnormal hosts show group, cooperative and aggregation behaviors, traditional research on the network behavior characteristics of individual hosts is no longer applicable to analyzing the communication structure properties of such host groups.
Analyzing only the individual network behavior of a host cannot effectively capture host interaction relationships or detect anomalies in them.
Most existing research observes the behavior characteristics of individual hosts. It lacks analysis of network communication behavior from the perspective of the overall network environment, and of the group interaction relationships formed by the interactions between hosts in the network.


Embodiment

[0045] As shown in Figures 1 to 8, the abnormal host group detection method based on the dynamic graph includes the following steps:

[0046] (1) Data collection: capture traffic data in the network and generate multi-dimensional session flow data. Only the source IP address and destination IP address are needed, which gives strong scalability, convenient collection and a small amount of data, and effectively controls the system processing load.

[0047] (2) Graph formalization: aggregate the session flow data at a certain time interval, convert the network connection data into a Spark GraphX graph model, and form a dynamic graph of network connections by extracting the data of the corresponding time snapshots. The network connection relationships between IP addresses are thereby formalized as a graph model, so that the IP interaction behavior of the network communication is abstracted as the interaction between individual hosts, defined as a graph G=(V,E). A node represents the...


Abstract

The invention discloses an abnormal host group detection method based on a dynamic graph. The method comprises the steps of: collecting traffic, extracting the source IP address and destination IP address, and converting them into a graph model; identifying the set of host groups for each time snapshot data set; setting an identification host for each host group, analyzing the host group data of adjacent time snapshots, and finding the set of abnormal host group IP addresses according to the definition of abnormal events; and performing detection according to the rules of that definition. If a host group's change does not belong to the abnormal events, it is a sustained host group and is regarded as a normal host group; otherwise it is regarded as an abnormal host group. The method addresses the problem that host network behaviors are difficult to describe formally and costly to check for anomalies because of their grouping, cooperation and large-scale interaction. It can detect changes in the topological structure of network connections, such as changes in network management configuration and group attack behaviors, and it can accurately detect real attack cases and the abnormal host groups associated with those attacks.
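Added example, not the patent's own code: the pipeline the abstract describes, from flows to per-snapshot graphs, host groups, identification hosts and comparison of adjacent snapshots. The page does not give the grouping method or the abnormal-event definition, so connected components, the highest-degree identification host and the Jaccard persistence rule are assumptions, as are the constructed sample flows.

```python
from collections import defaultdict

# Constructed sample flows (src IP, dst IP); snapshot 1 adds a new star of hosts.
BASE = [("10.0.0.2", "10.0.0.1"), ("10.0.0.3", "10.0.0.1"), ("10.0.0.4", "10.0.0.1"),
        ("10.0.1.2", "10.0.1.1"), ("10.0.1.3", "10.0.1.1")]
NEW = [("10.0.2.1", "10.0.9.9"), ("10.0.2.2", "10.0.9.9"), ("10.0.2.3", "10.0.9.9")]
FLOWS = [(0, s, d) for s, d in BASE] + [(1, s, d) for s, d in BASE + NEW]

def snapshot_graphs(flows):
    """Keep only src/dst IPs and build one undirected adjacency map per snapshot."""
    graphs = defaultdict(lambda: defaultdict(set))
    for t, src, dst in flows:
        if src != dst:  # ignore self-connections
            graphs[t][src].add(dst)
            graphs[t][dst].add(src)
    return [graphs[t] for t in sorted(graphs)]

def host_groups(adj):
    """Assumption: group = connected component; identification host = highest degree."""
    groups, seen = {}, set()
    for start in sorted(adj):
        if start in seen:
            continue
        stack, members = [start], set()
        while stack:
            node = stack.pop()
            if node not in members:
                members.add(node)
                stack.extend(adj[node] - members)
        seen |= members
        ident = max(sorted(members), key=lambda ip: len(adj[ip]))
        groups[ident] = frozenset(members)
    return groups

def abnormal_ips(prev, cur, min_jaccard=0.5):
    """Assumed event rule: a group is sustained (normal) if the same identification
    host led a group in the previous snapshot with Jaccard overlap >= min_jaccard."""
    flagged = set()
    for ident, members in cur.items():
        old = prev.get(ident, frozenset())
        if len(members & old) / len(members | old) < min_jaccard:
            flagged |= members
    return flagged

def detect(flows):
    # One abnormal IP set per pair of adjacent snapshots.
    per_snapshot = [host_groups(g) for g in snapshot_graphs(flows)]
    return [abnormal_ips(a, b) for a, b in zip(per_snapshot, per_snapshot[1:])]
```

The two groups that persist unchanged between the snapshots are treated as sustained, while every member of the newly formed group around 10.0.9.9 is returned as abnormal.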

Description

Technical field

[0001] The present invention relates to the technical field of host network anomaly detection, in particular to a method for detecting abnormal host groups based on a dynamic graph, and more particularly to locating the IP addresses of, and detecting anomalies in, the grouped and coordinated network interaction behavior of large-scale hosts.

Background technique

[0002] Host security is an important field of network security research. At present, host behavior in the network is analyzed mainly from the perspective of individual hosts, studying the network behavior of each host at the social, functional and application layers. With the development of distributed computing technology, service-oriented network application architectures provide network users with services such as Web services, forming network communication behaviors that aggregate services. A new type of coordinated attack mode, typical of distributed attacks, ha...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/24, H04L12/26, G06K9/62
CPC: H04L41/0631, H04L41/064, H04L41/065, H04L41/12, H04L41/14, H04L43/045, H04L43/0888, G06F18/231
Inventors: 叶晓鸣, 杨力, 刘敦虎
Owner: 叶晓鸣