Flow-based abnormal communication behavior detection method and system

Abstract

The invention provides a flow-based abnormal communication behavior detection method and system, and belongs to the field of passive discovery of network security abnormal events. The detection systemcomprises: a configuration management module used for configuring a white list IP, a key target IP and a general target IP, a data acquisition module and a storage module used for acquiring and storing network flow data information, a key target abnormity detection module and a general target abnormity detection module used for detecting key targets and general targets respectively, and an abnormity evaluation module. According to the detection method provided by the invention, different methods are adopted to construct flow models for important network nodes and common network nodes, networkanomaly detection is carried out respectively, network events of important targets and common targets are associated, and network intrusion behaviors and abnormal communication behaviors with certainhazards are mined. The method has good discovery capability for various types of traffic abnormal behaviors, and is low in computation complexity for flow data, and is high in abnormity discovery real-time performance.

Description

technical field [0001] The invention relates to the field of passive discovery of abnormal network security events, and is a method and system for abnormal detection of full-volume communication behaviors based on full-volume flow data and targeting an internal network to communicate with an external IP address system. Background technique [0002] With the rapid development of computer and network technology, the scale of Internet users is increasing day by day. According to a report released by China Internet Network Information Center (CNNIC), as of December 2015, the number of Internet users in my country has reached 688 million, and the Internet penetration rate is 50.3%. At the same time, 89.0% of enterprises across the country use the Internet for office work. The Internet has become an indispensable and important infrastructure in people's production and life. [0003] At the same time, network security issues have become increasingly prominent, and frequent network ...

AI Technical Summary

Problems solved by technology

[0011] Aiming at the problem of insufficient real-time performance and poor generality of detection in the current internal network anomaly detection, the present invention proposes a flow-based abnormal communication behavior detection method and system, relying on flow (flow) data, for important network Nodes and ordinary network nodes use different methods to construct traffic models, respectively conduct network anomaly detection, and then correlate network events of important targets and common targets, and dig out certain harmful network intrusion behaviors and abnormal communication behaviors

Images