Network flow anomaly detection method

Abstract

The invention discloses a network traffic anomaly detection method. Quantitative expression of a network space safety situation comprises the following steps: (1) traffic feature collection and situation feature index extraction; (2) self-adaptive learning and anomaly analysis for situation features are carried out; and (3) detecting and alarming the abnormal situation of the network. The method is realized through a network boundary flow collection and feature depiction index system. According to the method, a plurality of dimension characteristic indexes are continuously mined from network traffic in real time, and network space and traffic characteristics thereof are described in real time; on one hand, real-time or quasi-real-time monitoring, early warning and emergency response requirements of a network situation can be ensured, on the other hand, fine-grained description of network traffic characteristics can be realized through a small log scale, and a high-quality basic information source is provided for subsequent traffic anomaly analysis and detection and safety early warning; compared with a traditional method, the method has obvious advantages in the aspects of real-time performance, description accuracy, data scale and data quality.

Description

technical field [0001] The invention relates to a network traffic abnormality detection method, which belongs to the field of network monitoring. Background technique [0002] Faced with the continuous growth of the current network scale, the increasingly complex network structure, and the diversity and heterogeneity of access network devices, network security issues are becoming more and more important. Anomaly detection in network security event flow is a proactive detection technology, which can not only detect external intrusion behavior, but also detect unauthorized behavior of internal users, which has become a very important part of network security technology. . Existing methods for network anomaly detection include the following: [0003] 1. Support vector machine (SVM) technology: [0004] The support vector machine method is a machine learning method based on the statistical learning theory VC dimension and the principle of structural risk minimum, and seeks th...

AI Technical Summary

Problems solved by technology

[0013] (1) The SVM algorithm is difficult to implement for large-scale training samples: because SVM uses quadratic programming to solve support vectors, and solving quadratic programming will involve the calculation of m-order matrices (m is the number of samples), when the number of m is very large The storage and calculation of the matrix will consume a lot of machine memory and computing time when it is large

[0014] (2) Traditional traffic modeling based on SVM only considers the modeling of a small number of dimensional features, and cannot adapt to the complex network traffic environment composed of multiple protocols, multiple applications, and multiple types of terminals

[0023] (2) It is difficult to determine the threshold to balance the false positive rate and false positive rate

[0024] (3) This type of method needs to obtain the statistical distribution of traffic data, but at present, the traffic data generated by many abnormal behaviors is difficult to simulate with pure statistical methods

[0025] (4) Most statistical anomaly detection techniques regard normal network behavior as a quasi-static process, and this assumption is not feasible in many network anomaly detection

Images