
Anomaly detection and attack initiator analysis system based on network flow message

A network traffic anomaly detection technology, applied in the field of network traffic anomaly detection and analysis, which addresses the high cost of attack protection, the inability to obtain enough information about attackers, and the lack of traceability of network attacks, to achieve the effect of reducing capacity

Active Publication Date: 2021-02-26
ZHEJIANG UNIV +1

AI Technical Summary

Problems solved by technology

Because the network flow rate is extremely high, both storing the data and analysing it in real time cause unacceptable space/time consumption, so the cost of attack protection is higher than enterprises will accept.
[0003] At the same time, because of the special nature of online assets, they often attract attacks from competitors or hackers. However, because of the open nature of the Internet, every message in a legal format can be forwarded and circulated, so conventional protection work cannot identify the initiators and real sources of attacks, let alone trace them.
This makes it impossible for enterprises to obtain enough information to identify attack suspects and thereby further improve their defences or obtain evidence of the attacks.


Examples


Embodiment 1

[0039] For the most common and widespread DDoS attack, there are two common manifestations:

[0040] 1. DDoS attacks usually show a very high attack rate and a long attack duration, which paralyses servers with weak processing capability so that they can no longer serve legitimate requests.

[0041] 2. The attack packets of a DDoS attack are usually malformed and repetitive. Even when IP spoofing is used to bypass interception, the packet content remains chaotic and disorderly.

[0042] If the attack comes from a single initiator who has hijacked many zombie machines to launch it, conventional attack detection can only observe that the attack flow rate is abnormal and block some abnormal IPs, while the attacker can use camouflage to change its own IP addresses or even its signatures to bypass the blacklist, ensuring that the DDoS attack can last for a long time.
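The two manifestations above can be turned into a per-source check that looks at both the volumetric side (rate and duration) and the content side (repetition and malformedness). The following is an added example, not code from the patent or its authors: it profiles constructed flow records per source address and flags only sources that match both manifestations, so that a legitimate client re-fetching the same cached image is not flagged on repetition alone. The thresholds, the minimal request-line well-formedness check and the sample addresses are assumptions for the demo.

```python
"""Per-source scoring of the two DDoS manifestations described in Embodiment 1:
(1) a very high packet rate sustained over a long duration and (2) malformed,
repetitive packet content. All flow records below are constructed sample data."""
from collections import defaultdict

# Constructed sample: (source IP, timestamp in seconds, payload as captured text).
# 203.0.113.7 floods one malformed request; 198.51.100.5 browses normally;
# 192.0.2.9 repeats a few image fetches slowly (repetitive but not volumetric).
SAMPLE_FLOW = (
    [("203.0.113.7", 1000.0 + i * 0.01, "GET /\x00\x00\x00\x00 HTTP/1.1") for i in range(1500)]
    + [("198.51.100.5", 1000.0 + i * 2.0, f"GET /page/{i} HTTP/1.1") for i in range(8)]
    + [("192.0.2.9", 1000.0 + i * 0.5, f"GET /img/{i % 3}.png HTTP/1.1") for i in range(20)]
)

# Thresholds are assumptions for the demo, not values from the patent.
RATE_PPS = 50.0        # packets per second that count as "very high"
MIN_DURATION_S = 5.0   # seconds the flood must persist to count as "long"
REPEAT_RATIO = 0.8     # share of duplicate or malformed payloads that counts as "repetitive"


def is_well_formed(payload):
    """Minimal request-line check: three tokens, a known method, a printable path, an HTTP version."""
    parts = payload.split(" ")
    return (len(parts) == 3 and parts[0] in {"GET", "POST", "HEAD"}
            and parts[1].startswith("/") and parts[1].isprintable()
            and parts[2].startswith("HTTP/"))


def profile_sources(flow):
    """Aggregate per-source statistics over (src, ts, payload) records."""
    buckets = defaultdict(list)
    for src, ts, payload in flow:
        buckets[src].append((ts, payload))
    profiles = {}
    for src, pkts in buckets.items():
        times = [t for t, _ in pkts]
        payloads = [p for _, p in pkts]
        duration = max(times) - min(times)
        count = len(pkts)
        profiles[src] = {
            "count": count,
            "duration_s": duration,
            "rate_pps": count / duration if duration > 0 else float(count),
            # 1.0 means every packet after the first repeats an earlier payload
            "repeat_ratio": 1.0 - len(set(payloads)) / count,
            "malformed_ratio": sum(not is_well_formed(p) for p in payloads) / count,
        }
    return profiles


def flag_ddos_sources(flow):
    """Return the sources matching BOTH manifestations: sustained high rate and repetitive/malformed content."""
    flagged = {}
    for src, p in profile_sources(flow).items():
        volumetric = p["rate_pps"] >= RATE_PPS and p["duration_s"] >= MIN_DURATION_S
        repetitive = p["repeat_ratio"] >= REPEAT_RATIO or p["malformed_ratio"] >= REPEAT_RATIO
        if volumetric and repetitive:
            flagged[src] = p
    return flagged


if __name__ == "__main__":
    for src, p in flag_ddos_sources(SAMPLE_FLOW).items():
        print(src, {k: round(v, 3) for k, v in p.items()})
```

Requiring both conditions is the point of the example: 192.0.2.9 has a repeat ratio above the threshold but a rate of about two packets per second, so it is profiled but not flagged.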

[0043] In order to find out the attack suspects of the above-mentioned attacks, through the database...


Abstract

The invention discloses an anomaly detection and attack initiator analysis system based on network flow messages. It comprises: a data attribute extraction module, which intercepts the original message data of the network flow from a firewall gateway, extracts the network flow rate from the intercepted data, analyses the message information to generate basic attribute characteristics, and stores these attribute characteristics in a database; an attacker group feature generation module, which in turn standardises the original data, calculates complex attributes of the data, assigns weights to the attributes, applies cross validation of a clustering algorithm, introduces an unsupervised machine learning clustering index, and adopts the clustering model with the highest clustering index score to obtain attacker group characteristic clusters; and an attack detection module, which performs matching analysis against the attack group characteristics and incremental correction of the attacker group features for every network attack message that triggers the custom rules. The system can mine the characteristics of an initiator within a single attack and locate the suspected initiator of the attack.
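As an added illustration of the pipeline the abstract describes, and not the patent's own implementation, the following pure-Python sketch standardises raw per-message attributes, applies attribute weights, runs k-means for several values of k, selects the k with the highest silhouette index (the unsupervised clustering index used here as an assumption), and then matches a new rule-triggering message to its nearest attacker group while incrementally correcting that group's centroid with a running mean. The four attributes, the weights and all sample values are constructed assumptions.

```python
"""Attacker-group feature clusters as sketched in the abstract: standardise raw
message attributes, weight them, cluster with k-means for several k, pick the k
with the best silhouette index, then match new messages to a group and fold them
into its centroid. Pure Python; all sample data below is constructed."""
import math

FEATURES = ("rate", "payload_len", "ttl", "dst_ports")
# Attribute weights are an assumption for the demo, not values from the patent.
WEIGHTS = {"rate": 1.0, "payload_len": 1.0, "ttl": 0.5, "dst_ports": 1.0}

# Constructed per-message attributes for three attacker behaviours: a high-rate
# short-packet flood, a slow wide port scan, and an application-layer flood.
RAW_MESSAGES = [
    {"rate": 950, "payload_len": 60, "ttl": 64, "dst_ports": 1},
    {"rate": 1000, "payload_len": 62, "ttl": 64, "dst_ports": 1},
    {"rate": 980, "payload_len": 58, "ttl": 63, "dst_ports": 1},
    {"rate": 1020, "payload_len": 60, "ttl": 64, "dst_ports": 2},
    {"rate": 940, "payload_len": 61, "ttl": 64, "dst_ports": 1},
    {"rate": 5, "payload_len": 40, "ttl": 128, "dst_ports": 55},
    {"rate": 8, "payload_len": 40, "ttl": 128, "dst_ports": 60},
    {"rate": 6, "payload_len": 44, "ttl": 127, "dst_ports": 52},
    {"rate": 7, "payload_len": 40, "ttl": 128, "dst_ports": 58},
    {"rate": 5, "payload_len": 42, "ttl": 128, "dst_ports": 50},
    {"rate": 220, "payload_len": 950, "ttl": 50, "dst_ports": 1},
    {"rate": 240, "payload_len": 1000, "ttl": 51, "dst_ports": 1},
    {"rate": 210, "payload_len": 980, "ttl": 50, "dst_ports": 1},
    {"rate": 250, "payload_len": 940, "ttl": 50, "dst_ports": 1},
    {"rate": 230, "payload_len": 990, "ttl": 49, "dst_ports": 2},
]


def fit_scaler(rows):
    """Per-feature mean and population std for z-score standardisation."""
    n = len(rows)
    means = {f: sum(r[f] for r in rows) / n for f in FEATURES}
    stds = {f: math.sqrt(sum((r[f] - means[f]) ** 2 for r in rows) / n) or 1.0 for f in FEATURES}
    return means, stds


def to_vector(row, scaler):
    """Standardise, then apply the attribute weights; returns a tuple of floats."""
    means, stds = scaler
    return tuple(WEIGHTS[f] * (row[f] - means[f]) / stds[f] for f in FEATURES)


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, max_iter=100):
    """Deterministic k-means: farthest-point seeding from points[0], then Lloyd iterations."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = [-1] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lbl in zip(points, labels) if lbl == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = tuple(sum(c) / len(members) for c in zip(*members))
    return labels, centroids


def silhouette(points, labels):
    """Mean silhouette coefficient over all points; a point alone in its cluster scores 0."""
    scores = []
    for i, p in enumerate(points):
        own = [q for q, lbl in zip(points, labels) if lbl == labels[i]]
        if len(own) == 1:
            scores.append(0.0)
            continue
        a = sum(dist(p, q) for q in own) / (len(own) - 1)  # own cluster, excluding p itself
        b = math.inf                                      # nearest foreign cluster
        for lbl in set(labels):
            if lbl == labels[i]:
                continue
            others = [q for q, l2 in zip(points, labels) if l2 == lbl]
            b = min(b, sum(dist(p, q) for q in others) / len(others))
        scores.append((b - a) / max(a, b))
    return sum(scores) / len(scores)


def build_groups(rows, k_range=(2, 3, 4)):
    """Cross-validate k by silhouette index and return the winning model as a dict."""
    scaler = fit_scaler(rows)
    points = [to_vector(r, scaler) for r in rows]
    best = None
    for k in k_range:
        labels, centroids = kmeans(points, k)
        score = silhouette(points, labels)
        if best is None or score > best["score"]:
            best = {"k": k, "score": score, "labels": labels, "centroids": centroids,
                    "counts": [labels.count(j) for j in range(k)], "scaler": scaler}
    return best


def match_and_update(model, row):
    """Attack detection step: assign a rule-triggering message to the nearest attacker
    group and incrementally correct that group's centroid with a running mean."""
    v = to_vector(row, model["scaler"])
    g = min(range(model["k"]), key=lambda j: dist(v, model["centroids"][j]))
    n = model["counts"][g]
    model["centroids"][g] = tuple((c * n + x) / (n + 1) for c, x in zip(model["centroids"][g], v))
    model["counts"][g] = n + 1
    return g
```

With the constructed data the silhouette index peaks at k = 3, so the model recovers the three behaviours without being told how many groups exist; the running-mean update is the simplest form of the "incremental correction" the abstract mentions, and a deployment would also want to re-fit the scaler periodically because the feature means drift as traffic changes.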

Description

Technical field

[0001] The invention belongs to the field of anomaly detection and analysis of network traffic, and in particular relates to an anomaly detection and attack initiator analysis system based on network traffic messages.

Background technique

[0002] With the popularity of mobile devices and the massive growth of IoT devices, the rate of network traffic is increasing exponentially, accompanied by a flood of network attacks. In today's network environment the abnormal traffic of network attacks is mixed with massive regular traffic, which severely tests the protection of enterprise network assets. The enterprise firewall is the key facility protecting corporate network property: all messages transmitted from the external network to internal servers are first sent to the firewall gateway and then forwarded through it to the different internal business servers, so the firewall gateway will often receive Unco...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06; G06K9/62; G06N20/00
CPC: H04L63/1416; H04L63/1425; H04L63/1458; H04L63/306; G06N20/00; H04L2463/144; G06F18/23213
Inventors: 陈卓, 吴磊, 周亚金, 任奎, 赵俊, 单夏烨, 任新新, 段吉瑞
Owner: ZHEJIANG UNIV