CN104734916A - Efficient multistage anomaly flow detection method based on TCP - Google Patents

Publication number: CN104734916A
Application number: CN201510104409.2A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN104734916B (en)
Inventors: 徐光侠, 吴群, 刘宴兵, 常光辉, 李娜, 梁绍飞, 胡杰, 李来军, 高诗意
Current Assignee: Chongqing University of Post and Telecommunications
Original Assignee: Chongqing University of Post and Telecommunications
Prior art keywords: flow, difference, sequence, value, detection

Abstract

The invention discloses an efficient multistage anomalous traffic detection method based on TCP, which adds a multistage anomaly detection mechanism to the traditional anomalous traffic detection process. The method detects anomalies in the data traffic sent by clients in the network. The difference-mean method is used to make the original traffic produced by the clients stationary by differencing; meanwhile, existing traffic in the network is analysed statistically, an adaptive threshold interval is set dynamically, and adaptive-threshold difference traffic detection is performed on the stationarized traffic. Further anomaly detection is then carried out on a packet that passes primary detection. This further detection mainly analyses the packet forwarded by the router, extracts the key field, and uses it to judge further whether the packet sent by the client is abnormal. The method improves detection precision and is simple to implement.

Description

An efficient multistage anomalous traffic detection method based on TCP
Technical field
The invention belongs to the technical field of communication anomaly detection and relates to fast, real-time detection of the various kinds of anomalies on the Internet; specifically, it relates to an efficient multistage anomalous traffic detection method based on TCP.
Background
Network traffic anomaly detection is an important part of network monitoring. A network traffic anomaly is a situation in which traffic behaviour in the network departs from normal behaviour. Many things can cause one: for example, a device in the network fails and communication becomes abnormal; network operation faults, sudden bursts of access (flash crowds), network intrusions and the like can all cause network anomalies. At the same time, as networks grow, network topologies become more complex to plan, network equipment becomes more diverse and the number of network users keeps increasing, network anomaly detection is an important safeguard for communication security. While users seek convenient network communication and place trust in the network, new types of network threat keep increasing. Finding and eliminating these threats is the vital task of network anomaly detection and an important part of guaranteeing normal network communication.
The attacks and threats a network faces come mainly from inside the network: large numbers of network viruses, active attacks by hosts inside the network and sudden surges of anomalous traffic all overload network equipment, causing network congestion and possibly, further, network paralysis. A SYN flood DDoS attack is one in which a malicious user exploits the weakness of TCP's three-way handshake and forges the IP addresses of normal users, bringing immeasurable loss to the network. Therefore, when anomalies exist in the network, the first measure is to find them and raise an anomaly alarm. Moreover, a network anomaly may not only target one point of attack but also spread to its surroundings as widely as possible; its final aim is to affect the largest possible extent of the network and produce many types of anomaly. This calls for a detection method that finds anomalies quickly and in real time and blocks them, so that the network can communicate normally.
Network traffic anomalies are characterised by sudden changes in traffic and unknown warning signs, and can do great harm to the network or to computers on it within a short time. Detecting abnormal traffic behaviour quickly and in real time, determining its cause and responding appropriately is therefore one of the prerequisites for keeping the network running effectively, and reducing the losses caused by malicious attacks is another important aspect of network security.
Anomaly detection methods proposed so far, such as the non-linear anomalous traffic detection method (NLPP), methods based on wavelet analysis and methods based on the ARMA model, can detect anomalies in real time, but their computational complexity is high, their results are not accurate enough and often show a high false alarm rate, and they can only be used when the traffic data exhibits long-range dependence. Most traffic data, when collected, shows no obvious correlation and its fluctuation trend is often non-stationary, which greatly limits the applicability of these methods. The method proposed in the present invention preprocesses the traffic data before detection and so overcomes this limitation. In addition, it adds a multistage detection mechanism on top of traditional detection, which effectively reduces the false alarm rate.
Summary of the invention
In view of the deficiencies of the prior art, the object of the invention is to provide a method that reduces the false alarm rate while ensuring accuracy and that is simple and easy to implement. The technical solution is as follows: an efficient multistage anomalous traffic detection method based on TCP, comprising the following steps:
101. Collect network traffic data over a time period T. For the original traffic sequence R in the network traffic data, the measured value at time t is denoted $x_t$, $x_t \in R$, $t = 1, 2, \dots, T$. Remove invalid traffic data values $x_t$ according to the criterion $|x_t| > k\,\mathrm{var\_R}$, where k is the Grubbs test coefficient and var_R is the variance of the sequence R; the remaining traffic data forms the traffic observation sequence X;
102. Apply difference stationarization preprocessing to the traffic observation sequence X. The resulting difference traffic sequence is D, with difference values $d_t = x_t - x_{t-1}$, $t > 1$, $d_t \in D$, $t = 1, 2, \dots, N$. Once obtained, the difference traffic sequence D is passed to step 103;
103. Calculate the mean and variance of sequence X and of sequence D, and from them estimate the interval $[l_t, h_t]$ in which the difference traffic value at time t lies, where $p_t$ is the threshold prediction at time t, $l_t$ and $h_t$ are the minimum and maximum difference traffic allowed at time t, and $\mathrm{var\_d}_t$ is the variance of the difference traffic at time t. Once the input of the difference traffic sequence D from step 102 is detected, the firewall enables its primary detection defence and checks the data sent against the threshold prediction $p_t$ at time t: when the difference traffic value at time t lies within the interval $[l_t, h_t]$, it is judged to be normal traffic and forwarded to the server; when it lies outside the interval $[l_t, h_t]$, it is judged to be abnormal traffic and processing jumps to step 104;
104. The firewall's multistage detection system decomposes the forwarded packet, extracts the key fields key_field in the packet and examines them. If no abnormal field is found, the packet is forwarded to the server; if an abnormal field is detected, the packet is discarded;
105. After the further detection in step 104, normal packets are forwarded to the server, and the server and client establish the first handshake;
106. After the first handshake is established, the server sends a reply $M_{response}$ to the client and waits for the client's acknowledgement ACK. When the client receives the server's reply $M_{response}$, the two ends have established the second handshake; after the server has received the acknowledgement ACK, server and client have established the third handshake and can communicate with each other.
Further, the difference stationarization preprocessing in step 102 consists of the following steps:
S21: For the network communication data sequence $\{x_1, x_2, \dots, x_T\}$ collected over the time period T, analyse and remove outliers and retain normal values. Here, $|x_t| > k\,\mathrm{var\_R}$ means that $x_t$ is an outlier, where k is the Grubbs test coefficient and var_R is the variance of the sequence R. The remaining observations form the observation sequence X;
S22: For the original sequence R, calculate its mean $\bar{r}$ and its variance var_R;
S23: Apply difference preprocessing to the observation sequence X, giving $d_t \in D$, $t = 1, 2, \dots, T$, where $d_t = x_t - x_{t-1}$, $t > 1$;
S24: For the difference sequence D, calculate its mean $\bar{d}$ and its variance var_D.
Further, the mean of the original sequence R is $\bar{r}$ and var_R denotes its variance, $\mathrm{var\_R} = \frac{1}{T}\sum_{t=1}^{T}(x_t - \bar{r})^2$.
The advantages and beneficial effects of the invention are as follows:
The invention uses an efficient multistage anomalous traffic detection method based on TCP to detect and judge traffic data repeatedly. Existing anomaly detection techniques have a high false alarm rate during detection, which greatly affects detection accuracy. To ensure both the accuracy of detection and the security of network communication, a multistage anomaly detection method is proposed here. First, offline and based on statistics, the adaptive threshold method estimates the interval in which the traffic at the next moment will lie; then online detection and judgement are performed against this estimated traffic interval; when the result is abnormal, multistage detection follows, in which the key information in the packet is extracted and judged. This multistage detection mechanism effectively reduces the false alarm rate of anomaly detection. The method uses the difference mean and variance to obtain difference traffic whose trend is stationary. Its computational complexity is low, and computing offline while detecting online makes detection fast enough to meet real-time requirements. The added multistage detection mechanism both reduces the false alarm rate and safeguards network communication security.
Brief description of the drawings
Fig. 1 is a flow chart of the multistage anomaly detection of the invention;
Fig. 2 is a schematic diagram of the traffic data screening of the invention;
Fig. 3 is a schematic diagram of the sequence stationarization of the invention;
Fig. 4 is a schematic diagram of the adaptive threshold calculation of the invention;
Fig. 5 is a schematic diagram of the multistage anomaly detection of the invention.
Embodiment
The technical solution in the embodiment of the invention is described clearly and completely below with reference to the accompanying drawings. The described embodiment is obviously only one embodiment of the invention, not all embodiments.
Fig. 1 is a flow chart of the multistage anomaly detection of the invention. The invention is based on the TCP three-way handshake used in Internet communication. During communication, the client makes a request to access the server and establish a connection. When access is normal, the flow consists of the following steps:
S1: The client initiates a request, and the request packet it sends is forwarded through the router to the firewall. After receiving the request packet, the firewall gathers traffic statistics and performs primary detection, i.e. difference traffic detection. If the traffic is found to lie within the predicted difference traffic interval $[l_t, h_t]$, the firewall judges the packet to be normal and forwards it to the server; otherwise the packet is judged to be abnormal, and the firewall starts further detection. In this further anomaly detection the packet is analysed, the key field key_field is extracted, and key_field is examined further. If the result is still abnormal, the packet is discarded; if it is normal, the packet is marked as a misjudgement and forwarded to the server. The client and server then establish the first handshake;
S2: While establishing the first connection with the client, the server sends a reply $M_{response}$ to the client, waits for the client's acknowledgement ACK and starts a wait timer $T_{wait}$. When the client receives the reply $M_{response}$, the second handshake is established;
S3: If the server's waiting time exceeds the maximum waiting time, the server discards the packet; otherwise, after the server receives the acknowledgement ACK sent by the client, the third handshake is established. Both sides can now communicate.
Fig. 2 is a schematic diagram of the traffic data screening of the invention. Traffic data is collected over a period T with a sampling interval of 1 s. The collected original traffic sequence is denoted R and the measured value at time t is denoted $x_t$, where $x_t \in R$, $t = 1, 2, \dots, T$. Let $\bar{r}$ denote the mean of the original sequence $\{x_1, x_2, \dots, x_T\}$ and var_R its variance, $\mathrm{var\_R} = \frac{1}{T}\sum_{t=1}^{T}(x_t - \bar{r})^2$.
For traffic data screening, each value in sequence R is judged in turn to build the observation sequence: when the value $x_t$ at time t satisfies $|x_t| > k\,\mathrm{var\_R}$, $x_t$ is rejected, where k is the Grubbs test coefficient; otherwise the observation sequence becomes $X = X \cup x_t$, where $x_t \in X$, $t = 1, 2, \dots, N$.
Fig. 3 is a schematic diagram of the sequence stationarization of the invention. So that the difference sequence of the original sequence better reflects the trend of data fluctuation, the difference sequence of the original sequence is defined as D: the observation sequence $\{x_1, x_2, \dots, x_N\}$ is preprocessed, with $d_t$ denoting the difference value at time t, $d_t = x_t - x_{t-1}$, $t > 1$, $d_t \in D$, $t = 1, 2, \dots, N$. Let $\bar{d}$ denote the mean of the difference sequence D, which also gives the difference mean at time t, and let var_D denote the variance of D, $\mathrm{var\_D} = \frac{1}{N-1}\sum_{t=2}^{N}(d_t - \bar{d})^2$. As $N \to \infty$, $\lim_{N \to \infty} \bar{d} = \lim_{N \to \infty} \frac{1}{N-1}(x_N - x_1) = 0$, from which it follows that the difference traffic tends to be stationary.
Fig. 4 is a schematic diagram of the adaptive threshold calculation of the invention. Real-time online anomaly detection first requires the adaptive threshold to be calculated. In determining the adaptive threshold, $l_t$ and $h_t$ denote the minimum and maximum difference traffic allowed at time t. The invention calculates the adaptive threshold through an update mechanism, mainly as follows:
The threshold prediction $p_t$ at time t is obtained by superposing the difference traffic of the previous moment, where α is a weighting constant determined mainly by the number of packet-sending hosts in the model; it controls the proportion that new data takes in the model and how quickly the model adapts to local behaviour, and thereby establishes the update mechanism of the normal model. If the current measured value fits the normal model exactly, the measured value is considered normal. In practice, however, real conditions rarely match the theoretical model, so a confidence interval is set using the standard deviation of the measured values. The tolerance level obtained depends on how many standard deviations are added; 2 to 3 standard deviations are generally used. Because the data has been difference-preprocessed, 2 standard deviations are used here to obtain the threshold range, where n denotes the number of clients. The adaptive threshold interval obtained is thus $[l_t, h_t]$.
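The first-stage check described above (difference sequence D, its mean and variance, and a band $[l_t, h_t]$ around a prediction $p_t$), as an added example that is not part of the patent text. The formulas for $p_t$ and for the band are not reproduced on this page, so the code assumes an exponentially weighted update with weight α and a band of two standard deviations of D; the class name, parameters and sample counts are constructed for illustration.

```python
"""Added example: first-stage difference-traffic check (steps 102-103)."""
import math
from dataclasses import dataclass
from statistics import mean, pvariance

# Constructed sample data: per-second request counts seen at the firewall,
# already screened for outliers (observation sequence X).
BASELINE = [100, 104, 98, 101, 97, 103, 99, 102,
            100, 96, 101, 105, 99, 100, 102, 98]
# Constructed live samples: a surge that plateaus for a second, then ends.
LIVE = [101, 99, 103, 640, 642, 102]


def difference(x):
    """Step 102: d_t = x_t - x_{t-1} for t > 1."""
    return [b - a for a, b in zip(x, x[1:])]


@dataclass
class Verdict:
    d_t: float
    low: float
    high: float
    normal: bool  # False: hand the packet to the second (key_field) stage


class DifferenceBandDetector:
    """Offline statistics on D, online check of each new difference value.

    Assumptions (not from the page): p_t is an exponentially weighted
    average of past normal differences, and [l_t, h_t] = p_t +/- width*sigma.
    """

    def __init__(self, observed, alpha=0.3, width=2.0):
        if len(observed) < 3:
            raise ValueError("need at least 3 samples to estimate var_D")
        if not 0.0 < alpha <= 1.0:
            raise ValueError("alpha must be in (0, 1]")
        d = difference(observed)
        self.d_bar = mean(d)          # telescopes to (x_N - x_1) / (N - 1)
        # The page divides by N-1, which is the number of differences,
        # so this is the population variance of D.
        self.var_d = pvariance(d)
        self.sigma = math.sqrt(self.var_d)
        self.alpha = alpha
        self.width = width
        self.p = self.d_bar           # initial prediction (assumption)
        self.prev = observed[-1]

    def interval(self):
        """Current band [l_t, h_t] around the prediction p_t."""
        half = self.width * self.sigma
        return self.p - half, self.p + half

    def observe(self, x_t):
        """Check one new sample; update the model only on normal values."""
        d_t = x_t - self.prev
        self.prev = x_t
        low, high = self.interval()
        normal = low <= d_t <= high
        if normal:
            # alpha controls how much weight new data gets in the model.
            self.p = self.alpha * d_t + (1.0 - self.alpha) * self.p
        return Verdict(d_t, low, high, normal)


def run_demo():
    """Return the per-sample first-stage verdicts for LIVE."""
    det = DifferenceBandDetector(BASELINE)
    return [det.observe(x) for x in LIVE]


if __name__ == "__main__":
    for x, v in zip(LIVE, run_demo()):
        state = "normal" if v.normal else "ABNORMAL -> second stage"
        print(f"x={x:4d} d={v.d_t:7.1f} band=[{v.low:6.2f}, {v.high:6.2f}] {state}")
```

The plateau sample at 642 is judged normal because its difference from the previous second is small: a difference-based first stage flags the onset and the end of a surge, not its sustained level.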
Fig. 5 is a schematic diagram of the multistage anomaly detection of the invention. The request packet sent by the client is forwarded through the router to the firewall; after receiving the packet, the firewall calculates the adaptive threshold interval from the existing observation sequence. The first adaptive threshold detection is carried out first. This detection mainly uses network traffic statistics to check the traffic data of the next moment. If it judges the packet to be normal, the packet is forwarded directly to the server; if it judges the packet to be abnormal, multistage detection further confirms whether the packet is an abnormal packet.
In the further anomaly detection, the packet is analysed and the key field key_field is extracted and examined further. If it is normal, the packet is marked as a misjudgement and forwarded to the server; if the result is still abnormal, the packet is discarded. The next packet in the queue Q is processed at the same time.
The above embodiments should be understood as only illustrating the invention and not limiting its scope of protection. After reading the content recorded here, a skilled person can make various changes or modifications to the invention, and such equivalent changes and modifications likewise fall within the scope of the claims of the invention.

Claims (3)

1. An efficient multistage anomalous traffic detection method based on TCP, characterised in that it comprises the following steps:
101. Collect network traffic data over a time period T. For the original traffic sequence R in the network traffic data, the measured value at time t is denoted $x_t$, $x_t \in R$, $t = 1, 2, \dots, T$. Remove invalid traffic data values $x_t$ according to the criterion $|x_t| > k\,\mathrm{var\_R}$, where k is the Grubbs test coefficient and var_R is the variance of the sequence R; the remaining traffic data forms the traffic observation sequence X;
102. Apply difference stationarization preprocessing to the traffic observation sequence X. The resulting difference traffic sequence is D, with difference values $d_t = x_t - x_{t-1}$, $t > 1$, $d_t \in D$, $t = 1, 2, \dots, N$. Once obtained, the difference traffic sequence D is passed to step 103;
103. Calculate the mean and variance of sequence X and of sequence D, and from them estimate the interval $[l_t, h_t]$ in which the difference traffic value at time t lies, where $p_t$ is the threshold prediction at time t, $l_t$ and $h_t$ are the minimum and maximum difference traffic allowed at time t, and $\mathrm{var\_d}_t$ is the variance of the difference traffic at time t. Once the input of the difference traffic sequence D from step 102 is detected, the firewall enables its primary detection defence and checks the data sent against the threshold prediction $p_t$ at time t: when the difference traffic value at time t lies within the interval $[l_t, h_t]$, it is judged to be normal traffic and forwarded to the server; when it lies outside the interval $[l_t, h_t]$, it is judged to be abnormal traffic and processing jumps to step 104;
104. The firewall's multistage detection system decomposes the forwarded packet, extracts the key fields key_field in the packet and examines them. If no abnormal field is found, the packet is forwarded to the server; if an abnormal field is detected, the packet is discarded;
105. After the further detection in step 104, normal packets are forwarded to the server, and the server and client establish the first handshake;
106. After the first handshake is established, the server sends a reply $M_{response}$ to the client and waits for the client's acknowledgement ACK. When the client receives the server's reply $M_{response}$, the two ends have established the second handshake; after the server has received the acknowledgement ACK, server and client have established the third handshake and can communicate with each other.
2. The efficient multistage anomalous traffic detection method based on TCP according to claim 1, characterised in that the difference stationarization preprocessing in step 102 consists of the following steps:
S21: For the network communication data sequence $\{x_1, x_2, \dots, x_T\}$ collected over the time period T, analyse and remove outliers and retain normal values. Here, $|x_t| > k\,\mathrm{var\_R}$ means that $x_t$ is an outlier, where k is the Grubbs test coefficient and var_R is the variance of the sequence R. The remaining observations form the observation sequence X;
S22: For the original sequence R, calculate its mean $\bar{r}$ and its variance var_R;
S23: Apply difference preprocessing to the observation sequence X, giving $d_t \in D$, $t = 1, 2, \dots, T$, where $d_t = x_t - x_{t-1}$, $t > 1$;
S24: For the difference sequence D, calculate its mean $\bar{d}$ and its variance var_D.
3. The efficient multistage anomalous traffic detection method based on TCP according to claim 2, characterised in that the mean of the original sequence R is $\bar{r}$ and var_R denotes its variance, $\mathrm{var\_R} = \frac{1}{T}\sum_{t=1}^{T}(x_t - \bar{r})^2$.
Priority Applications (1)
Application number: CN201510104409.2A; priority date: 2015-03-10; filing date: 2015-03-10; title: An efficient multistage anomalous traffic detection method based on TCP; status: Active; granted as CN104734916B (en)

Publications (2)
CN104734916A (en), publication date 2015-06-24
CN104734916B (en), publication date 2018-04-27

Family ID: 53458370
Country: CN
