CN104734916A - Efficient multistage anomaly flow detection method based on TCP
- Publication number: CN104734916A
- Authority: CN (China)
- Prior art keywords: flow, difference, sequence, value, detection
- Legal status: Granted
Abstract
The invention discloses an efficient multistage anomalous traffic detection method based on TCP, which adds a multistage anomaly detection mechanism to the traditional anomalous traffic detection process. The method performs anomaly detection on the data flow sent by clients in the network. A difference-mean method is used to stabilize the original traffic produced by the clients by differencing; at the same time, the existing traffic in the network is analyzed statistically and an adaptive threshold interval is set dynamically. Adaptive-threshold difference flow detection is carried out on the stabilized traffic, and further anomaly detection is carried out on data packets that pass the primary detection. The further anomaly detection mainly analyzes the data packets forwarded by the router: key fields are extracted, and judging those key fields determines whether a data packet sent by a client is abnormal. The method improves detection precision and is simple to implement.
Description
Technical field
The invention belongs to the technical field of communication anomaly detection and relates to fast, real-time detection of the various kinds of anomalies on the Internet; specifically, it relates to an efficient multistage anomalous traffic detection method based on the TCP protocol.
Background art
Network traffic anomaly detection is an important part of network monitoring. A network traffic anomaly is a situation in which the traffic behavior in the network departs from normal behavior. Many things can cause network traffic anomalies: for example, equipment in the network fails and causes abnormal communication; network operation is abnormal; sudden bursts of access (flash crowds), network intrusions and the like can all cause network anomalies. At the same time, as networks keep growing, network topologies become more and more complex, network equipment becomes more and more diverse and the number of network users keeps increasing, network anomaly detection is an important safeguard of communication security. While network users seek convenient communication and place their trust in the network, new types of network threats keep appearing. Finding and eliminating these threats is the vital task of network anomaly detection and an important part of ensuring normal network communication.
The attacks and threats a network faces come mainly from inside the network: large numbers of network viruses, active attacks by hosts inside the network and sudden surges of anomalous traffic all overload network equipment, causing network congestion and possibly network paralysis. A SYN Flood DDoS attack is an attack in which a malicious network user exploits the weakness of the TCP three-way handshake and forges the IP addresses of normal users, bringing immeasurable losses to the network. Therefore, when anomalies exist in the network, the first measure is to find them and raise an anomaly alarm. Moreover, a network anomaly does not attack only one particular target but spreads outward as widely as it can; its ultimate aim is to affect the largest possible part of the network and to produce many types of anomalies. This situation calls for a detection method that finds anomalies quickly and in real time and blocks them, so that the network can communicate normally.
Network traffic anomalies are characterized by sudden changes in traffic and by precursory characteristics that are unknown, and they can do great harm to the network or to the computers on it within a short time. Detecting abnormal traffic behavior quickly and in real time, determining its cause and responding appropriately is therefore one of the prerequisites for keeping the network running effectively, and reducing the losses caused by malicious network attacks is another important aspect of ensuring network security.
The anomaly detection methods proposed so far, such as the non-linear anomalous traffic detection method (NLPP), the anomalous traffic detection method based on wavelet analysis and the anomalous traffic detection method based on the ARMA model, can detect anomalies in real time, but their computational complexity is high and their results are not accurate enough, often with a high false alarm rate; moreover, these methods can be used only when the traffic data exhibit long-range correlation. Most traffic data, when collected, show no obvious correlation and their fluctuation trend is often unstable, which severely limits the applicability of these methods. The anomaly detection method proposed by the present invention preprocesses the traffic data before traffic detection and thereby overcomes this limitation. In addition, the multistage detection mechanism proposed on top of traditional detection effectively reduces the false alarm rate.
Summary of the invention
In view of the deficiencies of the prior art, the object of the present invention is to provide a method that reduces the false alarm rate while ensuring accuracy, and that is simple and easy to implement. The technical scheme of the present invention is as follows: an efficient multistage anomalous traffic detection method based on the TCP protocol, comprising the following steps:
101. Network traffic data are collected within a time period T; for the original traffic sequence R in the network traffic data, the measured value at time t is denoted x_t, x_t ∈ R, t = 1, 2, ..., T; unusable traffic data values x_t are removed according to the criterion |x_t| > k·var_R, where k is the Grubbs test coefficient and var_R is the variance of the sequence R; the traffic data that remain form the traffic observation sequence X;
102. Difference stationarization preprocessing is applied to the traffic observation sequence X; the difference flow sequence obtained by the preprocessing is D, with difference value d_t = x_t - x_{t-1}, t > 1, d_t ∈ D, t = 1, 2, ..., N; once the difference flow sequence D has been obtained, it is passed to step 103;
103. The mean value and the variance of sequence X and of sequence D are calculated, and from the mean values and variances the interval [l_t, h_t] in which the difference flow value at time t lies is estimated,
where p_t is the threshold predicted value at time t, l_t and h_t are respectively the minimum and maximum values of the difference flow allowed at time t, and var_d_t is the variance of the difference flow at time t; after the input of the difference flow sequence D from step 102 is detected, the firewall enables its primary detection defense function and checks the data being sent against the threshold predicted value p_t at time t: when the difference flow data value at time t lies within the interval [l_t, h_t] of the difference flow predicted value, the traffic is judged to be normal and is forwarded to the server; when it lies outside the interval [l_t, h_t], the traffic is judged to be abnormal and the method jumps to step 104;
104. The multistage detection system of the firewall decomposes the forwarded data packet, extracts the key field key_field from the packet and judges the key field; if no abnormal field is found, the packet is forwarded to the server; if an abnormal field is detected, the packet is discarded;
105. After the re-detection in step 104, normal data packets are forwarded to the server, so that the server and the client establish the first handshake connection;
106. After the first handshake connection is established, the server sends a reply message M_response to the client and at the same time waits for the client's acknowledgment ACK; when the client receives the server's reply message M_response, the two ends establish the second handshake connection; after the server receives the acknowledgment ACK, the server and the client establish the third handshake connection, and the two can communicate.
Further, the steps of the difference stationarization preprocessing described in step 102 are:
S21: the network communication data sequence {x_1, x_2, ..., x_t} collected in the time period T is analyzed, outliers are removed and normal values are retained; here, if |x_t| > k·var_R, then x_i is an outlier, where k is the Grubbs test coefficient and var_R is the variance of the sequence R; the observed values that remain form the observation sequence X;
S22: the mean value of the original sequence R and its variance var_R are calculated;
S23: difference preprocessing is applied to the observation sequence X, giving d_t ∈ D, t = 1, 2, ..., T, where d_t = x_t - x_{t-1}, t > 1;
S24: the mean value of the difference sequence D and its variance var_D are calculated.
Further, the mean value of the original sequence R
formula is:
var_R represents their variance,
The advantages and beneficial effects of the present invention are as follows:
The present invention uses an efficient multistage anomalous traffic detection method based on the TCP protocol to detect and judge traffic data repeatedly. With existing anomaly detection techniques the false alarm rate during detection is high, which greatly affects the accuracy of detection. To ensure both the accuracy of detection and the security of network communication, a multistage anomaly detection method is proposed here. First, offline and on the basis of statistics, the adaptive threshold method is used to estimate the interval in which the traffic at the next moment will lie; then, according to this estimated traffic interval, detection and judgment are carried out online; when the result is abnormal, multistage detection is carried out, in which the key information in the data packet is extracted and judged. This multistage detection mechanism effectively reduces the false alarm rate of anomaly detection. The method uses the difference mean-variance approach to obtain a difference flow whose trend is stationary. Its computational complexity is low, and because computation is done offline and detection online, detection is fast and meets the requirement of real-time detection. At the same time, the added multistage detection mechanism both reduces the false alarm rate and ensures the security of network communication.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the multistage anomaly detection of the present invention;
Fig. 2 is a schematic diagram of the traffic data screening of the present invention;
Fig. 3 is a schematic diagram of the sequence stationarization of the present invention;
Fig. 4 is a schematic diagram of the adaptive threshold calculation of the present invention;
Fig. 5 is a schematic diagram of the multistage anomaly detection of the present invention.
Embodiment
The technical scheme in the embodiment of the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiment is only one embodiment of the present invention, not all embodiments.
Fig. 1 is a schematic flowchart of the multistage anomaly detection of the present invention. The present invention is based on the TCP three-way handshake connection protocol of Internet communication. During communication, the client issues a request to access the server and establish a connection. When access is normal, the access flow consists of the following steps:
S1: The client initiates a request, and the request data packet it sends is forwarded by the router to the firewall. After receiving the request data packet, the firewall collects traffic statistics and carries out primary detection, that is, difference flow detection. If the traffic is found to lie within the interval [l_t, h_t] of the difference flow predicted value, the firewall judges the data packet to be a normal packet and forwards it to the server; otherwise the data packet is judged to be an abnormal packet, and the firewall starts further detection. In the further anomaly detection the data packet is analyzed, the key field key_field is extracted and key_field is checked further; if the result is still abnormal, the packet is discarded; if it is normal, the packet is marked as a misjudgment and forwarded to the server. At this point the client and the server establish the first handshake connection;
S2: While establishing the first connection with the client, the server sends a reply message M_response to the client, waits for the client's acknowledgment ACK and at the same time starts the wait timer T_wait; when the client receives the reply message M_response, the second handshake connection is established;
S3: When the server's waiting time exceeds the maximum waiting time, the server discards the data packet; otherwise, after the server receives the acknowledgment ACK sent by the client, the third handshake connection is established. The two sides can now communicate.
Fig. 2 is a schematic diagram of the traffic data screening of the present invention. Traffic data are collected over a period T with a sampling interval of 1 s; the collected original traffic sequence is denoted R, and the measured value at time t is denoted x_t, where x_t ∈ R, t = 1, 2, ..., T. The mean value of the original sequence {x_1, x_2, ..., x_t} is defined, and var_R represents their variance,
Before flow data screening, observation sequence
each value in sequence R is judged in turn: when the value x_t at time t satisfies |x_t| > k·var_R, x_t is rejected, where k is the Grubbs test coefficient; otherwise the observation sequence becomes X = X ∪ x_t, where x_t ∈ X, t = 1, 2, ..., N.
Fig. 3 is a schematic diagram of the sequence stationarization of the present invention. So that the difference sequence of the original sequence reflects the trend of the data fluctuations better, the difference sequence of the original sequence is defined as D; that is, the observation sequence {x_1, x_2, ..., x_n} is preprocessed, with d_t denoting the difference value at time t: d_t = x_t - x_{t-1}, t > 1, d_t ∈ D, t = 1, 2, ..., N. The mean value of the difference sequence D is given by
the difference mean at time t is
and the variance of the difference sequence D is denoted var_D, with
As N → ∞,
It follows that the difference flow tends to be stationary.
Fig. 4 is a schematic diagram of the adaptive threshold calculation of the present invention. Before real-time anomaly detection can be carried out online, the adaptive threshold must first be calculated. When the adaptive threshold is determined, l_t and h_t denote respectively the minimum and maximum values of the difference flow allowed at time t. The present invention calculates the adaptive threshold by means of a refresh mechanism, mainly as follows:
The threshold predicted value p_t at time t is obtained by superimposing the difference flow of the previous moment,
where α is a weighting constant determined mainly by the number of hosts sending packets in the model; it controls the proportion that new data take in the model and how quickly the model adapts to local behavior, and thereby establishes the refresh mechanism of the normal model. If the current measured value fits the normal model completely, the measured value is considered normal. Because actual conditions rarely match the theoretical model, however, a confidence interval is set using the standard deviation of the measured values, and the level of tolerance obtained depends on how many standard deviations are added; 2 to 3 standard deviations are generally used. Since difference preprocessing has been applied to the data, 2 standard deviations are used here, so the threshold range obtained is
where n is the number of clients. The adaptive threshold interval thus obtained is [l_t, h_t].
Fig. 5 is a schematic diagram of the multistage anomaly detection of the present invention. The request data packet sent by the client is forwarded by the router to the firewall, which, after receiving the packet, calculates the adaptive threshold interval from the existing observation sequence. The first step is the first adaptive threshold detection, in which the traffic data of the next moment are checked mainly against the statistics of the network traffic. If this detection judges the data packet to be normal, it is forwarded directly to the server; if it is judged abnormal, multistage detection further confirms whether the packet is an abnormal packet.
In the further anomaly detection the data packet is analyzed and the key field key_field is extracted. key_field is checked further; if it is normal, the packet is marked as a misjudgment and forwarded to the server; if the result is still abnormal, the packet is discarded. At the same time, the next data packet in the queue Q is processed.
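The two-stage decision described above, as an added Python example that is not part of the patent. The page's formulas for p_t and [l_t, h_t] are missing, so the exponentially weighted update with α and the p_t ± 2 standard deviations interval are assumptions, the SYN+FIN rule is a hypothetical stand-in for the unspecified key_field check, the client count n is left out, and all traffic is constructed.

```python
import math
import statistics

SYN, FIN = 0x02, 0x01  # TCP flag bits


def key_field_ok(packet):
    """Stage 2, hypothetical rule: the page does not say which key fields are
    inspected, so a segment with SYN and FIN both set counts as abnormal."""
    flags = packet["flags"]
    return not (flags & SYN and flags & FIN)


class MultiStageDetector:
    def __init__(self, baseline, alpha=0.2, width=2.0):
        if len(baseline) < 3:
            raise ValueError("need at least three baseline samples")
        # Offline part: difference the (already screened) observation
        # sequence X into D, d_t = x_t - x_{t-1}, then take mean and variance.
        diffs = [b - a for a, b in zip(baseline, baseline[1:])]
        self.alpha = alpha                      # weighting constant
        self.width = width                      # standard deviations (page: 2)
        self.p = statistics.mean(diffs)         # threshold predicted value p_t
        self.var = statistics.pvariance(diffs)  # variance of the difference flow
        self.prev = baseline[-1]

    def interval(self):
        """Adaptive interval [l_t, h_t] (assumed form: p_t +/- width * sigma)."""
        half = self.width * math.sqrt(self.var)
        return self.p - half, self.p + half

    def observe(self, packets):
        """Classify one sampling interval.

        Returns (stage1_normal, forwarded, dropped)."""
        count = len(packets)
        d = count - self.prev
        self.prev = count
        low, high = self.interval()
        if low <= d <= high:
            # Refresh the normal model only with traffic judged normal
            # (assumed exponentially weighted update).
            self.p = self.alpha * d + (1 - self.alpha) * self.p
            self.var = (self.alpha * (d - self.p) ** 2
                        + (1 - self.alpha) * self.var)
            return True, list(packets), []
        # Stage 1 flagged the interval: inspect each queued packet.
        forwarded = [p for p in packets if key_field_ok(p)]  # misjudged, forward
        dropped = [p for p in packets if not key_field_ok(p)]
        return False, forwarded, dropped


def run_demo():
    # Constructed per-second packet counts used as the offline baseline.
    baseline = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96, 101, 99]
    det = MultiStageDetector(baseline)
    ok = {"flags": SYN}          # well-formed connection request
    bad = {"flags": SYN | FIN}   # malformed segment
    intervals = [
        [ok] * 102,               # ordinary second
        [ok] * 100 + [bad] * 380, # burst dominated by malformed segments
        [ok] * 101,               # back to baseline
        [ok] * 99,                # ordinary second
    ]
    return [det.observe(pkts) for pkts in intervals]


if __name__ == "__main__":
    for normal, fwd, drop in run_demo():
        print("stage1_normal=%s forwarded=%d dropped=%d"
              % (normal, len(fwd), len(drop)))
```

On the constructed intervals the burst is flagged and its malformed segments are dropped. The return to baseline is flagged at stage 1 as well, because stage 1 reacts to the change in rate rather than the rate itself, and stage 2 then forwards it as a misjudgment.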
The above embodiments are to be understood as merely illustrating the present invention and not as limiting its scope. After reading what is recorded here, a person skilled in the art can make various changes or modifications to the present invention, and these equivalent changes and modifications likewise fall within the scope of the claims of the present invention.
Claims (3)
1. An efficient multistage anomalous traffic detection method based on the TCP protocol, characterized in that it comprises the following steps:
101. Network traffic data are collected within a time period T; for the original traffic sequence R in the network traffic data, the measured value at time t is denoted x_t, x_t ∈ R, t = 1, 2, ..., T; unusable traffic data values x_t are removed according to the criterion |x_t| > k·var_R, where k is the Grubbs test coefficient and var_R is the variance of the sequence R; the traffic data that remain form the traffic observation sequence X;
102. Difference stationarization preprocessing is applied to the traffic observation sequence X; the difference flow sequence obtained by the preprocessing is D, with difference value d_t = x_t - x_{t-1}, t > 1, d_t ∈ D, t = 1, 2, ..., N; once the difference flow sequence D has been obtained, it is passed to step 103;
103. The mean value and the variance of sequence X and of sequence D are calculated, and from the mean values and variances the interval [l_t, h_t] in which the difference flow value at time t lies is estimated,
where p_t is the threshold predicted value at time t, l_t and h_t are respectively the minimum and maximum values of the difference flow allowed at time t, and var_d_t is the variance of the difference flow at time t; after the input of the difference flow sequence D from step 102 is detected, the firewall enables its primary detection defense function and checks the data being sent against the threshold predicted value p_t at time t: when the difference flow data value at time t lies within the interval [l_t, h_t] of the difference flow predicted value, the traffic is judged to be normal and is forwarded to the server; when it lies outside the interval [l_t, h_t], the traffic is judged to be abnormal and the method jumps to step 104;
104. The multistage detection system of the firewall decomposes the forwarded data packet, extracts the key field key_field from the packet and judges the key field; if no abnormal field is found, the packet is forwarded to the server; if an abnormal field is detected, the packet is discarded;
105. After the re-detection in step 104, normal data packets are forwarded to the server, so that the server and the client establish the first handshake connection;
106. After the first handshake connection is established, the server sends a reply message M_response to the client and at the same time waits for the client's acknowledgment ACK; when the client receives the server's reply message M_response, the two ends establish the second handshake connection; after the server receives the acknowledgment ACK, the server and the client establish the third handshake connection, and the two can communicate.
2. The efficient multistage anomalous traffic detection method based on the TCP protocol according to claim 1, characterized in that the steps of the difference stationarization preprocessing described in step 102 are:
S21: the network communication data sequence {x_1, x_2, ..., x_t} collected in the time period T is analyzed, outliers are removed and normal values are retained; here, if |x_t| > k·var_R, then x_i is an outlier, where k is the Grubbs test coefficient and var_R is the variance of the sequence R; the observed values that remain form the observation sequence X;
S22: the mean value of the original sequence R and its variance var_R are calculated;
S23: difference preprocessing is applied to the observation sequence X, giving d_t ∈ D, t = 1, 2, ..., T, where d_t = x_t - x_{t-1}, t > 1;
S24: the mean value of the difference sequence D and its variance var_D are calculated.
3. The efficient multistage anomalous traffic detection method based on the TCP protocol according to claim 2, characterized in that the mean value of the original sequence R
formula is:
var_R represents their variance,
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510104409.2A CN104734916B (en) | 2015-03-10 | 2015-03-10 | A kind of high-efficiency multi-stage anomalous traffic detection method based on Transmission Control Protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104734916A (en) | 2015-06-24 |
CN104734916B (en) | 2018-04-27 |
Family
ID=53458370
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510104409.2A Active CN104734916B (en) | 2015-03-10 | 2015-03-10 | A kind of high-efficiency multi-stage anomalous traffic detection method based on Transmission Control Protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104734916B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||