CN109218321A - A kind of network inbreak detection method and system - Google Patents
- Publication number: CN109218321A
- Application number: CN201811116207.XA
- Authority: CN (China)
- Prior art keywords: data, cluster, terminal behavior, terminal, vector
- Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1416—Event detection, e.g. attack signature detection
        - H04L63/1425—Traffic logging, e.g. anomaly detection
  - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    - H04L41/06—Management of faults, events, alarms or notifications
      - H04L41/0677—Localisation of faults
    - H04L41/22—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Human Computer Interaction (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a network intrusion detection method comprising the following steps: (1) perform data processing on historical terminal behavior data; (2) determine whether a Kmeans cluster analysis model exists; if not, build a Spark-based Kmeans cluster analysis model from the historical terminal behavior data and proceed to step (3); if it does, proceed directly to step (3); (3) analyze newly received terminal behavior data with the Kmeans cluster analysis model; (4) detect network intrusions and suspicious connection behavior and display the attack chain on a map. The method extends functionality, improves timeliness, lowers the missed-report rate, and makes the human-machine interface more friendly.
Description
Technical field
The invention belongs to the technical field of computer networks and relates to a method for analyzing abnormal terminal behavior.
Background technique
Analyzing abnormal terminal behavior and detecting network intrusions means finding connections that differ from the normal connections seen in the past, which is essential to guaranteeing network security. The common existing method of detecting network intrusions is the anomaly-based network intrusion detection system (A-NIDS). A-NIDS is further divided into intrusion detection based on abnormal packets and intrusion detection based on abnormal network traffic.
In packet-based intrusion detection the data source is obtained from the network, and captured packets are analyzed in real time against the features in an abnormal-packet feature database; if a packet matches a feature in the database it is considered an abnormal packet. The drawback of packet-based intrusion detection is that the feature database must be updated constantly; if the features of an abnormal packet have not been collected into the database, that packet is hard to detect.
In traffic-based intrusion detection, current network traffic is predicted from sampled data; if the current traffic differs greatly from the prediction, which shows up as a sudden sharp increase in network traffic, the traffic is considered abnormal, and an alarm is generated when the anomaly is judged to be an intrusion. The drawback of traffic-based intrusion detection is that low-volume intrusions cannot be detected, and a sudden increase in legitimate traffic leads to misjudgment by the system.
Clustering takes a large data set of unlabeled items and divides it into several classes according to the inherent similarity of the data, so that similarity within a class is high and similarity between classes is low. Clustering is the most notable unsupervised learning algorithm, and Kmeans is the most widely used clustering algorithm; it tries to find k clusters in the data set. In the Kmeans algorithm a data point is the feature vector made up of all numeric features, called a vector for short. The distance between data points is generally the Euclidean distance; for example, the distance between point 1 (x11, x12, x13, ..., x1n) and point 2 (x21, x22, x23, ..., x2n) is calculated as follows:
In the Kmeans algorithm a cluster is essentially a point, namely the center (called the centroid) of all the points that make up the cluster, which is the arithmetic mean of all points in the cluster; hence the algorithm's name, Kmeans. When the algorithm starts, k data points are chosen at random as cluster centroids; each data point is then assigned to the nearest centroid; for each cluster the mean of all its data points is computed and becomes the cluster's new centroid; the process is repeated until the centroids stabilize and no longer change, yielding k clusters. Taking a three-dimensional data set in which a cluster consists of two points X=(x1, x2, x3) and Y=(y1, y2, y3), the center point Z becomes Z=(z1, z2, z3), where z1=(x1+y1)/2, z2=(x2+y2)/2, z3=(x3+y3)/2. The Kmeans clustering algorithm has the following advantages: 1. as a classic algorithm for the clustering problem it is simple and fast; 2. it is scalable and efficient on large data sets; 3. it performs well when the resulting clusters are dense. Although a method already exists that uses a Kmeans model for network intrusion detection (for example CN 107895171A), that method classifies by combining a deep belief network with the Kmeans algorithm, so the algorithm is complex, and the Kmeans model's training data consist of abnormal data of several attack types, so there is a risk of missed detections when the collected abnormal data are incomplete.
Summary of the invention
To address the problems of existing intrusion detection methods, and based on the characteristics of the Kmeans algorithm, the present invention provides a terminal abnormal behavior analysis method using a Spark-based machine-learning Kmeans analysis model. The essence of detecting network intrusions and suspicious connections is to find connections that differ from the normal connections seen in the past. The present invention clusters network connections according to the statistical attributes of each connection; the resulting clusters define the normal historical connection patterns, that is, the region of normal connections, and any point outside that region is abnormal and suspicious, so points outside the normal connection region are regarded as network intrusions. The present invention also displays the attack chain from the terminal behavior analysis on a map, and provides a corresponding analysis system.
To solve the above technical problems, one embodiment of the invention provides a network intrusion detection method comprising the following steps: (1) perform data processing on historical terminal behavior data; (2) determine whether a Kmeans cluster analysis model exists; if not, build a Spark-based Kmeans cluster analysis model from the historical terminal behavior data and proceed to step (3); if it does, proceed directly to step (3); (3) analyze newly received terminal behavior data according to the Kmeans cluster analysis model; (4) detect network intrusions and suspicious connection behavior and display the attack chain on a map.
In a preferred embodiment of the method, the terminal behavior data of step (1) are logs that record each network connection access; the primary fields of the log include: source IP address, destination IP address, destination port number, request interface, operation type, time the request occurred, and operation duration. The log characterizes the behavioral features of an access, and these data can be used to identify the attributes of a terminal access.
In a preferred embodiment of the method, the terminal behavior data of the access server are collected, the collected data are normalized and vectorized, and every terminal behavior record is converted into a terminal behavior vector associated with the request.
In a preferred embodiment of the method, step (2) builds the Spark-based Kmeans cluster analysis model as follows: the model is trained with the historical terminal behavior vectors as input data to obtain a converged cluster result, and the trained cluster analysis model is saved. The steps of training the cluster analysis model are: step a: select the number of clusters k and normalize and vectorize the data in the training vector set; step b: randomly select k vectors from the training vector set as cluster centers; step c: compute the distance from each vector in the training vector set to the k cluster centers and assign the vector to the nearest cluster center, obtaining k clusters; step d: for each cluster compute the mean of all its data points and take it as the cluster's new center; step e: repeat steps c-d until the cluster centers no longer change, thus obtaining k clusters;
where k >= 1.
In a preferred embodiment of the method, step (3) is: for newly collected terminal behavior data, compute the distance to each cluster center; when the distance exceeds the threshold, the newly collected terminal behavior data are judged to be suspicious behavior data.
In a preferred embodiment of the method, step (4) specifically analyzes the suspicious behavior data found in step (3), finds the source IP address and destination IP address corresponding to the suspicious behavior data, associates the source IP address and destination IP address with their corresponding location information, and displays them on a map in the form of an attack chain.
To solve the above technical problems, another embodiment of the invention provides a network intrusion detection system comprising:
a data processing unit for performing data processing on terminal behavior data;
a judging unit for determining whether a Kmeans cluster analysis model exists;
a cluster analysis model building unit for building the Spark-based Kmeans cluster analysis model from historical terminal behavior data;
a data analysis unit for analyzing newly received terminal behavior data;
an abnormal behavior analysis result display unit for displaying the attack chain on a map when a network intrusion or suspicious connection behavior is detected.
In a preferred embodiment of the system, the data processing unit collects the terminal behavior data of the access server through a data acquisition module, normalizes and vectorizes the collected data, and converts every terminal behavior record into a terminal behavior vector associated with the request.
In a preferred embodiment of the system, the cluster analysis model building unit uses the historical terminal behavior vectors as input data, trains the cluster analysis model on a large amount of training data, obtains a converged cluster result, and saves the trained cluster analysis model.
In a preferred embodiment of the system, the data analysis unit analyzes terminal behavior data; specifically, for each newly collected terminal behavior data vector it computes the distance to each cluster center, sets a threshold, and judges the terminal behavior data to be suspicious behavior data when the distance exceeds the threshold.
In a preferred embodiment of the system, the abnormal behavior analysis result display unit analyzes the suspicious data found by the data analysis unit, finds the source IP address and destination IP address corresponding to the suspicious behavior data, associates the source and destination IP addresses with their corresponding location information, and displays them on a map in the form of an attack chain.
The present invention achieves the following beneficial effects:
1. Extended functionality and timeliness: the machine-learning threat detection method based on terminal behavior traffic data can quickly discover abnormal behavior data in the network and alert the user promptly, so that data analysis is completed at close to real-time speed, improving the efficiency of threat discovery and handling and enhancing the timeliness of the system's audit and alarm functions.
2. Low missed-report rate: historical terminal data are modeled, and data whose distance to a cluster center exceeds the set threshold are treated as abnormal, which substantially reduces the missed-report rate.
3. Friendly human-machine interface: the whole attack chain is shown intuitively on a map using the location information of the IP addresses, so the user can quickly locate where the problem is.
Other features and advantages of the invention will be set out in the following description and will in part become apparent from the description or be learned by practicing the invention. The objects and other advantages of the invention can be realized and obtained by the structures specifically pointed out in the written description, claims and drawings.
Detailed description of the invention
The drawings described here provide a further understanding of the invention and form a part of it; the illustrative embodiments of the invention and their description serve to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is the flow chart of the network intrusion detection method of the invention;
Fig. 2 is the composition diagram of the network intrusion detection system of the invention;
Fig. 3 is a schematic diagram of the process of building the Spark-based Kmeans cluster analysis model.
Specific embodiment
Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here only serve to illustrate and explain the invention and are not intended to limit it, and that, in the absence of conflict, the embodiments and the features in the embodiments can be combined with each other.
The essence of detecting network intrusions and suspicious connections is to find connections that differ from those seen in the past. Network connections can be clustered according to the statistical attributes of each connection; the resulting clusters define the historical connection patterns and help us define the region of normal connections. Any point outside that region is abnormal and suspicious.
Terminal behavior is recorded as logs of each access; the primary fields of the log are: source IP address, destination IP address, destination port number, request interface, operation type, time the request occurred, operation duration, etc. The output log characterizes the behavioral features of an access well, and the attributes of a terminal access can be identified from these data.
Kmeans tries to find k clusters in the data set; a point in the data set is in fact the feature vector made up of all numeric features, called a vector for short. In the Kmeans algorithm a cluster is in fact a point, namely the center of all the points that make up the cluster. For example, with a three-dimensional data set and a cluster of two points X=(x1, x2, x3) and Y=(y1, y2, y3), the center point Z becomes Z=(z1, z2, z3), where z1=(x1+y1)/2, z2=(x2+y2)/2, z3=(x3+y3)/2.
Embodiment 1
The building of the Kmeans analysis model and the behavior analysis and judgment process are shown in Fig. 1 and comprise the following steps:
(1) Data processing of terminal historical behavior data
Terminal historical behavior is recorded as logs of each access; the primary fields of the log are: source IP address, destination IP address, destination port number, request interface, operation type, time the request occurred, operation duration, etc. The collected terminal historical behavior data are normalized, and the processed message fields are as follows:
    case class TerminalAction(
      var treceived: String, // time at which the server received the terminal request
      var duration: Int,     // operation duration
      sip: String,           // terminal (source) IP address
      dip: String,           // IP address requested by the terminal
      dport: String,         // port number requested by the terminal
      interface: String,     // interface name
      var action: Int,       // operation type (0: add, 1: delete, 2: query, 3: modify)
      reqLen: Long,          // request packet length (bytes)
      resLen: Long           // response packet length (bytes)
    )
(2) Vectorization of the normalized terminal historical behavior data
Each terminal historical behavior record (TerminalAction) is converted into a vector associated with the request:
(terminalId, deviceId, dport, action, interface, treceived, duration, resLen, reqLen).
The specific rules for creating the vector are as follows:
TerminalId (terminal number)
The corresponding terminal id is looked up from the sip field in the data (a unique number identifying the sip). The number is custom and only needs to uniquely identify one terminal or server.
DestinationIp (destination ip)
The corresponding server id is looked up from the dip field in the data (a unique number identifying the dip). The number is custom and only needs to uniquely identify one terminal or server.
DestinationPort (destination port)
The dport field in the data is used.
Time of day (time)
The treceived field in the data is used, as the hour value of the time at which the operation occurred.
Request Bytes (size of request parameters)
The number of the bin into which the resLen field value in the data falls is used, with bins [0, 512, 1024, 2048, 4096, ...] in bytes; that is, 0-512 corresponds to 1, 512-1024 corresponds to 2, and so on. If resLen equals 256 bytes the value is 1; if resLen equals 760 bytes the value is 2.
Response Bytes (size of response results)
The number of the bin into which the reqLen field value in the data falls is used, with bins [0, 512, 1024, 2048, 4096, ...] in bytes; that is, 0-512 corresponds to 1, 512-1024 corresponds to 2, and so on. If resLen equals 256 bytes the value is 1; if resLen equals 760 bytes the value is 2.
Interface (interface code)
The code corresponding to the name of the interface accessed. The mapping between interfaces and codes is defined according to the actual situation; for example, /szga/login is coded 0001 and /terminals/create is coded 0002.
Action (operation type)
0 corresponds to add; 1 to delete; 2 to query; 3 to modify.
Duration (operation duration)
The number of the bin into which the time of the whole operation from request to response falls, with bins [0, 10, 20, 30, 40, 50, 60, 70, ...] in seconds; that is, 0-10 corresponds to 1, 10-20 corresponds to 2, and so on. If duration equals 10 seconds the value is 2.
For example, for the following normalized terminal behavior data,
sip: 192.168.130.241, dip: 192.168.131.125, dport: 3306, trhour: 10, resLen: 1026, reqLen: 10, interface: 0001, action: 0, duration: 10
the generated vector is:
(1, 1, 3306, 0, 0001, 10, 12, 4).
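The vectorization rules above, as an added example that is not code from the patent or any implementation of it. It follows the 9-field order listed for the vector and the binning rules stated for bytes and duration (a value sitting exactly on a boundary goes to the upper bin, as in the page's 10-second example); the timestamp format, the numeric interface codes and the hypothetical record are assumptions, and the sample record reuses the field values from the page's example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class TerminalAction:
    """One normalized terminal behavior record (same fields as the page's struct)."""
    treceived: str   # time the server received the request, assumed "YYYY-mm-dd HH:MM:SS"
    duration: int    # operation duration in seconds
    sip: str         # source (terminal) IP address
    dip: str         # destination IP address
    dport: str       # destination port number, kept as a string as in the log
    interface: str   # request interface name, e.g. "/szga/login"
    action: int      # operation type: 0 add, 1 delete, 2 query, 3 modify
    reqLen: int      # request packet length in bytes
    resLen: int      # response packet length in bytes


# Interface-name to code table; the page lists only these two entries.
INTERFACE_CODES: Dict[str, int] = {"/szga/login": 1, "/terminals/create": 2}


def byte_bin(n_bytes: int) -> int:
    """Bin number for a byte count over the boundaries [0, 512, 1024, 2048, ...].

    0-512 -> 1, 512-1024 -> 2, 1024-2048 -> 3, ...; a value on a boundary goes to
    the upper bin, consistent with the page's duration example (10 s -> 2).
    """
    if n_bytes < 0:
        raise ValueError("byte count cannot be negative")
    idx, bound = 1, 512
    while n_bytes >= bound:
        idx += 1
        bound *= 2
    return idx


def duration_bin(seconds: int) -> int:
    """Bin number for a duration over the boundaries [0, 10, 20, 30, ...] seconds."""
    if seconds < 0:
        raise ValueError("duration cannot be negative")
    idx, bound = 1, 10
    while seconds >= bound:
        idx += 1
        bound += 10
    return idx


class Vectorizer:
    """Turns TerminalAction records into the vector
    (terminalId, deviceId, dport, action, interface, hour, duration, resLen, reqLen)."""

    def __init__(self) -> None:
        # Custom numbering: the first IP seen gets 1, the next 2, and so on.
        self._terminal_ids: Dict[str, int] = {}
        self._server_ids: Dict[str, int] = {}

    @staticmethod
    def _number(table: Dict[str, int], key: str) -> int:
        if key not in table:
            table[key] = len(table) + 1
        return table[key]

    def vectorize(self, rec: TerminalAction) -> List[int]:
        hour = datetime.strptime(rec.treceived, "%Y-%m-%d %H:%M:%S").hour
        return [
            self._number(self._terminal_ids, rec.sip),  # terminalId derived from sip
            self._number(self._server_ids, rec.dip),    # deviceId derived from dip
            int(rec.dport),                             # destination port used as-is
            rec.action,                                 # operation type
            INTERFACE_CODES.get(rec.interface, 0),      # 0 marks an unmapped interface
            hour,                                       # hour of the day
            duration_bin(rec.duration),
            byte_bin(rec.resLen),
            byte_bin(rec.reqLen),
        ]


# Constructed sample record using the field values of the page's example; the
# timestamp is invented and only its hour (10) matters.
SAMPLE = TerminalAction(
    treceived="2018-09-25 10:42:07", duration=10,
    sip="192.168.130.241", dip="192.168.131.125", dport="3306",
    interface="/szga/login", action=0, reqLen=10, resLen=1026,
)

if __name__ == "__main__":
    print(Vectorizer().vectorize(SAMPLE))  # [1, 1, 3306, 0, 1, 10, 2, 3, 1]
```

Applied literally, the stated rules give 2 for the 10-second duration and 3 for a 1026-byte resLen, so the output differs from the vector printed on the page; a second record from the same sip would reuse terminal id 1.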
(3) Building the Spark-based Kmeans cluster analysis model
As in Fig. 3, the set of historical behavior vectors is shown in Fig. 3a. Step a: the number of clusters is chosen as 4, and the data in the training set are normalized and vectorized; step b: 4 vectors are randomly chosen from the training vector set as cluster centers, the randomly chosen centers being shown as "+" in Fig. 3b; step c: the distance from each vector in the training set to the 4 cluster centers is computed and the vector is assigned to the nearest center, giving 4 clusters; step d: for each cluster the mean of all its data points is computed and taken as the cluster's new center; step e: steps c-d are repeated until the cluster centers no longer change and stabilize at the 4 points in Fig. 3c, giving 4 clusters.
It is determined whether a Kmeans cluster analysis model exists; if not, the input terminal historical behavior data (vectors) are used as input data, the model is trained on a large amount of data to obtain a converged cluster result, and the Kmeans cluster analysis model is built.
The trained Kmeans cluster analysis model is saved. For newly collected terminal behavior data, the distance to each cluster center is computed and a threshold is set; when the distance exceeds the threshold, the sip and dip are judged to be suspicious behavior data.
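Steps a-e of the training procedure (as described in the summary and in Embodiment 1) together with the distance-threshold check of step (3), as an added example that is not the patent's or any Spark implementation's code. It uses plain Python rather than Spark, 3-dimensional constructed history vectors, and an assumed threshold rule (the page only says "a threshold is set"); the saved model is the list of cluster centers.

```python
import json
import math
import random
from typing import List, Sequence, Tuple

Vector = Sequence[float]


def euclidean(p: Vector, q: Vector) -> float:
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def centroid(points: List[Vector]) -> List[float]:
    """Arithmetic mean of the points, i.e. the cluster center (the page's Z)."""
    dim = len(points[0])
    return [sum(p[i] for p in points) / len(points) for i in range(dim)]


def kmeans(data: List[Vector], k: int, seed: int = 0, max_iter: int = 100) -> List[List[float]]:
    """Steps a-e: random k seeds, assign, recompute centers, repeat until stable."""
    if not 1 <= k <= len(data):
        raise ValueError("k must be between 1 and the number of training vectors")
    rng = random.Random(seed)
    centers = [list(p) for p in rng.sample(data, k)]           # step b
    for _ in range(max_iter):
        clusters: List[List[Vector]] = [[] for _ in range(k)]
        for p in data:                                         # step c
            nearest = min(range(k), key=lambda i: euclidean(p, centers[i]))
            clusters[nearest].append(p)
        # step d; a cluster that lost all its points keeps its old center
        new_centers = [centroid(c) if c else centers[i] for i, c in enumerate(clusters)]
        if new_centers == centers:                             # step e: no change
            break
        centers = new_centers
    return centers


def nearest_center_distance(vec: Vector, centers: List[List[float]]) -> float:
    return min(euclidean(vec, c) for c in centers)


def fit_threshold(data: List[Vector], centers: List[List[float]], margin: float = 1.5) -> float:
    """Assumed rule for the unspecified threshold: the largest distance any
    training vector has to its own center, times a safety margin."""
    return margin * max(nearest_center_distance(p, centers) for p in data)


def is_suspicious(vec: Vector, centers: List[List[float]], threshold: float) -> bool:
    """Step (3): a new vector farther than the threshold from every center is suspicious."""
    return nearest_center_distance(vec, centers) > threshold


def serialize(centers: List[List[float]]) -> str:
    """The saved model is just the centers; JSON is enough to persist them."""
    return json.dumps(centers)


def deserialize(blob: str) -> List[List[float]]:
    return json.loads(blob)


# Constructed history vectors (hour, duration bin, response-size bin) forming two
# groups of normal behavior. The raw dport column (e.g. 3306) is deliberately left
# out: unscaled, it would dominate the Euclidean distance, which is why the page
# normalizes before vectorizing.
HISTORY: List[Vector] = [
    [10, 1, 1], [10, 2, 1], [11, 1, 2], [9, 1, 1],     # daytime, short, small responses
    [22, 3, 4], [23, 3, 4], [22, 4, 5], [21, 3, 4],    # night batch jobs, longer, larger
]


def demo() -> Tuple[bool, bool]:
    """Train, derive a threshold, then score one normal and one outlying vector."""
    centers = deserialize(serialize(kmeans(HISTORY, k=2, seed=1)))
    threshold = fit_threshold(HISTORY, centers)
    normal = is_suspicious([10, 1, 2], centers, threshold)   # near the daytime group
    outlier = is_suspicious([3, 9, 9], centers, threshold)   # 03:00, slow, huge response
    return normal, outlier


if __name__ == "__main__":
    print(demo())  # (False, True)
```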
(4) Attack chain map display of the abnormal behavior analysis result
The suspicious data found in step (3) are analyzed, the IP address chain of the suspicious sip and dip addresses is found, the IP addresses are associated with their corresponding location information, and the attack chain is displayed on the map.
Embodiment 2
As shown in Fig. 2, the invention discloses a network intrusion detection system comprising:
a data processing unit for performing data processing on terminal behavior data;
a judging unit for determining whether a Kmeans cluster analysis model exists;
a cluster analysis model building unit for building the Spark-based Kmeans cluster analysis model from historical terminal behavior data;
a data analysis unit for analyzing newly received terminal behavior data;
an abnormal behavior analysis result display unit for displaying the attack chain on a map when a network intrusion or suspicious connection behavior is detected.
The data processing unit collects the terminal behavior data of the access server through a data acquisition module, normalizes and vectorizes the collected data, and converts every terminal behavior record into a terminal behavior vector associated with the request.
The cluster analysis model building unit uses the historical terminal behavior vectors as input data, trains the cluster analysis model on a large amount of training data, obtains a converged cluster result, and saves the trained cluster analysis model.
The data analysis unit analyzes terminal behavior data; specifically, for each newly collected terminal behavior data vector it computes the distance to each cluster center, sets a threshold, and judges the terminal behavior data to be suspicious behavior data when the distance exceeds the threshold.
The abnormal behavior analysis result display unit analyzes the suspicious data found by the data analysis unit, finds the source IP address and destination IP address corresponding to the suspicious behavior data, associates the source and destination IP addresses with their corresponding location information, and displays them on a map in the form of an attack chain.
The threat detection analysis based on terminal behavior traffic data has been deployed in the big-data analysis system of a financial institution, where it effectively raised alarms on abnormal traffic and displayed attack chains based on geographic location information.
It is obvious to those skilled in the art that the embodiments of the invention are not limited to the details of the exemplary embodiments above, and that the embodiments can be realized in other specific forms without departing from their spirit or essential attributes. The embodiments are therefore to be considered in all respects as illustrative and not restrictive; the scope of the embodiments is indicated by the appended claims rather than by the foregoing description, and all changes falling within the meaning and range of equivalents of the claims are intended to be included in the embodiments. No reference sign in a claim should be construed as limiting that claim. Furthermore, the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Several units, modules or devices recited in a system, device or terminal claim may also be implemented by one and the same unit, module or device through software or hardware. The words first, second and the like are used to denote names and do not indicate any particular order.
Finally, it should be noted that the embodiments above only illustrate the technical solutions of the embodiments of the invention and do not limit them. Although the embodiments have been described in detail with reference to the preferred embodiments above, those skilled in the art should understand that the technical solutions can be modified or equivalently replaced without departing from their spirit and scope.
Claims (11)
1. a kind of network inbreak detection method, comprising the following steps: (1) carry out data processing to history terminal behavior data;(2)
Kmeans Clustering Model is judged whether there is, if it does not, establishing according to history terminal behavior data based on spark's
Kmeans Clustering Model enters step (3), if it does, directly carrying out step (3);(3) it is clustered according to the Kmeans
Analysis model analyzes the terminal behavior data newly received;(4) network intrusions and suspicious connection behavior are detected, are gone forward side by side
Row attack chain map is shown.
2. the method as described in claim 1, wherein the terminal behavior data of step (1) are recorded each time using log mode
The case where network connection access, the primary fields in log include: that source IP address, purpose IP address, destination slogan, request connect
Mouth, action type, the time of request generation, operation duration, the log can characterize the behavioural characteristic of access, can use the number
According to come the attribute that identifies terminal access.
3. the method according to claim 1, the terminal behavior data of access server are acquired, and to adopting
The data of collection are normalized to be handled with vectorization, converts an end relevant to request for every terminal behavior record
End behavior vector.
4. the method according to claim 1, wherein step (2) establishes the Kmeans clustering based on spark
Model is to be trained using history terminal behavior vector as input data to model, obtain convergent cluster result, will train
The step of good Clustering Model is preserved, is trained to Clustering Model is as follows: step a: selecting of cluster
Number k and the data concentrated to training vector are normalized and vectorization is handled;Step b: the k of training vector concentration is randomly selected
A vector is as cluster centre;Step c: calculate training vector concentrate each vector at a distance from k cluster centre, and by this to
Amount is distributed to it apart from nearest cluster centre, to obtain k cluster;Step d: it is all that the cluster is calculated to each cluster
The average value of data point, and as the new cluster centre of the cluster;Step e: repeat step c-d, until cluster centre not
Change again, thus to obtain k cluster;
Wherein k >=1.
5. method according to any of claims 1-4, step (3) are as follows: to new collected terminal behavior data, calculate it
At a distance from each clustering center, when distance is more than the threshold values, being judged as that the new collected terminal behavior data are can
Doubt behavioral data.
6. the method according to claim 1 to 5, step (4) is specifically, to the suspicious actions number found in step (3)
According to being analyzed, the suspicious actions data address corresponding source ip and the address purpose ip are found, by the source address ip and purpose ip
Location is associated with corresponding location information, is shown on map in the form of attacking chain.
7. a kind of Network Intrusion Detection System, comprising:
Data processing unit, for carrying out data processing to terminal behavior data;
Judging unit judges whether there is Kmeans Clustering Model;
Clustering Model establishes unit, for establishing the Kmeans cluster point based on spark according to history terminal behavior data
Analyse model;
Data analysis unit, for analyzing the terminal behavior data newly received;
Abnormal behaviour analyzes result display unit, when for detecting network intrusions and suspicious connection behavior, with carrying out attack chain
Figure is shown.
8. system as claimed in claim 7, wherein data processing unit is used for through data acquisition module to access server
Terminal behavior data be acquired, and the data of acquisition are normalized and vectorization processing, by every terminal row
A terminal behavior vector relevant to request is converted into for record.
9. The system according to any one of claims 7-8, wherein the clustering model establishing unit takes historical terminal behavior vectors as input data, trains the clustering model on a large volume of training data, obtains a converged clustering result, and saves the trained clustering model.
10. The system according to any one of claims 7-9, wherein the data analysis unit analyzes the terminal behavior data, specifically: for each newly collected terminal behavior data vector, computing its distance to each cluster centre, setting a threshold, and judging the terminal behavior data to be suspicious behavior data when the distance exceeds the threshold.
11. The system according to any one of claims 7-10, wherein the abnormal behavior analysis result display unit analyzes the suspicious data found by the data analysis unit, identifies the source IP address and destination IP address corresponding to the suspicious behavior data, associates the source IP address and destination IP address with their corresponding location information, and displays them on a map in the form of an attack chain.
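The clustering and detection steps of claims 4, 5 and 10, together with the source/destination attack-chain summary of claims 6 and 11, as an added worked example; this is not code from the patent or from the applicant, and it is a pure-Python stand-in for the Spark pipeline the claims describe. The terminal behavior records, the feature names (bytes, requests, ports), the location table standing in for a GeoIP lookup, the farthest-first choice of initial centres, and the threshold rule (mean plus three standard deviations of the training distances to the nearest centre) are all constructed assumptions; the claims only say that a threshold is set and that k vectors are chosen as centres. Two points the claims leave implicit are made explicit here: new records are scaled with the training statistics, not their own, or their distances to the centres mean nothing; and "distance to each cluster centre" is read as the distance to the nearest centre, since a record is normal if any cluster explains it.

```python
"""Added example: K-means baseline over terminal behaviour records, the
distance-threshold check, and the source/destination attack-chain summary.
Pure Python stand-in for the Spark pipeline in the claims; every record,
feature name, location and the threshold rule below is constructed."""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Vector = Tuple[float, ...]
FEATURES = ("bytes", "requests", "ports")  # assumed per-request features

# Constructed history: four web-browsing sessions and four file-sync sessions.
HISTORY = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "bytes": 1200, "requests": 3, "ports": 1},
    {"src": "10.0.0.6", "dst": "10.0.1.20", "bytes": 1500, "requests": 4, "ports": 1},
    {"src": "10.0.0.7", "dst": "10.0.1.20", "bytes": 1000, "requests": 3, "ports": 1},
    {"src": "10.0.0.8", "dst": "10.0.1.20", "bytes": 1600, "requests": 5, "ports": 1},
    {"src": "10.0.0.9", "dst": "10.0.1.30", "bytes": 50000, "requests": 20, "ports": 2},
    {"src": "10.0.0.10", "dst": "10.0.1.30", "bytes": 52000, "requests": 22, "ports": 2},
    {"src": "10.0.0.11", "dst": "10.0.1.30", "bytes": 54000, "requests": 21, "ports": 2},
    {"src": "10.0.0.12", "dst": "10.0.1.30", "bytes": 56000, "requests": 24, "ports": 2},
]
# Constructed new records: one normal request, one port sweep, one bulk upload.
NEW = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "bytes": 1300, "requests": 4, "ports": 1},
    {"src": "203.0.113.7", "dst": "10.0.1.20", "bytes": 800, "requests": 60, "ports": 40},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "bytes": 900000, "requests": 22, "ports": 2},
]
# Constructed location table standing in for a GeoIP lookup.
GEO = {"10.0.0.5": "Office A", "10.0.1.20": "Web tier",
       "10.0.1.30": "File server", "203.0.113.7": "External"}


@dataclass
class Model:
    lo: Vector            # per-feature minimum seen in training
    rng: Vector           # per-feature range seen in training (0 replaced by 1)
    centres: List[Vector]
    threshold: float


def euclid(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fit_scaler(rows: Sequence[dict]) -> Tuple[Vector, Vector]:
    cols = [[float(r[f]) for r in rows] for f in FEATURES]
    lo = tuple(min(c) for c in cols)
    rng = tuple((max(c) - l) or 1.0 for c, l in zip(cols, lo))  # constant feature: no /0
    return lo, rng


def vectorize(row: dict, lo: Vector, rng: Vector) -> Vector:
    # Scale with the *training* statistics so new records are comparable to the centres.
    return tuple((float(row[f]) - l) / r for f, l, r in zip(FEATURES, lo, rng))


def kmeans(vectors: List[Vector], k: int, max_iter: int = 100) -> List[Vector]:
    # Step b (assumed variant): farthest-first choice of k initial centres, deterministic.
    centres = [vectors[0]]
    while len(centres) < k:
        centres.append(max(vectors, key=lambda v: min(euclid(v, c) for c in centres)))
    for _ in range(max_iter):                       # cap guards against oscillating centres
        clusters: List[List[Vector]] = [[] for _ in range(k)]
        for v in vectors:                           # step c: assign to the nearest centre
            clusters[min(range(k), key=lambda i: euclid(v, centres[i]))].append(v)
        new = [tuple(sum(col) / len(m) for col in zip(*m)) if m else centres[i]
               for i, m in enumerate(clusters)]     # step d: mean of each cluster
        if new == centres:                          # step e: stop when centres stop moving
            break
        centres = new
    return centres


def nearest(v: Vector, centres: Sequence[Vector]) -> float:
    return min(euclid(v, c) for c in centres)


def build_model(rows: Sequence[dict], k: int = 2) -> Model:
    lo, rng = fit_scaler(rows)
    vecs = [vectorize(r, lo, rng) for r in rows]
    centres = kmeans(vecs, k)
    dists = [nearest(v, centres) for v in vecs]
    mean = sum(dists) / len(dists)
    std = math.sqrt(sum((d - mean) ** 2 for d in dists) / len(dists))
    # Threshold rule is an assumption; the claims only say "set a threshold".
    return Model(lo, rng, centres, mean + 3 * std)


def score(row: dict, model: Model) -> Tuple[bool, float]:
    """Step (3): suspicious when the distance to the nearest centre exceeds the threshold."""
    d = nearest(vectorize(row, model.lo, model.rng), model.centres)
    return d > model.threshold, d


def attack_chain(rows: Sequence[dict], model: Model,
                 geo: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Step (4): (src, src location, dst, dst location) for each suspicious record."""
    return [(r["src"], geo.get(r["src"], "unknown"), r["dst"], geo.get(r["dst"], "unknown"))
            for r in rows if score(r, model)[0]]


if __name__ == "__main__":
    model = build_model(HISTORY)
    for src, src_loc, dst, dst_loc in attack_chain(NEW, model, GEO):
        print(f"{src} ({src_loc}) -> {dst} ({dst_loc})")
```

On the constructed history the two centres separate the browsing and file-sync sessions, the normal request lands a few hundredths from its centre, and the sweep and the upload land tens of scaled units away, so only those two produce attack-chain hops. The same structure applies to real records once the feature set and the threshold are chosen from the deployment's own history; the threshold, not the clustering, decides the false-positive rate, and it must be re-derived whenever the model is retrained.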
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811116207.XA CN109218321A (en) | 2018-09-25 | 2018-09-25 | A kind of network inbreak detection method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811116207.XA CN109218321A (en) | 2018-09-25 | 2018-09-25 | A kind of network inbreak detection method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109218321A true CN109218321A (en) | 2019-01-15 |
Family
ID=64985186
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811116207.XA Pending CN109218321A (en) | 2018-09-25 | 2018-09-25 | A kind of network inbreak detection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109218321A (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105208040A (en) * | 2015-10-12 | 2015-12-30 | 北京神州绿盟信息安全科技股份有限公司 | Network attack detection method and device |
CN105376255A (en) * | 2015-12-08 | 2016-03-02 | 国网福建省电力有限公司 | Android platform intrusion detection method based on K-means cluster |
CN106330906A (en) * | 2016-08-23 | 2017-01-11 | 上海海事大学 | Method for detecting DDoS (Distributed Denial of Service) attack in big data environment |
CN107895171A (en) * | 2017-10-31 | 2018-04-10 | 天津大学 | A kind of intrusion detection method based on K averages Yu depth confidence network |
CN108040053A (en) * | 2017-12-13 | 2018-05-15 | 北京明朝万达科技股份有限公司 | A kind of network security threats analysis method and system based on DNS daily record datas |
CN108173818A (en) * | 2017-12-13 | 2018-06-15 | 北京明朝万达科技股份有限公司 | A kind of network security threats analysis method and system based on Proxy daily record datas |
CN108509793A (en) * | 2018-04-08 | 2018-09-07 | 北京明朝万达科技股份有限公司 | A kind of user's anomaly detection method and device based on User action log data |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110276195A (en) * | 2019-04-25 | 2019-09-24 | 北京邮电大学 | A kind of smart machine intrusion detection method, equipment and storage medium |
CN110493176A (en) * | 2019-07-02 | 2019-11-22 | 北京科东电力控制系统有限责任公司 | A kind of user's suspicious actions analysis method and system based on non-supervisory machine learning |
CN110505202A (en) * | 2019-07-12 | 2019-11-26 | 中国科学院信息工程研究所 | A kind of attack tissue discovery method and system |
CN110493264B (en) * | 2019-09-18 | 2021-12-24 | 北京工业大学 | Internal threat discovery method based on internal network entity relationship and behavior chain |
CN110493264A (en) * | 2019-09-18 | 2019-11-22 | 北京工业大学 | It is a kind of that method is found based on the inside threat of Intranet entity relationship and behavioral chain |
CN110753065B (en) * | 2019-10-28 | 2022-03-01 | 国网河南省电力公司信息通信公司 | Network behavior detection method, device, equipment and storage medium |
CN110753065A (en) * | 2019-10-28 | 2020-02-04 | 国网河南省电力公司信息通信公司 | Network behavior detection method, device, equipment and storage medium |
CN110944016A (en) * | 2019-12-25 | 2020-03-31 | 中移(杭州)信息技术有限公司 | DDoS attack detection method, device, network equipment and storage medium |
CN110944016B (en) * | 2019-12-25 | 2022-06-14 | 中移(杭州)信息技术有限公司 | DDoS attack detection method, device, network equipment and storage medium |
CN111107102A (en) * | 2019-12-31 | 2020-05-05 | 上海海事大学 | Real-time network flow abnormity detection method based on big data |
CN111935175A (en) * | 2020-09-14 | 2020-11-13 | 华芯生物科技(武汉)有限公司 | Data encryption transmission method of detection equipment |
CN117614746A (en) * | 2024-01-23 | 2024-02-27 | 湖南恒茂信息技术有限公司 | Switch defense attack method based on historical statistics for judging deviation behaviors |
CN117614746B (en) * | 2024-01-23 | 2024-04-05 | 湖南恒茂信息技术有限公司 | Switch defense attack method based on historical statistics for judging deviation behaviors |
Similar Documents
Publication | Title |
---|---|
CN109218321A (en) | A kind of network inbreak detection method and system |
CN109615116B (en) | Telecommunication fraud event detection method and system |
Gogoi et al. | MLH-IDS: a multi-level hybrid intrusion detection method |
Janarthanan et al. | Feature selection in UNSW-NB15 and KDDCUP'99 datasets |
Sahu et al. | Network intrusion detection system using J48 Decision Tree |
CN111935170B (en) | Network abnormal flow detection method, device and equipment |
CN107517216B (en) | Network security event correlation method |
US20070289013A1 (en) | Method and system for anomaly detection using a collective set of unsupervised machine-learning algorithms |
CN104660594A (en) | Method for identifying virtual malicious nodes and virtual malicious node network in social networks |
CN103441982A (en) | Intrusion alarm analyzing method based on relative entropy |
CN109150859B (en) | Botnet detection method based on network traffic flow direction similarity |
CN112153221B (en) | Communication behavior identification method based on social network diagram calculation |
CN109951462B (en) | Application software flow anomaly detection system and method based on holographic modeling |
CN113420802B (en) | Alarm data fusion method based on improved spectral clustering |
CN105635085A (en) | Security big data analysis system and method based on dynamic health degree model |
CN109325232A (en) | A kind of user behavior exception analysis method, system and storage medium based on LDA |
Xu et al. | [Retracted] DDoS Detection Using a Cloud-Edge Collaboration Method Based on Entropy-Measuring SOM and KD-Tree in SDN |
Perona et al. | Service-independent payload analysis to improve intrusion detection in network traffic |
Corchado et al. | Detecting compounded anomalous SNMP situations using cooperative unsupervised pattern recognition |
CN115085948A (en) | Network security situation assessment method based on improved D-S evidence theory |
Martins et al. | Automatic detection of computer network traffic anomalies based on eccentricity analysis |
KR102609592B1 (en) | Method and apparatus for detecting abnormal behavior of IoT system |
CN114362972B (en) | Botnet hybrid detection method and system based on flow abstract and graph sampling |
CN116527307A (en) | Botnet detection algorithm based on community discovery |
Sulaiman et al. | Big data analytic of intrusion detection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190115 |
|
RJ01 | Rejection of invention patent application after publication |