CN110830464B - Network flow abnormity detection system - Google Patents

Publication number: CN110830464B
Authority: CN (China)
Prior art keywords: network, speed, network access, time, real
Legal status: Active
Application number: CN201911050601.2A
Other languages: Chinese (zh)
Other versions: CN110830464A (en)
Inventors: 黄永权, 李锦基, 李明东, 刘家鑫, 曾洋林
Current Assignee: Gold Sea Comm Corp
Original Assignee: Gold Sea Comm Corp

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a network flow abnormity detection system and relates to the technical field of network detection. The system comprises a network access device group, a network speed monitoring unit, a data verification unit, a processor, a theft analysis unit, a display unit, an alarm unit and an input unit. The network speed monitoring unit monitors the real-time network access speed of all the network access devices; the data verification unit analyzes the real-time network access speed Vij of each network access device to judge whether the network shows an abnormal low-speed phenomenon; the theft analysis unit judges whether the network shows a network speed surge and abnormal high-speed access; and the alarm unit gives an early warning in time, so that traffic anomalies are found in time, thereby avoiding serious faults or shortening the fault occurrence time and ensuring the safety of network use.

Description

Network flow abnormity detection system
Technical Field
The invention belongs to the technical field of network detection, and particularly relates to a network flow abnormity detection system.
Background
As the requirement of the user on the network service quality is continuously increased, a large amount of data with different types exists in the network, and in order to complete the transmission task of the data, the network device has to consume more resources for calculation and processing, which has a certain influence on the stability of the overall performance of the network.
There are many possible sources of abnormal traffic, including new applications and business coming online, computer viruses, hacker intrusions, network worms, denial of network service, use of illegal software, network device failures, illegal occupation of network bandwidth, etc. Although network traffic can become abnormal, it changes regularly most of the time; when it does become abnormal, the harm to the whole network is greater, so traffic anomalies must be found in time to minimize the loss.
The network flow abnormity detection system is provided, so that the network service condition can be dynamically detected in real time, classification early warning is realized, flow abnormity can be found in time, and serious faults can be avoided or the fault occurrence time can be shortened.
Disclosure of Invention
The invention aims to provide a network flow abnormity detection system, which monitors the real-time network access speeds of all network access devices through a network speed monitoring unit, judges through a data verification unit whether the network shows an abnormal low-speed phenomenon, judges through a theft analysis unit whether the network shows a network speed surge or abnormal high-speed access, and gives a timely warning through an alarm unit, so as to find traffic anomalies in time, avoid serious faults or shorten the fault occurrence time, and ensure the safety of network use.
In order to solve the technical problems, the invention is realized by the following technical scheme:
The invention relates to a network flow abnormity detection system, which comprises a network access device group, a network speed monitoring unit, a data verification unit, a processor, a theft analysis unit, a display unit, an alarm unit and an input unit, wherein the network access device group is connected with the network speed monitoring unit; the network access device group comprises a plurality of network access devices, a network access device being a device in the detection area that needs to use the network, and the network access devices are respectively marked as Si; the network speed monitoring unit monitors the real-time network access speeds of all the network access devices, acquires the real-time access speed of each network access device every preset time T from the initial time, and marks these speeds as Vij; wherein Vij represents the real-time network access speed of device i in the j-th time interval; Vim represents the latest real-time network access speed of device i; i = 1, 2, 3, ..., n; j = 1, 2, 3, ..., m; and n and m are integers; the network speed monitoring unit transmits the real-time network access speed Vij of each network access device to the data verification unit and the theft analysis unit respectively; the data verification unit calculates the real variation difference value Ci corresponding to each network access device through the check rule, and transmits all real variation difference values Ci that are smaller than X1 to the processor, wherein X1 is less than 0; the processor marks the number of received real variation difference values Ci as G, and when
Figure DEST_PATH_IMAGE002
≥ X2, a network low-speed signal is generated, which indicates that the network access speed is abnormal, so that the overall access speed is limited;
the theft analysis unit acquires the real-time network access speed Vij of each network access device from the network speed monitoring unit, and calculates the real variation difference value Ci corresponding to each network access device through the check rule; when Ci > X3, the theft analysis unit generates a network speed surge signal and transmits the network speed surge signal to the controller; the theft analysis unit then continues to acquire the real-time access speed of each network access device from the network speed monitoring unit, analyzes the real-time access speed of each network access device and judges whether abnormal high-speed access exists, and when abnormal high-speed access exists, the theft analysis unit generates an abnormal high-speed access signal and transmits it to the processor; the processor carries out early warning through the alarm unit.
Further, the check rule is:
SS01: obtain the network access speeds Vim and Vi(m-1) corresponding to each network access device;
SS02: according to the formula Ci = Vim - Vi(m-1), calculate the real variation difference value Ci corresponding to each network access device.
Further, when the processor receives a network low-speed signal, a network speed surge signal and an abnormal high-speed access signal, the processor drives the alarm unit to send out an acousto-optic early warning, and the words "network low-speed", "network speed surge" and "abnormal high-speed access" are correspondingly displayed through the display unit.
Further, the input unit is in communication with the processor, and the input unit is used to enter the settings for the preset time T, X1, X2 and X3.
Further, the method by which the theft analysis unit analyzes the real-time access speed of each network access device and judges whether abnormal high-speed access exists comprises the following steps:
S001: obtain Vi(m+1), Vi(m+2), Vi(m+3), Vi(m+4) and Vi(m+5) corresponding to each network access device from the network speed monitoring unit;
S002: calculate the difference between each of Vi(m+1), Vi(m+2), Vi(m+3), Vi(m+4), Vi(m+5) and Vim;
S003: if all the differences obtained in step S002 are greater than X3, abnormal high-speed access exists.
The invention has the following beneficial effects:
The invention monitors the real-time network access speed of all the network access devices through the network speed monitoring unit; the data verification unit analyzes the real-time network access speed Vij of each network access device to judge whether the network shows an abnormal low-speed phenomenon; the theft analysis unit judges whether the network shows a network speed surge and abnormal high-speed access; and the alarm unit gives an early warning in time, so that traffic anomalies are found in time, thereby avoiding serious faults or shortening the fault occurrence time and ensuring the safety of network use.
Of course, it is not necessary for any product in which the invention is practiced to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a network traffic anomaly detection system according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to Fig. 1, the present invention is a system for detecting network traffic anomalies, which includes a network access device group, a network speed monitoring unit, a data verification unit, a processor, a theft analysis unit, a display unit, an alarm unit and an input unit; the network access device group comprises a plurality of network access devices, a network access device being a device in the detection area that needs to use the network, and the network access devices are respectively marked as Si; the network speed monitoring unit monitors the real-time network access speed of all the network access devices, acquires the real-time access speed of each network access device at intervals of the preset time T from the initial time, and marks the real-time access speed as Vij; wherein Vij represents the real-time network access speed of device i in the j-th time interval; Vim represents the latest real-time network access speed of device i; i = 1, 2, 3, ..., n; j = 1, 2, 3, ..., m; and n and m are integers; the network speed monitoring unit transmits the real-time network access speed Vij of each network access device to the data verification unit and the theft analysis unit respectively; the data verification unit calculates the real variation difference value Ci corresponding to each network access device through the check rule, and transmits all real variation difference values Ci that are smaller than X1 to the processor, wherein X1 is less than 0; the processor marks the number of received real variation difference values Ci as G, namely G suspected network speed reduction phenomena exist, and when
Figure 220768DEST_PATH_IMAGE002
≥ X2, the network access speed is abnormal, so that the overall access speed is limited;
the theft analysis unit acquires the real-time network access speed Vij of each network access device from the network speed monitoring unit, and calculates the real variation difference value Ci corresponding to each network access device through the check rule; when Ci > X3, the theft analysis unit generates a network speed surge signal and transmits the network speed surge signal to the controller; the theft analysis unit then continues to acquire the real-time access speed of each network access device from the network speed monitoring unit, analyzes the real-time access speed of each network access device and judges whether abnormal high-speed access exists; when abnormal high-speed access exists, the theft analysis unit generates an abnormal high-speed access signal and transmits it to the processor, in which case a background program may be accessing the network without this being known; the processor carries out early warning through the alarm unit.
The check rule is as follows:
SS01: obtain the network access speeds Vim and Vi(m-1) corresponding to each network access device;
SS02: according to the formula Ci = Vim - Vi(m-1), calculate the real variation difference value Ci corresponding to each network access device.
When the processor receives a network low-speed signal, a network speed surge signal and an abnormal high-speed access signal, the processor drives the alarm unit to give out an acousto-optic early warning, and the words "network low-speed", "network speed surge" and "abnormal high-speed access" are correspondingly displayed through the display unit.
The input unit is connected with the processor in communication, and is used to enter the settings for the preset time T, X1, X2 and X3.
The method by which the theft analysis unit analyzes the real-time access speed of each network access device and judges whether abnormal high-speed access exists comprises the following steps:
S001: obtain Vi(m+1), Vi(m+2), Vi(m+3), Vi(m+4) and Vi(m+5) corresponding to each network access device from the network speed monitoring unit;
S002: calculate the difference between each of Vi(m+1), Vi(m+2), Vi(m+3), Vi(m+4), Vi(m+5) and Vim;
S003: if all the differences obtained in step S002 are greater than X3, abnormal high-speed access exists.
A network flow abnormity detection system monitors the real-time network access speeds of all network access devices through a network speed monitoring unit; a data verification unit analyzes the real-time network access speed Vij of each network access device to judge whether the network shows an abnormal low-speed phenomenon; a theft analysis unit judges whether the network shows a network speed surge or abnormal high-speed access; and an alarm unit gives an early warning in time, so that traffic anomalies are found in time, serious faults are avoided or the fault occurrence time is shortened, and the safety of network use is ensured.
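The check rule (SS01-SS02), the count G and the confirmation steps S001-S003, written out as an added Python example (not code from the patent) that replays per-device speed samples. Assumptions: the differences in S002 are taken as Vi(m+k) - Vim, no new surge is evaluated for a device while its five-sample window is open, and the function names, class name and sample speeds are constructed here. The expression compared with X2 is an image that does not survive on this page, so the data verification part stops at the list whose length is G.

```python
SURGE = "network speed surge"
HIGH_SPEED = "abnormal high-speed access"
FOLLOW_UPS = 5  # S001 collects Vi(m+1) .. Vi(m+5)


def real_variation(v_im, v_prev):
    """SS02: Ci = Vim - Vi(m-1)."""
    return v_im - v_prev


def low_speed_candidates(latest, previous, x1):
    """Data verification unit: devices whose Ci < X1; G is len() of the result."""
    if x1 >= 0:
        raise ValueError("the patent requires X1 < 0")
    return [dev for dev, v_im in latest.items()
            if dev in previous and real_variation(v_im, previous[dev]) < x1]


class TheftAnalysisUnit:
    """Surge detection (Ci > X3) followed by the S001-S003 confirmation."""

    def __init__(self, x3):
        self.x3 = x3
        self._last = {}    # device -> previous sample, Vi(m-1)
        self._window = {}  # device -> (Vim, follow-up samples so far)

    def observe(self, device, speed):
        """Feed one sample for one device; return the signals it raises."""
        signals = []
        window = self._window.get(device)
        if window is not None:
            v_im, later = window
            later.append(speed)
            if len(later) == FOLLOW_UPS:
                del self._window[device]
                # S002/S003: every follow-up must exceed Vim by more than X3.
                # Vim is the already-surged sample, so a device that jumps
                # and then stays level does not confirm under this rule.
                if all(v - v_im > self.x3 for v in later):
                    signals.append(HIGH_SPEED)
        else:
            prev = self._last.get(device)
            if prev is not None and real_variation(speed, prev) > self.x3:
                signals.append(SURGE)
                self._window[device] = (speed, [])
        self._last[device] = speed
        return signals


def replay(samples, x3, device="S1"):
    """Run one device's samples through the unit; return (interval j, signal)."""
    unit = TheftAnalysisUnit(x3)
    events = []
    for j, speed in enumerate(samples, start=1):
        events.extend((j, sig) for sig in unit.observe(device, speed))
    return events


# Constructed sample data (units are arbitrary; the page gives none).
GROWING = [10, 11, 60, 130, 135, 140, 150, 160]  # surge, then keeps climbing
PLATEAU = [10, 12, 70, 72, 71, 73, 70, 72]       # surge, then stays level

if __name__ == "__main__":
    print(replay(GROWING, x3=40))
    print(replay(PLATEAU, x3=40))
    print(low_speed_candidates({"S1": 20, "S2": 38, "S3": 5},
                               {"S1": 50, "S2": 40, "S3": 30}, x1=-10))
```
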
In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (1)

1. A network flow abnormity detection system is characterized by comprising a network access equipment group, a network speed monitoring unit, a data verification unit, a processor, a theft analysis unit, a display unit, an alarm unit and an input unit;
the network access device group comprises a plurality of network access devices, a network access device being a device in the detection area that needs to use the network, and the network access devices are respectively marked as Si;
the network speed monitoring unit monitors the real-time network access speed of all the network access devices, acquires the real-time access speed of each network access device at preset time intervals T from the initial time, and marks the real-time access speed as Vij;
wherein i = 1, 2, 3, ..., n; j = 1, 2, 3, ..., m; n and m are integers; Vij represents the real-time network access speed of device i in the j-th time interval; Vim represents the latest real-time network access speed of device i;
the network speed monitoring unit transmits the real-time network access speed Vij of each network access device to the data verification unit and the theft analysis unit respectively;
the data verification unit calculates the real variation difference value Ci corresponding to each network access device through the check rule, and transmits all real variation difference values Ci that are less than X1 to the processor, wherein X1 < 0;
the processor marks the number of received real variation difference values Ci as G, and when
Figure RE-FDA0002911223810000011
generates a network low-speed signal;
the theft analysis unit obtains the real-time network access speed Vij of each network access device from the network speed monitoring unit, and calculates the real variation difference value Ci corresponding to each network access device through the check rule;
when Ci > X3, the theft analysis unit generates a network speed surge signal and transmits the network speed surge signal to the controller; the theft analysis unit then continues to acquire the real-time access speed of each network access device from the network speed monitoring unit, analyzes the real-time access speed of each network access device and judges whether abnormal high-speed access exists, and when abnormal high-speed access exists, the theft analysis unit generates an abnormal high-speed access signal and transmits it to the processor;
the processor carries out early warning through the alarm unit;
the check rule is as follows:
SS01: obtain the network access speeds Vim and Vi(m-1) corresponding to each network access device;
SS02: according to the formula Ci = Vim - Vi(m-1), calculate the real variation difference value Ci corresponding to each network access device;
when the processor receives a network low-speed signal, a network speed surge signal and an abnormal high-speed access signal, the processor drives the alarm unit to send out an acousto-optic early warning, and the words "network low-speed", "network speed surge" and "abnormal high-speed access" are correspondingly displayed through the display unit respectively;
the input unit is in communication connection with the processor and is used to enter the settings for the preset time T, X1, X2 and X3;
the method by which the theft analysis unit analyzes the real-time access speed of each network access device and judges whether abnormal high-speed access exists comprises the following steps:
S001: obtain Vi(m+1), Vi(m+2), Vi(m+3), Vi(m+4) and Vi(m+5) corresponding to each network access device from the network speed monitoring unit;
S002: calculate the difference between each of Vi(m+1), Vi(m+2), Vi(m+3), Vi(m+4), Vi(m+5) and Vim;
S003: if all the differences obtained in step S002 are greater than X3, abnormal high-speed access exists.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911050601.2A (CN110830464B, en) | 2019-10-31 | 2019-10-31 | Network flow abnormity detection system

Publications (2)

Publication Number | Publication Date
CN110830464A | 2020-02-21
CN110830464B | 2021-06-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant