CN1809000A - Network intrusion detection method - Google Patents


Info

Publication number: CN1809000A
Authority: CN (China)
Prior art keywords: detection, data, network, detection method, message
Legal status: Pending
Application number: CN 200610020268
Other languages: Chinese (zh)
Inventor: 廖竣锴
Current Assignee: SANLINGSHENG-AN INFORMATION SYSTEM Co Ltd CHENGDU CITY
Original Assignee: SANLINGSHENG-AN INFORMATION SYSTEM Co Ltd CHENGDU CITY
Priority date: 2006-02-13
Filing date: 2006-02-13
Publication date: 2006-07-26
Application filed by SANLINGSHENG-AN INFORMATION SYSTEM Co Ltd CHENGDU CITY

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Alarm Systems (AREA)

Abstract

This invention discloses a network intrusion detection method, a security detection method that judges whether the network data flow under examination constitutes an intrusion. The method comprises the steps of data pre-processing, learning and detection. The learning and detection steps use a BP neural network as the data-processing model, and pre-processed data are routed to the learning step or the detection step according to the current state of the system.

Description

A network intrusion detection method
Technical field
The present invention relates to a security detection method for the Internet, in particular to a detection method that determines whether a network intrusion is taking place by examining network traffic data.
Background technology
In a network intrusion detection system, the most critical component is the intrusion detection method. Detection methods mostly use either signature (feature) matching or anomaly detection. Signature matching mainly looks for keywords in network attack data, so an attacker can easily evade detection by modifying those keywords. Anomaly detection recognises attacks by distinguishing normal behaviour from abnormal behaviour using various anomaly-detection techniques. Anomaly detection is not bound to keywords, and once a detection model has been correctly established it can detect any attack whose behavioural features are similar. However, correct construction of the model is affected by many factors; if the detection model deviates too far from the actual environment, detection accuracy falls.
At present, the anomaly-detection method most widely used in practical intrusion detection systems relies on statistical methods; its theory is mature and its principle simple, but its adaptability is poor. Many other anomaly-detection techniques are still at the research stage; among them, neural network and data mining techniques are comparatively mature, but no complete solution exists.
Summary of the invention
The object of the invention is to overcome the shortcomings of existing network intrusion detection methods by providing a network intrusion detection method that detects abnormal network traffic, has self-learning capability, adapts well and achieves higher detection accuracy.
The object of the invention is achieved by the following technical solution:
A network intrusion detection method judges the legitimacy of data by examining the traffic features of data transmitted over the network, and is characterised in that the detection method comprises three steps: data pre-processing, learning and detection. The data first pass through the pre-processing step, which extracts the network traffic feature data to be examined and produces data samples for learning or detection; the learning step collects the pre-processed data samples and generates a new detection model for anomaly detection; the detection step then uses the detection model to examine the sample data passed on by the pre-processing part and judges whether the data are normal or abnormal.
The learning and detection steps use a neural network as the model.
The neural network is a BP (back-propagation) neural network.
The BP neural network uses a variable-learning-rate BP algorithm and has a three-layer structure; the number of nodes in the input layer and in the hidden layer is determined by the number of traffic features examined, and the output layer has a single node.
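The three-layer, single-output BP network with a variable learning rate described above, as an added Python example that is not part of the patent. The concrete learning-rate rule (raise the rate while the epoch error falls, cut it when the error rises, with an upper cap), the sigmoid activation, the hidden-layer width equal to the feature count and the constructed training samples are all assumptions.

```python
import math
import random

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

class BPNet:
    """Three-layer BP network: n input nodes, n hidden nodes, one output node
    (node counts follow the number of traffic features, as the patent states)."""

    def __init__(self, n_features, lr=0.3, seed=7):
        rng = random.Random(seed)          # fixed seed keeps the demo reproducible
        self.n = n_features
        self.w_ih = [[rng.uniform(-0.5, 0.5) for _ in range(self.n)] for _ in range(self.n)]
        self.b_h = [0.0] * self.n
        self.w_ho = [rng.uniform(-0.5, 0.5) for _ in range(self.n)]
        self.b_o = 0.0
        self.lr = lr

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w_ih, self.b_h)]
        o = sigmoid(sum(w * hj for w, hj in zip(self.w_ho, h)) + self.b_o)
        return h, o

    def predict(self, x):
        return self.forward(x)[1]          # close to 1 = abnormal, close to 0 = normal

    def _epoch(self, samples):
        """One on-line back-propagation pass; returns the summed squared error."""
        err = 0.0
        for x, t in samples:
            h, o = self.forward(x)
            err += 0.5 * (t - o) ** 2
            d_o = (t - o) * o * (1.0 - o)
            d_h = [d_o * self.w_ho[j] * h[j] * (1.0 - h[j]) for j in range(self.n)]
            for j in range(self.n):
                self.w_ho[j] += self.lr * d_o * h[j]
                self.b_h[j] += self.lr * d_h[j]
                for i in range(self.n):
                    self.w_ih[j][i] += self.lr * d_h[j] * x[i]
            self.b_o += self.lr * d_o
        return err

    def train(self, samples, epochs=300, up=1.05, down=0.7, lr_max=1.0):
        """Variable-learning-rate BP (assumed rule): grow the rate while the
        epoch error keeps falling, shrink it when the error rises."""
        first = last = self._epoch(samples)
        for _ in range(epochs - 1):
            err = self._epoch(samples)
            self.lr = min(self.lr * up, lr_max) if err < last else self.lr * down
            last = err
        return first, last

# Constructed, already-normalised feature vectors: target 0 = normal window, 1 = abnormal.
SAMPLES = [([0.1, 0.1], 0.0), ([0.2, 0.1], 0.0), ([0.9, 0.8], 1.0), ([0.8, 0.9], 1.0)]

def demo():
    """Train on the constructed samples; return (first error, last error,
    score of a normal-looking window, score of an abnormal-looking window)."""
    net = BPNet(n_features=2)
    first, last = net.train(SAMPLES)
    return first, last, net.predict([0.15, 0.1]), net.predict([0.85, 0.85])
```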
The data pre-processing step comprises traffic feature extraction and traffic feature analysis.
The traffic feature data extracted by traffic feature extraction comprise:
a. the average TCP message length;
b. the flow of SYN messages in the TCP protocol;
c. the ratio of SYN messages to SYN+ACK messages;
d. the flow of RST messages; the UDP message length;
e. the proportion of UDP in the total number of messages;
f. the ICMP message length;
g. the proportion of ICMP in the total number of messages;
h. the ratio of ICMP echo requests to echo replies;
i. the average session length;
j. the average session time.
Traffic feature analysis means using statistical methods to compute the feature sample data of the network traffic and performing a preliminary check on each sample: if the sample is judged abnormal it is marked as an exceptional sample and a message is sent to the abnormal-alarm step; otherwise the sample enters the learning step or the detection step.
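Feature extraction for items a to j above and the statistical preliminary check that follows it, as an added Python example that is not part of the patent. The packet and session records are constructed inline, "flow" of SYN and RST messages is taken as a per-window count, and the z-score-style baseline check with k = 3 is an assumed form of the "statistical method" the text leaves unspecified.

```python
from statistics import mean

# Constructed packet records: (protocol, length in bytes, set of flags/types);
# a real system would fill them from the decoding step of Fig. 1.
PACKETS = [
    ("tcp", 60, {"SYN"}), ("tcp", 60, {"SYN", "ACK"}), ("tcp", 1400, {"ACK"}),
    ("tcp", 40, {"RST"}), ("udp", 200, set()), ("udp", 300, set()),
    ("icmp", 84, {"echo_request"}), ("icmp", 84, {"echo_reply"}),
]
# Constructed session records: (bytes transferred, duration in seconds).
SESSIONS = [(5000, 2.0), (3000, 4.0)]
# Constructed SYN-flood-like window: many SYNs, almost no SYN+ACK replies.
FLOOD = [("tcp", 60, {"SYN"})] * 50 + [("tcp", 60, {"SYN", "ACK"})] * 2

def ratio(num, den):
    # Never divide by zero: a flood with no replies must still yield a large value.
    return num / den if den else float(num)

def avg_len(pkts):
    return mean(p[1] for p in pkts) if pkts else 0.0

def extract_features(packets, sessions):
    """Features a-j of the patent, computed over one observation window."""
    total = len(packets)
    tcp = [p for p in packets if p[0] == "tcp"]
    udp = [p for p in packets if p[0] == "udp"]
    icmp = [p for p in packets if p[0] == "icmp"]
    syn = sum(1 for p in tcp if "SYN" in p[2] and "ACK" not in p[2])
    synack = sum(1 for p in tcp if {"SYN", "ACK"} <= p[2])
    echo_req = sum(1 for p in icmp if "echo_request" in p[2])
    echo_rep = sum(1 for p in icmp if "echo_reply" in p[2])
    return {
        "tcp_avg_len": avg_len(tcp),                        # a
        "tcp_syn_count": syn,                               # b
        "syn_to_synack": ratio(syn, synack),                # c
        "rst_count": sum(1 for p in tcp if "RST" in p[2]),  # d
        "udp_avg_len": avg_len(udp),                        # d (second item)
        "udp_share": ratio(len(udp), total),                # e
        "icmp_avg_len": avg_len(icmp),                      # f
        "icmp_share": ratio(len(icmp), total),              # g
        "icmp_echo_ratio": ratio(echo_req, echo_rep),       # h
        "session_avg_len": mean(s[0] for s in sessions) if sessions else 0.0,   # i
        "session_avg_time": mean(s[1] for s in sessions) if sessions else 0.0,  # j
    }

# Constructed baseline (mean, std) for the features the statistical pre-screen inspects.
BASELINE = {"syn_to_synack": (1.0, 0.2), "rst_count": (1.0, 1.0), "icmp_echo_ratio": (1.0, 0.5)}

def preliminary_check(features, baseline, k=3.0):
    """Statistical pre-screen of the traffic-feature analysis step: any feature more
    than k standard deviations from its baseline marks the sample as exceptional,
    which then goes to the abnormal-alarm step instead of learning or detection."""
    return [name for name, (mu, sigma) in baseline.items()
            if abs(features[name] - mu) > k * sigma]
```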
The detection method provides a status flag corresponding to three states: the learning state, the detection state and the detection-model update state. When the status flag indicates the learning state, the output data of the pre-processing step are passed to the learning step; when it indicates the detection state, the output data of the pre-processing step are passed to the detection step; when it indicates the detection-model update state, the output data of the pre-processing step are passed to both the learning step and the detection step.
The beneficial effects of the invention are as follows. Once the neural network detection model has been established, abnormal network traffic can be detected correctly, and abnormal traffic such as FLOOD attacks, TCP, can be detected effectively. The dedicated learning step can adjust the detection model parameters as the network environment differs, adapting to different network traffic environments, and through continuous learning it produces new detection models that replace old ones, so that the current state of network traffic is reflected better. Compared with conventional anomaly detection based on statistical methods, the invention, owing to the characteristics of neural networks, has the advantages of lower computational cost, better real-time performance, strong self-learning capability, strong adaptability and high detection accuracy. It can be used to detect intrusion signals or intrusion behaviour on a network.
Description of drawings
Fig. 1 is a schematic flow diagram of the present invention;
Fig. 2 is a schematic block diagram of the state transitions of the present invention.
Embodiment
The present invention is further described below with reference to the drawings and a specific embodiment.
Embodiment: the network intrusion detection method consists of a packet capture step, a decoding step, a data pre-processing step, a learning step, a detection step and an abnormal-alarm step, as shown in Figure 1. The packet capture step collects raw network data; the decoding step parses the network protocols of the data; the data pre-processing step extracts the traffic features of the data; the learning step collects enough traffic feature data and generates a new detection model to replace the original one; the detection step uses the detection model produced by the learning step to examine network data; the abnormal-alarm step receives messages from the detection step and raises an abnormal alarm.
A complete detection flow is as follows:
After the packet capture step has captured network data, the data are delivered to the decoding step, which parses the packet's network protocol. After decoding, the data are sent to the pre-processing step, where the system extracts information from the packet, computes the traffic features and enters a different step according to the current state of the system. When the system state is 0, the learning state, the data are sent to the learning step; when the system state is 1, the detection state, the data are sent to the detection step; when the system state is 2, the detection-model update state, the data are sent to both the learning step and the detection step: the learning step generates a new detection model and sends it to the detection step to replace the original model, while the detection step examines the data and, if the result is judged to warrant an alarm, notifies the abnormal-alarm step. On receiving the notification, the abnormal-alarm step raises an abnormal alarm.
As shown in Fig. 2, the system state transitions are as follows:
1. When the system is installed in a new network environment, the system state is 0, the learning state. In the learning state, sample data do not pass through the detection step;
2. After learning is complete, the new detection model is installed in the detection step and the system state becomes 1, the detection state; sample data now do not pass through the learning step;
3. While the system is running, the detection model can be updated regularly or irregularly. When the detection model is being updated, the system state becomes 2, the detection-model update state. In the update state, sample data are delivered to both the learning step and the detection step, and the detection step performs anomaly detection with the current detection model.
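The status-flag routing of Fig. 2 and the flow above (states 0, 1 and 2, including the model replacement at the end of an update), as an added Python example that is not part of the patent. The toy per-feature-mean model, the batch size that ends a learning phase and the alarm threshold are assumptions standing in for the BP network and its learning step.

```python
LEARNING, DETECTING, UPDATING = 0, 1, 2   # the three status-flag values

class Detector:
    """Routes pre-processed samples according to the status flag, as in Fig. 2."""

    def __init__(self, batch=3, threshold=0.5):
        self.state = LEARNING       # a freshly installed system starts by learning
        self.model = None           # no detection model until learning completes
        self.batch = batch          # samples the learning step collects per model
        self.threshold = threshold  # assumed alarm threshold for the toy model
        self.buffer = []
        self.alarms = []

    def _learn(self, sample):
        """Learning step: collect samples and, once enough are present, emit a new
        model. Toy model (assumption): per-feature mean of the batch; the patent
        trains a BP network here instead. Returns True when a model is ready."""
        self.buffer.append(sample)
        if len(self.buffer) < self.batch:
            return False
        n = len(self.buffer)
        self.model = [sum(v[i] for v in self.buffer) / n for i in range(len(sample))]
        self.buffer = []
        return True

    def _detect(self, sample):
        """Detection step using the current model; True means an alarm was raised."""
        score = max(abs(a - b) for a, b in zip(sample, self.model))
        if score > self.threshold:
            self.alarms.append(sample)      # notify the abnormal-alarm step
            return True
        return False

    def feed(self, sample):
        """Pre-processing hands over one sample; routing depends on the state."""
        if self.state == LEARNING:          # state 0: learning step only
            if self._learn(sample):
                self.state = DETECTING      # new model installed in the detector
            return None
        if self.state == DETECTING:         # state 1: detection step only
            return self._detect(sample)
        alarm = self._detect(sample)        # state 2: both; detect with current model
        if self._learn(sample):
            self.state = DETECTING          # fresh model replaces the old one
        return alarm

    def begin_update(self):
        """A regular or irregular model refresh moves the system into state 2."""
        self.state = UPDATING
```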
The present invention is applicable to intrusion detection of abnormal traffic in IP networks. A network device that uses the detection method disclosed herein can be an independent network device product or part of network intrusion monitoring equipment.

Claims (8)

1. A network intrusion detection method that judges the legitimacy of data by examining the traffic features of data transmitted over the network, characterised in that the detection method comprises three steps: pre-processing, learning and detection. The data first pass through the pre-processing step, which extracts the network traffic feature data to be examined and produces data samples for learning or detection; the learning step collects the pre-processed data samples and generates a new detection model for anomaly detection; the detection step then uses the detection model to examine the sample data passed on by the pre-processing step and judges whether the data are normal or abnormal.
2. The network intrusion detection method of claim 1, characterised in that the learning and detection steps use a neural network as the model.
3. The network intrusion detection method of claim 2, characterised in that the neural network is a BP neural network.
4. The network intrusion detection method of claim 3, characterised in that the BP neural network uses a variable-learning-rate BP algorithm and has a three-layer structure; the number of input-layer and hidden-layer nodes is determined by the number of selected traffic features, and the output layer has a single node.
5. The network intrusion detection method of claim 1 or 4, characterised in that the pre-processing step comprises traffic feature extraction and traffic feature analysis.
6. The network intrusion detection method of claim 5, characterised in that the traffic feature data extracted by traffic feature extraction comprise:
a. the average TCP message length;
b. the flow of SYN messages in the TCP protocol;
c. the ratio of SYN messages to SYN+ACK messages;
d. the flow of RST messages; the UDP message length;
e. the proportion of UDP in the total number of messages;
f. the ICMP message length;
g. the proportion of ICMP in the total number of messages;
h. the ratio of ICMP echo requests to echo replies;
i. the average session length;
j. the average session time.
7. The network intrusion detection method of claim 6, characterised in that traffic feature analysis means using statistical methods to compute the feature sample data of the network traffic and performing a preliminary check on each sample: if the sample is judged abnormal it is marked as an exceptional sample and a message is sent to the abnormal-alarm step; otherwise the sample enters the learning step or the detection step.
8. The network intrusion detection method of claim 1 or 7, characterised in that the detection method provides a status flag corresponding to three states: the learning state, the detection state and the detection-model update state. When the status flag indicates the learning state, the output data of the pre-processing step are passed to the learning step; when it indicates the detection state, the output data of the pre-processing step are passed to the detection step; when it indicates the detection-model update state, the output data of the pre-processing step are passed to both the learning step and the detection step.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610020268 CN1809000A (en) 2006-02-13 2006-02-13 Network intrusion detection method


Publications (1)

Publication Number Publication Date
CN1809000A true CN1809000A (en) 2006-07-26

Family

ID=36840703


Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101257416B (en) * 2008-03-11 2010-08-18 南京邮电大学 Networking type abnormal flow defense method based on combining network with host computer
CN101399672B (en) * 2008-10-17 2011-03-02 章毅 Intrusion detection method for fusion of multiple neutral networks
CN102075383A (en) * 2010-12-29 2011-05-25 深圳市永达电子股份有限公司 Neural network-based low amplitude network flow anomaly detection method
CN101267353B (en) * 2008-04-24 2011-12-21 北京大学 A load-independent method for detecting network abuse
CN101523848B (en) * 2006-09-29 2013-03-27 阿尔卡特朗讯公司 Intelligence network anomaly detection using a type II fuzzy neural network
CN103152225A (en) * 2013-03-22 2013-06-12 东华大学 Flow monitoring and virus defense method based on VC++ and tshark
CN103731433A (en) * 2014-01-14 2014-04-16 上海交通大学 Thing network attack detection system and method
CN104123448A (en) * 2014-07-14 2014-10-29 南京理工大学 Multi-data-stream anomaly detection method based on context
CN104318304A (en) * 2014-10-20 2015-01-28 上海电机学院 BP network structure design method for pattern recognition and based on sample study
CN105577685A (en) * 2016-01-25 2016-05-11 浙江海洋学院 Intrusion detection independent analysis method and system in cloud calculation environment
CN107896229A (en) * 2017-12-26 2018-04-10 黄河交通学院 A kind of method, system and the mobile terminal of computer network abnormality detection
CN108353005A (en) * 2015-09-22 2018-07-31 瑞博股份有限公司 Method and apparatus for monitoring control system
CN110445808A (en) * 2019-08-26 2019-11-12 杭州迪普科技股份有限公司 Abnormal flow attack guarding method, device, electronic equipment
CN112291184A (en) * 2019-07-24 2021-01-29 厦门雅迅网络股份有限公司 Neural network cluster-based vehicle intranet intrusion detection method and terminal equipment
CN112929364A (en) * 2021-02-05 2021-06-08 上海观安信息技术股份有限公司 Data leakage detection method and system based on ICMP tunnel analysis



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication