CN116471066B - Flow analysis method based on flow probe - Google Patents
Flow analysis method based on flow probe
- Publication number: CN116471066B (application CN202310362224.6A)
- Authority
- CN
- China
- Prior art keywords
- flow
- abnormal
- probe
- deployment
- deployment position
- Prior art date
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/146—Tracing the source of attacks
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a flow analysis method based on a flow probe, which relates to the technical field of flow analysis and comprises the steps of obtaining a network topology structure diagram, determining the deployment position and equipment asset score of the flow probe according to the network topology structure diagram, deploying the flow probe according to the deployment position, determining the deployment cost according to the deployment position of the flow probe, obtaining the usage parameters of the flow probe, and establishing an update rule based on the equipment asset score, the deployment cost and the usage parameters of the flow probe so as to update the deployment position of the flow probe; acquiring flow characteristic attributes, calculating the information entropy of the corresponding attributes, and establishing an abnormal flow detection rule according to the historical flow to detect whether abnormal flow exists; if abnormal flow exists, carrying out backtracking analysis on the abnormal flow to determine its source. The accuracy of flow analysis is improved.
Description
Technical Field
The application relates to the technical field of flow analysis, in particular to a flow analysis method based on a flow probe.
Background
Under the overall situation of the internet, internal management systems have gradually become management systems facing large-scale networks; the various network types are very complex and chaotic, and many network devices may coexist at the same time. For example, a managed network may be formed of several sub-networks, each of which is interconnected by a switch or router. Therefore, according to the deployment mode and the type of network, a network flow probe is selected to collect the flow data information, laying a solid data basis for subsequent work.
In the prior art there is no reasonable deployment mode for the flow probe, so the flow detection accuracy is poor; the detected flow is analysed only by a simple detection program inside the probe, the analysis effect is poor, and abnormal flow cannot be accurately determined.
Therefore, how to improve the accuracy of flow detection is a technical problem to be solved at present.
Disclosure of Invention
The invention provides a flow analysis method based on a flow probe, which is used for solving the technical problem of poor flow detection accuracy in the prior art. The method comprises the following steps:
acquiring a network topology structure diagram, determining a deployment position and equipment asset scores of a flow probe according to the network topology structure diagram, deploying the flow probe according to the deployment position, determining deployment cost according to the deployment position of the flow probe, acquiring a flow probe use parameter, and establishing an update rule based on the equipment asset scores, the deployment cost and the flow probe use parameter to update the deployment position of the flow probe;
acquiring flow characteristic attributes, calculating information entropy of the corresponding attributes, and establishing an abnormal flow detection rule according to the historical flow to detect whether abnormal flow exists or not;
If the abnormal flow exists, backtracking analysis is carried out on the abnormal flow to determine the generation source.
In some embodiments of the present application, determining deployment locations and equipment asset scores for flow probes from a network topology graph includes:
The network topology structure diagram comprises a device topology structure diagram and a logic topology structure diagram;
and obtaining a first deployment position of the flow probe and equipment asset scores according to the equipment topological structure diagram, and obtaining a second deployment position of the flow probe according to the logic topological structure diagram.
In some embodiments of the present application, obtaining a first deployment location and an equipment asset score for a flow probe from an equipment topology map includes:
acquiring attribute information of each device in a device topology structure chart, and determining initial device asset scores according to the attribute information of the device and a preset device attribute table;
acquiring the association degree of equipment in an equipment topological structure diagram, and correcting the initial equipment asset score based on the association degree to obtain the equipment asset score;
If the equipment asset score exceeds a preset asset score threshold, determining a first deployment position of the flow probe;
wherein, each piece of attribute information in the preset equipment attribute table is provided with a plurality of grades.
In some embodiments of the present application, obtaining a second deployment location of the flow probe according to the logical topology graph includes:
determining a starting end and a target end to divide a logic topology structure diagram into a plurality of paths, and dividing each path into a plurality of sub-paths;
and acquiring the passing flow of each sub-path to obtain the flow of each path, screening out paths meeting the flow requirement based on the flow of each path, and determining a second deployment position of the flow probe according to the screened paths.
In some embodiments of the application, the method further comprises:
judging whether the first deployment position and the second deployment position of the flow probe have coincidence conditions or not;
And if the first deployment position and the second deployment position are overlapped, deleting the overlapped position in the first deployment position or the second deployment position.
In some embodiments of the present application, establishing an update rule to update a deployment location of a flow probe based on equipment asset scores, deployment costs, and flow probe usage parameters includes:
obtaining a flow probe utilization rate based on the flow probe utilization parameters;
The strategic requirements are obtained, the distribution ratio of the equipment asset score, the deployment cost and the traffic probe usage is determined according to the strategic requirements, and the priority of the equipment asset score, the deployment cost and the traffic probe usage is determined to update the deployment location of the traffic probe.
In some embodiments of the present application, establishing an abnormal traffic detection rule according to a historical traffic to detect whether an abnormal traffic exists, including:
The historical flow comprises normal flow and abnormal flow, the characteristic attribute of the normal flow is obtained, the corresponding information entropy is calculated to obtain the normal information entropy, the characteristic attribute of the abnormal flow is obtained, the corresponding information entropy is calculated to obtain the abnormal information entropy, and the information entropy change is determined according to the normal information entropy and the abnormal information entropy;
And determining the change relation of the information entropy of each abnormal flow type to establish an abnormal flow detection rule, and judging whether the information entropy corresponding to each attribute of the flow meets the abnormal flow detection rule or not, thereby judging the abnormal flow and the abnormal flow type.
In some embodiments of the present application, if there is an abnormal flow, performing backtracking analysis on the abnormal flow to determine a source of generation, including:
obtaining corresponding keywords from the abnormal flow, searching the database for the keywords to obtain corresponding statistical data, screening out multiple items of data from the statistical data to serve as evidence, and determining the source of the abnormal flow from the evidence and its corresponding basic probability distribution according to a preset synthesis rule.
In some embodiments of the application, the method further comprises:
if a conflict exists among a plurality of evidences and the conflict degree exceeds a preset conflict threshold, correcting the basic probability distribution according to the conflict degree to obtain a corrected basic probability distribution;
and determining a correction coefficient according to the abnormal flow type, correcting the first corrected basic probability distribution to obtain a second corrected basic probability distribution, and carrying out evidence synthesis.
By applying the technical scheme, a network topology structure diagram is acquired, the deployment position and the equipment asset score of the flow probe are determined according to the network topology structure diagram, the flow probe is deployed according to the deployment position, the deployment cost is determined according to the deployment position of the flow probe, the usage parameters of the flow probe are acquired, and an update rule is established based on the equipment asset score, the deployment cost and the usage parameters of the flow probe so as to update the deployment position of the flow probe; flow characteristic attributes are acquired, the information entropy of the corresponding attributes is calculated, and an abnormal flow detection rule is established according to the historical flow to detect whether abnormal flow exists; if abnormal flow exists, backtracking analysis is carried out on the abnormal flow to determine its source. The application improves the reliability of flow detection by reasonably setting the deployment mode of the flow probe, and updates the deployment position by balancing the equipment asset score, the deployment cost and the usage parameters of the flow probe. Whether abnormal flow exists, and of which type, is determined through the change in information entropy of the characteristic attributes of the flow, and finally the source of the abnormal flow is located through evidence theory, so that the accuracy of flow analysis is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 shows a flow chart of a flow analysis method based on a flow probe according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The embodiment of the application provides a flow analysis method based on a flow probe, as shown in fig. 1, comprising the following steps:
Step S101, a network topology structure diagram is obtained, deployment positions and equipment asset scores of flow probes are determined according to the network topology structure diagram, deployment of the flow probes is performed according to the deployment positions, deployment cost is determined according to the deployment positions of the flow probes, flow probe use parameters are obtained, and an update rule is established based on the equipment asset scores, the deployment cost and the flow probe use parameters to update the deployment positions of the flow probes.
In this embodiment, the deployment position of the flow probe is determined from the network topology structure diagram, which also determines the number of probes and hence the deployment cost. An update rule for the deployment position of the flow probe is then established from the equipment asset score, the deployment cost and the flow probe usage parameters.
In some embodiments of the present application, determining deployment locations and equipment asset scores for traffic probes from a network topology graph includes: the network topology structure diagram comprises a device topology structure diagram and a logic topology structure diagram; and obtaining a first deployment position of the flow probe and equipment asset scores according to the equipment topological structure diagram, and obtaining a second deployment position of the flow probe according to the logic topological structure diagram.
In this embodiment, the device topology structure is a topology structure of a real device, and the logical topology structure is a topology structure of virtual connection. The device asset score is obtained in the device topology map, from which a first deployment location of the flow probe is determined. Generally, the traffic probes are mainly deployed in the important areas of assets such as the maximum in-and-out position of network boundary traffic, the front end of a key service server area, a core switch area and the like. And obtaining a second deployment position of the flow probe according to the logic topology structure diagram.
It will be appreciated that the first deployment location is not one specific location, but rather is the flow probe location of a plurality of critical devices, and the second deployment location is the same.
In some embodiments of the present application, obtaining a first deployment location and an equipment asset score for a flow probe from an equipment topology map includes: acquiring attribute information of each device in a device topology structure chart, and determining initial device asset scores according to the attribute information of the device and a preset device attribute table; acquiring the association degree of equipment in an equipment topological structure diagram, and correcting the initial equipment asset score based on the association degree to obtain the equipment asset score; if the equipment asset score exceeds a preset asset score threshold, determining a first deployment position of the flow probe; wherein, each piece of attribute information in the preset equipment attribute table is provided with a plurality of grades.
In this embodiment, the attribute information of the device includes importance, confidentiality and availability, each of which is given several levels; the initial device asset score is the product of the three level values and a corresponding constant. The importance of a device is related to its association degree in the graph: generally, the higher the association degree, the greater the importance. The initial equipment asset score therefore needs to be corrected according to the association degree.
Let the association degree of the equipment be A, and preset an association degree array A0 (A1, A2, A3, A4), where A1, A2, A3 and A4 are all preset values and A1 < A2 < A3 < A4;
let the initial equipment asset score be P, and preset a correction coefficient array F0 (F1, F2, F3, F4), where F1, F2, F3 and F4 are all preset values with F1 < F2 < F3 < F4, F1 being greater than 0.7 and F4 greater than 0.3;
the correction coefficient is determined from the relation between the equipment association degree and each preset association degree, giving the equipment asset score:
if A < A1, the first preset correction coefficient F1 is taken as the correction coefficient, and the equipment asset score is P × F1;
if A1 ≤ A < A2, the second preset correction coefficient F2 is taken as the correction coefficient, and the equipment asset score is P × F2;
if A2 ≤ A < A3, the third preset correction coefficient F3 is taken as the correction coefficient, and the equipment asset score is P × F3;
if A3 ≤ A < A4, the fourth preset correction coefficient F4 is taken as the correction coefficient, and the equipment asset score is P × F4.
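The scoring and tiered correction described above, worked through on a small device topology. This is an added example and not the patent's own code: the constant K, the level table, the tier arrays A0 and F0, the asset threshold and the topology are constructed values (the patent fixes only the orderings A1 < A2 < A3 < A4 and F1 < F2 < F3 < F4), and the association degree of a device is taken here to be the number of links it has in the device topology, which is an assumption.

```python
"""Equipment asset score with association-degree correction (added example)."""
from typing import Dict, List, Tuple

# Constructed device topology: undirected links between devices.
TOPOLOGY: Dict[str, List[str]] = {
    "border-fw": ["core-sw"],
    "core-sw": ["border-fw", "db-srv", "web-srv", "office-sw"],
    "db-srv": ["core-sw"],
    "web-srv": ["core-sw"],
    "office-sw": ["core-sw", "pc-1", "pc-2"],
    "pc-1": ["office-sw"],
    "pc-2": ["office-sw"],
}

# Constructed attribute table: (importance, confidentiality, availability),
# each graded 1 (low) to 3 (high).
ATTRIBUTES: Dict[str, Tuple[int, int, int]] = {
    "border-fw": (3, 2, 3),
    "core-sw": (3, 2, 3),
    "db-srv": (3, 3, 2),
    "web-srv": (2, 2, 3),
    "office-sw": (2, 1, 2),
    "pc-1": (1, 1, 1),
    "pc-2": (1, 2, 1),
}

K = 1.0                    # constant multiplied with the product of the three levels (assumed)
A0 = (1, 2, 3, 4)          # A1 < A2 < A3 < A4 (assumed values)
F0 = (0.8, 0.9, 1.0, 1.2)  # F1 < F2 < F3 < F4 (assumed values)
ASSET_THRESHOLD = 12.0     # a device becomes a first deployment position above this


def initial_score(device: str) -> float:
    """P = K x importance x confidentiality x availability."""
    importance, confidentiality, availability = ATTRIBUTES[device]
    return K * importance * confidentiality * availability


def association_degree(device: str) -> int:
    """Association degree A, taken as the link count in the topology (assumption)."""
    return len(TOPOLOGY[device])


def correction_coefficient(a: int) -> float:
    """Select F1..F4 from the tier of A against A1..A4, as in the patent's four cases."""
    for bound, coefficient in zip(A0, F0):
        if a < bound:
            return coefficient
    return F0[-1]  # A >= A4: the patent's tiers end at A4; keep the top coefficient (assumption)


def asset_score(device: str) -> float:
    """Corrected equipment asset score P x F."""
    return initial_score(device) * correction_coefficient(association_degree(device))


def first_deployment_positions() -> List[str]:
    """Devices whose corrected asset score exceeds the preset threshold."""
    return sorted(d for d in TOPOLOGY if asset_score(d) > ASSET_THRESHOLD)


if __name__ == "__main__":
    for dev in TOPOLOGY:
        print(f"{dev:10s} degree={association_degree(dev)} score={asset_score(dev):.1f}")
    print("first deployment positions:", first_deployment_positions())
```

With these constructed values the core switch, the border firewall and the database server exceed the threshold, while the office switch, although highly connected, stays below it because its own attribute levels are low; the correction raises or lowers the score but does not replace the attribute-based part.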
In some embodiments of the present application, obtaining a second deployment location of the flow probe according to the logical topology graph includes: determining a starting end and a target end to divide a logic topology structure diagram into a plurality of paths, and dividing each path into a plurality of sub-paths; and acquiring the passing flow of each sub-path to obtain the flow of each path, screening out paths meeting the flow requirement based on the flow of each path, and determining a second deployment position of the flow probe according to the screened paths.
In this embodiment, the nodes of the logical topology structure that can serve as a start end and those that can serve as a target end are taken as the start and end of a path. The segment from one node to the next is regarded as a sub-path, and a path meeting the flow requirement is obtained from the sub-paths. For example, let S0 be the start node and S9 the target node, with the path from S0 to S9 passing through nodes S1 to S8. The three links between S0 and S1 are sub-paths; the flow on each of them is calculated and the largest is selected. The sub-paths between S1 and S2 are then calculated and the one with the largest flow is selected, and so on until S9, selecting the maximum each time a sub-path is chosen. This yields the path of maximum flow from S0 to S9, from which the position of the flow probe is determined.
In some embodiments of the application, the method further comprises: judging whether the first deployment position and the second deployment position of the flow probe have coincidence conditions or not; and if the first deployment position and the second deployment position are overlapped, deleting the overlapped position in the first deployment position or the second deployment position.
In this embodiment, the first deployment position and the second deployment position may coincide; in that case the flow probe on one side of the coincidence is deleted, thereby improving accuracy.
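The hop-by-hop maximum-flow path selection of the preceding example and the removal of coincident positions, as an added example that is not the patent's own code. The stages, candidate sub-paths and traffic figures (Mbps) are constructed, and the probe position for a chosen sub-path is taken to be the device that sub-path passes through, which is an assumption the patent does not spell out.

```python
"""Second deployment positions from the logical topology, with overlap removal (added example)."""
from typing import Dict, List, Tuple

# Constructed logical topology from start node S0 to target node S3.  Each
# stage lists the candidate sub-paths to the next node as {device: traffic}.
STAGES: List[Tuple[str, str, Dict[str, float]]] = [
    ("S0", "S1", {"r-a": 120.0, "r-b": 300.0, "r-c": 80.0}),
    ("S1", "S2", {"core-sw": 260.0, "r-d": 250.0}),
    ("S2", "S3", {"r-e": 90.0}),
]


def select_max_traffic_path(stages) -> Tuple[List[str], float]:
    """At every hop keep the sub-path carrying the most traffic (greedy, as the patent describes)."""
    chosen: List[str] = []
    total = 0.0
    for _start, _end, candidates in stages:
        device, traffic = max(candidates.items(), key=lambda kv: kv[1])
        chosen.append(device)
        total += traffic
    return chosen, total


def second_deployment_positions(stages) -> List[str]:
    """Devices on the selected maximum-flow path (assumed to be the probe positions)."""
    chosen, _ = select_max_traffic_path(stages)
    return chosen


def remove_overlap(first: List[str], second: List[str]) -> Tuple[List[str], List[str]]:
    """Delete positions present in both sets from the second set (the patent allows either side)."""
    first_set = set(first)
    return list(first), [p for p in second if p not in first_set]


if __name__ == "__main__":
    first = ["border-fw", "core-sw", "db-srv"]  # constructed first deployment positions
    path, total = select_max_traffic_path(STAGES)
    print("max-traffic path:", " -> ".join(path), f"({total:.0f} Mbps)")
    print("after overlap removal:", remove_overlap(first, second_deployment_positions(STAGES)))
```

Note that the selection is greedy per hop rather than a global maximum over whole paths; that is what the text describes, and on topologies where a lower-traffic first hop leads to a busier remainder the two can differ.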
In some embodiments of the present application, establishing an update rule to update a deployment location of a flow probe based on equipment asset scores, deployment costs, and flow probe usage parameters includes: obtaining a flow probe utilization rate based on the flow probe utilization parameters; the strategic requirements are obtained, the distribution ratio of the equipment asset score, the deployment cost and the traffic probe usage is determined according to the strategic requirements, and the priority of the equipment asset score, the deployment cost and the traffic probe usage is determined to update the deployment location of the traffic probe.
In this embodiment, the usage parameters of the flow probe include CPU usage and memory consumption (in %). The flow probe is a physically existing hardware device; when it is working, a usage that is too low indicates that the traffic through it is too low and the probe's resources are wasted. At present the relationships among equipment asset score, deployment cost and flow probe utilization cannot all be balanced, so contradictions arise; a priority therefore needs to be determined and the deployment mode updated. The strategic requirement is whether the enterprise is cost-centric or equipment-asset-centric. Each strategic requirement has a corresponding distribution ratio for the three parameters in a strategy table; the products of the three parameters with their distribution ratios are compared, and the priority is determined from them (the larger the result, the higher the priority).
For example, after multiplying by the distribution ratios, deployment cost ranks highest, equipment asset score second and flow probe utilization lowest. If the cost exceeds the threshold, the flow probe with low utilization is removed first to keep the cost within bounds. If the cost is still too high, among the probes whose equipment asset score exceeds the corresponding threshold, the probe with the lowest score is deleted, again to keep the cost within bounds.
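The priority ranking and the two-stage cost-driven pruning just described, as an added example that is not the patent's own code. The strategy table, the probe figures, the cost budget and the asset threshold are constructed; because the three parameters have different units, each is expressed relative to its budget or threshold before being multiplied by its distribution ratio, which is this example's assumption rather than something the patent specifies.

```python
"""Parameter priority under a strategic requirement and cost-driven probe pruning (added example)."""
from typing import Dict, List

# Constructed strategy table: distribution ratios per strategic requirement.
STRATEGY_TABLE: Dict[str, Dict[str, float]] = {
    "cost-centric": {"asset_score": 0.2, "cost": 0.6, "utilization": 0.2},
    "asset-centric": {"asset_score": 0.6, "cost": 0.2, "utilization": 0.2},
}

# Constructed probes: asset score of the guarded device, deployment cost,
# and utilisation (%) derived from the probe's CPU/memory usage parameters.
PROBES: List[Dict] = [
    {"id": "p-border", "asset_score": 16.2, "cost": 30.0, "utilization": 85.0},
    {"id": "p-core", "asset_score": 21.6, "cost": 45.0, "utilization": 70.0},
    {"id": "p-db", "asset_score": 16.2, "cost": 25.0, "utilization": 15.0},
    {"id": "p-web", "asset_score": 12.5, "cost": 20.0, "utilization": 40.0},
]
COST_BUDGET = 100.0      # cost threshold (assumed)
ASSET_THRESHOLD = 12.0   # asset score threshold (assumed)


def total_cost(probes) -> float:
    return sum(p["cost"] for p in probes)


def weighted_parameters(probes, strategy, cost_budget=COST_BUDGET, asset_threshold=ASSET_THRESHOLD):
    """Each parameter relative to its budget/threshold, times its distribution ratio."""
    ratios = STRATEGY_TABLE[strategy]
    n = len(probes)
    relative = {
        "asset_score": sum(p["asset_score"] for p in probes) / n / asset_threshold,
        "cost": total_cost(probes) / cost_budget,
        "utilization": sum(p["utilization"] for p in probes) / n / 100.0,
    }
    return {k: relative[k] * ratios[k] for k in ratios}


def priority_order(probes, strategy) -> List[str]:
    """Parameters ordered by weighted value; the larger the result, the higher the priority."""
    weighted = weighted_parameters(probes, strategy)
    return sorted(weighted, key=weighted.get, reverse=True)


def prune_for_cost(probes, cost_budget=COST_BUDGET, asset_threshold=ASSET_THRESHOLD):
    """Remove probes until the cost is within budget: first the probe with the lowest
    utilisation, then repeatedly the lowest-scoring probe among those above the asset threshold."""
    remaining = list(probes)
    first_pass = True
    while total_cost(remaining) > cost_budget:
        if first_pass:
            victim = min(remaining, key=lambda p: p["utilization"])
            first_pass = False
        else:
            candidates = [p for p in remaining if p["asset_score"] > asset_threshold]
            if not candidates:
                break  # nothing left that the rule allows removing
            victim = min(candidates, key=lambda p: p["asset_score"])
        remaining.remove(victim)
    return remaining


if __name__ == "__main__":
    print("cost-centric priority:", priority_order(PROBES, "cost-centric"))
    print("kept within budget:", [p["id"] for p in prune_for_cost(PROBES)])
```

Under the cost-centric ratios the ordering comes out as cost, then asset score, then utilization, matching the page's worked case; under the asset-centric ratios the asset score moves to the front, which is the point of keying the ratios to the strategic requirement.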
Step S102, obtaining flow characteristic attributes, calculating information entropy of the corresponding attributes, and establishing an abnormal flow detection rule according to the historical flow to detect whether abnormal flow exists.
In some embodiments of the present application, establishing an abnormal traffic detection rule according to a historical traffic to detect whether an abnormal traffic exists, including: the historical flow comprises normal flow and abnormal flow, the characteristic attribute of the normal flow is obtained, the corresponding information entropy is calculated to obtain the normal information entropy, the characteristic attribute of the abnormal flow is obtained, the corresponding information entropy is calculated to obtain the abnormal information entropy, and the information entropy change is determined according to the normal information entropy and the abnormal information entropy; and determining the change relation of the information entropy of each abnormal flow type to establish an abnormal flow detection rule, and judging whether the information entropy corresponding to each attribute of the flow meets the abnormal flow detection rule or not, thereby judging the abnormal flow and the abnormal flow type.
In this embodiment, the flow characteristic attributes include source IP, destination IP, source port, destination port and the like. For example, when the abnormal flow type is SINGLE SCAN, the abnormal source IP information entropy is reduced compared with the normal source IP information entropy, the abnormal destination IP information entropy is increased compared with the normal destination IP information entropy, the abnormal source port information entropy is increased compared with the normal source port information entropy, and the abnormal destination port information entropy is reduced compared with the normal destination port information entropy; from these changes it is determined whether the flow is abnormal and of which abnormal flow type.
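The entropy-change detection rule above, run over constructed flow records, as an added example that is not the patent's own code. The two flow samples, the 0.1-bit change threshold and the rule table containing only the SINGLE SCAN pattern are constructed; the rule directions (source IP down, destination IP up, source port up, destination port down) are the ones the page states.

```python
"""Per-attribute information entropy and rule-based abnormal flow classification (added example)."""
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)
ATTRIBUTES = ("src_ip", "dst_ip", "src_port", "dst_port")

# Constructed normal traffic: 16 flows spread over 4 clients, 4 servers,
# 8 source ports and 4 service ports.
NORMAL_FLOWS: List[Flow] = [
    (f"10.0.0.{1 + i % 4}", f"10.0.1.{10 + i // 4}", 40000 + i % 8, (80, 443, 22, 53)[(i // 2) % 4])
    for i in range(16)
]
# Constructed scan-like traffic: one source sweeping 16 destinations on one port.
SCAN_FLOWS: List[Flow] = [("10.0.0.7", f"10.0.1.{10 + i}", 50000 + i, 22) for i in range(16)]

# Expected entropy change per attribute for each abnormal flow type (page's SINGLE SCAN rule).
DETECTION_RULES: Dict[str, Dict[str, str]] = {
    "SINGLE SCAN": {"src_ip": "down", "dst_ip": "up", "src_port": "up", "dst_port": "down"},
}
CHANGE_THRESHOLD = 0.1  # bits; smaller differences count as no change (assumed)


def entropy(values) -> float:
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def attribute_entropies(flows: List[Flow]) -> Dict[str, float]:
    return {name: entropy([f[i] for f in flows]) for i, name in enumerate(ATTRIBUTES)}


def entropy_changes(baseline: Dict[str, float], observed: Dict[str, float]) -> Dict[str, str]:
    """Direction of change of each attribute's entropy relative to the normal baseline."""
    changes = {}
    for name in ATTRIBUTES:
        diff = observed[name] - baseline[name]
        changes[name] = "up" if diff > CHANGE_THRESHOLD else "down" if diff < -CHANGE_THRESHOLD else "flat"
    return changes


def classify(baseline_flows: List[Flow], observed_flows: List[Flow]) -> Optional[str]:
    """Return the matching abnormal flow type, or None when no rule matches."""
    changes = entropy_changes(attribute_entropies(baseline_flows), attribute_entropies(observed_flows))
    for abnormal_type, rule in DETECTION_RULES.items():
        if all(changes[attr] == direction for attr, direction in rule.items()):
            return abnormal_type
    return None


if __name__ == "__main__":
    print("normal:", {k: round(v, 2) for k, v in attribute_entropies(NORMAL_FLOWS).items()})
    print("observed:", {k: round(v, 2) for k, v in attribute_entropies(SCAN_FLOWS).items()})
    print("verdict:", classify(NORMAL_FLOWS, SCAN_FLOWS))
```

In practice the baseline would be computed from the normal portion of the historical flow for the same probe and time of day, and further rows in the rule table would encode the entropy signatures of other abnormal flow types; the window length matters, because entropy over a very short window is dominated by a handful of flows.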
Step S103, if the abnormal flow exists, backtracking analysis is carried out on the abnormal flow to determine the generation source.
In some embodiments of the present application, if there is abnormal flow, performing backtracking analysis on the abnormal flow to determine its source includes: obtaining corresponding keywords from the abnormal flow, searching the database for the keywords to obtain corresponding statistical data, screening out multiple items of data from the statistical data to serve as evidence, and determining the source of the abnormal flow from the evidence and its corresponding basic probability distribution according to a preset synthesis rule.
In this embodiment, the database stores data collected by the flow probe itself over a period of time; it is searched for the corresponding keywords to obtain statistical data, and the data serving as evidence is screened out. D-S evidence theory is adopted here; put simply, D-S evidence theory infers the cause of an event from the observed outcome of the event. First, a series of hypotheses about the causes of the event are made to form an identification frame, each hypothesised cause is given an independent basic probability distribution, the distributions are then fused by a fusion rule, the fused result is analysed probabilistically, and the cause with the highest probability is taken as the main cause.
In the D-S evidence theory, the final cause is the source of abnormal traffic, and accordingly basic probability distribution and related evidence are established, and the synthesis rule of the basic probability distribution is determined, which is common knowledge in the art and is not described herein.
In some embodiments of the application, the method further comprises: if a conflict exists among a plurality of evidences and the conflict degree exceeds a preset conflict threshold, correcting the basic probability distribution according to the conflict degree to obtain a corrected basic probability distribution; and determining a correction coefficient according to the abnormal flow type, correcting the first-repair basic probability distribution, obtaining second-repair basic probability distribution and carrying out evidence synthesis.
In this embodiment, when there is a conflict among multiple evidences, the synthesis effect is poor, so that the basic probability distribution needs to be corrected, and different types of abnormal traffic can have different effects.
Let the conflict degree be B, and preset a conflict degree array B0 (B1, B2, B3, B4), where B1, B2, B3 and B4 are all preset values and B1 < B2 < B3 < B4;
let the basic probability distribution be L, and preset a correction coefficient array G0 (G1, G2, G3, G4), where G1, G2, G3 and G4 are all preset values and G1 < G2 < G3 < G4;
the correction coefficient is determined from the relation between the conflict degree and each preset conflict degree, giving the first corrected basic probability distribution:
if B < B1, the first preset correction coefficient G1 is taken as the correction coefficient, and the first corrected basic probability distribution is L × G1;
if B1 ≤ B < B2, the second preset correction coefficient G2 is taken as the correction coefficient, and the first corrected basic probability distribution is L × G2;
if B2 ≤ B < B3, the third preset correction coefficient G3 is taken as the correction coefficient, and the first corrected basic probability distribution is L × G3;
if B3 ≤ B < B4, the fourth preset correction coefficient G4 is taken as the correction coefficient, and the first corrected basic probability distribution is L × G4.
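The evidence synthesis of the backtracking step and the two-stage correction of the basic probability distribution above, worked through in one added example that is not the patent's own code. It implements Dempster's rule of combination as the synthesis rule, measures the conflict degree K between the evidences, and when K exceeds the preset conflict threshold applies first the coefficient chosen by conflict tier (B0/G0) and then the coefficient chosen by abnormal flow type. The identification frame, the two evidences, the threshold, the tier arrays and the type coefficient table are all constructed (the patent fixes only B1 < B2 < B3 < B4 and G1 < G2 < G3 < G4). Multiplying every mass by a coefficient alone would leave the distribution unnormalised, so the correction is applied here as discounting: each mass is scaled by the coefficient and the removed mass is moved to the whole frame. That treatment, and the meaning of the coefficients as values at most 1, are this example's assumptions.

```python
"""D-S evidence synthesis with conflict-tiered and type-based correction (added example)."""
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

Mass = Dict[FrozenSet[str], float]

# Identification frame: hypothesised sources of the abnormal flow (constructed).
THETA: FrozenSet[str] = frozenset({"host-a", "host-b", "host-c"})

# Two constructed evidences, e.g. statistics retrieved from the probe's own
# database under two different keywords.
EVIDENCE_1: Mass = {frozenset({"host-a"}): 0.6, frozenset({"host-b"}): 0.3, THETA: 0.1}
EVIDENCE_2: Mass = {frozenset({"host-b"}): 0.5, frozenset({"host-a"}): 0.2, THETA: 0.3}

CONFLICT_THRESHOLD = 0.3                 # preset conflict threshold (assumed)
B0 = (0.25, 0.5, 0.75, 0.9)              # B1 < B2 < B3 < B4 (assumed values)
G0 = (0.6, 0.7, 0.8, 0.9)                # G1 < G2 < G3 < G4 (assumed values)
TYPE_COEFFICIENT = {"SINGLE SCAN": 0.9}  # second correction, by abnormal flow type (assumed)


def combine(m1: Mass, m2: Mass) -> Tuple[Mass, float]:
    """Dempster's rule: returns the synthesised mass and the conflict degree K."""
    k = 0.0
    joint: Mass = {}
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if not inter:
            k += ma * mb           # mass assigned to incompatible hypotheses
        else:
            joint[inter] = joint.get(inter, 0.0) + ma * mb
    if k >= 1.0:
        raise ValueError("evidences are in total conflict; synthesis is undefined")
    return {s: v / (1.0 - k) for s, v in joint.items()}, k


def fuse(evidences: List[Mass]) -> Tuple[Mass, float]:
    """Combine all evidences in sequence; report the largest conflict met on the way."""
    fused, max_k = evidences[0], 0.0
    for m in evidences[1:]:
        fused, k = combine(fused, m)
        max_k = max(max_k, k)
    return fused, max_k


def conflict_coefficient(b: float) -> float:
    """Select G1..G4 from the tier of conflict degree B against B1..B4."""
    for bound, g in zip(B0, G0):
        if b < bound:
            return g
    return G0[-1]  # B >= B4: the patent's tiers end at B4; keep the top coefficient (assumption)


def discount(m: Mass, g: float) -> Mass:
    """L x G on every focal element, with the removed mass moved to THETA to stay normalised."""
    out = {s: v * g for s, v in m.items()}
    out[THETA] = out.get(THETA, 0.0) + (1.0 - g)
    return out


def locate_source(evidences: List[Mass], abnormal_type: str):
    """Return (most probable source, synthesised mass, raw conflict, conflict after correction)."""
    _, raw_k = fuse(evidences)
    corrected = evidences
    if raw_k > CONFLICT_THRESHOLD:
        g_conflict = conflict_coefficient(raw_k)              # first correction
        g_type = TYPE_COEFFICIENT.get(abnormal_type, 1.0)     # second correction
        corrected = [discount(discount(m, g_conflict), g_type) for m in evidences]
    fused, corrected_k = fuse(corrected)
    singles = {next(iter(s)): v for s, v in fused.items() if len(s) == 1}
    return max(singles, key=singles.get), fused, raw_k, corrected_k


if __name__ == "__main__":
    source, fused, raw_k, corrected_k = locate_source([EVIDENCE_1, EVIDENCE_2], "SINGLE SCAN")
    print(f"raw conflict K={raw_k:.3f}, after correction K={corrected_k:.3f}")
    print("source:", source, {tuple(sorted(s)): round(v, 3) for s, v in fused.items()})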
In order to further explain the technical idea of the invention, the technical scheme of the invention is described below with specific application scenarios.
For ease of understanding, the basic principles and existing workflow of flow probes are set out here.
To collect more comprehensive uplink and downlink traffic data, researchers mainly deploy flow probes at the network boundary where inbound and outbound traffic is greatest, at the front end of key service server areas, in the core switch area, and so on. The port traffic mirroring technique copies the data of the monitored port as a full 1:1 mirror and feeds that copy to the flow probe, so that the real network environment is hardly affected and the flow probe has sufficient performance to receive and analyze the flow data packets. The mirrored (networking) flow data packets carry the session information of each layer, such as the data link layer, network layer, transport layer, session layer and application layer; an application protocol analysis module attached to the flow probe disassembles each data packet, obtains its header information and performs attribution classification analysis on it.
The flow probe is provided internally with a threat detection process, an IDS intrusion detection library, a Web application defense library and the like; it can identify a wide range of known application-layer threats, including Trojan horses, webshells, malicious advertising and mining tools, and tags suspected threats to generate an alarm. Meanwhile, the sensor can also track and analyze APT continuous attack events and transmit the analysis data to a big data analysis platform for aggregation and further correlation analysis.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present application and do not limit it; although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will appreciate that the technical scheme described in the foregoing embodiments can be modified, or some of its technical features replaced by equivalents, and that such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (5)
1. A flow probe-based flow analysis method, the method comprising:
acquiring a network topology structure diagram, determining a deployment position and equipment asset scores of a flow probe according to the network topology structure diagram, deploying the flow probe according to the deployment position, determining deployment cost according to the deployment position of the flow probe, acquiring a flow probe use parameter, and establishing an update rule based on the equipment asset scores, the deployment cost and the flow probe use parameter to update the deployment position of the flow probe;
acquiring flow characteristic attributes, calculating information entropy of the corresponding attributes, and establishing an abnormal flow detection rule according to the historical flow to detect whether abnormal flow exists or not;
if the abnormal flow exists, backtracking analysis is carried out on the abnormal flow to determine the generation source, and the method specifically comprises the following steps:
acquiring corresponding keywords according to the abnormal flow, detecting the keywords in a database to obtain corresponding statistical data, screening multiple items of data in the statistical data to serve as evidence, and determining the abnormal flow generation source from the evidence and the corresponding basic probability distributions according to a preset synthesis rule;
wherein determining the deployment position and the equipment asset score of the flow probe according to the network topology structure diagram specifically comprises the following steps:
The network topology structure diagram comprises a device topology structure diagram and a logic topology structure diagram;
Obtaining a first deployment position and equipment asset score of the flow probe according to the equipment topological structure diagram, and obtaining a second deployment position of the flow probe according to the logic topological structure diagram;
the method for obtaining the first deployment position and the equipment asset score of the flow probe according to the equipment topological structure diagram specifically comprises the following steps:
acquiring attribute information of each device in the device topology structure diagram, and determining an initial equipment asset score according to the attribute information of the device and a preset equipment attribute table;
acquiring the association degree of equipment in an equipment topological structure diagram, and correcting the initial equipment asset score based on the association degree to obtain the equipment asset score;
If the equipment asset score exceeds a preset asset score threshold, determining a first deployment position of the flow probe;
wherein, each piece of attribute information in the preset equipment attribute table is provided with a plurality of grades;
the method for obtaining the second deployment position of the flow probe according to the logic topology structure diagram specifically comprises the following steps:
determining a starting end and a target end to divide a logic topology structure diagram into a plurality of paths, and dividing each path into a plurality of sub-paths;
and acquiring the passing flow of each sub-path to obtain the flow of each path, screening out paths meeting the flow requirement based on the flow of each path, and determining a second deployment position of the flow probe according to the screened paths.
2. The method of claim 1, wherein the method further comprises:
judging whether the first deployment position and the second deployment position of the flow probe have coincidence conditions or not;
And if the first deployment position and the second deployment position are overlapped, deleting the overlapped position in the first deployment position or the second deployment position.
3. The method of claim 1, wherein establishing an update rule based on the equipment asset score, the deployment cost and the flow probe use parameters to update the deployment position of the flow probe comprises:
obtaining a flow probe utilization rate based on the flow probe use parameters;
obtaining strategic requirements, determining the distribution ratio of the equipment asset score, the deployment cost and the flow probe utilization rate according to the strategic requirements, and determining the priority of the equipment asset score, the deployment cost and the flow probe utilization rate so as to update the deployment position of the flow probe.
4. The method of claim 1, wherein establishing an abnormal traffic detection rule to detect whether abnormal traffic exists based on historical traffic comprises:
The historical flow comprises normal flow and abnormal flow, the characteristic attribute of the normal flow is obtained, the corresponding information entropy is calculated to obtain the normal information entropy, the characteristic attribute of the abnormal flow is obtained, the corresponding information entropy is calculated to obtain the abnormal information entropy, and the information entropy change is determined according to the normal information entropy and the abnormal information entropy;
And determining the change relation of the information entropy of each abnormal flow type to establish an abnormal flow detection rule, and judging whether the information entropy corresponding to each attribute of the flow meets the abnormal flow detection rule or not, thereby judging the abnormal flow and the abnormal flow type.
5. The method of claim 1, wherein the method further comprises:
if a conflict exists among multiple pieces of evidence and the conflict degree exceeds a preset conflict threshold, correcting the basic probability distribution according to the conflict degree to obtain a first corrected basic probability distribution;
and determining a correction coefficient according to the abnormal flow type, correcting the first corrected basic probability distribution to obtain a second corrected basic probability distribution, and carrying out evidence synthesis.
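The entropy-change rule of claim 4, worked through in Python as an added example (this is not code from the patent): the normal entropy of each flow characteristic attribute is computed from labelled history, each abnormal flow type is characterised by the direction in which each attribute's entropy changes relative to normal, and a new traffic window is classified by matching its own change pattern against those rules. The attribute set, the 0.5-bit tolerance, the flow records and the type labels are all constructed assumptions of this example.

```python
from collections import Counter
from math import log2

ATTRS = ("src_ip", "dst_port")  # flow characteristic attributes used in this example (assumed)
DELTA = 0.5                     # assumed tolerance in bits below which a change counts as "no change"

def entropy(values):
    """Shannon entropy in bits of the empirical distribution of one attribute's values."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * log2(c / n) for c in counts.values())

def attribute_entropies(flows):
    """Information entropy of every attribute over a window of flow records."""
    return {a: entropy(f[a] for f in flows) for a in ATTRS}

def change_pattern(window_h, normal_h):
    """Direction of entropy change per attribute: '+' rise, '-' fall, '0' within tolerance."""
    pat = {}
    for a in ATTRS:
        d = window_h[a] - normal_h[a]
        pat[a] = "+" if d > DELTA else "-" if d < -DELTA else "0"
    return pat

def learn_rules(normal_flows, abnormal_by_type):
    """Claim 4: derive the normal entropy and, per abnormal type, the entropy-change relation
    that defines it (the detection rule). Returns (normal entropies, rules by type)."""
    normal_h = attribute_entropies(normal_flows)
    rules = {t: change_pattern(attribute_entropies(fl), normal_h) for t, fl in abnormal_by_type.items()}
    return normal_h, rules

def detect(window, normal_h, rules):
    """Return the abnormal flow type whose rule the window's pattern satisfies, or None if normal."""
    pat = change_pattern(attribute_entropies(window), normal_h)
    return next((t for t, r in rules.items() if r == pat), None)

# Constructed historical traffic; the type names only describe the constructed patterns.
NORMAL = [{"src_ip": f"10.0.0.{i % 4}", "dst_port": (80, 443, 53)[i % 3]} for i in range(12)]
HISTORY = {
    "many_sources_one_port": [{"src_ip": f"10.0.1.{i}", "dst_port": 80} for i in range(12)],
    "one_source_many_ports": [{"src_ip": "10.0.2.9", "dst_port": 1000 + i} for i in range(12)],
}

if __name__ == "__main__":
    normal_h, rules = learn_rules(NORMAL, HISTORY)
    window = [{"src_ip": f"10.0.3.{i}", "dst_port": 443} for i in range(12)]  # constructed test window
    print(rules, detect(window, normal_h, rules))
```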
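An added example (not the patent's own code) for the evidence-synthesis step of claim 5 and of the correction-coefficient rules in the description above: two constructed pieces of evidence about the generation source are combined with Dempster's rule, and when their conflict degree K exceeds the preset threshold a first correction and a type-specific second correction (the page's L x G) are applied before synthesis. The choice of 1 - K as the first coefficient, the per-type G values, the conflict threshold, the source labels and the shifting of removed mass to the whole frame are all assumptions of this example; the patent's own thresholds B1..B4 and coefficients G1..G4 are not reproduced.

```python
from itertools import product

# Frame of discernment: candidate generation sources (labels constructed for this example).
THETA = frozenset({"src_A", "src_B", "src_C"})
A, B = frozenset({"src_A"}), frozenset({"src_B"})
AB = frozenset({"src_A", "src_B"})

# Assumed second correction coefficient per abnormal flow type (claim 5 selects it by type).
G_BY_TYPE = {"type_1": 0.9, "type_2": 0.8}
CONFLICT_THRESHOLD = 0.25  # assumed preset conflict threshold

def conflict(m1, m2):
    """Dempster conflict K: product mass on pairs of focal sets with empty intersection."""
    return sum(a * b for (x, a), (y, b) in product(m1.items(), m2.items()) if not (x & y))

def discount(m, g):
    """Multiply every mass by g (the page's L x G) and move the removed mass to THETA.
    Moving it to THETA is classical Shafer discounting, an assumption of this example."""
    out = {s: v * g for s, v in m.items() if s != THETA}
    out[THETA] = 1.0 - sum(out.values())
    return out

def dempster_combine(m1, m2):
    """Dempster's rule: pool intersecting focal sets and renormalise by 1 - K."""
    k = conflict(m1, m2)
    if k >= 1.0:
        raise ValueError("total conflict, evidence cannot be combined")
    out = {}
    for (x, a), (y, b) in product(m1.items(), m2.items()):
        if x & y:
            out[x & y] = out.get(x & y, 0.0) + a * b / (1.0 - k)
    return out

def locate_source(m1, m2, flow_type):
    """Claim 5 pipeline: if K exceeds the threshold, apply the first correction (coefficient
    1 - K, assumed) and the type-specific second correction, then synthesise.
    Returns (combined BPA, K, whether a correction was applied)."""
    k = conflict(m1, m2)
    corrected = k > CONFLICT_THRESHOLD
    if corrected:
        g = (1.0 - k) * G_BY_TYPE[flow_type]
        m1, m2 = discount(m1, g), discount(m2, g)
    return dempster_combine(m1, m2), k, corrected

def most_likely_source(bpa):
    """Singleton hypothesis carrying the largest combined mass."""
    singles = {s: v for s, v in bpa.items() if len(s) == 1}
    return next(iter(max(singles, key=singles.get)))
```

Evidence is passed as basic probability assignments keyed by frozenset, for example `locate_source({A: 0.6, AB: 0.3, THETA: 0.1}, {B: 0.5, AB: 0.2, THETA: 0.3}, "type_1")`, which reports K = 0.30, applies the corrections and still ranks src_A first.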
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310362224.6A CN116471066B (en) | 2023-04-06 | 2023-04-06 | Flow analysis method based on flow probe |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116471066A CN116471066A (en) | 2023-07-21 |
CN116471066B true CN116471066B (en) | 2024-09-24 |
Family
ID=87174563
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116471066B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |