Nothing Special   »   [go: up one dir, main page]

TW200833015A - Method and system for detecting network anomaly events - Google Patents

Method and system for detecting network anomaly events Download PDF

Info

Publication number
TW200833015A
TW200833015A TW96103074A TW96103074A TW200833015A TW 200833015 A TW200833015 A TW 200833015A TW 96103074 A TW96103074 A TW 96103074A TW 96103074 A TW96103074 A TW 96103074A TW 200833015 A TW200833015 A TW 200833015A
Authority
TW
Taiwan
Prior art keywords
network
traffic
flow
traffic information
condition
Prior art date
Application number
TW96103074A
Other languages
Chinese (zh)
Inventor
Chia-Chi Chiang
Shen-Pyng Wang
Original Assignee
Genie Networks Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Genie Networks Ltd filed Critical Genie Networks Ltd
Priority to TW96103074A priority Critical patent/TW200833015A/en
Publication of TW200833015A publication Critical patent/TW200833015A/en

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and system for detecting network anomaly events are disclosed. Traffic information is utilized to detect network addresses of anomaly events. A detection system includes a signal receiving module and a processing module. The signal receiving module receives traffic information and the processing module is coupled to the signal receiving module. A user respectively sets a traffic comparison condition and a traffic accumulation condition upon demands. The traffic comparison condition is an assembly of filter element for determining whether traffic information matches the traffic comparison condition. The traffic accumulation condition classifies traffic information matching the traffic comparison condition. Next, the system then decides whether or not network addresses of the anomaly event can be selected. If the scope covered by selected network addresses is too big, the system can increase the filter element into the traffic comparison condition, and perform repeat determination until the network addresses of the anomaly event is selected.

Description

200833015 九、發明說明: 【發明所屬之技術領域】 一種偵測網路異常事件之方法及系統,特別有關於一種利用 流量資訊來偵測網路中發生異常事件的網路位址之偵測方法及系 統。 【先前技術】 發生網路異常(Network Anomalies)的原因通常是網路遭受到 駭客(hacker)的網路攻擊,例如阻斷式服務攻擊①邱如〇f Seryice, DOS)、H(worm)攻擊、整體網路規劃失當或者内部使用者的濫 用(networkabuse)所造成。當網路發生異常時,網路内部的使用者 會面臨網路隸以及網路應舰務無法運作的情況。這對於企業 或其他單位而言,將造成其生產力的降低與網路資源的浪費。舉 例來說,在 2004 年的美國 FBI(FederalBu刪 〇fInvestigati〇n) ^ 腦縛與安全触中,光是阻斷服務攻擊—摘造成財務的損^ 就高達二千六百多萬美元,這·次於病毒所造成職損失。對 於其他網料f所造成的損失更遠大於上述之數目,所以如何快 速地找出網路異常是一項重要的課題。 、 傳統债_路異常的方法是錢似造成晴異常的節 腦)中安裝網路流通刺探程式㈣ffer)或是設置網路流通刺探壯 置。網路流通刺探程式/裝置能夠擷取流經此節點的封包内容,2 這些封包的内容記錄下來,這種監測流經實谷亚 又備的方法稱為 m_lmem〇de」。最後操作人員分析所擷取到的封包内容,#、… 斷此節點是否造成網路異常以及發生異常的原因。在八析::判 200833015 系的過程中,僅能憑藉著操作人員過去的經驗來找出造成網路異 常的節點及分析發生網路異常的原因。 第1圖係為網際網路之連結示意圖。網際網路1〇是由許多大 小不等的網域100所構成,在各網域中是由許多網路設備來 配發其連結路徑,例如,路由器13Q或交換機丨4◦等。通常較具 規核的企㈣部都會建置專屬的網路雜,所以在第丨圖中為了 方便說明所以將每台電腦視為-節點11G、異常的節點120則以 方才[圈選。另外,路由器13〇或交換機14〇則是用以連結其他網 路設備與其所屬中的各節點⑽或120)。在大型規模的網路卿 ^ ^ $日守操作人員光是逐一判斷疑似發生異常的節點120 就付耗費許多時間。更何況需在對每一個疑似發生異常的節點创 刀別安衣網路流通刺探程式/裝置,並分析此節點的封包内容。操 作人員需要花詩多的時間在安錄體及解析封包内容,如此一 來使得操作人員判斷發生異常的節點12()的效率難以提昇而且不 易掌握檢測的進度。 【發明内容】 鑒於以上的問題’本發明的主要目的在於提供—種網路異常 事件之偵測方法及系統,利用t集各個節點間傳遞的流量資訊來 偵測網路中發生異常事件的網路位址,提升判斷發生異常事件的 網路位址之效率。 為達上述目的,本發明所揭露之侧網路異常事件之方法至 =含下列步驟:首先,設定一流量時間區段,操取此流量時間 4又中之流量育訊。接下來,選擇過濾元素,而且至少有一個過 200833015 應於&些屬性的其中之—。將這些過濾元素組合成一組 ^木件,其用以判斷符合此流量比對條件的流量資訊。再 、計條件,其肋分類統計符合這些流量比對條件 =里貝2。職合這些流量比對條件的流量資訊輸出為一統計 艮、接著,依據一匈斷策略選取出此統計報表中異常事件之網 路位址。若無法選取出此統計報表中異常事件之網路位址時,則 統計報表再選出過濾騎,並將其加人流纽對條件,並重 j仃刀雜指合這些流量崎條件的流量資賴步驟,直至 月成:出該統計報表中異常事件之網路位址為止。 ~ 乂本的另—觀點’本發明提出—種制網路異常事件之 t用多個流量資訊來細發生異常事件的網路位址,其 k些流1魏分別具有多種屬性。此網路異常事件躺系統包 I錄接收模組以及處理模組。信號接收模組用以接收流量資 冷旦處理板組输於錢接收模組,其㈣設定流量比對條件與 =ί計條Γ。處理模組將所擷取到的流量資訊,藉由流量比對 ^方“進仃㈣。再將_後的流量資訊,藉由該流量累計條件 I式進行分_計。處理模崎後依據此分舰計結果輸出一 =十報表。峨輯龍表巾選取出發生異t事件之網路位址。 選取出此統計報表中異常事件之網路健時,則依據統計 f再選出過濾元素,並將其加人流量比對條件,處理模組在重 =行分麵計符合這钱量比雜件的流量#_步驟,直至 心取出該統計報表中異常事件之網路位址為止。 *本!X月之^例,上述方法及系統是採用流量比對條件 200833015 與流量累計斜的設計。利岐量輯齡龍量魏進 的動作’再將篩選後的流量資訊,藉由該流量累計條件的方式進 行排序,隨細ί鱗赌讀出-麟報表,最聽根觀統 計報表用以決定是魏定其中發生異f事件之網路位址。 若網路位址賴過大導致無法敍時,驗據統計報表中選 出其他的過滤7G素,並將其加人至流量比對條件中,使其成為次 回新的流量比對條件。再重複進行篩選的動作,直到能鎖定出2 生異常事件的網路位址。 本發明因採用流量比對條件與流量累計條件,針對流量資訊 先後分別進行_及排序的動作,再藉由排序後的流量資訊選擇 出更加的過濾元素’使其新增至次回流量比對條件中之—°,並重 複進行篩選鋪序_作’藉明定出發生異轉件_路位址。 如此-來’操作人員不僅能節省絲及檢_時間,更可以 透過此偵啦_流量輯條件與流量累計條件對網路狀態逐一 分析。操作人員再依據流量比對條件與流量累計條件的反饋,進 一步深入網路異常事件發生之原因。 、 有關本發明的特徵與實作,兹配合圖示作最佳實施例詳細說 【實施方式】 第2圖係為本實施例之網路架翻。請參考第2圖所示,封 包在網路的傳遞過程中是藉由許多的路㈣13G(R_)歧換機 14〇(Switch)相互傳遞。通過路由器13〇或交換機14〇的封包,可 以利用「流量」(flow)的概念用以觀察在一定時間長度中所流經路 200833015 由器130或交換機⑽的封包。對於流經路由器13〇或交換機14〇 的封包,路由器130或交換140機會將這些封包資訊做一摘要整 理。最後經由各種不同的流量資訊格式輸出(例如NetFlow、 sFlow、cFlow 或 NetStream) 〇 /瓜里資31 〇内容主要是包含傳輸層(TranSp〇rt Layer)中相關 基本流量的資訊。流量資訊310中具有多項不同的屬性,這些屬 t生包括有封包的來源位址(source ip(lntemet pr〇t〇c〇i) address)、封 包的目的地位址(destination IP address)、來源埠號(source TCP(Transmission Control Protocol)AJDP(User Datagram Protocol) P〇rt)、目的地埠號(destination TCP/UDP port)、通訊協定200833015 IX. Description of the invention: [Technical field of invention] A method and system for detecting network anomaly events, in particular, a method for detecting network address using network traffic information to detect an abnormal event in a network And system. [Prior Art] Network Anomalies occur because the network is subject to hacker cyber attacks, such as blocking service attacks. 1 Qiu Ruyi f Seryice, DOS), H (worm) Attacks, improper overall network planning, or internal user abuse (networkabuse). When an abnormality occurs in the network, users inside the network will face the situation that the network and the network should be inoperable. This will result in a reduction in productivity and waste of network resources for businesses or other organizations. For example, in 2004, the US FBI (FederalBu deleted fInvestigati〇n) ^ shackles and security hits, just blocking service attacks - the financial damage is up to more than 26 million US dollars, which · Second to the loss caused by the virus. The damage caused by other network materials f is much larger than the above, so how to quickly find network anomalies is an important issue. The traditional debt _ road abnormal method is to install a network circulation sniffer program (4) ffer in the money that causes the weather to be abnormal, or to set up the network circulation spying. The network traffic sniffer/device can capture the contents of the packet flowing through the node, and the contents of these packets are recorded. This monitoring method is called m_lmem〇de. Finally, the operator analyzes the contents of the captured packet, #,... Whether this node is causing network anomalies and the cause of the exception. In the process of analysis: 200833015, only the past experience of the operator can be used to find out the nodes causing network anomalies and analyze the causes of network anomalies. Figure 1 is a schematic diagram of the connection of the Internet. The Internet 1 is composed of a plurality of domains 100 ranging in size, and in each domain, a plurality of network devices allocate their connection paths, for example, a router 13Q or a switch. Usually, the enterprise (4) with a more regulated core will build a dedicated network. Therefore, in the figure, for convenience of explanation, each computer is regarded as a node 11G and an abnormal node 120. In addition, the router 13 or the switch 14 is used to connect other network devices and each node (10) or 120 to which it belongs. In the large-scale network of the network ^ ^ $ day guard operators are one by one to determine the node 120 suspected of an abnormality to spend a lot of time. What's more, you need to create a network of sniffer programs/devices for each node that is suspected of being abnormal, and analyze the packet content of this node. The operator needs to spend more time on the recording body and parsing the contents of the package, which makes it difficult for the operator to judge the efficiency of the node 12() which is abnormal and it is not easy to grasp the progress of the detection. SUMMARY OF THE INVENTION In view of the above problems, the main purpose of the present invention is to provide a method and system for detecting network anomaly events, and use the traffic information transmitted between the nodes of the t set to detect an abnormal event network in the network. The location of the road enhances the efficiency of the network address that determines the occurrence of an abnormal event. In order to achieve the above objective, the method for the side network abnormal event disclosed in the present invention includes the following steps: First, a flow time period section is set, and the traffic time of the traffic time 4 is fetched. Next, select the filter element, and at least one of them should be in the & These filter elements are combined into a set of wood pieces that are used to determine traffic information that meets this flow comparison condition. Then, the condition of the ribs is statistically consistent with these flow comparison conditions = Ribe 2. The traffic information output of these traffic comparison conditions is a statistic 艮, and then the network address of the abnormal event in the statistical report is selected according to an arbitrage strategy. If it is not possible to select the network address of the abnormal event in this statistical report, then the statistical report selects the filter ride, and adds it to the condition of the flow, and emphasizes the traffic flow steps of these traffic conditions. Until the month: the network address of the abnormal event in the statistical report. ~ Another view of the ’ ’ ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” This network abnormal event lies in the system package I record receiving module and processing module. The signal receiving module is configured to receive the flow rate of the cold processing board group and the money receiving module, and (4) set the flow comparison condition and the parameter. The processing module will take the traffic information obtained by the traffic comparison, and then the traffic information after the _ is divided into _ by the traffic accumulation condition I. The result of this sub-ship is output as a = ten report. The network of the singular dragon towel selects the network address where the t event occurs. When the network health time of the abnormal event in this statistical report is selected, the filtering element is selected according to the statistics f. And add the flow comparison condition, the processing module in the heavy = line facet meter meets the amount of traffic than the miscellaneous pieces #_ step, until the heart takes out the network address of the abnormal event in the statistical report. *This! X month ^ example, the above method and system is to use the flow comparison condition 200833015 and the flow accumulation oblique design. The amount of the age of the dragon Wei Jin's action 're-filtered traffic information, by the The way of accumulating the traffic conditions is sorted, and the lining report is read out with the fine-grained gambling report. The most observable statistical report is used to determine the network address where Wei Ding occurs. If the network address is too large, Unable to describe the time, select other ones in the statistical report 7G prime, and add it to the flow comparison condition, making it a new traffic comparison condition. Repeat the screening action until the network address of the 2 abnormal event can be locked out. Using the traffic comparison condition and the traffic accumulation condition, the _ and sorting actions are respectively performed for the traffic information, and then the more filtered elements are selected by the sorted traffic information to be added to the secondary traffic comparison condition- °, and repeat the screening of the shop order _ for 'borrowing to determine the occurrence of abnormal parts _ road address. So - come' operators can not only save silk and check _ time, but also through this detect _ traffic series conditions and flow The cumulative condition analyzes the network status one by one. The operator further deepens the cause of the network anomaly event based on the feedback of the traffic comparison condition and the traffic accumulation condition. The features and implementations of the present invention are most consistent with the illustration. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS [Embodiment] FIG. 2 is a network frame flipping of this embodiment. Please refer to FIG. 2, the packet is transmitted through the network by many (4) The 13G (R_) changer 14〇 (Switch) is transmitted to each other. Through the packet of the router 13〇 or the switch 14〇, the concept of “flow” can be used to observe the flow through the road 200833015 for a certain length of time. The packet of the device 130 or the switch (10). For packets flowing through router 13 or switch 14A, router 130 or switch 140 will perform a summary of these packet information. Finally, it is output via various traffic information formats (such as NetFlow, sFlow, cFlow or NetStream). The content of the 31 / 瓜 资 31 〇 is mainly the information about the basic traffic in the transport layer (TranSp〇rt Layer). The traffic information 310 has a plurality of different attributes, including the source ip (lntemet pr〇t〇c〇i) address, the destination IP address of the packet, and the source 埠No. (source TCP (Transmission Control Protocol) AJDP (User Datagram Protocol) P〇rt), destination nickname (destination TCP/UDP port), communication protocol

(Protocol)、服務類別(Type 〇f services,t〇S)、TCP 旗標内容(TCP flag)、該筆流量連結所帶的流量位元數(byte c〇unt)、該筆流量連 結所帶的封包個數(packet count)等。操作人員可以利用這些流量 資訊310針對網路的流量進行分析以及網路異常的除錯。 第3圖係為本發明實施例之網路異常事件之偵測系統示意 圖。請參考第3圖所示,網路異常事件之偵測系統23〇包括信號 接收模組320以及處理模組330。信號接收模組320用以接收流 量貧訊310。處理模組330耦接於信號接收模組320,用以處理信 號接收模組320所接收到的流量資訊。此外處理模組會根據 操作人員的要求分別設定一組流量比對條件(Matching &如邮與 流量累計條件(Aggregation Criteria)。流量比對條件為過濾元素 (Factor Types)之集合。過濾元素是分別對應流量資訊31〇的各種 屬性,其中,過濾元素包括網際網路協定位址、網際網路協定前 200833015 置(Internet Protocol Prefix,IP preflx)、通訊協定(protoc〇1)、埠號 (Port)、網路介面(Interface)、TCP旗標值(TCP flag)、服務類別值 (Type of Service,ToS)、次一節點(Next Hop)以及封包大小等。舉例 來說,當操作人員選擇通訊協定”TCP”作為過濾元素時,偵測系 統230會將通訊協定’’TCP”視為流量比對條件,並且彳貞測系統230 會把所擷取到的流量資訊中為通訊協定TCP的流量資訊310分別 取出。 /瓜里累计條件疋將付合流量比對條件的流量資訊進行分類統 计。流S累計條件的組成單位型態主要包括網際網路協定位址、 網際網路協定前置、通訊協定、琿號、網路介面、TCp旗標值、 服務類別值以及Next Hop等。處理模組33〇會根據所設定的流量 比對條件對所擷取到的流量資訊310進行篩選的動作。處理模組 330藉由流量累計條件將篩選過後的流量資訊31〇進行分類統 计。延續上述的例子,操作人員選擇來源位址” 192·168·〇·χ”作為 流量累計條件,則處理模、组33〇會將通協定為Tcp白勺流量資訊 31〇且來源位址為’’192·168·0·Χ”的流量資訊31〇依序排列出來。 。處理模組330依據分類統計後的結果輸出一統計報表·。 I作人貝可以選擇僅輸出分類統計巾的前幾項排名作為統計報表 ^例如’輸出分類統計的前50名)。操作人員在依據統計報表 〇找出發生網路異常_路位址。若操作人M認為統計報表· 圍補精確,無法有效分析發生網路異常的網路位址, =人貝可以選擇_過濾元素,將其新增至流量比對條 理模、組伽會根據新的流量轉條件,再對前—回所得到的流量 200833015 資訊進行篩選的動作。 第4圖係為本發明實施例之偵測網路異常事件之偵測流程示 思圖。清同時苓考第3圖及第4圖所示,為方便解說本實施例中 系統與方法的運作方式,在此以操作人㈣為選取比對條件之依 據,並非僅紐於此。首先,操作人員設定-流量時間區段(Time Range),信號接收模組32〇則擷取設定流量時間區段中之流量資 訊310,並交由處理模組33〇進行處理(步驟S41〇)。舉例來說, 操作人員發現中發生有異常流量的情況,操作人紐對可疑 流量發生的流量時間區段精監控。接下來,人魏擇若干 個過濾7G素,14些魏元素分獅應於流量資訊的屬性(步驟 S420)。處理模組33〇在將這些過濾、元素組合成一組流量比對條 件’並且根據流量比對條件進行_賴取的流量資訊(步驟 “作人貞針財g求設定流量科條件(倾_)。處理模 組33M艮據此流量累計條件排列出符合流量比對條件的流量資訊 310(步驟S·)。接著,處理模組依據步驟_所得到的流量資 訊31〇 ’將其依照比流量累計條件進行次數的累計並進行項次排 名,然後輸出-統計報表34〇(步驟S46〇)。例如,選取流量並依 遞減排序,則統計報表34G會將流量資訊依照將流量由大至 小依序排舰統計報表細。操作人員依據此統計報表推估 出-_朿略’用以判斷是否可以選取出發生網路異常的網路位 址(步驟S470)。若選取出的網路位址範圍過大時,操作人員可以 依據統計報表34G中的流量資訊31G中另外選擇其他的過滤元 200833015 件偵測系 '統230利用新的流量比對條件,重複執行步驟, 直至作人員月b夠鎖定出異常事件之網路位址為止(步驟料⑽)。 最後將找到異常的網路位址加以鎖定(步驟§49〇)。 為更能清楚說明本實施例之债測系統23〇運作的方式,在此 -=例作為_。如果在時,操作人員發現網路出現異 常的流量、。首先,操作人員根據步驟S410來設定細系統230所 要偵、!ί的/,IL里日守間區段,偵測系统23〇會擷取此流量時間區段内 網路的所有的流量=#訊。在系麟成此流量時間區段巾的流量資 1、域人貞便開始設定選騎要的過濾元素(對應步驟 遲屮^ Γ初期#作人M無法掌握網路異常之可能原因時將無法選 旦比濾元素,鱗可料選擇過濾元素,意即不設定流 里1 木件,也就是後續處理模組330將對所有流量資 理賺步_〇)。偵測系統23〇再依據 _ 定的時間純巾觸取_流量資輯行靖_作對^ 接下來,㈣人員域麵$設定— 埠號為流量_並遞軸:= 號做— 進行統計分__(難麵卿)^^^1量資訊310 協定與埠號做為圖係為利用目的端之 合統計報表。^伟、° 1木牛、’且取其前1〇名的項次之第一回 一回人物^ 制系統现將分析的結果輸出第 口口、切報表5K)。但因網路涵蓋 二出弟 12 200833015 —十報表510選定發生網路異常的網路位址的範圍。所以 驟_,操作人員再設定新的過濾、元素,然後偵測系 、洗230將再次執行步驟弘3〇。 ⑽2 圖所件到之第一回合統計報表51G為例,操作人員若 回°、、先口十報表510中判斷網路異常流量的發生原因,則 據第回合統計報表510中‘‘ UDp/1434,,(此其為 · redQUeryLangUage)祠服器常用的協定埠號)有不合理 < =J見的比例。因此操作人員懷疑可能是受到「观此咖沈」 絲擊料致的網路流量異f。根據「观sl_er」的另 項特被··封包大小為44位元組”。所以操作人員可以依據這 兩項特徵:通訊協定及埠號為“卿1434,,以及封包大小為‘‘私位 兀組'T定對應的_策略,並將過濾元素加人次-回合的流量比 對條件中。“而且為能找出攻擊者的網路位址,可以在流量累計條 牛中力纟源立而網路位址”,並取前5名的項次(依遞減排序)兩 項條:作林分類統計之依據。在交由侧系統挪作分類統計 可、㈣第—回合的統什報表52〇。第%圖係為利用來源端網路 位址為流量累計條件並且取其前5名的項次的第二回合統計報 表0 在第二回合的分析過後,操作人i已經可以清楚祕定網路 異常的發生賴以及網路攻擊者的來源位址。如果操作人員需要 更進-步的資簡話,可以在進行第三回合的分析。例如,摔作 員想得知各網路攻擊者對於轉㈣所影響_路設備為何。 ‘作人員並新增過紅素.來源端_路位址。流量累計條件設 13 200833015 rf-路由& ’亚取两】名的項次。第三回合的統計報表(圖尹 曰不卿可找讀邮陶路切響最顧重_路設備。 依f本發明之實施例’上述方法及系統是在-集中系統中, 力上級里比對條件無量累計條件的設計。如此設計可使得操作 j不需對於四處絲晴流通猶財/設備,這樣4可以節 痛,衣了的㈣與搬似備的人力。並且透過侧祕所歸納的 =計報表,將每一次分析所得到的結果作為次回分析的比對條 件’如此可逐步深層挖職_路巾紅發生異轉件的網路位 址。 M此外’熟習本領域之技藝者,亦可以利用類神經網路(NeumI e=〇rk)、專家系統(Εχ_細咖)、人工智慧 *勝騰)或模糊系統(Fuzzy System)來取代操作人員對於流量 =對條件與流量累計條件的反饋機制設計,其亦不脫離本發明之 精神。 精神 以限 雖然本發明贿述之較佳實施例揭露如上,然其並非用_ f伽’任何熟f相像鄕者,在不本刺之精神和範圍 二、虽可作些許之更動與潤飾,因此本發明之專利保護範圍須視 本况明書所附之申請專利範圍所界定者為準。 、 【圖式簡單說明】 第1圖係為網際網路之連結示意圖。 第2圖係為本實施例之網路組成架構圖。 圖係為本實_之_網路異常事件之偵_統示意 第3 圖 14 200833015 第4圖 係為本 實 知例之侦 4 ’路異”件之伽流程示意 取苴前〗〇名&係為利用目的端之協定與埠f卢IA ☆ 取"月J川名的項次之第一回人衾▲ 早琥做為流量累計條件並 第5b圖係Ά 〜統計報表。 圖 第5a圖 前5名的項次的第二回合位址為流量累計條件並且取其 【主要元件符號說明】 010 網際網路 100 網域 110 節點 120 異常的節點 130 路由器 140 交換機 230 網路異常事件偵測系統 310 流量資訊 320 信號接收模組 330 處理模組 340 統計報表 S410 設定流量時間區段 S420 選擇若于個過濾元素 S430 依據這呰過滤元素組成流量比對條件 S440 設定流量累計條件 S450 根據流*累計條件對流量資訊作分類統計 15 200833015 S480 S490 510 520 選擇其他的過濾元素 鎖定異常的網路位址 第一回合的統計報表 第二回合的統計報表 16(Protocol), service category (Type 〇f services, t〇S), TCP flag content (TCP flag), the number of traffic bits (byte c〇unt) carried by the traffic connection, and the traffic link The number of packets (packet count) and so on. Operators can use these traffic information 310 to analyze traffic on the network and debug network exceptions. Figure 3 is a schematic diagram of a network abnormality detecting system according to an embodiment of the present invention. Referring to FIG. 3, the network abnormal event detection system 23 includes a signal receiving module 320 and a processing module 330. The signal receiving module 320 is configured to receive the traffic message 310. The processing module 330 is coupled to the signal receiving module 320 for processing the traffic information received by the signal receiving module 320. In addition, the processing module will respectively set a set of flow matching conditions according to the operator's requirements (Matching & such as postal and traffic accumulation conditions (Aggregation Criteria). The flow comparison condition is a collection of filter elements (Factor Types). The filter element is Corresponding to various attributes of the traffic information 31〇, the filtering elements include the Internet Protocol Address, the Internet Protocol Prefix (IP preflx), the communication protocol (protoc〇1), and the nickname (Port). ), network interface (Interface), TCP flag value (TCP flag), service class value (Type of Service, ToS), next-hop (Next Hop) and packet size, etc. For example, when the operator chooses communication When the protocol "TCP" is used as the filtering element, the detection system 230 regards the communication protocol 'TCP' as the traffic comparison condition, and the detection system 230 will use the traffic information captured as the communication protocol TCP traffic. The information 310 is taken out separately. / The cumulative condition of the guay will classify and collect the flow information of the combined flow ratio condition. The constituent unit type of the cumulative condition of the flow S mainly includes the internet. Road protocol address, internet protocol preamble, protocol, nickname, network interface, TCp flag value, service class value, and Next Hop. The processing module 33 will compare the condition according to the set traffic. The collected traffic information 310 performs filtering. The processing module 330 classifies and statistics the filtered traffic information 31 by the traffic accumulation condition. Continuing the above example, the operator selects the source address 192.168 ·〇·χ” as the traffic accumulation condition, the processing mode, group 33〇 will pass the flow information of the Tcp flow information 31〇 and the source address is ''192·168·0·Χ” The processing module 330 outputs a statistical report according to the result of the classification and statistics. I can choose to output only the first few rankings of the classified statistical towel as a statistical report ^ For example, the top 50 of the output classification statistics ). The operator finds out the network abnormality_road address based on the statistical report. If the operator M thinks that the statistical report is too precise and can not effectively analyze the network address where the network abnormality occurs, the person can select the _filter element and add it to the traffic comparison module, and the group will be based on the new The traffic flow conditions, and then the filtering of the traffic 200833015 obtained from the previous-return. FIG. 4 is a schematic diagram of a detection process for detecting a network abnormal event according to an embodiment of the present invention. At the same time, as shown in Fig. 3 and Fig. 4, in order to facilitate the explanation of the operation mode of the system and method in the embodiment, the operator (4) is selected as the basis for the comparison condition, and this is not only the case. First, the operator sets a time range, and the signal receiving module 32 captures the traffic information 310 in the set traffic time zone and passes it to the processing module 33 for processing (step S41). . For example, if the operator finds that there is abnormal traffic, the operator carefully monitors the traffic time zone in which the suspicious traffic occurs. Next, the person selects a number of 7G elements, and 14 pieces of Wei elements are attributed to the flow information (step S420). The processing module 33 is configured to combine the filters and elements into a set of flow comparison conditions 'and to perform flow information according to the flow ratio comparison condition (step "to make a person's request for a flow rate condition (pour_) The processing module 33M arranges the flow information 310 conforming to the flow comparison condition according to the flow accumulation condition (step S·). Then, the processing module accumulates the flow information according to the flow information 31〇' obtained according to the step _ The number of conditional times is accumulated and the item ranking is performed, and then the output-statistical report 34〇 is output (step S46〇). For example, if the traffic is selected and sorted by decrement, the statistical report 34G will follow the flow information according to the flow rate from large to small. According to the statistical report, the operator estimates that -_朿" is used to determine whether the network address where the network abnormality occurs can be selected (step S470). If the selected network address range is selected When it is too large, the operator can select another filter element according to the traffic information 31G in the statistical report 34G. The 200833015 detection system uses the new traffic comparison condition and repeats the steps. Until the staff month b is enough to lock out the network address of the abnormal event (step (10)). Finally, the abnormal network address will be locked (step §49〇). To more clearly explain the debt of this embodiment The method of measuring the operation of the system 23 is here - the example is _. If at the time, the operator finds abnormal traffic on the network. First, the operator sets the fine system 230 to be detected according to step S410. , IL Liri Shou section, the detection system 23 〇 will capture all traffic in the network within this traffic time zone = #讯. In the line of this flow time section of the towel traffic 1, domain people贞 开始 设定 设定 设定 设定 设定 设定 选 选 选 ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( In the flow of 1 wood, that is, the subsequent processing module 330 will earn a profit for all traffic _ 〇. The detection system 23 〇 according to the _ time of the pure towel touch _ traffic _ _ _ _ Down, (4) Personnel area $ setting - nickname for flow _ and recursive axis: = number to do Statistical scores __(Difficult to face) ^^^1 Quantity information 310 Agreement and nickname as the graph is the use of the target end of the statistical report. ^ Wei, ° 1 wooden cattle, 'and take the first one The first time of the second round of the project ^ system will now analyze the results of the output of the mouth, cut the report 5K). But because the network covers the second brother 12 200833015 - ten report 510 selected network abnormal network The range of the address. Therefore, the operator will set a new filter, element, and then the detection system, wash 230 will perform the steps again. (10) 2 Figure 1 to the first round of the statistical report 51G as an example, operation If the person judges the cause of the abnormal network traffic in the report 510, the UDp/1434, (this is the redQUeryLangUage) protocol commonly used in the first round of the statistical report 埠No.) There is an unreasonable ratio of =J. Therefore, the operator suspects that the network traffic may be affected by the "spotting". According to "Sl_er", the special size of the packet is 44 bytes. So the operator can base on these two characteristics: the communication protocol and nickname is "Qing 1434, and the packet size is ''private The group 'T' corresponds to the _policy and adds the filter element to the person-round traffic comparison condition. "And in order to find out the attacker's network address, you can force the source and network address in the traffic accumulation", and take the top 5 items (in descending order) two items: for forest classification The basis of statistics. In the cross-side system, the classification statistics can be moved, and (4) the first-round report is 52〇. The first figure is the second round statistical report using the source network address as the traffic accumulation condition and taking the top 5 items. After the analysis of the second round, the operator i can clearly define the network. The occurrence of anomalies and the source address of the network attacker. If the operator needs more advanced steps, he can perform the third round of analysis. For example, the faller wants to know what the attackers of each network are affecting. ‘Become a staff member and add a red pigment. Source _ road address. The traffic accumulation condition is set to 13 200833015 rf-route & ‘sub-take two】name of the line. The statistical report of the third round (Figure Yin Yiweiqing can find the most important _ road equipment for the ping Tao Road. According to the embodiment of the invention, the above method and system are in the centralized system, the power upper level The design of the conditional infinite accumulation condition. This design can make the operation j not need to flow around the money/equipment, so that the 4 can be painful, the clothes are (4) and the manpower is moved. = report, the results obtained by each analysis as a comparison condition of the second analysis 'so can gradually deepen the _ _ road towel red occurrence of the network address of the different parts. M in addition to familiar with the field of art, You can also use the neural network (NeumI e=〇rk), expert system (Εχ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ The feedback mechanism is designed without departing from the spirit of the invention. Although the preferred embodiment of the bribe of the present invention is disclosed above, it is not the use of _f gamma, and the temperament and scope of the thorn, although some modifications and refinements can be made, Therefore, the scope of patent protection of the present invention is subject to the definition of the scope of the patent application attached to the specification. [Simplified description of the diagram] Figure 1 is a schematic diagram of the connection of the Internet. Figure 2 is a diagram showing the network composition of the present embodiment. The diagram is based on the actual _ _ network anomaly _ _ _ _ _ 3 Figure 14 200833015 The fourth diagram is the Detective 4 'road of the Detective ; is the use of the agreement of the destination end and 埠f Lu IA ☆ Take " month J Chuan name of the first person 衾 ▲ early ab as a traffic accumulation condition and the 5th figure Ά ~ statistical report. Figure 5a The second round address of the top five items in the figure is the traffic accumulation condition and is taken as the [main component symbol description] 010 Internet 100 domain 110 node 120 abnormal node 130 router 140 switch 230 network abnormal event detection System 310 Flow Information 320 Signal Receiving Module 330 Processing Module 340 Statistical Report S410 Set Flow Time Period S420 Select if the filter element S430 is based on this filter element composition flow comparison condition S440 Set the flow accumulation condition S450 According to the flow * accumulation Conditional classification of traffic information 15 200833015 S480 S490 510 520 Select other filter elements to lock abnormal network addresses. The first round of statistical reports for the second round Total Reports 16

Claims (1)

200833015 十、申請專利範圍: 1.二種網路異常事件之侧方法,槪·巾傳遞之複數個流量 貧絲偵咖路巾發生異常事件賴路位址,該些流量資訊中 具有複數個雜,該方法包括下列步驟: 双疋級1%間區段,擷取該流量時間區段中於網路 傳遞之該些流量資訊; &2逆擇至少一過濾元素,且該至少一過濾元素可對應至 少該些屬性之一; a3·心該至過濾元素組成—流量比對條件,用以筛選 符合該流量比對條件之該些流量資訊; 叹疋-流1累計條件,用以分類統計符合該流量比對 條件的該些流量資訊; a5·右該些流f魏巾該些屬性之—符合誠量比對條件 時,則將該流量資訊分類統計後再輸出至一統計報表中: %•依據一判斷策略選取出該統計報表中異常事件之網路 位址;以及 a7·若無法選取出該簡絲巾異常事件之網路位址時, 則自該統計報表中選擇該些過濾元素加人先該流量比對 條件中’並重複執行步驟a5,直至可選取出該統計報表中異 常事件之網路位址為止。 2.如申料利細第〗項所述之網路異常事件之制方法,其中 該統計報表可依照遞減方式或遞增方式對該些流量資訊進 排序。 、σ 17 200833015 3·如申請專利範圍第1項所述之網路異常事件之偵測方法,其中 該些過濾元素至少包括一網際網路協定位址(Intemet Pr〇t〇c〇1, IP)、一網際網路協定前置(Internet pr〇t〇c〇i prefix,Ip prefix)、 -通訊協定(Protocol)、-埠號(Port)、一,路介面(1_仏十 - TCP 旗標值(TCP flag)、-服務類別值(Type 〇f Service, ToS)、一次一節點(NextH〇p)以及一封包大小。 4·如申請專利範圍第3項所述之網路異常事件之制方法,其中 該流量累計條件為該些過濾元素的集合之任一。 5.如申請專利範圍第3項所述之網路異常事件之偵測方法,其中 該判斷策略為該些過濾元素的集合之任一。 ^ 6· 1罔路*彳事件之偵鱗統,其彻網路中傳遞之複數個流 量資訊來_發生異常料_馳址,轉流 複數個屬性統包括·· 、 號接收模組’用以接收該些流量資訊;以及 •一處理模組,耦接於該信號接收模組; 此沒旦財,該處理模組勤'"流量比對條件進行_符合的該 1=貧Γ,流量比對條件是依據若干個過濾元素所組成,該 應於該些屬性所設置,該處理模組將篩選後的該 言^表 量累計條件的方式分類統計,並輸出成一統 7·如申請專利範圍第6項 網路中傳遞之該此产量m 件之_系統,其中 如申,專利若干個網路設傷所傳遞。 1翻補P賴狀纟_異轉叙侧 18 200833015 該些網路設備包括有至少一路由器或至少一交換機。 9·如申請專利範圍第6項所述之網路異常事件之偵測系統,其中 該處理模組用以設定一流量時間區段,使得該處理模組僅針對 該流量時間區段中之該些流量資訊進行處理。 10·如申請專利範圍第6項所述之網路異常事件之偵測系統,其中 該流量比對條件的依據是對應於該些屬性之任一。 11·如申請專利範圍第6項所述之網路異常事件之偵測系統,其中 違過濾、元素包括一網際網路協定位址(Intemet Pr〇t〇c〇1,JP>、一 網際網路協定前置(Internet Protocol Prefix,IP Prefix)、一 通訊協 疋(ProtoW)、一埠號(p〇rt)、一網路介面(^伽也⑽、一 Tcp旗 丨示值(TCP flag)、一服務類別值(Type 0f Service,ToS)、一次一 節點(Next Hop)以及一封包大小。 12·如申請專利範圍第6項所述之網路異常事件之偵測系統,其中 定1累計條件為該些過濾元素的集合之任一。 13·如申睛專利範圍第6項所述之網路異常事件之偵測系統,其中 該系統根據該統計報表的流量資訊之過濾元素,將其新增至該 流量比對條件。 4·如申明專利範圍第6項所述之網路異常事件之偵測系統,其中 該統計報表可依照遞減方式或遞增方式對該些流量資訊進行 排序。 19200833015 X. The scope of application for patents: 1. The method of the two kinds of network anomalies, the multiple traffic flow of the 贫·巾 towel is abnormal, and the traffic information has multiple miscellaneous The method includes the following steps: a dual-level 1% inter-section, extracting the traffic information transmitted by the network in the traffic time segment; & 2 deselecting at least one filtering element, and the at least one filtering element Corresponding to at least one of the attributes; a3·heart to filter element composition-flow comparison condition for filtering the flow information that meets the flow comparison condition; sigh-flow 1 accumulation condition for classification The traffic information that meets the traffic comparison condition is counted; a5·the right flow of the flow f-wei towel--in accordance with the honest comparison condition, the traffic information is classified and then output to a statistical report. : %•Select the network address of the abnormal event in the statistical report according to a judgment strategy; and a7·If the network address of the simple scarf abnormal event cannot be selected, select these from the statistical report. Over The addition of elements to match the flow conditions' and repeat step a5, optionally taken until the network address of the statistical report of the abnormal event so far. 2. The method for preparing a network anomaly event as described in the claim, wherein the statistical report can sort the traffic information in a decreasing manner or in an incremental manner. σ 17 200833015 3. The method for detecting a network anomaly as described in claim 1, wherein the filtering elements include at least one internet protocol address (Intemet Pr〇t〇c〇1, IP) ), an Internet Protocol Premise (Internet pr〇t〇c〇i prefix, Ip prefix), - Protocol (Protocol), - 埠 (Port), one, road interface (1_仏十-TCP flag TCP flag, - Service class value (Type 〇f Service, ToS), one node at a time (NextH〇p), and a packet size. 4. The network anomaly event as described in claim 3 The method for detecting a network abnormality as described in claim 3, wherein the determining method is the filtering element Any of the collections. ^ 6· 1罔路彳彳 之 侦 , , , , , , , , , , , , , 彳 彳 彳 彳 彳 彳 彳 彳 彳 彳 彳 彳 彳 彳 复 复 复 复 复 复 复 复 复 复 复 复 复 复 复 复a receiving module 'for receiving the traffic information; and a processing module coupled to the letter Receiving module; this is not a good fortune, the processing module is '" traffic comparison condition _ compliant with the 1 = barren, the flow comparison condition is composed of several filtering elements, which should be The processing module classifies and counts the filtered condition of the cumulative condition of the vocabulary, and outputs the statistic, and outputs the _ system of the output m, which is transmitted in the network of the sixth item of the patent application scope. Among them, such as Shen, a number of patents transmitted by the network. 1 翻 补 纟 _ 转 转 2008 2008 2008 2008 2008 2008 2008 2008 2008 2008 2008 2008 2008 The detection system of the network abnormal event described in the above, wherein the processing module is configured to set a traffic time segment, so that the processing module processes only the traffic information in the traffic time segment. The detection system for network anomaly events as described in claim 6 wherein the flow comparison condition is based on any of the attributes. 11. As described in claim 6 Network anomaly The measurement system, in which the violation filter, the element includes an internet protocol address (Intemet Pr〇t〇c〇1, JP>, an Internet Protocol Prefix (IP Prefix), a communication protocol ( ProtoW), a nickname (p〇rt), a network interface (^ gamma also (10), a Tcp flag value (TCP flag), a service class value (Type 0f Service, ToS), one node at a time (Next) Hop) and a packet size. 12. The system for detecting a network anomaly as described in claim 6 wherein the cumulative condition is one of the set of filter elements. 13. The detection system for network anomaly events as described in claim 6 of the scope of the patent application, wherein the system adds the traffic information to the traffic comparison condition according to the filtering element of the traffic information of the statistical report. 4. The detection system for network anomaly events as described in claim 6 of the patent scope, wherein the statistical report may sort the traffic information in a decreasing manner or in an incremental manner. 19
TW96103074A 2007-01-26 2007-01-26 Method and system for detecting network anomaly events TW200833015A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW96103074A TW200833015A (en) 2007-01-26 2007-01-26 Method and system for detecting network anomaly events

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW96103074A TW200833015A (en) 2007-01-26 2007-01-26 Method and system for detecting network anomaly events

Publications (1)

Publication Number Publication Date
TW200833015A true TW200833015A (en) 2008-08-01

Family

ID=44819015

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96103074A TW200833015A (en) 2007-01-26 2007-01-26 Method and system for detecting network anomaly events

Country Status (1)

Country Link
TW (1) TW200833015A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI617939B (en) * 2016-12-01 2018-03-11 財團法人資訊工業策進會 Attacking node detection apparatus, method, and computer program product thereof
US10742668B2 (en) 2016-12-05 2020-08-11 Institute For Information Industry Network attack pattern determination apparatus, determination method, and non-transitory computer readable storage medium thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI617939B (en) * 2016-12-01 2018-03-11 財團法人資訊工業策進會 Attacking node detection apparatus, method, and computer program product thereof
US10250626B2 (en) 2016-12-01 2019-04-02 Institute For Information Industry Attacking node detection apparatus, method, and non-transitory computer readable storage medium thereof
US10742668B2 (en) 2016-12-05 2020-08-11 Institute For Information Industry Network attack pattern determination apparatus, determination method, and non-transitory computer readable storage medium thereof

Similar Documents

Publication Publication Date Title
CN110149343B (en) Abnormal communication behavior detection method and system based on flow
Lakhina et al. Characterization of network-wide anomalies in traffic flows
Barford et al. Characteristics of network traffic flow anomalies
Gogoi et al. Packet and flow based network intrusion dataset
Callado et al. A survey on internet traffic identification
CN102315974B (en) Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows
US7440409B2 (en) Network traffic monitoring system and monitoring method
CN104115463B (en) For processing the streaming method and system of network metadata
CN107733937A (en) A kind of Abnormal network traffic detection method
US8769091B2 (en) Method, device and medium for determining operations performed on a packet
CN107645542A (en) A kind of data acquisition device applied to cloud auditing system
CN101803312A (en) Abnormal traffic detection device, abnormal traffic detection method, and abnormal traffic detection program
CN106953833A (en) A kind of ddos attack detecting system
CN106663040A (en) Method and system for confident anomaly detection in computer network traffic
CN109922048A (en) One kind serially dispersing concealed threat Network Intrusion detection method and system
Song et al. Flow-based statistical aggregation schemes for network anomaly detection
CN107689958A (en) A kind of network audit subsystem applied to cloud auditing system
Amrutkar et al. Why is my smartphone slow? on the fly diagnosis of underperformance on the mobile internet
Brownlee Using NeTraMet for production traffic measurement
CN104079452A (en) Data monitoring technology and network traffic abnormality classifying method
TW200833015A (en) Method and system for detecting network anomaly events
McHugh et al. Passive network forensics: behavioural classification of network hosts based on connection patterns
D’Antonio et al. High-speed intrusion detection in support of critical infrastructure protection
Lu et al. Detecting network anomalies using CUSUM and EM clustering
JP4246238B2 (en) Traffic information distribution and collection method