CN102821002A - Method and system for network flow anomaly detection - Google Patents

Publication number: CN102821002A
Authority: CN (China)
Prior art keywords: attack, output, characteristic data, network, quantum
Legal status: Granted, currently active (status as listed by Google Patents, not a legal conclusion)
Application number: CN2011101542263A (priority application CN201110154226.3A)
Other languages: Chinese (zh)
Other versions: CN102821002B (granted publication)
Inventor: 杨柳青
Current assignee: China Mobile Group Henan Co Ltd
Original assignee: China Mobile Group Henan Co Ltd
Application filed by China Mobile Group Henan Co Ltd


Abstract

The invention discloses a method and a system for network flow anomaly detection. The method includes: monitoring network flow, and extracting basic characteristic data of the network flow; determining combination characteristic data of selected aggressive behaviors according to the extracted basic characteristic data, wherein the combination characteristic data are subsets of the basic characteristic data; inputting the determined combination characteristic data into corresponding flow models of the selected aggressive behaviors to obtain output results, wherein the flow models are preset according to sample data of the selected aggressive behaviors in a sample characteristic library; and determining whether the selected aggressive behaviors exist in the network flow or not according to the obtained output results. Using the method and the system for network flow anomaly detection can realize diversification in flow detection, more accuracy in identification and high extensibility.

Description

Network traffic anomaly detection method and system
Technical field
The present invention relates to the field of network information security technology, and in particular to a network traffic anomaly detection method and system applicable to a high-speed IP metropolitan area network (MAN).
Background art
With the development of the Internet, network traffic has grown rapidly and the Internet has become an indispensable information carrier. At the same time, traffic that departs from the normal range (abnormal traffic) frequently appears in network traffic. It is mainly caused by malicious network attack behaviours such as worm propagation, DoS attacks, DDoS attacks and botnets, and also by network configuration errors, sporadic line interruptions and the like. Such abnormal traffic tends to make the service quality of the whole network drop sharply, and the victim end hosts or even the network itself may be paralysed. How to perform network anomaly detection in a large-scale network environment and provide early-warning information in time is therefore of great significance for ensuring normal network operation.
Meanwhile, as network bandwidth keeps increasing, network traffic anomaly detection faces new problems. On the one hand, network transmission speeds have increased substantially: the same network attack that is very noticeable in a local area network (LAN) may not be easy to discover on a high-speed line, so a high-accuracy network traffic anomaly detection model is needed. On the other hand, higher bandwidth also accelerates the speed of network attacks; taking an Internet worm outbreak as an example, a worm can infect most vulnerable hosts on the Internet within 10 minutes or even less. This requires the anomaly detection system not only to identify abnormal traffic rapidly and efficiently, but also to apply a blocking strategy in real time.
The key to anomaly detection is therefore to analyse the description of the normal behaviour of network traffic, discover abnormal behaviour that may be occurring in the network or system, and alert the administrator or react proactively.
Existing anomaly detection methods mainly include: statistical anomaly detection; threshold-based anomaly detection; wavelet-based anomaly detection; immunology-based anomaly detection; anomaly detection based on machine learning, data mining and neural networks; and anomaly detection based on traffic information entropy.
These methods mainly have the following problems:
(1) Alarms are ambiguous. The above anomaly detection methods only detect one or several feature vectors in the network traffic, and the chosen feature vectors carry no specific attack meaning. When the detection system raises an alarm it therefore only knows that some feature vector in the network has become abnormal, and still cannot judge what kind of attack has occurred.
(2) Shared data for collaborative operation cannot be provided. The Internet is an interconnection of many management domains without centralised management, yet anomaly detection requires collaboration between the individual detection systems, so providing shared data, the main content of such collaboration, becomes extremely important.
(3) Extensibility is poor. Existing anomaly detection systems mostly adopt one or several single network feature vectors as the basis for learning and judgement, so their description of network traffic anomalies is rather thin; when detection systems operate collaboratively, the small number of network feature vectors chosen may limit the extensibility of the detection system.
(4) Detection accuracy, real-time performance, comprehensiveness and the ability to recognise new abnormal behaviour cannot meet the requirements of anomaly detection.
Detection accuracy, real-time performance, comprehensiveness and the ability to recognise new abnormal behaviour are the four key indicators for evaluating an anomaly detection system. Current anomaly detection methods cannot carry the real-time measurement of high-speed network traffic, so they cannot achieve real-time anomaly detection; they generally process traffic by cluster sampling, and because sampling inevitably loses traffic information, detection precision and accuracy decrease and cannot meet the accuracy requirements of high-speed traffic monitoring. In addition, existing anomaly detection means are single-purpose and their recognition ability is limited, so both the comprehensiveness of detection and the ability to recognise new abnormal behaviour are poor.
It can be seen that existing traffic anomaly detection implementations have many factors that lead to poor detection results, such as detection accuracy, real-time performance, comprehensiveness and alarm ambiguity. At the same time, because they detect against a single feature vector and use a single control strategy, the anomaly detection has poor extensibility and limited recognition ability. And because the recognition rate of software processing is low, anomaly detection can only send an alarm to the administrator and cannot block the abnormal traffic.
Summary of the invention
Embodiments of the invention provide a network traffic anomaly detection method and system, in order to solve the problems of poor effectiveness, poor flexibility and poor extensibility of traffic anomaly detection in the prior art.
A network traffic anomaly detection method comprises:
monitoring the traffic in the network and extracting basic feature data of the network traffic;
determining, according to the extracted basic feature data, the combined feature data of a selected attack behaviour, wherein the combined feature data are a subset of the basic feature data;
inputting the determined combined feature data into the flow model corresponding to the selected attack behaviour to obtain an output result, the flow model being established in advance according to the sample data of the selected attack behaviour in a sample feature library;
determining, according to the obtained output result, whether the selected attack behaviour exists in the network traffic.
A network traffic anomaly detection system comprises a traffic statistics and filtering subsystem and a network management analysis subsystem;
the traffic statistics and filtering subsystem is used to monitor the traffic in the network and extract basic feature data of the network traffic;
the network management analysis subsystem is used to determine, according to the extracted basic feature data, the combined feature data of a selected attack behaviour, wherein the combined feature data are a subset of the basic feature data; to input the determined combined feature data into the flow model corresponding to the selected attack behaviour to obtain an output result, the flow model being established in advance according to the sample data of the selected attack behaviour in a sample feature library; and to determine, according to the output result of the flow model of the selected attack behaviour, whether that attack behaviour exists in the network traffic.
The beneficial effects of the invention are as follows:
In the network traffic anomaly detection method and system provided by the embodiments of the invention, the traffic in the network is monitored in real time, basic feature data of the network traffic are extracted, the combined feature data of a selected attack behaviour are determined, the determined combined feature data are input in turn into the flow model corresponding to that attack behaviour, and an output result is obtained, from which it is determined whether that attack behaviour exists in the network traffic. The method establishes a separate model for each attack behaviour, so it can accurately detect which kind of attack has occurred; alarms are unambiguous and detection accuracy is high. The method extracts the basic feature data of the network traffic in real time and determines combined feature data specifically for each attack behaviour, so it can comprehensively detect various attack behaviours and facilitates cooperative management across multiple management domains. The set of detectable attack behaviours can easily be extended: when a new attack behaviour appears, its flow model can be established and used to detect it, so extension is convenient. The method obtains good detection results and high detection accuracy.
Description of drawings
Fig. 1 is a schematic structural diagram of the network traffic anomaly detection system in an embodiment of the invention;
Fig. 2 is a flow chart of the network traffic anomaly detection method in an embodiment of the invention;
Fig. 3 is a structural diagram of the flow model built on a quantum wavelet neural network in an embodiment of the invention;
Fig. 4 is a deployment diagram of the network traffic anomaly detection system in a metropolitan area network in an embodiment of the invention;
Fig. 5 is a schematic diagram of the specific structure of the network traffic anomaly detection system in an embodiment of the invention;
Fig. 6 is a schematic diagram of the specific structure of the network management analysis subsystem in an embodiment of the invention.
Embodiments
In the prior art, network traffic anomaly detection has problems such as poor effectiveness, poor flexibility and poor extensibility. Embodiments of the invention provide a network traffic anomaly detection method that performs traffic anomaly detection based on features of the network traffic extracted in real time. Because a combination of several feature data items is considered for each different anomalous attack behaviour, the real-time performance, accuracy and comprehensiveness of detection are all improved, and the flexibility and extensibility of detection are also good.
The network traffic anomaly detection method provided by the embodiments is implemented by the network traffic anomaly detection system shown in Fig. 1. The system comprises a traffic statistics and filtering subsystem 1 and a network management analysis subsystem 2.
The traffic statistics and filtering subsystem 1 is used to monitor the traffic in the network and extract the basic feature data of the network traffic.
The network management analysis subsystem 2 is used to determine, according to the extracted basic feature data, the combined feature data of a selected attack behaviour, wherein the combined feature data are a subset of the basic feature data; to input the determined combined feature data into the flow model corresponding to the selected attack behaviour to obtain an output result, the flow model being established in advance according to the sample data of the selected attack behaviour in a sample feature library; and to determine, according to the output result of the flow model of the selected attack behaviour, whether that attack behaviour exists in the network traffic.
Preferably, the network management analysis subsystem 2 is further used to set flow control parameters according to the attribute information of the selected attack behaviour when it determines that the attack behaviour exists in the network traffic;
and the traffic statistics and filtering subsystem 1 is further used to filter and control the network traffic according to the flow control parameters that have been set.
The flow of the above network traffic anomaly detection method, based on a high-speed IP metropolitan area network, is shown in Fig. 2 and comprises the following steps:
Step S11: monitor the traffic in the network and extract the basic feature data of the network traffic.
The traffic in the network is monitored in real time, and a set number of feature items are extracted from at least one of the following kinds of information as the basic feature data: flow-related information, packet-related information, protocol-related information, port-related information, port traffic-related information, address-related information and TCP flag bit-related information.
Specifically, a set number of feature data items are extracted from the above information, including some of the following: number of packets in the flow, number of bytes in the flow, flow start time, flow end time, packet length oscillation frequency, average packet interval, average packet length, number of SYN packets, protocol type, source port, destination port, number of packets sent per second, source address and destination address. These basic feature data describe the running state of the network traffic in considerable detail.
For example, the collected basic feature data can be written as a basic feature set containing n basic feature variables, X_1, X_2, …, X_n, where n denotes the number of basic feature variables in the basic feature set; preferably, n = 256.
Step S12: determine, according to the extracted basic feature data, the combined feature data of the selected attack behaviour, where the combined feature data are a subset of the basic feature data.
The classification cross-entropy between the extracted basic feature data and the selected attack behaviour is computed; according to the cross-entropy result, the significance level of each basic feature data item for the selected attack behaviour is determined; and according to the significance level of each basic feature data item for the selected attack behaviour, the combined feature data of that attack behaviour are chosen from the basic feature data.
That is, combined feature data are chosen for every attack behaviour that may exist. When reducing the features, information entropy theory is exploited: the cross-entropy between each basic feature variable X_1, X_2, …, X_n in the basic feature set and the different attack behaviours is calculated to choose the important features, and the significance level λ_i of each basic feature variable X_i (i = 1, 2, …, n) is determined according to the magnitude of the cross-entropy.
The important basic feature variables are chosen according to their significance levels to form the combined feature set X_1, X_2, …, X_m, where m < n, from which the combined feature data are obtained:
[inline formula image not extracted]
By exploiting information entropy theory, the important feature data are chosen by calculating the cross-entropy between the extracted basic feature data and the different attack behaviours, and a combined feature set that accurately represents each attack behaviour is established from the chosen important feature data, achieving an effective reduction of the basic feature data computed from the network flows.
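As an added illustration of the entropy-based feature reduction in step S12 (this is example code, not code from the patent), the block below computes a significance level λ_i for each basic feature from a constructed, labelled sample library and keeps the m most significant features as the combined feature set. The patent does not fix the exact cross-entropy computation; this example assumes mutual information between each median-binarised feature and the attack label, and the feature names, sample values and m = 2 are all constructed.

```python
import math
from statistics import median

# Constructed sample library: 10 flow records with 4 basic features and a
# DDoS label (1 = attack sample, 0 = normal sample). All values are made up.
SAMPLE_FEATURES = {
    "pkt_count":   [5000, 6200, 4800, 7000, 5500, 120, 90, 300, 45, 210],
    "syn_count":   [4900, 6100, 4700, 6900, 5400, 1, 2, 3, 1, 2],
    "avg_pkt_len": [60, 64, 62, 60, 61, 800, 650, 900, 700, 55],
    "src_port":    [40001, 50002, 40003, 50004, 40005,
                    50006, 40007, 50008, 40009, 50010],
}
SAMPLE_LABELS = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]


def entropy(labels):
    """Shannon entropy (in bits) of a list of class labels."""
    n = len(labels)
    if n == 0:
        return 0.0
    h = 0.0
    for c in set(labels):
        p = labels.count(c) / n
        h -= p * math.log2(p)
    return h


def binarize(values):
    """Discretise a numeric basic feature into two bins: above / not above its median."""
    threshold = median(values)
    return [1 if v > threshold else 0 for v in values]


def feature_significance(features, labels):
    """Significance level lambda_i of every basic feature X_i for the attack label Y.

    Assumed measure: mutual information I(X_i; Y) = H(Y) - H(Y | X_i), computed on
    the binarised feature. A feature whose value says nothing about the label
    scores near 0; a feature that separates attack from normal perfectly scores H(Y).
    """
    h_y = entropy(labels)
    n = len(labels)
    significance = {}
    for name, values in features.items():
        bins = binarize(values)
        h_y_given_x = 0.0
        for b in (0, 1):
            subset = [y for y, x in zip(labels, bins) if x == b]
            h_y_given_x += len(subset) / n * entropy(subset)
        significance[name] = h_y - h_y_given_x
    return significance


def select_combined_features(features, labels, m):
    """Reduce the n basic features to the m most significant ones (m < n).

    Returns [(feature_name, lambda_i), ...] ordered by decreasing significance;
    this is the combined feature set X_1..X_m of the selected attack behaviour.
    """
    if not 0 < m < len(features):
        raise ValueError("m must satisfy 0 < m < n")
    sig = feature_significance(features, labels)
    ranked = sorted(sig, key=lambda k: sig[k], reverse=True)  # stable for ties
    return [(name, sig[name]) for name in ranked[:m]]


if __name__ == "__main__":
    for name, lam in feature_significance(SAMPLE_FEATURES, SAMPLE_LABELS).items():
        print(f"{name:12s} lambda = {lam:.3f}")
    print("combined feature set:", select_combined_features(SAMPLE_FEATURES, SAMPLE_LABELS, 2))
```

On the constructed library, packet and SYN counts separate the DDoS samples perfectly and are kept, while the source port, which is unrelated to the label, scores close to zero and is dropped.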
Step S13: input the determined combined feature data into the flow model corresponding to the selected attack behaviour to obtain an output result.
For each possible attack behaviour, after the combined feature data are extracted they are input into the flow model corresponding to that attack behaviour.
The flow model is established in advance according to the sample data of the selected attack behaviour in the sample feature library. Specifically, it is obtained by training a quantum wavelet neural network on the features of that attack behaviour in the sample feature library.
The establishment of the flow model, and the process of using the flow model to process the statistically obtained combined feature data and obtain the output result, are described in detail below.
Step S14: determine, according to the output result of the flow model of the selected attack behaviour, whether an attack behaviour exists in the network traffic and the type of that attack behaviour.
Determining from the obtained output result whether an attack behaviour exists in the network traffic and the type of that attack behaviour specifically comprises: according to which attack behaviour's flow model produced the output result, determining the type of attack behaviour corresponding to that flow model; and according to the output value of the output result, determining whether that output value corresponds to the presence or the absence of the attack behaviour. Together these determine whether an attack behaviour exists in the network traffic and of which type.
If the flow model that produced the output result is the flow model of a DDoS attack, then when the output result is the output value for normal traffic it is determined that no DDoS attack exists, and when the output result is the output value for abnormal traffic it is determined that the attack behaviour present is a DDoS attack;
If the flow model that produced the output result is the flow model of a Trojan horse, then when the output result is the output value for normal traffic it is determined that no Trojan horse exists, and when the output result is the output value for abnormal traffic it is determined that the attack behaviour present is a Trojan horse;
If the flow model that produced the output result is the flow model of malicious code, then when the output result is the output value for normal traffic it is determined that no malicious code exists, and when the output result is the output value for abnormal traffic it is determined that the attack behaviour present is malicious code;
If the flow model that produced the output result is the flow model of a zombie (bot) virus, then when the output result is the output value for normal traffic it is determined that no zombie virus exists, and when the output result is the output value for abnormal traffic it is determined that the attack behaviour present is a zombie virus.
That is, from the output result of the flow model of a certain attack behaviour it can be judged whether that attack behaviour exists in the network traffic. For example, after the combined feature data of a selected attack behaviour, say a Trojan attack, are input into the flow model of that attack behaviour, an output result of A indicates that no Trojan attack exists, while an output result of B indicates that a Trojan attack exists.
Preferably, the above network traffic anomaly detection method further comprises:
Step S15: when a certain selected attack behaviour is determined to exist in the network traffic, set flow control parameters according to the attribute information of that attack behaviour.
Once a certain attack behaviour is found in the network traffic, the flow control parameters of that attack behaviour, for example port, address or other control parameters, are determined from the combined feature data of that attack behaviour extracted from the network traffic.
Preferably, when the selected attack behaviour is determined to exist in the network traffic, alarm display information is provided to the user.
Step S16: filter and control the network traffic according to the flow control parameters that have been set.
The network traffic is filtered and controlled according to the flow control parameters that have been set, such as port and address, so that network traffic matching the set flow control parameters is intercepted. This achieves interception, blocking and filtering of the attack behaviour in the network traffic.
In the above method, the process of establishing the flow model specifically comprises:
1) Determining the model parameter weights of the flow model based on the quantum wavelet neural network according to the desired output and the actual output for the sample data. By adjusting the model parameter weights, the input data can be mapped into different state spaces.
The mean square error function of the training samples is computed from the desired output and the actual output of the sample data, where the mean square error function of a sample is:
$$E_k = \frac{1}{2}\sum_{k=1}^{2}\left(y_k^s - c_k^s\right)^2 = \frac{1}{2}\sum_{k=1}^{2}\left(y_k^s - \sum_{j=1}^{u} v_{jk}\left(\frac{1}{n_q}\sum_{q=1}^{n_q} h\left(\frac{\left(\beta\left(\sum_{i=1}^{m} w_{ij}\lambda_i X_i\right) - \theta_j^q\right) - b_j}{a_j}\right)\right)\right)^2$$
where y_k^s is the desired output of the k-th output neuron for the s-th batch of samples, and c_k^s is the actual output of the k-th output neuron for the s-th batch of samples.
Assuming that the wavelet basis of the quantum wavelet neural network is a dyadic orthogonal wavelet function, the model parameter weights w_ij, v_jk, a_j and b_j of the flow model based on the quantum wavelet neural network can be trained from the above mean square error function; in the quantum wavelet network these neuron weights w_ij, v_jk, a_j and b_j are the adjustable parameters.
Specifically, the mean square error function E_k can be minimised on the sample data with the Fast Newton (FN) algorithm to train the neural network and obtain the corrections to w_ij, v_jk, a_j and b_j.
2) Adjusting the quantum intervals of the quantum wavelet neural network model according to the determined model parameter weights of the flow model.
In each training cycle, the connection weights between the layers and the quantum intervals of the hidden-layer quantum neurons are updated. Specifically, according to the obtained neuron weights w_ij, v_jk, a_j and b_j, the quantum intervals of the hidden-layer quantum wavelet neurons of the neural network model are adjusted by the corresponding algorithm
[quantum interval adjustment formula: image not extracted]
The idea of the quantum interval adjustment algorithm is to make the variation in the hidden-neuron outputs of the quantum wavelet neural network as small as possible for sample data of the same type of traffic behaviour.
3) Establishing the flow model based on the quantum wavelet neural network according to the determined model parameter weights and the adjusted quantum intervals. The flow model established on the quantum wavelet neural network is:
$$c_k^s = \sum_{j=1}^{u} v_{jk}\left(\frac{1}{n_q}\sum_{q=1}^{n_q} h\left(\frac{\left(\beta\left(\sum_{i=1}^{m} w_{ij}\lambda_i X_i\right) - \theta_j^q\right) - b_j}{a_j}\right)\right), \quad k = 1, 2$$
where:
y_k^s is the desired output of the k-th output neuron for the s-th batch of samples;
c_k^s is the actual output of the k-th output neuron for the s-th batch of samples;
X_i is a feature vector in the combined feature data;
λ_i denotes the significance level of the feature vector X_i;
w_ij is the connection weight from input layer node P_i to hidden layer neuron S_j;
β is the slope factor;
θ_j^q is the quantum interval;
a_j is the scale factor of the hidden-layer activation function;
b_j is the shift factor of the hidden-layer activation wavelet function;
h(·) is the hidden-layer activation function;
n_q is the number of quantum intervals;
v_jk is the connection weight from a hidden layer neuron to an output layer neuron.
By training a quantum wavelet neural network on sample data of network traffic, a flow model based on multi-dimensional features is established and used to detect abnormal network traffic.
Because the sample feature library supports online remote upgrade, the quantum wavelet neural network can promptly establish detection and recognition models for new abnormal behaviours, which makes it convenient to update the abnormal traffic detection and recognition models in real time.
The structure of the flow model established on the quantum wavelet neural network is shown in Fig. 3. In this flow model, the input layer L_in has m nodes, corresponding to the m vectors of the combined feature set; the hidden layer L_h has u nodes; and the output layer L_out has 2 nodes. Each output node corresponds to one output result, mapping respectively to the normal and the abnormal state of the network traffic. Nodes in adjacent layers are fully interconnected, and there are no connections between neurons within the same layer.
(1) The input layer takes the combined feature set X_1, X_2, …, X_m and computes the input layer output function that feeds the hidden layer:
$$P_i = \lambda_i X_i, \quad i = 1, 2, \dots, m;$$
(2) The input layer output function is fed into the hidden layer, which computes the hidden layer node output function that feeds the output layer:
$$S_j = \frac{1}{n_q}\sum_{q=1}^{n_q} h\left[\beta\left(W^T P - \theta_j^q\right)\right], \quad j = 1, 2, \dots, u;$$
That is, the hidden-layer activation function is
[formula image not extracted]
which is a wavelet function containing the scale factor a_j and the shift factor b_j. β is the slope factor; W^T P is the input stimulus of the quantum wavelet neuron; θ_j^q is the quantum interval (q = 1, 2, …, n_q); n_q is the number of quantum intervals. W^T is the vector containing the w_ij, i.e. the network weight vector; P is the vector containing P_i = λ_i X_i (i = 1, 2, …, m), i.e. the network input vector, obtained from the input layer.
(3) The hidden layer node output function is fed into the output layer, and after the output layer's calculation the output results c_1 and c_2 are obtained.
Combining the calculations of the input layer, hidden layer and output layer, i.e. computing the flow model
$$c_k^s = \sum_{j=1}^{u} v_{jk}\left(\frac{1}{n_q}\sum_{q=1}^{n_q} h\left(\frac{\left(\beta\left(\sum_{i=1}^{m} w_{ij}\lambda_i X_i\right) - \theta_j^q\right) - b_j}{a_j}\right)\right), \quad k = 1, 2,$$
finally yields the output result, i.e. the output result satisfies the above formula.
Here v_jk is the connection weight between hidden layer neuron S_j and output layer neuron C_k.
The above model uses a quantum wavelet neural network, whose hidden neurons borrow the idea of quantum state superposition from quantum theory: a linear superposition of several wavelet basis functions is used as the activation function, and each superposed wavelet function has a different quantum interval.
Steps S13 and S14, in which the determined combined feature data are input in turn into the flow model corresponding to the selected attack behaviour and it is determined whether the selected attack behaviour exists in the network, are exactly the process of inputting the combined feature data into the above flow model based on the quantum wavelet neural network and finally obtaining the output result.
The combined feature set X_1, X_2, …, X_m obtained after information entropy reduction is taken as the combined feature data describing the selected attack behaviour and input into the flow model of that attack behaviour, which determines whether the attack behaviour exists in the network traffic.
Structurally, the quantum wavelet neural network is a multilayer feedforward neural network similar to a BP network. Because quantum wavelet neural networks can be realised in many forms, only one form is enumerated above. The key of the invention is determining whether each kind of attack behaviour exists based on dynamically extracted combined feature data for that attack behaviour, so that attack determination takes diversified features into account. The flow model established by the invention is therefore not limited to the above flow model based on a quantum wavelet neural network and may also be an existing mature neural network model based on wavelet theory.
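To make the flow model concrete, the following added example (not the patent's own code) implements the forward pass of the quantum wavelet neural network as written in the formula above, P_i = λ_i X_i, the hidden output S_j averaged over n_q quantum intervals, and c_k = Σ_j v_jk S_j, together with the mean square error used for training and the normal/abnormal decision of step S14. The concrete wavelet h (a Mexican hat), the weights, quantum intervals, sample vector and the convention "node 1 = normal, node 2 = abnormal" are assumptions; the patent only specifies a dyadic orthogonal wavelet basis and gives no trained parameters.

```python
import math


def mexican_hat(t):
    """Hidden-layer wavelet h(.). The patent only requires a dyadic orthogonal
    wavelet basis; the Mexican hat is an assumed concrete choice for this example."""
    return (1.0 - t * t) * math.exp(-t * t / 2.0)


class QuantumWaveletFlowModel:
    """Forward pass of the flow model
    c_k = sum_j v_jk * (1/n_q) * sum_q h(((beta * sum_i w_ij*lambda_i*X_i) - theta_j^q - b_j) / a_j)
    with m input nodes, u hidden quantum wavelet neurons and 2 output nodes."""

    def __init__(self, lam, w, theta, a, b, v, beta=1.0, h=mexican_hat):
        self.lam = lam        # lambda_i: significance level of combined feature X_i (m values)
        self.w = w            # w[i][j]: weight from input node P_i to hidden neuron S_j (m x u)
        self.theta = theta    # theta[j][q]: quantum intervals of hidden neuron j (u x n_q)
        self.a = a            # a_j: wavelet scale factor of hidden neuron j
        self.b = b            # b_j: wavelet shift factor of hidden neuron j
        self.v = v            # v[j][k]: weight from hidden neuron S_j to output C_k (u x 2)
        self.beta = beta      # slope factor
        self.h = h
        self.m, self.u, self.n_q = len(lam), len(theta), len(theta[0])

    def input_layer(self, x):
        # P_i = lambda_i * X_i
        return [self.lam[i] * x[i] for i in range(self.m)]

    def hidden_layer(self, p):
        # S_j = (1/n_q) * sum_q h(((beta * W^T P) - theta_j^q - b_j) / a_j):
        # a superposition of n_q copies of the same wavelet, each at its own quantum interval.
        s = []
        for j in range(self.u):
            stimulus = sum(self.w[i][j] * p[i] for i in range(self.m))  # W^T P
            total = 0.0
            for q in range(self.n_q):
                t = ((self.beta * stimulus - self.theta[j][q]) - self.b[j]) / self.a[j]
                total += self.h(t)
            s.append(total / self.n_q)
        return s

    def output_layer(self, s):
        # c_k = sum_j v_jk * S_j, k = 1, 2
        return [sum(self.v[j][k] * s[j] for j in range(self.u)) for k in range(2)]

    def forward(self, x):
        return self.output_layer(self.hidden_layer(self.input_layer(x)))


def mean_square_error(desired, actual):
    """E = 1/2 * sum_k (y_k - c_k)^2 for one sample, the quantity minimised during training."""
    return 0.5 * sum((y - c) ** 2 for y, c in zip(desired, actual))


def classify(output, attack_name):
    """Step S14 decision. Assumed convention: output node 1 = normal traffic,
    node 2 = abnormal traffic, so the larger node decides."""
    return "normal" if output[0] >= output[1] else attack_name


def demo():
    # Constructed toy DDoS flow model: m = 2 combined features, u = 1 hidden neuron,
    # n_q = 2 quantum intervals. These parameters are made up, not trained values.
    model = QuantumWaveletFlowModel(lam=[1.0, 0.5], w=[[1.0], [-2.0]],
                                    theta=[[-0.5, 0.5]], a=[1.0], b=[0.0],
                                    v=[[0.2, 0.8]])
    sample = [1.0, 1.0]                      # constructed combined feature vector
    out = model.forward(sample)
    return out, classify(out, "DDoS"), mean_square_error([0.0, 1.0], out)


if __name__ == "__main__":
    out, label, err = demo()
    print("output nodes:", out, "decision:", label, "MSE vs desired [0, 1]:", round(err, 4))
```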
The deployment of the above network traffic anomaly detection system in a metropolitan area network is shown in Fig. 4. The high-speed IP MAN comprises a transmission network, a core layer, a service access control layer and a broadband access network. As can be seen from Fig. 4, the network traffic anomaly detection system provided by the embodiments can be deployed on the trunk links of the high-speed IP MAN to identify and control abnormal traffic (Trojans, viruses, etc.) on the high-speed trunk links in real time, providing real-time alarming and real-time filtering of abnormal traffic. For example, it may be deployed on the access router of the broadband access network, or on the link between a secondary Ethernet switch and the service access control layer.
The concrete structure of above-mentioned exception of network traffic detection system is as shown in Figure 5.This system comprises traffic statistics filter subsystem 1 and webmaster analyzing subsystem 2.Wherein:
Traffic statistics filter subsystem 1 specifically comprises: traffic statistics identification module 11 and on-line filtration module 12.Preferably, flow measurement module 13 before traffic statistics identification module 11 also is connected with and detects also is connected with after the on-line filtration module 12 and detects back flow measurement module 14.
Traffic statistics identification module 11 is used for the flow of monitor network, extracts the essential characteristic data of network traffics.
On-line filtration module 12, when being used for obtaining the webmaster analyzing subsystem and confirming that there is selected attack in network traffics, the attribute information according to this selected attack is provided with the flow control parameter; And network traffics are filtered control according to the flow control parameter of obtaining.
The network management analysis subsystem 2 specifically comprises a model building module 21, a data extraction module 22, a data analysis module 23 and a traffic identification module 24.
The model building module 21 is used to establish in advance the flow model of the selected attack behavior according to the sample data of the selected attack behavior in the sample feature library.
Preferably, the model building module 21 is specifically used to: determine the model parameter weights of the flow model based on the quantum wavelet neural network according to the desired output and the actual output of the sample data; adjust the quantum intervals of the quantum wavelet neural network model according to the determined model parameter weights; and establish the flow model based on the quantum wavelet neural network according to the determined model parameter weights and the adjusted quantum intervals.
The data extraction module 22 is used to determine the combination feature data of the selected attack behavior according to the extracted basic feature data, wherein the combination feature data are a subset of the basic feature data.
Preferably, the data extraction module 22 is specifically used to: perform a classification cross-entropy calculation between the extracted basic feature data and the selected attack behavior; determine, according to the cross-entropy result, the significance level of each basic feature datum for the selected attack behavior; and determine the combination feature data of the selected attack behavior from the basic feature data according to the significance level of each basic feature datum for the selected attack behavior.
The data analysis module 23 is used to input the determined combination feature data into the corresponding flow model of the selected attack behavior and obtain the output result.
Preferably, the data analysis module 23 is specifically used to: input the combination feature set $X_1, X_2, \ldots, X_m$ at the input layer, and compute through the input layer the input-layer output function that feeds the hidden layer; input the obtained input-layer output function into the hidden layer, and compute the hidden-layer node output function through the hidden layer; and input the obtained hidden-layer node output function into the output layer, which produces the output result after computation.
The traffic identification module 24 is used to determine whether the selected attack behavior exists in the network traffic according to the output result of the flow model of the selected attack behavior.
Preferably, the network management analysis subsystem 2 further comprises a rule mining module 25, used to set the flow control parameters according to the attribute information of the selected attack behavior when it is determined that this selected attack behavior exists in the network traffic.
Preferably, the network management analysis subsystem 2 further comprises an information output module, used to present to the user, for each kind of attack behavior, the determination result of the traffic identification module 24, so that the user can learn from the output information which kinds of attack behavior exist and which do not, and to provide alarm presentation information to the user when the selected attack behavior exists.
The above traffic statistics and filtering subsystem 1 adopts a high-speed hardware-circuit forwarding engine and can perform parallel identification of multiple services on the network traffic; the identification performance of this subsystem does not decrease as the number of service types increases, and its processing capacity does not depend on the complexity of users, services or policies. The network traffic statistics of this subsystem identify traffic on the basis of each basic feature of the network traffic, realizing network traffic feature statistics over the whole link. Identification techniques such as deep packet inspection (DPI) and deep flow inspection (DFI) are used in combination to perform feature statistics on packets one by one, for example protocol feature identification, traffic behavior analysis, and service analysis and statistics, which enables real-time statistics on the multidimensional features of the network traffic (for example 256 kinds of feature information) and intelligent identification at the packet level or the flow level.
When the traffic statistics and filtering subsystem 1 implements the network traffic statistics function, it may include functions in the following aspects: traffic statistics for all types of users and services; traffic statistics for all kinds of flow control policies; traffic statistics for flexibly configured policy flows; traffic statistics for a specified IP address or user group; real-time and historical traffic statistics, and so on, which are not enumerated one by one here. When the traffic statistics and filtering subsystem 1 implements the network traffic service identification function, it may include functions in the following aspects: effective identification and control of encrypted, mutated and unknown emerging service behaviors, and so on, which are likewise not enumerated one by one here.
The traffic statistics and filtering subsystem 1 implements flow control according to the flow control parameters set by the network management analysis subsystem 2. The control parameters that are set may be ports, addresses, etc. When packets are identified online, an efficient string-matching engine is used to inspect the data content in the network traffic; data flows carrying malicious code are filtered and blocked, cutting off the transmission route of Trojans and viruses. The traffic statistics and filtering subsystem 1 can start online filtering and identification according to the command issued by the network management analysis subsystem 2.
The network management analysis subsystem 2 is mainly realized through back-end software design. According to the statistics reported by the traffic statistics and filtering subsystem 1, it obtains the basic feature data of the network traffic, obtains the combination feature data through information-entropy reduction, then performs data analysis based on the quantum wavelet neural network flow model, detects the abnormal traffic in the network and can determine which kind of attack behavior it is; it then mines filtering rules, sets the flow control parameters and instructs the traffic statistics and filtering subsystem 1 to implement the online virus filtering function. The network management analysis subsystem 2 can build a plurality of flow models for a plurality of attack behaviors: after the basic feature data are obtained, the combination feature data are obtained by reduction for each of the attack behaviors in turn and input into the corresponding flow models in turn, so as to determine whether the corresponding attack behavior exists. With this method, when a new attack behavior needs to be analyzed, it suffices to establish a flow model for it and analyze, which makes the application easy to extend.
The concrete structure of the network management analysis subsystem is shown in Figure 6. After obtaining data from the Internet, the traffic statistics and filtering subsystem sends them to the network management analysis subsystem. In actual deployment, the network management analysis subsystem may comprise a data storage unit, a data analysis unit and an application program unit, among other components.
The data obtained from the Internet are stored in the data storage unit. Specifically, a plurality of databases can be set up in the data storage unit, for example: a traffic statistics database, a link-layer statistics database, a traffic behavior feature database, an alarm log database, a policy rule database and databases of other statistics. They are respectively used to store the various features extracted from the network traffic, the established flow models, etc.; the mined filtering rules, for example the flow control parameters set for a certain attack behavior; and the alarm information and alarm presentation information generated when abnormal traffic is detected. The selected attack behavior comprises one or more of the following attack behaviors: DDoS attack, Trojan virus, malicious code and botnet (zombie) virus. The alarm presentation information comprises one or more of the following: classified alarm presentation of each attack behavior, chart presentation of attack information, and presentation of the policy rules of anomaly detection.
This data storage unit mainly stores and processes all data resources and realizes data resource management through unified data management and maintenance standards; according to the type of resource and the different applications it serves, it provides different storage, processing and access policies, offering a unified data view for all types of applications. The data of this unit mainly come from the traffic statistics reported by the traffic statistics and filtering subsystem formed by the underlying hardware; the traffic behavior sample feature library in this unit supports online remote upgrade, so as to support identification of new abnormal behaviors.
The data analysis unit can extract the combination feature data from the basic feature data, specifically by adopting a feature reduction method based on information entropy, and inputs the combination feature data into the flow model based on the quantum wavelet neural network for data analysis. Specifically, it can comprise the data extraction module 22, the data analysis module 23 and the traffic identification module 24.
In addition, the data analysis unit can also implement the function of the model building module 21, establishing flow models and handing them to the data storage unit for storage.
When the data analysis unit analyzes and detects the abnormal traffic hidden in a large amount of network traffic data, in order to avoid the poor detection accuracy caused by selecting only one or a few features, a layered division of the traffic feature data is adopted: first, basic feature data containing essentially all the information in the network traffic are extracted from the network traffic, so that the extracted features reflect the running state of the network traffic in detail. However, if all the basic feature data were stored, maintained, analyzed and detected in real time, the complexity would be high and the realization very difficult in a high-speed network environment. Therefore, the analysis is performed on features reduced differently for different attack behaviors.
The data analysis unit reduces the basic feature data to combination feature data, which are used to analyze whether abnormal traffic exists. The set of combination feature data can be changed in real time according to actual needs. For a specific attack behavior, the subset of basic features related to that attack behavior serves as the combination feature data describing that kind of attack behavior. Optimal selection and effective reduction of the basic feature data of the network traffic are achieved through information-entropy theory: the cross-entropy between each basic feature in the basic feature data and the selected attack behavior is computed, and the important features are chosen, so that the chosen combination feature data are the effective feature data that accurately represent the selected attack behavior. When these effective feature data are loaded into the flow model established for the corresponding attack behavior based on the quantum wavelet neural network, whether abnormal traffic exists can be determined from the output result, and it can be determined which attack behavior caused the abnormal traffic.
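An added example (not code from the patent) of the entropy-based reduction described above: each basic feature is scored against the attack label and only the informative ones are kept as combination features, with their scaled significance used as the weight λ_i. The page does not give the exact cross-entropy formula, so this example assumes the significance is the reduction in label entropy H(label) - H(label | feature) after binning the feature; the sample flows are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed training sample (not the patent's Table 1): basic features of flows,
# labelled 1 for a SYN-flood flow and 0 for a normal flow. "sport" (source port)
# and "dur" (flow duration) are included as weakly informative distractors.
FEATURES = ["packets", "gap", "syn", "dur", "sport"]
SAMPLES = [
    ({"packets": 40,  "gap": 15.0, "syn": 1,   "dur": 2.5, "sport": 51234}, 0),
    ({"packets": 55,  "gap": 12.0, "syn": 1,   "dur": 3.0, "sport": 40000}, 0),
    ({"packets": 38,  "gap": 18.0, "syn": 2,   "dur": 1.0, "sport": 33000}, 0),
    ({"packets": 60,  "gap": 10.0, "syn": 1,   "dur": 4.0, "sport": 60000}, 0),
    ({"packets": 250, "gap": 0.10, "syn": 250, "dur": 0.5, "sport": 45000}, 1),
    ({"packets": 350, "gap": 0.05, "syn": 350, "dur": 0.2, "sport": 52000}, 1),
    ({"packets": 300, "gap": 0.20, "syn": 300, "dur": 3.5, "sport": 38000}, 1),
    ({"packets": 400, "gap": 0.08, "syn": 400, "dur": 0.3, "sport": 61000}, 1),
]


def entropy(labels):
    """Shannon entropy (bits) of a sequence of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def discretise(values, nbins):
    """Map each numeric value to an equal-width bin index in [0, nbins)."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0] * len(values)
    return [min(int((v - lo) / (hi - lo) * nbins), nbins - 1) for v in values]


def feature_significance(samples, feature, nbins=2):
    """Significance of one basic feature for the attack label, in bits:
    H(label) - H(label | binned feature) (assumed reading of the patent's
    'classification cross-entropy')."""
    labels = [y for _, y in samples]
    bins = discretise([x[feature] for x, _ in samples], nbins)
    per_bin = defaultdict(list)
    for b, y in zip(bins, labels):
        per_bin[b].append(y)
    cond = sum(len(ys) / len(labels) * entropy(ys) for ys in per_bin.values())
    return entropy(labels) - cond


def select_combination_features(samples, features, threshold=0.5, nbins=2):
    """Return {feature: lambda_i} for the basic features whose significance
    exceeds `threshold`; lambda_i is the significance scaled so that the most
    informative feature weighs 1.0 (the input-layer weight of the flow model)."""
    sig = {f: feature_significance(samples, f, nbins) for f in features}
    top = max(sig.values())
    return {f: s / top for f, s in sig.items() if s > threshold}


if __name__ == "__main__":
    for f in FEATURES:
        print(f"{f:8s} significance = {feature_significance(SAMPLES, f):.3f} bits")
    print("combination features:", select_combination_features(SAMPLES, FEATURES))
```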
When an attack behavior is detected, the data analysis unit performs policy rule mining, determines the flow control parameters for filtering and intercepting this attack behavior, and issues them to the traffic statistics and filtering subsystem in time, so as to block the abnormal traffic in real time.
The network traffic anomaly detection system provided by the embodiment of the invention further comprises an application program unit, used to realize the function of the information output module. For example, the application program unit can detect DDoS attacks, malicious code attacks, Trojan viruses and botnet viruses, present the detection results to the user, and provide multidimensional presentation of alarm information, blocking of abnormal traffic, and so on. Wherein:
A distributed denial of service (DDoS) attack uses seemingly legitimate service requests to occupy excessive service resources, overloading the service so that it cannot respond to other requests. These service resources include network bandwidth, file system space, open processes or inbound connections. The system mainly monitors DDoS attacks of the following kinds: SYN flooding, Smurf attack, UDP flooding, Ping of Death, TearDrop and Land attack. The extracted combination feature data can be the destination IP address and source IP address; interception and blocking are realized according to identical destination IP addresses and source IP addresses in the network traffic data.
A Trojan virus exploits vulnerabilities in Windows to invade the user's computer, control it and steal the user's data; its range of harm is very wide and the degree of harm very deep. Trojan viruses can be detected and filtered using the IP address, port number, etc. as combination feature data. The detectable Trojan types include: Trojan-hosting URLs, account-stealing Trojans, remote-control Trojans, destructive Trojans, denial of service (DoS) attack Trojans, reverse-port (rebound port) Trojans, program-killer Trojans, proxy Trojans, FTP (File Transfer Protocol) Trojans and many other types.
Malicious code is detected by refining and correlating the massive data of the network traffic, and by performing data analysis on the network traffic packets and comparing them against signatures.
A botnet virus, i.e. a botnet, is a novel attack method that developed from, and merged, traditional forms of malicious code on the Internet such as network worms, Trojan horses and backdoor tools. It is often used by hackers to launch large-scale network attacks, such as distributed denial of service (DDoS) attacks and mass spam, and the information stored on the computers the hacker controls can be taken by the hacker at will. Therefore, whether for network security operation or for the protection of user data, a botnet is a threatening hidden danger. Botnet viruses can be detected using a botnet detection method that correlates protocol and structure, with the domain name as a feature, combined with log analysis to determine the position, scale and distribution of the botnet.
The presentation information of the above various attack behaviors can be shown to the user visually in the form of charts. The presented content can include the attack source, the victim, the attack time, the attack event, filtering, the number of successful attacks, the number of failed attacks and so on, for the user to read.
Alarm information presentation achieves the effect of alarming the user when an attack exists. Classifying the alarm log by various conditions in real time helps the administrator to find particular attacks quickly. In general, the alarm log can be dynamically classified by multiple criteria, and every attack log entry can be highlighted in various colors according to a prior definition.
The application program unit can also support the presentation of policy rules; it supports editing and modification in the form of policy groups, so that the administrator can quickly modify the attributes of a whole group of rules, including whether they are activated and various system actions; it provides user-defined policy rule functions and supports regular expressions.
The traffic statistics and filtering subsystem in the above system, based on a "fully hardware" processing mode, performs statistics, identification and filtering on the packets of a specified high-speed link; the network management analysis subsystem integrates virus rule mining, data analysis, information presentation, system operation and maintenance, policy maintenance and other functions, and presents timely alarms on the security state and virus information of the whole network in forms such as tables and curve charts. This layered intrusion detection system architecture can effectively integrate functions such as line-rate virus rule identification on 40 Gbps links, abnormal traffic filtering, alarm information statistics and network device maintenance. At the same time, this architecture adopts a mode in which a front-end hardware platform is combined with a back-end software system: the front-end hardware platform preprocesses the service traffic information, and the back-end software system then processes the information reported by the front-end system, which markedly reduces the processing time and allows the abnormal traffic existing in the network to be identified quickly, efficiently and accurately.
The SYN FLOOD attack, which is one kind of DDoS attack, is taken as an example below to explain the detailed process by which the network traffic anomaly detection method and system provided by the embodiment of the invention perform network traffic anomaly detection.
For a SYN FLOOD attack, six combination feature vectors are obtained after information-entropy reduction, for example the six combination feature vectors of flow packet count, flow byte count, packet length jitter frequency, mean packet interval, SYN packet count and flow start/end time, as shown in Table 1 below. The flow model based on the quantum wavelet neural network established for the SYN FLOOD attack is shown in Figure 3; the network topology of this model is 6-12-2. There are 6 input-layer neurons, corresponding respectively to the 6 combination feature vectors after effective reduction; 12 hidden-layer neurons; and 2 output-layer neurons, corresponding respectively to the two traffic states, normal and abnormal: $c_1 c_2 = 10$ (c1 is 1, c2 is 0) represents the normal traffic state, and $c_1 c_2 = 01$ (c1 is 0, c2 is 1) represents the abnormal traffic state, i.e. a SYN FLOOD attack exists. The learning rate of the weights and thresholds of the quantum wavelet neural network is chosen as 0.02; the learning rate of the quantum intervals is 0.02; the slope factor of the multilayer wavelet activation function is chosen equal to 0.95; and the number of quantum levels of the quantum neurons is chosen as 4. With all parameters set identically, i.e. learning until the set number of iterations is completed without setting an error precision, the learning rate is 0.02 and the maximum number of iterations is set to 580 and 2500 respectively. After 580 training iterations, the error of the quantum wavelet neural network of this patent is 8.8761 × 10^-4; after 2500 training iterations, the error of the quantum wavelet neural network of this patent is 1.8978 × 10^-5.
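An added example (not the patent's code) of the 6-12-2 flow model described above: a forward pass of the claimed output function $c_k = \sum_j v_{jk}\,\frac{1}{n_q}\sum_q h\big((\beta\sum_i w_{ij}\lambda_i X_i - \theta_j^q - b_j)/a_j\big)$ with $n_q = 4$ and $\beta = 0.95$, the per-sample error of claim 6, and the (1,0)/(0,1) decision rule. The wavelet $h$ is not given on the page, so a Morlet wavelet is assumed; the weights, quantum intervals and sample flows are constructed, and training is not shown.

```python
import math
import random

# The patent's wavelet h() is not given on the page; this example assumes the
# Morlet wavelet h(x) = cos(1.75 x) * exp(-x^2 / 2).
def morlet(x):
    return math.cos(1.75 * x) * math.exp(-0.5 * x * x)


class QuantumWaveletNet:
    """Forward pass of the claimed flow model for a fixed parameter set:

        c_k = sum_j v_jk * (1/n_q) * sum_q h((beta * sum_i w_ij*lambda_i*X_i - theta_j^q - b_j) / a_j)

    Weights are seeded pseudo-random constructed values; minimising the claim 6
    error to learn them is not part of this example.
    """

    def __init__(self, n_in, n_hidden, n_out, n_q=4, beta=0.95, seed=1, h=morlet):
        rng = random.Random(seed)
        self.n_q, self.beta, self.h = n_q, beta, h
        self.w = [[rng.uniform(-1.0, 1.0) for _ in range(n_hidden)] for _ in range(n_in)]   # w_ij
        self.v = [[rng.uniform(-1.0, 1.0) for _ in range(n_out)] for _ in range(n_hidden)]  # v_jk
        self.a = [1.0] * n_hidden   # wavelet scale factor a_j
        self.b = [0.0] * n_hidden   # wavelet shift factor b_j
        # quantum intervals theta_j^q: n_q thresholds per hidden neuron, spread around 0
        self.theta = [[(q - (n_q - 1) / 2.0) * 0.5 for q in range(n_q)] for _ in range(n_hidden)]

    def forward(self, x, lam):
        """x: normalised combination feature vector X_i; lam: significance lambda_i."""
        p = [l * xi for l, xi in zip(lam, x)]          # input layer: P_i = lambda_i * X_i
        hidden = []
        for j in range(len(self.a)):
            net = self.beta * sum(self.w[i][j] * p[i] for i in range(len(p)))
            # hidden layer: wavelet averaged over the n_q quantum intervals
            s = sum(self.h((net - th - self.b[j]) / self.a[j]) for th in self.theta[j]) / self.n_q
            hidden.append(s)
        n_out = len(self.v[0])
        return [sum(self.v[j][k] * hidden[j] for j in range(len(hidden))) for k in range(n_out)]


def mse(actual, desired):
    """Claim 6 error for one sample: (1/2) * sum_k (y_k - c_k)^2."""
    return 0.5 * sum((y - c) ** 2 for y, c in zip(desired, actual))


def classify(output):
    """Desired outputs are (1, 0) for normal and (0, 1) for a SYN flood;
    the output neuron with the larger value decides."""
    return "normal" if output[0] >= output[1] else "syn_flood"


def minmax_normalise(rows):
    """Scale each feature column to [0, 1] (Table 1 in the patent is pre-normalisation)."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]


if __name__ == "__main__":
    # Constructed flows (not Table 1): packets, bytes, jitter freq, mean gap, SYN count, duration
    flows = [
        [40, 32000, 0.6, 15.0, 1, 2.5],
        [55, 41000, 0.5, 12.0, 1, 3.0],
        [300, 18000, 3.2, 0.1, 300, 0.4],
        [400, 24000, 3.5, 0.05, 400, 0.3],
    ]
    net = QuantumWaveletNet(n_in=6, n_hidden=12, n_out=2, n_q=4, beta=0.95)
    lam = [1.0] * 6  # significance weights, as produced by the entropy reduction step
    for raw, x in zip(flows, minmax_normalise(flows)):
        out = net.forward(x, lam)
        print(raw, "->", [round(c, 3) for c in out], classify(out))
```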
Part of the training sample data (before normalization) are shown in Table 1 below.
Table 1
[Table 1 is provided as an image in the original and is not reproduced here.]
The network traffic anomaly detection method and system provided by the embodiment of the invention are applicable to the backbone network environment of a high-speed IP metropolitan area network; the single-pass processing capacity is not less than 40 Gbps, and while supporting a 40 Gbps link interface it is also smoothly compatible with a 10 Gbps interface. It can effectively identify and block abnormal traffic in the network traffic, monitor attack behaviors in real time and dynamically, dynamically update the database and mine online filtering rules, determine the flow control parameters, and identify, alarm on, filter and block ever-changing attack behaviors in time.
Establishing flow models separately for different attack behaviors enables different attack behaviors to be identified, so that which kind of attack behavior exists in the network traffic can be detected accurately, the alarm is unambiguous and the detection precision is high.
Using the DPI and DFI identification techniques in combination, protocol feature identification, traffic behavior analysis, and service analysis and statistics are performed on packets one by one; the method extracts the basic feature data of the network traffic in real time, the extracted features are more comprehensive, and the combination feature data are determined in a targeted manner for different attack behaviors, so that the various attack behaviors can be comprehensively detected, which benefits the cooperative management of a plurality of management domains. Moreover, because the features of the network traffic are extracted in real time, the requirements of real-time monitoring of high-speed network traffic can be well satisfied, as can the requirements of rapidly growing service application types and scale and the 7 × 24 hour high availability and high real-time performance of service applications.
The detectable attack behaviors can be expanded easily: when a new attack behavior appears, its flow model can be established and it can be detected, so expansion is convenient. This method can obtain a good detection effect and high detection precision. The whole system is realized with a plurality of independent functional modules and subsystems, so the architecture is flexible, the structure is unified, and it has good expansibility and reconfigurability.
Because the extracted features reflect the actual conditions of the network traffic more comprehensively, the poor detection effect of existing methods that use a single feature as the judgment basis is avoided, and flow models for different attack behaviors can be added and removed easily, giving comprehensive and accurate detection results. For a certain attack behavior, the important features are chosen by computing the cross-entropy between each basic feature in the training samples and this attack behavior, and a combination feature set is established; the quantum wavelet neural network model is then trained on the combination feature set to classify the traffic behavior. The convergence speed is fast, and the traffic information covered is comprehensive and accurate; in a high-speed network environment, the detection precision and the ability to identify new anomalies in real time can be effectively improved, so that within the anomaly detection framework based on the overall network traffic model, different types of abnormal attacks can be detected more easily and good detection results obtained.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.

Claims (25)

1. A network traffic anomaly detection method, characterized in that it comprises:
monitoring the traffic in the network and extracting basic feature data of the network traffic;
determining combination feature data of a selected attack behavior according to the extracted basic feature data, wherein said combination feature data are a subset of the basic feature data;
inputting the determined combination feature data into the corresponding flow model of the attack behavior to obtain an output result, said flow model being established in advance according to the sample data of each attack behavior in a sample feature library;
determining, according to the obtained output result, whether an attack behavior exists in the network traffic and determining the type of the attack behavior.
2. the method for claim 1 is characterized in that, the essential characteristic data of said extraction network traffics specifically comprise:
Extract to set the characteristic information of quantity in following at least one information from network traffics, as the essential characteristic data: the relevant information of flow relevant information, packet relevant information, agreement relevant information, port relevant information, port flow relevant information, address relevant information, TCP flag bit.
3. The method of claim 2, characterized in that the set quantity of feature data extracted from the network traffic specifically comprises several of the following data:
flow packet count, flow byte count, flow start time, flow end time, packet length jitter frequency, mean packet interval, mean packet length, SYN packet count, protocol type, source port, destination port, number of packets sent per second, source address, destination address.
4. the method for claim 1 is characterized in that, and is said according to the essential characteristic data of extracting, and confirms the assemblage characteristic data of selected attack, specifically comprises:
The classification cross-entropy is carried out in essential characteristic data of extracting and selected attack;
Based on the cross-entropy result, confirm the significance level of each essential characteristic data to said selected attack;
According to the significance level of each essential characteristic data, from the essential characteristic data, confirm the assemblage characteristic data of said selected attack to said selected attack.
5. the method for claim 1 is characterized in that, the process of setting up discharge model according to the sample data of the selected attack in the sample characteristics storehouse comprises:
According to the desired output and actual output of sample data, confirm model parameter weights based on the discharge model of quantum wavelet neural network;
According to the model parameter weights of confirming based on the discharge model of quantum wavelet neural network, the quantum of adjustment quantum wavelet-neural network model at interval;
Model parameter weights and adjusted quantum according to confirming are set up the discharge model based on the quantum wavelet neural network at interval.
6. The method of claim 5, characterized in that said determining the model parameter weights of the flow model based on the quantum wavelet neural network according to the desired output and the actual output of the sample data specifically comprises:
according to the desired output and the actual output of the sample data, the mean square error function of the training samples is:
$$E = \frac{1}{2}\sum_{k=1}^{2}\left(y_k^s - c_k^s\right)^2 = \frac{1}{2}\sum_{k=1}^{2}\left(y_k^s - \sum_{j=1}^{u} v_{jk}\left(\frac{1}{n_q}\sum_{q=1}^{n_q} h\!\left(\frac{\beta\left(\sum_{i=1}^{m} w_{ij}\lambda_i X_i\right) - \theta_j^q - b_j}{a_j}\right)\right)\right)^2$$
wherein:
$y_k^s$ is the desired output of the k-th output neuron for the s-th sample;
$c_k^s$ is the actual output of the k-th output neuron for the s-th sample;
$X_i$ is a feature vector in the combination feature data;
$\lambda_i$ represents the significance level of the feature vector $X_i$;
$w_{ij}$ is the connection weight from the input-layer neuron $P_i$ to the hidden-layer neuron $S_j$;
$\beta$ is the slope factor;
$\theta_j^q$ is the quantum interval;
$a_j$ is the scale factor of the hidden-layer activation function;
$b_j$ is the shift factor of the hidden-layer activation (wavelet) function;
$h(\cdot)$ is the hidden-layer activation function, where [its definition is given as an image in the original and is not reproduced here];
$n_q$ is the number of quantum intervals;
$v_{jk}$ is the connection weight from the hidden-layer neuron to the output-layer neuron;
the model parameter weights $w_{ij}$, $v_{jk}$, $a_j$, $b_j$ are obtained by minimizing the mean square error function.
7. The method of claim 6, characterized in that said adjusting the quantum intervals of the quantum wavelet neural network model according to the determined model parameter weights of the flow model based on the quantum wavelet neural network specifically comprises:
adjusting the quantum intervals of the quantum wavelet neural network model according to the obtained model parameter weights $w_{ij}$, $v_{jk}$, $a_j$, $b_j$.
8. The method of claim 7, characterized in that the established flow model based on the quantum wavelet neural network is:
$$c_k^s = \sum_{j=1}^{u} v_{jk}\left(\frac{1}{n_q}\sum_{q=1}^{n_q} h\!\left(\frac{\beta\left(\sum_{i=1}^{m} w_{ij}\lambda_i X_i\right) - \theta_j^q - b_j}{a_j}\right)\right), \quad k = 1, 2.$$
9. the method for claim 1 is characterized in that, the discharge model of the said selected attack that the assemblage characteristic data input of confirming is corresponding obtains exporting the result, specifically comprises:
Input layer input assemblage characteristic collection X 1, X 2, L L X m, calculate the input layer output function that is used to import hidden layer through input layer;
Input layer output function input hidden layer with obtaining calculates the hidden layer node output function through hidden layer;
With the hidden layer node output function input and output layer that obtains,, output layer obtains exporting the result after calculating.
10. The method of claim 9, characterized in that said input-layer output function is $P_i = \lambda_i X_i$, $i = 1, 2, \ldots, m$;
wherein: $X_i$ is a feature vector in the combination feature data;
$\lambda_i$ represents the significance level of the feature vector $X_i$.
11. The method of claim 10, characterized in that said hidden-layer node output function is $S_j = \frac{1}{n_q}\sum_{q=1}^{n_q} h\!\left[\beta\left(W^T P - \theta_j^q\right)\right]$, $j = 1, 2, \ldots, u$;
wherein: $W^T$ is the vector comprising the $w_{ij}$, and $w_{ij}$ is the connection weight from the input-layer neuron $P_i$ to the hidden-layer neuron $S_j$;
$P$ is the vector comprising the $P_i = \lambda_i X_i$, $i = 1, 2, \ldots, m$;
$\beta$ is the slope factor;
$\theta_j^q$ is the quantum interval;
$h(\cdot)$ is the hidden-layer activation function, where [its definition is given as an image in the original and is not reproduced here];
$n_q$ is the number of quantum intervals.
12. The method of claim 11, characterized in that the output result satisfies the formula:
$$c_k^s = \sum_{j=1}^{u} v_{jk}\left(\frac{1}{n_q}\sum_{q=1}^{n_q} h\!\left(\frac{\beta\left(\sum_{i=1}^{m} w_{ij}\lambda_i X_i\right) - \theta_j^q - b_j}{a_j}\right)\right), \quad k = 1, 2;$$
wherein: $y_k^s$ is the desired output of the k-th output neuron for the s-th sample;
$c_k^s$ is the actual output of the k-th output neuron for the s-th sample;
$X_i$ is a feature vector in the combination feature data;
$\lambda_i$ represents the significance level of the feature vector $X_i$;
$w_{ij}$ is the connection weight from the input-layer neuron $P_i$ to the hidden-layer neuron $S_j$;
$\beta$ is the slope factor;
$\theta_j^q$ is the quantum interval;
$a_j$ is the scale factor of the hidden-layer activation function;
$b_j$ is the shift factor of the hidden-layer activation (wavelet) function;
$h(\cdot)$ is the hidden-layer activation function, where [its definition is given as an image in the original and is not reproduced here];
$n_q$ is the number of quantum intervals;
$v_{jk}$ is the connection weight from the hidden-layer neuron to the output-layer neuron.
13. the method for claim 1 is characterized in that, said selected attack comprises one or more in the following attack: ddos attack, trojan horse, malicious code and ossified virus.
14. The method of claim 13, characterized in that said determining, according to the obtained output result, whether an attack behavior exists in the network traffic and determining the type of the attack behavior specifically comprises:
if the flow model of the attack behavior that produced said output result is the flow model of the DDoS attack, determining that no DDoS attack exists when the output result is the output value for normal traffic, and determining that the type of the existing attack behavior is a DDoS attack when the output result is the output value for abnormal traffic;
if the flow model of the attack behavior that produced said output result is the flow model of the Trojan virus, determining that no Trojan virus exists when the output result is the output value for normal traffic, and determining that the type of the existing attack behavior is a Trojan virus when the output result is the output value for abnormal traffic;
if the flow model of the attack behavior that produced said output result is the flow model of the malicious code, determining that no malicious code exists when the output result is the output value for normal traffic, and determining that the type of the existing attack behavior is malicious code when the output result is the output value for abnormal traffic;
if the flow model of the attack behavior that produced said output result is the flow model of the botnet virus, determining that no botnet virus exists when the output result is the output value for normal traffic, and determining that the type of the existing attack behavior is a botnet virus when the output result is the output value for abnormal traffic.
15. The method of any one of claims 1 to 14, characterized in that it further comprises:
when it is determined that the selected attack exists in the network traffic, setting flow-control parameters based on the attribute information of the selected attack, and filtering and controlling the network traffic accordingly.
16. The method as claimed in claim 15, characterized in that it further comprises: when it is determined that the selected attack exists in the network traffic, providing alarm display information to the user;
the alarm display information comprises one or more of the following displays: a classification alarm display for each attack, a chart display of attack information, and a display of the policy rules of the anomaly detection.
17. A network traffic anomaly detection system, characterized by comprising: a traffic statistics and filtering subsystem and a network management analysis subsystem;
the traffic statistics and filtering subsystem is used to monitor the network traffic and extract basic characteristic data of the network traffic;
the network management analysis subsystem is used to determine, according to the extracted basic characteristic data, the combination characteristic data of the selected attack, wherein the combination characteristic data are a subset of the basic characteristic data; to input the determined combination characteristic data into the corresponding flow model of the selected attack to obtain an output result, the flow model having been established in advance according to the sample data of the selected attack in a sample characteristic library; and to determine, according to the output result of the flow model of the selected attack, whether an attack exists in the network traffic and the type of the attack.
18. The system as claimed in claim 17, characterized in that the network management analysis subsystem is further used to: when it is determined that the selected attack exists in the network traffic, set flow-control parameters according to the attribute information of the selected attack;
the traffic statistics and filtering subsystem is further used to: filter and control the network traffic based on the flow-control parameters that were set.
19. The system as claimed in claim 17, characterized in that the traffic statistics and filtering subsystem specifically comprises:
a traffic statistics and identification module, used to monitor the network traffic and extract basic characteristic data of the network traffic;
an on-line filtering module, used to obtain the flow-control parameters set according to the attribute information of the selected attack when the network management analysis subsystem determines that the selected attack exists in the network traffic, and to filter and control the network traffic according to the obtained flow-control parameters.
20. The system as claimed in claim 17, characterized in that the network management analysis subsystem specifically comprises:
a model building module, used to establish in advance the flow model of the selected attack according to the sample data of the selected attack in the sample characteristic library;
a data extraction module, used to determine, according to the extracted basic characteristic data, the combination characteristic data of the selected attack, wherein the combination characteristic data are a subset of the basic characteristic data;
a data analysis module, used to input the determined combination characteristic data into the corresponding flow model of the selected attack and obtain an output result;
a flow identification module, used to determine, based on the output result of the flow model of the selected attack, whether the selected attack exists in the network traffic.
21. The system as claimed in claim 20, characterized in that the data extraction module is specifically used to:
perform a classification cross-entropy computation between the extracted basic characteristic data and the selected attack; determine, according to the cross-entropy result, the importance level of each basic characteristic to the selected attack; and, according to the importance level of each basic characteristic to the selected attack, determine the combination characteristic data of the selected attack from the basic characteristic data.
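An added example (not the patent's own code) of the claim 21 step: a constructed sample characteristic library is scored, one basic characteristic at a time, by a classification cross-entropy against the attack label, and the informative subset becomes the combination characteristic data. The patent does not state the cross-entropy formula, so this example assumes median binarisation of each numeric feature and the log-loss of predicting the label from the empirical conditional frequencies (information gain is then H(Y) minus that cross-entropy); the feature names, their values and the 0.1 selection threshold are constructed.

```python
import math
from collections import Counter

# Added example, not code from the patent or its assignee. Claim 21 ranks each
# basic characteristic by a classification cross-entropy against the selected
# attack and keeps the informative ones as the combination characteristic data.
# ASSUMED formulation: binarise each numeric feature at its median, then take
# the cross-entropy of predicting the label from the empirical P(label | bin).

# Constructed sample characteristic library: per-window flow statistics and a
# label (1 = selected attack present, 0 = normal flow). Values are made up.
SAMPLE_LIBRARY = [
    {"syn_ratio": 0.90, "pkts_per_s": 5000, "avg_pkt_size": 60,   "attack": 1},
    {"syn_ratio": 0.80, "pkts_per_s": 4000, "avg_pkt_size": 1200, "attack": 1},
    {"syn_ratio": 0.95, "pkts_per_s": 4500, "avg_pkt_size": 60,   "attack": 1},
    {"syn_ratio": 0.85, "pkts_per_s": 300,  "avg_pkt_size": 1200, "attack": 1},
    {"syn_ratio": 0.10, "pkts_per_s": 200,  "avg_pkt_size": 60,   "attack": 0},
    {"syn_ratio": 0.20, "pkts_per_s": 100,  "avg_pkt_size": 1200, "attack": 0},
    {"syn_ratio": 0.15, "pkts_per_s": 150,  "avg_pkt_size": 60,   "attack": 0},
    {"syn_ratio": 0.05, "pkts_per_s": 5500, "avg_pkt_size": 1200, "attack": 0},
]


def median(values):
    s = sorted(values)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2.0


def binarise(values):
    """Discretise a numeric feature: 1 = above its median, 0 = not above."""
    m = median(values)
    return [1 if v > m else 0 for v in values]


def entropy(labels):
    """H(Y) in bits of the label distribution."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def cross_entropy(feature_bins, labels):
    """Cross-entropy (bits) of predicting the labels from the binned feature with
    the empirical conditional frequencies: -sum_{v,y} p(v,y) * log2 p(y|v).
    0 means the feature separates the classes perfectly; H(Y) means it is useless."""
    n = len(labels)
    joint = Counter(zip(feature_bins, labels))
    marginal = Counter(feature_bins)
    return -sum((c / n) * math.log2(c / marginal[v]) for (v, _y), c in joint.items())


def feature_importance(library, label_key="attack"):
    """Importance of each basic characteristic to the selected attack, taken here
    as the information gain H(Y) - cross-entropy (higher = more informative)."""
    labels = [row[label_key] for row in library]
    h_y = entropy(labels)
    names = [k for k in library[0] if k != label_key]
    return {name: h_y - cross_entropy(binarise([row[name] for row in library]), labels)
            for name in names}


def select_combination_features(importance, threshold=0.1):
    """Combination characteristic data: the subset of basic characteristics whose
    importance exceeds the (constructed) threshold, most informative first."""
    ranked = sorted(importance, key=importance.get, reverse=True)
    return [name for name in ranked if importance[name] > threshold]


if __name__ == "__main__":
    imp = feature_importance(SAMPLE_LIBRARY)
    print({k: round(v, 3) for k, v in imp.items()})   # syn_ratio 1.0, pkts_per_s 0.189, avg_pkt_size 0.0
    print(select_combination_features(imp))          # ['syn_ratio', 'pkts_per_s']
```

The importance values computed here are what claim 10 plugs in as the λ_i weights of the input layer, so a feature that carries no information about the attack (cross-entropy equal to H(Y)) is both dropped from the combination set and, if kept, would contribute nothing to the model input.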
22. The system as claimed in claim 20, characterized in that the model building module is specifically used to:
determine, according to the desired output and the actual output of the sample data, the model parameter weights of the flow model based on the quantum wavelet neural network;
adjust the quantum intervals of the quantum wavelet neural network model according to the determined model parameter weights of the flow model based on the quantum wavelet neural network;
establish the flow model based on the quantum wavelet neural network according to the determined model parameter weights and the adjusted quantum intervals.
23. The system as claimed in claim 20, characterized in that the data analysis module is specifically used to:
input the combination characteristic set X_1, X_2, ..., X_m at the input layer, and compute through the input layer the input-layer output function that is fed to the hidden layer;
input the obtained input-layer output function to the hidden layer, and compute the hidden-layer node output function through the hidden layer;
input the obtained hidden-layer node output function to the output layer, and obtain the output result after the output layer computes it.
24. The system of any one of claims 20 to 23, characterized in that the network management analysis subsystem further comprises:
a rule mining module, used to set flow-control parameters according to the attribute information of the selected attack when it is determined that the selected attack exists in the network traffic.
25. The system of any one of claims 20 to 23, characterized in that the network management analysis subsystem further comprises:
a message output module, used to display to the user, for each type of attack, the determination result of the flow identification module, and to provide alarm display information to the user when the selected attack exists.
Priority Applications (1)
CN201110154226.3A (granted as CN102821002B): priority date 2011-06-09, filing date 2011-06-09, "Network flow abnormal detecting method and system", status Active.

Publications (2)
CN102821002A: published 2012-12-12
CN102821002B: published 2015-08-26

Family
ID=47304873; family applications (1): CN201110154226.3A, Active, granted as CN102821002B.

Country Status (1)
CN: CN102821002B

CN116074215A (en) * 2022-12-30 2023-05-05 中国联合网络通信集团有限公司 Network quality detection method, device, equipment and storage medium
CN116723138A (en) * 2023-08-10 2023-09-08 杭银消费金融股份有限公司 Abnormal flow monitoring method and system based on flow probe dyeing
CN116723138B (en) * 2023-08-10 2023-10-20 杭银消费金融股份有限公司 Abnormal flow monitoring method and system based on flow probe dyeing

Also Published As

Publication number Publication date
CN102821002B (en) 2015-08-26

Similar Documents

Publication Publication Date Title
CN102821002A (en) Method and system for network flow anomaly detection
Chen et al. Collaborative detection of DDoS attacks over multiple network domains
EP1995929B1 (en) Distributed system for the detection of eThreats
Dickerson et al. Fuzzy intrusion detection
KR101070614B1 (en) Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation
CN109558729B (en) Intelligent defense system for network attack
CN108494746A (en) Network port traffic anomaly detection method and system
CN108289088A (en) Abnormal traffic detection system and method based on business model
CN103532957B (en) Trojan horse remote shell behavior detection device and method
CN103152222B (en) Method for detecting fast-changing (fast-flux) attack domain names based on host group characteristics
Lee et al. Abnormal behavior-based detection of Shodan and Censys-like scanning
CN106230819A (en) DDoS detection method based on flow sampling
Zhu Attack pattern discovery in forensic investigation of network attacks
Mathews et al. A collaborative approach to situational awareness for cybersecurity
Gharehchopogh et al. Evaluation of fuzzy k-means and k-means clustering algorithms in intrusion detection systems
CN107332863A (en) Host security detection method and system based on centralized management
Lahza et al. Applying domain-specific knowledge to construct features for detecting distributed denial-of-service attacks on the GOOSE and MMS protocols
Bin et al. A NetFlow based flow analysis and monitoring system in enterprise networks
Ghourabi et al. Data analyzer based on data mining for honeypot router
Kotenko et al. Multi-agent framework for simulation of adaptive cooperative defense against internet attacks
Balram et al. Detection of TCP SYN scanning using packet counts and neural network
Nehinbe A simple method for improving intrusion detections in corporate networks
CN106330975A (en) Method for periodic exception detection based on SCADA system
Nguyen A scheme for building a dataset for intrusion detection systems
Kaur et al. A novel multi scale approach for detecting high bandwidth aggregates in network traffic

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant