摘要:An enterprise intranet has the characteristics of service determination, limited network components, descriptive and observable characteristics, and the state of network components and network interaction behaviors need to strictly comply with security policies. Therefore, a variety of descriptive certainty can be used to describe the subject, object, and action of the network access. According to this important feature, the anomaly analysis method is simplified, and the abnormal discovery of the intranet is transformed into the problem of network dynamic feature collection and deterministic feature characterization. Based on the network state and behavior collection and analysis network dynamic characteristics, combined with the deterministic feature priori knowledge of the network, an anomaly analysis model which is especially suitable for deterministic intranet is proposed. Based on the model design, a traffic-based anomaly analysis system is implemented. The system can effectively find a variety of high-risk anomalies in the intranet.