Method for screening abnormal traffic based on steady-state model of office local area network

2015 
The invention discloses a method for screening abnormal traffic based on a steady-state model of an office local area network. It aims to respond effectively to the growing number of APT (Advanced Persistent Threat) attacks by giving the user a controllable way to screen unknown attack traffic. The technical scheme comprises the following steps: constructing a multi-dimensional steady-state model of the office local area network; using information entropy to describe the steady state of the network environment; constructing a traffic model from two dimensions, link frequency and link traffic; obtaining the information entropy of the network environment by fusing the two dimensions; and judging whether a target host is in the steady state according to the amplitude of variation of the information entropy. The method takes user requirements into account reasonably and comprehensively, and uses a user-defined screening probability value to adjust the detection dimensions of the abnormal traffic, so that abnormal traffic is screened on the basis of the existing steady-state model. Compared with existing methods, the method fully reflects the characteristics of the network environment and responds well to unknown APT attacks on the office local area network; furthermore, the screening scale is manually controllable, and abnormal traffic is effectively screened.
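The sketch below is an added example, not code from the patent: it computes Shannon entropy over a host's per-peer link frequency and link traffic in each time window, fuses the two, and flags windows whose fused entropy departs from the steady-state baseline. The weighted-sum fusion (`alpha`), the running-mean baseline, the `max_delta` threshold and the flow records are all assumptions, since the abstract does not specify them.

```python
import math
from collections import Counter

def shannon_entropy(weights):
    """Shannon entropy in bits of a distribution given as non-negative weights."""
    weights = list(weights)
    total = sum(weights)
    if total <= 0:
        return 0.0
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)

def window_entropy(flows, alpha=0.5):
    """Fused entropy of one time window of (peer, bytes) records for a host.

    alpha weights the link-frequency dimension against link traffic
    (assumed weighted-sum fusion; the abstract does not give the formula).
    """
    freq, volume = Counter(), Counter()
    for peer, nbytes in flows:
        freq[peer] += 1          # link frequency: connections per peer
        volume[peer] += nbytes   # link traffic: bytes per peer
    return (alpha * shannon_entropy(freq.values())
            + (1 - alpha) * shannon_entropy(volume.values()))

def screen(windows, max_delta=0.3, alpha=0.5):
    """Return indices of windows whose fused entropy moves more than
    max_delta away from the mean of the windows accepted as steady."""
    steady, flagged = [], []
    for i, flows in enumerate(windows):
        h = window_entropy(flows, alpha)
        if steady and abs(h - sum(steady) / len(steady)) > max_delta:
            flagged.append(i)    # entropy jumped: host left the steady state
        else:
            steady.append(h)     # fold the window into the baseline
    return flagged

# Constructed sample data: three ordinary windows, then one in which a
# previously unseen peer receives a single large transfer.
PEERS = ["fileserver", "mail", "proxy", "printer"]
STEADY_WINDOW = [(p, 1000) for p in PEERS] * 5
WINDOWS = [STEADY_WINDOW, STEADY_WINDOW, STEADY_WINDOW,
           STEADY_WINDOW + [("unknown-peer", 200_000)]]

if __name__ == "__main__":
    for i, w in enumerate(WINDOWS):
        print(i, round(window_entropy(w), 3))
    print("flagged windows:", screen(WINDOWS))
```

In the constructed data the one extra flow barely changes the frequency entropy, but it collapses the traffic entropy because a single peer now carries most of the bytes, which is why the two dimensions are fused rather than used alone.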