CN110784458B - Flow abnormity detection method and device and network equipment - Google Patents


Info

Publication number
CN110784458B
Authority
CN
China
Prior art keywords
flow
current
traffic
target service
historical average
Legal status
Active
Application number
CN201911001121.7A
Other languages
Chinese (zh)
Other versions
CN110784458A (en)
Inventor
顾成杰
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a method and a device for detecting abnormal traffic, and a network device, and relates to the technical field of network security. The method obtains the current traffic of a target service, obtains at least one of the historical average traffic of the target service and the total traffic of the services carried by the network device, and finally determines whether the current traffic of the target service is abnormal according to the current traffic together with the historical average traffic and/or the total traffic. Because the traffic characteristics of different types of services differ, directly detecting the current traffic of a specific service is more targeted than the prior art; at the same time, the historical average traffic and/or the total traffic are also consulted when judging whether the current traffic is abnormal, that is, the judgment is made across multiple dimensions, so a more accurate result is obtained, the robustness of the anomaly detection process is improved, and the false alarm rate is reduced.

Description

Flow abnormity detection method and device and network equipment
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting abnormal flow and network equipment.
Background
Network scanning, distributed denial of service (DDoS) attacks, network worms and viruses, malicious downloading, improper use of network resources and the like all degrade network performance, and in severe cases interfere with normal network use or even cause network interruption or paralysis of network equipment, resulting in severe economic loss. How to quickly discover abnormal traffic in the network is therefore one of the key points for ensuring network security.
Conventionally, whether traffic is abnormal is generally determined by comparing the traffic with a predetermined fixed threshold. However, this method considers neither the way traffic changes over time nor the fact that the traffic of different service types cannot be described by one common rule, and it relies only on the single dimension of traffic volume to detect anomalies, so its robustness is poor, its false alarm rate is high, and network security cannot be well guaranteed.
Disclosure of Invention
In view of the above, the present invention provides a method, an apparatus, a network device and a computer-readable storage medium for detecting traffic anomalies, so as to solve the above problems.
In order to achieve the above object, the embodiments of the present invention adopt the following technical solutions:
in a first aspect, an embodiment of the present invention provides a method for detecting traffic anomaly, where the method is applied to a network device, and the method for detecting traffic anomaly includes:
acquiring the current flow of a target service;
obtaining at least one of historical average flow of the target service and total flow of the service carried by the network equipment;
and determining whether the current flow of the target service is abnormal or not according to the current flow, the historical average flow and/or the total flow of the service borne by the network equipment.
In a second aspect, an embodiment of the present invention provides a traffic anomaly detection apparatus, where the apparatus is applied to a network device, and the traffic anomaly detection apparatus includes:
the flow acquisition module is used for acquiring the current flow of the target service;
the traffic obtaining module is further configured to obtain at least one of a historical average traffic of the target service and a total traffic of a service carried by the network device;
and the anomaly detection module is used for determining whether the current flow of the target service is abnormal or not according to the current flow, the historical average flow and/or the total flow of the service carried by the network equipment.
In a third aspect, an embodiment of the present invention provides a network device, including a processor and a memory, where the memory stores machine executable instructions that can be executed by the processor, and the processor can execute the machine executable instructions to implement the traffic anomaly detection method described in any one of the foregoing embodiments.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the flow anomaly detection method according to any one of the foregoing embodiments.
The traffic anomaly detection method and apparatus provided by the embodiment of the invention obtain the current traffic of the target service, obtain at least one of the historical average traffic of the target service and the total traffic of the services carried by the network device, and finally determine whether the current traffic of the target service is anomalous according to the current traffic together with the historical average traffic and/or the total traffic. Because the traffic characteristics of different types of services differ, directly detecting the current traffic of a specific service is more targeted than the prior art; at the same time, the historical average traffic and/or the total traffic are also consulted when judging whether the current traffic is abnormal, that is, the judgment is made across multiple dimensions, so a more accurate result is obtained, the robustness of the anomaly detection process is improved, and the false alarm rate is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic diagram of a flow collection system.
Fig. 2 is a block schematic diagram of a network device.
Fig. 3 is a flowchart of a flow anomaly detection method provided by the present invention.
Fig. 4 is an exemplary diagram of a traffic collection system.
Fig. 5 is a further flowchart of the flow anomaly detection method provided by the present invention.
Fig. 6 is a functional block diagram of a flow anomaly detection device according to the present invention.
Icon: 100-a flow collection system; 110-a first network device; 112-a first port; 120-a second network device; 122-a second port; 130-a flow collection module; 200-a network device; 210-a memory; 220-a processor; 230-a communication unit; 300-flow anomaly detection means; 310-a traffic acquisition module; 320-anomaly detection module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined or explained in subsequent figures. Furthermore, the appearances of the terms "first," "second," and the like, if any, are only used to distinguish one description from another and are not to be construed as indicating or implying relative importance.
It should be noted that the features of the embodiments of the present invention may be combined with each other without conflict.
With the continuous progress of technology, the means of network attack used by hackers have expanded from initial attacks on individual servers and enterprise websites to attacks on the whole internet infrastructure, which can paralyze the entire internet and the key services it carries. The most harmful attack types are mainly DDoS attacks and worm viruses. Although the principles of these attacks on operator networks differ, both manifest as a sudden and rapid increase in network traffic that quickly exhausts network bandwidth resources, blocks the normal communication of ordinary users, and paralyzes user services or even the whole internet. Therefore, how to quickly find abnormal traffic in the network, locate it and respond in time, and guarantee the effective operation of key services is the key to guaranteeing the safety and stability of the internet.
In the prior art, the widely adopted method is as follows: a single-dimension fixed threshold (such as a traffic volume) is set, and whether the traffic is abnormal is judged by comparing the traffic with this fixed threshold. However, such a method usually considers neither the way traffic changes over time nor the fact that the traffic of different service types cannot be described by one common rule; moreover, to prevent a large amount of useless false alarm information, the fixed threshold is sometimes set high, so that abnormal traffic sometimes cannot be detected at all. The method is therefore low in flexibility and high in misjudgment rate.
Please refer to fig. 1, which is a schematic diagram of a traffic collection system 100. The traffic collection system 100 includes a first network device 110, a second network device 120, and a traffic collection module 130. Specifically, the first network device 110 includes a first port 112, the second network device 120 includes a second port 122, and the first network device 110 and the second network device 120 can perform data transmission through the first port 112 and the second port 122.
The first ports 112 correspond to the second ports 122 one to one. A connection for transmitting service data can be established between a first port 112 and a second port 122; such a connection is referred to as a target connection in the present invention, and the connection between the first port 112 and the second port 122 is taken as the example target connection in this embodiment. Typically, a connection established between two ports carries one type of service.
If the first network device 110 transmits the service data to the second port 122 of the second network device 120 through the first port 112, the first port 112 is a source port, and the second port 122 is a destination port; on the contrary, if the second network device 120 transmits the traffic data to the first port 112 of the first network device 110 through the second port 122, the second port 122 is a source port, and the first port 112 is a destination port.
It should be noted that the ports in this embodiment refer to application ports, that is, the first port 112 and the second port 122 are both logical ports. The first network device 110 and the second network device 120 may be computers, servers, routers, switches, and the like.
The traffic collection module 130 may be configured to collect the current traffic of the target connection, so the current traffic of the target connection is the current traffic of the service carried by that connection.
In addition, it should be noted that the traffic collection module 130 may be disposed independently from the first network device 110 and the second network device 120, or may be integrated with the first network device 110 and the second network device 120.
The present invention further provides a network device 200, where the network device 200 is configured to obtain a current traffic of each service, and determine whether the current traffic is abnormal. Fig. 2 is a block diagram of a network device 200. The network device 200 includes a memory 210, a processor 220, and a communication unit 230. The memory 210, the processor 220, and the communication unit 230 are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The memory 210 is used for storing programs or data. The memory 210 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 220 is used to read/write data or programs stored in the memory 210 and perform corresponding functions.
The communication unit 230 is used for establishing a communication connection between the network device 200 and another communication terminal through a network, and for transceiving data through the network.
The network device 200 may be any one of the first network device 110 and the second network device 120, or may be a device independent of the first network device 110 and the second network device 120.
It should be understood that the configuration shown in fig. 2 is merely a schematic diagram of the configuration of network device 200, and that network device 200 may include more or fewer components than shown in fig. 2, or have a different configuration than shown in fig. 2. The components shown in fig. 2 may be implemented in hardware, software, or a combination thereof.
The invention also provides a traffic anomaly detection method, which is applied to the network equipment 200. Fig. 3 is a flowchart of a method for detecting traffic anomaly according to the present invention. The flow anomaly detection method comprises the following steps:
S301, obtaining the current traffic of the target service.
It should be noted that the network device may carry multiple services, and the target service may be any one of the services carried by the network device; in this embodiment it refers to the service whose traffic is to be collected. In practice, different services can be distinguished by their source port (or source IP) and destination port (or destination IP), and the target service is selected from all the services. Specifically, the target service can be identified by matching the five-tuple information of each packet, and the current traffic of the target service is then counted.
In an alternative embodiment, the network device 200 may obtain the current traffic of the target service according to a preset third time interval. For example, the network device 200 may obtain the current traffic of the target service every 10 minutes, that is, determine whether the current traffic is abnormal every 10 minutes.
S302, at least one of historical average flow of the target service and total flow of the service carried by the network equipment is obtained.
It should be noted that only the historical average traffic of the target service may be obtained, only the total traffic of the services carried by the network device may be obtained, or both may be obtained at the same time. Which parameters need to be acquired can be set according to the specific requirements of the user. In an optional embodiment, when the current traffic of the target service is collected, the traffic collection module 130 stores it in a database. The network device 200 may then directly read the traffic recorded at historical instants from the database and calculate the historical average traffic from those records. For example, the network device 200 may use the average of the traffic samples of the target service collected at multiple instants within the 5 minutes before the current instant as the historical average traffic.
The total traffic is the sum of the current traffic of all services carried by the network device. For example, referring to fig. 4, suppose port 1 in fig. 4 transmits the target service to port 2, port 2 transmits service 1 to port 5, and port 3 transmits service 2 to port 6. The total traffic is then the sum of the current traffic of these three services, i.e., the target service, service 1 and service 2.
And S303, determining whether the current flow of the target service is abnormal or not according to the current flow, the historical average flow and/or the total flow of the service borne by the network equipment.
It can be understood that there are actually three ways to determine whether the current traffic of the target service is abnormal in S303, which are respectively:
firstly, determining whether the current flow of a target service is abnormal or not according to the current flow and historical average flow;
secondly, determining whether the current flow of the target service is abnormal or not according to the current flow and the total flow of the services borne by the network equipment;
and thirdly, determining whether the current traffic of the target service is abnormal according to the current traffic, the historical average traffic and the total traffic of the services carried by the network device.
It should be noted that the current proportion threshold and the current occupancy threshold referred to in the following embodiments are named so as to distinguish the two thresholds. Since both the proportion threshold and the occupancy threshold may change over time, "current" denotes the threshold in use at the present moment.
Further, based on the above three cases, S303 specifically includes different determination manners, and as shown in fig. 5:
the first method comprises the following steps: determining whether the current traffic of the target service is abnormal according to the current traffic and the historical average traffic, and then S303 includes:
S3031, calculating a difference between the current traffic of the target service and the historical average traffic to determine a floating value of the current traffic of the target service relative to the historical average traffic.
And S3032, calculating the flow floating proportion of the target service according to the difference and the historical average flow.
Specifically, the ratio of the difference between the current traffic and the historical average traffic to the historical average traffic is determined as the traffic floating proportion of the target service. That is, the current flow, the historical average flow and the flow floating proportion satisfy the following formula:
$M_1 = \frac{CP - AP}{AP}$
where $M_1$ is the traffic floating proportion, $CP$ is the current traffic of the target service, and $AP$ is the historical average traffic of the target service.
S3033, judging whether the traffic floating proportion is larger than a predetermined current proportion threshold; if so, executing S3034.
It should be noted that the current ratio threshold may be changed with time. Therefore, when determining whether the current flow of the target service is abnormal, it is necessary to determine the current proportional threshold in advance.
In an alternative embodiment, the network device 200 may update the current ratio threshold value according to a preset first time interval. It should be noted that, when the current proportional threshold is updated, the scene requirement and the service type requirement at the current time need to be met. Therefore, the current proportion threshold is the threshold which is most suitable for the current flow state, and the problem of inaccurate detection result caused by improper setting of the current proportion threshold is avoided.
For example, within the 24 hours of a day, the traffic floating proportion at 3:00 is typically below that at 22:00. If the same current proportion threshold is used at both times, then a high setting makes it difficult to detect abnormal traffic at 3:00 in the early morning, whereas a low setting causes traffic anomalies to be detected frequently at 22:00; either way the detection result is not accurate. Therefore, the current proportion threshold at 3:00 is set to k1 and the current proportion threshold at 22:00 to k2, with k1 smaller than k2, so that the above problems are effectively avoided and whether the current traffic is abnormal can be judged more accurately.
It should be noted that the first time interval can be set according to the actual requirements of the user, the service or the scene. It may be 1 minute, 10 minutes or any other number.
S3034, determining that the current flow of the target service is abnormal.
If the traffic floating proportion is larger than the predetermined current proportion threshold, the traffic of the source port has fluctuated sharply and traffic abnormality is possible, so the current traffic of the target service is determined to be abnormal.
And the second method comprises the following steps: determining whether the current traffic of the target service is abnormal according to the current traffic and the total traffic of the services carried by the network device, S303 includes:
S3035, calculating the total occupancy, i.e. the ratio of the current traffic to the total traffic.
Specifically, the total occupancy, the current traffic and the total traffic satisfy the equation:
$M_2 = \frac{CP}{\sum CP}$
where $M_2$ is the total occupancy, $CP$ is the current traffic of the target service, and $\sum CP$ is the total traffic of the services carried by the network device.
S3036, judging whether the total occupancy is larger than a predetermined current occupancy threshold; if so, executing S3034.
It should be noted that the current occupancy threshold may change with time. Therefore, when determining whether the current traffic of the target service is abnormal, the current occupancy threshold needs to be determined in advance.
In an alternative embodiment, the network device 200 may update the current occupancy threshold according to a preset second time interval. It should be noted that, when the current occupancy threshold is updated, the scene requirement at the current time needs to be met. In this way the current occupancy threshold is the one best suited to the current traffic state, which avoids both missed alarms caused by an occupancy threshold set too high and frequent alarms caused by one set too low.
It should be noted that the second time interval can be set according to the actual requirements of the user, the service or the scene. It may be 1 minute, or 10 minutes or any other number. In addition, in an alternative embodiment, the second time interval may be equal to the first time interval. Of course, in other embodiments, the second time interval may not be equal to the first time interval.
S3034, determining that the current flow of the target service is abnormal.
If the total occupancy is greater than the predetermined current occupancy threshold, the traffic transmitted from the source port to the destination port is large and traffic abnormality is possible, so the current traffic of the target service is determined to be abnormal.
And the third is that: determining whether the current traffic of the target service is abnormal according to the current traffic, the historical average traffic and the total traffic of the services carried by the network device; then S303 includes:
S3037, calculating a difference between the current traffic of the target service and the historical average traffic to determine a floating value of the current traffic of the target service relative to the historical average traffic.
And S3038, calculating the flow floating proportion of the target service according to the difference value and the historical average flow.
S3039, calculating the total occupancy, i.e. the ratio of the current traffic to the total traffic.
S3040, determining whether the traffic floating proportion is greater than the predetermined current proportion threshold and whether the total occupancy is greater than the predetermined current occupancy threshold; if both hold, performing S3034.
Likewise, the network device 200 may update the current proportion threshold according to a preset first time interval and the current occupancy threshold according to a preset second time interval. The first time interval and the second time interval may be equal or different.
S3034, determining that the current flow of the target service is abnormal.
If the traffic floating proportion is larger than the predetermined current proportion threshold and the total occupancy is larger than the predetermined current occupancy threshold, the current traffic of the target service is determined to be abnormal.
It should be noted that, in this manner, the current traffic of the target service is determined to be abnormal only when the two conditions (traffic floating proportion greater than the current proportion threshold, and total occupancy greater than the current occupancy threshold) are satisfied simultaneously. The advantage of this method is that more dimensions are considered and more parameter types are relied on when judging whether the current traffic of the target service is abnormal, so the judgment result is more accurate.
In addition, it should be noted that, when the target service includes a plurality of services, each service has its own proportion threshold and occupancy threshold. That is, when the network device 200 detects whether the current traffic of multiple services is abnormal at the same time, each service corresponds to its own proportion threshold and occupancy threshold.
Therefore, the proportion threshold and the occupancy threshold are associated with the service type, so that each service has the proportion threshold and occupancy threshold that match its own traffic change characteristics, making the traffic anomaly detection result more accurate.
For example, the traffic of service 1 fluctuates only mildly while the traffic of service 2 fluctuates strongly. If the current proportion thresholds of service 1 and service 2 are set to the same value, then a high setting makes it difficult to detect abnormal traffic of service 1, whereas a low setting makes it easy to flag the traffic of service 1 as abnormal; either way the detection result is not accurate. Therefore, the current proportion thresholds k1 and k2 can be set for service 1 and service 2 respectively, with k1 smaller than k2, so that the above problem is effectively avoided and whether the current traffic is abnormal can be judged more accurately.
In fact, the historical average traffic of the target service and the total traffic of the service carried by the network device are service traffic parameters. S303 is actually a step of determining whether the current traffic of the target service is abnormal according to the current traffic and the service traffic parameter, as long as the service traffic parameter includes at least one of the historical average traffic and the total traffic of the service carried by the network device.
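The following Python is an added worked example, not code from the patent or its assignee. It implements the three decision ways of S303 (floating proportion M1, total occupancy M2, and both together), a per-service, time-of-day threshold schedule in place of the periodic threshold updates of the first and second time intervals, and a 5-sample historical average; all traffic figures, threshold values and the hour-keyed lookup rule are constructed assumptions.

```python
from statistics import mean
from typing import Dict, List

# Constructed threshold schedules, keyed by service name and then by hour of day.
# For the target service the 03:00 proportion threshold k1 is below the 22:00
# threshold k2 (k1 < k2), as the description recommends; the values are assumed.
PROPORTION_THRESHOLDS: Dict[str, Dict[int, float]] = {
    "target_service": {3: 0.5, 22: 1.5},   # thresholds for M1 (k1 = 0.5, k2 = 1.5)
}
OCCUPANCY_THRESHOLDS: Dict[str, Dict[int, float]] = {
    "target_service": {3: 0.4, 22: 0.6},   # thresholds for M2
}


def current_threshold(schedule: Dict[int, float], hour: int) -> float:
    """Return the threshold in force at `hour` (0-23): the entry for the latest
    scheduled hour <= `hour`, wrapping to the last entry of the previous day.
    This step-function rule stands in for the periodic threshold update and is
    an assumption of this example, not part of the patent."""
    hours = sorted(schedule)
    applicable = [h for h in hours if h <= hour]
    return schedule[applicable[-1] if applicable else hours[-1]]


def historical_average(samples: List[float]) -> float:
    """AP: mean of the traffic samples collected before the current instant
    (the description uses the samples from the preceding 5 minutes)."""
    if not samples:
        raise ValueError("no historical samples for this service")
    return float(mean(samples))


def floating_proportion(cp: float, ap: float) -> float:
    """M1 = (CP - AP) / AP, steps S3031 and S3032."""
    if ap <= 0:
        raise ValueError("historical average traffic must be positive")
    return (cp - ap) / ap


def total_occupancy(cp: float, all_current: Dict[str, float]) -> float:
    """M2 = CP / sum(CP over every service carried by the device), step S3035."""
    total = sum(all_current.values())
    if total <= 0:
        raise ValueError("device carries no traffic")
    return cp / total


def is_abnormal(service: str, history: List[float], all_current: Dict[str, float],
                hour: int, mode: str = "both") -> bool:
    """Decide S303 for `service` using mode "proportion" (first way),
    "occupancy" (second way) or "both" (third way: both conditions must hold)."""
    cp = all_current[service]
    over_proportion = (floating_proportion(cp, historical_average(history))
                       > current_threshold(PROPORTION_THRESHOLDS[service], hour))
    over_occupancy = (total_occupancy(cp, all_current)
                      > current_threshold(OCCUPANCY_THRESHOLDS[service], hour))
    if mode == "proportion":
        return over_proportion
    if mode == "occupancy":
        return over_occupancy
    if mode == "both":
        return over_proportion and over_occupancy
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample: five earlier samples of the target service (AP = 100),
# then one collection instant at which the device carries three services.
HISTORY = [100.0, 110.0, 90.0, 105.0, 95.0]
CURRENT = {"target_service": 260.0, "service_1": 100.0, "service_2": 140.0}

if __name__ == "__main__":
    for hour in (3, 22):
        for mode in ("proportion", "occupancy", "both"):
            print(hour, mode, is_abnormal("target_service", HISTORY, CURRENT, hour, mode))
```

With the constructed figures the same reading (M1 = 1.6, M2 = 0.52) is abnormal at 03:00 in all three modes but only in the proportion mode at 22:00, which shows why the third way reports fewer alarms than either single dimension.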
In order to perform the corresponding steps in the above embodiments and their various possible manners, an implementation of the flow anomaly detection apparatus 300 is given below; optionally, the flow anomaly detection apparatus 300 may adopt the device structure of the processor 220 shown in fig. 2. Further, referring to fig. 6, fig. 6 is a functional block diagram of a flow anomaly detection apparatus 300 according to an embodiment of the present invention. It should be noted that the basic principle and the resulting technical effect of the flow anomaly detection apparatus 300 provided in the present embodiment are the same as those of the above embodiments; for brevity, details not mentioned in the present embodiment can be found in the corresponding contents of the above embodiments. The flow anomaly detection apparatus 300 includes a traffic acquisition module 310 and an anomaly detection module 320.
The traffic obtaining module 310 is configured to obtain a current traffic of the target service.
It is understood that in an alternative embodiment, the traffic obtaining module 310 may be configured to execute S301.
The traffic obtaining module 310 is further configured to obtain at least one of a historical average traffic of the target service and a total traffic of the services carried by the network device.
It is understood that in an alternative embodiment, the traffic obtaining module 310 may be configured to perform S302.
The anomaly detection module 320 is configured to determine whether the current traffic of the target service is abnormal according to the current traffic together with the historical average traffic and/or the total traffic of the services carried by the network device.
Specifically, the anomaly detection module 320 is configured to calculate the difference between the current traffic of the target service and the historical average traffic to determine the floating value of the current traffic relative to the historical average traffic, then calculate the traffic floating proportion of the target service from the difference and the historical average traffic, and determine whether the traffic floating proportion is greater than a predetermined current proportion threshold; if so, the current traffic of the target service is determined to be abnormal.
The anomaly detection module 320 is further configured to calculate the overall ratio of the current traffic to the total traffic and determine whether the overall ratio is greater than a predetermined proportion threshold (the threshold for the overall ratio); if so, the current traffic of the target service is determined to be abnormal.
The anomaly detection module 320 is further configured to calculate the difference between the current traffic of the target service and the historical average traffic to determine the floating value of the current traffic relative to the historical average traffic, then calculate the traffic floating proportion of the target service from the difference and the historical average traffic, calculate the overall ratio of the current traffic to the total traffic, and determine whether the traffic floating proportion is greater than the predetermined current proportion threshold and whether the overall ratio is greater than the predetermined proportion threshold; only if both conditions hold is the current traffic of the target service determined to be abnormal.
It is understood that in an alternative embodiment, the anomaly detection module 320 may be configured to perform steps S303, S3031, S3032, S3033, S3034, S3035, S3036, S3037, and S3038.
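The three judgment modes of the anomaly detection module 320, together with per-service threshold pairs (k1 smaller than k2) and a threshold that changes by time interval, as an added example that is not code from the patent or its applicant. The service names, threshold values, schedule and traffic samples are constructed; the floating proportion uses the magnitude of the difference so that a sudden drop is also flagged, which is an assumption of this example.

```python
"""Traffic anomaly check: floating ratio against the historical average,
overall ratio against the device's total traffic, or both (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    floating: float                  # "current proportion threshold" for the floating ratio
    overall: Optional[float] = None  # "proportion threshold" for current / total


def floating_ratio(current: float, hist_avg: float) -> float:
    """Floating value (current minus historical average) relative to that average.
    The magnitude is used so that a sudden drop is flagged as well (assumption)."""
    if hist_avg <= 0:
        raise ValueError("historical average traffic must be positive")
    return abs(current - hist_avg) / hist_avg


def overall_ratio(current: float, total: float) -> float:
    """Share of the total traffic carried by the device that this service takes."""
    if total <= 0 or current > total:
        raise ValueError("total traffic must be positive and not below the current traffic")
    return current / total


def is_anomalous(current: float, th: Thresholds,
                 hist_avg: Optional[float] = None,
                 total: Optional[float] = None) -> bool:
    """At least one service traffic parameter is required (S303). When both are
    given, the floating ratio AND the overall ratio must exceed their thresholds."""
    if hist_avg is None and total is None:
        raise ValueError("need the historical average and/or the total traffic")
    verdict = True
    if hist_avg is not None:
        verdict = verdict and floating_ratio(current, hist_avg) > th.floating
    if total is not None:
        if th.overall is None:
            raise ValueError("overall ratio requested but no overall threshold set")
        verdict = verdict and overall_ratio(current, total) > th.overall
    return verdict


# Per-service thresholds: service 1 fluctuates mildly (k1), service 2 strongly
# (k2), with k1 < k2 as the description requires. Values are constructed.
SERVICE_THRESHOLDS: Dict[str, Thresholds] = {
    "service1": Thresholds(floating=0.3, overall=0.5),
    "service2": Thresholds(floating=0.8, overall=0.5),
}

# Floating thresholds per time interval as (start hour, threshold): intervals in
# which the floating ratio is normally higher get a larger threshold. Constructed.
FLOATING_SCHEDULE: List[Tuple[int, float]] = [(0, 0.3), (9, 0.6), (18, 0.4)]


def scheduled_threshold(schedule: List[Tuple[int, float]], hour: int) -> float:
    """Threshold in force at `hour`: the entry with the latest start not after it."""
    chosen = schedule[0][1]
    for start, value in sorted(schedule):
        if start <= hour:
            chosen = value
    return chosen


def check_service(service: str, current: float, hist_avg: float, total: float) -> bool:
    """Both-parameter mode, using the service's own threshold pair."""
    return is_anomalous(current, SERVICE_THRESHOLDS[service], hist_avg, total)
```

With the constructed values, 150 units against an average of 100 on a device carrying 200 is abnormal for service 1 but within the wider tolerance of service 2.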
Alternatively, the modules may be stored in the memory 210 shown in fig. 2 in the form of software or firmware, or be built into the operating system (OS) of the network device 200, and may be executed by the processor 220 in fig. 1. Likewise, the data, program code and the like required to execute the above modules may be stored in the memory 210.
The present invention also provides a computer-readable storage medium, on which a computer program is stored, which, when executed by the processor 220, implements the flow anomaly detection method according to any one of the preceding embodiments.
In summary, the traffic anomaly detection method and apparatus provided by the present invention obtain the current traffic of the target service, obtain at least one of the historical average traffic of the target service and the total traffic of the services carried by the network device, and finally determine whether the current traffic of the target service is abnormal according to the current traffic together with the historical average traffic and/or the total traffic. Because the traffic characteristics of different types of services differ, directly detecting the current traffic of a specific service is more targeted than the prior art; at the same time, the historical average traffic and/or the total traffic are also consulted when judging whether the current traffic is abnormal, that is, the judgment is made across multiple dimensions, so that a more accurate result is obtained, the robustness of the anomaly detection process is improved, and the false alarm rate is reduced.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are also within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (5)

1. A traffic anomaly detection method is applied to network equipment and is characterized by comprising the following steps:
acquiring the current flow of a target service;
acquiring historical average flow of the target service, or acquiring the historical average flow and total flow of the service carried by the network equipment;
determining whether the current flow of the target service is abnormal or not according to the current flow, the historical average flow and the total flow of the service borne by the network equipment, or determining whether the current flow of the target service is abnormal or not according to the current flow and the historical average flow;
the step of determining whether the current traffic of the target service is abnormal according to the current traffic and the historical average traffic includes:
calculating a difference value between the current flow of the target service and the historical average flow to determine a floating value of the current flow of the target service relative to the historical average flow;
calculating the flow floating proportion of the target service according to the difference value and the historical average flow;
updating a predetermined current proportion threshold value according to a first preset time interval; if the flow floating proportion at the first moment is lower than that at the second moment, the current proportion threshold corresponding to the first moment is smaller than that at the second moment;
if the flow floating proportion is larger than a predetermined current proportion threshold value, determining that the current flow of the target service is abnormal;
determining whether the current flow of the target service is abnormal according to the current flow, the historical average flow and the total flow of the service carried by the network equipment, wherein the step comprises the following steps: calculating a difference value between the current flow of the target service and the historical average flow to determine a floating value of the current flow of the target service relative to the historical average flow; calculating the flow floating proportion of the target service according to the difference value and the historical average flow; calculating the total ratio of the current flow to the total flow; and if the flow floating proportion is larger than a predetermined current proportion threshold value and the overall proportion is larger than a predetermined proportion threshold value, determining that the current flow of the target service is abnormal.
2. The method of claim 1, further comprising: when the target service comprises a plurality of services, each service corresponds to a respective proportion threshold and a proportion threshold.
3. A traffic anomaly detection device is applied to network equipment, and is characterized by comprising:
the flow acquisition module is used for acquiring the current flow of the target service;
the traffic obtaining module is further configured to obtain a historical average traffic of the target service, or obtain the historical average traffic and a total traffic of the service carried by the network device;
an anomaly detection module, configured to determine whether a current traffic of the target service is abnormal according to the current traffic, the historical average traffic, and a total traffic of a service carried by the network device, or determine whether the current traffic of the target service is abnormal according to the current traffic and the historical average traffic;
the anomaly detection module is used for calculating a difference value between the current flow of the target service and the historical average flow so as to determine a floating value of the current flow of the target service relative to the historical average flow;
the anomaly detection module is also used for calculating the flow floating proportion of the target service according to the difference value and the historical average flow;
the abnormality detection module is further used for updating a predetermined current proportion threshold value according to a first preset time interval; if the flow floating proportion at the first moment is lower than that at the second moment, the current proportion threshold corresponding to the first moment is smaller than that at the second moment;
the abnormal detection module is further used for determining that the current flow of the target service is abnormal if the flow floating proportion is larger than a predetermined current proportion threshold;
the anomaly detection module is specifically configured to: calculating a difference value between the current flow of the target service and the historical average flow to determine a floating value of the current flow of the target service relative to the historical average flow; calculating the flow floating proportion of the target service according to the difference value and the historical average flow; calculating the total ratio of the current flow to the total flow; and if the flow floating proportion is larger than a predetermined current proportion threshold value and the overall proportion is larger than a predetermined proportion threshold value, determining that the current flow of the target service is abnormal.
4. A network device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to implement the traffic anomaly detection method of any one of claims 1-2.
5. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out a method of flow anomaly detection according to any one of claims 1-2.
CN201911001121.7A 2019-10-21 2019-10-21 Flow abnormity detection method and device and network equipment Active CN110784458B (en)


Publications (2)

Publication Number Publication Date
CN110784458A CN110784458A (en) 2020-02-11
CN110784458B true CN110784458B (en) 2023-04-18




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant