CN111131290B - Flow data processing method and device - Google Patents


Info

Publication number: CN111131290B
Authority: CN (China)
Prior art keywords: flow, baseline, abnormal, target object, extended period
Legal status: Active
Application number: CN201911400067.3A
Other languages: Chinese (zh)
Other versions: CN111131290A
Inventors: 张晔, 苏建学, 蒋东毅
Current assignee: Hillstone Networks Co Ltd
Original assignee: Hillstone Networks Co Ltd

Events:
Application filed by Hillstone Networks Co Ltd
Priority to CN201911400067.3A
Publication of CN111131290A
Application granted
Publication of CN111131290B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a method and a device for processing traffic data. The method comprises the following steps: when the traffic of a target object is detected to be abnormal based on the weekly baseline, detecting the traffic of the target object again through an extended period baseline to obtain a re-detection result, wherein the traffic period corresponding to the extended period baseline is longer than one week; judging whether the re-detection result is abnormal; and if the re-detection result is abnormal, outputting a first message, which prompts that the traffic of the target object is abnormal, whereas if any one of the extended period baselines matches the traffic of the target object successfully, the re-detection result is not abnormal. The invention thereby improves the accuracy of abnormal traffic judgment.

Description

Flow data processing method and device
Technical Field
The invention relates to the field of computers, in particular to a method and a device for processing flow data.
Background
Network Traffic Analysis examines the state of a network in terms of security, operation, management or network health by recording, reviewing and analyzing network traffic data. A network traffic analysis system learns the traffic it observes over a period of time, builds a baseline model of its traffic characteristics, and in subsequent detection compares actual traffic with the baseline model to find abnormal traffic and malicious network behavior. The periodic baseline model is a commonly used model; since enterprise business and staff work are largely organized by the week, the week is taken as the period unit of the periodic model. A considerable part of business cycles nevertheless exceeds one week, for example at the beginning of the month, at the end of the month, every two weeks or in the last week of each month. On a system that directly uses a baseline model with a one-week period, such business generates abnormal traffic alarms, that is, false alarms, and long-term repeated false alarms lead the security administrator to ignore the alarms, so that real threats on the affected equipment receive no attention and the protective efficiency of the network traffic analysis system is reduced.
Network traffic analysis needs a period to define the baseline model, and the period can be chosen in several ways. A 24-hour period cannot reflect the traffic difference between working days and weekends; a one-month period requires a large amount of traffic baseline data to be stored with much redundancy. A week is currently the more general and reasonable choice.
Enterprise business still contains repetitive activity whose period is longer than a week. On a system that provides only a baseline with a one-week period, such activity is detected as abnormal traffic behavior and becomes a regularly recurring false alarm. The administrator must either repeatedly ignore the alarm or classify it as normal periodic traffic, in which case the weekly baseline is corrected with that traffic data, and when the traffic of the business in question later occurs in a non-business time period no alarm is raised: the false alarm has turned into a missed alarm on suspicious traffic. Long-term false alarms and missed alarms reduce the security early-warning effect of the network traffic analysis system.
Existing systems perform traffic detection and report traffic anomalies based on a weekly baseline. For anomalies caused by normal traffic with a repetition period longer than one week, a system administrator generally has two options: ignore the abnormal alarm, in which case it reappears in the next traffic period, or process it as a false alarm, in which case its traffic characteristics are absorbed by the automatic baseline update function and the weekly model becomes inaccurate.
No effective solution has yet been proposed for the problem of misjudgment caused by an unreasonable choice of traffic period in the related art.
Disclosure of Invention
The invention mainly aims to provide a method and a device for processing flow data, which aim to solve the problem of judgment errors caused by unreasonable flow period determination.
In order to achieve the above object, according to an aspect of the present invention, there is provided a traffic data processing method, including: when the flow of a target object is detected to be abnormal based on a weekly baseline, detecting the flow of the target object again through an extended period baseline to obtain a re-detection result, wherein the flow period corresponding to the extended period baseline is more than one week; judging whether the re-detection result is abnormal or not; and if the retest result is abnormal, outputting a first message, wherein the first message is used for prompting that the flow of the target object is abnormal, and if the matching between any one of the extended period baselines and the flow of the target object is successful, the retest result is not abnormal.
Further, the method further comprises: and if the re-detection result is not abnormal, updating the extended period baseline based on the flow of the target object.
Further, before the flow of the target object is detected again through the extended period baseline to obtain a detection result again, the method further includes: judging whether the extended period baseline exists or not; and if not, outputting a second message, wherein the second message is used for prompting that the extension period baseline does not exist.
Further, after outputting the second message, the method further comprises: sending prompt information, wherein the prompt information is used for prompting whether an extension period baseline is added or not; upon receiving an add instruction, adding the extended period baseline based on the add instruction.
Further, the method further comprises: after receiving an instruction not added, judging the flow of the currently detected target object as abnormal flow; and sending a flow abnormity prompt.
In order to achieve the above object, according to another aspect of the present invention, there is also provided a traffic data processing apparatus, including: the detection unit is used for detecting the flow of the target object again through an extended period baseline when the flow of the target object is detected to be abnormal based on the period baseline, so as to obtain a re-detection result, wherein the flow period corresponding to the extended period baseline is more than one week; a first judgment unit for judging whether the re-detection result is abnormal or not; and a first output unit, configured to output a first message when the retest result is abnormal, where the first message is used to prompt that the traffic of the target object is abnormal, and if matching between any one of the extended period baselines and the traffic of the target object is successful, the retest result is not abnormal.
Further, the apparatus further comprises: and the updating unit is used for updating the extended period baseline based on the flow of the target object when the re-detection result is not abnormal.
Further, the apparatus further comprises: the second judgment unit is used for judging whether the extended period baseline exists or not before the flow of the target object is detected again through the extended period baseline to obtain a detection result again; and a second output unit, configured to output a second message if the extension period baseline does not exist, where the second message is used to prompt that the extension period baseline does not exist.
In order to achieve the above object, according to another aspect of the present invention, there is also provided a storage medium including a stored program, wherein when the program runs, a device in which the storage medium is located is controlled to execute the traffic data processing method according to the present invention.
In order to achieve the above object, according to another aspect of the present invention, there is also provided an apparatus, which includes at least one processor, and at least one memory and a bus connected to the processor, wherein the processor and the memory complete communication with each other through the bus, and the processor is configured to call program instructions in the memory to execute the traffic data processing method according to the present invention.
When the flow of the target object is detected to be abnormal based on the periodic baseline, the flow of the target object is detected again through the extended periodic baseline to obtain a re-detection result, wherein the flow period corresponding to the extended periodic baseline is more than one week; judging whether the re-detection result is abnormal or not; if the retest result is abnormal, outputting a first message, wherein the first message is used for prompting that the flow of the target object is abnormal, and if the matching between any one of the extended period baselines and the flow of the target object is successful, the retest result is not abnormal, so that the problem of judgment error caused by unreasonable flow period determination is solved, and the effect of improving the accuracy of abnormal flow judgment is achieved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a flowchart of a traffic data processing method according to an embodiment of the present invention;
FIG. 2 is a flow diagram of traffic anomaly detection according to an embodiment of the present invention;
FIG. 3 is a flow diagram of extended traffic anomaly detection according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a traffic data processing device according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present invention will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiment of the invention provides a flow data processing method.
Fig. 1 is a flowchart of a traffic data processing method according to an embodiment of the present invention, as shown in fig. 1, the method including the steps of:
step S102: when the flow of the target object is detected to be abnormal based on the weekly baseline, detecting the flow of the target object again through the extended period baseline to obtain a re-detection result, wherein the flow period corresponding to the extended period baseline is more than one week;
step S104: judging whether the re-detection result is abnormal or not;
step S106: and if the retest result is abnormal, outputting a first message, wherein the first message is used for prompting that the flow of the target object is abnormal, and if the matching between any one of the extended period baselines and the flow of the target object is successful, the retest result is not abnormal.
The embodiment adopts that when the flow of the target object is detected to be abnormal based on the week baseline, the flow of the target object is detected again through the extended period baseline to obtain a re-detection result, wherein the flow period corresponding to the extended period baseline is more than one week; judging whether the re-detection result is abnormal or not; if the retest result is abnormal, outputting a first message, wherein the first message is used for prompting that the flow of the target object is abnormal, and if the matching between any one of the extended period baselines and the flow of the target object is successful, the retest result is not abnormal, so that the problem of judgment error caused by unreasonable flow period determination is solved, and the effect of improving the accuracy of abnormal flow judgment is achieved.
In the embodiment of the invention, when traffic detection is performed based on the weekly baseline and abnormal traffic is found, that traffic may stem from data flows with a longer period, such as a data flow that occurs once a month or once a quarter. Traffic whose period is longer than a week can be checked again for anomalies through the extended period baseline; if the anomaly still exists after extended period baseline detection, an anomaly prompt is sent. Adding the step of extended period baseline detection reduces false alarms and identifies the extended period traffic among the abnormal traffic.
Optionally, if there is no anomaly in the redetection result, the extended period baseline is updated based on the traffic of the target object.
If the abnormal flow detected based on the weekly baseline is successfully matched through the extended period baseline, the abnormal flow is not indicated, and the extended period baseline is updated according to the current flow data, so that the baseline data are more accurate.
Optionally, before the flow of the target object is detected again through the extended period baseline to obtain a detection result again, whether the extended period baseline exists is judged; and if not, outputting a second message, wherein the second message is used for prompting that the extension period baseline does not exist.
If an extended period baseline has not been added, a prompt message may be issued to prompt the user.
Optionally, after outputting the second message, sending a prompt message, where the prompt message is used to prompt whether to add the extended period baseline; after receiving an add instruction, an extended period baseline is added based on the add instruction.
And prompting whether the user adds the extension period baseline or not again after prompting that the user does not have the extension period baseline, and if the user sends an adding instruction, adding the extension period baseline based on the adding instruction.
Optionally, after receiving an instruction not to add, the currently detected traffic of the target object is determined to be abnormal traffic, and a traffic anomaly prompt is sent.
If the user does not add an extended period baseline, the weekly baseline detection result can be adopted directly as the current traffic detection result, and a traffic anomaly prompt is sent to inform the user that an anomaly exists.
In addition, if the weekly baseline detection result shows no anomaly in the current traffic, the weekly baseline may be updated with the current traffic data to make it more accurate.
The embodiment of the present invention also provides a preferred embodiment, and the present application will be described based on the preferred embodiment.
The present embodiment provides a baseline construction technique for an arbitrary period (shorter than one year), together with a traffic detection technique and system design based on this baseline. An administrator can set an arbitrary period shorter than one year for specific traffic, and the system automatically learns and adjusts the baseline according to this period and performs abnormal traffic detection according to it.
The method mainly comprises the following parts: an extended period baseline data structure, an extended period baseline management module, and an extended traffic anomaly detection process.
1. Extended period baseline data structure
A conventional weekly baseline, with a period of one week, selects a certain point in time within the week as its starting point. The time offset between the current time and the starting point is calculated and used to look up the corresponding baseline traffic characteristics, and the actual traffic characteristics are compared with the baseline characteristics to judge whether the traffic is normal or abnormal. The simplified data structure of the weekly baseline is shown in the following table.
TABLE 1 Simplified data structure of the weekly baseline
[Table 1 is an image on the source page; it has the columns TimeStamp and BaseLineData described below.]
Since the specific contents of TimeStamp and BaseLineData are not relevant to the present invention, they are not defined in detail here. TimeStamp may be a relative time from the beginning of the cycle, in minutes, hours or days, or a time span defined by a start time and an end time. BaseLineData should include, but is not limited to, traffic identification data such as the IP addresses, ports and services of the traffic, traffic characteristic data, and traffic statistics.
Since the TimeStamp in the weekly baseline table is recorded relative to the starting point of each week, repeated events with a period longer than one week cannot be stored in that table. This embodiment therefore proposes a data structure for the extended period baseline that stores baseline data for any period shorter than one year, shown in the following table.
Table 2 Data structure of the extended period baseline

TimeStamp    Pattern    BaseLineData
T1           P1         Data1
T2           P2         Data2
T3           P3         Data3
Each item in the data structure is defined as follows:
TimeStamp: the time stamp; unlike the definition above, it records the time offset from the beginning of the first day of the year, from which the month, week, day of the week, hour, minute and similar information of the event time can be determined.
BaseLineData: baseline data, as defined above.
Pattern: the repetition pattern. Pattern is a new field added to the periodic baseline data structure that records the repetition mode of the traffic corresponding to the baseline. Its values include, but are not limited to:
repeats on a certain day every two weeks;
repeats on a certain day of each month;
repeats on the working days at the beginning of the month;
repeats on the working days at the end of the month;
repeats on a calendar day every year.
The network traffic analysis system may add or delete supported repeating patterns according to the service operation characteristics of its target customers.
2. Extended period baseline management module
Because a large amount of traffic characteristic data needs to be discovered and stored in the weekly baseline, the baselines in the weekly baseline data structure are obtained through automatic learning by the system and adjusted in real time according to actual traffic; an administrator only needs to fine-tune the weekly baseline to make it usable.
The extended period baseline contains the traffic baselines that cannot be represented in the weekly baseline. Their number is far lower than that of the weekly baseline, and the creation, modification and deletion of extended period baselines require the direct participation of an administrator.
Baseline addition: if normal traffic cannot be covered by the weekly traffic baseline, the traffic detection module generates an abnormal traffic alarm for it. When handling the abnormal alarm, the administrator can distinguish whether the traffic is genuinely abnormal or normal traffic that repeats with a period longer than one week. In the latter case, the administrator adds the corresponding traffic characteristics, time of occurrence and traffic repetition pattern to the extended period baseline through the baseline addition function of the management module. The baseline addition function needs to be integrated into the abnormal traffic handling flow of the network traffic analysis system.
Automatic baseline adjustment: like the baselines in the weekly baseline, the extended period baselines also need to be adjusted automatically in step with actual traffic. The adjustment algorithm and implementation are the same as for the weekly baseline, so this function can reuse the existing implementation in the system.
Baseline display: the baseline display function provides a display, management, operation and maintenance entry point for the added baselines.
Manual baseline adjustment: the business represented by an extended period baseline may change over time. The timestamps and repetition patterns of existing baselines can be adjusted manually by an administrator to accommodate such changes.
Manual baseline deletion: because baselines in the extended period baseline have long repetition periods, a time-based automatic aging mechanism is difficult to realize, so the management module provides a manual deletion function to help the administrator clear useless baselines.
The above design describes the basic functions of the management module; different network traffic analysis systems may implement only part of these functions or add further management functions according to the design for their customer groups.
FIG. 2 is a flow diagram of traffic anomaly detection according to an embodiment of the present invention. As shown in FIG. 2, if traffic anomalies are detected and reported based only on a weekly baseline, a system administrator generally has two options for an anomaly caused by normal traffic with a repetition period longer than one week: ignore the anomaly alarm, which will reappear in the next traffic period, or treat the alarm as a false alarm, in which case its traffic characteristics are absorbed by the automatic baseline update function and the weekly model becomes inaccurate.
This embodiment therefore proposes creating an extended period baseline data structure and a management module for it. FIG. 3 is a flow diagram of extended traffic anomaly detection according to an embodiment of the present invention. As shown in FIG. 3, if traffic is judged abnormal by weekly baseline detection, it is passed on to secondary detection against the extended period baseline. The detection function is designed as follows: first, the network parameters of the traffic (IP addresses, ports, application and the like) are matched against the baselines; if no baseline matches, the query result is "no baseline matched". If some baselines match, it is verified one by one whether the time of the traffic falls within the repetition period defined in each baseline, where the effective time period of a baseline is calculated from its timestamp and repetition pattern; if no time period matches, the query result remains "no baseline matched". If a baseline's time period matches, the traffic is further compared with that baseline, and the comparison result is either normal traffic or abnormal traffic, which completes the detection function.
The final detection result is one of the following three types:
If the traffic matches a baseline in the extended period baseline and is judged normal, the baseline is updated automatically with the characteristics of the traffic, and the traffic detection process is complete.
If the traffic matches a baseline in the extended period baseline and is judged abnormal, the result is set to the abnormal state and awaits manual analysis by an administrator.
If no baseline in the extended period baseline matches, the result is set to "abnormal, no baseline matched" and awaits manual analysis by an administrator.
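The following is an added example, not code from the patent or from Hillstone, that implements the Table 2 data structure and the secondary detection flow of FIG. 3 in Python, and also shows the weekly check of FIG. 1 ahead of it. The field layout, the hour unit of TimeStamp, the three-working-day month-start and month-end windows, the moving-average update and all addresses and byte counts are assumptions of this example.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from enum import Enum

class Pattern(Enum):
    """Repetition patterns the page lists for the Pattern field of Table 2."""
    BIWEEKLY_WEEKDAY = 1      # a certain day every two weeks
    MONTHLY_DAY = 2           # a certain day of each month
    MONTH_START_WORKDAYS = 3  # working days at the beginning of the month
    MONTH_END_WORKDAYS = 4    # working days at the end of the month
    YEARLY_DATE = 5           # a calendar day every year

class Verdict(Enum):
    NORMAL = "normal"                    # baseline matched and traffic within tolerance
    ABNORMAL = "abnormal"                # extended baseline matched but traffic deviates
    NO_BASELINE = "no baseline matched"  # nothing matched by parameters or time period

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    time: datetime
    byte_count: float  # bytes seen in this hour slot (assumed traffic statistic)

@dataclass
class ExtendedBaseline:
    """One row of Table 2; field layout and units are assumptions of this example."""
    src_ip: str
    dst_ip: str
    dst_port: int
    timestamp_hours: int   # TimeStamp: offset from the first day of the year, in hours
    pattern: Pattern
    mean_bytes: float      # BaseLineData: learned traffic statistic
    tolerance: float       # relative deviation still treated as normal

def workdays(year: int, month: int) -> list:
    ndays = calendar.monthrange(year, month)[1]
    return [d for d in range(1, ndays + 1) if date(year, month, d).weekday() < 5]

def in_effective_period(b: ExtendedBaseline, t: datetime) -> bool:
    """Derive the baseline's effective period from TimeStamp + Pattern and test t."""
    anchor = datetime(t.year, 1, 1) + timedelta(hours=b.timestamp_hours)
    if t.hour != anchor.hour:  # every pattern keeps the anchor's hour-of-day slot
        return False
    if b.pattern is Pattern.BIWEEKLY_WEEKDAY:
        return (t.date() - anchor.date()).days % 14 == 0
    if b.pattern is Pattern.MONTHLY_DAY:
        return t.day == anchor.day
    if b.pattern is Pattern.MONTH_START_WORKDAYS:
        return t.day in workdays(t.year, t.month)[:3]   # first 3 working days (assumed)
    if b.pattern is Pattern.MONTH_END_WORKDAYS:
        return t.day in workdays(t.year, t.month)[-3:]  # last 3 working days (assumed)
    return (t.month, t.day) == (anchor.month, anchor.day)  # YEARLY_DATE

def weekly_abnormal(flow: Flow, weekly: dict) -> bool:
    """Table 1 style check: weekly maps (weekday, hour) -> (mean_bytes, tolerance)."""
    mean, tol = weekly.get((flow.time.weekday(), flow.time.hour), (0.0, 0.0))  # unknown slot: abnormal
    return abs(flow.byte_count - mean) > tol * mean

def extended_detect(flow: Flow, baselines: list, alpha: float = 0.1):
    """Secondary detection: match network parameters, then the repetition period, then
    compare traffic characteristics; a NORMAL verdict updates the baseline (EMA assumed)."""
    key = (flow.src_ip, flow.dst_ip, flow.dst_port)
    same_params = [b for b in baselines if (b.src_ip, b.dst_ip, b.dst_port) == key]
    in_period = [b for b in same_params if in_effective_period(b, flow.time)]
    if not in_period:
        return Verdict.NO_BASELINE, None
    for b in in_period:  # any successful match means the traffic is not abnormal
        if abs(flow.byte_count - b.mean_bytes) <= b.tolerance * b.mean_bytes:
            b.mean_bytes = (1 - alpha) * b.mean_bytes + alpha * flow.byte_count
            return Verdict.NORMAL, b
    return Verdict.ABNORMAL, in_period[0]

def detect(flow: Flow, weekly: dict, baselines: list):
    """FIG. 1 flow: re-detect against the extended baselines only when the weekly one flags."""
    if not weekly_abnormal(flow, weekly):
        return Verdict.NORMAL, None
    if not baselines:  # the page's second message: no extended period baseline exists
        return Verdict.NO_BASELINE, None
    return extended_detect(flow, baselines)
# Constructed sample: a month-end backup over SSH at 02:00 moving about 5 GB, while the
# weekly baseline expects about 50 MB in that hour slot on every day of the week.
WEEKLY = {(wd, 2): (50e6, 0.5) for wd in range(7)}
MONTH_END = Flow("10.0.0.5", "10.0.1.20", 22, datetime(2024, 1, 31, 2), 5.2e9)
MID_MONTH = Flow("10.0.0.5", "10.0.1.20", 22, datetime(2024, 1, 10, 2), 5.2e9)
BURST = Flow("10.0.0.5", "10.0.1.20", 22, datetime(2024, 1, 31, 2), 5e10)

def make_baselines() -> list:
    return [ExtendedBaseline("10.0.0.5", "10.0.1.20", 22, timestamp_hours=2,
                             pattern=Pattern.MONTH_END_WORKDAYS, mean_bytes=5e9, tolerance=0.3)]

def run_samples() -> tuple:
    """Verdicts for the three constructed flows, checked against a fresh baseline set."""
    baselines = make_baselines()
    return tuple(detect(f, WEEKLY, baselines)[0] for f in (MONTH_END, MID_MONTH, BURST))

if __name__ == "__main__":
    for flow, verdict in zip((MONTH_END, MID_MONTH, BURST), run_samples()):
        print(flow.time, verdict.value)  # normal, no baseline matched, abnormal
```

The mid-month flow shows the "no baseline matched" outcome: the network parameters match the backup baseline, but 10 January is outside the month-end repetition period, so the weekly alarm stands and goes to the administrator.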
The next step of the process is manual analysis of the anomaly by an administrator. This step need not run synchronously with real-time traffic: the administrator reviews abnormal events at a suitable time and, based on the conclusions of the preceding process, judges whether a given traffic anomaly is a real anomaly or normal traffic with a period longer than one week. For the latter, the administrator adds an extended period baseline from the characteristic data of the traffic, using the baseline addition function provided by the extended period baseline management module.
The above fully presents the extended period baseline data structure, the functions of the extended period baseline management module, and the extension of the traffic detection process provided by this embodiment, which together realize the creation and maintenance of traffic baselines of any period and an extended detection process that performs secondary detection of abnormal traffic using the extended period baseline.
The application scenario of this embodiment is as follows: after the system is deployed, an administrator can establish extended period baselines for network behaviors, so that outbound data transfers in the specified time period do not generate false alarms, while suspicious data transfers in other time periods still generate alarms.
The network traffic analysis system of this embodiment can record, track and detect network traffic behavior of any repetition period without being limited to one week. It treats large-period network behavior consistently with high-frequency network behavior and can monitor it effectively, and it does not let administrators overlook defects in the design and implementation of the intranet system. It thereby reduces the false alarms and missed alarms generated for large-period network behavior and improves the administrator's working efficiency and attention to real threats.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than here.
An embodiment of the invention provides a traffic data processing apparatus, which can be used to execute the traffic data processing method of the embodiment of the invention.
Fig. 4 is a schematic diagram of a traffic data processing apparatus according to an embodiment of the present invention. As shown in Fig. 4, the apparatus includes:
a detection unit 10, configured to detect the traffic of the target object again through the extended period baseline when the traffic of the target object is detected to be abnormal based on the weekly baseline, so as to obtain a re-detection result, where the traffic period corresponding to the extended period baseline is longer than one week;
a first judgment unit 20, configured to judge whether the re-detection result is abnormal;
and a first output unit 30, configured to output a first message when the re-detection result is abnormal, where the first message is used to prompt that the traffic of the target object is abnormal; if any one of the extended period baselines is successfully matched with the traffic of the target object, the re-detection result is not abnormal.
In this embodiment, when the traffic of the target object is detected to be abnormal based on the weekly baseline, the detection unit 10 performs a second detection of the traffic of the target object through the extended period baseline to obtain a re-detection result, where the traffic period corresponding to the extended period baseline is longer than one week; the first judgment unit 20 judges whether the re-detection result is abnormal; and the first output unit 30 outputs a first message when the re-detection result is abnormal, where the first message is used to prompt that the traffic of the target object is abnormal, and if any one of the extended period baselines is successfully matched with the traffic of the target object, the re-detection result is not abnormal. This solves the problem of misjudgment caused by an unreasonably determined traffic period and improves the accuracy of abnormal traffic judgment.
Optionally, the apparatus further comprises an updating unit, configured to update the extended period baseline based on the traffic of the target object when the re-detection result is not abnormal.
Optionally, the apparatus further comprises: a second judgment unit, configured to judge whether the extended period baseline exists before the traffic of the target object is detected again through the extended period baseline to obtain the re-detection result; and a second output unit, configured to output a second message if the extended period baseline does not exist, where the second message is used to prompt that the extended period baseline does not exist.
The traffic data processing apparatus comprises a processor and a memory. The detection unit, the first judgment unit and the other units described above are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. One or more kernels may be provided, and the accuracy of abnormal traffic judgment is improved by adjusting the kernel parameters.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
An embodiment of the present invention provides a storage medium on which a program is stored, and the program implements the traffic data processing method when executed by a processor.
An embodiment of the present invention provides a processor for running a program, wherein the traffic data processing method is executed when the program runs.
An embodiment of the present invention provides a device comprising at least one processor, and at least one memory and a bus connected with the processor; the processor and the memory communicate with each other through the bus; and the processor is used to call the program instructions in the memory so as to execute the traffic data processing method. The device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device: when the traffic of the target object is detected to be abnormal based on the weekly baseline, detecting the traffic of the target object again through the extended period baseline to obtain a re-detection result, wherein the traffic period corresponding to the extended period baseline is longer than one week; judging whether the re-detection result is abnormal or not; and if the re-detection result is abnormal, outputting a first message, wherein the first message is used to prompt that the traffic of the target object is abnormal, and if any one of the extended period baselines is successfully matched with the traffic of the target object, the re-detection result is not abnormal.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement the information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art to which the present application pertains. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (8)

1. A method for processing traffic data, comprising:
when the traffic of a target object is detected to be abnormal based on a weekly baseline, detecting the traffic of the target object again through an extended period baseline to obtain a re-detection result, wherein the traffic period corresponding to the extended period baseline is longer than one week;
judging whether the re-detection result is abnormal or not;
if the re-detection result is abnormal, outputting a first message, wherein the first message is used to prompt that the traffic of the target object is abnormal, and if any one of the extended period baselines is successfully matched with the traffic of the target object, the re-detection result is not abnormal;
and if the re-detection result is not abnormal, updating the extended period baseline based on the traffic of the target object.
2. The method of claim 1, wherein before detecting the traffic of the target object again through the extended period baseline to obtain the re-detection result, the method further comprises:
judging whether the extended period baseline exists or not;
and if not, outputting a second message, wherein the second message is used to prompt that the extended period baseline does not exist.
3. The method of claim 2, wherein after outputting the second message, the method further comprises:
sending prompt information, wherein the prompt information is used to prompt whether to add an extended period baseline;
and upon receiving an add instruction, adding the extended period baseline based on the add instruction.
4. The method of claim 3, further comprising:
after receiving a do-not-add instruction, judging the currently detected traffic of the target object to be abnormal traffic;
and sending a traffic abnormality prompt.
5. A traffic data processing apparatus, comprising:
a detection unit, configured to detect the traffic of a target object again through an extended period baseline when the traffic of the target object is detected to be abnormal based on a weekly baseline, so as to obtain a re-detection result, wherein the traffic period corresponding to the extended period baseline is longer than one week;
a first judgment unit, configured to judge whether the re-detection result is abnormal or not;
a first output unit, configured to output a first message when the re-detection result is abnormal, wherein the first message is used to prompt that the traffic of the target object is abnormal, and if any one of the extended period baselines is successfully matched with the traffic of the target object, the re-detection result is not abnormal;
wherein the apparatus further comprises:
an updating unit, configured to update the extended period baseline based on the traffic of the target object when the re-detection result is not abnormal.
6. The apparatus of claim 5, further comprising:
a second judgment unit, configured to judge whether the extended period baseline exists or not before the traffic of the target object is detected again through the extended period baseline to obtain the re-detection result;
and a second output unit, configured to output a second message if the extended period baseline does not exist, wherein the second message is used to prompt that the extended period baseline does not exist.
7. A storage medium, characterized in that the storage medium comprises a stored program, wherein when the program runs, the device on which the storage medium is located is controlled to execute the traffic data processing method according to any one of claims 1 to 4.
8. A device, characterized in that the device comprises at least one processor, and at least one memory and a bus connected with the processor, wherein the processor and the memory communicate with each other through the bus, and the processor is used to call program instructions in the memory to execute the traffic data processing method according to any one of claims 1 to 4.
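The two-stage check that the apparatus description above (detection unit, first judgment unit, first output unit, updating unit) and claims 1 to 4 describe, as an added Python example that is not part of the patent. It assumes things the patent leaves open: a baseline is a table of expected volume per time slot of a repeating period, "matching" means the observed volume is within a fractional tolerance of that slot's expectation, the matched extended baseline is updated with an exponential moving average, and the add/do-not-add decision of claims 3 and 4 is supplied by a callback.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

NORMAL = "normal"                          # weekly baseline matched
NORMAL_AFTER_RECHECK = "normal_after_recheck"  # an extended baseline matched
ABNORMAL = "abnormal"                      # first message emitted


@dataclass
class Baseline:
    """Expected traffic volume per slot, where slot = day % period_days.
    Matching rule and update rule are assumptions, not from the patent."""
    period_days: int
    expected: dict[int, float]
    tolerance: float = 0.2  # fraction of the expected volume

    def matches(self, day: int, value: float) -> bool:
        exp = self.expected.get(day % self.period_days)
        # A slot with no expectation never matches (assumption).
        return exp is not None and abs(value - exp) <= self.tolerance * exp

    def update(self, day: int, value: float, alpha: float = 0.2) -> None:
        slot = day % self.period_days
        old = self.expected.get(slot)
        self.expected[slot] = value if old is None else (1 - alpha) * old + alpha * value


@dataclass
class TrafficDetector:
    weekly: Baseline
    extended: list[Baseline] = field(default_factory=list)
    # Asked when no extended baseline exists (claims 2 and 3); returning None
    # stands for the "do not add" instruction of claim 4 (assumed interface).
    ask_to_add: Optional[Callable[[], Optional[Baseline]]] = None
    messages: list[str] = field(default_factory=list)

    def add_extended(self, baseline: Baseline) -> None:
        if baseline.period_days <= 7:  # claim 1: period longer than one week
            raise ValueError("extended period baseline must exceed one week")
        self.extended.append(baseline)

    def check(self, day: int, value: float) -> str:
        if self.weekly.matches(day, value):
            return NORMAL
        if not self.extended:
            self.messages.append("second message: no extended period baseline")
            added = self.ask_to_add() if self.ask_to_add else None
            if added is None:
                self.messages.append("traffic abnormality prompt: no baseline added")
                return ABNORMAL
            self.add_extended(added)
        for baseline in self.extended:  # re-detection: any match clears the alert
            if baseline.matches(day, value):
                baseline.update(day, value)  # claim 1, last step
                return NORMAL_AFTER_RECHECK
        self.messages.append("first message: traffic of target object abnormal")
        return ABNORMAL
```

With a constructed weekly baseline of 100 per day and a 30-day baseline expecting 300 on day 0 of its period, a month-end spike to 290 on day 30 fails the weekly check but is cleared by the extended baseline, while 400 on day 31 is reported abnormal.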
CN201911400067.3A 2019-12-30 2019-12-30 Flow data processing method and device Active CN111131290B (en)
Publications (2)

Publication Number Publication Date
CN111131290A CN111131290A (en) 2020-05-08
CN111131290B true CN111131290B (en) 2022-06-10

Family

ID=70505639
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant