CN114389881A - Network abnormal flow detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114389881A
Application number: CN202210040094.XA
Authority: CN (China)
Prior art keywords: characteristic data, flow, network, traffic, abnormal
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 杨梁池
Current assignee: Beijing Kingsoft Cloud Network Technology Co Ltd
Original assignee: Beijing Kingsoft Cloud Network Technology Co Ltd
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd; priority to CN202210040094.XA; published as CN114389881A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/21: Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214: Generating training patterns; Bootstrap methods, e.g. bagging or boosting

Abstract

Embodiments of the invention relate to a network abnormal traffic detection method and apparatus, an electronic device and a storage medium. The method comprises: extracting traffic characteristic data from network traffic acquired by traffic acquisition equipment, the traffic acquisition equipment being used to acquire traffic of a network to be detected; comparing the traffic characteristic data with each of a plurality of normal traffic characteristic data ranges; and, when the comparison shows that the traffic characteristic data is not within any normal traffic characteristic data range, determining that the network traffic is abnormal network traffic and inputting the traffic characteristic data into a trained recognition model to obtain the abnormal category of the network traffic. The accuracy of the network abnormal traffic detection result can thereby be improved.

Description

Network abnormal flow detection method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the field of computers, in particular to a method and a device for detecting network abnormal flow, electronic equipment and a storage medium.
Background
The sources of network abnormal traffic include computer viruses, hacker intrusion, network worms, denial of network services, use of illegal software, network equipment failures, illegal occupation of network bandwidth and the like, and the detection of network abnormal traffic is an important branch of the current intrusion detection system research.
In the prior art, a network manager sets a baseline threshold as a criterion for determining abnormal network traffic according to experience and observation and analysis of historical network data, for example, when it is detected that the bit rate of the network traffic is higher than a corresponding threshold, it is determined that abnormal traffic occurs.
However, on the one hand, because the baseline threshold is set manually it is highly subjective, and the accuracy of a network abnormal traffic detection result based on such a threshold leaves room for improvement; on the other hand, for network traffic with complex behaviour, detecting abnormal traffic with only a single baseline threshold easily causes normal network traffic to be identified as abnormal network traffic.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for detecting network abnormal traffic, an electronic device, and a storage medium.
In a first aspect, an embodiment of the present invention provides a method for detecting network abnormal traffic, including:
extracting traffic characteristic data from network traffic acquired by traffic acquisition equipment, the traffic acquisition equipment being used to acquire traffic of a network to be detected;
comparing the traffic characteristic data with each of a plurality of normal traffic characteristic data ranges, the plurality of normal traffic characteristic data ranges being obtained by statistically analysing, with an unsupervised learning algorithm, the traffic characteristic data acquired in a set historical time period;
and, when the comparison shows that the traffic characteristic data is not within any normal traffic characteristic data range, determining that the network traffic is abnormal network traffic and inputting the traffic characteristic data into a trained recognition model to obtain the abnormal category of the network traffic.
In one possible embodiment, comparing the traffic characteristic data with each of a plurality of normal traffic characteristic data ranges comprises:
determining the time slice to which the network traffic belongs according to the acquisition time of the network traffic;
and comparing the traffic characteristic data with each of the plurality of normal traffic characteristic data ranges corresponding to that time slice.
In one possible embodiment, where the traffic characteristic data comprises a plurality of characteristic dimensions, comparing the traffic characteristic data with each of a plurality of normal traffic characteristic data ranges comprises:
for each characteristic dimension of the traffic characteristic data, comparing the traffic characteristic data in that dimension with each of the plurality of normal traffic characteristic data ranges in that dimension;
and determining that the network traffic is abnormal network traffic when the traffic characteristic data is not within any normal traffic characteristic data range comprises:
determining that the network traffic is abnormal network traffic when the traffic characteristic data in any characteristic dimension is not within any normal traffic characteristic data range in that dimension.
In one possible embodiment, the method further comprises:
acquiring a training sample set, wherein the training sample comprises traffic characteristic data and a corresponding label, and the label is used for representing whether network traffic corresponding to the traffic characteristic data is abnormal network traffic and representing an abnormal category to which the abnormal network traffic belongs;
and training an initial model by utilizing the training sample set according to a supervised learning mode to obtain the recognition model.
In one possible embodiment, the method further comprises:
and outputting an alarm message indicating the abnormal network traffic when the network traffic is determined to be abnormal network traffic.
In a second aspect, an embodiment of the present invention provides a network abnormal traffic detection apparatus, including:
a feature extraction module, configured to extract traffic characteristic data from network traffic acquired by traffic acquisition equipment, the traffic acquisition equipment being used to acquire traffic of a network to be detected;
an anomaly identification module, configured to compare the traffic characteristic data with each of a plurality of normal traffic characteristic data ranges, the plurality of normal traffic characteristic data ranges being obtained by statistically analysing, with an unsupervised learning algorithm, the traffic characteristic data acquired in a set historical time period, and to determine that the network traffic is abnormal network traffic when the traffic characteristic data is not within any normal traffic characteristic data range;
and a category identification module, configured to input the traffic characteristic data into a trained recognition model when the comparison shows that the traffic characteristic data is not within any normal traffic characteristic data range, so as to obtain the abnormal category to which the network traffic belongs.
In a third aspect, an embodiment of the present invention provides an electronic device, including a processor and a memory, where the processor is configured to execute a network abnormal traffic detection program stored in the memory to implement the network abnormal traffic detection method according to any embodiment of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the network abnormal traffic detection method according to any embodiment of the first aspect.
According to the technical solution provided by the embodiments of the invention, a plurality of normal traffic characteristic data ranges are obtained by statistically analysing, with an unsupervised learning algorithm, the traffic characteristic data collected in a set historical time period. On the one hand, because these ranges are derived from the historical data rather than set by hand, the subjectivity of a manually set baseline threshold is removed and the normal traffic characteristic data ranges are more accurate; on the other hand, because a plurality of ranges are obtained, the traffic characteristics of services with complex behaviour can be described more accurately than with a single baseline threshold. Further, the traffic characteristic data is compared with each of the plurality of normal traffic characteristic data ranges, and the network traffic is determined to be abnormal only when the data is within none of them, which improves the accuracy of the network abnormal traffic detection result. Moreover, when the network traffic is determined to be abnormal network traffic, the traffic characteristic data is input into the trained recognition model to obtain the abnormal category to which the network traffic belongs, so that network abnormal traffic is detected comprehensively; and because the abnormal category is identified only after the traffic has been identified as abnormal, rather than both results being produced at once by the same machine learning model, the abnormal traffic verdict can be output without waiting for the category result.
Drawings
Fig. 1 is a flowchart of an embodiment of a method for detecting abnormal network traffic according to an embodiment of the present invention;
fig. 2 is a flowchart of another method for detecting abnormal network traffic according to an embodiment of the present invention;
fig. 3 is a flowchart of another method for detecting abnormal traffic in a network according to an embodiment of the present invention;
fig. 4 is a block diagram of an embodiment of a network abnormal traffic detection apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following further explains the network abnormal traffic detection method provided by the present invention with specific embodiments in conjunction with the drawings, and the embodiments do not limit the embodiments of the present invention.
Referring to fig. 1, a flowchart of an embodiment of a method for detecting abnormal network traffic according to an embodiment of the present invention is shown. As shown in fig. 1, the method may include the steps of:
step 101, extracting traffic characteristic data from network traffic acquired by traffic acquisition equipment, wherein the traffic acquisition equipment is used for acquiring traffic for a network to be detected.
In some embodiments, a traffic collection device (or a traffic collection system) may be disposed at a mirror port of a switch in the network to be detected, so that the traffic collection device performs traffic collection on the network to be detected.
In the embodiment of the present invention, traffic characteristic data is extracted from the network traffic collected by the traffic collection device, where the traffic characteristic data may include one or more of the following characteristic dimensions: bit rate, packet rate, TCP traffic fraction, UDP traffic fraction, and so on. Therefore, in the embodiment of the invention the network traffic does not need to be analysed in depth, and the method and apparatus are suitable for real-time network abnormal traffic detection scenarios.
Step 102, comparing the traffic characteristic data with each of a plurality of normal traffic characteristic data ranges, the plurality of normal traffic characteristic data ranges being obtained by statistically analysing, with an unsupervised learning algorithm, the traffic characteristic data collected in a set historical time period.
Step 103, when the comparison shows that the traffic characteristic data is not within any normal traffic characteristic data range, determining that the network traffic is abnormal network traffic, and inputting the traffic characteristic data into the trained recognition model to obtain the abnormal category of the network traffic.
As can be seen from steps 102 and 103, in the embodiment of the invention a plurality of normal traffic characteristic data ranges are obtained by statistically analysing, with an unsupervised learning algorithm, the traffic characteristic data collected in the set historical time period. During detection, the traffic characteristic data is compared with each of these ranges: when it lies within none of them, the network traffic is determined to be abnormal network traffic, and when it lies within any one of them, the network traffic is determined to be normal network traffic.
For example, suppose the statistical analysis of the traffic characteristic data collected in the set historical time period with an unsupervised learning algorithm yields three normal traffic characteristic data ranges A, B and C. Then, when the comparison shows the traffic characteristic data to be within A, B or C, the network traffic is determined to be normal network traffic; when it is within none of A, B and C, the network traffic is determined to be abnormal.
This processing can accurately describe the traffic characteristics of services with complex behaviour. For a periodic service, for example, a higher traffic peak or a lower traffic peak appearing in a certain time period is a normal traffic characteristic; described in the above manner, the higher peak and the lower peak fall into two separate normal traffic characteristic clusters, so the traffic characteristics are described accurately, the accuracy of network abnormal traffic identification is improved, and normal network traffic is not mistakenly identified as abnormal network traffic.
Further, as noted above, the traffic characteristic data may comprise a plurality of characteristic dimensions, and correspondingly the normal traffic characteristic data ranges may also cover a plurality of characteristic dimensions. In that case, for each characteristic dimension of the traffic characteristic data, the data in that dimension is compared with each of the plurality of normal traffic characteristic data ranges in that dimension; when the data in any one characteristic dimension is within none of the normal ranges for that dimension, the network traffic is determined to be abnormal network traffic, and when the data in every characteristic dimension is within some normal range for that dimension, the network traffic is determined to be normal network traffic.
For example, suppose the traffic characteristic data comprises the two characteristic dimensions bit rate and packet rate, and suppose the statistical analysis of the historical traffic characteristic data with an unsupervised learning algorithm yields two normal traffic characteristic data ranges A and B in the bit-rate dimension and two normal ranges C and D in the packet-rate dimension. If the comparison shows the bit-rate value to be within A or B but the packet-rate value to be within neither C nor D, the network traffic is determined to be abnormal network traffic.
This processing allows network abnormal traffic detection to be carried out across a plurality of characteristic dimensions, improving the accuracy of the network abnormal traffic detection result.
In the embodiment of the present invention, when the comparison shows that the traffic characteristic data is not within any normal traffic characteristic data range, that is, when the network traffic is determined to be abnormal network traffic, the traffic characteristic data is further input into the trained recognition model to obtain the abnormal category to which the network traffic belongs, where the abnormal categories include, but are not limited to: various network attacks, network worms, computer viruses, hacker intrusions, denial of network services, use of illegal software, network device failures, illegal occupation of network bandwidth, and so on.
Therefore, in the embodiment of the invention, not only is abnormal network traffic identified, but also the abnormal category to which it belongs, so that abnormal network traffic is detected comprehensively. Moreover, because identifying abnormal network traffic and identifying its abnormal category are carried out in separate stages (the category is identified only once the traffic has been identified as abnormal), the identification result for abnormal network traffic can be output immediately without waiting for the category result, unlike the prior-art approach in which a single machine learning model produces the anomaly result and the category result together; this improves the timeliness of abnormal network traffic identification.
Further, in some embodiments, upon determining that the network traffic is abnormal network traffic, an alarm message indicating the occurrence of the abnormal network traffic is output. Optionally, the alarm message may be implemented by an event push manner.
In some embodiments, when the network traffic is determined to be abnormal network traffic, the abnormal network traffic may be separated, so as to perform further operations such as message analysis on the abnormal network traffic.
Referring to fig. 2, a flowchart of another method for detecting abnormal network traffic according to an embodiment of the present invention is provided, where the method shown in fig. 2 may include the following steps based on the method shown in fig. 1:
step 201, extracting traffic characteristic data from the network traffic collected by the traffic collection device.
For detailed description of this step, reference may be made to the related description in the flow shown in fig. 1, which is not described herein again.
Step 202, determining a time slice to which the network traffic belongs according to the acquisition time of the network traffic.
For example, assume the set time period is divided into the following six time slices: 0h-4h, 4h-8h, 8h-12h, 12h-16h, 16h-20h and 20h-24h, and assume that the acquisition time of the network traffic is 9 am; then the time slice to which the network traffic belongs is determined to be the 8h-12h slice.
Step 203, comparing the traffic characteristic data with each of the plurality of normal traffic characteristic data ranges corresponding to the time slice to which the network traffic belongs.
Step 204, when the comparison shows that the traffic characteristic data is not within any normal traffic characteristic data range, determining that the network traffic is abnormal network traffic, and inputting the traffic characteristic data into the trained recognition model to obtain the abnormal category of the network traffic.
As can be seen from steps 201 to 204, in the embodiment of the invention the network traffic characteristics are distinguished at the granularity of time slices, so that the traffic characteristics of each stage of a network service (for example a high-traffic period, a stable period and a low-traffic period) can be described accurately, and whether network abnormal traffic is present can be determined more precisely.
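The range-based detection of steps 101-103 and 201-204, as an added example that is not part of the patent: per time slice and per characteristic dimension, normal ranges are learned from constructed historical samples with a plain 1-D k-means (the patent names no specific unsupervised algorithm; k-means, the 4-hour slices and the handling of a slice with no baseline are assumptions), and traffic is flagged when any dimension falls outside all of that dimension's ranges for its slice.

```python
from collections import defaultdict
from statistics import mean

# Characteristic dimensions named on the page (step 101); sample values below are constructed.
DIMENSIONS = ("bit_rate", "packet_rate", "tcp_fraction", "udp_fraction")
SLICE_HOURS = 4  # six 4-hour slices per day, as in the page's step 202 example


def time_slice(hour):
    """Map an acquisition hour (0-23) to its slice index: 9 am -> slice 2 (8h-12h)."""
    return (hour % 24) // SLICE_HOURS


def cluster_1d(values, k, rounds=50):
    """Plain 1-D k-means, standing in for the unnamed unsupervised algorithm.
    Returns one (low, high) normal range per non-empty cluster, sorted by low.
    Note the ranges are cluster min/max, so a value in the gap between two
    clusters is outside both: a deliberate consequence, not an error."""
    vals = sorted(values)
    # seed centres at evenly spaced order statistics so the result is deterministic
    centres = [vals[(i * (len(vals) - 1)) // max(k - 1, 1)] for i in range(k)]
    for _ in range(rounds):
        groups = [[] for _ in centres]
        for v in vals:
            nearest = min(range(len(centres)), key=lambda i: abs(v - centres[i]))
            groups[nearest].append(v)
        updated = [mean(g) if g else c for g, c in zip(groups, centres)]
        if updated == centres:
            break
        centres = updated
    return sorted((min(g), max(g)) for g in groups if g)


def learn_baseline(history, k=2):
    """history: iterable of (hour, {dimension: value}) from the set historical period.
    Returns baseline[slice][dimension] -> list of (low, high) normal ranges."""
    per_slice = defaultdict(lambda: defaultdict(list))
    for hour, features in history:
        for dim in DIMENSIONS:
            per_slice[time_slice(hour)][dim].append(features[dim])
    return {s: {dim: cluster_1d(vals, k) for dim, vals in dims.items()}
            for s, dims in per_slice.items()}


def in_any_range(value, ranges):
    return any(low <= value <= high for low, high in ranges)


def is_abnormal(baseline, hour, features):
    """Steps 202-204 plus the per-dimension rule: look up the slice for the
    acquisition hour, then flag the traffic if ANY dimension lies outside ALL of
    that dimension's normal ranges. Returns (verdict, offending dimension or None)."""
    s = time_slice(hour)
    if s not in baseline:
        # assumption: a slice with no learned baseline is flagged so that it is
        # reviewed rather than silently passed as normal
        return True, "no baseline for slice %d" % s
    for dim in DIMENSIONS:
        if not in_any_range(features[dim], baseline[s][dim]):
            return True, dim
    return False, None


def constructed_history():
    """Constructed sample for the 8h-12h slice: a periodic service alternating
    between a low plateau (~100 Mbit/s) and a high plateau (~400 Mbit/s).
    Both plateaus are normal, which a single threshold could not express."""
    history = []
    for day in range(4):
        for hour in (8, 9, 10, 11):
            low = (day + hour) % 2 == 0
            history.append((hour, {
                "bit_rate": (100 if low else 400) + day,
                "packet_rate": (20_000 if low else 80_000) + 500 * day,
                "tcp_fraction": 0.80 + 0.01 * day,
                "udp_fraction": 0.20 - 0.01 * day,
            }))
    return history


if __name__ == "__main__":
    baseline = learn_baseline(constructed_history())
    print(baseline[2]["bit_rate"])  # two ranges: the low and the high plateau
    sample = {"bit_rate": 102, "packet_rate": 50_000,
              "tcp_fraction": 0.80, "udp_fraction": 0.20}
    print(is_abnormal(baseline, 9, sample))  # bit rate is in range, packet rate is not
```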
Referring to fig. 3, a flowchart of another embodiment of a method for detecting abnormal traffic in a network according to an embodiment of the present invention is provided, where the method shown in fig. 3 describes how to train to obtain a recognition model based on the methods shown in fig. 1 and fig. 2, and may include the following steps:
Step 301, acquiring a training sample set, where each training sample comprises traffic characteristic data and a corresponding label, and the label characterises whether the network traffic corresponding to the traffic characteristic data is abnormal network traffic and, if so, the abnormal category to which it belongs.
The training sample set comprises traffic characteristic data of normal network traffic and traffic characteristic data of abnormal network traffic. Further, the traffic characteristic data of the abnormal network traffic includes traffic characteristic data of various abnormal classes of abnormal network traffic.
Step 302, training an initial model with the training sample set in a supervised learning manner to obtain the recognition model.
In some embodiments, the concept of ensemble learning may be used to select a random forest algorithm (a supervised learning algorithm), train an initial classifier, and then integrate a plurality of trained classifiers to obtain a recognition model.
It should be noted that, in practice, other supervised learning algorithms besides the random forest algorithm, for example, a K-nearest neighbor algorithm, may also be used, and the embodiment of the present invention is not limited thereto.
Through the process shown in fig. 3, an identification model for identifying an anomaly class to which the abnormal network traffic belongs can be trained.
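The category identification stage of steps 301-302 as an added example, not the patent's code: a K-nearest-neighbour classifier (named on the page as an alternative to random forest) is trained on constructed labelled samples, with min-max scaling as an added assumption, and is consulted only for traffic that stage one has already flagged as abnormal.

```python
from collections import Counter
import math

DIMENSIONS = ("bit_rate", "packet_rate", "tcp_fraction", "udp_fraction")


def constructed_training_set():
    """Constructed labelled samples: normal traffic plus two abnormal categories
    from the page's list. Feature values are illustrative, not measurements."""
    rows = []
    for i in range(5):
        rows.append(({"bit_rate": 100 + i, "packet_rate": 20_000 + 100 * i,
                      "tcp_fraction": 0.80, "udp_fraction": 0.20}, "normal"))
        # flood-style denial of service: UDP-heavy with a very high packet rate
        rows.append(({"bit_rate": 900 + i, "packet_rate": 900_000 + 1_000 * i,
                      "tcp_fraction": 0.05, "udp_fraction": 0.95},
                     "denial of network services"))
        # worm propagation: modest bit rate but many small TCP packets
        rows.append(({"bit_rate": 30 + i, "packet_rate": 60_000 + 100 * i,
                      "tcp_fraction": 0.98, "udp_fraction": 0.02}, "network worm"))
    return rows


def train(rows, k=3):
    """Step 302 with K-nearest neighbours. Min-max scaling is an added
    assumption: without it the packet rate would dominate every distance."""
    lo = {d: min(f[d] for f, _ in rows) for d in DIMENSIONS}
    hi = {d: max(f[d] for f, _ in rows) for d in DIMENSIONS}

    def scale(f):
        return [(f[d] - lo[d]) / ((hi[d] - lo[d]) or 1.0) for d in DIMENSIONS]

    return {"k": k, "scale": scale,
            "points": [(scale(f), label) for f, label in rows]}


def predict(model, features):
    """Majority vote among the k nearest scaled training samples."""
    x = model["scale"](features)
    nearest = sorted((math.dist(x, p), label) for p, label in model["points"])
    votes = Counter(label for _, label in nearest[: model["k"]])
    return votes.most_common(1)[0][0]


def identify_category(model, abnormal, features):
    """Stage two of the pipeline: consulted only after stage one said 'abnormal',
    so the abnormal verdict never waits on this call. The training set also
    holds normal samples, so the model can answer 'normal' for flagged traffic;
    that disagreement is surfaced as 'unknown' rather than silently dropped."""
    if not abnormal:
        return None
    category = predict(model, features)
    return "unknown" if category == "normal" else category


if __name__ == "__main__":
    model = train(constructed_training_set())
    flagged = {"bit_rate": 905, "packet_rate": 950_000,
               "tcp_fraction": 0.10, "udp_fraction": 0.90}
    print(identify_category(model, True, flagged))
```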
Corresponding to the embodiment of the foregoing network abnormal traffic detection method, the present invention also provides an embodiment of a network abnormal traffic detection apparatus.
Referring to fig. 4, a block diagram of an embodiment of a network abnormal traffic detection apparatus according to an embodiment of the present invention is provided. As shown in fig. 4, the apparatus includes: a feature extraction module 41, an anomaly identification module 42, and a category identification module 43.
The feature extraction module 41 is configured to extract traffic feature data from network traffic acquired by traffic acquisition equipment, where the traffic acquisition equipment is configured to perform traffic acquisition on a network to be detected;
the anomaly identification module 42 is configured to compare the traffic characteristic data with each of a plurality of normal traffic characteristic data ranges, the plurality of normal traffic characteristic data ranges being obtained by statistically analysing, with an unsupervised learning algorithm, the traffic characteristic data acquired in a set historical time period, and to determine that the network traffic is abnormal network traffic when the traffic characteristic data is not within any normal traffic characteristic data range;
and the category identification module 43 is configured to input the traffic characteristic data into a trained recognition model when the comparison shows that the traffic characteristic data is not within any normal traffic characteristic data range, so as to obtain the abnormal category to which the network traffic belongs.
In a possible embodiment, the anomaly identification module 42 comprises (not shown in the figures):
a time determining unit, configured to determine the time slice to which the network traffic belongs according to the acquisition time of the network traffic;
and a comparison unit, configured to compare the traffic characteristic data with each of the plurality of normal traffic characteristic data ranges corresponding to that time slice.
In a possible implementation, the anomaly identification module 42 is specifically configured to:
where the traffic characteristic data comprises a plurality of characteristic dimensions, compare, for each characteristic dimension of the traffic characteristic data, the data in that dimension with each of the plurality of normal traffic characteristic data ranges in that dimension;
and determine that the network traffic is abnormal network traffic when the traffic characteristic data in any characteristic dimension is not within any normal traffic characteristic data range in that dimension.
In a possible embodiment, the device further comprises (not shown in the figures):
a sample acquisition module, configured to acquire a training sample set, where each training sample comprises traffic characteristic data and a corresponding label, and the label characterises whether the network traffic corresponding to the traffic characteristic data is abnormal network traffic and the abnormal category to which the abnormal network traffic belongs;
and a model training module, configured to train an initial model with the training sample set in a supervised learning manner to obtain the recognition model.
In a possible embodiment, the device further comprises (not shown in the figures):
and the alarm module is used for outputting an alarm message for indicating the abnormal network flow when the network flow is determined to be the abnormal network flow.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, where the electronic device 500 shown in fig. 5 includes: at least one processor 501, memory 502, at least one network interface 504, and other user interfaces 503. The various components in the electronic device 500 are coupled together by a bus system 505. It is understood that the bus system 505 is used to enable connection communications between these components. The bus system 505 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 505 in FIG. 5.
The user interface 503 may include, among other things, a display, a keyboard, or a pointing device (e.g., a mouse, trackball, touch pad, or touch screen, among others).
It is to be understood that the memory 502 in embodiments of the present invention may be either volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (Erasable PROM, EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), or a flash memory. The volatile memory may be a Random Access Memory (RAM) which functions as an external cache. By way of example, but not limitation, many forms of RAM are available, such as Static Random Access Memory (Static RAM, SRAM), Dynamic Random Access Memory (Dynamic RAM, DRAM), Synchronous Dynamic Random Access Memory (Synchronous DRAM, SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), Enhanced Synchronous Dynamic Random Access Memory (Enhanced SDRAM, ESDRAM), Synchlink Dynamic Random Access Memory (Synchlink DRAM, SLDRAM), and Direct Memory Bus Random Access Memory (DRRAM). The memory 502 described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
In some embodiments, memory 502 stores elements, executable units or data structures, or a subset thereof, or an expanded set thereof as follows: an operating system 5021 and application programs 5022.
The operating system 5021 includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, and is used for implementing various basic services and processing hardware-based tasks. The application 5022 includes various applications, such as a media player (MediaPlayer), a Browser (Browser), and the like, for implementing various application services. The program for implementing the method according to the embodiment of the present invention may be included in the application program 5022.
In the embodiment of the present invention, by calling a program or an instruction stored in the memory 502, specifically, a program or an instruction stored in the application 5022, the processor 501 is configured to execute the method steps provided by the method embodiments, for example, including:
extracting flow characteristic data from network flow acquired by flow acquisition equipment, wherein the flow acquisition equipment is used for acquiring the flow of a network to be detected;
comparing the flow characteristic data with a plurality of normal flow characteristic data ranges respectively, wherein the plurality of normal flow characteristic data ranges are obtained by performing statistical analysis on the flow characteristic data acquired in a set historical time period by adopting an unsupervised learning algorithm;
and when the flow characteristic data is not in any normal flow characteristic data range through comparison, determining that the network flow is abnormal network flow, and inputting the flow characteristic data into a trained recognition model to obtain the abnormal category of the network flow.
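The three steps just listed, together with the time-slice, multi-dimension and training modules described above, as an added worked example in Python. This is illustrative code written for this page, not code from the patent or from Beijing Kingsoft Cloud, and everything concrete in it is an assumption: three feature dimensions (packets/s, bytes/s, SYN ratio), four 6-hour time slices, 1-D k-means as the unsupervised algorithm with each cluster widened into a 3-sigma range, a nearest-centroid model standing in for the trained recognition model, the category names, and the constructed one-week history and labelled samples.

```python
"""Added example (not from the patent): label-free baseline ranges per time slice and
feature dimension, then a supervised category model for traffic outside every range."""
from collections import defaultdict
from statistics import mean, pstdev

DIMS = ("pps", "bps", "syn_ratio")  # assumed feature dimensions of one traffic record

def time_slice(hour):
    """Map the collection hour to one of four 6-hour time slices (assumed granularity)."""
    return (hour % 24) // 6

def kmeans_1d(values, k=2, iters=20):
    """Plain 1-D k-means: the unsupervised step that groups historical values."""
    lo, hi = min(values), max(values)
    centroids = [lo + (hi - lo) * i / max(k - 1, 1) for i in range(k)]
    for _ in range(iters + 1):
        clusters = [[] for _ in centroids]
        for v in values:
            clusters[min(range(k), key=lambda i: abs(v - centroids[i]))].append(v)
        updated = [mean(c) if c else centroids[i] for i, c in enumerate(clusters)]
        if updated == centroids:
            break
        centroids = updated
    return [c for c in clusters if c]

def build_normal_ranges(history, k=2, width=3.0):
    """history: (hour, features) records from the set historical period.
    Each cluster becomes one normal range [mean - width*std, mean + width*std];
    a 5% floor keeps a very tight cluster from collapsing to a single point."""
    per_slice = defaultdict(lambda: defaultdict(list))
    for hour, feats in history:
        for d in DIMS:
            per_slice[time_slice(hour)][d].append(feats[d])
    ranges = {}
    for s, by_dim in per_slice.items():
        ranges[s] = {}
        for d, vals in by_dim.items():
            spans = []
            for cluster in kmeans_1d(vals, k):
                m, sd = mean(cluster), pstdev(cluster)
                pad = max(width * sd, 0.05 * abs(m), 1e-6)
                spans.append((m - pad, m + pad))
            ranges[s][d] = spans
    return ranges

def detect(features, hour, ranges):
    """Per-dimension comparison against the slice's ranges: the first dimension
    that lies outside all of its ranges marks the traffic as anomalous."""
    slice_ranges = ranges.get(time_slice(hour))
    if slice_ranges is None:
        return True, "no-baseline"  # assumption: a slice with no baseline is flagged
    for d in DIMS:
        if not any(lo <= features[d] <= hi for lo, hi in slice_ranges[d]):
            return True, d
    return False, None

def train_classifier(samples):
    """Supervised step: nearest-centroid model over labelled (features, label)
    samples, scaled per dimension so bytes/s does not swamp the ratio."""
    scale = {d: max(pstdev([f[d] for f, _ in samples]), 1e-6) for d in DIMS}
    groups = defaultdict(list)
    for f, label in samples:
        groups[label].append(f)
    centroids = {lbl: {d: mean(f[d] for f in fs) for d in DIMS} for lbl, fs in groups.items()}
    return {"scale": scale, "centroids": centroids}

def classify(features, model):
    def dist(c):  # squared distance in per-dimension scaled feature space
        return sum(((features[d] - c[d]) / model["scale"][d]) ** 2 for d in DIMS)
    return min(model["centroids"], key=lambda lbl: dist(model["centroids"][lbl]))

def inspect(features, hour, ranges, model):
    """Full pipeline: an alarm string for anomalous traffic, None otherwise."""
    anomalous, dim = detect(features, hour, ranges)
    if not anomalous:
        return None
    return f"ALERT slice={time_slice(hour)} out_of_range={dim} category={classify(features, model)}"

# Constructed one-week history: busy 08:00-18:00, quiet otherwise, small jitter.
HISTORY = [
    (h, {"pps": p, "bps": p * 800, "syn_ratio": 0.10 + 0.01 * (h % 3)})
    for h in range(24 * 7)
    for p in [(1000 if 8 <= h % 24 < 18 else 200) + 10 * (h % 5)]
]
# Constructed labelled samples; the category names are assumptions.
LABELLED = [
    ({"pps": 220, "bps": 176_000, "syn_ratio": 0.11}, "normal"),
    ({"pps": 1010, "bps": 808_000, "syn_ratio": 0.10}, "normal"),
    ({"pps": 9000, "bps": 540_000, "syn_ratio": 0.95}, "syn_flood"),
    ({"pps": 8500, "bps": 510_000, "syn_ratio": 0.97}, "syn_flood"),
    ({"pps": 900, "bps": 9_000_000, "syn_ratio": 0.05}, "volumetric"),
    ({"pps": 950, "bps": 9_500_000, "syn_ratio": 0.04}, "volumetric"),
]
RANGES = build_normal_ranges(HISTORY)
MODEL = train_classifier(LABELLED)

if __name__ == "__main__":
    busy = {"pps": 1020, "bps": 816_000, "syn_ratio": 0.11}
    print(inspect(busy, 14, RANGES, MODEL), inspect(busy, 3, RANGES, MODEL))
    print(inspect({"pps": 8800, "bps": 530_000, "syn_ratio": 0.96}, 3, RANGES, MODEL))
```

Running the module as a script shows why the ranges are kept per time slice: the same 1020 packets/s record passes at 14:00 but is flagged at 03:00, where only the quiet-hours baseline applies. A record outside every range on some dimension is then handed to the classifier, and the alarm string carries the slice, the offending dimension and the predicted category, which is what an analyst needs to triage it.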
The method disclosed by the above-mentioned embodiments of the present invention may be applied to the processor 501, or implemented by the processor 501. The processor 501 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 501. The processor 501 may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by it. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software elements in the decoding processor. The software elements may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media that are well known in the art. The storage medium is located in the memory 502, and the processor 501 reads the information in the memory 502 and completes the steps of the method in combination with the hardware.
It is to be understood that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof. For a hardware implementation, the processing units may be implemented within one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, micro-controllers, microprocessors, other electronic units configured to perform the functions described herein, or a combination thereof.
For a software implementation, the techniques described herein may be implemented by means of units performing the functions described herein. The software codes may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
The electronic device provided in this embodiment may be the electronic device shown in fig. 5, and may execute all the steps of the network abnormal traffic detection method shown in fig. 1 to 3, so as to achieve the technical effect of that method; for brevity, refer to the description related to fig. 1 to 3, which is not repeated here.
The embodiment of the invention also provides a storage medium (computer readable storage medium). The storage medium stores one or more programs. The storage medium may include volatile memory, such as random access memory; it may also include non-volatile memory, such as read-only memory, flash memory, a hard disk, or a solid state disk; or it may comprise a combination of memories of the kinds described above.
When the one or more programs in the storage medium are executed by one or more processors, the network abnormal traffic detection method executed on the electronic device side is realized.
The processor is used for executing the network abnormal flow detection program stored in the memory so as to realize the following steps of the network abnormal flow detection method executed on the electronic equipment side:
extracting flow characteristic data from network flow acquired by flow acquisition equipment, wherein the flow acquisition equipment is used for acquiring the flow of a network to be detected;
comparing the flow characteristic data with a plurality of normal flow characteristic data ranges respectively, wherein the plurality of normal flow characteristic data ranges are obtained by performing statistical analysis on the flow characteristic data acquired in a set historical time period by adopting an unsupervised learning algorithm;
and when the flow characteristic data is not in any normal flow characteristic data range through comparison, determining that the network flow is abnormal network flow, and inputting the flow characteristic data into a trained recognition model to obtain the abnormal category of the network flow.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, a software module executed by a processor, or a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for detecting network abnormal flow is characterized by comprising the following steps:
extracting flow characteristic data from network flow acquired by flow acquisition equipment, wherein the flow acquisition equipment is used for acquiring the flow of a network to be detected;
comparing the flow characteristic data with a plurality of normal flow characteristic data ranges respectively, wherein the plurality of normal flow characteristic data ranges are obtained by performing statistical analysis on the flow characteristic data acquired in a set historical time period by adopting an unsupervised learning algorithm;
and when the flow characteristic data is not in any normal flow characteristic data range through comparison, determining that the network flow is abnormal network flow, and inputting the flow characteristic data into a trained recognition model to obtain the abnormal category of the network flow.
2. The method of claim 1, wherein comparing the flow characteristic data to a plurality of normal flow characteristic data ranges comprises:
determining a time slice to which the network traffic belongs according to the acquisition time of the network traffic;
and comparing the flow characteristic data with a plurality of normal flow characteristic data ranges corresponding to the time segments to which the network flow belongs respectively.
3. The method according to claim 1, wherein in a case that the flow characteristic data includes a plurality of characteristic dimensions, the comparing the flow characteristic data with a plurality of normal flow characteristic data ranges respectively comprises:
comparing the flow characteristic data under the characteristic dimension with a plurality of normal flow characteristic data ranges under the characteristic dimension respectively aiming at each characteristic dimension in the flow characteristic data;
when the flow characteristic data is not in any normal flow characteristic data range, the determining that the network flow is abnormal network flow includes:
and when the flow characteristic data with any characteristic dimension is not in any normal flow characteristic data range under the characteristic dimension, determining that the network flow is abnormal network flow.
4. The method of claim 1, further comprising:
acquiring a training sample set, wherein the training sample comprises traffic characteristic data and a corresponding label, and the label is used for representing whether network traffic corresponding to the traffic characteristic data is abnormal network traffic and representing an abnormal category to which the abnormal network traffic belongs;
and training an initial model by utilizing the training sample set according to a supervised learning mode to obtain the recognition model.
5. The method of claim 1, further comprising:
and outputting an alarm message for indicating the abnormal network flow when the network flow is determined to be the abnormal network flow.
6. A network abnormal traffic detection device, comprising:
the characteristic extraction module is used for extracting traffic characteristic data from network traffic acquired by traffic acquisition equipment, wherein the traffic acquisition equipment is used for acquiring traffic of a network to be detected;
the abnormal recognition module is used for respectively comparing the flow characteristic data with a plurality of normal flow characteristic data ranges, and the plurality of normal flow characteristic data ranges are obtained by carrying out statistical analysis on the flow characteristic data acquired in a set historical time period by adopting an unsupervised learning algorithm; when the flow characteristic data is not in any normal flow characteristic data range, determining that the network flow is abnormal;
and the category identification module is used for inputting the flow characteristic data into a trained identification model when the comparison finds that the flow characteristic data is not in any normal flow characteristic data range, so as to obtain the abnormal category to which the network flow belongs.
7. The apparatus of claim 6, wherein the anomaly identification module comprises:
the time determining unit is used for determining the time slice to which the network traffic belongs according to the acquisition time of the network traffic;
and the comparison unit is used for respectively comparing the flow characteristic data with the plurality of normal flow characteristic data ranges corresponding to the time slice to which the network traffic belongs.
8. The apparatus of claim 6, wherein the anomaly identification module is specifically configured to:
under the condition that the flow characteristic data comprises a plurality of characteristic dimensions, aiming at each characteristic dimension in the flow characteristic data, respectively comparing the flow characteristic data under the characteristic dimension with a plurality of normal flow characteristic data ranges under the characteristic dimension;
and when the flow characteristic data with any characteristic dimension is not in any normal flow characteristic data range under the characteristic dimension, determining that the network flow is abnormal network flow.
9. An electronic device, comprising a processor and a memory, wherein the processor is used for executing a network abnormal traffic detection program stored in the memory so as to realize the network abnormal traffic detection method of any one of claims 1-5.
10. A storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the method for detecting abnormal traffic in a network according to any one of claims 1 to 5.
CN202210040094.XA 2022-01-13 2022-01-13 Network abnormal flow detection method and device, electronic equipment and storage medium Pending CN114389881A (en)

Publications (1)

Publication Number Publication Date
CN114389881A true CN114389881A (en) 2022-04-22

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174254A (en) * 2022-07-22 2022-10-11 科来网络技术股份有限公司 Flow abnormity warning method and device, electronic equipment and storage medium
CN115242427A (en) * 2022-06-08 2022-10-25 浪潮通信信息系统有限公司 Network flow abnormity detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination