CN101729301B - Monitor method and monitor system of network anomaly traffic - Google Patents

Publication number
CN101729301B
Authority
CN
China
Legal status
Expired - Fee Related
Application number
CN2008101722599A
Other languages
Chinese (zh)
Other versions
CN101729301A (en)
Inventor
陈昊
谭晖
郭颖丽
周江伟
Current Assignee
China Mobile Group Hubei Co Ltd
Original Assignee
China Mobile Group Hubei Co Ltd

Abstract

The invention discloses a method and a system for monitoring anomalous network traffic. The method comprises the following steps: calculating the correlation coefficient between the IP traffic data of a short-term sampling point and that of the k sampling points before it; comparing the correlation coefficient of each sampling point with a preset first correlation coefficient threshold, and determining the sampling points whose coefficient is greater than the first correlation coefficient threshold to be samples of a first sample space; calculating a short-term predicted value of the IP traffic data from the first sample space; and monitoring new IP traffic data against the short-term predicted value. By monitoring IP traffic through both the short-term predicted value and a long-term predicted value, the method and system can track random abnormal variation of the IP traffic, follow changes in IP traffic over time, and catch slow abnormal variation of the IP traffic, thereby avoiding false alarms and missed alarms and accurately monitoring anomalous traffic data in a network.

Description

Network anomaly traffic monitoring method and monitoring system
Technical field
The present invention relates to network monitoring technology, and in particular to a network anomaly traffic monitoring method and monitoring system.
Background
As softswitch signaling traffic and voice services are increasingly carried over the IP bearer network, the relationship between softswitch and IP grows ever closer. Quality-of-service assurance in the IP bearer network is closely tied to softswitch services, and the introduction of IP networks has also brought many security problems. Monitoring the softswitch signaling traffic and voice traffic carried by the IP bearer network provides an effective means of monitoring the converged network.
The technique used by existing IP traffic analyzers has the following defect: the analyzer monitors abnormal traffic with a fixed threshold. Softswitch signaling traffic and voice traffic have complex nonlinear characteristics and randomness and are strongly affected by factors such as time, events and user behavior, so a fixed threshold is not suitable. Because softswitch signaling traffic or voice traffic is not a constant, monitoring abnormal traffic with a fixed threshold means that when the threshold range is defined too narrowly, false alarms occur frequently and create unnecessary work for maintenance staff; when the threshold range is defined too broadly, abnormal IP traffic cannot be caught quickly, which causes missed alarms and affects customer service.
Summary of the invention
The object of the invention is to address the false alarms and missed alarms that occur when prior-art IP traffic analyzers are used, by providing a network anomaly traffic monitoring method and monitoring system that accurately monitor abnormal traffic data in a network and avoid the problems of false alarms and missed alarms.
The network anomaly traffic monitoring method comprises: sampling the IP traffic data at equal time intervals; dividing each day's sampling points into a plurality of trend segments by time, where within each trend segment the IP traffic data of the sampling points as a whole shows a rising or falling trend; selecting, within the same trend segment, a short-term sampling point and the k sampling points before it; calculating the correlation coefficient between the IP traffic data of the short-term sampling point and that of each of the k sampling points before it; comparing the correlation coefficient of each sampling point with a preset first correlation coefficient threshold, and determining the sampling points whose coefficient is greater than the first correlation coefficient threshold to be samples of the first sample space of the short-term sampling point; calculating the short-term predicted value of the IP traffic data from the first sample space; and monitoring new IP traffic data against the short-term predicted value.
The network anomaly traffic monitoring system comprises: a monitoring control module, used to sample IP traffic data from the network and to generate short-term prediction requests; an IP traffic database, used to store the IP traffic data; a sample space selection module, used to sample the IP traffic data at equal time intervals, to divide each day's sampling points into a plurality of trend segments by time, where within each trend segment the IP traffic data of the sampling points as a whole shows a rising or falling trend, to select, within the same trend segment, a short-term sampling point and the k sampling points before it, to calculate the correlation coefficient between the IP traffic data of the short-term sampling point and that of each of the k sampling points before it, to compare the correlation coefficient of each sampling point with a preset first correlation coefficient threshold, and to determine the sampling points whose coefficient is greater than the first correlation coefficient threshold to be samples of the first sample space of the short-term sampling point; and a short-term prediction module, used to generate a short-term predicted value from the short-term prediction request and the first sample space and feed it back to the monitoring control module. The monitoring control module is also used to compare newly received IP traffic data with the short-term predicted value and judge whether the new IP traffic data is abnormal data.
The network anomaly traffic monitoring method and monitoring system of the invention monitor IP traffic through a short-term predicted value and a long-term predicted value. They can track random abnormal variation of the IP traffic, and they can also follow changes in IP traffic over time and capture slow abnormal variation of the IP traffic, thereby avoiding false alarms and missed alarms and accurately monitoring abnormal traffic data in the network.
Description of drawings
Fig. 1 is a structural diagram of the network anomaly traffic monitoring system of the first embodiment of the invention;
Fig. 2 is a structural diagram of the monitoring control module in the network anomaly traffic monitoring system of the first embodiment;
Fig. 3 is a structural diagram of the sample space selection module in the network anomaly traffic monitoring system of the first embodiment;
Fig. 4 is a flow chart of the network anomaly traffic monitoring method of the second embodiment of the invention;
Fig. 5 shows the daily variation curves of IP traffic at the same end office in the second embodiment;
Fig. 6 shows the correlation coefficient curves of the sampling points in each trend segment within one day in the second embodiment;
Fig. 7 shows the correlation coefficient curve of daily IP traffic in the second embodiment;
Fig. 8a shows the curves of measured IP traffic and short-term predicted values under normal conditions in the second embodiment;
Fig. 8b shows the curves of measured IP traffic and long-term predicted values under normal conditions in the second embodiment;
Fig. 9a shows the curves of measured IP traffic and short-term predicted values under abnormal conditions in the second embodiment;
Fig. 9b shows the curves of measured IP traffic and long-term predicted values under abnormal conditions in the second embodiment;
Fig. 10 is a structural diagram of the monitoring control module in the network anomaly traffic monitoring system of the third embodiment of the invention.
Embodiments
The invention is described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, the network anomaly traffic monitoring system of the first embodiment of the invention comprises:
Monitoring control module 11, used to monitor IP traffic from the network, generate IP traffic data, and generate short-term prediction requests and long-term prediction requests;
IP traffic database 12, which receives and stores the IP traffic data;
Sample space selection module 13, which reads the IP traffic data stored in IP traffic database 12, calculates the correlation coefficient between the IP traffic data of a short-term sampling point and that of the k sampling points before it, compares the correlation coefficient of each sampling point with a preset first correlation coefficient threshold, and determines the sampling points whose coefficient is greater than the first correlation coefficient threshold to be samples of the first sample space;
Short-term prediction module 14, which, in response to a short-term prediction request, reads the IP traffic data corresponding to the first sample space from the IP traffic database, generates the short-term predicted value, and feeds it back to monitoring control module 11;
Monitoring control module 11 monitors newly received IP traffic data against the short-term predicted value and judges whether the new IP traffic data is abnormal data.
Preferably, as shown in Fig. 1 and Fig. 2, the network anomaly traffic monitoring system of the first embodiment also comprises long-term prediction module 15. Monitoring control module 11 then also comprises a long-term prediction request generation submodule, used to generate long-term prediction requests. Sample space selection module 13 also comprises a second sample space selection submodule, used to determine the samples of the second sample space. Long-term prediction module 15, in response to a long-term prediction request, reads the IP traffic data corresponding to the second sample space from the IP traffic database, generates the long-term predicted value, and feeds it back to monitoring control module 11. Monitoring control module 11 compares newly received IP traffic data with the long-term predicted value and judges whether the new IP traffic data is abnormal data.
As shown in Fig. 2, monitoring control module 11 comprises:
Sampling submodule 112, which monitors IP traffic from the network and samples it at equal time intervals to generate the IP traffic data; in this embodiment the sampling interval is 5 minutes;
Short-term prediction request generation submodule 114, which generates short-term prediction requests; in the first embodiment, short-term prediction requests are generated every 5 minutes;
Long-term prediction request generation submodule 116, which generates long-term prediction requests; in the first embodiment, long-term prediction requests are generated every 24 hours;
Comparison submodule 118, which compares newly received IP traffic data with the short-term predicted value and the long-term predicted value and judges whether the new IP traffic data is abnormal data.
As shown in Fig. 3, sample space selection module 13 comprises:
Trend segment division submodule 132, used to divide each day's sampling points into trend segments by time and traffic variation; within each trend segment the IP traffic data of the sampling points as a whole shows a rising or falling trend;
Correlation coefficient calculation submodule 134, used to calculate, in the n-th trend segment, the correlation coefficient between the IP traffic data of each short-term sampling point and that of the sampling point lagging it by k points. The correlation coefficient between the i-th sampling point and the (i-k)-th sampling point in the n-th trend segment is
Figure GSB00000811021300051
where i = 1, 2, ..., m-k; k = 1, 2, ..., m-1; m is the number of sampling points in the n-th trend segment, and
Figure GSB00000811021300052
is the mean IP traffic data of the sampling points in the n-th trend segment;
First sample space selection submodule 136, which comprises a first comparator that compares the correlation coefficient r(i, i-k) of each sampling point in the trend segment with the preset correlation coefficient threshold r'; when r(i, i-k) > r', the sampling point is determined to be a sample of the first sample space, and the size of the first sample space for this trend segment is determined to be K;
Second sample space selection submodule 138, which comprises: a second comparator, used to compare the correlation coefficient r(i, i-k) with the preset second correlation coefficient threshold r''; when r(i, i-k) > r'', the sampling point is determined to be a sample of the second sample space; and a selector, which chooses the same sampling points in the same trend segment on a plurality of dates as samples of the second sample space.
Preferably, to ensure the accuracy of the samples, first sample space selection submodule 136 also comprises a first filter, used to average the K samples and filter out the sample data that is 80% greater than this mean and the sample data that is 80% less than this mean.
Preferably, to ensure the accuracy of the samples, second sample space selection submodule 138 also comprises a second filter, used to average the K*M samples and filter out, from the K*M samples, the sample data that is 80% greater than this mean and the sample data that is 80% less than this mean.
In the first embodiment, short-term prediction module 14 calculates, from the short-term prediction request and the first sample space, the short-term predicted value of point i in the n-th trend segment as:
Figure GSB00000811021300061
K is the number of samples in the first sample space. For example, first sample space selection submodule 136 yields K = 5 samples in the first sample space. When predicting the value of the 10th point in the trend segment, that is, i = 10, the short-term predicted value of the 10th point is the arithmetic mean of five points: the 9th point (j=1, i-j=10-1=9), the 8th point (j=2, i-j=10-2=8), ..., the 5th point (j=5, i-j=10-5=5).
Preferably, short-term prediction module 14 also applies a tolerance calculation $S_{ni} \times (1 \pm t_n\%)$ to the short-term predicted value, where $t_n$ generally takes a value of 20 to 30, which yields the short-term prediction region of point i.
In the first embodiment, long-term prediction module 15 calculates the long-term predicted value from the long-term prediction request and the second sample space. The second sample space is expressed as $Z_i = \{z_1, z_2, \ldots, z_l\}$, where i is the i-th time point and l is the size of the sample space at this time point; the long-term predicted value of point i is then
Figure GSB00000811021300071
that is, the arithmetic mean of the samples in the second sample space.
More preferably, long-term prediction module 15 also applies a tolerance calculation $T_i \times (1 \pm t_n\%)$ to the long-term predicted value, where $t_n$ generally takes a value of 20 to 30, which yields the long-term prediction region of point i. The same long-term prediction also applies to holidays, in which case the samples are selected from historical holiday data.
Comparison submodule 128 in monitoring control module 11 compares new IP traffic data with the short-term prediction region and long-term prediction region calculated above and judges whether the new IP traffic data is abnormal data.
As shown in Fig. 4, the network anomaly traffic monitoring method of the second embodiment of the invention comprises:
Step 402: calculate the correlation coefficient r(i, i-k) between the IP traffic data of the short-term sampling point and that of the k sampling points before it;
Step 404: check whether the correlation coefficient of the sampling point is greater than the preset first correlation coefficient threshold r'; if so, go to step 406;
Step 406: determine the sampling points whose coefficient is greater than the first correlation coefficient threshold r' to be samples of the first sample space;
Step 408: calculate the short-term predicted value of the IP traffic data from the first sample space;
Step 410: monitor new IP traffic data against the short-term predicted value.
The following steps precede step 402:
Step 402a: sample the IP traffic data at equal time intervals;
Step 402b: divide each day's sampling points into a plurality of trend segments by time; within each trend segment the IP traffic data of the sampling points as a whole shows a rising or falling trend.
Take the IP traffic data of a certain end office as an example. One day of IP traffic data from the end office is arranged in time order, with a sampling interval of 5 minutes, which gives a time series. As shown in Fig. 5, the IP traffic of the same end office in a given time period each day follows an approximately rising or falling pattern, so the IP traffic data series exhibits trends.
The whole day is divided into a plurality of trend segments. Within each segment the IP traffic trend is approximately linear, and the data within a trend segment have similar short-term correlation. In the second embodiment the whole day is divided into 5 trend segments: the first trend segment is 23:00~5:00, the second 5:00~11:00, the third 11:00~14:00, the fourth 14:00~19:00, and the fifth 19:00~23:00. Within one trend segment the data as a whole shows a linear rising (or falling) trend.
In step 402, calculating the correlation coefficient between the IP traffic data of the short-term sampling point and that of the k sampling points before it specifically comprises:
Calculate the correlation coefficient between the IP traffic data of each sampling point in the n-th trend segment and that of the sampling point lagging it by k points. The correlation coefficient r(i, i-k) between the i-th sampling point and the (i-k)-th sampling point in the trend segment is calculated as follows:
Figure GSB00000811021300081
where i = 1, 2, ..., m; k = 1, 2, ..., m-1; m is the number of sampling points in the trend segment;
Figure GSB00000811021300082
is the mean IP traffic data of the sampling points in the trend segment.
Fig. 6 shows the distribution of the IP traffic data correlation coefficients in each trend segment for this end office within one day. Within the same trend segment the curves of the correlation coefficient $r_k$ have similar shapes, and the closer two data points are in time, the stronger their correlation. The correlation coefficients also differ between trend segments: data correlation is stronger in the two trend segments 23:00~5:00 and 5:00~11:00 and relatively weaker in the other trend segments.
In the second embodiment, to ensure the accuracy of the samples, determining the first sample space of the IP traffic data in step 404 also comprises: filtering out the sample data that is 80% greater than the mean and the sample data that is 80% less than the mean.
In step 406, the short-term predicted value of point i in the n-th trend segment is:
$$S_{ni} = \frac{\sum_{j=1}^{K} x_{i-j}}{K}$$
By selecting the K points in the n-th trend segment that correlate most strongly with point i and applying smoothing, the short-term predicted value $S_{ni}$ of point i is obtained. The tolerance calculation $S_{ni} \times (1 \pm t_n\%)$ is then applied, where $t_n$ generally takes a value of 20 to 30, which yields the short-term prediction region of point i.
With the short-term tracking algorithm we can track changes in IP traffic fairly accurately and use the control window to monitor sudden changes in IP traffic. The short-term tracking algorithm alone, however, cannot capture slow traffic degradation caused by network equipment problems. We therefore also need to determine a long-term predicted value from historical data, so that when traffic degrades slowly, that is, when several consecutive points fall outside the long-term prediction window, a traffic anomaly alarm is raised.
Preferably, the network anomaly traffic monitoring method of the second embodiment also comprises, after step 410:
Step a1: calculate the correlation coefficient between the IP traffic data of the long-term sampling point and that of the k sampling points before it in the same trend segment. For example, the correlation coefficient r(i, i-k) between the i-th sampling point and the (i+k)-th sampling point in the trend segment is calculated as follows:
Figure GSB00000811021300101
where i = 1, 2, ..., m; k = 1, 2, ..., m-1; m is the number of sampling points in the trend segment; is the mean IP traffic data of the sampling points in the trend segment;
Step a2: check whether the correlation coefficient of the sampling point is greater than the preset second correlation coefficient threshold r''; if so, go to step a4;
Step a3: determine the sampling points whose coefficient is greater than the second correlation coefficient threshold r'' to be samples of the second sample space;
Step a4: choose the same sampling points in the same trend segment on a plurality of dates as samples of the second sample space;
Step a5: calculate the long-term predicted value from the second sample space;
Step a6: monitor new IP traffic data against the long-term predicted value.
The daily IP traffic data of this end office is treated as a set of random variables in order to analyze the correlation between the IP traffic of different days. The degree of correlation between the current day's IP traffic variation and historical IP traffic can be expressed by the correlation coefficient $R_{ij}$. For a given sample $X = \{X_1, X_2, \ldots, X_n\}$, where $X_i$ is the IP traffic of this end office on day i, $i = 1, 2, \ldots, n$, $X_i \in R^n$, and $X_i = \{x_{i1}, x_{i2}, \ldots, x_{im}\}$, the correlation coefficient between $X_i$ and $X_j$ is $R_{ij}$, calculated by:
$$R_{ij} = \frac{\left| \sum_{k=1}^{m} (x_{ik} - \bar{x_i})(x_{jk} - \bar{x_j}) \right|}{\sqrt{\sum_{k=1}^{m} (x_{ik} - \bar{x_i})^2 \times \sum_{k=1}^{m} (x_{jk} - \bar{x_j})^2}}$$
where $\bar{x_i} = \frac{1}{m} \sum_{k=1}^{m} x_{ik}$ and $\bar{x_j} = \frac{1}{m} \sum_{k=1}^{m} x_{jk}$.
The closer the correlation coefficient $R_{ij}$ is to 1, the higher the degree of correlation between the two sets of random variables. As shown in Fig. 7, correlation analysis of 26 days of IP traffic data shows a clear regularity in the degree of correlation between the data: the correlation coefficient between working days is higher than the correlation coefficient between a working day and a holiday.
In the second embodiment, M historical working days are chosen, and for each working day the K IP traffic data points with stronger correlation before and after the same time point are taken as samples, for a total of K*M samples. In this embodiment, to ensure the accuracy of the samples, the K*M samples are averaged, and the sample data that is 80% greater than this mean and the sample data that is 80% less than this mean is filtered out. The long-term prediction samples are expressed as $Z_i = \{z_1, z_2, \ldots, z_l\}$, where i is the i-th time point and l is the size of the sample space at this time point. The long-term predicted value $T_i$ of point i is then:
$$T_i = \frac{\sum_{j=1}^{l} z_j}{l}$$
From the long-term predicted value $T_i$, the tolerance calculation $T_i \times (1 \pm t_n\%)$ is then applied for the different time periods, where $t_n$ generally takes a value of 20 to 30, which yields the long-term prediction region of point i. The same long-term prediction algorithm also applies to holidays, in which case the samples are selected from historical holiday data.
As shown in Fig. 8a and Fig. 8b, short-term prediction upper curve 80a and short-term prediction lower curve 80b form the short-term prediction region, and long-term prediction upper curve 90a and long-term prediction lower curve 90b form the long-term prediction region. When the measured new IP traffic data curve 70 lies within the short-term prediction region and the long-term prediction region, the new IP traffic data is normal data.
As shown in Fig. 9a and Fig. 9b, short-term prediction upper curve 80a' and short-term prediction lower curve 80b' form the short-term prediction region, and long-term prediction upper curve 90a' and long-term prediction lower curve 90b' form the long-term prediction region. If the measured new IP traffic data curve 70' does not lie within the short-term prediction region or the long-term prediction region, the IP traffic data is abnormal data.
As shown in Fig. 10, monitoring control module 11 of the third embodiment of the invention also comprises alarm submodule 119, which generates an alarm signal when the newly received IP traffic data is abnormal data.
Monitoring control module 11 also comprises alarm threshold storage submodule 117, which stores the short-term alarm threshold table and the long-term alarm threshold table for the different time periods; the tables record, for each time period, the thresholds for exceeding the window and the alarm that corresponds to exceeding each threshold. Comparison submodule 118 judges from the short-term alarm threshold table and the long-term alarm threshold table whether the newly received IP traffic data is abnormal data.
For short-term prediction, as shown in Fig. 9a and taking 14:00~19:00 as an example, when the new IP traffic data exceeds the short-term prediction region by 50% once, or exceeds the short-term prediction region by 30%-50% twice in a row, the comparison submodule judges the new IP traffic data to be abnormal data.
For long-term prediction, as shown in Fig. 9b and again taking the thresholds of the 14:00~19:00 period as an example, when a first IP traffic data point exceeds the long-term prediction region by 30%, the system starts counting; when u consecutive IP traffic data points are out of limit, an abnormal traffic alarm is produced. The value of u is generally less than 4, so gradual abnormal traffic can be found within 20 minutes.
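The short-term and long-term checks described above, as an added Python example that is not part of the patent text. It assumes that exceeding a prediction region "by p%" is measured relative to the region bound that was crossed, uses a fixed window around each time point in place of the correlation-based sample selection, and runs on constructed traffic values; all function names are illustrative.

```python
from statistics import mean


def short_term_prediction(x, i, K):
    """S_ni: arithmetic mean of the K points before point i in one trend segment."""
    if i < K:
        raise ValueError("point i needs K earlier points in the same trend segment")
    return mean(x[i - j] for j in range(1, K + 1))


def long_term_prediction(samples):
    """T_i: arithmetic mean of the second sample space Z_i after filtering.
    Assumption: the 80% filter drops samples deviating from the mean by more than 80%."""
    avg = mean(samples)
    kept = [z for z in samples if abs(z - avg) <= 0.8 * avg]
    return mean(kept) if kept else avg


def region(pred, t):
    """Prediction region pred * (1 +/- t%), with t in percent (20 to 30 in the text)."""
    return pred * (1 - t / 100), pred * (1 + t / 100)


def excess(value, lo, hi):
    """Fraction by which value lies outside [lo, hi], relative to the bound it
    crossed (assumed reading of 'exceeds the region by p%'); 0.0 when inside."""
    bound = hi if value > hi else lo if value < lo else None
    if bound is None:
        return 0.0
    return abs(value - bound) / bound if bound else float("inf")


def short_term_alarms(x, K, t=25):
    """Indices that are abnormal under the short-term rule: one point more than
    50% outside the region, or two consecutive points 30%-50% outside it."""
    alarms, prev_mid = [], False
    for i in range(K, len(x)):
        e = excess(x[i], *region(short_term_prediction(x, i, K), t))
        mid = 0.30 <= e <= 0.50
        if e > 0.50 or (mid and prev_mid):
            alarms.append(i)
        prev_mid = mid
    return alarms


def long_term_alarms(today, history, half_window=1, t=25, u=3, limit=0.30):
    """Indices at which u consecutive points lie more than `limit` outside the
    long-term region. `history` holds M earlier days of the same trend segment;
    the fixed window of +/- half_window points per day is an assumption."""
    alarms, run = [], 0
    for i, value in enumerate(today):
        first, last = max(0, i - half_window), min(len(today), i + half_window + 1)
        z = [day[j] for day in history for j in range(first, last)]
        e = excess(value, *region(long_term_prediction(z), t))
        run = run + 1 if e > limit else 0
        if run >= u:
            alarms.append(i)
    return alarms


# Constructed 5-minute samples (arbitrary traffic units), not measured data.
HISTORY = [[100] * 12, [104] * 12, [96] * 12]          # three earlier working days
SPIKE = [100, 101, 99, 100, 102, 210, 101, 100]        # sudden jump at index 5
TWO_STEP = [100, 100, 100, 170, 210]                   # two moderate overshoots in a row
SLOW = [100 + 8 * i for i in range(12)]                # gradual degradation

if __name__ == "__main__":
    print("spike, short-term:   ", short_term_alarms(SPIKE, K=3))
    print("two-step, short-term:", short_term_alarms(TWO_STEP, K=3))
    print("slow, short-term:    ", short_term_alarms(SLOW, K=3))
    print("slow, long-term:     ", long_term_alarms(SLOW, HISTORY))
```

On the constructed slow ramp the short-term window follows the drift and stays silent, while the long-term region built from earlier days raises the alarm once three consecutive points are out of limit.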
The network anomaly traffic monitoring method and monitoring system of the invention can track random variation of IP traffic through short-term prediction, and through the long-term predicted value can also follow changes in IP traffic over time and capture slow abnormal variation of the IP traffic.
Because the switch's own historical data is used, the method adapts to the traffic patterns of different time periods, which ensures the generality of the algorithm. By setting the short-term alarm threshold table and the long-term alarm threshold table, the conditions under which alarms are produced can be adjusted dynamically; when the actual operating environment of the equipment and services changes, only the alarm threshold tables need to be adjusted, so customization is simple and convenient.
The network anomaly traffic monitoring method and monitoring system of the invention have low complexity, are simple to implement, and have low cost.
It should be noted that the above embodiments only illustrate the invention and do not limit it, and the invention is not restricted to the above examples; all technical solutions and improvements that do not depart from the spirit and scope of the invention shall be covered by the claims of the invention.

Claims (15)

1. A network anomaly traffic monitoring method, characterized in that it comprises:
sampling the IP traffic data at equal time intervals; dividing each day's sampling points into a plurality of trend segments by time, where within each trend segment the IP traffic data of said sampling points as a whole shows a rising or falling trend; and selecting, within the same trend segment, a short-term sampling point and the k sampling points before it;
calculating the correlation coefficient between the IP traffic data of the short-term sampling point and that of each of the k sampling points before it; comparing the correlation coefficient of said sampling points with a preset first correlation coefficient threshold, and determining the sampling points whose coefficient is greater than said first correlation coefficient threshold to be samples of the first sample space of said short-term sampling point;
calculating the short-term predicted value of said IP traffic data from said first sample space;
monitoring new IP traffic data against said short-term predicted value.
2. The network anomaly traffic monitoring method according to claim 1, characterized in that, after the operation of determining said sampling points whose coefficient is greater than the first correlation coefficient threshold to be samples of the first sample space, it also comprises:
averaging the IP traffic data in said first sample space;
deleting from said first sample space the sampling points whose IP traffic data is 80% greater than said mean and the sampling points whose IP traffic data is 80% less than said mean.
3. The network anomaly traffic monitoring method according to claim 1 or 2, characterized in that said short-term predicted value is calculated by the following formula: in the n-th trend segment, the short-term predicted value of point i is
Figure FSB00000811021200011
where K is the number of samples in the first sample space and $x_{i-j}$ is the IP traffic data of the (i-j)-th sampling point.
4. The network anomaly traffic monitoring method according to claim 1, characterized in that it also comprises:
calculating the correlation coefficient between each of the k sampling points before a long-term sampling point in the same trend segment and said long-term sampling point; comparing said correlation coefficient with a preset second correlation coefficient threshold, and determining said sampling points whose coefficient is greater than said second correlation coefficient threshold to be samples of a second sample space;
choosing the same sampling points in the same trend segment on a plurality of dates as samples of said second sample space;
calculating the long-term predicted value of the IP traffic data from said second sample space;
monitoring new IP traffic data against said long-term predicted value.
5. The network anomaly traffic monitoring method according to claim 4, characterized in that the operation of choosing the same sampling points in the same trend segment on a plurality of dates as samples of said second sample space specifically comprises:
choosing the sampling points in the same trend segment on working days, or choosing the sampling points in the same trend segment on days off.
6. The network anomaly traffic monitoring method according to claim 4, characterized in that, after the operation of choosing the same sampling points in the same trend segment on a plurality of dates as samples of said second sample space, it also comprises:
averaging the IP traffic data in the second sample space;
deleting the sampling points whose IP traffic data is 80% greater than said mean and the sampling points whose IP traffic data is 80% less than said mean.
7. The network anomaly traffic monitoring method according to any one of claims 4 to 6, characterized in that said long-term predicted value is calculated by the following formula: the second sample space is expressed as $Z_i = \{z_1, z_2, \ldots, z_l\}$, where i is the i-th time point and l is the size of the sample space at this time point; the long-term predicted value of point i is then
Figure FSB00000811021200031
8. The network anomaly traffic monitoring method according to claim 4, characterized in that the concrete operations of monitoring new IP traffic data according to said short-term prediction value and said long-term prediction value comprise:
judging, according to said short-term prediction value and said long-term prediction value, whether said new IP traffic data is abnormal data;
raising an alarm when said new IP traffic data is abnormal data.
9. The network anomaly traffic monitoring method according to claim 8, characterized in that, before said operation of raising an alarm, the method further comprises:
judging, according to preset short-term and long-term alarm threshold tables for different time periods, whether said abnormal data is abnormal data that requires an alarm.
10. A network anomaly traffic monitoring system, characterized in that it comprises:
a monitoring control module, used to sample IP traffic data from the network and to generate a short-term prediction request;
an IP traffic database, used to store said IP traffic data;
a sample space selection module, used to sample the IP traffic data at equal time intervals; to divide each day's sampling points into a plurality of trend sections according to time, the IP traffic data of the sampling points within each trend section rising or falling as a whole; to select, within the same trend section, a short-term sampling point and the k sampling points before it; to calculate the correlation coefficients between the IP traffic data of the short-term sampling point and that of each of the k sampling points before it; to compare the correlation coefficient of each said sampling point with a preset first correlation coefficient threshold; and to determine the sampling points greater than said first correlation coefficient threshold to be samples of a first sample space of said short-term sampling point;
a short-term prediction module, used to generate a short-term prediction value according to said short-term prediction request and said first sample space and to feed it back to said monitoring control module;
said monitoring control module being further used to compare newly received IP traffic data with said short-term prediction value and to judge whether the new IP traffic data is abnormal data.
11. The network anomaly traffic monitoring system according to claim 10, characterized in that said monitoring control module comprises:
a sampling submodule, used to sample IP traffic data from the network at equal time intervals;
a short-term prediction request generation submodule, used to generate said short-term prediction request;
a comparison submodule, used to compare newly received IP traffic data with said short-term prediction value and to judge whether the new IP traffic data is abnormal data.
12. The network anomaly traffic monitoring system according to claim 11, characterized in that said sample space selection module comprises:
a trend section division submodule, used to divide each day's sampling points into trend sections according to time and traffic variation;
a correlation coefficient calculation submodule, used to calculate, in the n-th trend section, the correlation coefficients between the IP traffic data of each short-term sampling point and that of each of the k sampling points before it;
a first sample space selection submodule, used to compare the correlation coefficient of each sampling point with the preset first correlation coefficient threshold and, when the correlation coefficient of a sampling point is greater than said first correlation coefficient threshold, to determine that said sampling point is a sample of the first sample space.
13. The network anomaly traffic monitoring system according to claim 12, characterized in that it further comprises a long-term prediction module,
said monitoring control module further comprising a long-term prediction request generation submodule, used to generate said long-term prediction request;
said sample space selection module further comprising a second sample space selection submodule, used to calculate the correlation coefficients between a long-term sampling point and each of the k sampling points before it in the same trend section; to compare said correlation coefficients with a preset second correlation coefficient threshold; to determine the sampling points greater than said second correlation coefficient threshold to be samples of a second sample space; and to select the same sampling points in the same trend section on a plurality of dates as samples of said second sample space;
said long-term prediction module being used to generate a long-term prediction value according to said long-term prediction request and the second sample space and to feed it back to said monitoring control module;
said monitoring control module being further used to compare newly received IP traffic data with said long-term prediction value and to judge whether the new IP traffic data is abnormal data.
14. The network anomaly traffic monitoring system according to any one of claims 11 to 13, characterized in that said monitoring control module further comprises: an alarm submodule, used to generate an alarm signal when the new IP traffic data is abnormal data.
15. The network anomaly traffic monitoring system according to claim 14, characterized in that said monitoring control module further comprises:
an alarm threshold storage submodule, used to store the short-term alarm threshold table and the long-term alarm threshold table for different time periods;
said comparison submodule judging, according to said short-term alarm threshold table and said long-term alarm threshold table, whether said new IP traffic data is abnormal data.
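The short-term path of claims 10 to 12 (correlation-based selection of the first sample space, prediction, comparison of a new sample), as an added Python example that is not part of the patent text. Assumptions: the correlation coefficient is computed across past days, the prediction is a plain average standing in for the formula that is not reproduced on this page, the anomaly rule is a relative tolerance, and all names and data are constructed.

```python
from statistics import mean

# Constructed history: 5 past days x 5 equally spaced samples in one trend section.
HISTORY = [
    [190, 194, 210, 198, 200],
    [200, 204, 200, 213, 220],
    [195, 199, 215, 203, 210],
    [205, 214, 205, 228, 240],
    [200, 209, 210, 218, 230],
]
TODAY = [205, 211, 207, 222]  # constructed samples already seen today

def pearson(a, b):
    """Pearson correlation coefficient of two equal-length series."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    var_a = sum((x - ma) ** 2 for x in a)
    var_b = sum((y - mb) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0  # flat series: treat as uncorrelated
    return cov / (var_a * var_b) ** 0.5

def first_sample_space(history, i, k, r_min):
    """Offsets j in 1..k whose point i-j correlates with point i above r_min."""
    def column(idx):
        return [day[idx] for day in history]
    target = column(i)
    return [j for j in range(1, min(k, i) + 1)
            if pearson(target, column(i - j)) > r_min]

def short_term_prediction(today, i, offsets):
    """Assumed predictor: mean of today's samples at the selected offsets."""
    if not offsets:
        return None  # no correlated neighbour, so no prediction
    return mean(today[i - j] for j in offsets)

def is_anomalous(value, predicted, tolerance):
    """Assumed rule: relative deviation from the prediction exceeds tolerance."""
    if predicted is None:
        return False
    return abs(value - predicted) > tolerance * predicted
```

With a threshold of 0.8 the weakly correlated neighbour at offset 2 is excluded from the sample space, so a noisy sampling point does not distort the prediction used for the comparison.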
CN2008101722599A 2008-11-03 2008-11-03 Monitor method and monitor system of network anomaly traffic Expired - Fee Related CN101729301B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101722599A CN101729301B (en) 2008-11-03 2008-11-03 Monitor method and monitor system of network anomaly traffic

Publications (2)

Publication Number Publication Date
CN101729301A CN101729301A (en) 2010-06-09
CN101729301B true CN101729301B (en) 2012-08-15

Family

ID=42449573

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101722599A Expired - Fee Related CN101729301B (en) 2008-11-03 2008-11-03 Monitor method and monitor system of network anomaly traffic

Country Status (1)

Country Link
CN (1) CN101729301B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102547789B (en) * 2010-12-30 2014-10-01 中国移动通信集团河北有限公司 Early warning method, device and system for quality of peer-to-peer service
CN102355452B (en) * 2011-08-09 2014-11-26 北京网御星云信息技术有限公司 Method and device for filtering network attack traffic
CN102495851B (en) * 2011-11-17 2014-11-05 百度在线网络技术(北京)有限公司 Method, system and device for storing and querying timing sequence data
CN103780445B (en) * 2012-10-22 2017-10-27 北京临近空间飞行器系统工程研究所 A kind of network flow monitoring system and method for threshold adaptive amendment
CN104753733B (en) * 2013-12-31 2019-08-13 南京中兴软件有限责任公司 The detection method and device of exception of network traffic data
CN104394538B (en) * 2014-11-28 2017-10-17 重庆大学 A kind of mobile network data flow analysis and Forecasting Methodology
CN106209404B (en) * 2015-04-30 2019-05-03 华为技术有限公司 Analyzing abnormal network flow method and system
CN106126391A (en) 2016-06-28 2016-11-16 北京百度网讯科技有限公司 System monitoring method and apparatus
CN106383766B (en) * 2016-09-09 2018-09-11 北京百度网讯科技有限公司 System monitoring method and apparatus
CN108023741B (en) * 2016-10-31 2020-11-27 腾讯科技(深圳)有限公司 Monitoring resource use method and server
CN107579995A (en) * 2017-09-30 2018-01-12 北京奇虎科技有限公司 The network protection method and device of onboard system
CN109962903B (en) * 2017-12-26 2022-01-28 中移(杭州)信息技术有限公司 Home gateway security monitoring method, device, system and medium
CN110945484B (en) * 2018-06-08 2024-01-19 北京嘀嘀无限科技发展有限公司 System and method for anomaly detection in data storage
CN109040084B (en) * 2018-08-13 2021-03-12 广东电网有限责任公司 Network flow abnormity detection method, device, equipment and storage medium
CN110753041A (en) * 2019-09-30 2020-02-04 华为技术有限公司 Source station state detection method and equipment based on CDN system
CN111147899B (en) * 2019-12-16 2023-05-23 南京亚信智网科技有限公司 Fault early warning method and device
CN112073393B (en) * 2020-08-27 2021-03-19 上海品付信息科技股份有限公司 Flow detection method based on cloud computing and user behavior analysis
CN114741377B (en) * 2022-04-01 2023-07-21 深圳市爱路恩济能源技术有限公司 Method and device for identifying and processing natural gas abnormal data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1507233A (en) * 2002-12-11 2004-06-23 中国科学院研究生院 Firm gateway system and its attack detecting method
CN1617512A (en) * 2004-11-25 2005-05-18 中国科学院计算技术研究所 Adaptive network flow forecasting and abnormal alarming method
CN101252482A (en) * 2008-04-07 2008-08-27 华为技术有限公司 Network flow abnormity detecting method and device

Also Published As

Publication number Publication date
CN101729301A (en) 2010-06-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120815

Termination date: 20201103
