CN103532776A - Service flow detection method and system - Google Patents
Publication number: CN103532776A
Authority: CN (China)
Application number: CN201310461794.7A
Other languages: Chinese (zh)
Other versions: CN103532776B (en)
Inventors: 苏扬, 邓大为, 周安
Original assignee: 广东电网公司电力调度控制中心

Abstract

The invention discloses a service flow detection method and system. The method comprises the following steps: collecting the flow data of each device; normalizing each piece of flow data to obtain a device data flow containing space information, time information and technical indicator information; aggregating the device data flows on the basis of the space information to obtain a service flow tree; determining the sub-service data flows according to the relationship between sub-service data flows and device data flows in the service flow tree, together with the device data flows; comparing the service data flows and the device data flows against preset service behavior rules to obtain the abnormal state of the device data flows and of the sub-service data flows; obtaining a main service health degree index from the abnormal state of the device data flows, the abnormal state of the sub-service data flows, the service flow tree, the preset abnormal weight of the device data flows and the preset abnormal weight of the sub-service data flows; and determining from the main service health degree index whether the main service data flow is abnormal. By adopting this scheme, detection accuracy is improved.

Description

Service traffic detection method and system

Technical field

The present invention relates to the field of network communication technology, and in particular to a service traffic detection method and system.

Background technology

With the rising level of power automation and the development of communication and network technology, the electric power system relies more and more on the power information network to ensure its safe, reliable and efficient operation. The security of the information network bears directly on the security of the power system, so guaranteeing the security of power system information is particularly important.

With the deepening research, development and application of integrated intelligent operation systems, interaction between the various applications built on the OSB bus has grown rapidly, security problems have gradually become prominent, and the traditional security protection of the electric power secondary system faces huge new challenges. Unlike traditional stand-alone application systems, the boundaries between the applications of an integrated intelligent operation system are fuzzier and the interaction between applications is more complex. Combining the network and service characteristics of the production control system with the integrated use of multiple advanced information security techniques, a well-designed application service feature recognition and application interaction behavior analysis system is of great significance for addressing the new problems of secondary system security protection and for guaranteeing the safe and stable operation of the system.

As bandwidth increases, the applications and services on the electric power secondary system network also keep growing, such as service control traffic, monitoring service traffic and other mis-operation traffic. At the same time, the cost and technical threshold of network attacks have dropped substantially, and all kinds of attacks and abnormal traffic appear on the network. With traffic composition becoming more complex by the day and abnormal traffic emerging in massive volumes, an in-depth analysis of the interaction patterns of service behavior, in order to gain an overall understanding of the distribution and trends of service traffic, becomes very necessary.

The conventional method is to adopt IDS technology (Intrusion Detection System) to detect intrusion behavior. An IDS collects information at a number of key points in a computer network or computer system and performs keyword matching on it, in order to discover behavior that violates the security policy and signs of attack in the network or system. Alternatively, traffic can be judged per device: when the traffic exceeds a threshold, it is judged abnormal. However, the traffic of some devices is often large while the service data flow is in a normal state, so the keyword or threshold judgment often misclassifies normal service data flow as abnormal, and detection accuracy is low.

Summary of the invention

Based on this, it is necessary to provide a service traffic detection method and system that address the problem of low detection accuracy.

A service traffic detection method comprises the steps of:

collecting the flow data of each device, and normalizing each piece of flow data to obtain a device data flow with spatial information, temporal information and technical indicator information;

aggregating the device data flows on the basis of the spatial information to obtain a service flow tree, wherein the service flow tree comprises the relationship between main service data flows and sub-service data flows and the relationship between sub-service data flows and device data flows;

determining the sub-service data flows according to the relationship between sub-service data flows and device data flows in the service flow tree, together with the device data flows;

comparing the sub-service data flows and the device data flows against pre-stored service behavior rules to obtain the abnormal state of the device data flows and of the sub-service data flows;

obtaining a main service health degree index from the abnormal state of the device data flows, the abnormal state of the sub-service data flows, the service flow tree, the preset device data flow abnormality weights and the preset sub-service data flow abnormality weights, and determining from the main service health degree index whether the main service data flow is abnormal.

A service traffic detection system comprises:

an acquisition module for collecting the flow data of each device;

a normalization module for normalizing each piece of flow data to obtain a device data flow with spatial information, temporal information and technical indicator information;

an aggregation module for aggregating the device data flows on the basis of the spatial information to obtain a service flow tree, wherein the service flow tree comprises the relationship between main service data flows and sub-service data flows and the relationship between sub-service data flows and device data flows;

a service data flow determination module for determining the sub-service data flows according to the relationship between sub-service data flows and device data flows in the service flow tree, together with the device data flows;

an abnormality judgment module for comparing the sub-service data flows and the device data flows against the pre-stored service behavior rules to obtain the abnormal state of the device data flows and of the sub-service data flows, and for obtaining a main service health degree index from the abnormal state of the device data flows, the abnormal state of the sub-service data flows, the service flow tree, the preset device data flow abnormality weights and the preset sub-service data flow abnormality weights, and determining from the main service health degree index whether the main service data flow is abnormal.

In the above service traffic detection method and system, the device data flows are aggregated so as to correlate each service and the interaction behavior between services, and thereby obtain the service data flows. The abnormal state of the device data flows and the abnormal state of the service data flows are judged, and the two are combined to judge the abnormality of the main service. This avoids the misjudgment of a service data flow as abnormal that results from considering a single device alone, and improves detection accuracy. The invention proposes a technique for detecting grid service abnormality by monitoring abnormal fluctuations in traffic behavior; it discovers service abnormalities from the perspective of macroscopic behavior and greatly improves the accuracy of service alarms.

Brief description of the drawings

Fig. 1 is a schematic flow chart of the service traffic detection method of the present invention;

Fig. 2 is a schematic structural diagram of the service traffic detection system of the present invention.

Embodiments

The embodiments of the service traffic detection method and system of the present invention are described in detail below.

The embodiments of the service traffic detection method are described first.

Referring to Fig. 1, a schematic flow chart of the service traffic detection method of the present invention, the method comprises the steps of:

Step S101: collect the flow data of each device.

Data acquisition is the basis of all analysis work and the entry point of the data flow of the whole system. Data acquisition can broadly be divided into four modes: NetFlow, sFlow, SPAN and SNMP/RMON. These modes are device-dependent, that is, a given device may support only one or a few of them. Each acquisition mode has its inherent advantages and limitations.

In one embodiment, a composite acquisition scheme of flow traffic and adaptive mirrored traffic is adopted, so that both mirrored data and flow data can be collected directly. Mirrored data is a backup of the traffic produced by a port and serves as the raw data for analysis. Flow traffic records carry information such as network information, time and volume.

Step S102: normalize each piece of flow data to obtain a device data flow with spatial information, temporal information and technical indicator information.

After the various kinds of flow data have been collected, this scheme normalizes them into a unified format for convenient subsequent analysis and storage. In one embodiment, the flow data is stored in the vFlow format. The vFlow format comprises a header part and a data part. The header part comprises: version, number of flow records, time since system start, system time, flow sequence number, engine type, engine sequence number and sampling rate. The data part comprises: source IP address, destination IP address, IP address of the next-hop router, input interface index, output interface index, number of packets in the flow, total number of layer-3 bytes in the packets of the flow, flow start time, time at which the last packet of the flow was received, source port, destination port, unused bytes, TCP flags, IP protocol, number of TCP checksum errors sent, number of TCP retransmissions sent, number of TCP zero-window events sent, number of RST packets sent, number of FIN packets sent, number of SYN packets sent, number of successful connections and number of failed connections. For example, the vFlow format can be defined as follows:

The vFlow flow data collected in this embodiment contains information that falls into three classes: spatial information, temporal information and technical indicator information. Spatial information is where the traffic occurs, including router, physical port, IP address (or address range), AS number, region name and so on. Temporal information is when the traffic occurs, measured in minutes, time slices, hours, days, weeks, months or years. Technical indicators describe the service characteristics of the traffic: application type, TCP flags, ToS, packet size and so on. Taken together, this information makes precise, multi-dimensional analysis of the network traffic possible.

Step S103: aggregate the device data flows on the basis of the spatial information to obtain a service flow tree, wherein the service flow tree comprises the relationship between main service data flows and sub-service data flows and the relationship between sub-service data flows and device data flows.

Service interaction behavior mining uses the idea of cluster analysis to organize and mine the possible service interaction behaviors in the industrial control network in an intelligent way. The information contained in the collected flow data falls into three classes: spatial information, temporal information and technical indicator information. Mining of service interaction behavior mainly aggregates the spatial information in the data so as to find the interaction behavior between services. For example, a hash-table-based Map data structure can be used; this data structure provides all of the optional map operations but does not guarantee the order of the mapping. When mining service interaction behavior, this embodiment uses an analysis cycle of 60 seconds; each cycle generates one such Map structure for caching and analyzing the vFlow data obtained by the acquisition module. In this scheme the key of the Map is designed as a String, whose structure is the sequential combination of IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT and PROTOCOL.
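The normalization of step S102 and the per-cycle Map of step S103, as an added example (this is illustrative code, not the patent's own implementation or the applicant's vFlow definition): a handful of constructed flow records are split into the three information classes named above and then cached in one dictionary per 60-second cycle, keyed by the five-field string the text describes. The field subset, the "|" separator between key components and the sample addresses are this example's assumptions.

```python
"""Added example (not from the patent): normalise constructed flow records into the
three information classes the text names and cache them per 60 s analysis cycle in a
dict keyed by IPV4_SRC_ADDR|IPV4_DST_ADDR|L4_SRC_PORT|L4_DST_PORT|PROTOCOL.
Field names and the '|' separator are this example's assumptions."""
from collections import defaultdict
from dataclasses import dataclass

CYCLE_SECONDS = 60  # analysis cycle stated in the text


@dataclass
class FlowRecord:
    # a small subset of the vFlow data-part fields listed in the text
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    first_seen: int     # flow start time, epoch seconds
    packets: int
    layer3_bytes: int
    tcp_flags: int
    tos: int = 0


def normalise(rec: FlowRecord) -> dict:
    """Split one record into spatial, temporal and technical-indicator information."""
    return {
        "spatial": {"src_ip": rec.src_ip, "dst_ip": rec.dst_ip,
                    "src_port": rec.src_port, "dst_port": rec.dst_port},
        "temporal": {"first_seen": rec.first_seen,
                     "minute": rec.first_seen // 60,
                     "cycle": rec.first_seen // CYCLE_SECONDS},
        "technical": {"protocol": rec.protocol, "tcp_flags": rec.tcp_flags,
                      "tos": rec.tos, "packets": rec.packets,
                      "bytes": rec.layer3_bytes,
                      "avg_packet_size": rec.layer3_bytes // max(rec.packets, 1)},
    }


def map_key(n: dict) -> str:
    """String key: sequential combination of the five fields named in the text."""
    s, t = n["spatial"], n["technical"]
    return "|".join(str(x) for x in
                    (s["src_ip"], s["dst_ip"], s["src_port"], s["dst_port"], t["protocol"]))


def aggregate_cycles(records):
    """One Map per 60 s cycle: {cycle: {key: {"packets": .., "bytes": .., "flows": ..}}}."""
    cycles = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0}))
    for rec in records:
        n = normalise(rec)
        entry = cycles[n["temporal"]["cycle"]][map_key(n)]
        entry["packets"] += n["technical"]["packets"]
        entry["bytes"] += n["technical"]["bytes"]
        entry["flows"] += 1
    return {c: dict(m) for c, m in cycles.items()}


# constructed sample input: two flows of the same 5-tuple in one cycle, one in the next,
# and one unrelated flow in the first cycle
SAMPLE = [
    FlowRecord("10.0.0.5", "10.0.1.20", 40001, 2404, 6, 1_700_000_000, 10, 1500, 0x18),
    FlowRecord("10.0.0.5", "10.0.1.20", 40001, 2404, 6, 1_700_000_030, 20, 3000, 0x18),
    FlowRecord("10.0.0.5", "10.0.1.20", 40001, 2404, 6, 1_700_000_065, 5, 700, 0x18),
    FlowRecord("10.0.0.9", "10.0.1.20", 50000, 102, 6, 1_700_000_010, 2, 120, 0x02),
]

if __name__ == "__main__":
    for cycle, table in sorted(aggregate_cycles(SAMPLE).items()):
        print(cycle, table)
```

Because the cycle number is the start time divided by 60, the first two records share a key in one Map while the third lands in the next Map, which is exactly the per-cycle caching the text describes.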

In one embodiment, the step of aggregating the device data flows on the basis of the spatial information to obtain the service flow tree comprises: matching the IP addresses and ports in the spatial information against a pre-stored service flow tree to obtain the service flow tree, wherein the pre-stored service flow tree is built from the IP addresses and ports of the spatial information. From the IP address and port of each device (such as source and destination IP address, source and destination port), the relationships between the devices are correlated in advance to obtain the sub-services; the main services are then correlated from the relationships between the sub-services, generating a service flow tree. A device need not belong to a single sub-service; it may be shared by several sub-services.

In another embodiment, the step of aggregating the device data flows on the basis of the spatial information to obtain the service flow tree comprises: correlating the ownership of each device data flow from the protocol content in the spatial information to obtain the service flow tree. From the protocol content of each device, the service to which the device belongs is analyzed concretely, and the service flow tree is thereby correlated.

Step S104: determine the sub-service data flows according to the relationship between sub-service data flows and device data flows in the service flow tree, together with the device data flows. Since several device data flows form one sub-service data flow, the data flows of the devices corresponding to a sub-service can be correlated according to the device-to-sub-service relationship in the service flow tree to obtain the sub-service data flow.

In one embodiment, after step S104 the method further comprises: storing the service data flows and device data flows, so that they can be used as historical data for subsequent queries and as the historical data for data flow judgment. The service data flows and device data flows may be stored independently, or stored correspondingly in the form of the service flow tree; reports may also be generated for the corresponding service flow tree to show in real time the state of the service data flows and device data flows of that tree.

In another embodiment, the method further comprises the steps of:

stacking the device data flows according to the spatial information, temporal information, a preset aggregation condition and a preset time granularity, and storing the stacked flow data together with the aggregation items; receiving a query statement, and querying and analyzing the corresponding data flows according to the time granularity and aggregation items. The aggregation condition may be the service flow tree obtained in step S103, a division of the data flows by service class, a division by the information category after normalization, and so on. The aggregation items are the fields of the data flows that are summed during stacking. Once the flow data has been stacked according to a predefined aggregation condition, the network data within any time range can later be traced back by aggregation item and analyzed.

The volume of vFlow data in a network is enormous. Storing all of it in a database is a very large challenge for both storage and analysis, is beyond the hardware specification of most equipment, and in the vast majority of applications there is no need to design the data granularity so finely. This application instead compresses and organizes the raw flows by means of the aggregation condition and then keeps them in the database in a comparatively reasonable storage format. The core mechanism of the data compression is flow aggregation. Flow aggregation merges raw flow records that conform to the flow data format according to certain conditions, combining many flows into one, so as to compress and organize the raw flows. Flow aggregation has three key elements: the aggregation condition (F), the time granularity (T) and the aggregation items (C). Flows that meet the same aggregation condition and time granularity are stacked, and the aggregation items are retained. The query function can quickly trace back the network communication data within any time range, including real-time and retrospective queries, and can quickly mine and analyze the associated communication data in multiple dimensions, so as to locate and analyze network and application problems quickly and to discover and analyze security attacks. At the same time, this stored data can also serve as the historical data for the abnormality judgment of device data flows and service data flows.
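Flow aggregation with the three elements F, T and C, followed by a time-range query over the stored aggregates, as an added example (illustrative code, not the patent's implementation): five constructed raw flows are stacked under two different aggregation conditions, and the query traces an aggregation item back over a time range. The tuple layout of the raw records, the 300-second granularity and the sample addresses are this example's assumptions.

```python
"""Added example (not the patent's code): flow aggregation with the three elements the
text names, aggregation condition F, time granularity T and aggregation items C, plus
a query over the stored aggregates. Record layout and sample values are constructed."""
from collections import defaultdict

T0 = 1_700_000_100  # constructed base time, chosen to be a multiple of 300 s

# constructed raw flow records: (start_epoch, src_ip, dst_ip, dst_port, packets, bytes)
RAW_FLOWS = [
    (T0 + 5,   "10.0.0.5", "10.0.1.20", 2404, 10, 1500),
    (T0 + 100, "10.0.0.5", "10.0.1.20", 2404, 12, 1800),
    (T0 + 200, "10.0.0.9", "10.0.1.20", 102,  3,  200),
    (T0 + 400, "10.0.0.5", "10.0.1.20", 2404, 8,  1000),  # next 5-minute bucket
    (T0 + 450, "10.0.0.9", "10.0.1.20", 102,  4,  260),
]

ITEM_INDEX = {"packets": 4, "bytes": 5}  # positions of the aggregation items C


def by_src_dst(rec):
    """Aggregation condition F: merge flows sharing source and destination IP."""
    return (rec[1], rec[2])


def by_dst_port(rec):
    """Alternative F: merge flows by destination IP and port (a service-class view)."""
    return (rec[2], rec[3])


def aggregate(flows, condition, granularity, items=("packets", "bytes")):
    """Stack flows that share the same F key within the same T bucket, summing items C.
    Returns {(bucket_start, key): {"flows": n, item: total, ...}}."""
    table = defaultdict(lambda: {"flows": 0, **{c: 0 for c in items}})
    for rec in flows:
        bucket = rec[0] - rec[0] % granularity      # start of the T bucket
        entry = table[(bucket, condition(rec))]
        entry["flows"] += 1
        for c in items:
            entry[c] += rec[ITEM_INDEX[c]]
    return dict(table)


def query(table, start, end, item, key=None):
    """Trace back one aggregation item over [start, end), optionally for one F key only."""
    total = 0
    for (bucket, k), entry in table.items():
        if start <= bucket < end and (key is None or k == key):
            total += entry[item]
    return total


if __name__ == "__main__":
    stacked = aggregate(RAW_FLOWS, by_src_dst, 300)
    print(len(RAW_FLOWS), "raw flows ->", len(stacked), "stored aggregates")
    print("bytes in first 10 minutes:", query(stacked, T0, T0 + 600, "bytes"))
```

Five raw records become four stored rows under the source/destination condition; the finer the granularity T, the less compression, and the richer the set of items C, the more analysis can still be done after the raw flows are gone.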

In the course of traffic analysis, this technique adopts a flow-level monitoring and preservation strategy, which guarantees the accuracy and efficiency of the analysis while achieving full storage of the traffic behavior data. Because the method builds full, flow-level storage of the service traffic behavior data, retrospective analysis of abnormal grid service behavior becomes possible.

In one embodiment, after the step of stacking the device data flows according to the preset aggregation condition and preset time granularity, the method further comprises: generating a report from the preset aggregation condition, the preset time granularity and the stacked flow data, and updating and displaying the report in real time. After the flow data has been aggregated and classified according to the aggregation condition, the service interaction situation is analyzed; daily or monthly reports and similar information can be produced, and the aggregated information can be displayed and analyzed.

Step S105: compare the sub-service data flows and device data flows against the pre-stored service behavior rules to obtain the abnormal state of the device data flows and sub-service data flows.

A service behavior rule may be a keyword or a threshold; whether a device data flow is normal and whether a sub-service data flow is normal are judged from the keyword or threshold. In one embodiment, step S105 comprises:

if the flow data belongs to the first indicator class, compare the flow data with a preset feature baseline; if it does not match, the flow data is abnormal. Some data flows must not exceed a preset fixed threshold or a user-defined feature range, or must match certain keywords; such data flows are assigned to the first indicator class.

if the flow data belongs to the second indicator class, determine the periodic baseline of the flow data from the historical flow data; if the flow data does not follow the periodic fluctuation, it is abnormal. Some data flows vary periodically, such as the total traffic of a port or the traffic trend of a certain IP group; such data flows are assigned to the second indicator class.

if the flow data belongs to the third indicator class, determine the mean value of the flow data over a preset time from the normal historical flow data, calculate the fluctuation range of this flow data relative to the mean, and if the fluctuation range does not satisfy the preset fluctuation range, the flow data is abnormal. The normal value of some data flows has no obvious periodic variation but fluctuates within a small range; such data flows are assigned to the third indicator class. Normal historical flow data means historical flow data in which all values are normal, with no sudden changes or out-of-range values.

Here, flow data comprises both service data flows and device data flows. The first indicator class may also be a user-defined feature fingerprint, and the second and third indicator classes may be set to other indicator data as required.

In another embodiment, the device data flows may be stacked according to the spatial information, temporal information, preset aggregation condition and preset time granularity, and the stacked flow data and aggregation items stored. For data stored in this way, the judgment method adopted by this scheme is:

if the flow data belongs to the first indicator class, compare the flow data with the preset feature baseline; if it does not match the preset feature baseline, the flow data is abnormal.

if the flow data belongs to the second indicator class, query the historical flow data corresponding to this flow data, determine the periodic baseline of the flow data from the historical flow data, and if this flow data does not follow the periodic fluctuation, it is abnormal. In one embodiment, the periodic baseline and the periodic fluctuation are identical, and the device data flow must match the periodic baseline exactly, otherwise it is abnormal. In another embodiment, the periodic fluctuation is a range around the periodic baseline, and the device data flow is counted as normal as long as it stays within that range above or below the periodic baseline.

if the flow data belongs to the third indicator class, query the normal historical flow data corresponding to this flow data, determine the mean value of the flow data over the preset time from the historical flow data, calculate the fluctuation range of this flow data relative to the mean, and if the fluctuation range does not satisfy the preset fluctuation range, the flow data is abnormal.

Here, the flow data comprises service data flows and device data flows, and the historical service data flows are obtained from the service flow tree and the historical device data flows.

Specifically:

A service interaction behavior model describes the traffic characteristics of a service system, and a service behavior rule describes the legitimacy rules of the interaction behavior of service flows; such rules can be defined according to expert experience or industry standards.

Service behavior rules are defined on the basis of the service interaction behavior models, and each model may have one or more behavior rules. A service behavior rule is designed to constrain the following conditions of a given service interaction behavior model: time constraint, port constraint, protocol constraint, traffic volume and rate constraint, and packet rate constraint. These constraint conditions are combined to form the service behavior rule. Traffic that does not satisfy the rule must raise an early warning.

The abnormal behavior warning module takes the vFlow data obtained by the traffic acquisition module and, in combination with the service behavior rules, finds abnormal service behavior in the industrial control network and raises an early warning. Traffic detection in this embodiment uses baseline detection as the main means and feature fingerprint detection as the auxiliary means. The data analysis process of abnormal traffic detection is divided into three steps: calculating the measured value of the detection indicator, calculating the baseline value of the detection indicator, and comparing the measured value against the baseline value.

The principle of abnormal traffic detection is to compare the actual measured value of the detection indicator with the baseline value, and to produce an alarm when the former exceeds the latter. It follows that the choice and calculation of the detection indicators and the generation of the baseline data model are the two most critical processes of abnormal traffic detection. The baseline data model must be generated independently, the independence of the detection plug-ins must be guaranteed, and large amounts of repeated calculation must be avoided.

Since the variation characteristics of the anomaly detection indicators differ, they should be compared against different baselines. The system adopts four different kinds of baseline. The first is the periodic baseline, used to check indicators whose trend is clearly periodic, for example the total traffic of a port, the total traffic of a certain application, or the traffic trend of a certain IP group. The second is the moving window baseline, which works comparatively well when the normal value of the detection indicator has no obvious periodic variation but fluctuates within a small range. Its baseline value is obtained from a set of historical flow data using a weighted average and confidence interval algorithm. Historical data outside the credible range does not take part in the baseline calculation (abnormal data in that time period is excluded), which guarantees the validity of the baseline. The third is the feature baseline, a fixed anomaly detection pattern normally derived from experience or from experimental measurement. The fourth is the customized baseline, detected via a user-defined feature fingerprint; for example, different baseline values may be set according to different service situations. For instance, when the number of accesses exceeds 100 the value may not exceed one threshold, and when the number of accesses does not exceed 100 it may not exceed another threshold.

These four baseline judgment methods can be used to judge device data flows and also service data flows. In this embodiment, the flow data corresponding to the periodic baseline is set as the first indicator class, the flow data corresponding to the moving window baseline as the second indicator class, and the flow data corresponding to the feature baseline and the customized baseline as the third indicator class. Therefore, in the judgment process, the class to which the flow data belongs is identified first, and the corresponding judgment process is then carried out.
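The four baseline checks described above, and the indicator-class judgments of step S105, as one added example (illustrative code, not the patent's implementation): a periodic baseline computed per position across past periods, a moving window baseline built from a weighted average after discarding history outside the credible range, a fixed feature baseline with a threshold and keywords, and a customized baseline whose threshold depends on a condition such as the access count. The tolerance of 20%, the 2-sigma credible range, the recency weighting and all sample numbers are this example's assumptions; the text names the techniques but fixes none of these values.

```python
"""Added example (not the patent's code): the four baseline checks described in the text,
run over constructed history. Tolerances, weights and the 2-sigma credible range are
this example's assumptions."""
import statistics


def periodic_baseline(history, tolerance=0.2):
    """history: list of past periods, each a list of values at the same positions
    (e.g. hourly totals per day). Baseline per position = mean over the periods.
    Returns (baseline, check) where check(position, value) is True when normal."""
    base = [statistics.fmean(col) for col in zip(*history)]

    def check(position, value):
        b = base[position]
        return abs(value - b) <= tolerance * b
    return base, check


def moving_window_baseline(window, k=2.0, newest_weight=2.0):
    """Weighted mean of the window (newest samples weighted up to newest_weight) after
    dropping samples outside mean +/- k*stdev of the raw window. Returns (mean, lo, hi)."""
    mu, sd = statistics.fmean(window), statistics.pstdev(window)
    credible = [v for v in window if abs(v - mu) <= k * sd] or window   # drop outliers
    n = len(credible)
    weights = [1 + (newest_weight - 1) * i / max(n - 1, 1) for i in range(n)]
    wmean = sum(w * v for w, v in zip(weights, credible)) / sum(weights)
    sd_c = statistics.pstdev(credible)
    return wmean, wmean - k * sd_c, wmean + k * sd_c


def in_window(value, bounds):
    """Moving-window judgment: normal when inside the confidence interval."""
    _, lo, hi = bounds
    return lo <= value <= hi


def feature_baseline(max_value=None, keywords=()):
    """Fixed pattern: an upper threshold and/or a set of keywords one of which must match."""
    def check(value=None, text=""):
        if max_value is not None and value is not None and value > max_value:
            return False
        if keywords and not any(kw in text for kw in keywords):
            return False
        return True
    return check


def custom_baseline(rules):
    """rules: list of (predicate on context, threshold); the first matching rule's
    threshold applies, e.g. one limit when accesses > 100 and another otherwise."""
    def check(context, value):
        for pred, limit in rules:
            if pred(context):
                return value <= limit
        return True
    return check


# constructed history: three days of four "hourly" totals for a port, and a ten-sample
# window in which 300 is an abnormal sample that the credible range must exclude
DAYS = [[100, 400, 420, 120], [110, 390, 430, 115], [90, 410, 410, 125]]
WINDOW = [50, 52, 49, 51, 300, 50, 53, 48, 52, 51]


def demo():
    base, periodic_ok = periodic_baseline(DAYS)
    bounds = moving_window_baseline(WINDOW)
    fixed_ok = feature_baseline(max_value=1000, keywords=("IEC104", "MMS"))
    custom_ok = custom_baseline([(lambda c: c["accesses"] > 100, 800),
                                 (lambda c: True, 300)])
    return {
        "periodic_base": [round(b) for b in base],
        "periodic_normal": periodic_ok(1, 405),        # 405 against a baseline of 400
        "periodic_abnormal": periodic_ok(0, 250),      # 250 against a baseline of 100
        "window_excluded_outlier": bounds[2] < 300,    # 300 did not inflate the interval
        "window_normal": in_window(51, bounds),
        "feature_abnormal": fixed_ok(value=50, text="unknown proto"),
        "custom_high_load": custom_ok({"accesses": 150}, 700),
        "custom_low_load": custom_ok({"accesses": 20}, 700),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The outlier exclusion is the step the text singles out: without it, the single 300-sample would widen the moving window interval enough to accept almost any value, which is why the baseline is computed from the credible subset only.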

After the device data flows and service data flows have been judged, the judgment results can be stored and can also be reported via the syslog protocol. The service behavior early warning record is designed as follows:

Log format match string:

Explanation:

Field name | Type | Description
mod        | %s   | Module name; the name used by this module is "attack"
Sa         | %s   | Source IP address
sport      | %d   | Source port (for the ICMP protocol, type&code)
Da         | %s   | Destination IP address
Dport      | %d   | Destination port
proto      | %d   | Protocol type
type       | %s   | Attack type
count      | %d   | Number of repetitions
msg        | %s   | Message
act        | %s   | Concrete action, including drop, pass, preserve evidence, add to blacklist, etc.

Log example:

Step S106: obtain a main service health degree index from the abnormal state of the device data flows, the abnormal state of the sub-service data flows, the service flow tree, the preset device data flow abnormality weights and the preset sub-service data flow abnormality weights, and determine from the main service health degree index whether the main service data flow is abnormal.

The security posture of a service is represented by means of a service health degree system; the service health degree index is calculated mainly from the frequency, severity and scope of the service early warning information. All data is collected, analyzed and calculated periodically and automatically by the system: the system collects the basic indicator data automatically and performs the analysis and calculation automatically. The system can calculate KPI indicators from the security information obtained from the service rule detection results. For example, whether a sub-service data flow is abnormal is determined from the abnormal state of the device data flows, the preset device data flow abnormality weights, the device-to-sub-service relationship in the service flow tree and the abnormal state of the sub-service data flow. The main service health degree index is then obtained from the determined sub-service data flow abnormality, the preset sub-service data flow abnormality weights and the sub-service-to-main-service relationship in the service flow tree, and whether the main service data flow is abnormal is determined from the main service health degree index. For example, a main service data flow has several sub-service data flows, one of which, sub-service data flow m, comprises device A, device B and device C. Suppose the traffic of device A is higher than normal, the traffic of device B is lower than normal, the traffic of device C is normal, and the total traffic of A, B and C is normal. When devices A and B are key devices, sub-service data flow m can be judged abnormal; when A and B are non-key devices, sub-service data flow m can be judged normal.
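The service flow tree of step S103 and the weighted judgment of steps S105 and S106, as one added example (illustrative code, not the patent's implementation): a pre-stored (IP, port) to sub-service mapping is turned into a tree in which one device is shared by two sub-services, the device abnormality weights decide whether a sub-service is abnormal, and the sub-service weights produce the main service health degree index. It reproduces the device A/B/C case from the text under both weightings. The 0..100 index scale, the "subtract the weight of each abnormal sub-service" formula, both thresholds and all weights and addresses are this example's assumptions; the patent only states that the weights are preset.

```python
"""Added example (not the patent's code): service flow tree from a pre-stored mapping,
then the weighted device -> sub-service -> main service judgment. Index scale, formula,
thresholds, weights and addresses are constructed assumptions."""
from collections import defaultdict

# pre-stored mapping (constructed): (device_ip, port) -> sub-service; sub-service -> main service
DEVICE_MAP = {
    ("10.0.1.20", 2404): "m",   # device A
    ("10.0.1.21", 2404): "m",   # device B
    ("10.0.1.22", 102):  "m",   # device C
    ("10.0.1.22", 2404): "n",   # device C is shared by sub-services m and n
    ("10.0.1.30", 102):  "n",
}
SUBSERVICE_MAP = {"m": "main_1", "n": "main_1"}


def build_tree(device_map, subservice_map):
    """Service flow tree: {main: {sub: set(device_ip)}}."""
    tree = defaultdict(lambda: defaultdict(set))
    for (ip, _port), sub in device_map.items():
        tree[subservice_map[sub]][sub].add(ip)
    return {m: dict(subs) for m, subs in tree.items()}


def subservice_abnormal(devices, device_state, device_weight, threshold=1.0):
    """A sub-service is abnormal when the summed weight of its abnormal devices reaches
    the threshold. device_state maps ip -> 'normal' | 'high' | 'low'."""
    score = sum(device_weight.get(ip, 0.0)
                for ip in devices if device_state.get(ip, "normal") != "normal")
    return score >= threshold


def main_health_index(tree, main, device_state, device_weight, sub_weight):
    """Health degree index on a 0..100 scale: each abnormal sub-service subtracts its weight."""
    penalty = 0.0
    for sub, devices in tree[main].items():
        if subservice_abnormal(devices, device_state, device_weight):
            penalty += sub_weight.get(sub, 0.0)
    return max(0.0, 100.0 - penalty)


def judge_main(tree, main, device_state, device_weight, sub_weight, min_healthy=80.0):
    """Returns (index, abnormal?) for one main service."""
    idx = main_health_index(tree, main, device_state, device_weight, sub_weight)
    return idx, idx < min_healthy


# worked case from the text: A high, B low, C normal, total of A+B+C normal
STATE = {"10.0.1.20": "high", "10.0.1.21": "low", "10.0.1.22": "normal", "10.0.1.30": "normal"}
KEY_WEIGHTS = {"10.0.1.20": 0.6, "10.0.1.21": 0.6, "10.0.1.22": 0.2, "10.0.1.30": 0.2}     # A, B key
NONKEY_WEIGHTS = {"10.0.1.20": 0.2, "10.0.1.21": 0.2, "10.0.1.22": 0.6, "10.0.1.30": 0.6}  # A, B non-key
SUB_WEIGHTS = {"m": 40.0, "n": 30.0}


def demo():
    tree = build_tree(DEVICE_MAP, SUBSERVICE_MAP)
    key = judge_main(tree, "main_1", STATE, KEY_WEIGHTS, SUB_WEIGHTS)
    nonkey = judge_main(tree, "main_1", STATE, NONKEY_WEIGHTS, SUB_WEIGHTS)
    return tree, key, nonkey


if __name__ == "__main__":
    tree, key, nonkey = demo()
    print("tree:", tree)
    print("A, B key devices     -> (index, abnormal):", key)
    print("A, B non-key devices -> (index, abnormal):", nonkey)
```

Note that a per-device threshold on total traffic would have passed this case in both weightings, since the total of A, B and C is normal; it is the weights attached to the tree that let the same device states yield an abnormal sub-service in one configuration and a normal one in the other, which is the point the text makes.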

The service health scale can be represented according to the hierarchical classification of the indicators, giving a multi-dimensional representation of the service security posture and of the overall traffic security posture. Service health degree trend analysis is supported, such as trend charts, ideal values, target values and period-on-period values. Visual representation of service health indicators is supported.

Whole-network flow data is collected at the routing and switching equipment in the industrial control network. Using flow-level traffic behavior analysis, three kinds of baseline model are built, the services in the network are monitored and analyzed in real time, and abnormal fluctuations of service traffic are discovered intelligently, so as to determine abnormality of the grid's proprietary services. At the same time, storing the traffic behavior data makes retrospective analysis of the history of grid traffic faults possible.

This scheme also provides a service traffic detection system. Referring to Fig. 2, a schematic structural diagram of an embodiment of the service traffic detection system of the present invention, the system comprises:

an acquisition module 201 for collecting the flow data of each device;

a normalization module 202 for normalizing each piece of flow data to obtain a device data flow with spatial information, temporal information and technical indicator information;

an aggregation module 203 for aggregating the device data flows on the basis of the spatial information to obtain a service flow tree, wherein the service flow tree comprises the relationship between main service data flows and sub-service data flows and the relationship between sub-service data flows and device data flows;

a service data flow determination module 204 for determining the sub-service data flows according to the relationship between sub-service data flows and device data flows in the service flow tree, together with the device data flows;

an abnormality judgment module 205 for comparing the sub-service data flows and device data flows against the pre-stored service behavior rules to obtain the abnormal state of the device data flows and sub-service data flows, and for obtaining a main service health degree index from the abnormal state of the device data flows, the abnormal state of the sub-service data flows, the service flow tree, the preset device data flow abnormality weights and the preset sub-service data flow abnormality weights, and determining from the main service health degree index whether the main service data flow is abnormal.

In one embodiment, the aggregation module is further for: matching the IP address and port in the spatial information against a prestored business flow tree to obtain the business flow tree, wherein the prestored business flow tree is built from the IP addresses and ports of the spatial information.

In one embodiment, the aggregation module is further for: deriving the ownership of a device data flow by association from the protocol content in the spatial information, to obtain the business flow tree.

In one embodiment, the system further comprises a first storage module for storing the business data flows and device data flows;

and the abnormality judgement module is for:

if the traffic data belongs to the first indicator class, comparing the traffic data with a preset feature baseline; if it does not match, the traffic data is abnormal;

if the traffic data belongs to the second indicator class, querying the historical traffic data corresponding to this traffic data and determining the periodic baseline of the traffic data from the historical traffic data; if this traffic data does not conform to the periodic fluctuation, the traffic data is abnormal;

if the traffic data belongs to the third indicator class, querying the normal historical traffic data corresponding to this traffic data, determining the mean value of the traffic data within a preset time from the historical traffic data, and calculating the fluctuation range of this traffic data relative to the mean value; if the fluctuation range does not meet the preset fluctuation range, the traffic data is abnormal;

wherein the traffic data comprises business data flows and device data flows.
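As an added example (not code from the patent), the following shows the three baseline checks for the first, second and third indicator classes, and the weighted propagation of device abnormality through the business flow tree to the sub-service state and the main business health degree index, reproducing the device A/B/C case described earlier. The tree, the key/non-key device weights, the sub-service weights, the tolerances, the health threshold and the sample flows are constructed assumptions.

```python
from statistics import mean

# Constructed business flow tree: one main business data flow with two
# sub-service data flows; sub-service m has devices A, B, C as in the text.
# Tree, weights, thresholds and sample values are assumptions for this example.
BUSINESS_TREE = {
    "main_scada": {"sub_m": ["dev_A", "dev_B", "dev_C"], "sub_n": ["dev_D"]},
}
KEY_DEVICES = {"dev_A", "dev_B"}                   # key devices (assumed)
DEVICE_WEIGHT = {"key": 1.0, "non_key": 0.2}       # preset device abnormality weights
SUBSERVICE_WEIGHT = {"sub_m": 0.7, "sub_n": 0.3}   # preset sub-service abnormality weights

# Constructed rule per device: its indicator class and the baseline data the
# corresponding check needs.
RULES = {
    "dev_A": {"kind": 1, "baseline": (100, 800)},               # feature baseline
    "dev_B": {"kind": 3, "history": [400, 420, 380, 410]},       # mean / fluctuation
    "dev_C": {"kind": 2, "period": 4, "slot": 1,                 # periodic baseline
              "history": [100, 200, 300, 400, 110, 190, 310, 390]},
    "dev_D": {"kind": 1, "baseline": (10, 100)},
}
# Constructed current samples (bytes/s): A high, B low, C and D normal.
SAMPLES = {"dev_A": 950, "dev_B": 200, "dev_C": 205, "dev_D": 50}

def feature_baseline_abnormal(value, lo, hi):
    """First indicator class: the value must stay inside the preset feature baseline."""
    return not lo <= value <= hi

def periodic_baseline_abnormal(value, history, period, slot, tolerance=0.3):
    """Second indicator class: compare with the same slot of earlier periods."""
    base = mean(history[slot::period])          # periodic baseline for this slot
    return abs(value - base) > tolerance * base

def mean_fluctuation_abnormal(value, normal_history, max_fluct=0.25):
    """Third indicator class: relative fluctuation from the mean of normal history."""
    avg = mean(normal_history)
    return abs(value - avg) / avg > max_fluct

def device_abnormal(sample, rule):
    """Dispatch a device data flow sample to the check for its indicator class."""
    if rule["kind"] == 1:
        return feature_baseline_abnormal(sample, *rule["baseline"])
    if rule["kind"] == 2:
        return periodic_baseline_abnormal(sample, rule["history"], rule["period"], rule["slot"])
    return mean_fluctuation_abnormal(sample, rule["history"])

def evaluate_devices(samples, rules):
    """Abnormality state of every device data flow."""
    return {name: device_abnormal(samples[name], rules[name]) for name in samples}

def subservice_abnormal(devices, device_states, key_devices=KEY_DEVICES, threshold=1.0):
    """Weighted device abnormality: one abnormal key device alone makes the
    sub-service abnormal; abnormal non-key devices only count 0.2 each."""
    score = sum(DEVICE_WEIGHT["key"] if d in key_devices else DEVICE_WEIGHT["non_key"]
                for d in devices if device_states[d])
    return score >= threshold

def main_health_index(main, device_states):
    """Health index 0..100: 100 minus the weighted share of abnormal sub-services."""
    subs = BUSINESS_TREE[main]
    states = {s: subservice_abnormal(devs, device_states) for s, devs in subs.items()}
    penalty = sum(SUBSERVICE_WEIGHT[s] for s, bad in states.items() if bad)
    total = sum(SUBSERVICE_WEIGHT[s] for s in subs)
    return round(100 * (1 - penalty / total), 1), states

def main_abnormal(health, threshold=60.0):
    """The main business data flow is abnormal when its health index is below threshold."""
    return health < threshold
```

Passing `key_devices=set()` to `subservice_abnormal` reproduces the text's second case, where devices A and B are non-key and sub-service m stays normal despite both being abnormal.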

In one embodiment, the aggregation module is further for superimposing the device data flows according to the spatial information, temporal information, preset aggregation condition and preset time granularity;

the system further comprises a second storage module for storing the superimposed traffic data and the aggregation items;

and a query module for receiving a query statement and querying and analysing the corresponding data flows according to the time granularity and aggregation items.

In one embodiment, the system further comprises a display module for generating a report from the superimposed traffic data according to the preset aggregation condition and preset time granularity, and updating and displaying the report in real time.

The specific implementation is as described for the service traffic detection method above and is not repeated here.

The above embodiments only express several implementations of the present invention, and their description is relatively specific and detailed, but they should not therefore be interpreted as limiting the scope of the claims of the present invention. It should be pointed out that a person of ordinary skill in the art can make several variations and improvements without departing from the concept of the invention, and these all fall within the scope of protection of the present invention. Therefore, the scope of protection of the present patent shall be determined by the appended claims.

Claims (13)

1. A service traffic detection method, characterized in that it comprises the steps of:
collecting the traffic data of each device, normalizing each item of said traffic data, and obtaining a device data flow with spatial information, temporal information and technical indicator information;
aggregating the device data flows based on the spatial information to obtain a business flow tree, wherein said business flow tree comprises the relation between the main business data flow and the sub-service data flows, and the relation between the sub-service data flows and the device data flows;
determining the sub-service data flows according to the relation between sub-service data flows and device data flows in said business flow tree and said device data flows;
comparing the sub-service data flows and device data flows against the prestored business behaviour rules to obtain the abnormality state of the device data flows and sub-service data flows;
obtaining a main business health degree index according to the abnormality state of the device data flows, the abnormality state of the sub-service data flows, the business flow tree, the preset device data flow abnormality weights and the preset sub-service data flow abnormality weights, and determining from said main business health degree index whether the main business data flow is abnormal.
2. The service traffic detection method according to claim 1, characterized in that the step of aggregating the device data flows based on the spatial information to obtain a business flow tree comprises the step of:
matching the IP address and port in said spatial information against a prestored business flow tree to obtain the business flow tree, wherein said prestored business flow tree is built from the IP addresses and ports of the spatial information.
3. The service traffic detection method according to claim 1, characterized in that the step of aggregating the device data flows based on the spatial information to obtain a business flow tree comprises the step of:
deriving the ownership of the device data flows by association from the protocol content in said spatial information, to obtain the business flow tree.
4. The service traffic detection method according to any one of claims 1 to 3, characterized in that,
after the step of determining the sub-service data flows according to the relation between sub-service data flows and device data flows in said business flow tree and said device data flows, the method further comprises: storing said business data flows and said device data flows;
and the step of comparing the sub-service data flows and device data flows against the prestored business behaviour rules to obtain the abnormality state of the device data flows and business data flows comprises the steps of:
if the traffic data belongs to the first indicator class, comparing said traffic data with a preset feature baseline; if it does not match, the traffic data is abnormal;
if the traffic data belongs to the second indicator class, querying the historical traffic data corresponding to this traffic data and determining the periodic baseline of the traffic data from the historical traffic data; if this traffic data does not conform to the periodic fluctuation, the traffic data is abnormal;
if the traffic data belongs to the third indicator class, querying the normal historical traffic data corresponding to this traffic data, determining the mean value of the traffic data within a preset time from the historical traffic data, and calculating the fluctuation range of this traffic data relative to the mean value; if said fluctuation range does not meet the preset fluctuation range, the traffic data is abnormal;
wherein said traffic data comprises business data flows and device data flows.
5. The service traffic detection method according to any one of claims 1 to 3, characterized in that, after the step of collecting the traffic data of each device, normalizing each item of said traffic data and obtaining a device data flow with spatial information, temporal information and technical indicator information, the method further comprises the steps of:
superimposing the device data flows according to the spatial information, temporal information, preset aggregation condition and preset time granularity, and storing the superimposed traffic data and the aggregation items;
receiving a query statement, and querying and analysing the corresponding device data flows according to the time granularity and aggregation items.
6. The service traffic detection method according to claim 5, characterized in that
the step of comparing the sub-service data flows and device data flows against the prestored business behaviour rules to obtain the abnormality state of the device data flows and business data flows comprises the steps of:
if the traffic data belongs to the first indicator class, comparing whether said traffic data meets the preset feature baseline; if not, the traffic data is abnormal;
if the traffic data belongs to the second indicator class, querying the historical traffic data corresponding to this traffic data and determining the periodic baseline of the traffic data from the historical traffic data; if this traffic data does not conform to the periodic fluctuation, the traffic data is abnormal;
if the traffic data belongs to the third indicator class, querying the normal historical traffic data corresponding to this traffic data, determining the mean value of the traffic data within a preset time from the historical traffic data, and calculating the fluctuation range of this traffic data relative to the mean value; if said fluctuation range does not meet the preset fluctuation range, the traffic data is abnormal;
wherein said traffic data comprises business data flows and device data flows, and the historical business data flows are obtained from said business flow tree and the historical device data flows.
7. The service traffic detection method according to claim 5, characterized in that, after the step of superimposing the device data flows according to the spatial information, temporal information, preset aggregation condition and preset time granularity and storing the superimposed traffic data and the aggregation items, the method further comprises the step of:
generating a report from the superimposed traffic data according to said preset aggregation condition and preset time granularity, and updating and displaying said report in real time.
8. A service traffic detection system, characterized in that it comprises:
an acquisition module, for collecting the traffic data of each device;
a normalization module, for normalizing each item of said traffic data to obtain a device data flow with spatial information, temporal information and technical indicator information;
an aggregation module, for aggregating the device data flows based on the spatial information to obtain a business flow tree, wherein said business flow tree comprises the relation between the main business data flow and the sub-service data flows, and the relation between the sub-service data flows and the device data flows;
a business data flow determination module, for determining the sub-service data flows according to the relation between sub-service data flows and device data flows in said business flow tree and said device data flows;
an abnormality judgement module, for comparing the sub-service data flows and device data flows against the prestored business behaviour rules to obtain the abnormality state of the device data flows and sub-service data flows; and for obtaining a main business health degree index according to the abnormality state of the device data flows, the abnormality state of the sub-service data flows, the business flow tree, the preset device data flow abnormality weights and the preset sub-service data flow abnormality weights, and determining from said main business health degree index whether the main business data flow is abnormal.
9. The service traffic detection system according to claim 8, characterized in that said aggregation module is further for:
matching the IP address and port in said spatial information against a prestored business flow tree to obtain the business flow tree, wherein said prestored business flow tree is built from the IP addresses and ports of the spatial information.
10. The service traffic detection system according to claim 8, characterized in that said aggregation module is further for:
deriving the ownership of the device data flows by association from the protocol content in said spatial information, to obtain the business flow tree.
11. The service traffic detection system according to any one of claims 8 to 10, characterized in that
it further comprises a first storage module for storing said business data flows and said device data flows;
and said abnormality judgement module is for:
if the traffic data belongs to the first indicator class, comparing whether said traffic data meets the preset feature baseline; if not, the traffic data is abnormal;
if the traffic data belongs to the second indicator class, querying the historical traffic data corresponding to this traffic data and determining the periodic baseline of the traffic data from the historical traffic data; if this traffic data does not conform to the periodic fluctuation, the traffic data is abnormal;
if the traffic data belongs to the third indicator class, querying the normal historical traffic data corresponding to this traffic data, determining the mean value of the traffic data within a preset time from the historical traffic data, and calculating the fluctuation range of this traffic data relative to the mean value; if said fluctuation range does not meet the preset fluctuation range, the traffic data is abnormal;
wherein said traffic data comprises business data flows and device data flows.
12. The service traffic detection system according to any one of claims 8 to 10, characterized in that
said aggregation module is further for superimposing the device data flows according to the spatial information, temporal information, preset aggregation condition and preset time granularity;
the system further comprises a second storage module for storing the superimposed traffic data and the aggregation items;
and a query module for receiving a query statement and querying and analysing the corresponding device data flows according to the time granularity and aggregation items.
13. The service traffic detection system according to claim 12, characterized in that it further comprises a display module for generating a report from the superimposed traffic data according to said preset aggregation condition and preset time granularity, and updating and displaying said report in real time.
Application CN201310461794.7A, priority date and filing date 2013-09-30, "Service traffic detection method and system", granted as CN103532776B (en).


Publications (2)

Publication Number Publication Date
CN103532776A (en) 2014-01-22
CN103532776B (en) 2016-06-22



Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model