CN103532776B - Service traffic detection method and system - Google Patents

Publication number: CN103532776B
Application number: CN201310461794.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN103532776A
Inventors: 苏扬, 邓大为, 周安
Current and original assignee: Electric Power Dispatch Control Center Of Guangdong Grid Co
Legal status: Active
Prior art keywords: data, flows, stream, business, data stream
Abstract

A service traffic detection method and system. The method includes the steps of: collecting the traffic data of each device and normalizing each item of traffic data to obtain device data flows that carry spatial information, temporal information and technical indicator information; aggregating the device data flows on the basis of the spatial information to obtain a service flow tree; determining sub-service data flows from the device data flows according to the relation between sub-service data flows and device data flows in the service flow tree; comparing the sub-service data flows and device data flows against prestored service behavior rules to obtain the anomaly state of the device data flows and of the sub-service data flows; and obtaining a main service health index from the anomaly state of the device data flows, the anomaly state of the sub-service data flows, the service flow tree, preset device data flow anomaly weights and preset sub-service data flow anomaly weights, and determining from the main service health index whether the main service data flow is abnormal. This scheme improves detection accuracy.

Description

Service traffic detection method and system
Technical field
The present invention relates to the technical field of network communication, and in particular to a service traffic detection method and system.
Background art
With the improvement of power automation and the development of communication and network technology, power systems increasingly depend on the power information network to ensure their safe, reliable and efficient operation. The security of the information network is directly tied to the security of the power system, so ensuring the information security of the power system is particularly important.
With the in-depth development and application of the integrated intelligent operation system, interactions between the various applications on the OSB bus are growing rapidly, security problems are gradually coming to the fore, and the traditional security protection of the power secondary system faces major new challenges. Unlike traditional independent application systems, the boundaries between the applications of the integrated intelligent operation system are blurred and the interactions between applications are more complex. Combining the network and service characteristics of the production control system, integrating several advanced information security techniques, and designing a system that identifies application service characteristics and analyzes application interaction behavior is of great significance for addressing the new problems of secondary system security protection and for ensuring secure and stable system operation.
With the growth of bandwidth, the applications and services on the power secondary system network keep expanding, such as control service traffic, monitoring service traffic and other misoperation traffic. At the same time, the cost and technical threshold of network attacks have fallen substantially, and various attacks and abnormal traffic appear on the network. With traffic composition becoming increasingly complex and abnormal traffic appearing in huge volumes, analyzing service behavior interaction patterns in depth in order to fully understand the distribution and trends of service traffic becomes very necessary.
The traditional approach is IDS technology (Intrusion Detection System), that is, detecting intrusion behavior. It collects information at a number of key points in a computer network or computer system and performs keyword matching on it, in order to discover whether the network or system shows behavior that violates the security policy or signs of having been attacked. Traffic can also be judged per device: when the traffic exceeds a threshold, it is judged abnormal. However, the traffic of some devices is often large while their service data flow is in a normal state; with keyword or threshold judgment, normal service data flows are frequently mistaken for anomalies, and detection accuracy is low.
Summary of the invention
On this basis, it is necessary to provide a service traffic detection method and system that address the problem of low detection accuracy.
A service traffic detection method includes the steps of:
Collecting the traffic data of each device and normalizing each item of traffic data to obtain device data flows carrying spatial information, temporal information and technical indicator information;
Aggregating the device data flows on the basis of the spatial information to obtain a service flow tree, where the service flow tree includes the relation between main service data flows and sub-service data flows and the relation between sub-service data flows and device data flows;
Determining sub-service data flows from the device data flows according to the relation between sub-service data flows and device data flows in the service flow tree;
Comparing the sub-service data flows and device data flows against prestored service behavior rules to obtain the anomaly state of the device data flows and of the sub-service data flows;
Obtaining a main service health index from the anomaly state of the device data flows, the anomaly state of the sub-service data flows, the service flow tree, preset device data flow anomaly weights and preset sub-service data flow anomaly weights, and determining from the main service health index whether the main service data flow is abnormal.
A service traffic detection system includes:
An acquisition module for collecting the traffic data of each device;
A normalization module for normalizing each item of traffic data to obtain device data flows carrying spatial information, temporal information and technical indicator information;
An aggregation module for aggregating the device data flows on the basis of the spatial information to obtain a service flow tree, where the service flow tree includes the relation between main service data flows and sub-service data flows and the relation between sub-service data flows and device data flows;
A service data flow determination module for determining sub-service data flows from the device data flows according to the relation between sub-service data flows and device data flows in the service flow tree;
An anomaly judgment module for comparing the sub-service data flows and device data flows against the prestored service behavior rules to obtain the anomaly state of the device data flows and of the sub-service data flows, and for obtaining a main service health index from the anomaly state of the device data flows, the anomaly state of the sub-service data flows, the service flow tree, preset device data flow anomaly weights and preset sub-service data flow anomaly weights, and determining from the main service health index whether the main service data flow is abnormal.
In the above service traffic detection method and system, the device data flows are aggregated so that the interaction behavior between services and within each service is associated, and service data flows are obtained. The anomaly state of the device data flows and the anomaly state of the service data flows are judged, and the two are combined to judge the anomaly state of the main service. This avoids the misjudgment of a service data flow as abnormal that arises from considering a single device in isolation, and improves detection accuracy. In other words, the present invention proposes a technique for detecting grid service anomalies by monitoring abnormal fluctuations of traffic behavior; it finds service anomalies from the perspective of overall behavior and greatly improves the accuracy of service alarms.
Brief description of the drawings
Fig. 1 is a flow diagram of the service traffic detection method of the present invention;
Fig. 2 is a structural diagram of the service traffic detection system of the present invention.
Detailed description of the invention
Embodiments of the service traffic detection method and system of the present invention are described in detail below.
Embodiments of the service traffic detection method are described first.
Referring to Fig. 1, the flow diagram of the service traffic detection method of the present invention, the method includes the steps:
Step S101: collect the traffic data of each device.
Data acquisition is the basis of all analysis services and the entry point of the whole system's data flow. Data acquisition can generally be divided into four modes: NetFlow, sFlow, SPAN and SNMP/RMON. These modes are device-dependent, that is, a given device may support only one or several acquisition modes. Each acquisition mode has its inherent advantages and limitations.
In one embodiment, a combined acquisition scheme of Flow traffic and adaptive mirror traffic is adopted, so that mirror data is collected and Flow data can also be collected directly. Mirror data is a copy of the traffic produced at a single port and serves as the analysis data source. Flow traffic includes information such as network information, time and volume.
Step S102: normalize each item of traffic data to obtain device data flows carrying spatial information, temporal information and technical indicator information.
After the various traffic data have been collected, this scheme normalizes them into a unified format to facilitate subsequent analysis and storage. In one embodiment the traffic data is stored in the vFlow format. The vFlow format consists of header data and body data. The header data includes the version, the number of flow records, the time since system startup, the system time, the flow sequence number, the engine type, the engine sequence number and the sampling rate. The body data includes the source IP address, destination IP address, IP address of the next-hop router, input interface index, output interface index, number of packets in the flow, total number of layer-3 bytes in the packets of the flow, flow start time, time at which the last packet of the flow was received, source port, destination port, unused bytes, TCP flags, IP protocol, number of sent TCP checksum errors, number of sent TCP retransmissions, number of sent TCP zero-window events, number of RST packets sent, number of FIN packets sent, number of SYN packets sent, number of successful connections and number of failed connections. For example, the vFlow format can be defined as follows:
The information contained in the vFlow traffic data collected in this embodiment can be divided into three classes: spatial information, temporal information and technical indicator information. Spatial information is where the traffic occurs, including router, physical port, IP address (range), AS number, region name and so on. Temporal information is when the traffic occurs, measured in minutes, time slices, hours, days, weeks, months and years. Technical indicator information describes the service characteristics of the traffic: application type, TCP flags, ToS, packet size and so on. Together, this information makes precise and comprehensive analysis of network traffic possible.
Step S103: aggregate the device data flows on the basis of the spatial information to obtain a service flow tree, where the service flow tree includes the relation between main service data flows and sub-service data flows and the relation between sub-service data flows and device data flows.
Service interaction behavior mining adopts the idea of cluster analysis to intelligently organize and mine the possible service interaction behaviors in the industrial control network. The information contained in the collected traffic data can be divided into three classes: spatial information, temporal information and technical indicator information. Service interaction behavior mining mainly aggregates the spatial information in the data and thereby discovers the interaction behavior between services. For example, a Map data structure based on a hash table can be used; this data structure provides all optional map operations but does not guarantee the order of the mappings. When mining service interaction behavior, this embodiment uses 60 seconds as the analysis cycle; each cycle generates one such Map structure to buffer and analyze the vFlow data obtained by the acquisition module. In this scheme the key of the Map is designed as a String whose concrete structure is the ordered combination of IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT and PROTOCOL.
In one embodiment, the step of aggregating the device data flows on the basis of the spatial information to obtain a service flow tree includes: matching the IP addresses and ports in the spatial information against a prestored service flow tree to obtain the service flow tree, where the prestored service flow tree is built from the IP addresses and ports in the spatial information. In advance, the relations between the devices are associated according to each device's IP addresses and ports, such as source and destination IP address and source and destination port, to obtain sub-services; main services are derived from the relations between sub-services, and a service flow tree is generated. Some devices may not belong to a single sub-service but be shared by several sub-services.
In one embodiment, the step of aggregating the device data flows on the basis of the spatial information to obtain a service flow tree includes: associating the membership of the device data flows according to the protocol content in the spatial information to obtain the service flow tree. The protocol content of each device is analyzed concretely to determine which service the device belongs to, and the service flow tree is associated accordingly.
Step S104: determine sub-service data flows from the device data flows according to the relation between sub-service data flows and device data flows in the service flow tree. Since several device data flows form one sub-service data flow, the data flows of the devices corresponding to a sub-service can be associated according to the relation between devices and sub-services in the service flow tree, and the sub-service data flow is obtained.
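As an added example (not code from the patent), the following Python builds the per-cycle hash-table Map keyed by the 5-tuple string of step S103 from constructed vFlow records, then derives device, sub-service and main-service data flows from a constructed prestored service flow tree as in step S104. The tree contents, device addresses, key separator and byte counts are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

CYCLE_SECONDS = 60  # analysis cycle length used by the embodiment


@dataclass(frozen=True)
class VFlowRecord:
    """Subset of the vFlow body fields needed here (field names are assumptions)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    start_time: int  # seconds since an arbitrary epoch
    packets: int
    l3_bytes: int


def flow_key(rec: VFlowRecord) -> str:
    """Map key: the ordered combination IPV4_SRC_ADDR, IPV4_DST_ADDR,
    L4_SRC_PORT, L4_DST_PORT, PROTOCOL as one string (separator assumed)."""
    return f"{rec.src_ip}|{rec.dst_ip}|{rec.src_port}|{rec.dst_port}|{rec.protocol}"


def aggregate_cycle(records, cycle_start):
    """One analysis cycle: merge every record starting inside
    [cycle_start, cycle_start + 60) into the hash-table Map keyed by the 5-tuple."""
    cycle_map = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for rec in records:
        if cycle_start <= rec.start_time < cycle_start + CYCLE_SECONDS:
            entry = cycle_map[flow_key(rec)]
            entry["packets"] += rec.packets
            entry["bytes"] += rec.l3_bytes
    return dict(cycle_map)


# Prestored service flow tree (constructed): main service -> sub-service -> device IPs.
# 10.0.1.11 is deliberately shared by two sub-services, as the text allows.
SERVICE_FLOW_TREE = {
    "main_dispatch": {
        "sub_control": ["10.0.1.10", "10.0.1.11"],
        "sub_monitor": ["10.0.1.11", "10.0.2.20"],
    },
}


def device_flows(cycle_map):
    """Device data flow: bytes seen per device IP in the cycle (as source or destination)."""
    per_device = defaultdict(int)
    for key, entry in cycle_map.items():
        src_ip, dst_ip, _sport, _dport, _proto = key.split("|")
        per_device[src_ip] += entry["bytes"]
        per_device[dst_ip] += entry["bytes"]
    return dict(per_device)


def subservice_flows(tree, dev_flows):
    """Step S104: a sub-service data flow is the association of its devices' flows."""
    return {
        (main, sub): sum(dev_flows.get(dev, 0) for dev in devices)
        for main, subs in tree.items()
        for sub, devices in subs.items()
    }


def main_service_flows(sub_flows):
    """Roll sub-service flows up to their main service using the tree relation."""
    totals = defaultdict(int)
    for (main, _sub), total in sub_flows.items():
        totals[main] += total
    return dict(totals)


# Constructed sample records: two share a 5-tuple inside cycle 0 and must merge,
# one belongs to a second 5-tuple, one starts in the next cycle and is excluded.
SAMPLE_RECORDS = [
    VFlowRecord("10.0.1.10", "10.0.1.11", 40000, 20000, 6, 0, 10, 1000),
    VFlowRecord("10.0.1.10", "10.0.1.11", 40000, 20000, 6, 30, 5, 500),
    VFlowRecord("10.0.2.20", "10.0.1.11", 40100, 20000, 6, 10, 3, 300),
    VFlowRecord("10.0.1.10", "10.0.1.11", 40000, 20000, 6, 70, 9, 999),
]


def run_cycle(records=SAMPLE_RECORDS, cycle_start=0):
    """Full S103/S104 pass for one cycle; returns all flow levels."""
    cycle_map = aggregate_cycle(records, cycle_start)
    dev = device_flows(cycle_map)
    sub = subservice_flows(SERVICE_FLOW_TREE, dev)
    return cycle_map, dev, sub, main_service_flows(sub)


if __name__ == "__main__":
    for level in run_cycle():
        print(level)
```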
In one embodiment, after step S104 the method further includes storing the service data flows and the device data flows. They can serve as historical data for subsequent queries, and also as historical data when data flows are judged. The service data flows and device data flows can be stored independently, or stored in correspondence with each other in the form of the service flow tree; a report can also be generated from the corresponding service flow tree that shows in real time the state of the service data flows and device data flows corresponding to the tree.
In another embodiment, the method further includes the steps of:
Performing traffic summation on the device data flows according to the spatial information, the temporal information, a preset aggregation condition and a preset time granularity, and storing the superimposed traffic data and the aggregation items; receiving a query statement, and querying and analyzing the corresponding data flows according to time granularity and aggregation item. The aggregation condition may include the service flow tree obtained in step S103, a division of the data flows by service category, a division by information category after normalization, and so on. The aggregation items are the data flows that have been superimposed. After the traffic data has been superimposed according to the preset aggregation condition, the network data within any time range can later be traced back by aggregation item and analyzed.
The volume of vFlow data in a network is very large, which is a major challenge for both storage and analysis; storing all of it in a database is not feasible with the hardware specifications of most devices, and such a fine data granularity is unnecessary in the vast majority of applications. The present application instead compresses and consolidates the raw flows by means of aggregation conditions and then saves them in the database in a more reasonable storage form. The core mechanism of the data compression is flow aggregation. Flow aggregation refers to merging raw flow records that conform to the flow data format according to certain conditions, so that several flows are merged into one and the raw flows are compressed and consolidated. Flow aggregation has three elements: the aggregation condition (F), the time granularity (T) and the aggregation items (C). Flows that satisfy the same aggregation condition and time granularity are summed, and the aggregation items are retained. Using the query function, the network communication data within any time range, both real-time and retrospective, can be traced back quickly, and the related communication data can be mined and analyzed quickly and comprehensively, so that network and application problems can be located and analyzed quickly and security attacks can be discovered and analyzed. At the same time, this stored data also serves as the historical data flow used for the anomaly judgment of device data flows and service data flows.
During traffic analysis, this technique adopts a flow-level monitoring and storage strategy, which ensures the accuracy and efficiency of analysis while achieving full storage of traffic behavior data. Because this method establishes full flow-level storage of service traffic behavior data, retrospective analysis of abnormal grid service behavior becomes possible.
In one embodiment, after the step of summing the device data flows according to the preset aggregation condition and preset time granularity, the method further includes: generating a report from the superimposed traffic data according to the preset aggregation condition and preset time granularity, and updating and displaying the report in real time. The aggregated traffic data is classified according to the aggregation condition and the service interaction situation is analyzed; daily or monthly reports and similar information can be produced, and the aggregated information can be displayed and analyzed.
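As an added example (not the patent's code), the following Python implements flow aggregation with the three elements named above: the aggregation condition F as a set of record fields, the time granularity T as a bucket width in seconds, and the aggregation items C as the counters that are summed and retained, followed by the trace-back query over the stored rows. The flow records, field names and granularity are constructed for illustration.

```python
# Constructed raw flow records (a few vFlow body fields; the names are assumptions).
RAW_FLOWS = [
    {"start_time": 5, "src_ip": "10.0.1.10", "dst_ip": "10.0.1.11", "dst_port": 20000,
     "protocol": 6, "packets": 10, "bytes": 1000},
    {"start_time": 120, "src_ip": "10.0.1.10", "dst_ip": "10.0.1.11", "dst_port": 20000,
     "protocol": 6, "packets": 4, "bytes": 400},
    {"start_time": 200, "src_ip": "10.0.2.20", "dst_ip": "10.0.1.11", "dst_port": 20000,
     "protocol": 6, "packets": 2, "bytes": 150},
    {"start_time": 310, "src_ip": "10.0.1.10", "dst_ip": "10.0.1.11", "dst_port": 20000,
     "protocol": 6, "packets": 7, "bytes": 700},
    {"start_time": 330, "src_ip": "10.0.1.10", "dst_ip": "10.0.1.11", "dst_port": 20001,
     "protocol": 6, "packets": 1, "bytes": 60},
]


def aggregate_flows(records, condition_fields, granularity, items):
    """Flow aggregation with the three elements from the text:
    F = condition_fields (records with equal values of these fields merge),
    T = granularity in seconds (records merge only inside one time bucket),
    C = items (the counters that are summed and retained in the merged row)."""
    rows = {}
    for rec in records:
        bucket = (rec["start_time"] // granularity) * granularity
        key = (bucket,) + tuple(rec[f] for f in condition_fields)
        if key not in rows:
            rows[key] = {"bucket_start": bucket, "merged_records": 0}
            rows[key].update({f: rec[f] for f in condition_fields})
            rows[key].update({c: 0 for c in items})
        for c in items:
            rows[key][c] += rec[c]
        rows[key]["merged_records"] += 1
    return list(rows.values())


def compression_ratio(records, aggregated):
    """How many raw flow records each stored row stands for."""
    return len(records) / len(aggregated)


def query(aggregated, t_from, t_to, **filters):
    """Trace back stored rows whose bucket lies in [t_from, t_to) and whose
    retained F fields match the filters, e.g. dst_ip="10.0.1.11"."""
    return [
        row for row in aggregated
        if t_from <= row["bucket_start"] < t_to
        and all(row.get(k) == v for k, v in filters.items())
    ]


def example():
    """F = (dst_ip, dst_port), T = 300 s, C = (packets, bytes): 5 raw records become 3 rows."""
    agg = aggregate_flows(RAW_FLOWS, ("dst_ip", "dst_port"), 300, ("packets", "bytes"))
    return agg, compression_ratio(RAW_FLOWS, agg)


if __name__ == "__main__":
    rows, ratio = example()
    print(f"{len(RAW_FLOWS)} raw records -> {len(rows)} rows (ratio {ratio:.2f})")
    for row in query(rows, 0, 600, dst_ip="10.0.1.11"):
        print(row)
```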
Step S105: compare the sub-service data flows and device data flows against the prestored service behavior rules to obtain the anomaly state of the device data flows and of the sub-service data flows.
A service behavior rule can be a keyword or a threshold; whether a device data flow or a sub-service data flow is normal is judged by keyword or by threshold. In one embodiment, step S105 includes:
If the traffic data belongs to the first indicator data, the traffic data is compared with a preset feature baseline, and if it does not conform, the traffic data is abnormal. Some data flows must not exceed a preset fixed threshold or a user-defined feature range, or must satisfy certain keywords; this class of data is set as the first indicator data.
If the traffic data belongs to the second indicator data, the periodic baseline of the traffic data is determined from the historical traffic data, and if it does not conform to the periodic fluctuation, the traffic data is abnormal. Some data flows change periodically, for example the total traffic of a port or the traffic trend of a certain IP group; this class of data flow is set as the second indicator data.
If the traffic data belongs to the third indicator data, the mean value of the traffic data over a preset time is determined from the normal historical traffic data, the fluctuation range of the traffic data relative to the mean value is calculated, and if the fluctuation range does not conform to the preset fluctuation range, the traffic data is abnormal. The normal value of some data flows shows no obvious periodic variation but fluctuates within a small range; this class of data flow is set as the third indicator data. Normal historical traffic data means historical traffic data in which all the traffic data is normal, with no sudden changes or out-of-range values.
The traffic data includes service data flows and device data flows. The first indicator data may also be a user-defined feature fingerprint, and the second and third indicator data may be set as other indicator data as required.
In another embodiment, the device data flows can be summed according to the spatial information, temporal information, preset aggregation condition and preset time granularity, and the superimposed traffic data and aggregation items stored. For data stored in this way, the judgment method adopted by this scheme is:
If the traffic data belongs to the first indicator data, the traffic data is compared with the preset feature baseline, and if it does not conform to the preset feature baseline, the traffic data is abnormal.
If the traffic data belongs to the second indicator data, the historical traffic data corresponding to the traffic data is queried, the periodic baseline of the traffic data is determined from the historical traffic data, and if the traffic data does not conform to the periodic fluctuation, the traffic data is abnormal. In one embodiment, the periodic baseline can be identical to the periodic fluctuation, that is, the device data flow must conform fully to the periodic baseline, otherwise the device data flow is abnormal. In another embodiment, the periodic fluctuation can be a fluctuation range around the periodic baseline, that is, as long as the device data flow lies within a range above and below the periodic baseline it is counted as normal.
If the traffic data belongs to the third indicator data, the normal historical traffic data corresponding to the traffic data is queried, the mean value of the traffic data over the preset time is determined from the historical traffic data, the fluctuation range of the traffic data relative to the mean value is calculated, and if the fluctuation range does not conform to the preset fluctuation range, the traffic data is abnormal.
The traffic data includes service data flows and device data flows, and the historical service data flows are obtained from the service flow tree and the historical device data flows.
Specifically:
The service interaction behavior model describes the characteristics of the service system's traffic, and a service behavior rule describes the legitimacy rule of service flow interaction behavior; such rules can be defined according to expert experience or industry standards.
Service behavior rules are defined on the basis of the service interaction behavior model, and each service interaction behavior model can have one or more behavior rules. The service behavior rules within a given service interaction behavior model are designed to constrain the following conditions: time constraint, port constraint, protocol constraint, traffic constraint, traffic rate constraint and packet rate constraint. Together these constraint conditions form the service behavior rule. Traffic that does not satisfy a rule must trigger an early warning.
The abnormal behavior warning module combines the vFlow data obtained by the traffic acquisition module with the service behavior rules to discover abnormal service behavior in the industrial control network and issue early warnings. Traffic detection in this embodiment uses baselines as the main means and feature fingerprint detection as a supplement. The data analysis process of abnormal traffic detection is divided into three steps: calculation of the measured value of the detection indicator, calculation of the baseline value of the detection indicator, and comparison of the measured value with the baseline value.
The principle of abnormal traffic detection is to compare the measured value of the detection indicator with the baseline value; an alarm is generated when the former exceeds the latter. The selection and calculation of the detection indicators and the generation of the baseline data model are therefore the two most critical processes of abnormal traffic detection. The baseline data model must be generated independently, the independence of the detection plug-ins must be guaranteed, and large amounts of repeated computation must be avoided.
Because the variation characteristics of the anomaly detection indicators differ, they should be compared with different baselines. The system uses four different baselines. The first is the periodic baseline, used for checking indicators whose trend is clearly periodic, such as the total traffic of a port, the total traffic of an application or the traffic trend of an IP group. The second is the moving window baseline; if the normal value of a detection indicator shows no obvious periodic variation but fluctuates within a small range, the moving window baseline works relatively well. Its baseline value is obtained from a set of historical traffic data using a weighted average and confidence interval algorithm. Historical data outside the credible range does not take part in the baseline calculation (that is, abnormal data within the time period is excluded from the calculation), which ensures the validity of the baseline. The third is the feature baseline, a fixed anomaly detection pattern usually derived from experience or from the results of experimental measurement. The fourth is the custom baseline, which detects by user-defined feature fingerprints, for example by setting different baseline values for different service situations: when the number of accesses exceeds 100, the traffic must not exceed one threshold, and when the number of accesses does not exceed 100, it must not exceed another threshold.
These four baseline judgment methods can be used for judging device data flows as well as service data flows. This embodiment sets the traffic data corresponding to the periodic baseline as the first indicator data, the traffic data corresponding to the moving window baseline as the second indicator data, and the traffic data corresponding to the feature baseline and the custom baseline as the third indicator data. Therefore, in the judgment process, the class to which the traffic data belongs is identified first, and the corresponding judgment process is then carried out.
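As an added example (not the patent's code), the following Python carries out the baseline comparisons described for step S105: a periodic baseline with a fluctuation range around it, a moving window baseline built from a weighted mean and a z-sigma confidence band that drops out-of-range history before the final baseline is computed, a feature (fixed threshold) baseline, and the custom two-tier rule of the text (more than 100 accesses selects one limit, otherwise another). It also renders an early warning record using the field set and order of the log format table below; the key=value layout, the z value, the series values and the thresholds are constructed assumptions.

```python
import math


def periodic_baseline(history, period):
    """history: per-slot measurements covering whole periods (constructed).
    The baseline for each phase is the mean of that phase across the periods."""
    n_periods = len(history) // period
    return [sum(history[p * period + i] for p in range(n_periods)) / n_periods
            for i in range(period)]


def periodic_ok(baseline, slot, value, tolerance):
    """Normal when within +/- tolerance (a fraction) of the baseline at the slot's
    phase: the 'fluctuation range around the periodic baseline' embodiment."""
    expected = baseline[slot % len(baseline)]
    return abs(value - expected) <= tolerance * expected


def _weighted_stats(values, weights):
    total = sum(weights)
    mean = sum(v * w for v, w in zip(values, weights)) / total
    var = sum(w * (v - mean) ** 2 for v, w in zip(values, weights)) / total
    return mean, math.sqrt(var)


def moving_window_baseline(window, weights, z=2.0):
    """Weighted mean and standard deviation of the window. Samples outside the
    first z-sigma band are treated as not credible and excluded, so abnormal
    history does not shape the final baseline (z = 2 is an assumption)."""
    mean, sd = _weighted_stats(window, weights)
    kept = [(v, w) for v, w in zip(window, weights) if abs(v - mean) <= z * sd]
    if len(kept) < 2:
        return mean, sd
    values, wts = zip(*kept)
    return _weighted_stats(values, wts)


def window_ok(value, mean, sd, z=2.0):
    """Measured value is normal when inside the confidence band of the baseline."""
    return abs(value - mean) <= z * sd


def feature_ok(value, fixed_threshold):
    """Feature baseline: a fixed threshold the indicator must not exceed."""
    return value <= fixed_threshold


def custom_ok(access_count, traffic, busy_limit, quiet_limit):
    """Custom baseline from the text: over 100 accesses -> one limit, else another."""
    return traffic <= (busy_limit if access_count > 100 else quiet_limit)


def warning_record(sa, sport, da, dport, proto, atype, count, msg, act, mod="attack"):
    """Early warning record with the fields of the log format table; the
    key=value separator layout is an assumption, not the page's format string."""
    return (f"mod={mod} sa={sa} sport={sport} da={da} dport={dport} proto={proto} "
            f"type={atype} count={count} msg={msg} act={act}")


def demo():
    """Constructed data: two 4-slot periods, and a 7-sample window with one
    outlier (1000) that must be excluded from the moving window baseline."""
    hist = [10, 20, 30, 40, 12, 22, 28, 42]
    base = periodic_baseline(hist, 4)
    window = [100, 102, 98, 101, 99, 100, 1000]
    mean, sd = moving_window_baseline(window, [1] * len(window))
    results = {
        "periodic_normal": periodic_ok(base, 5, 23, 0.2),
        "periodic_abnormal": periodic_ok(base, 5, 40, 0.2),
        "window_normal": window_ok(101, mean, sd),
        "window_abnormal": window_ok(105, mean, sd),
        "feature_abnormal": feature_ok(1200, fixed_threshold=1000),
        "custom_quiet_abnormal": custom_ok(50, 800, busy_limit=1000, quiet_limit=500),
        "custom_busy_normal": custom_ok(150, 800, busy_limit=1000, quiet_limit=500),
    }
    record = warning_record("10.0.2.20", 40100, "10.0.1.11", 20000, 6,
                            "traffic_over_baseline", 1, "window baseline exceeded", "log")
    return base, (mean, sd), results, record


if __name__ == "__main__":
    for item in demo():
        print(item)
```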
After the device data flows and service data flows have been judged, the judgment results can be stored, or reported using the syslog protocol. The service behavior early warning record is designed as follows:
Log format matching string:
Field name   Type   Description
mod          %s     Module name; the name used by this module is attack
sa           %s     Source IP address
sport        %d     Source port (type&code for the ICMP protocol)
da           %s     Destination IP address
dport        %d     Destination port
proto        %d     Protocol type
type         %s     Attack type
count        %d     Number of repetitions
msg          %s     Message
act          %s     Concrete action, including drop, pass, evidence preservation, add to blacklist, etc.
Log example:
Step S106: obtain a main service health index from the anomaly state of the device data flows, the anomaly state of the sub-service data flows, the service flow tree, the preset device data flow anomaly weights and the preset sub-service data flow anomaly weights, and determine from the main service health index whether the main service data flow is abnormal.
The security posture of the services is presented in the form of a service health system; the service health index is calculated mainly from the frequency, severity and scope of the service early warning information. The system automatically performs periodic data collection, analysis and calculation on all data: the basic indicator data is obtained by the system automatically and is analyzed and calculated automatically. The system can calculate KPI indicators from the security information obtained from the service rule detection results. For example, whether a sub-service data flow is abnormal is determined from the anomaly state of the device data flows, the preset device data flow anomaly weights and the relation between devices and sub-services in the service flow tree. From the sub-service data flow anomaly situation so determined, the preset sub-service data flow anomaly weights and the relation between sub-services and main services in the service flow tree, the main service health index is obtained, and whether the main service data flow is abnormal is determined from the main service health index. For example, a main service data flow has several sub-service data flows below it, and one of them, sub-service data flow m, includes device A, device B and device C. Suppose the traffic of device A is high, the traffic of device B is low, the traffic of device C is normal, and the total traffic of devices A, B and C is normal. When devices A and B are critical devices, sub-service data flow m can be judged abnormal; when devices A and B are non-critical devices, sub-service data flow m can be judged normal.
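As an added example (not the patent's code), the following Python reproduces the device A/B/C scenario above: sub-service anomaly is scored from the device anomaly states and preset device anomaly weights, and the main service health index is scored from the sub-service results and preset sub-service anomaly weights. The weight values, the additive scoring formula, the health index formula and the abnormal cut-off are constructed assumptions; the page does not give them.

```python
# Preset device data flow anomaly weights (constructed): a critical device's anomaly
# counts in full, a non-critical device's anomaly only as a fraction.
DEVICE_ANOMALY_WEIGHT = {"critical": 1.0, "noncritical": 0.2}


def subservice_state(device_states, device_roles, total_abnormal, threshold=1.0):
    """Sub-service anomaly from its devices' states ('high', 'low' or 'normal'),
    their roles and whether the sub-service total traffic itself is abnormal.
    Score = sum of the weights of abnormal devices, plus 1.0 if the total is
    abnormal; the sub-service is abnormal once the score reaches the threshold."""
    score = sum(DEVICE_ANOMALY_WEIGHT[device_roles[dev]]
                for dev, state in device_states.items() if state != "normal")
    if total_abnormal:
        score += 1.0
    return score >= threshold, score


def main_health_index(sub_states, sub_weights):
    """Health index in 0..100: 100 minus the weighted share of abnormal sub-services,
    using the preset sub-service data flow anomaly weights."""
    total = sum(sub_weights.values())
    abnormal = sum(sub_weights[s] for s, (is_abn, _score) in sub_states.items() if is_abn)
    return 100.0 * (1.0 - abnormal / total)


def main_abnormal(index, cutoff=70.0):
    """The main service data flow is abnormal when its health index falls below the cut-off."""
    return index < cutoff


def text_example(roles_ab):
    """Sub-service m = devices A, B, C with A high, B low, C normal and the total
    normal; roles_ab selects whether A and B are 'critical' or 'noncritical'.
    A second, all-normal sub-service n of the same main service is constructed."""
    states = {"A": "high", "B": "low", "C": "normal"}
    roles = {"A": roles_ab, "B": roles_ab, "C": "noncritical"}
    m = subservice_state(states, roles, total_abnormal=False)
    n = subservice_state({"D": "normal"}, {"D": "critical"}, total_abnormal=False)
    sub_states = {"m": m, "n": n}
    index = main_health_index(sub_states, {"m": 3.0, "n": 1.0})
    return m[0], index, main_abnormal(index)


if __name__ == "__main__":
    for roles in ("critical", "noncritical"):
        print(roles, text_example(roles))
```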
The service health indices can be classified and presented according to the index hierarchy. The overall traffic security posture and multi-dimensional service security posture are presented. Trend analysis of service health is supported, e.g. trend charts, ideal value, target value, period-over-period value and so on. Visual presentation of service health indicators is supported.
The whole-network traffic data are collected at the routing and switching devices of the industrial control network. Using flow-level traffic behaviour analysis, three kinds of baseline model are established (a feature baseline, a periodicity baseline and a mean fluctuation-range baseline, as set out below), the services in the network are monitored and analysed in real time, and abnormal fluctuations of service traffic are discovered automatically, so as to determine anomalies in the grid's proprietary services. At the same time, by storing the traffic behaviour data, the ability to trace back changes in grid traffic faults is obtained.
This scheme also provides a service traffic detection system. Figure 2 is a structural schematic of an embodiment of the service traffic detection system of the present invention, which includes:
an acquisition module 201, for collecting the traffic data of each device;
a normalization module 202, for normalizing each item of traffic data to obtain device data flows having spatial information, temporal information and technical indicator information;
an aggregation module 203, for aggregating the device data flows based on the spatial information to obtain a service flow tree, where the service flow tree includes the relations between main service data flows and sub-service data flows, and between sub-service data flows and device data flows;
a service data flow determination module 204, for determining the sub-service data flows from the sub-service-to-device relations in the service flow tree and the device data flows;
an anomaly judgement module 205, for comparing the sub-service data flows and device data flows against prestored service behaviour rules to obtain the anomaly states of the device data flows and sub-service data flows; and for obtaining a main service health index from the anomaly states of the device data flows, the anomaly states of the sub-service data flows, the service flow tree, the preset device data flow anomaly weights and the preset sub-service data flow anomaly weights, and determining from that index whether the main service data flow is abnormal.
In one embodiment, the aggregation module is further used to match the IP addresses and ports in the spatial information against a prestored service flow tree to obtain the service flow tree, where the prestored service flow tree is built from the IP addresses and ports of the spatial information.
In one embodiment, the aggregation module is further used to associate the ownership of a device data flow from the protocol content in the spatial information, to obtain the service flow tree.
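The two aggregation variants above (matching on IP address and port against a prestored tree, and falling back to association by protocol content) are shown together in this added example, which is not the patent's code. The flow records, the prestored (IP, port) table, the protocol-to-owner table and the service names are constructed for illustration; the sub-service data flow is then derived as the sum of the device data flows under each sub-service, which is the step module 204 performs.

```python
"""Added example (not the patent's code): aggregating normalized device data flows
into a service flow tree by (IP, port) match with a protocol-content fallback.
All tables and flow records below are constructed for illustration."""
from collections import defaultdict

# Normalized device data flows: spatial information (src, dst, dst port, protocol),
# temporal information (ts) and one technical indicator (bytes).  Constructed sample.
FLOWS = [
    {"src": "10.1.0.11", "dst": "10.1.0.1", "dport": 2404, "proto": "iec104", "ts": 0, "bytes": 900},
    {"src": "10.1.0.12", "dst": "10.1.0.1", "dport": 2404, "proto": "iec104", "ts": 0, "bytes": 700},
    {"src": "10.2.0.5", "dst": "10.2.0.1", "dport": 502, "proto": "modbus", "ts": 0, "bytes": 300},
    {"src": "10.9.0.7", "dst": "10.9.0.1", "dport": 20000, "proto": "dnp3", "ts": 0, "bytes": 120},
    {"src": "10.5.0.3", "dst": "10.5.0.1", "dport": 80, "proto": "http", "ts": 0, "bytes": 4500},
]

# Prestored service flow tree, keyed by the (IP, port) of the spatial information:
# (dst IP, dst port) -> (main service, sub-service).  Constructed.
PRESTORED = {
    ("10.1.0.1", 2404): ("scada", "telecontrol"),
    ("10.2.0.1", 502): ("scada", "metering"),
}
# Fallback: associate ownership from the protocol content when no (IP, port) entry exists.
PROTO_OWNER = {"dnp3": ("scada", "rtu-polling")}


def classify(flow):
    """Return (main_service, sub_service), or None if the flow cannot be attributed."""
    hit = PRESTORED.get((flow["dst"], flow["dport"]))
    if hit is None:
        hit = PROTO_OWNER.get(flow["proto"])
    return hit


def build_tree(flows):
    """Service flow tree as main -> sub -> {device IP: bytes}.  Flows matching neither
    table are returned separately: in a control network they are the first thing to
    inspect, since every legitimate flow should belong to a known service."""
    tree = defaultdict(lambda: defaultdict(dict))
    unattributed = []
    for f in flows:
        hit = classify(f)
        if hit is None:
            unattributed.append(f)
            continue
        main, sub = hit
        devices = tree[main][sub]
        devices[f["src"]] = devices.get(f["src"], 0) + f["bytes"]
    return tree, unattributed


def sub_service_flows(tree):
    """Sub-service data flow = sum of the device data flows beneath it."""
    return {(main, sub): sum(devs.values())
            for main, subs in tree.items() for sub, devs in subs.items()}


if __name__ == "__main__":
    tree, unknown = build_tree(FLOWS)
    for (main, sub), total in sub_service_flows(tree).items():
        print(f"{main}/{sub}: {total} bytes from {sorted(tree[main][sub])}")
    print("unattributed:", [(f['src'], f['dst'], f['dport'], f['proto']) for f in unknown])
```

The HTTP flow to 10.5.0.1:80 matches neither table and is kept aside rather than silently dropped or lumped into a service; whether that is a misconfigured tree entry or an unexpected host talking on the control network is something the analyst, not the aggregator, should decide.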
In one embodiment, a first storage module is also included, for storing the service data flows and the device data flows;
and the anomaly judgement module is used to:
if the traffic data belong to the first indicator data, compare the traffic data with a preset feature baseline; if they do not match, the traffic data are abnormal;
if the traffic data belong to the second indicator data, query the historical traffic data corresponding to the traffic data, determine a periodicity baseline of the traffic data from the historical traffic data, and if the traffic data do not follow the periodic fluctuation, the traffic data are abnormal;
if the traffic data belong to the third indicator data, query the normal historical traffic data corresponding to the traffic data, determine the mean of the traffic data over a preset time from the historical traffic data, compute the fluctuation range of the traffic data relative to that mean, and if the fluctuation range does not lie within the preset fluctuation range, the traffic data are abnormal;
where the traffic data include service data flows and device data flows.
In one embodiment, the aggregation module is further used to sum the traffic of the device data flows according to the spatial information, temporal information, preset aggregation conditions and preset time granularity;
a second storage module is also included, for storing the superposed traffic data and the aggregation items;
and a query module is also included, for receiving query instructions and querying and analysing the corresponding data flows by time granularity and aggregation item.
In one embodiment, a display module is also included, for generating reports from the preset aggregation conditions, the preset time granularity and the superposed traffic data, and updating and displaying the reports in real time.
The specific implementation has already been described for the service traffic detection method above and is not repeated here.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but this is not to be interpreted as limiting the scope of the patent claims. It should be pointed out that a person of ordinary skill in the art may make various modifications and improvements without departing from the concept of the invention, and these fall within the protection scope of the present invention. Therefore, the protection scope of the present patent shall be determined by the appended claims.

Claims (13)

1. A service traffic detection method, characterized in that it includes the steps of:
collecting the traffic data of each device and normalizing each item of said traffic data to obtain device data flows having spatial information, temporal information and technical indicator information;
aggregating the device data flows based on the spatial information to obtain a service flow tree, where said service flow tree includes the relations between main service data flows and sub-service data flows, and between sub-service data flows and device data flows;
determining the sub-service data flows from the sub-service-to-device relations in said service flow tree and said device data flows;
comparing the sub-service data flows and device data flows against prestored service behaviour rules to obtain the anomaly states of the device data flows and sub-service data flows;
obtaining a main service health index from the anomaly states of the device data flows, the anomaly states of the sub-service data flows, the service flow tree, preset device data flow anomaly weights and preset sub-service data flow anomaly weights, and determining from said main service health index whether the main service data flow is abnormal.
2. The service traffic detection method according to claim 1, characterized in that the step of aggregating the device data flows based on the spatial information to obtain a service flow tree includes the step of:
matching the IP addresses and ports in said spatial information against a prestored service flow tree to obtain the service flow tree, where said prestored service flow tree is built from the IP addresses and ports of the spatial information.
3. The service traffic detection method according to claim 1, characterized in that the step of aggregating the device data flows based on the spatial information to obtain a service flow tree includes the step of:
associating the ownership of each device data flow from the protocol content in said spatial information to obtain the service flow tree.
4. The service traffic detection method according to any one of claims 1 to 3, characterized in that
after the step of determining the sub-service data flows from the sub-service-to-device relations in said service flow tree and said device data flows, it further includes: storing said service data flows and said device data flows;
and the step of comparing the sub-service data flows and device data flows against prestored service behaviour rules to obtain the anomaly states of the device data flows and service data flows includes the steps of:
if the traffic data belong to the first indicator data, comparing said traffic data with a preset feature baseline, and if they do not match, the traffic data are abnormal;
if the traffic data belong to the second indicator data, querying the historical traffic data corresponding to the traffic data, determining a periodicity baseline of the traffic data from the historical traffic data, and if the traffic data do not follow the periodic fluctuation, the traffic data are abnormal;
if the traffic data belong to the third indicator data, querying the normal historical traffic data corresponding to the traffic data, determining the mean of the traffic data over a preset time from the normal historical traffic data, computing the fluctuation range of the traffic data relative to that mean, and if said fluctuation range does not lie within the preset fluctuation range, the traffic data are abnormal;
where said traffic data include service data flows and device data flows.
5. The service traffic detection method according to any one of claims 1 to 3, characterized in that, after the step of collecting the traffic data of each device and normalizing each item of said traffic data to obtain device data flows having spatial information, temporal information and technical indicator information, it further includes the steps of:
summing the traffic of the device data flows according to the spatial information, temporal information, preset aggregation conditions and preset time granularity, and storing the superposed traffic data and the aggregation items;
receiving a query instruction, and querying and analysing the corresponding device data flows by time granularity and aggregation item.
6. The service traffic detection method according to claim 5, characterized in that
the step of comparing the sub-service data flows and device data flows against prestored service behaviour rules to obtain the anomaly states of the device data flows and service data flows includes the steps of:
if the traffic data belong to the first indicator data, checking whether said traffic data match a preset feature baseline, and if they do not match, the traffic data are abnormal;
if the traffic data belong to the second indicator data, querying the historical traffic data corresponding to the traffic data, determining a periodicity baseline of the traffic data from the historical traffic data, and if the traffic data do not follow the periodic fluctuation, the traffic data are abnormal;
if the traffic data belong to the third indicator data, querying the normal historical traffic data corresponding to the traffic data, determining the mean of the traffic data over a preset time from the normal historical traffic data, computing the fluctuation range of the traffic data relative to that mean, and if said fluctuation range does not lie within the preset fluctuation range, the traffic data are abnormal;
where said traffic data include service data flows and device data flows, and the historical service data flows are obtained from said service flow tree and the historical device data flows.
7. The service traffic detection method according to claim 5, characterized in that, after the step of summing the traffic of the device data flows according to the spatial information, temporal information, preset aggregation conditions and preset time granularity and storing the superposed traffic data and the aggregation items, it further includes the step of:
generating reports from said preset aggregation conditions, preset time granularity and superposed traffic data, and updating and displaying said reports in real time.
8. A service traffic detection system, characterized in that it includes:
an acquisition module, for collecting the traffic data of each device;
a normalization module, for normalizing each item of said traffic data to obtain device data flows having spatial information, temporal information and technical indicator information;
an aggregation module, for aggregating the device data flows based on the spatial information to obtain a service flow tree, where said service flow tree includes the relations between main service data flows and sub-service data flows, and between sub-service data flows and device data flows;
a service data flow determination module, for determining the sub-service data flows from the sub-service-to-device relations in said service flow tree and said device data flows;
an anomaly judgement module, for comparing the sub-service data flows and device data flows against prestored service behaviour rules to obtain the anomaly states of the device data flows and sub-service data flows; and for obtaining a main service health index from the anomaly states of the device data flows, the anomaly states of the sub-service data flows, the service flow tree, preset device data flow anomaly weights and preset sub-service data flow anomaly weights, and determining from said main service health index whether the main service data flow is abnormal.
9. The service traffic detection system according to claim 8, characterized in that said aggregation module is further used to:
match the IP addresses and ports in said spatial information against a prestored service flow tree to obtain the service flow tree, where said prestored service flow tree is built from the IP addresses and ports of the spatial information.
10. The service traffic detection system according to claim 8, characterized in that said aggregation module is further used to:
associate the ownership of each device data flow from the protocol content in said spatial information to obtain the service flow tree.
11. The service traffic detection system according to any one of claims 8 to 10, characterized in that
it further includes a first storage module, for storing said service data flows and said device data flows;
and said anomaly judgement module is used to:
if the traffic data belong to the first indicator data, check whether said traffic data match a preset feature baseline, and if they do not match, the traffic data are abnormal;
if the traffic data belong to the second indicator data, query the historical traffic data corresponding to the traffic data, determine a periodicity baseline of the traffic data from the historical traffic data, and if the traffic data do not follow the periodic fluctuation, the traffic data are abnormal;
if the traffic data belong to the third indicator data, query the normal historical traffic data corresponding to the traffic data, determine the mean of the traffic data over a preset time from the normal historical traffic data, compute the fluctuation range of the traffic data relative to that mean, and if said fluctuation range does not lie within the preset fluctuation range, the traffic data are abnormal;
where said traffic data include service data flows and device data flows.
12. The service traffic detection system according to any one of claims 8 to 10, characterized in that
said aggregation module is further used to sum the traffic of the device data flows according to the spatial information, temporal information, preset aggregation conditions and preset time granularity;
it further includes a second storage module, for storing the superposed traffic data and the aggregation items;
and it further includes a query module, for receiving query instructions and querying and analysing the corresponding device data flows by time granularity and aggregation item.
13. The service traffic detection system according to claim 12, characterized in that it further includes a display module, for generating reports from said preset aggregation conditions, preset time granularity and superposed traffic data, and updating and displaying said reports in real time.
CN201310461794.7A 2013-09-30 2013-09-30 Service traffics detection method and system Active CN103532776B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310461794.7A CN103532776B (en) 2013-09-30 2013-09-30 Service traffics detection method and system

Publications (2)

Publication Number Publication Date
CN103532776A CN103532776A (en) 2014-01-22
CN103532776B true CN103532776B (en) 2016-06-22

Family

ID=49934475

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310461794.7A Active CN103532776B (en) 2013-09-30 2013-09-30 Service traffics detection method and system

Country Status (1)

Country Link
CN (1) CN103532776B (en)

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105099732B (en) * 2014-04-28 2018-11-20 华为技术有限公司 A kind of methods, devices and systems identifying abnormal IP traffic
US9923794B2 (en) 2014-04-28 2018-03-20 Huawei Technologies Co., Ltd. Method, apparatus, and system for identifying abnormal IP data stream
CN105320585B (en) * 2014-07-08 2019-04-02 北京启明星辰信息安全技术有限公司 A kind of method and device for realizing application failure diagnosis
CN104636874B (en) * 2015-02-12 2019-04-16 北京嘀嘀无限科技发展有限公司 Detect the method and apparatus of service exception
CN106034131A (en) * 2015-03-18 2016-10-19 北京启明星辰信息安全技术有限公司 Business compliance detecting method and system based on Flow analysis
CN105447323A (en) * 2015-12-11 2016-03-30 百度在线网络技术(北京)有限公司 Data abnormal fluctuations detecting method and apparatus
CN105721498A (en) * 2016-04-07 2016-06-29 周文奇 Industrial control network security early-warning system
CN106100937B (en) * 2016-08-17 2019-05-10 北京百度网讯科技有限公司 System monitoring method and apparatus
CN106534110B (en) * 2016-11-08 2020-07-28 南京南瑞继保电气有限公司 Trinity transformer substation secondary system safety protection system framework system
CN108241687B (en) * 2016-12-26 2022-05-17 阿里巴巴集团控股有限公司 Method and device for processing visual chart information
CN107358031B (en) * 2017-06-19 2021-12-21 上海德启信息科技有限公司 Client health degree determination method and device
CN107491505B (en) * 2017-07-31 2020-06-16 北京市天元网络技术股份有限公司 Universal index processing method and system
CN108683681A (en) * 2018-06-01 2018-10-19 杭州安恒信息技术股份有限公司 A kind of smart home intrusion detection method and device based on traffic policy
CN109040084B (en) * 2018-08-13 2021-03-12 广东电网有限责任公司 Network flow abnormity detection method, device, equipment and storage medium
CN109088797A (en) * 2018-09-26 2018-12-25 赛尔网络有限公司 The world communicates IPv6+ agreement monitoring method
CN109547283B (en) * 2018-10-23 2022-06-14 日海通信服务有限公司 Intelligent communication service method and system
CN109616213A (en) * 2018-11-14 2019-04-12 金色熊猫有限公司 Data processing method and device, storage medium and electronic equipment
WO2020113434A1 (en) * 2018-12-04 2020-06-11 比特大陆科技有限公司 Method and apparatus for processing time records
CN109919448A (en) * 2019-02-01 2019-06-21 国网浙江省电力有限公司金华供电公司 Method for the analysis application of power grid regulation operation data Intelligent statistical
CN110034977B (en) * 2019-04-18 2021-11-09 浙江齐治科技股份有限公司 Equipment safety monitoring method and safety monitoring equipment
CN110138600A (en) * 2019-04-28 2019-08-16 北京大米科技有限公司 A kind of prompt information output method, device, storage medium and server
CN110691081A (en) * 2019-09-25 2020-01-14 南京源堡科技研究院有限公司 Network information acquisition method based on big data platform
CN110784458B (en) * 2019-10-21 2023-04-18 新华三信息安全技术有限公司 Flow abnormity detection method and device and network equipment
CN112819491B (en) * 2019-11-15 2024-02-09 百度在线网络技术(北京)有限公司 Method and device for converting data processing, electronic equipment and storage medium
CN111314121A (en) * 2020-02-03 2020-06-19 支付宝(杭州)信息技术有限公司 Link abnormity detection method and device
CN111343210B (en) * 2020-05-21 2020-08-04 上海飞旗网络技术股份有限公司 Encrypted flow detection method and device based on rapid pattern matching
CN112583825B (en) * 2020-12-07 2022-09-27 四川虹微技术有限公司 Method and device for detecting abnormality of industrial system
CN112615752A (en) * 2020-12-29 2021-04-06 中通天鸿(北京)通信科技股份有限公司 System for positioning traffic variable nodes of cloud communication platform through aggregation analysis
CN115515173A (en) * 2021-06-04 2022-12-23 中兴通讯股份有限公司 Method, system, electronic device and storage medium for analyzing performance of base station
CN113595972A (en) * 2021-06-08 2021-11-02 贵州电网有限责任公司 Web service behavior logic detection method based on middleware flow analysis technology
CN113765720B (en) * 2021-09-09 2023-10-24 国网湖南省电力有限公司 Service interaction feature extraction method based on power communication network flow
CN115412427A (en) * 2022-08-30 2022-11-29 梅州科捷电路有限公司 Router safety monitoring early warning system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1507360A1 (en) * 2003-08-14 2005-02-16 AT&T Corp. Method and apparatus for sketch-based detection of changes in network traffic
CN101741628A (en) * 2008-11-13 2010-06-16 比蒙新帆(北京)通信技术有限公司 Application layer service analysis-based network flow analysis method
CN102609346A (en) * 2012-01-16 2012-07-25 深信服网络科技(深圳)有限公司 Monitoring method and monitoring device on basis of service operation

Also Published As

Publication number Publication date
CN103532776A (en) 2014-01-22

Similar Documents

Publication Publication Date Title
CN103532776B (en) Service traffics detection method and system
CN103532940B (en) network security detection method and device
CN105429977B (en) Deep packet inspection device abnormal flow monitoring method based on comentropy measurement
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
CN105376260B (en) A kind of exception flow of network monitoring system based on density peaks cluster
US11108619B2 (en) Service survivability analysis method and apparatus
US8634314B2 (en) Reporting statistics on the health of a sensor node in a sensor network
US8638680B2 (en) Applying policies to a sensor network
US7903657B2 (en) Method for classifying applications and detecting network abnormality by statistical information of packets and apparatus therefor
US20120026938A1 (en) Applying Policies to a Sensor Network
Zhe et al. DoS attack detection model of smart grid based on machine learning method
Li et al. Theoretical basis for intrusion detection
CN106452941A (en) Network anomaly detection method and device
Niandong et al. Detection of probe flow anomalies using information entropy and random forest method
CN115038088B (en) Intelligent network security detection early warning system and method
CN110191024A (en) Network flow monitoring method and device
Ma et al. BOND: Exploring hidden bottleneck nodes in large-scale wireless sensor networks
CN109150920A (en) A kind of attack detecting source tracing method based on software defined network
CN104601567B (en) A kind of indexing security measure method excavated based on information network security of power system event
CN112055007B (en) Programmable node-based software and hardware combined threat situation awareness method
Li et al. Covert timing channel detection method based on random forest algorithm
CN105991623B (en) A kind of services interconnection relationship auditing method and system
CN106656647A (en) Real-time flow monitoring method and real-time flow monitoring device
Jindong et al. Study and prediction of wireless link quality for adaptive channel hopping
CN115175174A (en) Method for realizing probe equipment management and control system based on Internet of things platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant