CN104796301A - Network traffic abnormality determination method and device - Google Patents

Network traffic abnormality determination method and device

Info

Publication number
CN104796301A
Authority
CN
China
Prior art keywords
network traffic
time
hurst
time series
index
Prior art date
Application number
CN201510149442.7A
Other languages
Chinese (zh)
Inventor
朱柏涛
Original Assignee
北京奇艺世纪科技有限公司

Abstract

The invention discloses a network traffic abnormality determination method and device, and relates to the field of computer technology. The method includes obtaining network traffic in real time, building a time series of the network traffic according to the collection instant of each sample, calculating the Hurst exponent of each sub-series newly added to the time series, and judging whether a network traffic abnormality has occurred from the relationship between the Hurst exponent and a threshold range. Abnormal and normal traffic can be distinguished from the change in the Hurst exponent of the network traffic. This differs from conventional detection algorithms based on matching feature values: the method starts from the network traffic itself, no huge feature library needs to be built, detection time is greatly shortened and detection cost is greatly reduced.

Description

Network traffic abnormality determination method and device

Technical field

[0001] The present invention relates to the field of computer technology, and in particular to a network traffic abnormality determination method and device.

Background

[0002] With the continuous advance of network technology and the spread of its applications, malicious behaviour such as network attacks has become a serious threat to the security of computer networks. Abnormal network behaviour causes abnormal network traffic, so timely and accurate detection of network anomalies is of great importance for maintaining network security.

[0003] The main current method of network traffic detection is feature matching: before detection, a model characterising the network's features is built, then real-time traffic is collected and processed, and the resulting feature values are matched against the pre-built traffic model to detect whether the current network is abnormal. The main drawback of this method is that, because the network changes constantly, the traffic model also changes constantly, so the feature library must be updated continually to preserve detection accuracy. Such a method requires a huge feature library that must be updated constantly; if updates lag, detection results may be wrong, and the method cannot rapidly detect sudden network anomalies.

Summary of the invention

[0004] In view of the above problems, the present invention is proposed in order to provide a network traffic abnormality determination device and a corresponding network traffic abnormality determination method that overcome, or at least partly solve, the above problems.

[0005] According to one aspect of the present invention, a network traffic abnormality determination method is provided, comprising:

[0006] obtaining network traffic in real time;

[0007] constructing a time series of the network traffic according to the collection instants of the network traffic;

[0008] for each sub-series newly added to the time series, calculating the Hurst exponent of that sub-series;

[0009] judging, from the relationship between the Hurst exponent and a threshold range, whether the network traffic is abnormal.

[0010] Preferably, constructing the time series of the network traffic according to the collection time comprises:

[0011] for each data packet in the network traffic, obtaining the packet's data size and collection instant;

[0012] summing the total data size at each collection instant and placing the totals into the time series in order of collection instant.

[0013] Preferably, after calculating the Hurst exponent of each sub-series newly added to the time series, the method further comprises:

[0014] recording the Hurst exponent of each calculation to obtain a time series of Hurst exponents.

[0015] Preferably, judging that the network traffic is abnormal comprises:

[0016] performing anomaly detection on the network traffic according to the recorded time series of Hurst exponents.

[0017] Preferably, the method further comprises:

[0018] calculating, from the recorded time series of Hurst exponents, the variance at the collection instant of each Hurst exponent;

[0019] performing anomaly detection on the network traffic according to the variance of the Hurst exponent at each collection instant.

[0020] Preferably, the method further comprises:

[0021] when the network traffic enters a peak period, judging from the relationship between the Hurst exponent and the threshold range whether the traffic in the peak period is normal network traffic.

[0022] Preferably, judging from the relationship between the Hurst exponent and the threshold range whether the network traffic is abnormal comprises:

[0023] judging whether the Hurst exponent lies within the threshold range; if the Hurst exponent does not lie within the threshold range, judging that the network traffic is abnormal.

[0024] Preferably, the threshold range is at least greater than 0.5 and at least less than 1.

[0025] Preferably, calculating the Hurst exponent of each sub-series newly added to the time series comprises:

[0026] judging whether this is the first calculation of the Hurst exponent; if so, initialising the Hurst exponent and determining the coefficient of the Hurst function from the initial time series; if not, using the Hurst function with the determined coefficient to calculate the Hurst exponent of the sub-series newly added to the time series.

[0027] The present invention further provides a network traffic abnormality determination device, characterised in that it comprises:

[0028] a traffic acquisition module, adapted to obtain network traffic in real time;

[0029] a time series construction module, adapted to construct a time series of the network traffic according to its collection instants;

[0030] a Hurst exponent calculation module, adapted to calculate, for each sub-series newly added to the time series, the Hurst exponent of that sub-series;

[0031] a traffic abnormality judging module, adapted to judge from the relationship between the Hurst exponent and a threshold range whether the network traffic is abnormal.

[0032] Compared with the background art, the present invention has the following advantages:

[0033] The present invention calculates the Hurst exponent progressively, over the newly added part of the time series of collected network traffic. For example, given the currently obtained traffic time series m1, its Hurst exponent is calculated; when the length of the series grows to m2, the earlier m1 is not used again, and instead the Hurst exponent of the m2 − m1 part is calculated. As the series keeps growing, the above step is repeated, and calculating the Hurst exponent of each newly added part yields a sequence of progressive Hurst exponents. Once the relationship between a Hurst exponent and the preset threshold range meets a preset condition, for example the Hurst exponent exceeds the upper threshold or falls below the lower threshold, the current network traffic can be considered abnormal; conversely, when the Hurst exponent lies within the set threshold range, the current traffic is considered normal. The invention can therefore distinguish abnormal from normal traffic by the change in the Hurst exponent of the traffic. This differs from conventional detection algorithms based on feature-value matching: it starts from the network traffic itself, needs no huge feature library, and greatly reduces detection time and cost.

[0034] The above is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be understood more clearly and implemented according to the contents of the specification, and to make the above and other objects, features and advantages of the invention more apparent, specific embodiments of the invention are set out below.

Brief description of the drawings

[0035] Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:

[0036] Fig. 1 is a schematic flowchart of a network traffic abnormality determination method according to one embodiment of the present invention;

[0037] Fig. 1A shows an example time series of Hurst collection points according to one embodiment of the present invention;

[0038] Fig. 2 is a schematic flowchart of a network traffic abnormality determination method according to one embodiment of the present invention;

[0039] Fig. 2A shows an example Hurst value curve of normal traffic according to one embodiment of the present invention;

[0040] Fig. 2B compares the Hurst value curve of normal traffic with the Hurst value curve after attack traffic is added at a certain point in time, according to one embodiment of the present invention;

[0041] Fig. 2C compares the variance curve of the Hurst values of the normal traffic of Fig. 2B with the variance curve of the Hurst values after attack traffic is added at a certain point in time;

[0042] Fig. 2D compares the Hurst value curve of normal traffic with the Hurst value curve after video traffic is added at a certain point in time, according to one embodiment of the present invention;

[0043] Fig. 2E compares the variance curve of the Hurst values of the normal traffic of Fig. 2D with the variance curve of the Hurst values after video traffic is added at a certain point in time;

[0044] Fig. 3 is a schematic structural diagram of a network traffic abnormality determination device according to one embodiment of the present invention;

[0045] Fig. 4 is a schematic structural diagram of a network traffic abnormality determination device according to one embodiment of the present invention.

Detailed description

[0046] Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.

[0047] First, to aid understanding of the technical solution of the present invention, the technical terms involved in the embodiments are introduced:

[0048] 1. Time series: a sequence of observations obtained in chronological order. Depending on the phenomenon or problem under study, various time series can be obtained. One essential characteristic of a typical time series is the dependence between adjacent observations; this dependence between the observations of a time series is of great practical significance.

[0049] 2. Hurst exponent: the study of the Hurst exponent (H) based on rescaled range (R/S) analysis originates with the British hydrologist H. E. Hurst (1900-1978). While studying the relationship between the flow of the Nile and reservoir storage capacity, he found that a biased random walk (fractional Brownian motion) describes the long-term storage capacity of a reservoir better, and on this basis proposed establishing the Hurst exponent (H) by rescaled range (R/S) analysis as an indicator of whether time series data follows a random walk or a biased random walk. There are several ways to compute the Hurst exponent; one approach is as follows:

[0050] Let $X_i = X_1, \dots, X_n$ be $n$ consecutive values of the time series. Take logarithms and first differences, then divide the resulting data into $A$ adjacent sub-intervals of length $H$, i.e. $A \times H = n$. Then:

[0051] The mean of each sub-interval is: $X_m = (X_1 + \dots + X_H)/H$

[0052] The standard deviation is:

[0053] [Figure CN104796301AD00051: formula given as an image in the original, not extracted]

[0054] The cumulative deviation from the mean is:

[0055] [Figure CN104796301AD00061: formula given as an image in the original, not extracted]

[0056] The within-group range is:

[0057] $R_H = \max(X_{r,A}) - \min(X_{r,A})$

[0058] The Hurst exponent (H) is:

[0059] [Figure CN104796301AD00062: formula given as an image in the original, not extracted]

[0060] Hurst derived the relationship:

[0061] $R_n / S_n = c \cdot n^H$

[0062] where $c$ is a constant, $n$ is the number of observations and $H$ is the Hurst exponent.

[0063] Then, for the sub-series newly added to the network traffic time series, with its m2 − m1 known traffic values, the value of H can be calculated once the value of c has been obtained.

[0064] The Hurst exponent takes three forms:

[0065] 1. If H = 0.5, the time series can be described by a random walk;

[0066] 2. If 0.5 < H ≤ 1, the time series is self-similar with long memory;

[0067] 3. If 0 < H < 0.5, the time series is pink noise (anti-persistent), i.e. a mean-reverting process.

[0068] Next, one of the ideas underlying the present invention is introduced:

[0069] The inventor found through research that when a DDoS attack occurs, the attack packets block the packets normally transmitted in the network, so the self-similarity of the traffic weakens, i.e. the Hurst exponent decreases, and the self-similar character of the network traffic may even be destroyed. Specifically, suppose the discrete time series of network traffic are:

[0070] $X = \{X_i, i \in 1, 2, \dots, n\}$, $Y = \{Y_i, i \in 1, 2, \dots, n\}$, $Z = \{Z_i, i \in 1, 2, \dots, n\}$

[0071] where X is the traffic when the network is normal, Y is the abnormal traffic attacking the network, X and Y are mutually independent, and Z is the total traffic produced when the network is under attack, so Z = X + Y.

[0072] Let the autocorrelation functions of X, Y and Z be $r_{XX}$, $r_{YY}$ and $r_{ZZ}$. When the network is under attack by abnormal traffic, the value of $|r_{ZZ} - r_{XX}|$ changes noticeably. The inventor has verified that for any self-similar process with self-similarity coefficient $H \in (0.5, 1]$ there is one and only one corresponding autocorrelation function; therefore, when the network traffic is abnormal, the value of $|H_Z - H_X|$ changes significantly and the self-similarity of the traffic is affected, where $H_Z$ and $H_X$ are the self-similarity parameters of the respective traffic series. Seen from another angle, when there is no abnormal traffic attacking the network, Z = X and the self-similarity represented by the value of $H_Z$ is unaffected; when abnormal attack traffic appears (attack traffic is generally large and disrupts the network's normal communication), the self-similarity represented by the value of $H_Z$ changes considerably and the self-similarity is affected.

[0073] The present invention therefore proposes a progressive method of detecting whether the Hurst exponent of the network traffic falls below a certain threshold, so as to detect traffic anomalies in real time. That is, the Hurst exponent is used to judge traffic anomalies: the latest traffic data is collected, the Hurst exponent is solved for, and traffic anomalies are judged and detected directly from the change in the Hurst exponent against an anomaly threshold.

[0074] Specifically, in actual processing the network traffic can be viewed as a time series of ever-increasing length, and a Hurst parameter is estimated for each added part; the set of Hurst exponents then reflects how the self-similarity of the traffic changes over time. After the first initial time series has been collected, its Hurst exponent is calculated; thereafter, as the series keeps growing, the invention calculates only the Hurst exponent of the increment between two adjacent calculation points, uses that exponent to characterise the current self-similarity of the traffic, and judges traffic anomalies directly from it. This greatly reduces the computational complexity brought by massive data and saves time.

[0075] Embodiment 1

[0076] Referring to Fig. 1, which is a schematic flowchart of a network traffic abnormality determination method of the present invention, the method may specifically comprise:

[0077] Step 110: obtaining network traffic in real time;

[0078] In this embodiment of the invention, the method may be applied on the server side, for example on the servers of a video website, to monitor whether the network traffic received by the server is normal.

[0079] Once started, the invention obtains network traffic in real time. In practice the traffic is not obtained continuously but at sampling points, for example the current network traffic is obtained once every 0.1 seconds.

[0080] In actual collection, network traffic is generally collected at the network interface card, which in fact means obtaining all received IP packets.

[0081] Step 120: constructing a time series of the network traffic according to its collection instants;

[0082] With the sampled acquisition described above, each acquisition corresponds to a collection instant, for example 0 s, 2 s, 3 s, 4 s, 5 s, …, and each collection instant has a traffic value, for example 35 Mbps, 40 Mbps, 33 Mbps, 30 Mbps, 42 Mbps, 37 Mbps, …, giving a time series X = 35, 40, 33, 30, 42, 37, …, which can be shown as in Fig. 1A, where the horizontal axis is time, the vertical axis is traffic, and the black points are the specific traffic values at the collection instants. In practice the collection interval may of course be shorter.

[0083] Preferably, constructing the time series of the network traffic according to the collection time comprises:

[0084] Sub-step S122: for each data packet in the network traffic, obtaining the packet's data size and collection instant;

[0085] In practice, for each IP packet obtained, this embodiment of the invention extracts the packet's relevant parameters, such as its collection time and size.

[0086] Sub-step S124: summing the total data size at each collection instant and placing the totals into the time series in order of collection instant.

[0087] The collected IP packets can be grouped by collection instant and their sizes summed; for example, if 100 IP packets are received at the 1 s instant, the sizes of those 100 packets are added up to obtain the traffic value at 1 s.

[0088] Each traffic value so calculated is placed into the time series in chronological order, and the time series grows gradually.

[0089] Step 130: for each sub-series newly added to the time series, calculating the Hurst exponent of that sub-series;

[0090] In this embodiment of the invention, for the traffic time series $X_i = X_1, \dots, X_n$, the aforementioned formula

[0091] $R_n / S_n = c \cdot n^H$

[0092] can be used to calculate the value of the Hurst exponent H.

[0093] Preferably, calculating the Hurst exponent of each sub-series newly added to the time series comprises:

[0094] Step 132: judging whether this is the first calculation of the Hurst exponent; if so, initialising the Hurst exponent and determining the coefficient of the Hurst function from the initial time series; if not, using the Hurst function with the determined coefficient to calculate the Hurst exponent of the sub-series newly added to the time series.

[0095] For the first calculation, for example at the instant corresponding to i = 5, i.e. computing over the time series X_1 to X_5, the constant c in the above formula is still undetermined, so an initial value of H can be preset; the initial H can be chosen from experience and generally takes a value in (0.5, 1). Substituting this initial H and the first time series into the formula gives c. Subsequent sub-series can then be substituted directly into the formula to calculate H; for example, for X_6 to X_10, that sub-series is substituted into the formula with c already determined.

[0096] Step 140: judging, from the relationship between the Hurst exponent and the threshold range, whether the network traffic is abnormal.

[0097] Each calculated Hurst exponent is compared with the threshold range, and whether the network traffic is abnormal is judged from the result of the comparison.

[0098] Preferably, judging from the relationship between the Hurst exponent and the threshold range whether the network traffic is abnormal comprises:

[0099] Step S142: judging whether the Hurst exponent lies within the threshold range; if the Hurst exponent does not lie within the threshold range, judging that the network traffic is abnormal.

[0100] In this embodiment of the invention, when the Hurst exponent H is not within the threshold range, an anomaly of the network traffic is detected, including, for example, the time and intensity of the anomaly.

[0101] From the relationship between the Hurst exponent H and the self-similarity of a time series, H in (0.5, 1) indicates that the time series has high self-similarity. In this embodiment the threshold range of H is at least greater than 0.5 and at least less than 1. H does not take the value 1, because H = 1 means the network traffic has not changed for a long time, which essentially also means the traffic is abnormal. The upper threshold b may be less than 1 and the lower threshold a greater than 0.5, and both can be adjusted to the actual situation.

[0102] When H lies in (a, b), the network traffic is judged normal; when H is not in (a, b), the network traffic is judged abnormal.

[0103] Of course, in embodiments of the present invention, it is also possible to

[0104] In this embodiment of the invention, a short burst of network traffic has a large effect on the self-similarity of the traffic. Under normal network conditions the Hurst value lies in (a, b) (where 0.5 < a, b < 1), and a larger Hurst value indicates higher self-similarity of the traffic. When traffic bursts, the self-similarity of the traffic changes and the Hurst value decreases. The present invention therefore calculates the Hurst exponent progressively over the newly added part of the time series of collected traffic, and can thus distinguish abnormal from normal traffic by the change in the Hurst exponent. This differs from conventional detection algorithms based on feature-value matching: it starts from the network traffic itself, needs no huge feature library, and greatly reduces detection time and cost.

[0105] Embodiment 2

[0106] Referring to Figure 2, which shows a schematic flow chart of a network traffic abnormality determination method of the present invention, the method may specifically include:

[0107] Step 210: acquire network traffic in real time;

[0108] Step 212: construct a time series of the network traffic according to the collection times of the network traffic;

[0109] Step 214: when computing the Hurst exponent of a sub-time-series newly added to the time series, determine whether this is the first computation of the Hurst exponent; if it is the first computation, proceed to step 216; if it is not, proceed to step 218;

[0110] Step 216: initialize the Hurst exponent, determining the coefficients of the Hurst function from the initial time series;

[0111] Step 218: using the Hurst function with the determined coefficients, compute the Hurst exponent of the sub-time-series newly added to the time series;

[0112] Step 220: record each computed Hurst exponent to obtain a time series of Hurst exponents, and determine whether the Hurst exponent lies within the threshold range; if it does, the network traffic is considered not to be under attack; if it does not, proceed to step 222;

[0113] Step 222: perform anomaly detection on the network traffic according to the recorded time series of Hurst exponents.

[0114] When network traffic is normal, its Hurst exponent H lies in the range (0.5, 1) and varies little, as shown in Figure 2A. When the network is under attack, however, H changes markedly, as shown in Figure 2B. In Figure 2B, the curve connecting the "○" points is the H curve of normal traffic, and the curve connecting the "X" points is the H curve that includes the period after the attack begins. If no attack traffic is added, the normal traffic follows the curve connecting the "○" points. On the curve connecting the "X" points, traffic is normal up to 908 seconds; after 908 seconds the network is under attack. Comparing the normal-traffic curve with the attacked curve shows that once the attack on the network begins at 908 seconds (that is, once attack traffic is added), the Hurst exponent starts to fall and gradually leaves its normal range; after the attack ends, the Hurst exponent returns to its normal level. Without an attack the Hurst value changes very little; when attack traffic is added the Hurst value changes considerably, and the amplitude of the fluctuation grows as the attack flow grows. When attack traffic makes up a large proportion of the total, the self-similarity of the network traffic is destroyed and the traffic no longer exhibits self-similarity.

[0115] Therefore, in the present invention, from the recorded time series of Hurst exponents, once a first H value below the lower threshold is found, one can start from that H value and use the subsequently recorded H values to determine approximately when the network attack began and roughly how long it lasted.

[0116] And/or, preferably, the method further includes:

[0117] Step 226: from the recorded time series of Hurst exponents, compute the variance at the collection time of each Hurst exponent;

[0118] Step 228: perform anomaly detection on the network traffic according to the variance of the Hurst exponent at each collection time.

[0119] For the two H curves in Figure 2B, the variance of each is computed, giving Figure 2C. In Figure 2C, the curve connecting the "X" collection points is the H-variance curve of normal traffic, and the curve connecting the "•" collection points is the H-variance curve after attack traffic is added. As can be seen from Figure 2C, the variance at the first time point is 0, so the change in variance is examined from the second time point onward. When no attack traffic is added, the Hurst-exponent variance curve is very flat and changes little. After attack traffic is added, the Hurst exponent changes greatly and shows an essentially vertical rise, so the variance of the Hurst exponent jumps within a short time with a large amplitude, and for the duration of the attack the variance of the Hurst exponent keeps growing. Overall, during a traffic attack the variance of the Hurst exponent is roughly 2 to 13 times that of normal traffic, so analysing the variance of the Hurst exponent allows attack traffic to be detected quickly, including, for example, the time range and intensity of the attack.

[0120] Therefore, the present invention can compute the variance at each collection time point from the recorded time series of Hurst exponents described above, and then quickly detect attack traffic from changes in that variance.

[0121] And/or, preferably, the method further includes:

[0122] Step 230: when network traffic enters a peak period, determine, according to the relationship between the Hurst exponent and the threshold range, whether the network traffic in the peak period is normal network traffic.

[0123] In an embodiment of the present invention, the network server itself may have its own traffic peaks. For a video server, for example, between 8 and 10 p.m. most people have finished work and many of them visit video sites to watch videos, so relative to working hours the traffic increases greatly, producing a network traffic peak.

[0124] For network traffic in a peak period, the present invention can likewise determine from the relationship between the Hurst exponent H and the threshold range whether the peak-period traffic is normal network traffic. For example, if the H value during the peak period stays within the aforementioned range (a, b), then although the traffic is at a peak, the network is not under attack and the traffic is normal.

[0125] Of course, preferably, for a network traffic peak, anomaly detection can also be performed on the network traffic according to the recorded time series of Hurst exponents.

[0126] As shown in Figure 2D, "○" marks the collection points of normal traffic and "☆" marks the collection points after video traffic is added starting from the second point (that is, the collection points with peak video traffic added); the curve connecting the "○" points is the H curve of normal traffic, and the curve connecting the "☆" points is the H curve of traffic entering a peak from the second point onward. It can be seen from Figure 2D that during a network traffic peak the Hurst exponent becomes markedly larger, indicating that the self-similarity of the network traffic is strengthened, but the Hurst value remains within the interval [0.72, 0.85], showing that the self-similar character of the network traffic has not disappeared: the network is busy at this time but is not under attack.

[0127] Of course, preferably, for a network traffic peak, the variance at the collection time of each Hurst exponent can also be computed from the recorded time series of Hurst exponents, and anomaly detection then performed on the network traffic according to the variance of the Hurst exponent at each collection time.

[0128] Figure 2E shows the curves obtained by computing the variance at each point of the normal-traffic H curve and at each point of the H curve with video traffic added, both taken from Figure 2D. The curve connecting the "X" collection points is the H-variance curve of normal traffic, and the curve connecting the "•" collection points is the H-variance curve of the network traffic peak after video traffic is added. As shown in Figure 2D, the variance of the Hurst exponent changes only slightly. From the above analysis it can be seen that when the network is busy, a sudden increase in business traffic produces the appearance of abnormal traffic, which can easily cause normal network traffic to be taken for abnormal traffic and lead to false positives. Analysis shows that during a network peak the self-similar character of the network traffic does not change, so the change in traffic volume does not cause a change in the Hurst parameter. Peak traffic and abnormal traffic are therefore distinguished by solving for the Hurst parameter, because in a real network peak traffic occurs far more often than abnormal traffic.

[0129] Therefore, the present invention can also perform anomaly detection on the network traffic according to the variance of the Hurst exponent at each collection time, determining whether the network traffic is peak traffic, as well as the duration range and/or intensity of the peak traffic.
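The pipeline of steps 210 to 228 above, together with the peak-traffic case of paragraphs [0123] to [0129], as an added Python example; this is not the patent's code, and the patent does not say which Hurst estimator, window size or threshold values it uses. The example assumes the classic rescaled-range (R/S) statistic as the "Hurst function", 512 one-second byte counts as each newly added sub-time-series, the threshold range (0.5, 1) taken from paragraph [0114] and claim 8, and constructed traffic: a background series generated by fractional differencing (nominal H = 0.8) followed by a constructed pulsing flood that adds 100 MB on alternate seconds. Function names such as bytes_per_interval, hurst_exponent, running_variance and detect are the example's own. Because R/S is scale invariant, multiplying every sample by a constant leaves H unchanged; that stands in for the peak-traffic case, where a volume increase alone does not move H out of range, whereas the flood, which destroys the persistence structure of the series, drives H below the lower threshold and makes the running variance of the Hurst series jump.

```python
"""Hurst-exponent traffic anomaly detection (added example, not the patent's code).
Assumed, not from the patent: R/S as the Hurst function, 512-sample windows,
threshold range (0.5, 1), and synthetic background and flood traffic."""
import math
import random
from collections import defaultdict

LOWER, UPPER = 0.5, 1.0                  # threshold range (a, b): paragraph [0114], claim 8
WINDOW = 512                             # samples per newly added sub-time-series
BLOCK_SIZES = [8, 16, 32, 64, 128, 256]  # R/S sub-block sizes inside one window


def bytes_per_interval(packets, interval=1.0):
    """Claim 2: total the sizes of all packets sharing a collection interval and
    return the totals in interval order; empty intervals count as 0 bytes."""
    totals = defaultdict(int)
    for ts, size in packets:
        totals[int(ts // interval)] += size
    return [totals[k] for k in range(min(totals), max(totals) + 1)]


def hurst_exponent(series, block_sizes=BLOCK_SIZES):
    """Classic R/S estimate: slope of log(mean R/S) against log(block size)."""
    xs, ys = [], []
    for n in block_sizes:
        ratios = []
        for start in range(0, len(series) - n + 1, n):
            block = series[start:start + n]
            mean = sum(block) / n
            dev = [v - mean for v in block]
            cum, acc = [], 0.0
            for d in dev:                 # cumulative deviations from the block mean
                acc += d
                cum.append(acc)
            spread = math.sqrt(sum(d * d for d in dev) / n)   # S: std of the block
            if spread > 0:
                ratios.append((max(cum) - min(cum)) / spread)  # R/S of the block
        if ratios:
            xs.append(math.log(n))
            ys.append(math.log(sum(ratios) / len(ratios)))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)       # least-squares slope = H
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)


def running_variance(values):
    """Step 226: population variance of the Hurst series up to each collection
    time, so the first entry is always 0 as paragraph [0119] notes."""
    out = []
    for i in range(1, len(values) + 1):
        prefix = values[:i]
        m = sum(prefix) / i
        out.append(sum((v - m) ** 2 for v in prefix) / i)
    return out


def in_range(h, lower=LOWER, upper=UPPER):
    """Step 220: a Hurst exponent inside (a, b) means traffic is not under attack."""
    return lower < h < upper


def long_memory_noise(n, d=0.3, burn=512, seed=7):
    """Constructed self-similar background: ARFIMA(0, d, 0) by fractional
    differencing with d = H - 0.5, i.e. nominal H = 0.8; the first `burn`
    samples are discarded so the series is close to stationary."""
    rng = random.Random(seed)
    total = n + burn
    e = [rng.gauss(0.0, 1.0) for _ in range(total)]
    weights, w = [1.0], 1.0
    for k in range(1, total):             # psi_k = psi_{k-1} * (k - 1 + d) / k
        w *= (k - 1 + d) / k
        weights.append(w)
    return [sum(weights[k] * e[t - k] for k in range(t + 1)) for t in range(burn, total)]


def constructed_traffic(normal_windows=3, attack_windows=1):
    """Bytes per second: ~1 MB/s self-similar background for the normal windows,
    then a constructed pulsing flood adding 100 MB on alternate seconds."""
    total = (normal_windows + attack_windows) * WINDOW
    series = [1_000_000 + 100_000 * v for v in long_memory_noise(total)]
    for i in range(normal_windows * WINDOW, total, 2):
        series[i] += 100_000_000
    return series


def detect(series):
    """Steps 214-228 over each newly added window: Hurst exponent, threshold
    check, and running variance of the recorded Hurst series."""
    hs = [hurst_exponent(series[i:i + WINDOW])
          for i in range(0, len(series) - WINDOW + 1, WINDOW)]
    flags = [not in_range(h) for h in hs]
    return hs, flags, running_variance(hs)


if __name__ == "__main__":
    for i, (h, flag, var) in enumerate(zip(*detect(constructed_traffic()))):
        print(f"window {i}: H={h:.3f} var={var:.5f} {'ANOMALY' if flag else 'normal'}")
```

Run stand-alone, the script prints one line per 512-second window: the three background windows report H inside (0.5, 1) with a flat running variance, and the flood window reports an H far below 0.5 together with a jump in the variance, which is the pattern the patent describes for Figures 2B and 2C. The patent's own Figure 2D shows H rising slightly during a real peak; the scaling check here only demonstrates the narrower point that traffic volume by itself does not move the R/S estimate.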

[0130] Embodiment 3

[0131] Referring to Figure 3, which shows a schematic structural diagram of a network traffic abnormality determination apparatus of the present invention, the apparatus may specifically include:

[0132] a traffic acquisition module 310, adapted to acquire network traffic in real time;

[0133] a time series construction module 320, adapted to construct a time series of the network traffic according to the collection times of the network traffic;

[0134] a Hurst exponent computation module 330, adapted to compute the Hurst exponent of a sub-time-series newly added to the time series;

[0135] a traffic abnormality determination module 340, adapted to determine whether the network traffic is abnormal according to the relationship between the Hurst exponent and the threshold range.

[0136] Preferably, the time series construction module includes:

[0137] a packet parameter acquisition module, adapted to obtain, for each packet in the network traffic, the data size and collection time of the packet;

[0138] a statistics module, adapted to total the data sizes at the same collection time and to place the totals into the time series in order of collection time.

[0139] Preferably, following the Hurst exponent computation module, the apparatus further includes:

[0140] a Hurst exponent storage module, adapted to record each computed Hurst exponent to obtain a time series of Hurst exponents.

[0141] Preferably, the traffic abnormality determination module includes:

[0142] a first traffic abnormality determination module, adapted to perform anomaly detection on the network traffic according to the recorded time series of Hurst exponents.

[0143] Preferably, the apparatus further includes:

[0144] a Hurst exponent variance computation module, adapted to compute, from the recorded time series of Hurst exponents, the variance at the collection time of each Hurst exponent;

[0145] a second traffic abnormality determination module, adapted to perform anomaly detection on the network traffic according to the variance of the Hurst exponent at each collection time.

[0146] Preferably, the apparatus further includes:

[0147] a peak traffic determination module, adapted, when network traffic enters a peak period, to determine according to the relationship between the Hurst exponent and the threshold range whether the network traffic in the peak period is normal network traffic.

[0148] Preferably, the traffic abnormality determination module includes:

[0149] a range determination module, adapted to determine whether the Hurst exponent lies within the threshold range, and to determine that the network traffic is abnormal if the Hurst exponent does not lie within the threshold range.

[0150] Preferably, the threshold range comprises: at least greater than 0.5 and at least less than 1.

[0151] Preferably, the Hurst exponent computation module includes:

[0152] determining whether this is the first computation of the Hurst exponent; if so, initializing the Hurst exponent and determining the coefficients of the Hurst function from the initial time series; if not, using the Hurst function with the determined coefficients to compute the Hurst exponent of the sub-time-series newly added to the time series.

[0153] Embodiment 4

[0154] Referring to Figure 4, which shows a schematic structural diagram of a network traffic abnormality determination apparatus of the present invention, the apparatus may specifically include:

[0155] a traffic acquisition module 410, adapted to acquire network traffic in real time;

[0156] a time series construction module 412, adapted to construct a time series of the network traffic according to the collection times of the network traffic;

[0157] a first-computation determination module 414, adapted, when computing the Hurst exponent of a sub-time-series newly added to the time series, to determine whether this is the first computation of the Hurst exponent; if it is the first computation, control passes to the initialization module 416; if it is not, control passes to the exponent computation module 418;

[0158] an initialization module 416, adapted to initialize the Hurst exponent, determining the coefficients of the Hurst function from the initial time series;

[0159] an exponent computation module 418, adapted to compute, using the Hurst function with the determined coefficients, the Hurst exponent of the sub-time-series newly added to the time series;

[0160] a recording module 420, adapted to record each computed Hurst exponent to obtain a time series of Hurst exponents, and to determine whether the Hurst exponent lies within the threshold range; if it does, the network traffic is considered not to be under attack; if it does not, control passes to the anomaly detection module 422;

[0161] an anomaly detection module 422, adapted to perform anomaly detection on the network traffic according to the recorded time series of Hurst exponents.

[0162] The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described herein may be implemented using various programming languages, and that the description given above for a specific language is for the purpose of disclosing the best mode of the present invention.

[0163] In the description provided herein, numerous specific details are set forth. It will be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

[0164] Similarly, it should be understood that, in order to streamline the disclosure and aid in the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.

[0165] Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from those of that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

[0166] Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

[0167] The components of embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the network traffic abnormality determination device according to embodiments of the present invention. The present invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

[0168] It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (10)

1. A network traffic abnormality determination method, characterized in that it comprises: acquiring network traffic in real time; constructing a time series of the network traffic according to the collection times of the network traffic; computing, for a sub-time-series newly added to the time series, the Hurst exponent of the sub-time-series; and determining whether the network traffic is abnormal according to the relationship between the Hurst exponent and a threshold range.
2. The method according to claim 1, characterized in that constructing the time series of the network traffic according to the collection times of the network traffic comprises: obtaining, for each packet in the network traffic, the data size and collection time of the packet; and totalling the data sizes at the same collection time and placing the totals into the time series in order of collection time.
3. The method according to claim 1, characterized in that, after computing the Hurst exponent of the sub-time-series newly added to the time series, the method further comprises: recording each computed Hurst exponent to obtain a time series of Hurst exponents.
4. The method according to claim 3, characterized in that determining that the network traffic is abnormal comprises: performing anomaly detection on the network traffic according to the recorded time series of Hurst exponents.
5. The method according to claim 3, characterized in that it further comprises: computing, from the recorded time series of Hurst exponents, the variance at the collection time of each Hurst exponent; and performing anomaly detection on the network traffic according to the variance of the Hurst exponent at each collection time.
6. The method according to claim 1 or 3, characterized in that it further comprises: when network traffic enters a peak period, determining, according to the relationship between the Hurst exponent and the threshold range, whether the network traffic in the peak period is normal network traffic.
7. The method according to claim 1, characterized in that determining whether the network traffic is abnormal according to the relationship between the Hurst exponent and the threshold range comprises: determining whether the Hurst exponent lies within the threshold range; and, if the Hurst exponent does not lie within the threshold range, determining that the network traffic is abnormal.
8. The method according to claim 1, characterized in that the threshold range comprises: at least greater than 0.5 and at least less than 1.
9. The method according to claim 1, characterized in that computing the Hurst exponent of the sub-time-series newly added to the time series comprises: determining whether this is the first computation of the Hurst exponent; if so, initializing the Hurst exponent and determining the coefficients of the Hurst function from the initial time series; if not, computing the Hurst exponent of the sub-time-series newly added to the time series using the Hurst function with the determined coefficients.
10. A network traffic abnormality determination apparatus, characterized in that it comprises: a traffic acquisition module, adapted to acquire network traffic in real time; a time series construction module, adapted to construct a time series of the network traffic according to the collection times of the network traffic; a Hurst exponent computation module, adapted to compute, for a sub-time-series newly added to the time series, the Hurst exponent of the sub-time-series; and a traffic abnormality determination module, adapted to determine whether the network traffic is abnormal according to the relationship between the Hurst exponent and a threshold range.
CN201510149442.7A 2015-03-31 2015-03-31 Network traffic abnormity judgment and device CN104796301A (en)


Publications (1)

Publication Number Publication Date
CN104796301A true CN104796301A (en) 2015-07-22

Family

ID=53560829


Country Status (1)

Country Link
CN (1) CN104796301A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105119919A (en) * 2015-08-22 2015-12-02 西安电子科技大学 Attack behavior detection method based on flow abnormity and feature analysis
CN105262647A (en) * 2015-11-27 2016-01-20 广州神马移动信息科技有限公司 Abnormal index detection method and device
CN107370766A (en) * 2017-09-07 2017-11-21 杭州安恒信息技术有限公司 A kind of network flow abnormal detecting method and system
CN107438262A (en) * 2016-05-25 2017-12-05 中国移动通信集团设计院有限公司 A kind of abnormal user recognition methods and device
CN108880945A (en) * 2018-08-02 2018-11-23 浙江口碑网络技术有限公司 A kind of cloud monitoring system and method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060010389A1 (en) * 2004-07-09 2006-01-12 International Business Machines Corporation Identifying a distributed denial of service (DDoS) attack within a network and defending against such an attack
CN1764126A (en) * 2005-11-11 2006-04-26 上海交通大学 Method for detecting and monitoring gusty abnormal network flow
CN101217377A (en) * 2008-01-18 2008-07-09 南京邮电大学 A detecting method of distributed denial of service attacking based on improved sequence scale regulation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
蒲儒峰: "DDoS attack detection based on the fractal characteristics of network traffic", China Master's Theses Full-text Database, Information Science and Technology *
蒲儒峰: "DDoS attack detection based on the fractal characteristics of network traffic", Journal of Xihua University (Natural Science Edition) *

Legal Events

Date Code Title Description
C06 Publication
EXSB Decision made by sipo to initiate substantive examination