CN107276808A - A kind of optimization method of Traffic Anomaly monitoring - Google Patents

Info

Publication number: CN107276808A
Authority: CN (China)
Prior art keywords: value, learning, traffic anomaly, flow, learning parameter
Legal status: Pending
Application number: CN201710476359.XA
Other languages: Chinese (zh)
Inventors: 周磊, 周文军, 姜双林
Current Assignee: Beijing Huachuang Network Security Polytron Technologies Inc
Original Assignee: Beijing Huachuang Network Security Polytron Technologies Inc
Priority date: 2017-06-21
Filing date: 2017-06-21
Publication date: 2017-10-20
Application filed by Beijing Huachuang Network Security Polytron Technologies Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications

Abstract

The invention discloses an optimization method for traffic anomaly monitoring, including: reading the learning table and obtaining the learning parameters; if the learning parameters are empty, calculating them and storing them in the database; reading the current real-time traffic on the network and continuously updating the learning parameter values according to the current real-time traffic; determining the current reference flow value according to current reference flow value = (1-a) × previous reference flow value + a × current real-time traffic; determining the threshold according to threshold = median × (sample high value / sample low value); judging whether the current real-time traffic lies within the range current reference flow value ± threshold; if it does not lie within the range, the current traffic is abnormal, an alarm is raised as soon as the anomaly occurs, and the learning parameters are updated; updating the traffic sample table and writing the learning table data. The invention can effectively improve the accuracy of traffic monitoring at daily or identical sampling frequency and ensure the validity of traffic anomaly monitoring.

Description

A kind of optimization method of Traffic Anomaly monitoring
Technical field
The present invention relates to the technical field of traffic anomaly monitoring in industrial control systems, and in particular to an optimization method for traffic anomaly monitoring.
Background technology
Network traffic monitoring mainly consists of continuously collecting network data and monitoring the network's traffic through that continuously collected data. The collected traffic data are counted and processed to obtain performance indicators for the network and its main components, and a network traffic monitoring system can also alert the network administrator when traffic is abnormal, so that faults are handled promptly.
In recent years, network security incidents in industrial control systems (hereinafter "ICS") have occurred repeatedly at home and abroad and have attracted worldwide attention. ICS networks are characterised by low daily traffic, but because they run uninterrupted for long periods the accumulated total traffic is comparatively high. Because the security of ICS networks bears directly on the property and safety of many people, and because traffic statistics directly reflect the performance indicators of the network and its main components, network traffic anomaly monitoring is a very basic and very important link in industrial control network management, and optimising the traffic anomaly monitoring algorithm is of great significance.
However, some products perform only simple data collection and statistics without any further calculation, let alone traffic anomaly monitoring; the traffic monitoring algorithms of other products lack correction, rely excessively on the sample data, do not learn the trend of change between samples, and use only a single formula, so they cannot guarantee a reasonably accurate result.
Therefore, the technical problem that urgently needs to be solved is how to propose an effective measure that solves the problems of the prior art and meets the greater demands of practical application.
The content of the invention
In view of the shortcomings of the above problems, the present invention provides an optimization method for traffic anomaly monitoring in industrial control systems, which can effectively improve the accuracy of traffic monitoring at daily or identical sampling frequency and ensure the validity of traffic anomaly monitoring.
To achieve the above object, the present invention provides an optimization method for traffic anomaly monitoring, including:
reading the learning table and obtaining the learning parameters; if the learning parameters are empty, calculating the learning parameters and storing them in the database; the learning parameters include: the reference flow value, the learning rate a, the threshold, the median, the peak and the minimum;
reading the current real-time traffic on the network, and continuously updating the learning parameter values according to the current real-time traffic;
determining the current reference flow value according to current reference flow value = (1-a) × previous reference flow value + a × current real-time traffic;
determining the threshold according to threshold = median × (sample high value / sample low value);
judging whether the current real-time traffic lies within the range current reference flow value ± threshold;
if it does not lie within the range, the current traffic is abnormal, an alarm is raised as soon as the anomaly occurs, and the learning parameters are updated;
updating the traffic sample table and writing the learning table data.
As a further improvement of the present invention, the learning rate a is derived from the actual sampling period and from the trade-off between the sensitivity and the stability of the algorithm.
As a further improvement of the present invention, 0 ≤ a ≤ 1.
As a further improvement of the present invention, a takes the value 1/7.
As a further improvement of the present invention, the adaptivity of the traffic anomaly judgement is achieved through the calculation methods for the reference flow value and the threshold, the traffic anomaly decision method, and the method of continuously updating the reference value and the threshold.
Compared with the prior art, the beneficial effects of the present invention are:
The present invention provides an optimization method for traffic anomaly monitoring in which the basic formulas for the reference flow value and the threshold guarantee that the elements of the traffic anomaly decision vary over time, so that the quantification and assessment of each attribute match reality and are more reasonable; it can effectively improve the accuracy of traffic monitoring at daily or identical sampling frequency and ensure the validity of traffic anomaly monitoring.
Brief description of the drawings
Fig. 1 is a flow chart of the optimization method for traffic anomaly monitoring disclosed in an embodiment of the present invention.
Embodiment
To make the purpose, technical scheme and advantages of the embodiments of the present invention clearer, the technical scheme in the embodiments of the present invention is described clearly and completely below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
The present invention is described in further detail below in conjunction with the accompanying drawings:
The present invention provides an optimization method for traffic anomaly monitoring whose design principles are:
(1) Determining the alarm algorithm. Specifically, a traffic anomaly is judged by comparing the critical flow for a given period of the day with the actual flow in the same period of the same day, i.e.
(current flow > reference flow value + threshold) or (current flow < reference flow value - threshold) indicates a traffic anomaly;
(2) Determining the learning algorithm for the reference flow value (newbase), i.e.
newbase = (1-a) × oldbase + a × sample
where: oldbase is the historical reference flow, i.e. the standard flow from the previous calculation, which serves as an important parameter in the present traffic anomaly judgement; a is the learning parameter, 0 ≤ a ≤ 1; the larger the value of a, the faster the reference value is updated, and in order for the reference flow value to achieve a basically stepwise transition of flow within one week, the present invention takes a = 1/7 = 0.14; sample is the current flow value, i.e. the currently collected traffic sample.
(3) The threshold acquisition algorithm, i.e.
threshold = median of the sample set × (sample high value / sample low value);
(4) Sample selection: the sample set size is taken as 14 and used as a sliding window, adapting to the traffic environment of roughly the last two weeks;
(5) Database tables: there is one table in the database, the learning table, which stores the parameters used to judge traffic anomalies (reference flow value, learning rate a, threshold, median, peak, minimum); the database also holds some other data tables, such as historical template data;
(6) The traffic sample table stores the traffic of the last 14 days;
(7) The learning table stores the reference flow value, learning rate a, threshold, median, peak and minimum of each device.
As shown in Fig. 1, the present invention provides an optimization method for traffic anomaly monitoring, including:
1. Reading the learning table and obtaining the learning parameters in it; if the learning parameters are NULL (empty), calculating the learning parameters and storing the generated parameter values in the database. The learning parameters that the learning table stores for each device include the reference flow value, learning rate a, threshold, median, peak and minimum; these learning parameters are the parameters used to judge traffic anomalies.
2. Reading the current real-time traffic on the network, and continuously updating the learning parameter values according to the current real-time traffic and the historical traffic;
determining the current reference flow value according to current reference flow value = (1-a) × previous reference flow value + a × current real-time traffic;
determining the threshold according to threshold = median × (sample high value / sample low value); the threshold and the other parameters calculated this time serve as the input parameters for the next traffic anomaly judgement. Only by continuously learning and updating the parameters in this way does the method possess traffic adaptivity.
3. Judging whether the current real-time traffic lies within the range current reference flow value ± threshold;
if it lies within the range, the current traffic is normal; if it does not lie within the range, the current traffic is abnormal, an alarm is raised as soon as the anomaly occurs, and the learning parameters are updated;
4. At 0:00 every day, updating the traffic sample table and writing the learning table data.
The learning rate a of the present invention is derived from the actual sampling period and from the trade-off between the sensitivity and the stability of the algorithm.
The present invention achieves the adaptivity of the traffic anomaly judgement through the calculation methods for the reference flow value and the threshold, the traffic anomaly decision method, and the method of continuously updating the reference value and the threshold.
At the same time, the present invention makes the output value of the current standard flow depend mainly on the output value of the previous standard flow rather than on the previous sampled value, so that the pattern of the previous traffic is learned better.
Compared with the prior art, the present invention has the following advantages:
In the present invention the basic formulas for the reference flow value and the threshold guarantee that the elements of the traffic anomaly decision vary over time, so that the quantification and assessment of each attribute match reality and are more reasonable. The standard flow uses a first-order lag filtering algorithm, which realises in software the function of a common hardware RC low-pass filter, while making the output value of the current standard flow depend mainly on the output value of the previous standard flow rather than on the previous sampled value, so that the sample characteristics of the previous period are better inherited and learned.
As can be seen from the formula, the closer a is to 1, the higher the sensitivity of the algorithm, i.e. the closer the final filtering result is to the sampled value; the closer a is to 0, the higher the stability of the algorithm. This property allows the estimate to remain stable while staying sufficiently sensitive to large changes in the sample traffic. Taking a = 1/7 = 0.14 further lets the reference value achieve a basically stepwise, dynamic transition of flow within one week, effectively balancing stability and sensitivity.
When the threshold is chosen it fully takes into account the overall range of variation of the data within the period, so that the threshold changes dynamically yet still fully represents the sample data. The addition of the threshold makes the critical value for abnormal traffic clear: the final new reference flow value is derived from the old reference value +/- threshold, which, when the current sample value is known, corrects the critical value and accurately calculates whether the current traffic is abnormal.
When this algorithm is used, the choice of the value of a must be made in practice as a balance between stability and sensitivity. At the same time, it must be ensured that the sampling frequency is consistent when the old and new reference values are calculated.
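The reference-flow and threshold rules described above (the first-order lag baseline, the median × (high/low) threshold, the 14-day sliding window and the stability-versus-sensitivity choice of a), worked as an added Python example that is not part of the patent. `FlowMonitor`, `run_monitor`, `step_response` and the daily sample values are constructed here; the learning table and sample table are kept in memory instead of a database, one sample per day is assumed so that the per-sample and daily updates coincide, and the clamp on a zero sample low value is an added assumption.

```python
from collections import deque
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

WINDOW_DAYS = 14   # sample set size from the patent: a 14-day sliding window
DEFAULT_A = 1 / 7  # learning rate a chosen in the patent (1/7 = 0.14)


@dataclass
class LearningTable:
    """One device's learning parameters, the fields the patent lists for its learning table."""
    base: Optional[float] = None  # reference flow value; None means the learning table is empty
    a: float = DEFAULT_A          # learning rate
    threshold: float = 0.0
    mid: float = 0.0              # median of the sample set
    peak: float = 0.0             # sample high value
    low: float = 0.0              # sample low value


class FlowMonitor:
    """Hypothetical in-memory detector implementing the patent's baseline and threshold rules."""

    def __init__(self, a: float = DEFAULT_A, window: int = WINDOW_DAYS):
        self.table = LearningTable(a=a)
        self.samples = deque(maxlen=window)  # the "traffic sample table"; one sample per day assumed

    def _learn(self) -> None:
        """threshold = median x (sample high value / sample low value) over the sample window."""
        t = self.table
        t.peak, t.low, t.mid = max(self.samples), min(self.samples), median(self.samples)
        # The patent divides by the sample low value, which is undefined for an idle link (low == 0).
        # Added assumption: clamp the divisor to 1 so the threshold stays finite.
        t.threshold = t.mid * (t.peak / max(t.low, 1.0))

    def observe(self, sample: float) -> bool:
        """Process one real-time traffic sample; return True when it falls outside base +/- threshold."""
        t = self.table
        anomalous = False
        if t.base is None:
            t.base = sample  # empty learning table: initialise the reference value from the first sample
        else:
            # (flow > base + threshold) or (flow < base - threshold) is the patent's alarm condition
            anomalous = abs(sample - t.base) > t.threshold
            # newbase = (1 - a) x oldbase + a x sample: the first-order lag filter
            t.base = (1 - t.a) * t.base + t.a * sample
        self.samples.append(sample)
        self._learn()  # parameters are re-learned after every sample, anomalous or not
        return anomalous


def run_monitor(samples: List[float], a: float = DEFAULT_A) -> List[bool]:
    """Feed daily samples in order and return the per-day anomaly verdicts."""
    mon = FlowMonitor(a=a)
    return [mon.observe(s) for s in samples]


def step_response(a: float, days: int, old: float, new: float) -> List[float]:
    """Reference value trajectory after traffic steps from `old` to `new`, for learning rate a."""
    base, path = old, []
    for _ in range(days):
        base = (1 - a) * base + a * new
        path.append(base)
    return path


# Constructed daily traffic (MB) on a quiet ICS link: two weeks near 100 MB, a spike, then normal.
DEMO_SAMPLES = [100, 110, 95, 105, 100, 98, 102, 100, 104, 97, 101, 99, 103, 100, 1000, 105]

if __name__ == "__main__":
    for day, (mb, flag) in enumerate(zip(DEMO_SAMPLES, run_monitor(DEMO_SAMPLES)), 1):
        print(f"day {day:2d}: {mb:7.1f} MB  {'ALARM' if flag else 'ok'}")
    for a in (0.05, DEFAULT_A, 0.9):  # stability vs sensitivity: how far a 0 -> 100 step has propagated
        print(f"a = {a:.2f}: reference value after 7 days = {step_response(a, 7, 0, 100)[-1]:.1f}")
```

Note that the 1000 MB spike on day 15 enters the sample window as the new sample high value and inflates the threshold for the following two weeks: the patent's rules feed an alarmed sample back into the learning parameters without any guard, so a practitioner deploying this scheme should decide whether alarmed samples belong in the sample table at all.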
The above are only preferred embodiments of the present invention and are not intended to limit the invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (5)

1. An optimization method for traffic anomaly monitoring, characterised in that it includes:
reading the learning table and obtaining the learning parameters; if the learning parameters are empty, calculating the learning parameters and storing them in the database; the learning parameters include: the reference flow value, the learning rate a, the threshold, the median, the peak and the minimum;
reading the current real-time traffic on the network, and continuously updating the learning parameter values according to the current real-time traffic;
determining the current reference flow value according to current reference flow value = (1-a) × previous reference flow value + a × current real-time traffic;
determining the threshold according to threshold = median × (sample high value / sample low value);
judging whether the current real-time traffic lies within the range current reference flow value ± threshold;
if it does not lie within the range, the current traffic is abnormal, an alarm is raised as soon as the anomaly occurs, and the learning parameters are updated;
updating the traffic sample table and writing the learning table data.
2. The optimization method for traffic anomaly monitoring according to claim 1, characterised in that the learning rate a is derived from the actual sampling period and from the trade-off between the sensitivity and the stability of the algorithm.
3. The optimization method for traffic anomaly monitoring according to claim 1, characterised in that 0 ≤ a ≤ 1.
4. The optimization method for traffic anomaly monitoring according to claim 3, characterised in that a takes the value 1/7.
5. The optimization method for traffic anomaly monitoring according to claim 1, characterised in that the adaptivity of the traffic anomaly judgement is achieved through the calculation methods for the reference flow value and the threshold, the traffic anomaly decision method, and the method of continuously updating the reference value and the threshold.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710476359.XA CN107276808A (en) 2017-06-21 2017-06-21 A kind of optimization method of Traffic Anomaly monitoring

Publications (1)

Publication Number Publication Date
CN107276808A true CN107276808A (en) 2017-10-20

Family

ID=60069327

Country Status (1)

Country Link
CN (1) CN107276808A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101155085A (en) * 2006-09-29 2008-04-02 中兴通讯股份有限公司 Method and device for real-time flux prediction and real-time flux monitoring and early warning
CN103281293A (en) * 2013-03-22 2013-09-04 南京江宁台湾农民创业园发展有限公司 Network flow rate abnormity detection method based on multi-dimension layering relative entropy
CN105281966A (en) * 2014-06-13 2016-01-27 腾讯科技(深圳)有限公司 Method and device for identifying abnormal traffic of network equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郭炜 (Guo Wei): "Research on anomalous traffic monitoring of business operation support networks based on dynamic baselines" (基于动态基线的业务运营支撑网异常流量监测研究), in "Smart City and Green IT": New Advances in Communication and Information Technology 2011, 8th Annual Academic Conference of the China Institute of Communications (《"智慧城市和绿色IT"2011年通信与信息技术新进展——第八届中国通信学会学术年会》) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110134665A (en) * 2019-04-17 2019-08-16 北京百度网讯科技有限公司 Database self-learning optimization method and device based on traffic mirroring
CN113454950A (en) * 2019-05-15 2021-09-28 阿里巴巴集团控股有限公司 Network equipment and link real-time fault detection method and system based on flow statistics
CN111817896A (en) * 2020-07-16 2020-10-23 中国民航信息网络股份有限公司 Interface monitoring method and device
CN111817896B (en) * 2020-07-16 2023-04-18 中国民航信息网络股份有限公司 Interface monitoring method and device
CN112953903A (en) * 2021-01-27 2021-06-11 南方电网科学研究院有限责任公司 Abnormity monitoring method, device and medium
CN113157505A (en) * 2021-04-07 2021-07-23 苏州瑞立思科技有限公司 Bandwidth self-adaptive abnormal flow detection method
CN113194086A (en) * 2021-04-27 2021-07-30 新华三信息安全技术有限公司 Anti-attack method and device
CN113194086B (en) * 2021-04-27 2022-05-27 新华三信息安全技术有限公司 Anti-attack method and device

Similar Documents

Publication Publication Date Title
CN107276808A (en) A kind of optimization method of Traffic Anomaly monitoring
US11443610B2 (en) Systems and methods for managing smart alarms
CN111984503B (en) Method and device for identifying abnormal data of monitoring index data
CN103744389B (en) A kind of method for early warning of production of hydrocarbons equipment running status
CN105406991A (en) Method and system for generating service threshold by historical data based on network monitoring indexes
CN103208091B (en) A kind of method of opposing electricity-stealing excavated based on power load Management System Data
JP4965064B2 (en) Self-learning method and system for anomaly detection
CN104407268A (en) Abnormal electricity utilization judgment method based on abnormal analysis of electric quantity, voltage and current
KR100982034B1 (en) Monitoring method and system for database performance
CN106802616B (en) Building energy consumption comprehensive management system and method
CN108206747A (en) Method for generating alarm and system
CN108965055A (en) A kind of network flow abnormal detecting method taking a method based on historical time
CN103454991A (en) Process monitoring system, device and method
CN106254137B (en) The alarm root analysis system and method for supervisory systems
CN105515820A (en) Health analysis method for operation and maintenance management
Ghosh et al. Consumer profiling for demand response programs in smart grids
CN104820884A (en) Power network dispatching real-time data inspection method combined with characteristics of power system
CN110247474A (en) A kind of statistics method of summary and system based on D5000 system operation of power networks state
KR100689844B1 (en) Realtime detection and analysis method and systems of infiltration/inflow and leakage in the sewer
CN115049410A (en) Electricity stealing behavior identification method and device, electronic equipment and computer readable storage medium
CN114443437A (en) Alarm root cause output method, apparatus, device, medium, and program product
CN108108665B (en) Multivariable-based safety early warning method for gas pressure regulator
CN106709623B (en) Power grid marketing inspection risk control method based on risk calculation model
CN101782763A (en) Method for monitoring statistical process control
CN202798762U (en) Alarm device for power communication failure information analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
    Inventor after: Hou Zhanying; Zhou Wenjun
    Inventor before: Zhou Lei; Zhou Wenjun; Jiang Shuanglin
RJ01 Rejection of invention patent application after publication
    Application publication date: 20171020