CN107579981A - A network traffic monitoring method and system


Publication number: CN107579981A
Application number: CN201710806994.XA
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Inventors: 刘文辉, 赵跃明, 樊宇
Current assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Prior art keywords: network, model, flow, sample time, value

Abstract

Embodiments of the present invention provide a network traffic monitoring method and system, addressing the technical problem that protection devices detect network traffic anomalies inefficiently. The method includes: building multiple network traffic models corresponding to multiple sampling periods of the network traffic within a first preset time period, where each network traffic model characterizes the traffic trend of the network traffic in its corresponding sampling period; determining whether a first flow value, taken at a first sampling instant in a first sampling period within a second preset time period that corresponds to the first preset time period, lies within a first flow range, where the first flow range is related to a second flow value, namely the flow value corresponding to the first sampling instant in the first network traffic model, which is the one of the network traffic models that corresponds to the first sampling period; and, if the first flow value is determined to exceed the first flow range, outputting a prompt message indicating that the state of the network traffic in the first sampling period is a state to be assessed.

Description

A network traffic monitoring method and system
Technical field
The present invention relates to the field of network communication technology, and in particular to a network traffic monitoring method and system.
Background
When a distributed denial of service (Distributed Denial of Service, DDoS) protection device is deployed in bypass mode and finds abnormal or threatening traffic, it cleans that traffic: the abnormal or threatening traffic is discarded and the normal service traffic is kept. Once cleaning is complete, the DDoS protection device returns the remaining normal service traffic to its original path, and the traffic is finally routed to its destination. In a bypass deployment, however, an unreasonable configuration of the reinjection interface, or a change to the router configuration on the bypass side, often causes the reinjection interface to fail or the traffic to loop. Either ultimately makes traffic reinjection fail, that is, normal service traffic cannot return to its original path and normal services are affected. To reduce the impact of reinjection interface failure on user traffic, it is necessary to check promptly and accurately whether the reinjection interface configuration is working.
In the prior art, whether a reinjection interface has failed is generally checked manually after the interface is configured: an operator checks whether a media access control (Media Access Control, MAC) address corresponding to the configured reinjection interface has been generated, and the interface is considered to have failed if none has. Because reinjection interface failures are random and unpredictable, irregular manual checks are inefficient. Likewise, to judge whether traffic is looping, staff typically capture a characteristic packet on the DDoS protection device and check whether the time to live (Time To Live, TTL) of that packet decreases. While staff are capturing the characteristic packet, data exchange between servers and clients in the network does not stop, so large numbers of other packets are produced and the characteristic packet used to judge looping is buried among them, which makes it hard to find and the search inefficient.
In summary, the prior art has the technical problem that protection devices cannot detect network traffic anomalies promptly and accurately.
Summary of the invention
Embodiments of the present invention provide a network traffic monitoring method and system to solve the prior-art problem that protection devices cannot detect network traffic anomalies promptly and accurately.
First aspect
An embodiment of the present invention provides a network traffic monitoring method, including:
Building multiple network traffic models corresponding to multiple sampling periods of the network traffic within a first preset time period, where each of the network traffic models characterizes the traffic trend of the network traffic in its corresponding sampling period;
Determining whether a first flow value at a first sampling instant, in a first sampling period within a second preset time period corresponding to the first preset time period, lies within a first flow range, where the first flow range is related to a second flow value, and the second flow value is the flow value corresponding to the first sampling instant in the first network traffic model, which is the one of the network traffic models that corresponds to the first sampling period;
If the first flow value is determined to exceed the first flow range, outputting a prompt message indicating that the state of the network traffic in the first sampling period is a state to be assessed.
Optionally, building the multiple network traffic models corresponding to the multiple sampling periods of the network traffic within the first preset time period includes:
Determining the flow value corresponding to each of the multiple sampling instants included in each of the multiple sampling periods, where adjacent sampling instants are separated by a preset time interval;
Determining, based on the flow value corresponding to each of the sampling instants, the trend of the network traffic in each sampling period of the first preset time period, and building at least one network traffic model corresponding to each sampling period in the first preset time period.
Optionally, determining the trend of the network traffic in each sampling period of the first preset time period based on the flow value corresponding to each of the sampling instants, and building the at least one network traffic model corresponding to each sampling period in the first preset time period, includes:
Determining whether the multiple sampling instants include at least two adjacent sampling instants with the same flow value, the flow value corresponding to those at least two adjacent sampling instants being a third flow value;
If the multiple sampling instants include at least two adjacent sampling instants with the same flow value, determining that the at least one network traffic model includes a constant network traffic model, the constant network traffic model being determined by the third flow value; otherwise, determining that the at least one network traffic model corresponding to each sampling period is a normal-distribution network traffic model.
Optionally, after outputting the prompt message indicating that the state of the network traffic in the first sampling period is a state to be assessed, the method further includes:
Receiving a processing result for the prompt message sent by a network state processing device connected to the network traffic monitoring system, the processing result indicating whether the state to be assessed is a normal traffic state or an abnormal traffic state.
Optionally, after determining whether the first flow value at the first sampling instant, in the first sampling period within the second preset time period corresponding to the first preset time period, lies within the first flow range, the method includes:
If the first flow value is determined to lie within the first flow range, or if the processing result for the prompt message received from the network state processing device connected to the network traffic monitoring system indicates that the network traffic in the first sampling period is in a normal traffic state, determining a fourth flow value at a second sampling instant in the first sampling period;
Determining, based on the first flow value, the first sampling instant, the fourth flow value and the second sampling instant, a first model parameter and a second model parameter for updating the first network traffic model corresponding to the first sampling period;
Updating the first network traffic model to a second network traffic model based on the first model parameter and the second model parameter.
Second aspect
An embodiment of the present invention provides a network traffic monitoring system, including:
A model building module, configured to build multiple network traffic models corresponding to multiple sampling periods of the network traffic within a first preset time period, where each of the network traffic models characterizes the traffic trend of the network traffic in its corresponding sampling period;
A judging module, configured to determine whether a first flow value at a first sampling instant, in a first sampling period within a second preset time period corresponding to the first preset time period, lies within a first flow range, where the first flow range is related to a second flow value, and the second flow value is the flow value corresponding to the first sampling instant in the first network traffic model, which is the one of the network traffic models that corresponds to the first sampling period;
An output module, configured to output, if the first flow value is determined to exceed the first flow range, a prompt message indicating that the state of the network traffic in the first sampling period is a state to be assessed.
Optionally, the model building module is configured to:
Determine the flow value corresponding to each of the multiple sampling instants included in each of the multiple sampling periods, where adjacent sampling instants are separated by a preset time interval;
Determine, based on the flow value corresponding to each of the sampling instants, the trend of the network traffic in each sampling period of the first preset time period, and build at least one network traffic model corresponding to each sampling period in the first preset time period.
Optionally, the model building module is specifically configured to:
Determine whether the multiple sampling instants include at least two adjacent sampling instants with the same flow value, the flow value corresponding to those at least two adjacent sampling instants being a third flow value;
If the multiple sampling instants include at least two adjacent sampling instants with the same flow value, determine that the at least one network traffic model includes a constant network traffic model, the constant network traffic model being determined by the third flow value; otherwise, determine that the at least one network traffic model corresponding to each sampling period is a normal-distribution network traffic model.
Optionally, the system further includes:
A receiving module, configured to receive, after the prompt message indicating that the state of the network traffic in the first sampling period is a state to be assessed has been output, a processing result for the prompt message sent by a network state processing device connected to the network traffic monitoring system, the processing result indicating whether the state to be assessed is a normal traffic state or an abnormal traffic state.
Optionally, the system further includes an update module, the update module being configured to:
If the first flow value is determined to lie within the first flow range, or if the processing result for the prompt message received from the network state processing device connected to the network traffic monitoring system indicates that the network traffic in the first sampling period is in a normal traffic state, determine a fourth flow value at a second sampling instant in the first sampling period;
Determine, based on the first flow value, the first sampling instant, the fourth flow value and the second sampling instant, a first model parameter and a second model parameter for updating the first network traffic model corresponding to the first sampling period;
Update the first network traffic model to a second network traffic model based on the first model parameter and the second model parameter.
Third aspect
An embodiment of the present invention provides a computer apparatus including a processor, the processor being configured to implement the method of the first aspect when executing a computer program stored in a memory.
Fourth aspect
An embodiment of the present invention provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
One or more of the above technical solutions have the following technical effects or advantages:
First, the network traffic monitoring method provided by the embodiments of the present invention is applied to a network traffic monitoring system. It first builds multiple network traffic models corresponding to multiple sampling periods of the network traffic within a first preset time period, where each network traffic model characterizes the traffic trend of the network traffic in its corresponding sampling period. It then determines whether a first flow value at a first sampling instant, in a first sampling period within a second preset time period corresponding to the first preset time period, lies within a first flow range, where the first flow range is related to a second flow value, and the second flow value is the flow value corresponding to the first sampling instant in the first network traffic model, the one of the network traffic models that corresponds to the first sampling period. If the first flow value is determined to exceed the first flow range, it outputs a prompt message indicating that the state of the network traffic in the first sampling period is a state to be assessed. In other words, the embodiments build multiple network traffic models for the sampling periods of the first preset time period and then compare the first flow value in the second preset time period with the first flow range of the network traffic model for the first sampling period, automatically judging whether the traffic in the first sampling period is abnormal, which improves the timeliness and accuracy of that judgment.
Second, in the embodiments of the present invention the network traffic monitoring system can build at least one network traffic model for each sampling period according to the trend in each of the sampling periods of the first preset time period. In the second preset time period the system can therefore monitor the network traffic automatically against the models built in the first preset time period, with higher accuracy.
Third, in the embodiments of the present invention, whenever the network traffic monitoring system determines that the first flow value exceeds the first flow range, it outputs a prompt message indicating that the state of the network traffic in the first sampling period is a state to be assessed, that is, a prompt that the traffic in the first sampling period may be abnormal. The network state processing device connected to the network traffic monitoring system can then judge promptly whether the traffic is in fact abnormal. If the traffic in the first sampling period is abnormal, the network state processing device promptly alerts staff to deal with it. If it is not, the processing result is returned to the network traffic monitoring system so that the system can promptly update the network traffic model for the first sampling period, which keeps its monitoring of the next preset time period accurate.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the network traffic monitoring method in an embodiment of the present invention;
Fig. 2 is a module diagram of the network traffic monitoring system in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the computer apparatus in an embodiment of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings.
First, some terms used in the embodiments are briefly introduced for the benefit of those skilled in the art.
Network traffic can be understood as the volume of data transmitted over the network. The data may include service data, such as access data from user terminals and the data that servers return in response to those accesses, and may also include abnormal data that threatens the network, such as data carrying viruses.
The network traffic monitoring system can be located in a protection device deployed in bypass mode and monitors network traffic in real time. When it judges that the network traffic may contain abnormal traffic, the network traffic monitoring system can generate a prompt message and send it to the network state processing device that is connected to it inside the protection device, so that the network state processing device can further judge, according to the prompt message, whether the network traffic is abnormal. The bypass-deployed protection device in the embodiments of the present invention can be a DDoS protection device.
The preferred embodiments of the present invention are described in detail below with reference to the drawings.
Embodiment 1
Referring to Fig. 1, an embodiment of the present invention provides a network traffic monitoring method that can be applied to a network traffic monitoring system. The process of the method can be described as follows:
S100: Build multiple network traffic models corresponding to multiple sampling periods of the network traffic within a first preset time period, where each of the network traffic models characterizes the traffic trend of the network traffic in its corresponding sampling period;
S200: Determine whether a first flow value at a first sampling instant, in a first sampling period within a second preset time period corresponding to the first preset time period, lies within a first flow range, where the first flow range is related to a second flow value, and the second flow value is the flow value corresponding to the first sampling instant in the first network traffic model, which is the one of the network traffic models that corresponds to the first sampling period;
S300: If the first flow value is determined to exceed the first flow range, output a prompt message indicating that the state of the network traffic in the first sampling period is a state to be assessed.
In S100, so that network traffic can be monitored automatically, the network traffic monitoring system can build multiple network traffic models corresponding to multiple sampling periods within the first preset time period.
The first preset time period can be set by staff according to the volume of network traffic. For example, when the volume of data exchanged in the network is large, the first preset time period can be set to one day, such as 8 a.m. to 8 p.m.; when the volume is small, it can be set to half a day, such as 8 a.m. to 12 noon. Alternatively, the network traffic monitoring system can set the first preset time period automatically according to the volume of the current network traffic. Which way to use can be chosen according to the actual situation, and the embodiments of the present invention place no restriction on it.
In the embodiments of the present invention, traffic in the network fluctuates, and brief steady stretches may occur within the fluctuation. Viewed as a mathematical model, the state of the network traffic can be regarded as a waveform, but the waveform has no fixed period: there is one crest between each pair of adjacent troughs, and the duration of each crest may differ.
The first preset time period can therefore be divided into sampling periods according to the duration of the crest between each pair of adjacent troughs. For example, if the first crest lasts 1 hour, the sampling period corresponding to the first crest is 1 hour; if the second crest lasts 30 minutes, the sampling period corresponding to the second crest is 30 minutes, and so on. The traffic in a sampling period divided in this way may contain a brief steady stretch: for instance, if the sampling period corresponding to the first crest is 1 hour, the flow value may stay the same for 1 minute within that hour.
The network traffic monitoring system can then build a network traffic model for each sampling period. The network traffic model can be a mathematical model, and each network traffic model characterizes the traffic trend of the network traffic in its corresponding sampling period.
Optionally, the network traffic monitoring system can build the multiple network traffic models in, but not limited to, the following way.
First, the network traffic monitoring system can determine the flow value corresponding to each of the multiple sampling instants included in each of the multiple sampling periods, where adjacent sampling instants are separated by a preset time interval.
The network traffic monitoring system can obtain the flow value corresponding to each sampling instant in, but not limited to, the following two ways.
Approach 1: the network traffic monitoring system samples the network traffic of the first preset time period at the preset time interval, then divides the first preset time period into multiple sampling periods according to the trend of the flow values obtained at the sampling instants. It can then determine the flow value corresponding to each of the sampling instants included in each sampling period.
Approach 2: the network traffic monitoring system first divides the first preset time period into multiple sampling periods according to the fluctuation of the network traffic, that is, its overall trend over the first preset time period. It then samples the network traffic of each sampling period at the preset time interval, obtaining the flow value corresponding to each of the sampling instants included in each sampling period.
The preset time interval can be set by staff, or set automatically by the network traffic monitoring system according to the volume of network traffic. An example is 5 s, meaning that adjacent sampling instants are 5 s apart.
Then, the network traffic monitoring system can determine the trend of the network traffic in each sampling period of the first preset time period from the flow value corresponding to each of the sampling instants, and build at least one network traffic model corresponding to each sampling period in the first preset time period.
Optionally, the process of building the at least one network traffic model corresponding to each sampling period in the first preset time period can be described as follows:
The network traffic monitoring system can determine whether the multiple sampling instants include at least two adjacent sampling instants with the same flow value; the flow value corresponding to those at least two adjacent sampling instants is the third flow value.
Take building the first network traffic model, corresponding to the first sampling period of the first preset time period, as an example. The network traffic monitoring system can determine the flow values at the sampling instants in the first sampling period. Suppose the first sampling period is [8:00am, 9:00am] and its sampled flow values are, in order: flow value X at sampling instant A, flow value Y at sampling instant B, flow value Z at sampling instant C, and so on. The network traffic monitoring system determines whether at least two of X, Y, Z are equal and whether the sampling instants corresponding to those equal flow values are adjacent.
If the multiple sampling instants include at least two adjacent sampling instants with the same flow value, the at least one network traffic model is determined to include a constant network traffic model determined by the third flow value. That is, if the network traffic monitoring system determines that X, Y and Z are equal within [8:00am, 9:00am] and that their sampling instants A, B, C are adjacent, it determines the constant network traffic model from any one of X, Y, Z. The network traffic monitoring system can also build a normal-distribution network traffic model from the flow values at the other sampling instants in the first sampling period, excluding those corresponding to X, Y, Z.
In other words, when the network traffic monitoring system determines that the sampling instants in a sampling period include at least two adjacent sampling instants with the same flow value, it can build at least one network traffic model for that sampling period, and the at least one network traffic model includes a constant network traffic model.
If the network traffic monitoring system determines that the sampling instants do not include at least two adjacent sampling instants with the same flow value, it can build only one network traffic model for each sampling period, such as a normal-distribution network traffic model.
In the embodiments of the present invention, normal network traffic fluctuates, may show brief steady stretches within the fluctuation, and overall follows a normal distribution. So that normal network traffic can be described accurately, the at least one network traffic model for each sampling period can be built in, but not limited to, the following ways.
Approach 1: when the trend of the network traffic over the first preset time period follows a normal distribution, the network traffic monitoring system can build the network traffic model corresponding to each sampling period, that is, the normal-distribution network traffic model, using Formula 1.
In Formula 1, $M$ is the number of sampling periods into which the first preset time period can be divided according to the traffic trend, where the stretch between one trough and the next is one sampling period; $m$ denotes one of the $M$ sampling periods; $t_i$ is the $i$-th sampling instant in the $m$-th sampling period; $n$ is the number of samples of the network traffic taken in the $m$-th sampling period; $\sigma_m$ is the standard deviation corresponding to the $m$-th sampling period; and $u_m$ is the sample mean corresponding to the $m$-th sampling period. Because the crests corresponding to different sampling periods among the $M$ sampling periods may differ in duration, the number of samples $n$ taken in the $m$-th sampling period may also differ.
Approach 2: when the network traffic has $w$ consecutive steady flow values in the $m$-th sampling period of the first preset time period, Formula 2 can be used to build the network traffic model for that sampling period, that is, the constant network traffic model:
$f(t_j)_m = \mathrm{Const}_j \quad (0 < m < M,\ 0 < j < w < N)$ (Formula 2)
In Formula 2, $t_j$ denotes the sampling instants corresponding to the $w$ consecutive steady flow values, $\mathrm{Const}_j$ is the steady flow value, and $w$ is the number of consecutive steady flow values sampled in the $m$-th sampling period.
Approach 3: in practice, the traffic trend of the network traffic in the $m$-th sampling period may follow a normal distribution while also showing a brief steady stretch within the fluctuation. In that case Formula 3 can be used to build the network traffic models for the sampling period, comprising a normal-distribution network traffic model and a constant network traffic model.
In Formula 3, there are $n$ sampled flow values in total in the $m$-th sampling period. The first $x$ sampled flow values follow a normal-distribution trend, and the flow is steady from the $x$-th sampled flow value to the $n$-th, that is, from the $x$-th sampling instant to the $n$-th sampling instant the flow value corresponding to each sampling instant is $\mathrm{Const}_i$.
Therefore, network flow monitoring system can will drop to the point of flow rising transition in flow in sampled flows value As trough point, then the sampled flows value of the interlude of adjacent wave valley point two-by-two can be divided into a sample time section, Further according to the variation tendency of sampled flows value in each sample time section, by taking out for network traffics corresponding to each sample time section Sample flow value valley value (including sampled flows value and corresponding sampling time corresponding to trough point) and crest value (including Sampled flows value corresponding to crest and corresponding sampling time) formula one is substituted into, calculate parameter σmAnd um, then by σm And umValue be updated to the normal distribution Model of network traffic that each sample time section is established in formula one again.
Or if network traffics level off, network flow monitoring system can establish constant according to formula two Model of network traffic;If normal distribution is integrally presented in the variation tendency of certain section of sample time section in network traffics, and in the change Under change trend it is possible that of short duration steady, at this moment, network flow monitoring system can build the sample time according to formula three The normal distribution Model of network traffic and constant Model of network traffic of section.
In S200, the network traffic monitoring system can judge whether the first flow value at the first sampling time in the first sample time section of the second preset time period, which corresponds to the first preset time period, lies within the first flow range. The first flow range is related to the second flow value, which is the flow value corresponding to the first sampling time in the first network traffic model, i.e. the model among the multiple network traffic models that corresponds to the first sample time section.
In the embodiment of the present invention, the second preset time period corresponds to the first preset time period: the two can have the same length, and the sample time sections in the second preset time period correspond to the sample time sections in the first preset time period.
For example, if the first preset time period is 8 a.m. to 8 p.m. on the first day, and its sample time sections are [8:00, 9:00], [9:00, 11:00], ..., [14:00, 16:00], [16:00, 20:00], then the second preset time period can be 8 a.m. to 8 p.m. on the day after the first day, and its sample time sections are that second day's [8:00, 9:00], [9:00, 11:00], ..., [14:00, 16:00], [16:00, 20:00].
The network traffic monitoring system can build at least one network traffic model for each sample time section of the first preset time period using the method above. When monitoring the network traffic in the second preset time period, the system determines the first flow value at the first sampling time in the first sample time section, and then determines, among the network traffic models of the first preset time period, the first network traffic model corresponding to the first sample time section.
The system substitutes the first sampling time corresponding to the first flow value into the first network traffic model to obtain the theoretical flow value at that time, i.e. the second flow value in the first network traffic model, and determines the first flow range from the second flow value.
In practice, the first flow range can be (Ti - σ, Ti + σ), where σ is the σ of the first network traffic model and Ti is the second flow value. A flow value within the first flow range is considered a normal flow value, while a flow value outside the first flow range may indicate a traffic anomaly and requires further judgement.
Therefore, in S300, if the network traffic monitoring system determines that the first flow value falls outside the first flow range, it outputs a prompt message indicating that the state of the network traffic in the first sample time section is a to-be-assessed state.
In the embodiment of the present invention, for ease of description, let the first flow value be Tc. The prompt message then falls into two cases:
First, if the first flow value Tc falls outside the first flow range and Tc < Ti - σ, the injection port of the DDoS protection device may have failed. The prompt message can then be a message notifying the network state processing device connected to the network traffic monitoring system to check whether the injection port has failed.
Second, if the first flow value Tc falls outside the first flow range and Tc > Ti + σ, there may be a traffic loop between the DDoS protection device and the next-hop router. The prompt message can then be a message notifying the network state processing device connected to the network traffic monitoring system to check whether the traffic is looping.
Optionally, after the network traffic monitoring system outputs the prompt message indicating that the state of the network traffic in the first sample time section is a to-be-assessed state, the method can further include: receiving a processing result for the prompt message sent by the network state processing device connected to the network traffic monitoring system, where the processing result indicates whether the to-be-assessed state is a normal traffic state or an abnormal traffic state.
Because the prompt message received by the network state processing device comes in two cases, the processing result that the device sends to the network traffic monitoring system also comes in two cases.
For example, if the prompt message instructs the network state processing device to check whether the injection port has failed, the device pings (Packet Internet Groper, PING) the IP address of the injection port. If the ping succeeds, the injection port is normal, and the processing result that the device returns to the network traffic monitoring system indicates that the to-be-assessed state is a normal traffic state. If the ping fails, the injection port is considered to have failed; the device generates an alarm log and can return a processing result to the network traffic monitoring system indicating that the to-be-assessed state is an abnormal traffic state.
Alternatively, if the prompt message instructs the network state processing device to check whether the traffic is looping, the device sends to the next-hop router an Internet Control Message Protocol (ICMP) echo request message whose destination address is the IP address of the server. If the device does not receive that ICMP echo request message, no loop has formed, and the processing result that the device returns to the network traffic monitoring system indicates that the to-be-assessed state is a normal traffic state. Otherwise, the device generates an alarm log and can return a processing result to the network traffic monitoring system indicating that the to-be-assessed state is an abnormal traffic state.
Optionally, after the network traffic monitoring system judges whether the first flow value at the first sampling time in the first sample time section of the second preset time period corresponding to the first preset time period lies within the first flow range, the first network traffic model corresponding to the first sample time section may be updated. This includes, but is not limited to, the following two situations:
Situation one: if the network traffic monitoring system determines that the first flow value lies within the first flow range, i.e. the current first flow value is within the flow range of the normal state, it can go on to determine the fourth flow value at the second sampling time in the first sample time section.
Then, based on the first flow value, the first sampling time, the fourth flow value and the second sampling time, the system determines the first model parameter and the second model parameter used to update the first network traffic model corresponding to the first sample time section. Finally, it updates the first network traffic model to the second network traffic model according to the first model parameter and the second model parameter.
Situation two: if the processing result for the prompt message that the network traffic monitoring system receives from the connected network state processing device indicates that the network traffic is in a normal traffic state in the first sample time section, the system determines the fourth flow value at the second sampling time in the first sample time section;
then, based on the first flow value, the first sampling time, the fourth flow value and the second sampling time, it determines the first model parameter and the second model parameter used to update the first network traffic model corresponding to the first sample time section; finally, it updates the first network traffic model to the second network traffic model according to the first model parameter and the second model parameter.
In both situations, once two normal flow value points have accumulated and both correspond to the same network traffic model, the two points can be substituted into that network traffic model to recalculate the first model parameter, such as the mean u, and the second model parameter, such as the standard deviation σ. The first model parameter and the second model parameter are then written into the corresponding network traffic model, which updates it.
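The trough-to-trough segmentation, the S200/S300 range check and the two-point model update described above can be put together as follows. This is an added example, not code from the patent: formula 1 is not reproduced on this page, so the theoretical value Ti is assumed to be the baseline sample at the same sampling time, σ is assumed to be the population standard deviation of the section's baseline flow values, and all names and the baseline data are constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Sample = Tuple[int, float]  # (sampling time as minutes since 00:00, flow value)

NORMAL = "normal"
CHECK_INJECTION_PORT = "to be assessed: check whether the injection port has failed"
CHECK_TRAFFIC_LOOP = "to be assessed: check for a traffic loop"

# Constructed baseline for the first preset time period (one sample per 30 min).
BASELINE: List[Sample] = [(480, 20), (510, 40), (540, 60), (570, 40), (600, 20),
                          (630, 50), (660, 80), (690, 80), (720, 30)]


@dataclass
class SectionModel:
    start: int
    end: int
    kind: str                     # "normal", "constant" or "normal+constant"
    expected: Dict[int, float]    # sampling time -> theoretical flow value Ti (assumed)
    flows: List[float]            # flow values the parameters are computed from
    u: float                      # first model parameter: mean
    sigma: float                  # second model parameter: standard deviation
    pending: List[Sample] = field(default_factory=list)


def split_at_troughs(samples: List[Sample]) -> List[List[Sample]]:
    """Cut the series into sample time sections that run from trough to trough.

    A trough is a sample where the flow turns from falling to rising; it closes
    one section and opens the next, so adjacent sections share that sample.
    """
    cuts = [0]
    for i in range(1, len(samples) - 1):
        if samples[i - 1][1] > samples[i][1] < samples[i + 1][1]:
            cuts.append(i)
    cuts.append(len(samples) - 1)
    return [samples[a:b + 1] for a, b in zip(cuts, cuts[1:]) if b > a]


def build_model(section: List[Sample]) -> SectionModel:
    """Pick the model kind for one section and compute u and sigma."""
    steady: Set[int] = set()
    for (t0, v0), (t1, v1) in zip(section, section[1:]):
        if v0 == v1:              # two adjacent sampling times, same flow value
            steady.update((t0, t1))
    times = {t for t, _ in section}
    kind = "normal" if not steady else "constant" if steady == times else "normal+constant"
    flows = [float(v) for _, v in section]
    return SectionModel(section[0][0], section[-1][0], kind,
                        {t: float(v) for t, v in section}, flows,
                        mean(flows), pstdev(flows))


def model_for(models: List[SectionModel], t: int) -> SectionModel:
    """Return the model of the first sample time section that contains time t."""
    for m in models:
        if m.start <= t <= m.end and t in m.expected:
            return m
    raise KeyError(f"no model covers sampling time {t}")


def check(model: SectionModel, t: int, tc: float) -> str:
    """Compare the observed value Tc with the range (Ti - sigma, Ti + sigma)."""
    ti = model.expected[t]
    if tc < ti - model.sigma:     # below the range: injection port may have failed
        return CHECK_INJECTION_PORT
    if tc > ti + model.sigma:     # above the range: traffic may be looping
        return CHECK_TRAFFIC_LOOP
    return NORMAL


def record_normal(model: SectionModel, t: int, tc: float) -> bool:
    """Queue a normal point; refit u and sigma once two have accumulated.

    Called when check() returns NORMAL or when the network state processing
    device reports that a to-be-assessed point was normal. Returns True on refit.
    """
    model.pending.append((t, tc))
    if len(model.pending) < 2:
        return False
    model.flows.extend(v for _, v in model.pending)
    model.pending.clear()
    model.u, model.sigma = mean(model.flows), pstdev(model.flows)
    return True


if __name__ == "__main__":
    models = [build_model(s) for s in split_at_troughs(BASELINE)]
    # Constructed observations from the second preset time period.
    for t, tc in [(540, 55.0), (540, 30.0), (540, 90.0), (570, 45.0)]:
        m = model_for(models, t)
        status = check(m, t, tc)
        if status == NORMAL:
            record_normal(m, t, tc)
        print(t, tc, status, round(m.u, 2), round(m.sigma, 2))
```

A purely constant section has σ = 0 under these assumptions, so any deviation from the steady value is reported as to-be-assessed; a deployment would need a minimum tolerance for such sections.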
Embodiment two
Based on the same inventive concept, and referring to Fig. 2, an embodiment of the present invention provides a network traffic monitoring system 20, which includes a model construction module 21, a judging module 22 and an output module 23.
The model construction module 21 is used to build multiple network traffic models corresponding to multiple sample time sections of the network traffic in the first preset time period, where each of the multiple network traffic models characterizes the traffic variation trend of the network traffic in the corresponding sample time section;
the judging module 22 is used to judge whether the first flow value at the first sampling time in the first sample time section of the second preset time period corresponding to the first preset time period lies within the first flow range, where the first flow range is related to the second flow value, and the second flow value is the flow value corresponding to the first sampling time in the first network traffic model, i.e. the model among the multiple network traffic models that corresponds to the first sample time section;
the output module 23 is used to output, if the first flow value is determined to fall outside the first flow range, a prompt message indicating that the state of the network traffic in the first sample time section is a to-be-assessed state.
Optionally, the model construction module 21 is used to:
determine the flow value corresponding to each of the multiple sampling times included in each of the multiple sample time sections, where any two adjacent sampling times among the multiple sampling times are separated by a preset time interval;
determine, based on the flow value corresponding to each of the multiple sampling times, the variation trend of the network traffic in each sample time section of the first preset time period, and build at least one network traffic model corresponding to each sample time section in the first preset time period.
Optionally, the model construction module 21 is specifically used to:
judge whether the multiple sampling times include at least two adjacent sampling times with the same flow value, the flow value corresponding to the at least two adjacent sampling times being the third flow value;
if the multiple sampling times include at least two adjacent sampling times with the same flow value, determine that the at least one network traffic model includes a constant network traffic model, which is determined by the third flow value; otherwise, determine that the at least one network traffic model corresponding to each sample time section is a normal distribution network traffic model.
Optionally, the network traffic monitoring system 20 also includes:
a receiving module, used to receive, after the prompt message indicating that the state of the network traffic in the first sample time section is a to-be-assessed state has been output, a processing result for the prompt message sent by the network state processing device connected to the network traffic monitoring system, where the processing result indicates whether the to-be-assessed state is a normal traffic state or an abnormal traffic state.
Optionally, the network traffic monitoring system 20 also includes an update module, which is used to:
determine the fourth flow value at the second sampling time in the first sample time section if the first flow value is determined to lie within the first flow range, or if the received processing result for the prompt message, sent by the network state processing device connected to the network traffic monitoring system, indicates that the network traffic is in a normal traffic state in the first sample time section;
determine, based on the first flow value, the first sampling time, the fourth flow value and the second sampling time, the first model parameter and the second model parameter used to update the first network traffic model corresponding to the first sample time section;
update the first network traffic model to the second network traffic model based on the first model parameter and the second model parameter.
Embodiment three
An embodiment of the present invention also provides a computer device. Referring to Fig. 3, the computer device includes a processor 31 and a memory 32, where the processor 31, when executing the computer program stored in the memory 32, implements the steps of the network traffic monitoring method provided in the embodiments of the present invention.
Optionally, the processor 31 can be a central processing unit or an application-specific integrated circuit (ASIC), can be one or more integrated circuits for controlling program execution, can be a hardware circuit developed using a field programmable gate array (FPGA), or can be a baseband processor.
Optionally, the processor 31 can include at least one processing core.
Optionally, the electronic device also includes the memory 32, which can include read-only memory (ROM), random access memory (RAM) and disk storage. The memory 32 stores the data the processor 31 needs at run time. There can be one or more memories 32.
Embodiment four
An embodiment of the present invention also provides a computer-readable storage medium that stores computer instructions. When the computer instructions are run on a computer, they implement the steps of the network traffic monitoring method provided in the embodiments of the present invention.
In the embodiments of the present invention, it should be understood that the disclosed network traffic monitoring method and network traffic monitoring system can be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation. Multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. In addition, the couplings, direct couplings or communication connections shown or discussed can be indirect couplings or communication connections through interfaces, devices or units, and can be electrical or take other forms.
The functional units in the embodiments of the present invention can be integrated into one processing unit, or each unit can be an independent physical module.
If an integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. On this understanding, all or part of the technical solution of the embodiments of the present invention can be embodied as a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device, such as a personal computer, a server or a network device, or a processor, to perform all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive (Universal Serial Bus flash drive), a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The embodiments above are only used to describe the technical solution in detail. Their explanation is only intended to help in understanding the method of the embodiments of the present invention and should not be construed as limiting the embodiments of the present invention. Any change or replacement that a person skilled in the art can readily conceive of falls within the protection scope of the embodiments of the present invention.

Claims (12)

  1. A network traffic monitoring method, applied to a network traffic monitoring system, characterized in that the method includes:
    building multiple network traffic models corresponding to multiple sample time sections of the network traffic in a first preset time period, where each of the multiple network traffic models characterizes the traffic variation trend of the network traffic in the corresponding sample time section;
    judging whether the first flow value at the first sampling time in the first sample time section of a second preset time period corresponding to the first preset time period lies within a first flow range, where the first flow range is related to a second flow value, and the second flow value is the flow value corresponding to the first sampling time in the first network traffic model, which is the model among the multiple network traffic models that corresponds to the first sample time section;
    if the first flow value is determined to fall outside the first flow range, outputting a prompt message indicating that the state of the network traffic in the first sample time section is a to-be-assessed state.
  2. The method as described in claim 1, characterized in that building the multiple network traffic models corresponding to the multiple sample time sections of the network traffic in the first preset time period includes:
    determining the flow value corresponding to each of the multiple sampling times included in each of the multiple sample time sections, where any two adjacent sampling times among the multiple sampling times are separated by a preset time interval;
    determining, based on the flow value corresponding to each of the multiple sampling times, the variation trend of the network traffic in each sample time section of the first preset time period, and building at least one network traffic model corresponding to each sample time section in the first preset time period.
  3. The method as claimed in claim 2, characterized in that determining, based on the flow value corresponding to each of the multiple sampling times, the variation trend of the network traffic in each sample time section of the first preset time period, and building at least one network traffic model corresponding to each sample time section in the first preset time period, includes:
    judging whether the multiple sampling times include at least two adjacent sampling times with the same flow value, the flow value corresponding to the at least two adjacent sampling times being the third flow value;
    if the multiple sampling times include at least two adjacent sampling times with the same flow value, determining that the at least one network traffic model includes a constant network traffic model, which is determined by the third flow value; otherwise, determining that the at least one network traffic model corresponding to each sample time section is a normal distribution network traffic model.
  4. The method as claimed in claim 3, characterized in that, after outputting the prompt message indicating that the state of the network traffic in the first sample time section is a to-be-assessed state, the method also includes:
    receiving a processing result for the prompt message sent by the network state processing device connected to the network traffic monitoring system, where the processing result indicates whether the to-be-assessed state is a normal traffic state or an abnormal traffic state.
  5. The method as described in claim 1 or 4, characterized in that, after judging whether the first flow value at the first sampling time in the first sample time section of the second preset time period corresponding to the first preset time period lies within the first flow range, the method includes:
    determining the fourth flow value at the second sampling time in the first sample time section if the first flow value is determined to lie within the first flow range, or if the received processing result for the prompt message, sent by the network state processing device connected to the network traffic monitoring system, indicates that the network traffic is in a normal traffic state in the first sample time section;
    determining, based on the first flow value, the first sampling time, the fourth flow value and the second sampling time, the first model parameter and the second model parameter used to update the first network traffic model corresponding to the first sample time section;
    updating the first network traffic model to the second network traffic model based on the first model parameter and the second model parameter.
  6. A network traffic monitoring system, characterized in that the system includes:
    a model construction module, used to build multiple network traffic models corresponding to multiple sample time sections of the network traffic in a first preset time period, where each of the multiple network traffic models characterizes the traffic variation trend of the network traffic in the corresponding sample time section;
    a judging module, used to judge whether the first flow value at the first sampling time in the first sample time section of a second preset time period corresponding to the first preset time period lies within a first flow range, where the first flow range is related to a second flow value, and the second flow value is the flow value corresponding to the first sampling time in the first network traffic model, which is the model among the multiple network traffic models that corresponds to the first sample time section;
    an output module, used to output, if the first flow value is determined to fall outside the first flow range, a prompt message indicating that the state of the network traffic in the first sample time section is a to-be-assessed state.
  7. The system as claimed in claim 6, characterized in that the model construction module is used to:
    determine the flow value corresponding to each of the multiple sampling times included in each of the multiple sample time sections, where any two adjacent sampling times among the multiple sampling times are separated by a preset time interval;
    determine, based on the flow value corresponding to each of the multiple sampling times, the variation trend of the network traffic in each sample time section of the first preset time period, and build at least one network traffic model corresponding to each sample time section in the first preset time period.
  8. The system as claimed in claim 7, characterized in that the model construction module is specifically used to:
    judge whether the multiple sampling times include at least two adjacent sampling times with the same flow value, the flow value corresponding to the at least two adjacent sampling times being the third flow value;
    if the multiple sampling times include at least two adjacent sampling times with the same flow value, determine that the at least one network traffic model includes a constant network traffic model, which is determined by the third flow value; otherwise, determine that the at least one network traffic model corresponding to each sample time section is a normal distribution network traffic model.
  9. The system as claimed in claim 8, characterized in that the system also includes:
    a receiving module, used to receive, after the prompt message indicating that the state of the network traffic in the first sample time section is a to-be-assessed state has been output, a processing result for the prompt message sent by the network state processing device connected to the network traffic monitoring system, where the processing result indicates whether the to-be-assessed state is a normal traffic state or an abnormal traffic state.
  10. The system as described in claim 6 or 9, characterized in that the system also includes an update module, which is used to:
    determine the fourth flow value at the second sampling time in the first sample time section if the first flow value is determined to lie within the first flow range, or if the received processing result for the prompt message, sent by the network state processing device connected to the network traffic monitoring system, indicates that the network traffic is in a normal traffic state in the first sample time section;
    determine, based on the first flow value, the first sampling time, the fourth flow value and the second sampling time, the first model parameter and the second model parameter used to update the first network traffic model corresponding to the first sample time section;
    update the first network traffic model to the second network traffic model based on the first model parameter and the second model parameter.
  11. A computer device, characterized in that the computer device includes a processor, and the processor, when executing the computer program stored in a memory, implements the method as described in any one of claims 1-5.
  12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method as described in any one of claims 1-5.
CN201710806994.XA 2017-09-08 2017-09-08 A kind of network flow monitoring method and system Pending CN107579981A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710806994.XA CN107579981A (en) 2017-09-08 2017-09-08 A kind of network flow monitoring method and system

Publications (1)

Publication Number Publication Date
CN107579981A true CN107579981A (en) 2018-01-12

Family

ID=61033035

CN108768794A (en) A kind of flow rate testing methods of network cluster, device, equipment and medium
CN108111423A (en) Flow transfer management method, apparatus and network derived channel equipment
CN108809765A (en) Network quality test method and device
CN106161124B (en) Message test processing method and device
CN107612764A (en) A kind of transmission network management data acquisition device and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180112