CN108650218B - Network Traffic Monitoring method, apparatus, computer equipment and storage medium - Google Patents


Publication number
CN108650218B
Authority
CN
China
Prior art keywords
application scenarios
default application
network flow
flow
vector
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810239414.8A
Other languages
Chinese (zh)
Other versions
CN108650218A (en
Inventor
李洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201810239414.8A (CN108650218B)
Priority to PCT/CN2018/092654 (WO2019178968A1)
Publication of CN108650218A
Application granted
Publication of CN108650218B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network traffic monitoring method, apparatus, computer equipment and storage medium. The network traffic monitoring method includes: obtaining actual network traffic, and obtaining, based on the actual network traffic, at least one corresponding preset application scenario and the actual feature vector corresponding to each preset application scenario; querying a preset normal traffic model library based on the at least one preset application scenario to obtain the normal feature vector corresponding to each preset application scenario; if the intersection of the actual feature vector and the normal feature vector corresponding to the same preset application scenario is less than a first threshold, treating the actual feature vector of that preset application scenario as an abnormal traffic set; and counting the abnormal proportion corresponding to the abnormal traffic sets, where, if the abnormal proportion is greater than a second threshold, the actual network traffic is abnormal network traffic. The method identifies the presence of abnormal traffic in a simple and efficient way and is suited to the cloud security field, where the volume of network traffic computation is large.

Description

Network traffic monitoring method, apparatus, computer equipment and storage medium
Technical field
The present invention relates to the field of network security, and in particular to a network traffic monitoring method, apparatus, computer equipment and storage medium.
Background art
Bursts of abnormal network traffic congest the network, causing packet loss, delay and jitter and degrading the quality of network services. Moreover, such bursts of abnormal network traffic may also carry security risks, for example DDoS attacks, worms and theft of confidential data, which can do great harm to networks and business systems.
Common methods of monitoring abnormal network traffic generally either extract a "fingerprint" of abnormal traffic in order to identify it, or identify abnormal traffic with a machine learning model. The former cannot identify abnormal network traffic that has not yet been discovered; the latter has to reach its decision through complex data mining algorithms. In the cloud security field, which involves big-data computation, existing monitoring schemes struggle to provide efficient and accurate monitoring of abnormal network traffic.
Summary of the invention
Embodiments of the present invention provide a network traffic monitoring method, apparatus, computer equipment and storage medium, to solve the problem that no efficient and accurate abnormal network traffic monitoring scheme is available in the cloud security field with big-data computation.
In a first aspect, an embodiment of the present invention provides a network traffic monitoring method, comprising:
obtaining actual network traffic, and obtaining, based on the actual network traffic, at least one corresponding preset application scenario and the actual feature vector corresponding to each preset application scenario;
querying a preset normal traffic model library based on the at least one preset application scenario to obtain the normal feature vector corresponding to each preset application scenario;
if the intersection of the actual feature vector and the normal feature vector corresponding to the same preset application scenario is less than a first threshold, treating the actual feature vector corresponding to that preset application scenario as an abnormal traffic set;
counting the abnormal proportion corresponding to the abnormal traffic sets, where, if the abnormal proportion is greater than a second threshold, the actual network traffic is abnormal network traffic.
In a second aspect, an embodiment of the present invention provides a network traffic monitoring apparatus, comprising:
a network traffic obtaining module, configured to obtain actual network traffic and to obtain, based on the actual network traffic, at least one corresponding preset application scenario and the actual feature vector corresponding to each preset application scenario;
a feature vector obtaining module, configured to query a preset normal traffic model library based on the at least one preset application scenario and obtain the normal feature vector corresponding to each preset application scenario;
a corresponding feature vector module, configured to treat the actual feature vector corresponding to a preset application scenario as an abnormal traffic set if the intersection of the actual feature vector and the normal feature vector corresponding to that same preset application scenario is less than a first threshold;
an abnormal proportion counting module, configured to count the abnormal proportion corresponding to the abnormal traffic sets, where, if the abnormal proportion is greater than a second threshold, the actual network traffic is abnormal network traffic.
A third aspect of the present invention provides computer equipment, including a memory, a processor and a computer program that is stored in the memory and can run on the processor, where the processor, when executing the computer program, implements the steps of the network traffic monitoring method described in the first aspect of the present invention.
A fourth aspect of the present invention provides a computer-readable storage medium storing a computer program, where the computer program, when executed by a processor, implements the steps of the network traffic monitoring method described in the first aspect of the present invention.
The network traffic monitoring method, apparatus, computer equipment and storage medium provided by the embodiments of the present invention obtain actual network traffic and query a preset normal traffic model library based on the application scenarios corresponding to the actual network traffic, in order to monitor whether the actual network traffic is abnormal network traffic. On the one hand, because the actual network traffic is monitored against the normal traffic model library, abnormal network traffic that has not yet been discovered can also be detected; on the other hand, the normal traffic model library, once established, is applicable to the cloud security field, where the volume of network traffic computation is large, and identifies network anomalies efficiently and quickly.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the network traffic monitoring method in Embodiment 1 of the present invention.
Fig. 2 is another specific flow chart of the network traffic monitoring method in Embodiment 1 of the present invention.
Fig. 3 is another specific flow chart of the network traffic monitoring method in Embodiment 1 of the present invention.
Fig. 4 is another specific flow chart of the network traffic monitoring method in Embodiment 1 of the present invention.
Fig. 5 is another specific flow chart of the network traffic monitoring method in Embodiment 1 of the present invention.
Fig. 6 is another specific flow chart of the network traffic monitoring method in Embodiment 1 of the present invention.
Fig. 7 is another specific flow chart of the network traffic monitoring method in Embodiment 1 of the present invention.
Fig. 8 is a functional block diagram of the network traffic monitoring apparatus in Embodiment 2 of the present invention.
Fig. 9 is a schematic diagram of the computer equipment in Embodiment 4 of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
An accurate network traffic model helps in designing better network protocols, more reasonable network topologies and more intelligent network monitoring systems, so as to provide more efficient QoS (Quality of Service) and keep the network running efficiently, stably and securely. A network is a complex nonlinear system that is also affected by a variety of complex external factors, so the traffic model (i.e. the network traffic model) is likewise complex and changeable. Most existing network traffic models are based on abnormal traffic and are built through complex machine learning. The embodiments of the present invention propose a method that models normal traffic and monitors network traffic against that model. The method is mainly used in big-data computation, where timeliness requirements are high, and especially in cloud computing.
Traffic monitoring means managing and controlling network communication packets, while also optimizing and limiting them. Its purpose is to permit and guarantee the efficient transmission of packets and to prevent or restrict the transmission of invalid packets.
Cloud computing is a shared pool of configurable computing resources (including networks, servers, storage, application software and services) that provides available, convenient, on-demand network access. As cloud computing applications deepen and demand for big-data processing keeps expanding, users' requirements for the performance and security of cloud computing rise accordingly. The method of this proposal is executed by the server that provides the shared resource pool.
Embodiment 1
Fig. 1 shows the flow chart of the network traffic monitoring method in this embodiment. The method is applied to a server in a cloud computing environment. The server can provide different cloud services according to client demand, for example virtual hosts, private networks and cloud storage. As shown in Fig. 1, the network traffic monitoring method includes the following steps:
S10. Obtain actual network traffic, and obtain, based on the actual network traffic, at least one corresponding preset application scenario and the actual feature vector corresponding to each preset application scenario.
Actual network traffic is the network traffic collected in real time during this round of traffic monitoring. Network traffic is the volume of data transmitted over the network in packets; two computers "communicate" over the network by sending and receiving packets.
An application scenario is a business model built on the cloud platform for a particular service. In this embodiment the server holds a preset application scenario library, and business scenarios are added to or removed from the library at any time as services are added or removed; the business scenarios stored in the library are the preset application scenarios. Network traffic for many business scenarios is carried from the cloud computing resource pool into the upper-layer network. The traffic of each business scenario should be distinguished one by one, a separate business model built for each, and the underlying protocol types of the different services identified, so that when cloud computing traffic surges each logical service network remains clear and the different kinds of network traffic can be extracted from the huge data stream.
Different business scenarios produce different network traffic. For the various industry applications, the traffic of the different business scenarios in the cloud computing network should be distinguished, and that traffic managed with a feature extraction algorithm. A feature vector is the feature data, under the corresponding application scenario, obtained after the network traffic has been distinguished and managed. The feature extraction algorithm provides visibility into traffic inside the network and control over network resources, and distinguishes the data traffic of an individual user under a preset application scenario; specifically, it may be the DPI (Deep Packet Inspection) algorithm.
The relationship between actual network traffic, preset application scenarios and actual feature vectors is illustrated as follows. All network traffic received at the input port of the cloud platform server is actual network traffic. This actual network traffic may include the traffic of at least three preset application scenarios, as follows:
(1) SaaS application scenario:
Includes a large amount of HTTP and HTTPS traffic, mainly on ports 80 and 443.
(2) PaaS application scenario:
PaaS provides customized software runtime environments to external users, and often generates differing data traffic during the system development and debugging stages.
(3) IaaS application scenario:
IaaS traffic belongs to online storage services, and the traffic generated by each storage channel also differs.
After the server has divided the network traffic into the three preset application scenarios above, it applies the feature extraction algorithm to the traffic of each preset application scenario to extract the corresponding actual feature vector.
In this step the server, after distinguishing and managing the actual network traffic, obtains at least one preset application scenario and the corresponding actual feature vector. The huge volume of cloud data is thus processed at a finer granularity, so that the server can go on to determine, based on the preset application scenarios and actual feature vectors, whether the actual network traffic is abnormal, which reduces the complexity of processing cloud data.
S20. Query the preset normal traffic model library based on the at least one preset application scenario, and obtain the normal feature vector corresponding to each preset application scenario.
The normal traffic model library is the database formed by the normal feature vectors of all application scenarios, stored under normal network traffic conditions, against which actual network traffic is compared for anomalies. Normal network traffic refers to the transmission speed and number of traffic packets in the network when the network is in a secure and stable state. A normal feature vector is the feature data obtained by applying the feature extraction algorithm to normal network traffic.
In an actual network detection environment, each preset application scenario corresponds to two feature vectors: a normal feature vector and an actual feature vector. In this embodiment the actual feature vector is obtained by applying the feature extraction algorithm to the actual network traffic currently collected in real time. The normal feature vector is collected and stored in advance for a given preset application scenario and serves as the reference for judging whether the actual feature vector is abnormal. In this step the server obtains the actual feature vector of the current preset application scenario and retrieves the corresponding normal feature vector, so that it can then work directly on the two vectors for that scenario.
S30. If the intersection of the actual feature vector and the normal feature vector corresponding to the same preset application scenario is less than the first threshold, the actual feature vector corresponding to that preset application scenario is an abnormal traffic set.
Samples of the same class are generally similar. If the samples of the actual feature vector and of the normal feature vector cluster together in feature space, that is, the distance between the samples is small, the actual feature vector is a normal feature vector. Conversely, when the distance between the samples of the actual feature vector and those of the normal feature vector is large, the actual feature vector of the preset application scenario is an abnormal traffic set.
The first threshold is the minimum intersection range, delimited in advance in the spatial distribution, for regarding an actual feature vector as a normal feature vector.
Further, the server compares the intersection of the actual feature vector and the normal feature vector; the algorithm used to detect the abnormal traffic set is described as follows:
In this step a simple algorithm yields the intersection of the normal feature vector and the actual feature vector for each preset application scenario, which speeds up the server's anomaly decisions across the actual feature vectors of multiple preset application scenarios.
S40. Count the abnormal proportion corresponding to the abnormal traffic sets; if the abnormal proportion is greater than the second threshold, the actual network traffic is abnormal network traffic.
The abnormal proportion is the percentage of abnormal traffic sets among the total number of detected traffic sets. The second threshold is determined from practical experience and need, and is the critical point that separates abnormal traffic sets from non-abnormal traffic sets.
In this step the number of abnormal traffic sets in the actual network traffic is counted, giving the proportion of abnormal traffic sets among all detected traffic sets. If this abnormal proportion is greater than the configured second threshold, the actual network traffic is abnormal network traffic and the server needs to take further action, such as locking the port that receives the actual network traffic.
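Steps S30 and S40 as an added Python example, not code from the patent. Because the page does not reproduce the patent's intersection algorithm, the example assumes each feature vector is a set of discrete feature items and measures the intersection as the share of the normal items that also appear in the actual set; the library contents, observations, thresholds and function names are constructed for illustration.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

FeatureSet = FrozenSet[str]
Observation = Tuple[str, FeatureSet]  # (preset application scenario, actual feature set)

# Constructed normal traffic model library (S20): scenario -> normal feature items.
# Only the SaaS ports 80/443 come from the page; everything else is sample data.
NORMAL_MODEL_LIBRARY: Dict[str, FeatureSet] = {
    "SaaS": frozenset({"proto:HTTP", "proto:HTTPS", "port:80", "port:443", "resp:fast"}),
    "PaaS": frozenset({"proto:HTTPS", "proto:SSH", "port:22", "port:8080", "resp:fast"}),
    "IaaS": frozenset({"proto:NFS", "proto:HTTPS", "port:2049", "port:443", "resp:fast"}),
}

# Constructed actual feature sets from four collection windows (S10 output).
OBSERVATIONS: List[Observation] = [
    ("SaaS", frozenset({"proto:HTTP", "proto:HTTPS", "port:80", "port:443", "resp:slow"})),
    ("PaaS", frozenset({"proto:UDP", "port:53", "port:8080", "resp:slow"})),
    ("IaaS", frozenset({"proto:NFS", "proto:HTTPS", "port:2049", "port:443", "resp:fast"})),
    ("SaaS", frozenset({"proto:UDP", "port:80"})),
]


def overlap(actual: FeatureSet, normal: FeatureSet) -> float:
    """Assumed intersection measure: |actual & normal| / |normal|, in [0, 1]."""
    if not normal:
        return 0.0  # no baseline to intersect with
    return len(actual & normal) / len(normal)


def find_abnormal_sets(observations: Iterable[Observation],
                       library: Dict[str, FeatureSet],
                       first_threshold: float) -> List[Observation]:
    """S30: an actual feature set whose overlap is below the first threshold is abnormal."""
    abnormal = []
    for scenario, actual in observations:
        # Assumption: a scenario missing from the library has an empty baseline,
        # so its overlap is 0 and it is counted as abnormal.
        normal = library.get(scenario, frozenset())
        if overlap(actual, normal) < first_threshold:
            abnormal.append((scenario, actual))
    return abnormal


def is_abnormal_traffic(observations: Iterable[Observation],
                        library: Dict[str, FeatureSet],
                        first_threshold: float,
                        second_threshold: float):
    """S40: flag the traffic when abnormal sets / detected sets exceeds the second threshold."""
    observations = list(observations)
    if not observations:
        return False, 0.0, []
    abnormal = find_abnormal_sets(observations, library, first_threshold)
    proportion = len(abnormal) / len(observations)
    return proportion > second_threshold, proportion, abnormal


if __name__ == "__main__":
    flagged, proportion, abnormal = is_abnormal_traffic(
        OBSERVATIONS, NORMAL_MODEL_LIBRARY, first_threshold=0.6, second_threshold=0.4)
    print("abnormal proportion:", proportion, "flagged:", flagged)
    for scenario, features in abnormal:
        print("abnormal set in", scenario, sorted(features))
```

The comparison in S40 is strict, so a proportion exactly equal to the second threshold does not flag the traffic.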
The network traffic monitoring method, apparatus, computer equipment and storage medium provided by the embodiments of the present invention obtain actual network traffic and query a preset normal traffic model library based on the application scenarios corresponding to the actual network traffic, in order to monitor whether the actual network traffic is abnormal network traffic. On the one hand, because the actual network traffic is monitored against the normal traffic model library, abnormal network traffic that has not yet been discovered can also be detected; on the other hand, the normal traffic model library, once established, is applicable to the cloud security field, where the volume of network traffic computation is large, and identifies network anomalies efficiently and quickly.
In a specific embodiment, as shown in Fig. 2, step S10, i.e. obtaining at least one corresponding preset application scenario and actual feature vector based on the actual network traffic, specifically includes the following steps:
S11. Based on the actual network traffic, invoke the preset application scenario baselines to divide the actual network traffic and obtain the corresponding preset application scenarios.
An application scenario baseline is delimited by the behavioural features of the normal network traffic of a preset application scenario. The behavioural features include network utilization, application response time, protocol distribution and user bandwidth consumption.
Network utilization: a measure of how much bandwidth was used in a specified time interval; network utilization can be measured by protocol.
Application response time: mainly used to show connections to Web sites in the network, for example which computers in the local area network are browsing the Internet, or which websites are mainly being browsed.
Protocol distribution: reports network usage according to the distribution of session-layer, transport-layer and application-layer protocols.
User bandwidth consumption: bandwidth is the amount of data that can pass through a link per unit time; here it refers to the amount of data occupied by a user when using the network.
Further, different preset application scenarios have different application scenario baselines. When new actual network traffic does not fall on the baseline delimited for an application scenario, it can be judged that this traffic does not belong to that preset application scenario.
In this step the server uses the application scenario baselines to divide the actual network traffic into several preset application scenarios, which makes the process of judging the actual network traffic more targeted and logical.
S12. Based on the actual network traffic, use the feature extraction algorithm corresponding to the preset application scenario to perform feature extraction and feature vectorization on the actual network traffic, and obtain the corresponding actual feature vector.
Feature extraction and feature vectorization with the feature extraction algorithm corresponding to the preset application scenario mainly comprise the following steps:
(1) Perform feature extraction on the actual network traffic using the feature extraction algorithm corresponding to the preset application scenario.
In this embodiment the feature extraction algorithm corresponding to the preset application scenario may specifically be the DPI algorithm. The DPI (Deep Packet Inspection) algorithm can be used to inspect the application-layer protocol of packets in order to detect, parse and discover P2P data flows. DPI helps provide visibility into traffic inside the network and control over network resources, and can distinguish the data flows of a specific user under a preset application scenario.
The DPI algorithm stores payload signature strings in a payload signature library, and packets that match a payload signature string are regarded as P2P data flows. Almost every preset application scenario that corresponds to a P2P application has its own application-layer protocol; by capturing data messages and analysing their characteristics, a unique payload signature string can be defined for each P2P application-layer protocol. The principle for defining a payload signature string is: choose as the signature a field that is specific to the protocol, that must appear during the interaction, and that occurs most frequently in the actual environment.
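The payload-signature matching described above, as an added Python example that is not part of the patent. The Signature type, the small library and the sample payloads are constructed for illustration, with patterns taken from the public BitTorrent and Gnutella protocol exchanges, and anchoring a pattern at a fixed offset is an assumption about how such a library is applied.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Signature:
    """One payload signature string (hypothetical structure, not from the patent)."""
    protocol: str
    pattern: bytes
    offset: Optional[int] = 0  # fixed byte offset, or None to search the payload head
    depth: int = 256           # number of leading bytes searched when offset is None


# Constructed signature library. Each pattern is a field that is specific to the
# protocol and always present in its exchange, following the principle above.
SIGNATURE_LIBRARY: List[Signature] = [
    Signature("BitTorrent", b"\x13BitTorrent protocol"),          # peer handshake
    Signature("Gnutella", b"GNUTELLA CONNECT/"),                  # connect request
    Signature("BitTorrent-tracker", b"info_hash=", offset=None),  # HTTP announce
]

# Constructed sample flows: each is the list of payloads seen at the start of a flow.
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-XX0000-" + bytes(12)
SAMPLE_FLOWS: Dict[str, List[bytes]] = {
    "flow-a": [b"", BT_HANDSHAKE],
    "flow-b": [b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"],
    "flow-c": [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    "flow-d": [b"GET /announce?info_hash=%00%01&port=6881 HTTP/1.1\r\n\r\n"],
    "flow-e": [b"xx\x13BitTorrent protocol"],  # signature bytes present, wrong offset
}


def matches(sig: Signature, payload: bytes) -> bool:
    if sig.offset is None:
        return sig.pattern in payload[:sig.depth]
    # Slicing past the end returns a shorter slice, so truncated payloads never match.
    return payload[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern


def classify_payload(payload: bytes,
                     library: Iterable[Signature] = SIGNATURE_LIBRARY) -> Optional[str]:
    """Return the protocol of the first matching signature, or None."""
    for sig in library:
        if matches(sig, payload):
            return sig.protocol
    return None


def classify_flow(payloads: Iterable[bytes], max_packets: int = 4) -> Optional[str]:
    """Label a flow from its first few non-empty payloads; None means no signature hit."""
    inspected = 0
    for payload in payloads:
        if not payload:
            continue  # empty segments (e.g. bare ACKs) carry nothing to inspect
        label = classify_payload(payload)
        if label is not None:
            return label
        inspected += 1
        if inspected >= max_packets:
            break
    return None


def label_flows(flows: Dict[str, List[bytes]]) -> Dict[str, Optional[str]]:
    return {name: classify_flow(payloads) for name, payloads in flows.items()}


if __name__ == "__main__":
    for name, label in label_flows(SAMPLE_FLOWS).items():
        print(name, "->", label or "no P2P signature")
```

Anchoring a signature at the offset where the protocol places it keeps the same bytes from matching when they merely occur somewhere inside unrelated payload data, as flow-e shows.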
Valid features in the preset application scenario are then extracted from the captured P2P data flows, for example: the user's inbound path, the user's inbound page, the user's general route when browsing the site, the dwell time of each visit and the page from which the user exits.
(2) Vectorize the extracted features to obtain the corresponding actual feature vector.
A feature vector is the set of vectors formed after a multidimensional feature matrix calculation on the features obtained in step (1). It represents the multidimensional features under the preset application scenario, which may include IP address pairs, port numbers, protocol types, TCP connection statistics and so on. The features under different preset application scenarios mostly differ, i.e. each preset application scenario has a different feature vector.
Further, different application scenarios correspond to different feature vectors. Taking protocol type as an example:
Protocols corresponding to the internetwork-layer application scenario: IP, ICMP, ARP and RARP.
Protocols corresponding to the transport-layer application scenario: TCP and UDP.
Protocols corresponding to the application-layer application scenario: FTP, Telnet, SMTP, HTTP, RIP, NFS and DNS.
Services in application scenarios at different layers use different protocols, and the server calculates the feature vector according to the protocols above.
Substitute the valid features obtained in step (1) into an invertible matrix. An invertible matrix can be decomposed into the product of eigenvalues and eigenvectors, i.e. AV = λV, where V is the eigenvector matrix. A change of basis is then applied to the matrix, i.e. the matrix is converted to one expressed in another basis formed by the eigenvectors, thereby reducing the dimension of the valid features in the matrix.
The dimensionality reduction of valid features by a matrix is illustrated with the internetwork-layer application scenario. Suppose there is a set of 20 collected samples of the internetwork-layer application scenario, each sample containing four valid feature values corresponding to the four protocols IP, ICMP, ARP and RARP. Two essential feature values are extracted from the four valid feature values, so that the next time actual network traffic is provided, these two essential feature values can be used to judge whether it belongs to the internetwork-layer application scenario. The four original valid features of the internetwork-layer application scenario are redundant, and the most direct way to reduce the data volume is dimensionality reduction. The matrix dimensionality reduction proceeds as follows: assign the sample set to a matrix R with 20 rows and 4 columns, subtract the mean and normalize; compute its covariance matrix C = RᵀR, where C is a matrix with 4 rows and 4 columns; perform an eigendecomposition of C, diagonalizing it as C = UDUᵀ, where U is the matrix composed of the eigenvectors and D is the diagonal matrix composed of the eigenvalues, arranged in descending order. Then let R' = RU, which projects the sample set onto the orthogonal basis formed by the eigenvectors. The columns of R' are ordered by the size of the corresponding eigenvalue; later columns correspond to smaller eigenvalues, and removing them has less effect on the data set as a whole. Removing the last 2 columns directly and keeping only the first 2 completes the dimensionality reduction and yields the feature vector. This dimensionality reduction method is the PCA (Principal Component Analysis) algorithm.
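The dimensionality reduction described above, as an added Python example rather than code from the patent: it standardizes a 20×4 sample matrix, forms C = RᵀR, diagonalizes it and keeps the two leading columns of R' = RU. The sample values are constructed, "normalize" is assumed to mean dividing each column by its standard deviation, and the cyclic Jacobi eigenvalue method is a choice made here, since the patent names no decomposition routine.

```python
import math
from typing import List, Tuple

Matrix = List[List[float]]


def make_samples() -> Matrix:
    """Constructed data: 20 samples x 4 values (IP, ICMP, ARP, RARP).

    ARP tracks IP and RARP tracks ICMP, so two of the four columns are redundant.
    """
    rows = []
    for i in range(20):
        ip = 100.0 + ((i * 17) % 20) * 40.0
        icmp = 1.0 + ((i * 11) % 20) * 2.5
        arp = 0.02 * ip + (((i * 7) % 5) - 2) * 0.1
        rarp = 0.5 * icmp + (((i * 3) % 7) - 3) * 0.05
        rows.append([ip, icmp, arp, rarp])
    return rows


def standardize(rows: Matrix) -> Matrix:
    """Subtract each column's mean and divide by its standard deviation (assumed normalization)."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0
            for j in range(d)]  # a constant column keeps divisor 1.0
    return [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]


def gram(R: Matrix) -> Matrix:
    """C = R^T R, a d x d symmetric matrix."""
    d = len(R[0])
    return [[sum(r[i] * r[j] for r in R) for j in range(d)] for i in range(d)]


def jacobi_eigh(C: Matrix, max_sweeps: int = 50,
                tol: float = 1e-20) -> Tuple[List[float], Matrix]:
    """Cyclic Jacobi method for symmetric C: returns (eigenvalues, U) with C = U D U^T."""
    n = len(C)
    A = [row[:] for row in C]
    U = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        off = sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if A[p][q] == 0.0:
                    continue
                diff = A[q][q] - A[p][p]
                # Rotation angle that zeroes A[p][q]; |theta| <= pi/4.
                theta = math.pi / 4 if diff == 0 else 0.5 * math.atan(2 * A[p][q] / diff)
                c, s = math.cos(theta), math.sin(theta)
                for M in (A, U):   # right-multiply A and U by the rotation J
                    for k in range(n):
                        mp, mq = M[k][p], M[k][q]
                        M[k][p], M[k][q] = c * mp - s * mq, s * mp + c * mq
                for k in range(n):  # left-multiply A by J^T
                    ap, aq = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * ap - s * aq, s * ap + c * aq
    return [A[i][i] for i in range(n)], U


def pca_reduce(samples: Matrix, keep: int = 2) -> Tuple[Matrix, List[float]]:
    """Return (first `keep` columns of R' = R U, eigenvalues in descending order)."""
    R = standardize(samples)
    vals, U = jacobi_eigh(gram(R))
    order = sorted(range(len(vals)), key=lambda i: vals[i], reverse=True)
    reduced = [[sum(r[j] * U[j][i] for j in range(len(r))) for i in order[:keep]]
               for r in R]
    return reduced, [vals[i] for i in order]


def retained_share(vals: List[float], keep: int = 2) -> float:
    """Fraction of total variance carried by the `keep` leading components."""
    return sum(vals[:keep]) / sum(vals)


if __name__ == "__main__":
    reduced, vals = pca_reduce(make_samples(), keep=2)
    print("eigenvalues:", [round(v, 4) for v in vals])
    print("share kept by 2 columns:", round(retained_share(vals), 4))
    print("first reduced sample:", [round(x, 4) for x in reduced[0]])
```

The share printed for the two retained columns shows how much of the sample set's variance survives the removal of the last two columns, which is the check to make before fixing the number of columns to keep.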
In this step, the actual characteristic vector in real network flow is extracted come further base by feature extraction algorithm Determine whether real network flow is abnormal flow, and server can be made more efficiently to determine practical net in the actual characteristic vector Whether network flow is abnormal flow.
In a specific embodiment, as shown in Fig. 3, before step S10, that is, before the step of obtaining real network traffic, the network traffic monitoring method further includes:
S50. Generate the application scenario reference line corresponding to the current default application scenario.
Here, the current default application scenario is the default application scenario to which the current network traffic belongs. The application scenario reference line is delimited by the behavioural features of the normal network traffic corresponding to the default application scenario; specifically, the behavioural features include network utilization, application response time, protocol distribution and user bandwidth consumption.
The application scenario reference line allows a large volume of real network traffic to be divided by default application scenario, and is a necessary condition for monitoring real network traffic by default application scenario.
In a specific embodiment, as shown in Fig. 4, step S50, that is, the step of generating the application scenario reference line corresponding to the current default application scenario, specifically includes the following steps:
S51. Collect normal network traffic; the normal network traffic includes at least one default application scenario and the normal behaviour features corresponding to the default application scenario.
In this step, at least one default application scenario is first determined, and the normal network traffic in that default application scenario is collected to obtain the normal behaviour features corresponding to the default application scenario, for example: normal network utilization, normal application response time, normal protocol distribution and normal user bandwidth consumption.
Obtaining the values of the multiple normal behaviour features corresponding to a default application scenario gives a basic description of that scenario, which helps the server build a normal traffic model for the default application scenario.
S52. Perform calculations on all normal behaviour features under the same default application scenario to obtain the corresponding mean and standard deviation.
Here, the mean is specifically the arithmetic mean, which is the quotient of the sum of all the data and the total number of data items; the mean presents the overall state of a variable in concentrated form. The standard deviation is specifically the average of the distances by which each data item deviates from the mean, and is a measure of how dispersed a set of data is around its mean: a larger standard deviation means that most values differ considerably from the mean of the data; a smaller standard deviation means that most values are closer to the mean of the data. The standard deviation can serve as a measure of uncertainty.
After the feature values of the normal behaviour features are obtained, the mean and standard deviation of the feature values are calculated. The calculation formula for the mean μ is as follows: Here, n is the number of feature values, i takes values from 1 to n, and x_i is any one of the feature values. The calculation formula for the standard deviation σ is as follows: Here, N is the number of feature values, i takes values from 1 to N, x_i is any one of the feature values, and μ is the mean of the feature values.
S53. Obtain the application scenario reference line based on the mean and standard deviation.
In this embodiment, the application scenario reference line is divided into at least two reference line ranges, and each reference line range corresponds to one default application scenario. A reference line range includes an upper limit value and a lower limit value: the upper limit value is the maximum value of the reference line range and the lower limit value is its minimum value. A default application scenario is a state corresponding to the data; according to the states the data may take, different default application scenarios can be distinguished, such as a first default application scenario, a second default application scenario, a third default application scenario and a fourth default application scenario.
Specifically, obtaining the application scenario reference line based on the mean and standard deviation includes the following steps:
(1) Obtain the standard deviation product, that is, the product of the standard deviation and the standard deviation coefficient.
Here, the standard deviation coefficient is a positive number, which may be a positive integer or a positive fraction. Multiplying the standard deviation by the standard deviation coefficient gives the corresponding standard deviation product. In this embodiment, if the standard deviation coefficient is k, the standard deviation product obtained is k*σ.
(2) Determine the upper limit value of a reference line range based on the sum of the mean and the standard deviation product.
The upper limit value of a reference line range is the maximum value of that range. It depends on the mean and standard deviation of the corresponding feature values, and is calculated as the sum of the mean and the standard deviation product. For example, if the mean of the feature values is μ, the standard deviation is σ and the standard deviation coefficient is k, then the upper limit value of the reference line value corresponding to the feature values is μ+k*σ. The upper limit value of each reference line range divides the historical reference line values into two reference line ranges, which correspond to different default application scenarios.
(3) Determine the lower limit value of a reference line range based on the difference between the mean and the standard deviation product.
The lower limit value of a reference line range is the minimum value of that range. It depends on the mean and standard deviation of the corresponding feature values, and is calculated as the difference between the mean and the standard deviation product. For example, if the mean of the feature values is μ, the standard deviation is σ and the standard deviation coefficient is k, then the lower limit value of the reference line value corresponding to the feature values is μ-k*σ. The lower limit value of each reference line range divides the historical reference line values into two reference line ranges, which correspond to different default application scenarios.
It can be understood that, in calculating the upper and lower limit values of a reference line range, the larger the standard deviation coefficient, the larger the reference line range. If the mean calculated from the feature values is μ, the standard deviation is σ and the standard deviation coefficient is k, then the upper limit value of any reference line range in the historical reference line values corresponding to the feature values is μ+k*σ and the lower limit value is μ-k*σ. Because a reference line range with a larger standard deviation coefficient contains the reference line range with a smaller standard deviation coefficient, and in order to show more clearly the default application scenarios corresponding to different reference line ranges, the range with the smaller standard deviation coefficient must be removed from the range with the larger one, so that any reference line range is determined as: [[μ-k*σ, μ-(k-1)*σ], [μ+(k-1)*σ, μ+k*σ]].
In this embodiment, each reference line range corresponds to one default application scenario, such as the first, second, third and fourth default application scenarios. When k is 1, the reference line range is [[μ-σ, μ], [μ, μ+σ]], i.e. [μ-σ, μ+σ]; this range is closest to the mean of the feature values, and the default application scenario corresponding to it is the first default application scenario. When k is 2, the reference line range is [[μ-2σ, μ-σ], [μ+σ, μ+2σ]]; this range adjoins the first default application scenario, and the default application scenario corresponding to it is the second default application scenario. When k is 3, the reference line range is [[μ-3σ, μ-2σ], [μ+2σ, μ+3σ]]; this range adjoins the second default application scenario, and the default application scenario corresponding to it is the third default application scenario. The default application scenario outside the reference line ranges obtained with k equal to 3 is defined as the fourth default application scenario.
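Steps S51 to S53 carried through for one behaviour feature, as an added example that is not part of the patent text. The function names and the network-utilization samples are constructed; the use of the population standard deviation (dividing by N) and the assignment of a value on a shared boundary to the smaller k are assumptions.

```python
import statistics

# k = 1, 2, 3 give the first three default application scenarios; anything
# outside the k = 3 range is the fourth, as in the passage above.
SCENARIO_BY_K = {1: "first", 2: "second", 3: "third", 4: "fourth"}


def mean_and_std(values):
    """Arithmetic mean and standard deviation of one behaviour feature.

    Assumption: population standard deviation (divide by N), because the page
    defines N as the number of feature values.
    """
    if not values:
        raise ValueError("no normal-traffic samples for this feature")
    return statistics.fmean(values), statistics.pstdev(values)


def reference_range(mu, sigma, k):
    """Range for coefficient k with the (k-1) range removed:
    [[mu - k*sigma, mu - (k-1)*sigma], [mu + (k-1)*sigma, mu + k*sigma]]."""
    return [(mu - k * sigma, mu - (k - 1) * sigma),
            (mu + (k - 1) * sigma, mu + k * sigma)]


def build_reference_line(values, max_k=3):
    """Compute mu, sigma and the reference line ranges for k = 1..max_k."""
    mu, sigma = mean_and_std(values)
    return {"mu": mu, "sigma": sigma,
            "ranges": {k: reference_range(mu, sigma, k) for k in range(1, max_k + 1)}}


def classify(value, line):
    """Return the k of the first range containing value, or max_k + 1 if none does.

    Adjacent ranges share an end point; a value on the boundary is assigned
    to the smaller k (assumption).
    """
    max_k = max(line["ranges"])
    if line["sigma"] == 0:          # all samples identical: ranges collapse to mu
        return 1 if value == line["mu"] else max_k + 1
    for k in range(1, max_k + 1):
        low_band, high_band = line["ranges"][k]
        if low_band[0] <= value <= low_band[1] or high_band[0] <= value <= high_band[1]:
            return k
    return max_k + 1


# Constructed sample: network utilization (%) seen in normal traffic.
NORMAL_UTILIZATION = [2, 4, 4, 4, 5, 5, 7, 9]   # mean 5, standard deviation 2
LINE = build_reference_line(NORMAL_UTILIZATION)

if __name__ == "__main__":
    for k, bands in LINE["ranges"].items():
        print("k =", k, "->", bands)
    for observed in (5.5, 8.5, 0, 12):
        label = SCENARIO_BY_K[classify(observed, LINE)]
        print(observed, "->", label, "default application scenario")
```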
S60. Continue to obtain the default application scenario reference line corresponding to the next default application scenario, until all default application scenario reference lines have been obtained.
Repeating the method of step S50 yields the default application scenario reference lines corresponding to all default application scenarios, so that the server can call the default application scenario reference lines directly and divide the real network traffic accurately.
In this embodiment, the server generates in advance the default application scenario reference lines corresponding to all default application scenarios, so that when it intercepts massive real network traffic it can call the default application scenario reference lines directly and divide the real network traffic accurately.
Preferably, before step S10, that is, before the step of obtaining real network traffic, the network traffic monitoring method further includes:
S70. Create the normal traffic model library.
Here, the normal traffic model library is a collective database formed from the normal feature vectors corresponding to all application scenarios, stored under normal network traffic conditions; it serves as the basis for comparison when judging whether real network traffic is normal network traffic. Normal network traffic refers to the speed and number of traffic data packets transmitted in the network when the network is in a safe and stable state.
In a specific embodiment, as shown in Fig. 5, step S70, that is, the step of creating the normal traffic model library, specifically includes the following steps:
S71. Obtain normal network traffic and divide the normal network traffic based on the preset application scenario reference line to obtain the corresponding default application scenario.
This step is similar to step S11 in another specific embodiment and is not described again here. The difference between step S71 and step S11 is that step S11 obtains the corresponding default application scenario based on real network traffic, whereas step S71 obtains the corresponding default application scenario based on normal network traffic.
Further, different default application scenarios have different application scenario reference lines; this step collects only the normal network traffic located on the application scenario reference line delimited for the default application scenario, in order to model the normal network traffic belonging to that default application scenario.
S72. Perform feature extraction and feature vectorization on the normal network traffic to obtain the corresponding normal feature vector.
This step is similar to step S12 in another specific embodiment and is not described again here. In step S72, the feature extraction algorithm corresponding to the default application scenario is used to perform feature extraction and feature vectorization on the normal network traffic, obtaining the corresponding normal feature vector.
In this step, the normal feature vectors corresponding to the different default application scenarios are extracted by the feature extraction algorithm and used as reference values for the server when it judges real network traffic.
S73. Store the default application scenario in association with the normal feature vector in the database to form the normal traffic model library.
It can be understood that storing all default application scenarios in association with their corresponding normal feature vectors in the database forms the normal traffic model library, which the server can call and refer to when determining whether real network traffic is abnormal traffic, improving the speed at which the server processes real network traffic.
In a specific embodiment, as shown in Fig. 6, step S72, that is, performing feature extraction and feature vectorization on the normal network traffic to obtain the corresponding normal feature vector, specifically includes the following steps:
S721. Perform feature extraction on the normal network traffic to obtain scenario feature data.
S722. Use matrix calculation to vectorize the scenario feature data and obtain the corresponding normal feature vector.
Specifically, steps S721 to S722 in this embodiment are similar to steps S11 to S12 in another embodiment of the present invention and are not described again here. The difference between the two embodiments is that this embodiment processes normal network traffic to obtain the normal feature vector, whereas the other embodiment processes real network traffic to obtain the actual feature vector. The normal feature vector obtained in this embodiment serves as a reference value against which the server compares the actual feature vector, in order to determine whether the real network traffic is an abnormal traffic set.
In a specific embodiment, as shown in Fig. 7, step S40, that is, obtaining by statistics the abnormal proportion corresponding to the abnormal traffic sets, specifically includes the following steps:
S41. Initialize the abnormal total and the traffic total.
Here, the abnormal total is the total number of abnormal traffic sets in the real network traffic taking part in this round of monitoring, and the traffic total is the total number of all real network traffic taking part in this round of monitoring.
Initializing the abnormal total and the traffic total means assigning initial values to them; both can be set to 0.
S42. If the actual feature vector corresponding to a default application scenario is an abnormal traffic set, add 1 to both the abnormal total and the traffic total.
It can be understood that, regardless of whether the current default application scenario in the real network traffic taking part in this round of monitoring is an abnormal traffic set, 1 must be added to the traffic total each time a new default application scenario is monitored. In addition, if the default application scenario turns out after monitoring to be an abnormal traffic set, 1 is added to the abnormal total.
S43. If the actual feature vector corresponding to a default application scenario is not an abnormal traffic set, add 1 to the traffic total.
As described in step S42, regardless of whether the current default application scenario in the real network traffic taking part in this round of monitoring is an abnormal traffic set, 1 must be added to the traffic total each time a new default application scenario is monitored.
S44. Divide the abnormal total by the traffic total to obtain the abnormal proportion.
Here, the abnormal proportion is the percentage of the traffic total accounted for by the abnormal total.
By initializing the abnormal total and the traffic total and updating these two values in real time while the real network traffic is monitored, this step obtains the current abnormal proportion quickly and easily.
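The counting in steps S41 to S44, together with the two threshold comparisons the method applies, as an added example that is not part of the patent text. The scenario names, vectors and threshold values are constructed; the reading of "intersection" as the number of components that agree within a tolerance, and the handling of a scenario with no stored normal vector, are assumptions.

```python
def intersection_size(actual, normal, rel_tol=0.10):
    """Number of components on which the two feature vectors agree.

    Assumption: the page does not define the intersection of two feature
    vectors; here a component is shared when the actual value lies within
    rel_tol of the normal value.
    """
    if len(actual) != len(normal):
        raise ValueError("feature vectors must have the same length")
    return sum(1 for a, n in zip(actual, normal)
               if abs(a - n) <= rel_tol * max(abs(n), 1e-9))


def monitor(observed, model_library, first_threshold, second_threshold):
    """Compare each scenario's actual vector with the stored normal vector and
    return the abnormal proportion and the overall verdict."""
    abnormal_total = 0                      # S41: both totals start at 0
    traffic_total = 0
    abnormal_sets = []
    for scenario, actual in observed.items():
        traffic_total += 1                  # S42/S43: every scenario is counted
        normal = model_library.get(scenario)
        # Assumption: a scenario with no stored normal vector cannot be matched
        # and is therefore counted as abnormal.
        if normal is None or intersection_size(actual, normal) < first_threshold:
            abnormal_total += 1             # S42: abnormal traffic set
            abnormal_sets.append(scenario)
    # S44, guarding the empty case so that no traffic gives a proportion of 0.
    proportion = abnormal_total / traffic_total if traffic_total else 0.0
    return {"abnormal_total": abnormal_total,
            "traffic_total": traffic_total,
            "abnormal_proportion": proportion,
            "abnormal_sets": abnormal_sets,
            "abnormal_network_traffic": proportion > second_threshold}


# Constructed normal traffic model library: scenario -> normal feature vector.
MODEL_LIBRARY = {
    "internet_layer":    [0.62, 0.21, 0.11, 0.06],
    "transport_layer":   [0.55, 0.40, 0.03, 0.02],
    "application_layer": [0.45, 0.30, 0.15, 0.10],
}

# Constructed actual feature vectors from one monitoring round.
OBSERVED = {
    "internet_layer":    [0.60, 0.22, 0.30, 0.06],   # 3 of 4 components agree
    "transport_layer":   [0.10, 0.85, 0.03, 0.02],   # 2 of 4 components agree
    "application_layer": [0.46, 0.29, 0.15, 0.10],   # 4 of 4 components agree
    "link_layer":        [0.90, 0.10, 0.00, 0.00],   # no model stored
}

if __name__ == "__main__":
    result = monitor(OBSERVED, MODEL_LIBRARY, first_threshold=3, second_threshold=0.4)
    for key, value in result.items():
        print(key, "=", value)
```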
The network traffic monitoring method provided by this embodiment of the present invention obtains real network traffic and, based on the default application scenarios corresponding to the real network traffic, queries the preset normal traffic model library in order to monitor whether the real network traffic is abnormal network traffic. On the one hand, monitoring real network traffic against the normal traffic model library can also detect abnormal network traffic that has not been seen before; on the other hand, the normal traffic model library can be built with simple and efficient algorithms, which suits the cloud security field, where the computational load of network traffic is large.
Further, the server also uses the application scenario reference line to divide the real network traffic into default application scenarios, so that the process of judging real network traffic is more targeted and logical. Generating in advance the default application scenario reference lines corresponding to all default application scenarios lets the server call them directly when intercepting massive real network traffic and divide the real network traffic accurately. Initializing the abnormal total and the traffic total, and updating these two values in real time while the real network traffic is monitored, yields the current abnormal proportion quickly and easily.
It should be understood that the sequence numbers of the steps in the above embodiment do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
Embodiment 2
Fig. 8 shows a functional block diagram of the network traffic monitoring device that corresponds one-to-one to the network traffic monitoring method of Embodiment 1. As shown in Fig. 8, the network traffic monitoring device includes a network traffic acquisition module 10, a feature vector acquisition module 20, a corresponding feature vector module 30 and an abnormal proportion statistics module 40. The functions implemented by the network traffic acquisition module 10, the feature vector acquisition module 20, the corresponding feature vector module 30 and the abnormal proportion statistics module 40 correspond one-to-one to the steps of the network traffic monitoring method in the embodiment; to avoid repetition, they are not described in detail one by one in this embodiment.
The network traffic acquisition module 10 is used to obtain real network traffic and, based on the real network traffic, to obtain at least one corresponding default application scenario and the actual feature vector corresponding to the default application scenario.
The feature vector acquisition module 20 is used to query the preset normal traffic model library based on the at least one default application scenario and obtain the normal feature vector corresponding to each default application scenario.
The corresponding feature vector module 30 is used to determine that, if the intersection of the actual feature vector and the normal feature vector corresponding to the same default application scenario is less than the first threshold, the actual feature vector corresponding to the default application scenario is an abnormal traffic set.
The abnormal proportion statistics module 40 is used to obtain by statistics the abnormal proportion corresponding to the abnormal traffic sets; if the abnormal proportion is greater than the second threshold, the real network traffic is abnormal network traffic.
Preferably, the feature vector acquisition module 20 includes an application scenario acquisition unit 21 and a feature vector acquisition unit 22.
The application scenario acquisition unit 21 is used to call, based on the real network traffic, the preset application scenario reference line to divide the real network traffic and obtain the corresponding default application scenario.
The feature vector acquisition unit 22 is used to perform, based on the real network traffic, feature extraction and feature vectorization on the real network traffic using the feature extraction algorithm corresponding to the default application scenario, obtaining the corresponding actual feature vector.
Preferably, the network traffic monitoring device further includes a reference line generation unit 50.
The reference line generation unit 50 is used to generate the application scenario reference line corresponding to the current default application scenario.
Preferably, the reference line generation unit 50 includes a network traffic collection subunit 51, a mean acquisition subunit 52 and a reference line acquisition subunit 53.
The network traffic collection subunit 51 is used to collect normal network traffic; the normal network traffic includes at least one default application scenario and the normal behaviour features corresponding to the default application scenario.
The mean acquisition subunit 52 is used to perform calculations on all normal behaviour features under the same default application scenario to obtain the corresponding mean and standard deviation.
The reference line acquisition subunit 53 is used to obtain the application scenario reference line based on the mean and standard deviation.
The reference line acquisition unit 60 is used to continue obtaining the default application scenario reference line corresponding to the next default application scenario, until all default application scenario reference lines have been obtained.
Preferably, the network traffic monitoring device further includes a model library creation unit 70, used to create the normal traffic model library.
Preferably, the model library creation unit 70 includes a network traffic acquisition subunit 71, a feature vector acquisition subunit 72 and a model library formation subunit 73.
The network traffic acquisition subunit 71 is used to obtain normal network traffic and divide the normal network traffic based on the preset application scenario reference line to obtain the corresponding default application scenario.
The feature vector acquisition subunit 72 is used to perform feature extraction and feature vectorization on the normal network traffic to obtain the corresponding normal feature vector.
The model library formation subunit 73 is used to store the default application scenario in association with the normal feature vector in the database to form the normal traffic model library.
Preferably, the feature vector acquisition subunit 72 includes a feature data acquisition subunit 721 and a feature vector acquisition subunit 722.
The feature data acquisition subunit 721 is used to perform feature extraction on the normal network traffic to obtain scenario feature data.
The feature vector acquisition subunit 722 is used to vectorize the scenario feature data using matrix calculation and obtain the corresponding normal feature vector.
Preferably, the abnormal proportion statistics module 40 includes a total initialization unit 41, an abnormal traffic set processing unit 42, a traffic total increment unit 43 and an abnormal proportion acquisition unit 44.
The total initialization unit 41 is used to initialize the abnormal total and the traffic total.
The abnormal traffic set processing unit 42 is used to add 1 to both the abnormal total and the traffic total if the actual feature vector corresponding to a default application scenario is an abnormal traffic set.
The traffic total increment unit 43 is used to add 1 to the traffic total if the actual feature vector corresponding to a default application scenario is not an abnormal traffic set.
The abnormal proportion acquisition unit 44 is used to divide the abnormal total by the traffic total to obtain the abnormal proportion.
Embodiment 3
This embodiment provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, it implements the network traffic monitoring method of Embodiment 1; to avoid repetition, details are not repeated here. Alternatively, when the computer program is executed by a processor, it implements the functions of each module/unit of the network traffic monitoring device of Embodiment 2; to avoid repetition, details are not repeated here.
It can be understood that the computer-readable storage medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), an electrical carrier signal, a telecommunications signal, and so on.
Embodiment 4
Fig. 9 is a schematic diagram of the computer equipment provided by an embodiment of the present invention. As shown in Fig. 9, the computer equipment 80 of this embodiment includes a processor 81, a memory 82, and a computer program 83 that is stored in the memory 82 and can run on the processor 81. When the processor 81 executes the computer program 83, it implements the steps of the network traffic monitoring method of Embodiment 1 above, for example steps S10 to S40 shown in Fig. 1. Alternatively, when the processor 81 executes the computer program 83, it implements the functions of the modules in the device embodiments above, for example the functions of the network traffic acquisition module 10, the feature vector acquisition module 20, the corresponding feature vector module 30 and the abnormal proportion statistics module 40 shown in Fig. 8.
It is clear to those skilled in the art that, for convenience and brevity of description, the division into the functional units and modules above is used only as an example. In practical applications the functions may be assigned to different functional units or modules as needed, that is, the internal structure of the device is divided into different functional units or modules to complete all or part of the functions described above.
The embodiments described above are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all fall within the protection scope of the present invention.

Claims (9)

1. a kind of Network Traffic Monitoring method characterized by comprising
Acquire proper network flow, the proper network flow include at least one default application scenarios and with the default application The corresponding normal behaviour feature of scene;
All normal behaviour features under the same default application scenarios are calculated, corresponding average value and standard are obtained Difference;
Based on the average value and the standard deviation, the application scenarios reference line is obtained;
Continue to obtain the corresponding default application scenarios reference line of next default application scenarios, until completing to obtain all default applications Scene reference line;
Real network flow is obtained, the default application scenarios reference line is called, divides the real network flow, acquisition and institute State at least one corresponding default application scenarios of real network flow and actual characteristic corresponding with the default application scenarios Vector;
Preset normal discharge model library is inquired based on default application scenarios described at least one, obtains and is answered with each described preset With the corresponding normal characteristics vector of scene;
If the intersection of normal characteristics vector described in the corresponding actual characteristic vector sum of same default application scenarios is less than first Threshold value, then the corresponding actual characteristic vector of the default application scenarios is exception stream quantity set;
Statistics obtains the corresponding abnormal accounting of the exception stream quantity set, described if the exception accounting is greater than second threshold Real network flow is Abnormal network traffic.
2. Network Traffic Monitoring method as described in claim 1, which is characterized in that described to be obtained based on the real network flow Take at least one corresponding default application scenarios and actual characteristic vector, comprising:
Based on the real network flow, preset application scenarios reference line is called to divide the real network flow, Obtain corresponding default application scenarios;
Based on the real network flow, using feature extraction algorithm corresponding with the default application scenarios to the reality Network flow carries out feature extraction and feature vector, obtains corresponding actual characteristic vector.
3. Network Traffic Monitoring method as described in claim 1, which is characterized in that in the step for obtaining real network flow Before rapid, the Network Traffic Monitoring method further include: creation normal discharge model library;
The creation normal discharge model library, comprising:
Proper network flow is obtained, the proper network flow is divided based on preset application scenarios reference line, to obtain correspondence Default application scenarios;
Feature extraction and feature vector are carried out to the proper network flow, obtain corresponding normal characteristics vector;
By the default application scenarios and normal characteristics vector association storage into database, normal discharge model is formed Library.
4. Network Traffic Monitoring method as claimed in claim 3, which is characterized in that described to be carried out to the proper network flow Feature extraction and feature vector obtain corresponding normal characteristics vector, comprising:
Feature extraction is carried out to the proper network flow, obtains scene characteristic data;
It is calculated using matrix and feature vector is carried out to the scene characteristic data, obtain corresponding normal characteristics vector.
5. Network Traffic Monitoring method as described in claim 1, which is characterized in that the statistics obtains the exception stream quantity set Corresponding abnormal accounting, comprising:
Initialization exception sum and flow sum;
If the corresponding actual characteristic vector of the default application scenarios is exception stream quantity set, the exception is total and described Flow sum adds 1;
If the corresponding actual characteristic vector of the default application scenarios is not exception stream quantity set, the flow sum adds 1;
The exception is total divided by the flow sum, obtain the abnormal accounting.
6. a kind of Network Traffic Monitoring device characterized by comprising
Network flow subelement is acquired, for acquiring proper network flow, the proper network flow includes that at least one is default Application scenarios and normal behaviour feature corresponding with the default application scenarios;
an average value obtaining subunit, configured to perform calculation on all normal behaviour features under the same preset application scenario to obtain the corresponding average value and standard deviation;
a baseline obtaining subunit, configured to obtain the application scenario baseline based on the average value and the standard deviation;
a baseline obtaining unit, configured to continue obtaining the preset application scenario baseline corresponding to the next preset application scenario, until all preset application scenario baselines have been obtained;
a network traffic obtaining module, configured to obtain actual network traffic, call the preset application scenario baselines, and divide the actual network traffic to obtain at least one preset application scenario corresponding to the actual network traffic and an actual feature vector corresponding to the preset application scenario;
a feature vector obtaining module, configured to query a preset normal traffic model library based on the at least one preset application scenario to obtain a normal feature vector corresponding to each preset application scenario;
a feature vector comparison module, configured so that, if the intersection of the actual feature vector and the normal feature vector corresponding to the same preset application scenario is less than a first threshold, the actual feature vector corresponding to that preset application scenario is an abnormal traffic set;
an abnormal proportion statistics module, configured to compute the abnormal proportion corresponding to the abnormal traffic set; if the abnormal proportion is greater than a second threshold, the actual network traffic is abnormal network traffic.
7. The network traffic monitoring apparatus as claimed in claim 6, characterized in that the feature vector obtaining module comprises:
an application scenario obtaining unit, configured to call, based on the actual network traffic, the preset application scenario baselines to divide the actual network traffic and obtain the corresponding preset application scenarios;
a feature vector obtaining unit, configured to perform, based on the actual network traffic, feature extraction and feature vectorization on the actual network traffic using the feature extraction algorithm corresponding to the preset application scenario, to obtain the corresponding actual feature vector.
8. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the network traffic monitoring method according to any one of claims 1 to 5.
9. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the network traffic monitoring method according to any one of claims 1 to 5.
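The detection flow recited in claims 6 and 7, sketched in Python as an added illustration that is not part of the patent text. Assumptions not stated in the claims: the baseline is a mean ± k·standard-deviation band over bytes per flow, the "intersection" is the fraction of a scenario's actual feature vectors found in the normal library, the abnormal proportion is the share of flows in abnormal sets, flows matching no baseline go to a hypothetical "unmatched" scenario, and all scenario names, thresholds and data are constructed.

```python
from statistics import mean, pstdev

# Constructed training samples: bytes per flow seen in each preset application scenario.
NORMAL_SAMPLES = {
    "web": [480, 520, 500, 510, 490],
    "backup": [9000, 11000, 10000, 10500, 9500],
}
# Constructed stand-in for the normal traffic model library: normal feature vectors.
NORMAL_VECTORS = {
    "web": {("tcp", 443), ("tcp", 80)},
    "backup": {("tcp", 22), ("tcp", 443)},
}

def build_baselines(samples, k=3.0):
    """Baseline per scenario from mean and standard deviation (k-sigma band is assumed)."""
    baselines = {}
    for name, values in samples.items():
        m, s = mean(values), pstdev(values)
        baselines[name] = (m - k * s, m + k * s)
    return baselines

def monitor(flows, baselines, library, first_threshold=0.5, second_threshold=0.3):
    """Return (abnormal scenarios, abnormal proportion, verdict) for observed flows."""
    per_scenario = {}
    for size, vector in flows:
        # Divide traffic by baseline; flows outside every band go to "unmatched" (assumed).
        name = next((n for n, (lo, hi) in baselines.items() if lo <= size <= hi), "unmatched")
        per_scenario.setdefault(name, []).append(vector)
    abnormal, abnormal_flows = [], 0
    for name, vectors in per_scenario.items():
        actual = set(vectors)
        overlap = len(actual & library.get(name, set())) / len(actual)
        if overlap < first_threshold:      # intersection too small: abnormal traffic set
            abnormal.append(name)
            abnormal_flows += len(vectors)
    proportion = abnormal_flows / len(flows) if flows else 0.0
    return sorted(abnormal), proportion, proportion > second_threshold

BASELINES = build_baselines(NORMAL_SAMPLES)
# Constructed observations: (bytes, feature vector).
QUIET = [(505, ("tcp", 443)), (495, ("tcp", 80)), (10200, ("tcp", 22)), (9800, ("tcp", 443))]
ODD = [(505, ("tcp", 443)), (10100, ("tcp", 4444)), (9900, ("udp", 53)), (10300, ("tcp", 22))]

if __name__ == "__main__":
    print(monitor(QUIET, BASELINES, NORMAL_VECTORS))
    print(monitor(ODD, BASELINES, NORMAL_VECTORS))
```

The two thresholds act at different levels: the first decides per scenario whether its vectors form an abnormal set, the second decides whether the capture as a whole is reported.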
CN201810239414.8A 2018-03-22 2018-03-22 Network Traffic Monitoring method, apparatus, computer equipment and storage medium Active CN108650218B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810239414.8A CN108650218B (en) 2018-03-22 2018-03-22 Network Traffic Monitoring method, apparatus, computer equipment and storage medium
PCT/CN2018/092654 WO2019178968A1 (en) 2018-03-22 2018-06-25 Network traffic monitoring method and apparatus, and computer device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810239414.8A CN108650218B (en) 2018-03-22 2018-03-22 Network Traffic Monitoring method, apparatus, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108650218A CN108650218A (en) 2018-10-12
CN108650218B true CN108650218B (en) 2019-10-08

Family

ID=63744586

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810239414.8A Active CN108650218B (en) 2018-03-22 2018-03-22 Network Traffic Monitoring method, apparatus, computer equipment and storage medium

Country Status (2)

Country Link
CN (1) CN108650218B (en)
WO (1) WO2019178968A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450672B (en) * 2018-10-22 2020-09-18 网宿科技股份有限公司 Method and device for identifying bandwidth demand burst
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN110445808A (en) * 2019-08-26 2019-11-12 杭州迪普科技股份有限公司 Abnormal flow attack guarding method, device, electronic equipment
CN111682975B (en) * 2020-04-24 2023-05-16 视联动力信息技术股份有限公司 Network state prediction method, device, electronic equipment and storage medium
CN112202771B (en) * 2020-09-29 2022-10-14 中移(杭州)信息技术有限公司 Network flow detection method, system, electronic device and storage medium
CN112367292B (en) * 2020-10-10 2021-09-03 浙江大学 Encrypted flow anomaly detection method based on deep dictionary learning
CN112019574B (en) * 2020-10-22 2021-01-29 腾讯科技(深圳)有限公司 Abnormal network data detection method and device, computer equipment and storage medium
CN112291226B (en) * 2020-10-23 2022-05-27 新华三信息安全技术有限公司 Method and device for detecting abnormity of network flow
CN112380771B (en) * 2020-11-17 2023-04-07 甘肃省祁连山水源涵养林研究院 Soil erosion assessment method and device and server
CN112615738B (en) * 2020-12-09 2023-02-28 四川迅游网络科技股份有限公司 Network acceleration method based on flow characteristics
CN112994978B (en) * 2021-02-25 2023-01-24 网宿科技股份有限公司 Network traffic monitoring method and device
CN117061322A (en) * 2023-09-27 2023-11-14 广东云百科技有限公司 Internet of things flow pool management method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111312A (en) * 2011-03-28 2011-06-29 钱叶魁 Multi-scale principle component analysis-based network abnormity detection method
CN105553998A (en) * 2015-12-23 2016-05-04 中国电子科技集团公司第三十研究所 Network attack abnormality detection method
CN105915532A (en) * 2016-05-23 2016-08-31 北京网康科技有限公司 Method and device for recognizing fallen host
CN107370732A (en) * 2017-07-14 2017-11-21 成都信息工程大学 System is found based on neutral net and the industrial control system abnormal behaviour of optimal recommendation

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2884953B1 (en) * 2005-04-22 2007-07-06 Thales Sa METHOD AND AIRBORNE DEVICE FOR AIRCRAFT, TRACK INCURSION ALERT
CN101252482A (en) * 2008-04-07 2008-08-27 华为技术有限公司 Network flow abnormity detecting method and device
CN101651568B (en) * 2009-07-01 2011-12-07 青岛农业大学 Method for predicting network flow and detecting abnormality
CN105227548B (en) * 2015-09-14 2018-06-26 中国人民解放军国防科学技术大学 Abnormal flow screening technique based on ' Office LAN steady-state model

Also Published As

Publication number Publication date
WO2019178968A1 (en) 2019-09-26
CN108650218A (en) 2018-10-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant