CN108881326A - Method, system, medium and device for determining abnormal network traffic behavior - Google Patents

Publication number
CN108881326A
Authority
CN
China
Prior art keywords
data
flows
detected
time window
time period
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811130727.6A
Other languages
Chinese (zh)
Inventor
郭景楠
王建磊
何华荣
王志
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen United Soft Polytron Technologies Inc
Original Assignee
Shenzhen United Soft Polytron Technologies Inc
Application filed by Shenzhen United Soft Polytron Technologies Inc
Priority to CN201811130727.6A
Publication of CN108881326A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

The present invention provides a method, system, medium and device for determining abnormal network traffic behavior. The method includes: judging whether the date corresponding to a specific time period is a working day or a non-working day; according to the judgment result, obtaining the traffic data to be detected in the specific time period and the corresponding historical traffic data; and, based on the traffic data to be detected and the historical traffic data, using a time window algorithm to detect whether the traffic data to be detected is abnormal. Compared with traditional network traffic anomaly detection methods, the present invention uses a time-series analysis method based on time windows, can handle both the working-day and non-working-day modes, and considers both the lateral comparison and the longitudinal comparison of traffic changes, so that it identifies more accurately whether traffic deviates from its historical pattern.

Description

Method, system, medium and device for determining abnormal network traffic behavior
Technical field
The present invention relates to the field of information security technology, and in particular to a method, system, medium and device for determining abnormal network traffic behavior.
Background
With the rapid development and wide application of computer and Internet technology, the security of computer network systems faces serious challenges, and threats from computer viruses, hacker attacks and other sources keep increasing. Detecting abnormal network traffic behavior is therefore necessary.
In the prior art, network traffic is mainly analyzed with descriptive methods, or rules or policies are used to judge whether network traffic is abnormal. These approaches are rather mechanical, and their detection accuracy is poor.
Summary of the invention
In view of the defects in the prior art, the present invention provides a method, system, medium and device for determining abnormal network traffic behavior that can handle both the working-day and non-working-day modes and can automatically and more accurately identify whether traffic deviates from its historical pattern.
In a first aspect, the present invention provides a method for determining abnormal network traffic behavior, including:
judging whether the date corresponding to a specific time period is a working day or a non-working day;
according to the judgment result, obtaining the traffic data to be detected in the specific time period and the corresponding historical traffic data;
based on the traffic data to be detected and the historical traffic data, using a time window algorithm to detect whether the traffic data to be detected is abnormal.
Optionally, before the step of obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the historical traffic data, the method further includes:
collecting the traffic data of the user terminal in real time;
aggregating and storing the traffic data at a preset time interval to form the historical traffic data.
Optionally, if the judgment result is that the date corresponding to the specific time period is a working day, obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the corresponding historical traffic data includes:
obtaining first data of the user terminal in the current time window corresponding to the specific time period, where the first data contains the traffic data to be detected in the specific time period;
obtaining second data of the user terminal in the previous-period time window corresponding to the specific time period;
obtaining third data of the user terminal in the current time window of the previous working day;
obtaining fourth data of the user terminal in the previous-period time window of the previous working day.
Detecting, based on the traffic data to be detected and the historical traffic data and using the time window algorithm, whether the traffic data to be detected is abnormal includes:
detecting, according to the first data, second data, third data and fourth data, whether the traffic data to be detected is abnormal.
Optionally, if the judgment result is that the date corresponding to the specific time period is a non-working day, obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the corresponding historical traffic data includes:
obtaining first data of the user terminal in the current time window corresponding to the specific time period, where the first data contains the traffic data to be detected in the specific time period;
obtaining second data of the user terminal in the previous-period time window corresponding to the specific time period;
obtaining third data of the user terminal in the current time window of the previous non-working day;
obtaining fourth data of the user terminal in the previous-period time window of the previous non-working day.
Detecting, based on the traffic data to be detected and the historical traffic data and using the time window algorithm, whether the traffic data to be detected is abnormal includes:
detecting, according to the first data, second data, third data and fourth data, whether the traffic data to be detected is abnormal.
Optionally, detecting, according to the first data, second data, third data and fourth data, whether the traffic data to be detected is abnormal includes:
performing a time-window longitudinal comparison of the first data and the third data to obtain a first longitudinal comparison result;
performing a time-window longitudinal comparison of the second data and the fourth data to obtain a second longitudinal comparison result;
judging, according to the first longitudinal comparison result and the second longitudinal comparison result, whether the traffic data to be detected is abnormal.
Optionally, judging, according to the first longitudinal comparison result and the second longitudinal comparison result, whether the traffic data to be detected is abnormal includes:
performing a lateral comparison of the first longitudinal comparison result and the second longitudinal comparison result to obtain a comparison ratio;
judging whether the comparison ratio is greater than a preset threshold;
if so, judging that the traffic data to be detected is abnormal traffic;
if not, judging that the traffic data to be detected is normal.
Optionally, the specific time period is the current preset time period of the current day.
In a second aspect, the present invention provides a system for determining abnormal network traffic behavior, including:
a date judgment module, for judging whether the date corresponding to a specific time period is a working day or a non-working day;
a traffic acquisition module, for obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the corresponding historical traffic data;
a traffic detection module, for detecting, based on the traffic data to be detected and the historical traffic data and using a time window algorithm, whether the traffic data to be detected is abnormal.
In a third aspect, the present invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the method for determining abnormal network traffic behavior of the first aspect.
In a fourth aspect, the present invention provides a device for determining abnormal network traffic behavior, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the method for determining abnormal network traffic behavior of the first aspect.
The present invention judges whether the date corresponding to the specific time period is a working day or a non-working day and, according to the judgment result, obtains the traffic data to be detected in the specific time period and the corresponding historical traffic data. Based on the traffic data to be detected and the historical traffic data, the time window algorithm can detect whether the traffic data to be detected is abnormal. Compared with traditional network traffic anomaly detection methods, the present invention uses a time-series analysis method based on time windows, can handle both the working-day and non-working-day modes, and considers both the lateral comparison and the longitudinal comparison of traffic changes, so that it identifies more accurately whether traffic deviates from its historical pattern.
The system for determining abnormal network traffic behavior, the computer-readable storage medium and the device for determining abnormal network traffic behavior provided by the present invention share the same inventive concept as the above method for determining abnormal network traffic behavior and have the same beneficial effects.
Brief description of the drawings
To explain the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. In all the drawings, similar elements or parts are generally identified by similar reference numerals. In the drawings, the elements or parts are not necessarily drawn to actual scale.
Fig. 1 is a flow chart of a method for determining abnormal network traffic behavior provided by the present invention;
Fig. 2 is a flow chart of a method for determining abnormal network traffic behavior on a working day provided by the present invention;
Fig. 3 is a schematic diagram of the acquired traffic data provided by the present invention;
Fig. 4 is a schematic diagram of a system for determining abnormal network traffic behavior provided by the present invention.
Detailed description of the embodiments
Embodiments of the technical solution of the present invention are described in detail below with reference to the drawings. The following embodiments are only used to illustrate the technical solution of the present invention more clearly; they are examples only and cannot be used to limit the protection scope of the present invention.
It should be noted that, unless otherwise indicated, the technical or scientific terms used in this application have the ordinary meaning understood by those of ordinary skill in the art to which the present invention belongs.
The present invention provides a method, system, medium and device for determining abnormal network traffic behavior. Embodiments of the present invention are described below with reference to the drawings.
Referring to Fig. 1, Fig. 1 is a flow chart of a method for determining abnormal network traffic behavior provided by a specific embodiment of the present invention. The method for determining abnormal network traffic behavior provided in this embodiment includes:
Step S101: judge whether the date corresponding to a specific time period is a working day or a non-working day.
Step S102: according to the judgment result, obtain the traffic data to be detected in the specific time period and the corresponding historical traffic data.
Step S103: based on the traffic data to be detected and the historical traffic data, use a time window algorithm to detect whether the traffic data to be detected is abnormal.
The specific time period may be the current preset time period of the current day, or any other specific time period; all of these fall within the protection scope of the present invention.
Judging whether the date corresponding to the specific time period is a working day or a non-working day makes it possible to distinguish working-day traffic data from non-working-day traffic data well, which improves detection accuracy. The method for determining abnormal network traffic behavior on a working day is shown in Fig. 2.
The traffic data may include intranet or extranet traffic data, and upload or download traffic data.
The traffic data to be detected refers to the traffic data of the user terminal in the specific time period. The specific time period may be any time period, such as 1 minute or 2 minutes.
The specific time period may be the current preset time period of the current day. If it is, the traffic data of the user terminal can be detected in real time.
The present invention judges whether the date corresponding to the specific time period is a working day or a non-working day and, according to the judgment result, obtains the traffic data to be detected in the specific time period and the corresponding historical traffic data. Based on the traffic data to be detected and the historical traffic data, the time window algorithm can detect whether the traffic data to be detected is abnormal. Compared with network traffic anomaly detection methods in the prior art, the present invention can handle both the working-day and non-working-day modes and, by using the time window algorithm, can identify more accurately whether traffic is abnormal.
In a specific embodiment provided by the present invention, before the step of obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the historical traffic data, the method further includes: collecting the traffic data of the user terminal in real time; and aggregating and storing the traffic data at a preset time interval to form the historical traffic data.
In the present invention, the traffic data of the user terminal needs to be collected in real time. After the historical traffic data has been collected, it can be aggregated at the preset time interval, where the preset time interval may be equal in length to the specific time period; for example, the traffic data may be aggregated at a 1-minute interval. That is, the traffic data is divided into units of time.
When the period to be detected is longer than the preset time interval, it can be divided at the preset time interval into multiple specific time periods, which are detected separately; when the period to be detected is shorter than the preset time interval, it can be detected directly with this method.
Dividing the traffic data by time interval makes it easier to extract the traffic data later.
In the present invention, obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the corresponding historical traffic data falls into the following two cases:
First case: the date corresponding to the specific time period is a working day. The corresponding historical traffic data must then also be the traffic data of the previous working day. Specifically, the data to be obtained is as follows:
first data of the user terminal in the current time window corresponding to the specific time period, where the first data contains the traffic data to be detected in the specific time period;
second data of the user terminal in the previous-period time window corresponding to the specific time period;
third data of the user terminal in the current time window of the previous working day;
fourth data of the user terminal in the previous-period time window of the previous working day.
Each time window may include multiple consecutive preset time intervals. For example, with a preset time interval of 1 minute, each time window may be 2 minutes, 3 minutes, 4 minutes, and so on. Correspondingly, the traffic data of each time window includes the traffic data of multiple consecutive preset time intervals.
The current time window is the time window whose last time interval is the specific time period. For example, if each time window includes 4 preset time intervals, each time interval is 1 minute, and the specific time period is the 5th minute, the current time window is the interval covering minutes 2-5. The previous-period time window excludes the specific time period: it is the time window whose last time interval is the interval immediately before the specific time period. For example, if each time window includes 4 preset time intervals, each time interval is 1 minute, and the specific time period is the 5th minute, the previous-period time window is the interval covering minutes 1-4.
The current time window of the previous working day is the current time window at the same time of day on the previous working day. For example, if the current time window corresponding to the specific time period is 9:31-9:35, the current time window of the previous working day is also 9:31-9:35 on the previous working day. The previous-period time window of the previous working day is the period on the previous working day that matches the previous-period time window of the specific time period. For example, if the previous-period time window corresponding to the specific time period is 9:30-9:34, the previous-period time window of the previous working day is also 9:30-9:34 on the previous working day.
Among the first data, second data, third data and fourth data, everything other than the traffic data to be detected is historical traffic data corresponding to the specific time period.
Second case: the date corresponding to the specific time period is a non-working day. The corresponding historical traffic data must then also be the traffic data of the previous non-working day. Specifically, the data to be obtained is as follows:
first data of the user terminal in the current time window corresponding to the specific time period, where the first data contains the traffic data to be detected in the specific time period;
second data of the user terminal in the previous-period time window corresponding to the specific time period;
third data of the user terminal in the current time window of the previous non-working day;
fourth data of the user terminal in the previous-period time window of the previous non-working day.
Among the first data, second data, third data and fourth data, everything other than the traffic data to be detected is historical traffic data corresponding to the specific time period.
The current time window and the previous-period time window are defined as in the first case. The current time window of the previous non-working day is the current time window at the same time of day on the previous non-working day. For example, if the current time window corresponding to the specific time period is 9:31-9:35, the current time window of the previous non-working day is also 9:31-9:35 on the previous non-working day. The previous-period time window of the previous non-working day is the period on the previous non-working day that matches the previous-period time window of the specific time period. For example, if the previous-period time window corresponding to the specific time period is 9:30-9:34, the previous-period time window of the previous non-working day is also 9:30-9:34 on the previous non-working day.
Traffic data can therefore be detected accurately on both working days and non-working days. Detecting, based on the traffic data to be detected and the historical traffic data and using the time window algorithm, whether the traffic data to be detected is abnormal includes: detecting, according to the first data, second data, third data and fourth data, whether the traffic data to be detected is abnormal.
In a specific embodiment provided by the present invention, detecting, according to the first data, second data, third data and fourth data, whether the traffic data to be detected is abnormal includes: performing a time-window longitudinal comparison of the first data and the third data to obtain a first longitudinal comparison result; performing a time-window longitudinal comparison of the second data and the fourth data to obtain a second longitudinal comparison result; and judging, according to the first longitudinal comparison result and the second longitudinal comparison result, whether the traffic data to be detected is abnormal.
Judging, according to the first longitudinal comparison result and the second longitudinal comparison result, whether the traffic data to be detected is abnormal may include:
performing a lateral comparison of the first longitudinal comparison result and the second longitudinal comparison result to obtain a comparison ratio; judging whether the comparison ratio is greater than a preset threshold; if so, judging that the traffic data to be detected is abnormal traffic; if not, judging that the traffic data to be detected is normal.
The detection method is the same for working-day and non-working-day traffic data. The specific calculation process is explained below with an example.
Example: suppose each time window includes n consecutive preset time intervals. Then:
The first data of the user terminal in the current time window corresponding to the specific time period is denoted x1t (1≤t≤n); the second data of the user terminal in the previous-period time window corresponding to the specific time period is denoted x2t (1≤t≤n); the third data of the user terminal in the current time window of the previous non-working day is denoted y1t (1≤t≤n); the fourth data of the user terminal in the previous-period time window of the previous non-working day is denoted y2t (1≤t≤n). The traffic data for n=4 is shown in Fig. 3.
After the data of the four time windows are obtained, the following calculation is performed:
Here, the value of λ1 reflects the traffic growth of the current time window relative to the current time window of the previous working day/non-working day and is the first longitudinal comparison result, while λ2 reflects the growth between the two previous-period time windows and is the second longitudinal comparison result. Comparing λ1 and λ2 as a ratio gives the comparison ratio λ, which is the lateral comparison result and reflects whether the network traffic over this period of time is normal.
In the present invention, whether the network traffic is abnormal can be judged from the comparison ratio by comparing it with a threshold.
Specifically: judge whether the comparison ratio is greater than a preset threshold; if so, the traffic data to be detected is judged to be abnormal traffic; if not, the traffic data to be detected is judged to be normal.
After the judgment is complete, the judgment result can be output to the user terminal so that the user learns of the network situation in time.
Compared with traditional network traffic anomaly detection methods, the present invention uses a time-series analysis method based on time windows, can handle both the working-day and non-working-day modes, and considers both the lateral comparison and the longitudinal comparison of traffic changes, so that it identifies more accurately whether traffic deviates from its historical pattern.
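The four-window comparison described above, sketched as an added Python example (not code from the patent). The formulas for λ1, λ2 and λ did not survive on this page, so the example assumes each longitudinal result is the ratio of the two windows' traffic sums and that λ = λ1/λ2; the weekend-only working-day rule, the 2.0 threshold, the 1-byte floor and all sample values are likewise assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


def is_working_day(day, holidays=frozenset()):
    # Assumption: Monday-Friday are working days unless listed as holidays.
    return day.weekday() < 5 and day not in holidays


def previous_same_type_day(day, holidays=frozenset(), max_back=14):
    """Most recent earlier day of the same kind (working / non-working)."""
    kind = is_working_day(day, holidays)
    for back in range(1, max_back + 1):
        candidate = day - timedelta(days=back)
        if is_working_day(candidate, holidays) == kind:
            return candidate
    raise LookupError("no comparable day within the look-back range")


def window(store, day, end_minute, n):
    """n consecutive per-minute totals ending at end_minute (inclusive).

    Raises KeyError when history is missing, so a gap is never scored as 0.
    """
    return [store[(day, m)] for m in range(end_minute - n + 1, end_minute + 1)]


@dataclass
class Verdict:
    lam1: float      # first longitudinal result: current window vs. reference day
    lam2: float      # second longitudinal result: previous-period windows
    lam: float       # lateral comparison ratio
    anomalous: bool


def detect(store, day, minute, n=4, threshold=2.0,
           holidays=frozenset(), floor=1.0):
    """Score the minute `minute` (minute of day) of `day` for one terminal."""
    ref = previous_same_type_day(day, holidays)
    x1 = window(store, day, minute, n)        # first data
    x2 = window(store, day, minute - 1, n)    # second data
    y1 = window(store, ref, minute, n)        # third data
    y2 = window(store, ref, minute - 1, n)    # fourth data
    # Assumed formulas: ratios of window sums, floored to avoid dividing by 0.
    lam1 = max(sum(x1), floor) / max(sum(y1), floor)
    lam2 = max(sum(x2), floor) / max(sum(y2), floor)
    lam = lam1 / lam2
    return Verdict(lam1, lam2, lam, lam > threshold)


def sample_store(today, today_values, ref_values, last_minute):
    """Constructed per-minute byte totals for one terminal (not real data)."""
    ref = previous_same_type_day(today)
    first = last_minute - len(today_values) + 1
    store = {}
    for i, (cur, old) in enumerate(zip(today_values, ref_values)):
        store[(today, first + i)] = cur
        store[(ref, first + i)] = old
    return store


MONDAY = date(2018, 9, 3)          # reference day becomes Friday 2018-08-31
MINUTE_0935 = 9 * 60 + 35          # windows are 9:32-9:35 and 9:31-9:34
# Burst confined to the minute under test.
BURST = sample_store(MONDAY, [1100, 1100, 1100, 1100, 9000],
                     [1000] * 5, MINUTE_0935)
# Whole day twice as busy as the reference day, but no sudden change.
BUSY_DAY = sample_store(MONDAY, [2000] * 5, [1000] * 5, MINUTE_0935)

if __name__ == "__main__":
    print("burst   :", detect(BURST, MONDAY, MINUTE_0935))
    print("busy day:", detect(BUSY_DAY, MONDAY, MINUTE_0935))
```

BUSY_DAY shows what the lateral step contributes: traffic that is uniformly twice the reference day gives λ1 = λ2 = 2 and λ = 1, so it is not flagged, while a burst confined to the last minute is.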
Corresponding to the above method for determining abnormal network traffic behavior and based on the same inventive concept, an embodiment of the present invention also provides a system for determining abnormal network traffic behavior, as shown in Fig. 4. Because the system embodiment is basically similar to the method embodiment, it is described relatively briefly; for the relevant parts, refer to the description of the method embodiment.
The system for determining abnormal network traffic behavior provided by the present invention includes:
a date judgment module 101, for judging whether the date corresponding to a specific time period is a working day or a non-working day;
a traffic acquisition module 102, for obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the corresponding historical traffic data;
a traffic detection module 103, for detecting, based on the traffic data to be detected and the historical traffic data and using a time window algorithm, whether the traffic data to be detected is abnormal.
In a specific embodiment provided by the present invention, the system further includes:
a traffic collection module, for collecting the traffic data of the user terminal in real time;
an aggregation module, for aggregating and storing the traffic data at a preset time interval to form the historical traffic data.
In a specific embodiment provided by the present invention, if the judgment result is that the date corresponding to the specific time period is a working day, the traffic acquisition module 102 includes:
a first data acquisition unit, for obtaining first data of the user terminal in the current time window corresponding to the specific time period, where the first data contains the traffic data to be detected in the specific time period;
a second data acquisition unit, for obtaining second data of the user terminal in the previous-period time window corresponding to the specific time period;
a third data acquisition unit, for obtaining third data of the user terminal in the current time window of the previous working day;
a fourth data acquisition unit, for obtaining fourth data of the user terminal in the previous-period time window of the previous working day.
The traffic detection module 103 includes a traffic detection unit.
The traffic detection unit is used for detecting, according to the first data, second data, third data and fourth data, whether the traffic data to be detected is abnormal.
In a specific embodiment provided by the present invention, if the judgment result is that the date corresponding to the specific time period is a non-working day, then in the traffic acquisition module 102:
the first data acquisition unit is also used for obtaining first data of the user terminal in the current time window corresponding to the specific time period, where the first data contains the traffic data to be detected in the specific time period;
the second data acquisition unit is also used for obtaining second data of the user terminal in the previous-period time window corresponding to the specific time period;
the third data acquisition unit is also used for obtaining third data of the user terminal in the current time window of the previous non-working day;
the fourth data acquisition unit is also used for obtaining fourth data of the user terminal in the previous-period time window of the previous non-working day.
The traffic detection module 103 includes a traffic detection unit.
The traffic detection unit is used for detecting, according to the first data, second data, third data and fourth data, whether the traffic data to be detected is abnormal.
In a specific embodiment provided by the present invention, the traffic detection unit includes:
a first longitudinal comparison subunit, for performing a time-window longitudinal comparison of the first data and the third data to obtain a first longitudinal comparison result;
a second longitudinal comparison subunit, for performing a time-window longitudinal comparison of the second data and the fourth data to obtain a second longitudinal comparison result;
a judgment subunit, for judging, according to the first longitudinal comparison result and the second longitudinal comparison result, whether the traffic data to be detected is abnormal.
In a specific embodiment provided by the present invention, the judgment subunit is specifically used for:
performing a lateral comparison of the first longitudinal comparison result and the second longitudinal comparison result to obtain a comparison ratio;
judging whether the comparison ratio is greater than a preset threshold;
if so, judging that the traffic data to be detected is abnormal traffic;
if not, judging that the traffic data to be detected is normal.
In a specific embodiment provided by the present invention, the specific time period is the current preset time period of the current day.
The above is the system for determining abnormal network traffic behavior provided by the present invention.
Correspondingly, based on the same inventive concept as the above method for determining abnormal network traffic behavior, an embodiment of the invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the above method for determining abnormal network traffic behavior.
As can be seen from the above technical solution, this embodiment provides a computer-readable storage medium on which a computer program is stored. When the program is executed by a processor, it judges whether the date corresponding to the specific time period is a working day or a non-working day and, according to the judgment result, obtains the traffic data to be detected in the specific time period and the corresponding historical traffic data. Based on the traffic data to be detected and the historical traffic data, a time window algorithm can detect whether the traffic data to be detected is abnormal. Compared with traditional network traffic anomaly detection methods, the time-series analysis method based on time windows can handle both the working-day and non-working-day patterns, and the invention considers the horizontal comparison and the longitudinal comparison of traffic changes at the same time, so that it identifies more accurately whether the traffic deviates from the historical pattern.
Correspondingly, based on the same inventive concept as the above method for determining abnormal network traffic behavior, an embodiment of the invention further provides a device for determining abnormal network traffic behavior, including: a memory, a processor, and a computer program stored on the memory and runnable on the processor, wherein the processor implements the above method for determining abnormal network traffic behavior when executing the program.
As can be seen from the above technical solution, the device for determining abnormal network traffic behavior provided in this embodiment judges whether the date corresponding to the specific time period is a working day or a non-working day and, according to the judgment result, obtains the traffic data to be detected in the specific time period and the corresponding historical traffic data. Based on the traffic data to be detected and the historical traffic data, a time window algorithm can detect whether the traffic data to be detected is abnormal. Compared with traditional network traffic anomaly detection methods, the time-series analysis method based on time windows can handle both the working-day and non-working-day patterns, and the invention considers the horizontal comparison and the longitudinal comparison of traffic changes at the same time, so that it identifies more accurately whether the traffic deviates from the historical pattern.
Numerous specific details are set forth in the specification of the invention. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this specification.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided they do not conflict with each other, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those different embodiments or examples.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention, and they shall all be covered by the claims and the specification of the invention.

Claims (10)

1. A method for determining abnormal network traffic behavior, characterized by comprising:
judging whether the date corresponding to a specific time period is a working day or a non-working day;
according to the judgment result, obtaining the traffic data to be detected in the specific time period and the corresponding historical traffic data;
based on the traffic data to be detected and the historical traffic data, detecting whether the traffic data to be detected is abnormal by using a time window algorithm.
2. The method according to claim 1, characterized in that, before the step of obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the historical traffic data, the method further comprises:
collecting traffic data of a user terminal in real time;
summarizing and storing the traffic data at preset time intervals to form the historical traffic data.
3. The method according to claim 1, characterized in that, if the judgment result is that the date corresponding to the specific time period is a working day, obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the corresponding historical traffic data comprises:
obtaining first data of the user terminal in the current time window corresponding to the specific time period, wherein the first data includes the traffic data to be detected in the specific time period;
obtaining second data of the user terminal in the previous-cycle time window corresponding to the specific time period;
obtaining third data of the user terminal in the current time window of the previous working day;
obtaining fourth data of the user terminal in the previous-cycle time window of the previous working day;
and detecting, based on the traffic data to be detected and the historical traffic data, whether the traffic data to be detected is abnormal by using the time window algorithm comprises:
detecting, according to the first data, the second data, the third data and the fourth data, whether the traffic data to be detected is abnormal.
4. The method according to claim 1, characterized in that, if the judgment result is that the date corresponding to the specific time period is a non-working day, obtaining, according to the judgment result, the traffic data to be detected in the specific time period and the corresponding historical traffic data comprises:
obtaining first data of the user terminal in the current time window corresponding to the specific time period, wherein the first data includes the traffic data to be detected in the specific time period;
obtaining second data of the user terminal in the previous-cycle time window corresponding to the specific time period;
obtaining third data of the user terminal in the current time window of the previous non-working day;
obtaining fourth data of the user terminal in the previous-cycle time window of the previous non-working day;
and detecting, based on the traffic data to be detected and the historical traffic data, whether the traffic data to be detected is abnormal by using the time window algorithm comprises:
detecting, according to the first data, the second data, the third data and the fourth data, whether the traffic data to be detected is abnormal.
5. The method according to claim 3 or 4, characterized in that detecting, according to the first data, the second data, the third data and the fourth data, whether the traffic data to be detected is abnormal comprises:
performing a time-window longitudinal comparison on the first data and the third data to obtain a first longitudinal comparison result;
performing a time-window longitudinal comparison on the second data and the fourth data to obtain a second longitudinal comparison result;
judging, according to the first longitudinal comparison result and the second longitudinal comparison result, whether the traffic data to be detected is abnormal.
6. The method according to claim 5, characterized in that judging, according to the first longitudinal comparison result and the second longitudinal comparison result, whether the traffic data to be detected is abnormal comprises:
performing a horizontal comparison on the first longitudinal comparison result and the second longitudinal comparison result to obtain a comparison ratio;
judging whether the comparison ratio is greater than a preset threshold;
if so, judging the traffic data to be detected to be abnormal traffic;
if not, judging the traffic data to be detected to be normal.
7. The method according to claim 1, characterized in that the specific time period is the current preset period of the current day.
8. A system for determining abnormal network traffic behavior, characterized by comprising:
a date judgment module, configured to judge whether the date corresponding to a specific time period is a working day or a non-working day;
a traffic acquisition module, configured to obtain, according to the judgment result, the traffic data to be detected in the specific time period and the corresponding historical traffic data;
a traffic detection module, configured to detect, based on the traffic data to be detected and the historical traffic data, whether the traffic data to be detected is abnormal by using a time window algorithm.
9. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1-7.
10. A device for determining abnormal network traffic behavior, comprising: a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor implements the method according to any one of claims 1-7 when executing the program.
CN201811130727.6A 2018-09-27 2018-09-27 Determine method, system, medium and the equipment of exception of network traffic behavior Pending CN108881326A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811130727.6A CN108881326A (en) 2018-09-27 2018-09-27 Determine method, system, medium and the equipment of exception of network traffic behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811130727.6A CN108881326A (en) 2018-09-27 2018-09-27 Determine method, system, medium and the equipment of exception of network traffic behavior

Publications (1)

Publication Number Publication Date
CN108881326A true CN108881326A (en) 2018-11-23

Family

ID=64324740

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811130727.6A Pending CN108881326A (en) 2018-09-27 2018-09-27 Determine method, system, medium and the equipment of exception of network traffic behavior

Country Status (1)

Country Link
CN (1) CN108881326A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method
US20180019932A1 (en) * 2016-07-12 2018-01-18 At&T Intellectual Property I, L.P. Enterprise server behavior profiling
CN108347355A (en) * 2017-01-22 2018-07-31 腾讯科技(深圳)有限公司 A kind of detection method and its equipment of application state

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张瑞: "网络异常流量检测模型设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
邱雪松等: "企业IT网络异常流量综合检测模型", 《北京邮电大学学报》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109858821A (en) * 2019-02-14 2019-06-07 金瓜子科技发展(北京)有限公司 A kind of influence feature determines method, apparatus, equipment and medium
CN110166418A (en) * 2019-03-04 2019-08-23 腾讯科技(深圳)有限公司 Attack detection method, device, computer equipment and storage medium
CN110852802A (en) * 2019-11-08 2020-02-28 咪咕文化科技有限公司 Abnormal behavior recognition method, communication device and computer-readable storage medium
CN111199417A (en) * 2019-11-29 2020-05-26 北京深演智能科技股份有限公司 Identification method and device for virtual equipment ID
CN112165471A (en) * 2020-09-22 2021-01-01 杭州安恒信息技术股份有限公司 Industrial control system flow abnormity detection method, device, equipment and medium
CN112751869A (en) * 2020-12-31 2021-05-04 中国人民解放军战略支援部队航天工程大学 Network abnormal flow detection method and device based on sliding window group
CN112751869B (en) * 2020-12-31 2023-07-14 中国人民解放军战略支援部队航天工程大学 Method and device for detecting abnormal network traffic based on sliding window group
CN113949652A (en) * 2021-10-12 2022-01-18 平安普惠企业管理有限公司 User abnormal behavior detection method and device based on artificial intelligence and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181123
