CN108965055A - A kind of network flow abnormal detecting method taking a method based on historical time - Google Patents

A kind of network flow abnormal detecting method taking a method based on historical time Download PDF

Info

Publication number
CN108965055A
CN108965055A CN201810782516.4A CN201810782516A CN108965055A CN 108965055 A CN108965055 A CN 108965055A CN 201810782516 A CN201810782516 A CN 201810782516A CN 108965055 A CN108965055 A CN 108965055A
Authority
CN
China
Prior art keywords
network
time
abnormal
network flow
network behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810782516.4A
Other languages
Chinese (zh)
Other versions
CN108965055B (en
Inventor
叶晓鸣
杨力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CHENGDU LIMING INFORMATION TECHNOLOGY Co.,Ltd.
Chengdu University of Information Technology
Original Assignee
Chengdu Liming Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Liming Information Technology Co Ltd filed Critical Chengdu Liming Information Technology Co Ltd
Priority to CN201810782516.4A priority Critical patent/CN108965055B/en
Publication of CN108965055A publication Critical patent/CN108965055A/en
Application granted granted Critical
Publication of CN108965055B publication Critical patent/CN108965055B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a kind of network flow abnormal detecting methods that a method is taken based on historical time, include the following steps: 1. in network flow collection point deployment Port Mirroring routing, capture full flow data packet, form network flow time series data source;2. counting using the behavioural characteristic that set time window carries out network flow to network flow time series data source, network behavior temporal aspect vector is formed;3. the Witt vector of each network behavior temporal aspect vector takes a method to select historical data as input, with historical time, is accumulated respectively using the quantization method of absolute change, opposite variation and Long-term change trend and calculate abnormal deviation angle value;4. abnormal deviation angle value is accumulated with evidence accumulation method, according to abnormal deviation degree according to distribution trend given threshold, abnormal decision is realized to the state of actual time window network behavior.The present invention reduces calculating cost while realizing the threat event and trend of lasting monitoring network, improves the accuracy of Network anomalous behaviors monitoring.

Description

A kind of network flow abnormal detecting method taking a method based on historical time
Technical field
The present invention relates to a kind of network flow abnormal detecting methods, specifically, being to be related to one kind to take based on historical time The network flow abnormal detecting method of point method.
Background technique
With the development of internet, network environment is more and more diversified, complicates, other than network normal discharge, net Various abnormal flows on network threaten the safety and use of subscriber's main station.How real-time monitoring and pipe are carried out to network flow Reason, detects Network anomalous behaviors, has become problem to be solved in network security.
However, due to huge, analysis, storage, calculating of the real time monitoring analysis flow for computer of web database technology There are high requirement, network flow abnormal detecting method ever more important, current exception of network traffic detection technique is mostly deposited In some disadvantages, such as abnormality detection technology based on signature, to analyze and identify undesirable network behavior, and this detection skill Art can only rely on predefined signature rule library discovery Network anomalous behaviors, be unable to monitor unknown Network anomalous behaviors;Equally It is widely used to be based on machine learning algorithm, it is normal or abnormal by net flow assorted, however this classification method faces The problem of training sample difficulty is big, to calculate at high cost and rate of false alarm high etc. is obtained, the complex network ring of dynamic change can not be adapted to Border.
Summary of the invention
The purpose of the present invention is to provide a kind of network flow abnormal detecting methods that a method is taken based on historical time, to net Network flow is monitored in real time and analysis detection, solves the sudden change of network behavior timing portrait and the detection of Long-term change trend Problem, while the algorithm used reduces calculating cost, improves the accuracy of Network anomalous behaviors monitoring.
To achieve the above object, The technical solution adopted by the invention is as follows:
A kind of network flow abnormal detecting method being taken a method based on historical time, is included the following steps:
(1) in network flow collection point deployment Port Mirroring routing, full flow data packet is captured, ordinal number when forming network flow According to source;
(2) it is counted, is formed using the behavioural characteristic that set time window carries out network flow to network flow time series data source Network behavior temporal aspect vector depicts the network behavior portrait of actual time window, passes through the network of multiple time windows Behavior temporal aspect vector constructs the timing portrait of network behavior;
(3) using each behavioural characteristic of actual time window network behavior temporal aspect vector successively as input, with going through The history time takes a method selection historical data, is quantified using absolute change quantization method, relative variation method and Long-term change trend Method accumulates the network behavior for calculating actual time window network behavior temporal aspect vector and corresponding historical data respectively The abnormal deviation angle value of temporal aspect vector obtains the situation of change of actual time window network behavior portrait;
(4) evidence accumulation method is used, step (3) are calculated into resulting abnormal deviation angle value and are accumulated, behavior is obtained Timing portrait irrelevance, by behavior timing portrait irrelevance data distribution trend given threshold, to actual time window network The state of behavior realizes abnormal decision, and sounds an alarm to abnormal flow.
The multidimensional behavioural characteristic of the network flow includes directly observing and counting obtained direct feature by network flow With the indirect feature by being obtained to the direct feature secondary calculating.
Historical time takes a method that historical data is divided into working days evidence and weekend data, respectively in vertical time axis and water It carries out taking a little on flat time shaft;The horizontal time axis is fixed intraday data, and chronomere is hour or minute;It is described Vertical time axis specifically takes point mode as unit of day are as follows: the current time of set time window is denoted as time t, water The continuous λ point that time t is adjacent is taken on flat time shaft, takes point data by symbol 1×λIt indicates;It include two on vertical time axis Kind takes point mode: the first, k week t adjacent continuous λ point, takes point data by symbol before takingIt indicates;The Two kinds, λ point for taking the previous day time t adjacent takes the last week, and λ time t adjacent point, respectively constitutes two sons on the same day Sequence, subsequence is by symbol ¤2×λIt indicates;Its described λ is the natural number greater than 1, and the k is the natural number greater than 2, the λ It is configured with k according to actual environment.
Absolute change quantization method each behavioural characteristic of actual time window network behavior temporal aspect vector successively As input, accumulation calculates horizontal time axis in actual time window network behavior temporal aspect vector and historical data and takes a little Network behavior temporal aspect vector between abnormal deviation angle value, calculate abnormal deviation angle value algorithm it is as follows:
Wherein | fi(t)-fi(x) | indicate ith feature in the value of current time x and the absolute value of adjacent time characteristic value, wiIndicate the weight of characteristic value i,M indicates behavioural characteristic number.
Relative variation method each behavioural characteristic of actual time window network behavior temporal aspect vector successively As input, accumulation calculates vertical time axis first in actual time window network behavior temporal aspect vector and historical data Kind mode takes the abnormal deviation angle value between network behavior temporal aspect vector a little, calculates the algorithm of abnormal deviation angle value such as Under:
Wherein λ=5, k=3, fi(t)/max(fi(t),fi(t-1),L,fi(t- λ)) indicate K week t it is adjacent before The ratio of the maximum value of λ data point, wiIndicate the weight of characteristic value i, m indicates behavioural characteristic number.
Long-term change trend quantization method each behavioural characteristic of actual time window network behavior temporal aspect vector successively As input, accumulation calculates vertical time axis second in actual time window network behavior temporal aspect vector and historical data Kind mode takes the abnormal deviation angle value between network behavior temporal aspect vector a little, calculates the abnormal deviation degree of Long-term change trend The algorithm of value is as follows:
WhereinIndicate the characteristic value subsequence that current time t is established,Indicate characteristic value of history same time point Sequence,It indicatesWithSimilitude, w is the weighted value of feature, and α is the current sub- sequence of subsequence distance Arrange the weight of time distance.
The formula for being accumulated abnormal deviation angle value using evidence integrating method in the step (4) are as follows: EA=θ1EA(1)2EA(2)3EA(3)
Compared with prior art, the invention has the following advantages:
(1) present invention takes a method take a little to historical data by historical time, solves real-time monitoring flow rate calculation amount Problem huge, memory requirement is high reduces the calculating cost and carrying cost that time series data exception is detected according to historical data.
(2) present invention is calculated separately out corresponding real by the quantization method of absolute change, opposite variation and Long-term change trend When data and historical data evidence accumulated value, absolute change accumulation focus on adjacent data situation of change, it is intended to discovery it is more Dimensional feature increases or decreases suddenly, solves the problems, such as that network behavior profile is mutated;Periodical phase is focused in opposite variation accumulation Pass data situation, it is intended to which situations such as reducing wrong report, discovery service disruption solves user's visit of timing, periodicity, centrality The problem of asking wrong report caused by behavior;Long-term change trend accumulation concern tendency, periodic data situation of change, it is intended to which discovery is not inconsistent The case where closing temporal evolution trend solves the problems, such as that attack is intended to low frequency, low-intensity and means at a slow speed.
Detailed description of the invention
Fig. 1 is flow diagram of the invention.
Fig. 2 is that historical time of the invention takes a method schematic diagram (working day).
Fig. 3 is that historical time of the invention takes a method schematic diagram (weekend).
Specific embodiment
The invention will be further described with embodiment for explanation with reference to the accompanying drawing, and mode of the invention includes but not only limits In following embodiment.
As shown in Figure 1, a kind of network flow abnormal detecting method for taking a method based on historical time disclosed by the invention, institute The method of stating includes the following steps:
(1) in network flow collection point deployment Port Mirroring routing, full flow data packet is captured, ordinal number when forming network flow According to source;
(2) it is counted, is formed using the behavioural characteristic that set time window carries out network flow to network flow time series data source Network behavior temporal aspect vector depicts the network behavior portrait of actual time window, passes through the network of multiple time windows Behavior temporal aspect vector constructs the timing portrait of network behavior;
Here flow is counted essentially according to time window, statistical nature includes port numbers, number-of-packet, agreement (TCP, UDP, ICMP etc.), long data packet, ttl value, SYN packet number etc., are broadly divided into and directly observe and count by network flow To direct feature and the indirect feature by being obtained to the direct feature secondary calculating.When each time window terminates It waits, the unified characteristic value drawn a portrait to behavior calculates.
(3) using each behavioural characteristic of actual time window network behavior temporal aspect vector successively as input, with going through The history time takes a method selection historical data, is quantified using absolute change quantization method, relative variation method and Long-term change trend Method accumulates the network behavior for calculating actual time window network behavior temporal aspect vector and corresponding historical data respectively The abnormal deviation angle value of temporal aspect vector obtains the situation of change of actual time window network behavior portrait.
As shown in Figure 2 and Figure 3, historical time takes a method that time series data is divided into working days evidence and weekend data, exists respectively It carries out taking a little on vertical time axis and horizontal time axis.Its vertical time axis is as unit of day, and day is same time type (being all working day or weekend) constructs vertical range;Horizontal time axis is fixed intraday data, and chronomere can basis Need to be customized to hour or minute etc..
Adjacent data correlation is focused on, there are also cycle data correlations.Wherein detection time is t, time reference line frame Each symbol and respective value definition it is as shown in table 1:
1 Time Correlation Data of table and symbol
3 kinds of history point values obtain data acquisition system above, by the historical data as the evidence accumulation method proposed in text, It whether is abnormal with detection time.
(4) evidence accumulation method is used, step (3) are calculated into resulting abnormal deviation angle value and are accumulated, behavior is obtained Timing portrait irrelevance, by behavior timing portrait irrelevance data distribution trend given threshold, to actual time window network The state of behavior realizes abnormal decision, sounds an alarm to abnormal flow.
Each behavioural characteristic of the absolute change quantization method actual time window network behavior temporal aspect vector Successively as input, accumulation calculates horizontal time axis in actual time window network behavior temporal aspect vector and historical data The abnormal deviation angle value between network behavior temporal aspect vector a little is taken, the algorithm for calculating abnormal deviation angle value is as follows:
Wherein | fi(t)-fi(x) | indicate ith feature in the value of current time x and the absolute value of adjacent time characteristic value, wiIndicate the weight of characteristic value,M indicates behavioural characteristic number.
Each behavioural characteristic of the relative variation method actual time window network behavior temporal aspect vector Successively as input, accumulation calculates vertical time axis in actual time window network behavior temporal aspect vector and historical data First way takes the abnormal deviation angle value between network behavior temporal aspect vector a little, calculates the calculation of abnormal deviation angle value Method is as follows:
Wherein λ=5, k=3, fi(t)/max(fi(t),fi(t-1),L,fi(t- λ)) indicate K week t it is adjacent before The ratio of the maximum value of λ data point, m indicate behavioural characteristic number.
A kind of network flow abnormal detecting method taking a method based on historical time, Long-term change trend quantization method meter Calculate tendency, periodic data situation of change.On time series approximate representation, the symbolism aggregation for introducing time series is approximate Representation method (Symbolic Aggregate Approximation, SAX).First with the historical time off-take point method proposed Then the time series for the N number of data point for taking time series and current time to be compared adjacent is distinguished time series Normalization, PAA dimensionality reduction and symbolism, to calculate two character string sequencesWithSimilitude, use It indicates.Subsequence comparison is carried out using SAX, obtains the accumulated value of the similitude of the SAX sequence of current time each characteristic value.Shape Shape changing value has periodically when mainly paying close attention to server access, and user access activity is work.Focus on this period Character shape trend, be not concerned with specific characteristic value size, using SAX calculate feature set aggregate-value.It is the character of Q String formIt is constructed by ¤ time series data.Wherein, w is the weighted value of feature, and α is the current sub- sequence of subsequence distance The weight of time distance is arranged, the algorithm for calculating the abnormal deviation angle value of Long-term change trend is as follows:
The formula for being accumulated abnormal deviation angle value using evidence integrating method in the step (4) are as follows: EA=θ1EA(1)2EA(2)3EA(3)
The present invention carries out real-time monitoring and analysis detection by above-mentioned design, to network flow, can detect Network Abnormal Behavior, to abnormal flow issue alert, protect the safety and use of subscriber's main station, solve timing portrait sudden change and The test problems of Long-term change trend, while the algorithm used reduces calculating cost, improves the accuracy of network behavior monitoring.
Above-described embodiment is only one of the preferred embodiment of the present invention, should not be taken to limit protection model of the invention It encloses, as long as that in body design thought of the invention and mentally makes has no the change of essential meaning or polishing, is solved The technical issues of it is still consistent with the present invention, should all be included within protection scope of the present invention.

Claims (8)

1. a kind of network flow abnormal detecting method for taking a method based on historical time, which is characterized in that include the following steps:
(1) in network flow collection point deployment Port Mirroring routing, full flow data packet is captured, network flow time series data is formed Source;
(2) it is counted using the behavioural characteristic that set time window carries out network flow to network flow time series data source, multidimensional behavior Feature forms network behavior temporal aspect vector, depicts the network behavior portrait of actual time window, passes through multiple time windows The network behavior temporal aspect vector of mouth constructs the timing portrait of network behavior;
(3) using each behavioural characteristic of actual time window network behavior temporal aspect vector successively as input, when with history Between take method selection historical data, use absolute change quantization method, relative variation method and Long-term change trend quantization method Accumulation calculates the network behavior timing of actual time window network behavior temporal aspect vector with corresponding historical data respectively The abnormal deviation angle value of feature vector obtains the situation of change of actual time window network behavior portrait;
(4) evidence accumulation method is used, step (3) are calculated into resulting abnormal deviation angle value and are accumulated, behavior timing is obtained Portrait irrelevance, by behavior timing portrait irrelevance data distribution trend given threshold, to actual time window network behavior State realize abnormal decision, and abnormal flow is sounded an alarm.
2. a kind of network flow abnormal detecting method for taking a method based on historical time according to claim 1, feature It is, the multidimensional behavioural characteristic of the network flow includes directly observing and counting obtained direct feature by network flow and lead to Cross the indirect feature obtained to the direct feature secondary calculating.
3. a kind of network flow abnormal detecting method for taking a method based on historical time according to claim 2, feature Be, the historical time takes a method that historical data is divided into working days evidence and weekend data, respectively in vertical time axis and It carries out taking a little on horizontal time axis.
4. a kind of network flow abnormal detecting method for taking a method based on historical time according to claim 3, feature It is, the horizontal time axis is fixed intraday data, and chronomere is hour or minute;The vertical time axis is with day For unit, point mode is specifically taken are as follows: the current time of set time window is denoted as time t, when taking on horizontal time axis Between the adjacent continuous λ point of t, take point data by symbolIt indicates;Include two kinds on vertical time axis and takes point mode: the One kind, k week t adjacent continuous λ point, takes point data by symbol ¢ before takingK×λIt indicates;Second, when taking the previous day Between the adjacent continuous λ point of t, take the last week, time t adjacent continuous λ point, respectively constitutes two sub- sequences on the same day Column, subsequence is by symbol ¤2×λIt indicates;Its described λ is the natural number greater than 1, and the k is the natural number greater than 2.
5. a kind of network flow abnormal detecting method for taking a method based on historical time according to claim 4, feature Be, the absolute change quantization method each behavioural characteristic of actual time window network behavior temporal aspect vector successively As input, accumulation calculates horizontal time axis in actual time window network behavior temporal aspect vector and historical data and takes a little Network behavior temporal aspect vector between abnormal deviation angle value, calculate abnormal deviation angle value algorithm it is as follows:
Wherein | fi(t)-fi(x) | indicate i-th of behavioural characteristic in the value of current time x and the absolute value of adjacent time characteristic value, wiIndicate the weight of characteristic value i,M indicates behavioural characteristic number.
6. a kind of network flow abnormal detecting method for taking a method based on historical time according to claim 5, feature Be, the relative variation method each behavioural characteristic of actual time window network behavior temporal aspect vector successively As input, accumulation calculates vertical time axis first in actual time window network behavior temporal aspect vector and historical data Kind mode takes the abnormal deviation angle value between network behavior temporal aspect vector a little, calculates the algorithm of abnormal deviation angle value such as Under:
Wherein λ=5, k=3, fi(t)/max(fi(t),fi(t-1),L,fi(t- λ)) indicate the adjacent preceding λ number of K week t The ratio of the maximum value at strong point, wiIndicate the weight of characteristic value i, m indicates behavioural characteristic number.
7. a kind of network flow abnormal detecting method for taking a method based on historical time according to claim 6, feature Be, the Long-term change trend quantization method each behavioural characteristic of actual time window network behavior temporal aspect vector successively As input, accumulation calculates vertical time axis second in actual time window network behavior temporal aspect vector and historical data Kind mode takes the abnormal deviation angle value between network behavior temporal aspect vector a little, calculates the abnormal deviation degree of Long-term change trend The algorithm of value is as follows:
WhereinIndicate the characteristic value subsequence that current time t is established,Indicate the characteristic value subsequence of history same time point,It indicatesWithSimilitude, w is the weighted value of feature, α be subsequence apart from current subsequence when Between far and near weight.
8. a kind of network flow abnormal detecting method for taking a method based on historical time according to claim 7, feature It is, the formula for being accumulated abnormal deviation angle value using evidence integrating method in the step (4) are as follows: EA=θ1EA(1)2EA(2)3EA(3)
CN201810782516.4A 2018-07-17 2018-07-17 Network flow abnormity detection method based on historical time point taking method Active CN108965055B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810782516.4A CN108965055B (en) 2018-07-17 2018-07-17 Network flow abnormity detection method based on historical time point taking method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810782516.4A CN108965055B (en) 2018-07-17 2018-07-17 Network flow abnormity detection method based on historical time point taking method

Publications (2)

Publication Number Publication Date
CN108965055A true CN108965055A (en) 2018-12-07
CN108965055B CN108965055B (en) 2021-07-13

Family

ID=64481530

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810782516.4A Active CN108965055B (en) 2018-07-17 2018-07-17 Network flow abnormity detection method based on historical time point taking method

Country Status (1)

Country Link
CN (1) CN108965055B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109936578A (en) * 2019-03-21 2019-06-25 西安电子科技大学 The detection method of HTTPS tunnel traffic in a kind of network-oriented
CN110855663A (en) * 2019-11-12 2020-02-28 北京中安智达科技有限公司 Identification method and system based on time-space correlation analysis
CN111092891A (en) * 2019-12-20 2020-05-01 杭州安恒信息技术股份有限公司 Method, system and related device for detecting abnormal point in network
CN111131314A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111556345A (en) * 2020-03-19 2020-08-18 视联动力信息技术股份有限公司 Network quality detection method and device, electronic equipment and storage medium
WO2021017284A1 (en) * 2019-07-30 2021-02-04 平安科技(深圳)有限公司 Cortex-learning-based anomaly detection method and apparatus, terminal device, and storage medium
CN112751869A (en) * 2020-12-31 2021-05-04 中国人民解放军战略支援部队航天工程大学 Network abnormal flow detection method and device based on sliding window group
CN113722383A (en) * 2021-09-13 2021-11-30 福韵数据服务有限公司 Investigation device and method based on time sequence information
CN114547145A (en) * 2022-02-21 2022-05-27 苏州浪潮智能科技有限公司 Method, system, storage medium and equipment for detecting time sequence data abnormity
WO2022142494A1 (en) * 2020-12-30 2022-07-07 京东城市(北京)数字科技有限公司 Anomaly monitoring method and apparatus for timing data, electronic device, and storage medium
TWI789219B (en) * 2022-01-21 2023-01-01 友訊科技股份有限公司 Monitoring control assisting and leading method for network devices, its terminal equipment and readable storage medium
CN116155426A (en) * 2023-04-19 2023-05-23 恩平市奥新电子科技有限公司 Sound console operation abnormity monitoring method based on historical data

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103200039A (en) * 2012-01-09 2013-07-10 阿里巴巴集团控股有限公司 Data monitoring method and device
CN105071985A (en) * 2015-07-24 2015-11-18 四川大学 Server network behavior description method
CN105208040A (en) * 2015-10-12 2015-12-30 北京神州绿盟信息安全科技股份有限公司 Network attack detection method and device
CN105406991A (en) * 2015-10-26 2016-03-16 上海华讯网络系统有限公司 Method and system for generating service threshold by historical data based on network monitoring indexes
CN105610647A (en) * 2015-12-30 2016-05-25 华为技术有限公司 Service abnormity detection method and server
CN105681063A (en) * 2014-11-18 2016-06-15 中国移动通信集团北京有限公司 Method and apparatus for monitoring network index
US20170063911A1 (en) * 2015-08-31 2017-03-02 Splunk Inc. Lateral Movement Detection for Network Security Analysis
CN107086944A (en) * 2017-06-22 2017-08-22 北京奇艺世纪科技有限公司 A kind of method for detecting abnormality and device
EP3259881A1 (en) * 2015-03-24 2017-12-27 Huawei Technologies Co. Ltd. Adaptive, anomaly detection based predictor for network time series data
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection
CN108270620A (en) * 2018-01-15 2018-07-10 深圳市联软科技股份有限公司 Network anomaly detection method, device, equipment and medium based on Portrait brand technology

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103200039A (en) * 2012-01-09 2013-07-10 阿里巴巴集团控股有限公司 Data monitoring method and device
CN105681063A (en) * 2014-11-18 2016-06-15 中国移动通信集团北京有限公司 Method and apparatus for monitoring network index
EP3259881A1 (en) * 2015-03-24 2017-12-27 Huawei Technologies Co. Ltd. Adaptive, anomaly detection based predictor for network time series data
CN105071985A (en) * 2015-07-24 2015-11-18 四川大学 Server network behavior description method
US20170063911A1 (en) * 2015-08-31 2017-03-02 Splunk Inc. Lateral Movement Detection for Network Security Analysis
CN105208040A (en) * 2015-10-12 2015-12-30 北京神州绿盟信息安全科技股份有限公司 Network attack detection method and device
CN105406991A (en) * 2015-10-26 2016-03-16 上海华讯网络系统有限公司 Method and system for generating service threshold by historical data based on network monitoring indexes
CN105610647A (en) * 2015-12-30 2016-05-25 华为技术有限公司 Service abnormity detection method and server
CN107086944A (en) * 2017-06-22 2017-08-22 北京奇艺世纪科技有限公司 A kind of method for detecting abnormality and device
CN108270620A (en) * 2018-01-15 2018-07-10 深圳市联软科技股份有限公司 Network anomaly detection method, device, equipment and medium based on Portrait brand technology
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KONSTANTINOS G: "Using Wavelets for Compression and Detecting Events in Anomalous Network Traffic", 《2009 FOURTH INTERNATIONAL CONFERENCE ON SYSTEMS AND NETWORKS COMMUNICATIONS》 *
胡洋瑞等: "基于流量行为特征的异常流量检测", 《信息网络安全》 *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109936578A (en) * 2019-03-21 2019-06-25 西安电子科技大学 The detection method of HTTPS tunnel traffic in a kind of network-oriented
WO2021017284A1 (en) * 2019-07-30 2021-02-04 平安科技(深圳)有限公司 Cortex-learning-based anomaly detection method and apparatus, terminal device, and storage medium
CN110855663B (en) * 2019-11-12 2021-12-14 北京中安智达科技有限公司 Identification method and system based on time-space correlation analysis
CN110855663A (en) * 2019-11-12 2020-02-28 北京中安智达科技有限公司 Identification method and system based on time-space correlation analysis
CN111092891A (en) * 2019-12-20 2020-05-01 杭州安恒信息技术股份有限公司 Method, system and related device for detecting abnormal point in network
CN111131314A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111131314B (en) * 2019-12-31 2022-04-12 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111556345A (en) * 2020-03-19 2020-08-18 视联动力信息技术股份有限公司 Network quality detection method and device, electronic equipment and storage medium
CN111556345B (en) * 2020-03-19 2023-08-29 视联动力信息技术股份有限公司 Network quality detection method and device, electronic equipment and storage medium
WO2022142494A1 (en) * 2020-12-30 2022-07-07 京东城市(北京)数字科技有限公司 Anomaly monitoring method and apparatus for timing data, electronic device, and storage medium
CN112751869A (en) * 2020-12-31 2021-05-04 中国人民解放军战略支援部队航天工程大学 Network abnormal flow detection method and device based on sliding window group
CN112751869B (en) * 2020-12-31 2023-07-14 中国人民解放军战略支援部队航天工程大学 Method and device for detecting abnormal network traffic based on sliding window group
CN113722383A (en) * 2021-09-13 2021-11-30 福韵数据服务有限公司 Investigation device and method based on time sequence information
TWI789219B (en) * 2022-01-21 2023-01-01 友訊科技股份有限公司 Monitoring control assisting and leading method for network devices, its terminal equipment and readable storage medium
US11784896B2 (en) 2022-01-21 2023-10-10 D-Link Corporation Network equipment for monitoring user's network activity behavior and quantative analysis aid and guidance method, and terminal device and readable storage medium thereof
CN114547145A (en) * 2022-02-21 2022-05-27 苏州浪潮智能科技有限公司 Method, system, storage medium and equipment for detecting time sequence data abnormity
CN114547145B (en) * 2022-02-21 2024-01-26 苏州浪潮智能科技有限公司 Time sequence data anomaly detection method, system, storage medium and equipment
CN116155426A (en) * 2023-04-19 2023-05-23 恩平市奥新电子科技有限公司 Sound console operation abnormity monitoring method based on historical data

Also Published As

Publication number Publication date
CN108965055B (en) 2021-07-13

Similar Documents

Publication Publication Date Title
CN108965055A (en) A kind of network flow abnormal detecting method taking a method based on historical time
JP6184270B2 (en) System and method for creating index profiles related to attacks by correlating various indices with past attack cases in order to detect and predict future network attacks
Erez et al. Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems
Carter et al. Probabilistic reasoning for streaming anomaly detection
CN105376260B (en) A kind of exception flow of network monitoring system based on density peaks cluster
US10498585B2 (en) Sensor data analytics and alarm management
CN113518011B (en) Abnormality detection method and apparatus, electronic device, and computer-readable storage medium
CN107493277B (en) Large data platform online anomaly detection method based on maximum information coefficient
CN105071985B (en) A kind of server network behavior description method
CN104639388B (en) A kind of dns server method for detecting availability perceived based on user
CN105208040A (en) Network attack detection method and device
CN110895526A (en) Method for correcting data abnormity in atmosphere monitoring system
Ye et al. EWMA forecast of normal system activity for computer intrusion detection
CN109981328A (en) A kind of fault early warning method and device
CN108667856A (en) A kind of network anomaly detection method, device, equipment and storage medium
Coluccia et al. Distribution-based anomaly detection via generalized likelihood ratio test: A general maximum entropy approach
CN111092862A (en) Method and system for detecting abnormal communication flow of power grid terminal
CN104660464A (en) Network anomaly detection method based on non-extensive entropy
Tehrani et al. Online electricity theft detection framework for large-scale smart grid data
US10681059B2 (en) Relating to the monitoring of network security
CN109951420A (en) A kind of multistage flow method for detecting abnormality based on entropy and dynamic linear relationship
US11657148B2 (en) Event analysis in an electric power system
EP2882139B1 (en) System and method for IT servers anomaly detection using incident consolidation
Banik et al. Anomaly detection techniques in smart grid systems: A review
CN109768995B (en) Network flow abnormity detection method based on cyclic prediction and learning

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210618

Address after: No.24, Xuefu Road Section 1, Southwest Airport Economic Development Zone, Shuangliu District, Chengdu, Sichuan 610200

Applicant after: Chengdu University of Information Technology

Applicant after: CHENGDU LIMING INFORMATION TECHNOLOGY Co.,Ltd.

Address before: No.69, Tianfu Third Street, Tianfu New District, Chengdu, Sichuan 610000

Applicant before: CHENGDU LIMING INFORMATION TECHNOLOGY Co.,Ltd.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant