CN108965055A - Network traffic anomaly detection method based on a historical time point-taking method - Google Patents
- Publication number: CN108965055A
- Authority: CN (China)
- Prior art keywords: network, time, abnormal, network flow, network behavior
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network traffic anomaly detection method based on a historical time point-taking method, comprising the following steps: 1. deploy port mirroring routing at the network traffic collection point and capture full-traffic data packets to form a network traffic time-series data source; 2. use a fixed time window to compute behavioral feature statistics over the network traffic time-series data source, forming a network behavior time-series feature vector; 3. take each feature of the network behavior time-series feature vector as input, select historical data with the historical time point-taking method, and accumulate anomaly deviation values using the absolute change, relative change and trend change quantization methods respectively; 4. accumulate the anomaly deviation values with the evidence accumulation method, set a threshold according to the distribution trend of the anomaly deviation, and make an anomaly decision on the state of the network behavior in the current time window. The invention reduces computational cost while continuously monitoring network threat events and trends, and improves the accuracy of abnormal network behavior monitoring.
Description
Technical field
The present invention relates to a network traffic anomaly detection method, and specifically to a network traffic anomaly detection method based on a historical time point-taking method.
Background
With the development of the Internet, network environments have become increasingly diverse and complex. Besides normal network traffic, various kinds of abnormal traffic on the network threaten the security and use of user hosts. How to monitor and manage network traffic in real time and detect abnormal network behavior has become a problem to be solved in network security.
However, because the volume of network data is huge, real-time monitoring and analysis of traffic places high demands on a computer's analysis, storage and computing capacity, and network traffic anomaly detection methods are increasingly important. Most current network traffic anomaly detection techniques have shortcomings. Signature-based anomaly detection, for example, analyzes and identifies undesirable network behavior, but it can only discover abnormal network behavior by relying on a predefined signature rule base and cannot detect unknown abnormal network behavior. Machine learning algorithms, which are also widely used, classify network traffic as normal or abnormal, but this classification approach faces problems such as the difficulty of obtaining training samples, high computational cost and a high false positive rate, and cannot adapt to complex, dynamically changing network environments.
Summary of the invention
The purpose of the present invention is to provide a network traffic anomaly detection method based on a historical time point-taking method that monitors, analyzes and detects network traffic in real time and solves the detection of sudden changes and trend changes in the time-series profile of network behavior, while the algorithm used reduces computational cost and improves the accuracy of abnormal network behavior monitoring.
To achieve the above object, the technical solution adopted by the invention is as follows:
A network traffic anomaly detection method based on a historical time point-taking method, comprising the following steps:
(1) deploy port mirroring routing at the network traffic collection point and capture full-traffic data packets to form a network traffic time-series data source;
(2) use a fixed time window to compute behavioral feature statistics over the network traffic time-series data source, forming a network behavior time-series feature vector that depicts the network behavior profile of the current time window; the network behavior time-series feature vectors of multiple time windows construct the time-series profile of the network behavior;
(3) take each behavioral feature of the current time window's network behavior time-series feature vector in turn as input, select historical data with the historical time point-taking method, and use the absolute change quantization method, the relative change quantization method and the trend change quantization method to accumulate, respectively, the anomaly deviation values between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the corresponding historical data, obtaining the change in the current time window's network behavior profile;
(4) use the evidence accumulation method to accumulate the anomaly deviation values calculated in step (3), obtaining the behavior time-series profile deviation; set a threshold according to the data distribution trend of the behavior time-series profile deviation, make an anomaly decision on the state of the network behavior in the current time window, and raise an alarm for abnormal traffic.
The multidimensional behavioral features of the network traffic include direct features, obtained by directly observing and counting network traffic, and indirect features, obtained by secondary calculation on the direct features.
The historical time point-taking method divides historical data into workday data and weekend data and takes points on a vertical time axis and a horizontal time axis respectively. The horizontal time axis is the data within a fixed day, with the time unit being hours or minutes; the vertical time axis is in units of days. The specific point-taking modes are as follows. The current time of the fixed time window is denoted time t. On the horizontal time axis, the λ consecutive points adjacent to time t are taken, and the sampled data are denoted by a symbol with subscript 1×λ. The vertical time axis includes two point-taking modes: in the first, the λ consecutive points adjacent to time t in the previous k weeks are taken, and the sampled data are denoted by the symbol ¢ with subscript k×λ; in the second, the λ points adjacent to time t on the previous day and the λ points adjacent to time t on the same day of the previous week are taken, forming two subsequences, denoted by the symbol ¤ with subscript 2×λ. Here λ is a natural number greater than 1 and k is a natural number greater than 2; λ and k are configured according to the actual environment.
The absolute change quantization method takes each behavioral feature of the current time window's network behavior time-series feature vector in turn as input and accumulates the anomaly deviation value between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the points taken on the horizontal time axis in the historical data. The anomaly deviation value is calculated as follows:
where $|f_i(t) - f_i(x)|$ denotes the absolute value of the difference between the value of the i-th feature at the current time and the feature value at an adjacent time, $w_i$ denotes the weight of feature i, and m denotes the number of behavioral features.
The relative change quantization method takes each behavioral feature of the current time window's network behavior time-series feature vector in turn as input and accumulates the anomaly deviation value between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the points taken in the first mode on the vertical time axis in the historical data. The anomaly deviation value is calculated as follows:
where λ=5, k=3, $f_i(t)/\max(f_i(t), f_i(t-1), \ldots, f_i(t-\lambda))$ denotes the ratio to the maximum value of the λ data points adjacent to time t in the previous k weeks, $w_i$ denotes the weight of feature i, and m denotes the number of behavioral features.
The trend change quantization method takes each behavioral feature of the current time window's network behavior time-series feature vector in turn as input and accumulates the anomaly deviation value between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the points taken in the second mode on the vertical time axis in the historical data. The anomaly deviation value of the trend change is calculated as follows:
where one symbol denotes the feature-value subsequence established at the current time t, another denotes the feature-value subsequence at the same historical time point, and a third denotes the similarity between the two; w is the feature weight, and α is the weight for how distant in time a subsequence is from the current subsequence.
In step (4), the formula for accumulating the anomaly deviation values using the evidence accumulation method is: $EA = \theta_1 EA(1) + \theta_2 EA(2) + \theta_3 EA(3)$.
Compared with the prior art, the invention has the following beneficial effects:
(1) By taking points from historical data with the historical time point-taking method, the invention addresses the huge computation and high storage requirements of real-time traffic monitoring, reducing the computational and storage cost of detecting time-series anomalies against historical data.
(2) Using the absolute change, relative change and trend change quantization methods, the invention calculates the evidence accumulation values of the real-time data against the corresponding historical data. Absolute change accumulation focuses on changes in adjacent data and aims to discover sudden increases or decreases in multidimensional features, addressing abrupt changes in the network behavior profile. Relative change accumulation focuses on periodically correlated data and aims to reduce false positives and discover situations such as service interruption, addressing false positives caused by timed, periodic and concentrated user access behavior. Trend change accumulation focuses on changes in trending, periodic data and aims to discover cases that do not conform to the temporal evolution trend, addressing attacks that use low-frequency, low-intensity, slow means.
Brief description of the drawings
Fig. 1 is a flow diagram of the invention.
Fig. 2 is a schematic diagram of the historical time point-taking method of the invention (workday).
Fig. 3 is a schematic diagram of the historical time point-taking method of the invention (weekend).
Specific embodiment
The invention is further described below with reference to the drawings and embodiments; the modes of the invention include, but are not limited to, the following embodiments.
As shown in Fig. 1, the network traffic anomaly detection method based on a historical time point-taking method disclosed by the invention comprises the following steps:
(1) deploy port mirroring routing at the network traffic collection point and capture full-traffic data packets to form a network traffic time-series data source;
(2) use a fixed time window to compute behavioral feature statistics over the network traffic time-series data source, forming a network behavior time-series feature vector that depicts the network behavior profile of the current time window; the network behavior time-series feature vectors of multiple time windows construct the time-series profile of the network behavior;
Here traffic is counted mainly per time window. The statistical features include port number, packet count, protocol (TCP, UDP, ICMP, etc.), packet length, TTL value, number of SYN packets and so on, and are broadly divided into direct features, obtained by directly observing and counting network traffic, and indirect features, obtained by secondary calculation on the direct features. At the end of each time window, the feature values of the behavior profile are calculated together.
(3) take each behavioral feature of the current time window's network behavior time-series feature vector in turn as input, select historical data with the historical time point-taking method, and use the absolute change quantization method, the relative change quantization method and the trend change quantization method to accumulate, respectively, the anomaly deviation values between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the corresponding historical data, obtaining the change in the current time window's network behavior profile.
As shown in Fig. 2 and Fig. 3, the historical time point-taking method divides time-series data into workday data and weekend data and takes points on the vertical time axis and the horizontal time axis respectively. The vertical time axis is in units of days, and days of the same type (all workdays or all weekends) make up the vertical range; the horizontal time axis is the data within a fixed day, and the time unit can be customized as needed to hours, minutes, etc.
The method attends to the correlation of adjacent data as well as the correlation of periodic data. The detection time is t; the symbols of the time reference frame and the definitions of their values are shown in Table 1:
Table 1. Time-correlated data and symbols
The three kinds of historical point-taking above yield data sets, which serve as the historical data for the evidence accumulation method proposed herein, used to detect whether the time is abnormal.
(4) use the evidence accumulation method to accumulate the anomaly deviation values calculated in step (3), obtaining the behavior time-series profile deviation; set a threshold according to the data distribution trend of the behavior time-series profile deviation, make an anomaly decision on the state of the network behavior in the current time window, and raise an alarm for abnormal traffic.
The absolute change quantization method takes each behavioral feature of the current time window's network behavior time-series feature vector in turn as input and accumulates the anomaly deviation value between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the points taken on the horizontal time axis in the historical data. The anomaly deviation value is calculated as follows:
where $|f_i(t) - f_i(x)|$ denotes the absolute value of the difference between the value of the i-th feature at the current time and the feature value at an adjacent time, $w_i$ denotes the weight of the feature value, and m denotes the number of behavioral features.
The relative change quantization method takes each behavioral feature of the current time window's network behavior time-series feature vector in turn as input and accumulates the anomaly deviation value between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the points taken in the first mode on the vertical time axis in the historical data. The anomaly deviation value is calculated as follows:
where λ=5, k=3, $f_i(t)/\max(f_i(t), f_i(t-1), \ldots, f_i(t-\lambda))$ denotes the ratio to the maximum value of the λ data points adjacent to time t in the previous k weeks, and m denotes the number of behavioral features.
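The point-taking scheme and the absolute and relative quantization described above, as an added Python example (not code from the patent). The patent's formulas are not reproduced in this text, so the scoring forms are assumptions built from the terms it names: a weighted mean of $|f_i(t) - f_i(x)|$ and a weighted $1 - f_i(t)/\max(\cdot)$. The function names, the hourly window, the rule that a history run ends at t's clock time, and the traffic values are likewise constructed for illustration.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

def is_weekend(d):
    return d.weekday() >= 5                      # Saturday=5, Sunday=6

def previous_same_type_day(t):
    """Same clock time on the most recent earlier day of t's type (workday or weekend)."""
    d = t - timedelta(days=1)
    while is_weekend(d) != is_weekend(t):
        d -= timedelta(days=1)
    return d

def take_points(t, lam=5, k=3, window=HOUR):
    """Return the three history selections for detection time t.

    horizontal: up to lam windows just before t, same day only      (1 x lam)
    weekly:     lam windows ending at t's clock time, k prior weeks (k x lam)
    trend:      the same run on the previous same-type day and on
                the same day last week                              (2 x lam)
    Assumption: a history run ends at t's clock time and walks backwards.
    """
    def run(anchor):
        return [anchor - j * window for j in range(lam)]
    horizontal = [p for p in (t - j * window for j in range(1, lam + 1))
                  if p.date() == t.date()]       # never reach into yesterday
    weekly = [run(t - timedelta(weeks=w)) for w in range(1, k + 1)]
    trend = [run(previous_same_type_day(t)), run(t - timedelta(weeks=1))]
    return horizontal, weekly, trend

def absolute_deviation(series, t, horizontal, weights):
    """Assumed form: sum_i w_i * mean_x |f_i(t) - f_i(x)| over the horizontal points."""
    score = 0.0
    for i, w in enumerate(weights):
        diffs = [abs(series[t][i] - series[x][i]) for x in horizontal if x in series]
        if diffs:
            score += w * sum(diffs) / len(diffs)
    return score

def relative_deviation(series, t, weekly, weights):
    """Assumed form: sum_i w_i * (1 - mean over weeks of f_i(t) / max(f_i(t), history))."""
    score = 0.0
    for i, w in enumerate(weights):
        ratios = []
        for week in weekly:
            hist = [series[x][i] for x in week if x in series]
            peak = max([series[t][i]] + hist)
            if hist and peak > 0:                # skip weeks with no data or all zeros
                ratios.append(series[t][i] / peak)
        if ratios:
            score += w * (1 - sum(ratios) / len(ratios))
    return score

def build_series(start=datetime(2018, 6, 18), end=datetime(2018, 7, 16, 10)):
    """Constructed hourly features (packets, SYN packets): flat workday/weekend levels."""
    series, cur = {}, start
    while cur <= end:
        series[cur] = (200, 10) if is_weekend(cur) else (1000, 50)
        cur += HOUR
    return series

if __name__ == "__main__":
    t = datetime(2018, 7, 16, 10)                # a Monday
    series = build_series()
    horizontal, weekly, trend = take_points(t)
    print("previous same-type day:", trend[0][0])    # the Friday, not the Sunday
    for label, current in (("SYN spike", (1000, 500)), ("outage", (100, 5))):
        series[t] = current
        print(label,
              absolute_deviation(series, t, horizontal, (0.5, 0.5)),
              round(relative_deviation(series, t, weekly, (0.5, 0.5)), 3))
```

On the constructed data the SYN spike registers only on the absolute measure, while the outage also registers on the relative one, which matches the division of labour the text gives the two methods. Features on different scales would normally be scaled before weighting.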
In the network traffic anomaly detection method based on a historical time point-taking method, the trend change quantization method calculates changes in trending, periodic data. For approximate representation of time series, the Symbolic Aggregate Approximation (SAX) representation of time series is introduced. First, the proposed historical time point-taking method is used to take the historical time series and the time series of the N data points adjacent to the current time that is to be compared; then each time series is normalized, reduced in dimension by PAA and symbolized, so as to calculate the similarity of the two resulting character-string sequences. SAX is used to compare subsequences, giving the accumulated value of the similarity of the SAX sequences of each feature value at the current time. The shape change value mainly concerns the periodicity of server access, where user access activity is work activity. The focus is on the shape trend of the features over this period rather than on the specific magnitude of the feature values, and SAX is used to calculate the accumulated value over the feature set. One string is the character-string form of Q; the other is constructed from the ¤ time-series data. Here w is the feature weight and α is the weight for how distant in time a subsequence is from the current subsequence. The anomaly deviation value of the trend change is calculated as follows:
In step (4), the formula for accumulating the anomaly deviation values using the evidence accumulation method is: $EA = \theta_1 EA(1) + \theta_2 EA(2) + \theta_3 EA(3)$.
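The SAX comparison and the accumulation formula above, as an added Python example (not code from the patent). It uses the standard SAX MINDIST as the string similarity measure, a four-letter alphabet and a mean-plus-3σ threshold; these choices, the weighted-sum form of the trend score, the mapping of EA(1), EA(2), EA(3) to the absolute, relative and trend scores, and all names and traffic values are assumptions.

```python
import math
from bisect import bisect_right
from statistics import mean, pstdev

ALPHABET = "abcd"
BREAKPOINTS = (-0.6745, 0.0, 0.6745)     # equiprobable N(0,1) cut points for 4 symbols

def sax_word(values, segments=4):
    """Z-normalize, reduce with PAA to `segments` means, then map each mean to a letter."""
    if len(values) % segments:
        raise ValueError("series length must be a multiple of the segment count")
    mu, sigma = mean(values), pstdev(values)
    z = [(v - mu) / sigma if sigma > 0 else 0.0 for v in values]   # flat series -> zeros
    size = len(z) // segments
    paa = [sum(z[s * size:(s + 1) * size]) / size for s in range(segments)]
    return "".join(ALPHABET[bisect_right(BREAKPOINTS, p)] for p in paa)

def mindist(word_a, word_b, n):
    """SAX MINDIST between two equal-length words built from series of length n."""
    def cell(x, y):
        i, j = sorted((ALPHABET.index(x), ALPHABET.index(y)))
        # identical or neighbouring letters count as distance 0
        return 0.0 if j - i <= 1 else BREAKPOINTS[j - 1] - BREAKPOINTS[i]
    total = sum(cell(x, y) ** 2 for x, y in zip(word_a, word_b))
    return math.sqrt(n / len(word_a)) * math.sqrt(total)

def trend_deviation(current, history, feature_weights, alphas, segments=4):
    """Assumed form: sum over features and history subsequences of w * alpha * MINDIST.

    current: {feature: [N values]}; history: list of such dicts, nearest in time
    first (previous day, same day last week); alphas weight them by that distance.
    """
    score = 0.0
    for name, w in feature_weights.items():
        cur_word = sax_word(current[name], segments)
        for alpha, past in zip(alphas, history):
            past_word = sax_word(past[name], segments)
            score += w * alpha * mindist(cur_word, past_word, len(current[name]))
    return score

def accumulate(ea_abs, ea_rel, ea_trend, thetas):
    """EA = theta1*EA(1) + theta2*EA(2) + theta3*EA(3); the 1/2/3 mapping is assumed."""
    return thetas[0] * ea_abs + thetas[1] * ea_rel + thetas[2] * ea_trend

def is_anomalous(ea, past_ea, n_sigma=3.0):
    """Assumed threshold rule: mean + n_sigma * std of previously observed EA values."""
    return ea > mean(past_ea) + n_sigma * pstdev(past_ea)

# Constructed data: packets per window for the 8 windows leading up to time t.
RAMP = [100, 200, 300, 400, 500, 600, 700, 800]
HISTORY = [{"packets": [v * 1.1 for v in RAMP]},     # previous day, busier
           {"packets": [v * 0.9 for v in RAMP]}]     # same day last week, quieter

if __name__ == "__main__":
    weights, alphas = {"packets": 1.0}, (0.6, 0.4)
    past_ea = [0.2, 0.3, 0.25, 0.4, 0.35]            # constructed earlier EA values
    for label, cur in (("same shape", RAMP), ("reversed shape", RAMP[::-1])):
        trend = trend_deviation({"packets": cur}, HISTORY, weights, alphas)
        ea = accumulate(0.0, 0.0, trend, (0.01, 1.0, 1.0))
        print(label, sax_word(cur), round(trend, 3), is_anomalous(ea, past_ea))
```

Because the series are z-normalized first, the busier and quieter history days produce the same SAX word as the current ramp, so only the change of shape contributes to the score. MINDIST treats neighbouring letters as distance zero, so shifts of one symbol are not counted.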
With the above design, the invention monitors, analyzes and detects network traffic in real time, can detect abnormal network behavior and issue alerts for abnormal traffic, protects the security and use of user hosts, and solves the detection of sudden changes and trend changes in the time-series profile; at the same time, the algorithm used reduces computational cost and improves the accuracy of network behavior monitoring.
The above embodiment is only one of the preferred embodiments of the invention and should not be used to limit its scope of protection. Any change or refinement without substantive significance made within the main design idea and spirit of the invention, where the technical problem solved remains consistent with the invention, shall fall within the scope of protection of the invention.
Claims (8)
1. A network traffic anomaly detection method based on a historical time point-taking method, characterized by comprising the following steps:
(1) deploy port mirroring routing at the network traffic collection point and capture full-traffic data packets to form a network traffic time-series data source;
(2) use a fixed time window to compute behavioral feature statistics over the network traffic time-series data source; the multidimensional behavioral features form a network behavior time-series feature vector that depicts the network behavior profile of the current time window, and the network behavior time-series feature vectors of multiple time windows construct the time-series profile of the network behavior;
(3) take each behavioral feature of the current time window's network behavior time-series feature vector in turn as input, select historical data with the historical time point-taking method, and use the absolute change quantization method, the relative change quantization method and the trend change quantization method to accumulate, respectively, the anomaly deviation values between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the corresponding historical data, obtaining the change in the current time window's network behavior profile;
(4) use the evidence accumulation method to accumulate the anomaly deviation values calculated in step (3), obtaining the behavior time-series profile deviation; set a threshold according to the data distribution trend of the behavior time-series profile deviation, make an anomaly decision on the state of the network behavior in the current time window, and raise an alarm for abnormal traffic.
2. The network traffic anomaly detection method based on a historical time point-taking method according to claim 1, characterized in that the multidimensional behavioral features of the network traffic include direct features, obtained by directly observing and counting network traffic, and indirect features, obtained by secondary calculation on the direct features.
3. The network traffic anomaly detection method based on a historical time point-taking method according to claim 2, characterized in that the historical time point-taking method divides historical data into workday data and weekend data and takes points on a vertical time axis and a horizontal time axis respectively.
4. The network traffic anomaly detection method based on a historical time point-taking method according to claim 3, characterized in that the horizontal time axis is the data within a fixed day, with the time unit being hours or minutes; the vertical time axis is in units of days; and the specific point-taking modes are: the current time of the fixed time window is denoted time t; on the horizontal time axis, the λ consecutive points adjacent to time t are taken, and the sampled data are denoted by a symbol with subscript 1×λ; the vertical time axis includes two point-taking modes: in the first, the λ consecutive points adjacent to time t in the previous k weeks are taken, and the sampled data are denoted by the symbol ¢ with subscript k×λ; in the second, the λ consecutive points adjacent to time t on the previous day and the λ consecutive points adjacent to time t on the same day of the previous week are taken, forming two subsequences, denoted by the symbol ¤ with subscript 2×λ; λ is a natural number greater than 1 and k is a natural number greater than 2.
5. The network traffic anomaly detection method based on a historical time point-taking method according to claim 4, characterized in that the absolute change quantization method takes each behavioral feature of the current time window's network behavior time-series feature vector in turn as input and accumulates the anomaly deviation value between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the points taken on the horizontal time axis in the historical data, the anomaly deviation value being calculated as follows:
where $|f_i(t) - f_i(x)|$ denotes the absolute value of the difference between the value of the i-th behavioral feature at the current time and the feature value at an adjacent time, $w_i$ denotes the weight of feature i, and m denotes the number of behavioral features.
6. The network traffic anomaly detection method based on a historical time point-taking method according to claim 5, characterized in that the relative change quantization method takes each behavioral feature of the current time window's network behavior time-series feature vector in turn as input and accumulates the anomaly deviation value between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the points taken in the first mode on the vertical time axis in the historical data, the anomaly deviation value being calculated as follows:
where λ=5, k=3, $f_i(t)/\max(f_i(t), f_i(t-1), \ldots, f_i(t-\lambda))$ denotes the ratio to the maximum value of the λ data points adjacent to time t in the previous k weeks, $w_i$ denotes the weight of feature i, and m denotes the number of behavioral features.
7. The network traffic anomaly detection method based on a historical time point-taking method according to claim 6, characterized in that the trend change quantization method takes each behavioral feature of the current time window's network behavior time-series feature vector in turn as input and accumulates the anomaly deviation value between the current time window's network behavior time-series feature vector and the network behavior time-series feature vectors of the points taken in the second mode on the vertical time axis in the historical data, the anomaly deviation value of the trend change being calculated as follows:
where one symbol denotes the feature-value subsequence established at the current time t, another denotes the feature-value subsequence at the same historical time point, and a third denotes the similarity between the two; w is the feature weight, and α is the weight for how distant in time a subsequence is from the current subsequence.
8. The network traffic anomaly detection method based on a historical time point-taking method according to claim 7, characterized in that, in step (4), the formula for accumulating the anomaly deviation values using the evidence accumulation method is: $EA = \theta_1 EA(1) + \theta_2 EA(2) + \theta_3 EA(3)$.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810782516.4A CN108965055B (en) | 2018-07-17 | 2018-07-17 | Network flow abnormity detection method based on historical time point taking method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810782516.4A CN108965055B (en) | 2018-07-17 | 2018-07-17 | Network flow abnormity detection method based on historical time point taking method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108965055A true CN108965055A (en) | 2018-12-07 |
CN108965055B CN108965055B (en) | 2021-07-13 |
Family
ID=64481530
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810782516.4A Active CN108965055B (en) | 2018-07-17 | 2018-07-17 | Network flow abnormity detection method based on historical time point taking method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108965055B (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109936578A (en) * | 2019-03-21 | 2019-06-25 | 西安电子科技大学 | The detection method of HTTPS tunnel traffic in a kind of network-oriented |
CN110855663A (en) * | 2019-11-12 | 2020-02-28 | 北京中安智达科技有限公司 | Identification method and system based on time-space correlation analysis |
CN111092891A (en) * | 2019-12-20 | 2020-05-01 | 杭州安恒信息技术股份有限公司 | Method, system and related device for detecting abnormal point in network |
CN111131314A (en) * | 2019-12-31 | 2020-05-08 | 奇安信科技集团股份有限公司 | Network behavior detection method and device, computer equipment and storage medium |
CN111556345A (en) * | 2020-03-19 | 2020-08-18 | 视联动力信息技术股份有限公司 | Network quality detection method and device, electronic equipment and storage medium |
WO2021017284A1 (en) * | 2019-07-30 | 2021-02-04 | 平安科技(深圳)有限公司 | Cortex-learning-based anomaly detection method and apparatus, terminal device, and storage medium |
CN112751869A (en) * | 2020-12-31 | 2021-05-04 | 中国人民解放军战略支援部队航天工程大学 | Network abnormal flow detection method and device based on sliding window group |
CN113722383A (en) * | 2021-09-13 | 2021-11-30 | 福韵数据服务有限公司 | Investigation device and method based on time sequence information |
CN114547145A (en) * | 2022-02-21 | 2022-05-27 | 苏州浪潮智能科技有限公司 | Method, system, storage medium and equipment for detecting time sequence data abnormity |
WO2022142494A1 (en) * | 2020-12-30 | 2022-07-07 | 京东城市(北京)数字科技有限公司 | Anomaly monitoring method and apparatus for timing data, electronic device, and storage medium |
TWI789219B (en) * | 2022-01-21 | 2023-01-01 | 友訊科技股份有限公司 | Monitoring control assisting and leading method for network devices, its terminal equipment and readable storage medium |
CN116155426A (en) * | 2023-04-19 | 2023-05-23 | 恩平市奥新电子科技有限公司 | Sound console operation abnormity monitoring method based on historical data |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103200039A (en) * | 2012-01-09 | 2013-07-10 | 阿里巴巴集团控股有限公司 | Data monitoring method and device |
CN105071985A (en) * | 2015-07-24 | 2015-11-18 | 四川大学 | Server network behavior description method |
CN105208040A (en) * | 2015-10-12 | 2015-12-30 | 北京神州绿盟信息安全科技股份有限公司 | Network attack detection method and device |
CN105406991A (en) * | 2015-10-26 | 2016-03-16 | 上海华讯网络系统有限公司 | Method and system for generating service threshold by historical data based on network monitoring indexes |
CN105610647A (en) * | 2015-12-30 | 2016-05-25 | 华为技术有限公司 | Service abnormity detection method and server |
CN105681063A (en) * | 2014-11-18 | 2016-06-15 | 中国移动通信集团北京有限公司 | Method and apparatus for monitoring network index |
US20170063911A1 (en) * | 2015-08-31 | 2017-03-02 | Splunk Inc. | Lateral Movement Detection for Network Security Analysis |
CN107086944A (en) * | 2017-06-22 | 2017-08-22 | 北京奇艺世纪科技有限公司 | A kind of method for detecting abnormality and device |
EP3259881A1 (en) * | 2015-03-24 | 2017-12-27 | Huawei Technologies Co. Ltd. | Adaptive, anomaly detection based predictor for network time series data |
CN108234524A (en) * | 2018-04-02 | 2018-06-29 | 广州广电研究院有限公司 | Method, apparatus, equipment and the storage medium of network data abnormality detection |
CN108270620A (en) * | 2018-01-15 | 2018-07-10 | 深圳市联软科技股份有限公司 | Network anomaly detection method, device, equipment and medium based on Portrait brand technology |
Non-Patent Citations (2)
Title |
---|
KONSTANTINOS G: "Using Wavelets for Compression and Detecting Events in Anomalous Network Traffic", 《2009 FOURTH INTERNATIONAL CONFERENCE ON SYSTEMS AND NETWORKS COMMUNICATIONS》 * |
HU Yangrui et al.: "Abnormal traffic detection based on traffic behavior characteristics", 《Netinfo Security》 * |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109936578A (en) * | 2019-03-21 | 2019-06-25 | 西安电子科技大学 | The detection method of HTTPS tunnel traffic in a kind of network-oriented |
WO2021017284A1 (en) * | 2019-07-30 | 2021-02-04 | 平安科技(深圳)有限公司 | Cortex-learning-based anomaly detection method and apparatus, terminal device, and storage medium |
CN110855663B (en) * | 2019-11-12 | 2021-12-14 | 北京中安智达科技有限公司 | Identification method and system based on time-space correlation analysis |
CN110855663A (en) * | 2019-11-12 | 2020-02-28 | 北京中安智达科技有限公司 | Identification method and system based on time-space correlation analysis |
CN111092891A (en) * | 2019-12-20 | 2020-05-01 | 杭州安恒信息技术股份有限公司 | Method, system and related device for detecting abnormal point in network |
CN111131314A (en) * | 2019-12-31 | 2020-05-08 | 奇安信科技集团股份有限公司 | Network behavior detection method and device, computer equipment and storage medium |
CN111131314B (en) * | 2019-12-31 | 2022-04-12 | 奇安信科技集团股份有限公司 | Network behavior detection method and device, computer equipment and storage medium |
CN111556345A (en) * | 2020-03-19 | 2020-08-18 | 视联动力信息技术股份有限公司 | Network quality detection method and device, electronic equipment and storage medium |
CN111556345B (en) * | 2020-03-19 | 2023-08-29 | 视联动力信息技术股份有限公司 | Network quality detection method and device, electronic equipment and storage medium |
WO2022142494A1 (en) * | 2020-12-30 | 2022-07-07 | 京东城市(北京)数字科技有限公司 | Anomaly monitoring method and apparatus for timing data, electronic device, and storage medium |
CN112751869A (en) * | 2020-12-31 | 2021-05-04 | 中国人民解放军战略支援部队航天工程大学 | Network abnormal flow detection method and device based on sliding window group |
CN112751869B (en) * | 2020-12-31 | 2023-07-14 | 中国人民解放军战略支援部队航天工程大学 | Method and device for detecting abnormal network traffic based on sliding window group |
CN113722383A (en) * | 2021-09-13 | 2021-11-30 | 福韵数据服务有限公司 | Investigation device and method based on time sequence information |
TWI789219B (en) * | 2022-01-21 | 2023-01-01 | 友訊科技股份有限公司 | Monitoring control assisting and leading method for network devices, its terminal equipment and readable storage medium |
US11784896B2 (en) | 2022-01-21 | 2023-10-10 | D-Link Corporation | Network equipment for monitoring user's network activity behavior and quantative analysis aid and guidance method, and terminal device and readable storage medium thereof |
CN114547145A (en) * | 2022-02-21 | 2022-05-27 | 苏州浪潮智能科技有限公司 | Method, system, storage medium and equipment for detecting time sequence data abnormity |
CN114547145B (en) * | 2022-02-21 | 2024-01-26 | 苏州浪潮智能科技有限公司 | Time sequence data anomaly detection method, system, storage medium and equipment |
CN116155426A (en) * | 2023-04-19 | 2023-05-23 | 恩平市奥新电子科技有限公司 | Sound console operation abnormity monitoring method based on historical data |
Also Published As
Publication number | Publication date |
---|---|
CN108965055B (en) | 2021-07-13 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN108965055A (en) | A kind of network flow abnormal detecting method taking a method based on historical time | |
JP6184270B2 (en) | System and method for creating index profiles related to attacks by correlating various indices with past attack cases in order to detect and predict future network attacks | |
Erez et al. | Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems | |
Carter et al. | Probabilistic reasoning for streaming anomaly detection | |
CN105376260B (en) | A kind of exception flow of network monitoring system based on density peaks cluster | |
US10498585B2 (en) | Sensor data analytics and alarm management | |
CN113518011B (en) | Abnormality detection method and apparatus, electronic device, and computer-readable storage medium | |
CN107493277B (en) | Large data platform online anomaly detection method based on maximum information coefficient | |
CN105071985B (en) | A kind of server network behavior description method | |
CN104639388B (en) | A kind of dns server method for detecting availability perceived based on user | |
CN105208040A (en) | Network attack detection method and device | |
CN110895526A (en) | Method for correcting data abnormity in atmosphere monitoring system | |
Ye et al. | EWMA forecast of normal system activity for computer intrusion detection | |
CN109981328A (en) | A kind of fault early warning method and device | |
CN108667856A (en) | A kind of network anomaly detection method, device, equipment and storage medium | |
Coluccia et al. | Distribution-based anomaly detection via generalized likelihood ratio test: A general maximum entropy approach | |
CN111092862A (en) | Method and system for detecting abnormal communication flow of power grid terminal | |
CN104660464A (en) | Network anomaly detection method based on non-extensive entropy | |
Tehrani et al. | Online electricity theft detection framework for large-scale smart grid data | |
US10681059B2 (en) | Relating to the monitoring of network security | |
CN109951420A (en) | A kind of multistage flow method for detecting abnormality based on entropy and dynamic linear relationship | |
US11657148B2 (en) | Event analysis in an electric power system | |
EP2882139B1 (en) | System and method for IT servers anomaly detection using incident consolidation | |
Banik et al. | Anomaly detection techniques in smart grid systems: A review | |
CN109768995B (en) | Network flow abnormity detection method based on cyclic prediction and learning | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20210618; Address after: No.24, Xuefu Road Section 1, Southwest Airport Economic Development Zone, Shuangliu District, Chengdu, Sichuan 610200; Applicant after: Chengdu University of Information Technology; Applicant after: CHENGDU LIMING INFORMATION TECHNOLOGY Co.,Ltd.; Address before: No.69, Tianfu Third Street, Tianfu New District, Chengdu, Sichuan 610000; Applicant before: CHENGDU LIMING INFORMATION TECHNOLOGY Co.,Ltd. |
| | GR01 | Patent grant | |