CN108965055B - Network flow abnormity detection method based on historical time point taking method - Google Patents

Info

Publication number: CN108965055B
Authority: CN (China)
Legal status: Active
Application number: CN201810782516.4A
Other languages: Chinese (zh)
Other versions: CN108965055A (en)
Inventors: 叶晓鸣, 杨力
Current Assignee: CHENGDU LIMING INFORMATION TECHNOLOGY Co.,Ltd.; Chengdu University of Information Technology
Original Assignee: Chengdu Liming Information Technology Co ltd; Chengdu University of Information Technology

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level

Abstract

The invention discloses a network flow abnormity detection method based on a historical time point-taking method, which comprises the following steps: 1. deploying a port-mirroring route at a network flow acquisition point, capturing full-flow data packets, and forming a network flow time sequence data source; 2. performing behavior feature statistics of the network flow on the network flow time sequence data source using a fixed time window to form a network behavior time sequence feature vector; 3. taking each feature of the network behavior time sequence feature vector in turn as input, selecting historical data with the historical time point-taking method, and cumulatively calculating abnormal deviation values with the absolute change, relative change and trend change quantification methods; 4. accumulating the abnormal deviation values with an evidence accumulation method, setting a threshold according to the distribution trend of the abnormal deviation data, and making an anomaly decision on the state of the network behavior in the current time window. The invention continuously monitors network threat events and trends, reduces the calculation cost and improves the accuracy of monitoring abnormal network behavior.

Description

Network flow abnormity detection method based on historical time point taking method
Technical Field
The invention relates to a network flow abnormity detection method, in particular to a network flow abnormity detection method based on a historical time point taking method.
Background
With the development of the internet, the network environment is more and more diversified and complicated, and besides the normal traffic of the network, various abnormal traffic on the network threatens the security and the use of the user host. How to monitor and manage network flow in real time and detect abnormal network behavior becomes a problem to be solved in network security.
However, because the volume of network data is huge, monitoring and analyzing traffic in real time places extremely high demands on a computer's analysis, storage and calculation, and network traffic anomaly detection methods are increasingly important. Most existing network traffic anomaly detection technologies have defects. Signature-based anomaly detection, which analyzes and identifies unexpected network behavior, can only find abnormal network behavior by relying on a predefined signature rule base and cannot monitor unknown abnormal network behavior. Widely applied machine learning algorithms classify network traffic as normal or abnormal; however, this classification method suffers from training samples that are difficult to obtain, high calculation cost and a high false alarm rate, and cannot adapt to a dynamically changing, complex network environment.
Disclosure of Invention
The invention aims to provide a network flow abnormity detection method based on a historical time point-taking method, which is used for monitoring, analyzing and detecting network flow in real time, solving the detection problems of sudden change and trend change of a network behavior time sequence portrait, reducing the calculation cost and improving the accuracy of network abnormal behavior monitoring by adopting an algorithm.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
a network flow abnormity detection method based on a historical time point taking method comprises the following steps:
(1) deploying a port-mirroring route at a network flow acquisition point, capturing full-flow data packets, and forming a network flow time sequence data source;
(2) performing behavior feature statistics of network traffic on a network flow time sequence data source by using a fixed time window to form a network behavior time sequence feature vector, depicting a network behavior portrait of a current time window, and constructing a time sequence portrait of network behavior through the network behavior time sequence feature vectors of a plurality of time windows;
(3) sequentially inputting each behavior feature of the network behavior time sequence feature vector of the current time window, selecting historical data by using a historical time point taking method, and respectively calculating the abnormal deviation value of the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the corresponding historical data in an accumulated mode by using an absolute change quantization method, a relative change quantization method and a trend change quantization method to obtain the change condition of the network behavior portrait of the current time window;
(4) accumulating the abnormal deviation values calculated in step (3) by using an evidence accumulation method to obtain a behavior time sequence portrait deviation degree, setting a threshold according to the data distribution trend of the behavior time sequence portrait deviation degree, making an anomaly decision on the state of the network behavior in the current time window, and giving an alarm for abnormal flow.
The multidimensional behavior characteristics of the network flow comprise direct characteristics obtained through direct observation and statistics of the network flow and indirect characteristics obtained through secondary calculation of the direct characteristics.
The historical time point-taking method divides historical data into weekday data and weekend data, and takes points on a vertical time axis and a horizontal time axis respectively. The horizontal time axis is data within a fixed day, with a time unit of an hour or a minute; the vertical time axis takes days as its unit. The specific point-taking mode is as follows: denote the current time of the fixed time window as time t, and take the λ consecutive points adjacent to time t on the horizontal time axis; the data of these λ points is denoted by the symbol
Figure GDA0003002087830000021
The vertical time axis comprises two point-taking modes. First, take the λ consecutive points adjacent to time t of the k-th week; this point data is denoted by the symbol
Figure GDA0003002087830000023
Second, take the λ points adjacent to time t of the previous day and the λ points adjacent to time t of the same day in the previous week, forming two subsequences respectively; the subsequences are denoted by the symbol
Figure GDA0003002087830000022
Here λ is a natural number larger than 1, k is a natural number larger than 2, and λ and k are set according to the actual environment.
The absolute change quantification method takes each behavior feature of the network behavior time sequence feature vector of the current time window as input in sequence, and calculates the abnormal deviation value between the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the horizontal time axis point in the historical data in an accumulated mode, wherein the algorithm for calculating the abnormal deviation value is as follows:
Figure GDA0003002087830000031
where $|f_i(t)-f_i(x)|$ represents the absolute value of the difference between the value of the i-th feature at the current time and its value at the adjacent time, and $w_i$ represents the weight of feature value i,
Figure GDA0003002087830000032
m represents the number of behavior features.
The relative change quantification method takes each behavior feature of the network behavior time sequence feature vector of the current time window as input in sequence, and calculates the abnormal deviation value between the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the point fetched by the first mode of the vertical time axis in the historical data in an accumulated mode, wherein the algorithm for calculating the abnormal deviation value is as follows:
Figure GDA0003002087830000033
where λ = 5, k = 3; $f_i(t)/\max(f_i(t), f_i(t-1), \dots, f_i(t-\lambda))$ represents the ratio of $f_i(t)$ to the maximum of the first λ data points adjacent to time t of the k-th week, $w_i$ represents the weight of feature value i, and m represents the number of behavior features.
The trend change quantification method takes each behavior feature of the network behavior time sequence feature vector of the current time window as input in sequence, and calculates the abnormal deviation value between the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the point which is taken by the second mode of the vertical time axis in the historical data in an accumulated mode, wherein the algorithm for calculating the abnormal deviation value of the trend change comprises the following steps:
Figure GDA0003002087830000034
where
Figure GDA0003002087830000035
represents the sub-sequence of feature values established at the current time t,
Figure GDA0003002087830000036
represents the sub-sequence of feature values at the same historical points in time,
Figure GDA0003002087830000037
represents
Figure GDA0003002087830000038
and
Figure GDA0003002087830000039
w is the weight value of the feature, and α is the weight of the time distance of the subsequence from the current subsequence.
In step (4), the formula for accumulating the abnormal deviation values with the evidence accumulation method is: $EA = \theta_1 EA^{(1)} + \theta_2 EA^{(2)} + \theta_3 EA^{(3)}$
Compared with the prior art, the invention has the following beneficial effects:
(1) according to the invention, the historical data is subjected to point taking by a historical time point taking method, so that the problems of huge calculated amount and high storage requirement of real-time monitoring of flow are solved, and the calculation cost and the storage cost for detecting the time sequence data abnormity according to the historical data are reduced.
(2) The method calculates the evidence accumulation values of real-time data against the corresponding historical data with the absolute change, relative change and trend change quantification methods. Absolute change accumulation focuses on changes in adjacent data; it aims to find sudden increases or decreases in multi-dimensional features and solves the problem of abrupt changes in the network behavior portrait. Relative change accumulation focuses on changes in periodically related data; it aims to reduce false alarms and to discover situations such as service interruption, and solves the problem of false alarms caused by users' timed, periodic and concentrated access behavior. Trend change accumulation focuses on trend and periodic data changes; it aims to find behavior that does not conform to the trend of evolution over time, and addresses attack behavior that tends toward low-frequency, low-intensity and slow means.
Drawings
FIG. 1 is a block flow diagram of the present invention.
Fig. 2 is a schematic diagram of a historical time point-taking method (working day) according to the present invention.
FIG. 3 is a schematic diagram of the historical time point method of the present invention (weekend).
Detailed Description
The present invention will be further described with reference to the following description and examples, which include but are not limited to the following examples.
As shown in fig. 1, the method for detecting network traffic anomaly based on a historical time point-taking method disclosed by the invention comprises the following steps:
(1) deploying a port-mirroring route at a network flow acquisition point, capturing full-flow data packets, and forming a network flow time sequence data source;
(2) performing behavior feature statistics of network traffic on a network flow time sequence data source by using a fixed time window to form a network behavior time sequence feature vector, depicting a network behavior portrait of a current time window, and constructing a time sequence portrait of network behavior through the network behavior time sequence feature vectors of a plurality of time windows;
The flow is mainly counted according to a time window. The statistical features include port number, packet number, protocol (TCP, UDP, ICMP, etc.), packet length, TTL value, SYN packet number, etc., and are mainly divided into direct features obtained by direct observation and statistics of the network flow and indirect features obtained by secondary calculation from the direct features. At the end of each time window, the feature values of the behavior portrait are calculated together.
(3) Each behavior feature of the network behavior time sequence feature vector of the current time window is taken as input in turn, historical data is selected with the historical time point-taking method, and the abnormal deviation values between the network behavior time sequence feature vector of the current time window and that of the corresponding historical data are calculated cumulatively with the absolute change, relative change and trend change quantification methods, giving the change in the network behavior portrait of the current time window.
As shown in fig. 2 and 3, the historical time point-taking method divides time-series data into weekday data and weekend data, and performs point-taking on a vertical time axis and a horizontal time axis, respectively. The vertical time axis is in units of days, and the days are the same time type (the same is working day or weekend) to construct vertical distances; the horizontal time axis is data for a fixed day, and the time unit can be customized to an hour or a minute, etc., as needed.
Attention is paid not only to adjacent data dependencies but also to periodic data dependencies. With the detection time denoted t, the definition of each symbol and the corresponding value in the time baseline framework is shown in Table 1:
TABLE 1 time-related data and symbols
Figure GDA0003002087830000051
The values of the above 3 historical points are taken to obtain a data set, which serves as the historical data of the evidence accumulation method proposed here for detecting whether that time is abnormal.
(4) The abnormal deviation values calculated in step (3) are accumulated with an evidence accumulation method to obtain the behavior time sequence portrait deviation degree; a threshold is set according to the data distribution trend of that deviation degree, an anomaly decision is made on the state of the network behavior in the current time window, and an alarm is given for abnormal flow.
The absolute change quantification method takes each behavior feature of the network behavior time sequence feature vector of the current time window as input in sequence, and calculates the abnormal deviation value between the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the horizontal time axis point in the historical data in an accumulated mode, wherein the algorithm for calculating the abnormal deviation value is as follows:
Figure GDA0003002087830000061
where $|f_i(t)-f_i(x)|$ represents the absolute value of the difference between the value of the i-th feature at the current time and its value at the adjacent time, and $w_i$ represents the weight of the feature value,
Figure GDA0003002087830000062
m represents the number of behavior features.
The relative change quantification method takes each behavior feature of the network behavior time sequence feature vector of the current time window as input in sequence, and calculates the abnormal deviation value between the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the point fetched by the first mode of the vertical time axis in the historical data in an accumulated mode, wherein the algorithm for calculating the abnormal deviation value is as follows:
Figure GDA0003002087830000063
where λ = 5, k = 3; $f_i(t)/\max(f_i(t), f_i(t-1), \dots, f_i(t-\lambda))$ represents the ratio of $f_i(t)$ to the maximum value of the preceding λ data points adjacent to time t of the k-th week, and m represents the number of behavior features.
In the network flow abnormity detection method based on the historical time point-taking method, the trend change quantification method calculates trend and periodic data changes. For time series approximation, the Symbolic Aggregate Approximation (SAX) of time series is introduced. First, the time sequence to be compared and the time sequence of the N data points adjacent to the current time are obtained with the proposed historical time point-taking method; the time sequences are then each normalized, reduced in dimension with PAA, and symbolized, so as to calculate the similarity of the two character string sequences
Figure GDA0003002087830000064
and
Figure GDA0003002087830000065
which is denoted by
Figure GDA0003002087830000066
Subsequence comparison using SAX yields the cumulative value of the SAX sequence similarity of each feature value at the current time. The shape change value is mainly of concern when access to the server is periodic and the user access behavior is work-related. The focus is on the shape trend of the features over the time period rather than on the specific feature values, and SAX is used to calculate the accumulated value of the feature set.
Figure GDA0003002087830000071
is the string form of Q;
Figure GDA0003002087830000072
builds the time sequence data by means of
Figure GDA0003002087830000073
Here w is the weight value of the feature and α is the weight of the time distance of the subsequence from the current subsequence. The algorithm for calculating the abnormal deviation value of the trend change is as follows:
Figure GDA0003002087830000074
In step (4), the formula for accumulating the abnormal deviation values with the evidence accumulation method is: $EA = \theta_1 EA^{(1)} + \theta_2 EA^{(2)} + \theta_3 EA^{(3)}$
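The following sketch of steps (3) and (4) is an added example, not code from the patent. The formula images are missing from this page, so the exact shapes used here (scaling the absolute change by the window mean, scoring relative change as 1 minus the ratio, SAX MINDIST as the string similarity, the values of w, α and θ, a mean + 3σ threshold) are assumptions, and all function names are hypothetical. The caller passes days of one time type only, which stands in for the weekday/weekend split.

```python
from statistics import NormalDist, mean, pstdev

LAM, K = 5, 3             # λ and k, the values the description uses
WEEK, SLOTS = 5, 24       # assumed: 5 working days per week, hourly time windows
THETA = (0.4, 0.3, 0.3)   # θ1..θ3, assumed evidence weights
ALPHA = (0.6, 0.4)        # α, assumed weights: previous day, same day last week

def absolute_change(cur, pts, w):
    """EA(1): weighted mean |f_i(t) - f_i(x)| over adjacent points x, scaled by their mean (assumed)."""
    total = 0.0
    for i, wi in enumerate(w):
        vals = [p[i] for p in pts]
        total += wi * mean(abs(cur[i] - v) for v in vals) / (mean(vals) or 1.0)
    return total

def relative_change(cur, weekly, w):
    """EA(2): 1 - f_i(t)/max(f_i(t), points near t in each earlier week); '1 - ratio' is assumed."""
    total = 0.0
    for i, wi in enumerate(w):
        ratios = []
        for pts in weekly:
            peak = max([cur[i]] + [p[i] for p in pts])
            ratios.append(cur[i] / peak if peak else 1.0)
        total += wi * (1.0 - mean(ratios))
    return total

def sax(seq, segments=3, alphabet=4):
    """Normalize, reduce with PAA, symbolize. Returns (symbols, breakpoints)."""
    mu, sd = mean(seq), pstdev(seq)
    z = [(v - mu) / sd if sd else 0.0 for v in seq]   # a flat window maps to all zeros
    n = len(z)
    paa = [mean(z[j * n // segments:(j + 1) * n // segments]) for j in range(segments)]
    cuts = [NormalDist().inv_cdf(q / alphabet) for q in range(1, alphabet)]
    return [sum(v > c for c in cuts) for v in paa], cuts

def mindist(a, b, cuts, n):
    """SAX MINDIST between two words (assumed here as the similarity measure)."""
    def cell(r, c):
        return 0.0 if abs(r - c) <= 1 else cuts[max(r, c) - 1] - cuts[min(r, c)]
    return (n / len(a)) ** 0.5 * sum(cell(r, c) ** 2 for r, c in zip(a, b)) ** 0.5

def trend_change(cur_seq, hist_seqs, w, alpha=ALPHA):
    """EA(3): shape distance of the current subsequence to each historical subsequence."""
    total = 0.0
    for i, wi in enumerate(w):
        q, cuts = sax([p[i] for p in cur_seq])
        for a, seq in zip(alpha, hist_seqs):
            total += wi * a * mindist(q, sax([p[i] for p in seq])[0], cuts, len(cur_seq))
    return total

def evidence(days, t, w, theta=THETA):
    """EA for slot t of days[-1]; days holds same-type days only, oldest first."""
    if t < LAM or len(days) <= WEEK * K:
        raise ValueError("need λ earlier slots today and k weeks of history")
    today, lo = days[-1], t - LAM
    ea1 = absolute_change(today[t], today[lo:t], w)                  # horizontal axis
    ea2 = relative_change(today[t], [days[-1 - WEEK * j][lo:t + 1]   # vertical axis, mode 1
                                     for j in range(1, K + 1)], w)
    ea3 = trend_change(today[lo:t + 1],                              # vertical axis, mode 2
                       [days[-2][lo:t + 1], days[-1 - WEEK][lo:t + 1]], w)
    return theta[0] * ea1 + theta[1] * ea2 + theta[2] * ea3, (ea1, ea2, ea3)

def threshold(days, w, first_today):
    """Assumed rule: mean + 3σ of EA over earlier windows treated as normal."""
    scores = [evidence(days[:d + 1], t, w)[0]
              for d in range(first_today, len(days) - 1) for t in range(LAM, SLOTS)]
    return mean(scores) + 3 * pstdev(scores)

def sample_days(n_days=21):
    """Constructed working-day history: [packets, SYN packets] per hourly window."""
    days = []
    for d in range(n_days):
        day = []
        for s in range(SLOTS):
            pk = (1000 + 100 * (12 - abs(s - 12))) * (1 + 0.01 * ((d * 7 + s) % 3 - 1))
            day.append([pk, 0.05 * pk])
        days.append(day)
    return days

def demo():
    w = (0.5, 0.5)                      # assumed feature weights, summing to 1
    days = sample_days()
    limit = threshold(days, w, first_today=WEEK * K)
    normal, _ = evidence(days, 10, w)
    days[-1][14][1] *= 10               # constructed anomaly: SYN count x10 in window 14
    spike, parts = evidence(days, 14, w)
    return limit, normal, spike, parts

if __name__ == "__main__":
    print(demo())
```

In the constructed data the SYN burst is caught by EA(1) and EA(3), while EA(2) stays near zero for it because the ratio saturates at 1 when the current value is itself the maximum.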
By the design, the network traffic is monitored, analyzed and detected in real time, abnormal network behaviors can be detected, an alarm is given to the abnormal traffic, the safety and the use of a user host are protected, the detection problems of sudden change and trend change of a time sequence portrait are solved, meanwhile, the calculation cost is reduced by adopting an algorithm, and the accuracy of monitoring the network behaviors is improved.
The above-mentioned embodiment is only one of the preferred embodiments of the present invention, and should not be used to limit the scope of the present invention, but all the insubstantial modifications or changes made within the spirit and scope of the main design of the present invention, which still solve the technical problems consistent with the present invention, should be included in the scope of the present invention.

Claims (8)

1. A network flow abnormity detection method based on a historical time point taking method is characterized by comprising the following steps:
(1) deploying a port-mirroring route at a network flow acquisition point, capturing full-flow data packets, and forming a network flow time sequence data source;
(2) performing behavior feature statistics of network traffic on a network flow time sequence data source by using a fixed time window, forming a network behavior time sequence feature vector by using multi-dimensional behavior features, depicting a network behavior portrait of the current time window, and constructing a time sequence portrait of network behavior through the network behavior time sequence feature vectors of a plurality of time windows;
(3) sequentially inputting each behavior feature of the network behavior time sequence feature vector of the current time window, selecting historical data by using a historical time point taking method, and respectively calculating the abnormal deviation value of the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the corresponding historical data in an accumulated mode by using an absolute change quantization method, a relative change quantization method and a trend change quantization method to obtain the change condition of the network behavior portrait of the current time window;
(4) accumulating the three abnormal deviation values calculated in step (3) by using an evidence accumulation method to obtain a behavior time sequence portrait deviation degree, setting a threshold according to the data distribution trend of the behavior time sequence portrait deviation degree, making an anomaly decision on the state of the network behavior in the current time window, and giving an alarm for abnormal flow.
2. The method for detecting the network traffic anomaly based on the historical time point-taking method is characterized in that the multidimensional behavior characteristics of the network traffic comprise direct characteristics obtained through direct observation and statistics of network flow and indirect characteristics obtained through secondary calculation of the direct characteristics.
3. The method for detecting the network traffic abnormality based on the historical time point-taking method according to claim 2, wherein the historical time point-taking method divides the historical data into weekday data and weekend data, and performs point-taking on a vertical time axis and a horizontal time axis respectively.
4. The method for detecting the abnormal network traffic based on the historical time point-taking method according to claim 3, wherein the horizontal time axis is data in a fixed day, and the time unit is hour or minute; the vertical time axis takes days as a unit, and the specific point taking mode is as follows: recording the current time of a fixed time window as time t, taking continuous lambda points adjacent to the time t on a horizontal time axis, wherein the data of the lambda points is represented by symbols
Figure FDA0003017788150000024
Represents; the vertical time axis comprises two point taking modes: first, take consecutive lambda points adjacent to k week time t, and take point data from symbol
Figure FDA0003017788150000025
Represents; second, two sub-sequences are respectively formed by taking the consecutive lambda points adjacent to the time t of the previous day, the consecutive lambda points adjacent to the time t of the same day in the previous week and the consecutive lambda points adjacent to the time t of the same day, and the sub-sequences are formed by symbols
Figure FDA0003017788150000026
Represents; wherein λ is a natural number greater than 1, and k is a natural number greater than 2.
5. The method for detecting network traffic anomaly based on historical time point-taking method according to claim 4, wherein the absolute change quantization method takes each behavior feature of the network behavior time sequence feature vector of the current time window as input in turn, and cumulatively calculates the anomaly deviation value between the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the horizontal time axis point-taking in the historical data, and the algorithm for calculating the anomaly deviation value is as follows:
Figure FDA0003017788150000021
where $|f_i(t)-f_i(x)|$ represents the absolute value of the difference between the value of the i-th behavior feature at the current time and its value at the adjacent time, and $w_i$ represents the weight of feature value i,
Figure FDA0003017788150000022
m represents the number of behavior features.
6. The method for detecting network traffic anomaly based on historical time point-taking method according to claim 5, wherein the relative change quantification method takes each behavior feature of the network behavior time sequence feature vector of the current time window as input in turn, and cumulatively calculates the anomaly deviation value between the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the first mode point-taking of the vertical time axis in the historical data, and the algorithm for calculating the anomaly deviation value is as follows:
Figure FDA0003017788150000023
where λ = 5, k = 3; $f_i(t)/\max(f_i(t), f_i(t-1), \dots, f_i(t-\lambda))$ represents the ratio of $f_i(t)$ to the maximum of the first λ data points adjacent to time t of the k-th week, $w_i$ represents the weight of feature value i, and m represents the number of behavior features.
7. The method for detecting network traffic anomaly based on historical time point-taking method according to claim 6, wherein the trend change quantification method takes each behavior feature of the network behavior time sequence feature vector of the current time window as input in turn, and cumulatively calculates the anomaly deviation value between the network behavior time sequence feature vector of the current time window and the network behavior time sequence feature vector of the second mode point-taking of the vertical time axis in the historical data, and the algorithm for calculating the anomaly deviation value of the trend change is as follows:
Figure FDA0003017788150000031
wherein
Figure FDA0003017788150000032
Representing a sub-sequence of characteristic values established at the current time t,
Figure FDA0003017788150000033
a sub-sequence of feature values representing historical identical points in time,
Figure FDA0003017788150000034
to represent
Figure FDA0003017788150000035
And
Figure FDA0003017788150000036
w is the weight value of the feature, α is the weight of the subsequence in time proximity to the current subsequence, and ε represents the offset constant of the trend change.
8. The method for detecting network traffic anomaly based on historical time point taking method according to claim 7, wherein the formula for accumulating the anomaly deviation value in the step (4) by using the evidence accumulation method is as follows: $EA = \theta_1 EA^{(1)} + \theta_2 EA^{(2)} + \theta_3 EA^{(3)}$, wherein $\theta_1$, $\theta_2$, $\theta_3$ respectively represent the weight coefficients of the corresponding abnormal deviation values.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810782516.4A CN108965055B (en) 2018-07-17 2018-07-17 Network flow abnormity detection method based on historical time point taking method

Publications (2)

Publication Number Publication Date
CN108965055A CN108965055A (en) 2018-12-07
CN108965055B true CN108965055B (en) 2021-07-13

Family

ID=64481530

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810782516.4A Active CN108965055B (en) 2018-07-17 2018-07-17 Network flow abnormity detection method based on historical time point taking method

Country Status (1)

Country Link
CN (1) CN108965055B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109936578A (en) * 2019-03-21 2019-06-25 西安电子科技大学 The detection method of HTTPS tunnel traffic in a kind of network-oriented
CN110515796B (en) * 2019-07-30 2022-07-01 平安科技(深圳)有限公司 Cortex learning-based anomaly detection method and device and terminal equipment
CN110855663B (en) * 2019-11-12 2021-12-14 北京中安智达科技有限公司 Identification method and system based on time-space correlation analysis
CN111092891B (en) * 2019-12-20 2022-04-01 杭州安恒信息技术股份有限公司 Method, system and related device for detecting abnormal point in network
CN111131314B (en) * 2019-12-31 2022-04-12 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111556345B (en) * 2020-03-19 2023-08-29 视联动力信息技术股份有限公司 Network quality detection method and device, electronic equipment and storage medium
CN113723734A (en) * 2020-12-30 2021-11-30 京东城市(北京)数字科技有限公司 Method and device for monitoring abnormity of time series data, electronic equipment and storage medium
CN112751869B (en) * 2020-12-31 2023-07-14 中国人民解放军战略支援部队航天工程大学 Method and device for detecting abnormal network traffic based on sliding window group
CN113722383A (en) * 2021-09-13 2021-11-30 福韵数据服务有限公司 Investigation device and method based on time sequence information
TWI789219B (en) * 2022-01-21 2023-01-01 友訊科技股份有限公司 Monitoring control assisting and leading method for network devices, its terminal equipment and readable storage medium
CN114547145B (en) * 2022-02-21 2024-01-26 苏州浪潮智能科技有限公司 Time sequence data anomaly detection method, system, storage medium and equipment
CN116155426B (en) * 2023-04-19 2023-06-30 恩平市奥新电子科技有限公司 Sound console operation abnormity monitoring method based on historical data

Citations (2)

Publication number Priority date Publication date Assignee Title
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection
CN108270620A (en) * 2018-01-15 2018-07-10 深圳市联软科技股份有限公司 Network anomaly detection method, device, equipment and medium based on Portrait brand technology

Family Cites Families (9)

Publication number Priority date Publication date Assignee Title
CN103200039B (en) * 2012-01-09 2017-01-18 阿里巴巴集团控股有限公司 Data monitoring method and device
CN105681063A (en) * 2014-11-18 2016-06-15 中国移动通信集团北京有限公司 Method and apparatus for monitoring network index
US10911318B2 (en) * 2015-03-24 2021-02-02 Futurewei Technologies, Inc. Future network condition predictor for network time series data utilizing a hidden Markov model for non-anomalous data and a gaussian mixture model for anomalous data
CN105071985B (en) * 2015-07-24 2018-04-06 四川大学 A kind of server network behavior description method
US9699205B2 (en) * 2015-08-31 2017-07-04 Splunk Inc. Network security system
CN105208040B (en) * 2015-10-12 2019-03-26 北京神州绿盟信息安全科技股份有限公司 A kind of network attack detecting method and device
CN105406991A (en) * 2015-10-26 2016-03-16 上海华讯网络系统有限公司 Method and system for generating service threshold by historical data based on network monitoring indexes
CN105610647A (en) * 2015-12-30 2016-05-25 华为技术有限公司 Service abnormity detection method and server
CN107086944B (en) * 2017-06-22 2020-04-21 北京奇艺世纪科技有限公司 Anomaly detection method and device

Patent Citations (2)

Publication number Priority date Publication date Assignee Title
CN108270620A (en) * 2018-01-15 2018-07-10 深圳市联软科技股份有限公司 Network anomaly detection method, device, equipment and medium based on Portrait brand technology
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection

Also Published As

Publication number Publication date
CN108965055A (en) 2018-12-07

Similar Documents

Publication Publication Date Title
CN108965055B (en) Network flow abnormity detection method based on historical time point taking method
CN112257063B (en) Cooperative game theory-based detection method for backdoor attacks in federal learning
CN110895526A (en) Method for correcting data abnormity in atmosphere monitoring system
CN107493277B (en) Large data platform online anomaly detection method based on maximum information coefficient
CN113518011B (en) Abnormality detection method and apparatus, electronic device, and computer-readable storage medium
CN109729090B (en) Slow denial of service attack detection method based on WEDMS clustering
CN110460458B (en) Flow anomaly detection method based on multi-order Markov chain
CN109960631B (en) Real-time detection method for security event abnormity
WO2013105164A1 (en) Abnormal signal determining apparatus, abnormal signal determining method, and abnormal signal determining program
JP2014060722A (en) System and method for correlating historical attacks with diverse indicators to generate indicator profiles of attacks for detecting and predicting future network attacks
JP2015011027A (en) Method for detecting anomalies in time series data
CN116418120B (en) Intelligent early warning method applied to water-cooled power supply
CN112183868B (en) Traffic flow prediction model construction method and electronic equipment
Xu et al. A lof-based method for abnormal segment detection in machinery condition monitoring
CN111241208A (en) Method and device for monitoring abnormity of periodic time sequence data
CN114881167A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and medium
CN110839042A (en) Flow-based self-feedback malicious software monitoring system and method
CN109768995B (en) Network flow abnormity detection method based on cyclic prediction and learning
CN111258863B (en) Data anomaly detection method, device, server and computer readable storage medium
US11831527B2 (en) Method for detecting anomalies in time series data produced by devices of an infrastructure in a network
CN109831450A (en) A kind of adaptive network flow abnormal detecting method
CN115935285A (en) Multi-element time series anomaly detection method and system based on mask map neural network model
CN114692738A (en) Lightweight real-time series anomaly detection method
CN112862019A (en) Method for dynamically screening aperiodic anomaly
Ahmed et al. Scaling up for high dimensional and high speed data streams: HSDStream

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210618

Address after: No.24, Xuefu Road Section 1, Southwest Airport Economic Development Zone, Shuangliu District, Chengdu, Sichuan 610200

Applicant after: Chengdu University of Information Technology

Applicant after: CHENGDU LIMING INFORMATION TECHNOLOGY Co.,Ltd.

Address before: No.69, Tianfu Third Street, Tianfu New District, Chengdu, Sichuan 610000

Applicant before: CHENGDU LIMING INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant