CN109067725A - Network flow abnormal detecting method and device - Google Patents
Info
- Publication number: CN109067725A
- Application number: CN201810821544.2A
- Authority: CN (China)
- Prior art keywords: point, default, data, algorithm, data point
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a network traffic anomaly detection method and device, relating to the field of information security technology, for solving the problem that the accuracy and efficiency of network traffic anomaly detection are relatively low. The method comprises: performing cluster analysis on the data point distribution feature of a network traffic anomaly detection sample using a preset clustering algorithm, and removing the high-density data points from the cluster analysis result to obtain a preliminary anomaly detection data set, where the preset clustering algorithm adds a neighborhood pointer field to each data point that points from the data point to its nearest neighboring data point; obtaining a first outlier set and the number of outliers of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and adjusting a distance parameter value according to the preset outlier analysis algorithm, the number of outliers and the local outlier factor to obtain a second outlier set; and taking the intersection of the first outlier set and the second outlier set as the network traffic anomaly detection result. The present invention is used for network traffic anomaly detection.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a network traffic anomaly detection method and device.
Background technique
A network traffic anomaly is a situation in which the traffic behaviour of a network deviates from its normal behaviour, for example a sudden and abnormally large change in network service traffic. Network traffic anomalies have many causes, such as network equipment faults, abnormal network operation, flash crowds and attacks. A network traffic anomaly not only affects the normal use of the network and of business systems, it can also threaten the information security of network users and cause them considerable harm.
At present, network traffic anomaly detection methods based on unsupervised machine learning generally use a clustering algorithm together with an outlier analysis algorithm, and they have the following defects. The clustering algorithms used in the prior art are either overly sensitive to their input parameters, or have an implementation whose time complexity is too high while also occupying a large amount of storage space, so that the detection result for network traffic anomalies has relatively low accuracy and the detection efficiency is relatively low. The outlier analysis algorithms of the prior art achieve very high detection accuracy when the number of anomalous points is known, but when the number of anomalous traffic points cannot be known in advance they usually treat a large amount of normal data as anomalous data, and when a large network data set is processed the time complexity of their computation is too high, which likewise results in relatively low accuracy of the network traffic anomaly detection result and relatively low detection efficiency.
Summary of the invention
Embodiments of the present invention provide a network traffic anomaly detection method and device, for solving the problem in the prior art that the detection accuracy and detection efficiency of network traffic anomaly detection are relatively low.
In order to achieve the above object, the present invention adopts the following technical scheme:
In a first aspect, a network traffic anomaly detection method is provided, comprising:
obtaining a network traffic anomaly detection sample and the data point distribution feature of the sample, where the network traffic detection sample includes network traffic data and network behaviour features associated with the network traffic data;
performing cluster analysis on the data point distribution feature according to a preset clustering algorithm, and taking the data set that remains after the high-density data points are removed from the cluster analysis result as the preliminary anomaly detection data set, where the preset clustering algorithm adds a neighborhood pointer field to each data point, and the neighborhood pointer field stores pointing information that points from the data point to the neighboring data point nearest to it;
obtaining a first outlier set and the number of outliers of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and adjusting a distance parameter value according to the preset outlier analysis algorithm, the number of outliers and the local outlier factor of the preset outlier analysis algorithm to obtain a second outlier set of the preliminary anomaly detection data set; and
taking the intersection of the first outlier set and the second outlier set as the network traffic anomaly detection result.
In the network traffic anomaly detection method provided by the embodiments of the present invention, the preset clustering algorithm can perform cluster analysis on the acquired data point distribution feature, and the data set remaining after the high-density data points are removed from the cluster analysis result serves as the preliminary anomaly detection data set. The preset clustering algorithm adds a neighborhood pointer field to each data point, storing pointing information that points from the data point to its nearest neighboring data point; by setting this pointer field, sparse data points that lie far from every cluster can be placed into the cluster of the data point nearest to them, which simplifies the computation of the cluster analysis and improves the accuracy of its result. The preset outlier analysis algorithm then obtains the first outlier set and the number of outliers of the preliminary anomaly detection data set, and corrects the outlier analysis result of the preliminary anomaly detection data set according to the preset outlier analysis algorithm, the number of outliers and the local outlier factor, by adjusting the target distance parameter value, to obtain the second outlier set; finally the intersection of the first and second outlier sets is taken as the network traffic anomaly detection result. The above outlier analysis does not require the number of anomalous points to be known, so the above process gives the network traffic anomaly detection result high accuracy; at the same time, the preliminary anomaly detection data set effectively reduces the volume of data the outlier analysis has to process, which improves detection efficiency.
Optionally, the preset clustering algorithm is implemented on the basis of the OPTICS algorithm, and performing cluster analysis on the data point distribution feature according to the preset clustering algorithm specifically includes:
updating the pointing information in the neighborhood pointer field of a data point when the reachability distance of that data point in the ordered seed queue of the preset clustering algorithm is updated, and updating the pointing information in the neighborhood pointer field of a data point after that data point is newly inserted into the ordered seed queue of the clustering algorithm; and
reorganizing the result queue of the preset clustering algorithm according to the pointing information in the neighborhood pointer fields.
Optionally, updating the pointing information in the neighborhood pointer field of a data point specifically is: pointing the data point at the end of the result queue of the preset clustering algorithm.
Optionally, the preset outlier analysis algorithm is implemented on the basis of the LOF algorithm, and obtaining the first outlier set and the number of outliers of the preliminary anomaly detection data set according to the preset outlier analysis algorithm specifically is:
calculating preset neighborhood parameters according to the preset outlier analysis algorithm, where the preset neighborhood parameters include the number of data points in the preset neighborhood, the average distance within the preset neighborhood and the data point density within the preset neighborhood; and
determining the data point density jump position according to the preset neighborhood parameters to obtain the number of outliers and the first outlier set of the preliminary anomaly detection data set;
and adjusting the distance parameter value according to the preset outlier analysis algorithm, the number of outliers and the local outlier factor of the preset outlier analysis algorithm to obtain the second outlier set of the preliminary anomaly detection data set specifically is:
adjusting the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the number of outliers; and
taking the outlier set corresponding to that local outlier factor as the second outlier set.
Optionally, obtaining the network traffic anomaly detection sample and its data point distribution feature specifically is:
obtaining the network traffic anomaly detection sample and calculating the information entropy of the network traffic detection sample to obtain the data point distribution feature of the network traffic anomaly detection sample.
In a second aspect, a network traffic anomaly detection device is provided, comprising:
an acquisition module, for obtaining a network traffic anomaly detection sample and the data point distribution feature of the sample, where the network traffic detection sample includes network traffic data and network behaviour features associated with the network traffic data;
a cluster analysis module, for performing cluster analysis on the data point distribution feature according to a preset clustering algorithm and taking the data set remaining after the high-density data points are removed from the cluster analysis result as the preliminary anomaly detection data set, where the preset clustering algorithm adds a neighborhood pointer field to each data point, and the pointer field stores pointing information that points from the data point to its nearest neighboring data point;
an outlier analysis module, for obtaining the first outlier set and the number of outliers of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and adjusting the distance parameter value according to the preset outlier analysis algorithm, the number of outliers and the local outlier factor of the preset outlier analysis algorithm to obtain the second outlier set of the preliminary anomaly detection data set; and
a processing module, for taking the intersection of the first outlier set and the second outlier set as the network traffic anomaly detection result.
Optionally, the preset clustering algorithm is implemented on the basis of the OPTICS algorithm, and the cluster analysis module is specifically configured to:
update the pointing information in the neighborhood pointer field of a data point when the reachability distance of that data point in the ordered seed queue of the preset clustering algorithm is updated, and update the pointing information in the neighborhood pointer field of a data point after that data point is newly inserted into the ordered seed queue of the clustering algorithm; and
reorganize the result queue of the preset clustering algorithm according to the pointing information in the neighborhood pointer fields.
Optionally, the cluster analysis module is specifically configured to point the data point at the end of the result queue of the preset clustering algorithm.
Optionally, the preset outlier analysis algorithm is implemented on the basis of the LOF algorithm, and the outlier analysis module is specifically configured to:
calculate preset neighborhood parameters according to the preset outlier analysis algorithm, where the preset neighborhood parameters include the number of data points in the preset neighborhood, the average distance within the preset neighborhood and the data point density within the preset neighborhood;
determine the data point density jump position according to the preset neighborhood parameters to obtain the number of outliers and the first outlier set of the preliminary anomaly detection data set;
adjust the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the number of outliers; and
take the outlier set corresponding to that local outlier factor as the second outlier set.
Optionally, the acquisition module is specifically configured to obtain the network traffic anomaly detection sample and calculate the information entropy of the network traffic detection sample to obtain the data point distribution feature of the sample.
It should be understood that the network traffic anomaly detection device provided above is for executing the method of the first aspect; the beneficial effects it can achieve therefore correspond to those of the method of the first aspect and of the corresponding schemes in the detailed description below, and are not repeated here.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1a is a schematic diagram of the definition of direct density reachability;
Fig. 1b is a schematic diagram of the definition of density reachability;
Fig. 1c is a schematic diagram of the definition of density connectivity;
Fig. 2 is a flowchart of a network traffic anomaly detection method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of a preset clustering method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the updating of the neighborhood pointer field provided by an embodiment of the present invention;
Fig. 5 is the reachability plot of the result queue obtained with the preset clustering method provided by an embodiment of the present invention;
Fig. 6 is a flowchart of the method of reorganizing the result queue of the preset clustering algorithm according to the neighborhood pointer field, provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the cluster analysis result obtained with the preset clustering algorithm provided by an embodiment of the present invention;
Fig. 8 is a flowchart of a preset outlier analysis algorithm provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of the result of a network traffic anomaly detection method provided by an embodiment of the present invention;
Fig. 10 is a structural schematic diagram of a network traffic anomaly detection device provided by an embodiment of the present invention;
Fig. 11 is a structural schematic diagram of another network traffic anomaly detection device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present application; all other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the protection scope of the present application. The terms "first", "second" and the like do not indicate any order and may be construed as names of the objects described. In the embodiments of the present application, words such as "illustrative" or "for example" are used to indicate an example, illustration or explanation; any embodiment or design described as "illustrative" or "for example" is not to be construed as preferable to, or more advantageous than, other embodiments or designs. Specifically, such words are intended to present the related concept in a concrete way. Furthermore, in the description of the embodiments of the present application, unless otherwise noted, "plurality" means two or more.
The embodiments of the present invention are used for network traffic anomaly detection and mainly implement network traffic anomaly detection based on unsupervised learning. A network traffic anomaly is a situation in which the traffic behaviour of a network deviates from its normal behaviour. In practice, network traffic anomalies have many causes, such as hardware or software faults in network equipment, abnormal network operation, flash crowds and attacks. Network traffic anomalies can cause considerable harm to user devices and to the use of the network, for example threatening host security, wasting network resources and affecting user applications. Unsupervised learning is a kind of machine learning in which the data carry no special labels and the model is learned in order to infer some intrinsic structure of the data; it is therefore very suitable for detecting network traffic anomalies that arise from many different causes. Because network traffic anomalies cause the harm just described, it is necessary, in order to reduce the security risk of users using the network and to guarantee the security of user devices, to implement efficient and accurate network traffic anomaly detection based on unsupervised learning.
Clustering algorithms are a common class of unsupervised learning algorithm; they can discover unknown attacks without any prior knowledge, and density-based clustering algorithms such as DBSCAN (Density-Based Spatial Clustering of Applications with Noise) and OPTICS (Ordering points to identify the clustering structure) are generally used for network traffic anomaly detection. DBSCAN generates a clustering result from user-supplied parameters, but it requires the user to set the neighborhood radius ε and the minimum number of dense points MinPts as input parameters without any prior knowledge, which causes the following problems in practice: first, DBSCAN is very sensitive to the values of its input parameters, and different parameter values produce entirely different clustering results; second, determining the parameters generally requires expert analysis or a large amount of experimental verification, so obtaining accurate parameters and an accurate clustering result consumes a great deal of time and resources, wasting both and making the detection efficiency of network traffic anomaly detection relatively low. OPTICS starts from a selected object, expands towards the densest region of the data, and finally organizes all objects into an ordered sequence that reflects the structure of the network traffic data and can be visualized. In practice OPTICS has the following problems: although it overcomes DBSCAN's sensitivity to input parameters, its computation has a high time complexity. For example, if the chosen object is a core point p (object p is called a core point if the number of sample points in its ε-neighborhood is greater than or equal to MinPts), the objects in the ε-neighborhood of p must be expanded, but each ε-neighborhood query scans the whole network traffic data set; if the data set contains n objects, scanning it for each of the n objects gives a time complexity of T(n) = O(n^2), which is high. In addition, OPTICS needs a spatial database index, so it must build a spatial index over all data objects before clustering the data set, which wastes a great deal of time and space. Furthermore, in OPTICS the objects of low-density regions tend to accumulate at the end of the result queue, so the algorithm's own performance cannot be fully realized.
Local outlier analysis is another common method for network traffic anomaly detection, and the common local outlier analysis algorithm is LOF. LOF is a density-based anomaly detection algorithm; it can examine how anomalous a data object is relative to the objects around it, but cannot look at the anomalous characteristics of the data from a global point of view. When LOF processes a large network traffic data set, computing the k-reachability distance and the local reachability density (see Definition 8 and Definition 9 in the later introduction) has time complexity T(n) = O(Nk^2), which is high, and the whole data set must be processed item by item with no focus. At the same time, LOF determines the set of anomalous points by computing the local outlier factor of every data point in the data set, usually selecting the several points with the largest local outlier factors as anomalous points; this way of determining anomalous points from the local outlier factor has very high detection accuracy when the number of anomalous points is known. In practical applications, however, the number of anomalous points usually cannot be known in advance, so the choice of parameters becomes very important when LOF is used to determine anomalous points. If the parameters of LOF are chosen improperly, a large number of normal data points (normal points) may be treated as anomalous points, or many anomalous points may be classified as normal points, making the accuracy of network traffic anomaly detection relatively low.
In order to overcome the defects of the above algorithms, the present invention provides a network traffic anomaly detection method that is implemented on the basis of unsupervised learning and can detect network traffic anomalies efficiently and accurately. The network traffic anomaly detection method provided by the present invention is introduced next.
Specifically, referring to Fig. 2, which is a flowchart of a network traffic anomaly detection method provided by an embodiment of the present invention, the method comprises the following steps:
Step S201: obtain a network traffic anomaly detection sample and the data point distribution feature of the sample.
The network traffic detection sample may include network traffic data and network behaviour features associated with the network traffic data. The network traffic data may be a series of network-flow fields extracted from the raw network data stream, such as source IP, source port, destination IP, destination port, byte count, packet count and protocol type. The network behaviour features associated with the network traffic data may be other, indirectly useful behaviour features introduced on the basis of the network traffic data, for example measures of the direction of traffic such as "in-degree" and "out-degree": the in-degree of a network address X is the number of distinct IPs that have communicated with X as destination address, and the out-degree of X is the number of distinct destination IPs connected to with X as source address.
After the network traffic anomaly detection sample is obtained, the data point (data object) distribution feature of the sample can be obtained by calculating the information entropy of the sample. In a specific implementation, the information entropy of each field of the network traffic data and of the network behaviour features within a preset time window can be calculated, and the entropy values of all or some of these fields taken as the data point distribution feature of the sample. Preferably, a field selection condition is set according to the calculated entropies and the actual situation (for example according to business experience with the network traffic), some of the fields are selected as the final fields, and the data point distribution feature of the final fields is taken as the data point distribution feature of the sample. For example, the information entropy of source IP, source port, destination IP, destination port, byte count, packet count and protocol type in the network traffic data within a 60-second window, together with the in-degree and out-degree among the network behaviour features, can be calculated, and then, according to the calculated entropy of each field and the field selection condition, the distribution features of source IP, destination port, in-degree and protocol type are chosen as the data point distribution feature of the sample. It is understood that the preset time window and the field selection condition can be configured by those skilled in the art according to the actual situation and are not limited by the present invention.
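As an added illustration (not code from the patent), the following Python computes the per-window information entropy of the flow fields and of the in-degree and out-degree features described above, over a constructed set of flow records for one 60-second window, and then keeps the four fields the text selects; the record layout and the field names are assumptions.

```python
from collections import Counter
from math import log2

# Constructed flow records for one 60-second window (not data from the patent).
# Layout is an assumption: (src_ip, src_port, dst_ip, dst_port, bytes, packets, proto)
FLOWS = [
    ("10.0.0.1", 51000, "10.0.1.5", 443, 1200, 10, "tcp"),
    ("10.0.0.2", 51001, "10.0.1.5", 443, 800, 6, "tcp"),
    ("10.0.0.3", 51002, "10.0.1.7", 53, 90, 1, "udp"),
    ("10.0.0.1", 51003, "10.0.1.7", 53, 95, 1, "udp"),
    ("10.0.0.4", 51004, "10.0.1.5", 80, 5000, 40, "tcp"),
    ("10.0.0.4", 51005, "10.0.1.9", 22, 300, 4, "tcp"),
]
FIELDS = ["src_ip", "src_port", "dst_ip", "dst_port", "bytes", "packets", "proto"]


def entropy(values):
    """Shannon entropy in bits of the empirical distribution of a sequence of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * log2(c / n) for c in counts.values())


def degrees(flows):
    """In-degree / out-degree per address as defined in the text: in-degree of X is the number
    of distinct IPs that talked to X as destination; out-degree of X is the number of distinct
    destination IPs reached with X as source."""
    in_peers, out_peers = {}, {}
    for src, _, dst, *_ in flows:
        in_peers.setdefault(dst, set()).add(src)
        out_peers.setdefault(src, set()).add(dst)
    in_degree = {ip: len(s) for ip, s in in_peers.items()}
    out_degree = {ip: len(s) for ip, s in out_peers.items()}
    return in_degree, out_degree


def window_features(flows, selected=("src_ip", "dst_port", "in_degree", "proto")):
    """Entropy of every field plus in-degree and out-degree for one window, and the
    feature vector restricted to the selected fields (the selection rule is a fixed
    list here; the text leaves the selection condition to the implementer)."""
    columns = {name: [f[i] for f in flows] for i, name in enumerate(FIELDS)}
    in_degree, out_degree = degrees(flows)
    # One degree value per flow: in-degree of the flow's destination, out-degree of its source.
    columns["in_degree"] = [in_degree[f[2]] for f in flows]
    columns["out_degree"] = [out_degree[f[0]] for f in flows]
    all_entropies = {name: entropy(vals) for name, vals in columns.items()}
    return all_entropies, [all_entropies[name] for name in selected]
```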
Step S202: perform cluster analysis on the data point distribution feature according to the preset clustering algorithm, and take the data set remaining after the high-density data points are removed from the cluster analysis result as the preliminary anomaly detection data set.
The preset clustering algorithm can divide a given set of data points into different clusters according to the data point distribution feature, such that data points within a cluster are similar and data points in different clusters differ. The preset clustering algorithm adds a neighborhood pointer field to each data point; the pointer field stores pointing information that points the data point to its nearest neighboring data point. The pointer field can be used to reorganize the result queue of the preset clustering algorithm, placing the sparse points of the preset cluster analysis result queue into the cluster to which their nearest neighboring data point belongs. Updating the pointer field introduces no additional computation or time cost, simplifies the computation of the cluster analysis and improves the accuracy of its result.
Step S203: obtain the first outlier set and the number of outliers of the preliminary anomaly detection data set according to the preset outlier analysis algorithm, and adjust the distance parameter value according to the preset outlier analysis algorithm, the number of outliers and the local outlier factor of the preset outlier analysis algorithm to obtain the second outlier set of the preliminary anomaly detection data set.
Step S204: take the intersection of the first outlier set and the second outlier set as the network traffic anomaly detection result.
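The two-stage outlier analysis of steps S203 and S204 (and of the corresponding optional clauses in the summary), as an added example that is not the patent's own code: the first outlier set is obtained by sorting points by neighborhood density and cutting at the largest density jump, the "distance parameter" is taken to be the LOF neighborhood size k, which is adjusted until the number of points with LOF > 1 matches the outlier count, and the intersection of the two sets is returned. The density-jump rule, the choice of k as the adjusted parameter and the input points are assumptions.

```python
import math

# Constructed 2-D feature vectors standing in for a preliminary anomaly detection data set
# (what remains after the clustering stage removed dense points); not data from the patent.
POINTS = [
    (1.0, 1.0), (1.1, 1.0), (1.0, 1.2), (1.2, 1.1), (0.9, 1.1),  # sparse remnant of one cluster
    (3.0, 3.0), (3.1, 3.0), (3.0, 3.2), (3.2, 3.1), (2.9, 3.1),  # sparse remnant of another
    (6.0, 0.5), (0.2, 6.5),                                     # two isolated points
]


def knn(points, i, k):
    """Indices of the k nearest neighbours of point i (excluding i itself)."""
    order = sorted((math.dist(points[i], points[j]), j) for j in range(len(points)) if j != i)
    return [j for _, j in order[:k]]


def neighborhood_params(points, k):
    """The preset neighborhood parameters named in the text, per point: number of neighbours,
    average neighbour distance and density (assumed here to be 1 / average distance)."""
    params = []
    for i in range(len(points)):
        nb = knn(points, i, k)
        avg = sum(math.dist(points[i], points[j]) for j in nb) / len(nb)
        params.append({"count": len(nb), "avg_dist": avg,
                       "density": 1.0 / avg if avg > 0 else math.inf})
    return params


def first_outlier_set(points, k):
    """Sort points by density and split at the largest jump between consecutive densities;
    the low-density side is the first outlier set and its size is the outlier count."""
    params = neighborhood_params(points, k)
    order = sorted(range(len(points)), key=lambda i: params[i]["density"])
    dens = [params[i]["density"] for i in order]
    _, cut = max((dens[j + 1] - dens[j], j) for j in range(len(order) - 1))
    outliers = set(order[:cut + 1])
    return outliers, len(outliers)


def lof(points, k):
    """Standard local outlier factor of every point with MinPts = k."""
    n = len(points)
    nbrs = [knn(points, i, k) for i in range(n)]
    kdist = [math.dist(points[i], points[nbrs[i][-1]]) for i in range(n)]

    def reach(i, j):  # reachability distance of i with respect to j
        return max(kdist[j], math.dist(points[i], points[j]))

    lrd = [len(nbrs[i]) / sum(reach(i, j) for j in nbrs[i]) for i in range(n)]
    return [sum(lrd[j] for j in nbrs[i]) / (len(nbrs[i]) * lrd[i]) for i in range(n)]


def second_outlier_set(points, target_count, k_values):
    """Adjust the neighborhood size k (our reading of the 'distance parameter') until the number
    of points with LOF > 1 equals target_count; if no k matches exactly, keep the closest."""
    best = None
    for k in k_values:
        flagged = {i for i, f in enumerate(lof(points, k)) if f > 1.0}
        gap = abs(len(flagged) - target_count)
        if best is None or gap < best[0]:
            best = (gap, k, flagged)
        if gap == 0:
            break
    return best[1], best[2]


def detect(points, k_first=3, k_values=range(2, 8)):
    """Steps S203/S204: first set and count from the density jump, second set from the adjusted
    LOF, and their intersection as the detection result."""
    first, count = first_outlier_set(points, k_first)
    k_used, second = second_outlier_set(points, count, k_values)
    return sorted(first & second), count, k_used
```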
In the network traffic anomaly detection method provided by the embodiments of the present invention, the preset clustering algorithm can perform cluster analysis on the acquired data point distribution feature, and the data set remaining after the high-density data points are removed from the cluster analysis result serves as the preliminary anomaly detection data set. The preset clustering algorithm adds a neighborhood pointer field to each data point, storing pointing information that points from the data point to its nearest neighboring data point; by setting this pointer field, the sparse points of the preset cluster analysis result queue can be placed into the cluster to which their nearest neighboring data point belongs, which simplifies the computation of the cluster analysis and improves the accuracy of its result. The preset outlier analysis algorithm then obtains the first outlier set and the number of outliers of the preliminary anomaly detection data set, and corrects the outlier analysis result of the preliminary anomaly detection data set according to the preset outlier analysis algorithm, the number of outliers and the local outlier factor, by adjusting the target distance parameter value, to obtain the second outlier set; finally the intersection of the first and second outlier sets is taken as the network traffic anomaly detection result. The above outlier analysis does not require the number of anomalous points to be known, so the above process gives the network traffic anomaly detection result high accuracy; at the same time, filtering out the preliminary anomaly detection data set effectively reduces the volume of data the outlier analysis has to process, which improves detection efficiency.
In a specific implementation, the preset clustering algorithm in step S202 can be realized based on the OPTICS algorithm, which involves the following definitions:
Definition 1: directly density-reachable: referring to Fig. 1a, if p is a core point and q lies in the ε-neighbourhood of p, then q is directly density-reachable from p.
Definition 2: density-reachable: referring to Fig. 1b, if there is a sequence p1, p2, p3, ..., pn with p1 = p and pn = q such that, for any 1 ≤ i < n, p_(i+1) is directly density-reachable from p_i, then q is density-reachable from p.
Definition 3: density-connected: referring to Fig. 1c, if p is density-reachable from o and q is density-reachable from o, then p and q are density-connected.
Definition 4: core distance (core-distance): assume that the minimum radius within which point p contains MinPts neighbours (neighbouring points) is MinPts-distance(p); then the core distance of p is defined as follows:
That is, when p ≠ core-object, i.e. p is not a core point, the core distance of p is undefined; when p = core-object, i.e. p is a core point, the core distance of p is the minimum radius MinPts-distance(p) within which p contains MinPts neighbours (neighbouring points).
Definition 5: reachability distance (reachability-distance): assume that p is a point in the ε-neighbourhood of some point o; then the reachability distance of p with respect to o is defined as follows:
That is, when p ≠ core-object, i.e. p is not a core point, the reachability distance of p with respect to o is undefined; when p = core-object, i.e. p is a core point, the reachability distance of p with respect to o is the minimum neighbourhood radius for which "p is a core point" and "o is directly density-reachable from p" hold simultaneously.
From the above definitions, the reachability distance of p with respect to o is the minimum distance at which p is directly density-reachable from o. This distance is directly related to the spatial density of the data points: the greater the spatial density of a data point, the smaller the direct reachability distance between that data point and its adjacent points, and vice versa. Therefore, the preset clustering algorithm based on OPTICS uses an ordered seed queue (OrderSeeds), sorted in ascending order of reachability distance, to store the data points to be expanded, so that the data objects in dense regions of the space can be located quickly. Referring to Fig. 3, the preset clustering algorithm based on OPTICS comprises the following steps:
Step S301: the ordered seed queue is initially empty, and the result queue is initially empty.
Step S302: judge whether all data points have been processed; if so, the algorithm terminates; if not, execute step S303.
Step S303: select an unprocessed data point and put it into the ordered seed queue; judge whether the ordered seed queue is empty; if so, execute step S302; if not, execute step S304.
Step S304: select a data point p to expand, and judge whether p is a core point; if so, execute step S308; if not, execute step S305.
Step S305: for any unexpanded data point q in the ε-neighbourhood of p, judge whether q is already in the ordered seed queue; if so, execute step S306; if not, execute step S307.
Step S306: if q is in the ordered seed queue and the reachability distance from p to q is smaller than the old reachability distance, update the reachability distance of q, move q to the corresponding position so that the ordered seed queue stays ordered, and update the pointing information in the referrer field of q.
Step S307: if q is not in the ordered seed queue, insert q into the ordered seed queue according to the reachability distance from p to q, and update the pointing information in the referrer field of q.
Step S308: delete p from the ordered seed queue, write p into the result queue, and return to step S303.
Updating the pointing information in the referrer field of q may specifically be: updating the pointing information in the referrer field of a data point when the reachability distance of that data point is updated in the ordered seed queue of the preset clustering algorithm; and updating the pointing information in the referrer field of a data point after the data point is newly inserted into the ordered seed queue of the preset clustering algorithm.
Specifically, it is assumed that the closer two data points are, the higher the probability that they belong to the same cluster. From the computation of the OPTICS algorithm above, the reachability distance of each data point in the ordered seed queue is updated dynamically (corresponding to step S306), and the updated reachability distance is the minimum reachability distance from that data point to all data points that have already been expanded. Therefore, if the reachability distance of a data point is updated, a new data point closer to it exists, i.e. the nearest neighbouring data point of that data point has changed. Since the pointing information in the referrer field points from a data point to its nearest neighbouring data point, the referrer field of a data point has to be updated whenever its reachability distance is updated. If the reachability distance of a data point changes under the current state of the result queue, the data point that caused the change must be the data point whose expansion has just been completed, and that data point is placed at the end of the result queue; the pointing information in the referrer field of the data point whose reachability distance changed is therefore updated to point to the end of the result queue of the preset clustering algorithm. Similarly, if a data point is newly inserted into the ordered seed queue of the preset clustering algorithm (corresponding to step S307), the pointing information in its referrer field is updated in the same way, i.e. the pointing information in the referrer field of the data point newly inserted into the ordered seed queue is updated to point to the end of the result queue of the preset clustering algorithm.
Refer to Fig. 4, which contains three rows of queues: from top to bottom, the ordered seed queue L1, the queue L2 of the referrer fields of the data points in the ordered seed queue, and the result queue L3. The ordered seed queue L1 contains expanded and unexpanded data points; the data points in the diagonally hatched region are expanded data points that have already been moved into the result queue, and the remaining data points are unexpanded. Among the unexpanded data points, data point 41 and data point 42 are data points whose reachability distance has changed. As can be seen from Fig. 4, when the reachability distance of a data point changes, the referrer field of that data point is pointed to the end of the result queue, which updates the referrer field of the data point whose reachability distance changed.
In a specific implementation, updating the referrer field consists only of pointing the referrer field of a data point whose reachability distance changed to the tail of the result queue, which introduces no additional computational cost.
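The following Python listing is an added example, not code from the patent, of steps S301 to S308 together with the referrer update just described. The sample points, eps and min_pts, and the core-point convention (a point is a core point when at least min_pts other points lie within eps, and its core distance is the distance to the min_pts-th of them) are assumptions; core points are expanded and non-core points are written directly to the result queue, which is the standard OPTICS order of operations. Each point's referrer field holds the position in the result queue of the expanded point that last lowered its reachability distance, so at the moment it is set it always resolves to the end of the result queue.

```python
"""OPTICS ordering with a per-point referrer field (steps S301-S308).

Added example, not the patent's code. Assumed: the sample points, eps, min_pts and the
core-point convention described in the lead-in.
"""
import math

# Constructed sample: two tight 4-point clusters (indices 0-3 and 4-7) and one isolated point (8).
SAMPLE_POINTS = [(0, 0), (0, 1), (1, 0), (1, 1),
                 (10, 10), (10, 11), (11, 10), (11, 11),
                 (5, 5)]


def optics_with_referrer(points, eps, min_pts):
    """Return (result_queue, reach, referrer).

    result_queue: point indices in OPTICS output order (the result queue of step S308).
    reach[i]:     reachability distance of point i (math.inf means undefined).
    referrer[i]:  position in result_queue of the expanded point that last lowered
                  reach[i], i.e. its nearest already-expanded neighbour (None if never set).
    """
    n = len(points)
    reach = [math.inf] * n
    referrer = [None] * n
    processed = [False] * n
    result = []                      # result queue, empty at the start (S301)
    seeds = []                       # ordered seed queue, kept sorted by reach (S301)

    def neighbours(i):
        return [j for j in range(n) if j != i and math.dist(points[i], points[j]) <= eps]

    def core_distance(i, nbrs):
        # Definition 4 under the assumed convention: undefined unless min_pts neighbours lie within eps.
        if len(nbrs) < min_pts:
            return math.inf
        return sorted(math.dist(points[i], points[j]) for j in nbrs)[min_pts - 1]

    for start in range(n):           # S302/S303: pick the next unprocessed point
        if processed[start]:
            continue
        seeds.append(start)
        while seeds:                 # S303: loop until the ordered seed queue is empty
            seeds.sort(key=lambda i: reach[i])   # keeps the queue ordered after S306 updates
            p = seeds.pop(0)         # S304: the point with the smallest reachability distance
            processed[p] = True
            result.append(p)         # S308: p leaves the seed queue and joins the result queue
            tail = len(result) - 1   # position of p, i.e. the end of the result queue
            nbrs = neighbours(p)
            cd = core_distance(p, nbrs)
            if cd == math.inf:
                continue             # non-core point: nothing to expand
            for q in nbrs:           # S305: every unexpanded point in the eps-neighbourhood of p
                if processed[q]:
                    continue
                new_reach = max(cd, math.dist(points[p], points[q]))
                if q in seeds:       # S306: already queued, update only on a smaller distance
                    if new_reach < reach[q]:
                        reach[q] = new_reach
                        referrer[q] = tail
                else:                # S307: newly inserted, referrer points at the queue end
                    reach[q] = new_reach
                    referrer[q] = tail
                    seeds.append(q)
    return result, reach, referrer


def nearest_expanded_neighbour(result, referrer, i):
    """Resolve the referrer field of point i to a point index (None for a cluster's first point)."""
    return None if referrer[i] is None else result[referrer[i]]


def run_sample():
    return optics_with_referrer(SAMPLE_POINTS, eps=2.0, min_pts=3)


if __name__ == "__main__":
    order, reach, referrer = run_sample()
    for pos, p in enumerate(order):
        print(pos, p, reach[p], nearest_expanded_neighbour(order, referrer, p))
```

Running the listing on the sample prints the result queue with each point's reachability distance and the point its referrer field resolves to. The first point of each cluster, and the isolated point, keep an undefined reachability distance and an empty referrer field; that is the case the extraction step has to handle.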
After the above processing of the ordered seed queue is complete, the referrer fields of all data points are stored in the result queue together with the network traffic data points, and the reachability plot of the result queue is obtained. Fig. 5 shows the reachability plot obtained with the order of the data points in the result queue as the abscissa and the reachability distance as the ordinate. In Fig. 5, the trough regions of the reachability distance represent the data points inside dense clusters of network traffic data, and the peak regions represent the boundary points of sparse regions. While the referrer field is used to move the sparse points produced by the cluster analysis into the cluster of their nearest neighbour, the corresponding clusters are extracted by traversing the reachability plot and identifying its steep-down regions and steep-up regions.
To extract the potential clusters in the reachability plot, the preset clustering algorithm usually has to perform an ExtractClusters operation after it has finished running; in the present invention, the result queue of the preset clustering algorithm can be reorganized in the ExtractClusters operation according to the pointing information in the referrer field.
Referring to Fig. 6, reorganizing the result queue of the preset clustering algorithm according to the pointing information in the referrer field specifically comprises the following steps:
Step S601: the pointer to be processed points to the head of the result queue.
Step S602: judge whether the pointer to be processed points to the tail of the result queue; if so, execute step S608; if not, execute step S603.
Step S603: move the pointer back by one position.
Step S604: judge whether a steep-down region appears; if so, execute step S605; otherwise re-execute this step.
Step S605: start extracting a new cluster, store the data points from the steep-down region onwards into the new cluster while moving the pointer back; when a steep-up region appears, end the extraction of the new cluster, obtaining a new cluster composed of the data points between the steep-down region and the steep-up region, and re-execute step S602.
In this step, for the current data point p to be processed, it is further judged whether the nearest neighbouring data point q pointed to by the referrer field of p belongs to the new cluster; if so, p is inserted into the new cluster; otherwise p is inserted at the tail of the cluster to which q belongs.
The criteria for deciding steep-down regions and steep-up regions are set by those skilled in the art according to the actual situation and are not limited by the present invention.
Step S606: splice the data points of all clusters end to end to form a new reachability plot.
If a mapping from each processed data point to its cluster is recorded in real time while the preset clustering algorithm runs, looking up the cluster of q and inserting p at the tail of that cluster can be completed in constant time.
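The following Python listing is an added example, not code from the patent, of the reorganisation in steps S601 to S606. It starts from a constructed result queue of (point id, reachability distance, referrer position) triples rather than from a live OPTICS run. The steep-region rule (a drop to below (1 - xi) times the previous reachability distance opens a cluster, a rise to above (1 + xi) times closes it, an undefined distance counts as infinitely high) and the treatment of a point lying outside every cluster region (it is attached through its referrer field to the cluster of its nearest expanded neighbour, and stays noise if it has none) are assumptions, since the description leaves these criteria to the implementer.

```python
"""ExtractClusters with the referrer-based reorganisation of steps S601-S606.

Added example, not the patent's code. Assumed: the constructed result queue, the
steep-region rule and the handling of points outside every cluster region.
"""
import math

INF = math.inf

# Constructed result queue: (point id, reachability distance, referrer position in this queue).
# Positions 0-3 and 5-9 hold two dense clusters. Point 9 (position 4) is a sparse point reached
# from point 3 and output between the two regions; point 10 was reached from point 2 but is
# output inside the second region; point 8 has no referrer at all.
RESULT_QUEUE = [
    (0, INF, None), (1, 1.4, 0), (2, 1.4, 0), (3, 1.4, 0),
    (9, 6.0, 3),
    (4, INF, None), (5, 1.4, 5), (10, 1.9, 2), (6, 1.4, 5), (7, 1.4, 5),
    (8, INF, None),
]


def steep_down(a, b, xi):
    """Reachability falls steeply from a to b (an undefined a counts as infinitely high)."""
    return b < a * (1 - xi) if a != INF else b != INF


def steep_up(a, b, xi):
    """Reachability rises steeply from a to b."""
    return b > a * (1 + xi) if a != INF else False


def extract_clusters(queue, xi=0.5):
    """Return (clusters, noise): clusters is a list of point-id lists in extraction order."""
    clusters, cluster_of, noise = [], {}, []      # cluster_of: the real-time point-to-cluster map
    current = None                                # index of the cluster being extracted
    n = len(queue)
    for pos, (pid, r, ref) in enumerate(queue):   # S601-S603: walk the queue from head to tail
        nxt = queue[pos + 1][1] if pos + 1 < n else INF
        if current is None and pos + 1 < n and steep_down(r, nxt, xi):
            clusters.append([])                   # S604/S605: a steep-down step opens a cluster
            current = len(clusters) - 1
        q = queue[ref][0] if ref is not None else None   # nearest expanded neighbour of pid
        if current is not None:
            # S605: pid joins the new cluster unless q already sits in another cluster,
            # in which case pid goes to the tail of q's cluster (constant time via cluster_of).
            target = cluster_of.get(q, current)
        elif q is not None and q in cluster_of:
            target = cluster_of[q]                # sparse point between regions: follow the referrer
        else:
            noise.append(pid)                     # no usable referrer: remains noise
            continue
        clusters[target].append(pid)
        cluster_of[pid] = target
        if current is not None and steep_up(r, nxt, xi):
            current = None                        # S605: a steep-up step closes the cluster
    return clusters, noise


def splice(clusters):
    """S606: concatenate the clusters head to tail into the reorganised order."""
    return [pid for c in clusters for pid in c]


if __name__ == "__main__":
    found, left_over = extract_clusters(RESULT_QUEUE)
    print("clusters:", found, "noise:", left_over, "spliced:", splice(found))
```

The cluster_of dictionary is the real-time mapping from data point to cluster mentioned above, which is what makes the "insert p at the tail of q's cluster" step a constant-time operation. In the sample, point 9 is output between the two cluster regions and point 10 is output inside the second region although its nearest expanded neighbour is in the first; both end up at the tail of the first cluster, and point 8, which has no referrer, stays noise.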
After the above steps are complete, the clustering result of the preset clustering algorithm is obtained, and the data set remaining after the dense data points are removed from the clustering result is taken as the preliminary anomaly detection data set. In a specific implementation, the clustering result obtained with the preset clustering algorithm is shown in Fig. 7, where the data points drawn as circles are normal network traffic data points and the data points drawn as triangles are anomalous network traffic data points.
In a specific implementation, step S203 can be realized based on the LOF algorithm, which involves the following definitions:
Definition 6: k-distance: the k-distance of data object l is the distance (Euclidean distance, i.e. straight-line distance) from the k-th nearest point to l in the data set D to l, denoted k-distance(l).
Definition 7: k-distance neighbourhood: the set of data points in the data set whose distance from data object l is not greater than the k-distance, i.e.:
N_{k-distance(l)}(l) = { h ∈ D \ {l} | d(l, h) ≤ k-distance(l) }
Definition 8: k-reachability distance: for any two points l and h in the data set, the reachability distance reach-dist_k(l, h) from l to h is defined as:
reach-dist_k(l, h) = max{ d(l, h), k-distance(l) }
where d(l, h) is the Euclidean distance between points l and h.
Definition 9: local reachability density: the local reachability density of l is the inverse of the average reachability distance from l to all points in its neighbourhood; the local reachability density lrd(l) is computed with the following formula:
where N_k is the number of points in the k-neighbourhood of l. Since several points may be equidistant from l, the k-th nearest neighbour may be one point or several, so |N_k(l)| ≥ k. The larger lrd(l) is, the higher the density of l and the more normal point l is.
Definition 10: local outlier factor: it characterises the degree of dispersion of the data; the local outlier factor LOF_k(l) is computed with the following formula:
If LOF_k(l) is much larger than 1, the density of point l differs greatly from the density of the overall data, and l can be regarded as an outlier (anomalous point); conversely, the closer LOF_k(l) is to 1, the smaller the difference between the density of point l and the density of the overall data, and the more normal point l is.
Definition 11: R-neighbourhood: the region with data point l as its centre and R as its radius.
Definition 12: R-neighbourhood average distance dist_R(l): the average distance from the data points in the R-neighbourhood to data point l, computed with the following formula:
Definition 13: R-neighbourhood data point density ρ_l: the ratio of the number of data points in the R-neighbourhood to the R-neighbourhood average distance, computed with the following formula:
where |N_R(l)| is the number of data points in the R-neighbourhood.
Referring to Fig. 8, step S203 specifically comprises the following steps:
Step S801: compute the preset neighbourhood parameters according to the preset outlier analysis algorithm.
Specifically, the preset neighbourhood is the R-neighbourhood of definitions 11 to 13. The preset neighbourhood parameters defined according to definitions 11 to 13 may include: the preset neighbourhood point count, i.e. the number of data points in the R-neighbourhood |N_R(l)|; the preset neighbourhood average distance; and the data point density of the preset neighbourhood.
Step S802: determine the data point density jump positions according to the preset neighbourhood parameters, so as to obtain the outlier count and the first outlier point set of the preliminary anomaly detection data set.
A density distribution graph is drawn from the above preset neighbourhood parameters, the positions in the graph where the data point count or the density jumps sharply are found, and these positions are determined as the data point density jump positions; the set of data points at all density jump positions is taken as the first outlier point set, and the number of data points at all density jump positions is taken as the outlier count.
Of course, it should be understood that the above way of obtaining the outlier count and the first outlier point set is only exemplary; in a specific implementation, those skilled in the art may obtain the outlier count and the first outlier point set in ways other than the one listed above, and the present invention does not limit the specific way in which they are obtained.
Step S803: adjust the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count.
Specifically, the distance parameter value in the preset outlier analysis algorithm (the distance k in definition 8) is adjusted so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count obtained in step S802.
Step S804: obtain the outlier point set corresponding to the local outlier factor as the second outlier point set.
When the number of data points whose local outlier factor is greater than 1 equals the outlier count, the corresponding outlier point set is taken as the second outlier point set.
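The following Python listing is an added example, not code from the patent, covering definitions 6 to 13 and steps S801 to S804 on a constructed sample. Its assumptions, none of which are on the page: the sample points and the radius R; the jump position is taken as the largest gap between two consecutive values of the sorted R-neighbourhood densities, with everything below it forming the first outlier set; the distance parameter k is searched over a small range and, if no k yields exactly the outlier count of points with LOF > 1, the closest k is kept; and the reachability distance of definition 8 uses the k-distance of the neighbour h, the form of the original LOF paper, where the page's transcription writes k-distance(l).

```python
"""LOF outlier analysis with the neighbourhood-density pre-step of S801-S804.

Added example, not the patent's code. Assumed: the sample points, R, the jump rule,
the k search range with closest-count fallback, and the LOF-paper form of reach-dist.
"""
import math

# Constructed sample: two 5-point clusters plus two isolated points (indices 10 and 11).
SAMPLE = [(0, 0), (0, 1), (1, 0), (1, 1), (0.5, 0.5),
          (10, 10), (10, 11), (11, 10), (11, 11), (10.5, 10.5),
          (5, 5), (20, 0)]


def k_distance(data, i, k):
    """Definitions 6 and 7: k-distance of point i and its k-distance neighbourhood (ties kept)."""
    d = sorted((math.dist(data[i], data[j]), j) for j in range(len(data)) if j != i)
    kd = d[k - 1][0]
    return kd, [j for dj, j in d if dj <= kd]


def lof_scores(data, k):
    """Definitions 8-10: reach-dist, local reachability density and LOF for every point."""
    n = len(data)
    kd, nbrs = zip(*(k_distance(data, i, k) for i in range(n)))

    def reach(i, h):                       # reach-dist_k(i, h) with the neighbour's k-distance
        return max(math.dist(data[i], data[h]), kd[h])

    lrd = []
    for i in range(n):
        s = sum(reach(i, h) for h in nbrs[i])
        lrd.append(len(nbrs[i]) / s if s > 0 else math.inf)   # duplicate points: infinite density
    lof = []
    for i in range(n):
        mean_nbr = sum(lrd[h] for h in nbrs[i]) / len(nbrs[i])
        lof.append(mean_nbr / lrd[i] if lrd[i] != math.inf else 1.0)
    return lof


def r_density(data, i, R):
    """Definitions 11-13: (count, average distance, density) of the R-neighbourhood of i."""
    ds = [d for d in (math.dist(data[i], data[j]) for j in range(len(data)) if j != i) if d <= R]
    if not ds:
        return 0, 0.0, 0.0                 # no neighbour inside R: density taken as 0 (assumption)
    avg = sum(ds) / len(ds)
    return len(ds), avg, len(ds) / avg


def first_outlier_set(data, R):
    """S801-S802: sort points by R-neighbourhood density; the largest gap between two
    consecutive densities is the jump position, and everything below it is an outlier."""
    dens = [r_density(data, i, R)[2] for i in range(len(data))]
    order = sorted(range(len(data)), key=dens.__getitem__)
    jump = max(range(len(order) - 1), key=lambda p: dens[order[p + 1]] - dens[order[p]])
    outliers = set(order[:jump + 1])
    return outliers, len(outliers)


def adjust_k(data, outlier_count, k_min=2, k_max=5):
    """S803: search k so that the number of points with LOF > 1 equals outlier_count;
    when no k matches exactly, keep the k with the closest count (assumption)."""
    best_k, best_gap = k_min, None
    for k in range(k_min, k_max + 1):
        count = sum(1 for s in lof_scores(data, k) if s > 1)
        gap = abs(count - outlier_count)
        if best_gap is None or gap < best_gap:
            best_k, best_gap = k, gap
        if gap == 0:
            break
    return best_k


def detect(data, R=2.0, k_max=4):
    """S802-S804 followed by the intersection of step S204."""
    first, count = first_outlier_set(data, R)
    k = adjust_k(data, count, k_max=k_max)
    second = {i for i, s in enumerate(lof_scores(data, k)) if s > 1}
    return first, second, first & second, k


if __name__ == "__main__":
    first, second, final, k = detect(SAMPLE)
    print("first set", sorted(first), "k", k, "second set", sorted(second), "result", sorted(final))
```

detect returns the first outlier set, the second outlier set, their intersection (step S204) and the chosen k. On the sample the two isolated points have zero R-neighbourhood density and are the only members of the first set; the centre point of each small cluster also receives a LOF slightly above 1, which is why the exact-count condition of step S803 cannot always be met and why the intersection with the density-based set matters.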
Fig. 9 shows the detection result of the network traffic anomaly detection obtained by applying the preset outlier analysis algorithm provided by the embodiment of the present invention to the clustering result shown in Fig. 7, i.e. the final detection result of the network traffic anomaly detection method provided by the present invention. In Fig. 9, the data points drawn as circles are normal network traffic data points and the data points drawn as triangles are anomalous network traffic data points. Comparing Fig. 9 with Fig. 7, it can be clearly seen that the network traffic anomaly detection method provided by the present invention filters the anomalous network traffic data points out of a large number of network traffic data points more precisely.
Table 1 compares the effect of network traffic anomaly detection performed with the network traffic anomaly detection method provided by the present invention and with other algorithms of the prior art; it can be clearly seen from Table 1 that the network traffic anomaly detection method provided by the present invention is far superior to the other algorithms in parameters such as precision, recall and running time.
Table 1
Fig. 10 shows a structural block diagram of a network traffic anomaly detection device provided by the present invention. The network traffic anomaly detection device provided by the present invention is realized based on unsupervised learning and comprises:
an acquisition module 11, configured to obtain a network traffic anomaly detection sample and a data point distribution feature of the network traffic anomaly detection sample; wherein the network traffic detection sample comprises network traffic data and a network behaviour feature associated with the network traffic data.
Optionally, the acquisition module 11 is specifically configured to:
obtain the network traffic anomaly detection sample, and compute the information entropy of the network traffic detection sample to obtain the data point distribution feature of the network traffic anomaly detection sample.
A cluster analysis module 12, configured to perform cluster analysis on the data point distribution feature according to a preset clustering algorithm and to take the data set remaining after the dense data points are removed from the clustering result as a preliminary anomaly detection data set; wherein, in the preset clustering algorithm, a referrer field is added to each data point, and the referrer field stores pointing information that points the data point to its nearest neighbouring data point.
Optionally, the preset clustering algorithm is realized based on the OPTICS algorithm, and the cluster analysis module 12 is then specifically configured to:
update the pointing information in the referrer field of a data point according to an update of the reachability distance of the data point in the ordered seed queue of the preset clustering algorithm; and update the pointing information in the referrer field of a data point after the data point is newly inserted into the ordered seed queue of the clustering algorithm;
reorganize the result queue of the preset clustering algorithm according to the pointing information in the referrer field.
Optionally, the cluster analysis module 12 is specifically configured to: point the data point to the end of the result queue of the preset clustering algorithm.
An outlier analysis module 13, configured to obtain a first outlier point set and an outlier count of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and to adjust a distance parameter value according to the preset outlier analysis algorithm, the outlier count and a local outlier factor of the preset outlier analysis algorithm so as to obtain a second outlier point set of the preliminary anomaly detection data set.
Optionally, the preset outlier analysis algorithm is realized based on the LOF algorithm, and the outlier analysis module 13 is then specifically configured to:
compute preset neighbourhood parameters according to the preset outlier analysis algorithm; wherein the preset neighbourhood parameters comprise: the number of data points in the preset neighbourhood, the average distance of the preset neighbourhood and the data point density of the preset neighbourhood;
determine data point density jump positions according to the preset neighbourhood parameters to obtain the outlier count and the first outlier point set of the preliminary anomaly detection data set;
adjust the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count;
obtain the outlier point set corresponding to the local outlier factor as the second outlier point set.
A processing module 14, configured to obtain the intersection of the first outlier point set and the second outlier point set as the network traffic anomaly detection result.
For the details of each step of the method embodiment above, reference may be made to the functional description of the corresponding functional module, which is not repeated here.
When integrated modules are used, the network traffic anomaly detection device comprises a storage unit, a processing unit and an interface unit. The processing unit controls and manages the actions of the network traffic anomaly detection device; for example, the processing unit supports the network traffic anomaly detection device in executing the steps in Fig. 2, Fig. 3, Fig. 6 and Fig. 8. The interface unit supports the interaction of the network traffic anomaly detection device with other devices, and the storage unit stores the program code and data of the network traffic anomaly detection device.
The processing unit may be a processor, the storage unit a memory, and the interface unit a communication interface. As shown in Fig. 11, the network traffic anomaly detection device comprises a communication interface 1101, a processor 1102, a memory 1103 and a bus 1104; the communication interface 1101, the processor 1102 and the memory 1103 are connected by the bus 1104.
The processor 1102 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present application.
The memory 1103 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disk storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto. The memory may exist separately and be connected to the processor by the bus, or the memory may be integrated with the processor.
The memory 1103 stores the application program code that executes the solution of the present application, and its execution is controlled by the processor 1102. The communication interface 1101 supports the interaction of the network traffic anomaly detection device with other devices. The processor 1102 executes the application program code stored in the memory 1103 to realize the network traffic anomaly detection method of the embodiment of the present application.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the preferable implementation. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, can be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner or a network device, etc.) to execute the method described in each embodiment of the present application.
The embodiments of the present application are described above with reference to the accompanying drawings, but the present application is not limited to the above specific embodiments, which are only illustrative rather than restrictive; under the inspiration of the present application, and without departing from the purpose of the present application and the scope of protection of the claims, those of ordinary skill in the art can also make many forms, all of which fall within the protection of the present application.
Claims (10)
1. A network traffic anomaly detection method, characterized in that it comprises:
obtaining a network traffic anomaly detection sample and a data point distribution feature of the network traffic anomaly detection sample; wherein the network traffic detection sample comprises network traffic data and a network behaviour feature associated with the network traffic data;
performing cluster analysis on the data point distribution feature according to a preset clustering algorithm, and taking the data set remaining after the dense data points are removed from the clustering result as a preliminary anomaly detection data set; wherein, in the preset clustering algorithm, a referrer field is added to each data point, and the referrer field stores pointing information that points the data point to its nearest neighbouring data point;
obtaining a first outlier point set and an outlier count of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and adjusting a distance parameter value according to the preset outlier analysis algorithm, the outlier count and a local outlier factor of the preset outlier analysis algorithm, so as to obtain a second outlier point set of the preliminary anomaly detection data set;
obtaining the intersection of the first outlier point set and the second outlier point set as the network traffic anomaly detection result.
2. The network traffic anomaly detection method according to claim 1, characterized in that the preset clustering algorithm is realized based on the OPTICS algorithm; and performing cluster analysis on the data point distribution feature according to the preset clustering algorithm specifically comprises:
updating the pointing information in the referrer field of a data point according to an update of the reachability distance of the data point in the ordered seed queue of the preset clustering algorithm; and updating the pointing information in the referrer field of a data point after the data point is newly inserted into the ordered seed queue of the preset clustering algorithm;
reorganizing the result queue of the preset clustering algorithm according to the pointing information in the referrer field.
3. The network traffic anomaly detection method according to claim 2, characterized in that updating the pointing information in the referrer field of the data point specifically is: pointing the data point to the end of the result queue of the preset clustering algorithm.
4. The network traffic anomaly detection method according to any one of claims 1 to 3, characterized in that the preset outlier analysis algorithm is realized based on the LOF algorithm; obtaining the first outlier point set and the outlier count of the preliminary anomaly detection data set according to the preset outlier analysis algorithm specifically is:
computing preset neighbourhood parameters according to the preset outlier analysis algorithm; wherein the preset neighbourhood parameters comprise: the number of data points in the preset neighbourhood, the average distance of the preset neighbourhood and the data point density of the preset neighbourhood;
determining data point density jump positions according to the preset neighbourhood parameters to obtain the outlier count and the first outlier point set of the preliminary anomaly detection data set;
and adjusting the distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm to obtain the second outlier point set of the preliminary anomaly detection data set specifically is:
adjusting the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count;
obtaining the outlier point set corresponding to the local outlier factor as the second outlier point set.
5. The network traffic anomaly detection method according to any one of claims 1 to 3, characterized in that obtaining the network traffic anomaly detection sample and the data point distribution feature of the network traffic anomaly detection sample specifically is:
obtaining the network traffic anomaly detection sample, and computing the information entropy of the network traffic detection sample to obtain the data point distribution feature of the network traffic anomaly detection sample.
6. A network traffic anomaly detection device, characterized by comprising:
an acquisition module, for obtaining a network traffic anomaly detection sample and the data point distribution feature of the network traffic anomaly detection sample; wherein the network traffic detection sample includes network traffic data and network behaviour features associated with the network traffic data;
a cluster analysis module, for performing cluster analysis on the data point distribution feature according to a preset cluster analysis algorithm, and taking the data set that remains after the high-density data points in the cluster analysis result are removed as the preliminary anomaly detection data set; wherein, in the preset cluster analysis algorithm, a pointer field is added for each data point, and the pointer field stores pointing information that points to the neighbouring data point closest to that data point;
an outlier analysis module, for obtaining the first outlier point set and the outlier count of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and for adjusting the distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm, to obtain the second outlier point set of the preliminary anomaly detection data set;
a processing module, for obtaining the intersection of the first outlier point set and the second outlier point set as the network traffic anomaly detection result.
7. The network traffic anomaly detection device according to claim 6, characterized in that the preset cluster analysis algorithm is implemented on the basis of the OPTICS algorithm;
and the cluster analysis module is specifically used for:
updating the pointing information in the pointer field of a data point whenever the reachability distance of that data point in the ordered seed queue of the preset cluster analysis algorithm is updated; and updating the pointing information in the pointer field of a data point after that data point is newly inserted into the ordered seed queue of the cluster analysis algorithm;
reorganizing the result queue of the preset cluster analysis algorithm according to the pointing information in the pointer fields.
8. The network traffic anomaly detection device according to claim 7, characterized in that the cluster analysis module is specifically used for: pointing the data point to the end of the result queue of the preset cluster analysis algorithm.
9. The network traffic anomaly detection device according to any one of claims 6 to 8, characterized in that the preset outlier analysis algorithm is implemented on the basis of the LOF algorithm, and the outlier analysis module is specifically used for:
calculating preset neighbourhood parameters according to the preset outlier analysis algorithm, wherein the preset neighbourhood parameters include: the number of data points in the preset neighbourhood, the average distance within the preset neighbourhood, and the data point density within the preset neighbourhood;
determining the data point density jump position according to the preset neighbourhood parameters, so as to obtain the outlier count and the first outlier point set of the preliminary anomaly detection data set;
adjusting the distance parameter value so that the number of data points in the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count;
taking the outlier point set corresponding to that local outlier factor as the second outlier point set.
10. The network traffic anomaly detection device according to any one of claims 6 to 8, characterized in that the acquisition module is specifically used for:
obtaining the network traffic anomaly detection sample, and calculating the information entropy of the network traffic detection sample to obtain the data point distribution feature of the network traffic anomaly detection sample.
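The procedure of claims 4, 5, 9 and 10 (information-entropy features per traffic window, a preliminary set with the high-density points removed, a first outlier set cut at the density jump, a second outlier set from LOF with its neighbourhood parameter tuned until the number of points with LOF > 1 matches the outlier count, and the intersection of the two sets) is shown below as an added Python example. It is not the patent's code. The OPTICS ordering and pointer field of claims 6 to 8 are replaced by a plain k-nearest-neighbour density proxy, the "distance parameter value" is read as the LOF neighbourhood size k, the "density jump position" as the largest ratio between consecutive densities in sorted order, and the per-window count aggregates, K and DENSE_FACTOR are constructed values; all of these are assumptions, not details the patent supplies.

```python
import math
from statistics import median

# Constructed per-window aggregates (not real traffic): for each one-minute window,
# the per-source-IP packet counts and the per-destination-port packet counts. Only
# the count distribution matters for entropy, so the keys are omitted.
WINDOWS = [
    ([25, 25, 25, 25], [25, 25, 25, 25]),  # windows 0-7: ordinary mixed traffic
    ([30, 20, 25, 25], [25, 25, 25, 25]),
    ([25, 25, 25, 25], [30, 20, 25, 25]),
    ([35, 15, 25, 25], [30, 20, 25, 25]),
    ([30, 20, 25, 25], [35, 15, 25, 25]),
    ([40, 20, 20, 20], [25, 25, 25, 25]),
    ([25, 25, 25, 25], [40, 20, 20, 20]),
    ([30, 30, 20, 20], [30, 30, 20, 20]),
    ([60], [1] * 60),                      # window 8: one source, sixty ports
    ([1] * 60, [60]),                      # window 9: sixty sources, one port
]
K = 3               # neighbourhood size for the density stages (assumed value)
DENSE_FACTOR = 1.4  # "high density" = above 1.4x the median density (assumed)


def entropy(counts):
    """Shannon entropy in bits of a count distribution."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def features(windows):
    """One 2-D data point per window: (entropy of source IPs, entropy of dst ports)."""
    return [(entropy(src), entropy(dst)) for src, dst in windows]


def knn(points, i, k):
    """(index, distance) of the k nearest neighbours of points[i]; ties broken by index."""
    ranked = sorted((math.dist(points[i], points[j]), j) for j in range(len(points)) if j != i)
    return [(j, d) for d, j in ranked[:k]]


def knn_density(points, k):
    """Density proxy: k divided by the summed distance to the k nearest neighbours."""
    return [k / sum(d for _, d in knn(points, i, k)) for i in range(len(points))]


def preliminary_set(points, k=K, factor=DENSE_FACTOR):
    """Stand-in for the clustering stage: drop high-density points, return kept indices."""
    dens = knn_density(points, k)
    cutoff = factor * median(dens)
    return [i for i, d in enumerate(dens) if d <= cutoff]


def density_jump_outliers(points, k=K):
    """First outlier set: order points by density and cut at the largest density drop."""
    dens = knn_density(points, k)
    order = sorted(range(len(points)), key=lambda i: dens[i], reverse=True)
    ratios = [dens[order[i]] / dens[order[i + 1]] for i in range(len(order) - 1)]
    jump = max(range(len(ratios)), key=ratios.__getitem__)
    return set(order[jump + 1:])


def lof(points, k):
    """Local outlier factor of every point (Breunig et al., 2000) with exactly k neighbours."""
    n = len(points)
    nbrs = [knn(points, i, k) for i in range(n)]
    kdist = [nb[-1][1] for nb in nbrs]          # distance to the k-th neighbour
    lrds = []
    for i in range(n):
        reach = [max(kdist[j], d) for j, d in nbrs[i]]   # reachability distances
        lrds.append(len(reach) / sum(reach) if sum(reach) else math.inf)
    return [sum(lrds[j] for j, _ in nbrs[i]) / (k * lrds[i]) for i in range(n)]


def lof_outliers(points, target):
    """Second outlier set: tune the LOF neighbourhood size k so that the number of
    points with LOF > 1 matches `target`; if no k matches exactly, take the closest.
    k is limited to half the data set so a neighbourhood cannot swallow the cluster."""
    best = None
    for k in range(2, len(points) // 2 + 1):
        flagged = {i for i, v in enumerate(lof(points, k)) if v > 1}
        gap = abs(len(flagged) - target)
        if best is None or gap < best[0]:
            best = (gap, k, flagged)
        if gap == 0:
            break
    return (best[2], best[1]) if best else (set(), None)


def detect(windows):
    """Whole pipeline: windows flagged by both outlier stages, as window indices."""
    pts = features(windows)
    keep = preliminary_set(pts)
    sub = [pts[i] for i in keep]
    first = density_jump_outliers(sub)
    second, _ = lof_outliers(sub, len(first))
    return sorted(keep[i] for i in first & second)


if __name__ == "__main__":
    print(detect(WINDOWS))  # prints [8, 9] on the constructed windows
```

On this constructed data the density-jump stage flags only windows 8 and 9, whereas LOF at the tuned k also flags window 7, a point on the rim of the normal cluster whose LOF is just above 1; the intersection drops it, which is the filtering effect the claimed combination of the two outlier sets provides. LOF values near 1 are sensitive to k, so the "closest count" fallback in the tuning step is what keeps the second stage usable when no k reproduces the outlier count exactly.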
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810821544.2A CN109067725B (en) | 2018-07-24 | 2018-07-24 | Network flow abnormity detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109067725A true CN109067725A (en) | 2018-12-21 |
CN109067725B CN109067725B (en) | 2021-05-14 |
Family
ID=64835341
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810821544.2A Active CN109067725B (en) | 2018-07-24 | 2018-07-24 | Network flow abnormity detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109067725B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104268188A (en) * | 2014-09-17 | 2015-01-07 | 广州迅云教育科技有限公司 | Method and system for classroom teaching and learning behavior analysis in informational environment |
CN106101102A (en) * | 2016-06-15 | 2016-11-09 | 华东师范大学 | A kind of exception flow of network detection method based on PAM clustering algorithm |
CN106503086A (en) * | 2016-10-11 | 2017-03-15 | 成都云麒麟软件有限公司 | The detection method of distributed local outlier |
US20170287128A1 (en) * | 2013-08-08 | 2017-10-05 | Kla-Tencor Corporation | Adaptive Local Threshold and Color Filtering |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109873832A (en) * | 2019-03-15 | 2019-06-11 | 北京三快在线科技有限公司 | Method for recognizing flux, device, electronic equipment and storage medium |
CN110417744B (en) * | 2019-06-28 | 2021-12-24 | 平安科技(深圳)有限公司 | Security determination method and device for network access |
CN110417744A (en) * | 2019-06-28 | 2019-11-05 | 平安科技(深圳)有限公司 | The safe determination method and device of network access |
CN110532119A (en) * | 2019-07-26 | 2019-12-03 | 中国船舶重工集团公司第七一九研究所 | Power system operation abnormal point detecting method |
CN110532119B (en) * | 2019-07-26 | 2023-04-25 | 中国船舶重工集团公司第七一九研究所 | Method for detecting abnormal running point of power system |
CN111786935A (en) * | 2019-11-08 | 2020-10-16 | 国网辽宁省电力有限公司电力科学研究院 | Service flow abnormity detection method for optical cable fiber core remote intelligent scheduling exchange |
CN111786935B (en) * | 2019-11-08 | 2022-03-01 | 国网辽宁省电力有限公司电力科学研究院 | Service flow abnormity detection method for optical cable fiber core remote intelligent scheduling exchange |
CN110889441A (en) * | 2019-11-19 | 2020-03-17 | 海南电网有限责任公司海南输变电检修分公司 | Distance and point density based substation equipment data anomaly identification method |
CN111556440A (en) * | 2020-05-07 | 2020-08-18 | 之江实验室 | Network anomaly detection method based on traffic pattern |
CN114253168A (en) * | 2020-09-22 | 2022-03-29 | 南亚科技股份有限公司 | Machine monitoring system and machine monitoring method |
CN112348817A (en) * | 2021-01-08 | 2021-02-09 | 深圳佑驾创新科技有限公司 | Parking space identification method and device, vehicle-mounted terminal and storage medium |
CN113347181A (en) * | 2021-06-01 | 2021-09-03 | 上海明略人工智能(集团)有限公司 | Abnormal advertisement flow detection method, system, computer equipment and storage medium |
CN113624219A (en) * | 2021-07-27 | 2021-11-09 | 北京理工大学 | Magnetic compass ellipse fitting error compensation method based on OPTICS algorithm |
CN113820333A (en) * | 2021-09-16 | 2021-12-21 | 无锡先导智能装备股份有限公司 | Battery pole piece abnormity detection method and device, upper computer and detection system |
CN113852629A (en) * | 2021-09-24 | 2021-12-28 | 重庆大学 | Network connection abnormity identification method based on natural neighbor self-adaptive weighted kernel density and computer storage medium |
CN116628729B (en) * | 2023-07-25 | 2023-09-29 | 天津市城市规划设计研究总院有限公司 | Method and system for improving data security according to data characteristic differentiation |
CN116886453A (en) * | 2023-09-08 | 2023-10-13 | 湖北华中电力科技开发有限责任公司 | Network flow big data analysis method |
CN116886453B (en) * | 2023-09-08 | 2023-11-24 | 湖北华中电力科技开发有限责任公司 | Network flow big data analysis method |
Also Published As
Publication number | Publication date |
---|---|
CN109067725B (en) | 2021-05-14 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |