CN109067725A - Network traffic anomaly detection method and device - Google Patents

Info

Publication number: CN109067725A
Authority: CN (China)
Application number: CN201810821544.2A
Other languages: Chinese (zh)
Other versions: CN109067725B (en)
Inventor: 郭栋
Current assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Original assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Legal status: Granted (active)
Events: application filed by Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd; priority to CN201810821544.2A; published as CN109067725A; application granted and published as CN109067725B

Classifications

    • H04L 63/1425 Traffic logging, e.g. anomaly detection (H Electricity → H04 Electric communication technique → H04L Transmission of digital information, e.g. telegraphic communication → H04L 63/00 Network architectures or network communication protocols for network security → H04L 63/14 for detecting or protecting against malicious traffic → H04L 63/1408 by monitoring network traffic)
    • H04L 63/1416 Event detection, e.g. attack signature detection (same parent path as above)

Abstract

The present invention provides a network traffic anomaly detection method and device in the field of information security technology, intended to address the relatively low accuracy and efficiency of existing network traffic anomaly detection. The method comprises: analysing a network traffic anomaly detection sample with a preset clustering algorithm to obtain its data point distribution features and performing cluster analysis on them, then removing the dense data points from the cluster analysis result to obtain a preliminary anomaly detection data set, where the preset clustering algorithm adds to each data point a neighborhood pointer that points from the data point to its nearest neighboring data point; obtaining a first outlier set and an outlier count for the preliminary anomaly detection data set with a preset outlier analysis algorithm, and adjusting the distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor to obtain a second outlier set; and taking the intersection of the first outlier set and the second outlier set as the network traffic anomaly detection result. The invention is used for the detection of network traffic anomalies.

Description

Network traffic anomaly detection method and device
Technical field
The present invention relates to the field of information security technology, and in particular to a network traffic anomaly detection method and device.
Background art
A network traffic anomaly is a situation in which the traffic behavior of a network deviates from its normal behavior, for example a sudden and abnormally large change in network service traffic. Network traffic anomalies have many causes, such as network equipment faults, abnormal network operations, flash congestion and attacks. They not only affect the normal operation of the network and of business systems, but can also threaten the information security of network users and cause them considerable harm.
At present, network traffic anomaly detection methods based on unsupervised machine learning generally use clustering algorithms and outlier analysis algorithms, which have the following defects. The clustering algorithms used in the prior art are either overly sensitive to input parameters or have an excessively high time complexity while also occupying a large amount of storage space, so that the accuracy and the efficiency of network traffic anomaly detection are relatively low. The outlier analysis algorithms of the prior art achieve high detection accuracy when the number of anomalous points is known, but when the number of anomalous network traffic points cannot be known in advance they usually treat a large amount of normal data as anomalous, and when handling larger network data sets their computational time complexity is excessively high, which likewise makes the accuracy and the efficiency of network traffic anomaly detection relatively low.
Summary of the invention
Embodiments of the present invention provide a network traffic anomaly detection method and device to address the relatively low detection accuracy and detection efficiency of network traffic anomaly detection in the prior art.
To achieve the above object, the present invention adopts the following technical scheme.
In a first aspect, a network traffic anomaly detection method is provided, comprising:
obtaining a network traffic anomaly detection sample and the data point distribution features of the network traffic anomaly detection sample, where the network traffic detection sample includes network traffic data and network behavior features associated with the network traffic data; performing cluster analysis on the data point distribution features according to a preset clustering algorithm, and taking the data set that remains after the dense data points are removed from the cluster analysis result as a preliminary anomaly detection data set, where the preset clustering algorithm adds a neighborhood pointer to each data point, the neighborhood pointer storing direction information that points from the data point to its nearest neighboring data point; obtaining a first outlier set and an outlier count of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and adjusting a distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm to obtain a second outlier set of the preliminary anomaly detection data set; and taking the intersection of the first outlier set and the second outlier set as the network traffic anomaly detection result.
In the network traffic anomaly detection method provided by embodiments of the present invention, the preset clustering algorithm performs cluster analysis on the obtained data point distribution features, and the data set remaining after the dense data points are removed from the cluster analysis result serves as the preliminary anomaly detection data set. Because the preset clustering algorithm adds to each data point a neighborhood pointer storing direction information from the data point to its nearest neighboring data point, sparse data points that lie far from every cluster can be placed into the cluster of their nearest data point, which simplifies the cluster analysis computation and improves the accuracy of the cluster analysis result. The preset outlier analysis algorithm then yields the first outlier set and the outlier count of the preliminary anomaly detection data set; the outlier analysis result of the preliminary anomaly detection data set is corrected according to the preset outlier analysis algorithm, the outlier count and the local outlier factor by adjusting the target distance parameter value, which yields the second outlier set; and finally the intersection of the first outlier set and the second outlier set is taken as the network traffic anomaly detection result. This outlier analysis process does not require the number of anomalous points to be known, so the network traffic anomaly detection result has high accuracy; at the same time, the preliminary anomaly detection data set effectively reduces the volume of data that the outlier analysis process must handle, improving detection efficiency.
Optionally, the preset clustering algorithm is implemented on the basis of the OPTICS algorithm, and performing cluster analysis on the data point distribution features according to the preset clustering algorithm specifically comprises:
updating the direction information in the neighborhood pointer of a data point when the reachability distance of that data point in the ordered seed queue of the preset clustering algorithm is updated, and updating the direction information in the neighborhood pointer of a data point after the data point is newly inserted into the ordered seed queue of the clustering algorithm; and
reorganizing the result queue of the preset clustering algorithm according to the direction information in the neighborhood pointers.
Optionally, updating the direction information in the neighborhood pointer of a data point specifically means pointing the data point at the end of the result queue of the preset clustering algorithm.
Optionally, the preset outlier analysis algorithm is implemented on the basis of the LOF algorithm, and obtaining the first outlier set and the outlier count of the preliminary anomaly detection data set according to the preset outlier analysis algorithm specifically comprises:
calculating preset neighborhood parameters according to the preset outlier analysis algorithm, where the preset neighborhood parameters include the number of data points in the preset neighborhood, the average distance within the preset neighborhood and the data point density within the preset neighborhood; and
determining the data point density jump position according to the preset neighborhood parameters to obtain the outlier count and the first outlier set of the preliminary anomaly detection data set;
and adjusting the distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm to obtain the second outlier set of the preliminary anomaly detection data set specifically comprises:
adjusting the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count; and
taking the outlier set corresponding to that local outlier factor as the second outlier set.
Optionally, obtaining the network traffic anomaly detection sample and the data point distribution features of the network traffic anomaly detection sample specifically comprises:
obtaining the network traffic anomaly detection sample and calculating the information entropy of the network traffic detection sample to obtain the data point distribution features of the network traffic anomaly detection sample.
In a second aspect, a network traffic anomaly detection device is provided, comprising:
an obtaining module for obtaining a network traffic anomaly detection sample and the data point distribution features of the network traffic anomaly detection sample, where the network traffic detection sample includes network traffic data and network behavior features associated with the network traffic data;
a cluster analysis module for performing cluster analysis on the data point distribution features according to a preset clustering algorithm and taking the data set remaining after the dense data points are removed from the cluster analysis result as a preliminary anomaly detection data set, where the preset clustering algorithm adds a neighborhood pointer to each data point, the neighborhood pointer storing direction information that points from the data point to its nearest neighboring data point;
an outlier analysis module for obtaining a first outlier set and an outlier count of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and for adjusting a distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm to obtain a second outlier set of the preliminary anomaly detection data set; and
a processing module for taking the intersection of the first outlier set and the second outlier set as the network traffic anomaly detection result.
Optionally, the preset clustering algorithm is implemented on the basis of the OPTICS algorithm;
the cluster analysis module is then specifically used to:
update the direction information in the neighborhood pointer of a data point when the reachability distance of that data point in the ordered seed queue of the preset clustering algorithm is updated, and update the direction information in the neighborhood pointer of a data point after the data point is newly inserted into the ordered seed queue of the clustering algorithm; and
reorganize the result queue of the preset clustering algorithm according to the direction information in the neighborhood pointers.
Optionally, the cluster analysis module is specifically used to point the data point at the end of the result queue of the preset clustering algorithm.
Optionally, the preset outlier analysis algorithm is implemented on the basis of the LOF algorithm, and the outlier analysis module is then specifically used to:
calculate preset neighborhood parameters according to the preset outlier analysis algorithm, where the preset neighborhood parameters include the number of data points in the preset neighborhood, the average distance within the preset neighborhood and the data point density within the preset neighborhood;
determine the data point density jump position according to the preset neighborhood parameters to obtain the outlier count and the first outlier set of the preliminary anomaly detection data set;
adjust the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count; and
take the outlier set corresponding to that local outlier factor as the second outlier set.
Optionally, the obtaining module is specifically used to:
obtain the network traffic anomaly detection sample and calculate the information entropy of the network traffic detection sample to obtain the data point distribution features of the network traffic anomaly detection sample.
It will be understood that the network traffic anomaly detection device provided above is used to perform the corresponding method of the first aspect; the beneficial effects it can achieve may therefore be found in the method of the first aspect above and in the corresponding schemes of the detailed description below, and are not repeated here.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings in the following description show only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1a is a schematic diagram of the definition of directly density-reachable;
Fig. 1b is a schematic diagram of the definition of density-reachable;
Fig. 1c is a schematic diagram of the definition of density-connected;
Fig. 2 is a flow chart of a network traffic anomaly detection method provided by an embodiment of the invention;
Fig. 3 is a flow chart of a preset clustering method provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of the updating of the neighborhood pointer provided by an embodiment of the invention;
Fig. 5 is the reachability plot of the result queue obtained with the preset clustering method provided by an embodiment of the invention;
Fig. 6 is a flow chart of reorganizing the result queue of the preset clustering algorithm according to the neighborhood pointers, provided by an embodiment of the invention;
Fig. 7 is a schematic diagram of the cluster analysis result obtained with the preset clustering algorithm provided by an embodiment of the invention;
Fig. 8 is a flow chart of a preset outlier analysis algorithm provided by an embodiment of the invention;
Fig. 9 is a schematic diagram of the result of a network traffic anomaly detection method provided by an embodiment of the invention;
Fig. 10 is a structural diagram of a network traffic anomaly detection device provided by an embodiment of the invention;
Fig. 11 is a structural diagram of another network traffic anomaly detection device provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings of those embodiments. Evidently, the described embodiments are some rather than all of the embodiments of the present application; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present application. The terms "first", "second" and the like do not indicate any order and may be construed as names of the objects described. In the embodiments of the present application, words such as "exemplary" or "for example" indicate an example, illustration or explanation; any embodiment or design described as "exemplary" or "for example" is not to be construed as preferable to or more advantageous than other embodiments or designs, and such words are intended to present the relevant concept in a concrete manner. Unless otherwise noted, "plurality" means two or more.
Embodiments of the present invention are used for network traffic anomaly detection and mainly implement network traffic anomaly detection based on unsupervised learning. A network traffic anomaly is a situation in which the traffic behavior of a network deviates from its normal behavior; in practice it has many causes, such as software and hardware faults of network equipment, abnormal network operations, flash congestion and attacks. Network traffic anomalies cause many harms to user equipment and network usage, such as threatening host security, wasting network resources and affecting user applications. Unsupervised learning is a mode of machine learning in which the data carry no particular labels and the learned model is meant to infer some intrinsic structure in the data, which makes it very suitable for detecting network traffic anomalies that arise from many different causes. To reduce the security risk to users of the network and to ensure the safety of user equipment, an efficient and accurate network traffic anomaly detection based on unsupervised learning is therefore necessary.
Clustering algorithms are a common class of unsupervised learning algorithms; they can discover unknown attacks without any prior knowledge, and density-based clustering algorithms such as DBSCAN (Density-Based Spatial Clustering of Applications with Noise) and OPTICS (Ordering Points To Identify the Clustering Structure) are generally used for network traffic anomaly detection. DBSCAN produces a clustering result from parameters entered by the user, but it requires the user to set the neighborhood radius ε and the minimum number of dense points MinPts as input parameters without any prior knowledge, and in practice it has the following problems: first, DBSCAN is very sensitive to the values of the input parameters, and different parameter values produce entirely different clustering results; second, determining the parameters usually requires expert analysis or a large amount of experimental verification, so obtaining accurate parameters and clustering results consumes considerable time and resources, which wastes time and resources and makes the detection of network traffic anomalies relatively inefficient. OPTICS starts from a selected object and expands toward the densest region of the data, finally organizing all objects into an ordered sequence that visualizes the structure of the network traffic data. In practice OPTICS has the following problems: although it overcomes DBSCAN's sensitivity to the input parameters, its computation has a high time complexity. For example, if the selected object is a core point p (object p is called a core point if the number of sample points in its ε-neighborhood is greater than or equal to MinPts), the objects in the ε-neighborhood of p must be expanded, and each ε-neighborhood query scans the entire network traffic data set; if the data set contains n objects, the time complexity of scanning it reaches T(n) = O(n^2), which is high. In addition, OPTICS requires a spatial database index, so a spatial index must be built over all data objects before the data set is clustered, which wastes considerable time and space. Moreover, in OPTICS the objects of low-density regions tend to accumulate at the end of the result queue, so the algorithm's own performance is not fully realized.
Local outlier analysis is another common method of network traffic anomaly detection, and the common local outlier analysis algorithm is LOF. LOF is a density-based anomaly scoring algorithm that examines the degree of anomaly of a data object relative to the neighboring objects around it, but it cannot judge the anomaly characteristics of the data from a global perspective. When processing a larger network traffic data set, LOF computes the k-reachability distance and the local reachability density (see Definitions 8 and 9 in the introduction below) with a time complexity of T(n) = O(Nk^2), which is high, and it must compute over all the data in turn, without any targeting. Moreover, LOF determines the anomalous point set by computing the local outlier factor value of every data point in the data set, usually selecting the several points with the largest local outlier factors as anomalous points; this way of determining anomalous points by the local outlier factor has very high detection accuracy when the number of anomalous points is known. In practical applications, however, the number of anomalous points usually cannot be known in advance, so when LOF is used to determine anomalous points its parameter selection becomes very important. When the parameters of LOF are chosen improperly, a large number of normal data points (normal points) may be treated as anomalous points, or many anomalous points classified as normal points, making the accuracy of network traffic anomaly detection relatively low.
To overcome the defects of the above algorithms, the present invention provides a network traffic anomaly detection method that is implemented on the basis of unsupervised learning and can detect network traffic anomalies efficiently and accurately. The network traffic anomaly detection method provided by the invention is introduced next.
Specifically, referring to Fig. 2, which is a flow chart of a network anomaly detection method provided by an embodiment of the invention, the method comprises the following steps:
Step S201: obtain a network traffic anomaly detection sample and the data point distribution features of the network traffic anomaly detection sample.
The network traffic detection sample may include network traffic data and network behavior features associated with the network traffic data. The network traffic data may be a series of flow-related fields obtained from the raw network data stream, such as source IP, source port, destination IP, destination port, byte count, packet count and protocol type.
The network behavior features associated with the network traffic data may be other indirectly useful network behavior features introduced on the basis of, and associated with, the network traffic data. For example, measures of traffic direction such as "in-degree" and "out-degree" may be introduced as network behavior features, where the in-degree of X (X being a network access address) is the number of distinct IPs that communicate with X as destination address, and the out-degree is the number of distinct destination IPs connected to with X as source address.
After the network traffic anomaly detection sample is obtained, the data point (i.e. data object) distribution features of the sample can be obtained by calculating the information entropy of the network traffic anomaly detection sample. In a specific implementation, the information entropy of each field of the network traffic data and of the network behavior features within a preset time can be calculated, and the information entropy results of all or some of these fields taken as the data point distribution features of the sample. Preferably, a field selection condition (for example one set according to business experience with the network traffic) may be set according to the information entropy results and the actual situation, some of the fields are selected from all fields as final fields, and the data point distribution features of the final fields are taken as the data point distribution features of the network traffic anomaly detection sample. For example, the information entropy of source IP, source port, destination IP, destination port, byte count, packet count and protocol type in the network traffic data within 60 seconds, and of in-degree and out-degree in the network behavior features, may be calculated; source IP, destination port, in-degree and protocol type are then selected according to the entropy results of these fields and the field selection condition, and their data point distribution features serve as the data point distribution features of the network traffic anomaly detection sample. It will be understood that the preset time and the field selection condition may be configured by those skilled in the art according to the actual situation, and the present invention does not limit them.
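As an added worked example (not code from the patent), the information-entropy feature extraction of step S201 over constructed flow records: the Shannon entropy of each flow field is computed within a 60-second window, in-degree and out-degree are derived per window as the patent defines them, and the four fields of the patent's selection example are kept as the window's feature vector. The flow records, the per-window evaluation of the degrees and the use of entropy in bits are assumptions.

```python
import math
from collections import Counter

# Constructed flow records (not patent data): (time_s, src_ip, src_port, dst_ip,
# dst_port, bytes, packets, proto). Window 0-59 s is ordinary mixed traffic;
# in window 60-119 s a single host touches many destination ports on one server.
FLOWS = [
    (5, "10.0.0.5", 40001, "10.0.0.1", 443, 5200, 12, "tcp"),
    (12, "10.0.0.6", 40002, "10.0.0.1", 443, 4100, 10, "tcp"),
    (20, "10.0.0.7", 40003, "10.0.0.2", 53, 180, 2, "udp"),
    (31, "10.0.0.5", 40004, "10.0.0.2", 53, 160, 2, "udp"),
    (45, "10.0.0.8", 40005, "10.0.0.1", 80, 9800, 20, "tcp"),
    (58, "10.0.0.6", 40006, "10.0.0.3", 22, 3300, 15, "tcp"),
    (61, "10.0.0.9", 50001, "10.0.0.1", 21, 60, 1, "tcp"),
    (62, "10.0.0.9", 50002, "10.0.0.1", 22, 60, 1, "tcp"),
    (63, "10.0.0.9", 50003, "10.0.0.1", 23, 60, 1, "tcp"),
    (64, "10.0.0.9", 50004, "10.0.0.1", 25, 60, 1, "tcp"),
    (65, "10.0.0.9", 50005, "10.0.0.1", 80, 60, 1, "tcp"),
    (66, "10.0.0.9", 50006, "10.0.0.1", 443, 60, 1, "tcp"),
]
# Flow fields named in the patent, in record order after the timestamp.
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "bytes", "packets", "proto")
# Final fields of the patent's selection example: source IP, destination port,
# in-degree, protocol type.
SELECTED = ("src_ip", "dst_port", "in_degree", "proto")


def shannon_entropy(values):
    """Information entropy in bits of the empirical distribution of values."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def in_degree(flows, addr):
    """Number of distinct source IPs that communicated with addr as destination."""
    return len({f[1] for f in flows if f[3] == addr})


def out_degree(flows, addr):
    """Number of distinct destination IPs reached with addr as source."""
    return len({f[3] for f in flows if f[1] == addr})


def window_features(flows, start, length=60):
    """Entropy of every flow field and behaviour feature within one time window.

    In-degree and out-degree are evaluated per flow (for its destination and
    source address) over the flows of the same window, then their entropy is taken.
    """
    win = [f for f in flows if start <= f[0] < start + length]
    feats = {name: shannon_entropy([f[i + 1] for f in win])
             for i, name in enumerate(FIELDS)}
    feats["in_degree"] = shannon_entropy([in_degree(win, f[3]) for f in win])
    feats["out_degree"] = shannon_entropy([out_degree(win, f[1]) for f in win])
    return feats


def feature_vector(feats, selected=SELECTED):
    """Keep only the selected final fields as the window's data point."""
    return tuple(round(feats[name], 6) for name in selected)


if __name__ == "__main__":
    for start in (0, 60):
        print(start, feature_vector(window_features(FLOWS, start)))
```

In the second window the source-IP and in-degree entropies collapse to zero while the destination-port entropy rises to log2(6), which is the kind of shift in the data point distribution that the later clustering and outlier steps operate on.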
Step S202: clustering is carried out to data point distribution characteristics according to default cluster algorithm, is clustered rejecting The data set after density data point in analysis result is as preliminary abnormality detection data set.
Wherein, a given set of data points can be divided by default cluster algorithm according to data point distribution feature Different clusters has similitude with the data point in cluster, and the data point between different clusters is different.In default cluster algorithm Increase a domain referrer for each data point, directional information is stored in the domain referrer so that data point to be directed toward and the number Strong point is at a distance of nearest most consecutive number strong point.The domain referrer can be used for reorganizing the result team of default cluster algorithm Sparse point in default cluster analysis result queue is put into and its cluster belonging to the nearest most consecutive number strong point by column In.Wherein the update in the domain referrer is not necessarily to introduce additional calculating cost and time cost, simplifies the calculating of clustering Process and the accuracy for promoting cluster analysis result.
Step S203: according to default Outlier Analysis algorithm obtain the first of preliminary abnormality detection data set peel off point set and Peel off points, and is peeled off the factor according to the part of default Outlier Analysis algorithm, the points that peel off and default Outlier Analysis algorithm Adjustment distance parameter value is peeled off point set with obtaining the second of preliminary abnormality detection data set.
Step S204: the intersection of the first outlier point set and the second outlier point set is obtained as the network traffic anomaly detection result.
In the network traffic anomaly detection method provided by the embodiment of the present invention, cluster analysis can be carried out on the acquired data point distribution feature by the preset cluster analysis algorithm, and the data set remaining after the dense data points in the cluster analysis result are rejected is taken as the preliminary anomaly detection data set. In the preset cluster analysis algorithm a referrer field is added for each data point, storing pointing information that directs the data point to its nearest neighbouring data point; by means of this referrer field the sparse points in the result queue of the preset cluster analysis algorithm can be placed into the cluster to which their nearest neighbouring data point belongs, which simplifies the calculation process of the cluster analysis and improves the accuracy of the cluster analysis result. After that, the first outlier point set and the outlier count of the preliminary anomaly detection data set are obtained by the preset outlier analysis algorithm; the outlier analysis result of the preliminary anomaly detection data set is corrected according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm; the second outlier point set of the preliminary anomaly detection data set is obtained by adjusting the target distance parameter value; and finally the intersection of the first outlier point set and the second outlier point set is taken as the network traffic anomaly detection result. The above outlier analysis does not need to know the number of abnormal points in advance, so the network traffic anomaly detection result obtained with the above process has high accuracy; at the same time, filtering out the preliminary anomaly detection data set effectively reduces the amount of data the outlier analysis has to handle and improves detection efficiency.
In specific implementation, the preset cluster analysis algorithm in step S202 can be realized based on the OPTICS algorithm, which involves the following definitions:
Definition 1: directly density-reachable: referring to Fig. 1a, if p is a core point and q lies in the ε-neighbourhood of p, then q is directly density-reachable from p.
Definition 2: density-reachable: referring to Fig. 1b, if there is a sequence of points p1, p2, p3, ..., pn with p1 = p and pn = q such that for every 1 ≤ i < n the point p(i+1) is directly density-reachable from pi, then q is density-reachable from p.
Definition 3: density-connected: referring to Fig. 1c, if both p and q are density-reachable from o, then p and q are density-connected.
Definition 4: core distance (core-distance): assume that the minimum radius within which point p contains MinPts neighbours (nearest points) is MinPts-distance(p); then the core distance of p is defined as follows:
That is, when p ≠ core-object, i.e. p is not a core point, the core distance of p is undefined; when p = core-object, i.e. p is a core point, the core distance of p is MinPts-distance(p), the minimum radius within which p contains MinPts neighbours (nearest points).
Definition 5: reachability distance (reachability-distance): assume that p is a point in the ε-neighbourhood of some point o; then the reachability distance of p relative to o is defined as:
That is, when p ≠ core-object, i.e. p is not a core point, the reachability distance of p relative to o is undefined; when p = core-object, i.e. p is a core point, the reachability distance of p relative to o is the minimum neighbourhood radius at which "p is a core point" and "o is directly density-reachable from p" hold at the same time.
From the above definitions, the reachability distance of p relative to o is the minimum distance at which p is directly density-reachable from o. This distance is directly related to the spatial density of the data points: the greater the spatial density around a data point, the smaller the reachability distance between that point and the points directly density-reachable from it, and vice versa. Therefore the preset cluster analysis algorithm based on the OPTICS algorithm maintains an ordered seed queue (OrderSeeds), sorted by reachability distance in ascending order, which stores the data points to be expanded, so that the data objects in dense regions of the space are located quickly. Referring specifically to Fig. 3, the preset cluster analysis algorithm based on the OPTICS algorithm comprises the following steps:
Step S301: the ordered seed queue is initially empty, and the result queue is initially empty.
Step S302: determine whether all data points have been processed; if so, the algorithm terminates; if not, go to step S303.
Step S303: select one unprocessed data point and put it into the ordered seed queue; determine whether the ordered seed queue is empty; if so, go to step S302; if not, go to step S304.
Step S304: select one data point p to expand, and determine whether p is a core point; if so, go to step S308; if not, go to step S305.
Step S305: for any unexpanded data point q in the ε-neighbourhood of p, determine whether q is already in the ordered seed queue; if so, go to step S306; if not, go to step S307.
Step S306: if q is in the ordered seed queue and the reachability distance from p to q is smaller than the old reachability distance of q, update the reachability distance of q, move q to the corresponding position so that the ordered seed queue stays ordered, and update the pointing information in the referrer field of q.
Step S307: if q is not in the ordered seed queue, insert q into the ordered seed queue according to the reachability distance from p to q, and update the pointing information in the referrer field of q.
Step S308: delete p from the ordered seed queue, write p into the result queue, and return to step S303.
Updating the pointing information in the referrer field of q specifically comprises: updating the pointing information in the referrer field of a data point whenever the reachability distance of that data point in the ordered seed queue of the preset cluster analysis algorithm is updated; and updating the pointing information in the referrer field of a data point after that data point is newly inserted into the ordered seed queue of the preset cluster analysis algorithm. Specifically, it is assumed that the closer two data points are, the greater the probability that they belong to the same cluster. From the calculation process of the OPTICS algorithm above, the reachability distance of each data point in the ordered seed queue is updated dynamically (corresponding to step S306), and the updated reachability distance is the minimum reachability distance from that data point to all the data points expanded so far. Therefore, if the reachability distance of a data point is updated, a new data point closer to it exists, that is, the nearest neighbouring data point of that data point has changed. Since the pointing information in the referrer field directs a data point to its nearest neighbouring data point, the referrer field of the data point must be updated whenever its reachability distance is updated. In the current state, if the reachability distance of a data point changes, the data point that caused the change must be the data point whose expansion has just been completed, and the data point whose expansion has just been completed is placed at the end of the result queue; hence the pointing information in the referrer field of the data point whose reachability distance changed is updated to point to the end of the result queue of the preset cluster analysis algorithm. Similarly, if a data point is newly inserted into the ordered seed queue of the preset cluster analysis algorithm (corresponding to step S307), the pointing information in its referrer field can be updated in the same way, that is, the referrer field of the data point newly inserted into the ordered seed queue is updated to point to the end of the result queue of the preset cluster analysis algorithm.
Specifically, refer to Fig. 4, which shows three rows of queues, from top to bottom: the ordered seed queue L1, the queue L2 of the referrer fields of the data points in the ordered seed queue, and the result queue L3. The ordered seed queue L1 contains expanded data points and unexpanded data points; the data points in the diagonally hatched region are expanded data points that have already been moved into the result queue, and the remaining data points are unexpanded. Among the unexpanded data points, data point 41 and data point 42 are data points whose reachability distance has changed. As can be seen from Fig. 4, when the reachability distance of a data point changes, the referrer field of that data point is directed to the end of the result queue, which is how the referrer field of a data point whose reachability distance changed is updated.
In specific implementation, the update of the referrer field is only the operation of directing the referrer field of the data point whose reachability distance changed to the tail of the result queue; this process introduces no additional computation cost.
After the above processing of the ordered seed queue is completed, the referrer fields of all the data points are stored in the result queue together with the network traffic data points, and the reachability plot of the result queue is obtained. As shown in Fig. 5, the reachability plot takes the order of the data points in the result queue as the abscissa and the reachability distance as the ordinate. In Fig. 5, the trough regions of reachability distance represent the data points in the dense clusters of the network traffic data, and the peak regions represent the boundary points of the sparse regions. While the referrer field is used to move the sparse points produced by the cluster analysis into the cluster of their nearest neighbour, the corresponding clusters are extracted by traversing the reachability plot and identifying its steep-down regions and steep-up regions.
To extract the potential clusters in the reachability plot, the preset cluster analysis algorithm usually needs to carry out an ExtractClusters operation after it has finished running; in the present invention, the result queue of the preset cluster analysis algorithm can be reorganized in the ExtractClusters operation according to the pointing information in the referrer field.
Referring to Fig. 6, reorganizing the result queue of the preset cluster analysis algorithm according to the pointing information in the referrer field specifically comprises the following steps:
Step S601: the pointer to be processed is directed to the head of the result queue.
Step S602: determine whether the pointer to be processed is directed to the tail of the result queue; if so, go to step S608; if not, go to step S603.
Step S603: move the pointer back by one position.
Step S604: determine whether a steep-down region appears; if so, go to step S605; if not, repeat this step.
Step S605: start a new cluster extraction, storing the data points from the steep-down region onwards into the new cluster while moving the pointer back; when a steep-up region appears, end the new cluster extraction, obtaining a new cluster composed of the data points between the above steep-down region and steep-up region, and return to step S602.
In this step, for the current data point p to be processed, it is further determined whether the nearest neighbouring data point q pointed to by the referrer field of p belongs to the above new cluster; if so, p is inserted into the new cluster; otherwise p is inserted at the tail of the cluster to which q belongs.
The decision procedures for the steep-down region and the steep-up region are set by those skilled in the art according to the actual situation; the present invention does not limit this.
Step S606: the data points of all the clusters are spliced head to tail to form a new reachability plot.
If the mapping from each processed data point to its cluster is recorded in real time while the preset cluster analysis algorithm runs, then looking up the cluster to which q belongs and inserting p at the tail of that cluster can be completed in constant time.
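Steps S301 to S308, the referrer update and the reorganization of steps S601 to S606, as one added Python example that is not the patent's own implementation: it runs OPTICS over a constructed 2-D sample, records in a referrer field the point sitting at the tail of the result queue whenever a reachability distance is set or lowered, extracts clusters from the resulting order, appends each sparse point to the tail of the cluster its referrer points into, and returns the sparse points as the preliminary anomaly detection data set. Two choices the patent leaves to the practitioner are fixed here as assumptions: a steep-down region is a reachability distance dropping to at most cluster_eps and a steep-up region one rising above it, and only core points expand their neighbourhood, as in standard OPTICS. The sample points, eps, min_pts and cluster_eps are constructed values.

```python
import math

# Constructed 2-D sample (not real traffic features): two dense groups, one
# sparse point near the first group and two isolated points.
SAMPLE_POINTS = [
    (0.0, 0.0), (0.0, 1.0), (1.0, 0.0), (1.0, 1.0), (0.5, 0.5),            # group A, 0-4
    (10.0, 10.0), (10.0, 11.0), (11.0, 10.0), (11.0, 11.0), (10.5, 10.5),  # group B, 5-9
    (3.0, 0.0),                                                            # sparse, 10
    (5.0, 5.0), (20.0, 0.0),                                               # isolated, 11-12
]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def optics_with_referrer(points, eps, min_pts):
    """OPTICS ordering (steps S301-S308) plus the referrer field.

    Returns (order, reach, core_dist, referrer). referrer[q] is the point that
    was at the tail of the result queue when q's reachability distance was
    last set or lowered, i.e. q's nearest expanded neighbour so far."""
    n = len(points)
    dist = [[euclid(points[i], points[j]) for j in range(n)] for i in range(n)]
    nbrs = [[j for j in range(n) if j != i and dist[i][j] <= eps] for i in range(n)]
    core_dist = [None] * n
    for i in range(n):
        ds = sorted([0.0] + [dist[i][j] for j in nbrs[i]])  # the point counts itself
        if len(ds) >= min_pts:
            core_dist[i] = ds[min_pts - 1]                    # definition 4
    reach, referrer, processed, order = [None] * n, [None] * n, [False] * n, []
    for start in range(n):                                    # S302 / S303
        if processed[start]:
            continue
        seeds = [start]                                       # ordered seed queue
        while seeds:
            p = seeds.pop(0)                                  # S304: smallest reachability
            processed[p] = True
            order.append(p)                                   # S308: into the result queue
            if core_dist[p] is None:                          # non-core points do not expand
                continue
            for q in nbrs[p]:                                 # S305
                if processed[q]:
                    continue
                new_r = max(core_dist[p], dist[p][q])         # definition 5
                if q in seeds:                                # S306: lower and re-point
                    if new_r < reach[q]:
                        reach[q], referrer[q] = new_r, order[-1]
                else:                                         # S307: insert and point
                    reach[q], referrer[q] = new_r, order[-1]
                    seeds.append(q)
            seeds.sort(key=lambda i: reach[i])                # keep the queue ordered
    return order, reach, core_dist, referrer


def extract_clusters(order, reach, core_dist, referrer, cluster_eps):
    """Steps S601-S606 with the assumed steep-region rule. Returns the clusters
    (index lists, sparse points appended at the tail via the referrer) and the
    sparse points in result-queue order."""
    clusters, cluster_of, current, sparse = [], {}, None, []
    for p in order:
        r = reach[p]
        if r is not None and r <= cluster_eps and current is not None:
            current.append(p)                                 # inside a trough region
            cluster_of[p] = len(clusters) - 1
            continue
        if core_dist[p] is not None and core_dist[p] <= cluster_eps:
            current = [p]                                     # S605: steep-down, new cluster
            clusters.append(current)
            cluster_of[p] = len(clusters) - 1
            continue
        current = None                                        # steep-up: cluster ends
        sparse.append(p)
        q = referrer[p]                                       # nearest expanded neighbour
        if q is not None and q in cluster_of:                 # S605: tail of q's cluster
            clusters[cluster_of[q]].append(p)
            cluster_of[p] = cluster_of[q]
    return clusters, sparse


def preliminary_anomaly_set(points, eps, min_pts, cluster_eps):
    """Step S202: reject the dense points, keep the sparse ones for outlier analysis."""
    order, reach, core_dist, referrer = optics_with_referrer(points, eps, min_pts)
    return extract_clusters(order, reach, core_dist, referrer, cluster_eps)


if __name__ == "__main__":
    clusters, sparse = preliminary_anomaly_set(SAMPLE_POINTS, eps=3.0, min_pts=3, cluster_eps=1.5)
    print("clusters:", clusters)
    print("preliminary anomaly set:", [SAMPLE_POINTS[i] for i in sparse])
```

The referrer assignment costs one store per reachability update, as the text states; point 10 above ends up at the tail of group A because its referrer was set when point 2 was expanded, while the two isolated points keep an empty referrer and stay unassigned.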
After the above steps are completed, the cluster analysis result produced by the preset cluster analysis algorithm is obtained, and the data set remaining after the dense data points in the cluster analysis result are rejected is taken as the preliminary anomaly detection data set. In specific implementation, the cluster analysis result obtained with the preset cluster analysis algorithm is shown in Fig. 7, where the data points drawn as circles are normal network traffic data points and the data points drawn as triangles are network traffic anomaly data points.
In specific implementation, step S203 can be realized based on the LOF algorithm, which involves the following definitions:
Definition 6: k-distance: the k-distance of a data object l is the distance (Euclidean distance, i.e. straight-line distance) from l to the k-th nearest point to l in the data set D, denoted k-distance(l).
Definition 7: k-distance neighbourhood: the set of data points in the data set whose distance to the data object l is not greater than the k-distance of l, that is:
N_{k-distance(l)}(l) = { h ∈ D \ {l} | d(l, h) ≤ k-distance(l) }
Definition 8: k-reachability distance: for any two points l and h in the data set, the reachability distance reach-dist_k(l, h) of l to h is defined as:
reach-dist_k(l, h) = max{ d(l, h), k-distance(l) }
where d(l, h) denotes the Euclidean distance between the points l and h.
Definition 9: local reachability density: the local reachability density of l is the inverse of the average reachability distance from l to all the points in its neighbourhood; the local reachability density lrd(l) is calculated with the following formula:
where N_k is the number of points in the k-neighbourhood of l. Since several points may be at the same distance from l, the k-th nearest neighbour may be more than one point, so |N_k(l)| ≥ k. The larger lrd(l) is, the greater the density of l and the more normal the point l.
Definition 10: local outlier factor: characterizes the dispersion degree of the data; the local outlier factor LOF_k(l) is calculated with the following formula:
If the value of LOF_k(l) is far greater than 1, the density of the point l differs greatly from the density of the data as a whole, and l can be regarded as an outlier (abnormal point); conversely, the closer the value of LOF_k(l) is to 1, the smaller the difference between the density of l and the density of the data as a whole, and the more normal the point l.
Definition 11: R-neighbourhood: the region centred on the data point l with radius R.
Definition 12: R-neighbourhood average distance dist_R(l): the average of the distances from the data points in the R-neighbourhood to the data point l, calculated as follows:
Definition 13: R-neighbourhood data point density ρ_l: the ratio of the number of data points in the R-neighbourhood to the R-neighbourhood average distance, calculated as follows:
where |N_R(l)| is the number of data points in the R-neighbourhood.
Referring to Fig. 8, step S203 specifically comprises the following steps:
Step S801: calculate the preset neighbourhood parameters according to the preset outlier analysis algorithm.
Specifically, the preset neighbourhood is the R-neighbourhood of definitions 11 to 13. According to definitions 11 to 13, the preset neighbourhood parameters may include: the number of data points in the preset neighbourhood, i.e. the number of data points in the R-neighbourhood |N_R(l)|; the preset neighbourhood average distance; and the data point density in the preset neighbourhood.
Step S802: determine the data point density jump positions according to the preset neighbourhood parameters to obtain the outlier count and the first outlier point set of the preliminary anomaly detection data set.
A density-count distribution map is drawn according to the above preset neighbourhood parameters; the positions in the density-count distribution map where the density jump is large, or where the number of data points corresponding to a density jump is large, are found and determined as the data point density jump positions; the set of data points at all the density jump positions is taken as the first outlier point set, and the number of data points at all the density jump positions is taken as the outlier count.
It is of course understood that the above manner of obtaining the outlier count and the first outlier point set is only exemplary; in specific implementation, those skilled in the art may also obtain the outlier count and the first outlier point set in ways other than the one cited above, and the present invention does not limit the specific manner in which they are obtained.
Step S803: adjust the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count.
Specifically, the distance parameter value in the preset outlier analysis algorithm (the distance k in definition 8) is adjusted so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count obtained in step S802.
Step S804: obtain the outlier point set corresponding to the above local outlier factor as the second outlier point set.
When the number of data points whose local outlier factor is greater than 1 equals the above outlier count, the corresponding outlier point set is taken as the second outlier point set.
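Definitions 6 to 13 and steps S801 to S804, followed by the intersection of step S204, as an added Python example rather than code from the patent. It runs on a constructed preliminary set (a 3x3 grid of dense points plus two isolated points). The following are assumptions made for the example: the reachability distance uses the k-distance of the neighbour h, as in the standard LOF formulation; the density jump of step S802 is located as the largest gap between consecutive R-neighbourhood densities after sorting; a point with no neighbour within R is given density 0; and the distance parameter k is increased from 1 until the number of points with LOF > 1 equals the outlier count, falling back to the k whose count is closest.

```python
import math

# Constructed preliminary anomaly detection set (2-D feature points, not real
# traffic): a 3x3 grid of dense points (indices 0-8) and two isolated points (9, 10).
SAMPLE_SET = [(float(x), float(y)) for x in range(3) for y in range(3)] + [(6.0, 6.0), (-5.0, 3.0)]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def k_distance(pts, l, k):
    """Definition 6: distance from l to its k-th nearest other point."""
    return sorted(euclid(pts[l], pts[h]) for h in range(len(pts)) if h != l)[k - 1]


def k_neighbourhood(pts, l, k):
    """Definition 7: every other point no farther than k-distance(l); ties are
    kept, so the neighbourhood may hold more than k points."""
    kd = k_distance(pts, l, k)
    return [h for h in range(len(pts)) if h != l and euclid(pts[l], pts[h]) <= kd]


def reach_dist(pts, l, h, k):
    """Definition 8 in the standard LOF form (assumption): max(d(l,h), k-distance(h))."""
    return max(euclid(pts[l], pts[h]), k_distance(pts, h, k))


def lrd(pts, l, k):
    """Definition 9: inverse of the mean reachability distance to the k-neighbourhood."""
    nb = k_neighbourhood(pts, l, k)
    return len(nb) / sum(reach_dist(pts, l, h, k) for h in nb)


def lof(pts, l, k):
    """Definition 10: mean neighbour lrd over own lrd; far above 1 marks an outlier."""
    nb = k_neighbourhood(pts, l, k)
    return sum(lrd(pts, h, k) for h in nb) / len(nb) / lrd(pts, l, k)


def r_field_parameters(pts, l, R):
    """Definitions 11-13: (|N_R(l)|, dist_R(l), rho_l) for the R-neighbourhood of l."""
    ds = [euclid(pts[l], pts[h]) for h in range(len(pts)) if h != l]
    ds = [d for d in ds if d <= R]
    if not ds:                       # no neighbour within R: density 0 (assumption)
        return 0, math.inf, 0.0
    avg = sum(ds) / len(ds)
    return len(ds), avg, len(ds) / avg


def first_outlier_set(pts, R):
    """Step S802 (assumed rule): rank points by R-neighbourhood density and cut at
    the largest jump between consecutive densities; the sparse side is the
    first outlier set and its size the outlier count."""
    dens = [r_field_parameters(pts, l, R)[2] for l in range(len(pts))]
    ranked = sorted(range(len(pts)), key=lambda l: dens[l])
    jumps = [dens[ranked[i + 1]] - dens[ranked[i]] for i in range(len(ranked) - 1)]
    cut = jumps.index(max(jumps)) + 1
    return sorted(ranked[:cut])


def adjust_k_for_count(pts, target):
    """Steps S803/S804: raise the distance parameter k from 1 until the number of
    points with LOF > 1 equals the outlier count; otherwise keep the k whose
    count is closest. Returns (k, second outlier set)."""
    best_k, best_flagged = None, None
    for k in range(1, len(pts) - 1):
        flagged = [l for l in range(len(pts)) if lof(pts, l, k) > 1.0]
        if best_k is None or abs(len(flagged) - target) < abs(len(best_flagged) - target):
            best_k, best_flagged = k, flagged
        if len(flagged) == target:
            break
    return best_k, best_flagged


def outlier_detection(pts, R):
    """Step S203 followed by step S204: first set, second set, chosen k and the
    intersection that is reported as the detection result."""
    first = first_outlier_set(pts, R)
    k, second = adjust_k_for_count(pts, len(first))
    return first, second, k, sorted(set(first) & set(second))


if __name__ == "__main__":
    first, second, k, final = outlier_detection(SAMPLE_SET, R=1.5)
    print("first set:", first, "second set:", second, "k:", k)
    print("detection result:", [SAMPLE_SET[i] for i in final])
```

Taking the intersection means a point is reported only when both the density-jump view and the LOF view agree on it, which is what keeps the result stable without knowing the number of anomalies beforehand.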
Fig. 9 shows the detection result of the network traffic anomaly detection obtained by applying the preset outlier analysis algorithm provided by the embodiment of the present invention on the basis of the cluster analysis result shown in Fig. 7, that is, the final detection result of the network traffic anomaly detection method provided by the present invention. In Fig. 9 the data points drawn as circles are normal network traffic data points and the data points drawn as triangles are network traffic anomaly data points. Comparing Fig. 9 with Fig. 7, it is clear that the network traffic anomaly detection method provided by the present invention can more precisely filter out the network traffic anomaly data points from a large number of network traffic data points.
Table 1 shows a comparison of the effect of network traffic anomaly detection performed with the network traffic anomaly detection method provided by the present invention and with other algorithms in the prior art. It is clear from Table 1 that the network traffic anomaly detection method provided by the present invention is far superior to the other algorithms in parameters such as precision, recall and running time.
Table 1
Fig. 10 shows a structural block diagram of a network traffic anomaly detection device provided by the present invention. The network traffic anomaly detection device provided by the present invention is realized based on unsupervised learning and comprises:
an obtaining module 11, for obtaining the network traffic anomaly detection sample and the data point distribution feature of the network traffic anomaly detection sample; wherein the network traffic detection sample includes network flow data and the network behaviour features associated with the network flow data.
Optionally, the obtaining module 11 is specifically used for:
obtaining the network traffic anomaly detection sample, and calculating the information entropy of the network traffic detection sample to obtain the data point distribution feature of the network traffic anomaly detection sample.
a cluster analysis module 12, for carrying out cluster analysis on the data point distribution feature according to the preset cluster analysis algorithm, and taking the data set remaining after the dense data points in the cluster analysis result are rejected as the preliminary anomaly detection data set; wherein in the preset cluster analysis algorithm a referrer field is added for each data point, and the referrer field stores pointing information that directs the data point to its nearest neighbouring data point.
Optionally, the preset cluster analysis algorithm is realized based on the OPTICS algorithm,
and the cluster analysis module 12 is then specifically used for:
updating the pointing information in the referrer field of a data point according to the update of the reachability distance of that data point in the ordered seed queue of the preset cluster analysis algorithm; and updating the pointing information in the referrer field of a data point after that data point is newly inserted into the ordered seed queue of the cluster analysis algorithm;
reorganizing the result queue of the preset cluster analysis algorithm according to the pointing information in the referrer field.
Optionally, the cluster analysis module 12 is specifically used for: directing the data point to the end of the result queue of the preset cluster analysis algorithm.
an outlier analysis module 13, for obtaining the first outlier point set and the outlier count of the preliminary anomaly detection data set according to the preset outlier analysis algorithm, and adjusting the distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm to obtain the second outlier point set of the preliminary anomaly detection data set.
Optionally, the preset outlier analysis algorithm is realized based on the LOF algorithm, and the outlier analysis module 13 is then specifically used for:
calculating the preset neighbourhood parameters according to the preset outlier analysis algorithm; wherein the preset neighbourhood parameters include: the number of data points in the preset neighbourhood, the preset neighbourhood average distance and the data point density in the preset neighbourhood;
determining the data point density jump positions according to the preset neighbourhood parameters to obtain the outlier count and the first outlier point set of the preliminary anomaly detection data set;
adjusting the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count;
obtaining the outlier point set corresponding to the local outlier factor as the second outlier point set.
a processing module 14, for obtaining the intersection of the first outlier point set and the second outlier point set as the network traffic anomaly detection result.
All the relevant content of each step involved in the above method embodiment can be cited as the functional description of the corresponding functional module, and is not repeated here.
When integrated modules are used, the network traffic anomaly detection device comprises a storage unit, a processing unit and an interface unit. The processing unit is used for controlling and managing the actions of the network traffic anomaly detection device; for example, the processing unit supports the device in executing the steps in Fig. 2, Fig. 3, Fig. 6 and Fig. 8. The interface unit supports the interaction between the network traffic anomaly detection device and other devices. The storage unit stores the program code and data of the network traffic anomaly detection device.
The processing unit may be a processor, the storage unit a memory, and the interface unit a communication interface. Referring to Fig. 11, the network traffic anomaly detection device comprises a communication interface 1101, a processor 1102, a memory 1103 and a bus 1104; the communication interface 1101, the processor 1102 and the memory 1103 are connected by the bus 1104.
The processor 1102 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present application.
The memory 1103 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto. The memory may exist independently and be connected to the processor by the bus, or the memory may be integrated with the processor.
The memory 1103 stores the application program code for executing the solution of the present application, and its execution is controlled by the processor 1102. The communication interface 1101 supports the interaction between the network traffic anomaly detection device and other devices. The processor 1102 executes the application program code stored in the memory 1103 to realize the network traffic anomaly detection method in the embodiment of the present application.
It should be noted that in this document the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of more restrictions, an element defined by the sentence "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be realized by software plus the necessary general hardware platform, and of course also by hardware, although in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including several instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the method described in each embodiment of the present application.
The embodiments of the present application are described above with reference to the accompanying drawings, but the present application is not limited to the above specific embodiments, which are only illustrative and not restrictive. Those of ordinary skill in the art, inspired by the present application and without departing from the purpose of the present application and the scope of protection of the claims, can also make many other forms, all of which fall within the protection of the present application.

Claims (10)

1. A network traffic anomaly detection method, characterized by comprising:
obtaining a network traffic anomaly detection sample and the data point distribution feature of the network traffic anomaly detection sample; wherein the network traffic detection sample includes network flow data and the network behaviour features associated with the network flow data;
carrying out cluster analysis on the data point distribution feature according to a preset cluster analysis algorithm, and taking the data set remaining after the dense data points in the cluster analysis result are rejected as a preliminary anomaly detection data set; wherein in the preset cluster analysis algorithm a referrer field is added for each data point, and the referrer field stores pointing information that directs the data point to its nearest neighbouring data point;
obtaining a first outlier point set and an outlier count of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and adjusting a distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm to obtain a second outlier point set of the preliminary anomaly detection data set;
obtaining the intersection of the first outlier point set and the second outlier point set as the network traffic anomaly detection result.
2. The network traffic anomaly detection method according to claim 1, characterized in that the preset cluster analysis algorithm is realized based on the OPTICS algorithm; and carrying out cluster analysis on the data point distribution feature according to the preset cluster analysis algorithm specifically comprises:
updating the pointing information in the referrer field of the data point according to the update of the reachability distance of the data point in the ordered seed queue of the preset cluster analysis algorithm; and updating the pointing information in the referrer field of the data point after the data point is newly inserted into the ordered seed queue of the preset cluster analysis algorithm;
reorganizing the result queue of the preset cluster analysis algorithm according to the pointing information in the referrer field.
3. The network traffic anomaly detection method according to claim 2, characterized in that updating the pointing information in the referrer field of the data point specifically is: directing the data point to the end of the result queue of the preset cluster analysis algorithm.
4. The network traffic anomaly detection method according to any one of claims 1 to 3, characterized in that the preset outlier analysis algorithm is realized based on the LOF algorithm; and obtaining the first outlier point set and the outlier count of the preliminary anomaly detection data set according to the preset outlier analysis algorithm specifically is:
calculating preset neighbourhood parameters according to the preset outlier analysis algorithm; wherein the preset neighbourhood parameters include: the number of data points in the preset neighbourhood, the preset neighbourhood average distance and the data point density in the preset neighbourhood;
determining the data point density jump positions according to the preset neighbourhood parameters to obtain the outlier count and the first outlier point set of the preliminary anomaly detection data set;
and adjusting the distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm to obtain the second outlier point set of the preliminary anomaly detection data set specifically is:
Adjust distance parameter value so that the part of the preliminary abnormality detection data set peels off the factor greater than 1 data point number with It is described peel off count it is equal;
It obtains and peels off the corresponding point set that peels off of the factor as second with the part and peel off point set.
5. The network traffic anomaly detection method according to any one of claims 1 to 3, characterized in that obtaining a network traffic anomaly detection sample and the data point distribution features of the network traffic anomaly detection sample specifically comprises:
obtaining the network traffic anomaly detection sample, and calculating the information entropy of the network traffic detection sample to obtain the data point distribution features of the network traffic anomaly detection sample.
6. A network traffic anomaly detection device, characterized by comprising:
an acquisition module, configured to obtain a network traffic anomaly detection sample and the data point distribution features of the network traffic anomaly detection sample, wherein the network traffic detection sample comprises network traffic data and network behavior features associated with the network traffic data;
a cluster analysis module, configured to perform cluster analysis on the data point distribution features according to a preset clustering analysis algorithm and to take the data set remaining after the dense data points in the cluster analysis result are removed as the preliminary anomaly detection data set; wherein the preset clustering analysis algorithm adds a referrer field to each data point, and the referrer field stores pointing information that points from the data point to the next data point nearest to it;
an outlier analysis module, configured to obtain the first outlier set and the outlier count of the preliminary anomaly detection data set according to a preset outlier analysis algorithm, and to adjust the distance parameter value according to the preset outlier analysis algorithm, the outlier count and the local outlier factor of the preset outlier analysis algorithm, so as to obtain the second outlier set of the preliminary anomaly detection data set;
a processing module, configured to take the intersection of the first outlier set and the second outlier set as the network traffic anomaly detection result.
7. The network traffic anomaly detection device according to claim 6, characterized in that the preset clustering analysis algorithm is implemented on the basis of the OPTICS algorithm;
and the cluster analysis module is specifically configured to:
update the pointing information in the referrer field of a data point when the reachability distance of that data point in the ordered seed queue of the preset clustering analysis algorithm is updated; and update the pointing information in the referrer field of the data point after a new data point is inserted into the ordered seed queue of the clustering analysis algorithm;
reorganize the result queue of the preset clustering analysis algorithm according to the pointing information in the referrer fields.
8. The network traffic anomaly detection device according to claim 7, characterized in that the cluster analysis module is specifically configured to: point the data point at the end of the result queue of the preset clustering analysis algorithm.
9. The network traffic anomaly detection device according to any one of claims 6 to 8, characterized in that the preset outlier analysis algorithm is implemented on the basis of the LOF algorithm, and the outlier analysis module is specifically configured to:
calculate preset neighborhood parameters according to the preset outlier analysis algorithm, wherein the preset neighborhood parameters comprise: the number of data points in the preset neighborhood, the average distance within the preset neighborhood, and the data point density within the preset neighborhood;
determine the position of the density jump of the data points according to the preset neighborhood parameters, so as to obtain the outlier count and the first outlier set of the preliminary anomaly detection data set;
adjust the distance parameter value so that the number of data points of the preliminary anomaly detection data set whose local outlier factor is greater than 1 equals the outlier count;
take the outlier set corresponding to that local outlier factor as the second outlier set.
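The outlier stage of claims 4 and 9 (neighborhood parameters, density jump, distance-parameter tuning until exactly the outlier count of points has LOF > 1, then the intersection from the processing module) is easier to follow in code. The block below is an added example, not the patent's implementation, and it fixes several things the claims leave open: the neighborhood parameters are taken over the k nearest neighbors, the density jump is the largest relative drop in the density-sorted order, and the "distance parameter" is read as a radius defining the LOF neighborhood. The sample points are constructed: a 4x4 grid of normal feature vectors plus two far-away points.

```python
"""Added example for claims 4 and 9: outlier count from a density jump, then a
radius-tuned LOF pass and the intersection of both outlier sets.  Illustration
code, not the patent's implementation; the neighbourhood, jump and "distance
parameter" definitions below are assumptions."""
import math
from typing import Dict, List, Sequence, Set, Tuple

Point = Tuple[float, float]

# Constructed sample (assumed 2-D feature vectors): a 4x4 grid of normal
# points (indices 0-15) plus two far-away points (indices 16 and 17).
SAMPLE: List[Point] = [(float(x), float(y)) for x in range(4) for y in range(4)]
SAMPLE += [(20.0, 20.0), (-20.0, 15.0)]


def distance_matrix(points: Sequence[Point]) -> List[List[float]]:
    return [[math.dist(p, q) for q in points] for p in points]


def neighbourhood_params(dist: List[List[float]], k: int) -> List[Tuple[List[int], float, float]]:
    """Step 1 (assumed reading): per point, its k nearest neighbours, their
    average distance and the local density 1/average distance."""
    params = []
    for i, row in enumerate(dist):
        nn = sorted((j for j in range(len(row)) if j != i), key=lambda j: row[j])[:k]
        avg = sum(row[j] for j in nn) / len(nn)
        params.append((nn, avg, 1.0 / max(avg, 1e-12)))
    return params


def density_jump_outliers(params, min_jump: float = 2.0) -> Set[int]:
    """Step 2: order points by density (dense first) and cut at the largest
    relative drop; everything after the cut is the first outlier set and its
    size is the outlier count.  min_jump is an assumed guard so that data
    with no real jump yields no outliers instead of cutting somewhere anyway."""
    order = sorted(range(len(params)), key=lambda i: -params[i][2])
    best_pos, best_ratio = None, min_jump
    for pos in range(len(order) - 1):
        ratio = params[order[pos]][2] / params[order[pos + 1]][2]
        if ratio > best_ratio:
            best_pos, best_ratio = pos, ratio
    return set() if best_pos is None else set(order[best_pos + 1:])


def radius_lof(dist: List[List[float]], r: float) -> List[float]:
    """LOF with a radius neighbourhood (assumed meaning of the claim's distance
    parameter): N(p) is every point within r of p, or just the nearest point
    when nothing lies that close, so an isolated point still gets a score."""
    n = len(dist)
    nbrs: List[List[int]] = []
    for i in range(n):
        inside = [j for j in range(n) if j != i and dist[i][j] <= r]
        if not inside:
            inside = [min((j for j in range(n) if j != i), key=lambda j: dist[i][j])]
        nbrs.append(inside)
    # radius[o] plays the role of the k-distance in classic LOF.
    radius = [max(dist[i][j] for j in nbrs[i]) for i in range(n)]
    lrd = [len(nbrs[p]) / max(sum(max(radius[o], dist[p][o]) for o in nbrs[p]), 1e-12)
           for p in range(n)]
    return [sum(lrd[o] for o in nbrs[p]) / (len(nbrs[p]) * lrd[p]) for p in range(n)]


def tune_radius(dist: List[List[float]], target: int) -> Tuple[float, Set[int]]:
    """Step 3: sweep the distinct pairwise distances as candidate radii and keep
    the first one at which exactly `target` points have LOF > 1 (or, failing
    an exact hit, the radius that comes closest)."""
    n = len(dist)
    candidates = sorted({dist[i][j] for i in range(n) for j in range(i + 1, n)})
    best: Tuple[int, float, Set[int]] = (n + 1, 0.0, set())
    for r in candidates:
        flagged = {p for p, score in enumerate(radius_lof(dist, r)) if score > 1.0}
        gap = abs(len(flagged) - target)
        if gap < best[0]:
            best = (gap, r, flagged)
        if gap == 0:
            break
    return best[1], best[2]


def detect(points: Sequence[Point] = SAMPLE, k: int = 3) -> Dict[str, object]:
    """Whole pipeline of claim 4; the final result is the intersection of the
    density-jump set and the LOF set, as the processing module of claim 6 does."""
    dist = distance_matrix(points)
    first = density_jump_outliers(neighbourhood_params(dist, k))
    r, second = tune_radius(dist, len(first))
    return {"outlier_count": len(first), "first": first, "radius": r,
            "second": second, "result": first & second}


if __name__ == "__main__":
    print(detect())
```

On the constructed sample the density jump separates the two far points from the grid, so the outlier count is 2; the radius sweep stops at the smallest candidate radius, where every grid point scores exactly LOF = 1 and only the two far points exceed it, and the intersection is those two indices. Requiring both sets to agree is what makes the method conservative: a point that is sparse by k-NN density but not by LOF (or the other way round) is not reported.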
10. The network traffic anomaly detection device according to any one of claims 6 to 8, characterized in that the acquisition module is specifically configured to:
obtain the network traffic anomaly detection sample, and calculate the information entropy of the network traffic detection sample to obtain the data point distribution features of the network traffic anomaly detection sample.
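Claims 5 and 10 say only that the data point distribution features are obtained by computing the information entropy of the detection sample. The block below is an added example, not the patent's code, showing one common way to do that: flows are grouped into fixed time windows (60 s is an assumption) and each window becomes one feature vector made of the Shannon entropy of source IP, destination IP and destination port plus the flow count. The flow records are constructed: one window of varied client traffic and one window in which a single host touches many ports, which collapses source entropy and inflates port entropy.

```python
"""Added example for claims 5 and 10: turning raw flow records into per-window
information-entropy features.  Illustration code, not the patent's own; the
window length and the attributes whose entropy is taken are assumptions."""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[int, str, str, int, int]

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
# Window 0 is varied client traffic; window 1 is one host probing many ports.
FLOWS: List[Flow] = [
    (1, "10.0.0.1", "10.0.1.5", 443, 1200),
    (5, "10.0.0.2", "10.0.1.5", 443, 900),
    (9, "10.0.0.3", "10.0.1.6", 80, 400),
    (20, "10.0.0.4", "10.0.1.7", 443, 2200),
] + [(61 + i, "10.0.0.9", "10.0.1.5", port, 60)
     for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]


def shannon_entropy(values: Iterable[object]) -> float:
    """Entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_features(flows: Iterable[Flow], window_s: int = 60) -> Dict[int, Dict[str, float]]:
    """Group flows into fixed windows and compute, per window, the entropy of
    source IP, destination IP and destination port plus the flow count.
    Each window's dict is one data point for the clustering step."""
    buckets: Dict[int, List[Flow]] = defaultdict(list)
    for flow in flows:
        buckets[flow[0] // window_s].append(flow)
    features: Dict[int, Dict[str, float]] = {}
    for w, rows in sorted(buckets.items()):
        features[w] = {
            "n_flows": float(len(rows)),
            "h_src": shannon_entropy(r[1] for r in rows),
            "h_dst": shannon_entropy(r[2] for r in rows),
            "h_port": shannon_entropy(r[3] for r in rows),
        }
    return features


def feature_matrix(features: Dict[int, Dict[str, float]]) -> List[List[float]]:
    """Flatten the per-window dicts into vectors, in window order, keeping the
    same key order in every row so distances between windows are meaningful."""
    keys = ("n_flows", "h_src", "h_dst", "h_port")
    return [[features[w][k] for k in keys] for w in sorted(features)]


if __name__ == "__main__":
    for w, f in window_features(FLOWS).items():
        print(w, f)
```

In the constructed data the first window has four distinct sources (2 bits of source entropy) and the second has one source spread over eight ports (0 bits of source entropy, 3 bits of port entropy); it is that kind of shift in the entropy vector, rather than raw volume, that the later clustering and outlier stages operate on.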

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810821544.2A CN109067725B (en) 2018-07-24 2018-07-24 Network flow abnormity detection method and device

Publications (2)

Publication Number Publication Date
CN109067725A true CN109067725A (en) 2018-12-21
CN109067725B CN109067725B (en) 2021-05-14

Family

ID=64835341

Country Status (1)

Country Link
CN (1) CN109067725B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109873832A (en) * 2019-03-15 2019-06-11 北京三快在线科技有限公司 Method for recognizing flux, device, electronic equipment and storage medium
CN110417744A (en) * 2019-06-28 2019-11-05 平安科技(深圳)有限公司 The safe determination method and device of network access
CN110532119A (en) * 2019-07-26 2019-12-03 中国船舶重工集团公司第七一九研究所 Power system operation abnormal point detecting method
CN110889441A (en) * 2019-11-19 2020-03-17 海南电网有限责任公司海南输变电检修分公司 Distance and point density based substation equipment data anomaly identification method
CN111556440A (en) * 2020-05-07 2020-08-18 之江实验室 Network anomaly detection method based on traffic pattern
CN111786935A (en) * 2019-11-08 2020-10-16 国网辽宁省电力有限公司电力科学研究院 Service flow abnormity detection method for optical cable fiber core remote intelligent scheduling exchange
CN112348817A (en) * 2021-01-08 2021-02-09 深圳佑驾创新科技有限公司 Parking space identification method and device, vehicle-mounted terminal and storage medium
CN113347181A (en) * 2021-06-01 2021-09-03 上海明略人工智能(集团)有限公司 Abnormal advertisement flow detection method, system, computer equipment and storage medium
CN113624219A (en) * 2021-07-27 2021-11-09 北京理工大学 Magnetic compass ellipse fitting error compensation method based on OPTICS algorithm
CN113820333A (en) * 2021-09-16 2021-12-21 无锡先导智能装备股份有限公司 Battery pole piece abnormity detection method and device, upper computer and detection system
CN113852629A (en) * 2021-09-24 2021-12-28 重庆大学 Network connection abnormity identification method based on natural neighbor self-adaptive weighted kernel density and computer storage medium
CN114253168A (en) * 2020-09-22 2022-03-29 南亚科技股份有限公司 Machine monitoring system and machine monitoring method
CN116628729B (en) * 2023-07-25 2023-09-29 天津市城市规划设计研究总院有限公司 Method and system for improving data security according to data characteristic differentiation
CN116886453A (en) * 2023-09-08 2023-10-13 湖北华中电力科技开发有限责任公司 Network flow big data analysis method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104268188A (en) * 2014-09-17 2015-01-07 广州迅云教育科技有限公司 Method and system for classroom teaching and learning behavior analysis in informational environment
CN106101102A (en) * 2016-06-15 2016-11-09 华东师范大学 A kind of exception flow of network detection method based on PAM clustering algorithm
CN106503086A (en) * 2016-10-11 2017-03-15 成都云麒麟软件有限公司 The detection method of distributed local outlier
US20170287128A1 (en) * 2013-08-08 2017-10-05 Kla-Tencor Corporation Adaptive Local Threshold and Color Filtering

Also Published As

Publication number Publication date
CN109067725B (en) 2021-05-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant