CN109743314A - Monitoring method, device, computer equipment and its storage medium of Network Abnormal - Google Patents

Publication number: CN109743314A
Authority: CN (China)
Legal status: Pending
Application number: CN201811634274.0A
Other languages: Chinese (zh)
Inventor: 肖海波
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd

Abstract

This specification provides a method, device, computer equipment and storage medium for monitoring network anomalies. The method comprises: obtaining the real-time traffic data of each user in a network; when a user's real-time traffic data exceeds a connection number threshold, determining that a network anomaly has occurred for that user, wherein the connection number threshold is obtained by intelligent learning on the user; and performing exception handling on the user according to the processing policy corresponding to the connection number threshold. The scheme can identify attack sources quickly and effectively and execute the corresponding exception handling policy, which improves the efficiency of network anomaly monitoring and ensures network security.

Description

Method, device, computer equipment and storage medium for monitoring network anomalies
Technical field
This specification relates to the field of computer security technology, and in particular to a method, device, computer equipment and storage medium for monitoring network anomalies.
Background
With the rapid development of informatization, more and more vital information is stored, transmitted and processed over networks, and the network crimes aimed at obtaining this key information have risen sharply in step. Network security problems are now receiving more and more attention.
In network security, identity authentication technology holds an important position as the first, and even the most important, line of defense. Reliable identity authentication ensures that information is accessed only by the correct "person". Identity authentication provides assurance about the identity of a person or thing: when someone (or something) claims a particular identity, the authentication technology provides some way to confirm that the claim is correct.
"Broiler" hosts, also called puppet machines (bots or zombies), are machines that a hacker can control remotely. Such a machine has usually had a Trojan implanted or a backdoor left on it by the hacker, and can break out at any time or be remotely directed by the hacker to perform some action, such as sending large numbers of attack packets. In real user networks this is very common, for example a server or a computer that has been infected and floods packets outward. Common attack types include DDoS attacks, SYN flood attacks, UDP/ICMP flood attacks and port scan attacks. Using "broilers", a hacker can exhaust the session resources of a firewall device in the user's network and paralyze the firewall; can attack a critical server, such as a portal website server, so that it refuses external service; and can attack a gateway so that gateway CPU usage stays high and normal traffic cannot be handled promptly.
In general, once a PC, server or other device on the intranet is infected with a virus, it often becomes an attack source inside the intranet and sends large numbers of attack packets into it, commonly TCP SYN flood, UDP flood and ICMP flood packets. These attack packets slow down or cut off intranet users' service access, and can even paralyze the intranet's externally facing servers so that they cannot provide service.
Conventional network anomaly detection mainly applies passive protection measures for each type of attack after the network environment has been attacked: each network node is checked, the attack and the attacking user are found, and the user is blocked. Troubleshooting in this approach is cumbersome, a great deal of time is needed before the attack source is found, and efficiency is low.
Summary of the invention
To overcome the problems in the related art, this specification provides a method, device, computer equipment and storage medium for monitoring network anomalies.
According to a first aspect of the embodiments of this specification, a link packet configuration method is provided, the method comprising:
obtaining the real-time traffic data of each user in the network;
when a user's real-time traffic data exceeds a connection number threshold, determining that a network anomaly has occurred for the user, wherein the connection number threshold is obtained by intelligent learning on the user;
performing exception handling on the user according to the processing policy corresponding to the connection number threshold.
In one embodiment, before the step of determining that a network anomaly has occurred for the user when the user's real-time traffic data exceeds the connection number threshold, the method further comprises:
performing intelligent learning on the traffic data of each user in the network to obtain a traffic analysis model for each user;
calculating the connection number threshold of each user according to the traffic analysis model.
In one embodiment, the step of performing intelligent learning on the traffic data of each user in the network to obtain a traffic analysis model for each user comprises:
counting the total session count and the abnormal session count of each user IP within the intelligent learning time;
periodically reading the total session count and abnormal session count of each user IP and establishing the traffic analysis model of that user IP.
In one embodiment, the total session count is the number of sessions the user IP maintains in real time within the intelligent learning time, and the abnormal session count is the number of sessions the user IP has created that have not reached the total state.
In one embodiment, the step of calculating the connection number threshold of each user according to the traffic analysis model comprises:
according to the established traffic analysis model of each user IP, separately calculating each user's total session count threshold and abnormal session count threshold within the intelligent learning time.
In one embodiment, the step of determining that a network anomaly has occurred for the user when the user's real-time traffic data exceeds the connection number threshold comprises:
judging whether the user's traffic data exceeds the total session count threshold or the abnormal session count threshold; if it does, the user's real-time traffic data is abnormal.
In one embodiment, the step of counting the total session count and abnormal session count of each user IP within the intelligent learning time comprises:
when the user creates a new session, adding 1 to both the total session count and the abnormal session count of the user IP;
when a session of the user IP is established and reaches the total state, subtracting 1 from the abnormal session count;
after the user disconnects, subtracting 1 from the total session count of the user IP; if the session had reached the total state when it was established, the abnormal session count is unchanged, otherwise 1 is subtracted from the abnormal session count.
In one embodiment, the step of performing exception handling on the user according to the processing policy corresponding to the connection number threshold comprises:
generating the processing policy corresponding to the user according to the connection number threshold;
when a network anomaly occurs for the user, invoking the processing policy to perform exception handling on the user, wherein the processing policy includes any one or more of generating an anomaly log, dropping packets and blocking network access.
In one embodiment, the users include intranet Internet-access users and intranet servers.
According to a second aspect of the embodiments of this specification, a device for monitoring network anomalies is provided, comprising:
an obtaining module, for obtaining the real-time traffic data of each user in the network;
a judgment module, for determining that a network anomaly has occurred for a user when the user's real-time traffic data exceeds a connection number threshold, wherein the connection number threshold is obtained by intelligent learning on the user;
a processing module, for performing exception handling on the user according to the processing policy corresponding to the connection number threshold.
In one embodiment, the device for monitoring network anomalies further comprises an intelligent learning module, for performing intelligent learning on the traffic data of each user in the network to obtain a traffic analysis model for each user, and calculating the connection number threshold of each user according to the traffic analysis model.
According to a third aspect of the embodiments of this specification, computer equipment is provided, comprising:
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs being configured to:
obtain the real-time traffic data of each user in the network;
when a user's real-time traffic data exceeds a connection number threshold, determine that a network anomaly has occurred for the user, wherein the connection number threshold is obtained by intelligent learning on the user;
perform exception handling on the user according to the processing policy corresponding to the connection number threshold.
According to a fourth aspect of the embodiments of this specification, a computer storage medium is provided, on which a computer program is stored; when the program is executed by a processor it implements the link packet configuration method, comprising:
obtaining the real-time traffic data of each user in the network;
when a user's real-time traffic data exceeds a connection number threshold, determining that a network anomaly has occurred for the user, wherein the connection number threshold is obtained by intelligent learning on the user;
performing exception handling on the user according to the processing policy corresponding to the connection number threshold.
The technical solutions provided by the embodiments of this specification can have the following benefits:
In the embodiments of this specification, user traffic behavior is learned intelligently and used for traffic analysis. In application, the real-time traffic data of each user in the network is obtained, abnormal user traffic is detected automatically, the abnormal user is identified, and the corresponding exception handling policy is executed. The scheme can identify attack sources quickly and effectively and execute the corresponding exception handling policy, which improves the efficiency of network anomaly monitoring and ensures network security.
It should be understood that the general description above and the detailed description below are only exemplary and explanatory and do not limit this specification.
Brief description of the drawings
The drawings here are incorporated into and form part of this specification. They show embodiments consistent with this specification and, together with the specification, serve to explain its principles.
Fig. 1 is a schematic diagram of the application environment of the network anomaly monitoring method.
Fig. 2 is a flowchart of a network anomaly monitoring method according to an exemplary embodiment of this specification.
Fig. 3 is the intelligent learning flow when a session is newly created.
Fig. 4 is the intelligent learning flow when a session reaches the total state.
Fig. 5 is the intelligent learning flow when a session ages out.
Fig. 6 is the workflow of the intelligent recognition function module.
Fig. 7 is the user traffic monitoring flowchart.
Fig. 8 is a block diagram of a network anomaly monitoring device according to an exemplary embodiment of this specification.
Fig. 9 is a block diagram of a network anomaly monitoring device according to another exemplary embodiment of this specification.
Fig. 10 is a hardware structure diagram of the computer equipment on which the network anomaly monitoring device of the embodiments of this specification resides.
Detailed description
Exemplary embodiments are described in detail here, with examples shown in the drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this specification. Rather, they are only examples of devices and methods consistent with some aspects of this specification as detailed in the appended claims.
The terms used in this specification are for the purpose of describing particular embodiments only and are not intended to limit this specification. The singular forms "a", "said" and "the" used in this specification and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this specification to describe various information, the information should not be limited by these terms. The terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this specification, first information may also be called second information and, similarly, second information may also be called first information. Depending on context, the word "if" as used here may be interpreted as "at the time of ...", "when ..." or "in response to determining".
The embodiments of this specification are described in detail next.
The network anomaly monitoring method of the embodiments of this specification can be applied in an enterprise-deployed embedded operating system. Referring to Fig. 1, a schematic diagram of the application environment of the method, the enterprise intranet shown includes servers and Internet-access users, the latter being ordinary office users who go online with PCs, laptops, PDAs, tablet devices and the like. The method can be applied on the network devices in the figure, such as a switch, firewall or router, and is realized by adding a functional module to such a device. The networking behavior of the servers and Internet-access users in the intranet is monitored and abnormal conditions are identified so that defensive action can be taken proactively. When devices such as intranet servers or Internet-access users send large numbers of attack packets into the intranet, such as TCP SYN flood, UDP flood and ICMP flood packets, the attack source can be identified just as the attack begins and handled with the corresponding policy, which improves the efficiency and effect of exception handling.
Referring to Fig. 2, a flowchart of a network anomaly monitoring method according to an exemplary embodiment of this specification, the method mainly includes the following steps:
In step S10, the real-time traffic data of each user in the network is obtained.
In this step, the user's traffic data is detected in real time by detecting each user's sessions on the network device. Each intranet user is assigned a corresponding intranet IP address, so the session count of each IP can be detected on the network. Taking a router as an example, the number of sessions connected by each IP address can be obtained through the router's monitoring function.
In step S20, when a user's real-time traffic data exceeds the connection number threshold, it is determined that a network anomaly has occurred for the user, wherein the connection number threshold is obtained by intelligent learning on the user.
In this step, the connection number threshold obtained in advance through intelligent learning can be used to judge the user's real-time traffic data. When the threshold is exceeded, a network anomaly is considered to have occurred for the user, possibly because the host has been infected and is sending attack packets.
The connection number threshold can be set by performing intelligent learning over a certain period of time. Under normal circumstances, the session count of an ordinary intranet Internet-access user or server shows a certain regularity and stays around a certain level, so a sudden surge in sessions can be regarded as a network anomaly.
As an embodiment, for ordinary Internet-access users the connection number threshold is the intranet Internet-access user connection number threshold, and for servers it is the intranet server connection number threshold.
In step S30, exception handling is performed on the user according to the processing policy corresponding to the connection number threshold.
In this step, once it has been determined that a network anomaly has occurred for the user, the corresponding policy is used to handle it. As an embodiment, the processing policy corresponding to the user may be generated from the connection number threshold during this process; when a network anomaly occurs for the user, the processing policy is invoked to perform exception handling on the user.
The processing policy may include any one or more of generating an anomaly log, dropping packets and blocking network access.
To make the network anomaly monitoring method of the embodiments of this specification clearer, more specific embodiments are described below with reference to the drawings.
In one embodiment, before step S20 judges the user's real-time traffic data against the connection number threshold, an intelligent learning scheme may also be included, as follows:
A. Perform intelligent learning on the traffic data of each user in the network to obtain a traffic analysis model for each user.
B. Calculate the connection number threshold of each user according to the traffic analysis model.
Further, for the traffic analysis model of step B above, the total session count and abnormal session count of each user IP can be counted within the intelligent learning time; the total session count and abnormal session count of each user IP are read periodically and the traffic analysis model of that user IP is established.
Here, the total session count can be the number of sessions the user IP maintains in real time within the intelligent learning time, and the abnormal session count is the number of sessions the user IP has created that have not reached the total state, for example UDP or ICMP sessions for which no reverse packet has been received and TCP sessions whose three-way handshake has not yet completed.
In one embodiment, the intelligent learning process of step A above may include the following:
(1) When the user creates a new session, add 1 to both the total session count and the abnormal session count of the user IP.
Referring to Fig. 3, the intelligent learning flow when a session is newly created: by monitoring networking behavior, whenever an IP user creates a new session, the total session count in that user's IP traffic is increased by 1 and the abnormal session count is also increased by 1. Until the TCP three-way handshake succeeds, the session is counted among the abnormal sessions.
(2) When a session of the user IP is established and reaches the total state, subtract 1 from the abnormal session count.
Referring to Fig. 4, the intelligent learning flow when a session reaches the total state: by monitoring networking behavior, after a session is created, if a UDP or ICMP session receives a reverse packet or a TCP session's three-way handshake succeeds, the abnormal session count in that user's IP traffic is decreased by 1.
(3) After the user disconnects, subtract 1 from the total session count of the user IP; if the session had reached the total state when it was established, the abnormal session count is unchanged, otherwise subtract 1 from the abnormal session count.
Referring to Fig. 5, the intelligent learning flow when a session ages out: by monitoring networking behavior, when a user jumps from one access link to another, the session needs to be aged. After a session is aged, 1 is subtracted from the total session count in that session's user IP traffic, and it is judged whether the session received a reverse packet (UDP or ICMP) or completed the three-way handshake (TCP). If so, the abnormal session count is left as it is; otherwise 1 is subtracted from the abnormal session count.
In one embodiment, the method of calculating each user's connection number threshold in step B may include the following:
B1. According to the established traffic analysis model of each user IP, separately calculate each user's total session count threshold and abnormal session count threshold within the intelligent learning time.
B2. When judging whether a network anomaly has occurred for a user, judge whether the user's traffic data exceeds the total session count threshold or the abnormal session count threshold; if it does, the user's real-time traffic data is judged abnormal.
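The counting rules (1) to (3) and the threshold check of B1/B2 can be sketched as follows. This is an added Python example, not code from the patent: the class and method names, the sample IP addresses and the threshold formula (learned peak times a margin, with a floor) are assumptions, since the specification does not state how thresholds are derived from the model.

```python
import math
from collections import defaultdict


class SessionMonitor:
    """Per-IP session counters, learned thresholds and detection (hypothetical names)."""

    def __init__(self, margin=1.5, floor=8):
        # margin and floor are assumptions: the patent does not say how the
        # thresholds are computed from the learned traffic analysis model.
        self.margin, self.floor = margin, floor
        self.counts = defaultdict(lambda: [0, 0])  # ip -> [total, abnormal]
        self.sessions = {}                          # session id -> [ip, reached total state?]
        self.samples = defaultdict(list)            # ip -> [(total, abnormal), ...]
        self.thresholds = {}                        # ip -> (total_thr, abnormal_thr)

    def on_new(self, sid, ip):
        # Rule (1): new session, total +1 and abnormal +1.
        if sid in self.sessions:
            return
        self.sessions[sid] = [ip, False]
        self.counts[ip][0] += 1
        self.counts[ip][1] += 1

    def on_established(self, sid):
        # Rule (2): TCP handshake done or UDP/ICMP reverse packet seen, abnormal -1.
        s = self.sessions.get(sid)
        if s is None or s[1]:
            return  # unknown session or repeated event: never decrement twice
        s[1] = True
        self.counts[s[0]][1] -= 1

    def on_aged(self, sid):
        # Rule (3): total -1; abnormal -1 only if the session never established.
        s = self.sessions.pop(sid, None)
        if s is None:
            return
        self.counts[s[0]][0] -= 1
        if not s[1]:
            self.counts[s[0]][1] -= 1

    def sample(self):
        # Periodic read of every IP's counters during the learning time.
        for ip, (total, abnormal) in self.counts.items():
            self.samples[ip].append((total, abnormal))

    def finish_learning(self):
        # Assumed model (B1): threshold = max(floor, ceil(peak * margin)).
        for ip, rows in self.samples.items():
            self.thresholds[ip] = tuple(
                max(self.floor, math.ceil(max(col) * self.margin))
                for col in zip(*rows))

    def check(self, ip):
        # B2: list which thresholds the IP currently exceeds (empty = normal).
        total, abnormal = self.counts[ip]
        t_thr, a_thr = self.thresholds.get(ip, (self.floor, self.floor))
        hits = []
        if total > t_thr:
            hits.append("total")
        if abnormal > a_thr:
            hits.append("abnormal")
        return hits


def run_demo():
    """Constructed scenario: learn two hosts, then one opens half-open sessions."""
    m = SessionMonitor()
    sid = 0
    for ip, n in (("10.0.0.5", 10), ("10.0.0.9", 20)):  # constructed sample hosts
        for _ in range(n):
            sid += 1
            m.on_new(sid, ip)
            m.on_established(sid)
    m.sample()                       # learning read at peak load
    for s in range(1, sid + 1):
        m.on_aged(s)
    m.sample()                       # learning read after all sessions aged out
    m.finish_learning()
    for _ in range(12):              # 10.0.0.5: 12 sessions that never establish
        sid += 1
        m.on_new(sid, "10.0.0.5")
    for _ in range(25):              # 10.0.0.9: 25 sessions, all established
        sid += 1
        m.on_new(sid, "10.0.0.9")
        m.on_established(sid)
    return m.thresholds, {ip: m.check(ip) for ip in ("10.0.0.5", "10.0.0.9")}


if __name__ == "__main__":
    print(run_demo())
```

In the constructed run, 10.0.0.5 stays under its total session threshold but trips the abnormal session threshold, which is the case the separate half-open counter exists to catch.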
To summarize the schemes of the embodiments above: for attacks inside the intranet, user traffic behavior is learned intelligently and a traffic analysis model is established. In application, the real-time traffic data of each user in the network is obtained, abnormal user traffic is recognized automatically, the abnormal user is identified, and the corresponding exception handling policy is executed. For example, when a computer user, server or other device on the intranet is infected with a virus, becomes an attack source inside the intranet, and sends large numbers of attack packets into it, such as TCP SYN flood, UDP flood and ICMP flood packets, the attack source can be identified quickly and effectively and the corresponding exception handling policy executed. The attack source is blocked just as the attack begins, and the network administrator only needs to check the log to confirm the attack source. This improves the efficiency of network anomaly monitoring, saves the large amount of time otherwise spent investigating the anomaly, and ensures network security.
The network anomaly monitoring method of the embodiments of this specification can be realized by developing an intelligent recognition function module and deploying it on a network device, such as a switch, firewall or router, to carry out the method flow. Referring to Fig. 6, the workflow of the intelligent recognition function module, this specifically includes:
S601, the intelligent recognition function is enabled, and the learning time, the intranet server addresses in the user network and the handling action to take when a policy takes effect are set;
S602, learning starts: the user network session situation is analyzed, the total number of sessions and total number of abnormal sessions of each user IP are counted, and the analysis model is established;
S603, learning ends, and the user session analysis models of Internet-access users and intranet servers are obtained;
S604, the abnormal traffic alarm thresholds of Internet-access users and intranet servers are calculated according to the user network session analysis model, and the corresponding policies are generated;
S605, subsequent traffic is matched against the policies and handled.
Based on the intelligent recognition function module above, subsequent user traffic enters the intelligent recognition module, which judges whether the user traffic exceeds the threshold; if it does, it is handled by the policy action. Referring to Fig. 7, the user traffic monitoring flowchart, the detailed flow is as follows:
S701, count user traffic;
S702, check whether the intelligent recognition function module is enabled; if so, execute S703, otherwise execute S706;
S703, judge whether a detection policy exists; if so, execute S704, otherwise execute S705;
S704, match the policy and handle according to the policy action;
S705, count the total number of sessions and total number of abnormal sessions of each user IP, establish the traffic analysis model, and pass the traffic data up;
S706, do no processing and pass the traffic up.
In the example scheme above, the intelligent recognition function module can be deployed on various network devices. It provides intelligent learning and automatic analysis and modeling, monitors network users' traffic in real time and passes the traffic up, and can handle anomalies immediately according to policy when they occur, which improves the efficiency and effect of exception handling.
The above are the embodiments of the network anomaly monitoring method of this specification; embodiments of the network anomaly monitoring device are described below with reference to the drawings.
As shown in Fig. 8, a block diagram of a network anomaly monitoring device according to an exemplary embodiment of this specification, the device includes:
an obtaining module 10, for obtaining the real-time traffic data of each user in the network;
a judgment module 20, for determining that a network anomaly has occurred for a user when the user's real-time traffic data exceeds a connection number threshold, wherein the connection number threshold is obtained by intelligent learning on the user;
a processing module 30, for performing exception handling on the user according to the processing policy corresponding to the connection number threshold.
Referring to Fig. 9, a block diagram of a network anomaly monitoring device according to another exemplary embodiment of this specification, the device further includes:
an intelligent learning module 40, for performing intelligent learning on the traffic data of each user in the network to obtain a traffic analysis model for each user, and calculating the connection number threshold of each user according to the traffic analysis model.
For the implementation of the functions and roles of the modules in the device above, see the implementation of the corresponding steps in the method above; it is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, see the relevant parts of the method embodiments for related details. The device embodiments described above are only illustrative: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of this specification. A person of ordinary skill in the art can understand and implement this without creative effort.
The embodiments of this specification also provide computer equipment, comprising:
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs being configured to:
obtain the real-time traffic data of each user in the network;
when a user's real-time traffic data exceeds a connection number threshold, determine that a network anomaly has occurred for the user, wherein the connection number threshold is obtained by intelligent learning on the user;
perform exception handling on the user according to the processing policy corresponding to the connection number threshold.
The embodiments of the network anomaly monitoring device of this specification can be implemented in hardware or in a combination of software and hardware. Taking a software implementation as an example, the device in the logical sense is formed by the processor of the computer equipment on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 10 is a hardware structure diagram of the computer equipment on which the network anomaly monitoring device of the embodiments of this specification resides. In addition to the processor 1010, memory 1030, network interface 1020 and non-volatile memory 1040 shown in Fig. 10, the computer equipment on which the network anomaly monitoring device 1031 of the embodiment resides may, depending on the actual function of the equipment, also include other hardware such as a clock and a network card, which is not described further.
The embodiments of this specification also provide a computer storage medium on which a computer program is stored; when the program is executed by a processor it implements the link packet configuration method, comprising:
obtaining the real-time traffic data of each user in the network;
when a user's real-time traffic data exceeds a connection number threshold, determining that a network anomaly has occurred for the user, wherein the connection number threshold is obtained by intelligent learning on the user;
performing exception handling on the user according to the processing policy corresponding to the connection number threshold.
Specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of this specification will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed here. This specification is intended to cover any variations, uses or adaptations of this specification that follow its general principles and include common knowledge or customary technical means in the art not disclosed in this specification. The description and embodiments are to be regarded as exemplary only; the true scope and spirit of this specification are indicated by the following claims.
It should be understood that this specification is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of this specification is limited only by the appended claims.
The above are only preferred embodiments of this specification and are not intended to limit it. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of this specification shall be included within the scope of protection of this specification.

Claims (11)

1. A method for monitoring network anomalies, comprising:
Obtaining the real-time traffic data of each user in a network;
When the real-time traffic data of the user exceeds a connection number threshold, determining that a network anomaly has occurred for the user; wherein the connection number threshold is obtained through intelligent learning on the user;
Performing anomaly handling on the user according to the processing strategy corresponding to the connection number threshold.
2. The method according to claim 1, characterized in that, before the step of determining that a network anomaly has occurred for the user when the real-time traffic data of the user exceeds the connection number threshold, the method further comprises:
Performing intelligent learning on the traffic data of each user in the network to obtain a traffic analysis model for each user;
Calculating the connection number threshold of each user according to the traffic analysis model.
3. The method according to claim 2, characterized in that the step of performing intelligent learning on the traffic data of each user in the network to obtain a traffic analysis model for each user comprises:
Counting the total session number and the abnormal session number of each user IP within the intelligent learning time;
Periodically reading the total session number and the abnormal session number of each user IP, and establishing the traffic analysis model of the user IP.
4. The method according to claim 3, characterized in that the total session number refers to the number of real-time sessions maintained by the user IP within the intelligent learning time, and the abnormal session number refers to the number of sessions that the user IP has established but that have not reached total state.
5. The method according to claim 3, characterized in that the step of calculating the connection number threshold of each user according to the traffic analysis model comprises:
According to the established traffic analysis model of each user IP, separately calculating the total session number threshold and the abnormal session number threshold of each user within the intelligent learning time.
6. The method according to claim 5, characterized in that the step of determining that a network anomaly has occurred for the user when the real-time traffic data of the user exceeds the connection number threshold comprises:
Judging whether the traffic data of the user exceeds the total session number threshold or the abnormal session number threshold; if so, the real-time traffic data of the user is abnormal.
7. The method according to claim 3, characterized in that the step of counting the total session number and the abnormal session number of each user IP within the intelligent learning time comprises:
When the user creates a new session, adding 1 to both the total session number and the abnormal session number of the user IP;
When the user IP establishes a session and the session reaches total state, subtracting 1 from the abnormal session number;
After the user disconnects, subtracting 1 from the total session number of the user IP; if the session reached total state when it was established, the abnormal session number remains unchanged; otherwise 1 is subtracted from the abnormal session number.
8. The method according to claim 1, characterized in that the step of performing anomaly handling on the user according to the processing strategy corresponding to the connection number threshold comprises:
Generating the processing strategy corresponding to the user according to the connection number threshold;
When a network anomaly occurs for the user, invoking the processing strategy to perform anomaly handling on the user; wherein the processing strategy includes any one or more of generating an anomaly log, dropping packets, and blocking network access.
9. The method according to claim 1, characterized in that the users include intranet Internet users and intranet servers;
The connection number threshold includes an intranet Internet user connection number threshold and an intranet server connection number threshold.
10. A device for monitoring network anomalies, comprising:
An obtaining module, for obtaining the real-time traffic data of each user in a network;
A judgment module, for determining that a network anomaly has occurred for the user when the real-time traffic data of the user exceeds a connection number threshold; wherein the connection number threshold is obtained through intelligent learning on the user;
A processing module, for performing anomaly handling on the user according to the processing strategy corresponding to the connection number threshold.
11. The device according to claim 10, characterized in that it further comprises: an intelligent learning module, for performing intelligent learning on the traffic data of each user in the network to obtain a traffic analysis model for each user, and calculating the connection number threshold of each user according to the traffic analysis model.
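The counter rules of claim 7 and the learn-then-compare flow of claims 3, 5 and 6 can be followed in the Python example below, which is added here and is not code from the patent. The class and method names, the session ids, the constructed traffic in `demo()` and the threshold formula (peak sampled value times a 1.5 margin, at least 1) are assumptions; the claims do not state how the thresholds are calculated from the model.

```python
from collections import defaultdict

class SessionMonitor:
    def __init__(self):
        self.count = defaultdict(lambda: [0, 0])  # ip -> [total, abnormal]
        self.samples = defaultdict(list)          # ip -> periodic reads of the counters
        self.limits = {}                          # ip -> (total_thr, abnormal_thr)
        self.open = {}                            # session id -> [ip, reached total state?]

    def new_session(self, ip, sid):               # claim 7: total + 1 and abnormal + 1
        self.open[sid] = [ip, False]
        self.count[ip] = [n + 1 for n in self.count[ip]]
        return self.check(ip)

    def reached_total_state(self, sid):           # claim 7: abnormal - 1, once per session
        sess = self.open.get(sid)
        if sess and not sess[1]:
            sess[1] = True
            self.count[sess[0]][1] -= 1

    def close_session(self, sid):
        sess = self.open.pop(sid, None)
        if sess:                                  # unknown or repeated close is ignored
            self.count[sess[0]][0] -= 1           # total - 1
            self.count[sess[0]][1] -= 0 if sess[1] else 1  # abnormal - 1 if never completed

    def sample(self):                             # claim 3: periodic read while learning
        for ip, pair in self.count.items():
            self.samples[ip].append(tuple(pair))

    def finish_learning(self, margin=1.5):        # assumed model: peak sample * margin, min 1
        for ip, rows in self.samples.items():
            self.limits[ip] = tuple(max(1, int(max(c) * margin)) for c in zip(*rows))

    def check(self, ip):                          # claim 6: which threshold is exceeded
        total, abnormal = self.count[ip]
        t_max, a_max = self.limits.get(ip, (float("inf"),) * 2)  # no model: never flag
        return "total" if total > t_max else "abnormal" if abnormal > a_max else None

def demo():                                       # constructed traffic for one IP
    m, ip = SessionMonitor(), "10.0.0.5"
    for sid in range(4):
        m.new_session(ip, sid)
    for sid in range(3):
        m.reached_total_state(sid)
    m.sample()                                    # reads (4, 1)
    m.finish_learning()                           # limits become (6, 1)
    m.reached_total_state(3)
    return m.limits[ip], [m.new_session(ip, 100 + i) for i in range(3)]
```

In `demo()` the three sessions opened after learning never reach total state, so the abnormal session threshold is exceeded on the second one, before the total session threshold is exceeded on the third.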
CN201811634274.0A 2018-12-29 2018-12-29 Monitoring method, device, computer equipment and its storage medium of Network Abnormal Pending CN109743314A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811634274.0A CN109743314A (en) 2018-12-29 2018-12-29 Monitoring method, device, computer equipment and its storage medium of Network Abnormal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811634274.0A CN109743314A (en) 2018-12-29 2018-12-29 Monitoring method, device, computer equipment and its storage medium of Network Abnormal

Publications (1)

Publication Number Publication Date
CN109743314A true CN109743314A (en) 2019-05-10

Family

ID=66362222

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811634274.0A Pending CN109743314A (en) 2018-12-29 2018-12-29 Monitoring method, device, computer equipment and its storage medium of Network Abnormal

Country Status (1)

Country Link
CN (1) CN109743314A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453434A (en) * 2016-12-20 2017-02-22 北京启明星辰信息安全技术有限公司 Monitoring method and monitoring system for network traffic
US20170126745A1 (en) * 2015-11-04 2017-05-04 Monico Monitoring, Inc. Industrial Network Security Translator
CN107872503A (en) * 2016-11-07 2018-04-03 中国移动通信集团湖南有限公司 A kind of firewall session number monitoring method and device
CN108933731A (en) * 2017-05-22 2018-12-04 南京骏腾信息技术有限公司 Intelligent gateway based on big data analysis

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110445770A (en) * 2019-07-18 2019-11-12 平安科技(深圳)有限公司 Attack Source positioning and means of defence, electronic equipment and computer storage medium
US11368847B2 (en) 2019-11-11 2022-06-21 Institute For Information Industry Networking behavior detector and networking behavior detection method thereof for indoor space
TWI776094B (en) * 2019-11-11 2022-09-01 財團法人資訊工業策進會 Networking behavior detector and networking behavior detection method thereof for indoor space
CN112866175A (en) * 2019-11-12 2021-05-28 华为技术有限公司 Method, device, equipment and storage medium for reserving abnormal traffic types
CN112866175B (en) * 2019-11-12 2022-08-19 华为技术有限公司 Method, device, equipment and storage medium for reserving abnormal traffic types
CN112134723A (en) * 2020-08-21 2020-12-25 杭州数梦工场科技有限公司 Network anomaly monitoring method and device, computer equipment and storage medium
CN113194086A (en) * 2021-04-27 2021-07-30 新华三信息安全技术有限公司 Anti-attack method and device
CN113194086B (en) * 2021-04-27 2022-05-27 新华三信息安全技术有限公司 Anti-attack method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190510
