CN109873790A - Network security detection method, device and computer readable storage medium - Google Patents

Publication number: CN109873790A
Application number: CN201711257651.9A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending
Inventors: 高儒振, 金潇, 王井龙, 陈存杨, 黄东豫, 姚文胜, 陈春华, 常琳, 隋翔, 任红伟, 郝晓宇
Original and current assignee: China Telecom Corp Ltd
Classification: Data Exchanges In Wide-Area Networks
Abstract

This disclosure relates to a network security detection method, device and computer-readable storage medium, in the field of Internet technology. The disclosed method includes: obtaining the traffic value at the current sampling instant in a network; predicting the traffic value at the current sampling instant using the locally weighted regression model corresponding to the traffic value at the current sampling instant; and comparing the obtained traffic value with the predicted traffic value, and determining that a risk exists in the network when the difference between the obtained traffic value and the predicted traffic value exceeds a threshold. Each time the disclosed method predicts the traffic value at the current sampling instant, it retrains the model using the traffic values at the nearby historical sampling instants, so the locally weighted regression model is corrected dynamically in real time, potential risks in the network are found, and the accuracy and timeliness of detection are improved.

Description

Network security detection method, device and computer readable storage medium
Technical field
This disclosure relates to the field of Internet technology, and in particular to a network security detection method, device and computer-readable storage medium.
Background
With the development of Internet technology, access to a network needs to undergo security detection in order to prevent malicious network access from damaging, altering or leaking data in the network system, and to ensure that the network system runs securely and reliably.
The intrusion detection technique in common use today mainly collects behavioral features of abnormal network access and builds a behavioral feature library; when a network access that matches the behavioral feature library is observed, that access is defined as an intrusion.
Summary of the invention
The inventors found that existing network security detection techniques have insufficient early-warning capability for new network attacks and cannot correct the detection rule model in real time, among other problems, and so cannot meet security requirements for high accuracy and high timeliness.
One technical problem the disclosure aims to solve is to propose a new network security detection method that improves the accuracy and timeliness of detection.
According to some embodiments of the disclosure, a network security detection method is provided, comprising: obtaining the traffic value at the current sampling instant in a network; predicting the traffic value at the current sampling instant using the locally weighted regression model corresponding to the traffic value at the current sampling instant; and comparing the obtained traffic value with the predicted traffic value and, when the difference between the obtained traffic value and the predicted traffic value exceeds a threshold, determining that a risk exists in the network.
In some embodiments, the locally weighted regression model corresponding to the traffic value at the current sampling instant is determined as follows: the traffic at the current sampling instant is parsed to obtain feature information of the traffic, the feature information including at least one of IP five-tuple information, user information and user operation information; and the locally weighted regression model corresponding to the traffic value at the current sampling instant is determined according to the feature information of the traffic.
In some embodiments, determining the corresponding locally weighted regression model according to the feature information of the traffic includes: matching the feature information of the traffic against application scenarios to determine the application scenario to which the traffic corresponds; and taking the locally weighted regression model under that application scenario as the corresponding locally weighted regression model.
In some embodiments, predicting the traffic value at the current sampling instant using the locally weighted regression model corresponding to the traffic value at the current sampling instant includes: obtaining the traffic values at the historical sampling instants in the network that correspond to the traffic value at the current sampling instant; training the locally weighted regression model according to the traffic values at the historical sampling instants; and predicting the traffic value at the current sampling instant using the trained locally weighted regression model.
In some embodiments, obtaining the traffic values at the historical sampling instants in the network that correspond to the traffic value at the current sampling instant includes: parsing the traffic at each historical sampling instant to obtain feature information of the traffic at each historical sampling instant; dividing the traffic values at the historical sampling instants into different application scenarios according to that feature information, each associated with the locally weighted regression model under its application scenario; and determining, according to the locally weighted regression model corresponding to the traffic value at the current sampling instant, the traffic values at the historical sampling instants that correspond to the traffic value at the current sampling instant.
In some embodiments, training data is generated from the historical sampling instants and the corresponding traffic values, and the locally weighted regression model is trained as follows. The loss function of the locally weighted regression model is expressed as:
$$J(\theta)=\sum_i \omega^{(i)}\left(y^{(i)}-\theta^{T}x^{(i)}\right)^2$$
where $x^{(i)}$ is the time vector of the i-th training data item, $y^{(i)}$ is the traffic value of the i-th training data item, $\omega^{(i)}$ is the weight corresponding to the i-th training data item, k is the wavelength function, x is the current time value, θ is the parameter of the locally weighted regression model, and i is a positive integer; different sampling instants correspond to different training data. The loss function J(θ) is minimized by adjusting θ, which gives the trained locally weighted regression model.
In some embodiments, the traffic value includes at least one of: a user access traffic value, an inter-system traffic value and a public network access traffic value.
According to other embodiments of the disclosure, a network security detection device is provided, comprising: a sampling module, for obtaining the traffic value at the current sampling instant in a network; a prediction module, for predicting the traffic value at the current sampling instant using the locally weighted regression model corresponding to the traffic value at the current sampling instant; and a risk determination module, for comparing the obtained traffic value with the predicted traffic value and, when the difference between the obtained traffic value and the predicted traffic value exceeds a threshold, determining that a risk exists in the network.
In some embodiments, the prediction module is used to parse the traffic at the current sampling instant to obtain feature information of the traffic, the feature information including at least one of IP five-tuple information, user information and user operation information, and to determine the locally weighted regression model corresponding to the traffic value at the current sampling instant according to the feature information of the traffic.
In some embodiments, the prediction module is used to match the feature information of the traffic against application scenarios, determine the application scenario to which the traffic corresponds, and take the locally weighted regression model under that application scenario as the corresponding locally weighted regression model.
In some embodiments, the prediction module is used to obtain the traffic values at the historical sampling instants in the network that correspond to the traffic value at the current sampling instant, train the locally weighted regression model according to the traffic values at the historical sampling instants, and predict the traffic value at the current sampling instant using the trained locally weighted regression model.
In some embodiments, the prediction module is used to parse the traffic at each historical sampling instant to obtain feature information of the traffic at each historical sampling instant; divide the traffic values at the historical sampling instants into different application scenarios according to that feature information, each associated with the locally weighted regression model under its application scenario; and determine, according to the locally weighted regression model corresponding to the traffic value at the current sampling instant, the traffic values at the historical sampling instants that correspond to the traffic value at the current sampling instant.
In some embodiments, the prediction module is used to generate training data from the historical sampling instants and the corresponding traffic values, and to train the locally weighted regression model as follows. The loss function of the locally weighted regression model is expressed as:
$$J(\theta)=\sum_i \omega^{(i)}\left(y^{(i)}-\theta^{T}x^{(i)}\right)^2$$
where $x^{(i)}$ is the time vector of the i-th training data item, $y^{(i)}$ is the traffic value of the i-th training data item, $\omega^{(i)}$ is the weight corresponding to the i-th training data item, k is the wavelength function, x is the current time value, θ is the parameter of the locally weighted regression model, and i is a positive integer; different sampling instants correspond to different training data. The loss function J(θ) is minimized by adjusting θ, which gives the trained locally weighted regression model.
In some embodiments, the traffic value includes at least one of: a user access traffic value, an inter-system traffic value and a public network access traffic value.
According to still other embodiments of the disclosure, a network security detection device is provided, comprising: a memory; and a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory device, the network security detection method of any of the foregoing embodiments.
According to still other embodiments of the disclosure, a computer-readable storage medium is provided on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the network security detection method of any of the foregoing embodiments.
The disclosure uses a locally weighted regression model to predict the traffic value at the current sampling instant and compares the current real traffic value with the predicted traffic value to judge whether a risk exists in the network. Each time it predicts a new sample, the locally weighted regression model retrains on the nearby data to obtain new parameter values; that is, every prediction of the traffic value at the current sampling instant retrains the model using the traffic values at the nearby historical sampling instants. The locally weighted regression model is thus corrected dynamically in real time, potential risks in the network are found, and the accuracy and timeliness of detection are improved.
Other features and advantages of the disclosure will become clear from the following detailed description of exemplary embodiments of the disclosure with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the disclosure or of the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below are only some embodiments of the disclosure; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 shows a flowchart of the network security detection method of some embodiments of the disclosure.
Fig. 2 shows a flowchart of the network security detection method of other embodiments of the disclosure.
Fig. 3 shows a structural diagram of the network security detection device of some embodiments of the disclosure.
Fig. 4 shows a structural diagram of the network security detection device of other embodiments of the disclosure.
Fig. 5 shows a structural diagram of the network security detection device of still other embodiments of the disclosure.
Detailed description
The technical solutions in the embodiments of the disclosure are described clearly and completely below with reference to the drawings in those embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the disclosure. The following description of at least one exemplary embodiment is merely illustrative and in no way limits the disclosure or its application or use. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the disclosure without creative effort fall within the scope of protection of the disclosure.
The disclosure proposes a network security detection method that uses a locally weighted regression model and can update the model parameters dynamically while performing risk detection in real time, improving the accuracy and timeliness of detection.
The network security detection method of the disclosure is described below with reference to Fig. 1.
Fig. 1 is a flowchart of some embodiments of the network security detection method of the disclosure. As shown in Fig. 1, the method of this embodiment includes steps S102 to S106.
Step S102: obtain the traffic value at the current sampling instant in the network.
A sampling interval can be preset, and the traffic value in the network is sampled once every preset sampling interval. The traffic value includes at least one of: a user access traffic value, an inter-system traffic value and a public network access traffic value. The traffic value is the size of the traffic.
After the data streams in the network are collected in real time, deep packet inspection can be performed on the collected traffic to obtain network-layer, application-layer and other information, including feature information such as the IP five-tuple, user information and user operation information. User information includes, for example, identifying information such as the user account; user operation information includes, for example, the URL (Uniform Resource Locator). The feature information of the traffic can therefore be used to distinguish the traffic of different users, inter-system traffic, public network access traffic and so on, and to obtain the traffic value of each kind of traffic.
Traffic values can be subdivided further according to the feature information of the traffic, and security detection performed separately for each traffic type. For example: distinguishing the traffic of different users; the traffic of different operation behaviors of different users; inter-system traffic in different time periods; the traffic of different operation behaviors between systems; public network access traffic at different times; the traffic of different public network access behaviors; and so on.
Step S104: predict the traffic value at the current sampling instant using the locally weighted regression model corresponding to the traffic value at the current sampling instant.
In some embodiments, different locally weighted regression models can be set for the various kinds of traffic, and distributed detection can be run in parallel on multiple kinds of traffic. The traffic at the current sampling instant is parsed to obtain the feature information of the traffic, and the locally weighted regression model corresponding to the traffic value at the current sampling instant is determined according to the feature information of the traffic.
Further, different application scenarios can be set up according to actual needs, each corresponding to different traffic feature information, and locally weighted regression models are used to detect whether the traffic under each application scenario carries a risk. The feature information of the traffic is matched against the application scenarios to determine the application scenario to which the traffic corresponds, and the locally weighted regression model under that application scenario is taken as the corresponding locally weighted regression model.
Before the locally weighted regression model is used to predict the traffic value at the current sampling instant, it must be trained on historical data. In some embodiments, the traffic values at the historical sampling instants in the network that correspond to the traffic value at the current sampling instant are obtained first. The locally weighted regression model is then trained according to the traffic values at the historical sampling instants, and the trained locally weighted regression model is used to predict the traffic value at the current sampling instant.
Further, when the traffic at each historical sampling instant is collected, it is parsed to obtain the feature information of the traffic at each historical sampling instant; the traffic values at the historical sampling instants are divided into different application scenarios according to that feature information, each associated with the locally weighted regression model under its application scenario; and the traffic values at the historical sampling instants that correspond to the traffic value at the current sampling instant are determined according to the locally weighted regression model corresponding to the traffic value at the current sampling instant.
After the traffic at each sampling instant is collected, it can be assigned to a specific application scenario according to its feature information. Further, information such as the traffic values under the different application scenarios is stored in separate storage locations; when a prediction is needed, the stored historical data for the relevant application scenario and the corresponding locally weighted regression model are called, and the traffic value at the current sampling instant can then be predicted.
The principle of the locally weighted regression model is described below.
Training samples can be generated from the traffic values obtained at the sampling instants. The i-th training data item in the training samples can be expressed as $(x^{(i)}, y^{(i)})$, where $x^{(i)}$ is the time vector of the i-th training data item. For example, $x^m$ is the m-th power term of the sampling instant value x, where m is a natural number. $y^{(i)}$ is the traffic value of the i-th training data item.
The parameters of the locally weighted regression model can be expressed as $\theta=(\theta_0,\ldots,\theta_m)$, and the linear equation of the locally weighted regression model is expressed as follows.
$$h_\theta(x^{(i)})=\theta^{T}x^{(i)} \qquad (1)$$
The loss function of the locally weighted regression model is expressed by the following formula.
$$J(\theta)=\sum_i \omega^{(i)}\left(y^{(i)}-\theta^{T}x^{(i)}\right)^2 \qquad (2)$$
$\omega^{(i)}$ is the weight corresponding to the i-th training data item, k is the wavelength function, and x is the current time value. It can be seen from the above formula that the greater the distance from $x^{(i)}$ to the current time x, the smaller the weight. The weight of a training data item depends on its distance from the sampling instant to be predicted, so every prediction of the traffic value at the current time requires the weight of each training data item to be redetermined and the model retrained according to the above formula. The loss function J(θ) is minimized by adjusting θ, which gives the trained locally weighted regression model.
After the trained locally weighted regression model $h_\theta(x^{(i)})$ is obtained, the current time value is input as x, and the predicted traffic value is obtained.
Step S106: compare the obtained traffic value with the predicted traffic value and, when the difference between the obtained traffic value and the predicted traffic value exceeds a threshold, determine that a risk exists in the network.
The timing and traffic values of a network attack usually differ considerably from those of normal users' network access. For example, a DDoS (Distributed Denial of Service) attack makes traffic surge by sending a large number of requests to a server, overloading the server so that it cannot work. Therefore, from a large amount of historical data, the locally weighted regression model can fit the trend of each kind of traffic in the network over time; the traffic value at the next instant can then be predicted from this trend and compared with the traffic value actually obtained. If the deviation is too large, it can be judged that a risk exists in the network and an alarm can be raised.
The method of the above embodiment uses a locally weighted regression model to predict the traffic value at the current sampling instant and compares the current real traffic value with the predicted traffic value to judge whether a risk exists in the network. Each time it predicts a new sample, the locally weighted regression model retrains on the nearby data to obtain new parameter values; that is, every prediction of the traffic value at the current sampling instant retrains the model using the traffic values at the nearby historical sampling instants. The locally weighted regression model is thus corrected dynamically in real time, potential risks in the network are found, and the accuracy and timeliness of detection are improved.
Other embodiments of the network security detection method of the disclosure are described below with reference to Fig. 2.
Fig. 2 is a flowchart of other embodiments of the network security detection method of the disclosure. As shown in Fig. 2, the method of this embodiment includes steps S202 to S214.
Step S202: obtain the traffic at the current sampling instant in the network.
The sampling interval can be set according to the actual situation, for example 1 minute, 1 hour or 1 day.
Step S204: perform deep packet inspection on the obtained traffic to obtain the feature information of the traffic.
Step S206: divide the traffic into different application scenarios according to the feature information of the traffic.
Application scenarios are constructed according to actual needs. For example, if the aim is to monitor whether access requests to a certain IP address are abnormal, that requirement can be set up as an application scenario; after traffic is obtained, the access requests whose destination address is that IP address are assigned to the scenario according to the IP five-tuple, user operation information and so on. As another example, if the aim is to monitor the access behavior of each user, an application scenario can be set up for each user, and after traffic is obtained it is assigned to the application scenario of the corresponding user according to its user information. Application scenarios can be divided by address, port, user, operation, time information (such as holidays or non-working hours) and other information, and the same traffic can be assigned to several different application scenarios.
When the above deep packet inspection, scenario division and other processes are run on the massive data streams in the network, the collected data can be split into blocks and the processes executed in parallel.
The following process can be executed for the traffic corresponding to each application scenario, and can be executed in parallel across the application scenarios.
Step S208: obtain the traffic value at the current sampling instant under the current application scenario.
The traffic value at each sampling instant is counted per application scenario. The traffic values at the sampling instants are stored, and can be stored separately for each application scenario so that they can be called directly when needed and the traffic of the various application scenarios can be detected in parallel.
Step S210: predict the traffic value at the current sampling instant using the locally weighted regression model under the current application scenario.
The locally weighted regression models corresponding to different application scenarios can differ, for example in the form of $x^{(i)}$. For the prediction process using the locally weighted regression model, refer to step S104.
Step S212: judge whether the difference between the traffic value obtained under the current application scenario and the predicted traffic value exceeds the threshold; if it does, execute step S214; otherwise wait for the next sampling instant and execute step S202 again.
Step S214: raise an alarm.
For example, the locally weighted regression model predicts a small traffic value for a port at the current sampling instant, but a large amount of access traffic is actually observed on that port; it is then judged that a risk exists in the network. The above method can also find anomalies such as a large amount of login traffic from the same user within a short time, or abnormal access volume to the same system.
The method of the above embodiment divides traffic into different application scenarios and performs network security detection on each in a targeted way, which can further improve the accuracy of detection.
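The loop of steps S202 to S214, with the locally weighted regression of formulas (1) and (2) refit at every sampling instant, is shown below as an added example; it is not code from the patent. The weight formula did not survive on this page, so the Gaussian kernel with bandwidth k is an assumption, as are the scenario rule (destination IP and port), the function and class names, the choice to keep flagged samples out of the history, and the constructed flow records.

```python
"""Per-scenario traffic check with locally weighted regression (added example)."""
import math
from collections import defaultdict, deque


def solve(a, b):
    """Solve a * theta = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("singular system: history too sparse or k too small")
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    theta = [0.0] * n
    for r in range(n - 1, -1, -1):
        s = sum(m[r][c] * theta[c] for c in range(r + 1, n))
        theta[r] = (m[r][n] - s) / m[r][r]
    return theta


def lwr_predict(history, t_now, k, degree=1):
    """Minimise J = sum_i w_i (y_i - theta^T x_i)^2 and predict the value at t_now.

    history: list of (sampling_instant, traffic_value) pairs.
    Assumed weight: w_i = exp(-(t_i - t_now)^2 / (2 k^2)), so older samples count less.
    Times are centred on t_now for numerical stability; the prediction is theta[0].
    """
    n = degree + 1
    a = [[0.0] * n for _ in range(n)]
    b = [0.0] * n
    for t, y in history:
        d = t - t_now
        w = math.exp(-(d * d) / (2.0 * k * k))
        x = [d ** p for p in range(n)]  # time vector (1, d, d^2, ...)
        for r in range(n):
            b[r] += w * x[r] * y
            for c in range(n):
                a[r][c] += w * x[r] * x[c]
    return solve(a, b)[0]  # weighted normal equations


def scenario_of(flow):
    """Hypothetical scenario rule: one scenario per destination IP and port."""
    return (flow["dst_ip"], flow["dst_port"])


def aggregate(flows, interval):
    """Sum bytes per (scenario, sampling instant): the traffic values of S208."""
    totals = defaultdict(int)
    for f in flows:
        totals[(scenario_of(f), f["ts"] // interval * interval)] += f["bytes"]
    return totals


class ScenarioDetector:
    """Keeps a separate history per scenario and refits on every sample."""

    def __init__(self, k, threshold, window=60, min_history=5):
        self.k, self.threshold, self.min_history = k, threshold, min_history
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, scenario, t, value):
        """Return (predicted, is_risk) for one sample (S210 and S212)."""
        hist = self.history[scenario]
        predicted, risk = None, False
        if len(hist) >= self.min_history:
            predicted = lwr_predict(list(hist), t, self.k)
            risk = abs(value - predicted) > self.threshold
        if not risk:  # example's choice: a surge must not become the new baseline
            hist.append((t, value))
        return predicted, risk


def run_demo():
    """Constructed data: a slowly growing HTTPS scenario that surges at minute 11."""
    flows = []
    for minute in range(12):
        web = 9000 if minute == 11 else 1000 + 20 * minute
        flows.append({"ts": minute * 60, "dst_ip": "192.0.2.10", "dst_port": 443, "bytes": web})
        flows.append({"ts": minute * 60 + 5, "dst_ip": "192.0.2.20", "dst_port": 22, "bytes": 300})
    det = ScenarioDetector(k=300.0, threshold=500.0)
    alerts = []
    samples = sorted(aggregate(flows, 60).items(), key=lambda kv: kv[0][1])
    for (scenario, t), value in samples:
        predicted, risk = det.observe(scenario, t, value)
        if risk:  # S214
            alerts.append((scenario, t, value, predicted))
    return alerts


if __name__ == "__main__":
    print(run_demo())
```

The bandwidth k must be chosen relative to the sampling interval: if k is much smaller than the interval, every weight underflows and the fit is rejected as singular.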
The disclosure also provides a network security detection device, described below with reference to Fig. 3.
Fig. 3 is a structural diagram of some embodiments of the network security detection device of the disclosure. As shown in Fig. 3, the device 30 of this embodiment includes: a sampling module 302, a prediction module 304 and a risk determination module 306.
The sampling module 302 is used to obtain the traffic value at the current sampling instant in the network.
The traffic value includes at least one of: a user access traffic value, an inter-system traffic value and a public network access traffic value.
The prediction module 304 is used to predict the traffic value at the current sampling instant using the locally weighted regression model corresponding to the traffic value at the current sampling instant.
In some embodiments, the prediction module 304 is used to parse the traffic at the current sampling instant to obtain feature information of the traffic, the feature information including at least one of IP five-tuple information, user information and user operation information, and to determine the locally weighted regression model corresponding to the traffic value at the current sampling instant according to the feature information of the traffic.
Further, the prediction module 304 is used to match the feature information of the traffic against application scenarios, determine the application scenario to which the traffic corresponds, and take the locally weighted regression model under that application scenario as the corresponding locally weighted regression model.
In some embodiments, the prediction module 304 is used to obtain the traffic values at the historical sampling instants in the network that correspond to the traffic value at the current sampling instant, train the locally weighted regression model according to the traffic values at the historical sampling instants, and predict the traffic value at the current sampling instant using the trained locally weighted regression model.
Further, the prediction module 304 is used to parse the traffic at each historical sampling instant to obtain feature information of the traffic at each historical sampling instant; divide the traffic values at the historical sampling instants into different application scenarios according to that feature information, each associated with the locally weighted regression model under its application scenario; and determine, according to the locally weighted regression model corresponding to the traffic value at the current sampling instant, the traffic values at the historical sampling instants that correspond to the traffic value at the current sampling instant.
Further, the prediction module 304 is used to generate training data from the historical sampling instants and the corresponding traffic values, and to train the locally weighted regression model as follows:
The loss function of the locally weighted regression model is expressed as:
$$J(\theta)=\sum_i \omega^{(i)}\left(y^{(i)}-\theta^{T}x^{(i)}\right)^2$$
where $x^{(i)}$ is the time vector of the i-th training data item, $y^{(i)}$ is the traffic value of the i-th training data item, $\omega^{(i)}$ is the weight corresponding to the i-th training data item, k is the wavelength function, x is the current time value, θ is the parameter of the locally weighted regression model, and i is a positive integer; different sampling instants correspond to different training data. The loss function J(θ) is minimized by adjusting θ, which gives the trained locally weighted regression model.
The risk determination module 306 is used to compare the obtained traffic value with the predicted traffic value and, when the difference between the obtained traffic value and the predicted traffic value exceeds a threshold, determine that a risk exists in the network.
Network security detection device can also comprise the following modules.
Distributed message middleware, for scheduling and transmitting real-time data between acquired original program and each analysis module Stream.
Index creation module, for creating index in real time for mass data, with the distributed organization for follow-up data.
Distributed search module, real-time query and displaying for mass data in hind computation and page interactive process.
Batch processing module, for carrying out the batch processing based on preset rules for data.
Statistical module, for the initial data based on different dimensions and analysis result data is for statistical analysis, to The generation of support section alarm and the interactive display of the page.
Real time aggregation module is different to support for mass data to be carried out the polymerization based on different time granularity The model of application scenarios, such as the minute grade polymerization for the application scenarios based on single user minute grade operation behavior.
The network security detection device in embodiments of the present disclosure may be implemented by various computing devices or computer systems, as described below with reference to Fig. 4 and Fig. 5.
Fig. 4 is a structural diagram of some embodiments of the network security detection device of the present disclosure. As shown in Fig. 4, the device 40 of this embodiment includes a memory 410 and a processor 420 coupled to the memory 410; the processor 420 is configured to execute, based on instructions stored in the memory 410, the network security detection method of any of the embodiments of the present disclosure.
The memory 410 may include, for example, a system memory and a fixed non-volatile storage medium. The system memory stores, for example, an operating system, application programs, a boot loader, a database and other programs.
Fig. 5 is a structural diagram of other embodiments of the network security detection device of the present disclosure. As shown in Fig. 5, the device 50 of this embodiment includes a memory 510 and a processor 520, which are similar to the memory 410 and the processor 420 respectively. It may also include an input/output interface 530, a network interface 540, a memory interface 550, and the like. These interfaces 530, 540, 550, the memory 510 and the processor 520 may be connected, for example, by a bus 560. The input/output interface 530 provides a connection interface for input/output devices such as a display, a mouse, a keyboard and a touch screen. The network interface 540 provides a connection interface for various networked devices and may, for example, be connected to a database server or a cloud storage server. The memory interface 550 provides a connection interface for external storage devices such as an SD card and a USB flash drive.
Those skilled in the art will understand that embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present disclosure may take the form of a computer program product implemented on one or more computer-usable non-transient storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present disclosure. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
The foregoing describes only preferred embodiments of the present disclosure and is not intended to limit the present disclosure. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present disclosure shall fall within the protection scope of the present disclosure.

Claims (16)

1. A network security detection method, comprising:
obtaining a flow value at a current sampling instant in a network;
predicting the flow value at the current sampling instant using a local weighted regression model corresponding to the flow value of the preceding sampling instant;
comparing the obtained flow value with the predicted flow value, and determining that a risk exists in the network when the difference between the obtained flow value and the predicted flow value exceeds a threshold.
2. The network security detection method according to claim 1, wherein the local weighted regression model corresponding to the flow value of the preceding sampling instant is determined by the following method:
parsing the flow at the current sampling instant to obtain characteristic information of the flow, the characteristic information including at least one of IP five-tuple information, user information and user operation information;
determining, according to the characteristic information of the flow, the local weighted regression model corresponding to the flow value at the current sampling instant.
3. The network security detection method according to claim 2, wherein determining the corresponding local weighted regression model according to the characteristic information of the flow comprises:
matching the characteristic information of the flow against application scenarios to determine the application scenario corresponding to the flow;
determining the local weighted regression model under that application scenario as the corresponding local weighted regression model.
4. The network security detection method according to claim 1, wherein predicting the flow value at the current sampling instant using the local weighted regression model corresponding to the flow value of the preceding sampling instant comprises:
obtaining the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant;
training the local weighted regression model according to the flow values at the historical sampling instants;
predicting the flow value at the current sampling instant using the trained local weighted regression model.
5. The network security detection method according to claim 4, wherein obtaining the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant comprises:
parsing the flow at each historical sampling instant to obtain characteristic information of the flow at each historical sampling instant;
dividing the flow values at the historical sampling instants into different application scenarios according to the characteristic information of the flow at each historical sampling instant, and associating them with the local weighted regression model under the respective application scenario;
determining, according to the local weighted regression model corresponding to the flow value at the current sampling instant, the flow values at the historical sampling instants that correspond to the flow value at the current sampling instant.
6. The network security detection method according to claim 4, wherein training data are generated from each historical sampling instant and the corresponding flow value, and the local weighted regression model is trained by the following method:
The loss function of the local weighted regression model is expressed as:
where $x^{(i)}$ is the time vector of the i-th training datum, $y^{(i)}$ is the flow value of the i-th training datum, $\omega^{(i)}$ is the weight corresponding to the i-th training datum, $k$ is the wavelength function, $x$ is the current time value, $\theta$ is the parameter of the local weighted regression model, and i is a positive integer; different sampling instants correspond to different training data;
the loss function $J(\theta)$ is minimized by adjusting $\theta$, yielding the trained local weighted regression model.
7. The network security detection method according to any one of claims 1-6, wherein
the flow value includes at least one of a user access flow value, an inter-system flow value and a public network access flow value.
8. A network security detection device, comprising:
a sampling module, for obtaining a flow value at a current sampling instant in a network;
a prediction module, for predicting the flow value at the current sampling instant using a local weighted regression model corresponding to the flow value of the preceding sampling instant;
a risk determining module, for comparing the obtained flow value with the predicted flow value, and determining that a risk exists in the network when the difference between the obtained flow value and the predicted flow value exceeds a threshold.
9. The network security detection device according to claim 8, wherein
the prediction module is configured to parse the flow at the current sampling instant to obtain characteristic information of the flow, the characteristic information including at least one of IP five-tuple information, user information and user operation information, and to determine, according to the characteristic information of the flow, the local weighted regression model corresponding to the flow value at the current sampling instant.
10. The network security detection device according to claim 9, wherein
the prediction module is configured to match the characteristic information of the flow against application scenarios, determine the application scenario corresponding to the flow, and determine the local weighted regression model under that application scenario as the corresponding local weighted regression model.
11. The network security detection device according to claim 8, wherein
the prediction module is configured to obtain the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant, train the local weighted regression model according to the flow values at the historical sampling instants, and predict the flow value at the current sampling instant using the trained local weighted regression model.
12. The network security detection device according to claim 11, wherein
the prediction module is configured to parse the flow at each historical sampling instant to obtain characteristic information of the flow at each historical sampling instant, divide the flow values at the historical sampling instants into different application scenarios according to that characteristic information and associate them with the local weighted regression model under the respective application scenario, and determine, according to the local weighted regression model corresponding to the flow value at the current sampling instant, the flow values at the historical sampling instants that correspond to the flow value at the current sampling instant.
13. The network security detection device according to claim 11, wherein the prediction module is configured to generate training data from each historical sampling instant and the corresponding flow value, and to train the local weighted regression model by the following method:
The loss function of the local weighted regression model is expressed as:
where $x^{(i)}$ is the time vector of the i-th training datum, $y^{(i)}$ is the flow value of the i-th training datum, $\omega^{(i)}$ is the weight corresponding to the i-th training datum, $k$ is the wavelength function, $x$ is the current time value, $\theta$ is the parameter of the local weighted regression model, and i is a positive integer; different sampling instants correspond to different training data;
the loss function $J(\theta)$ is minimized by adjusting $\theta$, yielding the trained local weighted regression model.
14. The network security detection device according to any one of claims 8-13, wherein
the flow value includes at least one of a user access flow value, an inter-system flow value and a public network access flow value.
15. A network security detection device, characterized by comprising:
a memory; and
a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory device, the network security detection method according to any one of claims 1-7.
16. A computer readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the steps of the method of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711257651.9A CN109873790A (en) 2017-12-04 2017-12-04 Network security detection method, device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711257651.9A CN109873790A (en) 2017-12-04 2017-12-04 Network security detection method, device and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN109873790A true CN109873790A (en) 2019-06-11

Family

ID=66914439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711257651.9A Pending CN109873790A (en) 2017-12-04 2017-12-04 Network security detection method, device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN109873790A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190611