CN109873790A - Network security detection method, device and computer readable storage medium - Google Patents
- Publication number
- CN109873790A (CN201711257651.9A)
- Authority
- CN
- China
- Prior art keywords
- flow value
- flow
- regression model
- value
- local weighted
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present disclosure relates to a network security detection method, device and computer-readable storage medium, in the field of Internet technology. The disclosed method includes: obtaining the flow value at the current sampling instant in the network; predicting the flow value at the current sampling instant using the locally weighted regression model corresponding to the flow value at the current sampling instant; and comparing the obtained flow value with the predicted flow value and, when the difference between the obtained flow value and the predicted flow value exceeds a threshold, determining that a risk exists in the network. Each time the method predicts the flow value at the current sampling instant, it retrains the model on the flow values at the nearby historical sampling instants, so the locally weighted regression model is corrected dynamically in real time, potential risks in the network are found, and the accuracy and timeliness of detection improve.
Description
Technical field
The present disclosure relates to the field of Internet technology, and in particular to a network security detection method, device and computer-readable storage medium.
Background
With the development of Internet technology, network access needs to be checked for security in order to prevent hostile network access from destroying, altering or leaking data in a network system, and to keep the network system running safely and reliably.
Currently used intrusion detection techniques mainly collect the behavioural characteristics of abnormal network access and build a behavioural characteristic library; when a network access matching an entry in the library is observed, that access is classified as an intrusion.
Summary of the invention
The inventors found that existing network security detection techniques have insufficient early-warning capability for new network attacks and cannot correct the detection rule model in real time, among other problems, and so cannot meet the demand for highly accurate and highly timely security.
One technical problem to be solved by the present disclosure is to propose a new network security detection method that improves the accuracy and timeliness of detection.
According to some embodiments of the present disclosure, a network security detection method is provided, comprising: obtaining the flow value at the current sampling instant in the network; predicting the flow value at the current sampling instant using the locally weighted regression model corresponding to the flow value at the current sampling instant; and comparing the obtained flow value with the predicted flow value and, when the difference between the obtained flow value and the predicted flow value exceeds a threshold, determining that a risk exists in the network.
In some embodiments, the locally weighted regression model corresponding to the flow value at the current sampling instant is determined as follows: the flow at the current sampling instant is parsed to obtain characteristic information of the flow, the characteristic information including at least one of IP five-tuple information, user information and user operation information; and the locally weighted regression model corresponding to the flow value at the current sampling instant is determined according to the characteristic information of the flow.
In some embodiments, determining the corresponding locally weighted regression model according to the characteristic information of the flow includes: matching the characteristic information of the flow against application scenarios to determine the application scenario to which the flow corresponds; and taking the locally weighted regression model under that application scenario as the corresponding locally weighted regression model.
In some embodiments, predicting the flow value at the current sampling instant using the locally weighted regression model corresponding to the flow value at the current sampling instant includes: obtaining the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant; training the locally weighted regression model on the flow values at those historical sampling instants; and predicting the flow value at the current sampling instant with the trained locally weighted regression model.
In some embodiments, obtaining the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant includes: parsing the flow at each historical sampling instant to obtain the characteristic information of the flow at that instant; dividing the flow values at the historical sampling instants into different application scenarios according to that characteristic information, each associated with the locally weighted regression model under its application scenario; and determining, according to the locally weighted regression model corresponding to the flow value at the current sampling instant, the flow values at the historical sampling instants that correspond to the flow value at the current sampling instant.
In some embodiments, training data is generated from the historical sampling instants and their corresponding flow values, and the locally weighted regression model is trained as follows. The loss function of the locally weighted regression model is expressed as:
$$J(\theta) = \sum_i \omega^{(i)} \left(y^{(i)} - \theta^T x^{(i)}\right)^2$$
where $x^{(i)}$ is the time vector of the i-th training datum, $y^{(i)}$ is the flow value of the i-th training datum, $\omega^{(i)}$ is the weight of the i-th training datum, $k$ is the wavelength function, $x$ is the current time value, $\theta$ is the parameter of the locally weighted regression model, and $i$ is a positive integer, with different sampling instants corresponding to different training data. The trained locally weighted regression model is obtained by adjusting $\theta$ so that the loss function $J(\theta)$ is minimised.
In some embodiments, the flow value includes at least one of: a user access flow value, an inter-system flow value and a public network access flow value.
According to other embodiments of the present disclosure, a network security detection device is provided, comprising: a sampling module for obtaining the flow value at the current sampling instant in the network; a prediction module for predicting the flow value at the current sampling instant using the locally weighted regression model corresponding to the flow value at the current sampling instant; and a risk determining module for comparing the obtained flow value with the predicted flow value and, when the difference between the obtained flow value and the predicted flow value exceeds a threshold, determining that a risk exists in the network.
In some embodiments, the prediction module is configured to parse the flow at the current sampling instant to obtain characteristic information of the flow, the characteristic information including at least one of IP five-tuple information, user information and user operation information, and to determine the locally weighted regression model corresponding to the flow value at the current sampling instant according to the characteristic information of the flow.
In some embodiments, the prediction module is configured to match the characteristic information of the flow against application scenarios, determine the application scenario to which the flow corresponds, and take the locally weighted regression model under that application scenario as the corresponding locally weighted regression model.
In some embodiments, the prediction module is configured to obtain the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant, train the locally weighted regression model on the flow values at those historical sampling instants, and predict the flow value at the current sampling instant with the trained locally weighted regression model.
In some embodiments, the prediction module is configured to parse the flow at each historical sampling instant to obtain the characteristic information of the flow at that instant; to divide the flow values at the historical sampling instants into different application scenarios according to that characteristic information, each associated with the locally weighted regression model under its application scenario; and to determine, according to the locally weighted regression model corresponding to the flow value at the current sampling instant, the flow values at the historical sampling instants that correspond to the flow value at the current sampling instant.
In some embodiments, the prediction module is configured to generate training data from the historical sampling instants and their corresponding flow values, and to train the locally weighted regression model as follows. The loss function of the locally weighted regression model is expressed as:
$$J(\theta) = \sum_i \omega^{(i)} \left(y^{(i)} - \theta^T x^{(i)}\right)^2$$
where $x^{(i)}$ is the time vector of the i-th training datum, $y^{(i)}$ is the flow value of the i-th training datum, $\omega^{(i)}$ is the weight of the i-th training datum, $k$ is the wavelength function, $x$ is the current time value, $\theta$ is the parameter of the locally weighted regression model, and $i$ is a positive integer, with different sampling instants corresponding to different training data. The trained locally weighted regression model is obtained by adjusting $\theta$ so that the loss function $J(\theta)$ is minimised.
In some embodiments, the flow value includes at least one of: a user access flow value, an inter-system flow value and a public network access flow value.
According to still other embodiments of the present disclosure, a network security detection device is provided, comprising: a memory; and a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the network security detection method of any of the foregoing embodiments.
According to still other embodiments of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the network security detection method of any of the foregoing embodiments.
The present disclosure uses a locally weighted regression model to predict the flow value at the current sampling instant, and compares the current real flow value with the predicted flow value to judge whether a risk exists in the network. Each time it predicts a new sample, the locally weighted regression model is retrained on the nearby data to obtain new parameter values; that is, every prediction of the flow value at the current sampling instant retrains the model on the flow values at the nearby historical sampling instants. The locally weighted regression model is therefore corrected dynamically in real time, potential risks in the network are found, and the accuracy and timeliness of detection improve.
Other features and advantages of the present disclosure will become apparent from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present disclosure or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the present disclosure; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 shows the flow diagram of the network security detection method of some embodiments of the present disclosure.
Fig. 2 shows the flow diagrams of the network security detection method of other embodiments of the disclosure.
Fig. 3 shows the structural schematic diagram of the network security detection device of some embodiments of the present disclosure.
Fig. 4 shows the structural schematic diagram of the network security detection device of other embodiments of the disclosure.
Fig. 5 shows the structural schematic diagram of the network security detection device of the other embodiment of the disclosure.
Detailed description of the embodiments
The technical solutions in the embodiments of the present disclosure are described clearly and completely below with reference to the drawings. The described embodiments are obviously only some of the embodiments of the present disclosure, not all of them. The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present disclosure or its application or use. All other embodiments obtained from the embodiments of the present disclosure by a person of ordinary skill in the art without creative effort fall within the scope of protection of the present disclosure.
The present disclosure proposes a network security detection method that uses a locally weighted regression model to update the model parameters dynamically in real time while performing risk detection, improving the accuracy and timeliness of detection.
The network security detection method of the disclosure is described below with reference to Fig. 1.
Fig. 1 is a flowchart of some embodiments of the network security detection method of the present disclosure. As shown in Fig. 1, the method of this embodiment includes steps S102 to S106.
Step S102: obtain the flow value at the current sampling instant in the network.
A sampling interval can be preset, and the flow value in the network is sampled once per interval. The flow value includes at least one of: a user access flow value, an inter-system flow value and a public network access flow value. The flow value is the size of the flow.
After the data streams in the network are collected in real time, deep packet parsing can be performed on the collected flow to obtain information from the network layer, the application layer and so on, including characteristic information such as the IP five-tuple, user information and user operation information. User information includes, for example, identification information such as a user account; user operation information includes, for example, a URL (Uniform Resource Locator). The characteristic information can therefore be used to distinguish the flows of different users, inter-system flows, public network access flows and so on, and to obtain the flow value of each kind of flow.
Flow values can also be subdivided further according to the characteristic information of the flow, with security detection performed separately for each flow type. For example: distinguishing the flows of different users; the flows of different operation behaviours of different users; inter-system flows in different time periods; the flows of different operation behaviours between systems; public network access flows at different times; and the flows of different public network access behaviours.
Step S104: predict the flow value at the current sampling instant using the locally weighted regression model corresponding to the flow value at the current sampling instant.
In some embodiments, a different locally weighted regression model can be set for each kind of flow, and the various flows can be checked in parallel in a distributed manner. The flow at the current sampling instant is parsed to obtain its characteristic information, and the locally weighted regression model corresponding to the flow value at the current sampling instant is determined according to that characteristic information.
Further, different application scenarios can be set up as needed, each corresponding to different flow characteristic information, and the locally weighted regression models are used to detect whether the flow under each application scenario carries a risk. The characteristic information of the flow is matched against the application scenarios to determine the scenario to which the flow corresponds, and the locally weighted regression model under that scenario is taken as the corresponding locally weighted regression model.
Before the locally weighted regression model is used to predict the flow value at the current sampling instant, it must be trained on historical data. In some embodiments, the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant are obtained first. The locally weighted regression model is then trained on the flow values at those historical sampling instants, and the trained model is used to predict the flow value at the current sampling instant.
Further, when the flow at each historical sampling instant is collected, it is parsed to obtain its characteristic information; the flow values at the historical sampling instants are divided into different application scenarios according to that characteristic information, each associated with the locally weighted regression model under its application scenario; and the flow values at the historical sampling instants that correspond to the flow value at the current sampling instant are determined according to the locally weighted regression model corresponding to the flow value at the current sampling instant.
After the flow at each sampling instant is collected, it can be assigned to a specific application scenario according to its characteristic information, and information such as the flow values under different application scenarios is stored in separate storage locations. When a prediction is needed, the stored historical data of the relevant application scenario and the corresponding locally weighted regression model are called up, and the flow value at the current sampling instant can then be predicted.
The principle of local weighted regression model is described below.
Training samples can be generated from the flow values obtained at each sampling instant. The i-th training datum in the training sample can be expressed as $(x^{(i)}, y^{(i)})$, where $x^{(i)}$ is the time vector of the i-th training datum; for example, $x^m$ is the $m$-th power term of the sampling time value $x$, with $m$ a natural number. $y^{(i)}$ is the flow value of the i-th training datum.
The parameters of the locally weighted regression model can be expressed as $\theta = (\theta_0, \ldots, \theta_m)$, and the linear equation of the locally weighted regression model is as follows.
$$h_\theta(x^{(i)}) = \theta^T x^{(i)} \tag{1}$$
The loss function of the locally weighted regression model is given by the following formula.
$$J(\theta) = \sum_i \omega^{(i)} \left(y^{(i)} - \theta^T x^{(i)}\right)^2 \tag{2}$$
$\omega^{(i)}$ is the weight of the i-th training datum, $k$ is the wavelength function, and $x$ is the current time value. It can be seen from the above formula that the greater the distance from $x^{(i)}$ to the current time $x$, the smaller the weight. The weight of a training datum depends on its distance to the sampling instant to be predicted, so every prediction of the flow value at the current time requires the weight of each training datum to be determined again and the model to be trained again according to the above formula. The trained locally weighted regression model is obtained by adjusting $\theta$ so that the loss function $J(\theta)$ is minimised.
Once the trained locally weighted regression model $h_\theta(x^{(i)})$ is obtained, the current time value is input as $x$ to obtain the predicted flow value.
Step S106: compare the obtained flow value with the predicted flow value and, when the difference between the obtained flow value and the predicted flow value exceeds a threshold, determine that a risk exists in the network.
The timing and flow values of a network attack usually differ considerably from those of normal users' network access. For example, a DDoS (Distributed Denial of Service) attack sends a large number of requests to a server so that the flow surges and the server is overloaded and cannot work. Using a large amount of historical data, the locally weighted regression model can therefore fit the trend of each kind of flow in the network over time, and the flow value at the next instant can be predicted from that trend. The predicted flow value is compared with the flow value actually obtained; if the deviation is too large, it can be judged that a risk exists in the network, and an alarm can be raised.
The method of the above embodiment uses a locally weighted regression model to predict the flow value at the current sampling instant, and compares the current real flow value with the predicted flow value to judge whether a risk exists in the network. Each time it predicts a new sample, the locally weighted regression model is retrained on the nearby data to obtain new parameter values; that is, every prediction of the flow value at the current sampling instant retrains the model on the flow values at the nearby historical sampling instants. The locally weighted regression model is therefore corrected dynamically in real time, potential risks in the network are found, and the accuracy and timeliness of detection improve.
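Steps S102 to S106, carried through as an added Python example (not code from the patent). The page's formula for the weight $\omega^{(i)}$ is not preserved, so a Gaussian kernel in the parameter `k` is assumed here; the function names, the sample series `HISTORY` and the thresholds are constructed for illustration.

```python
import math


def time_vector(x, m):
    """Time vector (1, x, x^2, ..., x^m) for a sampling time value x."""
    return [x ** p for p in range(m + 1)]


def solve(a, b):
    """Solve the linear system a * theta = b (Gauss-Jordan, partial pivoting)."""
    n = len(b)
    aug = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            # Too few distinct samples carry weight near the current time.
            raise ValueError("not enough weighted history to fit the model")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [v - f * p for v, p in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def lwr_predict(history, t_now, k=5.0, m=1):
    """Refit theta for t_now and return the predicted flow value.

    history is a list of (sampling_time, flow_value) pairs. theta minimises
    J(theta) = sum_i w_i * (y_i - theta^T x_i)^2, whose minimum satisfies the
    normal equations (sum_i w_i x_i x_i^T) theta = sum_i w_i x_i y_i.
    """
    n = m + 1
    a = [[0.0] * n for _ in range(n)]
    b = [0.0] * n
    for t, y in history:
        # Assumed weight (not from the page): Gaussian kernel, so samples
        # further from t_now count for less.
        w = math.exp(-((t - t_now) ** 2) / (2.0 * k * k))
        # Times are shifted so that t_now sits at 0. A polynomial fit is
        # unchanged by the shift, but the equations are better conditioned.
        xi = time_vector(t - t_now, m)
        for r in range(n):
            b[r] += w * xi[r] * y
            for c in range(n):
                a[r][c] += w * xi[r] * xi[c]
    theta = solve(a, b)
    # h_theta evaluated at the (shifted) current time value 0.
    return sum(th * v for th, v in zip(theta, time_vector(0.0, m)))


def check_sample(history, t_now, observed, threshold, k=5.0, m=1):
    """Step S106: flag a risk when |observed - predicted| exceeds threshold."""
    predicted = lwr_predict(history, t_now, k, m)
    return abs(observed - predicted) > threshold, predicted


# Constructed sample: one flow value per minute on a slowly rising baseline.
HISTORY = [(t, 100.0 + 2.0 * t) for t in range(60)]

if __name__ == "__main__":
    for observed in (223.0, 5000.0):  # an ordinary reading, then a burst
        risk, predicted = check_sample(HISTORY, 60, observed, threshold=50.0)
        print(f"observed={observed:.0f} predicted={predicted:.1f} risk={risk}")
```

Because the model is refitted on every call, the threshold is the only fixed parameter; whether a flagged sample is later admitted into the history is a design choice the page does not address.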
Other embodiments of disclosure network security detection method are described below with reference to Fig. 2.
Fig. 2 is a flowchart of other embodiments of the network security detection method of the present disclosure. As shown in Fig. 2, the method of this embodiment includes steps S202 to S214.
Step S202: obtain the flow at the current sampling instant in the network.
The sampling interval can be set according to the actual situation, for example 1 minute, 1 hour or 1 day.
Step S204: perform deep packet parsing on the obtained flow to obtain the characteristic information of the flow.
Step S206: divide the flow into different application scenarios according to its characteristic information.
Application scenarios are constructed as needed. For example, if one wants to monitor whether access requests to a certain IP address are abnormal, that requirement can be set up as one application scenario; after the flow is obtained, the access requests whose destination address is that IP address are assigned to the scenario according to the flow's IP five-tuple, user operation information and so on. As another example, to monitor each user's access, one application scenario can be set up per user; after the flow is obtained, it is assigned to the scenario of the corresponding user according to the flow's user information. Different application scenarios can be defined by address, port, user, operation, time information (such as holidays or non-working hours) and other information, and the same flow can be assigned to several different application scenarios.
When the above deep packet parsing and scenario division are applied to massive data streams in the network, the collected data can be split into blocks and the above processes executed in parallel.
The following process can be executed for the flow of each application scenario, and can be executed in parallel across the application scenarios.
Step S208: obtain the flow value at the current sampling instant under the current application scenario.
The flow value at each sampling instant is counted for each application scenario. The flow values at the sampling instants are stored, and can be stored separately per application scenario so that they can be called up directly when needed and the flows of the various application scenarios can be checked in parallel.
Step S210: predict the flow value at the current sampling instant using the locally weighted regression model under the current application scenario.
The locally weighted regression models of different application scenarios can differ, for example in the form of $x^{(i)}$. The prediction process using the locally weighted regression model is described in step S104.
Step S212: judge whether the difference between the flow value obtained under the current application scenario and the predicted flow value exceeds the threshold. If it does, execute step S214; otherwise, wait for the next sampling instant and execute step S202 again.
Step S214: raise an alarm.
For example, the locally weighted regression model predicts a small flow value for a port at the current sampling instant, but a large amount of access flow is actually observed on that port; it is then judged that a risk exists in the network. The above method can also discover situations such as an abnormal flow of logins by the same user within a short time, or an abnormal access volume to the same system.
The method of the above embodiment divides the flow into different application scenarios and performs network security detection for each in a targeted way, which can further improve the accuracy of detection.
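The scenario-partitioning stage of steps S206 to S208, as an added Python example (not code from the patent). The record fields, rule functions and addresses are constructed; empty sampling intervals are filled with 0 so that each scenario's series has one flow value per sampling instant, which is an assumption about how gaps are handled.

```python
from collections import defaultdict

WATCHED_DST = "192.0.2.10"  # constructed address from a documentation range

# Constructed records, shaped like the output of the deep packet parsing step:
# IP five-tuple, user information, user operation (URL) and size in bytes.
FLOWS = [
    {"ts": 5, "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10",
     "dport": 443, "proto": "tcp", "user": "alice", "url": "/login",
     "bytes": 1200},
    {"ts": 42, "src": "10.0.0.9", "sport": 51001, "dst": "192.0.2.10",
     "dport": 443, "proto": "tcp", "user": "bob", "url": "/report",
     "bytes": 800},
    {"ts": 61, "src": "10.0.0.5", "sport": 51002, "dst": "198.51.100.7",
     "dport": 22, "proto": "tcp", "user": "alice", "url": "",
     "bytes": 300},
    {"ts": 185, "src": "10.0.0.5", "sport": 51003, "dst": "192.0.2.10",
     "dport": 443, "proto": "tcp", "user": "alice", "url": "/login",
     "bytes": 500},
]


def watched_destination(flow):
    """Scenario for access requests whose destination is the watched address."""
    return "dst:" + flow["dst"] if flow["dst"] == WATCHED_DST else None


def per_user(flow):
    """One scenario per user, created the first time the user is seen."""
    return "user:" + flow["user"] if flow.get("user") else None


RULES = [watched_destination, per_user]


def partition(flows, rules=RULES, interval=60):
    """Return {scenario: [(sampling_instant, flow_value), ...]}.

    A flow is counted in every scenario whose rule matches it, so the same
    flow can contribute to several series. Timestamps are in seconds and are
    bucketed into sampling intervals of `interval` seconds.
    """
    totals = defaultdict(lambda: defaultdict(int))
    slots = set()
    for flow in flows:
        slot = flow["ts"] // interval * interval
        slots.add(slot)
        for rule in rules:
            key = rule(flow)
            if key is not None:
                totals[key][slot] += flow["bytes"]
    if not slots:
        return {}
    # One entry per sampling instant, including instants with no traffic, so
    # that a scenario going silent is visible to the model as a value of 0.
    timeline = range(min(slots), max(slots) + interval, interval)
    return {key: [(t, per_slot.get(t, 0)) for t in timeline]
            for key, per_slot in totals.items()}


if __name__ == "__main__":
    for scenario, series in sorted(partition(FLOWS).items()):
        print(scenario, series)
```

Each resulting series is the per-scenario history that the prediction in step S210 is trained on.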
The disclosure also provides a kind of network security detection device, is described below with reference to Fig. 3.
Fig. 3 is a structural diagram of some embodiments of the network security detection device of the present disclosure. As shown in Fig. 3, the device 30 of this embodiment includes a sampling module 302, a prediction module 304 and a risk determining module 306.
The sampling module 302 is configured to obtain the flow value at the current sampling instant in the network.
The flow value includes at least one of: a user access flow value, an inter-system flow value and a public network access flow value.
The prediction module 304 is configured to predict the flow value at the current sampling instant using the locally weighted regression model corresponding to the flow value at the current sampling instant.
In some embodiments, the prediction module 304 is configured to parse the flow at the current sampling instant to obtain characteristic information of the flow, the characteristic information including at least one of IP five-tuple information, user information and user operation information, and to determine the locally weighted regression model corresponding to the flow value at the current sampling instant according to the characteristic information of the flow.
Further, the prediction module 304 is configured to match the characteristic information of the flow against application scenarios, determine the application scenario to which the flow corresponds, and take the locally weighted regression model under that application scenario as the corresponding locally weighted regression model.
In some embodiments, the prediction module 304 is configured to obtain the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant, train the locally weighted regression model on the flow values at those historical sampling instants, and predict the flow value at the current sampling instant with the trained locally weighted regression model.
Further, the prediction module 304 is configured to parse the flow at each historical sampling instant to obtain the characteristic information of the flow at that instant; to divide the flow values at the historical sampling instants into different application scenarios according to that characteristic information, each associated with the locally weighted regression model under its application scenario; and to determine, according to the locally weighted regression model corresponding to the flow value at the current sampling instant, the flow values at the historical sampling instants that correspond to the flow value at the current sampling instant.
Further, the prediction module 304 is configured to generate training data from the historical sampling instants and their corresponding flow values, and to train the locally weighted regression model as follows.
The loss function of the locally weighted regression model is expressed as:
$$J(\theta) = \sum_i \omega^{(i)} \left(y^{(i)} - \theta^T x^{(i)}\right)^2$$
where $x^{(i)}$ is the time vector of the i-th training datum, $y^{(i)}$ is the flow value of the i-th training datum, $\omega^{(i)}$ is the weight of the i-th training datum, $k$ is the wavelength function, $x$ is the current time value, $\theta$ is the parameter of the locally weighted regression model, and $i$ is a positive integer, with different sampling instants corresponding to different training data. The trained locally weighted regression model is obtained by adjusting $\theta$ so that the loss function $J(\theta)$ is minimised.
The risk determining module 306 is configured to compare the obtained flow value with the predicted flow value and, when the difference between the obtained flow value and the predicted flow value exceeds a threshold, to determine that a risk exists in the network.
The network security detection device can also include the following modules.
A distributed message middleware, for scheduling and transmitting real-time data streams between the raw collection program and the analysis modules.
An index creation module, for creating indexes over massive data in real time, for the distributed organisation of subsequent data.
A distributed search module, for real-time query and display of massive data during back-end computation and page interaction.
A batch processing module, for batch processing of data based on preset rules.
A statistics module, for statistical analysis of raw data and analysis result data along different dimensions, to support the generation of some alarms and the interactive display of pages.
A real-time aggregation module, for aggregating massive data at different time granularities to support the models of different application scenarios, for example minute-level aggregation for an application scenario based on a single user's minute-level operation behaviour.
The network security detection devices in the embodiments of the present disclosure can each be implemented by various computing devices or computer systems, as described below with reference to Fig. 4 and Fig. 5.
Fig. 4 is a structural diagram of some embodiments of the network security detection device of the present disclosure. As shown in Fig. 4, the device 40 of this embodiment includes a memory 410 and a processor 420 coupled to the memory 410; the processor 420 is configured to execute, based on instructions stored in the memory 410, the network security detection method of any of the embodiments of the present disclosure.
The memory 410 may include, for example, a system memory and a fixed non-volatile storage medium. The system memory stores, for example, an operating system, application programs, a boot loader, a database and other programs.
Fig. 5 is a structural diagram of other embodiments of the network security detection device of the present disclosure. As shown in Fig. 5, the device 50 of this embodiment includes a memory 510 and a processor 520, which are similar to the memory 410 and the processor 420 respectively. It may also include an input/output interface 530, a network interface 540, a storage interface 550 and so on. These interfaces 530, 540, 550, the memory 510 and the processor 520 can be connected, for example, by a bus 560. The input/output interface 530 provides a connection interface for input/output devices such as a display, mouse, keyboard and touch screen. The network interface 540 provides a connection interface for various networked devices, and can for example be connected to a database server or a cloud storage server. The storage interface 550 provides a connection interface for external storage devices such as SD cards and USB flash drives.
Those skilled in the art should understand that embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present disclosure may take the form of a computer program product implemented on one or more computer-usable non-transitory storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is executed on the computer or other programmable device to produce computer-implemented processing. The instructions executed on the computer or other programmable device thus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The foregoing is merely the preferred embodiments of the present disclosure and is not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present disclosure shall be included within its scope of protection.
Claims (16)
1. A network security detection method, comprising:
obtaining the flow value at the current sampling instant in a network;
predicting the flow value at the current sampling instant using a local weighted regression model corresponding to the flow value of the preceding sampling instant;
comparing the obtained flow value with the predicted flow value, and determining that there is a risk in the network in the case where the difference between the obtained flow value and the predicted flow value exceeds a threshold.
2. The network security detection method according to claim 1, wherein the local weighted regression model corresponding to the flow value of the preceding sampling instant is determined as follows:
parsing the flow at the current sampling instant to obtain characteristic information of the flow, the characteristic information including at least one of IP five-tuple information, user information and user operation information;
determining, according to the characteristic information of the flow, the local weighted regression model corresponding to the flow value at the current sampling instant.
3. The network security detection method according to claim 2, wherein determining the corresponding local weighted regression model according to the characteristic information of the flow comprises:
matching the characteristic information of the flow against application scenarios to determine the application scenario corresponding to the flow;
determining the local weighted regression model under that application scenario as the corresponding local weighted regression model.
4. The network security detection method according to claim 1, wherein predicting the flow value at the current sampling instant using the local weighted regression model corresponding to the flow value of the preceding sampling instant comprises:
obtaining the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant;
training the local weighted regression model according to the flow values at the historical sampling instants;
predicting the flow value at the current sampling instant using the trained local weighted regression model.
5. The network security detection method according to claim 4, wherein obtaining the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant comprises:
parsing the flow at each historical sampling instant to obtain characteristic information of the flow at each historical sampling instant;
assigning the flow value at each historical sampling instant to one of the different application scenarios according to the characteristic information of the flow at that historical sampling instant, and associating it with the local weighted regression model under that application scenario;
determining, according to the local weighted regression model corresponding to the flow value at the current sampling instant, the flow values at the historical sampling instants that correspond to the flow value at the current sampling instant.
6. The network security detection method according to claim 4, wherein training data is generated from each historical sampling instant and the corresponding flow value, and the local weighted regression model is trained as follows:
The loss function of the local weighted regression model is expressed as:
where x(i) is the time vector of the i-th training data, y(i) is the flow value of the i-th training data, ω(i) is the weight corresponding to the i-th training data, k is the wavelength function, x is the current time value, θ is the parameter of the local weighted regression model, i is a positive integer, and different sampling instants correspond to different training data;
the loss function J(θ) is minimized by adjusting θ, yielding the trained local weighted regression model.
7. The network security detection method according to any one of claims 1-6, wherein
the flow value includes at least one of: a user access flow value, an inter-system flow value, and a public-network access flow value.
8. A network security detection device, comprising:
a sampling module, for obtaining the flow value at the current sampling instant in a network;
a prediction module, for predicting the flow value at the current sampling instant using a local weighted regression model corresponding to the flow value of the preceding sampling instant;
a risk determining module, for comparing the obtained flow value with the predicted flow value, and determining that there is a risk in the network in the case where the difference between the obtained flow value and the predicted flow value exceeds a threshold.
9. The network security detection device according to claim 8, wherein
the prediction module is used for parsing the flow at the current sampling instant to obtain characteristic information of the flow, the characteristic information including at least one of IP five-tuple information, user information and user operation information, and for determining, according to the characteristic information of the flow, the local weighted regression model corresponding to the flow value at the current sampling instant.
10. The network security detection device according to claim 9, wherein
the prediction module is used for matching the characteristic information of the flow against application scenarios to determine the application scenario corresponding to the flow, and for determining the local weighted regression model under that application scenario as the corresponding local weighted regression model.
11. The network security detection device according to claim 8, wherein
the prediction module is used for obtaining the flow values at the historical sampling instants in the network that correspond to the flow value at the current sampling instant, training the local weighted regression model according to the flow values at the historical sampling instants, and predicting the flow value at the current sampling instant using the trained local weighted regression model.
12. The network security detection device according to claim 11, wherein
the prediction module is used for parsing the flow at each historical sampling instant to obtain characteristic information of the flow at each historical sampling instant; assigning the flow value at each historical sampling instant to one of the different application scenarios according to the characteristic information of the flow at that historical sampling instant, and associating it with the local weighted regression model under that application scenario; and determining, according to the local weighted regression model corresponding to the flow value at the current sampling instant, the flow values at the historical sampling instants that correspond to the flow value at the current sampling instant.
13. The network security detection device according to claim 11, wherein the prediction module is used for generating training data from each historical sampling instant and the corresponding flow value, and training the local weighted regression model as follows:
The loss function of the local weighted regression model is expressed as:
where x(i) is the time vector of the i-th training data, y(i) is the flow value of the i-th training data, ω(i) is the weight corresponding to the i-th training data, k is the wavelength function, x is the current time value, θ is the parameter of the local weighted regression model, i is a positive integer, and different sampling instants correspond to different training data;
the loss function J(θ) is minimized by adjusting θ, yielding the trained local weighted regression model.
14. The network security detection device according to any one of claims 8-13, wherein
the flow value includes at least one of: a user access flow value, an inter-system flow value, and a public-network access flow value.
15. A network security detection device, characterized by comprising:
a memory; and
a processor coupled to the memory, the processor being configured to execute the network security detection method according to any one of claims 1-7 based on instructions stored in the memory.
16. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the method according to any one of claims 1-7.
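The retrain, predict and compare loop of claims 1, 4 and 6, as an added Python example that is not code from the patent. The loss formula did not survive on this page, so the example assumes the textbook locally weighted regression form (Gaussian weights with bandwidth k, weighted squared error); the window size, threshold, `repair_history` option and flow samples are constructed for illustration.

```python
import math


def lwr_predict(times, values, t_now, k):
    """Predict the flow value at t_now by locally weighted linear regression.

    Assumed textbook form: minimise
        J(theta) = sum_i w_i * (y_i - theta0 - theta1 * (x_i - t_now))**2
    with Gaussian weights w_i = exp(-(x_i - t_now)**2 / (2 * k**2)).
    """
    sw = sx = sxx = sy = sxy = 0.0
    for t, y in zip(times, values):
        d = t - t_now  # centre on the query point, so theta0 is the prediction
        w = math.exp(-(d * d) / (2.0 * k * k))
        sw += w
        sx += w * d
        sxx += w * d * d
        sy += w * y
        sxy += w * d * y
    if sw == 0.0:
        raise ValueError("all weights underflowed: increase k or shorten the window")
    det = sw * sxx - sx * sx
    if abs(det) <= 1e-12 * max(1.0, sw * sxx):
        return sy / sw  # too few distinct instants for a line: weighted mean
    # Closed-form solution of the 2x2 weighted normal equations for theta0.
    return (sxx * sy - sx * sxy) / det


def detect(samples, window=10, k=3.0, threshold=50.0, repair_history=True):
    """Retrain on the most recent `window` samples at every instant and return
    (t, observed, predicted) for each sample deviating by more than threshold.

    repair_history is this example's own choice, not something the patent
    states: a flagged sample is stored as its predicted value so that one
    spike does not distort the models trained at the following instants.
    """
    history, alerts = [], []
    for t, observed in samples:
        if len(history) >= window:
            recent = history[-window:]
            predicted = lwr_predict([p[0] for p in recent],
                                    [p[1] for p in recent], t, k)
            if abs(observed - predicted) > threshold:
                alerts.append((t, observed, predicted))
                if repair_history:
                    history.append((t, predicted))
                    continue
        history.append((t, observed))
    return alerts


# Constructed sample: flow grows by 2 units per instant, with a spike at t = 20.
SAMPLES = [(t, 100.0 + 2.0 * t + (300.0 if t == 20 else 0.0)) for t in range(30)]

if __name__ == "__main__":
    for t, obs, pred in detect(SAMPLES):
        print(f"t={t}: observed {obs:.1f}, predicted {pred:.1f} -> risk")
    naive = detect(SAMPLES, repair_history=False)
    print("alerts without history repair:", [a[0] for a in naive])
```

With `repair_history=False` the spike stays in the training window and the instants after it are flagged as well, which is the practical cost of retraining on unfiltered recent history.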
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711257651.9A CN109873790A (en) | 2017-12-04 | 2017-12-04 | Network security detection method, device and computer readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711257651.9A CN109873790A (en) | 2017-12-04 | 2017-12-04 | Network security detection method, device and computer readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109873790A true CN109873790A (en) | 2019-06-11 |
Family
ID=66914439
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711257651.9A Pending CN109873790A (en) | 2017-12-04 | 2017-12-04 | Network security detection method, device and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109873790A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111163073A (en) * | 2019-12-24 | 2020-05-15 | 山石网科通信技术股份有限公司 | Flow data processing method and device |
CN111818017A (en) * | 2020-06-11 | 2020-10-23 | 中国铁道科学研究院集团有限公司电子计算技术研究所 | Railway network security prediction method and system and electronic equipment |
CN112769733A (en) * | 2019-11-05 | 2021-05-07 | 中国电信股份有限公司 | Network early warning method, device and computer readable storage medium |
CN113300905A (en) * | 2021-04-16 | 2021-08-24 | 广州技象科技有限公司 | Flow prediction self-adaptive adjusting method, device, equipment and storage medium |
CN113691529A (en) * | 2021-08-24 | 2021-11-23 | 珠海市鸿瑞信息技术股份有限公司 | Industrial control system and method based on network security of power industry |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102130800A (en) * | 2011-04-01 | 2011-07-20 | 苏州赛特斯网络科技有限公司 | Device and method for detecting network access abnormality based on data stream behavior analysis |
CN102355381A (en) * | 2011-08-18 | 2012-02-15 | 网宿科技股份有限公司 | Method and system for predicting flow of self-adaptive differential auto-regression moving average model |
CN105718432A (en) * | 2016-03-16 | 2016-06-29 | 北京睿新科技有限公司 | Information mining and data quality verification method for power grid operation equipment |
CN105989441A (en) * | 2015-02-11 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Model parameter adjustment method and device |
US9582667B2 (en) * | 2013-09-30 | 2017-02-28 | Globalfoundries Inc. | Detecting vulnerability to resource exhaustion |
CN106815255A (en) * | 2015-11-27 | 2017-06-09 | 阿里巴巴集团控股有限公司 | The method and device of detection data access exception |
CN106992994A (en) * | 2017-05-24 | 2017-07-28 | 腾讯科技(深圳)有限公司 | A kind of automatically-monitored method and system of cloud service |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102130800A (en) * | 2011-04-01 | 2011-07-20 | 苏州赛特斯网络科技有限公司 | Device and method for detecting network access abnormality based on data stream behavior analysis |
CN102355381A (en) * | 2011-08-18 | 2012-02-15 | 网宿科技股份有限公司 | Method and system for predicting flow of self-adaptive differential auto-regression moving average model |
US9582667B2 (en) * | 2013-09-30 | 2017-02-28 | Globalfoundries Inc. | Detecting vulnerability to resource exhaustion |
CN105989441A (en) * | 2015-02-11 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Model parameter adjustment method and device |
CN106815255A (en) * | 2015-11-27 | 2017-06-09 | 阿里巴巴集团控股有限公司 | The method and device of detection data access exception |
CN105718432A (en) * | 2016-03-16 | 2016-06-29 | 北京睿新科技有限公司 | Information mining and data quality verification method for power grid operation equipment |
CN106992994A (en) * | 2017-05-24 | 2017-07-28 | 腾讯科技(深圳)有限公司 | A kind of automatically-monitored method and system of cloud service |
Non-Patent Citations (1)
Title |
---|
Xu Xiaodan et al.: "A classification method based on local weighted regression", Computer Engineering & Science * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112769733A (en) * | 2019-11-05 | 2021-05-07 | 中国电信股份有限公司 | Network early warning method, device and computer readable storage medium |
CN112769733B (en) * | 2019-11-05 | 2023-04-07 | 中国电信股份有限公司 | Network early warning method, device and computer readable storage medium |
CN111163073A (en) * | 2019-12-24 | 2020-05-15 | 山石网科通信技术股份有限公司 | Flow data processing method and device |
CN111818017A (en) * | 2020-06-11 | 2020-10-23 | 中国铁道科学研究院集团有限公司电子计算技术研究所 | Railway network security prediction method and system and electronic equipment |
CN111818017B (en) * | 2020-06-11 | 2021-08-17 | 中国铁道科学研究院集团有限公司电子计算技术研究所 | Railway network security prediction method and system and electronic equipment |
CN113300905A (en) * | 2021-04-16 | 2021-08-24 | 广州技象科技有限公司 | Flow prediction self-adaptive adjusting method, device, equipment and storage medium |
CN113691529A (en) * | 2021-08-24 | 2021-11-23 | 珠海市鸿瑞信息技术股份有限公司 | Industrial control system and method based on network security of power industry |
CN113691529B (en) * | 2021-08-24 | 2022-03-11 | 珠海市鸿瑞信息技术股份有限公司 | Industrial control system and method based on network security of power industry |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109873790A (en) | Network security detection method, device and computer readable storage medium | |
CN111614690B (en) | Abnormal behavior detection method and device | |
CN104750768B (en) | Method and system for identification, monitoring and ranking event from social media | |
CN109948669A (en) | A kind of abnormal deviation data examination method and device | |
CN106982230B (en) | Flow detection method and system | |
CN103870751A (en) | Method and system for intrusion detection | |
CN110445801B (en) | Situation sensing method and system of Internet of things | |
CN108989136A (en) | Business end to end performance monitoring method and device | |
CN110287316A (en) | A kind of Alarm Classification method, apparatus, electronic equipment and storage medium | |
CN110493043B (en) | Distributed situation awareness calling method and device | |
CN110445939B (en) | Capacity resource prediction method and device | |
CN108960520A (en) | A kind of Methods of electric load forecasting, system, computer equipment, medium | |
CN113688957A (en) | Target detection method, device, equipment and medium based on multi-model fusion | |
CN109325193A (en) | WAF normal discharge modeling method and device based on machine learning | |
CN107704387A (en) | For the method, apparatus of system early warning, electronic equipment and computer-readable medium | |
CN112233428B (en) | Traffic flow prediction method, device, storage medium and equipment | |
CN112288163A (en) | Target factor prediction method of target object and related equipment | |
CN110348508A (en) | Examine the data checking method and its system, electronic equipment of exceptional value | |
CN110460608B (en) | Situation awareness method and system including correlation analysis | |
CN113886181A (en) | Dynamic threshold prediction method, device and medium applied to AIOps fault early warning | |
CN112395351A (en) | Visual identification group complaint risk method, device, computer equipment and medium | |
CN111897700A (en) | Application index monitoring method and device, electronic equipment and readable storage medium | |
CN110322153A (en) | Monitor event processing method and system | |
CN114978877A (en) | Exception handling method and device, electronic equipment and computer readable medium | |
CN112925634A (en) | Heterogeneous resource scheduling method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20190611 |