CN110033130A

CN110033130A - The monitoring method and device of abnormal traffic

Info

Publication number: CN110033130A
Application number: CN201910241926.2A
Authority: CN
Inventors: 霍扬扬; 周扬; 杨树波; 于君泽
Original assignee: Alibaba Group Holding Ltd
Current assignee: Advanced New Technologies Co Ltd; Advantageous New Technologies Co Ltd
Priority date: 2019-03-28
Filing date: 2019-03-28
Publication date: 2019-07-19

Abstract

This specification embodiment provides the monitoring method and device of a kind of abnormal traffic, this method comprises: obtaining the prediction data that the achievement data using prediction model to the index to be predicted of each sample business at the setting moment is predicted, and obtain index to be predicted truthful data corresponding to the setting moment of above-mentioned each sample business；According to prediction data and truthful data corresponding to each sample business, prediction difference data corresponding to each sample business are determined；Based on prediction difference data corresponding to each sample business, the alert threshold that rule determines that service monitoring system is used to be monitored abnormal traffic is determined according to the threshold value of setting；Wherein, above-mentioned prediction model is the model in service monitoring system for being predicted the index to be predicted of target service.

Description

The monitoring method and device of abnormal traffic

Technical field

This application involves computer and technical field of data processing more particularly to the monitoring methods and dress of a kind of abnormal traffic It sets.

Background technique

With the fast development of internet and information technology, more and more business need to be done by operation system Reason, for example, fee payment service, transferred account service, payment transaction etc..In general, the normal operation in order to ensure business, needs to business Certain indexs be monitored, so as to the abnormal conditions in discovery business in time, e.g., business processing stroke count is abnormal, business funds Situations such as total value is abnormal.

Currently, generally realizing the monitoring of service exception by monitor supervision platform, business monitoring is provided on business monitoring platform Model predicted by a certain index of the business monitoring model to business, and by the difference of predicted value and practical business value with Alert threshold is compared, and detects abnormal traffic with this.Therefore, monitor supervision platform needs to set to realize the monitoring of abnormal traffic Set alert threshold.

But how the threshold value on business monitoring platform is accurately set, to improve the accuracy rate of monitoring exceptional service The technical issues of as current urgent need to resolve.

Summary of the invention

The purpose of this specification embodiment is to provide the monitoring method and device of a kind of abnormal traffic, is determining business monitoring When being used for the alert threshold of monitoring exceptional service in system, based on prediction model to the index to be predicted of sample business in setting The index to be predicted of prediction data and the sample business that the achievement data at quarter is predicted setting the moment corresponding to it is true Prediction difference data between real data are determined；In this way, the prediction error of the prediction model in service monitoring system is considered Inside, the accuracy of alert threshold determined by improving, so as to improve the accuracy rate of monitoring exceptional service；In addition, this Specification embodiment realize alert threshold automation determine, compared with determining alert threshold by manual type, efficiency with Accuracy is all improved.

In order to solve the above technical problems, this specification embodiment is achieved in that

This specification embodiment provides a kind of monitoring method of abnormal traffic, which comprises

The achievement data using prediction model to the index to be predicted of each sample business at the setting moment is obtained to predict Prediction data, and, it is true corresponding to the setting moment to obtain the index to be predicted of each sample business Data；Wherein, the prediction model is in service monitoring system for predicting the index to be predicted of target service Model；

According to prediction data and truthful data corresponding to each sample business, determine corresponding to each sample business Prediction difference data；

Based on prediction difference data corresponding to each sample business, determined described in regular determine according to the threshold value of setting Service monitoring system is used for the alert threshold being monitored to abnormal traffic.

This specification embodiment additionally provides a kind of monitoring method of abnormal traffic, which comprises

The actual services amount data of operation system to be monitored target service handled by the setting moment are obtained, and, it obtains Prediction model is taken to predict the operation system to be monitored target service handled by the setting moment pre- Survey traffic data；

Determine the prediction difference data of the prediction traffic data and the actual services amount data；

The prediction difference data are compared with predetermined alert threshold, with the determination target service in institute State whether the setting moment exception occurs；Wherein, the alert threshold be based on the prediction model to each sample business when specified The prediction data and each sample business that the business datum at quarter is predicted are between the truthful data of the given time Prediction difference data are determined.

This specification embodiment additionally provides a kind of monitoring device of abnormal traffic, and described device includes:

Module is obtained, for obtaining the index to be predicted for using prediction model to each sample business in the index at setting moment The prediction data that data are predicted, and, the index to be predicted of each sample business is obtained at the setting moment Corresponding truthful data；Wherein, the prediction model is in service monitoring system for the described to be predicted of target service The model that index is predicted；

First determining module determines institute for prediction data and truthful data according to corresponding to each sample business State prediction difference data corresponding to each sample business；

Second determining module, for based on prediction difference data corresponding to each sample business, according to the threshold of setting Value determines the alert threshold that rule determines that the service monitoring system is used to be monitored abnormal traffic.

Module is obtained, for obtaining the actual services number of operation system to be monitored target service handled by the setting moment According to, and, obtain prediction model to the operation system to be monitored target service handled by the setting moment into The prediction business datum of row prediction；

Determining module, for determining the prediction difference data of the prediction business datum and the actual services data；

Comparison module, for the prediction difference data to be compared with predetermined alert threshold, to determine It states target service and whether exception occurs at the setting moment；Wherein, the alert threshold is based on the prediction model to various kinds The prediction data and each sample business that this business is predicted in the business datum of given time are in the given time Prediction difference data between actual services data are determined.

This specification embodiment additionally provides a kind of monitoring device of abnormal traffic, comprising:

Processor；And

It is arranged to the memory of storage computer executable instructions, the executable instruction makes the place when executed Manage device:

Processor；And

The actual services data of operation system to be monitored target service handled by the setting moment are obtained, and, it obtains The prediction that prediction model predicts the operation system to be monitored target service handled by the setting moment Business datum；

Determine the prediction difference data of the prediction business datum and the actual services data；

The prediction difference data are compared with predetermined alert threshold, with the determination target service in institute State whether the setting moment exception occurs；Wherein, the alert threshold be based on the prediction model to each sample business when specified The prediction data and each sample business that the business datum at quarter is predicted the given time actual services data it Between prediction difference data determined.

This specification embodiment additionally provides a kind of storage medium, described to hold for storing computer executable instructions Following below scheme is realized in row instruction when executed:

Technical solution in the present embodiment is used for the alert threshold of monitoring exceptional service in determining service monitoring system When, the prediction data that the achievement data based on prediction model to the index to be predicted of sample business at the setting moment is predicted, And prediction difference data of the index to be predicted of the sample business between the truthful data corresponding to the setting moment are determined； In this way, the prediction error of the prediction model in service monitoring system is taken into account, the standard of identified alert threshold is improved True property, so as to improve the accuracy rate of monitoring exceptional service；In addition, this specification embodiment realizes the automatic of alert threshold Change and determine, compared with determining alert threshold by manual type, efficiency and accuracy are all improved.

Detailed description of the invention

In order to illustrate more clearly of this specification embodiment or technical solution in the prior art, below will to embodiment or Attached drawing needed to be used in the description of the prior art is briefly described, it should be apparent that, the accompanying drawings in the following description is only Some embodiments as described in this application, for those of ordinary skill in the art, in the premise not made the creative labor Under, it is also possible to obtain other drawings based on these drawings.

Fig. 1 is one of the method flow diagram for the monitoring exceptional service method that this specification embodiment provides；

Fig. 2 is the two of the method flow diagram of the monitoring method for the abnormal traffic that this specification embodiment provides；

Fig. 3 is the three of the method flow diagram of the monitoring method for the abnormal traffic that this specification embodiment provides；

Fig. 4 is the four of the method flow diagram of the monitoring method for the abnormal traffic that this specification embodiment provides；

Fig. 5 is the five of the method flow diagram of the monitoring method for the abnormal traffic that this specification embodiment provides；

Fig. 6 is one of the module composition schematic diagram of monitoring device of abnormal traffic that this specification embodiment provides；

Fig. 7 is the two of the module composition schematic diagram of the monitoring device for the abnormal traffic that this specification embodiment provides

Fig. 8 is the structural schematic diagram of the monitoring device for the abnormal traffic that this specification embodiment provides.

Specific embodiment

In order to make those skilled in the art better understand the technical solutions in the application, below in conjunction with this specification Attached drawing in embodiment is clearly and completely described the technical solution in this specification embodiment, it is clear that described Embodiment is merely a part but not all of the embodiments of the present application.Based on the embodiment in the application, this field Those of ordinary skill's every other embodiment obtained without creative efforts, all should belong to the application The range of protection.

The thought of this specification embodiment is, the alarm threshold of monitoring exceptional service is used in determining service monitoring system When value, the prediction error of prediction model in service monitoring system is taken into account, identified alert threshold can be improved in this way Accuracy, also, determine by way of automation the alert threshold that monitoring exceptional service is used in service monitoring system, also The determination efficiency and accuracy of alert threshold can be improved.Based on this, this specification embodiment provides a kind of abnormal traffic Monitoring method, device, equipment and storage medium, it is following to be described in detail one by one.

The method that this specification embodiment provides can be applied to the terminal devices such as computer, computer, i.e. this method is held Row main body can be terminal device, specifically, executing subject can be the monitoring dress for the abnormal traffic being mounted on terminal device It sets.

Fig. 1 is one of the method flow diagram of monitoring method of abnormal traffic that this specification embodiment provides, shown in FIG. 1 Method includes at least following steps:

Step 102, it obtains using prediction model to the index to be predicted of each sample business in the achievement data for setting the moment The prediction data predicted, and, obtain index to be predicted truthful data corresponding to the setting moment of each sample business； Wherein, above-mentioned prediction model is the model in service monitoring system for being predicted the index to be predicted of target service.

In general, in order to realize the monitoring to the abnormal traffic in business handled by operation system, in service monitoring system In be provided with the prediction model predicted certain indexs to be predicted of business, service monitoring system can be set one or Multiple prediction models, different prediction models predicts the achievement data of the different indexs of different business, therefore, to industry Before business is monitored, need to carry out the training of prediction model using a large amount of business sample.

In this specification embodiment, can complete prediction model training after, to prediction model tested when It waits and executes method provided by this specification embodiment.Therefore, mentioned in step 102 to sample business can be to prediction The test sample that model is tested, it is of course also possible to be other sample business, this specification embodiment is limited not to this It is fixed.

It in a specific embodiment, can be by the related data input prediction model of each sample business, to various kinds Achievement data of this index to be predicted at the setting moment is predicted, and obtains output as a result, the output knot from prediction model Fruit is then prediction data corresponding to each sample business.Wherein, the related data of above-mentioned each sample business can be the business Index to be predicted corresponding true value at various moments, by true value input prediction model corresponding to each moment, thus The index value at some setting moment after each moment is predicted.In addition, in this specification embodiment, due to using Be sample business, therefore, the index to be predicted of each sample business truthful data corresponding to the setting moment be then it is known, Therefore, index to be predicted true value corresponding to the setting moment of each sample business can be directly acquired.

For example, the related data of input prediction model can be portfolio, t2 moment handled by t1 moment operation system Portfolio handled by operation system, portfolio handled by t3 moment operation system, need to predict t4 moment operation system institute Therefore portfolio input prediction model corresponding to t1, t2 and t3 moment can be carried out t4 moment institute by the portfolio of processing The prediction of corresponding portfolio.

Certainly, when being predicted using prediction model, the data inputted may be multiple, it is not limited to 3, this Place is exemplary illustration, does not constitute the restriction to this specification embodiment.

Wherein, in this specification embodiment, above-mentioned prediction model can be shot and long term memory network (long short Term memory, LSTM) prediction model.

In addition, it is necessary to explanation, above-mentioned index to be predicted can be the index arbitrarily predicted in business, example It such as, can be handled portfolio, business funds total value etc..

Step 104, prediction data and truthful data according to corresponding to each sample business determines corresponding to each sample business Prediction difference data.

In this specification embodiment, above-mentioned prediction data then refers to the prediction index to each sample business in setting The predicted value that the achievement data at quarter is predicted, truthful data then refer to the index to be predicted of each sample business at the setting moment Corresponding true value.

In above-mentioned steps 104, when determining prediction difference data corresponding to each sample business, then various kinds is calculated separately The difference of predicted value corresponding to this business and true value, using the difference as prediction difference data corresponding to sample business.

For example, prediction data corresponding to sample business 1 is x₁, truthful data corresponding to sample business 1 is y₁, can be with Prediction difference data corresponding to sample business 1 are calculated by following formula；

z₁=| x₁-y₁|

Wherein, in above-mentioned formula, z₁Indicate prediction difference data corresponding to sample business 1.

Step 106, based on prediction difference data corresponding to each sample business, determine that rule determines according to the threshold value of setting Service monitoring system is used for the alert threshold being monitored to abnormal traffic.

In this specification embodiment, after having obtained prediction difference data corresponding to each sample business, then being based on should Prediction difference data determine the alert threshold that monitoring exceptional service is used in service monitoring system.

In a specific embodiment, in above-mentioned steps 106, based on prediction difference number corresponding to each sample business According to alert threshold corresponding to the determining service monitoring system of threshold value determination rule according to setting specifically comprises the following steps one And step 2:

Step 1: determining the mean value and standard deviation of prediction difference data corresponding to each sample business；

Step 2: being based on above-mentioned mean value and standard deviation, alert threshold corresponding to service monitoring system is determined.

Specifically, in this specification embodiment, according to mean value and standard deviation, above-mentioned police can be calculated by following formula Report threshold value；

T=μ+N* σ

Wherein, in above-mentioned formula, T indicates that alert threshold corresponding to service monitoring system, μ indicate mean value, and σ indicates mark Quasi- poor, N indicates constant.

In this specification embodiment, when carrying out the adjustment of alert threshold, it is only necessary to carry out the adjustment of above-mentioned N value i.e. Can, it is simple to operate.

In the specific implementation, the value of above-mentioned N can be 3, it is of course also possible to according to practical business demand to the value of N It is adjusted, this specification embodiment is not defined the specific value of above-mentioned N.

The method that this specification embodiment provides for ease of understanding, it is following that the above-mentioned alert threshold provided will be provided Specific method of determination.

For example, in the specific implementation, the number of used sample business is n, wherein n is positive integer, accessed Prediction data corresponding to n sample business is denoted as x=[x₁,x₂,...,x_n], wherein x₁It is pre- corresponding to sample business 1 Measured data, x₂For prediction data corresponding to sample business 2, x_nIt is then prediction data corresponding to sample business n.N sample industry The corresponding truthful data of business is denoted as y=[y₁,y₂,...,y_n], wherein y₁For truthful data corresponding to sample business 1, y₂For Truthful data corresponding to sample business 2, y_nIt is then truthful data corresponding to sample business n, corresponding to n sample business Prediction difference data are denoted as: z=[z₁,z₂,...,z_n], wherein z_i=| x_i-y_i|, the value of i is 1,2 ..., n, wherein z₁For Prediction difference data, z corresponding to sample business 1₂For prediction difference data, z corresponding to sample business 2_nFor sample business n Corresponding prediction difference data；

After prediction difference data corresponding to n sample business have been determined, then need to calculate n prediction difference data Mean value and standard deviation, specifically, prediction difference data corresponding to n sample business can be calculated by following formula respectively Mean value and standard deviation；

Wherein, in above-mentioned formula, μ indicates the mean value of prediction difference data corresponding to n sample business, and σ indicates n The standard deviation of prediction difference data corresponding to sample business.

After calculating mean value and standard deviation by above-mentioned formula, then service monitoring system is calculated by formula T=μ+N* σ In be used for monitoring exceptional service alert threshold.

Fig. 2 is the two of the method flow diagram of the monitoring method for the abnormal traffic that this specification embodiment provides, shown in Fig. 2 Method includes at least following steps:

Step 202, it obtains using prediction model to the index to be predicted of each sample business in the achievement data for setting the moment The prediction data predicted, and, obtain index to be predicted truthful data corresponding to the setting moment of each sample business.

Step 204, prediction data and truthful data according to corresponding to each sample business determines corresponding to each sample business Prediction difference data.

Step 206, the mean value and standard deviation of prediction difference data corresponding to each sample business are determined.

Step 210, it is based on above-mentioned mean value and standard deviation, determines what service monitoring system was used to be monitored abnormal traffic Alert threshold.

The method that this specification embodiment provides, when determining the alert threshold for being monitored to abnormal traffic, meter The prediction data of prediction model and the prediction difference data of truthful data are calculated, and according to the mean value and mean difference of prediction difference data It determines alert threshold, in this way, the prediction error of prediction model is taken into account, improves the accurate of identified alert threshold Property, and then improve the accuracy rate of service monitoring system monitoring exceptional service；In addition, also being realized in this specification embodiment The automation that alert threshold arrives determines, in this way, accuracy and efficiency must compared with determining alert threshold by manual type Raising is arrived.

Certainly, above describe the detailed process that the mean value and standard deviation according to prediction difference data determine alert threshold, In addition to this, in this specification embodiment, alert threshold, example can also be determined according to the other parameters of prediction difference data Such as, can the prediction difference data according to corresponding to each sample business median and median absolute deviation determine alarm threshold Value, specifically comprises the following steps (1) and step (2)；

Step (1), the median and median absolute deviation for determining prediction difference data corresponding to each sample business；

Step (2) is based on above-mentioned median and median absolute deviation, determines alarm threshold corresponding to service monitoring system Value.

In the specific implementation, can by prediction difference data corresponding to each sample business according to data height sequence into Row sequence, if the number of prediction difference data be odd number, then will be located in the middle after sequence a prediction difference data as Median will then be located in the middle the flat of two prediction difference data if the number of prediction difference data is even number after sequence Mean value is as median.

For ease of understanding, following to be illustrated citing.

For example, it is assumed that the quantity of sample business is 5, corresponding prediction difference data are respectively 100,128,97, 106,89, it can be according to sequence (it is of course also possible to according to sequence from low to high) from high to low to above-mentioned prediction difference number According to being ranked up, the prediction difference data after sequence are as follows: 128,106,100,97,89, coming intermediate prediction difference data is 100, therefore, median is then 100.If the quantity of sample business is 6, corresponding prediction difference data are respectively 100, 128,97,106,89,117, it can be according to sequence (it is of course also possible to according to sequence from low to high) from high to low to above-mentioned Prediction difference data are ranked up, the prediction difference data after sequence are as follows: and 128,117,106,100,97,89, due to pre- error of measurement The number of Value Data is therefore even number comes there are two most intermediate prediction difference data, respectively 106 and 100,106 Hes 100 average is 103, and therefore, available median is 103.

Wherein, median absolute deviation (Median Absolute Deviation, MAD) is referred to as position in absolutely Number is defined as the median that each data point (i.e. each prediction difference data) arrive the absolute deviation of median, as follows:

MAD=median (| z_i-m|)

In above-mentioned formula, z_iIndicate prediction difference data corresponding to i-th of sample business, m indicates each sample business The median of corresponding prediction difference data, MAD indicate median absolute deviation.

For ease of understanding, following specific calculating process that will illustrate above-mentioned median absolute deviation.

For example, continue to use the example above, the quantity of sample business is 5, corresponding prediction difference data are respectively 100, 128,97,106,89, median 100, the absolute deviation of each prediction difference data to median is respectively 0,28,3,6,11, Median corresponding to each absolute deviation is then 6, and therefore, corresponding median absolute deviation is then 6.

Specifically, being based on median and median absolute deviation in above-mentioned steps (2), determining above-mentioned business monitoring system The corresponding alert threshold of system, specifically includes:

According to median and median absolute deviation, above-mentioned alert threshold is calculated by following formula；

T=m+N*MAD

Wherein, in above-mentioned formula, T indicates that alert threshold corresponding to service monitoring system, m indicate median, MAD table Show median absolute deviation, N indicates constant.

Fig. 3 is the three of the method flow diagram of the monitoring method for the abnormal traffic that this specification embodiment provides, shown in Fig. 3 Method includes at least following steps:

Step 302, it obtains using prediction model to the index to be predicted of each sample business in the achievement data for setting the moment The prediction data predicted, and, obtain index to be predicted truthful data corresponding to the setting moment of each sample business.

Step 304, prediction data and truthful data according to corresponding to each sample business determines corresponding to each sample business Prediction difference data.

Step 306, the median and median absolute deviation of prediction difference data corresponding to each sample business are determined.

Step 308, it is based on above-mentioned median and median absolute deviation, determines alarm threshold corresponding to service monitoring system Value.

In addition, in this specification embodiment, in addition to can the prediction difference data according to corresponding to each sample business Mean value and standard deviation, and the median and median absolute deviation of the prediction difference data according to corresponding to each sample business are true Surely except for the alert threshold of monitoring exceptional service, it is also based on setting for prediction difference data corresponding to each sample business Determine percentile and determines above-mentioned alert threshold.

Therefore, in above-mentioned steps 106, based on prediction difference data corresponding to each sample business, according to the threshold value of setting Determine the alert threshold that rule determines that service monitoring system is used to be monitored abnormal traffic, further includes:

Calculate the setting percentile of prediction difference data corresponding to each sample business；The setting percentile is determined For alert threshold corresponding to service monitoring system.

In this specification embodiment, due to having multiple sample business, available corresponding multiple prediction differences Data are properly termed as prediction difference data sequence.In the specific implementation, can by the prediction difference data sequence according to from it is small to Big sequence is ranked up, and then calculates the setting percentile of the prediction difference data sequence, will be corresponding to obtained serial number Prediction difference data be determined as alert threshold.For example, in the specific implementation, calculating the 95%00 of the prediction difference data sequence Any percentiles such as quantile, 80% percentile, can specifically be configured according to actual needs, and this specification is implemented Example is defined not to this.

Certainly, in some cases, the setting percentile of prediction difference data sequence calculated is not integer, such as The calculated percentile that set of institute is 2.56, at this moment will then be adjoined and greater than the determination of prediction difference data corresponding to the serial number For alert threshold, i.e., third prediction difference data are determined as alert threshold.

For ease of understanding, following to be illustrated citing.

For example, in a specific embodiment, obtained prediction difference data sequence are as follows: 156,176,145,124, 132,109,112,100,107,109,89,98,132,115,131,145,123,116,106,107；According to from small to large Sequence above-mentioned prediction difference data are ranked up, the prediction difference data sequence after obtained sequence are as follows: 89,98,100, 106,107,107,109,109,112,115,116,123,124,131,132,132,145,145,156,176；If pre- with this 95% percentile of error of measurement Value Data is as alert threshold, then serial number corresponding to 95 percentiles of the prediction difference data For 20*95%=19, i.e., the 19th prediction difference data after above-mentioned sequence are determined as alert threshold, i.e., the alert threshold is 156；If further for example, prediction difference sequence are as follows: 156,176,145,124,132,109,112,100,107,109,89,98, 132,115,131,145；After being ranked up according to sequence from small to large to above-mentioned prediction difference data, obtained pre- error of measurement Value Data are as follows: 89,98,100,107,109,109,112,115,124,131,132,132,145,145,156,176；If with this 95% percentile of prediction difference data is as alert threshold, then sequence corresponding to 95 percentiles of the prediction difference data Number be 15*95%=14.25, then the 15th prediction difference data after above-mentioned sequence are determined as alert threshold, i.e. the alarm Threshold value is 176.

Certainly, how above-mentioned be merely illustrative calculates the setting percentiles of prediction difference data and in addition to this passes through Other modes, which calculate percentile, can be applied to this specification embodiment, no longer repeat various calculating settings hundred one by one herein The specific implementation of quantile.

Certainly, the prediction difference data according to corresponding to each sample business are described respectively in this specification embodiment Mean value and standard deviation, the median of the prediction difference data according to corresponding to each sample business and median absolute deviation, and, The alarm threshold for being used for monitoring exceptional service is determined according to the setting percentile of prediction difference data corresponding to each sample business The detailed process of value still determines that the detailed process of alert threshold is not limited thereto, in addition to this it is possible to according to various kinds The other parameters of prediction difference data corresponding to this business determine alert threshold, and this specification embodiment will not enumerate.

The method that this specification embodiment provides for ease of understanding, it is following to handle certain using index to be predicted as operation system The portfolio of business for calculating alert threshold by mean value and standard deviation, introduces the method that this specification embodiment provides.

Fig. 4 is the four of the method flow diagram of the monitoring method for the abnormal traffic that this specification embodiment provides, shown in Fig. 4 Method includes at least following steps:

Step 402, the prediction industry that the portfolio to each sample business at the setting moment is predicted is obtained from prediction model Business amount, and, each sample business is obtained in the actual services amount at setting moment.

Step 404, the difference for calculating separately prediction portfolio and actual services amount corresponding to each sample business obtains each Portfolio difference corresponding to sample business.

Step 406, mean value and standard deviation corresponding to each portfolio difference are calculated.

Step 408, calculate setting multiple standard deviation and mean value and value, this and value are determined as alert threshold so that The service monitoring system is monitored abnormal traffic according to the alert threshold.

The monitoring method for the abnormal traffic that this specification embodiment provides, for abnormal industry in determining service monitoring system When the alert threshold of business monitoring, the achievement data based on prediction model to the index to be predicted of sample business at the setting moment is carried out Prediction of the index to be predicted of the prediction data of prediction and the sample business between the truthful data corresponding to the setting moment Difference data is determined；In this way, the prediction error of the prediction model in service monitoring system is taken into account, improves and determine Alert threshold accuracy, so as to improve the accuracy rate of monitoring exceptional service；In addition, this specification embodiment realizes The automation of alert threshold determines that compared with determining alert threshold by manual type, efficiency and accuracy are all improved.

Corresponding to the monitoring method for the abnormal traffic that embodiment corresponding to this specification Fig. 1-Fig. 4 provides, based on identical Thinking, this specification embodiment additionally provide a kind of monitoring method of abnormal traffic, and this method is applied to service monitoring system, i.e., The executing subject of this method is service monitoring system, is specifically the monitoring for the abnormal traffic being set on service monitoring system Device.Fig. 5 is the five of the method flow diagram of the monitoring method for the abnormal traffic that this specification embodiment provides, side shown in fig. 5 Method includes at least following steps:

Step 502, the actual services data of operation system to be monitored target service handled by the setting moment are obtained, with And it obtains prediction model and treats the prediction business number that monitoring business system target service handled by the setting moment is predicted According to.

Wherein, above-mentioned actual services data can be operation system to be monitored target service handled by the setting moment The data such as portfolio or the business amount of money, specifically, can determine according to actual needs, this specification is not to above-mentioned The specific data of actual services data are defined.

It in the specific implementation, can be from business system to be monitored during operation system processing target business to be monitored System obtains its generated actual services data, it can also be obtained from database corresponding to operation system to be monitored and is being set Generated actual services data are carved in timing.Furthermore it is possible to obtain history from database corresponding to operation system to be monitored Actual services data corresponding to each moment, and by actual services data incoming traffic monitoring system corresponding to each moment Prediction model in, with by prediction model to above-mentioned operation system to be monitored setting the moment handled by target service industry Business data are predicted, to obtain prediction business datum.

In addition, it is necessary to which explanation, above-mentioned acquired actual services data and prediction business datum are target service Some operational indicator corresponding to business datum.For example, acquired actual services data and prediction business datum are mesh Mark business is in the business total value or target service for setting the moment in the portfolio etc. for setting the moment.

Specifically, above-mentioned prediction model can be LSTM prediction model, it is, of course, also possible to be other prediction models, this theory Bright book embodiment is defined not to this.

Step 504, the prediction difference data of above-mentioned prediction business datum and above-mentioned actual services data are determined.

Step 506, above-mentioned prediction difference data are compared with predetermined alert threshold, to determine target service Whether there is exception at the setting moment；Wherein, alert threshold based on prediction model to each sample business given time business Prediction difference of the prediction data and each sample business that data are predicted between the actual services data of above-mentioned given time Data are determined.

In the specific implementation, it can be when above-mentioned prediction difference data are greater than above-mentioned alert threshold, then it is assumed that the moment The processing of target service occurs abnormal, at this moment, can sound an alarm, for example, can send mail, short to relevant staff Letter, prompt information etc., to handle in time.

It should be noted that above-mentioned alert threshold can be the test rank in prediction model in this specification embodiment Determined by section；Above-mentioned each sample business for determining alert threshold can be each test specimens tested prediction model This.

In the specific implementation, available prediction model to each test sample setting the moment operational indicator to be predicted into The prediction data of row prediction, and truthful data of the operational indicator to be predicted of each test sample at the setting moment is obtained, it calculates The prediction difference data of each prediction data and truthful data, then, based on pre- error of measurement corresponding to obtained each forecast sample Value Data determines above-mentioned alert threshold.

Wherein, in this specification embodiment, above-mentioned alert threshold is based on pre- error of measurement corresponding to each sample business Determined by the mean value and standard deviation of Value Data, it can specifically determine as follows:

Determine the mean value and standard deviation of prediction difference data corresponding to each sample business；Based on above-mentioned mean value and standard Difference determines above-mentioned alert threshold.

Specifically, above-mentioned mean value and standard deviation can be based in this specification embodiment, determined by following formula State alert threshold:

T=μ+N* σ

Wherein, in above-mentioned formula, T indicates that alert threshold, μ indicate mean value, and σ indicates standard deviation, and N indicates constant.

In another embodiment, alert threshold is based on prediction difference data corresponding to each sample business Determined by median and median absolute deviation, it can specifically determine as follows:

Determine the median and median absolute deviation of prediction difference data corresponding to each sample business；Based among the above Digit and median absolute deviation, determine above-mentioned alert threshold.

Specifically, in this specification embodiment above-mentioned median and median absolute deviation can be based on, by as follows Formula determines above-mentioned alert threshold:

T=m+N*MAD

Wherein, in above-mentioned formula, T indicates that alert threshold, m indicate that median, MAD indicate median absolute deviation, N table Show constant.

Certainly, in this specification embodiment, above-mentioned alert threshold is also based on prediction corresponding to each sample business The setting percentile of difference data is determined.

It should be noted that the specific implementation process of above-mentioned each step can refer to embodiment of the method corresponding to Fig. 1-Fig. 4 In each step specific implementation process, details are not described herein again.

The monitoring method for the abnormal traffic that this specification embodiment provides is used when being monitored to abnormal traffic Alert threshold, then be that the achievement data based on prediction model to the operational indicator to be predicted of sample business at the setting moment carries out The operational indicator to be predicted of the prediction data of prediction and the sample business is between the truthful data corresponding to the setting moment Prediction difference data are determined；In this way, the prediction error of the prediction model in service monitoring system is taken into account, institute is improved The accuracy of determining alert threshold, so as to improve the accuracy rate of monitoring exceptional service.

Corresponding to the monitoring method for the abnormal traffic that embodiment corresponding to this specification Fig. 1-Fig. 4 provides, based on identical Thinking, this specification embodiment additionally provide a kind of monitoring device of abnormal traffic, right for executing this specification Fig. 1-Fig. 4 institute The method for answering embodiment, Fig. 6 are the module composition schematic diagram of the monitoring device for the abnormal traffic that this specification embodiment provides, figure Device shown in 6 includes:

Module 602 is obtained, for obtaining the index to be predicted for using prediction model to each sample business at the setting moment The prediction data that achievement data is predicted, and, the index to be predicted for obtaining each sample business was set corresponding to the moment Truthful data；Wherein, prediction model is the mould in service monitoring system for being predicted the index to be predicted of target service Type；

First determining module 604 determines various kinds for prediction data and truthful data according to corresponding to each sample business Prediction difference data corresponding to this business；

Second determining module 606, for based on prediction difference data corresponding to each sample business, according to the threshold value of setting Determine the alert threshold that rule determines that service monitoring system is used to be monitored abnormal traffic.

Optionally, above-mentioned second determining module 606, comprising:

First determination unit, for determining the mean value and standard deviation of prediction difference data corresponding to each sample business；

Second determination unit determines alert threshold corresponding to service monitoring system for being based on mean value and standard deviation.

Optionally, above-mentioned second determination unit, is specifically used for:

According to mean value and standard deviation, alert threshold is calculated by following formula；

T=μ+N* σ

Optionally, above-mentioned second determining module 606, further includes:

Third determination unit, the median and median for determining prediction difference data corresponding to each sample business are exhausted To deviation；

4th determination unit determines corresponding to service monitoring system for being based on median and median absolute deviation Alert threshold.

Optionally, above-mentioned 4th determination unit, is specifically used for:

According to median and median absolute deviation, alert threshold is calculated by following formula；

T=m+N*MAD

Optionally, above-mentioned second determining module 606, further includes:

Computing unit, for calculating the setting percentile of prediction difference data corresponding to each sample business；

5th determination unit, for above-mentioned setting percentile of stating to be determined as alarm threshold corresponding to service monitoring system Value.

Optionally, above-mentioned prediction model is LSTM prediction model.

The monitoring device of the abnormal traffic of this specification embodiment can also carry out the monitoring device of abnormal traffic in Fig. 1-Fig. 4 The method of execution, and the monitoring device of abnormal traffic is realized in Fig. 1-embodiment illustrated in fig. 4 function, details are not described herein.

The monitoring device for the abnormal traffic that this specification embodiment provides, for abnormal industry in determining service monitoring system When the alert threshold of business monitoring, the achievement data based on prediction model to the index to be predicted of sample business at the setting moment is carried out Prediction of the index to be predicted of the prediction data of prediction and the sample business between the truthful data corresponding to the setting moment Difference data is determined；In this way, the prediction error of the prediction model in service monitoring system is taken into account, improves and determine Alert threshold accuracy, so as to improve the accuracy rate of monitoring exceptional service；In addition, this specification embodiment realizes The automation of alert threshold determines that compared with determining alert threshold by manual type, efficiency and accuracy are all improved.

Corresponding to the monitoring method for the abnormal traffic that embodiment corresponding to this specification Fig. 5 provides, it is based on identical thinking, This specification embodiment additionally provides a kind of monitoring device of abnormal traffic, for executing embodiment corresponding to this specification Fig. 5 Method, Fig. 7 is the module composition schematic diagram for the monitoring device of abnormal traffic that this specification embodiment provides, shown in Fig. 7 Device includes:

Module 702 is obtained, for obtaining the true industry of operation system to be monitored target service handled by the setting moment Business data, and, prediction model is obtained to the operation system to be monitored target industry handled by the setting moment The prediction business datum that business is predicted；

Determining module 704, for determining the prediction difference data of the prediction business datum and the actual services data；

Comparison module 706, for the prediction difference data to be compared with predetermined alert threshold, with determination Whether the target service there is exception at the setting moment；Wherein, the alert threshold is based on the prediction model to each The prediction data and each sample business that sample business is predicted in the business datum of given time are in the true of given time Prediction difference data between real business datum are determined.

Optionally, above-mentioned alert threshold is determined in the test phase of prediction model；Above-mentioned each sample business is to prediction Each test sample that model is tested.

Optionally, mean value and standard deviation institute of the above-mentioned alert threshold based on prediction difference data corresponding to each sample business Determining.

Optionally, median and median of the above-mentioned alert threshold based on prediction difference data corresponding to each sample business Determined by absolute deviation.

Optionally, setting percentile institute of the above-mentioned alert threshold based on prediction difference data corresponding to each sample business Determining.

The monitoring device for the abnormal traffic that this specification embodiment provides can also carry out the monitoring device of abnormal traffic in Fig. 5 The method of execution, and realize the function of the monitoring device of abnormal traffic embodiment shown in Fig. 5, details are not described herein.

Further, based on method shown in above-mentioned Fig. 1 to Fig. 4, this specification embodiment additionally provides a kind of abnormal industry The monitoring device of business, as shown in Figure 8.

The monitoring device of abnormal traffic can generate bigger difference because configuration or performance are different, may include one or More than one processor 801 and memory 802 can store one or more storages in memory 802 using journey Sequence or data.Wherein, memory 802 can be of short duration storage or persistent storage.The application program for being stored in memory 802 can be with Including one or more modules (diagram is not shown), each module may include one in the monitoring device to abnormal traffic Family computer executable instruction information.Further, processor 801 can be set to communicate with memory 802, in exception The series of computation machine executable instruction information in memory 802 is executed in the monitoring device of business.The monitoring of abnormal traffic is set Standby can also include one or more power supplys 803, one or more wired or wireless network interfaces 804, one or More than one input/output interface 805, one or more keyboards 806 etc..

In a specific embodiment, the monitoring device of abnormal traffic include memory and one or one with On program, perhaps more than one program is stored in memory and one or more than one program can wrap for one of them Include one or more modules, and each module may include that series of computation machine in monitoring device to abnormal traffic can Information is executed instruction, and is configured to execute this by one or more than one processor or more than one program includes For carrying out following computer executable instructions information:

The achievement data using prediction model to the index to be predicted of each sample business at the setting moment is obtained to predict Prediction data, and, obtain the index to be predicted of each sample business truthful data corresponding to the setting moment；Wherein, in advance Surveying model is the model in service monitoring system for being predicted the index to be predicted of target service；

According to prediction data and truthful data corresponding to each sample business, pre- error of measurement corresponding to each sample business is determined Value Data；

Based on prediction difference data corresponding to each sample business, determine that rule determines business monitoring according to the threshold value of setting System is used for the alert threshold being monitored to abnormal traffic.

Optionally, computer executable instructions information when executed, based on prediction difference corresponding to each sample business Data determine that rule determines alert threshold corresponding to service monitoring system according to the threshold value of setting, comprising:

Determine the mean value and standard deviation of prediction difference data corresponding to each sample business；

Based on mean value and standard deviation, alert threshold corresponding to service monitoring system is determined.

Optionally, computer executable instructions information when executed, is based on mean value and standard deviation, determines business monitoring system The corresponding alert threshold of system, comprising:

T=μ+N* σ

Optionally, computer executable instructions information when executed, based on prediction difference corresponding to each sample business Data determine that rule determines that service monitoring system is used for the alert threshold of monitoring exceptional service according to the threshold value of setting, comprising:

Determine the median and median absolute deviation of prediction difference data corresponding to each sample business；

Based on median and median absolute deviation, alert threshold corresponding to service monitoring system is determined.

Optionally, computer executable instructions information when executed, is based on median and median absolute deviation, determines Alert threshold corresponding to service monitoring system, comprising:

T=m+N*MAD

Optionally, computer executable instructions information is when executed, above-mentioned based on prediction corresponding to each sample business Difference data determines the police that rule determines that above-mentioned service monitoring system is used to be monitored abnormal traffic according to the threshold value of setting Report threshold value, comprising:

Calculate the setting percentile of prediction difference data corresponding to each sample business；Above-mentioned setting percentile is true It is set to alert threshold corresponding to service monitoring system.

Optionally, when executed, above-mentioned prediction model is shot and long term memory network to computer executable instructions information LSTM prediction model.

Further, it is based on above-mentioned method shown in fig. 5, this specification embodiment additionally provides a kind of prison of abnormal traffic Equipment is controlled, the structure of the monitoring device of the abnormal traffic can refer to the monitoring device of abnormal traffic shown in Fig. 8.

The actual services data of operation system to be monitored target service handled by the setting moment are obtained, and, it obtains Prediction model treats the prediction business datum that monitoring business system target service handled by the setting moment is predicted；

Determine the prediction difference data of prediction business datum and actual services data；

Prediction difference data are compared with predetermined alert threshold, with determine target service setting the moment be No appearance is abnormal；Wherein, alert threshold predicts each sample business in the business datum of given time based on prediction model Prediction difference data between the actual services data of given time of prediction data and each sample business determined.

Optionally, computer executable instructions information when executed, test rank of the above-mentioned alert threshold in prediction model Section determines；

Above-mentioned each sample business is each test sample tested above-mentioned prediction model.

Optionally, when executed, it is right that above-mentioned alert threshold is based on each sample business institute to computer executable instructions information The mean value and standard deviation for the prediction difference data answered are determined.

Optionally, when executed, it is right that above-mentioned alert threshold is based on each sample business institute to computer executable instructions information The median and median absolute deviation for the prediction difference data answered are determined.

The monitoring device for the abnormal traffic that this specification embodiment provides is used when being monitored to abnormal traffic Alert threshold, then be that the achievement data based on prediction model to the operational indicator to be predicted of sample business at the setting moment carries out The operational indicator to be predicted of the prediction data of prediction and the sample business is between the truthful data corresponding to the setting moment Prediction difference data are determined；In this way, the prediction error of the prediction model in service monitoring system is taken into account, institute is improved The accuracy of determining alert threshold, so as to improve the accuracy rate of monitoring exceptional service.

Further, based on method shown in above-mentioned Fig. 1 to Fig. 4, this specification embodiment additionally provides a kind of storage Jie Matter, for storing computer executable instructions information, in a kind of specific embodiment, the storage medium can for USB flash disk, CD, Hard disk etc., the computer executable instructions information of storage medium storage are able to achieve following below scheme when being executed by processor:

Optionally, the computer executable instructions information of storage medium storage is based on various kinds when being executed by processor Prediction difference data corresponding to this business determine that rule determines alarm corresponding to service monitoring system according to the threshold value of setting Threshold value, comprising:

Optionally, the computer executable instructions information of storage medium storage is based on mean value when being executed by processor And standard deviation, determine alert threshold corresponding to service monitoring system, comprising:

T=μ+N* σ

Optionally, the computer executable instructions information of storage medium storage is based on various kinds when being executed by processor Prediction difference data corresponding to this business determine that rule determines that service monitoring system is used for abnormal traffic according to the threshold value of setting The alert threshold of monitoring, comprising:

Optionally, the computer executable instructions information of storage medium storage is based on middle position when being executed by processor Several and median absolute deviation, determines alert threshold corresponding to service monitoring system, comprising:

T=m+N*MAD

Optionally, the computer executable instructions information of storage medium storage is above-mentioned to be based on when being executed by processor Prediction difference data corresponding to each sample business determine that rule determines that above-mentioned service monitoring system is used for according to the threshold value of setting The alert threshold that abnormal traffic is monitored, comprising:

Optionally, the computer executable instructions information of storage medium storage is when being executed by processor, above-mentioned prediction Model is shot and long term memory network LSTM prediction model.

The computer executable instructions information for the storage medium storage that this specification embodiment provides is being executed by processor When, when being used for the alert threshold of monitoring exceptional service in determining service monitoring system, based on prediction model to sample business The index to be predicted of prediction data and the sample business that achievement data of the index to be predicted at the setting moment is predicted exists Prediction difference data between truthful data corresponding to the setting moment are determined；In this way, by the prediction in service monitoring system The prediction error of model is taken into account, and the accuracy of identified alert threshold is improved, so as to improve abnormal traffic prison The accuracy rate of control；In addition, the automation that this specification embodiment realizes alert threshold determines, warned with being determined by manual type Report threshold value is compared, and efficiency and accuracy are all improved.

Further, it is based on above-mentioned method shown in fig. 5, this specification embodiment additionally provides a kind of storage medium, uses In a kind of storage computer executable instructions information, specific embodiment, which can be USB flash disk, CD, hard disk Computer executable instructions information Deng the storage of, the storage medium is able to achieve following below scheme when being executed by processor:

Optionally, the computer executable instructions information of storage medium storage is when being executed by processor, above-mentioned alarm Threshold value is determined in the test phase of prediction model；

Optionally, the storage medium storage computer executable instructions information when being executed by processor, above-mentioned alarm Threshold value is determined based on the mean value and standard deviation of prediction difference data corresponding to each sample business.

Optionally, the storage medium storage computer executable instructions information when being executed by processor, above-mentioned alarm Threshold value is determined based on the median and median absolute deviation of prediction difference data corresponding to each sample business.

The computer executable instructions information for the storage medium storage that this specification embodiment provides is being executed by processor When, when being monitored to abnormal traffic, used alert threshold is then based on prediction model to the to be predicted of sample business The operational indicator to be predicted of prediction data and the sample business that achievement data of the operational indicator at the setting moment is predicted Prediction difference data between the truthful data corresponding to the setting moment are determined；In this way, by pre- in service monitoring system The prediction error for surveying model is taken into account, and the accuracy of identified alert threshold is improved, so as to improve abnormal traffic The accuracy rate of monitoring.

In the 1990s, the improvement of a technology can be distinguished clearly be on hardware improvement (for example, Improvement to circuit structures such as diode, transistor, switches) or software on improvement (improvement for method flow).So And with the development of technology, the improvement of current many method flows can be considered as directly improving for hardware circuit. Designer nearly all obtains corresponding hardware circuit by the way that improved method flow to be programmed into hardware circuit.Cause This, it cannot be said that the improvement of a method flow cannot be realized with hardware entities module.For example, programmable logic device (Programmable Logic Device, PLD) (such as field programmable gate array (Field Programmable Gate Array, FPGA)) it is exactly such a integrated circuit, logic function determines device programming by user.By designer Voluntarily programming comes a digital display circuit " integrated " on a piece of PLD, designs and makes without asking chip maker Dedicated IC chip.Moreover, nowadays, substitution manually makes IC chip, this programming is also used instead mostly " is patrolled Volume compiler (logic compiler) " software realizes that software compiler used is similar when it writes with program development, And the source code before compiling also write by handy specific programming language, this is referred to as hardware description language (Hardware Description Language, HDL), and HDL is also not only a kind of, but there are many kind, such as ABEL (Advanced Boolean Expression Language)、AHDL(Altera Hardware Description Language)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL (Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(Ruby Hardware Description Language) etc., VHDL (Very-High-Speed is most generally used at present Integrated Circuit Hardware Description Language) and Verilog.Those skilled in the art also answer This understands, it is only necessary to method flow slightly programming in logic and is programmed into integrated circuit with above-mentioned several hardware description languages, The hardware circuit for realizing the logical method process can be readily available.

Controller can be implemented in any suitable manner, for example, controller can take such as microprocessor or processing The computer for the computer readable program code (such as software or firmware) that device and storage can be executed by (micro-) processor can Read medium, logic gate, switch, specific integrated circuit (Application Specific Integrated Circuit, ASIC), the form of programmable logic controller (PLC) and insertion microcontroller, the example of controller includes but is not limited to following microcontroller Device: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320 are deposited Memory controller is also implemented as a part of the control logic of memory.It is also known in the art that in addition to Pure computer readable program code mode is realized other than controller, can be made completely by the way that method and step is carried out programming in logic Controller is obtained to come in fact in the form of logic gate, switch, specific integrated circuit, programmable logic controller (PLC) and insertion microcontroller etc. Existing identical function.Therefore this controller is considered a kind of hardware component, and to including for realizing various in it The device of function can also be considered as the structure in hardware component.Or even, it can will be regarded for realizing the device of various functions For either the software module of implementation method can be the structure in hardware component again.

System, device, module or the unit that above-described embodiment illustrates can specifically realize by computer chip or entity, Or it is realized by the product with certain function.It is a kind of typically to realize that equipment is computer.Specifically, computer for example may be used Think personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media play It is any in device, navigation equipment, electronic mail equipment, game console, tablet computer, wearable device or these equipment The combination of equipment.

For convenience of description, it is divided into various units when description apparatus above with function to describe respectively.Certainly, implementing this The function of each unit can be realized in the same or multiple software and or hardware when application.

It should be understood by those skilled in the art that, embodiments herein can provide as method, system or computer program Product.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the application Apply the form of example.Moreover, it wherein includes the computer of computer usable program code that the application, which can be used in one or more, The computer program implemented in usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) produces The form of product.

The application is reference according to the method for this specification embodiment, the stream of equipment (system) and computer program product Journey figure and/or block diagram describe.It should be understood that can be by computer program instructions information realization flowchart and/or the block diagram The combination of process and/or box in each flow and/or block and flowchart and/or the block diagram.It can provide these calculating Machine program instruction information is to general purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices Processor is to generate a machine, so that the instruction executed by computer or the processor of other programmable data processing devices Information generates specifies for realizing in one or more flows of the flowchart and/or one or more blocks of the block diagram Function device.

These computer program instructions information, which may also be stored in, is able to guide computer or other programmable data processing devices In computer-readable memory operate in a specific manner, so that command information stored in the computer readable memory produces Raw includes the manufacture of command information device, the command information device realize in one or more flows of the flowchart and/or The function of being specified in one or more blocks of the block diagram.

These computer program instructions information also can be loaded onto a computer or other programmable data processing device, so that Series of operation steps are executed on a computer or other programmable device to generate computer implemented processing, thus calculating The command information that is executed on machine or other programmable devices provide for realizing in one or more flows of the flowchart and/or The step of function of being specified in one or more blocks of the block diagram.

In a typical configuration, calculating equipment includes one or more processors (CPU), input/output interface, net Network interface and memory.

Memory may include the non-volatile memory in computer-readable medium, random access memory (RAM) and/or The forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable medium Example.

Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method Or technology come realize information store.Information can be computer-readable instruction information, data structure, the module of program or other numbers According to.The example of the storage medium of computer includes, but are not limited to phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory techniques, CD-ROM are read-only Memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, tape magnetic disk storage or Other magnetic storage devices or any other non-transmission medium, can be used for storage can be accessed by a computing device information.According to Herein defines, and computer-readable medium does not include temporary computer readable media (transitory media), such as modulation Data-signal and carrier wave.

It should also be noted that, the terms "include", "comprise" or its any other variant are intended to nonexcludability It include so that the process, method, commodity or the equipment that include a series of elements not only include those elements, but also to wrap Include other elements that are not explicitly listed, or further include for this process, method, commodity or equipment intrinsic want Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including described want There is also other identical elements in the process, method of element, commodity or equipment.

It will be understood by those skilled in the art that embodiments herein can provide as method, system or computer program product. Therefore, complete hardware embodiment, complete software embodiment or embodiment combining software and hardware aspects can be used in the application Form.It is deposited moreover, the application can be used to can be used in the computer that one or more wherein includes computer usable program code The shape for the computer program product implemented on storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) Formula.

The application can computer executable instructions information it is general up and down described in the text, such as Program module.Generally, program module include routines performing specific tasks or implementing specific abstract data types, it is program, right As, component, data structure etc..The application can also be practiced in a distributed computing environment, in these distributed computing environment In, by executing task by the connected remote processing devices of communication network.In a distributed computing environment, program module It can be located in the local and remote computer storage media including storage equipment.

All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodiment Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for system reality For applying example, since it is substantially similar to the method embodiment, so being described relatively simple, related place is referring to embodiment of the method Part explanation.

The above description is only an example of the present application, is not intended to limit this application.For those skilled in the art For, various changes and changes are possible in this application.All any modifications made within the spirit and principles of the present application are equal Replacement, improvement etc., should be included within the scope of the claims of this application.

Claims

1. a kind of monitoring method of abnormal traffic, which comprises

Achievement data of the acquisition using prediction model to the index to be predicted of each sample business at the setting moment is predicted pre- Measured data, and, obtain the index to be predicted truthful data corresponding to the setting moment of each sample business； Wherein, the prediction model is the mould in service monitoring system for being predicted the index to be predicted of target service Type；

According to prediction data and truthful data corresponding to each sample business, determine pre- corresponding to each sample business Error of measurement Value Data；

Based on prediction difference data corresponding to each sample business, determine that rule determines the business according to the threshold value of setting Monitoring system is used for the alert threshold being monitored to abnormal traffic.

It is described based on prediction difference data corresponding to each sample business 2. the method as described in claim 1, according to setting Fixed threshold value determines the alert threshold that rule determines that the service monitoring system is used to be monitored abnormal traffic, comprising:

Based on the mean value and the standard deviation, alert threshold corresponding to the service monitoring system is determined.

3. method according to claim 2, described to be based on the mean value and the standard deviation, the service monitoring system is determined Corresponding alert threshold, comprising:

According to the mean value and the standard deviation, the alert threshold is calculated by following formula；

T=μ+N* σ

Wherein, in above-mentioned formula, T indicates that alert threshold corresponding to the service monitoring system, μ indicate the mean value, σ table Show the standard deviation, N indicates constant.

It is described based on prediction difference data corresponding to each sample business 4. the method as described in claim 1, according to setting Fixed threshold value determines the alert threshold that rule determines that the service monitoring system is used to be monitored abnormal traffic, comprising:

Based on the median and the median absolute deviation, alert threshold corresponding to the service monitoring system is determined.

5. method as claimed in claim 4, described to be based on the median and the median absolute deviation, the industry is determined Alert threshold corresponding to monitoring system of being engaged in, comprising:

According to the median and the median absolute deviation, the alert threshold is calculated by following formula；

T=m+N*MAD

Wherein, in above-mentioned formula, T indicates that alert threshold corresponding to the service monitoring system, m indicate the median, MAD indicates the median absolute deviation, and N indicates constant.

It is described based on prediction difference data corresponding to each sample business 6. the method as described in claim 1, according to setting Fixed threshold value determines the alert threshold that rule determines that the service monitoring system is used to be monitored abnormal traffic, comprising:

Calculate the setting percentile of prediction difference data corresponding to each sample business；

The setting percentile is determined as alert threshold corresponding to the service monitoring system.

7. a kind of monitoring method of abnormal traffic, which comprises

The actual services data of operation system to be monitored target service handled by the setting moment are obtained, and, obtain prediction The prediction business that model predicts the operation system to be monitored target service handled by the setting moment Data；

The prediction difference data are compared with predetermined alert threshold, are set with the determination target service described Timing carves whether exception occur；Wherein, the alert threshold based on the prediction model to each sample business in given time The prediction data and each sample business that business datum is predicted are between the actual services data of the given time Prediction difference data are determined.

8. the method for claim 7, the alert threshold is determined in the test phase of the prediction model；

Each sample business is each test sample tested the prediction model.

9. method as claimed in claim 7 or 8, the alert threshold is based on prediction difference corresponding to each sample business Determined by the mean value and standard deviation of data.

10. method as claimed in claim 7 or 8, the alert threshold is based on pre- error of measurement corresponding to each sample business Determined by the median and median absolute deviation of Value Data.

11. a kind of monitoring device of abnormal traffic, described device include:

Module is obtained, for obtaining the index to be predicted for using prediction model to each sample business in the achievement data at setting moment The prediction data predicted, and, the index to be predicted for obtaining each sample business is right in the setting moment institute The truthful data answered；Wherein, the prediction model is in service monitoring system for the index to be predicted to target service The model predicted；

First determining module determines described each for prediction data and truthful data according to corresponding to each sample business Prediction difference data corresponding to sample business；

Second determining module, it is true according to the threshold value of setting for based on prediction difference data corresponding to each sample business Set pattern then determines alert threshold of the service monitoring system for being monitored to abnormal traffic.

12. device as claimed in claim 11, second determining module, comprising:

Second determination unit determines police corresponding to the service monitoring system for being based on the mean value and the standard deviation Report threshold value.

13. device as claimed in claim 11, second determining module, comprising:

4th determination unit determines the service monitoring system for being based on the median and the median absolute deviation Corresponding alert threshold.

14. a kind of monitoring device of abnormal traffic, described device include:

Module is obtained, for obtaining the actual services data of operation system to be monitored target service handled by the setting moment, And it obtains prediction model and the operation system to be monitored target service handled by the setting moment is carried out in advance The prediction business datum of survey；

Comparison module, for the prediction difference data to be compared with predetermined alert threshold, with the determination mesh Whether mark business there is exception at the setting moment；Wherein, the alert threshold is based on the prediction model to each sample industry It is engaged in the prediction data predicted of business datum of given time and each sample business in the true of the given time Prediction difference data between business datum are determined.

15. a kind of monitoring device of abnormal traffic, comprising:

Processor；And

It is arranged to the memory of storage computer executable instructions, the executable instruction makes the processing when executed Device:

16. a kind of monitoring device of abnormal traffic, comprising:

Processor；And

17. a kind of storage medium, for storing computer executable instructions, the executable instruction is realized following when executed Process:

18. a kind of storage medium, for storing computer executable instructions, the executable instruction is realized following when executed Process: