CN111131290A - Flow data processing method and device - Google Patents

Traffic data processing method and device

Info

Publication number: CN111131290A
Application number: CN201911400067.3A
Authority: CN (China)
Prior art keywords: traffic, baseline, abnormal, target object, extended period
Legal status: Granted; currently Active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN111131290B (granted publication)
Inventors: 张晔, 苏建学, 蒋东毅
Original assignee: Hillstone Networks Corp
Current assignee: Hillstone Networks Corp
Filing history: application filed by Hillstone Networks Corp with priority to CN201911400067.3A; publication of CN111131290A; application granted; publication of CN111131290B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention discloses a method and a device for processing traffic data. The method comprises: when the traffic of a target object is detected to be abnormal based on the weekly baseline, detecting the traffic of the target object again through an extended period baseline to obtain a re-detection result, where the traffic period corresponding to the extended period baseline is longer than one week; judging whether the re-detection result is abnormal; and if the re-detection result is abnormal, outputting a first message prompting that the traffic of the target object is abnormal. If the traffic of the target object successfully matches any one of the extended period baselines, the re-detection result is not abnormal. The invention thereby improves the accuracy of abnormal traffic judgment.

Description

Traffic data processing method and device
Technical Field
The invention relates to the field of computers, in particular to a method and a device for processing traffic data.
Background
Network Traffic Analysis (NTA) examines the security, operational, management or health status of a network by recording, reviewing and analyzing network traffic data. An NTA system learns the traffic it observes over a period of time, builds a baseline model of its traffic characteristics, and during subsequent detection compares actual traffic against the baseline model to find abnormal traffic and malicious network behavior. The periodic baseline model is commonly used, and because enterprise business and staff schedules mostly repeat weekly, the week is taken as the period unit of the model. A considerable part of business activity, however, has a cycle longer than one week: the start of the month, the end of the month, every two weeks, the last week of each month, and so on. On a system that directly uses a baseline with a one-week period, such business generates abnormal-traffic alarms, that is, false positives. Long-term repeated false positives lead the security administrator to ignore the alarms, so real threats on the affected equipment go unexamined and the protective efficiency of the NTA system is reduced.
Network traffic analysis requires a period to define the baseline model, and the period can be chosen in several ways. Taking 24 hours as the period cannot reflect the difference between weekday and weekend traffic; taking a month as the period requires storing a large volume of baseline data with a great deal of redundancy. The week is therefore currently the more general and reasonable choice.
Enterprise business nonetheless includes repetitive activity with a period longer than one week. On a system that provides only a weekly baseline, such activity is detected as abnormal traffic behavior and becomes a regularly recurring false positive. The administrator must either repeatedly ignore the alarm or classify it as normal periodic traffic, in which case the weekly baseline is corrected with that traffic data; afterwards, when traffic of that business occurs in a non-business time period, no alarm is generated, and the false positive has turned into a missed detection of suspicious traffic. Long-term false positives and missed detections reduce the early-warning effect of the NTA system.
Existing systems perform traffic detection and report anomalies based on a weekly baseline. For anomalies caused by normal traffic whose repetition period is longer than one week, a system administrator generally has two options: ignore the abnormal alarm, in which case it reappears in the next traffic period; or process it as a false alarm, in which case its traffic characteristics are taken up by the automatic baseline update function and the weekly model becomes inaccurate.
For the problem of judgment errors caused by an unreasonable choice of traffic period in the related art, no effective solution has yet been proposed.
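The two administrator options just described can be shown on a toy weekly baseline. The following is an added example, not code from the patent or from Hillstone Networks: a per-(weekday, hour) slot baseline with an 8-sample history and a 3-sigma rule plus a 10 MB floor, all of which are assumptions, fed with constructed traffic volumes. Ignoring the month-end alarm leaves the weekly slot intact, so a mid-month 2 GB transfer in the same slot is still caught; marking the alarm as false and letting the automatic update absorb the 8 GB backup inflates the slot's mean and deviation so far that the same 2 GB transfer passes as normal, and the next month-end run no longer alarms either.

```python
"""Why absorbing a monthly job into the weekly baseline hides later anomalies
(added example, not the patent holder's code). The (weekday, hour) slot, the
8-sample history, the 3-sigma rule with a 10 MB floor and all traffic volumes
are constructed assumptions."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

MB = 1_000_000


class WeeklyBaseline:
    """One sample history per (weekday, hour) slot. Because slots repeat every
    week, a job with a longer period is always scored against ordinary weeks."""
    K, FLOOR, HISTORY = 3.0, 10 * MB, 8

    def __init__(self) -> None:
        self.slots: dict[tuple[int, int], list[int]] = {}

    @staticmethod
    def slot(ts: datetime) -> tuple[int, int]:
        return ts.weekday(), ts.hour

    def is_abnormal(self, ts: datetime, nbytes: int) -> bool:
        hist = self.slots.get(self.slot(ts), [])
        if not hist:
            return True                      # nothing learned for this slot yet
        return nbytes > mean(hist) + self.K * pstdev(hist) + self.FLOOR

    def learn(self, ts: datetime, nbytes: int) -> None:
        """The 'baseline automatic update function': keep the newest samples."""
        hist = self.slots.setdefault(self.slot(ts), [])
        hist.append(nbytes)
        del hist[:-self.HISTORY]


def simulate(absorb_monthly_job: bool) -> dict:
    """Friday 23:00 slot over 12 weeks of constructed data:
    weeks 1-4 train the baseline on 100-110 MB of routine traffic;
    weeks 8 and 12 carry an 8 GB month-end backup (period > 1 week);
    week 10 carries a 2 GB transfer that is genuinely suspicious.
    absorb_monthly_job=False: the administrator ignores the backup alarm.
    absorb_monthly_job=True:  the administrator marks it a false alarm and the
    automatic update takes the backup's volume into the weekly slot."""
    def routine(week: int) -> int:
        return (100 + (week % 3) * 5) * MB   # 100 / 105 / 110 MB

    bl = WeeklyBaseline()
    fridays = [datetime(2020, 1, 3, 23, 0) + timedelta(weeks=w) for w in range(12)]
    for week in range(1, 5):                  # training period
        bl.learn(fridays[week - 1], routine(week))
    monthly_alarms, exfil_detected = 0, False
    for week in range(5, 13):
        ts = fridays[week - 1]
        if week in (8, 12):
            abnormal = bl.is_abnormal(ts, 8_000 * MB)
            monthly_alarms += int(abnormal)
            if not abnormal or absorb_monthly_job:
                bl.learn(ts, 8_000 * MB)
        elif week == 10:
            exfil_detected = bl.is_abnormal(ts, 2_000 * MB)   # never learned
        elif not bl.is_abnormal(ts, routine(week)):
            bl.learn(ts, routine(week))
    return {"monthly_alarms": monthly_alarms, "exfil_detected": exfil_detected}


if __name__ == "__main__":
    print("ignore alarm:   ", simulate(False))   # 2 alarms, 2 GB transfer caught
    print("absorb as false:", simulate(True))    # 1 alarm, 2 GB transfer missed
```

With one absorbed 8 GB sample among eight, mean plus three standard deviations of the slot sits near 8.9 GB, so both the 2 GB transfer and the next backup fall under the threshold. This is the mechanism behind the "missed detection" the description warns about, and it is why the extended period baseline keeps long-period traffic out of the weekly model instead of feeding it in.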
Disclosure of Invention
The invention mainly aims to provide a method and a device for processing traffic data, so as to solve the problem of judgment errors caused by an unreasonable choice of traffic period.
To achieve the above object, according to one aspect of the present invention, a traffic data processing method is provided, comprising: when the traffic of a target object is detected to be abnormal based on a weekly baseline, detecting the traffic of the target object again through an extended period baseline to obtain a re-detection result, where the traffic period corresponding to the extended period baseline is longer than one week; judging whether the re-detection result is abnormal; and if the re-detection result is abnormal, outputting a first message prompting that the traffic of the target object is abnormal, where if the traffic of the target object successfully matches any one of the extended period baselines, the re-detection result is not abnormal.
Further, the method further comprises: if the re-detection result is not abnormal, updating the extended period baseline based on the traffic of the target object.
Further, before the traffic of the target object is detected again through the extended period baseline, the method further comprises: judging whether an extended period baseline exists; and if not, outputting a second message prompting that no extended period baseline exists.
Further, after outputting the second message, the method further comprises: sending prompt information asking whether an extended period baseline should be added; and upon receiving an add instruction, adding the extended period baseline based on that instruction.
Further, the method further comprises: upon receiving an instruction not to add, judging the currently detected traffic of the target object to be abnormal traffic, and sending a traffic anomaly prompt.
To achieve the above object, according to another aspect of the present invention, a traffic data processing apparatus is also provided, comprising: a detection unit for detecting the traffic of the target object again through an extended period baseline when the traffic of the target object is detected to be abnormal based on the weekly baseline, so as to obtain a re-detection result, where the traffic period corresponding to the extended period baseline is longer than one week; a first judgment unit for judging whether the re-detection result is abnormal; and a first output unit for outputting a first message when the re-detection result is abnormal, the first message prompting that the traffic of the target object is abnormal, where if the traffic of the target object successfully matches any one of the extended period baselines, the re-detection result is not abnormal.
Further, the apparatus further comprises an updating unit for updating the extended period baseline based on the traffic of the target object when the re-detection result is not abnormal.
Further, the apparatus further comprises: a second judgment unit for judging whether an extended period baseline exists before the traffic of the target object is detected again through the extended period baseline; and a second output unit for outputting a second message if no extended period baseline exists, the second message prompting that no extended period baseline exists.
To achieve the above object, according to another aspect of the present invention, a storage medium is also provided that contains a stored program, where when the program runs it controls the device on which the storage medium is located to execute the traffic data processing method of the present invention.
To achieve the above object, according to another aspect of the present invention, an apparatus is also provided comprising at least one processor, at least one memory connected to the processor, and a bus, where the processor and the memory communicate with each other through the bus and the processor is configured to call program instructions in the memory to execute the traffic data processing method of the present invention.
Thus, when the traffic of a target object is detected to be abnormal based on the weekly baseline, it is detected again through an extended period baseline whose traffic period is longer than one week, and whether the re-detection result is abnormal is judged; if it is, a first message prompting that the traffic of the target object is abnormal is output, while a successful match against any one of the extended period baselines means the re-detection result is not abnormal. This solves the problem of judgment errors caused by an unreasonable choice of traffic period and improves the accuracy of abnormal traffic judgment.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
Fig. 1 is a flowchart of a traffic data processing method according to an embodiment of the present invention;
Fig. 2 is a flow diagram of traffic anomaly detection according to an embodiment of the present invention;
Fig. 3 is a flow diagram of extended traffic anomaly detection according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a traffic data processing apparatus according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
To make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings are used to distinguish between similar elements and not necessarily to describe a particular sequential or chronological order. Data so described may be interchanged where appropriate, so that the embodiments described here can be implemented in orders other than those illustrated or described. Furthermore, the terms "comprises", "comprising", "having" and their variations are intended to cover a non-exclusive inclusion, such that a process, method, system, article or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article or apparatus.
The embodiment of the invention provides a traffic data processing method.
Fig. 1 is a flowchart of a traffic data processing method according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step S102: when the traffic of the target object is detected to be abnormal based on the weekly baseline, detecting the traffic of the target object again through the extended period baseline to obtain a re-detection result, where the traffic period corresponding to the extended period baseline is longer than one week;
Step S104: judging whether the re-detection result is abnormal;
Step S106: if the re-detection result is abnormal, outputting a first message prompting that the traffic of the target object is abnormal, where if the traffic of the target object successfully matches any one of the extended period baselines, the re-detection result is not abnormal.
In this embodiment, when the traffic of the target object is detected to be abnormal based on the weekly baseline, the traffic is detected again through the extended period baseline, whose traffic period is longer than one week, to obtain a re-detection result; whether the re-detection result is abnormal is judged; if it is, a first message prompting that the traffic of the target object is abnormal is output, while a successful match against any one of the extended period baselines means the re-detection result is not abnormal. This solves the problem of judgment errors caused by an unreasonable choice of traffic period and improves the accuracy of abnormal traffic judgment.
In the embodiment of the invention, when traffic detection based on the weekly baseline finds abnormal traffic, that traffic may stem from a data flow with a longer period, such as one that occurs once a month or once a quarter. Traffic whose period is longer than a week is therefore re-examined through the extended period baseline to determine whether an anomaly still exists; if it does, an anomaly prompt is sent. Adding the extended period baseline detection step reduces false positives and identifies the extended-period traffic among the traffic flagged as abnormal.
Optionally, if the re-detection result is not abnormal, the extended period baseline is updated based on the traffic of the target object.
If the traffic currently flagged as abnormal by the weekly baseline successfully matches the extended period baseline, it is not abnormal traffic, and the extended period baseline is updated with the current traffic data so that the baseline data becomes more accurate.
Optionally, before the traffic of the target object is detected again through the extended period baseline, whether an extended period baseline exists is judged; if not, a second message is output prompting that no extended period baseline exists.
If no extended period baseline has been added, a prompt message may be issued to inform the user.
Optionally, after the second message is output, prompt information is sent asking whether an extended period baseline should be added; after an add instruction is received, an extended period baseline is added based on that instruction.
After the user has been told that no extended period baseline exists, the user is further asked whether to add one; if the user sends an add instruction, the extended period baseline is added based on that instruction.
Optionally, after an instruction not to add is received, the currently detected traffic of the target object is judged to be abnormal traffic, and a traffic anomaly prompt is sent.
If the user does not add an extended period baseline, the weekly baseline detection result is taken directly as the current traffic detection result, and a traffic anomaly prompt is sent to inform the user that an anomaly exists.
In addition, if the weekly baseline detection result shows that the current traffic is not abnormal, the weekly baseline may be updated with the current traffic data to make it more accurate.
The embodiment of the present invention also provides a preferred embodiment, and the present application is described below on the basis of it.
This embodiment provides a technique for constructing a baseline for an arbitrary period (shorter than one year), together with a traffic detection technique and system design based on that baseline. An administrator can set an arbitrary period of less than one year for specific traffic; the system automatically learns and adjusts the baseline according to that period and performs abnormal traffic detection accordingly.
The method mainly comprises: an extended period baseline data structure, an extended period baseline management module, and an extended traffic anomaly detection process.
1. Extended period baseline data structure
A conventional weekly baseline, with a period of one week, selects a fixed point in time within the week as its starting point. It computes the time offset between the current time and that starting point and uses the offset to look up the corresponding baseline traffic characteristics. The actual traffic characteristics are then compared with the baseline characteristics to decide whether the traffic is normal or abnormal. The simplified data structure of the weekly baseline is shown in the following table.
Table 1 Simplified data structure of the weekly baseline
TimeStamp BaseLineData
(The table body is an image in the source and is not reproduced; each row maps a timestamp within the week to its baseline data, as defined below.)
Since the specific contents of TimeStamp and BaseLineData are not essential to the present invention, they are not defined in detail here. TimeStamp may be a relative time from the start of the period, in minutes, hours or days, or a time span defined by a start time and an end time. BaseLineData should include, but is not limited to, traffic identification data such as the IP addresses, ports and services of the traffic, traffic characteristic data, traffic statistics and the like.
Because the TimeStamp in the weekly baseline table is recorded relative to the starting point of each week, repeated events with a period longer than one week cannot be represented in that table. This embodiment therefore proposes an extended period baseline data structure that stores baseline data for any period shorter than one year; it is shown in the following table.
Table 2 Data structure of the extended period baseline
TimeStamp  Pattern  BaseLineData
T1         P1       Data1
T2         P2       Data2
T3         P3       Data3
Each item in the data structure is defined as follows:
TimeStamp: the time stamp. Unlike the definition above, it records the time relative to the first day of each year, from which the month, week, weekday, hour, minute and so on of the event can be determined.
BaseLineData: baseline data, as defined above.
Pattern: the repetition pattern.
Pattern is a new field added to the data structure of the extended period baseline to record the repetition mode of the traffic that the baseline describes. The values of Pattern include but are not limited to:
repeats on a given weekday every two weeks,
repeats on a given day of each month,
repeats on the business days at the start of each month,
repeats on the business days at the end of each month,
repeats on a given calendar day each year.
The network traffic analysis system may add or remove supported repetition patterns according to the business characteristics of its target customers.
2. Extended period baseline management module
Because a large amount of traffic characteristic data must be discovered and stored for the weekly baseline, the baselines in the weekly baseline data structure are obtained by automatic learning of the system and adjusted in real time according to actual traffic; an administrator only needs to fine-tune the weekly baseline to make it usable.
The extended period baseline holds traffic baselines that the weekly baseline cannot represent. Their number is far smaller than that of the weekly baselines, and the creation, modification and deletion of extended period baselines require direct participation of an administrator.
Baseline addition: if normal traffic is not covered by the weekly traffic baseline, the traffic detection module generates an abnormal traffic alarm for it. When handling the alarm, the administrator can distinguish whether the traffic is genuinely abnormal or is normal traffic that repeats with a period longer than one week. In the latter case the administrator adds the traffic characteristics, time of occurrence and repetition pattern to the extended period baseline through the baseline addition function of the management module. The baseline addition function needs to be integrated into the abnormal traffic handling workflow of the network traffic analysis system.
Automatic baseline adjustment: like the weekly baseline, the extended period baseline must also be adjusted automatically along with actual traffic. The adjustment algorithm and implementation are the same as for the weekly baseline, so this function can reuse the implementation already present in the system.
Baseline display: the baseline display function provides a viewing, management and operations entry point for the baselines that have been added.
Manual baseline adjustment: the traffic represented by an extended period baseline may change as the business changes. The timestamps and repetition patterns of existing baselines can be adjusted manually by an administrator to accommodate such changes.
Manual baseline deletion: because the baselines in the extended period baseline have long repetition periods, a time-based automatic aging mechanism is difficult to implement; the management module therefore provides a manual deletion function to help the administrator remove baselines that are no longer useful.
The above describes the basic functions of the management module; different network traffic analysis systems may implement some of these functions or add further management functions according to the needs of their customer groups.
Fig. 2 is a flow chart of traffic anomaly detection according to an embodiment of the present invention. As shown in Fig. 2, if traffic anomalies are detected and reported based only on the weekly baseline, then for anomalies caused by normal traffic with a repetition period longer than one week the system administrator generally has two options: ignore the abnormal alarm, which will reappear in the next traffic period; or treat it as a false alarm, whereupon its traffic characteristics are taken up by the automatic baseline update function and the weekly model becomes inaccurate.
This embodiment further proposes the extended period baseline data structure and a management module for it. Fig. 3 is a flow chart of extended traffic anomaly detection according to an embodiment of the present invention. As shown in Fig. 3, if traffic is judged abnormal by the weekly baseline detection, it is passed to a secondary detection against the extended period baseline. The detection function first matches the network parameters of the traffic (IP addresses, ports, application and so on) against the baselines. If no baseline matches, the result is "no baseline matched". If one or more baselines match, each is checked in turn to verify whether the time of the traffic satisfies the repetition period defined in that baseline; the effective time window of a baseline is computed from its timestamp and repetition pattern. If no time window matches, the result is still "no baseline matched". If a baseline's time window does match, the traffic's characteristics are further compared with the baseline data, and the comparison yields either normal traffic or abnormal traffic, at which point the detection function is complete.
The final detection result is one of the following three. If the traffic matches a baseline in the extended period baseline and is judged normal, the baseline is automatically updated with the traffic's characteristics and the traffic detection process is complete.
If the traffic matches a baseline in the extended period baseline and is judged abnormal, the judgment result is set to abnormal and awaits manual analysis by an administrator.
If no baseline in the extended period baseline matches, the judgment result is set to "abnormal, no baseline" and awaits manual analysis by an administrator.
The next step in the workflow is manual analysis of the anomaly by the administrator. This step need not run synchronously with real-time traffic: the administrator reviews abnormal events at a convenient time and, using the conclusion reached by the preceding steps, judges whether a given abnormal traffic is a real anomaly or normal traffic with a period longer than one week. In the latter case the administrator adds an extended period baseline from the traffic's characteristic data, using the baseline addition function of the extended period baseline management module.
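The Table 2 data structure (TimeStamp / Pattern / BaseLineData) and the Fig. 3 secondary detection with its three outcomes can be put together as follows. This is an added example, not code from the patent or from Hillstone Networks. The pattern labels, the choice of three business days for "start/end of month", the 60-minute time window opening at the anchor's time of day, the relative-tolerance comparison of byte counts, the running-mean update and all baseline entries and traffic records are constructed assumptions; the description leaves these details open.

```python
"""Extended period baseline lookup and the Fig. 3 secondary detection (added
example, not the patent holder's code). Pattern labels, the 3-business-day
month edge, the 60-minute window and the tolerance test are assumptions."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime

# Repetition patterns listed in the description (labels are ours).
BIWEEKLY_WEEKDAY = "biweekly_weekday"          # same weekday every two weeks
MONTHLY_DAY = "monthly_day"                    # same day number every month
MONTH_START_BUSINESS = "month_start_business"  # first business days of the month
MONTH_END_BUSINESS = "month_end_business"      # last business days of the month
YEARLY_DATE = "yearly_date"                    # same calendar date every year
EDGE_BUSINESS_DAYS = 3   # assumption: "start/end of month" = 3 business days
NORMAL, ABNORMAL, NO_BASELINE = "normal", "abnormal", "no_baseline"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str
    nbytes: int
    ts: datetime


@dataclass
class ExtendedBaseline:
    timestamp: datetime   # first occurrence; anchors the day and the time of day
    pattern: str
    src: str              # BaseLineData: identification fields ...
    dst: str
    dport: int
    app: str
    mean_bytes: float     # ... and the statistics learned so far
    tolerance: float      # accepted relative deviation, 0.5 means +/-50 %
    window_min: int = 60  # assumption: window opens at the anchor's time of day
    samples: int = 1


def business_days(year: int, month: int) -> list[date]:
    last = calendar.monthrange(year, month)[1]
    return [d for d in (date(year, month, n) for n in range(1, last + 1))
            if d.weekday() < 5]


def in_period(bl: ExtendedBaseline, ts: datetime) -> bool:
    """Does ts fall in the window given by the baseline's timestamp and pattern?"""
    start = bl.timestamp.hour * 60 + bl.timestamp.minute
    now = ts.hour * 60 + ts.minute
    if not start <= now < start + bl.window_min:   # window must not cross midnight
        return False
    d, anchor = ts.date(), bl.timestamp.date()
    if bl.pattern == BIWEEKLY_WEEKDAY:
        return (d - anchor).days % 14 == 0
    if bl.pattern == MONTHLY_DAY:
        return d.day == anchor.day
    if bl.pattern == MONTH_START_BUSINESS:
        return d in business_days(d.year, d.month)[:EDGE_BUSINESS_DAYS]
    if bl.pattern == MONTH_END_BUSINESS:
        return d in business_days(d.year, d.month)[-EDGE_BUSINESS_DAYS:]
    if bl.pattern == YEARLY_DATE:
        return (d.month, d.day) == (anchor.month, anchor.day)
    raise ValueError(f"unsupported pattern {bl.pattern!r}")


def update_baseline(bl: ExtendedBaseline, flow: Flow) -> None:
    """Automatic adjustment after a normal match; a running mean stands in for
    the weekly baseline's tuning algorithm, which the description leaves open."""
    bl.samples += 1
    bl.mean_bytes += (flow.nbytes - bl.mean_bytes) / bl.samples


def detect_extended(flow: Flow, baselines: list[ExtendedBaseline]) -> str:
    """Fig. 3: match network parameters, then the time window, then the data."""
    key = (flow.src, flow.dst, flow.dport, flow.app)
    by_params = [b for b in baselines if (b.src, b.dst, b.dport, b.app) == key]
    active = [b for b in by_params if in_period(b, flow.ts)]
    if not active:                 # no baseline, or none whose period covers ts
        return NO_BASELINE
    for b in active:               # one successful match means "not abnormal"
        if abs(flow.nbytes - b.mean_bytes) <= b.tolerance * b.mean_bytes:
            update_baseline(b, flow)
            return NORMAL
    return ABNORMAL


def sample_baselines() -> list[ExtendedBaseline]:
    """Constructed entries: a month-end SFTP backup and a biweekly HTTPS upload."""
    return [
        ExtendedBaseline(datetime(2019, 1, 31, 23, 0), MONTH_END_BUSINESS,
                         "10.0.1.20", "10.0.9.5", 22, "sftp", 8e9, 0.5),
        ExtendedBaseline(datetime(2020, 1, 6, 9, 0), BIWEEKLY_WEEKDAY,
                         "10.0.2.7", "203.0.113.10", 443, "https", 2e8, 0.3),
    ]
```

Only traffic that the weekly baseline has already flagged is passed to `detect_extended`; a result of `NORMAL` corresponds to the first outcome above (baseline updated), `ABNORMAL` to the second and `NO_BASELINE` to the third, both of which wait for the administrator. A 7.5 GB SFTP transfer to 10.0.9.5 at 23:10 on 31 January 2020 (the last business day of that month) matches the first entry and is normal; the same transfer at 60 GB in the same window is abnormal; the same transfer on 15 January matches the network parameters but no time window and is returned as "no baseline".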
The above fully presents the extended period baseline data structure, the functions of the extended period baseline management module and the extension of the traffic detection process provided by this embodiment, which together realize the creation and maintenance of traffic baselines of arbitrary period and an extended detection process that performs secondary detection of abnormal traffic using the extended period baseline.
An application scenario of this embodiment is as follows: after the system is deployed, the administrator can establish extended period baselines for network behaviors, so that an outbound data transfer within its specified time period does not generate a false alarm while suspicious data transfers in other time periods still generate alarms.
The network traffic analysis system of this embodiment can record, track and detect network traffic behaviors of any repetition period, unconstrained by the one-week window. It treats long-period network behaviors consistently with high-frequency ones and monitors large-period network behaviors effectively, so that defects in the design or implementation of the intranet are not overlooked by the administrator; it effectively reduces the false positives and missed detections produced for large-period network behaviors and improves the administrator's working efficiency and attention to real threats.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from that presented here.
The embodiment of the invention provides a traffic data processing apparatus, which can be used to execute the traffic data processing method of the embodiment of the invention.
Fig. 4 is a schematic diagram of a traffic data processing apparatus according to an embodiment of the present invention. As shown in Fig. 4, the apparatus comprises:
a detection unit 10, configured to detect the traffic of the target object again through the extended period baseline when the traffic of the target object is detected to be abnormal based on the weekly baseline, and to obtain a re-detection result, where the traffic period corresponding to the extended period baseline is longer than one week;
a first judgment unit 20, configured to judge whether the re-detection result is abnormal; and
a first output unit 30, configured to output a first message when the re-detection result is abnormal, the first message prompting that the traffic of the target object is abnormal, where if the traffic of the target object successfully matches any one of the extended period baselines, the re-detection result is not abnormal.
In this embodiment, when the traffic of the target object is detected to be abnormal based on the weekly baseline, the detection unit 10 performs secondary detection of the traffic through the extended period baseline, whose traffic period is longer than one week, to obtain a re-detection result; the first judgment unit 20 judges whether the re-detection result is abnormal; and the first output unit 30 outputs a first message prompting that the traffic of the target object is abnormal when the re-detection result is abnormal, while a successful match against any one of the extended period baselines means the re-detection result is not abnormal. This solves the problem of judgment errors caused by an unreasonable choice of traffic period and improves the accuracy of abnormal traffic judgment.
Optionally, the apparatus further comprises an updating unit, configured to update the extended period baseline based on the traffic of the target object when the re-detection result is not abnormal.
Optionally, the apparatus further comprises: a second judgment unit, configured to judge whether an extended period baseline exists before the traffic of the target object is detected again through the extended period baseline; and a second output unit, configured to output a second message if no extended period baseline exists, the second message prompting that no extended period baseline exists.
The flow data processing device comprises a processor and a memory; the detection unit, the first judgment unit and the other units are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor comprises one or more cores, and a core fetches the corresponding program unit from the memory. One or more cores may be provided, and the accuracy of judging abnormal flow is improved by adjusting the core parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a storage medium on which a program is stored, the program implementing the traffic data processing method when executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein the flow data processing method is executed when the program runs.
The embodiment of the invention provides a device, which comprises at least one processor, at least one memory and a bus connected with the processor; the processor and the memory communicate with each other through the bus; and the processor is used for calling the program instructions in the memory to execute the flow data processing method. The device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted to execute a program that, when run on a data processing device, performs the following method steps: when the flow of the target object is detected to be abnormal based on the weekly baseline, re-detecting the flow of the target object through the extended period baseline to obtain a re-detection result, where the flow period corresponding to the extended period baseline is longer than one week; judging whether the re-detection result is abnormal; and if the re-detection result is abnormal, outputting a first message, where the first message is used to prompt that the flow of the target object is abnormal, and if the matching between any one of the extended period baselines and the flow of the target object succeeds, the re-detection result is not abnormal.
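As an added illustration of the two-stage check just restated (the detection, judgment and output units of Fig. 4, the updating unit, and the branches of claims 1 to 3), the following Python sketch runs the weekly baseline first, re-detects on the extended period baselines only when the weekly stage flags the traffic, and emits the first or second message accordingly. It is not code from the patent or from Hillstone Networks: the hourly slot granularity, the relative tolerance band, the exponentially weighted update of a matching baseline, the sample traffic values and the names Baseline, Detector and build_demo_detector are all assumptions made here, and the "add instruction" interaction of claims 4 and 5 is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added illustration of the two-stage check described in the patent text; this is
# not the patent's or Hillstone Networks' code. All names, the hourly slot
# granularity, the relative tolerance band and the EWMA update are assumptions.

SLOTS_PER_WEEK = 7 * 24  # one traffic sample per hour of the week (assumption)


@dataclass
class Baseline:
    """Expected traffic for each slot of one period, plus a relative tolerance.

    period_slots is 168 for the weekly baseline and more than 168 for an
    extended period baseline (the text only requires "longer than one week").
    """
    name: str
    period_slots: int
    expected: Dict[int, float]  # slot index within the period -> expected units per hour
    tolerance: float            # relative band, e.g. 0.3 means +/-30 % of expected

    def matches(self, t: int, observed: float) -> bool:
        """True when the observation at hour t lies inside the band for its slot."""
        slot = t % self.period_slots
        if slot not in self.expected:
            return False  # this baseline says nothing about that slot, so no match
        exp = self.expected[slot]
        return abs(observed - exp) <= self.tolerance * exp

    def update(self, t: int, observed: float, alpha: float = 0.2) -> None:
        """Exponentially weighted update of the slot the observation fell in (assumption)."""
        slot = t % self.period_slots
        old = self.expected.get(slot, observed)
        self.expected[slot] = (1.0 - alpha) * old + alpha * observed


@dataclass
class Detector:
    """Detection, judgment and output units of Fig. 4, folded into one check() call."""
    weekly: Baseline
    extended: List[Baseline] = field(default_factory=list)

    def check(self, t: int, observed: float) -> Tuple[str, str]:
        """Return (verdict, message); verdict is 'normal', 'abnormal' or 'no_extended_baseline'."""
        # Stage 1: weekly baseline.
        if self.weekly.matches(t, observed):
            return "normal", ""
        # Stage 2: the weekly baseline flagged the traffic, so re-detect on the
        # extended period baselines.
        if not self.extended:
            # Second message: no extended period baseline exists (claim 3).
            return "no_extended_baseline", "second message: no extended period baseline exists"
        for bl in self.extended:
            if bl.matches(t, observed):
                # Re-detection result is not abnormal; learn from the traffic (claim 2).
                bl.update(t, observed)
                return "normal", f"matched extended period baseline '{bl.name}'"
        # No extended period baseline matched: first message (claim 1).
        return "abnormal", "first message: traffic of the target object is abnormal"


def build_demo_detector() -> Detector:
    """Constructed sample data: flat weekly traffic plus a month-end batch spike (assumption)."""
    weekly = Baseline("weekly", SLOTS_PER_WEEK, {s: 100.0 for s in range(SLOTS_PER_WEEK)}, 0.3)
    # 30-day cycle (720 hourly slots); only the last day carries the expected 400 units/hour.
    month_end = Baseline("month-end batch", 30 * 24, {s: 400.0 for s in range(29 * 24, 30 * 24)}, 0.3)
    return Detector(weekly=weekly, extended=[month_end])


if __name__ == "__main__":
    det = build_demo_detector()
    # hour 5 is ordinary traffic; hour 100 is a spike no baseline explains;
    # hour 719 is the month-end spike the extended period baseline expects.
    for hour, volume in [(5, 105.0), (100, 390.0), (719, 390.0)]:
        print(hour, volume, det.check(hour, volume))
    # Same spike with no extended period baseline configured: second message.
    print(Detector(weekly=det.weekly).check(719, 390.0))
```

Because the matching extended period baseline is updated from the observed traffic, the tolerance band and the learning rate decide how quickly a sustained out-of-profile volume would be absorbed into the baseline; a deployment should bound that update (or hold it until the weekly-stage verdict has been reviewed) rather than let the baseline follow the traffic unconditionally.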
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for processing traffic data, comprising:
when the flow of a target object is detected to be abnormal based on a weekly baseline, detecting the flow of the target object again through an extended period baseline to obtain a re-detection result, wherein the flow period corresponding to the extended period baseline is more than one week;
judging whether the re-detection result is abnormal or not;
and if the re-detection result is abnormal, outputting a first message, wherein the first message is used for prompting that the flow of the target object is abnormal, and if the matching between any one of the extended period baselines and the flow of the target object succeeds, the re-detection result is not abnormal.
2. The method of claim 1, further comprising:
and if the re-detection result is not abnormal, updating the extended period baseline based on the flow of the target object.
3. The method of claim 1, wherein before re-detecting the flow of the target object through the extended period baseline to obtain a re-detection result, the method further comprises:
judging whether the extended period baseline exists or not;
and if not, outputting a second message, wherein the second message is used for prompting that the extended period baseline does not exist.
4. The method of claim 3, wherein after outputting the second message, the method further comprises:
sending prompt information, wherein the prompt information is used for prompting whether an extension period baseline is added or not;
upon receiving an add instruction, adding the extended period baseline based on the add instruction.
5. The method of claim 4, further comprising:
after receiving an instruction not to add, judging the currently detected flow of the target object as abnormal flow;
and sending a flow abnormality prompt.
6. A traffic data processing apparatus, comprising:
a detection unit, configured to re-detect the flow of the target object through an extended period baseline when the flow of the target object is detected to be abnormal based on the weekly baseline, so as to obtain a re-detection result, wherein the flow period corresponding to the extended period baseline is more than one week;
a first judgment unit for judging whether the re-detection result is abnormal or not;
and a first output unit, configured to output a first message when the re-detection result is abnormal, wherein the first message is used to prompt that the flow of the target object is abnormal, and if the matching between any one of the extended period baselines and the flow of the target object succeeds, the re-detection result is not abnormal.
7. The apparatus of claim 6, further comprising:
and the updating unit is used for updating the extended period baseline based on the flow of the target object when the re-detection result is not abnormal.
8. The apparatus of claim 6, further comprising:
the second judgment unit is used for judging whether the extended period baseline exists or not before the flow of the target object is detected again through the extended period baseline to obtain a detection result again;
and a second output unit, configured to output a second message if the extended period baseline does not exist, wherein the second message is used to prompt that the extended period baseline does not exist.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein when the program runs, a device where the storage medium is located is controlled to execute the flow data processing method according to any one of claims 1 to 5.
10. An apparatus, characterized in that the apparatus comprises at least one processor, and at least one memory and a bus connected with the processor, wherein the processor and the memory are used for completing mutual communication through the bus, and the processor is used for calling program instructions in the memory to execute the traffic data processing method according to any one of claims 1 to 5.
CN201911400067.3A 2019-12-30 2019-12-30 Flow data processing method and device Active CN111131290B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911400067.3A CN111131290B (en) 2019-12-30 2019-12-30 Flow data processing method and device

Publications (2)

Publication Number Publication Date
CN111131290A true CN111131290A (en) 2020-05-08
CN111131290B CN111131290B (en) 2022-06-10

Family

ID=70505639

Country Status (1)

Country Link
CN (1) CN111131290B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112287390A (en) * 2020-10-23 2021-01-29 杭州数梦工场科技有限公司 Self-adaptive baseline adjusting method and device
CN113391983A (en) * 2021-06-07 2021-09-14 北京达佳互联信息技术有限公司 Alarm information generation method, device, server and storage medium
CN113655724A (en) * 2021-07-12 2021-11-16 江苏美的清洁电器股份有限公司 Control method, control device, household appliance and storage medium
CN113765881A (en) * 2021-07-20 2021-12-07 奇安信科技集团股份有限公司 Method and device for detecting abnormal network security behavior, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050041593A1 (en) * 2003-08-20 2005-02-24 Fujitsu Limited Device for detecting failure of communication network
CN101355463A (en) * 2008-08-27 2009-01-28 成都市华为赛门铁克科技有限公司 Method, system and equipment for judging network attack
CN105281966A (en) * 2014-06-13 2016-01-27 腾讯科技(深圳)有限公司 Method and device for identifying abnormal traffic of network equipment
CN107104848A (en) * 2016-02-19 2017-08-29 中国移动通信集团浙江有限公司 Information technology system monitoring method and device
CN107733921A (en) * 2017-11-14 2018-02-23 深圳中兴网信科技有限公司 Network flow abnormal detecting method, device, computer equipment and storage medium
CN108259263A (en) * 2017-12-01 2018-07-06 国家电网公司 Data analysing method, apparatus and system
CN109164786A (en) * 2018-08-24 2019-01-08 杭州安恒信息技术股份有限公司 A kind of anomaly detection method based on time correlation baseline, device and equipment
CN109743187A (en) * 2018-11-23 2019-05-10 北京奇安信科技有限公司 Industry control network method for detecting abnormality and device
CN110166418A (en) * 2019-03-04 2019-08-23 腾讯科技(深圳)有限公司 Attack detection method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant