CN111614634A - Flow detection method, device, equipment and storage medium - Google Patents
Flow detection method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN111614634A CN111614634A CN202010367557.4A CN202010367557A CN111614634A CN 111614634 A CN111614634 A CN 111614634A CN 202010367557 A CN202010367557 A CN 202010367557A CN 111614634 A CN111614634 A CN 111614634A
- Authority
- CN
- China
- Prior art keywords
- flow
- target
- time point
- detection
- historical
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 288
- 238000003860 storage Methods 0.000 title claims abstract description 20
- 238000000034 method Methods 0.000 claims abstract description 50
- 238000012545 processing Methods 0.000 claims abstract description 47
- 230000002159 abnormal effect Effects 0.000 claims description 60
- 230000015654 memory Effects 0.000 claims description 18
- 238000009499 grossing Methods 0.000 claims description 17
- 238000012549 training Methods 0.000 claims description 14
- 238000004422 calculation algorithm Methods 0.000 description 31
- 238000005516 engineering process Methods 0.000 description 24
- 238000010586 diagram Methods 0.000 description 19
- 230000008569 process Effects 0.000 description 13
- 238000013473 artificial intelligence Methods 0.000 description 12
- 238000001595 flow curve Methods 0.000 description 11
- 230000002093 peripheral effect Effects 0.000 description 10
- 230000001133 acceleration Effects 0.000 description 9
- 238000004891 communication Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 8
- 230000005540 biological transmission Effects 0.000 description 7
- 238000010606 normalization Methods 0.000 description 7
- 238000010801 machine learning Methods 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 6
- 238000011160 research Methods 0.000 description 6
- 241000282414 Homo sapiens Species 0.000 description 5
- 230000008859 change Effects 0.000 description 5
- 230000001965 increasing effect Effects 0.000 description 5
- 230000006399 behavior Effects 0.000 description 3
- 241000700605 Viruses Species 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 2
- 238000013528 artificial neural network Methods 0.000 description 2
- 239000000919 ceramic Substances 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 238000003066 decision tree Methods 0.000 description 2
- 230000003247 decreasing effect Effects 0.000 description 2
- 238000013135 deep learning Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000001914 filtration Methods 0.000 description 2
- 238000002955 isolation Methods 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000035772 mutation Effects 0.000 description 2
- 238000007637 random forest analysis Methods 0.000 description 2
- 238000011946 reduction process Methods 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 238000012706 support-vector machine Methods 0.000 description 2
- 230000005856 abnormality Effects 0.000 description 1
- 230000002547 anomalous effect Effects 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 238000012550 audit Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000013527 convolutional neural network Methods 0.000 description 1
- 238000010219 correlation analysis Methods 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000001939 inductive effect Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000001788 irregular Effects 0.000 description 1
- 238000002372 labelling Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000007477 logistic regression Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000003058 natural language processing Methods 0.000 description 1
- 230000008447 perception Effects 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 230000002787 reinforcement Effects 0.000 description 1
- 238000009877 rendering Methods 0.000 description 1
- 238000012954 risk control Methods 0.000 description 1
- 230000006641 stabilisation Effects 0.000 description 1
- 238000011105 stabilization Methods 0.000 description 1
- 238000013526 transfer learning Methods 0.000 description 1
- 238000012384 transportation and delivery Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
Abstract
The embodiment of the application discloses a flow detection method, a flow detection device, flow detection equipment and a storage medium, and belongs to the technical field of computers. The method comprises the following steps: the method comprises the steps of obtaining historical flow of a plurality of historical time points and target flow of a target time point behind the historical time points, carrying out fitting processing according to the historical flow of the historical time points and the target flow of the target time point, obtaining first relation data, determining a flow range corresponding to the target time point according to the first relation data, and carrying out state detection on the target flow under the condition that the target flow does not belong to the flow range to obtain the detection state of the target flow. In network attack and equipment fault detection, whether the target flow belongs to the flow range or not is determined, so that preliminary detection of the target flow is realized, the detection accuracy is improved, the state detection is performed on the target flow which does not belong to the flow range, and the detection accuracy and the detection efficiency are further improved.
Description
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to a flow detection method, a flow detection device, flow detection equipment and a storage medium.
Background
With the development of computer technology, data transmission through a network is increasingly performed, traffic is generated in the data transmission process, and when the network is abnormal, if a network attack is encountered or a device is in a problem, the generated traffic is subjected to sudden change. Therefore, whether the network is abnormal or not can be found in time by detecting the flow.
Currently, in the process of detecting a flow rate, the flow rate at a certain time point is predicted according to the historical flow rate at the historical time point to obtain a predicted flow rate, a target flow rate actually generated at the time point is detected, and whether the target flow rate is abnormal or not is determined by comparing the target flow rate with the predicted flow rate. However, the above method depends on the predicted flow, and if the accuracy of the predicted flow is low, the detection accuracy of the target flow is low.
Disclosure of Invention
The embodiment of the application provides a flow detection method, a flow detection device, flow detection equipment and a storage medium, and the detection accuracy of target flow is improved. The technical scheme is as follows:
in one aspect, a traffic detection method is provided, and the method includes:
acquiring historical flow of a plurality of historical time points and target flow of target time points behind the historical time points;
fitting according to the historical flow of the plurality of historical time points and the target flow of the target time point to obtain first relation data, wherein the first relation data is used for indicating the relation between any time point and the flow of any time point;
determining a flow range corresponding to the target time point according to the first relation data;
and under the condition that the target flow does not belong to the flow range, carrying out state detection on the target flow to obtain the detection state of the target flow.
In a possible implementation manner, before the invoking a traffic detection model and performing state detection on the target traffic to obtain a detection state of the target traffic when the target traffic does not belong to the traffic range, the method further includes:
obtaining sample flow rates of a plurality of first sample time points and sample flow rates of a second sample time point, wherein the second sample time point is positioned after the plurality of first sample time points;
acquiring a sample detection state of the sample flow at the second sample time point;
and training the flow detection model according to the sample flow of the plurality of first sample time points, the sample flow of the second sample time point and the sample detection state.
In another possible implementation manner, after determining, according to the first relationship data, a traffic range corresponding to the target time point, the method further includes:
and determining that the detection state of the target flow is a normal state under the condition that the target flow belongs to the flow range.
In another possible implementation manner, after performing state detection on the target traffic and obtaining a detection state of the target traffic when the target traffic does not belong to the traffic range, the method further includes:
determining that the detection state is a low flow state when the target flow is smaller than the minimum value of the flow range and the detection state is an abnormal state; alternatively, the first and second electrodes may be,
and determining that the detection state is a high flow rate state when the target flow rate is greater than the maximum value of the flow rate range and the detection state is the abnormal state.
In another aspect, a flow detection apparatus is provided, the apparatus comprising:
the flow acquisition module is used for acquiring historical flow of a plurality of historical time points and target flow of target time points behind the historical time points;
a first relation obtaining module, configured to perform fitting processing according to historical flow rates of the multiple historical time points and a target flow rate of the target time point to obtain first relation data, where the first relation data is used to indicate a relation between any time point and the flow rate of the any time point;
the flow range determining module is used for determining the flow range corresponding to the target time point according to the first relation data;
and the flow detection module is used for carrying out state detection on the target flow under the condition that the target flow does not belong to the flow range to obtain the detection state of the target flow.
In one possible implementation, the traffic range determination module includes:
a reference flow acquiring unit, configured to query, according to the first relationship data, a flow corresponding to the target time point, as a reference flow;
a reference flow adjusting unit, configured to adjust the reference flow to obtain a first flow greater than the reference flow and a second flow smaller than the reference flow;
and the first range determining unit is used for obtaining the flow range by taking the first flow as the maximum value of the flow range and taking the second flow as the minimum value of the flow range.
In another possible implementation manner, the flow range determining module further includes:
a second relation obtaining unit, configured to obtain second relation data according to the first relation data, where a flow rate corresponding to any one time point in the second relation data is greater than a flow rate corresponding to the same time point in the first relation data;
a third relation obtaining unit, configured to obtain third relation data according to the first relation data, where a flow rate corresponding to any time point in the third relation data is smaller than a flow rate corresponding to the same time point in the first relation data;
the flow query unit is used for querying a third flow corresponding to the target time point according to the second relation data and querying a fourth flow corresponding to the target time point according to the third relation data;
and the second range determining unit is used for taking the third flow as the maximum value of the flow range and taking the fourth flow as the minimum value of the flow range to obtain the flow range.
In another possible implementation manner, the traffic detection module is further configured to:
and calling a flow detection model under the condition that the target flow does not belong to the flow range, and carrying out state detection on the target flow to obtain the detection state of the target flow.
In another possible implementation manner, the apparatus further includes:
a sample flow rate obtaining module, configured to obtain sample flow rates of a plurality of first sample time points and a sample flow rate of a second sample time point, where the second sample time point is located after the plurality of first sample time points;
a sample state obtaining module, configured to obtain a sample detection state of the sample flow at the second sample time point;
and the model training module is used for training the flow detection model according to the sample flow of the plurality of first sample time points, the sample flow of the second sample time point and the sample detection state.
In another possible implementation manner, the apparatus further includes:
the sample flow obtaining module is further configured to obtain sample historical flows at a plurality of sample historical time points and sample target flows at sample target time points, where the sample target time points are located after the plurality of sample historical time points;
the sample state acquisition module is further configured to acquire a sample detection state of the sample target flow at the sample target time point;
the model training module is further configured to continue training the flow detection model according to the sample historical flow rates at the plurality of sample historical time points, the sample target flow rate at the sample target time point, and the sample detection state.
In another possible implementation manner, the apparatus further includes:
and the normal state determining module is used for determining that the detection state of the target flow is a normal state under the condition that the target flow belongs to the flow range.
In another possible implementation manner, the apparatus further includes:
the first state determination module is used for determining that the detection state is a low flow state under the condition that the target flow is smaller than the minimum value of the flow range and the detection state is an abnormal state; alternatively, the first and second electrodes may be,
and the second state determination module is used for determining that the detection state is a high flow state under the condition that the target flow is larger than the maximum value of the flow range and the detection state is the abnormal state.
In another possible implementation manner, the apparatus further includes:
a fourth relation obtaining module, configured to, when the detection state is an abnormal state, select a first number of time points from the multiple historical time points and the target time point, perform smoothing on traffic of the first number of time points, and obtain fourth relation data according to the traffic after the smoothing of the first number of time points, where the fourth relation data is used to indicate a relation between any time point and the traffic corresponding to any time point;
a fifth relation obtaining module, configured to obtain a second number of time points according to the fourth relation data, perform smoothing on the traffic of the second number of time points, and obtain fifth relation data according to the traffic after the smoothing of the second number of time points, where the fifth relation data is used to indicate a relation between any time point and the traffic corresponding to the any time point;
the flow query module is used for querying a fifth flow corresponding to the target time point according to the fourth relational data and querying a sixth flow corresponding to the target time point according to the fifth relational data;
the first state determination module is further configured to determine that the target flow rate is in a low flow rate state when a difference between the fifth flow rate and the sixth flow rate is smaller than a first preset value; alternatively, the first and second electrodes may be,
the second state determination module is further configured to determine that the target flow rate is in a high flow rate state when a difference between the fifth flow rate and the sixth flow rate is greater than a second preset value.
In another possible implementation manner, the apparatus further includes:
and the warning display module is used for displaying warning information when the detection state of the target flow is an abnormal state and the detection states of the historical flows of a plurality of continuous historical time points before the target time point are abnormal states.
In another aspect, a computer device is provided, which includes a processor and a memory, where at least one instruction is stored, and loaded and executed by the processor to implement the operations as performed in the traffic detection method.
In another aspect, a computer-readable storage medium is provided, in which at least one instruction is stored, and the at least one instruction is loaded and executed by a processor to implement the operations as performed in the traffic detection method.
The method, the device, the equipment and the storage medium provided by the embodiment of the application obtain historical flow of a plurality of historical time points and target flow of a target time point behind the plurality of historical time points, perform fitting processing according to the historical flow of the plurality of historical time points and the target flow of the target time point to obtain first relation data, determine a flow range corresponding to the target time point according to the first relation data, and perform state detection on the target flow to obtain a detection state of the target flow under the condition that the target flow does not belong to the flow range. The flow detection method provided by the embodiment of the application does not depend on flow prediction, but determines the flow range according to the flows of a plurality of historical time points and the target time point, improves the accuracy of the flow range, realizes primary detection on the target flow by determining whether the target flow belongs to the flow range, and improves the accuracy of detection. And only the target flow which does not belong to the flow range is subjected to state detection subsequently, so that the detection accuracy and the detection efficiency are further improved.
In addition, when only the unsupervised learning algorithm is used, the detection accuracy is low, and when only the supervised learning algorithm is used, each target flow needs to be detected, so that the detection efficiency is low. The method combines the unsupervised learning algorithm and the supervised learning algorithm together, avoids using only one algorithm for flow detection, can filter part of target flow by adopting the unsupervised learning algorithm, reduces the target flow to be detected by the supervised learning algorithm, improves the detection accuracy and improves the detection efficiency.
And in a fault detection scene, after a detection result is obtained, alarm information is displayed, and technicians are reminded to maintain the target equipment in time.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a flow detection method provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of an outgoing flow curve and an incoming flow curve provided by an embodiment of the present application;
FIG. 3 is a schematic view of a flow curve provided by an embodiment of the present application;
fig. 4 is a flowchart of another flow rate detection method provided in an embodiment of the present application;
fig. 5 is a schematic diagram of a manner of obtaining traffic data according to an embodiment of the present application;
fig. 6 is a schematic diagram of a flow rate curve before fitting processing and a fitted curve after fitting processing according to an embodiment of the present application;
fig. 7 is a schematic diagram of a flow curve in a normal state and a flow curve in an abnormal state according to an embodiment of the present application;
fig. 8 is a schematic view of a flow curve and a histogram corresponding to the flow curve provided in the embodiment of the present application;
FIG. 9 is a schematic diagram of an alert display interface provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of another alert information display interface provided by an embodiment of the present application;
fig. 11 is a flowchart of another flow rate detection method provided in the embodiment of the present application;
fig. 12 is a schematic structural diagram of a flow rate detection device according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of another flow rate detection device provided in the embodiment of the present application;
fig. 14 is a schematic structural diagram of a terminal according to an embodiment of the present application;
fig. 15 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application more clear, the embodiments of the present application will be further described in detail with reference to the accompanying drawings.
It will be understood that the terms "first," "second," and "third," etc., as used herein, may be used herein to describe various concepts, which are not limited by these terms, unless otherwise specified. These terms are only used to distinguish one concept from another. For example, the first relationship data may be referred to as second relationship data, and the second relationship data may be referred to as first relationship data without departing from the scope of the present application.
As used herein, the terms "each," "plurality," and "any," and the like, a plurality includes two or more, each referring to each of the corresponding plurality, and any referring to any one of the corresponding plurality. For example, the plurality of time points includes 5 time points, each time point refers to each of the 5 time points, and any time point refers to any one of the 5 time points.
In order to facilitate understanding of the traffic detection method provided in the embodiment of the present application, the keywords related to the embodiment of the present application are explained:
time series: the time sequence is a group of data point sequences arranged according to the time sequence, the interval time between any two adjacent data points in the group of time sequences is a preset time, and the preset time can be 1 second, 1 minute, 1 hour or other time. In a flow detection scene, a time sequence belongs to a monitoring type time sequence, a target flow and a plurality of historical flows are spliced according to the time sequence, and an obtained group of data is the time sequence, wherein the time sequence comprises flows corresponding to a plurality of time points arranged according to the time sequence.
Network flow: network traffic refers to the amount of data transmitted during the transmission of data over a network. The network flow comprises: for the target device, the outgoing flow refers to a flow generated in a process of sending data to other devices by the target device, the incoming flow refers to a flow generated in a process of receiving data sent by other devices by the target device, and a state of the network flow may reflect a current state of the network.
Abnormality detection: the anomaly detection refers to a process of detecting anomalous data from a plurality of data. The abnormal data refers to data different from most data, and the variation trend of the abnormal data is obviously different from that of other data. In the flow detection scene, the abnormal detection is to determine whether the target flow is in an abnormal state.
And (4) alarming: the alarm means that when the flow is in an abnormal state, the computer equipment displays alarm information or sends the alarm information to other equipment.
Cloud Technology refers to a hosting Technology for unifying resources of hardware, software, network and the like in a wide area network or a local area network to realize calculation, storage, processing and sharing of data. The cloud technology is based on the general names of network technology, information technology, integration technology, management platform technology, application technology and the like applied in the cloud computing business model, can form a resource pool, is used as required, and is flexible and convenient. Cloud computing technology will become an important support. Background services of the technical network system require a large amount of computing and storage resources, such as video websites, picture-like websites and more web portals. With the high development and application of the internet industry, each article may have its own identification mark and needs to be transmitted to a background system for logic processing, data in different levels are processed separately, and various industrial data need strong system background support and can only be realized through cloud computing.
Cloud Security (Cloud Security) refers to a generic term for Security software, hardware, users, organizations, secure Cloud platforms for Cloud-based business model applications. The cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment, abnormal monitoring of software behaviors in the network is achieved through a large number of meshed clients, the latest information of trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and then the virus and trojan solution is distributed to each client.
The main research directions of cloud security include: 1. the cloud computing security mainly researches how to guarantee the security of the cloud and various applications on the cloud, including the security of a cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; 2. the cloud of the security infrastructure mainly researches how to adopt cloud computing to newly build and integrate security infrastructure resources and optimize a security protection mechanism, and comprises the steps of constructing a super-large-scale security event and an information acquisition and processing platform through a cloud computing technology, realizing the acquisition and correlation analysis of mass information, and improving the handling control capability and the risk control capability of the security event of the whole network; 3. the cloud security service mainly researches various security services, such as anti-virus services and the like, provided for users based on a cloud computing platform.
The flow detection method provided by the embodiment of the application adopts a cloud security technology to detect the state of the flow.
Artificial Intelligence (AI) is a theory, method, technique and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and expand human Intelligence, perceive the environment, acquire knowledge and use the knowledge to obtain the best results. In other words, artificial intelligence is a comprehensive technique of computer science that attempts to understand the essence of intelligence and produce a new intelligent machine that can react in a manner similar to human intelligence. Artificial intelligence is the research of the design principle and the realization method of various intelligent machines, so that the machines have the functions of perception, reasoning and decision making.
The artificial intelligence technology is a comprehensive subject and relates to the field of extensive technology, namely the technology of a hardware level and the technology of a software level. The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operations, interactive systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a voice processing technology, a natural language processing technology, machine learning, deep learning and the like.
Machine Learning (ML) is a multi-domain cross discipline, and relates to a plurality of disciplines such as probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory and the like. The special research on how a computer simulates or realizes the learning behavior of human beings so as to acquire new knowledge or skills and reorganize the existing knowledge structure to continuously improve the performance of the computer. Machine learning is the core of artificial intelligence, is the fundamental approach for computers to have intelligence, and is applied to all fields of artificial intelligence. Machine learning and deep learning generally include techniques such as artificial neural networks, belief networks, reinforcement learning, transfer learning, inductive learning, and teaching learning.
The flow detection method provided by the embodiment of the application adopts an artificial intelligence technology to detect the flow.
The embodiment of the application provides a flow detection method, and an execution main body is computer equipment. The computer equipment acquires historical flow of a plurality of historical time points and target flow of a target time point behind the historical time points, acquires first relation data according to the historical flow of the historical time points and the target flow of the target time point, determines a flow range corresponding to the target time point according to the first relation data, and performs state detection processing on the target flow to obtain a detection state of the target flow under the condition that the target flow does not belong to the flow range.
In one possible implementation, the computer device is a terminal, and the terminal may be various types of terminals such as a portable terminal, a pocket terminal, a handheld terminal, and the like, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like.
In another possible implementation manner, the computer device is a server, which may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform, and the like.
In addition, the terminal and the server may be directly or indirectly connected through wired or wireless communication, and the present application is not limited thereto.
The flow detection method provided by the embodiment of the application can be applied to various scenes.
For example, in a network security scenario.
When a network is attacked by the network, the generated traffic can generate mutation, and by adopting the traffic detection method provided by the embodiment of the application, the traffic state can be detected, and whether the traffic has mutation or not can be determined, so that whether the network is attacked or not can be determined.
For example, in a fault detection scenario.
In the data transmission process, if any one of a sending device for sending data, a receiving device for receiving data or a transmission device for transmitting data fails, normal transmission of the data cannot be guaranteed.
Fig. 1 is a flowchart of a traffic detection method according to an embodiment of the present application. An execution subject of the embodiment of the application is a computer device, and referring to fig. 1, the method includes:
101. the computer device obtains historical traffic for a plurality of historical time points and target traffic for a target time point located after the plurality of historical time points.
In the embodiment of the application, the computer device obtains the historical flow and the target flow, and performs state detection on the target flow to obtain the detection state of the target flow, wherein the target flow and the historical flow can be flows of any device. The embodiment of the present application is only described by taking a target flow of a target device as an example, and the target device may be any device that sends or receives data, for example, a terminal, a server, and the like; the target device may also be a device that forwards signals, e.g., a switch; the target device may also be a device that transmits data, such as an optical cable. The target of the traffic detection may be a certain interface of a certain device or a certain IP (Internet Protocol) address.
In one possible implementation, a connection is established between the computer device and the target device, and the computer device may monitor a traffic of the target device or a traffic of the target interface; alternatively, the target device sends the traffic to the computer device. After receiving the flow of the target device, the computer device stores the flow of the target device in a time sequence form, that is, the flow is arranged according to the sequence of the corresponding time points.
Alternatively, the computer device may store traffic using an infiluxdb (time series database), a drive (an efficient database), or the like database that can store time series, or a Redis (Remote Dictionary Server) or other memory type database.
In the embodiment of the application, the target flow may be either an outgoing flow or an incoming flow, and the type of the target flow is consistent with that of the historical flow, that is, if the target flow is the outgoing flow, the historical flow is also the outgoing flow; if the target flow is an ingress flow, the historical flow is also an ingress flow. The target flow rate is a flow rate at a target time point, and the target time point may be a current time point or any historical time point before the current time point.
In addition, the computer device may configure the flow rates at a plurality of consecutive time points into a time series, and the flow rates at the plurality of time points may be represented in the form of a flow rate curve, and the flow rate curve includes an inflow flow rate curve and an outflow flow rate curve. For example, referring to fig. 2, a solid line represents a flow curve, a dashed line represents an inflow curve, an abscissa represents time, and an ordinate represents flow, fig. 2 shows flow curves of two different devices, a graph 201 is a flow curve of a first device during a certain period of time, and a graph 202 is a flow curve of a second device during a certain period of time.
In this embodiment of the application, the detection state of the flow includes a normal state or an abnormal state, the normal state refers to a state in which a difference between the flow at the target time point and the flow at the other time points is small, and the abnormal state refers to a state in which a difference between the flow at the current time point and the flow at the other time points is large. From the flow rate curve, the flow rate of the flow rate curve in the normal state at a plurality of continuous time points does not obviously fluctuate, and the flow rate of the flow rate curve in the abnormal state at a certain time point greatly fluctuates. For example, referring to fig. 3, the abscissa is the time point, the ordinate is the flow rate, and the graph 301 shown in fig. 3 shows that the flow rate at two time points is in an abnormal state, the flow rate at 6:00 has a small fluctuation, and the flow rate at 22:00 has a large fluctuation.
102. And the computer equipment performs fitting processing according to the historical flow of the plurality of historical time points and the target flow of the target time point to obtain first relation data.
In the embodiment of the application, the first relation data acquired by the computer device is used for indicating a relation between any time point and the flow at any time point, wherein any time point is any one of a plurality of historical time points and a target time point. Since the first relation data is obtained by performing fitting processing on the historical flow rates at the plurality of historical time points and the target flow rate at the target time point, the flow rate at any time point indicated by the first relation data may be the same as or different from the flow rate at any time point before the fitting processing.
In one possible implementation manner, after the computer device acquires the first relationship data, the first relationship data is stored, wherein the first relationship data may be stored in a form of a description statement, a formula or a function, or other manners.
103. And the computer equipment determines the flow range corresponding to the target time point according to the first relation data.
The computer equipment firstly carries out filtering processing on the target flow of the target time point, judges whether the target flow belongs to the flow range corresponding to the target time point or not in the filtering processing process, filters the target flow if the target flow belongs to the flow range, and carries out subsequent state detection on the target flow if the target flow does not belong to the flow range.
The target flow belongs to the flow range, which means that the target flow is in a normal state, and the target flow does not need to be subjected to state detection, the target flow does not belong to the flow range, which means that the target flow is possibly in an abnormal state to a greater extent, and a more accurate state detection mode needs to be adopted to perform state detection on the target flow again, so as to determine whether the target flow is in the abnormal state. By adopting the mode, the target flow for state detection can be reduced, and the detection efficiency is improved.
In one possible implementation manner, the computer device queries, according to the first relationship data, traffic corresponding to the target time point as reference traffic; adjusting the reference flow to obtain a first flow larger than the reference flow and a second flow smaller than the reference flow; the flow rate range is obtained by taking the first flow rate as the maximum value of the flow rate range and the second flow rate as the minimum value of the flow rate range. The reference flow rate is a flow rate at a target time point in a normal state.
The reference flow rate may be adjusted in various ways, for example, the reference flow rate is increased by a preset value to obtain a first flow rate, the reference flow rate is decreased by a preset value to obtain a second flow rate, and the preset value is greater than 0; or, the reference flow is multiplied by a preset proportion to obtain a first flow, the reference flow is divided by the preset proportion to obtain a second flow, and the preset proportion is greater than 1, or other manners can be adopted to obtain the first flow and the second flow.
In another possible implementation manner, the computer device obtains second relationship data according to the first relationship data, obtains third relationship data according to the first relationship data, and queries a third flow corresponding to the target time point according to the second relationship data, where a flow corresponding to any time point in the second relationship data is greater than a flow corresponding to the same time point in the first relationship data, and a flow corresponding to any time point in the third relationship data is smaller than a flow corresponding to the same time point in the first relationship data.
Inquiring fourth flow corresponding to the target time point according to a third relation coefficient; and taking the third flow as the maximum value of the flow range and taking the fourth flow as the minimum value of the flow range to obtain the flow range. That is, after the first relation data is obtained, the first relation data is adjusted to obtain the flow range corresponding to the target time point.
Optionally, adding the same value to the flow rate corresponding to each time point in the first relational data to obtain second relational data, and subtracting the same value from the flow rate corresponding to each time point in the first relational data to obtain third relational data; or multiplying the flow corresponding to each time point in the first relational data by a numerical value larger than 1 to obtain second relational data, and multiplying the flow corresponding to each time point in the first relational data by a numerical value smaller than 1 to obtain third relational data; or, the flow corresponding to each time point in the first relational data may be adjusted in other manners.
104. And the computer equipment carries out state detection on the target flow under the condition that the target flow does not belong to the flow range, so as to obtain the detection state of the target flow.
In the embodiment of the application, the target flow does not belong to the flow range, which means that the target flow is possibly in an abnormal state with a large value, and the computer device performs more accurate state detection on the target flow to determine whether the detection state of the target flow is in the abnormal state.
The method provided by the embodiment of the application comprises the steps of obtaining historical flow of a plurality of historical time points and target flow of a target time point behind the plurality of historical time points, carrying out fitting processing according to the historical flow of the plurality of historical time points and the target flow of the target time point, obtaining first relation data, determining a flow range corresponding to the target time point according to the first relation data, and carrying out state detection on the target flow to obtain a detection state of the target flow under the condition that the target flow does not belong to the flow range. The flow detection method provided by the embodiment of the application does not depend on flow prediction, but determines the flow range according to the flows of a plurality of historical time points and the target time point, improves the accuracy of the flow range, realizes primary detection on the target flow by determining whether the target flow belongs to the flow range, and improves the accuracy of detection. And only the target flow which does not belong to the flow range is subjected to state detection subsequently, so that the detection accuracy and the detection efficiency are further improved.
Fig. 4 is a schematic diagram of a traffic detection method according to an embodiment of the present application. The execution subject of the embodiment of the application is computer equipment, and referring to fig. 4, the method includes:
401. the computer device obtains historical traffic for a plurality of historical time points and target traffic for a target time point located after the plurality of historical time points.
The embodiment of step 401 is similar to the embodiment of step 101, except that step 401 also describes the manner in which the target flow rate and the historical flow rate are obtained.
In one possible implementation manner, when the computer device performs state detection on the target flow at the target time point, the flow at a plurality of historical time points in a plurality of historical time periods before the target time point is acquired as the historical flow. The historical time period may be any time period before the target time point, or may be a time period separated from the target time point by a preset period, where the preset period may be 1 hour, one day, one week, or other time periods.
Optionally, the computer device obtains a target time point and the flow of a preset number of time points before the target time point and adjacent to the target time point; acquiring a first historical time point separated from a target time point by a preset period, flow rates of a preset number of time points adjacent to the first historical time point before the first historical time point and flow rates of a preset number of time points adjacent to the first historical time point after the first historical time point; and acquiring the flow of a second historical time point which is separated from the target time point by a plurality of preset periods, the flow of a preset number of time points which are before the second historical time point and are adjacent to the second historical time point, and the flow of a preset number of time points which are after the second historical time point and are adjacent to the second historical time point.
For example, referring to fig. 5, the preset number is 180, the interval between each time point is 1 minute, the first historical time point is a time point spaced 1 day apart from the target time point, and the second historical time point is a time point spaced 7 days apart from the target time point.
In one possible implementation manner, the computer device performs normalization processing on historical flow rates of a plurality of historical time points and target flow rates of target time points, so as to avoid the problem that in the subsequent detection process, the flow rate in one time period is too high, and the flow rate in another time period is too low, so that the detection is inaccurate.
Optionally, the computer device obtains an average value of the flow rates of the target time point and the plurality of historical time points in the first time period, an average value of the flow rates of the plurality of historical time points in the second time period, and an average value of the flow rates of the plurality of historical time points in the third time period, respectively obtains ratios between the flow rates of the plurality of time points in each time period and the average values, and takes the obtained ratios as the flow rates of the time points after the normalization processing.
For example, based on the example of fig. 5, dataA represents the flow rate at 181 time points in the first time period, dataB represents the flow rate at 361 time points in the second time period, dataC represents the flow rate at 361 time points in the third time period, meanA represents the average value of 181 time points corresponding to dataA, meanB represents the average value of 361 time points corresponding to dataB, meanC represents the average value of 361 time points corresponding to dataC, and the flow rate in each time period after the normalization process is expressed as follows:
dataA_normalized=dataA/meanA;
dataB_normalized=dataB/meanB;
dataC_normalized=dataC/meanC;
wherein dataA _ normalized is the flow at 181 time points in the first time period after the normalization process; the dataB _ normalized is the flow rate at 361 time points in the second time period after the normalization processing; dataC normalized is the flow rate at 361 time points in the third time period after normalization.
In another embodiment, the computer device may also perform normalization processing on the target flow and the historical flow in other manners.
402. And the computer equipment performs fitting processing according to the historical flow of the plurality of historical time points and the target flow of the target time point to obtain first relation data.
403. And the computer equipment determines the flow range corresponding to the target time point according to the first relation data.
The embodiment of steps 402 to 403 is similar to the embodiment of steps 102 to 103, except that step 402 describes acquiring the first relational data in combination with the historical flow rates at the plurality of historical time points acquired in step 401.
In one possible implementation, the computer device performs the fitting process according to the historical flow rates of the plurality of historical time points and the target flow rate of the target time point by using the following polynomials:
P(x)=anxn+an-1xn-1+…+a1x+a0
wherein a represents the coefficient of the polynomial to be determined, n represents the polynomial of degree n, x represents the time point, and p (x) represents the flow rate.
For example, based on the example shown in fig. 5, the first time period is a time period corresponding to a certain time point on the same day, the second time period is a time period corresponding to the same time point on the previous day, the third time period is a time period corresponding to the same time point on the same day before the week, and the three time periods are time periods corresponding to the same time points on different dates, respectively, referring to fig. 6, in two graphs shown in fig. 6, an abscissa represents a time point, an ordinate represents a flow rate, a graph 1 is a graph corresponding to flow rates of a plurality of time points in the first time period, a graph 2 is a graph corresponding to the second time period, a graph 3 is a graph corresponding to the third time period, where graphs 1 to 3 in the graph 601 are graphs corresponding to three time periods before the fitting process, and graphs 1 to 3 in the graph 602 are graphs corresponding to three time periods before the fitting process, the curve 4 is a fitting curve obtained by fitting the target flow and the historical flow.
It should be noted that, in the embodiment of the present application, the above formula is merely used as an example for description, in another embodiment, the computer device may perform fitting processing on the historical flow rates of the multiple historical time points and the target flow rate of the target time point by using other formulas to obtain the first relation data, which is not limited in the embodiment of the present application.
It should be noted that, in this embodiment, only the example of obtaining the first relationship data and obtaining the flow range corresponding to the target time point according to the first relationship data is described, and in another embodiment, the computer may also obtain the flow range corresponding to the target time point by using other manners.
In one possible implementation, the computer device obtains an average value and a standard deviation of historical flow rates at a plurality of historical time points and a target flow rate at a target time point, takes the obtained average value as a reference flow rate, takes a value obtained by adding a standard deviation of a preset multiple to the average value as a maximum value of a flow rate range, and takes a value obtained by subtracting the standard deviation of the preset multiple from the average value as a minimum value of the flow rate range, thereby obtaining the flow rate range.
Optionally, the following formula is adopted to obtain an average value and a standard deviation of the historical flow rates at the plurality of historical time points and the target flow rate at the target time point:
where n denotes the number of time points, x denotes the flow rate, μ denotes the mean value, σ denotes2Represents variance and σ standard deviation.
It can be determined that the middle Line (Center Line), i.e. the reference flow, is μ, the upper bound (UpCenter Line, UCL), i.e. the maximum value, is μ + L σ, and the lower bound (LowCenter Line, LCL), i.e. the minimum value, is μ -L σ. Wherein L is a positive integer. When L is 3, the above algorithm for obtaining the flow rate range is a 3 σ algorithm.
In another possible implementation manner, the computer device may further use an algorithm such as a moving average algorithm, an exponential moving average algorithm, and the like in a control map algorithm, and may further use an algorithm such as an isolated Forest (Isolation Forest) or an One Class Support Vector Machine (One Class Support Vector Machine), and the like, to obtain a flow range corresponding to the target time point.
In addition, if multiple algorithms are adopted, multiple flow ranges corresponding to the target time points are respectively obtained, when the target flow is preliminarily detected, if the target flow does not belong to any flow range, the detection state of the target flow is considered to be possibly an abnormal state, and then the state of the target flow is detected again; or if the target flow does not belong to the preset number of flow ranges, the detection state of the target flow is considered to be possibly an abnormal state, and then the state detection is carried out on the target flow again.
In the embodiment of the application, the manners of acquiring the flow range all belong to an unsupervised learning algorithm, the unsupervised learning algorithm can quickly process the target flow and the historical flow to obtain the flow range, and the acquisition efficiency of the flow range is improved. And for any algorithm, the algorithm cannot be guaranteed to have high recall rate and accuracy at the same time, and in the steps 402 to 403, the flow range is obtained, the target flow is subjected to primary state detection according to the flow range, so that the target flow which is possibly in an abnormal state can be detected, namely the detection accuracy is low, but the recall rate is improved.
404. And the computer equipment calls the flow detection model to perform state detection on the target flow to obtain the detection state of the target flow under the condition that the target flow does not belong to the flow range.
The flow detection model can detect the target flow of any equipment.
In a possible implementation manner, the computer device obtains feature data of the target flow and the historical flow, calls a flow detection model, and performs detection processing on the feature data to obtain a detection state of the target flow. The characteristic data comprises statistical characteristic data, time characteristic data and other characteristic data, the statistical characteristic data comprises at least one of maximum flow, minimum flow, fluctuation rate, mean, variance, standard deviation, difference, integral, same proportion or ring proportion, and the time characteristic data comprises a time interval between any two continuous time points.
The maximum flow rate refers to the maximum flow rate in the target flow rate and the historical flow rate, the minimum flow rate refers to the minimum flow rate in the target flow rate and the historical flow rate, the fluctuation rate refers to the numerical fluctuation condition of the target flow rate and the historical flow rate, and can be represented by variance or standard deviation, the mean value refers to the average value of the target flow rate and the historical flow rate, the difference and the integral can represent the variation trend of the target flow rate and the historical flow rate, the unity ratio refers to the ratio of the target flow rate of the current period to the historical flow rate of the previous period, and the ring ratio refers to the ratio of the target flow rate of the current period to the historical flow rate of a plurality.
Before the computer device calls the flow detection model, the trained flow detection model needs to be obtained, and the flow detection model can be trained by the computer device or sent to the computer device after being trained by other devices.
The flow detection model may be trained in the following way: obtaining a plurality of sample flow rates of a first sample time point and a plurality of sample flow rates of a second sample time point; acquiring a sample detection state of the sample flow at a second sample time point; and training a flow detection model according to the sample flow of the plurality of first sample time points, the sample flow of the second sample time point and the sample detection state. Wherein the second sample time point is located after the plurality of first sample time points.
In one possible implementation, the computer device obtains a plurality of sample flows for a first sample time point and a second sample time point; processing the sample flow of the plurality of first sample time points and the sample flow of the second sample time point to obtain corresponding sample characteristic data; acquiring a sample detection state of the sample flow at a second sample time point; and training a flow detection model according to the sample characteristic data and the sample detection state.
For example, the computer apparatus inputs the acquired sample flow rates at the plurality of first sample time points and the sample flow rate at the second sample time point to the flow rate detection model, obtains a predicted detection state of the sample flow rate at the second sample time point by the flow rate detection model, compares the predicted detection state and the sample detection state to obtain a difference between the predicted detection state and the sample detection state, adjusts a parameter of the flow rate detection model according to the difference between the predicted detection state and the sample detection state to reduce the difference between the predicted detection state and the sample detection state, and causes the flow rate detection model to learn the capability of obtaining a detection state of a target flow rate from the historical flow rates at the plurality of historical time points and the target flow rate at the target time point.
In addition, after the computer equipment obtains the detection state of the target flow, the target flow is used as a sample target flow, and a flow detection model is trained. Acquiring sample historical flow of a plurality of sample historical time points and sample target flow of a sample target time point; obtaining a sample detection state of sample target flow at a sample target time point; and continuing training the flow detection model according to the sample historical flow of the plurality of sample historical time points, the sample target flow of the sample target time point and the sample detection state.
In one possible implementation, the detection state may be represented by a probability, where the probability is used to represent the probability that the target traffic is in an abnormal state, and a higher probability represents a higher probability that the target traffic is in an abnormal state. Wherein the probability ranges from 0 to 1.
Optionally, a preset probability is set, when the probability of the target flow is greater than the preset probability, the target flow is represented as an abnormal state, and when the probability of the target flow is not greater than the preset probability, the target flow is represented as a normal state. If the accuracy of the detection result is high, a larger preset probability can be set, and if the accuracy of the detection result is not high, a smaller preset probability can be set, so that the method is more flexible.
In another possible implementation manner, the detection state may be represented by a first value or a second value, and when the detection state is the first value, the target flow rate is represented as an abnormal state, and when the detection state is the second value, the target flow rate is represented as a normal state.
In addition, the traffic detection model in the embodiment of the present application may be a two-class model, such as XGBoost, Random Forest (Random Forest), logistic regression, decision tree, LightGBM (gradient boosting framework based on decision tree), catboost (probabilistic boosting), a gradient boosting algorithm, or other two-class models; or may be a convolutional neural network or other neural network.
In addition, since the detection state of the target flow in step 404 is very likely to be an abnormal state, the flow detection model, i.e., the supervised learning algorithm, is adopted, so that the state detection of the target flow can be further performed, and the accuracy of the detection result can be improved. In combination with the implementation manner in step 403, the initial detection is performed in the flow range, so that the recall rate of the whole flow detection is improved, and the accuracy of the whole flow detection is improved by using the flow detection model, so that the recall rate is improved and the accuracy is improved by using the flow detection manner in the embodiment of the present application.
405. The computer device determines whether the detection state is a low flow state or a high flow state in a case where the detection state of the target flow is an abnormal state.
In the embodiment of the application, the abnormal state includes two types, namely a low flow state and a high flow state, and the computer device further detects monotonicity of the target flow and determines whether the target flow is in the low flow state or the high flow state under the condition that the target flow is determined to be in the abnormal state. The low flow rate state is a state in which the target flow rate is suddenly reduced as compared with other flow rates before, and the high flow rate state is a state in which the target flow rate is suddenly increased as compared with other flow rates before.
For example, referring to fig. 7, the flow rates corresponding to the curves 701 and 702 at the time point 300 are both small, but the flow rate corresponding to the curve 701 is gradually reduced from a large flow rate to a small flow rate, the flow rate reduction process is slow, the detection state of the flow rate corresponding to the curve 701 is a normal state, the flow rate corresponding to the curve 702 is suddenly reduced from a large flow rate to a small flow rate, the flow rate reduction process is fast, and the detection state of the flow rate corresponding to the curve 702 is an abnormal state.
In a possible implementation manner, the computer device determines whether the detection state of the target flow is a high flow state or a low flow state according to a flow range corresponding to the target time point, and determines that the detection state is the low flow state when the target flow is smaller than the minimum value of the flow range and the detection state is the abnormal state; alternatively, in the case where the target flow rate is larger than the maximum value of the flow rate range and the detection state is an abnormal state, it is determined that the detection state is a high flow rate state. The flow range may be a flow range obtained by using any algorithm in step 403.
In another possible implementation manner, when the detected state is the abnormal state, the computer device selects a first number of time points from the plurality of historical time points and the target time points, smoothes the flow rates of the first number of time points, and acquires the fourth relationship data according to the flow rates after the smoothing of the first number of time points. The fourth relational data is used for indicating the relation between the flow corresponding to any time point and any time point, and the fourth relational data is used for representing the historical flow of a plurality of historical time points and the change trend of the target flow of the target time point.
And the computer equipment acquires a second number of time points according to the fourth relational data, smoothes the flow of the second number of time points, and acquires fifth relational data according to the flow after the smoothing of the second number of time points. The second number of time points is selected from the fourth relational data, the flow rates of the second number of time points are flow rates corresponding to corresponding time points in the fourth relational data, the first number is larger than the second number, the fifth relational data are used for indicating the relation between any time point and the flow rate corresponding to any time point, and the fifth relational data are used for representing the historical flow rates of a plurality of historical time points and the reference change trend of the target flow rate of the target time point.
The computer equipment queries a fifth flow corresponding to the target time point according to the fourth relational data and queries a sixth flow corresponding to the target time point according to the fifth relational data; determining that the target flow is in a low flow state under the condition that the difference value between the fifth flow and the sixth flow is smaller than a first preset value; or determining that the target flow rate is in a high flow rate state under the condition that the difference value between the fifth flow rate and the sixth flow rate is larger than a second preset value.
Optionally, an exponential moving Weighted average (EWMA) algorithm may be adopted to smooth the traffic of the first number of time points, obtain the fourth relational data according to the traffic after the smoothing processing of the first number of time points, process the second number of time points, and obtain the fifth relational data according to the traffic after the smoothing processing of the second number of time points.
Optionally, the computer device determines whether the detected state of the target flow is a high flow state or a low flow state by using a MACD (Moving Average change/change) histogram. The computer device may further select a third number of time points from the plurality of historical time points and the target time points, smooth the traffic of the third number of time points, and obtain sixth relationship data according to the traffic after the smoothing of the third number of time points, where the sixth relationship data is used to indicate a relationship between any time point and the traffic corresponding to any time point.
The computer device obtains a difference between the flow corresponding to any time point in the fourth relational data and the flow corresponding to the same time point in the sixth relational data, obtains a difference value (diff) corresponding to the flow at each time point, and determines the seventh relational data according to the difference values corresponding to the plurality of historical time points and the target time points. The third number is different from the first number, and the difference between the first number and the third number is larger. And the computer equipment performs subsequent processing according to the seventh relation data.
For example, the first number is 12, the third number is 26, for a plurality of historical time points and target time points, 12 time points are selected from the plurality of historical time points and the target time points, an exponential moving weighted average of the flow rates of the 12 time points is obtained, and fourth relational data, namely EWMA (x, 12), is obtained according to the exponential moving weighted average of the flow rates of the 12 time points; and then selecting 26 time points from the plurality of historical time points and the target time points, taking the exponential moving weighted average of the flow of the 26 time points, and obtaining sixth relational data, namely EWMA (x, 26), according to the exponential moving weighted average of the flow of the 26 time points, wherein x represents the plurality of historical time points and the target time points. Then, the seventh relationship data is DIF ═ EWMA (x, 12) -EWMA (x, 26).
The computer equipment selects 9 time points from the seventh relational data, calculates an exponential moving weighted average of the flow at the 9 time points, and obtains fifth relational data, namely EWMA (DIF, 9), according to the exponential moving weighted average of the flow at the 9 time points, the flow corresponding to each time point in the fifth relational data is a reference value (DEM), and the difference value between the difference value corresponding to each time point and the reference value is MACD (DIF-DEM).
When the difference is smaller than 0, a histogram of the corresponding area is plotted in the negative semi-axis region in the coordinate system shown in fig. 8, when the difference is larger than 0, a histogram of the corresponding area is plotted in the positive semi-axis region, and if the area of the histogram of the negative semi-axis increases rapidly, it is determined that the target flow rate is in the low flow rate state; if the area of the histogram of the positive half axis increases rapidly, it is determined that the target flow rate is in the high flow rate state.
For example, as shown in fig. 8, a diagram 801 is a graph illustrating historical flow rates at a plurality of historical time points and target flow rates at target time points, and a diagram 802 is a graph illustrating historical flow rates at a plurality of historical time points and target flow rates at target time points after smoothing processing is performed on the flow rate at each time point, wherein a solid line represents a reference value, and a dotted line represents a difference value, and as can be seen from the diagram 802, the area of the histogram at the negative half axis at the time point 5 is increased, that is, the detection state of the target flow rate corresponding to the time point 5 can be determined to be a low flow rate state.
The embodiment of the present application is only described by way of example in which the detection state is determined to be the high flow rate state or the low flow rate state, and in another embodiment, the computer device may also detect monotonicity of the target flow rate in other manners. For example, a polynomial fitting method, a linear fitting method, or the like may be employed.
406. The computer device displays the warning information.
In the embodiment of the application, after the computer device determines the detection state of the target flow, if the detection state of the target flow is an abnormal state, the computer device displays the alarm information.
In one possible implementation, the computer device displays the warning information in a case where the detected state of the target flow is a low flow state. That is, if the detection state of the target flow is a high flow state, although the target flow is abnormal, the high flow state has no influence on the normal use of the target device and may not display the warning information, whereas if the detection state of the target flow is a low flow state, the target device may not be normally used and the warning information needs to be displayed.
In one possible implementation, the computer device displays the warning information in a case where the detected state of the target flow rate is an abnormal state and the detected states of the historical flow rates at a plurality of consecutive historical time points before the target time point are abnormal states. That is, if the detected state of the traffic of the target device is an abnormal state for a certain period of time, the warning information is transmitted. If the detection state of the flow at the time points of the continuous preset number is an abnormal state, the computer equipment displays the alarm information, so that unnecessary alarms can be reduced, the alarm quality is improved, and excessive alarm disturbance is avoided.
In one possible implementation manner, the alarm information includes a target flow at a target time point and historical flows at a plurality of historical time points, the target flow and the historical flows are displayed, and the detection state of the target flow is reflected to be an abnormal state more intuitively by comparing the target flow with the historical flows.
In one possible implementation, the computer device displays alert information in response to a received alert query instruction. Wherein, the alarm inquiry command at least carries the equipment identifier. If the alarm information in a certain time period needs to be inquired, the alarm inquiry instruction also carries time information; and if the alarm information of a certain interface of the target equipment needs to be inquired, the alarm inquiry instruction also carries an interface identifier.
In one possible implementation, the computer device is a terminal, the terminal is installed with a flow detection application, alarm information is displayed through the flow detection application, the alarm information includes a target flow at a target time point and historical flows at a plurality of historical time points, and in response to receiving a sample setting instruction for the alarm information, the flow included in the displayed alarm information is set as a sample flow, and the sample setting instruction includes a positive sample setting instruction and a negative sample setting instruction. And the terminal responds to the received positive sample setting instruction, sets the displayed flow as the positive sample flow, and responds to the received negative sample setting instruction, and sets the flow included in the displayed alarm information as the negative sample flow. The positive sample flow refers to a flow in which the detection state of the target flow is actually an abnormal state and the detection state is also an abnormal state, and the negative sample flow refers to a flow in which the detection state of the target flow is actually a normal state and the detection state is an abnormal state.
For example, referring to fig. 9, the flow rates displayed on the display interface are all in abnormal states, a positive sample setting button and a negative sample setting button are arranged below each flow rate, and by performing a trigger operation on the negative sample setting button below the curve 901, the flow rate corresponding to the curve 901 is set as a negative sample, and by performing a trigger operation on the positive sample setting button below the curve 902, the flow rate corresponding to the curve 902 is set as a positive sample. In addition, the display interface also comprises an equipment option, an interface option, a time option and a search button, after the equipment type, the interface option and the time option are set, the search button is triggered to query the alarm information corresponding to the set equipment type, the interface option and the time option.
Optionally, the state detection of the target traffic, the display of the warning information, and the labeling of the warning information may be performed by the same application program or by different application programs.
In one possible implementation, the computer device may send the warning information to other devices in addition to displaying the warning information, and the other devices display the warning information. Wherein, the sending can be carried out by adopting the modes of mails, short messages and the like.
Optionally, in a fault detection scenario, the computer device stores other devices associated with the target device, the computer device sends the alarm information to the other devices, and a technician can check the alarm information sent by the computer device through the other devices, check and maintain the target device in time, and remove a fault of the target device.
For example, referring to the display interface diagram 1001 of the alarm information shown in fig. 10, the computer device sends the alarm information to other devices in a mail manner, where the alarm information includes a target device identifier, an interface identifier, a traffic type, a time point, and a diagram of a target traffic and a historical traffic.
The method provided by the embodiment of the application comprises the steps of obtaining historical flow of a plurality of historical time points and target flow of a target time point behind the plurality of historical time points, carrying out fitting processing according to the historical flow of the plurality of historical time points and the target flow of the target time point, obtaining first relation data, determining a flow range corresponding to the target time point according to the first relation data, and carrying out state detection on the target flow to obtain a detection state of the target flow under the condition that the target flow does not belong to the flow range. The flow detection method provided by the embodiment of the application does not depend on flow prediction, but determines the flow range according to the flows of a plurality of historical time points and the target time point, improves the accuracy of the flow range, realizes primary detection on the target flow by determining whether the target flow belongs to the flow range, and improves the accuracy of detection. And only the target flow which does not belong to the flow range is subjected to state detection subsequently, so that the detection accuracy and the detection efficiency are further improved.
And in a fault detection scene, after a detection result is obtained, alarm information is displayed, and technicians are reminded to maintain the target equipment in time.
In addition, when only the unsupervised learning algorithm is used, the detection accuracy is low, and when only the supervised learning algorithm is used, each target flow needs to be detected, so that the detection efficiency is low. The method combines the unsupervised learning algorithm and the supervised learning algorithm together, avoids using only one algorithm for flow detection, can filter part of target flow by adopting the unsupervised learning algorithm, reduces the target flow to be detected by the supervised learning algorithm, improves the detection accuracy and improves the detection efficiency.
Fig. 11 is a flowchart of a traffic detection method according to an embodiment of the present application. Referring to fig. 11, an execution subject of the embodiment of the present application is a computer device, and the method includes:
1101. the computer device obtains historical traffic for a plurality of historical time points and target traffic for a target time point located after the plurality of historical time points.
1102. And the computer equipment performs fitting processing according to the historical flow of the plurality of historical time points and the target flow of the target time point to obtain first relation data.
1103. And the computer equipment determines the flow range corresponding to the target time point according to the first relation data.
1104. And the computer equipment carries out state detection on the target flow under the condition that the target flow does not belong to the flow range, so as to obtain the detection state of the target flow.
1105. The computer device determines whether the detection state is a low flow state or a high flow state in a case where the detection state of the target flow is an abnormal state.
1106. The computer device displays the warning information.
1107. The computer equipment responds to the received sample setting instruction of the alarm information, sets the target flow included in the displayed alarm information as a sample target flow, sets the historical flow as a sample historical flow and sets the detection state of the target flow as a sample detection state.
1108. And training a flow detection model by the computer equipment according to the sample target flow, the sample historical flow and the sample detection result. After the computer device trains the flow detection model, the target flow can be detected by using the flow detection model obtained by training.
The implementation of the embodiment shown in fig. 11 is similar to the implementation of the embodiment shown in fig. 1 or fig. 4, and is not repeated herein.
Fig. 12 is a schematic structural diagram of a flow rate detection device according to an embodiment of the present application. Referring to fig. 12, the apparatus includes:
a traffic obtaining module 1201, configured to obtain historical traffic of a plurality of historical time points and target traffic of a target time point located after the plurality of historical time points;
a first relation obtaining module 1202, configured to perform fitting processing according to historical traffic of a plurality of historical time points and target traffic of a target time point, and obtain first relation data, where the first relation data is used to indicate a relation between any time point and traffic of any time point;
a flow range determining module 1203, configured to determine, according to the first relationship data, a flow range corresponding to the target time point;
and a flow detection module 1204, configured to perform state detection on the target flow to obtain a detection state of the target flow when the target flow does not belong to the flow range.
The device provided by the embodiment of the application obtains historical flow of a plurality of historical time points and target flow of a target time point behind the plurality of historical time points, performs fitting processing according to the historical flow of the plurality of historical time points and the target flow of the target time point to obtain first relation data, determines a flow range corresponding to the target time point according to the first relation data, and performs state detection on the target flow to obtain a detection state of the target flow under the condition that the target flow does not belong to the flow range. The device does not rely on predicted flow, but determines the flow range according to the flow of a plurality of historical time points and target time points, improves the accuracy of the flow range, realizes primary detection of the target flow by determining whether the target flow belongs to the flow range, and improves the accuracy of the detection. And only the target flow which does not belong to the flow range is subjected to state detection subsequently, so that the detection accuracy and the detection efficiency are further improved.
In one possible implementation, referring to fig. 13, the traffic range determination module 1203 includes:
a reference flow acquiring unit 12031, configured to query, according to the first relationship data, a flow corresponding to the target time point, as a reference flow;
a reference flow adjusting unit 12032, configured to adjust a reference flow to obtain a first flow greater than the reference flow and a second flow smaller than the reference flow;
the first range determining unit 12033 is configured to obtain the flow rate range by using the first flow rate as a maximum value of the flow rate range and using the second flow rate as a minimum value of the flow rate range.
In another possible implementation manner, referring to fig. 13, the flow range determining module 1203 further includes:
a second relation obtaining unit 12034, configured to obtain second relation data according to the first relation data, where a flow rate corresponding to any time point in the second relation data is greater than a flow rate corresponding to the same time point in the first relation data;
a third relation obtaining unit 12035, configured to obtain third relation data according to the first relation data, where a flow rate corresponding to any time point in the third relation data is smaller than a flow rate corresponding to the same time point in the first relation data;
a flow rate query unit 12036, configured to query a third flow rate corresponding to the target time point according to the second relationship data, and query a fourth flow rate corresponding to the target time point according to the third relationship data;
the second range determining unit 12037 is configured to obtain the flow range by taking the third flow as the maximum value of the flow range and the fourth flow as the minimum value of the flow range.
In another possible implementation manner, the traffic detection module 1204 is further configured to:
and calling a flow detection model under the condition that the target flow does not belong to the flow range, and carrying out state detection on the target flow to obtain the detection state of the target flow.
In another possible implementation, referring to fig. 13, the apparatus further includes:
a sample flow obtaining module 1205, configured to obtain sample flows at a plurality of first sample time points and a sample flow at a second sample time point, where the second sample time point is located after the plurality of first sample time points;
a sample state obtaining module 1206, configured to obtain a sample detection state of the sample flow at the second sample time point;
the model training module 1207 is configured to train a flow detection model according to the sample flows at the multiple first sample time points, the sample flows at the second sample time points, and the sample detection states.
In another possible implementation, referring to fig. 13, the apparatus further includes:
the sample flow obtaining module 1205 is further configured to obtain sample historical flows at a plurality of sample historical time points and sample target flows at sample target time points, where the sample target time points are located after the plurality of sample historical time points;
the sample state obtaining module 1206 is further configured to obtain a sample detection state of the sample target flow at the sample target time point;
the model training module 1207 is further configured to continue training the flow detection model according to the sample historical flow at the multiple sample historical time points, the sample target flow at the sample target time point, and the sample detection state.
In another possible implementation, referring to fig. 13, the apparatus further includes:
a normal state determining module 1208, configured to determine that the detection state of the target flow is a normal state when the target flow belongs to the flow range.
In another possible implementation, referring to fig. 13, the apparatus further includes:
a first state determining module 1209, configured to determine that the detection state is a low flow state when the target flow is smaller than the minimum value of the flow range and the detection state is an abnormal state; alternatively, the first and second electrodes may be,
the second state determination module 1210 is configured to determine that the detection state is the high flow rate state if the target flow rate is greater than the maximum value of the flow rate range and the detection state is the abnormal state.
In another possible implementation, referring to fig. 13, the apparatus further includes:
a fourth relation obtaining module 1211, configured to, when the detected state is the abnormal state, select a first number of time points from the multiple historical time points and the target time point, smooth traffic of the first number of time points, and obtain fourth relation data according to the traffic after the smoothing of the first number of time points, where the fourth relation data is used to indicate a relation between any time point and traffic corresponding to any time point;
a fifth relationship obtaining module 1212, configured to obtain a second number of time points according to the fourth relationship data, perform smoothing on the traffic of the second number of time points, and obtain fifth relationship data according to the traffic after the smoothing of the second number of time points, where the fifth relationship data is used to indicate a relationship between any time point and the traffic corresponding to any time point;
a traffic query module 1213, configured to query a fifth traffic corresponding to the target time point according to the fourth relational data, and query a sixth traffic corresponding to the target time point according to the fifth relational data;
the first state determining module 1209 is further configured to determine that the target flow rate is in a low flow rate state when a difference between the fifth flow rate and the sixth flow rate is smaller than a first preset value; alternatively, the first and second electrodes may be,
the second state determining module 1210 is further configured to determine that the target flow rate is in a high flow rate state when a difference between the fifth flow rate and the sixth flow rate is greater than a second preset value.
In another possible implementation, referring to fig. 13, the apparatus further includes:
and an alarm display module 1214, configured to display alarm information when the detected state of the target flow rate is an abnormal state and the detected states of the historical flow rates at a plurality of consecutive historical time points before the target time point are abnormal states.
Fig. 14 shows a schematic structural diagram of a terminal 1400 according to an exemplary embodiment of the present application. The terminal 1400 of the embodiment of the present application is configured to perform the operations performed by the terminal in the image detection method.
In general, terminal 1400 includes: a processor 1401, and a memory 1402.
In some embodiments, terminal 1400 may further optionally include: a peripheral device interface 1403 and at least one peripheral device. The processor 1401, the memory 1402, and the peripheral device interface 1403 may be connected by buses or signal lines. Each peripheral device may be connected to the peripheral device interface 1403 via a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1404, a touch display 1405, a camera 1406, audio circuitry 1407, a positioning component 1408, and a power supply 1409.
The peripheral device interface 1403 can be used to connect at least one peripheral device related to I/O (Input/Output) to the processor 1401 and the memory 1402. In some embodiments, the processor 1401, memory 1402, and peripheral interface 1403 are integrated on the same chip or circuit board; in some other embodiments, any one or both of the processor 1401, the memory 1402, and the peripheral device interface 1403 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.
The Radio Frequency circuit 1404 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuitry 1404 communicates with communication networks and other communication devices via electromagnetic signals. The rf circuit 1404 converts an electrical signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 1404 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 1404 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generation mobile communication networks (2G, 3G, 4G, and 5G), Wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 1404 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.
The display screen 1405 is used to display a UI (user interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 1405 is a touch display screen, the display screen 1405 also has the ability to capture touch signals at or above the surface of the display screen 1405. The touch signal may be input to the processor 1401 for processing as a control signal. At this point, the display 1405 may also be used to provide virtual buttons and/or virtual keyboards, also referred to as soft buttons and/or soft keyboards. In some embodiments, the display 1405 may be one, providing the front panel of the terminal 1400; in other embodiments, display 1405 may be at least two, respectively disposed on different surfaces of terminal 1400 or in a folded design; in still other embodiments, display 1405 may be a flexible display disposed on a curved surface or on a folded surface of terminal 1400. Even further, the display 1405 may be arranged in a non-rectangular irregular figure, i.e., a shaped screen. The Display 1405 can be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), and the like.
The camera assembly 1406 is used to capture images or video. Optionally, camera assembly 1406 includes a front camera and a rear camera. Typically, the front camera is disposed at the front panel of the terminal 1400, and the rear camera is disposed at the rear of the terminal 1400. In some embodiments, the number of the rear cameras is at least two, and each rear camera is any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize panoramic shooting and VR (Virtual Reality) shooting functions or other fusion shooting functions. In some embodiments, camera assembly 1406 may also include a flash. The flash lamp can be a monochrome temperature flash lamp or a bicolor temperature flash lamp. The double-color-temperature flash lamp is a combination of a warm-light flash lamp and a cold-light flash lamp, and can be used for light compensation at different color temperatures.
The audio circuit 1407 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 1401 for processing or inputting the electric signals to the radio frequency circuit 1404 to realize voice communication. For stereo capture or noise reduction purposes, multiple microphones may be provided, each at a different location of terminal 1400. The microphone may also be an array microphone or an omni-directional pick-up microphone. The speaker is then used to convert electrical signals from the processor 1401 or the radio frequency circuit 1404 into sound waves. The loudspeaker can be a traditional film loudspeaker or a piezoelectric ceramic loudspeaker. When the speaker is a piezoelectric ceramic speaker, the speaker can be used for purposes such as converting an electric signal into a sound wave audible to a human being, or converting an electric signal into a sound wave inaudible to a human being to measure a distance. In some embodiments, the audio circuit 1407 may also include a headphone jack.
The positioning component 1408 serves to locate the current geographic position of the terminal 1400 for navigation or LBS (location based Service). The positioning component 1408 may be a positioning component based on the GPS (global positioning System) of the united states, the beidou System of china, the graves System of russia, or the galileo System of the european union.
In some embodiments, terminal 1400 also includes one or more sensors 1410. The one or more sensors 1410 include, but are not limited to: acceleration sensor 1411, gyroscope sensor 1412, pressure sensor 1413, fingerprint sensor 1414, optical sensor 1415, and proximity sensor 1416.
The acceleration sensor 1411 may detect the magnitude of acceleration on three coordinate axes of a coordinate system established with the terminal 1400. For example, the acceleration sensor 1411 may be used to detect components of the gravitational acceleration in three coordinate axes. The processor 1401 can control the touch display 1405 to display a user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 1411. The acceleration sensor 1411 may also be used for acquisition of motion data of an application or a user.
The gyro sensor 1412 may detect a body direction and a rotation angle of the terminal 1400, and the gyro sensor 1412 and the acceleration sensor 1411 may cooperate to collect a 3D motion of the user on the terminal 1400. The processor 1401 can realize the following functions according to the data collected by the gyro sensor 1412: motion sensing (such as changing the UI according to a tilt operation of the user), image stabilization at the time of photographing, application control, and inertial navigation.
Pressure sensors 1413 may be disposed on the side bezel of terminal 1400 and/or underlying touch display 1405. When the pressure sensor 1413 is disposed on the side frame of the terminal 1400, the user's holding signal of the terminal 1400 can be detected, and the processor 1401 performs left-right hand recognition or shortcut operation according to the holding signal collected by the pressure sensor 1413. When the pressure sensor 1413 is disposed at the lower layer of the touch display 1405, the processor 1401 controls the operability control on the UI interface according to the pressure operation of the user on the touch display 1405. The operability control comprises at least one of a button control, a scroll bar control, an icon control and a menu control.
The fingerprint sensor 1414 is used for collecting a fingerprint of a user, and the processor 1401 identifies the user according to the fingerprint collected by the fingerprint sensor 1414, or the fingerprint sensor 1414 identifies the user according to the collected fingerprint. Upon recognizing that the user's identity is a trusted identity, processor 1401 authorizes the user to have relevant sensitive operations including unlocking the screen, viewing encrypted information, downloading software, paying for and changing settings, etc. Fingerprint sensor 1414 may be disposed on the front, back, or side of terminal 1400. When a physical button or vendor Logo is provided on the terminal 1400, the fingerprint sensor 1414 may be integrated with the physical button or vendor Logo.
The optical sensor 1415 is used to collect ambient light intensity. In one embodiment, processor 1401 can control the display brightness of touch display 1405 based on the ambient light intensity collected by optical sensor 1415. Specifically, when the ambient light intensity is high, the display luminance of the touch display 1405 is increased; when the ambient light intensity is low, the display brightness of the touch display 1405 is turned down. In another embodiment, the processor 1401 can also dynamically adjust the shooting parameters of the camera assembly 1406 according to the intensity of the ambient light collected by the optical sensor 1415.
Proximity sensor 1416, also known as a distance sensor, is typically disposed on the front panel of terminal 1400. The proximity sensor 1416 is used to collect the distance between the user and the front surface of the terminal 1400. In one embodiment, when proximity sensor 1416 detects that the distance between the user and the front face of terminal 1400 is gradually decreased, processor 1401 controls touch display 1405 to switch from a bright screen state to a dark screen state; when proximity sensor 1416 detects that the distance between the user and the front face of terminal 1400 is gradually increasing, processor 1401 controls touch display 1405 to switch from a breath-screen state to a bright-screen state.
Those skilled in the art will appreciate that the configuration shown in fig. 14 is not intended to be limiting with respect to terminal 1400 and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components may be employed.
Fig. 15 is a schematic structural diagram of a server 1500 according to an embodiment of the present application, where the server 1500 may generate a relatively large difference due to different configurations or performances, and may include one or more processors (CPUs) 1501 and one or more memories 1502, where the memory 1502 stores at least one instruction, and the at least one instruction is loaded and executed by the processor 1501 to implement the methods provided by the foregoing method embodiments. Of course, the server may also have components such as a wired or wireless network interface, a keyboard, and an input/output interface, so as to perform input/output, and the server may also include other components for implementing the functions of the device, which are not described herein again.
The server 1500 may be used to perform the steps performed by the server in the traffic detection method described above.
The embodiment of the present application further provides a computer device, where the computer device includes a processor and a memory, where the memory stores at least one instruction, and the at least one instruction is loaded and executed by the processor, so as to implement the operations executed in the flow detection method of the foregoing embodiment.
The embodiment of the present application further provides a computer-readable storage medium, where at least one instruction is stored in the computer-readable storage medium, and the at least one instruction is loaded and executed by a processor to implement the operations performed in the traffic detection method in the foregoing embodiment.
The embodiment of the present application further provides a computer program, where at least one instruction is stored in the computer program, and the at least one instruction is loaded and executed by the processor, so as to implement the operations executed in the flow detection method in the foregoing embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only an alternative embodiment of the present application and is not intended to limit the present application, and any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (10)
1. A method of traffic detection, the method comprising:
acquiring historical flow of a plurality of historical time points and target flow of target time points behind the historical time points;
fitting according to the historical flow of the plurality of historical time points and the target flow of the target time point to obtain first relation data, wherein the first relation data is used for indicating the relation between any time point and the flow of any time point;
determining a flow range corresponding to the target time point according to the first relation data;
and under the condition that the target flow does not belong to the flow range, carrying out state detection on the target flow to obtain the detection state of the target flow.
2. The method according to claim 1, wherein the determining the flow range corresponding to the target time point according to the first relationship data comprises:
inquiring the flow corresponding to the target time point according to the first relation data to be used as a reference flow;
adjusting the reference flow to obtain a first flow larger than the reference flow and a second flow smaller than the reference flow;
and taking the first flow as the maximum value of the flow range and the second flow as the minimum value of the flow range to obtain the flow range.
3. The method according to claim 1, wherein the determining the flow range corresponding to the target time point according to the first relationship data comprises:
acquiring second relation data according to the first relation data, wherein the flow corresponding to any time point in the second relation data is larger than the flow corresponding to the same time point in the first relation data;
acquiring third relation data according to the first relation data, wherein the flow corresponding to any time point in the third relation data is smaller than the flow corresponding to the same time point in the first relation data;
inquiring a third flow corresponding to the target time point according to the second relation data, and inquiring a fourth flow corresponding to the target time point according to the third relation data;
and taking the third flow as the maximum value of the flow range and taking the fourth flow as the minimum value of the flow range to obtain the flow range.
4. The method according to claim 1, wherein the performing state detection on the target traffic to obtain the detection state of the target traffic when the target traffic does not belong to the traffic range comprises:
and calling a flow detection model under the condition that the target flow does not belong to the flow range, and carrying out state detection on the target flow to obtain the detection state of the target flow.
5. The method according to claim 4, wherein when the target traffic does not belong to the traffic range, a traffic detection model is called, and after the target traffic is subjected to state detection to obtain a detection state of the target traffic, the method further comprises:
acquiring sample historical flow of a plurality of sample historical time points and sample target flow of a sample target time point, wherein the sample target time point is positioned behind the plurality of sample historical time points;
acquiring a sample detection state of the sample target flow at the sample target time point;
and continuously training the flow detection model according to the sample historical flow of the plurality of sample historical time points, the sample target flow of the sample target time point and the sample detection state.
6. The method according to claim 1, wherein after the status detection of the target traffic is performed when the target traffic does not belong to the traffic range, and the detection status of the target traffic is obtained, the method further comprises:
under the condition that the detection state is an abnormal state, selecting a first number of time points from the plurality of historical time points and the target time point, smoothing the flow of the first number of time points, and acquiring fourth relation data according to the flow after smoothing processing of the first number of time points, wherein the fourth relation data is used for indicating the relation between any time point and the flow corresponding to any time point;
acquiring a second number of time points according to the fourth relational data, smoothing the flow of the second number of time points, and acquiring fifth relational data according to the flow after smoothing of the second number of time points, wherein the fifth relational data is used for indicating the relationship between any time point and the flow corresponding to any time point;
inquiring a fifth flow corresponding to the target time point according to the fourth relational data, and inquiring a sixth flow corresponding to the target time point according to the fifth relational data;
determining that the target flow is in a low flow state when the difference between the fifth flow and the sixth flow is smaller than a first preset value; alternatively, the first and second electrodes may be,
and under the condition that the difference value between the fifth flow and the sixth flow is larger than a second preset value, determining that the target flow is in a high-flow state.
7. The method according to claim 1, wherein after the status detection of the target traffic is performed when the target traffic does not belong to the traffic range, and the detection status of the target traffic is obtained, the method further comprises:
and displaying alarm information when the detection state of the target flow is an abnormal state and the detection states of the historical flows at a plurality of continuous historical time points before the target time point are abnormal states.
8. A flow sensing device, the device comprising:
the flow acquisition module is used for acquiring historical flow of a plurality of historical time points and target flow of target time points behind the historical time points;
a first relation obtaining module, configured to perform fitting processing according to historical flow rates of the multiple historical time points and a target flow rate of the target time point to obtain first relation data, where the first relation data is used to indicate a relation between any time point and the flow rate of the any time point;
the flow range determining module is used for determining the flow range corresponding to the target time point according to the first relation data;
and the flow detection module is used for carrying out state detection on the target flow under the condition that the target flow does not belong to the flow range to obtain the detection state of the target flow.
9. A computer device comprising a processor and a memory, the memory having stored therein at least one instruction, the at least one instruction being loaded and executed by the processor to perform operations performed in the flow detection method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored therein at least one instruction, which is loaded and executed by a processor, to perform operations performed in the flow detection method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010367557.4A CN111614634B (en) | 2020-04-30 | 2020-04-30 | Flow detection method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010367557.4A CN111614634B (en) | 2020-04-30 | 2020-04-30 | Flow detection method, device, equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111614634A true CN111614634A (en) | 2020-09-01 |
| CN111614634B CN111614634B (en) | 2024-01-23 |
Family
ID=72198071
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010367557.4A Active CN111614634B (en) | 2020-04-30 | 2020-04-30 | Flow detection method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111614634B (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112583635A (en) * | 2020-11-24 | 2021-03-30 | 视联动力信息技术股份有限公司 | Method and device for detecting network state of video network, terminal equipment and storage medium |
| CN112994978A (en) * | 2021-02-25 | 2021-06-18 | 网宿科技股份有限公司 | Network traffic monitoring method and device |
| CN113949678A (en) * | 2021-09-15 | 2022-01-18 | 北京三快在线科技有限公司 | Flow control method and device, electronic equipment and computer readable storage medium |
| WO2022053070A1 (en) * | 2020-09-10 | 2022-03-17 | 中兴通讯股份有限公司 | Traffic mode determination method, electronic device, and storage medium |
| CN114449569A (en) * | 2020-11-02 | 2022-05-06 | 中国移动通信集团广东有限公司 | User traffic usage processing method, network device and service processing system |
| CN114785588A (en) * | 2022-04-20 | 2022-07-22 | 中国工商银行股份有限公司 | Flow detection method and device |
| CN115037528A (en) * | 2022-05-24 | 2022-09-09 | 天翼云科技有限公司 | Abnormal flow detection method and device |
| CN117692350A (en) * | 2024-02-04 | 2024-03-12 | 中国人民解放军军事科学院系统工程研究院 | Fingerprint-based flow prediction method and system |
| CN117692350B (en) * | 2024-02-04 | 2024-04-30 | 中国人民解放军军事科学院系统工程研究院 | Fingerprint-based flow prediction method and system |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8682812B1 (en) * | 2010-12-23 | 2014-03-25 | Narus, Inc. | Machine learning based botnet detection using real-time extracted traffic features |
| CN107483455A (en) * | 2017-08-25 | 2017-12-15 | 国家计算机网络与信息安全管理中心 | A kind of network node abnormality detection method and system based on stream |
| WO2018090544A1 (en) * | 2016-11-15 | 2018-05-24 | 平安科技(深圳)有限公司 | Method and device for detecting dos/ddos attack, server, and storage medium |
| CN108255681A (en) * | 2018-02-09 | 2018-07-06 | 腾讯科技(北京)有限公司 | Task alarm method and device |
| CN108880931A (en) * | 2018-05-29 | 2018-11-23 | 北京百度网讯科技有限公司 | Method and apparatus for output information |
| CN109032829A (en) * | 2018-07-23 | 2018-12-18 | 腾讯科技(深圳)有限公司 | Data exception detection method, device, computer equipment and storage medium |
| EP3502889A1 (en) * | 2017-12-21 | 2019-06-26 | Guangdong Oppo Mobile Telecommunications Corp., Ltd | Method and device for preloading application, storage medium, and terminal device |
| CN110086649A (en) * | 2019-03-19 | 2019-08-02 | 深圳壹账通智能科技有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
| CN110377447A (en) * | 2019-07-17 | 2019-10-25 | 腾讯科技(深圳)有限公司 | A kind of abnormal deviation data examination method, device and server |
| CN110784458A (en) * | 2019-10-21 | 2020-02-11 | 新华三信息安全技术有限公司 | Flow abnormity detection method and device and network equipment |
-
2020
- 2020-04-30 CN CN202010367557.4A patent/CN111614634B/en active Active
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8682812B1 (en) * | 2010-12-23 | 2014-03-25 | Narus, Inc. | Machine learning based botnet detection using real-time extracted traffic features |
| WO2018090544A1 (en) * | 2016-11-15 | 2018-05-24 | 平安科技(深圳)有限公司 | Method and device for detecting dos/ddos attack, server, and storage medium |
| CN107483455A (en) * | 2017-08-25 | 2017-12-15 | 国家计算机网络与信息安全管理中心 | A kind of network node abnormality detection method and system based on stream |
| EP3502889A1 (en) * | 2017-12-21 | 2019-06-26 | Guangdong Oppo Mobile Telecommunications Corp., Ltd | Method and device for preloading application, storage medium, and terminal device |
| CN108255681A (en) * | 2018-02-09 | 2018-07-06 | 腾讯科技(北京)有限公司 | Task alarm method and device |
| CN108880931A (en) * | 2018-05-29 | 2018-11-23 | 北京百度网讯科技有限公司 | Method and apparatus for output information |
| US20190370163A1 (en) * | 2018-05-29 | 2019-12-05 | Beijing Baidu Netcom Science And Technology Co., L | Method and apparatus for outputting information |
| CN109032829A (en) * | 2018-07-23 | 2018-12-18 | 腾讯科技(深圳)有限公司 | Data exception detection method, device, computer equipment and storage medium |
| CN110086649A (en) * | 2019-03-19 | 2019-08-02 | 深圳壹账通智能科技有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
| CN110377447A (en) * | 2019-07-17 | 2019-10-25 | 腾讯科技(深圳)有限公司 | A kind of abnormal deviation data examination method, device and server |
| CN110784458A (en) * | 2019-10-21 | 2020-02-11 | 新华三信息安全技术有限公司 | Flow abnormity detection method and device and network equipment |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2022053070A1 (en) * | 2020-09-10 | 2022-03-17 | 中兴通讯股份有限公司 | Traffic mode determination method, electronic device, and storage medium |
| CN114449569A (en) * | 2020-11-02 | 2022-05-06 | 中国移动通信集团广东有限公司 | User traffic usage processing method, network device and service processing system |
| CN114449569B (en) * | 2020-11-02 | 2024-01-16 | 中国移动通信集团广东有限公司 | User traffic usage processing method, network equipment and service processing system |
| CN112583635A (en) * | 2020-11-24 | 2021-03-30 | 视联动力信息技术股份有限公司 | Method and device for detecting network state of video network, terminal equipment and storage medium |
| CN112994978A (en) * | 2021-02-25 | 2021-06-18 | 网宿科技股份有限公司 | Network traffic monitoring method and device |
| CN113949678A (en) * | 2021-09-15 | 2022-01-18 | 北京三快在线科技有限公司 | Flow control method and device, electronic equipment and computer readable storage medium |
| CN113949678B (en) * | 2021-09-15 | 2023-09-01 | 北京三快在线科技有限公司 | Flow control method, flow control device, electronic equipment and computer readable storage medium |
| CN114785588A (en) * | 2022-04-20 | 2022-07-22 | 中国工商银行股份有限公司 | Flow detection method and device |
| CN115037528A (en) * | 2022-05-24 | 2022-09-09 | 天翼云科技有限公司 | Abnormal flow detection method and device |
| CN115037528B (en) * | 2022-05-24 | 2023-11-03 | 天翼云科技有限公司 | Abnormal flow detection method and device |
| CN117692350A (en) * | 2024-02-04 | 2024-03-12 | 中国人民解放军军事科学院系统工程研究院 | Fingerprint-based flow prediction method and system |
| CN117692350B (en) * | 2024-02-04 | 2024-04-30 | 中国人民解放军军事科学院系统工程研究院 | Fingerprint-based flow prediction method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111614634B (en) | 2024-01-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111614634B (en) | Flow detection method, device, equipment and storage medium | |
| CN108306771B (en) | Log reporting method, device and system | |
| CN108924737B (en) | Positioning method, device, equipment and computer readable storage medium | |
| CN111262887B (en) | Network risk detection method, device, equipment and medium based on object characteristics | |
| CN110839128B (en) | Photographing behavior detection method and device and storage medium | |
| CN111104980B (en) | Method, device, equipment and storage medium for determining classification result | |
| CN111818050B (en) | Target access behavior detection method, system, device, equipment and storage medium | |
| CN111738365B (en) | Image classification model training method and device, computer equipment and storage medium | |
| CN112163406A (en) | Interactive message display method and device, computer equipment and storage medium | |
| CN110890969B (en) | Method and device for mass-sending message, electronic equipment and storage medium | |
| CN112714294B (en) | Alarm preview method, device and computer readable storage medium | |
| CN110768843B (en) | Network problem analysis method, device, terminal and storage medium | |
| CN113570510A (en) | Image processing method, device, equipment and storage medium | |
| CN114143280B (en) | Session display method and device, electronic equipment and storage medium | |
| CN112329909B (en) | Method, apparatus and storage medium for generating neural network model | |
| CN114093360A (en) | Calling method, calling device, electronic equipment and storage medium | |
| CN112231666A (en) | Illegal account processing method, device, terminal, server and storage medium | |
| CN111259252A (en) | User identification recognition method and device, computer equipment and storage medium | |
| CN112990424A (en) | Method and device for training neural network model | |
| CN111897709A (en) | Method, device, electronic equipment and medium for monitoring user | |
| CN115296978B (en) | Root cause positioning method, root cause positioning device and root cause positioning equipment | |
| CN112308104A (en) | Abnormity identification method and device and computer storage medium | |
| CN112764824A (en) | Method, device, equipment and storage medium for triggering identity authentication in application program | |
| CN111860030A (en) | Behavior detection method, behavior detection device, behavior detection equipment and storage medium | |
| CN112579661B (en) | Method and device for determining specific target pair, computer equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |