CN111756706A - Abnormal flow detection method and device and storage medium - Google Patents

Info

Publication number
CN111756706A
Authority
CN (China)
Prior art keywords
sub
detected
target
flow
abnormal
Legal status
Pending
Application number
CN202010504612.XA
Other languages
Chinese (zh)
Inventors
董善东
张戎
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010504612.XA
Publication of CN111756706A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an abnormal traffic detection method, an abnormal traffic detection device and a storage medium. The method includes: acquiring Internet Protocol (IP) information and identification information of each child object to be detected; acquiring, based on the IP information and identification information of each child object to be detected, target traffic data of that child object in a target time period and historical traffic data of that child object in a historical time period; performing traffic detection analysis on the target traffic data and historical traffic data of each child object to be detected to obtain an abnormal traffic analysis result for that child object in the target time period; and determining, from the child objects to be detected, a target child object with abnormal traffic based on the abnormal traffic analysis results for the target time period. The invention can monitor abnormal traffic at low cost and quickly locate the abnormal machine whose traffic is abnormal.

Description

Abnormal flow detection method and device and storage medium
Technical Field
The invention belongs to the technical field of abnormal traffic detection, and in particular relates to an abnormal traffic detection method, an abnormal traffic detection device and a storage medium.
Background
A sudden surge of abnormal network traffic is a common phenomenon in enterprise IT departments. It may be caused by a sudden increase in the number of visitors, or by an abnormal network event (such as a Denial of Service (DoS) attack, a worm, etc.). Such traffic bursts cause great harm to the service system and to the whole network. Therefore, quickly locating the abnormal machine is of great significance for network traffic management and monitoring.
A conventional network management and traffic monitoring system can monitor the traffic trend of each host Internet Protocol (IP) machine. Operation and maintenance personnel then configure rules based on their experience and operational policy in order to discover abnormal traffic trends. However, as the business keeps expanding, the number of sub-machines under each main machine grows rapidly, and maintaining rule thresholds by hand becomes more and more complex. The prior art also treats network traffic as having a certain periodicity: abnormal traffic breaks that regularity and causes abnormal fluctuation, so network anomalies are detected with a NetFlow-based time-series sliding window. For many service systems, however, the period is a very long time range, and a traffic anomaly cannot be detected quickly within one period. In addition, the prior art mines and extracts basic feature data of the network traffic to build a traffic model for detection, but for a service system with a large volume of IP traffic the cost of constructing features is high and the real-time performance is low, so real-time, rapid detection of abnormal traffic cannot be achieved.
Disclosure of Invention
The invention provides an abnormal traffic detection method, an abnormal traffic detection device and a storage medium, which aim to quickly locate a machine with abnormal traffic at low cost.
In one aspect, the present invention provides an abnormal traffic detection method, including:
acquiring Internet Protocol (IP) information and identification information of each child object to be detected;
acquiring, based on the IP information and identification information of each child object to be detected, target traffic data of that child object in a target time period and historical traffic data of that child object in a historical time period;
performing traffic detection analysis on the target traffic data and historical traffic data of each child object to be detected to obtain an abnormal traffic analysis result for that child object in the target time period; and
determining, from the child objects to be detected, a target child object with abnormal traffic based on the abnormal traffic analysis results of the child objects in the target time period.
In another aspect, the present invention provides an abnormal traffic detection device, including:
an information acquisition module, configured to acquire the IP information and identification information of each child object to be detected;
a traffic data acquisition module, configured to acquire, based on the IP information and identification information of each child object to be detected, target traffic data of that child object in a target time period and historical traffic data of that child object in a historical time period;
a traffic detection and analysis module, configured to perform traffic detection analysis on the target traffic data and historical traffic data of each child object to be detected to obtain an abnormal traffic analysis result for that child object in the target time period; and
a target child object determining module, configured to determine, from all the child objects to be detected, a target child object with abnormal traffic based on the abnormal traffic analysis results of all the child objects to be detected in the target time period.
In another aspect, the present invention provides an electronic device, which includes a processor and a memory, where at least one instruction or at least one program is stored in the memory, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the abnormal traffic detection method as described above.
In another aspect, the present invention provides a computer-readable storage medium, in which at least one instruction or at least one program is stored, and the at least one instruction or the at least one program is loaded and executed by a processor to implement the abnormal traffic detection method as described above.
The embodiment of the invention provides an abnormal traffic detection method, an abnormal traffic detection device and a storage medium. Traffic time-series data of each child object to be detected (comprising target traffic data in a target time period and historical traffic data in a historical time period) is obtained through the IP information and identification information of that child object; the target traffic data and historical traffic data are then detected and analyzed to obtain an abnormal traffic analysis result for each child object in the target time period; and finally the target child object with abnormal traffic is located according to the abnormal traffic analysis results. In determining the target child object with abnormal traffic, the embodiment of the invention needs no manual search for the cause of the anomaly and no feature labeling or feature extraction on the network traffic data, so it has lower labor cost and better timeliness, and can quickly locate the machine with abnormal traffic at low cost.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained from them by those skilled in the art without creative effort.
Fig. 1 is an architecture diagram of an abnormal traffic detection system according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of an implementation environment of an abnormal traffic detection method according to an embodiment of the present invention.
Fig. 3 is a schematic flow chart of an abnormal traffic detection method according to an embodiment of the present invention.
Fig. 4 is a schematic flowchart of another abnormal traffic detection method according to an embodiment of the present invention.
Fig. 5 is a schematic flow chart of another abnormal traffic detection method according to an embodiment of the present invention.
Fig. 6 is a schematic diagram of an information input interface according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of a fluctuation value sequence corresponding to a target parent object according to an embodiment of the present invention.
Fig. 8 is a schematic flowchart of another abnormal traffic detection method according to an embodiment of the present invention.
Fig. 9 is a schematic diagram of target traffic data for a target time period and historical traffic data for three hours prior to the target time period, according to an embodiment of the present invention.
Fig. 10 is a schematic diagram of the 3σ criterion provided by the embodiment of the present invention.
Fig. 11 is a schematic flowchart of another abnormal traffic detection method according to an embodiment of the present invention.
Fig. 12 is a schematic flowchart of another abnormal traffic detection method according to an embodiment of the present invention.
Fig. 13 is a schematic diagram of an abnormal traffic sequence according to an embodiment of the present invention.
Fig. 14 is an alternative structure diagram of the blockchain system according to the embodiment of the present invention.
Fig. 15 is an alternative schematic diagram of a block structure according to an embodiment of the present invention.
Fig. 16 is a schematic structural diagram of an abnormal traffic detection apparatus according to an embodiment of the present invention.
Fig. 17 is a schematic diagram of a server structure according to an embodiment of the present invention.
Detailed Description
With the research and development of Artificial Intelligence (AI), AI has been studied and applied in many fields. AI is a comprehensive discipline of computer science that attempts to understand the essence of intelligence and to produce a new kind of intelligent machine that can react in a manner similar to human intelligence.
In particular, the solution provided by the embodiment of the present application relates to Machine Learning (ML), a branch of artificial intelligence. ML is a multi-domain interdisciplinary subject involving probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory and other disciplines; it studies how a computer can simulate or realize human learning behavior so as to acquire new knowledge or skills and reorganize existing knowledge structures to keep improving its own performance. ML generally includes techniques such as deep learning, reinforcement learning, transfer learning, inductive learning and teaching learning.
Specifically, the process of performing traffic detection analysis on the target traffic data and historical traffic data of each child object to be detected with a traffic machine learning model, so as to obtain the abnormal traffic analysis result of each child object in the target time period, relates to deep learning and other ML techniques.
Cloud technology refers to a hosting technology that unifies a series of resources such as hardware, software and network within a wide area network or local area network to realize computing, storage, processing and sharing of data.
Cloud technology is a general term for the network technology, information technology, integration technology, management platform technology, application technology and so on that are applied on the basis of a cloud computing business model; it can form a resource pool that is used on demand and is flexible and convenient. The background services of a technical network system, such as video websites, picture websites and other web portals, require large amounts of computing and storage resources. With the rapid development and application of the internet industry, each item may have its own identification mark and need to be transmitted to a background system for logical processing, data at different levels are processed separately, and all kinds of industry data need strong system backend support, which can only be realized through cloud computing. Specifically, cloud technology covers the technical fields of security, big data, databases, industrial applications, networks, storage, management tools, computing and the like.
Specifically, the embodiment of the invention relates to the field of management tools within cloud technology.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is an architecture diagram of an abnormal traffic detection system according to an embodiment of the present invention; the system may serve as the implementation environment of an abnormal traffic detection method. As shown in fig. 1, the system may include at least an application layer, an algorithm layer and a data layer.
Specifically, the data layer is configured to perform fluctuation value detection by parent object IP, to preliminarily screen out the parent object IPs with an anomaly, and to obtain the IP and identification information of each child object through the anomalous parent object IP, where the identification information may be a Universally Unique Identifier (UUID). The traffic time-series data of each child object is then acquired through its UUID. The data layer ensures that traffic time-series data can be acquired and processed quickly.
Specifically, the algorithm layer is configured to perform traffic surge detection on each child object under a parent object to be detected (for example, a parent object with an anomaly), and to sort the abnormal child objects by their abnormal value.
Specifically, the application layer is used to quickly locate the abnormal child object.
It should be noted that fig. 1 is only an example.
Fig. 2 is a schematic diagram of an implementation environment of an abnormal traffic detection method according to an embodiment of the present invention. As shown in fig. 2, the implementation environment may include at least a first terminal 01, a server 02, and a second terminal 03.
The first terminal 01 may be a terminal with an independent IP deployed in a single-tenant environment under the second terminal 03, and the second terminal 03 may be a multi-user computer or software that provides services for the first terminal 01, or a computer device with more or less computing power. Specifically, the first terminal 01 may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart wearable device, and the like.
Specifically, the first terminal 01, the second terminal 03 and the server 02 may be directly or indirectly connected through wired or wireless communication, and the present invention is not limited thereto.
Specifically, the server 02 may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms.
It should be noted that fig. 2 is only an example.
Fig. 3 is a schematic flow chart of an abnormal traffic detection method provided by an embodiment of the present invention. The present specification provides the operation steps of the method as described in the embodiment or the flowchart, but more or fewer steps may be included on the basis of conventional or non-inventive labor. The order of steps recited in the embodiments is merely one of many possible orders and does not represent the only order of execution. In practice, the system or server product may execute the steps sequentially or in parallel (for example, in a parallel-processor or multi-threaded environment) according to the embodiments or the methods shown in the figures. Specifically, as shown in fig. 3, the method may include:
S101, acquiring Internet Protocol (IP) information and identification information of each child object to be detected.
With the continuous expansion of services, the number of child objects under each parent object also increases rapidly. The embodiment of the invention can be applied to the scenario of quickly locating, among the fast-growing child objects of a parent object, the child object whose abnormal network traffic has surged. For this purpose, before S101, the method may further include: S100, performing anomaly detection on the parent object. Specifically, as shown in fig. 4, S100 may include:
S1001, in response to parent object detection parameter information entered on an information input interface, performing traffic fluctuation value detection on the traffic of each parent object to be detected in the target time period, where the parent object detection parameter information at least comprises attribute information of the parent object to be detected and the target time period.
S1003, determining each parent object to be detected whose traffic fluctuation value is larger than a preset fluctuation threshold as a target parent object with abnormal traffic.
S1005, sorting the target parent objects by their corresponding traffic fluctuation values to obtain a fluctuation value sequence corresponding to the target parent objects.
S1007, displaying the fluctuation value sequence on a parent object display interface.
Accordingly, as shown in fig. 4, S101 may include:
S10101, acquiring the IP information of the target parent object.
S10103, acquiring, based on the IP information of the target parent object, the IP information and identification information of each child object to be detected that is subordinate to the target parent object.
The child object to be detected in the embodiment of the present invention may be the first terminal in fig. 1, which includes but is not limited to a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart wearable device, and the like. Functionally, the child object to be detected includes, but is not limited to, a telex terminal with a telex function or a video terminal with a video playing function.
The parent object in the embodiments of the present invention may be a multi-user computer or software that provides services for the child objects to be detected, or a computer device with more or less computing power. For example, when the child object to be detected is a telex terminal or a video terminal, the parent object may be a mainframe computer that provides services for the telex terminal or video terminal.
The child object to be detected in the embodiment of the invention is deployed in a single-tenant environment of the parent object and has an independent IP. Here, a single-tenant environment means that a separate software application and supporting environment is created for each customer individually. In the single-tenant mode, each customer has a database and operating system that are stored separately on separate servers, or stored in a virtual network environment isolated by strong security measures.
In the following, S100 to S101 are described in detail, taking the IP address as the network interconnection protocol information, a UUID as the identification information, a certain user computer device under a certain network operation and maintenance module as the parent object (called the parent machine for short), and a terminal device deployed in the single-tenant environment of the parent machine as the child object to be detected (called the child machine for short). Fig. 5 is the corresponding schematic flow diagram; as shown in fig. 5, S100 to S101 may include:
1) First, the user enters the information input interface shown in fig. 6 and inputs the parent object detection parameter information there to perform initialization. The parent object detection parameter information includes, but is not limited to: attribute information of the parent machines to be detected (name, number, network card, incoming traffic, outgoing traffic, incoming packet count, outgoing packet count and the like), the target time period (from the start time to the end time to be detected), the number of parent machines to be detected, and so on. After the information has been entered, the user clicks "query" in the interface to submit the entered information to the backend server.
2) In S1001-S1007, the backend server responds to the information entered by the user on the information input interface: it performs traffic fluctuation value detection on the traffic of each parent machine to be detected in the target time period, determines each parent machine to be detected whose traffic fluctuation value is larger than the preset fluctuation threshold as a target parent machine with abnormal traffic, and sorts the target parent machines by their traffic fluctuation values to obtain the fluctuation value sequence corresponding to the target parent objects. As shown in fig. 7, the fluctuation value sequence may be a sequence in which the traffic fluctuation values are sorted in descending order, and it may be presented through the IPs of the target parent machines; for example, the IP of the target parent machine with the largest fluctuation value is placed first and the IP of the one with the smallest fluctuation value last, forming the parent machine list shown in fig. 7. Finally, the parent machine IP list is displayed on the parent object display interface. The parent machine IP list may also include a view option; clicking it in the parent object display interface shows the traffic situation under the corresponding parent machine IP.
Performing traffic fluctuation value detection on the traffic of a parent machine to be detected in the target time period means detecting the fluctuation value of the total traffic under that parent machine; if the fluctuation value is larger than the preset fluctuation threshold, the parent machine is preliminarily determined to be a parent machine with abnormal traffic. Because the parent machines that may have abnormal traffic are determined in advance through fluctuation value detection, the subsequent detection of child machines is restricted to those under the parent machines with abnormal traffic, detection of all child machines under the network operation and maintenance module is avoided, the computational load of the system is reduced, and the speed and accuracy of locating abnormal child machines are improved.
In addition, the fluctuation value sequence may be presented through other attribute information of the target parent machines; for example, the names (or IDs) of the target parent machines with the largest fluctuation values are placed at the top and those with the smallest fluctuation values at the bottom, forming the corresponding parent machine list.
3) As described in S10101-S10103, the user selects from the parent machine list in the display interface the target parent machine(s) whose child machines need abnormal traffic detection, and the backend server responds to the user's operation by obtaining the IP and UUID of each child machine to be detected that belongs to the target parent machine, according to the IP of the target parent machine selected by the user. Because a mapping relation exists between the IP of a parent machine and the IPs of its child machines, the IP of each corresponding child machine can be obtained from the mapping relation, and then the UUID of each child machine is obtained.
S103, acquiring, based on the IP information and identification information of each child object to be detected, target traffic data of that child object in a target time period and historical traffic data of that child object in a historical time period.
The historical time period is a time period a preset length of time before the target time period.
In this embodiment of the present invention, S103 may include:
pulling, from a preset database and based on the IP information and identification information of each child object to be detected, the target traffic data of that child object in the target time period and its historical traffic data in the historical time period.
In the embodiment of the invention, after the backend server has acquired the IP and UUID of each child object to be detected, it can pull the traffic data corresponding to each child object from the corresponding preset database that stores traffic information, using the two fields IP and UUID. The traffic data comprises the traffic data in the target time period entered by the user on the information input interface and the traffic data in the historical time period, and includes but is not limited to: traffic volume, incoming packet count, outgoing packet count and the like.
The embodiment of the invention pulls the traffic data corresponding to each child object to be detected through the two fields IP and UUID. Because each child object to be detected has an independent IP and a unique UUID, the combination of IP and UUID makes the traffic data pull more accurate. The traffic data comprises traffic data in the target time period and traffic data in the historical time period; estimating the abnormal traffic in the target time period from the traffic data in the historical time period improves the accuracy of abnormal traffic detection in the target time period, and in turn the accuracy of locating the abnormal child object.
S105, performing traffic detection analysis on the target traffic data and historical traffic data of each child object to be detected to obtain an abnormal traffic analysis result for that child object in the target time period.
In one possible embodiment, S105 may be implemented with mathematical statistical methods including, but not limited to, the Pauta criterion (3σ criterion) and Exponentially Weighted Moving Average (EWMA) control charts. Specifically, as shown in fig. 8, S105 may include:
S10501, dividing the target time period by a preset time granularity to obtain a plurality of target time points.
S10503, dividing the historical time period by the same preset time granularity to obtain a plurality of historical time points.
S10505, determining the target traffic data points corresponding to each child object to be detected based on its target traffic data and the corresponding target time points.
S10507, determining the historical traffic data points corresponding to each child object to be detected based on its historical traffic data and the corresponding historical time points.
S10509, determining the traffic mean and traffic variance corresponding to each child object to be detected based on its historical traffic data points.
S105011, determining, based on the traffic mean and traffic variance corresponding to each child object to be detected, the abnormal traffic data points of that child object from among its target traffic data points.
S105013, determining the abnormal traffic value corresponding to each child object to be detected based on its abnormal traffic data points and the corresponding target traffic data points.
S105015, taking the abnormal traffic value corresponding to each child object to be detected as the abnormal traffic analysis result of that child object in the target time period.
In the following description, taking a master object as a certain user computer device (called a master for short) under a certain network operation and maintenance module, taking a to-be-detected child object as a terminal device (called a slave for short) deployed in a single-tenant environment of the master, taking a statistical method as a forward 3 σ criterion and taking a historical time period of three hours as an example, S10501 to S105015 are described in detail, and continuing as shown in fig. 5, S10501 to S105015 may include:
1) data pre-processing
Performing data preprocessing on the target flow data and the historical flow data of each submachine to be detected, wherein the data preprocessing comprises but is not limited to: removing the submachines to be detected that have no flow data, and, if a NaN (Not a Number) value exists in the flow data, replacing the NaN value with the mean value of the flow data.
2) The mean and variance of the flow data over the first three hours are calculated as described in S10501-S10509
Fig. 9 is a schematic diagram of the target flow data of the target time period and the historical flow data of the three hours before the target time period. As shown in fig. 9, for the historical flow data of the first three hours, the first three hours are divided according to a preset time granularity (for example, a time granularity of one minute), so that there are 180 historical time points in the first three hours; each historical time point corresponds to one flow data value and forms a flow data point, so there are 180 historical flow data points in the first three hours. The flow mean μ and the variance σ² of the 180 historical flow data points in the first three hours are calculated, and the calculation formulas are as follows:
[Formula image: flow mean μ of the historical flow data points]
[Formula image: flow variance σ² of the historical flow data points]
where n is the number of historical flow data points and x_i is the flow value corresponding to each historical flow data point.
3) As described in S105011, evaluating whether each target flow data point in the target time period is abnormal by using the forward 3σ criterion according to the obtained flow mean and variance. Fig. 10 shows a 3σ diagram; as shown in fig. 10, the theoretical basis of the 3σ criterion is that 99.7% of a normally distributed data set lies within 3σ of the mean value. If a value deviates from the mean μ by more than 3σ, the value can simply be marked as an outlier. To detect a sudden increase in flow, the forward 3σ decision rule is as follows:
Normal point: x_i − μ < 3σ,
Abnormal point: x_i − μ > 3σ,
where x_i is the flow value corresponding to each target flow data point in the target time period.
Through the formula, the abnormal flow data points corresponding to the sub-objects to be detected can be determined from the target flow data points corresponding to the sub-objects to be detected.
4) Calculating an abnormal flow rate value
As described in S105013-S105015, the abnormal flow value corresponding to each sub-object to be detected may be determined according to the number of the abnormal flow data points corresponding to each sub-object to be detected and the total number of the corresponding target flow data points, and the abnormal flow value corresponding to each sub-object to be detected is used as the abnormal flow analysis result of each sub-object to be detected in the target time period, and the calculation formula is as follows:
[Formula image: abnormal flow value, computed from the number of abnormal flow data points and the total number of target flow data points]
in addition, because the forward 3 sigma criterion does not need to manually check abnormal machines, and does not need to label or extract characteristics of flow data, the efficiency of monitoring the abnormal flow of a service system with a large amount of IP network flow can be effectively improved, and the second-level positioning to an abnormal submachine is realized.
In another feasible embodiment, S105 may also perform flow detection by using a machine learning method, for example, based on a flow machine learning model, perform flow detection analysis on the target flow data and the historical flow data of each sub-object to be detected, so as to obtain an abnormal flow analysis result of each sub-object to be detected in the target time period. Specifically, as shown in fig. 11, S105 may further include:
S10502, obtaining the sample network interconnection protocol information and the sample identification information of each sample sub-object.
S10504, acquiring target sample flow data of each sample sub-object in a target sample time period and historical sample flow data of each sample sub-object in a historical sample time period based on the sample network interconnection protocol information and the sample identification information of each sample sub-object. The historical sample time period is a time period which is a preset time before the target sample time period.
S10506, performing abnormal flow learning training on a preset machine learning model based on target sample flow data and historical sample flow data of each sample sub-object, and determining a model obtained through learning training as the flow machine learning model.
In practical applications, a supervised machine learning model needs samples to be labeled or features to be constructed, a service system has a large amount of IP network traffic (each IP has its corresponding network traffic), and constructing features or labels has a certain impact on real-time performance. Therefore, in order to improve the efficiency of abnormal traffic detection and reduce its cost, an unsupervised machine learning model may be used as the preset machine learning model, for example, an Autoregressive Integrated Moving Average model (ARIMA), a time series prediction model (fbProphet), and the like.
S107, determining a target sub-object with abnormal flow from each sub-object to be detected based on the abnormal flow analysis result of each sub-object to be detected in the target time period.
In this embodiment of the present invention, as shown in fig. 12, S107 may include:
S10701, comparing the abnormal flow value corresponding to each sub-object to be detected with a preset flow threshold value.
S10703, determining the sub-object to be detected with the abnormal flow value larger than the preset flow threshold value as the target sub-object.
In the embodiment of the present invention, after obtaining the abnormal flow value corresponding to each sub-object to be detected, the abnormal flow value may be compared with the preset flow threshold, and if the abnormal flow value is greater than the preset flow threshold, it is indicated that the sub-object to be detected is the target sub-object with abnormal flow.
In practical application, if the number of abnormal flow data points corresponding to a sub-object to be detected is 0, its abnormal flow value is also 0; therefore, all sub-objects to be detected with a non-zero abnormal flow value may be regarded as target sub-objects.
In addition, "determining the target sub-object with abnormal traffic" in the embodiment of the present invention includes, but is not limited to, locating: the location (such as the area) of the target sub-object with abnormal traffic, the IP of the target sub-object, the UUID of the target sub-object, the identification number (ID) of the Application (APP) in the target sub-object, the ID of the virtual private cloud (VPC) to which the target sub-object belongs, and the like.
In this embodiment of the present invention, as shown in fig. 12, after S107, the method may further include:
S109, sorting the target sub-objects based on the abnormal flow values corresponding to the target sub-objects to obtain an abnormal flow sequence corresponding to the target sub-objects.
S1011, displaying the abnormal flow sequence based on a sub-object display interface.
In the embodiment of the present invention, after the target sub-objects are obtained, the target sub-objects may be sorted in a reverse order according to the abnormal flow values corresponding to the target sub-objects, that is, the target sub-objects with the largest abnormal flow values are arranged at the forefront, and the target sub-objects with the smallest abnormal flow values are arranged at the rearmost, so as to obtain the abnormal flow sequence corresponding to the target sub-objects, and the abnormal flow sequence is displayed in the object display interface (of course, the target sub-objects may also be sorted in a sequential order).
Fig. 13 is a schematic diagram of an abnormal traffic sequence, exemplified by a parent object being a certain user computer device (called a parent machine for short) under a certain network operation and maintenance module, and a child object to be detected being a terminal device (called a child machine for short) deployed in a single-tenant environment of the parent machine, where the abnormal traffic sequence is represented by child machine IPs, that is, the IP of the target child machine with the largest abnormal traffic value is arranged at the head and the IP of the target child machine with the smallest abnormal traffic value is arranged at the tail. As shown in fig. 13, the information presented in the abnormal traffic sequence includes but is not limited to: the IP of the target child machine with abnormal traffic, the area where the target child machine is located, the UUID of the target child machine, the ID of the APP in the target child machine, the ID of the VPC to which the target child machine belongs, the IP of the parent machine of the target child machine, a corresponding operation, and the like. The corresponding operation may be an operation performed on the target child machine, for example, a rate-limiting operation on the traffic of the target child machine.
The abnormal traffic sequence may also be represented by other attribute information of the target child machine, for example, by arranging the name (or ID) of the target child machine having the largest abnormal traffic value at the head and the name (or ID) of the target child machine having the smallest abnormal traffic value at the tail to form the corresponding abnormal traffic sequence.
And for the sub-objects to be detected with no abnormal flow value, calculating the flow fluctuation value of the sub-objects to be detected with no abnormal flow value in the target time period, sorting the sub-objects to be detected with no abnormal flow value according to the flow fluctuation value, and displaying and outputting the sorted sub-objects to be detected with no abnormal flow value (the sorted sub-objects to be detected with no abnormal flow value can be displayed through a corresponding IP, and can also be displayed through other attribute information).
In the embodiment of the present invention, after the abnormal child machines are sorted and displayed according to their abnormal values, the background server may further determine, according to the abnormal traffic value corresponding to the target sub-object, the cause of the abnormal traffic sudden increase, where the cause of the abnormal traffic sudden increase includes but is not limited to: a sudden increase in the number of visitors, abnormal network events (e.g., Denial of Service (DoS) attacks, worms, etc.), and the like.
In practical application, because the result of the traffic sudden increase caused by the abnormal network event is more serious than the result of the traffic sudden increase caused by the sudden increase of the number of visitors, and the abnormal traffic value corresponding to the abnormal network event is larger than the abnormal traffic value corresponding to the sudden increase of the number of visitors, the abnormal traffic value corresponding to the target sub-object can be judged again, when the abnormal traffic value corresponding to the target sub-object is larger than the preset abnormal threshold value, the abnormal traffic sudden increase of the target sub-object can be preliminarily judged to be caused by the abnormal network event, otherwise, the abnormal traffic sudden increase can be considered to be caused by the sudden increase of the number of visitors.
Further, after determining the cause of the abnormal traffic sudden increase, an alarm prompt message may be presented to the user, where the alarm prompt message may include, but is not limited to: an abnormal slave IP, a cause of an abnormal traffic surge, a policy for handling the cause of the abnormal traffic surge, and the like.
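The procedure of S10501 to S105015 above, followed by the threshold comparison of S107, the sorting of S109 and the cause judgement just described, as an added Python example that is not part of the patent. The preset thresholds, the ratio form of the abnormal flow value, the population variance (divide by n) and all sub-machine IPs, UUIDs and flow values are assumptions made for illustration.

```python
import math
from typing import Dict, List, Optional, Tuple

# Preset thresholds (assumed values; the page names them but gives no numbers).
FLOW_THRESHOLD = 0.05      # preset flow threshold of S10701
ANOMALY_THRESHOLD = 0.30   # preset abnormal threshold used to separate causes


def preprocess(series: List[Optional[float]]) -> Optional[List[float]]:
    """Step 1) data pre-processing: return None for a sub-machine with no flow
    data at all; otherwise replace NaN (or missing) values with the mean of
    the remaining values."""
    valid = [v for v in series if v is not None and not math.isnan(v)]
    if not valid:
        return None
    fill = sum(valid) / len(valid)
    return [fill if v is None or math.isnan(v) else v for v in series]


def mean_variance(points: List[float]) -> Tuple[float, float]:
    """Step 2) flow mean mu and variance sigma^2 of the historical points
    (S10509). Population variance is assumed; the page's formula image is
    not reproduced."""
    n = len(points)
    mu = sum(points) / n
    var = sum((x - mu) ** 2 for x in points) / n
    return mu, var


def forward_3sigma(target: List[float], mu: float, var: float) -> List[int]:
    """Step 3) forward 3 sigma criterion (S105011): index i is abnormal when
    x_i - mu > 3 sigma. Downward deviations are deliberately not flagged,
    since the method looks for sudden increases only."""
    limit = mu + 3 * math.sqrt(var)
    return [i for i, x in enumerate(target) if x > limit]


def abnormal_flow_value(n_abnormal: int, n_total: int) -> float:
    """Step 4) (S105013): abnormal points as a fraction of all target points.
    The exact formula is an image on the page; the ratio form is assumed."""
    return n_abnormal / n_total if n_total else 0.0


def detect(sub_machines: Dict[Tuple[str, str], Dict[str, list]]) -> List[dict]:
    """Run S10501-S105015, then S107 (threshold), S109 (sort) and the cause
    judgement. Keys are (IP, UUID) pairs; values carry 'history' and 'target'."""
    results = []
    for (ip, uuid), data in sub_machines.items():
        history = preprocess(data["history"])
        target = preprocess(data["target"])
        if history is None or target is None:
            continue                      # removed in pre-processing
        mu, var = mean_variance(history)
        outliers = forward_3sigma(target, mu, var)
        value = abnormal_flow_value(len(outliers), len(target))
        if value <= FLOW_THRESHOLD:
            continue                      # S10703: not a target sub-object
        cause = ("abnormal network event" if value > ANOMALY_THRESHOLD
                 else "sudden increase in visitors")
        results.append({"ip": ip, "uuid": uuid, "abnormal_value": value,
                        "mu": mu, "sigma": math.sqrt(var), "cause": cause})
    # S109: reverse order, largest abnormal flow value first
    results.sort(key=lambda r: r["abnormal_value"], reverse=True)
    return results


def sample_sub_machines() -> Dict[Tuple[str, str], Dict[str, list]]:
    """Constructed input: one-minute granularity, 180 historical points (three
    hours) and a 60-minute target window per sub-machine. IPs/UUIDs invented."""
    baseline = [100.0 + (i % 5) - 2 for i in range(180)]   # mu = 100, sigma^2 = 2
    history_with_nan = baseline[:]
    history_with_nan[2] = float("nan")                     # was 100.0
    return {
        ("10.0.0.1", "uuid-a"): {"history": baseline,
            "target": [100.0] * 40 + [150.0] * 10 + [100.0] * 10},  # 10-min burst
        ("10.0.0.2", "uuid-b"): {"history": baseline,
            "target": [100.0] * 60},                                # steady
        ("10.0.0.3", "uuid-c"): {"history": history_with_nan,
            "target": [100.0] * 30 + [110.0] * 30},                 # 30-min burst
        ("10.0.0.4", "uuid-d"): {"history": [None] * 180,
            "target": [100.0] * 60},                                # no data
    }


if __name__ == "__main__":
    for r in detect(sample_sub_machines()):
        print(f"{r['ip']:<10} value={r['abnormal_value']:.3f} cause={r['cause']}")
```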
According to the embodiment of the invention, the abnormal submachine can be displayed to the user, and the abnormal reason and the corresponding solution strategy can be displayed, so that the user can conveniently take corresponding treatment measures according to the corresponding abnormal conditions, the intelligence is higher, and the user experience is better.
In one possible embodiment, at least one of the internetworking protocol information and identification information in S101, the target traffic data and historical traffic data in S103, the abnormal traffic analysis result in S105, or the traffic mean and traffic variance in S10509 may be stored in a blockchain system. Referring to fig. 14, fig. 14 is an optional structural diagram of the blockchain system according to the embodiment of the present invention; a peer-to-peer (P2P, Peer To Peer) network is formed among a plurality of nodes, and the P2P protocol is an application layer protocol operating on the Transmission Control Protocol (TCP). In the blockchain system, any machine such as a server or a terminal can be added to become a node, and a node comprises a hardware layer, a middle layer, an operating system layer and an application layer.
Referring to the functions of each node in the blockchain system shown in fig. 14, the functions involved include:
1) routing, a basic function that a node has, is used to support communication between nodes.
Besides the routing function, the node may also have the following functions:
2) the application is used for being deployed in a block chain, realizing specific services according to actual service requirements, recording data related to the realization functions to form recording data, carrying a digital signature in the recording data to represent a source of task data, and sending the recording data to other nodes in the block chain system, so that the other nodes add the recording data to a temporary block when the source and integrity of the recording data are verified successfully.
3) And the Block chain comprises a series of blocks (blocks) which are mutually connected according to the generated chronological order, new blocks cannot be removed once being added into the Block chain, and recorded data submitted by nodes in the Block chain system are recorded in the blocks.
Referring to fig. 15, fig. 15 is an optional schematic diagram of a Block Structure (Block Structure) according to an embodiment of the present invention, where each Block includes a hash value of a transaction record (hash value of the Block) stored in the Block and a hash value of a previous Block, and the blocks are connected by the hash values to form a Block chain. The block may include information such as a time stamp at the time of block generation. A Blockchain (Blockchain), which is essentially a decentralized database, is a string of data blocks, each of which is associated using cryptography.
According to the embodiment of the invention, the flow time series data of each sub-object to be detected, including the target flow data in the target time period and the historical flow data in the historical time period, is acquired through the network interconnection protocol information and the identification information of each sub-object to be detected; then the target flow data and the historical flow data are detected and analyzed to obtain the abnormal flow analysis result of each sub-object to be detected in the target time period; and finally, the target sub-objects with abnormal, suddenly increased flow are rapidly screened out from a list of hundreds of sub-object IPs according to the abnormal flow analysis result, so that the time for locating the anomaly and solving the problem is greatly shortened. In addition, the method avoids complex work such as preprocessing and feature engineering, and has the advantages of low cost and good timeliness.
As shown in fig. 16, an embodiment of the present invention provides an abnormal flow rate detection apparatus, which may include:
the information obtaining module 201 may be configured to obtain network interconnection protocol information and identification information of each sub-object to be detected.
The traffic data obtaining module 203 may be configured to obtain target traffic data of each sub-object to be detected in a target time period and historical traffic data of each sub-object to be detected in a historical time period based on the network interconnection protocol information and the identification information of each sub-object to be detected.
Specifically, the traffic data obtaining module 203 may be configured to pull, from a preset database, target traffic data of each to-be-detected sub-object in the target time period and historical traffic data of each to-be-detected sub-object in the historical time period based on the network interconnection protocol information and the identification information of each to-be-detected sub-object.
The flow detection and analysis module 205 may be configured to perform flow detection and analysis on the target flow data and the historical flow data of each sub-object to be detected, so as to obtain an abnormal flow analysis result of each sub-object to be detected in the target time period.
Specifically, the flow detection analysis module 205 may include:
the target time point determining unit may be configured to divide the target time period according to a preset time granularity to obtain a plurality of target time points.
The historical time point determining unit may be configured to divide the historical time period according to the preset time granularity to obtain a plurality of historical time points.
The target flow data point determining unit may be configured to determine a target flow data point corresponding to each sub-object to be detected based on the target flow data of each sub-object to be detected and the corresponding target time point.
The historical flow data point determining unit may be configured to determine, based on the historical flow data of each sub-object to be detected and the corresponding historical time point, a historical flow data point corresponding to each sub-object to be detected.
The mean variance determining unit may be configured to determine a flow mean and a flow variance corresponding to each sub-object to be detected based on the historical flow data point corresponding to each sub-object to be detected.
The abnormal flow data point determining unit may be configured to determine, based on the flow mean and the flow variance corresponding to each of the to-be-detected sub-objects, an abnormal flow data point corresponding to each of the to-be-detected sub-objects from the target flow data point corresponding to each of the to-be-detected sub-objects.
The abnormal flow value determining unit may be configured to determine the abnormal flow value corresponding to each to-be-detected sub-object based on the abnormal flow data point corresponding to each to-be-detected sub-object and the corresponding target flow data point.
The abnormal flow analysis result determining unit may be configured to use the abnormal flow value corresponding to each sub-object to be detected as the abnormal flow analysis result of each sub-object to be detected in the target time period.
The target sub-object determining module 207 may be configured to determine, based on an abnormal traffic analysis result of each sub-object to be detected in the target time period, a target sub-object with abnormal traffic from the each sub-object to be detected.
Specifically, the target sub-object determining module 207 may include:
and the comparison unit can be used for comparing the abnormal flow value corresponding to each sub-object to be detected with a preset flow threshold value.
The target sub-object obtaining unit may be configured to determine the sub-object to be detected whose abnormal flow value is greater than the preset flow threshold value as the target sub-object.
Further, the apparatus may further include:
the abnormal flow sequence obtaining module may be configured to sort the target sub-objects based on the abnormal flow values corresponding to the target sub-objects, so as to obtain an abnormal flow sequence corresponding to the target sub-objects.
And the abnormal flow sequence display module can be used for displaying the abnormal flow sequence based on a sub-object display interface.
Further, the apparatus may further include:
the response module may be configured to perform flow fluctuation value detection on the flow of the mother object to be detected in the target time period in response to the mother object detection parameter information input in the information input interface, where the mother object detection parameter information at least includes attribute information of the mother object to be detected and the target time period.
The target parent object determining module can be used for determining a parent object to be detected with a flow fluctuation value larger than a preset fluctuation threshold value as a target parent object with abnormal flow;
the fluctuation value sequence determining module may be configured to sort the target parent objects based on the flow fluctuation values corresponding to the target parent objects, so as to obtain a fluctuation value sequence corresponding to the target parent objects.
And the fluctuation value sequence display module can be used for displaying the fluctuation value sequence based on a mother object display interface.
Accordingly, the information acquisition module 201 may include:
the first information obtaining unit may be configured to obtain internetworking protocol information of the target parent object.
The second information obtaining unit may be configured to obtain, based on the network interconnection protocol information of the target parent object, network interconnection protocol information and identification information of each to-be-detected child object that belongs to the target parent object.
Specifically, the flow detection and analysis module 205 may be configured to perform flow detection and analysis on the target flow data and the historical flow data of each sub-object to be detected based on a flow machine learning model, so as to obtain an abnormal flow analysis result of each sub-object to be detected in the target time period.
Accordingly, the apparatus may further include a traffic machine learning model acquisition module, which may include:
and the sample information acquisition unit is used for acquiring the sample network interconnection protocol information and the sample identification information of each sample sub-object.
And the sample traffic data acquisition unit may be configured to acquire target sample traffic data of each sample sub-object in the target sample time period and historical sample traffic data of each sample sub-object in the historical sample time period based on the sample internetworking protocol information and the sample identification information of each sample sub-object.
And the learning training unit can be used for performing abnormal flow learning training on a preset machine learning model based on the target sample flow data and the historical sample flow data of each sample sub-object, and determining the model obtained by learning training as the flow machine learning model.
It should be noted that the embodiments of the present invention provide embodiments of apparatuses based on the same inventive concept as the embodiments of the method described above.
The embodiment of the present invention further provides an electronic device for detecting abnormal traffic, where the electronic device includes a processor and a memory, where the memory stores at least one instruction or at least one program, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the abnormal traffic detection method provided in the foregoing method embodiment.
An embodiment of the present invention further provides a computer-readable storage medium, which may be disposed in a terminal to store at least one instruction or at least one program for implementing an abnormal traffic detection method in the method embodiment, where the at least one instruction or the at least one program is loaded and executed by a processor to implement the abnormal traffic detection method provided in the above method embodiment.
Alternatively, in the embodiment of the present specification, the storage medium may be located in at least one network server among a plurality of network servers of a computer network. Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing program code, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
The memory of the embodiments of the present disclosure may be used to store software programs and modules, and the processor may execute various functional applications and data processing by operating the software programs and modules stored in the memory. The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system, application programs needed by functions and the like; the storage data area may store data created according to use of the device, and the like. Further, the memory may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory may also include a memory controller to provide the processor access to the memory.
The embodiment of the abnormal flow detection method provided by the embodiment of the invention can be executed in a terminal, a computer terminal, a server or a similar operation device. Taking the example of running on a server, fig. 17 is a block diagram of the hardware structure of the server of the abnormal traffic detection method according to the embodiment of the present invention. As shown in fig. 17, the server 300 may vary considerably due to different configurations or performance, and may include one or more Central Processing Units (CPUs) 310 (the processor 310 may include but is not limited to a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 330 for storing data, and one or more storage media 320 (e.g., one or more mass storage devices) for storing applications 323 or data 322. Memory 330 and storage medium 320 may be, among other things, transient or persistent storage. The program stored in the storage medium 320 may include one or more modules, each of which may include a series of instruction operations for the server. Still further, the central processor 310 may be configured to communicate with the storage medium 320 to execute the series of instruction operations in the storage medium 320 on the server 300. The server 300 may also include one or more power supplies 360, one or more wired or wireless network interfaces 350, one or more input/output interfaces 340, and/or one or more operating systems 321, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so on.
The input output interface 340 may be used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server 300. In one example, the input/output Interface 340 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the input/output interface 340 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
It will be understood by those skilled in the art that the structure shown in fig. 17 is merely an illustration and is not intended to limit the structure of the electronic device. For example, server 300 may also include more or fewer components than shown in FIG. 17, or have a different configuration than shown in FIG. 17.
It should be noted that: the precedence order of the above embodiments of the present invention is only for description, and does not represent the merits of the embodiments. And specific embodiments thereof have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the device and server embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the partial description of the method embodiments.
It will be understood by those skilled in the art that all or part of the steps of implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent replacements, improvements, etc. within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An abnormal traffic detection method, characterized in that the method comprises:
acquiring network interconnection protocol information and identification information of each sub-object to be detected;
acquiring target traffic data of each sub-object to be detected in a target time period and historical traffic data of each sub-object to be detected in a historical time period based on the network interconnection protocol information and the identification information of each sub-object to be detected;
performing traffic detection analysis on the target traffic data and the historical traffic data of each sub-object to be detected to obtain an abnormal traffic analysis result of each sub-object to be detected in the target time period;
and determining a target sub-object with abnormal traffic from the sub-objects to be detected based on the abnormal traffic analysis result of each sub-object to be detected in the target time period.
2. The method according to claim 1, wherein the acquiring target traffic data of each sub-object to be detected in a target time period and historical traffic data of each sub-object to be detected in a historical time period based on the network interconnection protocol information and the identification information of each sub-object to be detected comprises:
pulling target traffic data of each sub-object to be detected in the target time period and historical traffic data of each sub-object to be detected in the historical time period from a preset database based on the network interconnection protocol information and the identification information of each sub-object to be detected.
3. The method according to claim 1, wherein the performing traffic detection analysis on the target traffic data and the historical traffic data of each sub-object to be detected to obtain an abnormal traffic analysis result of each sub-object to be detected in the target time period comprises:
dividing the target time period according to a preset time granularity to obtain a plurality of target time points;
dividing the historical time period according to the preset time granularity to obtain a plurality of historical time points;
determining target traffic data points corresponding to each sub-object to be detected based on the target traffic data of each sub-object to be detected and the corresponding target time points;
determining historical traffic data points corresponding to each sub-object to be detected based on the historical traffic data of each sub-object to be detected and the corresponding historical time points;
determining a traffic mean and a traffic variance corresponding to each sub-object to be detected based on the historical traffic data points corresponding to each sub-object to be detected;
determining abnormal traffic data points corresponding to each sub-object to be detected from the target traffic data points corresponding to each sub-object to be detected based on the traffic mean and the traffic variance corresponding to each sub-object to be detected;
determining an abnormal traffic value corresponding to each sub-object to be detected based on the abnormal traffic data points corresponding to each sub-object to be detected and the corresponding target traffic data points;
and taking the abnormal traffic value corresponding to each sub-object to be detected as the abnormal traffic analysis result of each sub-object to be detected in the target time period.
4. The method according to claim 3, wherein the determining a target sub-object with abnormal traffic from the sub-objects to be detected based on the abnormal traffic analysis result of each sub-object to be detected in the target time period comprises:
comparing the abnormal traffic value corresponding to each sub-object to be detected with a preset traffic threshold;
and determining a sub-object to be detected whose abnormal traffic value is greater than the preset traffic threshold as the target sub-object.
5. The method according to claim 4, wherein after the determining a target sub-object with abnormal traffic from the sub-objects to be detected based on the abnormal traffic analysis result of each sub-object to be detected in the target time period, the method further comprises:
sorting the target sub-objects based on the abnormal traffic values corresponding to the target sub-objects to obtain an abnormal traffic sequence corresponding to the target sub-objects;
and displaying the abnormal traffic sequence on a sub-object display interface.
6. The method according to claim 1, wherein before the acquiring network interconnection protocol information and identification information of each sub-object to be detected, the method further comprises:
in response to parent object detection parameter information input on an information input interface, performing traffic fluctuation value detection on the traffic of a parent object to be detected in the target time period, wherein the parent object detection parameter information comprises at least attribute information of the parent object to be detected and the target time period;
determining a parent object to be detected whose traffic fluctuation value is greater than a preset fluctuation threshold as a target parent object with abnormal traffic;
sorting the target parent objects based on the traffic fluctuation values corresponding to the target parent objects to obtain a fluctuation value sequence corresponding to the target parent objects;
and displaying the fluctuation value sequence on a parent object display interface.
7. The method according to claim 6, wherein the acquiring network interconnection protocol information and identification information of each sub-object to be detected comprises:
acquiring the network interconnection protocol information of the target parent object;
and acquiring the network interconnection protocol information and the identification information of each sub-object to be detected that is subordinate to the target parent object based on the network interconnection protocol information of the target parent object.
8. The method according to claim 1, wherein the performing traffic detection analysis on the target traffic data and the historical traffic data of each sub-object to be detected to obtain an abnormal traffic analysis result of each sub-object to be detected in the target time period comprises:
performing traffic detection analysis on the target traffic data and the historical traffic data of each sub-object to be detected based on a traffic machine learning model to obtain an abnormal traffic analysis result of each sub-object to be detected in the target time period;
accordingly, the method further comprises obtaining the traffic machine learning model, wherein the obtaining the traffic machine learning model comprises:
acquiring sample network interconnection protocol information and sample identification information of each sample sub-object;
acquiring target sample traffic data of each sample sub-object in a target sample time period and historical sample traffic data of each sample sub-object in a historical sample time period based on the sample network interconnection protocol information and the sample identification information of each sample sub-object;
and performing abnormal traffic learning training on a preset machine learning model based on the target sample traffic data and the historical sample traffic data of each sample sub-object, and determining the model obtained by the learning training as the traffic machine learning model.
9. An abnormal traffic detection apparatus, characterized in that the apparatus comprises:
an information acquisition module, configured to acquire network interconnection protocol information and identification information of each sub-object to be detected;
a traffic data acquisition module, configured to acquire target traffic data of each sub-object to be detected in a target time period and historical traffic data of each sub-object to be detected in a historical time period based on the network interconnection protocol information and the identification information of each sub-object to be detected;
a traffic detection analysis module, configured to perform traffic detection analysis on the target traffic data and the historical traffic data of each sub-object to be detected to obtain an abnormal traffic analysis result of each sub-object to be detected in the target time period;
and a target sub-object determining module, configured to determine a target sub-object with abnormal traffic from the sub-objects to be detected based on the abnormal traffic analysis result of each sub-object to be detected in the target time period.
10. A computer-readable storage medium, wherein at least one instruction or at least one program is stored in the computer-readable storage medium, and the at least one instruction or the at least one program is loaded and executed by a processor to implement the abnormal traffic detection method according to any one of claims 1 to 8.
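Claims 3 to 5 describe the per-sub-object procedure only in prose. The following Python is an added illustration, not code from the patent or from the assignee; it assumes a deviation test of k historical standard deviations, assumes the abnormal traffic value is the share of target points flagged, and uses constructed (timestamp, bytes) samples keyed by (IP, identifier).

```python
from math import sqrt
from statistics import mean, pvariance

GRANULARITY = 60      # preset time granularity: one traffic data point per minute
K_SIGMA = 3.0         # a point is abnormal beyond k historical standard deviations
FLOW_THRESHOLD = 0.3  # preset traffic threshold on the abnormal traffic value (claim 4)

def as_samples(start, per_minute, granularity=GRANULARITY):
    """Constructed raw (timestamp, bytes) samples, two per minute, so that
    bucketize() has real aggregation to do."""
    out = []
    for i, v in enumerate(per_minute):
        t = start + i * granularity
        out += [(t, v // 2), (t + granularity // 2, v - v // 2)]
    return out

# Constructed data keyed by (IP, identifier); history is [0, 600), target [600, 900).
SUB_OBJECTS = {
    ("10.0.0.1", "svc-a"): as_samples(0, [100, 102, 98, 101, 99, 100, 103, 97, 100, 100])
                           + as_samples(600, [100, 1000, 99, 950, 101]),  # two spikes
    ("10.0.0.2", "svc-b"): as_samples(0, [200, 205, 195, 200, 210, 190, 200, 203, 197, 200])
                           + as_samples(600, [201, 199, 204, 196, 200]),  # normal
    ("10.0.0.3", "svc-c"): as_samples(0, [50] * 10)
                           + as_samples(600, [500] * 5),                  # sustained surge
}

def bucketize(samples, period_start, period_end, granularity=GRANULARITY):
    """Divide [period_start, period_end) at the preset granularity into time points
    and sum the samples in each, giving one traffic data point per time point."""
    points = [0] * ((period_end - period_start) // granularity)
    for ts, value in samples:
        if period_start <= ts < period_end:
            points[(ts - period_start) // granularity] += value
    return points

def abnormal_traffic_value(history, target, k=K_SIGMA):
    """Mean/variance come from the historical points; a target point is abnormal when
    it deviates from the mean by more than k standard deviations. The abnormal traffic
    value is assumed to be the share of target points flagged (the claim only says it
    derives from the two point sets). A constant history (variance 0) makes any
    change abnormal, which is the intended behaviour here."""
    if not target:
        return 0.0, []
    mu, sigma = mean(history), sqrt(pvariance(history))
    abnormal = [x for x in target if abs(x - mu) > k * sigma]
    return len(abnormal) / len(target), abnormal

def detect_target_sub_objects(sub_objects, hist_window, target_window,
                              threshold=FLOW_THRESHOLD, granularity=GRANULARITY):
    """Claims 3-5: score every sub-object, keep those above the preset threshold
    and return them sorted by abnormal traffic value, highest first."""
    results = []
    for key, samples in sub_objects.items():
        hist = bucketize(samples, *hist_window, granularity)
        tgt = bucketize(samples, *target_window, granularity)
        value, _ = abnormal_traffic_value(hist, tgt)
        if value > threshold:
            results.append((key, value))
    return sorted(results, key=lambda kv: kv[1], reverse=True)
```

With the constructed data, `detect_target_sub_objects(SUB_OBJECTS, (0, 600), (600, 900))` ranks svc-c (every target point abnormal) above svc-a (two spikes out of five) and drops svc-b, which is the ordered sequence claim 5 would display.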

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010504612.XA CN111756706A (en) 2020-06-05 2020-06-05 Abnormal flow detection method and device and storage medium

Publications (1)

Publication Number Publication Date
CN111756706A true CN111756706A (en) 2020-10-09

Family

ID=72674743

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010504612.XA Pending CN111756706A (en) 2020-06-05 2020-06-05 Abnormal flow detection method and device and storage medium

Country Status (1)

Country Link
CN (1) CN111756706A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383116A (en) * 2020-11-27 2021-02-19 国网北京市电力公司 Method, system and device for determining state of charging equipment
CN112615752A (en) * 2020-12-29 2021-04-06 中通天鸿(北京)通信科技股份有限公司 System for positioning traffic variable nodes of cloud communication platform through aggregation analysis
CN112994978A (en) * 2021-02-25 2021-06-18 网宿科技股份有限公司 Network traffic monitoring method and device
CN113037595A (en) * 2021-03-29 2021-06-25 北京奇艺世纪科技有限公司 Abnormal device detection method and device, electronic device and storage medium
CN113595784A (en) * 2021-07-26 2021-11-02 招商银行股份有限公司 Network flow detection method, device, equipment, storage medium and program product
CN113992396A (en) * 2021-10-26 2022-01-28 深信服科技股份有限公司 Flow detection method and device, electronic equipment and storage medium
CN115208741A (en) * 2022-07-06 2022-10-18 中国联合网络通信集团有限公司 Fault monitoring method, device, equipment and medium based on network equipment
CN115589310A (en) * 2022-09-23 2023-01-10 中国电信股份有限公司 Attack detection method, device and related equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8204720B2 (en) * 2007-06-01 2012-06-19 Alcatel Lucent Graph-based modeling apparatus and techniques
CN106209404A (en) * 2015-04-30 2016-12-07 华为技术有限公司 Analyzing abnormal network flow method and system
CN107483455A (en) * 2017-08-25 2017-12-15 国家计算机网络与信息安全管理中心 A kind of network node abnormality detection method and system based on stream
CN110210508A (en) * 2018-12-06 2019-09-06 北京奇艺世纪科技有限公司 Model generating method, anomalous traffic detection method, device, electronic equipment, computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201009