CN111818097A - Traffic monitoring method and device based on behaviors - Google Patents


Info

Publication number
CN111818097A
Authority
CN
China
Prior art keywords
behavior
access
alarm
traffic source
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010900845.1A
Other languages
Chinese (zh)
Other versions
CN111818097B (en)
Inventor
宋贤飞
姜双林
周磊
饶志波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Andi Technology Co Ltd
Original Assignee
Beijing Andi Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Andi Technology Co Ltd
Priority to CN202010900845.1A
Publication of CN111818097A
Application granted
Publication of CN111818097B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a behavior-based traffic monitoring method and device, comprising the following steps: when it is monitored that a traffic source initiates access, establishing a time window for the traffic source, wherein the time window can contain data of a preset duration; writing the access behavior generated after the traffic source initiates access into the time window; determining at least one behavior element of the traffic source according to the access behavior in the time window, wherein each behavior element characterizes a behavior feature; generating a current behavior chain of the traffic source according to the at least one behavior element; judging whether the access behavior is abnormal according to the current behavior chain; and triggering an alarm event when the access behavior is judged to be abnormal. The scheme can help an analyst quickly determine whether the traffic source is abnormal.

Description

Traffic monitoring method and device based on behaviors
Technical Field
The invention relates to the technical field of computers, in particular to a behavior-based traffic monitoring method and device.
Background
Traffic analysis refers to collecting statistics on and analyzing related data once basic data on website access volume has been obtained, in order to find the patterns in how users access the website.
Most of the current traffic analysis technologies are based on single traffic packet judgment, for example, after one IP interacts with another IP once, if an interaction abnormality is found, an alarm is triggered.
However, the above analysis method easily triggers a large number of alarm events due to user misoperation, which brings a large amount of interference data to the analyst and makes it difficult for the analyst to quickly determine from that data whether a traffic source is abnormal.
Therefore, in view of the above shortcomings, it is desirable to provide a method and apparatus for behavior-based traffic monitoring.
Disclosure of Invention
The invention provides a behavior-based traffic monitoring method and device, which can help an analyst quickly determine whether a traffic source is abnormal.
In a first aspect, the present invention provides a method for behavior-based traffic monitoring, comprising:
when monitoring that a traffic source initiates access, creating a time window for the traffic source, wherein the time window can contain data of a preset duration;
writing the access behavior after the traffic source initiates the access into the time window;
determining at least one behavior element of the traffic source according to the access behavior in the time window, wherein each behavior element represents a behavior feature;
generating a current behavior chain of the traffic source according to the at least one behavior element;
judging whether the access behavior is abnormal or not according to the current behavior chain;
and triggering an alarm event when the access behavior is judged to be abnormal.
Preferably,
writing the access behavior after the traffic source initiates access into the time window, and determining at least one behavior element of the traffic source according to the access behavior in the time window, including:
a1: acquiring the access behavior of the traffic source after it initiates access, according to a preset acquisition period;
a2: determining whether the capacity remaining in the time window is smaller than a preset capacity threshold, wherein the capacity threshold is smaller than the data volume of the access behavior collected in one acquisition period; if so, executing A3, otherwise, executing A5;
a3: determining at least one behavioral element of the traffic source according to the access behavior in the time window;
a4: deleting historical data in a time length corresponding to one acquisition period in the time window, wherein the historical data is data with the longest storage time in the time window;
a5: writing the collected access behavior into the time window.
Preferably,
after the monitoring that the traffic source initiates the access, before the writing the access behavior after the traffic source initiates the access into the time window, further comprising:
s1: taking the first information sent by the traffic source and the second information returned to the traffic source aiming at the first information as the access behavior of the traffic source, and executing S2;
s2: determining whether a marked session exists in prestored data, wherein the difference between a first time point corresponding to the latest information in the marked session and a second time point corresponding to the time when the traffic source initiates access is less than or equal to a preset time threshold, if so, executing S4, otherwise, executing S3;
s3: creating a session for the traffic source, marking the session;
s4: recording the access behavior in the session;
s5: deleting the mark of the session when no access behavior is received within the time threshold.
Preferably,
when the access behavior is judged to be abnormal, triggering an alarm event, including:
d1: determining whether a historical alarm record exists in a pre-created alarm queue, if so, executing D2, otherwise, executing D6;
d2: determining an abnormal time point corresponding to the abnormal access behavior;
d3: determining an enqueuing time point when a first historical alarm record in the alarm queue is added into the alarm queue;
d4: determining whether the time length between the abnormal time point and the enqueuing time point is greater than a preset alarm time length; if so, executing D5, otherwise, executing D7;
d5: deleting the historical alarm records in the alarm queue;
d6: triggering an alarm event;
d7: and generating a new alarm record corresponding to the access behavior, and adding the new alarm record serving as a historical alarm record into the alarm queue.
Preferably,
after the adding the new alarm record as a historical alarm record into the alarm queue, further comprising:
determining whether the number of the historical alarm records in the alarm queue is equal to a preset alarm number;
when the number of historical alarm records in the alarm queue is equal to the alarm number, D5 is executed.
Preferably,
the generating the current behavior chain of the traffic source according to the at least one behavior element comprises:
determining the number of occurrences of each of the behavioral elements;
generating a current behavior chain of the traffic source according to the time sequence and the occurrence frequency of each behavior element;
the judging whether the access behavior is abnormal according to the current behavior chain comprises the following steps:
when the behavior element comprises a web page, calculating a similarity value of the current behavior chain and an abnormal behavior chain for characterizing access anomalies according to the following formula:
[formula image not reproduced in this text]
where S represents the similarity value between the current behavior chain and the abnormal behavior chain, Q represents a first total number of requested web pages in the current behavior chain, W represents a second total number of requested web pages in the abnormal behavior chain, E represents a third total number of different web pages of the requested main directory in the current behavior chain, R represents a fourth total number of different web pages of the requested main directory in the abnormal behavior chain, T represents a fifth total number of different web pages of the requested directory tree in the current behavior chain, Y represents a sixth total number of different web pages of the requested directory tree in the abnormal behavior chain, a represents a first weight value corresponding to the requested web pages, b represents a second weight value corresponding to the different web pages of the requested main directory, and c represents a third weight value corresponding to the different web pages of the requested directory tree;
and executing the triggering alarm event when the similarity value is larger than a preset similarity threshold value.
In a second aspect, the present invention also provides a behavior-based traffic monitoring device, comprising:
a window creating module, configured to create a time window for a traffic source when it is monitored that the traffic source initiates access, wherein the time window can contain data of a preset duration;
the data processing module is used for writing the access behavior after the traffic source initiates the access into the time window created by the window creating module; determining at least one behavior element of the traffic source according to the access behavior in the time window, wherein each behavior element represents a behavior feature; generating a current behavior chain of the traffic source according to the at least one behavior element;
the alarm management module is used for judging whether the access behavior is abnormal or not according to the current behavior chain generated by the data processing module; and triggering an alarm event when the access behavior is judged to be abnormal.
Preferably,
the data processing module is used for executing the following operations:
a1: acquiring the access behavior of the traffic source after it initiates access, according to a preset acquisition period;
a2: determining whether the capacity remaining in the time window is smaller than a preset capacity threshold, wherein the capacity threshold is smaller than the data volume of the access behavior collected in one acquisition period; if so, executing A3, otherwise, executing A5;
a3: determining at least one behavioral element of the traffic source according to the access behavior in the time window;
a4: deleting historical data in a time length corresponding to one acquisition period in the time window, wherein the historical data is data with the longest storage time in the time window;
a5: writing the collected access behavior into the time window.
Preferably,
the behavior-based traffic monitoring device further comprises a session creation module;
the session creation module is used for executing the following operations:
s1: taking the first information sent by the traffic source and the second information returned to the traffic source aiming at the first information as the access behavior of the traffic source, and executing S2;
s2: determining whether a marked session exists in prestored data, wherein the difference between a first time point corresponding to the latest information in the marked session and a second time point corresponding to the time when the traffic source initiates access is less than or equal to a preset time threshold, if so, executing S4, otherwise, executing S3;
s3: creating a session for the traffic source, marking the session;
s4: recording the access behavior in the session;
s5: deleting the mark of the session when no access behavior is received within the time threshold.
Preferably,
the alarm management module is used for executing the following operations:
d1: determining whether a historical alarm record exists in a pre-created alarm queue, if so, executing D2, otherwise, executing D6;
d2: determining an abnormal time point corresponding to the abnormal access behavior;
d3: determining an enqueuing time point when a first historical alarm record in the alarm queue is added into the alarm queue;
d4: determining whether the time length between the abnormal time point and the enqueuing time point is greater than a preset alarm time length; if so, executing D5, otherwise, executing D7;
d5: deleting the historical alarm records in the alarm queue;
d6: triggering an alarm event;
d7: and generating a new alarm record corresponding to the access behavior, and adding the new alarm record serving as a historical alarm record into the alarm queue.
Preferably,
the data processing module is used for determining the occurrence frequency of each behavior element; generating a current behavior chain of the traffic source according to the time sequence and the occurrence frequency of each behavior element;
the alarm management module is used for calculating, when the behavior element comprises a web page, a similarity value between the current behavior chain and an abnormal behavior chain representing access anomalies according to the following formula, and executing the triggering of the alarm event when the similarity value is greater than a preset similarity threshold;
[formula image not reproduced in this text]
where S represents the similarity value between the current behavior chain and the abnormal behavior chain, Q represents a first total number of requested web pages in the current behavior chain, W represents a second total number of requested web pages in the abnormal behavior chain, E represents a third total number of different web pages of the requested main directory in the current behavior chain, R represents a fourth total number of different web pages of the requested main directory in the abnormal behavior chain, T represents a fifth total number of different web pages of the requested directory tree in the current behavior chain, Y represents a sixth total number of different web pages of the requested directory tree in the abnormal behavior chain, a represents a first weight value corresponding to the requested web pages, b represents a second weight value corresponding to the different web pages of the requested main directory, and c represents a third weight value corresponding to the different web pages of the requested directory tree.
In a third aspect, the present invention further provides an intelligent device, including: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor is configured to invoke the machine readable program to perform the behavior-based traffic monitoring method according to any of the first aspect.
In a fourth aspect, the present invention also provides a computer readable medium having stored thereon computer instructions, which, when executed by a processor, cause the processor to perform the method of behavior-based flow monitoring according to any one of the first aspect.
The invention provides a behavior-based traffic monitoring method and device. When a traffic source initiates access, it generates corresponding access behavior, which is written into the corresponding time window, so that the access behavior of the traffic source is recorded through the time window. Because the time window contains data of a preset duration, the behavior elements determined from the access behavior are the behavior features of the traffic source within that duration, and the current behavior chain generated from those behavior elements shows how the traffic source has behaved within that duration. Judging whether the traffic source is abnormal according to its behavior over a certain time therefore avoids both a missed alarm when the traffic source mounts a sustained attack that follows a normal-looking access pattern, and an alarm raised for an access anomaly caused by a single accidental trigger, so that an analyst can be helped to quickly determine whether the traffic source is abnormal.
Drawings
FIG. 1 is a flow diagram of a method for behavior-based traffic monitoring provided by one embodiment of the present invention;
FIG. 2 is a flow chart of a method for behavior-based traffic monitoring provided by another embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a behavior-based traffic monitoring device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
As shown in fig. 1, a method for monitoring traffic based on behavior according to an embodiment of the present invention includes:
step 101: when monitoring that a traffic source initiates access, creating a time window for the traffic source, wherein the time window can contain data of a preset duration;
step 102: writing the access behavior after the traffic source initiates the access into the time window;
step 103: determining at least one behavior element of the traffic source according to the access behavior in the time window, wherein each behavior element represents a behavior feature;
step 104: generating a current behavior chain of the traffic source according to the at least one behavior element;
step 105: judging whether the access behavior is abnormal or not according to the current behavior chain;
step 106: and triggering an alarm event when the access behavior is judged to be abnormal.
In the embodiment of the invention, after the traffic source initiates access, it generates corresponding access behavior, which is written into the corresponding time window, so that the access behavior of the traffic source is recorded through the time window. Because the time window contains data of a preset duration, the behavior elements determined from the access behavior are the behavior features of the traffic source within that duration, and the current behavior chain generated from those behavior elements shows how the traffic source has behaved within that duration. Judging whether the traffic source is abnormal according to its behavior over a certain time therefore avoids both a missed alarm when the traffic source mounts a sustained attack that follows a normal-looking access pattern, and an alarm raised for an access anomaly caused by a single accidental trigger, so that an analyst can be helped to quickly determine whether the traffic source is abnormal.
It should be noted that a behavior element represents information about a certain operation of the traffic source, such as "time q: log in to system x" or "time w: request xxx information from system e".
In an embodiment of the present invention, the writing the access behavior after the traffic source initiates the access into the time window, and determining at least one behavior element of the traffic source according to the access behavior in the time window includes:
a1: acquiring the access behavior of the traffic source after it initiates access, according to a preset acquisition period;
a2: determining whether the capacity remaining in the time window is smaller than a preset capacity threshold, wherein the capacity threshold is smaller than the data volume of the access behavior collected in one acquisition period; if so, executing A3, otherwise, executing A5;
a3: determining at least one behavioral element of the traffic source according to the access behavior in the time window;
a4: deleting historical data in a time length corresponding to one acquisition period in the time window, wherein the historical data is data with the longest storage time in the time window;
a5: writing the collected access behavior into the time window.
In the embodiment of the present invention, after the traffic source generates access behavior, the access behavior may be collected according to an acquisition period (e.g., 5 s, 3 min, or 10 min). At this time, if the data acquired in the acquisition period can be written into the time window, the acquired access behavior is written into the time window; if data with the duration of one acquisition period cannot be written into the time window, the behavior elements are first determined from the access behavior in the time window, and the data with the longest storage time is then deleted from the time window, so that the access behavior acquired in one acquisition period can be written into the time window after the deletion. The behavior of the traffic source within the preset duration can thus be monitored through the time window to judge whether the traffic source is launching an attack.
For example, a time window may hold data with a duration of 60 min.
After the access behavior of the traffic source is acquired in an acquisition period with a length of 5 min, if data with a total length of 58 min is already stored in the time window, the access information of this acquisition period cannot be recorded. The data with the longest storage time must therefore be deleted from the time window, and the deleted data must cover a time length of 5 min, to ensure that the access behavior of one acquisition period can be stored in the time window after the deletion.
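The following is an added worked implementation of steps A1 to A5 and of the 60 min / 5 min example above; it is illustrative code written for this page, not code from the patent. It assumes that window capacity is measured in minutes of stored data, that every acquisition period yields one batch covering exactly one period, and that the capacity threshold of step A2 equals one acquisition period (so the window evicts its oldest period exactly when a new one no longer fits, as in the 58 min example). The access records are constructed sample data.

```python
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

# One raw access record: (minute offset, action, target system, outcome). Constructed sample format.
Record = Tuple[int, str, str, str]


@dataclass
class AccessBatch:
    """Access behavior of one traffic source collected during one acquisition period (step A1)."""
    start_min: int
    records: List[Record]


@dataclass
class TimeWindow:
    """Holds at most duration_min minutes of access behavior for one traffic source (step 101)."""
    duration_min: int                             # preset duration the window can contain, e.g. 60
    period_min: int                               # acquisition period, e.g. 5
    capacity_threshold_min: Optional[int] = None  # A2 threshold; assumed equal to one period
    batches: Deque[AccessBatch] = field(default_factory=deque)
    snapshots: List[Counter] = field(default_factory=list)  # behavior elements produced by A3

    def __post_init__(self) -> None:
        if self.capacity_threshold_min is None:
            self.capacity_threshold_min = self.period_min

    def stored_min(self) -> int:
        return len(self.batches) * self.period_min

    def remaining_min(self) -> int:
        return self.duration_min - self.stored_min()

    def behavior_elements(self) -> Counter:
        """A3: each distinct (action, system, outcome) in the window is one behavior element,
        counted by how often it occurred."""
        counts: Counter = Counter()
        for batch in self.batches:
            for _, action, system, outcome in batch.records:
                counts[(action, system, outcome)] += 1
        return counts

    def ingest(self, batch: AccessBatch) -> None:
        """Steps A2 to A5 for the batch collected in one acquisition period."""
        if self.remaining_min() < self.capacity_threshold_min:   # A2: this period will not fit
            self.snapshots.append(self.behavior_elements())      # A3: extract elements first
            self.batches.popleft()                               # A4: drop the oldest period
        self.batches.append(batch)                               # A5: write the new period


def make_batch(start_min: int) -> AccessBatch:
    """Constructed sample: one failed login to system a and one page request per period."""
    return AccessBatch(start_min, [
        (start_min, "login", "system_a", "fail"),
        (start_min + 1, "request", "system_b", "ok"),
    ])


def run_demo(n_periods: int, duration_min: int = 60, period_min: int = 5) -> TimeWindow:
    """Feed n_periods consecutive acquisition periods into a fresh window and return it."""
    window = TimeWindow(duration_min, period_min)
    for i in range(n_periods):
        window.ingest(make_batch(i * period_min))
    return window


if __name__ == "__main__":
    w = run_demo(13)
    print("stored minutes:", w.stored_min(), "oldest period starts at minute", w.batches[0].start_min)
    print("elements extracted before eviction:", dict(w.snapshots[0]))
```

With a 60 min window and 5 min periods, the twelfth batch fills the window exactly; the thirteenth triggers A3 (twelve failed logins are counted as one behavior element with 12 occurrences), A4 evicts the period starting at minute 0, and A5 writes the new batch, so the window still holds exactly 60 min of data.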
In an embodiment of the present invention, after the monitoring that the traffic source initiates the access, before the writing the access behavior after the traffic source initiates the access into the time window, further includes:
s1: taking the first information sent by the traffic source and the second information returned to the traffic source aiming at the first information as the access behavior of the traffic source, and executing S2;
s2: determining whether a marked session exists in prestored data, wherein the difference between a first time point corresponding to the latest information in the marked session and a second time point corresponding to the time when the traffic source initiates access is less than or equal to a preset time threshold, if so, executing S4, otherwise, executing S3;
s3: creating a session for the traffic source, marking the session;
s4: recording the access behavior in the session;
s5: deleting the mark of the session when no access behavior is received within the time threshold.
In the embodiment of the present invention, after the traffic source sends the first information, there may or may not be second information returned to the traffic source in response to the first information; therefore, the access behavior of the traffic source consists of the first information alone, or of the first information together with the second information. After the traffic source initiates access, it may first be determined whether a session for the traffic source already exists within the preset time threshold and has not yet ended. If so, all interaction data of the traffic source is recorded in that session to form an access record for the traffic source. If the traffic source performs no operation within the time threshold, the session is closed and its mark is deleted to indicate that the session has ended, so that when the traffic source accesses again, a session is re-created and marked. All behavior of the traffic source within a certain time can thus be recorded through the session, avoiding the data disorder that would result from storing the behavior of the traffic source as multiple separate records.
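The session logic of steps S1 to S5, as an added example written for this page rather than code from the patent. It assumes a traffic source is identified by a string (an IP address in the constructed sample), that the time threshold is in seconds, and that the S5 expiry check is evaluated whenever a new access arrives; the request and response strings are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One access behavior: (time in seconds, first information sent by the source,
# second information returned for it, or None when nothing came back). Constructed format.
Behavior = Tuple[float, str, Optional[str]]


@dataclass
class Session:
    source: str
    marked: bool = True          # a marked session is still open (S3); S5 removes the mark
    last_time: float = 0.0       # time point of the latest information in the session
    behaviors: List[Behavior] = field(default_factory=list)


class SessionTable:
    """Prestored session data for all traffic sources, keyed by source identifier."""

    def __init__(self, time_threshold_s: float) -> None:
        self.time_threshold_s = time_threshold_s
        self.sessions: Dict[str, List[Session]] = {}

    def expire(self, now: float) -> List[Session]:
        """S5: remove the mark from every session that received nothing within the threshold."""
        closed: List[Session] = []
        for source_sessions in self.sessions.values():
            for s in source_sessions:
                if s.marked and now - s.last_time > self.time_threshold_s:
                    s.marked = False
                    closed.append(s)
        return closed

    def record(self, source: str, now: float, first_info: str,
               second_info: Optional[str] = None) -> Session:
        """S1 to S4 for one access by `source` at time `now`; returns the session used."""
        self.expire(now)                                        # S5, evaluated on each new access
        behavior: Behavior = (now, first_info, second_info)     # S1
        for s in self.sessions.get(source, []):                 # S2: a marked, still-fresh session?
            if s.marked and now - s.last_time <= self.time_threshold_s:
                s.behaviors.append(behavior)                    # S4
                s.last_time = now
                return s
        s = Session(source, marked=True, last_time=now, behaviors=[behavior])   # S3
        self.sessions.setdefault(source, []).append(s)
        return s


def run_demo() -> SessionTable:
    """Constructed traffic: two requests two minutes apart, then one request 13 minutes later."""
    table = SessionTable(time_threshold_s=300)
    table.record("10.0.0.5", 0, "GET /login", "200")
    table.record("10.0.0.5", 120, "POST /login", "401")
    table.record("10.0.0.5", 900, "GET /admin")   # 780 s of silence: old session unmarked, new one created
    return table


if __name__ == "__main__":
    for s in run_demo().sessions["10.0.0.5"]:
        print("marked" if s.marked else "closed", len(s.behaviors), "behaviors")
```

The third request arrives more than the 300 s threshold after the session's latest information, so S5 removes the mark from the first session and S3 creates a second one; the first two requests stay together in one session record.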
In an embodiment of the present invention, the triggering an alarm event when it is determined that the access behavior is abnormal includes:
d1: determining whether a historical alarm record exists in a pre-created alarm queue, if so, executing D2, otherwise, executing D6;
d2: determining an abnormal time point corresponding to the abnormal access behavior;
d3: determining an enqueuing time point when a first historical alarm record in the alarm queue is added into the alarm queue;
d4: determining whether the time length between the abnormal time point and the enqueuing time point is greater than a preset alarm time length; if so, executing D5, otherwise, executing D7;
d5: deleting the historical alarm records in the alarm queue;
d6: triggering an alarm event;
d7: and generating a new alarm record corresponding to the access behavior, and adding the new alarm record serving as a historical alarm record into the alarm queue.
In the embodiment of the invention, when the access behavior of the traffic source is found to be abnormal and historical alarm records already exist in the alarm queue, this indicates that the traffic source is not abnormal for the first time. In order to reduce the number of alarms, the time length between the abnormal time point corresponding to the abnormal access behavior and the enqueuing time point of the first historical alarm record in the alarm queue is determined, and it is judged whether this time length reaches the preset alarm time length. If so, the preset alarm period has been reached: the alarm queue is emptied first, an alarm event is then triggered, and the corresponding new alarm record is added to the alarm queue, so that at this moment the alarm queue contains only the alarm record generated for this access behavior; when an access anomaly of the traffic source occurs again, whether to trigger an alarm event is judged based on the historical alarm records in the alarm queue. If the abnormal behavior of the traffic source at this moment does not meet the condition for triggering an alarm event, the new alarm record corresponding to this behavior is added to the alarm queue, so that the behavior of the traffic source is recorded through the alarm queue.
In an embodiment of the present invention, after adding the newly added alarm record as a historical alarm record into the alarm queue, the method further includes:
determining whether the number of the historical alarm records in the alarm queue is equal to a preset alarm number;
when the number of historical alarm records in the alarm queue is equal to the alarm number, D5 is executed.
In the embodiment of the invention, when the current access behavior of the traffic source does not meet the condition for triggering an alarm event, the number of historical alarm records of abnormal access behavior by the traffic source also needs to be checked, so that an alarm event is triggered once the historical alarm records of the traffic source reach the preset alarm number; the damage caused by multiple attacks initiated by the traffic source within a short time is thereby reduced as far as possible.
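The alarm queue of steps D1 to D7 together with the preset-alarm-number rule above, as an added example written for this page and not code from the patent. It assumes that a record's enqueuing time point is the abnormal time point of the behavior it records, that the first-ever anomaly of a source goes straight from D1 to D6 and then D7, and that when the alarm number is reached the flow continues from D5 through D6 to D7 exactly as in the time-length branch, so the queue afterwards holds only the record for the triggering behavior; the sequence of anomaly times is constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple


@dataclass
class AlarmRecord:
    enqueue_time: float   # time point at which the record entered the alarm queue (D3)
    behavior: str


@dataclass
class AlarmManager:
    """Alarm queue logic of steps D1 to D7 plus the preset-alarm-number rule, for one traffic source."""
    alarm_duration_s: float    # preset alarm time length used in D4
    alarm_count: int           # preset alarm number
    queue: Deque[AlarmRecord] = field(default_factory=deque)          # historical alarm records
    events: List[Tuple[float, str]] = field(default_factory=list)     # triggered alarm events

    def _trigger_and_record(self, t: float, behavior: str) -> None:
        # D6 then D7: raise the alarm event, then enqueue the record for this behavior.
        # Assumption: a record enters the queue at the abnormal time point of its behavior.
        self.events.append((t, behavior))
        self.queue.append(AlarmRecord(t, behavior))

    def on_abnormal(self, abnormal_time: float, behavior: str) -> bool:
        """Handle one abnormal access behavior; return True when an alarm event was triggered."""
        if not self.queue:                                          # D1: no history, go to D6
            self._trigger_and_record(abnormal_time, behavior)
            return True
        first_enqueue = self.queue[0].enqueue_time                  # D2, D3
        if abnormal_time - first_enqueue > self.alarm_duration_s:   # D4: alarm period elapsed
            self.queue.clear()                                      # D5
            self._trigger_and_record(abnormal_time, behavior)       # D6, D7
            return True
        self.queue.append(AlarmRecord(abnormal_time, behavior))     # D7 without an alarm
        if len(self.queue) == self.alarm_count:                     # preset alarm number reached
            self.queue.clear()                                      # D5 (assumed to continue to D6, D7)
            self._trigger_and_record(abnormal_time, behavior)
            return True
        return False


def run_demo() -> Tuple[AlarmManager, List[bool]]:
    """Constructed sequence: five anomalies from one source, alarm period 600 s, alarm number 3."""
    manager = AlarmManager(alarm_duration_s=600, alarm_count=3)
    times = [0, 100, 200, 300, 1000]
    results = [manager.on_abnormal(t, "login failure burst") for t in times]
    return manager, results


if __name__ == "__main__":
    m, r = run_demo()
    print("alarm triggered per anomaly:", r)
    print("events:", m.events, "queue now holds", [rec.enqueue_time for rec in m.queue])
```

Of the five anomalies, only three raise alarms: the first because the queue is empty, the third because the queue reaches the alarm number of 3, and the fifth because it arrives more than 600 s after the first record then in the queue. The second and fourth are only recorded, which is the suppression the page describes.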
In an embodiment of the present invention, the generating the current behavior chain of the traffic source according to the at least one behavior element includes:
determining the number of occurrences of each of the behavioral elements;
generating a current behavior chain of the traffic source according to the time sequence and the occurrence frequency of each behavior element;
the judging whether the access behavior is abnormal according to the current behavior chain comprises the following steps:
when the behavior element comprises a web page, calculating a similarity value of the current behavior chain and an abnormal behavior chain for characterizing access anomalies according to the following formula:
[formula image not reproduced in this text]
where S represents the similarity value between the current behavior chain and the abnormal behavior chain, Q represents a first total number of requested web pages in the current behavior chain, W represents a second total number of requested web pages in the abnormal behavior chain, E represents a third total number of different web pages of the requested main directory in the current behavior chain, R represents a fourth total number of different web pages of the requested main directory in the abnormal behavior chain, T represents a fifth total number of different web pages of the requested directory tree in the current behavior chain, Y represents a sixth total number of different web pages of the requested directory tree in the abnormal behavior chain, a represents a first weight value corresponding to the requested web pages, b represents a second weight value corresponding to the different web pages of the requested main directory, and c represents a third weight value corresponding to the different web pages of the requested directory tree;
and executing the triggering alarm event when the similarity value is larger than a preset similarity threshold value.
In the embodiment of the present invention, the behavior elements extracted from the access behavior may appear once or several times within a period of time, and in order to make the behavior of the traffic source clear, the current behavior chain may be generated according to the number of times each behavior element appears and their time sequence. If the behavior elements of the traffic source include access to web pages, the similarity between the current behavior chain and a preset abnormal behavior chain can be determined based on the number of web pages requested by the traffic source, the number of different web pages of the requested main directory and the number of different web pages of the requested directory tree, so as to determine whether the access behavior of the traffic source is abnormal.
For example, the behavioral elements of the traffic source are as follows:
7:00 failed to log in to system a; 7:03 failed to log in to system b; 7:05 failed to log in to system a; 7:09 failed to log in to system a; 7:12 failed to log in to system b.
The current behavior chain may be generated according to the number of occurrences of the behavior elements and the chronological order as:
7:00 failed to log in to system a; 7:05 failed to log in to system a; 7:09 failed to log in to system a;
7:03 failed to log in to system b; 7:12 failed to log in to system b.
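As an added illustration (this code is not part of the patent text), the following Python builds the current behavior chain from the login example above by grouping the behavior elements and keeping each group in time order, and counts the occurrences of each element. It also computes the Q, E and T counts used by the similarity formula from a constructed list of requested web pages; the formula itself is only available as an image and is not reproduced here, and the reading of "main directory" as the first path component and "directory tree" as the full directory part of the path is an assumption, not a definition taken from the page.

```python
from collections import Counter, OrderedDict
from typing import Dict, List, Tuple

# Constructed sample: the five behavior elements of the login example above,
# as (time, element) pairs. The 7:xx times are assumed to fall on one day.
SAMPLE_ELEMENTS: List[Tuple[str, str]] = [
    ("07:00", "login failed: system a"),
    ("07:03", "login failed: system b"),
    ("07:05", "login failed: system a"),
    ("07:09", "login failed: system a"),
    ("07:12", "login failed: system b"),
]

# Constructed sample of requested web pages for the Q/E/T statistics.
SAMPLE_PAGES: List[str] = [
    "/admin/index.html",
    "/admin/users/list.html",
    "/admin/users/edit.html",
    "/shop/cart.html",
    "/shop/cart.html",
    "/admin/index.html",
]


def count_occurrences(elements: List[Tuple[str, str]]) -> Dict[str, int]:
    """Number of occurrences of each distinct behavior element."""
    return dict(Counter(element for _, element in elements))


def build_behavior_chain(elements: List[Tuple[str, str]]) -> "OrderedDict[str, List[str]]":
    """Current behavior chain: events grouped by behavior element.

    Elements are ordered by their first occurrence and the events of each
    element are kept in time order, which reproduces the chain shown above
    (all 'system a' failures first, then the 'system b' failures).
    """
    chain: "OrderedDict[str, List[str]]" = OrderedDict()
    for time, element in sorted(elements):  # zero-padded HH:MM sorts lexically
        chain.setdefault(element, []).append(time)
    return chain


def _split_path(page: str) -> Tuple[str, str]:
    """Return (main directory, directory tree) of a requested page path.

    Assumed interpretation (not defined on the page): the main directory is
    the first path component and the directory tree is the full directory
    part of the path; a page at the root has an empty main directory.
    """
    parts = [p for p in page.split("/") if p]
    dirs = parts[:-1]
    main_dir = dirs[0] if dirs else ""
    return main_dir, "/".join(dirs)


def page_statistics(pages: List[str]) -> Dict[str, int]:
    """Q, E and T of a behavior chain whose elements are requested web pages.

    Q: total number of requested pages.
    E: number of different main directories requested (each main directory
       corresponds to one web page, as the description states).
    T: number of different directory trees requested.
    W, R and Y are the same three counts computed over the abnormal chain.
    """
    main_dirs = {_split_path(p)[0] for p in pages}
    trees = {_split_path(p)[1] for p in pages}
    return {"Q": len(pages), "E": len(main_dirs), "T": len(trees)}
```

For the constructed pages, Q is 6 (every request counts), E is 2 (admin and shop) and T is 3 (admin, admin/users and shop); the same three counts taken over the stored abnormal behavior chain give W, R and Y.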
It will be appreciated that at least one directory tree may be built under each main directory.
The scheme involves at least one main directory, where each main directory corresponds to a web page.
As shown in fig. 2, in order to illustrate the technical solution and advantages of the present invention more clearly, the behavior-based traffic monitoring method provided by an embodiment of the present invention is described in detail below, and specifically includes the following steps:
Step 201: when it is monitored that a traffic source initiates access, a time window is created for the traffic source, where the time window can contain data of a preset duration.
Step 202: the first information sent by the traffic source and the second information returned to the traffic source in response to the first information are taken as the access behavior of the traffic source, and step 203 is executed.
Specifically, when the traffic source initiates access, the first information sent by the traffic source may be used as the access behavior of the traffic source, the second information returned to the traffic source in response to the first information may also be used as the access behavior of the traffic source, and the first information and the second information may be combined and used together as the access behavior of the traffic source.
In order to make the behavior of each traffic source clearer, after a traffic source initiates access, a time window dedicated to that traffic source needs to be created. The time window can hold data of a certain duration; for example, if the time window holds 3 hours of data and data from 8:00 a.m. is stored in it, the window can hold at most the data from 8:00 to 11:00.
Step 203: it is determined whether there is a marked session for the traffic source and if so, step 205 is performed, otherwise, step 204 is performed.
The difference between a first time point corresponding to the latest information in the marked session and a second time point corresponding to the time when the traffic source initiates access is smaller than or equal to a preset time threshold.
Specifically, if the traffic source has initiated access shortly before the current access, a session for the traffic source already exists and is in the marked state, which indicates that the session has not been completed. If the traffic source initiates access for the first time, or a long time has passed since its last access, no incomplete session exists, and therefore, in order to record the behavior of the traffic source, a session for the traffic source needs to be created anew.
Step 204: a session for the traffic source is created, the session is marked, and step 205 is performed.
Specifically, after the session is created, in order to facilitate management of access behavior generated by the traffic source within a certain time, the session may be marked to represent that the session is in an incomplete state, and data may still be written into the session.
Step 205: the access behavior is recorded in the session.
Step 206: when no access behavior is received within the time threshold, the mark of the session is deleted.
Specifically, in order to make the behavior of the traffic source within a period of time clear, for each created session, if the time interval between the time point corresponding to the last data written into the session and the current time point is greater than the time threshold, this indicates that the traffic source has had no activity for a long time, and therefore the mark of the session may be deleted to indicate that the session is finished.
Step 207: the access behavior is acquired according to a preset acquisition period.
Specifically, in order to clarify which operations are performed by the traffic source, the access behavior in the session currently not completed by the traffic source may be collected according to a preset collection period of 5min, 10min, or 1 h.
Step 208: it is determined whether the remaining capacity in the time window is less than a preset capacity threshold, if so, step 209 is performed, otherwise, step 211 is performed.
Wherein the capacity threshold is smaller than the data volume of the access behavior collected in the collection period.
Step 209: at least one behavioral element of the traffic source is determined from the access behavior in the time window.
Step 210: and deleting historical data in a time length corresponding to one acquisition period in the time window, wherein the historical data is the data with the longest storage time in the time window.
Step 211: writing the collected access behaviors into a time window, wherein each behavior element represents a behavior feature.
Specifically, after the access behavior of the traffic source is collected, it is necessary to first determine whether data collected in the collection period can be written in a time window for the traffic source, and if the remaining capacity in the time window is not enough to write the data in the collection period, it is necessary to first determine a behavior element that is used for characterizing the access characteristics of the traffic source and is determined based on the access behavior in the time window, and then delete the historical data of one collection period in the time window, and the deleted data is stored in the time window for the longest time. For example, data with a duration of only 5min can be stored in the time window, and the time length of the data acquired in one acquisition cycle is 30min, the data with a time interval of 30min needs to be deleted from the time window, and the storage time of the deleted data in the time window is longer than that of the data which is not deleted from the time window. And if the data acquired in the acquisition period can be written into the time window, writing the acquired access behavior into the time window.
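The session handling of steps 202 to 206 (operations S1 to S5 of the session creation module) and the time-window management of steps 207 to 211 (operations A1 to A5 of the data processing module), as an added Python example that is not part of the patent. It assumes that the window capacity and the capacity threshold are measured in seconds of stored data, matching the duration-based description above, and that timestamps are non-negative integers; the feature labels and times used below are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Behavior:
    """One access behavior (first information from the source plus the second
    information returned to it), reduced to a timestamp in seconds and a
    feature label. Both are constructed values for this example."""
    ts: int
    feature: str


@dataclass
class Session:
    """Session of one traffic source; marked == True means still incomplete."""
    marked: bool = True
    behaviors: List[Behavior] = field(default_factory=list)

    def last_ts(self) -> Optional[int]:
        return self.behaviors[-1].ts if self.behaviors else None


class TimeWindow:
    """Holds at most `duration` seconds of data for one source (step 201).
    Capacity is measured in seconds of data, like the 3-hour example above."""

    def __init__(self, duration: int):
        self.duration = duration
        self.data: List[Behavior] = []

    def remaining_capacity(self) -> int:
        if not self.data:
            return self.duration
        return max(self.duration - (self.data[-1].ts - self.data[0].ts), 0)

    def behavior_elements(self) -> List[str]:
        """A3 / step 209: distinct features in the window, by first occurrence."""
        elements: List[str] = []
        for b in self.data:
            if b.feature not in elements:
                elements.append(b.feature)
        return elements

    def delete_oldest_period(self, period: int) -> int:
        """A4 / step 210: drop the oldest `period` seconds of data."""
        if not self.data:
            return 0
        cutoff = self.data[0].ts + period
        kept = [b for b in self.data if b.ts >= cutoff]
        removed = len(self.data) - len(kept)
        self.data = kept
        return removed

    def write(self, batch: List[Behavior]) -> None:
        """A5 / step 211: append the behaviors collected in this period."""
        self.data.extend(batch)


class SourceMonitor:
    """Session handling (S1-S5) and window management (A1-A5) for one source."""

    def __init__(self, window_s: int, period_s: int,
                 capacity_threshold_s: int, session_threshold_s: int):
        if capacity_threshold_s >= period_s:  # precondition stated at step 208
            raise ValueError("capacity threshold must be below one collection period")
        self.window = TimeWindow(window_s)
        self.period = period_s
        self.capacity_threshold = capacity_threshold_s
        self.session_threshold = session_threshold_s
        self.session: Optional[Session] = None
        self.collected_upto = -1  # timestamps are assumed to be >= 0

    def on_access(self, ts: int, feature: str) -> bool:
        """Steps 202-205 / S1-S4. Returns True when a new session was created."""
        s = self.session
        stale = s is not None and s.last_ts() is not None \
            and ts - s.last_ts() > self.session_threshold
        created = False
        if s is None or not s.marked or stale:   # S2 failed -> S3
            s = self.session = Session()
            created = True
        s.behaviors.append(Behavior(ts, feature))  # S4
        return created

    def expire_session(self, now: int) -> bool:
        """Step 206 / S5: remove the mark when the source has been idle too long."""
        s = self.session
        if s is not None and s.marked and s.last_ts() is not None \
                and now - s.last_ts() > self.session_threshold:
            s.marked = False
            return True
        return False

    def collect(self, now: int) -> Tuple[List[str], int]:
        """Steps 207-211 / A1-A5: one collection cycle ending at `now`.
        Returns the behavior elements determined before eviction (empty when
        the window still had room) and the number of evicted records."""
        s = self.session
        batch = [b for b in s.behaviors if self.collected_upto < b.ts <= now] \
            if s is not None and s.marked else []
        self.collected_upto = now
        elements: List[str] = []
        evicted = 0
        if self.window.remaining_capacity() < self.capacity_threshold:  # A2
            elements = self.window.behavior_elements()                   # A3
            evicted = self.window.delete_oldest_period(self.period)      # A4
        self.window.write(batch)                                         # A5
        return elements, evicted
```

With a one-hour window, a ten-minute collection period and a five-minute capacity threshold, the window fills after about an hour of activity; the next collection then first extracts the behavior elements from the whole window and only afterwards discards the oldest ten minutes, so no feature seen in the evicted data is lost from the chain.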
Step 212: and generating a current behavior chain of the traffic source according to the time sequence and the occurrence times of each behavior element.
Step 213: and calculating a similarity value of the current behavior chain and an abnormal behavior chain for representing the access abnormity, and judging the access behavior abnormity when the similarity value is greater than a preset similarity threshold value.
Specifically, for the current access of the traffic source, a corresponding current behavior chain composed of at least one behavior element exists, and whether the traffic source is abnormal in access can be determined by comparing the current behavior chain with an abnormal behavior chain corresponding to the abnormal access.
Step 214: it is determined whether there are historical alarm records in the alarm queue and if so, step 215 is performed, otherwise, step 219 is performed.
Specifically, after determining that the access of the traffic source is abnormal, it is also necessary to determine whether to trigger an alarm event immediately or trigger the alarm event after a period of time.
Step 215: and determining an abnormal time point corresponding to the abnormal access behavior.
Step 216: and determining the enqueue time point when the first historical alarm record in the alarm queue is added into the alarm queue.
Step 217: it is determined whether the time period between the exception time point and the enqueue time point is greater than a preset alarm time period, if so, step 218 is performed, otherwise, step 220 is performed.
Step 218: and deleting the historical alarm records in the alarm queue.
Step 219: triggering an alarm event.
Step 220: and generating a newly added alarm record corresponding to the access behavior, and adding the newly added alarm record into an alarm queue as a historical alarm record.
Specifically, the condition for triggering the alarm event includes whether a history alarm record already exists in an alarm queue for the traffic source, if the history alarm record exists, determining an enqueue time point at which a first history alarm record in the alarm queue is added to the alarm queue, that is, the first history alarm record with the longest time is added to the alarm queue, then obtaining a time length between the enqueue time point and an abnormal time point corresponding to the time point when the access behavior of the traffic source is determined to be abnormal, and if the time length is greater than the alarm time length, representing that an alarm period has been reached, so that the alarm event can be triggered to remind an analyst that the traffic source is abnormal, and meanwhile, clearing data in the alarm queue to complete the alarm of one alarm period. If the calculated time length is less than or equal to the alarm time length, the representation does not reach an alarm period, the abnormal behavior of the flow source may be caused by misoperation of a user, and if an alarm event is triggered immediately, the alarm quantity is increased, so that excessive useless data is increased, and the difficulty is increased for an analyst to determine the abnormal flow source. Therefore, a new alarm record can be generated for the current behavior of the traffic source, and then the new alarm record is added into the alarm queue to record the current behavior of the traffic source.
Specifically, in order to reduce the loss caused by the continuous attack of the traffic source, when the number of the historical alarm records in the alarm queue reaches a certain number, it is determined whether the number of the historical alarm records in the alarm queue is equal to the preset alarm number. When the number of the historical alarm records in the alarm queue is equal to the alarm number, it is characterized that the traffic source continues to attack for a certain time, and step 218 is executed, so that an alarm event can be triggered to take corresponding measures for the traffic source.
In conclusion, the scheme can maintain the analysis based on the conversation and reduce the false alarm generated by simple rule matching; the number of alarm events may be reduced based on the alarm frequency; behavior proceeding steps can be recorded, and only an abnormal behavior chain is met, an alarm is given; and a single flow source can be used as a unit to detect various behaviors, so that omission caused by single protocol analysis is avoided. The analyst can more directly discover the network threat and respond in time.
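The alarm-queue logic of steps 214 to 220 (operations D1 to D7 of the alarm management module) together with the alarm-number check described above, as an added Python example that is not part of the patent. The flow as written only reaches D7 when the queue is already non-empty, so the example assumes that a triggered alarm is itself placed in the queue as the first historical record; that assumption, the alarm time length of 600 seconds and the alarm number of 3 used below are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Tuple


@dataclass
class AlarmRecord:
    enqueue_ts: int   # time the record was added to the queue (seconds)
    reason: str


class AlarmManager:
    """Alarm queue of one traffic source: D1-D7 plus the alarm-number rule."""

    def __init__(self, alarm_period_s: int, alarm_count: int):
        self.alarm_period = alarm_period_s   # preset alarm time length
        self.alarm_count = alarm_count       # preset alarm number
        self.queue: Deque[AlarmRecord] = deque()
        self.events: List[Tuple[int, str]] = []   # triggered alarm events

    def _trigger(self, ts: int, detail: str) -> None:
        """D6 / step 219. Assumption (not stated on the page): the triggered
        alarm is itself enqueued as the first historical record, so that the
        next abnormal behavior inside the alarm period is throttled instead
        of alarming again immediately."""
        self.events.append((ts, detail))
        self.queue.append(AlarmRecord(ts, detail))

    def on_abnormal(self, abnormal_ts: int, reason: str) -> bool:
        """Handle one access behavior judged abnormal at `abnormal_ts` (D2).
        Returns True when an alarm event was triggered."""
        if not self.queue:                                      # D1 -> D6
            self._trigger(abnormal_ts, f"{reason} (first occurrence)")
            return True
        first_enqueue = self.queue[0].enqueue_ts                # D3
        if abnormal_ts - first_enqueue > self.alarm_period:     # D4 -> D5 -> D6
            self.queue.clear()
            self._trigger(abnormal_ts, f"{reason} (alarm period reached)")
            return True
        self.queue.append(AlarmRecord(abnormal_ts, reason))     # D7
        if len(self.queue) == self.alarm_count:                 # alarm-number rule
            self.queue.clear()                                  # D5
            self._trigger(abnormal_ts, f"{reason} ({self.alarm_count} records queued)")
            return True
        return False

    def pending_records(self) -> int:
        """Number of historical alarm records currently in the queue."""
        return len(self.queue)
```

With these parameters a source judged abnormal at 0, 100 and 200 seconds produces two alarm events (the first occurrence, then the alarm-number rule at the third record), a fourth anomaly at 500 seconds is only recorded, and one at 900 seconds alarms again because more than 600 seconds have passed since the oldest queued record.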
As shown in fig. 3, the present invention also provides a behavior-based traffic monitoring device, comprising:
a window creating module 301, configured to create a time window for a traffic source when it is monitored that the traffic source initiates access, where the time window can contain data of a preset duration;
a data processing module 302, configured to write an access behavior after the traffic source initiates an access into the time window created by the window creating module; determining at least one behavior element of the traffic source according to the access behavior in the time window, wherein each behavior element represents a behavior feature; generating a current behavior chain of the traffic source according to the at least one behavior element;
the alarm management module 303 is configured to determine whether the access behavior is abnormal according to the current behavior chain generated by the data processing module; and triggering an alarm event when the access behavior is judged to be abnormal.
In the embodiment of the invention, after the traffic source initiates access, the traffic source generates corresponding access behaviors, the access behaviors of the traffic source are written into the corresponding time window, and the access behaviors of the traffic source can be recorded through the time window; the time window can contain data of preset duration, so that the behavior elements determined from the access behaviors are behavior characteristics of the traffic source in the preset duration, and behavior expression of the traffic source in the preset duration can be seen based on a current behavior chain generated by the behavior elements; therefore, whether the traffic source is abnormal or not is judged according to the behavior of the traffic source within a certain time, missing alarm caused by continuous attack of the traffic source based on a normal access mode can be avoided, alarm caused by access abnormality due to one false triggering of the traffic source can be avoided, and therefore an analyst can be helped to quickly determine whether the traffic source is abnormal or not.
In an embodiment of the present invention, the data processing module is configured to perform the following operations:
a1: acquiring the access behavior of the traffic source after it initiates access according to a preset acquisition period;
a2: determining whether the capacity remained in the time window is smaller than a preset capacity threshold, wherein the capacity threshold is smaller than the data volume of the access behaviors collected in the collection period, if so, executing A3, otherwise, executing A5;
a3: determining at least one behavioral element of the traffic source according to the access behavior in the time window;
a4: deleting historical data in a time length corresponding to one acquisition period in the time window, wherein the historical data is data with the longest storage time in the time window;
a5: writing the collected access behavior into the time window.
In an embodiment of the present invention, the behavior-based traffic monitoring apparatus further includes a session creation module;
the session creation module is used for executing the following operations:
s1: taking the first information sent by the traffic source and the second information returned to the traffic source in response to the first information as the access behavior of the traffic source, and executing S2;
s2: determining whether a marked session exists in prestored data, wherein the difference between a first time point corresponding to the latest information in the marked session and a second time point corresponding to the time when the traffic source initiates access is less than or equal to a preset time threshold, if so, executing S4, otherwise, executing S3;
s3: creating a session for the traffic source, marking the session;
s4: recording the access behavior in the session;
s5: deleting the mark of the session when no access behavior is received within the time threshold.
In an embodiment of the present invention, the alarm management module is configured to perform the following operations:
d1: determining whether a historical alarm record exists in a pre-created alarm queue, if so, executing D2, otherwise, executing D6;
d2: determining an abnormal time point corresponding to the abnormal access behavior;
d3: determining an enqueuing time point when a first historical alarm record in the alarm queue is added into the alarm queue;
d4: determining whether the time length between the abnormal time point and the enqueuing time point is greater than a preset alarm time length, if so, executing D5, otherwise, executing D7;
d5: deleting the historical alarm records in the alarm queue;
d6: triggering an alarm event;
d7: and generating a new alarm record corresponding to the access behavior, and adding the new alarm record serving as a historical alarm record into the alarm queue.
In an embodiment of the present invention, the data processing module is configured to determine the number of occurrences of each behavior element; generating a current behavior chain of the traffic source according to the time sequence and the occurrence frequency of each behavior element;
the alarm management module is used for calculating, when the behavior element comprises a web page, a similarity value between the current behavior chain and an abnormal behavior chain representing an access anomaly according to the following formula, and for executing the triggering of the alarm event when the similarity value is greater than a preset similarity threshold;
[Formula image not reproduced on this page: the similarity value S is computed from Q, W, E, R, T, Y and the weights a, b, c defined below]
wherein S represents the similarity value between the current behavior chain and the abnormal behavior chain, Q represents a first total number of requested web pages in the current behavior chain, W represents a second total number of requested web pages in the abnormal behavior chain, E represents a third total number of different web pages of the requested main directory in the current behavior chain, R represents a fourth total number of different web pages of the requested main directory in the abnormal behavior chain, T represents a fifth total number of different web pages of the requested directory tree in the current behavior chain, Y represents a sixth total number of different web pages of the requested directory tree in the abnormal behavior chain, a represents a first weight value corresponding to the requested web pages, b represents a second weight value corresponding to the different web pages of the requested main directory, and c represents a third weight value of the different web pages of the requested directory.
It is to be understood that the illustrated configuration of the embodiments of the present invention does not constitute a specific limitation on the behavior-based traffic monitoring device. In other embodiments of the invention, the behavior-based traffic monitoring device may include more or fewer components than shown, or combine certain components, or split certain components, or use a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
An embodiment of the present invention further provides an intelligent device, including: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor is configured to invoke the machine readable program to perform the behavior-based traffic monitoring method in any of the embodiments described above.
Embodiments of the present invention further provide a computer-readable medium storing computer instructions which, when executed by a processor, cause the processor to execute the behavior-based traffic monitoring method described in any of the above embodiments.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion unit connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion unit to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A behavior-based traffic monitoring method, comprising:
when it is monitored that a traffic source initiates access, creating a time window for the traffic source, wherein the time window can contain data of a preset duration;
writing the access behavior after the traffic source initiates the access into the time window;
determining at least one behavior element of the traffic source according to the access behavior in the time window, wherein each behavior element represents a behavior feature;
generating a current behavior chain of the traffic source according to the at least one behavior element;
judging whether the access behavior is abnormal or not according to the current behavior chain;
and triggering an alarm event when the access behavior is judged to be abnormal.
2. The behavior-based traffic monitoring method according to claim 1, characterized in that:
writing the access behavior after the traffic source initiates access into the time window, and determining at least one behavior element of the traffic source according to the access behavior in the time window, including:
a1: acquiring the access behavior of the traffic source after it initiates access according to a preset acquisition period;
a2: determining whether the capacity remained in the time window is smaller than a preset capacity threshold, wherein the capacity threshold is smaller than the data volume of the access behaviors collected in the collection period, if so, executing A3, otherwise, executing A5;
a3: determining at least one behavioral element of the traffic source according to the access behavior in the time window;
a4: deleting historical data in a time length corresponding to one acquisition period in the time window, wherein the historical data is data with the longest storage time in the time window;
a5: writing the collected access behavior into the time window.
3. The behavior-based traffic monitoring method according to claim 1, characterized in that:
after the monitoring that the traffic source initiates the access and before the writing the access behavior after the traffic source initiates the access into the time window, further comprising:
s1: taking the first information sent by the traffic source and the second information returned to the traffic source in response to the first information as the access behavior of the traffic source, and executing S2;
s2: determining whether a marked session exists in prestored data, wherein the difference between a first time point corresponding to the latest information in the marked session and a second time point corresponding to the time when the traffic source initiates access is less than or equal to a preset time threshold, if so, executing S4, otherwise, executing S3;
s3: creating a session for the traffic source, marking the session;
s4: recording the access behavior in the session;
s5: deleting the mark of the session when no access behavior is received within the time threshold.
4. The behavior-based traffic monitoring method according to claim 1, characterized in that:
when the access behavior is judged to be abnormal, triggering an alarm event, including:
d1: determining whether a historical alarm record exists in a pre-created alarm queue, if so, executing D2, otherwise, executing D6;
d2: determining an abnormal time point corresponding to the abnormal access behavior;
d3: determining an enqueuing time point when a first historical alarm record in the alarm queue is added into the alarm queue;
d4: determining whether the time length between the abnormal time point and the enqueuing time point is greater than a preset alarm time length, if so, executing D5, otherwise, executing D7;
d5: deleting the historical alarm records in the alarm queue;
d6: triggering an alarm event;
d7: and generating a new alarm record corresponding to the access behavior, and adding the new alarm record serving as a historical alarm record into the alarm queue.
5. The behavior-based traffic monitoring method according to claim 4, characterized in that:
after the adding the new alarm record as a historical alarm record into the alarm queue, further comprising:
determining whether the number of the historical alarm records in the alarm queue is equal to a preset alarm number;
when the number of historical alarm records in the alarm queue is equal to the alarm number, D5 is executed.
6. The behavior-based traffic monitoring method according to any one of claims 1 to 5, characterized in that:
the generating the current behavior chain of the traffic source according to the at least one behavior element comprises:
determining the number of occurrences of each of the behavioral elements;
generating a current behavior chain of the traffic source according to the time sequence and the occurrence frequency of each behavior element;
the judging whether the access behavior is abnormal according to the current behavior chain comprises the following steps:
when the behavior element comprises a web page, calculating a similarity value of the current behavior chain and an abnormal behavior chain for characterizing access anomalies according to the following formula:
[Formula image not reproduced on this page: the similarity value S is computed from Q, W, E, R, T, Y and the weights a, b, c defined below]
wherein S represents the similarity value between the current behavior chain and the abnormal behavior chain, Q represents a first total number of requested web pages in the current behavior chain, W represents a second total number of requested web pages in the abnormal behavior chain, E represents a third total number of different web pages of the requested main directory in the current behavior chain, R represents a fourth total number of different web pages of the requested main directory in the abnormal behavior chain, T represents a fifth total number of different web pages of the requested directory tree in the current behavior chain, Y represents a sixth total number of different web pages of the requested directory tree in the abnormal behavior chain, a represents a first weight value corresponding to the requested web pages, b represents a second weight value corresponding to the different web pages of the requested main directory, and c represents a third weight value of the different web pages of the requested directory;
and executing the triggering alarm event when the similarity value is larger than a preset similarity threshold value.
7. A behavior-based traffic monitoring device, comprising:
a window creating module, configured to create a time window for a traffic source when it is monitored that the traffic source initiates access, wherein the time window can contain data of a preset duration;
the data processing module is used for writing the access behavior after the traffic source initiates the access into the time window created by the window creating module; determining at least one behavior element of the traffic source according to the access behavior in the time window, wherein each behavior element represents a behavior feature; generating a current behavior chain of the traffic source according to the at least one behavior element;
the alarm management module is used for judging whether the access behavior is abnormal or not according to the current behavior chain generated by the data processing module; and triggering an alarm event when the access behavior is judged to be abnormal.
8. The behavior-based traffic monitoring device of claim 7, wherein:
the data processing module is used for executing the following operations:
a1: acquiring the access behavior of the traffic source after it initiates access according to a preset acquisition period;
a2: determining whether the capacity remained in the time window is smaller than a preset capacity threshold, wherein the capacity threshold is smaller than the data volume of the access behaviors collected in the collection period, if so, executing A3, otherwise, executing A5;
a3: determining at least one behavioral element of the traffic source according to the access behavior in the time window;
a4: deleting historical data in a time length corresponding to one acquisition period in the time window, wherein the historical data is data with the longest storage time in the time window;
a5: writing the acquired access behavior into the time window;
and/or,
the behavior-based traffic monitoring device further comprises a session creation module;
the session creation module is used for executing the following operations:
s1: taking the first information sent by the traffic source and the second information returned to the traffic source in response to the first information as the access behavior of the traffic source, and executing S2;
s2: determining whether a marked session exists in prestored data, wherein the difference between a first time point corresponding to the latest information in the marked session and a second time point corresponding to the time when the traffic source initiates access is less than or equal to a preset time threshold, if so, executing S4, otherwise, executing S3;
s3: creating a session for the traffic source, marking the session;
s4: recording the access behavior in the session;
s5: deleting the indicia of the session when the access behavior is not received within the time threshold;
and/or,
the alarm management module is used for executing the following operations:
D1: determining whether a historical alarm record exists in a pre-created alarm queue; if so, executing D2, otherwise executing D6;
D2: determining the abnormal time point corresponding to the abnormal access behavior;
D3: determining the enqueuing time point at which the first historical alarm record in the alarm queue was added to the alarm queue;
D4: determining whether the time length between the abnormal time point and the enqueuing time point is greater than a preset alarm time length; if so, executing D5, otherwise executing D7;
D5: deleting the historical alarm records in the alarm queue;
D6: triggering an alarm event;
D7: generating a new alarm record corresponding to the access behavior, and adding the new alarm record to the alarm queue as a historical alarm record;
and/or,
the data processing module is used for determining the occurrence frequency of each behavior element; generating a current behavior chain of the traffic source according to the time sequence and the occurrence frequency of each behavior element;
the alarm management module is used for calculating, when the behavior element comprises a web page, a similarity value between the current behavior chain and an abnormal behavior chain representing an access anomaly according to the following formula, and for triggering the alarm event when the similarity value is greater than a preset similarity threshold;
(formula given as an image in the original)
wherein S represents the similarity value of the current behavior chain and the abnormal behavior chain, Q represents a first total number of requested web pages in the current behavior chain, W represents a second total number of requested web pages in the abnormal behavior chain, E represents a third total number of different web pages of the requested main directory in the current behavior chain, R represents a fourth total number of different web pages of the requested main directory in the abnormal behavior chain, T represents a fifth total number of different web pages of the requested directory tree in the current behavior chain, Y represents a sixth total number of different web pages of the requested directory tree in the abnormal behavior chain, a represents a first weight value corresponding to the requested web pages, b represents a second weight value corresponding to the different web pages of the requested main directory, and c represents a third weight value corresponding to the different web pages of the requested directory tree.
9. An intelligent device, characterized in that it comprises: at least one memory and at least one processor;
the at least one memory is used for storing a machine-readable program;
the at least one processor is configured to invoke the machine-readable program to perform the behavior-based traffic monitoring method of any one of claims 1 to 6.
10. A computer-readable medium having stored thereon computer instructions which, when executed by a processor, cause the processor to perform the behavior-based traffic monitoring method of any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010900845.1A CN111818097B (en) 2020-09-01 2020-09-01 Traffic monitoring method and device based on behaviors

Publications (2)

Publication Number Publication Date
CN111818097A true CN111818097A (en) 2020-10-23
CN111818097B CN111818097B (en) 2020-12-22

Family

ID=72860645

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010900845.1A Active CN111818097B (en) 2020-09-01 2020-09-01 Traffic monitoring method and device based on behaviors

Country Status (1)

Country Link
CN (1) CN111818097B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112333168A (en) * 2020-10-27 2021-02-05 杭州安恒信息技术股份有限公司 Attack identification method, device, equipment and computer readable storage medium
CN114037286A (en) * 2021-11-10 2022-02-11 国网天津市电力公司 Big data based automatic sensitive data detection method and system for power dispatching

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841435A (en) * 2010-01-18 2010-09-22 中国科学院计算机网络信息中心 Method, apparatus and system for detecting abnormality of DNS (domain name system) query flow
CN101945112A (en) * 2010-09-21 2011-01-12 四川通信科研规划设计有限责任公司 ISP anomalous traffic detection method and system
CN105208040A (en) * 2015-10-12 2015-12-30 北京神州绿盟信息安全科技股份有限公司 Network attack detection method and device
CN105376245A (en) * 2015-11-27 2016-03-02 杭州安恒信息技术有限公司 Rule-based detection method of ATP attack behavior
CN106027546A (en) * 2016-06-28 2016-10-12 华为技术有限公司 Network attack detection method, device and system
US20170099309A1 (en) * 2015-10-05 2017-04-06 Cisco Technology, Inc. Dynamic installation of behavioral white labels
CN108040074A (en) * 2018-01-26 2018-05-15 华南理工大学 A kind of real-time network unusual checking system and method based on big data
CN108494746A (en) * 2018-03-07 2018-09-04 长安通信科技有限责任公司 A kind of network port Traffic anomaly detection method and system
CN109120592A (en) * 2018-07-09 2019-01-01 四川大学 A kind of Web abnormality detection system based on user behavior
US20190095518A1 (en) * 2017-09-27 2019-03-28 Johnson Controls Technology Company Web services for smart entity creation and maintenance using time series data

Also Published As

Publication number Publication date
CN111818097B (en) 2020-12-22

Similar Documents

Publication Publication Date Title
CN107992398A (en) The monitoring method and monitoring system of a kind of operation system
US8516499B2 (en) Assistance in performing action responsive to detected event
CN111818097B (en) Traffic monitoring method and device based on behaviors
JP2005259140A5 (en)
CN112528279B (en) Method and device for establishing intrusion detection model
JP4823813B2 (en) Abnormality detection device, abnormality detection program, and recording medium
CN112818307A (en) User operation processing method, system, device and computer readable storage medium
CN114443441B (en) Storage system management method, device and equipment and readable storage medium
CN110502581B (en) Distributed database system monitoring method and device
CN110191097B (en) Method, system, equipment and storage medium for detecting security of login page
CN110737565B (en) Data monitoring method and device, electronic equipment and storage medium
CN110134340B (en) Method, device, equipment and storage medium for updating metadata
US20100325726A1 (en) Unauthorized operation monitoring program, unauthorized operation monitoring method, and unauthorized operation monitoring system
JP6876307B2 (en) Independent SQL injection defense analysis notification method based on php and its system
CN112000623A (en) Metadata access method and device and computer readable storage medium
CN115297104B (en) File uploading method and device, electronic equipment and storage medium
TWI640891B (en) Method and apparatus for detecting malware
CN111741029B (en) Log data processing method, processing device and storage medium
CN116185785A (en) Early warning method and device for file abnormal change
CN115065558A (en) Attack flow tracing method and device for APT attack
CN113392079B (en) Distributed storage cluster log storage optimization method, system and terminal
CN105912929B (en) A kind of dynamic measurement method based on domestic TCM
CN114281769A (en) Method and device for managing files on disk, computer equipment and storage medium
CN114186278A (en) Database abnormal operation identification method and device and electronic equipment
KR101329976B1 (en) Method and system for reporting the result of analyzing log

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant