CN112003850A - Flow monitoring method, device, equipment and storage medium based on cloud network - Google Patents


Info

Publication number: CN112003850A
Application number: CN202010821167.XA
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 何亚明, 颜秉珩
Current Assignee: Beijing Inspur Data Technology Co Ltd
Original Assignee: Beijing Inspur Data Technology Co Ltd
Legal status: Pending
Prior art keywords: traffic, current, service, type, service flow

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention discloses a flow monitoring method, a flow monitoring device, flow monitoring equipment and a computer readable storage medium based on a cloud network. The method comprises the following steps: acquiring service flow on a monitored host; determining a traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic, the traffic type comprising a safe traffic type and an unsafe traffic type; and controlling the monitored host to discard a first service flow in the service flows, the traffic type corresponding to the first service traffic being the unsafe traffic type. According to the invention, the traffic type of each service traffic is determined from its 5-tuple information, so the type of service traffic that needs to be forwarded on the cloud platform can be monitored; by discarding unsafe service traffic, the transmission and distribution of illegal information through access to illegal sites is avoided, and illegal behaviors such as abusing network resources and leaking sensitive information are reduced.

Description

Flow monitoring method, device, equipment and storage medium based on cloud network
Technical Field
The invention relates to the technical field of cloud network platforms, in particular to a flow monitoring method, a flow monitoring device, flow monitoring equipment and a computer readable storage medium based on a cloud network.
Background
In the cloud computing era, a large number of virtual machines communicate with one another, network services are of many kinds, and private protocols are numerous, so the traffic (i.e., service traffic) of a cloud platform (i.e., a cloud network platform) is difficult to manage effectively; for example, a user of a computer may abuse network resources and, by accessing an illegal site, carry out illegal behaviors such as leaking sensitive information and transmitting and distributing illegal information.
Therefore, how to monitor the service traffic that needs to be forwarded on the cloud platform, so as to avoid the transmission and distribution of illegal information through access to illegal sites and to reduce illegal behaviors such as abusing network resources and leaking sensitive information, is a problem to be solved.
Disclosure of Invention
The invention aims to provide a traffic monitoring method, a traffic monitoring device, traffic monitoring equipment and a computer readable storage medium based on a cloud network, so that traffic to be forwarded on a cloud platform can be monitored, and illegal behaviors such as abusing network resources and leaking sensitive information can be reduced.
In order to solve the technical problem, the invention provides a traffic monitoring method based on a cloud network, which comprises the following steps:
acquiring service flow on a monitored host;
determining a traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic; wherein the traffic type comprises a secure traffic type and an insecure traffic type;
controlling the monitored host to discard a first service flow in the service flows; and the traffic type corresponding to the first service traffic is the non-secure traffic type.
Optionally, when the traffic type further includes a preset number of preset security behavior types corresponding to the secure traffic type, after determining the traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic, the method further includes:
controlling the monitored host to forward each second service flow in the service flows according to the forwarding mode corresponding to its preset security behavior type; wherein the traffic type corresponding to each second service flow is any one of the preset security behavior types.
Optionally, the acquiring the service traffic on the monitored host includes:
the monitoring host mirrors the service traffic on the monitored host to obtain the mirrored service traffic.
Optionally, the determining, according to the 5-tuple information of each service traffic, a traffic type corresponding to each service traffic includes:
judging whether the port number in the 5-tuple information of the current service flow is a known port or not; wherein, the current service flow is any one of the service flows;
if yes, determining the flow type corresponding to the current service flow by using a first mathematical model according to the 5-tuple information of the current service flow;
if not, determining the traffic type corresponding to the current traffic by using the second mathematical model according to the 5-tuple information of the current traffic.
Optionally, the determining, according to the 5-tuple information of the current service traffic, the traffic type corresponding to the current service traffic by using the first mathematical model includes:
judging whether the source IP and the destination IP in the 5-tuple information of the current service flow are both in the safe IP range corresponding to the port number;
if not, determining that the traffic type corresponding to the current service traffic is the unsafe traffic type;
if yes, judging whether the source MAC and the destination MAC in the 5-tuple information of the current service flow are both in the safe MAC range corresponding to the port number;
if not both are in the safe MAC range, determining that the traffic type corresponding to the current service traffic is the unsafe traffic type;
if both are in the safe MAC range, determining that the traffic type corresponding to the current service traffic is the safe traffic type.
Optionally, the training process of the second mathematical model includes:
using a decision tree as the base classifier, training on the 5-tuple information of the current training service flow to obtain the classification result of each preset behavior type corresponding to the current iteration number;
determining, by the formula shown in figure BDA0002634446760000031 of the original (not reproduced here), the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type; wherein P_mn(x) is the probability that the current training service flow belongs to the current preset behavior type at the current iteration number, m is the current iteration number, n is the current preset behavior type, T_n(x) is the classification result of the current preset behavior type at the current iteration number, K is the number of preset behavior types, the current training service flow is any one of the training service flows, and the current preset behavior type is any one of the preset behavior types;
judging whether the current iteration number reaches a threshold value;
if so, determining a target preset behavior type according to the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type; the target preset behavior type is a preset behavior type corresponding to the maximum value in the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type;
if not, determining, by the formula shown in figure BDA0002634446760000032 of the original (not reproduced here), the residual corresponding to each preset behavior type at the current iteration number; wherein y_mn is the residual corresponding to the current preset behavior type at the current iteration number, q is the preset real behavior type of the current training service flow, and the preset real behavior type is any one of the preset behavior types;
using the base classifier, training a decision tree on the 5-tuple information of the current training service flow and the residual corresponding to each preset behavior type at the current iteration number, to obtain the classification result of each preset behavior type corresponding to the next iteration number; taking the next iteration number as the current iteration number, and returning to the step of determining, by the formula shown in figure BDA0002634446760000033 of the original, the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type.
Optionally, the threshold is 4.
The invention also provides a flow monitoring device based on the cloud network, which comprises:
the acquisition module is used for acquiring the service flow on the monitored host;
the determining module is used for determining the traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic; wherein the traffic type comprises a secure traffic type and an insecure traffic type;
the control module is used for controlling the monitored host to discard a first service flow in the service flows; and the traffic type corresponding to the first service traffic is the non-secure traffic type.
The invention also provides a flow monitoring device based on the cloud network, which comprises:
a memory for storing a computer program;
a processor, configured to implement the steps of the cloud network-based traffic monitoring method as described above when executing the computer program.
The present invention also provides a computer readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the cloud network-based traffic monitoring method as described above.
The invention provides a flow monitoring method based on a cloud network, which comprises the following steps: acquiring service flow on a monitored host; determining a traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic; the traffic type comprises a safe traffic type and an unsafe traffic type; controlling the monitored host to discard a first service flow in the service flows; the traffic type corresponding to the first service traffic is an unsafe traffic type;
therefore, the invention can monitor the type of the service flow to be forwarded on the cloud platform by determining the flow type corresponding to each service flow according to the 5-tuple information of each service flow, thereby discarding the unsafe service flow by controlling the monitored host to discard the first service flow in the service flow, avoiding the occurrence of the conditions of transmitting and publishing the illegal information by accessing the illegal site, and reducing the occurrence of illegal behaviors such as abusing network resources, leaking sensitive information and the like. In addition, the invention also provides a flow monitoring device, equipment and a computer readable storage medium based on the cloud network, and the beneficial effects are also achieved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a traffic monitoring method based on a cloud network according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of another cloud network-based traffic monitoring method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart illustrating a traffic detection process of a known port of another cloud network-based traffic monitoring method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a training process of a mathematical model of another cloud network-based traffic monitoring method according to an embodiment of the present invention;
fig. 5 is a block diagram of a flow monitoring apparatus based on a cloud network according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a traffic monitoring device based on a cloud network according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart of a traffic monitoring method based on a cloud network according to an embodiment of the present invention. The method can comprise the following steps:
step 101: and acquiring the service flow on the monitored host.
The monitored host in this step may be a device, such as a server, in the cloud network platform for forwarding the service traffic. The traffic flow in this step may be a traffic flow (i.e., a traffic packet) of a corresponding service to be forwarded on the monitored host that needs to be monitored.
It can be understood that the purpose of this step may be to monitor the traffic flow on the monitored host, by having the monitoring host, or the processor on the monitored host, acquire the traffic flow on the monitored host. The monitoring host may be a device, such as a server, for monitoring the traffic flow on the monitored host.
Specifically, the specific manner in which the processor acquires the service traffic on the monitored host in this step may be set by a designer according to a use scenario and a user requirement, for example, the processor of the monitored host may directly acquire the service traffic that the monitored host itself needs to forward; the processor of the monitoring host can capture the service flow from the monitored host; the processor of the monitoring host may also mirror the traffic flow on the monitored host, for example, the processor of the monitoring host may mirror the traffic flow on the monitored host to obtain the mirrored traffic flow. The embodiment is not limited to this, as long as the monitoring host or the processor on the monitored host can obtain the traffic flow on the monitored host.
Step 102: determining a traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic; wherein the traffic type includes a secure traffic type and an unsecure traffic type.
It can be understood that the 5-tuple information in this step may be information of 5 elements, namely, source ip, destination ip, source mac, destination mac, and port number. The secure traffic type in this step may be a traffic type corresponding to the traffic determined to be secure, and the non-secure traffic type in this step may be a traffic type corresponding to the traffic determined to be non-secure. The purpose of this step may be that the processor determines the traffic type corresponding to each traffic flow by using the 5-tuple information of each traffic flow, so that the traffic flow can be correspondingly forwarded or discarded according to the determined traffic type.
Specifically, for the specific way in which the processor determines the traffic type corresponding to each traffic flow according to the 5-tuple information of each traffic flow in this step, the specific way may be set by a designer according to a use scenario and a user requirement, for example, in order to reduce the calculation amount required for determining the traffic type, as shown in fig. 2, in this embodiment, the traffic flow may be divided into two types, that is, a traffic flow corresponding to a known port (that is, a known port number) and a traffic flow corresponding to a non-known port according to a port number in the 5-tuple information of the traffic flow, so as to perform processing using two corresponding mathematical models; well-known port numbers (well-known port numbers) may be the port numbers reserved by the internet name and number assignment authority (ICANN) for use by the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). That is, this step may include determining whether the port number in the 5-tuple information of the current traffic is a known port; if yes, determining a traffic type corresponding to the current traffic by using a first mathematical model (for example, mathematical model 1 in fig. 2) according to the 5-tuple information of the current traffic; if not, determining the traffic type corresponding to the current traffic by using a second mathematical model (such as the mathematical model obtained by the traffic monitoring technology in fig. 2) according to the 5-tuple information of the current traffic; wherein, the current service flow is any service flow.
Correspondingly, the specific way in which the processor determines the traffic type corresponding to the current service traffic by using the first mathematical model according to its 5-tuple information, that is, the monitoring flow of the first mathematical model for service traffic on a known port, may be set by a designer. For example, since the IP addresses and MAC addresses corresponding to a known port number on the cloud network both have specified ranges (that is, a safe IP range and a safe MAC range), as shown in fig. 3, when the port number in the 5-tuple information of a service flow is a known port, if the source IP, the destination IP, the source MAC or the destination MAC in the 5-tuple information of the flow is not in the corresponding range, the flow may be determined to be unsafe. That is, the process of determining, by the processor, the traffic type corresponding to the current service traffic by using the first mathematical model according to the 5-tuple information of the current service traffic may include: judging whether the source IP and the destination IP in the 5-tuple information of the current service flow are both in the safe IP range (namely the safe domain of IP addresses) corresponding to the port number; if not, determining that the traffic type corresponding to the current service traffic is the unsafe traffic type, namely that the current service traffic is a first service traffic (namely unsafe traffic); if yes, judging whether the source MAC and the destination MAC in the 5-tuple information of the current service flow are both in the safe MAC range (namely the safe domain of MAC addresses) corresponding to the port number; if not both are in the safe MAC range, determining that the traffic type corresponding to the current service traffic is the unsafe traffic type; and if both are in the safe MAC range, determining that the traffic type corresponding to the current service traffic is the safe traffic type.
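The known-port path of step 102 (the first mathematical model) together with the drop decision of step 103, as an added example that is not part of the patent. The FiveTuple container, the per-port safe IP networks and MAC prefixes, and the sample flows are all constructed assumptions; a malformed address is treated as outside the safe range.

```python
"""Added example, not the patent's code: the first mathematical model
(known-port check) and the drop decision of step 103 over constructed
5-tuples. The policy tables and the FiveTuple container are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SAFE, UNSAFE = "safe", "unsafe"
TO_SECOND_MODEL = "unknown-port"   # handed on to the learned second model


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    port: int


# Constructed policy: the IP networks and MAC prefixes allowed to carry each
# known service on this cloud network (the page's "safe ip range" and
# "safe mac range" corresponding to the port number).
SAFE_IP_RANGES = {
    80: [ip_network("10.10.0.0/16")],
    443: [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")],
    22: [ip_network("10.99.0.0/24")],
}
SAFE_MAC_PREFIXES = {
    80: ("52:54:00",),
    443: ("52:54:00", "fa:16:3e"),
    22: ("52:54:00",),
}


def is_known_port(port: int) -> bool:
    # Assumption: a "known port" is a well-known port (0-1023) for which the
    # cloud has a policy entry; anything else goes to the second model.
    return 0 <= port <= 1023 and port in SAFE_IP_RANGES


def ip_in_ranges(ip: str, nets) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:          # malformed address: fail closed
        return False
    return any(addr in net for net in nets)


def mac_in_ranges(mac: str, prefixes) -> bool:
    return mac.lower().startswith(tuple(p.lower() for p in prefixes))


def first_model(ft: FiveTuple) -> str:
    """IP check first, then MAC check; any miss makes the flow unsafe."""
    nets = SAFE_IP_RANGES[ft.port]
    if not (ip_in_ranges(ft.src_ip, nets) and ip_in_ranges(ft.dst_ip, nets)):
        return UNSAFE
    prefixes = SAFE_MAC_PREFIXES[ft.port]
    if not (mac_in_ranges(ft.src_mac, prefixes) and mac_in_ranges(ft.dst_mac, prefixes)):
        return UNSAFE
    return SAFE


def classify(ft: FiveTuple) -> str:
    """Step 102: route on the port number, then apply the first model."""
    return first_model(ft) if is_known_port(ft.port) else TO_SECOND_MODEL


def drop_decisions(flows):
    """Step 103 for the known-port path: return (kept, dropped) flows."""
    kept, dropped = [], []
    for ft in flows:
        (dropped if classify(ft) == UNSAFE else kept).append(ft)
    return kept, dropped


if __name__ == "__main__":
    sample = [  # constructed flows
        FiveTuple("10.10.1.5", "10.10.2.9", "52:54:00:aa:bb:cc", "52:54:00:dd:ee:ff", 443),
        FiveTuple("10.10.1.5", "203.0.113.7", "52:54:00:aa:bb:cc", "52:54:00:dd:ee:ff", 443),
        FiveTuple("10.10.1.5", "10.10.2.9", "00:11:22:aa:bb:cc", "52:54:00:dd:ee:ff", 80),
        FiveTuple("10.10.1.5", "10.10.2.9", "52:54:00:aa:bb:cc", "52:54:00:dd:ee:ff", 8443),
    ]
    for ft in sample:
        print(ft.port, ft.dst_ip, "->", classify(ft))
```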
Correspondingly, the specific manner in which the processor determines the traffic type corresponding to the current service traffic by using the second mathematical model according to its 5-tuple information may be set by a designer, as long as the processor can determine the traffic type by using the second mathematical model and the 5-tuple information of the current service traffic, which is not limited in this embodiment. For example, the second mathematical model may be obtained through the training process shown in fig. 4: a large amount of data required for training the model (i.e., training service traffic) is prepared, for example 100,000 (10 ten thousand) or more training service flows; each training service flow needs two characteristics, a feature value and a target value, where the feature value may be the 5-tuple information of the training service flow and the target value may be the true traffic type of the training service flow, e.g. whether the training service flow is safe (1 or 0) (i.e., the safe traffic type or the non-safe traffic type); through data cleaning, the part of the training service traffic with too high correlation is removed, since it contributes little to training and constructing the second mathematical model and removing it saves unnecessary calculation; through data training, the cleaned training service traffic is fed into a machine learning algorithm for training to obtain the second mathematical model. Specifically, the machine learning training may be performed as follows:
assuming that the prediction result has K classes, that is, the traffic type determined by using the second mathematical model has K classes (the number of preset behavior types is K), then for a cleaned training sample x (that is, the current training service flow) the classification result may be represented by an N-dimensional vector, where 0 means that the sample does not belong to the class and 1 means that it does. A decision tree is used as the base classifier and trained on the 5-tuple information of the current training service flow; in the first iteration, K trees are generated, that is, the classification results of the K preset behavior types, T_1(x), T_2(x), ..., T_K(x); then, in this round of training, the probability that the current training service flow belongs to the nth class may be:
[formula: figure BDA0002634446760000081 of the original, not reproduced here]
in the above formula, P_1n(x) is the probability that the current training service flow belongs to the current preset behavior type in the first iteration, n is the current preset behavior type, T_n(x) is the classification result of the current preset behavior type, K is the number of preset behavior types, and the current preset behavior type is any one of the preset behavior types;
if the current training service flow actually belongs to the qth preset behavior type (that is, the preset real behavior type), where 1 ≤ q ≤ K, then the current training service flow has
[formula: figure BDA0002634446760000082 of the original, not reproduced here]
i.e. the residual corresponding to the current preset behavior type generated in the first iteration;
the second iteration may continue to train the K trees on the basis of the first iteration using (x, y_1n), and so on until the preset number of iterations is reached, for example the 3rd iteration (to prevent overfitting), training K trees in each round; when a new sample arrives after training is finished, the probability that the sample belongs to the nth class is
[formula: figure BDA0002634446760000083 of the original, not reproduced here]
The class with the highest probability may be taken as 1 (i.e., the target preset behavior type), and the others as 0.
That is, the process of training the second mathematical model using machine learning in the present embodiment may include:
using a decision tree as the base classifier, training on the 5-tuple information of the current training service flow to obtain the classification result of each preset behavior type corresponding to the current iteration number;
determining, by the formula shown in figure BDA0002634446760000084 of the original (not reproduced here), the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type; wherein P_mn(x) is the probability that the current training service flow belongs to the current preset behavior type at the current iteration number, m is the current iteration number, n is the current preset behavior type, T_n(x) is the classification result of the current preset behavior type at the current iteration number, K is the number of preset behavior types, the current training service flow is any one of the training service flows, and the current preset behavior type is any one of the preset behavior types;
judging whether the current iteration number reaches a threshold value;
if so, determining a target preset behavior type according to the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type; the target preset behavior type is a preset behavior type corresponding to the maximum value in the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type;
if not, determining, by the formula shown in figure BDA0002634446760000085 of the original (not reproduced here), the residual corresponding to each preset behavior type at the current iteration number; wherein y_mn is the residual corresponding to the current preset behavior type at the current iteration number, q is the preset real behavior type of the current training service flow, and the preset real behavior type is any one of the preset behavior types;
using the base classifier, training a decision tree on the 5-tuple information of the current training service flow and the residual corresponding to each preset behavior type at the current iteration number, to obtain the classification result of each preset behavior type corresponding to the next iteration number; taking the next iteration number as the current iteration number, and returning to the step of determining, by the formula shown in figure BDA0002634446760000091 of the original, the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type.
Correspondingly, as shown in fig. 4, after the data training is performed in the above manner, data can be put into the trained model for verification; if the accuracy reaches the expectation, the model training is finished and the trained model is used as the second mathematical model; if the accuracy does not reach the expectation, the process can return to the data cleaning step, and the model is corrected and then retrained.
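The training loop of the second mathematical model (K trees per round, probabilities P_mn(x), residuals y_mn against the real class q, iteration threshold 4) and the accuracy check of the verification step, as an added example that is not the patent's code. It assumes the softmax form for P_mn(x) (the page's formula figure is not reproduced, so the standard multi-class gradient boosting form is used), a depth-1 regression tree in place of the decision tree base classifier, an integer encoding of the 5-tuple, and constructed training flows with three behavior types.

```python
"""Added example, not the patent's code: multi-class boosting over 5-tuple
features (K trees per round, softmax P_mn(x), residual y_mn = 1[n == q] -
P_mn(x), THRESHOLD rounds) plus the verification-step accuracy check.
Assumed: softmax form of P_mn(x), a depth-1 regression tree as base
classifier, integer encoding of the 5-tuple, constructed training data."""
import math
from ipaddress import ip_address

THRESHOLD = 4        # iteration threshold from the page
K = 3                # preset behaviour types: 0 = web, 1 = mail, 2 = unsafe


def encode(src_ip, dst_ip, src_mac, dst_mac, port):
    """5-tuple -> numeric feature vector (assumed encoding)."""
    mac = lambda m: int(m.replace(":", ""), 16)
    return [int(ip_address(src_ip)), int(ip_address(dst_ip)),
            mac(src_mac), mac(dst_mac), port]


def fit_stump(X, r):
    """Depth-1 regression tree minimising squared error of residual r."""
    n, mean = len(r), sum(r) / len(r)
    best = (sum((v - mean) ** 2 for v in r), None, None, mean, mean)
    for f in range(len(X[0])):
        vals = sorted(set(row[f] for row in X))
        for a, b in zip(vals, vals[1:]):
            thr = (a + b) / 2
            left = [r[i] for i in range(n) if X[i][f] <= thr]
            right = [r[i] for i in range(n) if X[i][f] > thr]
            ml, mr = sum(left) / len(left), sum(right) / len(right)
            sse = sum((v - ml) ** 2 for v in left) + sum((v - mr) ** 2 for v in right)
            if sse < best[0]:
                best = (sse, f, thr, ml, mr)
    return best[1:]          # (feature, threshold, left_value, right_value)


def stump_predict(stump, x):
    f, thr, ml, mr = stump
    return ml if f is None or x[f] <= thr else mr


def softmax(scores):
    m = max(scores)
    e = [math.exp(s - m) for s in scores]
    return [v / sum(e) for v in e]


def train(X, q, rounds=THRESHOLD):
    """Return `rounds` lists of K stumps; T[i][n] is the running T_n(x_i)."""
    n = len(X)
    T = [[0.0] * K for _ in range(n)]
    model = []
    for _ in range(rounds):
        P = [softmax(t) for t in T]                          # P_mn(x)
        round_trees = []
        for cls in range(K):
            y = [(1.0 if q[i] == cls else 0.0) - P[i][cls] for i in range(n)]  # y_mn
            stump = fit_stump(X, y)                          # tree on residual
            round_trees.append(stump)
            for i in range(n):
                T[i][cls] += stump_predict(stump, X[i])
        model.append(round_trees)
    return model


def predict_proba(model, x):
    scores = [0.0] * K
    for round_trees in model:
        for cls, stump in enumerate(round_trees):
            scores[cls] += stump_predict(stump, x)
    return softmax(scores)


def predict(model, x):
    """Target preset behaviour type: the class with the highest probability."""
    p = predict_proba(model, x)
    return max(range(K), key=p.__getitem__)


def accuracy(model, X, q):
    """Verification step: fraction of samples whose predicted class is right."""
    return sum(predict(model, x) == label for x, label in zip(X, q)) / len(X)


MAC_A, MAC_B = "52:54:00:00:00:01", "52:54:00:00:00:10"
TRAIN = [  # constructed (src_ip, dst_ip, port, behaviour class)
    ("10.10.1.2", "10.10.5.1", 8080, 0), ("10.10.1.3", "10.10.5.1", 8443, 0),
    ("10.10.1.4", "10.10.5.2", 8080, 0),
    ("10.10.2.2", "10.10.6.1", 2525, 1), ("10.10.2.3", "10.10.6.1", 2526, 1),
    ("10.10.2.4", "10.10.6.2", 2525, 1),
    ("10.10.3.2", "203.0.113.5", 5005, 2), ("10.10.3.3", "203.0.113.6", 5006, 2),
    ("10.10.3.4", "203.0.113.7", 5005, 2),
]
X_TRAIN = [encode(s, d, MAC_A, MAC_B, p) for s, d, p, _ in TRAIN]
Y_TRAIN = [c for *_, c in TRAIN]
MODEL = train(X_TRAIN, Y_TRAIN)

if __name__ == "__main__":
    print("training accuracy:", accuracy(MODEL, X_TRAIN, Y_TRAIN))
    print("new flow ->", predict(MODEL, encode("10.10.1.9", "10.10.5.3", MAC_A, MAC_B, 8080)))
```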
It should be noted that, the process of determining the traffic type corresponding to each service traffic by the processor is shown by taking as an example that the first mathematical model and the second mathematical model are respectively used to determine the traffic type corresponding to the service traffic, or the process may directly determine the traffic type corresponding to the service traffic by using one mathematical model, that is, the service traffic is not divided into two types, namely, the service traffic corresponding to a known port and the service traffic corresponding to a non-known port, but the traffic type corresponding to each service traffic is determined by directly using the mathematical model which is constructed by training and can perform traffic type detection on all the service traffic; the training and constructing method of the mathematical model may be implemented in a manner similar to the training and constructing method of the second mathematical model, and this embodiment does not limit this.
Step 103: controlling the monitored host to discard a first service flow in the service flows; and the traffic type corresponding to the first service traffic is an unsafe traffic type.
It is understood that the first service traffic in this step is the service traffic determined to be unsafe, that is, the service traffic whose traffic type determined in step 102 is the unsafe traffic type. The purpose of this step is for the processor to control the monitored host to discard (filter out) the unsafe traffic (i.e. the first service traffic) among all the service traffic, so that the monitored host does not forward it, thereby reducing illegal behaviors such as misusing network resources and leaking sensitive information by accessing illegal sites to transmit and publish illegal information.
Specifically, the first service traffic in this step may include the service traffic whose traffic type determined by the first mathematical model is the unsafe traffic type, and the service traffic whose traffic type determined by the second mathematical model is the unsafe traffic type or a preset behavior type corresponding to the unsafe traffic type (i.e. a preset unsafe behavior type). That is, when the traffic types determined by the second mathematical model include the safe traffic type together with a plurality of preset behavior types corresponding to it (preset safe behavior types), or the preset unsafe behavior type, the processor can detect the behavior of the service traffic, such as browsing a web page, mail, a network attack, shopping, chatting, and the like, so that the processor can control the monitored host to forward the second service traffic among the service traffic according to the forwarding mode corresponding to each preset safe behavior type; the traffic type corresponding to each second service traffic is any preset safe behavior type, for example a preset behavior type corresponding to the safe traffic type as determined by the second mathematical model.
That is, when the service traffic is determined by the first mathematical model to be of the unsafe traffic type, or is determined to be of a preset unsafe behavior type, the processor may control the monitored host to discard it; when the service traffic is determined by the first mathematical model to be of the safe traffic type, the monitored host may be controlled to determine the behavior of the service traffic from the existing forwarding mode of service traffic on that known port and to forward it accordingly; and when the service traffic is determined by the second mathematical model to be of a preset safe behavior type, the processor may forward it in the forwarding mode corresponding to that preset safe behavior type. In other words, by presetting a forwarding mode for each preset safe behavior type, service traffic on an unknown port can be forwarded appropriately once its behavior has been detected.
In this embodiment, the traffic type corresponding to each service traffic is determined according to its 5-tuple information, so that the type of service traffic to be forwarded on the cloud platform can be monitored; the monitored host is then controlled to discard the first service traffic, i.e. the unsafe service traffic, which avoids the transmission and publication of illegal information through access to illegal sites and reduces illegal behaviors such as misusing network resources and leaking sensitive information.
Referring to fig. 5, fig. 5 is a block diagram illustrating a structure of a traffic monitoring apparatus based on a cloud network according to an embodiment of the present invention. The apparatus may include:
an obtaining module 10, configured to obtain a service flow on a monitored host;
the determining module 20 is configured to determine a traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic; the traffic type comprises a safe traffic type and an unsafe traffic type;
the control module 30 is configured to control the monitored host to discard a first service traffic of the service traffic; and the traffic type corresponding to the first service traffic is an unsafe traffic type.
Optionally, when the traffic type further includes a preset safety behavior type with a preset number of safety traffic types, the apparatus may further include:
the forwarding control module is used for controlling the monitored host to forward a second service flow in the service flows according to respective corresponding forwarding modes of preset safety behavior types; and the flow type corresponding to each second service flow is any preset safety behavior type.
Optionally, the obtaining module 10 may be specifically configured to mirror the service traffic on the monitored host to obtain the mirrored service traffic.
Optionally, the determining module 20 may include:
the judging submodule is used for judging whether the port number in the 5-tuple information of the current service flow is a known port or not; wherein, the current service flow is any service flow;
the first determining submodule is used for determining the traffic type corresponding to the current traffic by using a first mathematical model according to the 5-tuple information of the current traffic if the port is a known port;
and the second determining submodule is used for determining the traffic type corresponding to the current traffic by using a second mathematical model according to the 5-tuple information of the current traffic if the port is not the known port.
Optionally, the first determining submodule may include:
a first judging unit, configured to judge whether the source ip and the destination ip in the 5-tuple information of the current service traffic are both within the safe ip range corresponding to the port number;
a first determining unit, configured to determine that the traffic type corresponding to the current service traffic is the unsafe traffic type if the source ip and the destination ip are not both within the safe ip range corresponding to the port number;
a second judging unit, configured to judge, if both are within the safe ip range corresponding to the port number, whether the source mac and the destination mac in the 5-tuple information of the current service traffic are both within the safe mac range corresponding to the port number;
a second determining unit, configured to determine that the traffic type corresponding to the current service traffic is the unsafe traffic type if the source mac and the destination mac are not both within the safe mac range;
and a third determining unit, configured to determine that the traffic type corresponding to the current service traffic is the safe traffic type if both are within the safe mac range.
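The first mathematical model and the step 103 decision, as an added illustration that is not the patent's own code: the safe ip and mac ranges per known port, the stand-in for the trained second model and the sample flows are constructed assumptions.

```python
"""Added example (not the patent's code): the first mathematical model (known
port -> both ips in the port's safe ip range -> both macs in its safe mac range)
and the step 103 discard/forward decision. Policy and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ServiceFlow:
    """The page's 5-tuple: port number, source/destination ip, source/destination mac."""
    port: int
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


# Constructed policy for two known ports: safe ip networks and safe mac prefixes.
SAFE_IP_RANGE = {443: [ip_network("10.0.0.0/8")],
                 22: [ip_network("10.0.1.0/24")]}
SAFE_MAC_RANGE = {443: ["02:00:10"], 22: ["02:00:10", "02:00:11"]}
UNSAFE_BEHAVIOURS = {"network attack"}                  # preset unsafe behaviour type
FORWARDING_MODE = {"browsing web page": "web-forward",  # one mode per preset safe behaviour type
                   "mail": "mail-forward", "shopping": "web-forward", "chatting": "im-forward"}


def is_known_port(port):
    return port in SAFE_IP_RANGE and port in SAFE_MAC_RANGE


def in_ip_range(ip, nets):
    return any(ip_address(ip) in net for net in nets)


def in_mac_range(mac, prefixes):
    return any(mac.lower().startswith(p.lower()) for p in prefixes)


def first_model(flow):
    """Safe only if both ips, and then both macs, fall in the port's safe ranges."""
    nets = SAFE_IP_RANGE[flow.port]
    if not (in_ip_range(flow.src_ip, nets) and in_ip_range(flow.dst_ip, nets)):
        return "unsafe"
    prefixes = SAFE_MAC_RANGE[flow.port]
    if not (in_mac_range(flow.src_mac, prefixes) and in_mac_range(flow.dst_mac, prefixes)):
        return "unsafe"
    return "safe"


def traffic_type(flow, second_model):
    """Known port -> first model; otherwise the trained second model names a behaviour."""
    return first_model(flow) if is_known_port(flow.port) else second_model(flow)


def decide(flow, second_model):
    """Step 103: discard the first service traffic, forward the rest by its mode."""
    t = traffic_type(flow, second_model)
    if t == "unsafe" or t in UNSAFE_BEHAVIOURS:
        return "discard"
    if t == "safe":
        return "forward:known-port"          # existing forwarding mode of the known port
    return "forward:" + FORWARDING_MODE[t]   # mode preset for that safe behaviour type


def demo_second_model(flow):
    """Constructed stand-in for the trained classifier, keyed on the port only."""
    return {8080: "browsing web page", 2525: "mail"}.get(flow.port, "network attack")


if __name__ == "__main__":
    flows = [ServiceFlow(443, "10.1.2.3", "10.9.9.9", "02:00:10:aa:bb:cc", "02:00:10:dd:ee:ff"),
             ServiceFlow(443, "10.1.2.3", "203.0.113.7", "02:00:10:aa:bb:cc", "02:00:10:dd:ee:ff"),
             ServiceFlow(2525, "10.1.2.3", "10.9.9.9", "02:00:10:aa:bb:cc", "02:00:10:dd:ee:ff"),
             ServiceFlow(31337, "10.1.2.3", "10.9.9.9", "02:00:10:aa:bb:cc", "02:00:10:dd:ee:ff")]
    for f in flows:
        print(f.port, decide(f, demo_second_model))
```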
Optionally, the apparatus may further include: a training module for training a second mathematical model;
the training module may include:
the classification submodule is used for selecting a decision tree to train according to the 5-tuple information of the current training service flow by using a base classifier to obtain a classification result of each preset behavior type corresponding to the current iteration times;
a probability determination submodule, configured to determine, by means of
Figure BDA0002634446760000121
the probability that the current training service traffic belongs to each preset behavior type at the current iteration number; wherein $P_{mn}(x)$ is the probability that the current training service traffic belongs to the current preset behavior type at the current iteration number, m is the current iteration number, n is the current preset behavior type, $T_n(x)$ is the classification result of the current preset behavior type at the current iteration number, K is the number of preset behavior types, the current training service traffic is any training service traffic, and the current preset behavior type is any preset behavior type;
the iteration judgment submodule is used for judging whether the current iteration number reaches a threshold value;
the behavior determining submodule is used for determining a target preset behavior type according to the probability that the current training service flow corresponding to the current iteration times belongs to each preset behavior type if the threshold is reached; the target preset behavior type is a preset behavior type corresponding to the maximum value in the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type;
a residual determination submodule, configured to determine, if the threshold is not reached, by means of
Figure BDA0002634446760000122
the residual corresponding to each preset behavior type at the current iteration number; wherein $y_{mn}$ is the residual corresponding to the current preset behavior type at the current iteration number, q is the preset real behavior type of the current training service traffic, and the preset real behavior type is any preset behavior type;
and the iteration classification submodule is used for selecting a decision tree for training to obtain a classification result of each preset behavior type corresponding to the next iteration number by using the base classifier according to the 5-tuple information of the current training service flow and the residual error corresponding to each preset behavior type in the current iteration number, taking the next iteration number as the current iteration number, and sending a starting signal to the probability determination submodule.
Alternatively, the threshold may be specifically 4.
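The training procedure of the second mathematical model, as an added illustration rather than the patent's code. Since the page reproduces its two formulas only as images, the example assumes the standard multi-class gradient boosting form, with the probability as the softmax of the per-type scores and the residual as the one-hot true type minus that probability; the one-split regression stump base classifier and the encoded training flows are also constructed assumptions.

```python
"""Added example (not the patent's code): the second-model training loop as a
multi-class boosting round, iterated up to the threshold of 4. Assumed formulas:
P_mn(x) = softmax over the K accumulated per-type scores T_n(x), and residual
y_mn = 1[q = n] - P_mn(x). Base classifier: a least-squares regression stump.
Training 5-tuples are constructed and encoded as [port, destination host id]."""
import math

PRESET_TYPES = ["browsing web page", "mail", "network attack"]
TRAIN_X = [[443, 200], [443, 201], [443, 202],      # browsing a web page
           [25, 50], [25, 51],                       # mail
           [31337, 50], [31337, 51], [31337, 52]]    # network attack
TRAIN_Q = [0, 0, 0, 1, 1, 2, 2, 2]                   # preset real behaviour type q


def fit_stump(X, r):
    """Best single split (feature, threshold, left value, right value) for residuals r."""
    best, best_sse = None, float("inf")
    for j in range(len(X[0])):
        for thr in sorted({row[j] for row in X}):
            left = [r[i] for i, row in enumerate(X) if row[j] <= thr]
            right = [r[i] for i, row in enumerate(X) if row[j] > thr]
            if not left or not right:
                continue
            lm, rm = sum(left) / len(left), sum(right) / len(right)
            sse = sum((v - lm) ** 2 for v in left) + sum((v - rm) ** 2 for v in right)
            if sse < best_sse:
                best, best_sse = (j, thr, lm, rm), sse
    if best is None:                      # every row identical: predict the mean
        mean = sum(r) / len(r)
        best = (0, X[0][0], mean, mean)
    return best


def predict_stump(stump, x):
    j, thr, lm, rm = stump
    return lm if x[j] <= thr else rm


def softmax(scores):
    m = max(scores)
    e = [math.exp(s - m) for s in scores]
    return [v / sum(e) for v in e]


def train_second_model(X, q, K, threshold=4):
    """Returns the trained rounds; round m holds one stump per preset type n."""
    T = [[0.0] * K for _ in X]            # T_n(x): accumulated score per type
    rounds = []
    for m in range(1, threshold + 1):
        P = [softmax(t) for t in T]       # P_mn(x) at iteration m (uniform at m = 1)
        stumps = []
        for n in range(K):
            # residual y_mn = 1[q = n] - P_mn(x) drives the tree for this type
            y = [(1.0 if q[i] == n else 0.0) - P[i][n] for i in range(len(X))]
            stump = fit_stump(X, y)
            stumps.append(stump)
            for i, x in enumerate(X):
                T[i][n] += predict_stump(stump, x)
        rounds.append(stumps)             # iteration m done; stop once m == threshold
    return rounds


def predict_type(rounds, x):
    """Target preset type = the type with the largest probability after the last round."""
    K = len(rounds[0])
    scores = [sum(predict_stump(r[n], x) for r in rounds) for n in range(K)]
    probs = softmax(scores)
    return max(range(K), key=probs.__getitem__), probs


if __name__ == "__main__":
    model = train_second_model(TRAIN_X, TRAIN_Q, K=len(PRESET_TYPES))
    for x in ([443, 250], [31337, 45]):
        idx, probs = predict_type(model, x)
        print(x, PRESET_TYPES[idx], round(probs[idx], 3))
```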
In this embodiment, the determining module 20 determines the traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic, and can monitor the type of the service traffic that needs to be forwarded on the cloud platform, so that the control module 30 controls the monitored host to discard the first service traffic in the service traffic, discard unsafe service traffic, avoid the occurrence of situations of transmitting and issuing illegal information by accessing an illegal site, and reduce the occurrence of illegal behaviors such as misusing network resources and leaking sensitive information.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a traffic monitoring device based on a cloud network according to an embodiment of the present invention. The device 1 may comprise:
a memory 11 for storing a computer program; a processor 12, configured to implement the steps of the cloud network-based traffic monitoring method provided in the above embodiment when executing the computer program.
The device 1 may include a memory 11, a processor 12 and a bus 13.
The memory 11 includes at least one type of readable storage medium, which includes a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, and the like. The memory 11 may in some embodiments be an internal storage unit of the device 1. The memory 11 may in other embodiments also be an external storage device of the device 1, such as a plug-in hard disk provided on a server, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like. Further, the memory 11 may also comprise both internal memory units of the device 1 and external memory devices. The memory 11 can be used not only for storing application software installed in the device 1 but also various types of data, such as: the code of the program or the like that executes the cloud network-based traffic monitoring method may also be used to temporarily store data that has been output or is to be output.
The processor 12 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor or other data Processing chip in some embodiments, and is used for running program codes stored in the memory 11 or Processing data, such as codes of a program executing a cloud network-based traffic monitoring method, and the like.
The bus 13 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 6, but this is not intended to represent only one bus or type of bus.
Further, the device may further comprise a network interface 14, and the network interface 14 may optionally comprise a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used for establishing a communication connection between the device 1 and other electronic devices.
Optionally, the device 1 may further comprise a user interface 15, the user interface 15 may comprise a Display (Display), an input unit such as keys, and the optional user interface 15 may also comprise a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the device 1 and for displaying a visual user interface.
Fig. 6 only shows the device 1 with the components 11-15, and it will be understood by a person skilled in the art that the structure shown in fig. 6 does not constitute a limitation of the device 1, and may comprise fewer or more components than shown, or a combination of certain components, or a different arrangement of components.
In addition, a computer-readable storage medium is further disclosed, and a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the steps of the cloud network-based traffic monitoring method provided in the foregoing embodiment.
Wherein the storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device, the apparatus and the computer-readable storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, so that the description is simple, and the relevant points can be referred to the description of the method.
The flow monitoring method, the flow monitoring device, the flow monitoring equipment and the computer readable storage medium based on the cloud network provided by the invention are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (10)

1. A traffic monitoring method based on a cloud network is characterized by comprising the following steps:
acquiring service flow on a monitored host;
determining a traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic; wherein the traffic type comprises a secure traffic type and an insecure traffic type;
controlling the monitored host to discard a first service flow in the service flows; and the traffic type corresponding to the first service traffic is the non-secure traffic type.
2. The traffic monitoring method based on the cloud network according to claim 1, wherein when the traffic types further include a preset security behavior type with a preset number of security traffic types, after determining the traffic type corresponding to each of the service flows according to the 5-tuple information of each of the service flows, the method further includes:
controlling the monitored host to forward a second service flow in the service flows according to the forwarding modes corresponding to the preset safety behavior types; and the flow type corresponding to each second service flow is any preset safety behavior type.
3. The traffic monitoring method based on the cloud network according to claim 1, wherein the acquiring the traffic flow on the monitored host includes:
and the monitoring host mirrors the service flow on the monitored host to obtain the mirrored service flow.
4. The traffic monitoring method based on the cloud network according to any one of claims 1 to 3, wherein the determining a traffic type corresponding to each of the service flows according to the 5-tuple information of each of the service flows includes:
judging whether the port number in the 5-tuple information of the current service flow is a known port or not; wherein, the current service flow is any one of the service flows;
if yes, determining the flow type corresponding to the current service flow by using a first mathematical model according to the 5-tuple information of the current service flow;
if not, determining the traffic type corresponding to the current traffic by using the second mathematical model according to the 5-tuple information of the current traffic.
5. The traffic monitoring method based on the cloud network according to claim 4, wherein the determining, according to the 5-tuple information of the current traffic, the traffic type corresponding to the current traffic by using the first mathematical model includes:
judging whether a source ip and a destination ip in the 5-tuple information of the current service flow are both in a safe ip range corresponding to the port number;
if not, determining that the traffic type corresponding to the current service traffic is the unsafe traffic type;
if yes, judging whether a source mac and a destination mac in the 5-tuple information of the current service flow are both in a safety mac range corresponding to the port number;
if the traffic types are not in the safe mac range, determining that the traffic type corresponding to the current service traffic is the non-safe traffic type;
and if the traffic type is in the safe mac range, determining that the traffic type corresponding to the current service traffic is the safe traffic type.
6. The cloud network-based traffic monitoring method according to claim 4, wherein the training process of the second mathematical model includes:
selecting a decision tree by using a base classifier according to the 5-tuple information of the current training service flow to train and obtain a classification result of each preset behavior type corresponding to the current iteration number;
by means of
Figure FDA0002634446750000021
determining the probability that the current training service flow belongs to each preset behavior type at the current iteration number; wherein $P_{mn}(x)$ is the probability that the current training service flow belongs to the current preset behavior type at the current iteration number, m is the current iteration number, n is the current preset behavior type, $T_n(x)$ is the classification result of the current preset behavior type at the current iteration number, K is the number of the preset behavior types, the current training service flow is any training service flow, and the current preset behavior type is any preset behavior type;
judging whether the current iteration number reaches a threshold value;
if so, determining a target preset behavior type according to the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type; the target preset behavior type is a preset behavior type corresponding to the maximum value in the probability that the current training service flow corresponding to the current iteration number belongs to each preset behavior type;
if not, by means of
Figure FDA0002634446750000022
determining the residual corresponding to each preset behavior type at the current iteration number; wherein $y_{mn}$ is the residual corresponding to the current preset behavior type at the current iteration number, q is the preset real behavior type of the current training service flow, and the preset real behavior type is any one of the preset behavior types;
selecting a decision tree by using the base classifier, according to the 5-tuple information of the current training service flow and the residual corresponding to each preset behavior type at the current iteration number, to train and obtain the classification result of each preset behavior type corresponding to the next iteration number, taking the next iteration number as the current iteration number, and returning to the step of, by means of
Figure FDA0002634446750000031
determining the probability that the current training service flow belongs to each preset behavior type at the current iteration number.
7. The cloud network-based traffic monitoring method according to claim 6, wherein the threshold is 4.
8. A traffic monitoring device based on a cloud network is characterized by comprising:
the acquisition module is used for acquiring the service flow on the monitored host;
the determining module is used for determining the traffic type corresponding to each service traffic according to the 5-tuple information of each service traffic; wherein the traffic type comprises a secure traffic type and an insecure traffic type;
the control module is used for controlling the monitored host to discard a first service flow in the service flows; and the traffic type corresponding to the first service traffic is the non-secure traffic type.
9. A traffic monitoring device based on a cloud network is characterized by comprising:
a memory for storing a computer program;
a processor for implementing the steps of the cloud network based traffic monitoring method according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the cloud network-based traffic monitoring method according to any one of claims 1 to 7.
CN202010821167.XA 2020-08-14 2020-08-14 Flow monitoring method, device, equipment and storage medium based on cloud network Pending CN112003850A (en)

Publications (1)

Publication Number Publication Date
CN112003850A true CN112003850A (en) 2020-11-27

Family

ID=73473194

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101641933A (en) * 2006-12-22 2010-02-03 艾利森电话股份有限公司 Preventing of electronic deception
CN102315974A (en) * 2011-10-17 2012-01-11 北京邮电大学 Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows
US20130100849A1 (en) * 2011-10-20 2013-04-25 Telefonaktiebolaget Lm Ericsson (Publ) Creating and using multiple packet traffic profiling models to profile packet flows
CN111224890A (en) * 2019-11-08 2020-06-02 北京浪潮数据技术有限公司 Traffic classification method and system of cloud platform and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201127