CN112202771B - Network flow detection method, system, electronic device and storage medium - Google Patents

Publication number
CN112202771B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011050487.6A
Other languages
Chinese (zh)
Other versions
CN112202771A (en
Inventor
刘妍妍
梅铮
吴洁璇
柯于皇
黄治移
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd
Priority to CN202011050487.6A
Publication of CN112202771A
Publication of CN112202771B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0677 Localisation of faults
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894 Packet rate
    • H04L43/16 Threshold monitoring

Abstract

The embodiments of the invention relate to the technical field of network security and disclose a network traffic detection method, a network traffic detection system, an electronic device and a storage medium. The network traffic detection method comprises the following steps: acquiring a global traffic matrix and a local traffic matrix; acquiring a first test statistic of the global traffic according to the global traffic matrix; detecting whether the network traffic is normal according to the first test statistic of the global traffic; and, if the network traffic is abnormal, performing anomaly localization according to the global traffic matrix and the local traffic matrix. The method can detect whether the network traffic is abnormal and locate the abnormal area without constructing a model of network traffic in the normal state.

Description

Network flow detection method, system, electronic device and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a network flow detection method, a network flow detection system, electronic equipment and a storage medium.
Background
Network traffic anomaly detection is an important technology in the field of network security. At present, a method for detecting network traffic anomaly is as follows: firstly, a network flow model is established according to the network flow under the normal condition, and then the established network flow model is utilized to detect the current network flow.
However, with the development of cloud computing and internet services, the network scale is larger and larger, and the network traffic is also larger and larger, so that in the face of large and complex network global traffic data, it is difficult to establish a network traffic model under normal conditions, and further, the network traffic cannot be detected through the network traffic model.
Disclosure of Invention
An object of embodiments of the present invention is to provide a method, a system, an electronic device, and a storage medium for detecting network traffic, so that it is possible to detect whether network traffic is abnormal and locate an abnormal area without constructing a network traffic model in a normal state.
In order to solve the above technical problem, an embodiment of the present invention provides a network traffic detection method, including the following steps: acquiring a global flow matrix and a local flow matrix; acquiring a first test statistic of the global flow according to the global flow matrix; detecting whether the network flow is normal or not according to the first test statistic of the global flow; and if the network traffic is abnormal, performing abnormal positioning according to the global traffic matrix and the local traffic matrix.
The embodiment of the present invention further provides a network traffic detection system, including: a data acquisition module, used for acquiring a global traffic matrix and a local traffic matrix; a detection module, used for acquiring a first test statistic of the global traffic according to the global traffic matrix acquired by the data acquisition module and detecting whether the network traffic is normal according to the first test statistic of the global traffic; and a positioning module, used for performing anomaly localization according to the global traffic matrix and the local traffic matrix if the detection result of the detection module is that the network traffic is abnormal.
An embodiment of the present invention also provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the network traffic detection method described above.
The embodiment of the present invention further provides a computer-readable storage medium, which stores a computer program, wherein the computer program is executed by a processor to implement the network traffic detection method described above.
Compared with the prior art, the embodiments acquire a global traffic matrix and a local traffic matrix and obtain a first test statistic of the global traffic from the global traffic matrix, which yields a quantized value reflecting the current state of the traffic. Whether the network traffic is normal is then detected according to this first test statistic, so no model needs to be established. If the network traffic is abnormal, anomaly localization is performed according to the global traffic matrix and the local traffic matrix, so the abnormal area is located once an anomaly has been detected. Abnormal traffic can therefore be detected and the abnormal area located without constructing a model of network traffic in the normal state, which solves the prior-art problem that network traffic cannot be detected through a model of network traffic under normal conditions.
In addition, the network traffic detection method provided by the embodiment of the invention acquires time series data of network traffic, and performs windowing on the time series data to obtain the global traffic matrix and the local traffic matrix. Because the data are acquired in real time, detection of network traffic is more efficient and faster.
In addition, the network traffic detection method provided by the embodiment of the present invention performs a Hilbert transform on the global traffic matrix to obtain a global traffic complex matrix; performs matrix standardization on the global traffic complex matrix to obtain a global traffic standard matrix; and obtains a first test statistic of the global traffic from the global standard traffic matrix. The Hilbert transform and standardization of the traffic matrix make test statistics obtained in different periods numerically standardized, uniform and comparable, which reduces the computation and time consumed in detection.
In addition, in the network traffic detection method provided by the embodiment of the invention, a global traffic eigenvalue equivalent matrix is obtained according to the Haar unitary matrix and the global standard traffic matrix; the global traffic eigenvalue equivalent matrix is normalized to obtain the eigenvalues of the normalized global traffic matrix; and the first test statistic of the global traffic is acquired according to a pre-selected statistical distribution function and the eigenvalues of the normalized global traffic matrix. Obtaining the eigenvalue equivalent matrix keeps the characteristics of the data in the matrix unchanged, and normalization further improves the standardization and uniformity of the test statistic, so the threshold does not need to be set repeatedly according to actual requirements during detection, which further reduces the computation and time consumed in detection.
In addition, in the network traffic detection method provided by the embodiment of the invention, a global traffic augmentation matrix and a local traffic augmentation matrix are constructed according to the global traffic matrix and the local traffic matrix; eigenvalues are calculated from the global traffic augmentation matrix and the local traffic augmentation matrix to acquire a second test statistic of the global traffic and a test statistic of the local traffic; whether the difference between the second test statistic of the global traffic and the test statistic of the local traffic is larger than a preset local traffic anomaly threshold is detected to obtain a local traffic detection result; and anomaly localization is carried out according to the local traffic detection result. Obtaining the test statistic yields a quantized value of the traffic data that reflects the current state of the traffic, which makes it convenient to locate the abnormal traffic area.
In addition, in the network traffic detection method according to an embodiment of the present invention, constructing the global traffic augmentation matrix and the local traffic augmentation matrix according to the global traffic matrix and the local traffic matrix includes: performing a Hilbert transform on the global traffic matrix and the local traffic matrix to obtain a global traffic complex matrix and a local traffic complex matrix; performing matrix standardization on the global traffic complex matrix and the local traffic complex matrix to obtain a global traffic standard matrix and a local traffic standard matrix; obtaining the global traffic eigenvalue equivalent matrix and the local traffic eigenvalue equivalent matrix according to a Haar unitary matrix, the global standard traffic matrix and the local traffic standard matrix; normalizing the global traffic eigenvalue equivalent matrix and the local traffic eigenvalue equivalent matrix; and constructing the global traffic augmentation matrix and the local traffic augmentation matrix according to the normalized global traffic eigenvalue equivalent matrix, the normalized local traffic eigenvalue equivalent matrix and a Gaussian white noise matrix. This yields test statistics that are numerically standardized and uniform, which facilitates the subsequent detection of the abnormal traffic area and reduces the computation and time consumed in localization.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, which correspond to the figures in which like reference numerals refer to similar elements and which are not to scale unless otherwise specified.
Fig. 1 is a flowchart of a network traffic detection method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a network traffic detection method according to a second embodiment of the present invention;
Fig. 3 is a flowchart of a network traffic detection method according to a third embodiment of the present invention;
Fig. 4 is a flowchart of step 303 in the network traffic detection method according to the third embodiment of the present invention shown in Fig. 3;
Fig. 5 is a flowchart of a network traffic detection method according to a fourth embodiment of the present invention;
Fig. 6 is a flowchart of step 501 in the network traffic detection method according to the fourth embodiment of the present invention shown in Fig. 5;
Fig. 7 is a schematic structural diagram of a network traffic detection system according to a fifth embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an electronic device according to a sixth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that numerous technical details are set forth in the embodiments in order to give the reader a better understanding of the present application. The technical solution claimed in the present application can nevertheless be implemented without these technical details and with various changes and modifications based on the following embodiments.
The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
Step 101, a global traffic matrix and a local traffic matrix are obtained.
It should be noted that the global traffic matrix and the local traffic matrix are matrices formed by acquiring network traffic data within a period of time, and a plurality of local traffic matrices can be obtained by dividing the global traffic matrix.
Step 102, acquiring a first test statistic of the global traffic according to the global traffic matrix.
In this embodiment, the first test statistic is a statistical average of features reflecting global flow obtained from the global flow matrix.
Step 103, detecting whether the network flow is normal according to the first test statistic of the global flow, if so, executing step 104, and if not, executing step 101.
Step 104, performing anomaly localization according to the global traffic matrix and the local traffic matrix.
Compared with the prior art, the embodiments acquire a global traffic matrix and a local traffic matrix and obtain a first test statistic of the global traffic from the global traffic matrix, which yields a quantized value reflecting the current state of the traffic. Whether the network traffic is normal is then detected according to this first test statistic, so no model needs to be established. If the network traffic is abnormal, anomaly localization is performed according to the global traffic matrix and the local traffic matrix, so the abnormal area is located once an anomaly has been detected. Abnormal traffic can therefore be detected and the abnormal area located without constructing a model of network traffic in the normal state, which solves the prior-art problem that network traffic cannot be detected through a model of network traffic under normal conditions.
A second embodiment of the present invention relates to a network traffic detection method. The second embodiment is substantially the same as the first embodiment, and differs therefrom in that, as shown in fig. 2, step 101 includes:
Step 201, obtaining time series data of network traffic.
In this embodiment, a network traffic probe may be installed in the network, and time series data of network traffic may be acquired by using the probe. Specifically, the global network has p monitoring nodes, which can be divided into r areas, and the observed network link traffic of the i-th node at time t is denoted $y_i(t)$, $i = 1, \dots, p$.
Step 202, performing windowing processing on the time sequence data to obtain a global traffic matrix and a local traffic matrix.
In this embodiment, windowing means constructing a window of size N and processing the time series data with this window, so that N samples are acquired as one cycle. Specifically, the windowed sample data of the i-th node is $y_i = [y_i(T), y_i(T-1), \dots, y_i(T-N+1)]$, $i = 1, \dots, p$, and the global traffic matrix is $Y = [y_1; \dots; y_p]$. A local traffic matrix is the matrix formed by the traffic data of one of the divided regions, and the local traffic matrices corresponding to all the regions together form the global traffic matrix.
Compared with the prior art, this embodiment achieves the beneficial effects of the first embodiment and, because the data are acquired in real time, detects network traffic more efficiently and rapidly.
A third embodiment of the present invention relates to a network traffic detection method. The third embodiment is substantially the same as the first embodiment, and differs therefrom in that, as shown in fig. 3, step 102 includes:
Step 301, performing a Hilbert transform on the global traffic matrix to obtain a global traffic complex matrix.
In this embodiment, the global traffic complex matrix may be obtained by the formula:
Figure BDA0002709391080000051
where $Y_T$ is the global traffic matrix, the subscript $T$ indicates the time at which the matrix was acquired, $j$ is the imaginary unit, and $\mathrm{hilbert}(Y_T)$ is the Hilbert transform of the matrix $Y_T$.
Step 302, performing matrix standardization on the global traffic complex matrix to obtain a global traffic standard matrix.
In this embodiment, the matrix standardization may be performed by the formula:
Figure BDA0002709391080000052
where
Figure BDA0002709391080000053
is the element in the i-th row and j-th column of the matrix
Figure BDA0002709391080000054
,
Figure BDA0002709391080000055
is the mean of the i-th row of the matrix
Figure BDA0002709391080000056
, and
Figure BDA0002709391080000057
is the standard deviation of the i-th row of the matrix
Figure BDA0002709391080000058
.
Step 303, obtaining a first test statistic of the global flow of the global standard flow matrix.
Specifically, as shown in fig. 4, step 303 may include:
Step 401, obtaining a global traffic eigenvalue equivalent matrix according to the Haar unitary matrix and the global standard traffic matrix.
In this embodiment, the global traffic eigenvalue equivalent matrix may be obtained according to the formula:
Figure BDA0002709391080000059
where
Figure BDA00027093910800000510
and
Figure BDA00027093910800000511
are conjugate transposes of each other, and $U_{haar}$ is a Haar unitary matrix. The matrix
Figure BDA00027093910800000512
calculated according to the above formula and the global standard traffic matrix
Figure BDA00027093910800000513
have the same eigenvalue distribution characteristics.
Step 402, normalizing the global traffic eigenvalue equivalent matrix to obtain the eigenvalues of the normalized global traffic matrix.
In this embodiment, the normalization may be performed on the data in each row, and the specific calculation method is as follows:
Figure BDA0002709391080000061
where
Figure BDA0002709391080000062
Figure BDA0002709391080000063
belong, respectively, to the normalized matrix $Z_T$ and to the matrix before normalization
Figure BDA0002709391080000064
, $p$ is the number of columns of the matrix, and
Figure BDA0002709391080000065
is the standard deviation of the i-th row of data of the matrix
Figure BDA0002709391080000066
.
Step 403, acquiring a first test statistic of the global traffic according to the pre-selected statistical distribution function and the eigenvalues of the normalized global traffic matrix.
In this embodiment, the distribution function may be selected in two ways, so the first test statistic of the global traffic can be obtained in two ways:
In the first way, the mean spectral radius is selected as the distribution function to obtain the first test statistic of the global traffic.
Specifically, the formula may be employed:
Figure BDA0002709391080000067
to obtain the first test statistic of the global traffic, where the term subscripted Ti denotes the eigenvalues of $Z_T$, and $p$ is the number of eigenvalues of the matrix $Z_T$.
In the second way, an empirical distribution function is selected to obtain the first test statistic of the global traffic.
Specifically, the formula may be employed:
Figure BDA0002709391080000068
to obtain the first test statistic of the global traffic, where the term subscripted Ti denotes the eigenvalues of $Z_T$, $p$ is the number of eigenvalues of the matrix $Z_T$, and $p_i$ is the value of the empirical distribution function at the i-th eigenvalue, indicating the probability of that eigenvalue appearing.
Of course, the above two ways are only specific examples. In actual use, the distribution function may also be selected in other ways in step 403 to obtain the first test statistic of the global traffic, which is not described in detail here.
Step 103, detecting whether the network flow is normal according to the first test statistic of the global flow, if so, executing step 104, and if not, executing step 101.
In this embodiment, detection compares the first test statistic of the global traffic with a preset network traffic anomaly threshold: the network traffic is normal if the preset threshold is smaller than the first test statistic of the global traffic, and abnormal if the preset threshold is greater than or equal to the first test statistic of the global traffic. The threshold is not limited; in actual use it may be an empirical value or a value obtained through machine learning.
Compared with the prior art, this embodiment achieves the beneficial effects of the first embodiment and, in addition, applies the Hilbert transform and standardization to the traffic matrix, so that test statistics obtained in different periods are numerically standardized, uniform and comparable, which reduces the computation and time consumed in detection. Obtaining the eigenvalue equivalent matrix keeps the characteristics of the data in the matrix unchanged, and normalization further improves the standardization and uniformity of the test statistic, so the threshold does not need to be set repeatedly according to actual requirements during detection, which further reduces the computation and time consumed in detection. Meanwhile, the mathematical method used throughout detection exploits the good statistical properties of high-dimensional random matrix theory on high-dimensional, low-sample data matrices: an accurate eigenvalue distribution can be obtained without collecting a large amount of sampled data, which shortens the sampling period and saves the storage space occupied by the data.
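The following added example is not code from the patent. It runs steps 202 to 403 and the threshold comparison of step 103 on constructed traffic. Assumptions: the page's formulas survive only as figure images, so the equivalent matrix is taken as sqrt(X X^H)·U_haar and the row normalization as division by sqrt(columns)·std, the usual random-matrix ring-law construction; all function names, the 0.85 threshold and the sample traffic are constructed for illustration.

```python
import numpy as np

def analytic_signal(y):
    """Step 301: Y + j*Hilbert(Y), computed row-wise with the FFT."""
    n = y.shape[1]
    gain = np.zeros(n)
    gain[0] = 1.0
    if n % 2 == 0:
        gain[n // 2] = 1.0
        gain[1:n // 2] = 2.0
    else:
        gain[1:(n + 1) // 2] = 2.0
    return np.fft.ifft(np.fft.fft(y, axis=1) * gain, axis=1)

def _scale_rows(m, ref, factor=1.0):
    """Divide each row by factor*std; flat rows (dead probes) become zeros."""
    sd = m.std(axis=1, keepdims=True)
    live = sd > 1e-9 * ref
    return np.where(live, m / np.where(live, factor * sd, 1.0), 0.0)

def standardize(c):
    """Step 302: zero mean and unit standard deviation per row."""
    return _scale_rows(c - c.mean(axis=1, keepdims=True), np.abs(c).max())

def haar_unitary(p, rng):
    """Haar-distributed unitary: QR of a complex Gaussian, phases corrected."""
    g = rng.standard_normal((p, p)) + 1j * rng.standard_normal((p, p))
    q, r = np.linalg.qr(g)
    d = np.diag(r)
    return q * (d / np.abs(d))

def eigen_equivalent(x, rng):
    """Step 401 (assumed form): sqrt(X X^H) @ U_haar, a p x p matrix."""
    u, s, _ = np.linalg.svd(x, full_matrices=False)
    return (u * s) @ u.conj().T @ haar_unitary(x.shape[0], rng)

def normalize(zt):
    """Step 402 (assumed form): z_i = z~_i / (sqrt(columns) * std(z~_i))."""
    return _scale_rows(zt, np.abs(zt).max(), np.sqrt(zt.shape[1]))

def mean_spectral_radius(series, n, rng):
    """Steps 202-403: window, transform, then average |eigenvalue| of Z_T."""
    y = np.asarray(series, dtype=float)[:, -n:]   # latest N samples per node
    z = normalize(eigen_equivalent(standardize(analytic_signal(y)), rng))
    return float(np.mean(np.abs(np.linalg.eigvals(z))))

def is_abnormal(statistic, threshold):
    """Step 103 as stated on the page: abnormal when threshold >= statistic."""
    return threshold >= statistic

def sample_traffic(rng, p=20, t=300, surge_nodes=0):
    """Constructed data: p probes with noisy baseline load; optionally the
    first surge_nodes probes share one strong periodic surge."""
    traffic = 100.0 + 5.0 * rng.standard_normal((p, t))
    if surge_nodes:
        traffic[:surge_nodes] += 80.0 * np.sin(2 * np.pi * np.arange(t) / 25.0)
    return traffic

THRESHOLD = 0.85  # constructed for this sample, not a value from the patent

def demo(seed=7):
    """Return the statistic for a quiet window and for a correlated surge."""
    rng = np.random.default_rng(seed)
    quiet = mean_spectral_radius(sample_traffic(rng), 200, rng)
    surge = mean_spectral_radius(sample_traffic(rng, surge_nodes=8), 200, rng)
    return quiet, surge

if __name__ == "__main__":
    for name, stat in zip(("quiet", "surge"), demo()):
        print(f"{name}: MSR={stat:.3f} abnormal={is_abnormal(stat, THRESHOLD)}")
```

A flat-lined probe yields an all-zero row and therefore a zero eigenvalue, which by itself lowers the statistic. The Haar matrix is random, so fix the seed when comparing runs.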
A fourth embodiment of the present invention relates to a network traffic detection method. The fourth embodiment is substantially the same as the first embodiment, and differs therefrom in that, as shown in fig. 5, step 104 includes:
Step 501, constructing a global traffic augmentation matrix and a local traffic augmentation matrix according to the global traffic matrix and the local traffic matrix.
Specifically, as shown in fig. 6, step 501 further includes:
Step 601, performing a Hilbert transform on the global traffic matrix and the local traffic matrix to obtain a global traffic complex matrix and a local traffic complex matrix.
Specifically, it is substantially the same as step 301, and is not described in detail here.
Step 602, performing matrix standardization on the global traffic complex matrix and the local traffic complex matrix to obtain a global traffic standard matrix and a local traffic standard matrix.
Specifically, the method is substantially the same as step 302, and is not described in detail here.
Step 603, obtaining a global traffic eigenvalue equivalent matrix and a local traffic eigenvalue equivalent matrix according to the Haar unitary matrix, the global standard traffic matrix and the local traffic standard matrix.
Specifically, the method is substantially the same as step 401, and is not repeated herein.
Step 604, normalize the global traffic eigenvalue equivalent matrix and the local traffic eigenvalue equivalent matrix.
Specifically, the method is substantially the same as step 402, and is not described in detail here.
Step 605, constructing a global traffic augmentation matrix and a local traffic augmentation matrix according to the normalized global traffic eigenvalue equivalent matrix, the normalized local traffic eigenvalue equivalent matrix and the Gaussian white noise matrix.
In this embodiment, the augmentation matrices may be constructed according to the formula:
Figure BDA0002709391080000071
where $Z_T$ is the eigenvalue equivalent matrix of the global traffic matrix, $Z_{kT}$ is the eigenvalue equivalent matrix of the local traffic matrix of the k-th region, and $D_{kT}$ is a Gaussian white noise matrix of the same dimension as the local traffic matrix of the k-th region. $F_{kT}$ serves as the reference augmentation matrix: if the traffic matrix of the k-th local area has no anomaly, $E_{kT}$ and $F_{kT}$ should have similar eigenvalue distribution characteristics; if there is an anomaly, the eigenvalue distribution characteristics of $E_{kT}$ and $F_{kT}$ differ greatly. How large a difference counts as great should be determined according to actual conditions; for example, when the network traffic detection requirement is strict, any difference in the distribution characteristics is considered abnormal.
Step 502, calculating eigenvalues from the global traffic augmentation matrix and the local traffic augmentation matrix, and acquiring a second test statistic of the global traffic and a test statistic of the local traffic.
Step 503, detecting whether the difference between the second test statistic of the global flow and the test statistic of the local flow is greater than a preset local flow abnormal threshold, and obtaining a local flow detection result.
The threshold value is not limited in the present embodiment, and may be an empirical value obtained from experience or a numerical value obtained by machine learning in an actual use process. Specifically, taking the test statistic as the one obtained from the mean spectral radius as an example, when
Figure BDA0002709391080000081
When the network flow state of the kth area is abnormal at the time t, when
Figure BDA0002709391080000082
At time t, the network traffic status of the kth zone is abnormal, wherein,
Figure BDA0002709391080000083
$\beta_{kT}$ are, respectively, the second test statistic of the global traffic augmentation matrix and the test statistic of the local traffic augmentation matrix, and $\epsilon$ is the preset local traffic anomaly threshold.
Step 504, performing anomaly localization according to the local traffic detection result.
It should be noted that, in the present embodiment, the local traffic matrices corresponding to all the regions are detected one by one, and all the local traffic detection results are obtained, so that the obtained traffic positioning result is more accurate and comprehensive.
Compared with the prior art, this embodiment achieves the beneficial effects of the first embodiment and, by obtaining the test statistics, yields a quantized value of the traffic data that reflects the current state of the traffic, which makes it convenient to locate the abnormal traffic area. Because the test statistics are numerically standardized and uniform, the abnormal traffic area can be detected conveniently afterwards, and the computation and time consumed in localization are reduced.
The steps of the above methods are divided for clarity of description. In implementation, steps may be combined into one step, or a step may be split into several steps; as long as the same logical relationship is included, all such variants are within the protection scope of this patent. Adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes, without changing the core design of the algorithms or processes is also within the protection scope of this patent.
A fifth embodiment of the present invention relates to a network traffic detection system, as shown in fig. 7, including:
a data obtaining module 701, configured to obtain a global traffic matrix and a local traffic matrix;
a detecting module 702, configured to obtain a first test statistic of global traffic according to the global traffic matrix obtained by the data obtaining module, and detect whether the network traffic is normal according to the first test statistic of global traffic;
and a positioning module 703 for performing anomaly positioning according to the global traffic matrix and the local traffic matrix if the detection result of the detection module is that the network traffic is abnormal.
It should be understood that this embodiment is a system example corresponding to the first embodiment, and may be implemented in cooperation with the first embodiment. The related technical details mentioned in the first embodiment are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the first embodiment.
It should be noted that, in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may also be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not so closely related to solving the technical problems proposed by the present invention are not introduced in the present embodiment, but this does not indicate that other elements are not present in the present embodiment.
A sixth embodiment of the present invention relates to an electronic apparatus, as shown in fig. 8, including:
at least one processor 801; and
a memory 802 communicatively coupled to the at least one processor 801; wherein
the memory 802 stores instructions executable by the at least one processor 801, so that the at least one processor 801 can execute the network traffic detection method according to the first to fourth embodiments of the present invention.
The memory and the processor are connected by a bus, which may include any number of interconnected buses and bridges, linking together one or more of the various circuits of the processor and the memory. The bus may also link various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor is transmitted over a wireless medium through an antenna, which further receives the data and transmits the data to the processor.
The processor is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And the memory may be used to store data used by the processor in performing operations.
Those skilled in the art can understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing related hardware, where the program is stored in a storage medium and includes several instructions that enable a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and various other media capable of storing program code.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (8)

1. A network traffic detection method is characterized by comprising the following steps:
acquiring a global flow matrix and a local flow matrix;
acquiring a first test statistic of the global flow according to the global flow matrix;
detecting whether the network flow is normal or not according to the first test statistic of the global flow;
if the network traffic is abnormal, performing abnormal positioning according to the global traffic matrix and the local traffic matrix;
wherein, the obtaining of the first test statistic of the global flow according to the global flow matrix includes:
performing Hilbert transform on the global flow matrix to obtain a global flow complex matrix;
performing matrix standardization on the global flow complex matrix to obtain a global flow standard matrix;
obtaining a global flow characteristic value equivalent matrix according to the Haar unitary matrix and the global flow standard matrix;
normalizing the global flow characteristic value equivalent matrix to obtain a characteristic value of the normalized global flow matrix;
and acquiring a first test statistic of the global flow according to a pre-selected statistical distribution function and the eigenvalue of the normalized global flow matrix.
2. The method of claim 1, wherein obtaining the global traffic matrix and the local traffic matrix comprises:
acquiring time sequence data of network flow;
and windowing the time sequence data to obtain the global flow matrix and the local flow matrix.
3. The method of claim 1, wherein detecting whether the network traffic is normal based on the first test statistic of the global traffic comprises:
detecting whether a preset network flow abnormal threshold value is smaller than a first test statistic of the global flow;
if the preset network flow abnormal threshold value is smaller than the first test statistic of the global flow, the network flow is normal;
and if the preset network flow abnormal threshold value is larger than or equal to the first test statistic of the global flow, the network flow is abnormal.
4. The method of claim 1, wherein if the network traffic is abnormal, performing abnormal localization according to the global traffic matrix and the local traffic matrix comprises:
constructing a global flow augmentation matrix and a local flow augmentation matrix according to the global flow matrix and the local flow matrix;
calculating a characteristic value according to the global flow augmentation matrix and the local flow augmentation matrix, and acquiring a second test statistic of global flow and a test statistic of local flow;
detecting whether the difference between the second test statistic of the global flow and the test statistic of the local flow is larger than a preset local flow abnormal threshold value or not, and obtaining a local flow detection result;
and carrying out abnormal positioning according to the local flow detection result.
5. The method of claim 4, wherein constructing a global traffic augmentation matrix and a local traffic augmentation matrix from the global traffic matrix and the local traffic matrix comprises:
performing Hilbert transform on the global flow matrix and the local flow matrix to obtain a global flow complex matrix and a local flow complex matrix;
performing matrix standardization on the global flow complex matrix and the local flow complex matrix to obtain a global flow standard matrix and a local flow standard matrix;
obtaining the global flow characteristic value equivalent matrix and the local flow characteristic value equivalent matrix according to a Haar unitary matrix, the global flow standard matrix and the local flow standard matrix;
normalizing the global flow characteristic value equivalent matrix and the local flow characteristic value equivalent matrix;
and constructing the global flow augmentation matrix and the local flow augmentation matrix according to the normalized global flow eigenvalue equivalent matrix, the normalized local flow eigenvalue equivalent matrix and the Gaussian white noise matrix.
6. A network traffic detection system, comprising:
the data acquisition module is used for acquiring a global flow matrix and a local flow matrix;
the detection module is used for acquiring first test statistic of the global flow according to the global flow matrix acquired by the data acquisition module and detecting whether the network flow is normal or not according to the first test statistic of the global flow;
the positioning module is used for carrying out abnormal positioning according to the global flow matrix and the local flow matrix if the detection result of the detection module is that the network flow is abnormal;
wherein, the obtaining of the first test statistic of the global flow according to the global flow matrix includes:
performing Hilbert transform on the global flow matrix to obtain a global flow complex matrix;
performing matrix standardization on the global flow complex matrix to obtain a global flow standard matrix;
obtaining a global flow characteristic value equivalent matrix according to the Haar unitary matrix and the global flow standard matrix;
normalizing the global flow characteristic value equivalent matrix to obtain a characteristic value of the normalized global flow matrix;
and acquiring a first test statistic of the global flow according to a pre-selected statistical distribution function and the characteristic value of the normalized global flow matrix.
7. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of network traffic detection as recited in any of claims 1-5.
8. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the network traffic detection method according to any one of claims 1 to 5.
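The detection chain of claims 1 and 3, sketched with NumPy as an added example (not code from the patent). Assumptions: the mean spectral radius of the eigenvalues stands in for the claimed "pre-selected statistical distribution function", rows are normalized to standard deviation 1/sqrt(N), and the 20 x 200 windows, the threshold 0.6 and the synthetic traffic are constructed for illustration.

```python
import numpy as np

def analytic_rows(x):
    """Hilbert transform per row: complex analytic signal x + i*H(x) via FFT."""
    t = x.shape[1]
    gain = np.zeros(t)
    gain[0] = 1.0
    if t % 2 == 0:
        gain[t // 2] = 1.0
        gain[1:t // 2] = 2.0
    else:
        gain[1:(t + 1) // 2] = 2.0
    return np.fft.ifft(np.fft.fft(x, axis=1) * gain, axis=1)

def haar_unitary(n, rng):
    """Haar-distributed unitary: QR of a complex Gaussian matrix, phases fixed."""
    g = rng.standard_normal((n, n)) + 1j * rng.standard_normal((n, n))
    q, r = np.linalg.qr(g)
    d = np.diag(r)
    return q * (d / np.abs(d))

def first_test_statistic(traffic, rng):
    """Claim 1 chain for one N x T window; returns the mean spectral radius
    (assumed statistic, see lead-in)."""
    z = analytic_rows(np.asarray(traffic, dtype=float))            # complex matrix
    z = (z - z.mean(axis=1, keepdims=True)) / z.std(axis=1, keepdims=True)
    n = z.shape[0]
    w, v = np.linalg.eigh(z @ z.conj().T)                          # Hermitian PSD
    root = (v * np.sqrt(np.clip(w, 0.0, None))) @ v.conj().T       # sqrt(Z Z^H)
    equiv = root @ haar_unitary(n, rng)                            # equivalent matrix
    equiv = equiv / (np.sqrt(n) * equiv.std(axis=1, keepdims=True))
    return float(np.mean(np.abs(np.linalg.eigvals(equiv))))

def is_abnormal(statistic, threshold):
    """Claim 3: traffic is abnormal when the threshold is >= the statistic."""
    return threshold >= statistic

def demo(seed=7, n=20, t=200, threshold=0.6):
    """Constructed data: independent per-link noise vs. a burst shared by all links."""
    rng = np.random.default_rng(seed)
    normal = 100 + 5 * rng.standard_normal((n, t))
    burst = normal + 60 * np.sin(np.linspace(0, 12 * np.pi, t))
    s_normal = first_test_statistic(normal, rng)
    s_burst = first_test_statistic(burst, rng)
    return s_normal, s_burst, is_abnormal(s_normal, threshold), is_abnormal(s_burst, threshold)

if __name__ == "__main__":
    print(demo())
```

A burst common to every row makes the standardized matrix nearly rank one, so most eigenvalues collapse toward the origin and the statistic falls below the threshold, which is the direction of the comparison in claim 3.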
CN202011050487.6A 2020-09-29 2020-09-29 Network flow detection method, system, electronic device and storage medium Active CN112202771B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011050487.6A CN112202771B (en) 2020-09-29 2020-09-29 Network flow detection method, system, electronic device and storage medium

Publications (2)

Publication Number Publication Date
CN112202771A CN112202771A (en) 2021-01-08
CN112202771B true CN112202771B (en) 2022-10-14

Family

ID=74006802

Country Status (1)

Country Link
CN (1) CN112202771B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant