CN112202771B - Network flow detection method, system, electronic device and storage medium - Google Patents
- Publication number: CN112202771B
- Application number: CN202011050487.6A
- Authority: CN (China)
- Prior art keywords: matrix, flow, global, local, traffic
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0677—Localisation of faults
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0894—Packet rate
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
Abstract
The embodiment of the invention relates to the technical field of network security, and discloses a network flow detection method, a network flow detection system, electronic equipment and a storage medium. The network flow detection method comprises the following steps: acquiring a global flow matrix and a local flow matrix; acquiring a first test statistic of the global flow according to the global flow matrix; detecting whether the network flow is normal or not according to the first test statistic of the global flow; and if the network traffic is abnormal, performing abnormal positioning according to the global traffic matrix and the local traffic matrix. The method achieves the purpose of detecting whether the network flow is abnormal and positioning the abnormal area without constructing a network flow model in a normal state.
Description
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a network flow detection method, a network flow detection system, electronic equipment and a storage medium.
Background
Network traffic anomaly detection is an important technology in the field of network security. At present, a method for detecting network traffic anomaly is as follows: firstly, a network flow model is established according to the network flow under the normal condition, and then the established network flow model is utilized to detect the current network flow.
However, with the development of cloud computing and internet services, the network scale is larger and larger, and the network traffic is also larger and larger, so that in the face of large and complex network global traffic data, it is difficult to establish a network traffic model under normal conditions, and further, the network traffic cannot be detected through the network traffic model.
Disclosure of Invention
An object of embodiments of the present invention is to provide a method, a system, an electronic device, and a storage medium for detecting network traffic, so that it is possible to detect whether network traffic is abnormal and locate an abnormal area without constructing a network traffic model in a normal state.
In order to solve the above technical problem, an embodiment of the present invention provides a network traffic detection method, including the following steps: acquiring a global flow matrix and a local flow matrix; acquiring a first test statistic of the global flow according to the global flow matrix; detecting whether the network flow is normal or not according to the first test statistic of the global flow; and if the network traffic is abnormal, performing abnormal positioning according to the global traffic matrix and the local traffic matrix.
The embodiment of the present invention further provides a network traffic detection system, including: the data acquisition module is used for acquiring a global flow matrix and a local flow matrix; the detection module is used for acquiring first test statistic of the global flow according to the global flow matrix acquired by the data acquisition module and detecting whether the network flow is normal or not according to the first test statistic of the global flow; and the positioning module is used for positioning the abnormity according to the global traffic matrix and the local traffic matrix if the detection result of the detection module is that the network traffic is abnormal.
An embodiment of the present invention also provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the network traffic detection method described above.
The embodiment of the present invention further provides a computer-readable storage medium, which stores a computer program, wherein the computer program is executed by a processor to implement the network traffic detection method described above.
Compared with the prior art, the embodiment of the present invention acquires a global flow matrix and a local flow matrix and obtains a first test statistic of the global flow from the global flow matrix, which yields a quantized value of the flow data that reflects the current state of the flow. Whether the network flow is normal is then detected according to the first test statistic of the global flow, so detection requires no model to be established. If the network flow is abnormal, anomaly localization is performed according to the global flow matrix and the local flow matrix, so the abnormal area is located once the anomaly has been detected. In this way, network traffic anomalies can be detected and the abnormal area located without constructing a network traffic model of the normal state, which solves the prior-art problem that network traffic cannot be detected through a network traffic model of the normal condition.
In addition, the network traffic detection method provided by the embodiment of the present invention acquires time series data of network traffic, and windows the time series data to obtain the global flow matrix and the local flow matrix. Because the data are acquired in real time, the detection of network traffic is more efficient and quicker.
In addition, the network traffic detection method provided by the embodiment of the present invention performs a Hilbert transform on the global flow matrix to obtain a global flow complex matrix; performs matrix standardization on the global flow complex matrix to obtain a global flow standard matrix; and obtains the first test statistic of the global flow from the global flow standard matrix. Because the flow matrix undergoes the Hilbert transform and standardization, test statistics obtained in different periods are numerically standardized and uniform and can be compared with one another, which reduces the calculation amount and the time consumed in the detection process.
In addition, according to the network traffic detection method provided by the embodiment of the present invention, a global flow eigenvalue equivalent matrix is obtained according to the Haar unitary matrix and the global flow standard matrix; the global flow eigenvalue equivalent matrix is normalized to obtain the eigenvalues of the normalized global flow matrix; and the first test statistic of the global flow is obtained according to a pre-selected statistical distribution function and the eigenvalues of the normalized global flow matrix. Obtaining the eigenvalue equivalent matrix ensures that the characteristics of the data in the matrix are unchanged, and the normalization further improves the standardization and uniformity of the test statistics, so the threshold does not need to be set repeatedly according to actual requirements during detection, which further reduces the calculation amount and the time consumed in the detection process.
In addition, according to the network traffic detection method provided by the embodiment of the present invention, a global flow augmentation matrix and a local flow augmentation matrix are constructed according to the global flow matrix and the local flow matrix; eigenvalues are calculated from the global flow augmentation matrix and the local flow augmentation matrix to obtain a second test statistic of the global flow and a test statistic of the local flow; whether the difference between the second test statistic of the global flow and the test statistic of the local flow is larger than a preset local flow anomaly threshold is detected to obtain a local flow detection result; and anomaly localization is performed according to the local flow detection result. Obtaining the test statistics yields a quantized value of the flow data that reflects the current state of the flow, which makes it convenient to locate the abnormal flow area.
In addition, in the network traffic detection method according to an embodiment of the present invention, constructing the global flow augmentation matrix and the local flow augmentation matrix according to the global flow matrix and the local flow matrix includes: performing a Hilbert transform on the global flow matrix and the local flow matrix to obtain a global flow complex matrix and a local flow complex matrix; performing matrix standardization on the global flow complex matrix and the local flow complex matrix to obtain a global flow standard matrix and a local flow standard matrix; obtaining the global flow eigenvalue equivalent matrix and the local flow eigenvalue equivalent matrix according to a Haar unitary matrix, the global flow standard matrix and the local flow standard matrix; normalizing the global flow eigenvalue equivalent matrix and the local flow eigenvalue equivalent matrix; and constructing the global flow augmentation matrix and the local flow augmentation matrix according to the normalized global flow eigenvalue equivalent matrix, the normalized local flow eigenvalue equivalent matrix and a Gaussian white noise matrix. Obtaining numerically standardized and uniform test statistics facilitates the subsequent detection of the abnormal flow area and reduces the calculation amount and the time consumed in the localization process.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, which correspond to the figures in which like reference numerals refer to similar elements and which are not to scale unless otherwise specified.
Fig. 1 is a flowchart of a network traffic detection method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a network traffic detection method according to a second embodiment of the present invention;
Fig. 3 is a flowchart of a network traffic detection method according to a third embodiment of the present invention;
Fig. 4 is a flowchart of step 303 in the network traffic detection method according to the third embodiment of the present invention shown in Fig. 3;
Fig. 5 is a flowchart of a network traffic detection method according to a fourth embodiment of the present invention;
Fig. 6 is a flowchart of step 501 in the network traffic detection method according to the fourth embodiment of the present invention shown in Fig. 5;
Fig. 7 is a schematic structural diagram of a network traffic detection system according to a fifth embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an electronic device according to a sixth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments.
The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
It should be noted that the global traffic matrix and the local traffic matrix are matrices formed by acquiring network traffic data within a period of time, and a plurality of local traffic matrices can be obtained by dividing the global traffic matrix.
Step 102: acquire a first test statistic of the global flow according to the global flow matrix.
In this embodiment, the first test statistic is a statistical average of features reflecting global flow obtained from the global flow matrix.
Step 104: perform anomaly localization according to the global traffic matrix and the local traffic matrix.
Compared with the prior art, the embodiment of the present invention acquires a global flow matrix and a local flow matrix and obtains a first test statistic of the global flow from the global flow matrix, which yields a quantized value of the flow data that reflects the current state of the flow. Whether the network flow is normal is then detected according to the first test statistic of the global flow, so detection requires no model to be established. If the network flow is abnormal, anomaly localization is performed according to the global flow matrix and the local flow matrix, so the abnormal area is located once the anomaly has been detected. In this way, network traffic anomalies can be detected and the abnormal area located without constructing a network traffic model of the normal state, which solves the prior-art problem that network traffic cannot be detected through a network traffic model of the normal condition.
A second embodiment of the present invention relates to a network traffic detection method. The second embodiment is substantially the same as the first embodiment, and differs therefrom in that, as shown in fig. 2, step 101 includes:
In this embodiment, a network traffic probe may be installed in the network, and time series data of network traffic may be acquired by using the probe. Specifically, the global network has p monitoring nodes, which can be divided into r areas, and the observed network link flow of the ith node at time t is denoted $y_i(t)$, $i = 1, \dots, p$.
In this embodiment, the windowing process constructs a window of size N and processes the time series data with this window, acquiring N samples as one cycle. Specifically, the sample data of the ith node after windowing is $y_i = [y_i(T), y_i(T-1), \dots, y_i(T-N+1)]$, $i = 1, \dots, p$, and the global traffic matrix is $Y = [y_1; \dots; y_p]$. The local traffic matrix is a matrix formed by the traffic data of each divided region, and the local traffic matrices corresponding to all the regions together form the global traffic matrix.
Compared with the prior art, the method and the device have the advantages that the network flow can be detected more efficiently and rapidly by acquiring the data in real time on the basis of realizing the beneficial effects brought by the first embodiment.
A third embodiment of the present invention relates to a network traffic detection method. The third embodiment is substantially the same as the first embodiment, and differs therefrom in that, as shown in fig. 3, step 102 includes:
In this embodiment, the global traffic complex matrix may be obtained by the formula: where $Y_T$ is the global traffic matrix, the subscript $T$ indicates the time at which the matrix was acquired, $j$ is the imaginary unit, and $\mathrm{Hilbert}(Y_T)$ is the Hilbert transform of the matrix $Y_T$.
Step 302: perform matrix standardization on the global flow complex matrix to obtain a global flow standard matrix.
In this embodiment, the matrix normalization may be by the formula:the process can obtain, in which,is a matrixThe ith row and the jth column of (c),is a matrixThe average value of the ith row is,is a matrixStandard deviation of ith row.
Specifically, as shown in fig. 4, step 303 may include:
In this embodiment, the global flow eigenvalue equivalent matrix may be obtained according to the formula: where and are conjugate transposes of each other, and $U_{harr}$ is a Haar unitary matrix. The matrix calculated according to the above formula and the global flow standard matrix have the same eigenvalue distribution characteristics.
Step 402: normalize the global traffic eigenvalue equivalent matrix to obtain the eigenvalues of the normalized global traffic matrix.
In this embodiment, the normalization may be performed on the data in each row, and the specific calculation method is as follows:wherein the content of the first and second substances, respectively normalized matrix Z T And the matrix before normalizationP is the number of columns of the matrix,is a matrixThe standard deviation of the ith line of data (c).
Step 403: acquire a first test statistic of the global flow according to the pre-selected statistical distribution function and the eigenvalues of the normalized global flow matrix.
In this embodiment, the distribution function may be selected in two ways, so the first test statistic of the global flow may be obtained in two ways:
One way is to select the mean spectral radius as the distribution function to obtain the first test statistic of the global flow.
Specifically, the formula may be employed:obtaining a first test statistic of global flow, wherein Ti Is Z T P is the matrix Z T The number of eigenvalues of (c).
Alternatively, an empirical distribution function is selected to obtain the first test statistic for global flow.
Specifically, the formula may be employed:obtaining a first test statistic of global flow, wherein Ti Is Z T P is the matrix Z T Number of characteristic values of p i Is the function value of the ith eigenvalue in the empirical distribution function, indicating the probability of the eigenvalue appearing.
Of course, the above two methods are only specific examples; in actual use, the distribution function in step 403 may also be selected in other ways to obtain the first test statistic of the global flow, which is not described in detail here.
In this embodiment, the detection method is to determine a magnitude relationship between a first test statistic of the global traffic and a preset network traffic anomaly threshold, where the network traffic is normal if the preset network traffic anomaly threshold is smaller than the first test statistic of the global traffic, and the network traffic is abnormal if the preset network traffic anomaly threshold is greater than or equal to the first test statistic of the global traffic. The threshold is not limited, and in the actual use process, the threshold may be an empirical value obtained from experience, or may be a numerical value obtained through machine learning.
Compared with the prior art, on the basis of the beneficial effects of the first embodiment, this embodiment applies the Hilbert transform and standardization to the flow matrix, so that test statistics obtained in different periods are numerically standardized and uniform and can be compared with one another, which reduces the calculation amount and the time consumed in the detection process. Obtaining the eigenvalue equivalent matrix ensures that the characteristics of the data in the matrix are unchanged, and the normalization further improves the standardization and uniformity of the test statistics, so the threshold does not need to be set repeatedly according to actual requirements during detection, which further reduces the calculation amount and the time consumed. Meanwhile, the mathematical method used throughout the detection process exploits the good statistical properties of high-dimensional random matrix theory on high-dimensional, low-sample data matrices: an accurate eigenvalue distribution can be obtained without acquiring a large amount of sampled data, which shortens the sampling period and saves the storage space occupied by the data.
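The detection path of the third embodiment with the mean-spectral-radius statistic, as an added example that is not part of the patent text. The formulas are not reproduced on this page, so the per-row standardization, the form sqrt(Y·Y^H)·U for the equivalent matrix, the 1/(sqrt(P)·σ) row normalization, the statistic as the mean eigenvalue modulus, the threshold 0.85 and the traffic data are all assumptions or constructed values; numpy is required.

```python
import numpy as np

def window_matrix(series, N):
    """Latest N samples per node: rows are the p nodes, columns the N samples."""
    return np.asarray(series, dtype=float)[:, -N:]

def analytic_signal(Y):
    """Row-wise Y + j*Hilbert(Y), computed with the FFT."""
    N = Y.shape[1]
    gain = np.zeros(N)
    gain[0] = 1.0
    gain[1:(N + 1) // 2] = 2.0           # positive frequencies doubled
    if N % 2 == 0:
        gain[N // 2] = 1.0               # Nyquist bin kept once
    return np.fft.ifft(np.fft.fft(Y, axis=1) * gain, axis=1)

def standardize_rows(M):
    """Assumed standardization: zero mean, unit standard deviation per row."""
    mean = M.mean(axis=1, keepdims=True)
    std = M.std(axis=1, keepdims=True)   # for complex input: sqrt(mean |x - mean|^2)
    std[std < 1e-12] = 1.0               # a silent probe gives a zero row, not NaN
    return (M - mean) / std

def haar_unitary(n, rng):
    """Haar-distributed unitary matrix from the QR factorization of a Ginibre matrix."""
    G = rng.standard_normal((n, n)) + 1j * rng.standard_normal((n, n))
    Q, R = np.linalg.qr(G)
    d = np.diagonal(R)
    return Q * (d / np.abs(d))           # fix column phases so Q is Haar distributed

def equivalent_matrix(Ystd, rng):
    """Assumed form sqrt(Y Y^H) U: square p x p, same singular values as Ystd."""
    gram = Ystd @ Ystd.conj().T
    w, V = np.linalg.eigh(gram)          # gram is Hermitian positive semi-definite
    root = (V * np.sqrt(np.clip(w, 0.0, None))) @ V.conj().T
    return root @ haar_unitary(gram.shape[0], rng)

def normalize_rows(Z):
    """Assumed normalization: each row divided by sqrt(P) * row std, P = columns."""
    std = Z.std(axis=1, keepdims=True)
    std[std < 1e-12] = 1.0
    return Z / (np.sqrt(Z.shape[1]) * std)

def mean_spectral_radius(Zn):
    """Mean modulus of the eigenvalues of the normalized matrix."""
    return float(np.mean(np.abs(np.linalg.eigvals(Zn))))

def first_test_statistic(Y, rng):
    """Hilbert transform -> standardize -> equivalent matrix -> normalize -> MSR."""
    Ystd = standardize_rows(analytic_signal(Y))
    return mean_spectral_radius(normalize_rows(equivalent_matrix(Ystd, rng)))

def is_normal(statistic, threshold):
    """Rule as stated on the page: normal when the threshold is below the statistic."""
    return threshold < statistic

THRESHOLD = 0.85  # constructed value; the page leaves the threshold to experience

def constructed_demo(seed=7):
    """Constructed traffic: 30 nodes, 400 samples, window of N = 300 samples."""
    rng = np.random.default_rng(seed)
    p, N = 30, 300
    baseline = 100.0 + 5.0 * rng.standard_normal((p, 400))  # independent links
    burst = 40.0 * rng.standard_normal(400)                 # one shared surge
    flooded = baseline.copy()
    flooded[:10] += burst                # the 10 nodes of one region see the surge
    s_normal = first_test_statistic(window_matrix(baseline, N), rng)
    s_flooded = first_test_statistic(window_matrix(flooded, N), rng)
    return s_normal, s_flooded

if __name__ == "__main__":
    for name, s in zip(("baseline", "flooded"), constructed_demo()):
        print(f"{name}: statistic={s:.3f} normal={is_normal(s, THRESHOLD)}")
```

Correlated traffic across the flooded region makes the standardized matrix nearly rank-deficient, which pulls eigenvalues toward the origin and lowers the statistic; keep the window at N ≥ 2p, because the analytic signal of a real row spans only about N/2 dimensions.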
A fourth embodiment of the present invention relates to a network traffic detection method. The fourth embodiment is substantially the same as the first embodiment, and differs therefrom in that, as shown in fig. 5, step 104 includes:
Step 501: construct a global traffic augmentation matrix and a local traffic augmentation matrix according to the global traffic matrix and the local traffic matrix.
Specifically, as shown in fig. 6, step 501 further includes:
Specifically, it is substantially the same as step 301, and is not described in detail here.
Specifically, the method is substantially the same as step 302, and is not described in detail here.
Specifically, the method is substantially the same as step 401, and is not repeated herein.
Specifically, the method is substantially the same as step 402, and is not described in detail here.
Step 605: construct a global flow augmentation matrix and a local flow augmentation matrix according to the normalized global flow eigenvalue equivalent matrix, the normalized local flow eigenvalue equivalent matrix and the Gaussian white noise matrix.
In this embodiment, the augmentation matrices may be constructed according to the formula: where $Z_T$ is the eigenvalue equivalent matrix of the global traffic matrix, $Z_{kT}$ is the eigenvalue equivalent matrix of the local flow matrix of the kth region, and $D_{kT}$ is a Gaussian white noise matrix of the same dimension as the local flow matrix of the kth region. $F_{kT}$ serves as the reference augmentation matrix: if the traffic matrix of the kth local region has no abnormality, $E_{kT}$ and $F_{kT}$ should have similar eigenvalue distribution characteristics; if there is an abnormality, the eigenvalue distribution characteristics of $E_{kT}$ and $F_{kT}$ differ greatly. How large a difference counts as great should be determined according to actual conditions; for example, when the network traffic detection requirement is strict, any difference in the distribution characteristics is considered abnormal.
Step 502: calculate eigenvalues from the global flow augmentation matrix and the local flow augmentation matrix, and acquire a second test statistic of the global flow and a test statistic of the local flow.
The threshold value is not limited in the present embodiment, and may be an empirical value obtained from experience or a numerical value obtained by machine learning in an actual use process. Specifically, taking the test statistic as the one obtained from the mean spectral radius as an example, whenWhen the network flow state of the kth area is abnormal at the time t, whenAt time t, the network traffic status of the kth zone is abnormal, wherein,β kT the second detection statistic of the global flow augmentation matrix and the detection statistic of the local flow augmentation matrix are respectively, and epsilon is a preset local flow anomaly threshold.
Step 504: perform anomaly localization according to the local flow detection result.
It should be noted that, in the present embodiment, the local traffic matrices corresponding to all the regions are detected one by one, and all the local traffic detection results are obtained, so that the obtained traffic positioning result is more accurate and comprehensive.
Compared with the prior art, the embodiment of the invention has the advantages that on the basis of realizing the beneficial effect brought by the first embodiment, the current state of the flow is reflected by obtaining a quantized numerical value of the flow data through obtaining the test statistic, so that the abnormal flow area is conveniently positioned. And by acquiring the numerically standard and uniform test statistic, the flow abnormal area can be conveniently detected subsequently, and the calculated amount and the consumed time in the positioning process are reduced.
The steps of the above methods are divided for clarity, and the implementation may be combined into one step or split some steps, and the steps are divided into multiple steps, so long as the same logical relationship is included, which are all within the protection scope of the present patent; it is within the scope of the patent to add insignificant modifications to the algorithms or processes or to introduce insignificant design changes to the core design without changing the algorithms or processes.
A fifth embodiment of the present invention relates to a network traffic detection system, as shown in fig. 7, including:
a data obtaining module 701, configured to obtain a global traffic matrix and a local traffic matrix;
a detecting module 702, configured to obtain a first test statistic of global traffic according to the global traffic matrix obtained by the data obtaining module, and detect whether the network traffic is normal according to the first test statistic of global traffic;
and a positioning module 703 for performing anomaly positioning according to the global traffic matrix and the local traffic matrix if the detection result of the detection module is that the network traffic is abnormal.
It should be understood that this embodiment is a system example corresponding to the first embodiment, and may be implemented in cooperation with the first embodiment. The related technical details mentioned in the first embodiment are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the first embodiment.
It should be noted that, in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may also be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not so closely related to solving the technical problems proposed by the present invention are not introduced in the present embodiment, but this does not indicate that other elements are not present in the present embodiment.
A sixth embodiment of the present invention relates to an electronic apparatus, as shown in fig. 8, including:
at least one processor 801; and
a memory 802 communicatively coupled to the at least one processor 801; wherein
the memory 802 stores instructions executable by the at least one processor 801, so that the at least one processor 801 can execute the network traffic detection method according to the first to fourth embodiments of the present invention.
The memory and the processor are connected by a bus, which may include any number of interconnected buses and bridges, linking together one or more of the various circuits of the processor and the memory. The bus may also link various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor is transmitted over a wireless medium through an antenna, which further receives the data and transmits the data to the processor.
The processor is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And the memory may be used to store data used by the processor in performing operations.
Those skilled in the art can understand that all or part of the steps in the method of the foregoing embodiments may be implemented by a program to instruct related hardware, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, etc.) or a processor (processor) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.
Claims (8)
1. A network traffic detection method is characterized by comprising the following steps:
acquiring a global flow matrix and a local flow matrix;
acquiring a first test statistic of the global flow according to the global flow matrix;
detecting whether the network flow is normal or not according to the first test statistic of the global flow;
if the network traffic is abnormal, performing abnormal positioning according to the global traffic matrix and the local traffic matrix;
wherein, the obtaining of the first test statistic of the global flow according to the global flow matrix includes:
performing Hilbert transform on the global flow matrix to obtain a global flow complex matrix;
performing matrix standardization on the global flow complex matrix to obtain a global flow standard matrix;
obtaining a global flow eigenvalue equivalent matrix according to a Haar unitary matrix and the global flow standard matrix;
normalizing the global flow eigenvalue equivalent matrix to obtain the eigenvalues of the normalized global flow matrix;
and acquiring a first test statistic of the global flow according to a pre-selected statistical distribution function and the eigenvalue of the normalized global flow matrix.
2. The method of claim 1, wherein obtaining the global traffic matrix and the local traffic matrix comprises:
acquiring time sequence data of network flow;
and windowing the time sequence data to obtain the global flow matrix and the local flow matrix.
3. The method of claim 1, wherein detecting whether the network traffic is normal based on the first test statistic of the global traffic comprises:
detecting whether a preset network flow abnormal threshold value is smaller than a first test statistic of the global flow;
if the preset network flow abnormal threshold value is smaller than the first test statistic of the global flow, the network flow is normal;
and if the preset network flow abnormal threshold value is larger than or equal to the first test statistic of the global flow, the network flow is abnormal.
4. The method of claim 1, wherein if the network traffic is abnormal, performing abnormal localization according to the global traffic matrix and the local traffic matrix comprises:
constructing a global flow augmentation matrix and a local flow augmentation matrix according to the global flow matrix and the local flow matrix;
calculating eigenvalues according to the global flow augmentation matrix and the local flow augmentation matrix, and acquiring a second test statistic of global flow and a test statistic of local flow;
detecting whether the difference between the second test statistic of the global flow and the test statistic of the local flow is larger than a preset local flow abnormal threshold value or not, and obtaining a local flow detection result;
and carrying out abnormal positioning according to the local flow detection result.
5. The method of claim 4, wherein constructing a global traffic augmentation matrix and a local traffic augmentation matrix from the global traffic matrix and the local traffic matrix comprises:
performing Hilbert transform on the global flow matrix and the local flow matrix to obtain a global flow complex matrix and a local flow complex matrix;
performing matrix standardization on the global flow complex matrix and the local flow complex matrix to obtain a global flow standard matrix and a local flow standard matrix;
obtaining the global flow eigenvalue equivalent matrix and the local flow eigenvalue equivalent matrix according to a Haar unitary matrix, the global flow standard matrix and the local flow standard matrix;
normalizing the global flow eigenvalue equivalent matrix and the local flow eigenvalue equivalent matrix;
and constructing the global flow augmentation matrix and the local flow augmentation matrix according to the normalized global flow eigenvalue equivalent matrix, the normalized local flow eigenvalue equivalent matrix and the Gaussian white noise matrix.
6. A network traffic detection system, comprising:
the data acquisition module is used for acquiring a global flow matrix and a local flow matrix;
the detection module is used for acquiring first test statistic of the global flow according to the global flow matrix acquired by the data acquisition module and detecting whether the network flow is normal or not according to the first test statistic of the global flow;
the positioning module is used for carrying out abnormal positioning according to the global flow matrix and the local flow matrix if the detection result of the detection module is that the network flow is abnormal;
wherein, the obtaining of the first test statistic of the global flow according to the global flow matrix includes:
performing Hilbert transform on the global flow matrix to obtain a global flow complex matrix;
performing matrix standardization on the global flow complex matrix to obtain a global flow standard matrix;
obtaining a global flow eigenvalue equivalent matrix according to a Haar unitary matrix and the global flow standard matrix;
normalizing the global flow eigenvalue equivalent matrix to obtain the eigenvalues of the normalized global flow matrix;
and acquiring a first test statistic of the global flow according to a pre-selected statistical distribution function and the eigenvalues of the normalized global flow matrix.
7. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of network traffic detection as recited in any of claims 1-5.
8. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the network traffic detection method according to any one of claims 1 to 5.
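The detection steps of claims 1 and 3, carried through on sample data, as an added Python example that is not code from the patent. It assumes the mean spectral radius as the pre-selected test function and row-wise standardization; the function names, the threshold 0.7 and the sample traffic are constructed for illustration.

```python
import numpy as np

THRESHOLD = 0.7  # constructed anomaly threshold, not a value from the patent

def analytic_signal(x):
    """Hilbert transform along time (axis 1): real rows -> complex rows."""
    t = x.shape[1]
    h = np.zeros(t)
    h[0] = 1.0
    h[1:(t + 1) // 2] = 2.0          # keep positive frequencies, doubled
    if t % 2 == 0:
        h[t // 2] = 1.0              # Nyquist bin
    return np.fft.ifft(np.fft.fft(x, axis=1) * h, axis=1)

def haar_unitary(n, rng):
    """Haar-distributed unitary matrix via QR of a complex Gaussian matrix."""
    g = rng.standard_normal((n, n)) + 1j * rng.standard_normal((n, n))
    q, r = np.linalg.qr(g)
    d = np.diag(r)
    return q * (d / np.abs(d))       # phase correction on each column

def first_test_statistic(traffic, rng):
    """traffic: N x T real matrix (N monitored links, T samples, N < T)."""
    n = traffic.shape[0]
    x = analytic_signal(traffic)
    x = x - x.mean(axis=1, keepdims=True)            # matrix standardization:
    x = x / (x.std(axis=1, keepdims=True) + 1e-12)   # zero-mean, unit-variance rows
    w, v = np.linalg.eigh(x @ x.conj().T)            # Hermitian, positive semidefinite
    root = (v * np.sqrt(np.clip(w, 0.0, None))) @ v.conj().T
    xu = root @ haar_unitary(n, rng)                 # eigenvalue equivalent matrix
    z = xu / (np.sqrt(n) * xu.std(axis=1, keepdims=True) + 1e-12)
    return float(np.mean(np.abs(np.linalg.eigvals(z))))  # mean spectral radius

def is_normal(stat, threshold=THRESHOLD):
    return threshold < stat          # comparison direction stated in claim 3

def demo():
    rng = np.random.default_rng(7)
    normal = 100 + 5 * rng.standard_normal((20, 100))   # constructed baseline
    attack = normal.copy()
    attack[:, 70:] += 200                               # constructed shared surge
    return first_test_statistic(normal, rng), first_test_statistic(attack, rng)

if __name__ == "__main__":
    for name, stat in zip(("baseline", "surge"), demo()):
        print(name, round(stat, 3), "normal" if is_normal(stat) else "ABNORMAL")
```

Independent rows keep the eigenvalues near the unit circle, so the statistic stays above the threshold; a surge shared across links correlates the rows, collapses the eigenvalues toward the origin, and drops the statistic below it.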
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011050487.6A CN112202771B (en) | 2020-09-29 | 2020-09-29 | Network flow detection method, system, electronic device and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112202771A (en) | 2021-01-08 |
CN112202771B (en) | 2022-10-14 |
Family
ID=74006802
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011050487.6A Active CN112202771B (en) | 2020-09-29 | 2020-09-29 | Network flow detection method, system, electronic device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112202771B (en) |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017067615A1 (en) * | 2015-10-23 | 2017-04-27 | Nec Europe Ltd. | Method and system for supporting detection of irregularities in a network |
US10079768B2 (en) * | 2016-07-07 | 2018-09-18 | Cisco Technology, Inc. | Framework for joint learning of network traffic representations and traffic classifiers |
CN107404471A (en) * | 2017-04-05 | 2017-11-28 | 青海民族大学 | One kind is based on ADMM algorithm network flow abnormal detecting methods |
CN108650218B (en) * | 2018-03-22 | 2019-10-08 | 平安科技(深圳)有限公司 | Network Traffic Monitoring method, apparatus, computer equipment and storage medium |
CN110505179B (en) * | 2018-05-17 | 2021-02-09 | 中国科学院声学研究所 | Method and system for detecting network abnormal flow |
US11108795B2 (en) * | 2018-05-25 | 2021-08-31 | At&T Intellectual Property I, L.P. | Intrusion detection using robust singular value decomposition |
CN110602029B (en) * | 2019-05-15 | 2022-06-28 | 上海云盾信息技术有限公司 | Method and system for identifying network attack |
CN110719299A (en) * | 2019-11-18 | 2020-01-21 | 中国移动通信集团内蒙古有限公司 | Honeypot construction method, device, equipment and medium for defending network attack |
CN110868431A (en) * | 2019-12-24 | 2020-03-06 | 华北电力大学 | Network flow abnormity detection method |
CN111262851A (en) * | 2020-01-14 | 2020-06-09 | 中移(杭州)信息技术有限公司 | DDOS attack detection method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN112202771A (en) | 2021-01-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||