CN112291213A - Abnormal flow analysis method and device based on intelligent terminal - Google Patents

Info

Publication number: CN112291213A
Authority: CN (China)
Prior art keywords: data, flow, analysis model, flow analysis, traffic
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202011112621.0A
Other languages: Chinese (zh)
Inventors: 姚熙, 何鑫鑫, 王迷涛
Current assignee: Beijing Fangyan Juxing Technology Co ltd
Original assignee: Beijing Fangyan Juxing Technology Co ltd

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/14 Network analysis or design
              • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The application discloses an abnormal traffic analysis method and device based on an intelligent terminal. The method comprises the following steps: collecting traffic data of Internet of Things (IoT) devices; processing the traffic data to obtain a prediction data set; analyzing the prediction data set with a preset traffic analysis model to determine whether the traffic data is abnormal; and, when the traffic data is determined to be abnormal, determining a malicious network traffic topology graph from the malicious control terminal information corresponding to the traffic data. The device comprises a collecting module, a processing module, an analysis module and a topology module. DDoS attacks can be identified by analyzing the abnormal traffic.

Description

Abnormal traffic analysis method and device based on intelligent terminal
Technical Field
The application relates to the field of Internet of Things security management, in particular to an abnormal traffic analysis method and device based on an intelligent terminal.
Background
The Internet of Things (IoT) is an Internet-based information carrier and an extension and expansion of the traditional Internet. Because IoT devices are usually unattended and unmonitored, receive version updates late, and have poor defenses against malware, they are easily taken over to become nodes of an IoT botnet and then used to carry out Distributed Denial of Service (DDoS) attacks, which seriously threatens the security of the whole Internet environment. In 2016, tens of thousands of IoT devices controlled by the Mirai botnet were the main culprits in paralysing half of the American Internet.
In the prior art, methods for detecting IoT DDoS attacks include: setting a traffic threshold and classifying traffic as attack traffic when the actual traffic value exceeds the threshold; or using an agile IoT solution provided by a third party.
Because IoT devices are often installed once and then used for a long time without monitoring or maintenance, detecting DDoS attacks with a fixed traffic threshold is not flexible enough, the threshold is difficult to choose and the accuracy is low; purchasing a third-party solution costs more.
Disclosure of Invention
It is an object of the present application to overcome, or at least partially solve or mitigate, the above problems. An abnormal traffic analysis method and device based on an intelligent terminal are provided, and DDoS attacks are identified by analyzing abnormal traffic.
According to one aspect of the application, an abnormal traffic analysis method based on an intelligent terminal is provided, comprising the following steps:
collecting traffic data of IoT devices;
processing the traffic data to obtain a prediction data set;
analyzing the prediction data set with a preset traffic analysis model to determine whether the traffic data is abnormal;
and, when the traffic data is determined to be abnormal, determining a malicious network traffic topology graph from the malicious control terminal information corresponding to the traffic data.
Preferably, the preset traffic analysis model is obtained as follows:
reporting traffic data to a cloud server in real time or at fixed intervals by installing an agent on the device;
the cloud server collecting traffic data of the device in its normal running state and in the DDoS attack state it enters after being maliciously controlled;
recording the category of the collected traffic data;
processing the normal-state traffic data and the DDoS-attack-state traffic data separately, completing feature extraction, and obtaining a feature data set;
splitting the feature data set into a training set and a test set;
and training and verifying a traffic analysis model with the training set and the test set to obtain the preset traffic analysis model.
Preferably, processing the traffic data in the normal running state and the traffic data in the DDoS attack state initiated after malicious control includes:
cleaning the collected traffic data of both states;
converting the format of the cleaned traffic data into description data for each traffic packet;
and converging (aggregating) the converted description data along a preset dimension.
Preferably, training and verifying the traffic analysis model with the feature data to obtain the preset traffic analysis model comprises:
training the traffic analysis model with the feature data of the training set and recording the model's evaluation indexes;
adjusting the parameters of the traffic analysis model according to the quality of the evaluation indexes to obtain a test traffic analysis model;
verifying the test traffic analysis model with the feature data of the test set;
if all evaluation indexes of the test traffic analysis model reach their expected values, taking the test traffic analysis model as the preset traffic analysis model; otherwise, readjusting the algorithm and parameters of the traffic analysis model until a preset traffic analysis model is obtained whose evaluation indexes all reach the expected values.
Preferably, the method further comprises sending an alarm when the traffic data is determined to be abnormal.
Preferably, determining the malicious network traffic topology graph from the malicious control end information corresponding to the traffic data includes:
analyzing the collected attack data algorithmically to obtain the malicious control end IP and the attack target IP;
confirming and refining the malicious control end IP and attack target IP data against an IP whitelist;
counting the parameters and attack types of the traffic interaction between the device, the malicious control end IP and the attack target IP, and drawing the malicious network traffic topology graph;
the parameters of the traffic interaction include one or more of the following:
packet type, traffic volume, attack start time and attack end time.
According to another aspect of the present application, an abnormal traffic analysis apparatus based on an intelligent terminal is also provided, comprising:
a collecting module for collecting traffic data of IoT devices;
a processing module for processing the traffic data to obtain a prediction data set;
an analysis module for analyzing the prediction data set with a preset traffic analysis model and determining whether the traffic data is abnormal;
and a topology module configured to determine a malicious network traffic topology graph from the malicious control terminal information corresponding to the traffic data when the traffic data is determined to be abnormal.
Preferably, the preset traffic analysis model used by the analysis module is obtained as follows:
reporting traffic data to a cloud server in real time or at fixed intervals by installing an agent on the device;
the cloud server collecting traffic data of the device in its normal running state and in the DDoS attack state it enters after being maliciously controlled;
recording the category of the collected traffic data;
processing the normal-state traffic data and the DDoS-attack-state traffic data separately, completing feature extraction, and obtaining a feature data set;
splitting the feature data set into a training set and a test set;
and training and verifying a traffic analysis model with the training set and the test set to obtain the preset traffic analysis model.
Preferably, the analysis module's processing of the traffic data in the normal running state and the traffic data in the DDoS attack state initiated after malicious control includes:
cleaning the collected traffic data of both states;
converting the format of the cleaned traffic data into description data for each traffic packet;
and converging (aggregating) the converted description data along a preset dimension.
Preferably, the analysis module's training and verifying of the traffic analysis model with the feature data to obtain the preset traffic analysis model includes:
training the traffic analysis model with the feature data of the training set and recording the model's evaluation indexes;
adjusting the parameters of the traffic analysis model according to the quality of the evaluation indexes to obtain a test traffic analysis model;
verifying the test traffic analysis model with the feature data of the test set;
if all evaluation indexes of the test traffic analysis model reach their expected values, taking the test traffic analysis model as the preset traffic analysis model; otherwise, readjusting the algorithm and parameters of the traffic analysis model until a preset traffic analysis model is obtained whose evaluation indexes all reach the expected values.
According to the abnormal traffic analysis method and device based on the intelligent terminal, an IoT DDoS attack detection method is built by machine-learning modelling, and DDoS attacks are identified through abnormal traffic analysis. The method includes reporting device traffic from the IoT device in real time or at fixed intervals; processing, classifying and labelling the collected device traffic according to DDoS attack type to obtain feature data; training and tuning a model on the feature data to obtain an optimal model; predicting on the traffic data reported by the device in real time with the optimal model; and, when the prediction result is a DDoS attack, raising an alarm and deriving the device's traffic topology graph by analysis, so that the user can discover the device's abnormal behaviour and its specific traffic situation in time.
The advantages are that the traffic analysis model obtained by training and tuning a machine-learning classification algorithm is common to all devices of the same IoT product; category data can be added later to improve the model's ability to identify different DDoS attacks; the logic that processes prediction results can be adjusted dynamically to reduce the model's false alarm rate; and the detection system is separate from the device, so the device's normal operation is not affected.
The above and other objects, advantages and features of the present application will become more apparent to those skilled in the art from the following detailed description of specific embodiments, taken in conjunction with the accompanying drawings.
Drawings
Some specific embodiments of the present application will be described in detail hereinafter, by way of illustration and not limitation, with reference to the accompanying drawings. The same reference numbers in the drawings identify the same or similar elements or components. Those skilled in the art will appreciate that the drawings are not necessarily drawn to scale. In the drawings:
FIG. 1 is a network topology diagram of an IoT according to an embodiment of the application;
FIG. 2 is a schematic flow chart of an abnormal traffic analysis method based on an intelligent terminal according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of obtaining a preset traffic analysis model according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of processing the traffic data according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of obtaining a preset traffic analysis model by training and verifying a traffic analysis model with the feature data according to an embodiment of the present application;
FIG. 6 is a schematic flow chart of determining a malicious network traffic topology graph from the malicious control end information corresponding to the traffic data according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an abnormal traffic analysis device based on an intelligent terminal according to an embodiment of the present application;
FIG. 8 is a schematic flow chart of traffic analysis model training according to an embodiment of the present application;
FIG. 9 is a schematic flow chart of real-time prediction on traffic data according to an embodiment of the present application;
FIG. 10 is a botnet traffic topology diagram according to an embodiment of the present application;
FIG. 11 is a schematic block diagram of a computing device according to embodiments of the present application;
FIG. 12 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present application.
Detailed Description
FIG. 1 is a network topology diagram of an IoT according to an embodiment of the application: an agent is installed on the IoT device, and the traffic generated by the device is reported to the cloud server.
FIG. 2 is a schematic flow chart of an abnormal traffic analysis method based on an intelligent terminal according to an embodiment of the present application. The method generally comprises the following steps S1 to S4:
S1, collecting traffic data of IoT devices;
S2, processing the traffic data to obtain a prediction data set;
S3, analyzing the prediction data set with a preset traffic analysis model and determining whether the traffic data is abnormal;
and S4, when the traffic data is determined to be abnormal, determining a malicious network traffic topology graph from the malicious control terminal information corresponding to the traffic data.
In the embodiment of the invention, an agent can be installed on the IoT device; the agent reports the device's traffic according to a preset strategy, for example at fixed intervals.
As shown in FIG. 3, in the embodiment of the present invention the preset traffic analysis model used in step S3 is obtained as follows:
S301, reporting traffic data to a cloud server in real time or at fixed intervals by installing an agent on the device;
S302, the cloud server collects traffic data of the device in its normal running state and in the DDoS attack state after it has been maliciously controlled;
S303, recording the category of the collected traffic data;
S304, processing the normal-state traffic data and the DDoS-attack-state traffic data separately and completing feature extraction to obtain a feature data set;
S305, splitting the feature data set into a training set and a test set;
and S306, training and verifying the traffic analysis model with the training set and the test set to obtain the preset traffic analysis model.
In the embodiment of the invention, the collected device traffic is processed, classified and labelled according to DDoS attack type to obtain feature data, and a model is trained and tuned on the feature data to obtain an optimal model.
In the embodiment of the invention, feature extraction is performed on collected traffic data in two places. The first is while obtaining the preset traffic analysis model: features are extracted from previously collected traffic data to obtain a feature data set, which is then generally split by a simple quantitative ratio into a training set and a test set. The second is during real-time prediction with the model: features are extracted from the traffic data reported by the device in real time to obtain a feature data set, which is generally called the prediction data set and is fed to the model for real-time prediction. Feature extraction is logically the same in both cases, i.e. the resulting feature data sets have a consistent format; the difference is that the training set and test set can be processed offline, whereas prediction is typically done in real time.
In the embodiment of the invention, IoT devices generally report their traffic in real time;
obtaining the preset traffic analysis model is generally offline processing, performed on previously collected traffic data;
the traffic analysis model itself is generally used for real-time processing, i.e. to predict on the traffic data reported by the device in real time.
As shown in FIG. 4, in the embodiment of the present invention the processing, in step S303, of the traffic data in the normal running state and the traffic data in the DDoS attack state initiated after malicious control includes:
S3031, cleaning the collected traffic data of both states;
S3032, converting the format of the cleaned traffic data into description data for each traffic packet;
and S3033, converging the converted description data along a preset dimension.
As shown in FIG. 5, in the embodiment of the present invention, step S305, training and verifying the traffic analysis model with the feature data to obtain the preset traffic analysis model, includes:
S3051, training the traffic analysis model with the feature data of the training set and recording the model's evaluation indexes;
S3052, adjusting the parameters of the traffic analysis model according to the quality of the evaluation indexes to obtain a test traffic analysis model;
S3053, verifying the test traffic analysis model with the feature data of the test set;
S3054, if every evaluation index of the test traffic analysis model reaches its expected value, taking the test traffic analysis model as the preset traffic analysis model;
and S3055, otherwise, readjusting the algorithm and parameters of the traffic analysis model until a preset traffic analysis model is obtained whose evaluation indexes all reach the expected values.
In the embodiment of the present invention, the method further includes sending an alarm when the traffic data is determined to be abnormal.
The embodiment of the invention uses the optimal model to predict on the traffic data reported by the device in real time; when the prediction result is a DDoS attack, an alarm is raised and the device's traffic topology graph is derived by analysis, so that the user can discover the device's abnormal behaviour and its specific traffic situation in time.
As shown in FIG. 6, in the embodiment of the present invention, determining the malicious network traffic topology graph from the malicious control end information corresponding to the traffic data in step S4 includes:
S401, analyzing the collected attack data algorithmically to obtain the malicious control end IP and the attack target IP;
S402, confirming and refining the malicious control end IP and attack target IP data against an IP whitelist;
S403, counting the parameters and attack types of the traffic interaction between the device, the malicious control end IP and the attack target IP, and drawing the malicious network traffic topology graph;
the parameters of the traffic interaction include one or more of the following:
packet type, traffic volume, attack start time and attack end time.
As shown in FIG. 7, an embodiment of the present invention further provides an abnormal traffic analysis apparatus based on an intelligent terminal, comprising:
a collecting module 100 configured to collect traffic data of IoT devices;
a processing module 200 configured to process the traffic data to obtain a prediction data set;
an analysis module 300 configured to analyze the prediction data set with a preset traffic analysis model to determine whether the traffic data is abnormal;
and a topology module 400 configured to determine a malicious network traffic topology graph from the malicious control end information corresponding to the traffic data when the traffic data is determined to be abnormal.
In the embodiment of the present invention, the preset traffic analysis model used by the analysis module 300 is obtained as follows:
reporting traffic data to a cloud server in real time or at fixed intervals by installing an agent on the device;
the cloud server collecting traffic data of the device in its normal running state and in the DDoS attack state it enters after being maliciously controlled;
recording the category of the collected traffic data;
processing the normal-state traffic data and the DDoS-attack-state traffic data separately, completing feature extraction, and obtaining a feature data set;
splitting the feature data set into a training set and a test set;
and training and verifying a traffic analysis model with the training set and the test set to obtain the preset traffic analysis model.
In the embodiment of the present invention, the analysis module 300's processing of the traffic data in the normal running state and the traffic data in the DDoS attack state initiated after malicious control includes:
cleaning the collected traffic data of both states;
converting the format of the cleaned traffic data into description data for each traffic packet;
and converging (aggregating) the converted description data along a preset dimension.
In an embodiment of the present invention, the analysis module 300's training and verifying of the traffic analysis model with the feature data to obtain the preset traffic analysis model includes:
training the traffic analysis model with the feature data of the training set and recording the model's evaluation indexes;
adjusting the parameters of the traffic analysis model according to the quality of the evaluation indexes to obtain a test traffic analysis model;
verifying the test traffic analysis model with the feature data of the test set;
if all evaluation indexes of the test traffic analysis model reach their expected values, taking the test traffic analysis model as the preset traffic analysis model; otherwise, readjusting the algorithm and parameters of the traffic analysis model until a preset traffic analysis model is obtained whose evaluation indexes all reach the expected values.
In the embodiment of the present invention, the apparatus further includes an alarm module configured to send an alarm when the traffic data is determined to be abnormal.
In the embodiment of the present invention, the process of obtaining the traffic analysis model may be performed offline and may include:
1. Collecting traffic data
As shown in FIG. 1, an agent installed on the IoT device reports the traffic generated by the device to a cloud server;
the cloud server collects traffic data of the device in its normal running state and in the DDoS attack state after it has been maliciously controlled;
the traffic generated by a device in the normal running state and in the DDoS attack state differs in many respects, for example:
in the DDoS attack state the device generates more traffic packets per unit time and the inter-packet interval is shorter;
the traffic packets generated by a device in the DDoS attack state are usually smaller;
the sizes of the traffic packets generated by a device in the DDoS attack state are more uniform;
the number of packets associated with a particular attack increases markedly, for example the number of UDP (User Datagram Protocol) packets jumps during a UDP Flood.
Because of the complexity of DDoS attacks themselves, as many cases as possible should be covered when collecting traffic data, for example: attack type (e.g. SYN Flood (Synchronize Sequence Numbers), ACK Flood (Acknowledge character), UDP Flood, etc.), whether a random source IP is used, whether a random source port is used, whether a random destination port is used, whether a packet size is specified, and so on;
for the collected traffic data, the category the data belongs to should be recorded accurately.
2. Processing traffic data
As shown in FIG. 8, the collected traffic data is first cleaned, handling incomplete data and data with obvious errors;
the cleaned data is format-converted into specific description data for each traffic packet (such as protocol type, source/destination IP, source/destination port, packet size, etc.);
the converted data is converged (aggregated) along a certain dimension; the convergence result includes but is not limited to:
Hip: the number of source IPs / the number of destination IPs. An IoT device in its normal state usually interacts with a fixed set of other devices, so this value is stable; in the attack state it fluctuates markedly;
the ports on which the IoT device interacts with other devices are usually confined to a certain range in the normal state, so this value is stable; in the attack state it fluctuates markedly;
avgPay, the mean traffic packet payload, and stdPay, the standard deviation of the traffic packet payload: in the normal state the payload of the packets generated by the IoT device is large and fluctuates somewhat due to the network and other factors; in the attack state the payload is small, so that as many packets as possible can be sent, and generally tends to a fixed value;
avgInt, the mean inter-packet interval, and stdInt, its standard deviation: in the normal state the IoT device generates packets at a low rate, so the inter-packet interval is large and fluctuates somewhat due to the network and other factors; in the attack state the packet rate is high, the interval is small and the fluctuation is small;
each column of the converged data represents a feature and each row a feature vector, and the difference between normal and abnormal traffic is embodied in the feature vectors;
the feature vectors are labelled with the category each belongs to (such as normal, SYN Flood, ACK Flood, UDP Flood, etc.), giving the feature data.
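The convergence step above, as an added worked example that is not the patent's own code: per-packet description data for one device and one time window is aggregated into the feature row the patent lists (IP counts, port count, avgPay, stdPay, avgInt, stdInt) and paired with its recorded category. The packets are constructed samples; "Hip" is read here as the pair of distinct-source-IP and distinct-destination-IP counts and the port feature as the number of distinct destination ports, which is this example's reading of the text, not something the patent spells out.

```python
"""Added example (not the patent's code): converge per-packet description data
into one labelled feature vector per window.  All packets below are constructed."""
from statistics import mean, pstdev
from typing import Dict, List

# Constructed description data for one device and one window, as produced by the
# format-conversion step: protocol, src/dst ip, src/dst port, payload size and a
# timestamp in milliseconds.  Normal state: a few large packets to one peer.
NORMAL_PACKETS = [
    {"proto": "TCP", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "src_port": 51000, "dst_port": 443, "payload": 900, "ts": 0},
    {"proto": "TCP", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "src_port": 51000, "dst_port": 443, "payload": 1100, "ts": 1000},
    {"proto": "TCP", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "src_port": 51000, "dst_port": 443, "payload": 1000, "ts": 3000},
    {"proto": "TCP", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "src_port": 51000, "dst_port": 443, "payload": 1000, "ts": 6000},
]
# Attack state (constructed UDP Flood with random source IPs and destination ports):
# many small, uniformly sized packets at a short, constant interval.
ATTACK_PACKETS = [
    {"proto": "UDP", "src_ip": f"198.51.100.{i}", "dst_ip": "192.0.2.7",
     "src_port": 40000 + i, "dst_port": 1000 + i, "payload": 64, "ts": 10 * i}
    for i in range(1, 6)
]
# Column order of the feature vectors (the "Hip" pair, the port count, then the
# payload and interval statistics named by the patent).
FEATURE_NAMES = ["nSrcIp", "nDstIp", "nPort", "avgPay", "stdPay", "avgInt", "stdInt"]


def extract_features(packets: List[Dict]) -> Dict[str, float]:
    """Converge one window of packet descriptions into one feature row."""
    if len(packets) < 2:
        raise ValueError("a window needs at least two packets to have an interval")
    pkts = sorted(packets, key=lambda p: p["ts"])
    payloads = [p["payload"] for p in pkts]
    intervals = [b["ts"] - a["ts"] for a, b in zip(pkts, pkts[1:])]
    return {
        "nSrcIp": len({p["src_ip"] for p in pkts}),
        "nDstIp": len({p["dst_ip"] for p in pkts}),
        "nPort": len({p["dst_port"] for p in pkts}),
        "avgPay": mean(payloads),
        "stdPay": pstdev(payloads),  # population standard deviation of the payload
        "avgInt": mean(intervals),
        "stdInt": pstdev(intervals),  # population standard deviation of the interval
    }


def build_feature_dataset(samples):
    """Feature extraction for a whole collection: each (packets, category) pair
    becomes one labelled feature vector in FEATURE_NAMES order."""
    return [([extract_features(pk)[n] for n in FEATURE_NAMES], category)
            for pk, category in samples]


if __name__ == "__main__":
    for name, pk in (("normal", NORMAL_PACKETS), ("UDP Flood", ATTACK_PACKETS)):
        print(name, extract_features(pk))
```

The same `extract_features` serves both places the patent needs it: offline, on the collected and labelled traffic, and in real time on the traffic the agent reports, so that the prediction data set has the same columns as the training set.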
3. Training the model
The feature data set is randomly divided into a training set and a test set, and the training set is fed to a machine-learning classification algorithm for model training;
the trained model is tested on the test set and its evaluation indexes (such as accuracy, precision, recall, F1-Score, etc.) are recorded;
the parameters are adjusted to obtain a model with better evaluation indexes.
4. Verifying the model
A new feature data set containing every category is extracted, the model predicts on it, and each evaluation index of the model is recorded.
5. Optimizing the model
If every evaluation index of the model reaches its expected value, the model is used; otherwise the algorithm and its parameters are readjusted to obtain a model that meets the conditions.
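Steps 3 to 5 as one added worked example, not the patent's code: a random train/test split, a classifier with adjustable parameters, the evaluation indexes the patent names (accuracy, precision, recall, F1-Score), and the accept-or-readjust decision. The patent does not name its classification algorithm, so a k-nearest-neighbour classifier with k and per-feature standardisation as its tunable parameters stands in for it here; the feature rows are synthetic, generated to follow the tendencies the patent lists, and use the same column order as the feature extraction above.

```python
"""Added example, not the patent's code: train / evaluate / adjust / verify loop on a
constructed feature data set.  KNN is a stand-in for the unnamed algorithm."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

FEATURES = ["nSrcIp", "nDstIp", "nPort", "avgPay", "stdPay", "avgInt", "stdInt"]
CATEGORIES = ["normal", "SYN Flood", "UDP Flood"]
Row = Tuple[List[float], str]


def synthetic_dataset(n_per_class: int = 40, seed: int = 7) -> List[Row]:
    """Construct labelled feature vectors: normal traffic has large, fluctuating
    payloads and intervals; flood traffic has small, uniform ones.  SYN Flood here
    uses random source IPs (many source IPs), UDP Flood random destination ports."""
    rng = random.Random(seed)
    rows: List[Row] = []
    for _ in range(n_per_class):
        rows.append(([1, rng.randint(1, 3), rng.randint(1, 3), rng.uniform(900, 1200),
                      rng.uniform(50, 150), rng.uniform(1000, 3000), rng.uniform(200, 800)], "normal"))
        rows.append(([rng.randint(100, 200), 1, 1, rng.uniform(40, 80), rng.uniform(0, 5),
                      rng.uniform(1, 20), rng.uniform(0, 3)], "SYN Flood"))
        rows.append(([1, 1, rng.randint(100, 200), rng.uniform(40, 80), rng.uniform(0, 5),
                      rng.uniform(1, 20), rng.uniform(0, 3)], "UDP Flood"))
    return rows


def split_dataset(rows: List[Row], test_fraction: float = 0.3, seed: int = 1):
    """Step 3: random split of the feature data set into (training set, test set)."""
    idx = list(range(len(rows)))
    random.Random(seed).shuffle(idx)
    n_test = int(len(rows) * test_fraction)
    return [rows[i] for i in idx[n_test:]], [rows[i] for i in idx[:n_test]]


class KNNClassifier:
    """Stand-in classification algorithm; k and scale are its adjustable parameters."""

    def __init__(self, k: int = 3, scale: bool = True):
        self.k, self.scale = k, scale
        self.mu: List[float] = []
        self.sigma: List[float] = []
        self.train: List[Row] = []

    def _norm(self, x):
        if not self.scale:
            return list(x)
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sigma)]

    def fit(self, rows: List[Row]):
        cols = list(zip(*[x for x, _ in rows]))
        self.mu = [sum(c) / len(c) for c in cols]
        self.sigma = [max(math.sqrt(sum((v - m) ** 2 for v in c) / len(c)), 1e-9)
                      for c, m in zip(cols, self.mu)]
        self.train = [(self._norm(x), y) for x, y in rows]
        return self

    def predict(self, x) -> str:
        z = self._norm(x)
        nearest = sorted(self.train, key=lambda r: math.dist(z, r[0]))[:self.k]
        return Counter(y for _, y in nearest).most_common(1)[0][0]


def evaluation_indexes(y_true, y_pred, categories=CATEGORIES) -> Dict[str, float]:
    """Accuracy plus macro-averaged precision, recall and F1-Score."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for t, p in zip(y_true, y_pred):
        if t == p:
            tp[t] += 1
        else:
            fp[p] += 1
            fn[t] += 1
    precision, recall, f1 = [], [], []
    for c in categories:
        p_c = tp[c] / (tp[c] + fp[c]) if tp[c] + fp[c] else 0.0
        r_c = tp[c] / (tp[c] + fn[c]) if tp[c] + fn[c] else 0.0
        precision.append(p_c)
        recall.append(r_c)
        f1.append(2 * p_c * r_c / (p_c + r_c) if p_c + r_c else 0.0)
    n = len(categories)
    return {"accuracy": sum(tp.values()) / len(y_true), "precision": sum(precision) / n,
            "recall": sum(recall) / n, "f1": sum(f1) / n}


def select_model(rows, expected, candidates=({"k": 1, "scale": False}, {"k": 3, "scale": True})):
    """Steps 3 to 5: train on the training set, verify on the test set and accept the
    first parameter setting whose indexes all reach the expected values; otherwise
    return (None, best_indexes) to signal that algorithm and parameters need readjusting."""
    train, test = split_dataset(rows)
    best = None
    for params in candidates:
        model = KNNClassifier(**params).fit(train)
        indexes = evaluation_indexes([y for _, y in test], [model.predict(x) for x, _ in test])
        if all(indexes[name] >= value for name, value in expected.items()):
            return model, indexes
        if best is None or indexes["f1"] > best["f1"]:
            best = indexes
    return None, best


if __name__ == "__main__":
    print(select_model(synthetic_dataset(), {"accuracy": 0.9, "f1": 0.9})[1])
```

`expected` holds the expected value for each index; the macro average is used so that a rare attack category cannot be hidden behind a high overall accuracy, which is the failure mode the patent's "each index reaches its expected value" condition guards against.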
The flow analysis process by using the flow analysis model in the embodiment of the present invention may include:
1. model real-time prediction
As shown in fig. 9, the traffic data reported by the device end is collected in real time, and the data is processed correspondingly to obtain a predictable data set;
putting the predictable data set into an optimized flow analysis model for real-time prediction;
the data predicted as attack is written into the database, a reasonable threshold can be set before the data is written into the database to reduce the false alarm rate, and the written data includes but is not limited to:
the device id and the mac address thereof, the attack type, the attack start time, the attack end time, the flow generated in the attack time period and the like;
2. prediction result reprocessing
Further processing the collected attack data and analyzing it according to a certain algorithm to obtain the malicious control end ip (Command and Control server, C&C server) and the attack target ip;
confirming and optimizing the collected ip data through an ip white list function;
as shown in fig. 10, traffic interaction and attack types between the device and the C & C and the attack target ip are obtained through statistics, and a botnet traffic topological graph is drawn.
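Steps 1 and 2 of the analysis process above (thresholding the real-time predictions before they are written, then reprocessing the written attack records into C&C ip, target ip and a topology) as one added example; this is not the patent's code. The text does not specify the algorithm that yields the C&C ip, so the rule used here is an assumption: a non-whitelisted peer that contacted the device shortly before the attack window is taken as the C&C, and the destinations the device sends to during the window are the attack targets. The device inventory, whitelist, prediction windows and flow records are constructed, using documentation-range addresses.

```python
# Added example: threshold predictions before writing, then derive C&C ip,
# target ip and topology edges. Not the patent's code; all data is constructed.
from collections import defaultdict

MIN_CONSECUTIVE = 3     # assumed threshold: attack windows in a row before a record is written
LOOKBACK = 10           # assumed: seconds before the attack start to search for C&C contact
DEVICE_IP = {"cam-01": "10.0.0.5"}              # constructed device inventory
IP_WHITELIST = {"10.0.0.1", "192.0.2.10"}        # constructed known-good peers

# Constructed per-window model output: (device_id, mac, start, end, label, bytes)
PREDICTIONS = [
    ("cam-01", "aa:bb:cc:00:00:01", 100, 110, "normal", 1200),
    ("cam-01", "aa:bb:cc:00:00:01", 110, 120, "SYN Flood", 900),    # isolated hit: likely false alarm
    ("cam-01", "aa:bb:cc:00:00:01", 120, 130, "normal", 1100),
    ("cam-01", "aa:bb:cc:00:00:01", 130, 140, "SYN Flood", 50000),
    ("cam-01", "aa:bb:cc:00:00:01", 140, 150, "SYN Flood", 52000),
    ("cam-01", "aa:bb:cc:00:00:01", 150, 160, "SYN Flood", 51000),
    ("cam-01", "aa:bb:cc:00:00:01", 160, 170, "normal", 1000),
]

# Constructed flow records involving the device: (timestamp, src_ip, dst_ip, packet_type, bytes)
FLOWS = [
    (125, "10.0.0.1", "10.0.0.5", "TCP", 300),        # whitelisted gateway traffic
    (128, "198.51.100.7", "10.0.0.5", "TCP", 180),    # inbound contact just before the attack
    (131, "10.0.0.5", "203.0.113.9", "SYN", 40),
    (135, "10.0.0.5", "203.0.113.9", "SYN", 40),
    (158, "10.0.0.5", "203.0.113.9", "SYN", 40),
    (165, "10.0.0.5", "192.0.2.10", "TCP", 500),      # after the attack, whitelisted peer
]


def attack_records(predictions, min_consecutive=MIN_CONSECUTIVE):
    """Step 1: merge consecutive attack windows per device; drop runs below the threshold.

    Each returned record carries the fields the text lists for the database:
    device id, mac, attack type, start, end and traffic in the attack period.
    """
    runs, records = {}, []
    for dev, mac, start, end, label, nbytes in predictions:
        run = runs.get(dev)
        if run and run["attack_type"] == label and run["end"] == start:
            run["end"], run["bytes"], run["windows"] = end, run["bytes"] + nbytes, run["windows"] + 1
            continue
        if run and run["windows"] >= min_consecutive:     # close a run long enough to keep
            records.append(run)
        runs[dev] = None
        if label != "normal":
            runs[dev] = {"device_id": dev, "mac": mac, "attack_type": label,
                         "start": start, "end": end, "bytes": nbytes, "windows": 1}
    records.extend(r for r in runs.values() if r and r["windows"] >= min_consecutive)
    return records


def reprocess(record, flows, whitelist=IP_WHITELIST, lookback=LOOKBACK):
    """Step 2: derive C&C ip and attack target ip for one record (assumed rule), then apply the whitelist."""
    dev_ip = DEVICE_IP[record["device_id"]]
    cc, targets = defaultdict(int), defaultdict(lambda: {"bytes": 0, "types": set()})
    for ts, src, dst, ptype, nbytes in flows:
        if dst == dev_ip and record["start"] - lookback <= ts < record["start"]:
            cc[src] += nbytes                               # candidate controller
        elif src == dev_ip and record["start"] <= ts <= record["end"]:
            targets[dst]["bytes"] += nbytes                 # candidate target
            targets[dst]["types"].add(ptype)
    return {"cc": {ip: b for ip, b in cc.items() if ip not in whitelist},
            "targets": {ip: v for ip, v in targets.items() if ip not in whitelist}}


def topology(records, flows):
    """Edges of the botnet traffic topology: C&C -> device and device -> target."""
    edges = []
    for rec in records:
        info = reprocess(rec, flows)
        for cc_ip, nbytes in info["cc"].items():
            edges.append({"from": cc_ip, "to": rec["device_id"], "packet_type": "control",
                          "attack_type": rec["attack_type"], "bytes": nbytes,
                          "start": rec["start"], "end": rec["end"]})
        for tgt, v in info["targets"].items():
            edges.append({"from": rec["device_id"], "to": tgt, "packet_type": "/".join(sorted(v["types"])),
                          "attack_type": rec["attack_type"], "bytes": v["bytes"],
                          "start": rec["start"], "end": rec["end"]})
    return edges


if __name__ == "__main__":
    for edge in topology(attack_records(PREDICTIONS), FLOWS):
        print(edge)
```

The single "SYN Flood" window at 110-120 never reaches the database because it is shorter than the run threshold, which is the false-alarm reduction the text refers to; the whitelisted gateway that also contacted the device before the attack is dropped from the C&C candidates by the whitelist step rather than by the timing rule.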
Further provided is a computing device, referring to fig. 11, comprising a memory 1120, a processor 1110 and a computer program stored in said memory 1120 and executable by said processor 1110, the computer program being stored in a space 1130 for program code in the memory 1120, the computer program, when executed by the processor 1110, implementing the method steps 1131 for performing any of the methods according to the invention.
The embodiment of the application also provides a computer readable storage medium. Referring to fig. 12, the computer readable storage medium comprises a storage unit for program code provided with a program 1131' for performing the steps of the method according to the invention, which program is executed by a processor.
The embodiment of the application also provides a computer program product containing instructions which, when run on a computer, cause the computer to carry out the steps of the method according to the invention.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed by a computer, they cause the computer to perform, in whole or in part, the procedures or functions described in accordance with the embodiments of the application. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by a program, and the program may be stored in a computer-readable storage medium, where the storage medium is a non-transitory medium, such as a random access memory, a read only memory, a flash memory, a hard disk, a solid state disk, a magnetic tape, a floppy disk, an optical disk, or any combination thereof.
The above description is only for the preferred embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An abnormal flow analysis method based on an intelligent terminal is characterized by comprising the following steps:
collecting flow data of the Internet of things equipment;
processing the flow data to obtain a prediction data set;
analyzing the prediction data set by using a preset flow analysis model to determine whether the flow data is abnormal or not;
and when the traffic data is determined to be abnormal, determining a malicious network traffic topological graph according to malicious control terminal information corresponding to the traffic data.
2. The method of claim 1, wherein the obtaining of the predetermined flow analysis model comprises:
reporting flow data to a cloud server in real time or at regular time in a mode of installing an agent at an equipment end;
a cloud server collecting flow data of the equipment in a normal running state and flow data of the equipment in a DDoS attack state after being controlled maliciously;
recording the category of the collected flow data;
respectively processing the flow data in a normal running state and the flow data in a DDoS attack state initiated after malicious control, completing feature extraction and obtaining a feature data set;
splitting the characteristic data set to obtain a training set and a test set;
and training and verifying a flow analysis model by using the training set and the testing set to obtain a preset flow analysis model.
3. The method of claim 2, wherein processing the traffic data in a normal operating state and in a state of initiating a DDoS attack after being maliciously controlled comprises:
cleaning the collected flow data in the normal operation state and the flow data in the DDoS attack state initiated after being maliciously controlled;
carrying out format conversion on the cleaned flow data, and converting the flow data into description data of each flow packet;
and converging the converted description data according to a preset dimension.
4. The method of claim 2, wherein training and validating the flow analysis model using the feature data to obtain a preset flow analysis model comprises:
training the flow analysis model by using the characteristic data of the training set; recording various evaluation indexes of the flow analysis model;
adjusting parameters of the flow analysis model according to the quality of the evaluation index to obtain a test flow analysis model;
verifying the test flow analysis model by using the characteristic data of the test set;
if all evaluation indexes of the test flow analysis model reach expected values, taking the test flow analysis model as a preset flow analysis model; otherwise, readjusting the algorithm and parameters of the flow analysis model to obtain a preset flow analysis model with each evaluation index reaching the expected value.
5. The method of claim 2, further comprising: and when the flow data is determined to be abnormal, sending an alarm.
6. The method of claim 1, wherein determining a malicious network traffic topology map according to malicious control side information corresponding to the traffic data comprises:
analyzing the collected attack data by an algorithm to obtain a malicious control end ip and an attack target ip;
confirming and optimizing the analyzed malicious control end ip and attack target ip data through an ip white list;
counting parameters and attack types in the traffic interaction process of the equipment, the malicious control end ip and the attack target ip, and drawing a malicious network traffic topological graph;
the parameters in the traffic interaction process include one or more of the following:
the type of the data packet, the flow size, the attack starting time and the attack ending time.
7. An abnormal flow analysis device based on an intelligent terminal, characterized by comprising:
the collecting module is used for collecting flow data of the Internet of things equipment;
the processing module is used for processing the flow data to obtain a prediction data set;
the analysis module is used for analyzing the prediction data set by utilizing a preset flow analysis model and determining whether the flow data is abnormal or not;
and the topology module is set to determine a malicious network traffic topological graph according to malicious control terminal information corresponding to the traffic data when the traffic data is determined to be abnormal.
8. The apparatus according to claim 7, wherein the obtaining manner of the preset flow analysis model in the analysis module comprises:
reporting flow data to a cloud server in real time or at regular time in a mode of installing an agent at an equipment end;
a cloud server collecting flow data of the equipment in a normal running state and flow data of the equipment in a DDoS attack state after being controlled maliciously;
recording the category of the collected flow data;
respectively processing the flow data in a normal running state and the flow data in a DDoS attack state initiated after malicious control, completing feature extraction and obtaining a feature data set;
splitting the characteristic data set to obtain a training set and a test set;
and training and verifying a flow analysis model by using the training set and the testing set to obtain a preset flow analysis model.
9. The apparatus of claim 8, wherein the analyzing module processes the traffic data in a normal operation state and the traffic data in a state of initiating a DDoS attack after being controlled maliciously, and comprises:
cleaning the collected flow data in the normal operation state and the flow data in the DDoS attack state initiated after being maliciously controlled;
carrying out format conversion on the cleaned flow data, and converting the flow data into description data of each flow packet;
and converging the converted description data according to a preset dimension.
10. The apparatus of claim 8, wherein the training and verifying of the flow analysis model by the analysis module using the feature data to obtain a preset flow analysis model comprises:
training the flow analysis model by using the characteristic data of the training set; recording various evaluation indexes of the flow analysis model;
adjusting parameters of the flow analysis model according to the quality of the evaluation index to obtain a test flow analysis model;
verifying the test flow analysis model by using the characteristic data of the test set;
if all evaluation indexes of the test flow analysis model reach expected values, taking the test flow analysis model as a preset flow analysis model; otherwise, readjusting the algorithm and parameters of the flow analysis model to obtain a preset flow analysis model with each evaluation index reaching the expected value.
CN202011112621.0A 2020-10-16 2020-10-16 Abnormal flow analysis method and device based on intelligent terminal Pending CN112291213A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011112621.0A CN112291213A (en) 2020-10-16 2020-10-16 Abnormal flow analysis method and device based on intelligent terminal

Publications (1)

Publication Number Publication Date
CN112291213A true CN112291213A (en) 2021-01-29

Family

ID=74497367

Country Status (1)

Country Link
CN (1) CN112291213A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114125840A (en) * 2021-10-18 2022-03-01 广州鲁邦通物联网科技股份有限公司 Wireless communication method, system and gateway equipment based on LoRa

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060008A (en) * 2016-05-10 2016-10-26 中国人民解放军61599部队计算所 Network invasion abnormity detection method
US20180007084A1 (en) * 2016-06-29 2018-01-04 Cisco Technology, Inc. Automatic retraining of machine learning models to detect ddos attacks
CN107659435A (en) * 2017-09-14 2018-02-02 杭州迪普科技股份有限公司 A kind of processing method and processing device of interface message
CN108173695A (en) * 2017-12-29 2018-06-15 深信服网络科技(深圳)有限公司 A kind of cloud environment down-off monitoring system and method
CN109167798A (en) * 2018-11-01 2019-01-08 四川长虹电器股份有限公司 A kind of household internet of things equipment DDoS detection method based on machine learning
CN109379379A (en) * 2018-12-06 2019-02-22 中国民航大学 Based on the network inbreak detection method for improving convolutional neural networks
CN110213244A (en) * 2019-05-15 2019-09-06 杭州电子科技大学 A kind of network inbreak detection method based on space-time characteristic fusion
CN111510433A (en) * 2020-03-18 2020-08-07 山东大学 Internet of things malicious flow detection method based on fog computing platform

Similar Documents

Publication Publication Date Title
CN112769796B (en) Cloud network side collaborative defense method and system based on end side edge computing
CN110909811B (en) OCSVM (online charging management system) -based power grid abnormal behavior detection and analysis method and system
CN108429651B (en) Flow data detection method and device, electronic equipment and computer readable medium
CN111935170B (en) Network abnormal flow detection method, device and equipment
CN107135093B (en) Internet of things intrusion detection method and detection system based on finite automaton
US11374835B2 (en) Apparatus and process for detecting network security attacks on IoT devices
CN111683097B (en) Cloud network flow monitoring system based on two-stage architecture
CN107360118B (en) Advanced persistent threat attack protection method and device
Feng et al. Feature selection for machine learning-based early detection of distributed cyber attacks
CN114143037B (en) Malicious encrypted channel detection method based on process behavior analysis
CN111181971B (en) System for automatically detecting industrial network attack
JP2018148350A (en) Threshold determination device, threshold level determination method and program
CN113055335B (en) Method, device, network system and storage medium for detecting communication abnormality
KR102001812B1 (en) Apparatus and method of making whitelist for communication among devices using k-means algorithm
Janabi et al. Convolutional neural network based algorithm for early warning proactive system security in software defined networks
CN111818049B (en) Botnet flow detection method and system based on Markov model
CN117411703A (en) Modbus protocol-oriented industrial control network abnormal flow detection method
CN109743339B (en) Network security monitoring method and device for power plant station and computer equipment
Fenil et al. Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches
CN112291213A (en) Abnormal flow analysis method and device based on intelligent terminal
Havlena et al. Accurate Automata-Based Detection of Cyber Threats in Smart Grid Communication
Schuster et al. Attack and fault detection in process control communication using unsupervised machine learning
CN114006719B (en) AI verification method, device and system based on situation awareness
CN115333915A (en) Network management and control system for heterogeneous host
Pramudya et al. Implementation of signature-based intrusion detection system using SNORT to prevent threats in network servers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210129
