CN112333155A - Abnormal flow detection method and system, electronic equipment and storage medium - Google Patents


Info

Publication number
CN112333155A
Authority
CN
China
Prior art keywords
flow
detected
abnormal
data
channel image
Legal status
Granted
Application number
CN202011112722.8A
Other languages
Chinese (zh)
Other versions
CN112333155B (en)
Inventor
晏海龙
Current Assignee
Jinan Inspur Data Technology Co Ltd
Original Assignee
Jinan Inspur Data Technology Co Ltd
Application filed by Jinan Inspur Data Technology Co Ltd
Priority to CN202011112722.8A
Publication of CN112333155A
Application granted
Publication of CN112333155B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2218/00 Aspects of pattern recognition specially adapted for signal processing
    • G06F2218/12 Classification; Matching

Abstract

The application discloses a method for detecting abnormal traffic, which comprises the following steps: acquiring the traffic to be detected and converting it into decimal target data; taking the value of each byte in the target data as a gray value to generate three-channel image data; and inputting the three-channel image data into an abnormal traffic detection model, and judging whether the traffic to be detected is abnormal according to the output result of the model. The method and the device can improve the efficiency with which the abnormal traffic detection model detects the traffic to be detected. The application also discloses a system for detecting abnormal traffic, an electronic device and a storage medium, which have the same beneficial effects.

Description

Abnormal flow detection method and system, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and a system for detecting abnormal traffic, an electronic device, and a storage medium.
Background
With the development of cloud computing and the internet, the abnormal traffic present in networks has multiplied, which poses a great test for the security protection of cloud servers. Currently, intrusion detection on network traffic is widely applied in large data centers as an active security protection measure. Machine learning is a commonly used method for detecting and classifying abnormal network traffic, but it requires data features to be extracted manually for the machine learning algorithm to use, so the detection system depends heavily on the experience behind manual feature extraction, and the overall performance of abnormal network traffic detection is seriously restricted.
Therefore, how to improve the detection efficiency of abnormal network traffic is a technical problem that currently needs to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a method and a system for detecting abnormal traffic, an electronic device and a storage medium, which can improve the detection efficiency of the abnormal traffic of a network.
In order to solve the above technical problem, the present application provides a method for detecting abnormal traffic, where the method for detecting abnormal traffic includes:
acquiring the traffic to be detected, and converting the traffic to be detected into decimal target data;
taking the value of each byte in the target data as a gray value to generate three-channel image data;
and inputting the three-channel image data into an abnormal traffic detection model, and judging whether the traffic to be detected is abnormal according to the output result of the abnormal traffic detection model.
Optionally, converting the traffic to be detected into decimal target data includes:
dividing the traffic to be detected into a plurality of data blocks, wherein each data block corresponds to 8 bytes;
and converting each data block into decimal numbers, and arranging the decimal numbers in the order of the data blocks to obtain the target data.
Optionally, before dividing the traffic to be detected into a plurality of data blocks, the method further includes:
judging whether the byte count of the traffic to be detected is an integral multiple of 8;
and if not, appending 0 after the last byte of the traffic to be detected so that the byte count of the padded traffic is an integral multiple of 8.
Optionally, the generating three-channel image data by using the value of each byte in the target data as a gray value includes:
taking the value of each byte in the target data as a gray value;
selecting a data storage area in a three-channel image, and taking the value of each byte in the target data as the gray value of a pixel point in the data storage area; the number of pixel points in the data storage area is greater than or equal to the number of bytes of the target data, and the pixel points in the data storage area correspond to the bytes in the target data one to one;
and setting the gray value of the pixel points in other areas except the data storage area in the three-channel image as 0, and taking the gray value distribution information of the three-channel image as three-channel image data.
Optionally, before inputting the three-channel image data into the abnormal traffic detection model, the method further includes:
converting abnormal traffic samples into three-channel image data samples, and dividing the three-channel image data samples into a training set and a test set according to a preset proportion;
and training an initial model using the training set and the test set to obtain the abnormal traffic detection model.
Optionally, the abnormal traffic detection model is a model based on the Faster RCNN target detection network, wherein the Faster RCNN target detection network is a convolutional neural network that uses group normalization for deep learning.
Optionally, after judging whether the traffic to be detected is abnormal according to the output result of the abnormal traffic detection model, the method further includes:
writing the detection result of the traffic to be detected into a log file;
and if the traffic to be detected is judged to be abnormal, sending prompt information to a management platform.
The present application further provides a system for detecting abnormal traffic, the system including:
a binary conversion module, configured to acquire the traffic to be detected and convert the traffic to be detected into decimal target data;
an image data generation module, configured to generate three-channel image data by taking the value of each byte in the target data as a gray value;
and a judging module, configured to input the three-channel image data into an abnormal traffic detection model and judge whether the traffic to be detected is abnormal according to the output result of the abnormal traffic detection model.
The application also provides a storage medium on which a computer program is stored, and the computer program, when executed, realizes the steps performed by the abnormal traffic detection method.
The application also provides an electronic device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps performed by the abnormal traffic detection method when calling the computer program in the memory.
The application provides a method for detecting abnormal traffic, which comprises the following steps: acquiring the traffic to be detected and converting it into decimal target data; taking the value of each byte in the target data as a gray value to generate three-channel image data; and inputting the three-channel image data into an abnormal traffic detection model, and judging whether the traffic to be detected is abnormal according to the output result of the model.
The method and the device convert the traffic to be detected into decimal target data, obtain the three-channel image data corresponding to the traffic by taking the value of each byte in the target data as a gray value, then perform anomaly detection on the three-channel image data with the abnormal traffic detection model, and judge whether the traffic to be detected is abnormal according to the model's output. Because the traffic is converted into three-channel image data, abnormal traffic detection is realized on the basis of image features, and since a three-channel image carries three times the information content of a single-channel gray image, the efficiency with which the abnormal traffic detection model detects the traffic can be improved. The application also provides a system for detecting abnormal traffic, an electronic device and a storage medium, which have the same beneficial effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a method for detecting abnormal traffic according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram of three-channel image data storage according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram illustrating a principle of an abnormal traffic detection scheme of a cloud server management platform according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a system for detecting abnormal traffic according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a method for detecting abnormal traffic according to an embodiment of the present disclosure.
The specific steps may include:
S101: acquiring the traffic to be detected, and converting the traffic to be detected into decimal target data;
This embodiment can be applied to devices with an abnormal traffic monitoring function, such as a firewall or a classified-protection all-in-one security appliance, and the traffic to be detected may be the traffic received or sent by one or more target hosts. After the traffic to be detected is obtained, this embodiment may convert each byte of the traffic into a decimal number (0-255), so as to obtain the traffic in decimal form, that is, the target data.
S102: taking the value of each byte in the target data as a gray value to generate three-channel image data;
Gray values range from 0 to 255, so each decimal byte in the target data corresponds exactly to the gray value of one pixel. A gray image can be obtained by using the value of each byte in the target data as a gray value, and three-channel image data can be obtained by zero-padding the gray image.
As a possible implementation, the process of generating three-channel image data in this embodiment may include the following: taking the value of each byte in the target data as a gray value; selecting a data storage area in a three-channel image, and using the value of each byte in the target data as the gray value of a pixel in the data storage area; and setting the gray value of the pixels in all areas of the three-channel image other than the data storage area to 0, and taking the gray value distribution of the three-channel image as the three-channel image data. The number of pixels in the data storage area is greater than or equal to the number of bytes of the target data, and the pixels in the data storage area correspond one to one to the bytes in the target data. The data storage area may be an area in any single channel of the three-channel image, or a combination of areas in several channels.
S103: inputting the three-channel image data into an abnormal traffic detection model, and judging whether the traffic to be detected is abnormal according to the output result of the abnormal traffic detection model.
The abnormal traffic detection model in this embodiment may be a trained deep neural network model, and training it may include: obtaining abnormal traffic samples, converting them into decimal training samples, generating the three-channel image data corresponding to the decimal training samples, and training the abnormal traffic detection model on that data. In this embodiment, the traffic of the physical network card can be cached on a storage medium such as a hard disk, the cached data can be detected with the trained abnormal traffic detection model, the detection result stored in a log file, and the cloud management platform notified if abnormal data exists. This embodiment inputs the three-channel image data into the abnormal traffic detection model so that the model outputs the detection result.
As a feasible implementation, after judging whether the traffic to be detected is abnormal according to the output result of the abnormal traffic detection model, the detection result of the traffic can be written into a log file, and if the traffic is judged to be abnormal, prompt information is sent to the management platform. If the traffic to be detected is not abnormal, it can be passed through so that other equipment can receive it.
In this embodiment, the traffic to be detected is converted into decimal target data, the value of each byte in the target data is used as a gray value to obtain the corresponding three-channel image data, the abnormal traffic detection model then performs anomaly detection on the three-channel image data, and whether the traffic is abnormal is judged according to the model's output. Converting the one-dimensional traffic data into three-channel image data makes traffic detection suitable for a target detection network based on a convolutional neural network, such as Faster RCNN; the three-channel data volume is large, and the detection speed is increased. The embodiment converts the traffic to be detected into three-channel image data, realizes abnormal traffic detection based on image features, and can improve the detection efficiency of the abnormal traffic detection model because a three-channel image carries three times the information content of a single-channel gray image.
As a further introduction to the embodiment corresponding to fig. 1, the abnormal traffic detection model may be a model based on the Faster RCNN target detection network, wherein the Faster RCNN target detection network is a convolutional neural network that uses group normalization for deep learning. The traditional scheme mainly uses Batch Normalization (BN) for deep learning, but BN has drawbacks that stem from its behavior of normalizing over the batch, which changes with the batch size. Batch normalization requires a sufficiently large batch size (e.g., 32 per worker). A small batch yields inaccurately estimated batch statistics, so reducing the batch size under batch normalization greatly increases the model error rate, while the large batches it needs cause excessive memory consumption. Instead of Batch Normalization (BN), Group Normalization (GN) is used in this embodiment. Group normalization does not use the batch dimension, so its computation is independent of the batch size, and GN performs consistently over a wide range of batch sizes. Replacing the original batch normalization function with group normalization can accelerate network training and convergence.
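As an added illustration of the batch-size independence claimed above (example code written for this page, not from the patent), the following pure-Python Group Normalization and Batch Normalization compare how one sample's normalized output changes when that sample is processed alone rather than inside a batch; the tensor layout, group count and activation values are constructed assumptions.

```python
import math
import random


def _normalize(values, eps=1e-5):
    """Zero-mean, unit-variance normalization of a list of values (gamma=1, beta=0)."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    return [(v - mean) / math.sqrt(var + eps) for v in values]


def batch_norm(x):
    """Batch Normalization over a tensor x[N][C][L] (batch, channel, flattened spatial):
    each channel's statistics are computed across all N samples, so they depend on the batch."""
    n, c, l = len(x), len(x[0]), len(x[0][0])
    out = [[[0.0] * l for _ in range(c)] for _ in range(n)]
    for ch in range(c):
        normed = _normalize([x[i][ch][p] for i in range(n) for p in range(l)])
        for i in range(n):
            for p in range(l):
                out[i][ch][p] = normed[i * l + p]
    return out


def group_norm(x, groups):
    """Group Normalization: the channels of one sample are split into `groups` groups and each
    group is normalized over its own (C/groups) x L values; other samples are never used."""
    n, c, l = len(x), len(x[0]), len(x[0][0])
    if c % groups:
        raise ValueError("channel count must be divisible by the number of groups")
    per_group = c // groups
    out = [[[0.0] * l for _ in range(c)] for _ in range(n)]
    for i in range(n):
        for g in range(groups):
            chans = range(g * per_group, (g + 1) * per_group)
            normed = _normalize([x[i][ch][p] for ch in chans for p in range(l)])
            for k, ch in enumerate(chans):
                for p in range(l):
                    out[i][ch][p] = normed[k * l + p]
    return out


def make_batch(n=4, c=4, l=6, seed=0):
    """Constructed activations: a deterministic pseudo-random N x C x L tensor (assumed shape)."""
    rng = random.Random(seed)
    return [[[rng.uniform(-1.0, 1.0) for _ in range(l)] for _ in range(c)] for _ in range(n)]


def max_abs_diff(a, b):
    """Largest element-wise difference between two C x L outputs."""
    return max(abs(u - v) for row_a, row_b in zip(a, b) for u, v in zip(row_a, row_b))


def batch_size_sensitivity(groups=2):
    """Normalize sample 0 once inside a batch of 4 and once alone (batch of 1) with each method.
    Returns the largest change in sample 0's output as (group_norm_diff, batch_norm_diff)."""
    full = make_batch()
    alone = full[:1]
    gn_diff = max_abs_diff(group_norm(full, groups)[0], group_norm(alone, groups)[0])
    bn_diff = max_abs_diff(batch_norm(full)[0], batch_norm(alone)[0])
    return gn_diff, bn_diff


if __name__ == "__main__":
    gn, bn = batch_size_sensitivity()
    print(f"changing batch size 4 -> 1 moved GN output by {gn:.2e}, BN output by {bn:.2e}")
```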
As a further description of the embodiment corresponding to fig. 1, the process of converting the traffic to be detected into decimal target data in S101 includes: dividing the traffic to be detected into a plurality of data blocks, each data block corresponding to 8 bytes; and converting each data block into decimal numbers, and arranging the decimal numbers in the order of the data blocks to obtain the target data.
Of course, before dividing the traffic to be detected into a plurality of data blocks, whether the byte count of the traffic is an integral multiple of 8 can also be judged; if so, the step of dividing the traffic into data blocks can be carried out; if not, 0 is appended after the last byte of the traffic so that the byte count of the padded traffic is an integral multiple of 8.
As a further introduction to the embodiment corresponding to fig. 1, before the three-channel image data is input into the abnormal traffic detection model, the abnormal traffic samples may be converted into three-channel image data samples, which are divided into a training set and a test set according to a preset proportion; an initial model is then trained using the training set and the test set to obtain the abnormal traffic detection model.
The flow described in the above embodiment is illustrated below with an abnormal traffic detection scheme for a cloud server based on a convolutional neural network, as used in practice.
The method can comprise constructing a data set, training a neural network model, and collecting and detecting traffic in the cloud server. The data set is a three-channel image data set made from an open source traffic data set; an improved Faster RCNN network is adopted as the neural network; a hard disk in the server stores the network card traffic; the trained model is used to detect the stored data; the detection result is stored in a log file; and the cloud server management platform is informed of abnormal conditions.
When constructing the data set, open source data sets such as CICIDS2017 and ISCX2012 can be converted into three-channel image data. As shown in fig. 2, the image blocks in the hatched regions hold the converted data, which is stored at a random position in the three-channel image, and the other image blocks outside the hatched regions are padded with 0. In this embodiment network traffic is converted into three-channel image data, so the data processing capacity is three times that of single-channel image data; three-channel image detection is currently very mature, so a mature neural network can be used. This embodiment adopts the Faster RCNN target detection network, which can generate two thousand candidate boxes of different sizes in one image and capture targets of different sizes, making it suitable for network packets of different sizes. The packets in public data sets are generally small and unevenly distributed in size; the input image of Faster RCNN can store 1M to 3M of data, and the packets are placed at random positions in the three-channel data, which is well suited to a target detection network.
When training the neural network, the data set can be divided into a training set and a test set, and the test result is obtained by training the network. Specifically, the image size processed by Faster RCNN can be in the range of 600 to 1000 in this embodiment, so a three-channel image can store 1.08M to 3M of data. The packets in the open source data set are generally very small and can be stored at any position of the three-channel image, with 0 written at the other positions. After the source data set is converted into three-channel image data, it is divided into a training set and a test set at a ratio of 6:4, which are used to train and test the neural network respectively.
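The pre-processing chain of S101 and S102 together with the data set construction described above, worked through as an added Python example (not code from the patent): zero-padding to a multiple of 8, conversion to decimal target data, placement at a random offset inside a zero-filled three-channel image, the capacity check that the storage area holds at least one pixel value per byte, and the 6:4 train/test split. The sample packet, image side length and random seeds are constructed assumptions.

```python
import random

BLOCK_BYTES = 8  # the scheme splits traffic into 8-byte data blocks
CHANNELS = 3

# Constructed sample: a fabricated Ethernet/IPv4 header fragment, 22 bytes (not a multiple of 8).
SAMPLE_TRAFFIC = bytes.fromhex(
    "ffffffffffff0011223344550800"  # dst MAC, src MAC, EtherType IPv4
    "4500002800010000"              # start of an IPv4 header
)


def pad_to_block_multiple(traffic: bytes) -> bytes:
    """Pre-check of S101: if the byte count is not a multiple of 8, append 0 bytes at the end."""
    remainder = len(traffic) % BLOCK_BYTES
    if remainder == 0:
        return traffic
    return traffic + b"\x00" * (BLOCK_BYTES - remainder)


def to_decimal_target_data(traffic: bytes) -> list:
    """S101: split the padded traffic into 8-byte blocks, convert every byte of each block to its
    decimal value (0-255) and keep the block order; the flat list is the 'target data'."""
    padded = pad_to_block_multiple(traffic)
    blocks = [padded[i:i + BLOCK_BYTES] for i in range(0, len(padded), BLOCK_BYTES)]
    return [value for block in blocks for value in block]  # iterating bytes yields ints


def image_capacity(side: int) -> int:
    """Gray values a side x side three-channel image can hold (600 -> 1.08M, 1000 -> 3M)."""
    return side * side * CHANNELS


def to_three_channel_image(target_data: list, side: int, rng: random.Random):
    """S102: write the target data, one byte per pixel gray value, into a contiguous data storage
    area at a random offset of an otherwise zero-filled side x side x 3 image. The storage area
    must be at least as large as the target data (one pixel value per byte)."""
    capacity = image_capacity(side)
    n = len(target_data)
    if n > capacity:
        raise ValueError(f"target data ({n} bytes) exceeds image capacity ({capacity})")
    offset = rng.randint(0, capacity - n)  # random placement as in the fig. 2 description
    flat = [0] * capacity  # every pixel outside the storage area stays 0
    flat[offset:offset + n] = target_data
    # Lay out as [row][col][channel]; the storage area may therefore span several channels.
    image = [[[flat[(r * side + c) * CHANNELS + ch] for ch in range(CHANNELS)]
              for c in range(side)] for r in range(side)]
    return image, offset


def read_storage_area(image: list, offset: int, n: int) -> list:
    """Read n gray values back from the image, the inverse of to_three_channel_image."""
    side = len(image)
    flat = [image[r][c][ch] for r in range(side) for c in range(side) for ch in range(CHANNELS)]
    return flat[offset:offset + n]


def split_train_test(samples: list, train_ratio: float = 0.6, rng: random.Random = None):
    """Split converted samples into a training and a test set at the 6:4 ratio used in the text."""
    rng = rng or random.Random(1)
    shuffled = list(samples)
    rng.shuffle(shuffled)
    cut = int(len(shuffled) * train_ratio)
    return shuffled[:cut], shuffled[cut:]


def build_sample(traffic: bytes, side: int = 8, seed: int = 0) -> dict:
    """Run the whole pre-processing chain on one packet and report what was produced."""
    target = to_decimal_target_data(traffic)
    image, offset = to_three_channel_image(target, side, random.Random(seed))
    whole = read_storage_area(image, 0, image_capacity(side))
    return {"target_len": len(target), "offset": offset, "image": image,
            "nonzero": sum(1 for v in whole if v)}


if __name__ == "__main__":
    result = build_sample(SAMPLE_TRAFFIC)
    print(f"{len(SAMPLE_TRAFFIC)} bytes -> {result['target_len']} target bytes placed at offset "
          f"{result['offset']} of a {image_capacity(8)}-value image")
```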
When collecting and detecting network traffic, this embodiment may use a hard disk to cache the network traffic data, then use the neural network to detect the data, store the detection result in a log file, and notify the cloud server management platform of abnormal conditions. Referring to fig. 3, fig. 3 is a schematic diagram illustrating the principle of an abnormal traffic detection scheme of a cloud server management platform according to an embodiment of the present application. In this way, the neural network detection module can detect the traffic of the physical network card in the cloud server and raise an alarm when abnormal traffic is detected, improving the security of the whole cloud management platform. The embodiment may store the prediction result in the node log so that it can be displayed on the cloud management platform or the user interface. The data preprocessing in fig. 3 may be the conversion of the decimal data into three-channel image data.
At present, deep neural networks are developing rapidly and stand out particularly in the field of image processing, which makes the detection of abnormal network traffic with a neural network and image processing techniques possible. In this embodiment, the network traffic is converted into three-channel image data; neural networks for detecting three-channel images are currently very mature, and converting the traffic data into three-channel image data raises the information content threefold and accelerates detection. Detecting the three-channel image with a convolutional neural network is an end-to-end detection technique that can effectively avoid manual intervention and improve the overall detection level. Applying this detection technique to the cloud server and detecting the traffic of the physical network card can effectively improve the security of the server.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a system for detecting abnormal traffic according to an embodiment of the present disclosure;
the system may include:
a binary conversion module 100, configured to acquire the traffic to be detected and convert the traffic to be detected into decimal target data;
an image data generation module 200, configured to generate three-channel image data by using the value of each byte in the target data as a gray value;
and a judging module 300, configured to input the three-channel image data into an abnormal traffic detection model and judge whether the traffic to be detected is abnormal according to the output result of the abnormal traffic detection model.
In this embodiment, the traffic to be detected is converted into decimal target data, the value of each byte in the target data is used as a gray value to obtain the corresponding three-channel image data, the abnormal traffic detection model then performs anomaly detection on the three-channel image data, and whether the traffic is abnormal is judged according to the model's output. The embodiment converts the traffic to be detected into three-channel image data, realizes abnormal traffic detection based on image features, and can improve the detection efficiency of the abnormal traffic detection model because a three-channel image carries three times the information content of a single-channel gray image.
Further, the binary conversion module 100 includes:
a data block dividing unit, configured to divide the traffic to be detected into a plurality of data blocks, each data block corresponding to 8 bytes;
and a conversion unit, configured to convert each data block into decimal numbers and arrange the decimal numbers in the order of the data blocks to obtain the target data.
Further, the system also comprises:
a bit padding module, configured to judge, before the traffic to be detected is divided into data blocks, whether the byte count of the traffic is an integral multiple of 8, and if not, to append 0 after the last byte of the traffic so that the byte count of the padded traffic is an integral multiple of 8.
Further, the image data generation module 200 is configured to use the value of each byte in the target data as a gray value; to select a data storage area in the three-channel image and use the value of each byte in the target data as the gray value of a pixel in the data storage area, where the number of pixels in the data storage area is greater than or equal to the number of bytes of the target data and the pixels in the data storage area correspond one to one to the bytes in the target data; and to set the gray value of the pixels in all areas of the three-channel image other than the data storage area to 0 and take the gray value distribution of the three-channel image as the three-channel image data.
Further, the system also comprises:
a model training module, configured to convert abnormal traffic samples into three-channel image data samples before the three-channel image data is input into the abnormal traffic detection model, divide the three-channel image data samples into a training set and a test set according to a preset proportion, and train an initial model using the training set and the test set to obtain the abnormal traffic detection model.
Further, the abnormal traffic detection model is a model based on the Faster RCNN target detection network, wherein the Faster RCNN target detection network is a convolutional neural network that uses group normalization for deep learning.
Further, the system also comprises:
a recording module, configured to write the detection result of the traffic to be detected into a log file after judging whether the traffic is abnormal according to the output result of the abnormal traffic detection model;
and a prompt module, configured to send prompt information to the management platform if the traffic to be detected is judged to be abnormal.
Since the embodiment of the system part corresponds to the embodiment of the method part, the system embodiment is described with reference to the method embodiment and is not repeated here.
The present application also provides a storage medium having a computer program stored thereon, which, when executed, may implement the steps provided by the above embodiments. The storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the electronic device may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for detecting abnormal traffic, comprising:
acquiring flow to be detected, and converting the flow to be detected into decimal target data;
taking the value of each byte in the target data as a gray value to generate three-channel image data;
and inputting the three-channel image data into an abnormal flow detection model, and judging whether the flow to be detected is abnormal according to an output result of the abnormal flow detection model.
2. The method for detecting abnormal flow according to claim 1, wherein converting the flow to be detected into decimal target data comprises:
dividing the flow to be detected into a plurality of data blocks, wherein the number of bytes in each data block is 8;
and converting each data block into decimal numbers, and arranging the decimal numbers according to the sequence of the data blocks to obtain the target data.
3. The method according to claim 2, wherein before dividing the traffic to be detected into a plurality of data blocks, the method further comprises:
judging whether the byte number of the flow to be detected is an integral multiple of 8 or not;
if not, appending 0 at the end of the flow to be detected so that the number of bytes of the padded flow to be detected is an integral multiple of 8.
4. The method for detecting abnormal traffic according to claim 1, wherein generating three-channel image data using a value of each byte in the target data as a gray value comprises:
taking the value of each byte in the target data as a gray value;
selecting a data storage area in a three-channel image, and taking the value of each byte in the target data as the gray value of a pixel point in the data storage area; the number of pixel points in the data storage area is greater than or equal to the number of bytes of the target data, and the pixel points in the data storage area correspond to the bytes in the target data one to one;
and setting the gray value of the pixel points in other areas except the data storage area in the three-channel image as 0, and taking the gray value distribution information of the three-channel image as three-channel image data.
5. The abnormal flow detection method according to claim 1, further comprising, before inputting the three-channel image data into an abnormal flow detection model:
converting an abnormal flow sample into a three-channel image data sample, and dividing the three-channel image data sample into a training set and a test set according to a preset proportion;
and training an initial model by utilizing the training set and the test set to obtain an abnormal flow detection model.
6. The method according to claim 1, wherein the abnormal traffic detection model is a model based on a Faster RCNN target detection network; wherein the Faster RCNN target detection network is a convolutional neural network for deep learning using group normalization.
7. The abnormal flow detection method according to any one of claims 1 to 6, further comprising, after determining whether the flow to be detected is an abnormal flow based on an output result of the abnormal flow detection model:
writing the detection result of the flow to be detected into a log file;
and if the flow to be detected is judged to be abnormal, sending prompt information to a management platform.
8. A system for detecting abnormal traffic, comprising:
the binary conversion module is used for acquiring the flow to be detected and converting the flow to be detected into decimal target data;
the image data generation module is used for generating three-channel image data by taking the value of each byte in the target data as a gray value;
and the judging module is used for inputting the three-channel image data into an abnormal flow detection model and judging whether the flow to be detected is abnormal according to the output result of the abnormal flow detection model.
9. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the abnormal traffic detection method according to any one of claims 1 to 7 when calling the computer program in the memory.
10. A storage medium having stored thereon computer-executable instructions which, when loaded and executed by a processor, carry out the steps of the method for detecting abnormal traffic as claimed in any one of claims 1 to 7.
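The preprocessing of claims 2 to 4 (pad to a multiple of 8 bytes, split into 8-byte blocks converted to decimal, then use each byte as a gray value inside a data storage area of a three-channel image with all other pixels set to 0), written out as an added example; this is not the patent's own code. The big-endian block order, the top-left placement of the data storage area, its row-major fill and the copying of the gray value into all three channels are assumptions the claims do not fix.

```python
from typing import List

BLOCK_BYTES = 8  # claim 2: every data block is 8 bytes


def pad_traffic(raw: bytes) -> bytes:
    """Claim 3: if the byte count is not a multiple of 8, append 0 bytes at the end."""
    remainder = len(raw) % BLOCK_BYTES
    if remainder == 0:
        return raw
    return raw + b"\x00" * (BLOCK_BYTES - remainder)


def to_decimal_target_data(raw: bytes) -> List[int]:
    """Claim 2: split the padded traffic into 8-byte blocks, convert each block to a
    decimal integer and keep the block order. Big-endian is an assumption; the
    claims do not state a byte order."""
    padded = pad_traffic(raw)
    return [int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(padded), BLOCK_BYTES)]


def target_data_bytes(target: List[int]) -> List[int]:
    """Unpack the decimal blocks back into their byte values (0-255); claim 4 uses
    each byte of the target data as one gray value."""
    grays: List[int] = []
    for block in target:
        grays.extend(block.to_bytes(BLOCK_BYTES, "big"))
    return grays


def to_three_channel_image(target: List[int], height: int, width: int,
                           area_h: int, area_w: int) -> List[List[List[int]]]:
    """Claim 4: write the gray values pixel by pixel into a data storage area and set
    every other pixel to 0. Assumptions: the area is the top-left area_h x area_w
    rectangle, bytes fill it row-major, and the gray value is copied into all three
    channels. Returns image[y][x] == [r, g, b]."""
    grays = target_data_bytes(target)
    if area_h * area_w < len(grays):  # claim 4: the area must hold every byte
        raise ValueError("data storage area has fewer pixels than target bytes")
    if area_h > height or area_w > width:
        raise ValueError("data storage area does not fit inside the image")
    image = [[[0, 0, 0] for _ in range(width)] for _ in range(height)]
    for idx, gray in enumerate(grays):  # one byte <-> one pixel
        y, x = divmod(idx, area_w)
        image[y][x] = [gray, gray, gray]
    return image


# Constructed sample standing in for 13 captured bytes (not real traffic).
SAMPLE = bytes([0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00,
                0x40, 0x06, 0xb1, 0xe6, 0xc0])
```

Because the pixel count of the data storage area bounds how many bytes one image can carry, a deployment must decide how longer flows are cut or sampled before this step; the claims leave that choice open.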
Publications (2)

Publication Number Publication Date
CN112333155A true CN112333155A (en) 2021-02-05
CN112333155B CN112333155B (en) 2022-07-22
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant