CN112333155A - Abnormal flow detection method and system, electronic equipment and storage medium - Google Patents
- Publication number
- CN112333155A (CN202011112722.8A)
- Authority
- CN
- China
- Prior art keywords
- flow
- detected
- abnormal
- data
- channel image
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2218/00—Aspects of pattern recognition specially adapted for signal processing
- G06F2218/12—Classification; Matching
Abstract
The application discloses a method for detecting abnormal traffic, comprising: acquiring traffic to be detected and converting it into decimal target data; taking the value of each byte in the target data as a gray value to generate three-channel image data; and inputting the three-channel image data into an abnormal traffic detection model and judging whether the traffic to be detected is abnormal according to the output of the model. The method can improve the detection efficiency of the abnormal traffic detection model on the traffic to be detected. The application also discloses a system for detecting abnormal traffic, an electronic device and a storage medium, which have the same beneficial effects.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and a system for detecting abnormal traffic, an electronic device, and a storage medium.
Background
With the development of cloud computing and the internet, the amount of abnormal traffic in networks has multiplied, which poses a serious challenge for the security protection of cloud servers. Intrusion detection on network traffic is now widely applied in large data centers as an active security measure. Machine learning is currently a commonly used approach for detecting and classifying abnormal network traffic, but it requires data features to be extracted manually for the learning algorithm, so the detection system depends heavily on the experience behind that manual feature extraction, which seriously restricts the overall performance of abnormal network traffic detection.
Therefore, how to improve the detection efficiency of the network abnormal traffic is a technical problem that needs to be solved by those skilled in the art at present.
Disclosure of Invention
The application aims to provide a method and a system for detecting abnormal traffic, an electronic device and a storage medium, which can improve the detection efficiency of the abnormal traffic of a network.
In order to solve the above technical problem, the present application provides a method for detecting abnormal traffic, where the method for detecting abnormal traffic includes:
acquiring flow to be detected, and converting the flow to be detected into decimal target data;
taking the value of each byte in the target data as a gray value to generate three-channel image data;
and inputting the three-channel image data into an abnormal flow detection model, and judging whether the flow to be detected is abnormal according to an output result of the abnormal flow detection model.
Optionally, converting the flow to be detected into decimal target data includes:
dividing the flow to be detected into a plurality of data blocks; wherein, the byte number corresponding to each data block is 8;
and converting each data block into decimal numbers, and arranging the decimal numbers according to the sequence of the data blocks to obtain the target data.
Optionally, before dividing the traffic to be detected into a plurality of data blocks, the method further includes:
judging whether the byte number of the flow to be detected is an integral multiple of 8 or not;
if not, appending 0s to the end of the traffic to be detected so that its number of bytes after padding is an integral multiple of 8.
Optionally, the generating three-channel image data by using the value of each byte in the target data as a gray value includes:
taking the value of each byte in the target data as a gray value;
selecting a data storage area in a three-channel image, and taking the value of each byte in the target data as the gray value of a pixel point in the data storage area; the number of pixel points in the data storage area is greater than or equal to the number of bytes of the target data, and the pixel points in the data storage area correspond to the bytes in the target data one to one;
and setting the gray value of the pixel points in other areas except the data storage area in the three-channel image as 0, and taking the gray value distribution information of the three-channel image as three-channel image data.
Optionally, before inputting the three-channel image data into the abnormal flow detection model, the method further includes:
converting an abnormal flow sample into a three-channel image data sample, and dividing the three-channel image data sample into a training set and a test set according to a preset proportion;
and training an initial model by utilizing the training set and the test set to obtain an abnormal flow detection model.
Optionally, the abnormal traffic detection model is a model based on a Faster RCNN target detection network, wherein the Faster RCNN target detection network is a convolutional neural network that uses group normalization for deep learning.
Optionally, after determining whether the flow to be detected is an abnormal flow according to the output result of the abnormal flow detection model, the method further includes:
writing the detection result of the flow to be detected into a log file;
and if the flow to be detected is judged to be abnormal, sending prompt information to a management platform.
The present application further provides a system for detecting abnormal traffic, the system including:
a binary conversion module, used for acquiring the traffic to be detected and converting the traffic to be detected into decimal target data;
the image data generation module is used for generating three-channel image data by taking the value of each byte in the target data as a gray value;
and the judging module is used for inputting the three-channel image data into an abnormal flow detection model and judging whether the flow to be detected is abnormal according to the output result of the abnormal flow detection model.
The application also provides a storage medium, on which a computer program is stored, and the computer program realizes the steps executed by the detection method of the abnormal flow when executed.
The application also provides an electronic device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps executed by the abnormal flow detection method when calling the computer program in the memory.
The application provides a method for detecting abnormal flow, which comprises the following steps: acquiring flow to be detected, and converting the flow to be detected into decimal target data; taking the value of each byte in the target data as a gray value to generate three-channel image data; and inputting the three-channel image data into an abnormal flow detection model, and judging whether the flow to be detected is abnormal according to an output result of the abnormal flow detection model.
The present application converts the traffic to be detected into decimal target data, obtains the corresponding three-channel image data by taking the value of each byte in the target data as a gray value, performs anomaly detection on the three-channel image data using the abnormal traffic detection model, and judges whether the traffic to be detected is abnormal according to the model's output. Because the traffic is converted into three-channel image data, abnormal traffic detection is performed on image features, and because a three-channel image holds three times the information of a single-channel grayscale image, the detection efficiency of the abnormal traffic detection model on the traffic to be detected can be improved. The application also provides a system for detecting abnormal traffic, an electronic device and a storage medium, which have the same beneficial effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a method for detecting abnormal traffic according to an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of three-channel image data storage according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram illustrating a principle of an abnormal traffic detection scheme of a cloud server management platform according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a system for detecting abnormal traffic according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a method for detecting abnormal traffic according to an embodiment of the present disclosure.
The specific steps may include:
S101: acquiring traffic to be detected, and converting the traffic to be detected into decimal target data;
This embodiment can be applied to devices with an abnormal traffic monitoring function, such as a firewall or a classified-protection compliance all-in-one appliance, and the traffic to be detected can be the traffic received or sent by one or more target hosts. After the traffic to be detected is obtained, this embodiment may convert each byte of it into a decimal number (0-255), yielding the traffic to be detected in decimal form, that is, the target data.
S102: taking the value of each byte in the target data as a gray value to generate three-channel image data;
Gray values range from 0 to 255, so each decimal byte in the target data corresponds exactly to the gray value of one pixel point. A grayscale image can be obtained by using the value of each byte in the target data as a gray value, and three-channel image data can be obtained by zero-filling that grayscale image.
As a possible implementation, the process of generating three-channel image data in this embodiment may include the following processes: taking the value of each byte in the target data as a gray value; selecting a data storage area in a three-channel image, and taking the value of each byte in the target data as the gray value of a pixel point in the data storage area; and setting the gray value of the pixel points in other areas except the data storage area in the three-channel image as 0, and taking the gray value distribution information of the three-channel image as three-channel image data. The number of pixel points in the data storage area is greater than or equal to the number of bytes of the target data, and the pixel points in the data storage area correspond to the bytes in the target data one to one. The data storage area may be an area in any channel in the three-channel image, or may be a combination of a plurality of channel areas.
S103: and inputting the three-channel image data into an abnormal flow detection model, and judging whether the flow to be detected is abnormal according to an output result of the abnormal flow detection model.
The abnormal traffic detection model in this embodiment may be a trained deep neural network model, and the process of training it may include: obtaining abnormal traffic samples, converting them into decimal training samples, generating the three-channel image data corresponding to the decimal training samples, and training the abnormal traffic detection model. In this embodiment, the physical network card traffic can be cached on a storage medium such as a hard disk, the cached data can be detected using the trained abnormal traffic detection model, the detection result is stored in a log file, and the cloud management platform is notified if abnormal data exists. The three-channel image data is input into the abnormal traffic detection model so that the model outputs the detection result.
As a feasible implementation, after judging whether the traffic to be detected is abnormal according to the output of the abnormal traffic detection model, the detection result can be written into a log file, and if the traffic is judged to be abnormal, prompt information is sent to a management platform. If the traffic to be detected is not abnormal, it can be allowed through so that other devices can receive it.
In this embodiment, the traffic to be detected is converted into decimal target data, the value of each byte in the target data is used as a gray value to obtain the corresponding three-channel image data, the abnormal traffic detection model performs anomaly detection on the three-channel image data, and whether the traffic to be detected is abnormal is judged according to the model's output. Converting the one-dimensional traffic data into three-channel image data makes traffic detection suitable for target detection networks based on convolutional neural networks, such as Faster RCNN; the three-channel data amount is large, and the detection speed is increased. Because the traffic is converted into three-channel image data, abnormal traffic detection is performed on image features, and because a three-channel image holds three times the information of a single-channel grayscale image, the detection efficiency of the abnormal traffic detection model on the traffic to be detected can be improved.
As a further introduction to the embodiment corresponding to Fig. 1, the abnormal traffic detection model may be a model based on the Faster RCNN target detection network, wherein the Faster RCNN target detection network is a convolutional neural network that uses group normalization for deep learning. Traditional schemes mainly use Batch Normalization (BN) for deep learning, but BN has disadvantages owing to its particular behavior under different batch sizes. Batch normalization requires a sufficiently large batch size (e.g., 32 for each workstation). A small batch can result in inaccurate estimated batch statistics, and reducing the batch size for batch normalization can greatly increase the model error rate, resulting in excessive memory consumption. This example therefore uses Group Normalization (GN) instead of Batch Normalization (BN). Group normalization does not use the batch dimension, and its calculation is independent of batch size, so GN performs more consistently over a wide range of batch sizes. Replacing the original batch normalization function with the group normalization function in this way can accelerate network training and convergence.
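The batch-size independence claimed for group normalization can be checked numerically. The following is an added illustration, not code from the patent: it assumes training-mode normalization without learned scale or shift, activations stored as `batch[sample][channel]` lists, and constructed sample values `X`, `Y`, `Z`.

```python
import math

EPS = 1e-5  # numerical stabilizer (assumed value)

# Constructed activations: 4 channels, 2 spatial values per channel.
X = [[1.0, 2.0], [3.0, 4.0], [10.0, 20.0], [30.0, 40.0]]
Y = [[0.0, 0.5], [1.0, 1.5], [5.0, 6.0], [9.0, 7.0]]
Z = [[100.0, 200.0], [-50.0, 50.0], [0.0, 1.0], [2.0, 3.0]]


def _stats(values):
    """Mean and (biased) variance of a flat list of activations."""
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / len(values)
    return mean, var


def _normalize(values, mean, var):
    return [(v - mean) / math.sqrt(var + EPS) for v in values]


def group_norm(batch, groups):
    """Normalize each sample over its own channel groups.
    Statistics never cross the batch dimension."""
    out = []
    for sample in batch:
        if len(sample) % groups:
            raise ValueError("channel count must be divisible by groups")
        per_group = len(sample) // groups
        normalized = []
        for g in range(groups):
            members = sample[g * per_group:(g + 1) * per_group]
            mean, var = _stats([v for ch in members for v in ch])
            normalized.extend(_normalize(ch, mean, var) for ch in members)
        out.append(normalized)
    return out


def batch_norm(batch):
    """Normalize each channel over every sample in the batch, so the
    result for one sample depends on which samples share its batch."""
    channels = len(batch[0])
    stats = [_stats([v for sample in batch for v in sample[c]])
             for c in range(channels)]
    return [[_normalize(sample[c], *stats[c]) for c in range(channels)]
            for sample in batch]


if __name__ == "__main__":
    same_gn = group_norm([X, Y], 2)[0] == group_norm([X, Z], 2)[0]
    same_bn = batch_norm([X, Y])[0] == batch_norm([X, Z])[0]
    print("GN output for X unchanged by batch mates:", same_gn)
    print("BN output for X unchanged by batch mates:", same_bn)
```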
As a further description of the embodiment corresponding to Fig. 1, the process of converting the traffic to be detected into decimal target data in S101 includes: dividing the traffic to be detected into a plurality of data blocks, wherein the number of bytes corresponding to each data block is 8; and converting each data block into decimal numbers, and arranging the decimal numbers according to the sequence of the data blocks to obtain the target data.
Of course, before dividing the traffic to be detected into a plurality of data blocks, it can also be judged whether the number of bytes of the traffic to be detected is an integral multiple of 8; if so, the step of dividing the traffic to be detected into a plurality of data blocks is carried out; if not, 0s are appended to the end of the traffic to be detected so that its number of bytes after padding is an integral multiple of 8.
As a further introduction to the embodiment corresponding to fig. 1, before the three-channel image data is input into the abnormal flow detection model, the abnormal flow sample may be converted into a three-channel image data sample, and the three-channel image data sample is divided into a training set and a test set according to a preset proportion; and training an initial model by utilizing the training set and the test set to obtain an abnormal flow detection model.
The flow described in the above embodiment is described below by using an abnormal traffic detection scheme in a cloud server based on a convolutional neural network in practical application.
The scheme can comprise constructing a data set, training a neural network model, and collecting and detecting traffic in a cloud server. The data set is a three-channel image data set made from an open-source traffic data set; the neural network is an improved Faster RCNN network; a hard disk in the server stores the network card traffic; the trained model detects the stored data; the detection result is stored in a log file; and the cloud server management platform is notified of abnormal conditions.
In the process of constructing the data set, open-source data sets such as CICIDS2017 and ISCX2012 can be converted into three-channel image data. As shown in Fig. 2, the image blocks corresponding to the hatched regions hold the converted data, which is stored at a random position in the three-channel image, and the image blocks outside the hatched regions are filled with 0. In this embodiment, network traffic is converted into three-channel image data, whose data processing capacity is three times that of single-channel image data. Three-channel image detection is currently very mature, so a mature neural network can be used; this embodiment adopts a Faster RCNN target detection network, which can generate two thousand candidate boxes of different sizes in one image and capture targets of different sizes, making it suitable for network traffic data packets of different sizes. The data packets in the public data sets are generally small and unevenly distributed in size, while the input image data of Faster RCNN can store 1M to 3M of data; the data packets are placed at arbitrary positions in the three-channel data in a random distribution, which suits a target detection network well.
In the process of training the neural network, the data set can be divided into a training set and a test set, and the test result is obtained by training the network. Specifically, the size of the images processed by Faster RCNN in this embodiment can be in the range of 600 to 1000, and a three-channel image can store 1.08M to 3M of data. The data packets in the open-source data set are generally very small and can be stored at any position in a three-channel image, with 0 written at the other positions. After the source data set is converted into three-channel image data, the three-channel image data is divided into a training set and a test set at a ratio of 6:4, used for training and testing the neural network respectively.
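The conversion described in S101 and S102 and in the data-set construction above can be written out as follows. This is an added sketch, not code from the patent: the flat row-major buffer with interleaved channels, the single contiguous storage area, the function names and the `SAMPLE` request are all assumptions made for illustration.

```python
import random

BLOCK_BYTES = 8   # data block size stated in the method
CHANNELS = 3      # three-channel image

# Constructed sample: an HTTP request standing in for captured traffic.
SAMPLE = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"


def to_target_data(traffic: bytes) -> list:
    """S101: zero-pad to a multiple of 8 bytes, cut into 8-byte blocks and
    list every byte as a decimal number (0-255), keeping block order."""
    pad = -len(traffic) % BLOCK_BYTES
    padded = traffic + bytes(pad)
    blocks = [padded[i:i + BLOCK_BYTES]
              for i in range(0, len(padded), BLOCK_BYTES)]
    return [value for block in blocks for value in block]


def capacity(side: int) -> int:
    """Bytes a side x side three-channel image holds (one byte per value)."""
    return side * side * CHANNELS


def to_three_channel(target, side, rng):
    """S102: write the target data into a data storage area of an otherwise
    all-zero image. Assumed layout: flat row-major buffer, interleaved
    channels, storage area = one contiguous run at a random offset."""
    room = capacity(side) - len(target)
    if room < 0:
        raise ValueError("target data exceeds image capacity")
    offset = rng.randrange(room + 1)
    image = bytearray(capacity(side))      # every gray value starts at 0
    image[offset:offset + len(target)] = bytes(target)
    return image, offset


def pixel(image, side, row, col):
    """Gray values of the three channels of one pixel in the assumed layout."""
    start = (row * side + col) * CHANNELS
    return tuple(image[start:start + CHANNELS])


def recover(image, offset, length):
    """Read the original bytes back. The length has to be kept separately:
    padding zeros and background zeros look the same as 0x00 payload bytes."""
    return bytes(image[offset:offset + length])


if __name__ == "__main__":
    target = to_target_data(SAMPLE)
    image, offset = to_three_channel(target, 600, random.Random(2020))
    print(len(SAMPLE), "bytes ->", len(target), "values at offset", offset)
    print("capacity for sides 600 and 1000:", capacity(600), capacity(1000))
    print("round trip ok:", recover(image, offset, len(SAMPLE)) == SAMPLE)
```

The capacities for image sides 600 and 1000 are 1,080,000 and 3,000,000 bytes, which matches the 1.08M to 3M range given in the text.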
In the process of collecting and detecting network traffic, this embodiment may use a hard disk to cache network traffic data, then use the neural network to detect the data, store the detection result in a log file, and notify the cloud server management platform of abnormal conditions. Referring to Fig. 3, Fig. 3 is a schematic diagram illustrating the principle of an abnormal traffic detection scheme of a cloud server management platform according to an embodiment of the present application. In this way, the neural network detection module can detect the network traffic of the physical network card in the cloud server and raise an alarm when abnormal traffic is detected, improving the security of the whole cloud management platform. The embodiment may store the prediction result in the node log so that it can be displayed on the cloud management platform or a user interface. The data preprocessing in Fig. 3 may be the conversion of the decimal data into three-channel image data.
Deep neural networks are currently developing rapidly and are particularly prominent in the field of image processing, which makes it possible to detect abnormal network traffic using a neural network and image processing technology. In this embodiment, network traffic is converted into three-channel image data, for which detection neural networks are currently very mature. Converting the network traffic data into three-channel image data increases the information content by 3 times and accelerates detection; the three-channel image is detected using a convolutional neural network, and this end-to-end detection technique effectively avoids manual intervention and improves the overall detection level. Applied to a cloud server, the detection technique can effectively improve the security of the server by detecting the traffic of the physical network card.
Referring to Fig. 4, Fig. 4 is a schematic structural diagram of a system for detecting abnormal traffic according to an embodiment of the present disclosure.
The system may include:
a binary conversion module 100, configured to obtain the traffic to be detected, and convert the traffic to be detected into decimal target data;
an image data generating module 200, configured to generate three-channel image data by using the value of each byte in the target data as a gray value;
a judging module 300, configured to input the three-channel image data into an abnormal traffic detection model, and judge whether the traffic to be detected is abnormal according to the output result of the abnormal traffic detection model.
In this embodiment, the traffic to be detected is converted into decimal target data, the value of each byte in the target data is used as a gray value to obtain the corresponding three-channel image data, the abnormal traffic detection model performs anomaly detection on the three-channel image data, and whether the traffic to be detected is abnormal is judged according to the model's output. Because the traffic is converted into three-channel image data, abnormal traffic detection is performed on image features, and because a three-channel image holds three times the information of a single-channel grayscale image, the detection efficiency of the abnormal traffic detection model on the traffic to be detected can be improved.
Further, the binary conversion module 100 includes:
the data block dividing unit is used for dividing the flow to be detected into a plurality of data blocks; wherein, the byte number corresponding to each data block is 8;
and the conversion unit is used for converting each data block into decimal numbers, and arranging the decimal numbers according to the sequence of the data blocks to obtain the target data.
Further, the method also comprises the following steps:
the bit complementing module is used for judging whether the byte number of the flow to be detected is an integral multiple of 8 or not before dividing the flow to be detected into a plurality of data blocks; if not, the number of bytes of the flow to be detected after 0 is supplemented is made to be an integral multiple of 8 by supplementing 0 at the last bit of the flow to be detected.
Further, the image data generating module 200 is configured to use a value of each byte in the target data as a gray scale value; the three-channel image acquisition device is also used for selecting a data storage area in the three-channel image and taking the value of each byte in the target data as the gray value of a pixel point in the data storage area; the number of pixel points in the data storage area is greater than or equal to the number of bytes of the target data, and the pixel points in the data storage area correspond to the bytes in the target data one to one; and the three-channel image processing device is also used for setting the gray value of the pixel points in other areas except the data storage area in the three-channel image to be 0 and taking the gray value distribution information of the three-channel image as three-channel image data.
Further, the system also comprises:
the model training module is used for converting the abnormal flow sample into a three-channel image data sample before the three-channel image data is input into the abnormal flow detection model, and dividing the three-channel image data sample into a training set and a test set according to a preset proportion; and is also used for training an initial model by utilizing the training set and the test set to obtain the abnormal flow detection model.
Further, the abnormal flow detection model is a model based on a Faster RCNN target detection network; wherein the Faster RCNN target detection network is a convolutional neural network that uses group normalization for deep learning.
Further, the system also comprises:
the recording module is used for writing the detection result of the flow to be detected into a log file after judging whether the flow to be detected is abnormal according to the output result of the abnormal flow detection model;
and the prompt module is used for sending prompt information to the management platform if the flow to be detected is judged to be abnormal.
Since the embodiment of the system part corresponds to the embodiment of the method part, the embodiment of the system part is described with reference to the embodiment of the method part, and is not repeated here.
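The conversion performed by the bit complementing module, the conversion unit and the image data generating module, as an added Python example that is not part of the patent text. It assumes each data block is 8 bits wide (so every decimal value fits a 0 to 255 gray level), a data storage area filled row by row from the top-left pixel, and the same gray value written to all three channels; the function names and the image size are hypothetical.

```python
"""Added illustration of the flow-to-image conversion; not the patent's code.
Assumptions: 8-bit data blocks, row-major data storage area starting at the
top-left pixel, identical gray value in all three channels."""
from typing import List

Image = List[List[List[int]]]  # image[row][col] -> [c0, c1, c2]


def bits_from_bytes(data: bytes) -> str:
    """Render captured bytes as a bit string, most significant bit first."""
    return "".join(f"{b:08b}" for b in data)


def pad_bits(bits: str) -> str:
    """Supplement 0 after the last bit until the length is a multiple of 8."""
    if set(bits) - {"0", "1"}:
        raise ValueError("flow must be a string of 0/1 characters")
    return bits + "0" * (-len(bits) % 8)


def to_decimal_blocks(bits: str) -> List[int]:
    """Split the padded flow into 8-bit blocks and convert each to decimal,
    keeping the blocks in their original order (the 'target data')."""
    padded = pad_bits(bits)
    return [int(padded[i:i + 8], 2) for i in range(0, len(padded), 8)]


def to_three_channel_image(values: List[int], height: int, width: int) -> Image:
    """Write one value per pixel into the data storage area; every pixel
    outside that area keeps gray value 0."""
    if len(values) > height * width:
        raise ValueError("data storage area has fewer pixels than target data")
    image = [[[0, 0, 0] for _ in range(width)] for _ in range(height)]
    for index, value in enumerate(values):
        row, col = divmod(index, width)
        image[row][col] = [value, value, value]
    return image


if __name__ == "__main__":
    # Constructed sample: the bytes "GET" followed by three stray bits.
    flow = bits_from_bytes(b"GET") + "101"
    target = to_decimal_blocks(flow)
    print(target)
    for row in to_three_channel_image(target, height=2, width=3):
        print(row)
```

Because both the padding and the background use 0, a flow that ends in zero bits or zero-valued blocks yields the same image as a shorter flow; store the original length next to the image if the detector needs to tell them apart.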
The present application also provides a storage medium having a computer program stored thereon which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the electronic device may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Claims (10)
1. A method for detecting abnormal traffic, comprising:
acquiring flow to be detected, and converting the flow to be detected into decimal target data;
taking the value of each byte in the target data as a gray value to generate three-channel image data;
and inputting the three-channel image data into an abnormal flow detection model, and judging whether the flow to be detected is abnormal according to an output result of the abnormal flow detection model.
2. The method for detecting abnormal flow according to claim 1, wherein converting the flow to be detected into decimal target data comprises:
dividing the flow to be detected into a plurality of data blocks; wherein, the byte number corresponding to each data block is 8;
and converting each data block into decimal numbers, and arranging the decimal numbers according to the sequence of the data blocks to obtain the target data.
3. The method according to claim 2, wherein before dividing the traffic to be detected into a plurality of data blocks, the method further comprises:
judging whether the byte number of the flow to be detected is an integral multiple of 8 or not;
if not, the number of bytes of the flow to be detected after 0 is supplemented is made to be an integral multiple of 8 by supplementing 0 at the last bit of the flow to be detected.
4. The method for detecting abnormal traffic according to claim 1, wherein generating three-channel image data using a value of each byte in the target data as a gray value comprises:
taking the value of each byte in the target data as a gray value;
selecting a data storage area in a three-channel image, and taking the value of each byte in the target data as the gray value of a pixel point in the data storage area; the number of pixel points in the data storage area is greater than or equal to the number of bytes of the target data, and the pixel points in the data storage area correspond to the bytes in the target data one to one;
and setting the gray value of the pixel points in other areas except the data storage area in the three-channel image as 0, and taking the gray value distribution information of the three-channel image as three-channel image data.
5. The abnormal flow detection method according to claim 1, further comprising, before inputting the three-channel image data into an abnormal flow detection model:
converting an abnormal flow sample into a three-channel image data sample, and dividing the three-channel image data sample into a training set and a test set according to a preset proportion;
and training an initial model by utilizing the training set and the test set to obtain an abnormal flow detection model.
6. The method according to claim 1, wherein the abnormal traffic detection model is a model based on a Faster RCNN target detection network; wherein the Faster RCNN target detection network is a convolutional neural network that uses group normalization for deep learning.
7. The abnormal flow detection method according to any one of claims 1 to 6, further comprising, after determining whether the flow to be detected is an abnormal flow based on an output result of the abnormal flow detection model:
writing the detection result of the flow to be detected into a log file;
and if the flow to be detected is judged to be abnormal, sending prompt information to a management platform.
8. A system for detecting abnormal traffic, comprising:
the binary conversion module is used for acquiring the flow to be detected and converting the flow to be detected into decimal target data;
the image data generation module is used for generating three-channel image data by taking the value of each byte in the target data as a gray value;
and the judging module is used for inputting the three-channel image data into an abnormal flow detection model and judging whether the flow to be detected is abnormal according to the output result of the abnormal flow detection model.
9. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the abnormal traffic detection method according to any one of claims 1 to 7 when calling the computer program in the memory.
10. A storage medium having stored thereon computer-executable instructions which, when loaded and executed by a processor, carry out the steps of the method for detecting abnormal traffic as claimed in any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011112722.8A CN112333155B (en) | 2020-10-16 | 2020-10-16 | Abnormal flow detection method and system, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112333155A (en) | 2021-02-05 |
CN112333155B (en) | 2022-07-22 |
Family
ID=74313600
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011112722.8A Active CN112333155B (en) | 2020-10-16 | 2020-10-16 | Abnormal flow detection method and system, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112333155B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113222930A (en) * | 2021-05-08 | 2021-08-06 | 厦门服云信息科技有限公司 | Malicious flow detection method based on image analysis, terminal device and storage medium |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108900546A (en) * | 2018-08-13 | 2018-11-27 | 杭州安恒信息技术股份有限公司 | The method and apparatus of time series Network anomaly detection based on LSTM |
CN109919251A (en) * | 2019-03-21 | 2019-06-21 | 腾讯科技(深圳)有限公司 | A kind of method and device of object detection method based on image, model training |
WO2020052436A1 (en) * | 2018-09-12 | 2020-03-19 | 杭州海康威视数字技术股份有限公司 | Vehicle overload alarming method and apparatus, electronic device, and storage medium |
CN111340727A (en) * | 2020-02-26 | 2020-06-26 | 电子科技大学 | Abnormal flow detection method based on GBR image |
CN111343182A (en) * | 2020-02-26 | 2020-06-26 | 电子科技大学 | Abnormal flow detection method based on gray level graph |
CN111447190A (en) * | 2020-03-20 | 2020-07-24 | 北京观成科技有限公司 | Encrypted malicious traffic identification method, equipment and device |
CN111524113A (en) * | 2020-04-17 | 2020-08-11 | 中冶赛迪重庆信息技术有限公司 | Lifting chain abnormity identification method, system, equipment and medium |
CN111526119A (en) * | 2020-03-19 | 2020-08-11 | 北京三快在线科技有限公司 | Abnormal flow detection method and device, electronic equipment and computer readable medium |
CN111625826A (en) * | 2020-05-28 | 2020-09-04 | 浪潮电子信息产业股份有限公司 | Malicious software detection method and device in cloud server and readable storage medium |
CN112953924A (en) * | 2021-02-04 | 2021-06-11 | 西安电子科技大学 | Network abnormal flow detection method, system, storage medium, terminal and application |
Also Published As
Publication number | Publication date |
---|---|
CN112333155B (en) | 2022-07-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||