CN112448919B - Network anomaly detection method, device and system and computer readable storage medium - Google Patents


Info

Publication number: CN112448919B
Authority: CN (China)
Application number: CN201910811022.9A
Other languages: Chinese (zh)
Other versions: CN112448919A
Inventors: 王海宁, 王嘉伦, 吴湘东, 张敏
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Legal status: Active

Classifications

    • H04L 63/1425 Traffic logging, e.g. anomaly detection (H04 Electric communication technique; H04L Transmission of digital information; H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/14 detecting or protecting against malicious traffic; H04L 63/1408 by monitoring network traffic)
    • G06F 18/214 Generating training patterns; bootstrap methods, e.g. bagging or boosting (G06 Computing, calculating or counting; G06F Electric digital data processing; G06F 18/00 Pattern recognition; G06F 18/20 Analysing; G06F 18/21 Design or setup of recognition systems or techniques, extraction of features in feature space, blind source separation)
    • G06F 18/2411 Classification techniques based on the proximity to a decision surface, e.g. support vector machines (G06F 18/24 Classification techniques; G06F 18/241 relating to the classification model, e.g. parametric or non-parametric approaches)


Abstract

The disclosure relates to a network anomaly detection method, device and system, and a computer-readable storage medium. The network anomaly detection method comprises the following steps: parsing a user's intent request for network traffic detection according to a predetermined intent translation model to extract the key elements of the requested detection; matching a corresponding network traffic detection policy to those key elements according to a predetermined policy matching model; and issuing the network traffic detection policy to the integrated network management system so that it controls the network to execute the policy. The method and system can understand the service intent of users such as network management personnel for detecting network traffic anomalies, generate corresponding network policies from that intent, and detect the network traffic of a specific area at a specific time in a more targeted manner.

Description

Network anomaly detection method, device and system and computer readable storage medium
Technical Field
The present disclosure relates to the field of network detection, and in particular, to a method, an apparatus, and a system for detecting network anomalies, and a computer-readable storage medium.
Background
In recent years, network security problems have become increasingly prominent with the rapid development of internet technology. At the internet exit, the Border Gateway Protocol (BGP), which handles route addressing between autonomous systems (ASes), has obvious security weaknesses, so BGP has long faced threats such as route leaks, route hijacking, and the inability to verify the authenticity of a route.
Disclosure of Invention
The inventors found through research that, to deal with the route addressing security threat between ASes, the IETF working group has introduced the internet RPKI (Resource Public Key Infrastructure) to address the threat, but adoption of the new standard system has been slow.
In view of at least one of the above technical problems, the present disclosure provides a method, an apparatus and a system for detecting network anomalies, and a computer-readable storage medium, which can understand the service intent of a user, such as a network administrator, to detect network traffic anomalies, and generate a corresponding network policy according to that service intent.
According to an aspect of the present disclosure, there is provided a network anomaly detection method, including:
parsing a user's intent request for network traffic detection according to a predetermined intent translation model to extract the key elements of the network traffic detection;
matching a corresponding network traffic detection policy to the key elements of the network traffic detection according to a predetermined policy matching model;
and issuing the network traffic detection policy to the integrated network management system so that the integrated network management system controls the network to execute the network traffic detection policy.
In some embodiments of the present disclosure, the network anomaly detection method further includes:
sensing feedback data collected by the integrated network management system, wherein the feedback data comprises real-time network traffic data and policy execution data;
and training and optimizing the predetermined intent translation model and the predetermined policy matching model according to the feedback data.
In some embodiments of the present disclosure, the network anomaly detection method further includes:
performing backtracking analysis of past network traffic detection policies according to the feedback data, and analyzing the traffic of the current network in real time;
and predicting the future development trend of the network traffic, and submitting the prediction result to the user.
In some embodiments of the present disclosure, the network anomaly detection method further includes:
optimizing, according to the feedback data, the capability to backtrack and analyze past network traffic detection policies, the capability to analyze current network traffic in real time, and the capability to predict future network traffic trends, and using these to assist the predetermined policy matching model in matching corresponding network traffic detection policies to the key elements of network traffic detection.
In some embodiments of the present disclosure, the network anomaly detection method further includes:
optimizing the parsing experience gained from past users' intent to detect network traffic according to the feedback data, and using it to assist the predetermined intent translation model in extracting the key elements of network traffic detection.
In some embodiments of the present disclosure, parsing the user's intent request for network traffic detection according to a predetermined intent translation model includes:
parsing the user's intent request for network traffic detection according to the predetermined intent translation model together with the parsing experience gained from past users' intent to detect network traffic.
In some embodiments of the present disclosure, matching a corresponding network traffic detection policy to the key elements of network traffic detection according to a predetermined policy matching model includes:
matching the corresponding network traffic detection policy to the key elements of network traffic detection according to the predetermined policy matching model, combined with backtracking analysis of similar past network traffic detection policies, backtracking analysis of past network states, and trend prediction of future network states.
According to another aspect of the present disclosure, there is provided a network anomaly detection apparatus, including:
an intent engine for parsing a user's intent request for network traffic detection according to a predetermined intent translation model to extract the key elements of the network traffic detection;
and a policy engine for matching a corresponding network traffic detection policy to the key elements of the network traffic detection according to a predetermined policy matching model, and for issuing the network traffic detection policy to the integrated network management system so that the integrated network management system controls the network to execute the network traffic detection policy.
In some embodiments of the present disclosure, the network anomaly detection apparatus is configured to perform operations implementing the network anomaly detection method according to any one of the above embodiments.
According to another aspect of the present disclosure, there is provided a network anomaly detection apparatus, including:
a memory for storing instructions;
and a processor configured to execute the instructions so that the network anomaly detection apparatus performs operations implementing the network anomaly detection method according to any one of the above embodiments.
According to another aspect of the present disclosure, a network anomaly detection system is provided, which includes an integrated network management system and the network anomaly detection apparatus according to any one of the above embodiments.
According to another aspect of the present disclosure, a computer-readable storage medium is provided, which stores computer instructions that, when executed by a processor, implement the network anomaly detection method according to any one of the above embodiments.
The method and system can understand the service intent of users such as network management personnel for detecting network traffic anomalies, generate corresponding network policies from that intent, and detect the network traffic of a specific area at a specific time in a more targeted manner.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of some embodiments of a network anomaly detection method according to the present disclosure.
Fig. 2 is a schematic diagram of another embodiment of a network anomaly detection method according to the present disclosure.
Fig. 3 is a schematic diagram of some embodiments of the network anomaly detection system of the present disclosure.
Fig. 4 is a schematic diagram of some embodiments of the network anomaly detection apparatus of the present disclosure.
Fig. 5 is a schematic diagram of another embodiment of a network anomaly detection apparatus according to the present disclosure.
Fig. 6 is a schematic diagram of a network anomaly detection apparatus according to still other embodiments of the present disclosure.
Fig. 7 is a schematic diagram of a network anomaly detection method according to still other embodiments of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the embodiments described are only some embodiments of the present disclosure, rather than all embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The relative arrangement of parts and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
The inventors also found through research that the related technology can only remedy a network traffic anomaly after it has occurred, discovering and troubleshooting the fault afterwards, and lacks a systematic method for effectively analyzing the characteristics of traffic data during major events and holidays.
In view of at least one of the above technical problems, the present disclosure provides a network anomaly detection method, device and system, and a computer-readable storage medium, which are described below by way of specific embodiments.
Fig. 1 is a schematic diagram of some embodiments of a network anomaly detection method according to the present disclosure. Preferably, this embodiment may be executed by the network anomaly detection apparatus of the present disclosure. The method comprises the following steps:
Step 11: parsing the user's intent request for network traffic detection according to a predetermined intent translation model to extract the key elements of the network traffic detection.
In some embodiments of the present disclosure, step 11 may comprise: parsing the user's intent request for network traffic detection according to the predetermined intent translation model together with the parsing experience gained from past users' intent to detect network traffic, and extracting the key elements of the network traffic detection.
In some embodiments of the present disclosure, the key elements may include the user, the scene, the business, and similar elements.
In some embodiments of the present disclosure, the key elements may include key intent elements such as the identity of the network management personnel, time and space information, and the requirement for detecting network traffic.
In some embodiments of the present disclosure, the predetermined intent translation model may include a predetermined translation algorithm.
In some embodiments of the present disclosure, step 11 may comprise: parsing the user's intent with natural language processing technology according to the predetermined translation algorithm and the parsing experience of past users' intent, and resolving the intent into key elements such as users, scenes and services.
Step 12: matching a corresponding network traffic detection policy to the key elements of the network traffic detection according to a predetermined policy matching model.
In some embodiments of the present disclosure, step 12 may comprise: matching the corresponding network traffic detection policy to the key elements of network traffic detection according to the predetermined policy matching model, combined with backtracking analysis of similar past network traffic detection policies, backtracking analysis of past network states, and trend prediction of future network states.
Step 13: issuing the network traffic detection policy to the integrated network management system so that the integrated network management system controls the network to execute the network traffic detection policy.
Based on the network anomaly detection method provided by this embodiment of the disclosure, the service intent of users such as network management personnel for detecting network traffic anomalies can be understood, and corresponding network policies are generated from that intent, so that the network traffic of a specific area at a specific time can be detected in a more targeted manner.
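Steps 11 to 13 above describe a pipeline (intent request, key elements, matched policy, message to the integrated network management system) without specifying any data formats. The following Python is an added example, not code from the patent or from China Telecom: it stands in for the intent translation model with keyword tables and a date regex, for the policy matching model with a small constructed catalogue ranked by past-execution success rates, and for the issuing step with a plain dictionary. The policy identifiers, actions, keyword tables and the administrator request are all constructed assumptions; the point it adds to the text is that an intent missing its region or its detection requirement is returned for clarification rather than matched to a guessed policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy catalogue (an assumption: the patent does not specify
# how executable policies are stored). Each entry names the detection
# requirement it serves, the regions it applies to, and the action the
# integrated network management system (EMS/NMS) would carry out.
POLICY_CATALOG: List[dict] = [
    {"id": "bgp-route-audit", "requirement": "route",
     "scope": {"internet_exit"}, "action": "enable_bgp_prefix_monitor"},
    {"id": "flow-baseline-check", "requirement": "traffic",
     "scope": {"internet_exit", "metro", "core"}, "action": "enable_flow_baseline"},
    {"id": "flow-ml-classifier", "requirement": "traffic",
     "scope": {"metro", "core"}, "action": "enable_flow_classifier"},
    {"id": "ddos-volume-watch", "requirement": "ddos",
     "scope": {"internet_exit", "core"}, "action": "enable_volumetric_alert"},
]

# Keyword tables standing in for the trained intent translation model.
REQUIREMENT_KEYWORDS = {
    "route": ("route", "hijack", "leak", "bgp"),
    "ddos": ("ddos", "flood"),
    "traffic": ("traffic", "flow", "bandwidth"),
}
SCOPE_KEYWORDS = {
    "internet_exit": ("internet exit", "egress", "border"),
    "metro": ("metro", "city"),
    "core": ("core", "backbone"),
}
_DATE_RANGE = re.compile(
    r"(\d{4}-\d{2}-\d{2})\s*(?:to|through|-)\s*(\d{4}-\d{2}-\d{2})")


@dataclass
class IntentElements:
    """Key elements of a detection intent: identity, time, space, requirement."""
    operator: str
    time_window: Optional[Tuple[str, str]]
    scope: Optional[str]
    requirement: Optional[str]


def _first_match(text: str, table: Dict[str, tuple]) -> Optional[str]:
    for label, words in table.items():
        if any(w in text for w in words):
            return label
    return None


def translate_intent(operator: str, request: str) -> IntentElements:
    """Step 11: resolve a free-text request into its key elements."""
    text = request.lower()
    m = _DATE_RANGE.search(text)
    return IntentElements(
        operator=operator,
        time_window=(m.group(1), m.group(2)) if m else None,
        scope=_first_match(text, SCOPE_KEYWORDS),
        requirement=_first_match(text, REQUIREMENT_KEYWORDS),
    )


def match_policy(elements: IntentElements,
                 feedback: Dict[str, float]) -> Optional[dict]:
    """Step 12: pick the catalogue entry that fits the elements, preferring
    policies whose past executions scored well (feedback: id -> success rate).
    An intent missing the requirement or the region is not matched at all."""
    if elements.requirement is None or elements.scope is None:
        return None
    candidates = [p for p in POLICY_CATALOG
                  if p["requirement"] == elements.requirement
                  and elements.scope in p["scope"]]
    if not candidates:
        return None
    return max(candidates, key=lambda p: feedback.get(p["id"], 0.5))


def issue_policy(elements: IntentElements, policy: dict) -> dict:
    """Step 13: build the message handed to the EMS/NMS for execution."""
    return {
        "policy_id": policy["id"],
        "action": policy["action"],
        "target_region": elements.scope,
        "window": elements.time_window or ("now", "open-ended"),
        "requested_by": elements.operator,
    }


def run_pipeline(operator: str, request: str,
                 feedback: Optional[Dict[str, float]] = None) -> dict:
    """Translate, match and issue; return the message or a clarification request."""
    elements = translate_intent(operator, request)
    policy = match_policy(elements, feedback or {})
    if policy is None:
        return {"status": "needs_clarification", "elements": elements}
    return {"status": "issued", "elements": elements,
            "message": issue_policy(elements, policy)}


if __name__ == "__main__":
    # Constructed request from a network administrator.
    print(run_pipeline("ops-admin",
          "Monitor BGP route hijacking at the internet exit from 2024-10-01 to 2024-10-07"))
```

The `feedback` dictionary is where the closed loop of the later embodiments plugs in: a success rate per policy, learned from execution feedback, changes which of two otherwise equivalent catalogue entries is issued.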
Fig. 2 is a schematic diagram of another embodiment of a network anomaly detection method according to the present disclosure. Preferably, this embodiment can be executed by the network anomaly detection system of the present disclosure, which includes the network anomaly detection apparatus of the present disclosure and an integrated network management system. The integrated network management system includes an EMS (Element Management System) and an NMS (Network Management System). In the embodiment of fig. 2, steps 21 to 23 and steps 26 to 27 are executed by the network anomaly detection apparatus of the present disclosure, and steps 24 to 25 are executed by the integrated network management system.
Step 21 and step 22 of the embodiment of fig. 2 are the same as or similar to step 11 and step 12, respectively, of the embodiment of fig. 1. The network anomaly detection method shown in fig. 2 may include the following steps:
and step 21, translating.
In some embodiments of the present disclosure, step 21 may comprise: and analyzing the user intention by using a natural language processing technology according to a preset translation algorithm and the analysis experience of the past user intention, and analyzing the user intention into key elements such as users, scenes, services and the like.
And step 22, matching.
In some embodiments of the present disclosure, step 22 may comprise: and according to a preset matching algorithm and the translated key elements, combining the feedback of past strategy execution, the backtracking analysis of past network states and the trend prediction of future network states provided by optimization analysis, and comprehensively matching the parameters into a strategy which can be executed by the network.
And step 23, issuing.
In some embodiments of the present disclosure, step 23 may comprise: and issuing the strategy to an integrated network management system (EMS/NMS).
And step 24, executing.
In some embodiments of the present disclosure, step 24 may comprise: and the comprehensive network management control network (including an Internet exit) executes the strategy.
And step 25, feeding back.
In some embodiments of the present disclosure, step 25 may comprise: after executing the strategy, the comprehensive network manager collects the flow data of the network, the flow and route data of the internet outlet, the feedback data of the strategy execution and the like.
And step 26, sensing.
In some embodiments of the present disclosure, step 26 may comprise: and sensing data acquired by the comprehensive network management system and transmitting the data to algorithm analysis.
In some embodiments of the present disclosure, step 26 may comprise: and sensing feedback data collected by the comprehensive network management system, wherein the feedback data comprises real-time network flow data and strategy execution data.
And 27, optimizing and analyzing.
In some embodiments of the present disclosure, step 27 may comprise: training and optimizing a translation model and a matching model according to historical data (including but not limited to network traffic data, internet outlet traffic and routing data, strategy execution feedback data and the like), analyzing past translation experience, strategy execution feedback and past network states, performing trend prediction on future network traffic and routing conditions, and assisting in willingness translation and strategy matching.
In some embodiments of the present disclosure, step 27 may further include: and training and optimizing the preset willingness translation model and the preset strategy matching model according to the feedback data.
In some embodiments of the present disclosure, step 27 may further comprise: backtracking and analyzing the past network flow detection strategy according to the feedback data, and analyzing the network flow of the current network in real time; and predicting the future network flow development trend, and submitting the prediction result to the user.
In some embodiments of the present disclosure, step 27 may further include: and optimizing the backtracking analysis capability of past network flow detection strategies, the real-time analysis capability of the current network flow and the trend prediction capability of the future network flow according to the feedback data, and assisting the preset strategy matching model to match corresponding network flow detection strategies for key elements of network flow detection.
In some embodiments of the present disclosure, step 27 may further comprise: optimizing the analysis experience of the willingness of the past user to detect the network traffic according to the feedback data, and assisting a preset willingness translation model to analyze key elements of the network traffic detection.
Based on the network anomaly detection method provided by the embodiment of the disclosure, the service willingness of users such as network management personnel for detecting network traffic anomaly can be understood, and corresponding network strategies are generated according to the service willingness, so that the network traffic of a specific area at a specific time can be detected more specifically.
According to the embodiment of the disclosure, the artificial intelligence technology can be utilized to perform backtracking analysis on historical data of the network and the internet outlet flow and route, detect the network and the internet outlet real-time flow and route and predict the future development trend, and discover potential security threats and give an early warning in time.
According to the embodiment of the disclosure, historical data can be collected to train an AI algorithm model, and backtracking analysis, detection and prediction of the traffic and the route of the network and the Internet are performed.
The embodiment of the disclosure realizes closed-loop self-optimization in the method system architecture, and the system can optimize the AI algorithm model according to the feedback data executed by the strategy, so that the system can more accurately translate the service requirements of network management personnel and generate the network strategy suitable for execution in a matching manner.
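Steps 25 to 27 describe the feedback half of the loop: the integrated network management system reports execution results and traffic data, the apparatus senses them, analyzes current traffic in real time, predicts the trend, and optimizes its models. The Python below is an added example, not code from the patent or from China Telecom, showing one concrete shape that loop can take. It assumes a constructed JSON-lines feedback stream and constructed Mbps samples; the sensing step validates each record against a schema and drops malformed ones, real-time analysis is a z-score against the historical baseline (with the flat-baseline edge case handled), trend prediction is a least-squares line extrapolated ahead, and model optimization is an exponentially weighted success rate per policy, the kind of weight a matching step can rank candidate policies by. The field names, thresholds and numbers are all assumptions.

```python
import json
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed feedback stream, as the integrated network management system
# (EMS/NMS) might report it after executing policies (step 25): one JSON
# object per line. The third line carries a non-numeric traffic value on
# purpose, so the sensing step has something to reject.
FEEDBACK_JSONL = """\
{"policy_id": "bgp-route-audit", "region": "internet_exit", "confirmed": true, "mbps": 430}
{"policy_id": "bgp-route-audit", "region": "internet_exit", "confirmed": true, "mbps": 445}
{"policy_id": "flow-baseline-check", "region": "metro", "confirmed": false, "mbps": "n/a"}
{"policy_id": "flow-baseline-check", "region": "metro", "confirmed": false, "mbps": 212}
"""

# Constructed historical traffic samples (Mbps) for the internet exit.
HISTORY_MBPS = [400.0, 410.0, 405.0, 395.0, 400.0]

# Assumed record schema: field name -> accepted type(s).
_SCHEMA = {"policy_id": str, "region": str, "confirmed": bool, "mbps": (int, float)}


def sense_feedback(jsonl: str) -> List[dict]:
    """Step 26: parse the feedback stream, keeping only schema-valid records."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and all(
                isinstance(rec.get(k), t) for k, t in _SCHEMA.items()):
            records.append(rec)
    return records


def realtime_anomaly(history: List[float], current: float,
                     k: float = 3.0) -> Tuple[bool, float]:
    """Real-time analysis: flag `current` when it lies k or more standard
    deviations from the historical baseline. A flat baseline (zero spread)
    treats any departure from the mean as anomalous."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0.0:
        return (current != mu), (0.0 if current == mu else float("inf"))
    z = (current - mu) / sigma
    return abs(z) >= k, z


def predict_trend(series: List[float], horizon: int) -> List[float]:
    """Trend prediction: ordinary least-squares line through the series,
    extrapolated `horizon` steps beyond its last sample."""
    n = len(series)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    x_bar = (n - 1) / 2.0
    y_bar = mean(series)
    var = sum((x - x_bar) ** 2 for x in range(n))
    cov = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(series))
    slope = cov / var
    intercept = y_bar - slope * x_bar
    return [intercept + slope * (n + h) for h in range(horizon)]


def update_success_rates(records: List[dict],
                         prior: Optional[Dict[str, float]] = None,
                         alpha: float = 0.3) -> Dict[str, float]:
    """Model optimization: exponentially weighted success rate per policy,
    usable by the matching step as a ranking weight (unknown policies start at 0.5)."""
    rates = dict(prior or {})
    for rec in records:
        old = rates.get(rec["policy_id"], 0.5)
        observed = 1.0 if rec["confirmed"] else 0.0
        rates[rec["policy_id"]] = (1 - alpha) * old + alpha * observed
    return rates


def closed_loop(jsonl: str, history: List[float]) -> dict:
    """Step 27 in one pass: sense, analyze the latest sample, forecast, re-weight."""
    records = sense_feedback(jsonl)
    exit_samples = [float(r["mbps"]) for r in records if r["region"] == "internet_exit"]
    if not exit_samples:
        raise ValueError("no internet-exit samples in feedback")
    anomalous, z = realtime_anomaly(history, exit_samples[-1])
    return {
        "records_kept": len(records),
        "anomalous": anomalous,
        "z_score": z,
        "forecast": predict_trend(history + exit_samples, horizon=2),
        "success_rates": update_success_rates(records),
    }


if __name__ == "__main__":
    print(closed_loop(FEEDBACK_JSONL, HISTORY_MBPS))
```

Two design points worth noting: the feedback channel is treated as untrusted input and schema-checked before anything is learned from it, and the success-rate update uses a prior of 0.5 for unseen policies so that a single confirmed or unconfirmed execution moves a policy's weight but cannot drive it to 0 or 1.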
Fig. 3 is a schematic diagram of some embodiments of the network anomaly detection system of the present disclosure. As shown in fig. 3, the network anomaly detection system of the present disclosure may include a network anomaly detection device 31 and an integrated network management system 32, where:
the network anomaly detection device 31 is used for parsing the user's intent request for network traffic detection according to a predetermined intent translation model to extract the key elements of the network traffic detection; matching a corresponding network traffic detection policy to the key elements of the network traffic detection according to a predetermined policy matching model; and issuing the network traffic detection policy to the integrated network management system;
and the integrated network management system 32 is configured to control the network to execute the network traffic detection policy issued by the network anomaly detection device 31.
Based on the network anomaly detection system provided by this embodiment of the disclosure, the service intent of users such as network management personnel for detecting network traffic anomalies can be understood, and corresponding network policies are generated from that intent, so that the network traffic of a specific area at a specific time can be detected in a more targeted manner.
The structure and function of the network anomaly detection device of the present disclosure are explained by the following specific embodiments.
Fig. 4 is a schematic diagram of some embodiments of the network anomaly detection apparatus of the present disclosure. The network anomaly detection apparatus (e.g., the network anomaly detection apparatus 31 of the embodiment of fig. 3) of the present disclosure may include an intent engine 311 and a policy engine 312, where:
the intent engine 311 is configured to parse the user's intent request for network traffic detection according to a predetermined intent translation model and extract the key elements of the network traffic detection.
In some embodiments of the present disclosure, the intent engine 311 may be configured to parse the user's intent request for network traffic detection according to the predetermined intent translation model together with the parsing experience gained from past users' intent to detect network traffic.
The policy engine 312 is configured to match a corresponding network traffic detection policy to the key elements of network traffic detection according to a predetermined policy matching model, and to issue the network traffic detection policy to the integrated network management system so that the integrated network management system controls the network to execute the network traffic detection policy.
In some embodiments of the present disclosure, the policy engine 312 may be configured to match corresponding network traffic detection policies to the key elements of network traffic detection according to the predetermined policy matching model, combined with backtracking analysis of similar past network traffic detection policies, backtracking analysis of past network states, and trend prediction of future network states.
In some embodiments of the present disclosure, the network anomaly detection apparatus is configured to perform operations implementing the network anomaly detection method according to any one of the above embodiments (e.g., the embodiment of fig. 1; steps 21 to 23 and steps 26 to 27 in the embodiment of fig. 2; and steps 1.1 to 3 and steps 6.1 to 9.2 in the embodiment of fig. 7).
Based on the network anomaly detection device provided by this embodiment of the disclosure, the service intent of users such as network management personnel for detecting network traffic anomalies can be understood, and corresponding network policies are generated from that intent, so that the network traffic of a specific area at a specific time can be detected in a more targeted manner.
Fig. 5 is a schematic diagram of another embodiment of a network anomaly detection apparatus according to the present disclosure. Fig. 5 also shows a schematic diagram of some embodiments of the network anomaly detection system of the present disclosure. As shown in fig. 5, the network anomaly detection apparatus (e.g., the network anomaly detection apparatus 31 in the embodiment of fig. 3) of the present disclosure may include a willingness engine 311, a policy engine 312, a perception engine 313, an analysis engine 314, and an AI (Artificial Intelligence) algorithm enabling platform 315, wherein:
and a perception engine 313 for perceiving the network data.
In some embodiments of the present disclosure, the awareness engine 313 may be configured to perceive feedback data collected by the integrated network management system, where the feedback data includes real-time network traffic data and policy enforcement data.
And the AI algorithm enabling platform 315 is used for executing partial functions of algorithm assistance on the translation will and the matching strategy in the optimization analysis of the step 27 in the embodiment of FIG. 2.
And the analysis engine 314 is used for performing part of functions of analyzing experience of willingness of past users, feedback of past policy execution, retrospective analysis of past network states and trend prediction of future network states in step 27 optimization analysis of the embodiment of fig. 2.
In some embodiments of the present disclosure, the analytics engine 314 may be used to train and optimize the predetermined intent translation model and the predetermined policy matching model according to the feedback data.
In some embodiments of the present disclosure, the analysis engine 314 may be configured to perform backtracking analysis on past network traffic detection policies according to the feedback data, analyze the current network traffic in real time, predict the future network traffic trend, and submit the prediction result to the user.
In some embodiments of the present disclosure, the analysis engine 314 may be configured to optimize, according to the feedback data, its backtracking analysis capability for past network traffic detection policies, its real-time analysis capability for current network traffic, and its trend prediction capability for future network traffic, and to assist the predetermined policy matching model in matching corresponding network traffic detection policies to the key elements of network traffic detection.
In some embodiments of the present disclosure, the analysis engine 314 may be configured to optimize, according to the feedback data, the parsing experience of past users' willingness to detect network traffic, and to assist the predetermined willingness translation model in parsing out the key elements of network traffic detection.
The willingness engine 311 translates the willingness of the user.
The policy engine 312 matches and issues the policies.
Willingness engine 311 and policy engine 312 of the fig. 5 embodiment are the same or similar in structure and function to willingness engine 311 and policy engine 312 of the fig. 4 embodiment.
The embodiment of the disclosure can collect historical data to train an AI algorithm model, and perform backtracking analysis, detection and prediction on the traffic and routes of the network and the Internet egress.
The embodiment of the disclosure realizes closed-loop self-optimization in the method and system architecture: the system can optimize the AI algorithm model according to the feedback data from policy execution, so that it translates the service requirements of network management personnel more accurately and generates, by matching, network policies that are suitable for execution.
Fig. 6 is a schematic diagram of some further embodiments of the network anomaly detection apparatus according to the present disclosure. The network anomaly detection apparatus (e.g., the network anomaly detection apparatus 31 of the embodiment of fig. 3) of the present disclosure may include a memory 318 and a processor 319, wherein:
a memory 318 for storing instructions;
a processor 319, configured to execute the instructions, so that the network anomaly detection apparatus performs operations to implement the network anomaly detection method according to any one of the embodiments (for example, the embodiment in fig. 1, steps 21-23 and 26-27 in the embodiment in fig. 2, and steps 1.1-3 and 6.1-9.2 in the embodiment in fig. 7).
According to the embodiment of the disclosure, artificial intelligence technology can be used to perform backtracking analysis on historical data of the traffic and routes of the network and the Internet egress, detect the real-time traffic and routes of the network and the Internet egress, predict the future development trend, and discover potential security threats and give early warning in time.
Fig. 7 is a schematic diagram of a network anomaly detection method according to still other embodiments of the present disclosure. Preferably, this embodiment may be executed by the network anomaly detection system according to any of the above-mentioned embodiments (for example, the embodiment of fig. 5) of the present disclosure. As shown in fig. 7, the network anomaly detection method of the present disclosure may include:
Step 1.1: collect the request of network management personnel to detect network traffic at a certain time and place (the time and place of a major event, a holiday period and a specific area, and so on).
Step 1.2: the AI algorithm enabling platform provides the willingness engine with willingness translation algorithm assistance based on natural language processing technology.
In some embodiments of the present disclosure, the natural language processing technology may include RNN (Recurrent Neural Network), LSTM (Long Short-Term Memory), and other processing modes.
Step 1.3: the analysis engine provides the willingness engine with the parsing experience of past network management personnel's willingness to detect network traffic at a specific time and place.
Step 1.4: combining the translation algorithm and the parsing experience, the willingness engine parses the network management personnel's request to detect network traffic at a certain time and place into key willingness elements such as the identity of the personnel, time and space information, and the network traffic detection requirement.
Step 2.1: the analysis engine provides the policy engine with backtracking analysis of similar past network traffic detection policies (detection trends of different network traffic data characteristics, including traffic volume, number of user connections at a certain time and place, physical channel proportion, transmitted packet size, proportions of the various traffic types, and so on).
Step 2.2: the AI algorithm enabling platform provides the policy engine with machine-learning-based policy matching algorithm assistance.
In some embodiments of the present disclosure, the machine learning may include linear classification, Support Vector Machines (SVM), deep learning, and the like.
Step 2.3: the policy engine matches an optimal network traffic detection policy according to the policy matching algorithm and the translated key willingness elements, combined with the backtracking analysis of similar past network traffic detection policies.
Step 3: the network traffic detection policy generated by the policy engine is issued to the integrated network management system.
Step 4: the integrated network management system controls the network to execute the network traffic detection policy.
Step 5: the integrated network management system collects real-time network traffic data of the live network (including traffic volume, number of user connections at a certain time and place, physical channel proportion, transmitted packet size, proportions of the various traffic types, and so on) as data feedback after the traffic detection policy is executed.
Step 6.1: the perception engine sorts the feedback data, extracts features, and provides the result to the AI algorithm enabling platform.
Step 6.2: the perception engine sorts the feedback data, extracts features, and provides the result to the analysis engine.
Step 7: the analysis engine analyzes the real-time network traffic data of the live network using the algorithm provided by the AI algorithm enabling platform, predicts the network traffic trend at a certain time and place in the future, submits the prediction result to network management personnel, and gives early warning in time.
Step 8.1: the AI algorithm enabling platform trains, updates and optimizes the willingness translation algorithm model according to the data provided by the perception engine, and provides algorithm assistance to the willingness engine.
Step 8.2: the AI algorithm enabling platform trains, updates and optimizes the policy matching algorithm model according to the data provided by the perception engine, and provides algorithm assistance to the policy engine.
Step 9.1: the analysis engine updates and optimizes the parsing experience of network management personnel's willingness to detect network traffic according to the data provided by the perception engine, and provides assistance to the willingness engine.
Step 9.2: the analysis engine updates and optimizes its backtracking analysis capability for past network traffic detection policies, its real-time analysis capability for current network traffic and its trend prediction capability for future network traffic according to the data provided by the perception engine, and provides assistance to the policy engine.
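As an added illustration of steps 1.1 to 9.2 (example code written for this page, not code from the patent or from any China Telecom system), the following Python toy pipeline parses a request into key willingness elements, derives a detection policy from backtracking analysis of constructed past records, applies it to real-time samples, extrapolates a trend for early warning, and feeds the observations back into the history so the next policy reflects them. All place names, dates, feature values, the regex stand-in for the NLP model and the mean ± 3·stddev band rule are assumptions.

```python
"""Added example (not the patent's own code): a toy closed-loop pipeline that
follows steps 1.1-9.2 above. Place names, dates, feature values and the 3-sigma
band rule are all constructed for illustration."""
import re
from statistics import mean, pstdev

# Traffic characteristics listed in steps 2.1 and 5 (constructed units).
FEATURES = ("traffic_gbps", "user_conns", "channel_ratio", "pkt_bytes", "video_ratio")

def _rec(place, *vals):
    return {"place": place, **dict(zip(FEATURES, vals))}

# Constructed history of past detections used for backtracking analysis.
HISTORY = [
    _rec("stadium", 8.0, 20000, 0.60, 900, 0.50),
    _rec("stadium", 8.4, 21000, 0.62, 880, 0.52),
    _rec("stadium", 7.8, 19500, 0.58, 920, 0.48),
    _rec("stadium", 8.2, 20500, 0.60, 900, 0.50),
    _rec("campus", 2.0, 5000, 0.40, 700, 0.30),
]

def parse_intent(request, operator):
    """Step 1.4: extract key elements (identity, time, place, requirement).
    A regex stands in for the RNN/LSTM translation model; only 'at <place>'
    and an ISO date are recognised (hypothetical grammar)."""
    place = re.search(r"\bat (?:the )?([a-z]+)", request.lower())
    date = re.search(r"\b\d{4}-\d{2}-\d{2}\b", request)
    if not place or not date:
        raise ValueError("request must name a place ('at <place>') and an ISO date")
    req = "anomaly" if re.search(r"anomal|abnormal", request, re.I) else "monitor"
    return {"identity": operator, "place": place.group(1),
            "time": date.group(0), "requirement": req}

def match_policy(elements, history=HISTORY, k=3.0):
    """Step 2.3: build a detection policy from past records at the same place:
    one mean +/- k*stddev band per feature (falls back to all places when the
    place has no history)."""
    recs = [r for r in history if r["place"] == elements["place"]] or history
    if len(recs) < 2:
        raise ValueError("need at least two historical records to build bands")
    bands = {}
    for f in FEATURES:
        vals = [r[f] for r in recs]
        mu, sd = mean(vals), pstdev(vals)
        bands[f] = (mu - k * sd, mu + k * sd)
    return {**elements, "bands": bands}

def execute_policy(policy, sample):
    """Steps 4-5: apply the policy to one real-time sample; return the features
    outside their band together with the direction of the deviation."""
    hits = []
    for f, (lo, hi) in policy["bands"].items():
        if sample[f] < lo:
            hits.append((f, "low"))
        elif sample[f] > hi:
            hits.append((f, "high"))
    return hits

def predict_trend(series, steps_ahead):
    """Step 7: least-squares line through the series, extrapolated steps_ahead."""
    n = len(series)
    xbar, ybar = (n - 1) / 2, mean(series)
    sxx = sum((x - xbar) ** 2 for x in range(n))
    sxy = sum((x - xbar) * (y - ybar) for x, y in enumerate(series))
    slope = sxy / sxx if sxx else 0.0
    return ybar + slope * (n - 1 + steps_ahead - xbar)

def early_warning(policy, feature, series, steps_ahead=3):
    """Step 7: (predicted value, True if it would leave the policy band)."""
    lo, hi = policy["bands"][feature]
    pred = predict_trend(series, steps_ahead)
    return pred, not lo <= pred <= hi

def feed_back(history, place, samples):
    """Steps 6-9: fold feedback from the executed policy into the history so the
    next match_policy() call reflects what was actually observed (closed loop)."""
    history.extend({"place": place, **s} for s in samples)
    return len(history)
```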
The network anomaly detection method provided by the embodiment of the present disclosure is an intelligent network anomaly detection method process of service willingness, and includes, but is not limited to, the following key technologies: analyzing the service requirement of detecting network abnormality by network management personnel; network strategy matching generation based on specific detection requirements of network management personnel; closed-loop self-optimization of the method and system based on data feedback executed by network policies.
The intelligent, service-willingness-based network anomaly detection method of the embodiments of the present disclosure can be applied to network anomaly detection in several scenarios, including but not limited to: detecting abnormal traffic and routes at an Internet egress; and detecting and predicting traffic anomalies during major events and holidays.
According to another aspect of the present disclosure, a computer-readable storage medium is provided, wherein the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the network anomaly detection method according to any one of the embodiments above (e.g., the embodiment of fig. 1, the embodiment of fig. 2, and the embodiment of fig. 7).
Based on the computer-readable storage medium provided by the above embodiment of the present disclosure, it is possible to understand a service intention of a user such as a network administrator to detect network traffic abnormality, and generate a corresponding network policy according to the service intention, so as to perform more targeted detection on network traffic in a specific area at a specific time.
According to the embodiment of the disclosure, artificial intelligence technology can be used to perform backtracking analysis on historical data of the traffic and routes of the network and the Internet egress, detect the real-time traffic and routes of the network and the Internet egress, predict the future development trend, and discover potential security threats and give early warning in time.
The functional units described above may be implemented as a general purpose processor, a Programmable Logic Controller (PLC), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any suitable combination thereof, for performing the functions described herein.
Thus far, the present disclosure has been described in detail. Some details well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware to implement the above embodiments, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like.
The description of the present disclosure has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (13)

1. A network anomaly detection method is characterized by comprising the following steps:
analyzing a willingness request of a user for network traffic detection according to a preset willingness translation model to analyze key elements of the network traffic detection;
matching a corresponding network flow detection strategy for key elements of network flow detection according to a preset strategy matching model;
the network flow detection strategy is issued to the comprehensive network management system, so that the comprehensive network management system controls the network to execute the network flow detection strategy;
sensing feedback data collected by a comprehensive network manager, wherein the feedback data comprises real-time network flow data and strategy execution data;
training and optimizing a preset willingness translation model and a preset strategy matching model according to the feedback data;
the network anomaly detection method further comprises the following steps:
and optimizing the analysis experience of the willingness of the past user to detect the network traffic according to the feedback data, and assisting a preset willingness translation model to analyze key elements of the network traffic detection.
2. The method of claim 1, further comprising:
backtracking and analyzing the past network flow detection strategy according to the feedback data, and analyzing the network flow of the current network in real time;
and predicting the future network flow development trend, and submitting the prediction result to the user.
3. The network anomaly detection method according to claim 2, further comprising:
and optimizing the backtracking analysis capability of past network flow detection strategies, the real-time analysis capability of the current network flow and the trend prediction capability of the future network flow according to the feedback data, and assisting the preset strategy matching model to match corresponding network flow detection strategies for key elements of network flow detection.
4. The method for detecting the network anomaly according to any one of claims 1-3, wherein the analyzing the willingness request of the user for detecting the network traffic according to a predetermined willingness translation model comprises:
and analyzing the willingness request of the user for the network traffic detection according to a preset willingness translation model and the analysis experience of the willingness of the past user for detecting the network traffic.
5. The method according to any one of claims 1 to 3, wherein the matching of the corresponding network traffic detection policy for the key elements of the network traffic detection according to the predetermined policy matching model comprises:
and matching a corresponding network flow detection strategy for key elements of network flow detection by combining backtracking analysis of past similar network flow detection strategies, backtracking analysis of past network states and trend prediction of future network states according to a preset strategy matching model.
6. A network anomaly detection device, comprising:
the intention engine is used for analyzing an intention request of a user for network traffic detection according to a preset intention translation model to analyze key elements of the network traffic detection;
the strategy engine is used for matching the key elements of the network flow detection with the corresponding network flow detection strategies according to a preset strategy matching model; the network flow detection strategy is issued to the comprehensive network manager so that the comprehensive network manager controls the network to execute the network flow detection strategy;
the system comprises a perception engine, a policy execution engine and a data processing engine, wherein the perception engine is used for perceiving feedback data collected by a comprehensive network management system, and the feedback data comprises real-time network flow data and policy execution data;
the analysis engine is used for training and optimizing the preset willingness translation model and the preset strategy matching model according to the feedback data;
the analysis engine is further used for optimizing the analysis experience of network flow detection willingness detected by past users according to the feedback data and assisting the preset willingness translation model in analyzing key elements of network flow detection.
7. The network anomaly detection device according to claim 6, characterized in that:
the analysis engine is also used for carrying out backtracking analysis on the past network flow detection strategy according to the feedback data and carrying out real-time analysis on the network flow of the current network; and predicting the future network flow development trend, and submitting the prediction result to the user.
8. The network anomaly detection device according to claim 7, characterized in that:
and the analysis engine is also used for optimizing the backtracking analysis capability of past network flow detection strategies, the real-time analysis capability of the current network flow and the trend prediction capability of the future network flow according to the feedback data, and assisting the preset strategy matching model to match the corresponding network flow detection strategies for the key elements of the network flow detection.
9. The network anomaly detection device according to any one of claims 6-8, characterized in that:
and the intention engine is used for analyzing the intention request of the user for the network flow detection according to a preset intention translation model and the analysis experience of the past user for detecting the network flow intention.
10. The network anomaly detection device according to any one of claims 6-8, characterized in that:
and the strategy engine is used for matching the corresponding network flow detection strategy for the key elements of the network flow detection according to a preset strategy matching model by combining the backtracking analysis of the past similar network flow detection strategy, the backtracking analysis of the past network state and the trend prediction of the future network state.
11. A network anomaly detection device, comprising:
a memory to store instructions;
a processor configured to execute the instructions to cause the network anomaly detection apparatus to perform operations to implement the network anomaly detection method according to any one of claims 1-5.
12. A network anomaly detection system comprising an integrated network manager and a network anomaly detection apparatus according to any one of claims 6-11.
13. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions, which when executed by a processor, implement the network anomaly detection method according to any one of claims 1-5.
CN201910811022.9A 2019-08-30 2019-08-30 Network anomaly detection method, device and system and computer readable storage medium Active CN112448919B (en)


Publications (2)

Publication Number Publication Date
CN112448919A CN112448919A (en) 2021-03-05
CN112448919B true CN112448919B (en) 2023-04-07
