CN112543199B - IP abnormal flow detection method, system, computer equipment and storage medium - Google Patents

Publication number
CN112543199B
Authority
CN
China
Prior art keywords
flow
periodic
abnormal
obtaining
flow times
Legal status
Active
Application number
CN202011418675.XA
Other languages
Chinese (zh)
Other versions
CN112543199A (en
Inventor
韩坤
田丹丹
卫海天
Current Assignee
Beijing Minglue Zhaohui Technology Co Ltd
Original Assignee
Beijing Minglue Zhaohui Technology Co Ltd
Application filed by Beijing Minglue Zhaohui Technology Co Ltd
Priority to CN202011418675.XA
Publication of CN112543199A
Application granted
Publication of CN112543199B
Legal status: Active
Anticipated expiration: not stated

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection


Abstract

The application discloses a method, a system, a computer device and a storage medium for detecting IP abnormal flow, wherein the method comprises the following steps: acquiring average flow times: counting the periodic IP flow times of any IP in a period, and obtaining the average flow times in the period according to the periodic IP flow times; obtaining ideal average flow times: sampling the rest periods of the IP to obtain sampling data, and obtaining estimated flow times and ideal average flow times according to the sampling data; an abnormality degree acquisition step: processing the periodic IP flow times according to the ideal average flow times and the average flow times in the period, and obtaining IP abnormal degrees according to the processed periodic IP flow times and the estimated flow times; an identification step: and identifying IP abnormal flow according to the IP abnormal degree. The invention can remove the influence of normal fluctuation of the flow, thereby obtaining more accurate estimation of the abnormal degree of the IP.

Description

IP abnormal flow detection method, system, computer equipment and storage medium
Technical Field
The invention belongs to the field of IP abnormal flow detection methods, and particularly relates to an IP abnormal flow detection method, an IP abnormal flow detection system, computer equipment and a storage medium.
Background
Every day the internet generates massive amounts of network data. This data records many aspects of people's daily life and work, and people store their private and security-sensitive information online. At the same time, this huge volume of network data has created a huge information market, which includes black markets that threaten network security. Worm and DDoS attacks occur every day and seriously degrade the everyday internet experience. To face these threats, the fluctuation of an IP's flow count is monitored to judge whether the IP address is abnormal. However, simply monitoring fluctuations in the number of flows is not sufficient to cope with the complex attack techniques of hackers. The present method counts the IP flow times, builds a model to calculate an estimated value of the IP flow times, and evaluates the difference between the actual and estimated values to obtain the abnormality degree of the IP, from which abnormal IP traffic is identified.
At present, the technique for monitoring an IP statistically is to observe the fluctuation of the IP's traffic over time; the abnormal phenomenon is that the IP's traffic fluctuates within a short time. Some approaches observe the uncertainty of IP traffic by computing statistics such as entropy: if the entropy is large, the fluctuation range of the IP traffic is large. Others compare packet contents against known abnormal information, or use the byte count and ASCII code distribution within packets to distinguish normal from abnormal traffic.
Observing the traffic fluctuation of an IP and computing statistics such as entropy can describe the traffic change of the IP to a certain extent. However, these statistics do not take the normal fluctuation of the IP into account, and do not eliminate the influence of that normal fluctuation on abnormal IP traffic monitoring.
Specific IPs can be captured effectively by methods such as packet content inspection, but collecting such information is difficult to implement in a large-scale communication network, and analysing the data is relatively difficult.
The present method counts the IP flow times and builds a model to calculate an estimated value of the IP flow times, takes the normal fluctuation of IP traffic into account, corrects the IP flow times, and evaluates the difference between the actual and estimated values to obtain the IP abnormality degree used to identify abnormal IP traffic.
Disclosure of Invention
The embodiment of the application provides a method, a system and a computer storage device for detecting IP abnormal flow, which at least solve the problem of subjective factor influence in the related technology.
The invention provides an IP abnormal flow detection method, which comprises the following steps:
acquiring average flow times: counting the periodic IP flow times of any IP in a period, and obtaining the average flow times in the period according to the periodic IP flow times;
obtaining ideal average flow times: sampling the rest periods of the IP to obtain sampling data, and obtaining estimated flow times and ideal average flow times according to the sampling data;
an abnormality degree acquisition step: processing the periodic IP flow frequency according to the ideal average flow frequency and the average flow frequency in the period, and obtaining the IP abnormal degree according to the processed periodic IP flow frequency and the estimated flow frequency;
an identification step: identifying IP abnormal flow according to the IP abnormal degree.
In the method, the step of obtaining the average traffic frequency includes constructing a first function, where the first function is a discrete function, counting the periodic IP traffic frequency through the discrete function, and obtaining the periodic IP traffic frequency of the IP in a period according to the periodic IP traffic frequency.
The method, wherein the step of obtaining the ideal average flow number includes:
abnormal value operation step: sampling the rest periods of the IP to obtain sampling data, and removing abnormal values from the sampling data;
an estimated flow frequency obtaining step: obtaining the estimated flow times of any time point of the normal network IP according to the sampling data after the abnormal value is removed;
calculating the ideal average flow times: and obtaining the ideal average flow times according to the estimated flow times.
The method described above, wherein the abnormality degree acquiring step includes:
a modification step: modifying the number of the periodic IP flows according to the following formula:
Figure GDA0003868525560000021
where f(t) is the number of periodic IP flows, avg_e is the ideal average flow times, avg is the average flow times in the period, and f*(t_k) is the number of processed periodic IP flows;
an IP abnormality degree calculation step: the IP abnormality degree is obtained according to the following formula:
Figure GDA0003868525560000031
where diff is the IP abnormality degree, f*(t) is the number of processed periodic IP flows, and F*(t) is the estimated flow number.
The invention also provides an IP abnormal flow detection system, which comprises:
the average flow frequency acquiring module is used for counting the periodic IP flow frequency of any IP in a period and acquiring the average flow frequency in the period according to the periodic IP flow frequency;
the module for obtaining the ideal average flow times samples the rest periods of the IP to obtain sampling data, and obtains estimated flow times and ideal average flow times according to the sampling data;
an abnormal degree obtaining module, which processes the cycle IP flow times according to the ideal average flow times and the cycle average flow times, and obtains the IP abnormal degree according to the processed cycle IP flow times and the estimated flow times;
an identification module that identifies IP anomaly traffic based on the IP anomaly.
In the system, the average traffic frequency obtaining module constructs a first function, the first function is a discrete function, the periodic IP traffic frequency is counted through the discrete function, and the periodic IP traffic frequency of the IP in one period is obtained according to the periodic IP traffic frequency.
The system, wherein the module for obtaining the ideal average flow number includes:
an abnormal value operation unit which samples the rest periods of the IP to obtain sampling data and removes the abnormal value from the sampling data;
an estimated flow frequency obtaining unit which obtains the estimated flow frequency of any time point of the normal network IP according to the sampling data after removing the abnormal value;
and the ideal average flow frequency calculating unit is used for obtaining the ideal average flow frequency according to the estimated flow frequency.
The system, wherein the abnormality degree obtaining module includes:
a modification unit that modifies the number of periodic IP flows according to the following formula:
Figure GDA0003868525560000041
where f(t) is the number of periodic IP flows, avg_e is the ideal average flow times, avg is the average flow times in the period, and f*(t_k) is the number of processed periodic IP flows;
an IP abnormality degree calculation unit that obtains an IP abnormality degree according to the following formula:
Figure GDA0003868525560000042
where diff is the IP abnormality degree, f*(t) is the number of processed periodic IP flows, and F*(t) is the estimated flow number.
The invention also provides computer equipment comprising a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the computer program to realize the IP abnormal traffic detection method.
The present invention also provides a storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the IP abnormal traffic detection method as described in any one of the above.
The invention has the beneficial effects that:
The invention provides an IP abnormal flow identification method, which calculates the abnormality degree of a given IP in a period from the flow times within that period. The method first counts the flow times of the IP over one period, second calculates the average flow times of the IP in the period, third estimates the flow times from the flow times of the other periods, and finally calculates the difference between the statistic value and the estimated value with an abnormality degree algorithm to obtain the IP abnormality degree. When counting the flow-count function f(t_k), the method takes into account that the traffic of the IP may fluctuate normally, estimates the average number of times, and corrects f(t_k) accordingly, so that the influence of normal traffic fluctuation is removed and a more accurate estimate of the IP abnormality degree is obtained.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application.
In the drawings:
FIG. 1 is a flow chart of a method of IP anomaly traffic detection;
FIG. 2 is a flow chart of steps S2 of FIG. 1;
FIG. 3 is a flow chart illustrating the substeps of step S3 of FIG. 1;
FIG. 4 is a schematic structural diagram of an IP abnormal traffic identification system of the present invention;
fig. 5 is a block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the application, and that it is also possible for a person skilled in the art to apply the application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that such a development effort might be complex and tedious, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure, given the benefit of this disclosure, without departing from the scope of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by one of ordinary skill in the art that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein means two or more. "and/or" describes the association relationship of the associated object, indicating that there may be three relationships, for example, "a and/or B" may indicate: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The present invention is described in detail with reference to the embodiments shown in the drawings, but it should be understood that these embodiments are not intended to limit the present invention, and that functional, methodological, or structural equivalents thereof, which are equivalent or substituted by those of ordinary skill in the art, are within the scope of the present invention.
Before describing in detail the various embodiments of the present invention, the core inventive concepts of the present invention are summarized and described in detail by the following several embodiments.
Referring to fig. 1, fig. 1 is a flowchart of an IP abnormal traffic detection method. As shown in fig. 1, the IP abnormal traffic detection method of the present invention includes:
average flow rate acquisition step S1: counting the number of periodic IP flows of any IP in a period, and obtaining the number of average flows in the period according to the number of the periodic IP flows; wherein the step S1 of obtaining the average flow number includes: constructing a first function which is a discrete function, counting the periodic IP flow times through the discrete function, and obtaining the periodic IP flow times of the IP in one period according to the periodic IP flow times.
Obtaining ideal average flow times step S2: sampling the rest periods of the IP to obtain sampling data, and obtaining estimated flow times and ideal average flow times according to the sampling data;
abnormality degree acquisition step S3: processing the periodic IP flow frequency according to the ideal average flow frequency and the average flow frequency in the period, and obtaining the IP abnormal degree according to the processed periodic IP flow frequency and the estimated flow frequency;
an identification step S4: identifying IP abnormal flow according to the IP abnormal degree.
Referring to fig. 2, fig. 2 is a flowchart illustrating steps of step S2 in fig. 1. As shown in fig. 2, the step S2 of obtaining the ideal average flow rate includes:
abnormal value operation step S21: sampling the rest periods of the IP to obtain sampling data, and removing abnormal values of the sampling data;
estimated flow number obtaining step S22: obtaining the estimated flow times of any time point of the normal network IP according to the sampling data after the abnormal value is removed;
ideal average flow number calculation step S23: and obtaining the ideal average flow times according to the estimated flow times.
Referring to fig. 3, fig. 3 is a flowchart illustrating steps of step S3 in fig. 1. As shown in fig. 3, the abnormality degree acquisition step S3 includes:
modification step S31: modifying the number of the periodic IP flows according to the following formula:
Figure GDA0003868525560000071
where f(t) is the number of periodic IP flows, avg_e is the ideal average flow times, avg is the average flow times in the period, and f*(t_k) is the number of processed periodic IP flows;
IP abnormality degree calculation step S32: the IP abnormality degree is obtained according to the following formula:
Figure GDA0003868525560000072
where diff is the IP abnormality degree, f*(t) is the number of processed periodic IP flows, and F*(t) is the estimated flow number.
The IP abnormal traffic detection method of the present invention will be specifically described below with reference to examples.
The first embodiment is as follows:
This example discloses a specific implementation of a statistics-based IP abnormal traffic detection method (hereinafter referred to as "the method"). Step 1: let f(t) (t ∈ [0, T_0]) be the number of flows of a given IP at time t, where f(t) is a discrete function; within one period T_0, taking Δt as the time interval, count the number of flows f(t_k) (k ∈ [0, T_0/Δt]) of the IP.
Step 2, calculating the average flow frequency avg in a period, wherein the calculation formula is as follows:
Figure GDA0003868525560000081
where k_0 = 0 and k_m = T_0.
Step 3: calculate the estimated value y and the ideal average flow times avg_e for each time point of a normal network IP. Sample K periods to obtain K groups of data f_i(t_k) (i ∈ [0, K], k ∈ [0, T_0/Δt]). For the number of flows at each t_k, remove the outliers (a value whose difference from the mean is greater than two standard deviations is considered an outlier). From the K sets of data, the estimated value of f(t) at time t_k can be calculated:
Figure GDA0003868525560000082
where K_outlier is the set of outliers at time t_k. The ideal average flow times can then be calculated:
Figure GDA0003868525560000083
Step 4: process the flow-count function to eliminate the influence of normal fluctuation of network traffic. f(t_k) is modified slightly:
Figure GDA0003868525560000084
Thus the influence of normal fluctuation of network traffic is eliminated.
Step 5: calculate the IP abnormality degree, letting F*(t_k) = y_k be the estimated number of flows. The abnormality degree is calculated as follows:
Figure GDA0003868525560000085
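The five steps of this embodiment, which are the same steps S1 to S4 summarised in the method description above, carried through end to end in Python as an added example that is not part of the patent. The page does not reproduce the formula images, so the correction in step 4 (rescaling the period so that its mean equals avg_e) and the abnormality degree in step 5 (total absolute deviation of the corrected counts from the estimates, normalised by the sum of the estimates) are assumptions of this example, as is the decision threshold used in the identification step; the outlier rule (more than two standard deviations from the mean) follows the text. All flow counts below are constructed. The example runs two periods of the same IP: one that doubles the reference volume while keeping its shape (normal fluctuation, which the correction cancels) and one with a burst at a single time point.

```python
from statistics import mean, pstdev

# Constructed sample data. Each inner list holds the flow counts f(t_k) of one IP
# at the time points k = 0 .. T0/dt - 1 of a single period.
REFERENCE_PERIODS = [            # the K "rest periods" sampled in step 3
    [5, 6, 5, 6, 5, 6],
    [5, 6, 5, 6, 5, 6],
    [5, 6, 5, 6, 5, 6],
    [5, 6, 5, 6, 5, 6],
    [5, 6, 5, 6, 5, 6],
    [5, 6, 5, 30, 5, 6],         # one-off spike at k = 3: an outlier in that sample set
]
NORMAL_PERIOD = [10, 12, 10, 12, 10, 12]     # same shape as the references, twice the volume
SUSPECT_PERIOD = [10, 12, 10, 12, 50, 12]    # same again, plus a burst at k = 4


def period_average(f):
    """Step 2: avg, the mean of f(t_k) over the time points of the period."""
    return mean(f)


def remove_outliers(samples, z=2.0):
    """Step 3 outlier rule as stated on the page: a sample whose distance from the
    mean exceeds two standard deviations is discarded (population std dev assumed)."""
    m, sd = mean(samples), pstdev(samples)
    if sd == 0:                  # identical samples: nothing can be an outlier
        return list(samples)
    return [x for x in samples if abs(x - m) <= z * sd]


def estimate_flows(reference_periods):
    """Step 3: y_k, the estimate for each t_k, taken as the mean of the reference
    samples at that time point after outlier removal."""
    n_points = len(reference_periods[0])
    return [mean(remove_outliers([p[k] for p in reference_periods]))
            for k in range(n_points)]


def ideal_average(y):
    """Step 3: avg_e. Assumption of this example: the mean of the estimates y_k."""
    return mean(y)


def correct_period(f, avg, avg_e):
    """Step 4: f*(t_k). Assumed correction: rescale the period so that its mean
    equals avg_e, so a uniform rise or fall in volume is not counted as anomalous."""
    if avg == 0:                 # an IP with no flows at all cannot be rescaled
        return [0.0] * len(f)
    return [x * avg_e / avg for x in f]


def anomaly_degree(f_star, f_est):
    """Step 5: diff. Assumed formula: total absolute deviation of the corrected
    counts from the estimates F*(t_k) = y_k, normalised by the total estimate."""
    return sum(abs(a - b) for a, b in zip(f_star, f_est)) / sum(f_est)


def detect(period, reference_periods, threshold=0.3):
    """Steps 1 to 5 end to end; returns (diff, flagged). The threshold is an
    assumption: the page only says the IP is identified from its abnormality degree."""
    avg = period_average(period)                 # step 2
    y = estimate_flows(reference_periods)        # step 3
    avg_e = ideal_average(y)                     # step 3
    f_star = correct_period(period, avg, avg_e)  # step 4
    diff = anomaly_degree(f_star, y)             # step 5
    return diff, diff > threshold


if __name__ == "__main__":
    for name, period in (("normal", NORMAL_PERIOD), ("suspect", SUSPECT_PERIOD)):
        diff, flagged = detect(period, REFERENCE_PERIODS)
        print(f"{name}: diff={diff:.3f} flagged={flagged}")
```

The doubled period corrects back onto the reference estimates exactly, so its diff is 0; the burst period keeps its shape distortion after rescaling and scores well above the threshold. Note that with K reference periods a single spike can only exceed two population standard deviations when K is at least 6, so the sample size of the rest periods matters for the outlier step.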
1. The number of independent IPs is the number of visitors to a website counted by distinct IP address. No matter how many pages the same IP visits, it counts as 1 independent IP; the current common practice is to count the same IP only once within 24 hours, which matches the accounting habit of most advertisers today.
2. PV (page views) is the number of times pages are browsed. Different statistics systems define it slightly differently; the main method is that each refresh of a page increases the count by 1, regardless of whether the refresh is malicious or repeated. Real PV statistics should be bound to the IP, i.e. the number of different pages visited within 24 hours by a given IP: no matter how many times the same IP visits the same page within 24 hours it counts only 1, and the PV count is incremented only when different pages are visited.
3. Unique visitors means the count of distinct users; the count should be increased for each distinct user, but with current technology it is impossible or difficult to determine whether a visitor is a distinct user, for example when multiple users share one IP, when the same user connects with a dynamic IP, or when different users use the same IP on the same machine. Generally speaking, website traffic and the IP count can be treated as equivalent.
IP is a code unique to each computer;
PV is the number of page views; for example, if one IP views 10 pages, today's traffic is 1 IP, 10 PV;
the higher the IP count, the more users the website has, and the higher the PV, the more users are browsing the website content. Generally, a low IP count with a high PV indicates that the website content attracts users, who keep reading the site, and that the website is of high quality;
if the IP and PV counts are not far apart, the website content is rich; traffic refers to the amount of data read from the server when users access the website;
the IP address is unique but can be replaced through a proxy server, and can even change every second, so that if a hacker attacks the IP address, the attack can be evaded;
each internet device has one IP, so the number of devices accessing the site is obtained by counting the IPs received;
as for traffic, simply put, a page contains pictures and text; if these total 2M and one user browses the whole page, the traffic is 2M.
Example two:
referring to fig. 4, fig. 4 is a schematic structural diagram of an IP abnormal traffic identification system according to the present invention. Fig. 4 shows a system for detecting abnormal IP traffic based on statistics, which includes:
the average flow frequency acquisition module is used for counting the periodic IP flow frequency of any IP in a period and acquiring the average flow frequency in the period according to the periodic IP flow frequency;
the module for obtaining the ideal average flow times samples the rest periods of the IP to obtain sampling data, and obtains estimated flow times and ideal average flow times according to the sampling data;
an abnormality degree obtaining module, wherein the abnormality degree obtaining module processes the periodic IP flow frequency according to the ideal average flow frequency and the average flow frequency in the period, and obtains the IP abnormality degree according to the processed periodic IP flow frequency and the estimated flow frequency;
and the identification module identifies the abnormal IP flow according to the abnormal IP degree.
The module for obtaining the average flow times constructs a first function, the first function is a discrete function, the periodic IP flow times are counted through the discrete function, and the periodic IP flow times of the IP in one period are obtained according to the periodic IP flow times.
Wherein, the module for obtaining the ideal average flow times comprises:
an abnormal value operation unit which samples the rest periods of the IP to obtain sampling data and removes the abnormal value from the sampling data;
an estimated flow frequency obtaining unit which obtains the estimated flow frequency of any time point of the normal network IP according to the sampling data after removing the abnormal value;
and the ideal average flow frequency calculating unit is used for obtaining the ideal average flow frequency according to the estimated flow frequency.
Wherein the abnormality degree acquisition module includes:
a modification unit that modifies the periodic IP traffic number according to the following formula:
Figure GDA0003868525560000101
where f(t) is the number of periodic IP flows, avg_e is the ideal average flow times, avg is the average flow times in the period, and f*(t_k) is the number of processed periodic IP flows;
an IP abnormality degree calculation unit that obtains an IP abnormality degree according to the following formula:
Figure GDA0003868525560000102
where diff is the IP abnormality degree, f*(t) is the number of processed periodic IP flows, and F*(t) is the estimated flow number.
Example three:
referring to FIG. 5, this embodiment discloses an embodiment of a computer apparatus. The computer device may comprise a processor 81 and a memory 82 in which computer program instructions are stored.
Specifically, the processor 81 may include a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may include a Hard Disk Drive (Hard Disk Drive, abbreviated to HDD), a floppy Disk Drive, a Solid State Drive (SSD), flash memory, an optical Disk, a magneto-optical Disk, tape, or a Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is a Non-Volatile (Non-Volatile) memory. In particular embodiments, memory 82 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or FLASH Memory (FLASH), or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode Dynamic Random-Access Memory (FPMDRAM), an Extended data output Dynamic Random-Access Memory (EDODRAM), a Synchronous Dynamic Random-Access Memory (SDRAM), and the like.
The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.
The processor 81 reads and executes the computer program instructions stored in the memory 82 to implement any one of the IP abnormal traffic detection methods in the above embodiments.
In some of these embodiments, the computer device may also include a communication interface 83 and a bus 80. As shown in fig. 5, the processor 81, the memory 82, and the communication interface 83 are connected via the bus 80 to complete communication therebetween.
The communication interface 83 is used for implementing communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication port 83 may also be implemented with other components such as: the data communication is carried out among external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.
Bus 80 includes hardware, software, or both to couple the components of the computer device to each other. Bus 80 includes, but is not limited to, at least one of the following: a data bus, an address bus, a control bus, an expansion bus, and a local bus. By way of example and not limitation, bus 80 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a VESA Local Bus (VLB), a video bus, or a combination of two or more of these suitable electronic buses. Bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The computer device can detect the network abnormal traffic based on the IP abnormal traffic detection method, thereby implementing the methods described in conjunction with fig. 1-3.
In addition, in combination with the IP abnormal traffic detection method in the foregoing embodiment, the embodiment of the present application may provide a computer-readable storage medium to implement the method. The computer-readable storage medium has computer program instructions stored thereon; when executed by a processor, the computer program instructions implement any of the IP abnormal traffic detection methods in the above embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
In summary, the beneficial effect of the invention is that it provides an IP abnormal traffic identification method which calculates the abnormality degree of a given IP in a period from the number of flows (flow times) of that IP in the period. The method first counts the flow times of the IP in one period, then calculates the average flow times of the IP in that period, then estimates the flow times from the flow times of the other periods, and finally computes the difference between the counted value and the estimated value with an abnormality degree algorithm to obtain the IP abnormality degree. When counting the flow times function f(t_k), the patent considers that the traffic of the IP shows normal fluctuation in its count, so f(t_k) is corrected with the estimated average flow times to remove the influence of normal traffic fluctuation, giving a more accurate estimate of the IP abnormality degree.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is specific and detailed, but not to be understood as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, and these are all within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (8)

1. An IP abnormal flow detection method is characterized by comprising the following steps:
acquiring average flow times: counting the periodic IP flow times of any IP in a period, and obtaining the average flow times in the period according to the periodic IP flow times;
obtaining ideal average flow times: sampling the rest periods of the IP to obtain sampling data, and obtaining estimated flow times and ideal average flow times according to the sampling data;
an abnormality degree acquisition step: processing the periodic IP flow times according to the ideal average flow times and the average flow times in the period, and obtaining the IP abnormality degree according to the processed periodic IP flow times and the estimated flow times;
an identification step: identifying abnormal IP traffic according to the IP abnormality degree;
wherein the abnormality degree acquisition step includes:
a modification step: modifying the periodic IP flow times according to the following formula:
Figure FDA0003868525550000011
wherein f(t) is the periodic IP flow times, avg_e is the ideal average flow times, avg is the average flow times in the period, and f*(t_k) is the processed periodic IP flow times;
IP abnormality degree calculation step: the IP abnormality degree is obtained according to the following formula:
Figure FDA0003868525550000012
wherein diff is the IP abnormality degree, f*(t) is the processed periodic IP flow times, F*(t) is the estimated flow times, f(t) (t ∈ [0, T_0]) is the flow times of a certain IP at time t, f(t) is a discrete function, and the flow times f(t_k) (k ∈ [0, T_0/Δt]) of the IP within a period T_0 are counted at a time interval Δt.
2. The IP abnormal traffic detection method according to claim 1,
the step of obtaining the average flow times comprises: constructing a first function, wherein the first function is a discrete function, counting the periodic IP flow times through the discrete function, and obtaining the periodic IP flow times of the IP in one period according to the periodic IP flow times.
3. The IP abnormal traffic detection method according to claim 1, wherein the obtaining of the ideal average traffic number includes:
abnormal value operation step: sampling the rest periods of the IP to obtain sampling data, and removing abnormal values from the sampling data;
an estimated flow times obtaining step: obtaining the estimated flow times at any time point of the IP under normal network conditions according to the sampling data after the abnormal values are removed;
an ideal average flow times calculating step: obtaining the ideal average flow times according to the estimated flow times.
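The procedure summarised above and set out in claims 1 to 3 (count f(t_k) over one period, estimate F*(t_k) from the other periods after removing outliers, correct f(t_k) with avg_e and avg, compute diff and flag the IP), as an added Python example that is not the patent's own code. The claim formulas are images not reproduced on this page, so the ratio correction, the mean-absolute-difference form of diff, the median/MAD outlier rule and the 0.5 threshold are assumptions, and all traffic data is constructed.

```python
from statistics import mean, median

# Constructed baseline: flows per 1-hour bin (Δt) over a 24-hour period (T_0).
SHAPE = [2, 1, 1, 1, 1, 2, 4, 8, 12, 14, 15, 15, 14, 15, 15, 14, 12, 10, 8, 6, 5, 4, 3, 2]

def count_flows(timestamps, period_len=24, bin_len=1):
    """First function f(t_k): a discrete count of flows per Δt-wide bin of one period T_0."""
    bins = [0] * (period_len // bin_len)
    for ts in timestamps:
        bins[int(ts % period_len) // bin_len] += 1
    return bins

def remove_outliers(periods, k=3.0):
    """Claim 3 outlier step; the median/MAD rule on per-period totals is an assumption."""
    totals = [sum(p) for p in periods]
    med = median(totals)
    mad = median(abs(t - med) for t in totals) or 1.0
    return [p for p, t in zip(periods, totals) if abs(t - med) <= k * mad]

def estimate_flows(periods):
    """Estimated flow times F*(t_k): per-bin mean over the sampled periods that survive."""
    return [mean(col) for col in zip(*remove_outliers(periods))]

def anomaly_degree(f, f_est):
    """Assumed formulas: f*(t_k) = f(t_k) * avg_e / avg, diff = mean|f* - F*| / avg_e."""
    avg, avg_e = mean(f), mean(f_est)
    if avg_e == 0:                       # no baseline at all: any traffic is the anomaly
        return float(mean(f))
    scale = avg_e / avg if avg else 1.0  # an empty period stays all-zero
    f_star = [x * scale for x in f]
    return mean(abs(a - b) for a, b in zip(f_star, f_est)) / avg_e

def is_abnormal(f, periods, threshold=0.5):
    """Identification step: flag the IP when its diff exceeds an (assumed) threshold."""
    return anomaly_degree(f, estimate_flows(periods)) > threshold

# Constructed history: four ordinary days plus one 5x day that the outlier step must
# discard, otherwise it would inflate F*(t_k) and hide a later burst.
HISTORY = [[round(x * s) for x in SHAPE] for s in (1.0, 1.1, 0.9, 1.0, 5.0)]
# Day A: ordinary shape at slightly higher volume. Day B: same shape plus a 02:00-04:00 burst.
DAY_A = [round(x * 1.05) for x in SHAPE]
DAY_B = [60 if 2 <= h <= 4 else x for h, x in enumerate(SHAPE)]

if __name__ == "__main__":
    est = estimate_flows(HISTORY)
    print("sampled periods kept after outlier removal:", len(remove_outliers(HISTORY)))
    for name, day in (("A", DAY_A), ("B", DAY_B)):
        print(f"day {name}: diff={anomaly_degree(day, est):.3f}, abnormal={is_abnormal(day, HISTORY)}")
```

Because the correction rescales f(t_k) so that its mean equals avg_e, a day that is merely busier than usual (day A) scores low, while a day whose shape differs (day B) scores high even though its total is only about twice the baseline.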
4. An IP abnormal traffic detection system, comprising:
an average flow times obtaining module, which counts the periodic IP flow times of any IP in a period and obtains the average flow times in the period according to the periodic IP flow times;
an ideal average flow times obtaining module, which samples the rest periods of the IP to obtain sampling data, and obtains estimated flow times and ideal average flow times according to the sampling data;
an abnormality degree obtaining module, which processes the periodic IP flow times according to the ideal average flow times and the average flow times in the period, and obtains the IP abnormality degree according to the processed periodic IP flow times and the estimated flow times;
an identification module, which identifies abnormal IP traffic according to the IP abnormality degree;
wherein the abnormality degree acquisition module includes:
a modification unit that modifies the periodic IP traffic number according to the following formula:
Figure FDA0003868525550000021
wherein f(t) is the periodic IP flow times, avg_e is the ideal average flow times, avg is the average flow times in the period, and f*(t_k) is the processed periodic IP flow times;
an IP abnormality degree calculation unit that obtains an IP abnormality degree according to the following formula:
Figure FDA0003868525550000022
wherein diff is the IP abnormality degree, f*(t) is the processed periodic IP flow times, F*(t) is the estimated flow times, f(t) (t ∈ [0, T_0]) is the flow times of a certain IP at time t, f(t) is a discrete function, and the flow times f(t_k) (k ∈ [0, T_0/Δt]) of the IP within a period T_0 are counted at a time interval Δt.
5. The IP abnormal traffic detection system according to claim 4, wherein the average flow times obtaining module constructs a first function, the first function is a discrete function, the periodic IP flow times are counted by the discrete function, and the periodic IP flow times of the IP in one period are obtained according to the periodic IP flow times.
6. The IP abnormal traffic detection system according to claim 4, wherein the ideal average flow times obtaining module comprises:
an abnormal value operation unit, which samples the rest periods of the IP to obtain sampling data and removes abnormal values from the sampling data;
an estimated flow times obtaining unit, which obtains the estimated flow times at any time point of the IP under normal network conditions according to the sampling data after the abnormal values are removed;
an ideal average flow times calculating unit, which obtains the ideal average flow times according to the estimated flow times.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the IP abnormal traffic detection method according to any one of claims 1 to 3 when executing the computer program.
8. A storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the IP abnormal traffic detection method according to any one of claims 1 to 3.
CN202011418675.XA 2020-12-07 2020-12-07 IP abnormal flow detection method, system, computer equipment and storage medium Active CN112543199B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011418675.XA CN112543199B (en) 2020-12-07 2020-12-07 IP abnormal flow detection method, system, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112543199A CN112543199A (en) 2021-03-23
CN112543199B true CN112543199B (en) 2022-12-23

Family

ID=75016311

Country Status (1)

Country Link
CN (1) CN112543199B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116723138B (en) * 2023-08-10 2023-10-20 杭银消费金融股份有限公司 Abnormal flow monitoring method and system based on flow probe dyeing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610616A (en) * 2015-12-29 2016-05-25 赛尔网络有限公司 Method and system for performing statistics to obtain average flow of single IP (Internet Protocol) of access network based on ICP (Internet Content Provider) activity
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method
CN109639633A (en) * 2018-11-02 2019-04-16 平安科技(深圳)有限公司 Abnormal flow data identification method, device, medium and electronic equipment
CN111600865A (en) * 2020-05-11 2020-08-28 杭州安恒信息技术股份有限公司 Abnormal communication detection method and device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190333099A1 (en) * 2018-04-30 2019-10-31 Affle (India) Limited Method and system for ip address traffic based detection of fraud

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant