CN113297241A - Method, device, equipment, medium and program product for judging network flow - Google Patents

Method, device, equipment, medium and program product for judging network flow

Info

Publication number
CN113297241A
CN113297241A
Authority
CN
China
Prior art keywords
real
time
preset
characteristic information
preset database
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110651005.0A
Other languages
Chinese (zh)
Inventor
吴子凡
祝萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
ICBC Technology Co Ltd
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
ICBC Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC and ICBC Technology Co Ltd
Priority to CN202110651005.0A
Publication of CN113297241A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/23 Updating
    • G06F 16/2358 Change logging, detection, and notification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F 16/284 Relational databases
    • G06F 16/285 Clustering or classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/211 Selection of the most significant subset of features

Abstract

The invention provides a method, an apparatus, a device, a medium and a program product for determining network traffic. The method comprises: acquiring real-time traffic data; extracting real-time feature information from the real-time traffic data; and controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and a preset database, and controlling whether the preset database is updated. In the embodiments provided by the disclosure, access control of real-time traffic data is performed autonomously and the database is supplemented continuously, so that more sample data accumulates; no device needs to be labelled in advance, and every decision is derived entirely from the network traffic itself. The system is self-adapting and self-updating: the longer it runs, the more data accumulates, the more information the preset database holds, and the higher the judgment accuracy becomes. In addition, for real-time traffic data generated by a device, whether that device's access is abnormal is judged in quasi real time (at minute granularity), so timeliness is high.

Description

Method, device, equipment, medium and program product for judging network flow
Technical Field
The present invention relates to the field of big data, and in particular, to a method, an apparatus, a device, a medium, and a program product for determining network traffic.
Background
In the information age the importance of network security keeps growing, and network traffic analysis receives more and more attention. In the field of intranet security control, analysing the network traffic of each network area reveals which devices have connected to the intranet and whether their access is normal or suspected to be an intrusion; analysing network traffic with big data technology is gradually becoming an important technical means of intranet access control.
The main means of abnormal traffic detection and analysis at present are signature (feature value) matching, traffic log analysis and the like: with data mining techniques, captured network traffic data is visualised, matched against signatures, analysed statistically and audited after the fact, abnormal access devices are found by monitoring and post-hoc analysis, and they are actively blocked on their next access. These approaches have the following problems. First, abnormal traffic discovered by signature matching can only be based on a generic, public signature library, so unknown threats cannot be discovered, and signatures easily conflict with normal business traffic, producing false alarms that reduce the efficiency of triaging and handling real attacks. Second, finding devices with abnormal access or suspected intrusion through after-the-fact statistics on historical data requires staff with professional experience and a large investment of manpower. In addition, the black lists and white lists generated from historical data analysis can only effectively restrain devices that were already found accessing abnormally; a device that is intruded for the first time cannot be discovered proactively.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment, a medium and a program product for judging network traffic, and aims to solve the problem of difficulty in identifying abnormal network traffic.
According to a first aspect of the present disclosure, a method for determining network traffic is provided, including:
acquiring real-time traffic data;
extracting real-time feature information from the real-time traffic data;
and controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and a preset database, and controlling whether the preset database is updated.
According to an embodiment of the present disclosure, the step of controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and a preset database, and controlling whether the preset database is updated, includes:
when the real-time feature information matches the preset database, acquiring the corresponding preset access mode;
controlling the access mode of the real-time traffic data according to the preset access mode;
and not updating the preset database.
According to an embodiment of the present disclosure, when the real-time feature information matches the preset database, the step of acquiring the corresponding preset access mode includes:
when the real-time feature information matches normal feature information, the preset access mode is release (allow) access;
and when the real-time feature information matches abnormal feature information, the preset access mode is blocked access.
According to an embodiment of the present disclosure, the step of controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and a preset database, and controlling whether the preset database is updated, includes:
when the real-time feature information cannot be matched with the preset database, acquiring the abnormal probability of the real-time feature information;
acquiring the corresponding preset access mode according to the abnormal probability;
controlling the access mode of the real-time traffic data according to the preset access mode;
and updating the preset database.
According to an embodiment of the present disclosure, the step of acquiring the abnormal probability of the real-time feature information includes:
comparing the real-time feature information with the preset database to establish a feature model;
and acquiring the abnormal probability of the real-time feature information according to the feature model.
According to an embodiment of the present disclosure, the step of acquiring the corresponding preset access mode according to the abnormal probability includes:
when the abnormal probability is greater than 50%, the preset access mode is blocked access;
and when the abnormal probability is less than 50%, the preset access mode is release access.
According to an embodiment of the present disclosure, the step of updating the preset database includes:
writing the real-time feature information and its access mode into the preset database.
A second aspect of the present disclosure provides a device for determining network traffic, including:
a data acquisition module for acquiring real-time traffic data;
a feature extraction module for extracting real-time feature information from the real-time traffic data; and
a service module for controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and a preset database, and for controlling whether the preset database is updated.
According to an embodiment of the present disclosure, the service module controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and a preset database, and controlling whether the preset database is updated, further includes:
when the real-time feature information matches the preset database, acquiring the corresponding preset access mode;
controlling the access mode of the real-time traffic data according to the preset access mode;
and not updating the preset database.
According to an embodiment of the present disclosure, the service module acquiring the corresponding preset access mode when the real-time feature information matches the preset database includes:
when the real-time feature information matches normal feature information, the preset access mode is release access;
and when the real-time feature information matches abnormal feature information, the preset access mode is blocked access.
According to an embodiment of the present disclosure, the service module controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and a preset database, and controlling whether the preset database is updated, includes:
when the real-time feature information cannot be matched with the preset database, acquiring the abnormal probability of the real-time feature information;
acquiring the corresponding preset access mode according to the abnormal probability;
controlling the access mode of the real-time traffic data according to the preset access mode;
and updating the preset database.
According to an embodiment of the present disclosure, the service module acquiring the abnormal probability of the real-time feature information further includes:
comparing the real-time feature information with the preset database to establish a feature model;
and acquiring the abnormal probability of the real-time feature information according to the feature model.
According to an embodiment of the present disclosure, the service module acquiring the corresponding preset access mode according to the abnormal probability includes:
when the abnormal probability is greater than 50%, the preset access mode is blocked access;
and when the abnormal probability is less than 50%, the preset access mode is release access.
According to an embodiment of the present disclosure, the service module updating the preset database includes:
writing the real-time feature information and its access mode into the preset database.
A third aspect of the present disclosure provides an electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described method for determining network traffic.
The fourth aspect of the present disclosure also provides a computer-readable storage medium, on which executable instructions are stored, and when executed by a processor, the instructions cause the processor to execute the above-mentioned method for determining network traffic.
The fifth aspect of the present disclosure also provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the method for determining network traffic is implemented.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
fig. 1 schematically shows the system architecture of a method and apparatus for determining network traffic according to an embodiment of the present disclosure;
fig. 2 schematically illustrates a flow chart of a method for determining network traffic according to an embodiment of the present disclosure;
fig. 3 schematically shows a flowchart of an embodiment of step S20 according to an embodiment of the present disclosure;
fig. 4 schematically shows a flowchart of another embodiment of step S20 according to an embodiment of the present disclosure;
fig. 5 schematically shows a flowchart of the sub-steps of step S321 according to an embodiment of the present disclosure;
fig. 6 is a block diagram schematically illustrating a structure of a network traffic determination apparatus according to an embodiment of the present disclosure;
FIG. 7 is a block diagram that schematically illustrates the architecture of one embodiment of the service module of FIG. 6;
FIG. 8 is a block diagram schematically illustrating the structure of an embodiment of the first unit in FIG. 7;
FIG. 9 is a block diagram schematically illustrating the structure of a second embodiment of the service module of FIG. 6;
FIG. 10 is a block diagram schematically illustrating a third embodiment of the service module of FIG. 6;
FIG. 11 is a block diagram schematically illustrating the structure of an embodiment of the sixth unit in FIG. 9;
FIG. 12 is a block diagram schematically illustrating the structure of an embodiment of the seventh unit in FIG. 9;
fig. 13 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In the technical solution of the disclosure, the acquisition, storage and use of the personal information of the users involved comply with the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
The embodiment of the present disclosure provides a method for determining network traffic, including:
acquiring real-time traffic data;
extracting real-time feature information from the real-time traffic data;
and controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and the preset database, and controlling whether the preset database is updated.
Fig. 1 schematically shows an application scenario diagram of a method and an apparatus for determining network traffic according to an embodiment of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include a financial service field. Network 102 is the medium used to provide communication links between terminal devices 101 and server 103. Network 102 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use terminal device 101 to interact with server 103 over network 102 to receive or send messages and the like. Various messaging client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on terminal device 101.
The terminal device 101 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 103 may be a server that provides various services, such as a background management server (for example only) that provides support for websites browsed by users using the terminal devices 101. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the method for determining network traffic provided by the embodiment of the present disclosure may be generally executed by the server 103. Accordingly, the network traffic determination device provided by the embodiment of the present disclosure may be generally disposed in the server 103. The method for determining network traffic provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the server 103 and is capable of communicating with the terminal device 101 and/or the server 103. Accordingly, the device for determining network traffic provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster that is different from the server 103 and is capable of communicating with the terminal device 101 and/or the server 103.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The method for determining network traffic according to the disclosed embodiment will be described in detail with reference to fig. 2 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of a method for determining network traffic according to an embodiment of the present disclosure.
As shown in fig. 2, the method for determining network traffic of this embodiment includes operations S10 through S30 and may be performed by the network traffic determining apparatus.
In operation S10, real-time traffic data is acquired;
in operation S20, real-time feature information is extracted from the real-time traffic data;
in operation S30, the access mode of the real-time traffic data is controlled according to the relation between the real-time feature information and the preset database, and whether the preset database is updated is controlled.
In the embodiment provided by the disclosure, the real-time traffic data of an access is acquired, its real-time feature information is extracted and compared with the information in the preset database, and the result of that comparison controls both the access of the real-time traffic data and whether the preset database is updated. Access control of real-time traffic data is therefore autonomous; the database is supplemented continuously and accumulates more sample data; no device needs to be labelled in advance, every decision being derived entirely from the network traffic itself; the system is self-adapting and self-updating, so the longer it runs, the more data accumulates, the more information the preset database holds and the higher the judgment accuracy; and for real-time traffic data generated by a device, whether that device's access is abnormal is judged in quasi real time (at minute granularity), so timeliness is high.
It should be noted that the real-time feature information includes device fingerprint information of the access source device (based on IP, port, MAC address and protocol features), device fingerprint information of the destination device, and feature information such as access session metadata; the real-time feature information is generated by feature engineering.
It should be noted that a device fingerprint refers to a device characteristic, or a unique device identifier, that can be used to uniquely identify the device.
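An added worked example of step S20 and of the feature list just given; it is not part of the patent and not ICBC code. It builds source and destination device fingerprints from the IP, port, MAC and protocol fields and aggregates session metadata per source device and per minute window, which is the "minute level" granularity the abstract claims. The flow-record layout, the sample flows and the choice of aggregate features are all constructed for the example; the patent does not list them.

```python
"""Feature extraction from raw flow records, step S20 (added example)."""
from __future__ import annotations

import hashlib
from collections import defaultdict

WINDOW_SECONDS = 60  # judged "in quasi real time (minute level)"

# Constructed sample flow records, one per connection, as a collector might
# export them. The column set is an assumption: the patent names IP, port, MAC
# address and protocol as fingerprint inputs and "session metadata" without
# listing its fields.
# (timestamp, src_ip, src_mac, dst_ip, dst_port, protocol, bytes, packets)
SAMPLE_FLOWS = [
    (1_700_000_000, "10.1.2.3", "AA:BB:CC:00:00:01", "10.9.0.10", 443, "TCP", 4200, 12),
    (1_700_000_010, "10.1.2.3", "aa:bb:cc:00:00:01", "10.9.0.10", 443, "tcp", 5100, 15),
    (1_700_000_020, "10.1.2.3", "aa:bb:cc:00:00:01", "10.9.0.11", 445, "tcp", 900, 6),
    (1_700_000_030, "10.1.2.77", "aa:bb:cc:00:00:99", "10.9.0.10", 22, "tcp", 120, 3),
    (1_700_000_031, "10.1.2.77", "aa:bb:cc:00:00:99", "10.9.0.11", 22, "tcp", 120, 3),
    (1_700_000_032, "10.1.2.77", "aa:bb:cc:00:00:99", "10.9.0.12", 22, "tcp", 120, 3),
    (1_700_000_033, "10.1.2.77", "aa:bb:cc:00:00:99", "10.9.0.13", 22, "tcp", 120, 3),
]


def device_fingerprint(*parts: str | int) -> str:
    """Stable identifier built from the fields the patent names (IP, port, MAC
    address, protocol). Fields are normalised first so that "AA:BB" and "aa:bb",
    or "TCP" and "tcp", collapse to the same device. The hash is truncated only
    for display; it is an identifier, not a security control."""
    canon = "|".join(str(p).strip().lower() for p in parts)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def extract_features(flows):
    """Group flows by (source device fingerprint, minute window) and emit one
    feature row per group. Returns {(src_fp, window): features}."""
    groups = defaultdict(list)
    for ts, src_ip, src_mac, dst_ip, dst_port, proto, nbytes, npkts in flows:
        src_fp = device_fingerprint(src_ip, src_mac, proto)
        groups[(src_fp, ts // WINDOW_SECONDS)].append((dst_ip, dst_port, proto, nbytes, npkts))

    rows = {}
    for key, recs in groups.items():
        dst_fps = {device_fingerprint(ip, port, proto) for ip, port, proto, _, _ in recs}
        total_bytes = sum(r[3] for r in recs)
        rows[key] = {
            "flows": len(recs),
            "distinct_dsts": len({r[0] for r in recs}),
            "distinct_ports": len({r[1] for r in recs}),
            "bytes": total_bytes,
            "packets": sum(r[4] for r in recs),
            "bytes_per_flow": total_bytes / len(recs),
            "dst_fingerprints": sorted(dst_fps),  # destination-device fingerprints
        }
    return rows


if __name__ == "__main__":
    for (src_fp, window), feats in extract_features(SAMPLE_FLOWS).items():
        print(src_fp, window, feats)
```

On the constructed input the two source devices produce one row each for the same minute: the first touches two destinations on two ports with large flows, the second touches four destinations on port 22 with identical tiny flows, which is the shape of a scan. Note that a fingerprint built from IP and MAC is only as trustworthy as the network that reports them; on a segment where an attacker can spoof either, a known device's fingerprint can be replayed to inherit its white-list entry.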
Further, referring to fig. 3, in an embodiment of the present disclosure, step S30 includes:
S311, when the real-time feature information matches the preset database, acquiring the corresponding preset access mode;
S312, controlling the access mode of the real-time traffic data according to the preset access mode;
and S313, not updating the preset database.
In the embodiment of the disclosure, when the real-time feature information matches the preset database, the real-time feature information of the accessing device is already known from the existing feature library and the like; the preset access mode corresponding to the real-time feature information is looked up directly in the preset database, and the access of the traffic data is controlled automatically according to that preset access mode. This gives a real-time response and automatic control without manual intervention, and preserves the access experience of operators.
Further, step S311 includes:
S3111, when the real-time feature information matches normal feature information, the preset access mode is release access;
S3112, when the real-time feature information matches abnormal feature information, the preset access mode is blocked access.
Existing accesses of real-time traffic data are divided into normal access and abnormal (attack) access, and a white list and a black list are correspondingly kept in the preset database. Real-time traffic data of a normal access that matches normal feature information is released, so that the operator can carry out network access normally; when the traffic data matches abnormal feature information the access is abnormal, so it is blocked and the real-time traffic data is refused entry to the server, protecting the server from damage.
Referring to fig. 4, in another embodiment of the present disclosure, step S30 includes:
S321, when the real-time feature information cannot be matched with the preset database, acquiring the abnormal probability of the real-time feature information;
S322, acquiring the corresponding preset access mode according to the abnormal probability;
S323, controlling the access mode of the real-time traffic data according to the preset access mode;
and S324, updating the preset database.
In the embodiment provided by the disclosure, when traffic data that is not in the preset database is encountered, whether the real-time traffic data is an abnormal access is judged from the abnormal probability of its real-time feature information, and access is controlled according to that probability. A new device is thus neither simply released nor simply blocked; its abnormal probability is judged first and the real-time traffic data is handled autonomously, which protects the network completely while reducing the operators' workload.
Specifically, referring to fig. 5, in the present embodiment, step S321 further includes:
S3211, comparing the real-time feature information with the preset database and establishing a feature model;
S3212, acquiring the abnormal probability of the real-time feature information according to the feature model.
Since most abnormal (attack) accesses share similar features, this embodiment runs a clustering algorithm over the data in the preset database, which separates it into a normal-access cluster and an abnormal-attack-access cluster; the real-time feature information is compared with the information in the preset database and automatically assigned to one of the cluster families, and the degree to which the real-time traffic data leans towards normal access or abnormal attack access is then judged, so as to control the access mode of the real-time traffic data.
In this embodiment, step S322 includes:
S3221, when the abnormal probability is greater than 50%, the preset access mode is blocked access;
S3222, when the abnormal probability is less than 50%, the preset access mode is release access.
In this way the access of real-time traffic data is controlled and network security is ensured. Splitting the abnormal probability at 50% avoids normal access becoming impossible because part of the operations are judged to be abnormal attack access, while still controlling abnormal attack access to the greatest extent.
In addition, step S324 includes:
S3241, writing the real-time feature information and its access mode into the preset database.
In this embodiment, after the access request of the real-time traffic data has been completed, the real-time feature information and its corresponding access mode are automatically written into the preset database, so that subsequent accesses are handled directly from the information in the preset database without judging the abnormal probability again, which increases the response speed. At the same time the preset database is updated continuously: as the accumulated data grows, the accuracy of judging new traffic data rises, and recording the real-time feature information enriches the preset database so that the accuracy of the abnormal-rate judgment keeps improving.
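The complete decision procedure of the first aspect (match, release or block; otherwise score, split at 50% and write back) and of steps S311 to S324 above, as an added worked example that is not part of the patent and not ICBC code. It assumes a four-element numeric feature vector per device (constructed values, not the patent's) and stands in for the unspecified clustering algorithm with a nearest-centroid scorer: each of the two labelled groups in the preset database is reduced to its centroid, and the abnormal probability is the range-scaled distance to the normal centroid divided by the sum of the distances to both centroids. The page does not say how a probability of exactly 50% is handled; the example blocks in that case, an assumption chosen to fail closed. The `provenance` tag and `pending_review` are additions of the example, not of the patent.

```python
"""Access decision against a self-updating preset database (added example)."""
from __future__ import annotations

import math
from dataclasses import dataclass, field

RELEASE = "release"   # white-list outcome (S3111 / S3222)
BLOCK = "block"       # black-list outcome (S3112 / S3221)
THRESHOLD = 0.5       # S3221/S3222 split the abnormal probability at 50%

# Feature layout assumed for this example (values are constructed):
# (distinct destinations, distinct destination ports, flows, bytes per flow)
FEATURE_NAMES = ("distinct_dsts", "distinct_ports", "flows", "bytes_per_flow")


@dataclass
class PresetDatabase:
    """fingerprint -> (features, access mode, provenance). 'analyst' rows were
    seeded by people; 'auto' rows were written back by S3241."""
    records: dict[str, tuple[tuple[float, ...], str, str]] = field(default_factory=dict)

    def lookup(self, fp: str):
        return self.records.get(fp)

    def add(self, fp: str, feats: tuple[float, ...], mode: str, provenance: str) -> None:
        self.records[fp] = (feats, mode, provenance)

    def centroid(self, mode: str):
        group = [f for f, m, _ in self.records.values() if m == mode]
        if not group:
            return None
        return tuple(sum(col) / len(group) for col in zip(*group))

    def scales(self) -> tuple[float, ...]:
        # per-feature range over the whole database, so byte counts do not swamp
        # small integer counts in the distance
        cols = zip(*(f for f, _, _ in self.records.values()))
        return tuple((max(c) - min(c)) or 1.0 for c in cols)

    def pending_review(self) -> list[str]:
        """Fingerprints whose label came from the system itself, not an analyst."""
        return [fp for fp, (_, _, prov) in self.records.items() if prov == "auto"]


def _scaled_distance(a, b, scales) -> float:
    return math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, scales)))


def anomaly_probability(db: PresetDatabase, feats: tuple[float, ...]) -> float:
    """S3211/S3212 stand-in: nearest-centroid scoring over the two labelled groups."""
    normal, abnormal = db.centroid(RELEASE), db.centroid(BLOCK)
    if normal is None or abnormal is None:
        raise ValueError("preset database needs both a normal and an abnormal group")
    scales = db.scales()
    d_normal = _scaled_distance(feats, normal, scales)
    d_abnormal = _scaled_distance(feats, abnormal, scales)
    if d_normal + d_abnormal == 0:
        return 0.5
    return d_normal / (d_normal + d_abnormal)


def decide(db: PresetDatabase, fp: str, feats: tuple[float, ...]):
    """S30: returns (access mode, how it was decided, abnormal probability or None)."""
    known = db.lookup(fp)
    if known is not None:                        # S311-S313: matched, no update
        return known[1], "matched", None
    p = anomaly_probability(db, feats)           # S321
    mode = BLOCK if p >= THRESHOLD else RELEASE  # S322; exactly 50% -> block (assumption)
    db.add(fp, feats, mode, "auto")              # S324/S3241: write the decision back
    return mode, "scored", p


def seed_database() -> PresetDatabase:
    """Constructed analyst-labelled white-list and black-list entries."""
    db = PresetDatabase()
    white = {"srv-a": (2, 2, 10, 4000), "srv-b": (3, 2, 12, 3800), "srv-c": (2, 1, 8, 5000)}
    black = {"scan-1": (40, 1, 40, 120), "scan-2": (60, 3, 60, 100)}
    for fp, feats in white.items():
        db.add(fp, feats, RELEASE, "analyst")
    for fp, feats in black.items():
        db.add(fp, feats, BLOCK, "analyst")
    return db


if __name__ == "__main__":
    db = seed_database()
    for fp, feats in [("srv-a", (2, 2, 10, 4000)),   # known device: database hit
                      ("new-1", (45, 2, 45, 130)),   # unknown, shaped like a scanner
                      ("new-2", (2, 2, 9, 4100)),    # unknown, shaped like a normal client
                      ("new-1", (45, 2, 45, 130))]:  # seen again: now a database hit
        print(fp, decide(db, fp, feats))
    print("auto-labelled rows awaiting review:", db.pending_review())
```

The second lookup of `new-1` returns the stored decision without scoring, which is the response-time gain S3241 is after. The same write-back is also the part a practitioner should watch: every automatic decision becomes training data for the next one, so a single wrong release enlarges the normal group and makes the next similar device more likely to be released as well, and a device that is admitted once keeps its white-list entry until someone removes it. Keeping the provenance tag and reviewing the `auto` rows is the minimum control against that feedback loop.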
Based on the above method for determining network traffic, the present disclosure further provides a device 200 for determining network traffic. The apparatus will be described in detail below with reference to fig. 6.
As shown in fig. 6, the device 200 for determining network traffic includes a data collection module 1, a feature extraction module 2, and a service module 3.
The data acquisition module 1 is used for acquiring real-time traffic data;
the feature extraction module 2 is used for extracting real-time feature information from the real-time traffic data;
the service module 3 is used for controlling the access mode of the real-time traffic data according to the relation between the real-time feature information and the preset database, and for controlling whether the preset database is updated.
Fig. 7 to 8 schematically show block diagrams of a service module 3 according to an embodiment of the present disclosure.
The first unit 31 is configured to obtain a corresponding preset access mode when the real-time feature information matches with a preset database;
a second unit 32, configured to control an access manner of the real-time traffic data according to a preset access manner;
the third unit 33 is used for controlling not to update the preset database.
Further, the first unit 31 further includes:
the first subunit 311, configured to, when the real-time feature information matches the normal feature information, preset the access mode as a release access;
the second sub-unit 312 is configured to preset the access mode as blocked access when the real-time feature information matches the abnormal feature information.
Fig. 9 schematically shows a block diagram of a service module 3 according to another embodiment of the present disclosure.
A fourth unit 34, configured to obtain an abnormal probability of the real-time feature information when the real-time feature information cannot be matched with the preset database;
a fifth unit 35, configured to obtain a corresponding preset access manner according to the abnormal probability;
a sixth unit 36, configured to control an access manner of the real-time traffic data according to a preset access manner;
a seventh unit 37, configured to control updating the preset database.
In addition, referring to fig. 10, the service module 3 further includes:
an eighth unit 38, configured to compare the real-time feature information with a preset database, and establish a feature model;
a ninth unit 39, configured to obtain an abnormal probability of the real-time feature information according to the feature model.
Further, referring to fig. 11, the sixth unit 36 includes:
a third subunit 361, configured to, when the anomaly probability is greater than 50%, preset the access mode as blocking access;
and a fourth subunit 362, configured to set the access mode as the release access when the anomaly probability is less than 50%.
Further, referring to fig. 12, the seventh unit 37 includes:
the fifth subunit 371 is configured to update the real-time feature information and the access manner thereof to the preset database.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
Fig. 13 schematically illustrates a block diagram of an electronic device adapted to implement a method of determining network traffic according to an embodiment of the present disclosure.
As shown in fig. 13, the electronic apparatus 300 according to the embodiment of the present disclosure includes a processor 3001, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)3002 or a program loaded from a storage section 3008 into a Random Access Memory (RAM) 3003. The processor 3001 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 3001 may also include on-board memory for caching purposes. The processor 3001 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 3003, various programs and data necessary for the operation of the electronic apparatus 300 are stored. The processor 3001, the ROM3002, and the RAM 3003 are connected to each other by a bus 3004. The processor 3001 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM3002 and/or the RAM 3003. Note that the program may also be stored in one or more memories other than the ROM3002 and the RAM 3003. The processor 3001 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, electronic device 300 may also include an input/output (I/O) interface 3005, input/output (I/O) interface 3005 also connected to bus 3004. The electronic device 300 may also include one or more of the following components connected to the I/O interface 3005: an input portion 3006 including a keyboard, a mouse, and the like; an output section 3007 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 3008 including a hard disk and the like; and a communication section 3009 including a network interface card such as a LAN card, a modem, or the like. The communication section 3009 performs communication processing via a network such as the internet. Drivers 3010 are also connected to I/O interface 3005 as needed. A removable medium 3011 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 3010 as necessary, so that a computer program read out therefrom is mounted in the storage section 3008 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 3002 and/or the RAM 3003 described above, and/or one or more memories other than them.
Embodiments of the present disclosure also include a computer program product comprising a computer program that contains program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code causes the computer system to carry out the method for determining network traffic provided by the embodiments of the present disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 3001. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may be transmitted in the form of a signal over a network medium, distributed, and downloaded and installed via the communication section 3009 and/or installed from the removable medium 3011. The computer program containing the program code may be transmitted over any suitable network medium, including but not limited to wireless or wired media, or any suitable combination of the foregoing. In such an embodiment, the computer program, when executed by the processor 3001, performs the functions defined in the system of the embodiment of the present disclosure described above.
According to embodiments of the present disclosure, the program code for the computer programs provided by these embodiments may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly or machine language. Such languages include, but are not limited to, Java, C++, Python and C. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (for example, through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (17)

1. A method for determining network traffic, characterized by comprising the following steps:
acquiring real-time traffic data;
extracting real-time feature information from the real-time traffic data;
and controlling the access mode of the real-time traffic data according to the relationship between the real-time feature information and a preset database, and controlling the update of the preset database.
2. The method for determining network traffic according to claim 1, wherein the step of controlling the access mode of the real-time traffic data according to the relationship between the real-time feature information and a preset database, and controlling the update of the preset database, comprises:
when the real-time feature information matches the preset database, acquiring the corresponding preset access mode;
controlling the access mode of the real-time traffic data according to the preset access mode;
and not updating the preset database.
3. The method for determining network traffic according to claim 2, wherein the step of acquiring the corresponding preset access mode when the real-time feature information matches the preset database comprises:
when the real-time feature information matches normal feature information, the preset access mode is release access;
and when the real-time feature information matches abnormal feature information, the preset access mode is blocking access.
4. The method for determining network traffic according to claim 1, wherein the step of controlling the access mode of the real-time traffic data according to the relationship between the real-time feature information and a preset database, and controlling the update of the preset database, comprises:
when the real-time feature information does not match the preset database, acquiring the anomaly probability of the real-time feature information;
acquiring the corresponding preset access mode according to the anomaly probability;
controlling the access mode of the real-time traffic data according to the preset access mode;
and updating the preset database.
5. The method for determining network traffic according to claim 4, wherein the step of acquiring the anomaly probability of the real-time feature information comprises:
comparing the real-time feature information with the preset database to build a feature model;
and acquiring the anomaly probability of the real-time feature information according to the feature model.
6. The method for determining network traffic according to claim 4, wherein the step of acquiring the corresponding preset access mode according to the anomaly probability comprises:
when the anomaly probability is greater than 50%, the preset access mode is blocking access;
and when the anomaly probability is less than 50%, the preset access mode is release access.
7. The method for determining network traffic according to claim 4, wherein the step of controlling the update of the preset database comprises:
writing the real-time feature information and its access mode into the preset database.
8. An apparatus for determining network traffic, comprising:
a data acquisition module, configured to acquire real-time traffic data;
a feature extraction module, configured to extract real-time feature information from the real-time traffic data; and
a service module, configured to control the access mode of the real-time traffic data according to the relationship between the real-time feature information and a preset database, and to control the update of the preset database.
9. The apparatus for determining network traffic according to claim 8, wherein the service module controlling the access mode of the real-time traffic data according to the relationship between the real-time feature information and a preset database, and controlling the update of the preset database, comprises:
when the real-time feature information matches the preset database, acquiring the corresponding preset access mode;
controlling the access mode of the real-time traffic data according to the preset access mode;
and not updating the preset database.
10. The apparatus for determining network traffic according to claim 9, wherein the service module acquiring the corresponding preset access mode when the real-time feature information matches the preset database comprises:
when the real-time feature information matches normal feature information, the preset access mode is release access;
and when the real-time feature information matches abnormal feature information, the preset access mode is blocking access.
11. The apparatus for determining network traffic according to claim 8, wherein the service module controlling the access mode of the real-time traffic data according to the relationship between the real-time feature information and a preset database, and controlling the update of the preset database, comprises:
when the real-time feature information does not match the preset database, acquiring the anomaly probability of the real-time feature information;
acquiring the corresponding preset access mode according to the anomaly probability;
controlling the access mode of the real-time traffic data according to the preset access mode;
and updating the preset database.
12. The apparatus for determining network traffic according to claim 11, wherein the service module acquiring the anomaly probability of the real-time feature information comprises:
comparing the real-time feature information with the preset database to build a feature model;
and acquiring the anomaly probability of the real-time feature information according to the feature model.
13. The apparatus for determining network traffic according to claim 11, wherein the service module acquiring the corresponding preset access mode according to the anomaly probability comprises:
when the anomaly probability is greater than 50%, the preset access mode is blocking access;
and when the anomaly probability is less than 50%, the preset access mode is release access.
14. The apparatus for determining network traffic according to claim 11, wherein the service module controlling the update of the preset database comprises:
writing the real-time feature information and its access mode into the preset database.
15. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
16. A computer-readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
17. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 7.
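The decision procedure described for the service module (units 31 to 39 and their subunits) and restated in claims 1 to 7, written out as an added worked example in Python. This is not code from the patent or its assignee: the feature fields, the exact-match semantics of the database lookup, the distance-weighted nearest-neighbour scoring that stands in for the page's "feature model", the sample records and every name below are assumptions made for illustration.

```python
"""Worked example of the traffic decision procedure in the service module
(units 31-39, 311-312, 361-362, 371) and claims 1-7 of CN113297241A.
Added illustration, not code from the patent: the feature fields, the
distance function, the k-NN scoring and all names are assumptions."""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ALLOW = "allow"  # the page's "release access"
BLOCK = "block"  # the page's "blocking access"


@dataclass(frozen=True)
class Features:
    """Real-time feature information for one flow (fields assumed)."""
    protocol: str
    dst_port: int
    bytes_per_sec: int
    req_per_min: int


def distance(a: Features, b: Features) -> float:
    """Assumed feature model: categorical fields add 1.0 when they differ,
    rate fields add the absolute difference of their log10 values, so a
    tenfold change in rate counts as much as a changed protocol."""
    d = 0.0 if a.protocol == b.protocol else 1.0
    d += 0.0 if a.dst_port == b.dst_port else 1.0
    d += abs(math.log10(a.bytes_per_sec + 1) - math.log10(b.bytes_per_sec + 1))
    d += abs(math.log10(a.req_per_min + 1) - math.log10(b.req_per_min + 1))
    return d


class PresetDatabase:
    """Preset database: feature record -> (access mode, origin).
    origin is "preset" for operator-seeded rows and "learned" for rows
    written back by unit 371 / claim 7, so auto-learned decisions can be
    audited separately from the seeded ones."""

    def __init__(self) -> None:
        self.entries: Dict[Features, Tuple[str, str]] = {}

    def seed(self, f: Features, mode: str) -> None:
        self.entries[f] = (mode, "preset")

    def match(self, f: Features) -> Optional[str]:
        """Units 31/311/312, claims 2-3: an exact match returns the stored mode."""
        hit = self.entries.get(f)
        return hit[0] if hit else None

    def anomaly_probability(self, f: Features, k: int = 3) -> float:
        """Units 38/39, claim 5: compare f with the database and score it.
        Assumed model: distance-weighted k-nearest-neighbour vote; the result
        is the weight share of the k nearest rows whose mode is BLOCK."""
        if not self.entries:
            raise ValueError("preset database is empty; nothing to compare against")
        ranked = sorted((distance(f, g), mode) for g, (mode, _) in self.entries.items())
        nearest = ranked[:k]
        weights = [1.0 / (d + 1e-6) for d, _ in nearest]
        abnormal = sum(w for w, (_, m) in zip(weights, nearest) if m == BLOCK)
        return abnormal / sum(weights)

    def learn(self, f: Features, mode: str) -> None:
        """Unit 371, claim 7: write the feature and its decision back."""
        self.entries[f] = (mode, "learned")


def decide(db: PresetDatabase, f: Features, threshold: float = 0.5) -> Tuple[str, bool]:
    """Service module 3 / claim 1. Returns (access mode, database updated?)."""
    known = db.match(f)
    if known is not None:
        return known, False  # claims 2-3: known pattern, stored mode, no update
    p = db.anomaly_probability(f)  # claims 4-5
    # Claim 6: block above 50%, release below 50%. The page does not say what
    # happens at exactly 50%; this example fails closed there (assumption).
    mode = BLOCK if p >= threshold else ALLOW
    db.learn(f, mode)  # claim 7: the decision becomes part of the database
    return mode, True


def seed_database() -> PresetDatabase:
    """Constructed sample data, not taken from the patent."""
    db = PresetDatabase()
    db.seed(Features("tcp", 443, 20_000, 60), ALLOW)         # ordinary HTTPS client
    db.seed(Features("tcp", 80, 5_000, 30), ALLOW)           # ordinary HTTP client
    db.seed(Features("tcp", 443, 2_000_000, 50_000), BLOCK)  # request flood
    db.seed(Features("udp", 53, 900_000, 40_000), BLOCK)     # DNS flood
    return db


if __name__ == "__main__":
    db = seed_database()
    unknown = Features("tcp", 443, 30_000, 80)
    print(decide(db, unknown))  # scored by the model, then written back
    print(decide(db, unknown))  # now an exact match: no re-scoring, no update
    print(db.entries[unknown])  # ('allow', 'learned')
```

Two points the code makes explicit that the text leaves implicit. Once unit 371 has written a decision back, unit 33 returns it on every later match without re-scoring, so the first verdict on a new pattern is sticky; the `origin` column is there so those auto-learned rows can be reviewed separately from the operator-seeded ones. And claim 6 only defines the outcomes above and below 50%; the example treats exactly 50% as a block, which is a fail-closed choice of this example and not something the page specifies.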
CN202110651005.0A 2021-06-11 2021-06-11 Method, device, equipment, medium and program product for judging network flow Pending CN113297241A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110651005.0A CN113297241A (en) 2021-06-11 2021-06-11 Method, device, equipment, medium and program product for judging network flow

Publications (1)

Publication Number Publication Date
CN113297241A true CN113297241A (en) 2021-08-24

Family

ID=77327950

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110651005.0A Pending CN113297241A (en) 2021-06-11 2021-06-11 Method, device, equipment, medium and program product for judging network flow

Country Status (1)

Country Link
CN (1) CN113297241A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107733937A (en) * 2017-12-01 2018-02-23 Guangdong Aofei Data Technology Co., Ltd. Abnormal network traffic detection method
CN108737406A (en) * 2018-05-10 2018-11-02 Beijing University of Posts and Telecommunications Detection method and system for abnormal traffic data
CN109040016A (en) * 2018-06-25 2018-12-18 Sangfor Technologies Inc. Information processing method, device and computer-readable storage medium
CN110505630A (en) * 2019-03-12 2019-11-26 Hangzhou Hikvision Digital Technology Co., Ltd. Wireless network intrusion detection method, device and electronic device
CN110505232A (en) * 2019-08-27 2019-11-26 Baidu Online Network Technology (Beijing) Co., Ltd. Network attack detection method and device, electronic device, storage medium
CN110943961A (en) * 2018-09-21 2020-03-31 Alibaba Group Holding Ltd. Data processing method, device and storage medium
CN111224980A (en) * 2019-12-31 2020-06-02 QAX Technology Group Inc. (Qi An Xin) Detection method and device for denial-of-service attack, electronic device and medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Dipanjan Sarkar (迪潘简·萨卡尔): "Text Analytics with Python" (Data Science and Engineering Technology series, 《数据科学与工程技术丛书 Python文本分析》), 31 October 2020 *
E Dawei et al. (鄂大伟等): "Fundamentals of University Information Technology with Python" (《大学信息技术基础以Python为舟》), 31 August 2019 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114268957A (en) * 2021-11-30 2022-04-01 China United Network Communications Group Co., Ltd. Abnormal business data processing method, device, server and storage medium
CN114268957B (en) * 2021-11-30 2023-07-04 China United Network Communications Group Co., Ltd. Abnormal business data processing method, device, server and storage medium

Similar Documents

Publication Publication Date Title
US9306889B2 (en) Method and device for processing messages
CN111416811B (en) Unauthorized vulnerability detection method, system, equipment and storage medium
WO2020244307A1 (en) Vulnerability detection method and apparatus
CN114205216B (en) Root cause positioning method and device for micro service fault, electronic equipment and medium
CN114024764A (en) Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
CN111316272A (en) Advanced cyber-security threat mitigation using behavioral and deep analytics
CN113297241A (en) Method, device, equipment, medium and program product for judging network flow
US11750595B2 (en) Multi-computer processing system for dynamically evaluating and controlling authenticated credentials
CN113596012A (en) Method, device, equipment, medium and program product for identifying attack behavior
CN113495825A (en) Line alarm processing method and device, electronic equipment and readable storage medium
KR102516819B1 (en) Method for allowing threat events to be analyzed and handled based on big data and server using the same
CN110650126A (en) Method and device for preventing website traffic attack, intelligent terminal and storage medium
CN113037555B (en) Risk event marking method, risk event marking device and electronic equipment
CN114884748A (en) Network attack monitoring method and device, electronic equipment and storage medium
CN113704749B (en) Malicious mining detection processing method and device
US20220086183A1 (en) Enhanced network security based on inter-application data flow diagrams
CN115484174B (en) Intelligent recognition-based nano tube method, device, equipment and storage medium
CN113630415A (en) Network admission control method, apparatus, system, device, medium and product
US11811896B1 (en) Pre-fetch engine with security access controls for mesh data network
US11275367B2 (en) Dynamically monitoring system controls to identify and mitigate issues
US20230039079A1 (en) Tracking and Mitigating Security Threats and Vulnerabilities in Browser Extension Engines
CN115190008B (en) Fault processing method, fault processing device, electronic equipment and storage medium
CN112543203B (en) Terminal access method, device and system
US20230418949A1 (en) Multi-computer system for performing vulnerability analysis and alert generation
CN113392142A (en) Method, device, equipment, medium and product for calculating hit rate of IP address library

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210824