CN113595820B - Traffic monitoring method and device - Google Patents


Info

Publication number
CN113595820B
Authority
CN
China
Prior art keywords
flow
credibility
link
traffic
equipment
Legal status
Active
Application number
CN202110835257.9A
Other languages
Chinese (zh)
Other versions
CN113595820A (en)
Inventor
陆勰
徐雷
张曼君
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Events: application filed by China United Network Communications Group Co Ltd; priority to CN202110835257.9A; publication of CN113595820A; application granted; publication of CN113595820B; current legal status Active.

Classifications

    • H04L 43/0876: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L 43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L 63/1425: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network security for detecting or protecting against malicious traffic > H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection
    • Y02D 30/50: Y General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests > Y02 Technologies or applications for mitigation or adaptation against climate change > Y02D Climate change mitigation technologies in information and communication technologies [ICT], i.e. ICT aiming at the reduction of their own energy use > Y02D 30/00 Reducing energy consumption in communication networks > Y02D 30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a traffic monitoring method and device. The method comprises: performing a credibility evaluation of every device involved in each of a plurality of traffic links, and assigning each traffic link a credibility level according to the evaluation result; clustering the traffic from the traffic links of each credibility level separately to obtain one or more clusters; and performing security monitoring on the traffic in each cluster separately. The method and device realize graded monitoring of mass traffic and thereby improve network security protection capability.

Description

Traffic monitoring method and device
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a traffic monitoring method and apparatus.
Background
With the rapid development of 5G networks, network traffic has grown sharply; the functions and performance of every device in the network are continuously stressed by mass traffic, and security requirements rise accordingly. Current traffic monitoring techniques include, but are not limited to, port-based, DPI-based and machine-learning-based methods and hybrids of these, but they are not updated quickly enough to keep pace with changes in traffic.
Moreover, existing traffic monitoring methods do not account for the complex, fine-grained service scenarios of the current 5G network environment, so subsequent monitoring and analysis of network traffic are not fine-grained enough and the analysis results remain unsatisfactory.
Disclosure of Invention
Aiming at the above deficiencies of the prior art, the technical problem solved by the present invention is to provide a traffic monitoring method and device that realize hierarchical monitoring of mass traffic and improve network security protection capability.
In a first aspect, the present invention provides a traffic monitoring method applied to end-to-end traffic monitoring, the method comprising (step S2 is optional and is described further below):
S1, performing a credibility evaluation of every device involved in each of a plurality of traffic links, and determining the credibility level of each traffic link according to the evaluation result;
S3, clustering the traffic from the traffic links of each credibility level separately to obtain one or more clusters; and
S4, performing security monitoring on the traffic in each cluster separately.
Preferably, step S1 specifically comprises:
S1.1, selecting device characteristics in advance as evaluation factors, and setting a quantization standard according to the nature of each evaluation factor;
S1.2, for every device involved in each traffic link, obtaining the quantized value of each evaluation factor, calculating the device's credibility metric Ts from those quantized values, and judging the credibility of the device from Ts;
S1.3, for each traffic link, calculating the proportion of high-credibility devices and/or low-credibility devices, and determining the credibility level of the traffic link from that proportion.
Preferably, the devices involved in a traffic link comprise the source device, all intermediate node devices and the destination device;
the evaluation factors comprise: whether the device is embedded with a trusted chip, whether the device is domestically produced (localized), the security level of the device, and the performance parameters of the device;
whether the device is embedded with a trusted chip and whether it is domestically produced are each quantized as a binary value, one value for each of the two states;
the device security level is quantized according to the national classified protection of cybersecurity standard (等级保护, also rendered as the Multi-Level Protection Scheme, MLPS);
the device performance parameters are quantized according to the device's CPU and memory performance.
Preferably, in step S1.2 the credibility metric Ts is the sum of the quantized values of all evaluation factors of the device;
judging the credibility of the device from the calculated credibility metric Ts specifically comprises:
presetting a credibility reference value ut; and
comparing Ts with ut: if Ts ≥ ut the device is judged to have high credibility, otherwise it is judged to have low credibility.
Preferably, in step S1.3, calculating the proportion of high-credibility devices on each traffic link and determining the credibility level of the traffic link from that proportion specifically comprises:
presetting credibility grading parameters Y1, Y2 ∈ (0,1) with Y1 > Y2;
for each traffic link, calculating the ratio X of the number of high-credibility devices on the link to the total number of devices on the link; and
determining the credibility level of the traffic link from X: when X > Y1 the link is judged to be level A; when Y2 ≤ X ≤ Y1 the link is judged to be level B; when X < Y2 the link is judged to be level C.
Preferably, the method further comprises:
S2, obtaining the security level corresponding to the traffic from the traffic links of each credibility level, determining from the security level the priority with which that traffic enters steps S3 and S4, and processing the traffic of the least secure level first, where that traffic includes at least all traffic from the traffic links of the lowest credibility level.
Preferably, step S3 specifically comprises:
clustering the traffic from the traffic links of each credibility level with the K-Means algorithm: for the traffic from the links of one credibility level a value of K is supplied as input, and K clusters are output.
Preferably, step S4 comprises:
defining a traffic security baseline for each cluster, monitoring whether the traffic in the cluster exceeds the security baseline, and issuing an early warning if it does.
Preferably, step S4 comprises:
establishing a traffic analysis model for the traffic in each cluster, extracting traffic information with the corresponding traffic analysis model to analyze whether abnormal traffic is present, and actively offloading (dropping) the traffic if it is.
In a second aspect, the present invention provides a traffic monitoring device comprising:
a grading module for performing a credibility evaluation of every device involved in each of a plurality of traffic links and determining the credibility level of each traffic link according to the evaluation result;
a clustering module, connected to the grading module, for clustering the traffic from the traffic links of each credibility level separately to obtain one or more clusters; and
a monitoring module, connected to the clustering module, for performing security monitoring on the traffic in each cluster separately.
In the traffic monitoring method and device, the credibility of every device involved in the traffic link over which traffic is generated is evaluated, and the traffic link is graded by credibility according to the result, so that traffic is clustered and monitored by grade. This provides the premise and basis for completing clustering quickly and realizing fine-grained traffic monitoring, and improves network security protection capability.
Drawings
Fig. 1 is a flow chart of the traffic monitoring method according to embodiment 1 of the present invention;
Fig. 2 is a flow chart of the traffic grading step S1 in Fig. 1;
Fig. 3 is a block diagram of the traffic monitoring method according to embodiment 1 of the present invention;
Fig. 4 is a flow chart of the traffic monitoring method of Fig. 1 with step S2 added;
Fig. 5 is a schematic structural diagram of the traffic monitoring device according to embodiment 2 of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the following detailed description will be made with reference to the accompanying drawings.
It is to be understood that the specific embodiments and figures described herein are merely illustrative of the invention and are not limiting of the invention.
It is to be understood that the embodiments and features of the embodiments can be combined with each other without conflict.
It is to be understood that, for the convenience of description, only parts related to the present invention are shown in the drawings of the present invention, and parts not related to the present invention are not shown in the drawings.
It should be understood that each unit and module related in the embodiments of the present invention may correspond to only one physical structure, may also be composed of multiple physical structures, or multiple units and modules may also be integrated into one physical structure.
It will be understood that, without conflict, the functions, steps, etc. noted in the flowchart and block diagrams of the present invention may occur in an order different from that noted in the figures.
It is to be understood that the flowchart and block diagrams of the present invention illustrate the architecture, functionality and operation of possible implementations of systems, apparatus, devices and methods according to various embodiments of the present invention. Each block in the flowchart or block diagrams may represent a unit, module, segment or portion of code comprising executable instructions for implementing the specified function(s). Furthermore, each block, or combination of blocks, in the block diagrams and flowchart illustrations can be implemented by a hardware-based system that performs the specified functions or by a combination of hardware and computer instructions.
It is to be understood that the units and modules involved in the embodiments of the present invention may be implemented by software, and may also be implemented by hardware, for example, the units and modules may be located in a processor.
Embodiment 1:
As shown in Fig. 1, embodiment 1 of the present invention provides a traffic monitoring method applied to end-to-end traffic monitoring, the method comprising:
S1, performing a credibility evaluation of every device involved in each of the plurality of traffic links, and determining the credibility level of each traffic link according to the evaluation result.
In this embodiment the method is applied to monitoring traffic from the source end at which it is generated to its destination end. Every device involved in each traffic link is evaluated for credibility, and a credibility level is assigned to each link from the result: if a higher proportion of the devices in a network architecture carry a trust mechanism, the network is relatively less likely to be attacked and can be considered safer. Grading traffic in this way, and distributing it by grade, is the precondition and basis for further analysis in the face of ever-growing traffic volumes.
In a specific embodiment, as shown in Fig. 2, step S1 specifically comprises:
S1.1, selecting device characteristics in advance as evaluation factors, and setting a quantization standard according to the nature of each evaluation factor.
Specifically, which device characteristics are chosen as evaluation factors can be decided according to the actual network environment, and the specific quantization standard can be set according to the credibility evaluation model.
In a more specific embodiment the evaluation factors comprise: whether the device is embedded with a trusted chip, whether the device is domestically produced, the security level of the device, and the performance parameters of the device. Whether the device is embedded with a trusted chip and whether it is domestically produced are each quantized to one of two values, 1 and 0 (or any other pair of binary values), according to which of the two states holds; the device security level is quantized according to the national classified protection of cybersecurity standard; the device performance parameters are quantized with reference to the device's CPU and memory performance.
For example, each evaluation factor is represented by a parameter Pi: whether the device is embedded with a trusted chip (P1), whether the device is domestically produced (P2), the device security level (P3) and the device performance parameter (P4).
If the device is fitted with a trusted chip, P1 is set to 1, otherwise to 0; if the device is domestically produced, P2 is set to 1, otherwise to 0. The device security level P3 may refer to a related security standard, such as Classified Protection of Cybersecurity 2.0 (等保 2.0, also rendered as Multi-Level Protection Scheme 2.0), and be judged from the protection level required of the network or system in which the device sits; it is assigned a value on an increasing scale, for example P3 ∈ [1,5], where a larger value means a higher security level and a smaller value a lower one. Combined with 等保 2.0, P3 can be defined over the range [1,5] as: user self-protection level (P3 = 1), system audit protection level (P3 = 2), security label protection level (P3 = 3), structured protection level (P3 = 4) and access verification protection level (P3 = 5). The device performance parameter P4 mainly reflects the device's hardware parameters such as CPU and memory; if its range is set to [0.1,1] it likewise increases with performance, so that, for example, a 4-core CPU may be assigned 0.1 and an 8-core CPU 0.6, and under otherwise equal conditions a device with more memory has higher performance and a correspondingly larger P4.
S1.2, for every device involved in each traffic link, obtaining the quantized value of each evaluation factor, calculating the device's credibility metric Ts from those quantized values, and judging the credibility of the device from Ts.
In this embodiment, for each traffic link traversed between the two ends at which traffic is generated and consumed, information on all devices involved in that link is obtained; the quantized values of the evaluation factors are derived from that device information, and the credibility evaluation is then computed from the quantized values.
In a more specific embodiment the credibility metric Ts is the sum of the quantized values of all evaluation factors of the device; judging the credibility of the device from Ts specifically comprises: presetting a credibility reference value ut, and comparing Ts with ut: if Ts ≥ ut the device is judged to have high credibility, otherwise it is judged to have low credibility.
In a specific embodiment the devices involved in a traffic link comprise the source device, all intermediate node devices and the destination device. Traffic travelling from source to destination involves many node devices in addition to the source and destination devices. Specifically, as shown in Fig. 3, the collected traffic-link device information first includes information on servers, routers, terminals and other devices; the credibility evaluation is then carried out on this information, and after quantizing the device information the credibility metric Ts of each device is calculated.
In one specific embodiment Ts is the plain sum of the quantized values of all evaluation factors of the device, Ts = P1 + P2 + P3 + P4, and setting reasonable values of Pi yields a Ts from which the credibility of the device can be judged. In another embodiment the evaluation factors are weighted: with WPi denoting the weight of factor Pi, Ts = P1·WP1 + P2·WP2 + P3·WP3 + P4·WP4, so that the influence of each factor on Ts can be adjusted.
Once Ts has been calculated, the credibility of the device is classified against the preset credibility reference value ut, which can be set to suit the actual network environment: if Ts ≥ ut the device is judged to have high credibility and is marked Hs; otherwise it is judged to have low credibility and is marked Ls.
S1.3, for each traffic link, calculating the proportion of high-credibility devices and/or low-credibility devices, and determining the credibility level of the traffic link from that proportion.
In this embodiment the credibility level of a traffic link may be determined from the ratio of high-credibility devices to all devices (the higher the ratio, the higher the credibility level); from the ratio of low-credibility devices to all devices (the higher the ratio, the lower the credibility level); from the ratio of high-credibility devices to low-credibility devices (the larger the ratio, the higher the credibility level); and so on.
In a more specific embodiment the credibility level of each traffic link is determined from the ratio X of the number of high-credibility devices on the link to the number of all devices on the link. Specifically, the number of devices marked Hs is counted first, then the total number of devices marked Hs or Ls, and X is defined as the Hs count divided by the total. Any number of credibility levels may be defined according to the granularity required, and the number and values of the grading parameters are set according to the number of levels and the grading criterion. More specifically: preset grading parameters Y1, Y2 ∈ (0,1) with Y1 > Y2; for each traffic link calculate the ratio X of high-credibility devices to all devices on the link; and determine the credibility level from X. For example, as shown in Fig. 3, the grading step divides links into three credibility levels: when X > Y1 the link is judged to be level A; when Y2 ≤ X ≤ Y1 the link is judged to be level B; when X < Y2 the link is judged to be level C.
The following is an example calculation. When a piece of traffic is generated, all devices on the traffic link from source to destination, together with their related information, are obtained, and the evaluation factors of each device are derived. Suppose the traffic is known to pass through 3 devices in total: a source device, one intermediate node device and a destination device. The source device has a trusted chip, is domestically produced, has a security level reaching the security label protection level of 等保 2.0 and has fairly high performance, so its evaluation factors are P1y = 1, P2y = 1, P3y = 3, P4y = 0.8. The intermediate node device has a trusted chip, is domestically produced, reaches the structured protection level and has fairly high performance: P1j1 = 1, P2j1 = 1, P3j1 = 4, P4j1 = 0.8. The destination device has a trusted chip, is domestically produced, reaches the structured protection level and has the highest performance: P1m = 1, P2m = 1, P3m = 4, P4m = 1. Summing the quantized values of all evaluation factors of each device gives its credibility metric Ts: for the source device Tsy = P1y + P2y + P3y + P4y = 1 + 1 + 3 + 0.8 = 5.8; for the intermediate node device Tsj1 = P1j1 + P2j1 + P3j1 + P4j1 = 1 + 1 + 4 + 0.8 = 6.8; for the destination device Tsm = P1m + P2m + P3m + P4m = 1 + 1 + 4 + 1 = 7. Assuming the preset ut = 6, then Tsy = 5.8 < ut, so the source device has low credibility and is marked Ls, while Tsj1 = 6.8 > ut and Tsm = 7 > ut, so the intermediate node device and the destination device both have high credibility and are marked Hs.
The link therefore has 2 devices marked Hs out of 3 devices in total, so X = 2/3 ≈ 0.67. With the grading parameters Y1 and Y2 preset such that Y2 ≤ X ≤ Y1, the link is a relatively credible link, is judged to be level B and is marked accordingly.
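The scoring and grading of steps S1.1 to S1.3, carried through on the page's three-device example, as an added example written for this page (not code from the patent). The factor ranges, the plain and weighted Ts formulas, ut = 6 and the Hs/Ls and A/B/C rules follow the text; the grading parameters Y1 = 0.8 and Y2 = 0.5 are assumed values chosen so that X = 2/3 falls in the B band, and the Device record type and its field names are this example's own.

```python
"""Device credibility metric Ts and traffic-link credibility grade (S1.1-S1.3).

Added example, not the patent's code. Evaluation factors follow the page:
P1 trusted chip (0/1), P2 domestically produced (0/1), P3 security level in
[1,5], P4 performance in [0.1,1]. ut = 6 is the page's value; Y1 = 0.8 and
Y2 = 0.5 are assumed here (the page does not give legible values).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    trusted_chip: bool    # P1
    domestic: bool        # P2
    security_level: int   # P3, 1..5 (the five 等保 protection levels)
    performance: float    # P4, 0.1..1


def quantize(dev: Device) -> tuple[float, float, float, float]:
    """Map a device's attributes to (P1, P2, P3, P4), rejecting out-of-range input."""
    if not 1 <= dev.security_level <= 5:
        raise ValueError(f"{dev.name}: P3 must be in [1,5]")
    if not 0.1 <= dev.performance <= 1.0:
        raise ValueError(f"{dev.name}: P4 must be in [0.1,1]")
    return (float(dev.trusted_chip), float(dev.domestic),
            float(dev.security_level), dev.performance)


def credibility_ts(dev: Device, weights=(1.0, 1.0, 1.0, 1.0)) -> float:
    """Ts = sum(Pi * WPi). With unit weights this is the page's plain sum."""
    return round(sum(p * w for p, w in zip(quantize(dev), weights)), 6)


def device_label(ts: float, ut: float) -> str:
    """Hs (high credibility) if Ts >= ut, otherwise Ls."""
    return "Hs" if ts >= ut else "Ls"


def link_grade(devices, ut: float, y1: float, y2: float) -> tuple[float, str]:
    """Return (X, grade): X is the share of Hs devices on the link,
    grade is A (X > Y1), B (Y2 <= X <= Y1) or C (X < Y2)."""
    if not devices:
        raise ValueError("a traffic link must contain at least one device")
    if not (0 < y2 < y1 < 1):
        raise ValueError("require 0 < Y2 < Y1 < 1")
    labels = [device_label(credibility_ts(d), ut) for d in devices]
    x = labels.count("Hs") / len(labels)
    if x > y1:
        grade = "A"
    elif x >= y2:
        grade = "B"
    else:
        grade = "C"
    return x, grade


# Constructed input reproducing the page's worked example (source, node, destination).
EXAMPLE_LINK = [
    Device("source", True, True, 3, 0.8),        # Tsy  = 1+1+3+0.8 = 5.8
    Device("node-1", True, True, 4, 0.8),        # Tsj1 = 1+1+4+0.8 = 6.8
    Device("destination", True, True, 4, 1.0),   # Tsm  = 1+1+4+1   = 7.0
]
UT, Y1, Y2 = 6.0, 0.8, 0.5   # ut from the page; Y1/Y2 assumed

if __name__ == "__main__":
    for d in EXAMPLE_LINK:
        ts = credibility_ts(d)
        print(f"{d.name:12s} Ts={ts:.1f} -> {device_label(ts, UT)}")
    x, grade = link_grade(EXAMPLE_LINK, UT, Y1, Y2)
    print(f"X={x:.2f} grade={grade}")
```

Note that the weights are the only knob that lets a single factor (for example the trusted-chip bit) outweigh the others; with unit weights a device with no trusted chip and no domestic origin can still reach Hs on security level and performance alone, which is worth checking against the policy intended before ut is fixed.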
In summary, from the calculation of the credibility metric Ts each generated piece of traffic comes from a particular traffic link and therefore has a corresponding credibility level (A, B or C). Starting from the source end at which the traffic is generated, every piece of traffic is thus assigned and marked with a level: for the mass traffic sent from source ends to destination ends, the devices involved in the traffic link each piece of traffic traverses are evaluated for credibility, the corresponding traffic link is marked with the credibility level given by that evaluation, and the mass traffic is thereby graded, with each piece of traffic placed in its corresponding level.
Optionally, as shown in Fig. 4, the method may further comprise, after step S1:
S2, obtaining the security level corresponding to the traffic from the traffic links of each credibility level, determining from the security level the priority with which that traffic enters steps S3 and S4, and processing the traffic of the least secure level first, where that traffic includes at least all traffic from the traffic links of the lowest credibility level.
In this embodiment the security level of traffic is assigned according to the credibility level of the traffic link it comes from, one security level corresponding to one or more credibility levels. Step S2 is intended to set the priority of traffic analysis from the credibility level, so that under limited resources or other specific conditions the traffic with the highest risk is analyzed first; this catches threats early, improves network security and keeps services running smoothly.
For example, traffic from a traffic link whose credibility level is marked A is assigned security level 1, meaning that traffic from this link is relatively unlikely to be attacked; traffic from a level B link is assigned security level 2, meaning that traffic from this link has a relatively low likelihood of being attacked; traffic from a level C link is assigned security level 3, meaning that traffic from this link carries a definite security risk. Traffic with security level 3 then has the highest analysis priority and is analyzed first under resource-limited or other specific conditions, with the priority decreasing for levels 2 and 1 in turn.
S3, clustering the traffic from the traffic links of each credibility level separately to obtain one or more clusters.
In a specific embodiment, as shown in the clustering step of Fig. 3, the traffic from the traffic links of each credibility level (A, B, C) is clustered with the K-Means algorithm: for the traffic from the links of one credibility level a value of K is supplied as input, the traffic is grouped into clusters by K-Means, and K clusters are output.
Clustering within one credibility level mines the similarity between pieces of traffic and partitions them into clusters, yielding a fine-grained classification of the traffic that supports further fine-grained monitoring and analysis. For example, for traffic of credibility level C, which is clustered first, each cluster obtained (that is, all traffic under one cluster) is a fine classification of the traffic with the highest mutual similarity at that credibility level. Traffic from the same origin is typically highly similar, so several pieces of traffic that cluster together with the highest similarity may well have been sent by the same host; the similarity is not limited to a single host, though, since hosts with similar functions also produce similar traffic, and traffic characterized by its five-tuple (source IP address, source port, destination IP address, destination port and transport-layer protocol) is usually stable.
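Steps S2 and S3 together, as an added example written for this page (not the patent's code): traffic records are grouped by the credibility level of their link, the least credible level is processed first, and a plain K-Means (Lloyd's algorithm with deterministic farthest-first seeding) is run within each level. The flow record layout, the feature vector derived from the five-tuple and flow volume, and the sample flows are all constructed here; the patent does not fix them.

```python
"""Risk-first ordering (S2) and per-credibility-level K-Means clustering (S3).

Added example, not the patent's code. The flow record fields, the feature
vector and the sample flows are constructed; the security-level mapping
A->1, B->2, C->3 and the 'riskiest level first' rule are from the page.
"""
import math
from collections import defaultdict

SECURITY_LEVEL = {"A": 1, "B": 2, "C": 3}   # link credibility level -> security level


def features(flow: dict) -> list[float]:
    """Numeric feature vector for one flow record (a constructed choice).
    Fields are scaled to comparable ranges so no single one dominates distance."""
    return [
        flow["bytes"] / 1e6,          # MB transferred
        flow["packets"] / 1e3,        # thousands of packets
        flow["duration_s"] / 60.0,    # minutes
        flow["dst_port"] / 65535.0,   # destination port as a fraction of the range
    ]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=100):
    """Lloyd's K-Means with farthest-first seeding (deterministic, no RNG).
    Returns one cluster index per point."""
    if k <= 0 or k > len(points):
        raise ValueError("need 0 < k <= number of points")
    centers = [points[0]]
    while len(centers) < k:                      # seed: point farthest from all centers
        far = max(points, key=lambda p: min(_dist(p, c) for c in centers))
        centers.append(far)
    assign = None
    for _ in range(iters):
        new = [min(range(k), key=lambda i: _dist(p, centers[i])) for p in points]
        if new == assign:                        # converged
            break
        assign = new
        for i in range(k):
            members = [p for p, a in zip(points, assign) if a == i]
            if members:                          # keep old center for an empty cluster
                centers[i] = [sum(c) / len(members) for c in zip(*members)]
    return assign


def cluster_by_level(flows, k_by_level):
    """Group flows by link credibility level, process the riskiest level first
    (S2), and run K-Means separately within each level (S3).
    Returns an ordered list of (level, cluster_id, [flows])."""
    by_level = defaultdict(list)
    for f in flows:
        by_level[f["link_level"]].append(f)
    out = []
    for level in sorted(by_level, key=lambda lv: -SECURITY_LEVEL[lv]):  # C, B, A
        group = by_level[level]
        k = min(k_by_level[level], len(group))
        assign = kmeans([features(f) for f in group], k)
        clusters = defaultdict(list)
        for f, a in zip(group, assign):
            clusters[a].append(f)
        for cid in sorted(clusters):
            out.append((level, cid, clusters[cid]))
    return out


def _flow(src, dst, dport, nbytes, pkts, dur, level):
    return {"src_ip": src, "dst_ip": dst, "src_port": 40000, "dst_port": dport,
            "proto": "tcp", "bytes": nbytes, "packets": pkts,
            "duration_s": dur, "link_level": level}


# Constructed sample: on level-C links, one bulk-transfer host and one chatty
# small-flow host; on level-A links, ordinary HTTPS traffic.
SAMPLE_FLOWS = [
    _flow("10.0.0.5", "10.0.1.20", 445, 50_000_000, 40_000, 600, "C"),
    _flow("10.0.0.5", "10.0.1.21", 445, 48_000_000, 39_000, 580, "C"),
    _flow("10.0.0.5", "10.0.1.22", 445, 52_000_000, 41_000, 610, "C"),
    _flow("10.0.0.9", "10.0.1.53", 53, 2_000, 4, 1, "C"),
    _flow("10.0.0.9", "10.0.1.53", 53, 1_800, 4, 1, "C"),
    _flow("10.0.2.1", "10.0.3.80", 443, 300_000, 400, 20, "A"),
    _flow("10.0.2.2", "10.0.3.80", 443, 280_000, 380, 18, "A"),
]

if __name__ == "__main__":
    for level, cid, members in cluster_by_level(SAMPLE_FLOWS, {"A": 1, "B": 2, "C": 2}):
        print(level, cid, sorted({f["src_ip"] for f in members}))
```

The farthest-first seeding is what makes the result reproducible from run to run; production K-Means (scikit-learn or similar) uses k-means++ with a seed, and the feature scaling matters more than the seeding, since unscaled byte counts would swamp every other field.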
S4, performing security monitoring on the traffic in each cluster separately.
In a specific embodiment, as shown in the monitoring step of Fig. 3, step S4 specifically comprises: defining a traffic security baseline for each cluster, monitoring whether the traffic in the cluster exceeds the security baseline, and issuing an early warning if it does, thereby realizing traffic monitoring and early warning.
In a more specific embodiment the traffic security baseline is applied as follows: when a large volume of traffic suddenly appears and rises above the traffic security baseline, an anomaly is considered to have occurred and a traffic security warning signal is issued.
Specifically, because traffic within one cluster is highly similar while each of the K clusters has its own characteristics, the traffic security baseline of each of the 1 to K clusters can be defined separately from the uplink/downlink direction of the traffic and its busy and idle periods, giving two reference lines for uplink traffic (busy and idle) and two for downlink traffic (busy and idle). For example, the peak busy-period traffic of a cluster can be monitored for several consecutive days and the average taken as the value of the traffic security baseline; uplink and downlink traffic are then monitored in real time against this value, and as soon as an anomaly is found it is handled promptly, for example by warning the administrator, so that early warning is achieved ahead of time.
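The baseline scheme of this step, as an added example written for this page (not the patent's code): per-cluster reference lines for uplink and downlink traffic in busy and idle periods, each set to the mean of several days' peaks as the text prescribes, and a check of a live reading against the matching line. The busy-hour window, the Mbit/s units, the optional headroom margin and the sample observations are assumptions of this example.

```python
"""Per-cluster traffic security baselines (uplink/downlink, busy/idle) and a
real-time check against them (S4, baseline variant).

Added example, not the patent's code. The page fixes the rule (average of
several days' peaks as the baseline) but not the data layout; the hourly
peak observations, the busy-hour window and the Mbit/s units are constructed.
"""
from statistics import mean

BUSY_HOURS = range(8, 20)   # assumed: 08:00-19:59 is the busy period, the rest idle


def period(hour: int) -> str:
    return "busy" if hour in BUSY_HOURS else "idle"


def build_baselines(daily_peaks):
    """daily_peaks: {cluster_id: [(day, hour, direction, peak_mbps), ...]}.
    For each cluster return {(direction, period): baseline}, where the baseline
    is the mean over days of that day's highest peak for that direction/period.
    At least two days are required so one spiky day cannot define the line alone."""
    baselines = {}
    for cid, observations in daily_peaks.items():
        per_day = {}                       # (direction, period) -> {day: peak}
        for day, hour, direction, peak in observations:
            key = (direction, period(hour))
            per_day.setdefault(key, {})
            per_day[key][day] = max(per_day[key].get(day, 0.0), peak)
        baselines[cid] = {}
        for key, days in per_day.items():
            if len(days) < 2:
                raise ValueError(f"cluster {cid} {key}: need >= 2 days of peaks")
            baselines[cid][key] = mean(days.values())
    return baselines


def check(baselines, cid, hour, direction, rate_mbps, margin=1.0):
    """Return an alert dict if rate exceeds baseline * margin, else None.
    margin > 1 adds headroom so ordinary day-to-day variance is not alerted."""
    base = baselines[cid][(direction, period(hour))]
    if rate_mbps > base * margin:
        return {"cluster": cid, "hour": hour, "direction": direction,
                "rate_mbps": rate_mbps, "baseline_mbps": base}
    return None


# Constructed observations for cluster 0: three days of uplink/downlink peaks.
SAMPLE_PEAKS = {
    0: [
        (1, 10, "up", 120.0), (1, 14, "up", 130.0), (1, 2, "up", 20.0),
        (1, 10, "down", 400.0), (1, 3, "down", 60.0),
        (2, 11, "up", 110.0), (2, 1, "up", 24.0),
        (2, 12, "down", 380.0), (2, 4, "down", 64.0),
        (3, 9, "up", 129.0), (3, 23, "up", 22.0),
        (3, 15, "down", 420.0), (3, 0, "down", 62.0),
    ]
}

if __name__ == "__main__":
    lines = build_baselines(SAMPLE_PEAKS)
    for key, value in sorted(lines[0].items()):
        print(key, f"{value:.1f} Mbit/s")
    print(check(lines, 0, 3, "up", 90.0))          # idle-hour burst -> alert
    print(check(lines, 0, 13, "up", 90.0))         # within busy baseline -> None
```

Splitting the lines by period is what gives the idle-hour check its sensitivity: 90 Mbit/s uplink is unremarkable at 13:00 here but several times the idle baseline at 03:00, which is the case the text's "sudden large volume" describes.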
In a specific embodiment, as shown in the monitoring step in fig. 3, step S4 specifically includes: establishing a traffic analysis model for the traffic in each cluster, extracting traffic information in the cluster using the corresponding traffic analysis model to analyze whether abnormal traffic exists, and actively unloading the traffic if abnormal traffic exists.
In a more specific embodiment, deep analysis is performed on the traffic clusters having similarity, using methods based on Deep Packet Inspection (DPI), machine learning and deep learning, to establish a traffic analysis model, and traffic information is extracted with the corresponding traffic analysis model. The extracted traffic information includes one or more of: quintuple-based information, information of each layer in the data packet, the protocol, the data packet size and the encryption mode. Comprehensive study and judgment is carried out using this information to analyze whether the traffic is abnormal, where abnormality includes behaviors such as malicious network attacks; if an abnormality exists, the traffic is actively unloaded to protect network security, realizing security monitoring of the traffic.
Specifically, combining the characteristics of clustering, the traffic in the same cluster has greater similarity and each of the K clusters has its own similarity. Traffic analysis is performed on clusters 1 to K; fine-grained analysis can be performed based on the characteristics of the traffic, the traffic protocol, application, service and the like are identified without decrypting the traffic, and corresponding measures are taken. For example, the traffic can be further analyzed using measures such as ensemble learning and certificate chain association, and corresponding measures taken against the abnormal traffic that is found. Deeply analyzing traffic clusters having similarity is of great significance for analyzing abnormal traffic with machine learning, because when traffic is analyzed with machine learning the boundary between the training set and the test set is very fuzzy for reasons such as timeliness, so the established model has a certain deviation that can greatly affect the analysis result.
Embodiment 1 of the present invention provides a traffic monitoring method for solving the traffic security problem under the background of large traffic volumes, quickly and accurately finding and processing abnormal traffic and improving network security protection capability. It performs hierarchical grading according to the credibility of the devices involved in the path over which the traffic is generated to realize traffic classification, quickly clusters the graded traffic into clusters based on the clustering idea, and realizes refined monitoring analysis within the traffic clusters, thereby improving network security protection capability. Specifically:
firstly, grade division is carried out according to the credibility of the node devices, terminals, platforms and the like involved in the path over which the traffic is generated, generalizing a credibility range; the measurement of credibility includes an overall evaluation of whether the device has an embedded trusted chip, whether the device is localized, the security function of the device, the performance of the device and the like, and a credible interval is defined accordingly; traffic grade division is then carried out according to the weight of the device credibility, the traffic carried by the devices is finely graded based on the differentiated credibility, and, starting from the overall traffic, grades are divided according to credibility;
secondly, security grades are defined according to the traffic grading result and the traffic is progressively unloaded into the corresponding processing grade, so that monitoring and analysis can be prioritized according to the traffic security grade; the traffic is unloaded step by step through grading and a differentiated security strategy is adopted, for example traffic with a lower security grade can be analyzed first, seizing the initiative and preventing malicious attacks from occurring;
further, to improve analysis efficiency within each credibility grade, K-Means clustering is used to realize refined traffic classification; the graded traffic is quickly clustered based on the clustering idea, and classification based on the clustering idea quickly and accurately improves the efficiency of network monitoring analysis, so that the value of existing traffic analysis technology is exerted to the maximum;
finally, within each traffic cluster, on the one hand a traffic safety baseline reference value is defined in combination with the busy and idle times of uplink and downlink traffic to realize bidirectional traffic monitoring, and abnormal traffic is alarmed in time; on the other hand, comprehensive study, judgment and analysis are carried out in combination with existing technical means, including machine learning, deep learning and the like, to realize refined monitoring analysis. In the traditional mode the granularity of traffic classification and grading is insufficient, and the measures adopted are more general and cannot be differentiated or refined. In this embodiment, smaller traffic clusters are divided within the same grade according to clustering, and monitoring analysis is carried out in each small traffic cluster, which greatly shortens traffic analysis time and improves processing efficiency for timely discovery of abnormal behaviors, so that the security protection capability of the network is enhanced, malicious attacks are neutralized, and smooth operation of services is guaranteed.
In the existing 5G network environment, especially during the comprehensive digital transformation of vertical industries, traffic is growing continuously and rapidly, and how to efficiently realize traffic distribution and analysis is very important. For example, in a campus network, campus traffic mainly has three directions: the first is traffic inside the campus, i.e. data that does not leave the campus; the second is data of an edge or sub-campus that needs to be transmitted back to the main campus (core management center); the third is campus data that generates Internet access to the outside world. In the campus environment, the method provided by embodiment 1 of the present invention can be used to solve, to a certain extent, the security problem of each kind of traffic generated by the campus, improving the data security and service fluency of the campus, and it has good reference value for operators further opening up network security capabilities.
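The "firstly" and "secondly" steps above (device credibility from quantized evaluation factors, link credibility level from the share of highly credible devices, and lowest-level traffic analyzed first) are made concrete below with the thresholds stated in claims 4 to 6 of this patent: Ts is the sum of the quantized factors, a device is highly credible when Ts ≥ ut, X is the proportion of highly credible devices on the link, and X is mapped to levels A/B/C with parameters Y1 > Y2 in (0,1). This is an added example, not the patent's own code; the quantization scales for security level and performance, the values of ut, Y1 and Y2, the mapping of security level to credibility level, and the devices themselves are assumptions.

```python
"""Device credibility metric Ts, link credibility level A/B/C and analysis
priority, following the grading procedure of claims 2 to 6 of this patent.
Added example: quantization scales, ut, Y1, Y2 and the devices are assumed."""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    trusted_chip: bool   # embedded trusted chip: quantized as 1/0
    localized: bool      # localized device: quantized as 1/0
    security_level: int  # assumption: security protection level 1..5 used directly as the score
    performance: int     # assumption: 0..3 score derived from the CPU and memory class


UT = 5             # preset credibility reference value ut (assumed value)
Y1, Y2 = 0.8, 0.5  # preset grading parameters, Y1 > Y2, both in (0,1) (assumed values)


def credibility_metric(dev):
    """Ts = sum of the quantized values of all evaluation factors (claim 4)."""
    return int(dev.trusted_chip) + int(dev.localized) + dev.security_level + dev.performance


def is_high_credibility(dev, ut=UT):
    """Ts >= ut -> high credibility, otherwise low (claim 4)."""
    return credibility_metric(dev) >= ut


def high_credibility_ratio(devices):
    """X = highly credible devices / all devices on the link (claim 5)."""
    return sum(is_high_credibility(d) for d in devices) / len(devices)


def link_level(devices, y1=Y1, y2=Y2):
    """X > Y1 -> A; Y2 <= X <= Y1 -> B; X < Y2 -> C (claim 5)."""
    x = high_credibility_ratio(devices)
    if x > y1:
        return "A"
    if x >= y2:
        return "B"
    return "C"


def analysis_order(links):
    """Order links so that traffic of the lowest credibility level is analysed
    first (claim 6). Assumption: the security level is taken directly from the
    credibility level, so C is processed before B and B before A."""
    rank = {"C": 0, "B": 1, "A": 2}
    return sorted(links, key=lambda lid: (rank[link_level(links[lid])], lid))


# Constructed links: source device, intermediate node devices, destination device (claim 3).
LINKS = {
    "link-1": [Device("src", True, True, 3, 2),       # Ts = 7, high
               Device("node-a", False, True, 2, 1),   # Ts = 4, low
               Device("node-b", True, False, 3, 2),   # Ts = 6, high
               Device("dst", True, True, 4, 3)],      # Ts = 9, high -> X = 0.75 -> B
    "link-2": [Device("src", True, True, 4, 3),       # Ts = 9, high
               Device("node-a", True, True, 3, 2),    # Ts = 7, high
               Device("dst", True, True, 3, 3)],      # Ts = 8, high -> X = 1.0 -> A
    "link-3": [Device("src", False, False, 1, 0),     # Ts = 1, low
               Device("node-a", False, True, 2, 1),   # Ts = 4, low
               Device("node-b", False, False, 3, 1),  # Ts = 4, low
               Device("dst", True, True, 3, 1)],      # Ts = 6, high -> X = 0.25 -> C
}

if __name__ == "__main__":
    for lid, devs in LINKS.items():
        print(lid, [credibility_metric(d) for d in devs], link_level(devs))
    print("analysis order:", analysis_order(LINKS))  # ['link-3', 'link-1', 'link-2']
```

The boundary handling matters: X equal to Y1 or Y2 lands in level B, exactly as claim 5 phrases it (Y2 ≤ X ≤ Y1), so a link sitting on a threshold is never silently promoted to A.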
Embodiment 2:
As shown in fig. 5, embodiment 2 of the present invention provides a traffic monitoring device, including:
the grading module 1, used for respectively evaluating the credibility of all devices involved in each traffic link of a plurality of traffic links and judging the credibility level corresponding to each traffic link according to the evaluation result;
the clustering module 2, connected with the grading module 1 and used for respectively clustering the traffic from each traffic link with different credibility levels to obtain one or more clusters;
and the monitoring module 3, connected with the clustering module 2 and used for respectively carrying out security monitoring on the traffic in each cluster.
Optionally, the grading module 1 includes:
an obtaining unit, configured to obtain, for each device involved in a traffic link, the quantized value of each corresponding evaluation factor;
a first calculation unit, connected with the obtaining unit and used for calculating a credibility metric value Ts of each device according to the quantized values of the device's evaluation factors;
a first judgment unit, connected with the first calculation unit and used for judging the credibility of the device according to the calculated credibility metric value Ts;
a second calculation unit, connected with the first judgment unit and used for calculating the proportion X of the number of devices with high credibility on the whole traffic link to the number of all devices on the link;
a second judgment unit, connected with the second calculation unit and used for judging the credibility level of the traffic link according to the proportion X.
The device further includes:
a selection module, connected with the grading module 1 and the clustering module 2 respectively and used for determining the priority during traffic analysis according to the credibility level and selecting the traffic of low credibility level for priority analysis;
the clustering module 2 uses a K-Means algorithm for clustering;
the monitoring module 3 includes:
a first analysis unit, connected with the clustering module 2 and used for defining a traffic safety baseline for each cluster and monitoring whether the traffic in the cluster exceeds the safety baseline, so as to realize traffic monitoring and early warning;
and a second analysis unit, connected with the clustering module 2 and used for establishing a traffic analysis model for the traffic in each cluster and extracting the traffic information in the cluster using the corresponding traffic analysis model, so as to analyze whether abnormal traffic exists and realize security monitoring of the traffic.
The traffic monitoring device provided by embodiment 2 of the present invention performs grading according to the credibility of the devices involved in the path over which the traffic is generated, so as to realize traffic classification; based on the clustering idea it clusters the graded traffic into clusters and realizes refined monitoring analysis within the traffic clusters, thereby improving network security protection capability.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A traffic monitoring method, applied to end-to-end traffic monitoring, the method comprising:
S1, performing credibility evaluation on all devices involved in each traffic link of a plurality of traffic links respectively, and obtaining, according to the evaluation result, the proportion of the number of devices with high credibility or/and the number of devices with low credibility on each traffic link, so as to judge the credibility level corresponding to each traffic link;
S3, clustering the traffic from each traffic link with different credibility levels respectively to obtain one or more clusters;
S4, respectively carrying out security monitoring on the traffic in each cluster.
2. The traffic monitoring method according to claim 1, wherein step S1 specifically includes:
S1.1, selecting device characteristics as evaluation factors in advance, and setting a quantization standard according to the characteristics of each evaluation factor;
S1.2, obtaining the quantized value of each corresponding evaluation factor for each device involved in each traffic link, calculating a credibility metric value Ts of each device according to the quantized values of its evaluation factors, and judging the credibility of the device according to the calculated credibility metric value Ts;
S1.3, respectively calculating the proportion of the number of devices with high credibility or/and the number of devices with low credibility on each traffic link, and judging the credibility level of the traffic link according to the proportion.
3. The traffic monitoring method according to claim 2, wherein the devices involved in the traffic link include: the source end device, all intermediate node devices and the destination end device;
the evaluation factors include: whether the device has an embedded trusted chip, whether the device is localized, the security level of the device and the performance parameters of the device;
whether the device has an embedded trusted chip and whether the device is localized are quantized as binary values corresponding to the two respective states;
the device security level sets its quantization standard according to the network security graded protection standard;
the device performance parameter sets its quantization standard with reference to the performance of the CPU and memory of the device.
4. The traffic monitoring method according to claim 2, wherein in step S1.2 the credibility metric value Ts is the sum of the quantized values of all evaluation factors of the device;
judging the credibility of the device according to the calculated credibility metric value Ts specifically includes:
presetting a credibility metric reference value ut;
comparing Ts with ut: if Ts ≥ ut, the credibility of the device is judged to be high, otherwise the credibility of the device is judged to be low.
5. The traffic monitoring method according to claim 2, wherein in step S1.3 the proportion of the number of devices with high credibility on each traffic link is calculated and the credibility level of the traffic link is judged according to the proportion, specifically including:
presetting credibility level division parameters Y1, Y2 ∈ (0,1), with Y1 > Y2;
respectively calculating the proportion X of the number of devices with high credibility on each traffic link to the number of all devices on the traffic link;
judging the credibility level of the traffic link according to the proportion X: when X > Y1, the credibility level of the traffic link is judged to be level A; when Y2 ≤ X ≤ Y1, the credibility level of the traffic link is judged to be level B; when X < Y2, the credibility level of the traffic link is judged to be level C.
6. The traffic monitoring method according to claim 1, further comprising:
S2, obtaining the security levels corresponding to the traffic from each traffic link with different credibility levels, determining the priority with which the traffic enters step S3 and step S4 according to the security levels, and preferentially processing the traffic with low security level, wherein the traffic with low security level at least includes all the traffic from the traffic link with the lowest credibility level.
7. The traffic monitoring method according to any one of claims 1 to 6, wherein step S3 specifically includes:
clustering the traffic from each traffic link with different credibility levels using a K-Means algorithm: for the traffic from the traffic links of the same credibility level, a value K is input and K clusters are output.
8. The traffic monitoring method according to claim 7, wherein step S4 includes:
defining a traffic safety baseline for each cluster, monitoring whether the traffic in the cluster exceeds the safety baseline, and if so, sending out early warning information.
9. The traffic monitoring method according to claim 7, wherein step S4 includes:
establishing a traffic analysis model for the traffic in each cluster, extracting traffic information using the corresponding traffic analysis model to analyze whether abnormal traffic exists, and actively unloading the traffic if abnormal traffic exists.
10. A traffic monitoring device, comprising:
a grading module, used for respectively evaluating the credibility of all devices involved in each traffic link of a plurality of traffic links, and obtaining, according to the evaluation result, the proportion of the number of devices with high credibility or/and the number of devices with low credibility on each traffic link so as to judge the credibility level corresponding to each traffic link;
a clustering module, connected with the grading module and used for respectively clustering the traffic from each traffic link with different credibility levels to obtain one or more clusters;
and a monitoring module, connected with the clustering module and used for respectively carrying out security monitoring on the traffic in each cluster.
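Claim 7 (and step S3 of claim 1) clusters the traffic of each credibility level separately with K-Means, inputting K and obtaining K clusters of the most similar flows. The following added example, which is not the patent's own code, runs a plain Lloyd's-algorithm K-Means over per-level flow records; the two similarity features used (average packet size and packets per second), the min-max scaling, the farthest-first seeding and the flow records themselves are constructed assumptions, since the patent only lists candidate features (quintuple, packet size, protocol and so on) without fixing a feature vector.

```python
"""K-Means clustering of traffic within one credibility level (claim 7).
Added example; flow records and the two similarity features are constructed
assumptions, not the patent's feature set."""
import math


def scale(vectors):
    """Min-max scale each feature to [0, 1] so that bytes and packet rates weigh equally."""
    dims = len(vectors[0])
    lo = [min(v[i] for v in vectors) for i in range(dims)]
    hi = [max(v[i] for v in vectors) for i in range(dims)]
    return [tuple((v[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                  for i in range(dims)) for v in vectors]


def dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def init_centroids(points, k):
    """Deterministic farthest-first seeding: the first point, then repeatedly the
    point farthest from the centroids chosen so far (assumed initialization)."""
    cents = [points[0]]
    while len(cents) < k:
        cents.append(max(points, key=lambda p: min(dist(p, c) for c in cents)))
    return cents


def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm; returns the cluster index of every point."""
    k = min(k, len(points))          # cannot have more clusters than points
    cents = init_centroids(points, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(p, cents[j])) for p in points]
        if new_labels == labels:
            break                    # assignments stable -> converged
        labels = new_labels
        for j in range(k):           # move each centroid to the mean of its members
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                cents[j] = tuple(sum(m[i] for m in members) / len(members)
                                 for i in range(len(points[0])))
    return labels


def cluster_by_level(flows, k):
    """flows: (credibility_level, five_tuple, avg_packet_bytes, packets_per_second).
    Clusters each credibility level separately with the same input K (claim 7)
    and returns {level: {cluster_index: [five_tuple, ...]}}."""
    result = {}
    for level in sorted({f[0] for f in flows}):
        level_flows = [f for f in flows if f[0] == level]
        labels = kmeans(scale([(f[2], f[3]) for f in level_flows]), k)
        clusters = {}
        for f, label in zip(level_flows, labels):
            clusters.setdefault(label, []).append(f[1])
        result[level] = clusters
    return result


# Constructed flows: (level, (src_ip, src_port, dst_ip, dst_port, proto), avg_pkt_bytes, pps).
# Two hosts at level C with clearly different traffic shapes, two flows at level B.
FLOWS = [
    ("C", ("10.0.0.5", 51000, "203.0.113.7", 443, "tcp"), 80, 250),
    ("C", ("10.0.0.5", 51001, "203.0.113.7", 443, "tcp"), 90, 240),
    ("C", ("10.0.0.5", 51002, "203.0.113.8", 53, "udp"), 70, 260),
    ("C", ("10.0.0.9", 40000, "198.51.100.2", 443, "tcp"), 1400, 20),
    ("C", ("10.0.0.9", 40001, "198.51.100.2", 443, "tcp"), 1350, 25),
    ("C", ("10.0.0.9", 40002, "198.51.100.3", 80, "tcp"), 1380, 18),
    ("B", ("10.0.1.2", 50000, "192.0.2.10", 443, "tcp"), 500, 100),
    ("B", ("10.0.1.3", 50001, "192.0.2.11", 8443, "tcp"), 900, 50),
]

if __name__ == "__main__":
    for level, clusters in cluster_by_level(FLOWS, 2).items():
        for idx, members in clusters.items():
            print(level, idx, [m[0] for m in members])
```

With K = 2 the level-C flows separate into one cluster per source host, which is the "traffic from the same source has greater similarity" case the description gives; the resulting clusters are the units on which the per-cluster baselines and analysis models of claims 8 and 9 are then built.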
Application Number Priority Date Filing Date Title
CN202110835257.9A 2021-07-23 2021-07-23 Flow monitoring method and device (Active, CN113595820B)

Publications (2)

Publication Number Publication Date
CN113595820A 2021-11-02
CN113595820B 2022-07-12


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant