CN113794719B - Network abnormal traffic analysis method and device based on elastic search technology and electronic equipment - Google Patents

Info

Publication number: CN113794719B
Authority: CN (China)
Prior art keywords: network, traffic data, elastic search, abnormal, data
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202111077098.7A
Other languages: Chinese (zh)
Other versions: CN113794719A (en)
Inventors: 何莹杰, 安逸, 宫晨, 刘方毅
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06: Management of faults, events, alarms or notifications
    • H04L 41/0677: Localisation of faults
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00: Reducing energy consumption in communication networks
    • Y02D 30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The disclosure provides a network abnormal traffic analysis method based on an elastic search technology, which can be used in the financial field or other fields, and comprises the following steps: acquiring network traffic data, wherein the network traffic data comprises normal traffic data and/or abnormal traffic data; storing the network traffic data into an elastic search engine; acquiring the abnormal traffic data from the network traffic data by using the elastic search engine; and analyzing the abnormal traffic data by using the elastic search engine to obtain an analysis result of the abnormal traffic data. The method and the device can improve the parsing capability for network traffic data, solve the problem of message loss caused by low parsing and storage efficiency of the network traffic data, solve the problem of memory resource exhaustion of the network management server, rapidly locate the application that causes the port traffic to exceed the threshold value together with the traffic statistics of that application, improve the efficiency and level of network fault emergency response, and solve the problems of low query and analysis efficiency of a structured database and poor user experience.

Description

Network abnormal traffic analysis method and device based on elastic search technology and electronic equipment
Technical Field
The disclosure relates to the field of research and development management software modeling, and in particular relates to a network abnormal traffic analysis method, device, electronic equipment and program product based on an elastic search technology.
Background
The rapidly evolving Internet provides users with higher bandwidth, supporting an increasing number of services and applications. However, in the face of a huge and complex network environment, network security is also becoming important, and in normal traffic of the network, various abnormal traffic is often accompanied, so that normal operation of the network is affected, and network security and normal use are threatened. How to rapidly analyze abnormal network traffic and accurately position the abnormal network traffic, and to achieve the higher requirement of network traffic fine management, has become the urgent need for operation and maintenance personnel in the network technical field.
Brief Summary of the Present Disclosure
(I) Technical problem to be solved
In view of the foregoing deficiencies of the prior art, a primary object of the present disclosure is to provide a method, apparatus, electronic device, storage medium and program product for analyzing abnormal traffic of a network based on an elastic search technology, so as to at least partially solve at least one of the foregoing technical problems.
(II) Technical solution
In order to achieve the above object, the present disclosure provides a network anomaly traffic analysis method based on an elastic search technology, the method comprising:
Acquiring network traffic data, wherein the network traffic data comprises normal traffic data and/or abnormal traffic data;
storing the network traffic data into an elastic search engine;
acquiring abnormal traffic data from the network traffic data by using the elastic search engine;
and analyzing the abnormal traffic data by using the elastic search engine to obtain an analysis result of the abnormal traffic data.
In some embodiments, the network includes at least one device, each of the devices including at least one port, and the acquiring network traffic data includes:
monitoring all ports of the at least one device, and periodically collecting and storing the traffic data of all ports, thereby obtaining the network traffic data.
In some embodiments, the storing the network traffic data in the elastic search engine specifically includes:
parsing the network traffic data according to a preset format to obtain a parsing result, wherein the parsing result comprises a source address, a source port and a destination address;
performing secondary aggregation on the network traffic data by taking the source address, the source port and the destination address as dimensions to obtain an aggregate traffic packet;
and storing the aggregate traffic packet in the elastic search engine.
In some embodiments, the acquiring, by the elastic search engine, abnormal traffic data from the network traffic data specifically includes:
when the traffic of any port is monitored to exceed a preset threshold value, a traffic abnormality alarm is sent out, and the port and the time point of the traffic abnormality alarm are recorded, thereby obtaining an alarm time point and an alarm port;
acquiring a preset time period including the alarm time point;
acquiring abnormal network traffic data in the preset time period from the network traffic data by using range query of the elastic search engine;
and acquiring the abnormal traffic data of the alarm port from the abnormal network traffic data by using the term query of the elastic search engine.
In some embodiments, the analyzing the abnormal traffic data by using the elastic search engine to obtain an analysis result of the abnormal traffic data specifically includes:
determining all applications corresponding to the alarm ports to obtain an application list;
dividing the abnormal traffic data according to the applications in the application list by using a bucket aggregation (Bucket Aggregation) query of the elastic search engine to obtain the traffic data of each application in the application list;
and performing an aggregation operation on the traffic data of each application in the application list by using a metrics aggregation (Metrics Aggregation) of the elastic search engine, and computing statistics of the traffic data of each application according to preset dimensions to obtain an analysis result of the abnormal traffic data.
In some embodiments, the preset dimensions include the total traffic, the average traffic and the bandwidth share of the application.
In some embodiments, the collection time of the aggregate traffic packet is the latest collection time of the network traffic data.
In some embodiments, if the traffic of at least two ports exceeds the preset threshold value at the same time point, the at least two ports are analyzed one by one in arbitrary order.
On the other hand, the disclosure also provides a network abnormal traffic analysis device based on the elastic search technology, which comprises:
the first acquisition module is used for acquiring network traffic data, wherein the network traffic data comprises normal traffic data and/or abnormal traffic data;
the storage module is used for storing the network traffic data into an elastic search engine;
the second acquisition module is used for acquiring abnormal traffic data from the network traffic data by using the elastic search engine;
and the analysis module is used for analyzing the abnormal traffic data by using the elastic search engine to obtain an analysis result of the abnormal traffic data.
In some embodiments, the network includes at least one device, each of the devices including at least one port, and the first obtaining module includes:
a monitoring module, used for monitoring all ports of the at least one device, and periodically collecting and storing the traffic data of all ports, thereby obtaining the network traffic data.
In some embodiments, the storage module includes:
a parsing module, used for parsing the network traffic data according to a preset format to obtain a parsing result, wherein the parsing result comprises a source address, a source port and a destination address;
and an aggregation module, used for performing secondary aggregation on the network traffic data by taking the source address, the source port and the destination address as dimensions to obtain an aggregate traffic packet, and storing the aggregate traffic packet into the elastic search engine.
In some embodiments, the second obtaining module includes:
an alarm module, used for sending out a traffic abnormality alarm when the traffic of any port exceeds a preset threshold value, and recording the port and the time point of the traffic abnormality alarm, thereby obtaining the alarm time point and the alarm port;
and a third obtaining module, configured to obtain a preset time period including the alarm time point, acquire the abnormal network traffic data in the preset time period from the network traffic data by using the range query of the elastic search engine, and acquire the abnormal traffic data of the alarm port from the abnormal network traffic data by using the term query of the elastic search engine.
In some embodiments, the analysis module includes:
the application module is used for determining all the applications corresponding to the alarm ports to obtain an application list;
a dividing module, used for dividing the abnormal traffic data according to the applications in the application list by using a bucket aggregation (Bucket Aggregation) query of the elastic search engine to obtain the traffic data of each application in the application list;
and a statistics module, used for performing an aggregation operation on the traffic data of each application in the application list by using a metrics aggregation (Metrics Aggregation) of the elastic search engine, and computing statistics of the traffic data of each application according to preset dimensions to obtain an abnormal traffic analysis result.
In some embodiments, the preset dimensions include, per application, the total traffic, the average traffic and the bandwidth share.
In some embodiments, the collection time of the aggregate traffic packet is the latest collection time of the network traffic data.
In another aspect, the present disclosure also provides an electronic device, including:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the network abnormal traffic analysis method based on the elastic search technology as described above.
In another aspect, the disclosure also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network abnormal traffic analysis method based on the elastic search technology as described above.
In another aspect, the disclosure further provides a computer program product, including a computer program, where the computer program, when executed by a processor, implements the network abnormal traffic analysis method based on the elastic search technology as described above.
(III) Beneficial effects
The network abnormal traffic analysis method, device, electronic equipment, storage medium and program product based on the elastic search technology have at least the following advantages compared with the related technology:
(1) With the network abnormal traffic analysis method based on the elastic search technology provided by the disclosure, the application causing the port traffic to exceed the threshold value and the traffic statistics of that application can be rapidly located, the efficiency and level of network fault emergency response are further improved, and the problems of low query and analysis efficiency of a structured database and poor user experience are solved.
(2) The network abnormal traffic analysis method based on the elastic search technology can improve the parsing capability for network traffic data, solve the problem of message loss caused by slow parsing and storage of the network traffic data, and solve the problem of memory resource exhaustion of the network management server.
(3) The network abnormal traffic analysis method based on the elastic search technology has great application value in improving the capability for fine-grained management and control of network traffic.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
FIG. 1 schematically illustrates an application scenario diagram of a network anomaly traffic analysis method based on an elastic search technique according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method for analyzing abnormal traffic of a network based on an elastic search technology according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow diagram for storing network traffic data in an elastic search engine provided by an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flowchart of a method for acquiring abnormal traffic data from network traffic data using an elastic search engine according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flowchart of a method for analyzing abnormal traffic data to obtain an analysis result using an elastic search engine according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a block diagram of a network anomaly traffic analysis device based on an elastic search technique according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a first acquisition module of a network abnormal traffic analysis device based on an elastic search technique according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a storage module of a network anomaly traffic analysis device based on an elastic search technique according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of a second acquisition module of a network anomaly traffic analysis device based on an elastic search technique according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates a block diagram of an analysis module of a network anomaly traffic analysis device based on an elastic search technique according to an embodiment of the present disclosure;
FIG. 11 schematically illustrates a block diagram of an electronic device adapted for a network anomaly traffic analysis method based on the elastic search technique, in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where an expression like "at least one of A, B and C, etc." is used, it should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g. "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where a formulation similar to "at least one of A, B or C, etc." is used, in general such a formulation should be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g. "a system with at least one of A, B or C" would include but not be limited to systems with A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). It should also be appreciated by those skilled in the art that virtually any disjunctive word and/or phrase presenting two or more alternative items, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the items, either of the items, or both. For example, the phrase "A or B" should be understood to include the possibility of "A" or "B", or "A and B".
Some of the block diagrams and/or flowchart illustrations are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, when executed by the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). Additionally, the techniques of this disclosure may take the form of a computer program product on a computer-readable medium having instructions stored thereon, the computer program product being usable by or in connection with an instruction execution system. In the context of this disclosure, a computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the instructions. For example, a computer-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. Specific examples of the computer readable medium include: magnetic storage devices such as magnetic tape or hard disk (HDD); optical storage devices such as compact discs (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and/or a wired/wireless communication link.
The disclosure provides a network abnormal traffic analysis method, a device, an electronic device, a storage medium and a program product based on an elastic search technology. The following is an exemplary description with reference to the accompanying drawings. It should be noted that the sequence numbers of the respective operations in the following methods are merely representative of the operations for the purpose of description, and should not be construed as representing the order of execution of the respective operations. The method need not be performed in the exact order shown unless explicitly stated.
It should be noted that the method and the device for analyzing abnormal network traffic based on the elastic search technology provided by the present disclosure may be used in the financial field, and may also be used in any field other than the financial field; the application field of the method and the device provided by the present disclosure is not limited.
Fig. 1 schematically illustrates an application scenario diagram of a network anomaly traffic analysis method based on an elastic search technique according to an embodiment of the present disclosure. As shown in fig. 1, an application scenario diagram according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server/server cluster 105. Network 104 is the medium used to provide communication links between terminal devices 101, 102, 103 and server/server cluster 105. The network 104 may include various connection types, such as wired or wireless communication links, fiber optic cables, and so on.
A user may interact with the server/server cluster 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various client applications may be installed on the terminal devices 101, 102, 103, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, and the like (just examples).
The terminal devices 101, 102, 103 may interact with the server/server cluster 105 through various client applications to send various requests to the server/server cluster 105 or to receive results returned by the server/server cluster 105.
The terminal devices 101, 102, 103 may be a variety of electronic devices including, but not limited to, smartphones, tablets, laptop portable computers, desktop computers, and the like.
The server/server cluster 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the network anomaly traffic analysis method based on the elastic search technology provided in the embodiments of the present disclosure may be generally performed by the server/server cluster 105. Accordingly, a network anomaly traffic analysis device based on the elastic search technique provided by the embodiments of the present disclosure may be generally disposed in the server/server cluster 105. A network anomaly traffic analysis method based on the elastic search technique provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server/server cluster 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server/server cluster 105. Accordingly, a network anomaly traffic analysis device based on the elastic search technology provided in the embodiments of the present disclosure may also be disposed in a server or a server cluster different from the server/server cluster 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server/server cluster 105.
It should be understood that the number of terminal devices, networks and server/server clusters in fig. 1 is merely illustrative. There may be any number of terminal devices, networks and server/server clusters, as is practical.
A network anomaly traffic analysis method based on the elastic search technology according to the disclosed embodiment will be described in detail with reference to fig. 2 to 5 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flowchart of a network abnormal traffic analysis method based on an elastic search technology according to an embodiment of the disclosure. As shown in fig. 2, in an embodiment of the present disclosure, the method includes operations S210 to S240.
In operation S210, network traffic data including normal traffic data and/or abnormal traffic data is acquired.
In this embodiment, the network includes at least one device, each device includes at least one port, all ports of each device in the network are monitored, and network traffic data of all ports are periodically collected and stored to obtain the network traffic data.
In operation S220, the network traffic data is stored in the elastic search engine.
In operation S230, abnormal traffic data is acquired from the network traffic data using the elastic search engine.
In operation S240, the abnormal traffic data is analyzed using the elastic search engine to obtain an analysis result of the abnormal traffic data.
In this embodiment, in order to discover and resolve traffic abnormalities in the network in a timely manner, the network is monitored so that network traffic data is acquired in real time. The acquired network traffic data is then stored in an elastic search engine, which analyzes it to determine whether abnormal traffic data exists. If abnormal traffic data exists in the acquired network traffic data, a section of network traffic data containing the abnormal traffic data is cut out of the network traffic data and analyzed by the elastic search engine; from the analysis result the application generating the traffic abnormality can be determined, and further the ports from which the abnormal traffic data comes can be determined. In addition, the devices, applications and the like in the network can be adjusted according to the analysis result of the abnormal traffic data. With the network abnormal traffic analysis method based on the elastic search technology provided by the embodiment of the disclosure, the application causing the port traffic to exceed the threshold value and the traffic statistics of that application can be rapidly located, the efficiency and level of network fault emergency response are further improved, and the problems of low query and analysis efficiency of a structured database and poor user experience are solved.
In an embodiment of the disclosure, the network includes at least one device, each of the devices includes at least one port, and the acquiring network traffic data includes: and monitoring all ports of the at least one device, periodically collecting and storing network flow data of all ports, and obtaining the network flow data.
In this embodiment, a network generally includes a plurality of devices, each device has a plurality of ports, in order to obtain all traffic data of the network, all ports of all devices in the network need to be monitored, and traffic data of all ports of all devices are obtained in real time, where the traffic data of all ports of all devices in the network obtained in real time is the network traffic data to be analyzed.
Fig. 3 schematically illustrates a flowchart of storing network traffic data in an elastic search engine according to an embodiment of the present disclosure, as shown in fig. 3, and in an embodiment of the present disclosure, the flowchart includes operations S310 to S330.
In operation S310, the network traffic data is parsed according to a preset format to obtain a parsing result, where the parsing result includes a source address, a source port and a destination address.
In this embodiment, the network traffic data is parsed according to a preset format; for example, text parsing is performed on the network traffic data according to the data stream format defined by the RPC protocol, and the network traffic data is parsed into information such as a source address, a source port, a destination address, a destination port, a byte count, a timestamp and a type of service (TOS).
In operation S320, the network traffic data is secondarily aggregated with the source address, the source port, and the destination address as dimensions, respectively, to obtain an aggregate traffic packet.
In this embodiment, after the network traffic data is parsed, the parsed network traffic data is periodically secondarily aggregated with the source address, the source port and the destination address as dimensions, and the aggregated traffic packets obtained after aggregation are periodically stored, where the acquisition time of the aggregated traffic packets is the latest acquisition time of the network traffic data.
In operation S330, the aggregate traffic packet is stored in the elastic search engine.
In this embodiment, the acquired network traffic data is parsed, then subjected to secondary aggregation with the parsed source address, source port and destination address as dimensions, and the aggregated network traffic data is stored in the elastic search engine. This not only keeps the stored data volume small but also allows abnormal traffic data, when present in the network traffic data, to be located quickly, which reduces the time spent searching the database for abnormal traffic data and improves the efficiency of handling abnormal traffic in the network.
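Operations S310 to S330 as a worked example. This is added code, not the patent's own implementation: the comma-separated record layout, the field names (`src_addr`, `src_port`, `dst_addr`, `dst_port`, `bytes`, `tos`, `timestamp`) and the index name `net-traffic` are assumptions, and the sample flows are constructed. The parser turns one collection period of raw records into the fields the text lists, the secondary aggregation collapses them on the (source address, source port, destination address) key, and each aggregated packet carries the latest collection time of the records it merged, which is what is then bulk-indexed.

```python
"""Parse raw flow records and build the secondarily aggregated documents
that are stored in Elasticsearch (added example, not the patent's code).
The record layout below is a constructed, hypothetical text format."""
from collections import defaultdict
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: one collection period of flow records, one per line:
# timestamp,src_addr,src_port,dst_addr,dst_port,bytes,tos
SAMPLE_FLOWS = """\
2021-09-15T10:00:00Z,10.0.0.5,443,10.0.1.9,51234,1200,0
2021-09-15T10:00:01Z,10.0.0.5,443,10.0.1.9,51235,800,0
2021-09-15T10:00:02Z,10.0.0.5,443,10.0.1.7,40001,5000,8
2021-09-15T10:00:03Z,10.0.0.6,8080,10.0.1.9,51236,300,0
"""


def parse_flows(text):
    """Operation S310: parse each record into the fields the text lists."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, nbytes, tos = line.split(",")
        records.append({
            "timestamp": datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc),
            "src_addr": src, "src_port": int(sport),
            "dst_addr": dst, "dst_port": int(dport),
            "bytes": int(nbytes), "tos": int(tos),
        })
    return records


def aggregate_flows(records):
    """Operation S320: secondary aggregation keyed on (src_addr, src_port, dst_addr).
    Each aggregated packet carries the latest collection time among its members."""
    buckets = defaultdict(lambda: {"bytes": 0, "flows": 0, "timestamp": None})
    for r in records:
        b = buckets[(r["src_addr"], r["src_port"], r["dst_addr"])]
        b["bytes"] += r["bytes"]
        b["flows"] += 1
        if b["timestamp"] is None or r["timestamp"] > b["timestamp"]:
            b["timestamp"] = r["timestamp"]
    return [
        {"src_addr": k[0], "src_port": k[1], "dst_addr": k[2],
         "bytes": v["bytes"], "flows": v["flows"],
         "timestamp": v["timestamp"].strftime(FMT)}
        for k, v in sorted(buckets.items())
    ]


def to_bulk_actions(packets, index="net-traffic"):
    """Operation S330: actions in the shape elasticsearch.helpers.bulk() accepts.
    The index name is an assumption of this example."""
    return [{"_index": index, "_source": p} for p in packets]


if __name__ == "__main__":
    for action in to_bulk_actions(aggregate_flows(parse_flows(SAMPLE_FLOWS))):
        print(action)
```

Because the stored unit is the aggregated packet rather than the raw flow, the timestamp field is the collection time the later range query (operation S430) filters on; keep it mapped as a `date` field in the index so that query works.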
Fig. 4 schematically illustrates a flowchart of a method for acquiring abnormal traffic data from network traffic data by using an elastic search engine according to an embodiment of the present disclosure, as shown in fig. 4, and in an embodiment of the present disclosure, the method includes operations S410 to S440.
In operation S410, when the flow of any port is monitored to exceed the preset threshold, a flow abnormality alarm is issued, and the port and the time point at which the flow abnormality alarm occurs are recorded, so as to obtain an alarm time point and an alarm port.
In this embodiment, when real-time monitoring shows that the traffic of a port in the network exceeds a preset threshold, the port is considered to have a traffic abnormality: a traffic abnormality alarm is sent out, and the port and the time point at which the alarm occurs are recorded. If a plurality of ports have abnormal traffic, each of them needs to be recorded.
In operation S420, a preset time period including the above-described alarm time point is acquired.
In this embodiment, the cause of the abnormal traffic is analyzed over a section of traffic data that includes the abnormal traffic, so after the alarm time point is obtained, the traffic data in a preset time period including the alarm time point is obtained; this traffic data is the abnormal traffic data. Because the network traffic data is collected periodically, the preset time period needs to include at least one complete collection period. For example, if the alarm time point is a and the collection period is b, the preset time period is at least (a, a+b) or (a-b, a), which guarantees that the network traffic data is collected at least twice within the preset time period. If instead the preset time period splits the collection period b, for example (a, a+b/2) or (a-b/2, a), the collection period b is cut into two parts and no complete collection period is included, so the network traffic data is collected only once within the preset time period, namely at the alarm time point a.
It should be noted that the preset time periods (a, a+b) and (a-b, a) above are merely examples to help those skilled in the art understand the technical content of the present disclosure; they do not mean that the preset time period provided by the present disclosure can only be (a, a+b) or (a-b, a), and it may be set according to actual needs.
In operation S430, abnormal network traffic data within the preset time period is obtained from the network traffic data by using the range query of the elastic search engine.
In operation S440, the abnormal traffic data of the alarm port is acquired from the abnormal network traffic data using the term query of the elastic search engine.
In this embodiment, after determining which ports the abnormal traffic data comes from and the time point at which the traffic abnormality occurs, the range query of the elastic search engine storing the network traffic data is used to obtain the abnormal network traffic data in the preset time period, and then the term query is used to obtain the abnormal traffic data of the alarm port from that abnormal network traffic data. Acquiring the abnormal traffic data with the query tools of the elastic search engine reduces the time needed to search the database for abnormal traffic data and improves the efficiency of resolving the traffic abnormality.
In an embodiment of the disclosure, if the flow rate of at least two ports at the same time point exceeds the preset threshold value, the at least two ports are analyzed randomly one by one.
In this embodiment, the network includes a plurality of devices and each device includes at least one port, so the traffic of a plurality of ports may exceed the preset threshold at the same time point. In that case the time point and all the ports whose traffic exceeds the preset threshold are recorded, and each alarm port is analyzed one by one; for example, the alarm ports may be analyzed in order of the importance level of the device where each port is located, or one by one in order of the number of applications corresponding to each port.
It should be noted that the above-mentioned analysis sequence of the plurality of ports on which the flow alarm occurs is merely an example, so as to help those skilled in the art understand the technical content of the present disclosure, and the specific analysis sequence may be set according to actual needs.
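Operations S410 to S440, together with the handling of several ports alarming at the same time point, as a worked example. This is added code, not the patent's implementation: the per-port counters, the threshold, the five-minute collection period, the stored documents and their field names (`timestamp`, `port`, `bytes`) are constructed assumptions, and the port identifiers are placeholders. The preset time period is built as (a, a+b) or (a-b, a) with inclusive bounds, the Elasticsearch request combines the range query and the term query as a `bool` filter, and `apply_locally` evaluates the same filter over the in-memory documents so the behaviour can be checked without a cluster.

```python
"""Alarm detection, preset time period and the range + term query
(added example, not the patent's code). Field names and values are assumed."""
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"


def utc(s):
    """Parse an ISO-8601 UTC timestamp string."""
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


# Constructed per-port byte counters as read by the monitor at one collection time.
PORT_COUNTERS = {"switch-1/443": 9_500_000, "switch-1/8080": 120_000, "switch-2/22": 7_000_000}
THRESHOLD_BYTES = 5_000_000               # assumed preset threshold
COLLECTION_PERIOD = timedelta(minutes=5)  # assumed collection period b

# Constructed aggregated traffic packets as stored by operation S330.
DOCS = [
    {"timestamp": "2021-09-15T09:57:00Z", "port": "switch-1/443", "bytes": 4_000_000},
    {"timestamp": "2021-09-15T10:02:00Z", "port": "switch-1/443", "bytes": 9_500_000},
    {"timestamp": "2021-09-15T10:02:00Z", "port": "switch-2/22", "bytes": 7_000_000},
    {"timestamp": "2021-09-15T10:07:00Z", "port": "switch-1/443", "bytes": 100_000},
]


def detect_alarms(counters, threshold, now):
    """S410: record (alarm time point, alarm port) for every port above the threshold."""
    return [(now, port) for port, b in counters.items() if b > threshold]


def alarm_window(alarm_time, period, after=True):
    """S420: (a, a+b) or (a-b, a); either contains one complete collection period b."""
    return (alarm_time, alarm_time + period) if after else (alarm_time - period, alarm_time)


def build_query(window, port):
    """S430 and S440 together: a range query on the timestamp and a term query on the
    alarm port, combined as a bool filter so no relevance scoring is performed."""
    start, end = window
    return {"query": {"bool": {"filter": [
        {"range": {"timestamp": {"gte": start.strftime(FMT), "lte": end.strftime(FMT)}}},
        {"term": {"port": port}},
    ]}}}


def apply_locally(query, docs):
    """Evaluate the same filter over in-memory documents (testing without a cluster)."""
    rng, term = query["query"]["bool"]["filter"]
    lo, hi = utc(rng["range"]["timestamp"]["gte"]), utc(rng["range"]["timestamp"]["lte"])
    port = term["term"]["port"]
    return [d for d in docs if lo <= utc(d["timestamp"]) <= hi and d["port"] == port]


def order_alarm_ports(alarms, apps_per_port):
    """When several ports alarm at the same time point they are analyzed one by one;
    here the order is the number of applications behind each port, most first."""
    return sorted(alarms, key=lambda a: apps_per_port.get(a[1], 0), reverse=True)


if __name__ == "__main__":
    now = utc("2021-09-15T10:00:00Z")
    alarms = order_alarm_ports(detect_alarms(PORT_COUNTERS, THRESHOLD_BYTES, now),
                               {"switch-1/443": 12, "switch-2/22": 3})
    for alarm_time, port in alarms:
        q = build_query(alarm_window(alarm_time, COLLECTION_PERIOD), port)
        print(port, [d["timestamp"] for d in apply_locally(q, DOCS)])
```

The query dictionary is what would be passed as the request body to the cluster's search endpoint; `apply_locally` exists only so the window logic (one complete period after or before the alarm) can be checked against known documents.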
Fig. 5 schematically illustrates a flowchart of a method for analyzing abnormal traffic data to obtain an analysis result using an elastic search engine according to an embodiment of the present disclosure, as shown in fig. 5, and in an embodiment of the present disclosure, the method includes operations S510 to S530.
In operation S510, all applications corresponding to the alarm ports are determined, and an application list is obtained.
In this embodiment, the traffic data of each port comes from at least one application, and each application has its own IP address. To determine which application each flow in the abnormal traffic data comes from, all applications corresponding to the alarm ports and the IP addresses of those applications need to be acquired; the IP address of each application may be obtained from a pre-stored mapping table of applications and IP addresses. The IP address of each piece of acquired abnormal traffic data is then parsed and matched against the IP addresses of the applications corresponding to the alarm port, so that the application each piece of abnormal traffic data comes from is determined, yielding an abnormal traffic application list.
In operation S520, the abnormal traffic data is divided according to the applications in the application list by using the Bucket Aggregation (bucket aggregation) query of the elastic search engine, so as to obtain the traffic data of each application in the application list.
In this embodiment, after the applications corresponding to the alarm port are determined and the abnormal traffic application list is obtained, each piece of traffic data in the abnormal traffic data is assigned to its application using the Bucket Aggregation (bucket aggregation) query of the elastic search engine. This determines the traffic data corresponding to each application in the abnormal traffic application list and completes the division of the abnormal traffic data, so that statistical analysis can be performed on the traffic data of each application in the list.
In operation S530, an aggregation operation is performed on the traffic data of each application in the application list by using the Metrics Aggregation (metric aggregation) of the elastic search engine, and the traffic data of each application is counted according to a preset dimension, so as to obtain an analysis result of the abnormal traffic data.
In this embodiment, after the traffic data corresponding to each application in the abnormal traffic application list is determined, the aggregation operation is performed on the traffic data of each application in the list by using the Metrics Aggregation (metric aggregation) of the elastic search engine, and statistics are computed on the traffic data of each application according to a preset dimension, for example the total traffic, the average traffic and the bandwidth ratio of each application.
It should be noted that the above statistics of the total flow, average flow, and bandwidth ratio of each application are only examples, so as to help those skilled in the art understand the technical content of the present disclosure, and specific statistics items may be set according to actual needs.
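Operations S510 to S530 as a worked example. This is added code, not the patent's implementation: the application-to-IP mapping table, the abnormal traffic packets and the field names (`src_addr`, `bytes`, `app`, `port`) are constructed assumptions. `label_applications` resolves each packet to an application through the mapping table and produces the abnormal traffic application list; `build_aggregation_query` emits the Elasticsearch request that nests `sum` and `avg` metric aggregations under a `terms` bucket aggregation per application; and `app_statistics` computes the same total, average and bandwidth ratio locally so the expected result can be checked without a cluster.

```python
"""Application list, bucket aggregation and metric aggregation for one alarm port
(added example, not the patent's code). Tables, documents and field names are assumed."""
from collections import defaultdict

# Constructed mapping table: application name -> IP addresses it serves from.
APP_IP_TABLE = {
    "payment-gateway": {"10.0.0.5"},
    "report-batch": {"10.0.0.6", "10.0.0.7"},
}

# Constructed abnormal traffic packets of one alarm port, as returned by operation S440.
ABNORMAL_DOCS = [
    {"src_addr": "10.0.0.5", "bytes": 3_000_000},
    {"src_addr": "10.0.0.5", "bytes": 1_000_000},
    {"src_addr": "10.0.0.6", "bytes": 5_000_000},
    {"src_addr": "10.0.0.7", "bytes": 1_000_000},
    {"src_addr": "10.0.0.9", "bytes": 500_000},   # source with no application in the table
]


def ip_to_app(table):
    """Invert the application -> IPs table into an IP -> application lookup."""
    return {ip: app for app, ips in table.items() for ip in ips}


def label_applications(docs, table):
    """S510: tag each packet with its application by matching its IP address against the
    mapping table; unmatched sources are kept under "unmapped" so no traffic is lost.
    The sorted set of applications seen is the abnormal traffic application list."""
    lookup = ip_to_app(table)
    labelled = [dict(d, app=lookup.get(d["src_addr"], "unmapped")) for d in docs]
    return labelled, sorted({d["app"] for d in labelled})


def build_aggregation_query(port=None, port_field="port", app_field="app"):
    """S520 + S530 as Elasticsearch DSL: a terms bucket per application with sum and avg
    metric sub-aggregations on bytes. A term query on the alarm port restricts the input."""
    q = {"size": 0, "aggs": {"per_app": {
        "terms": {"field": app_field},
        "aggs": {"total_bytes": {"sum": {"field": "bytes"}},
                 "avg_bytes": {"avg": {"field": "bytes"}}},
    }}}
    if port is not None:
        q["query"] = {"term": {port_field: port}}
    return q


def app_statistics(labelled):
    """Local equivalent of the aggregation result: total traffic, average traffic and
    the share of the port's abnormal traffic (bandwidth ratio) per application."""
    totals, counts = defaultdict(int), defaultdict(int)
    for d in labelled:
        totals[d["app"]] += d["bytes"]
        counts[d["app"]] += 1
    grand = sum(totals.values())
    return {app: {"total_bytes": totals[app],
                  "avg_bytes": totals[app] / counts[app],
                  "bandwidth_ratio": totals[app] / grand}
            for app in totals}


if __name__ == "__main__":
    labelled, apps = label_applications(ABNORMAL_DOCS, APP_IP_TABLE)
    print("application list:", apps)
    for app, s in app_statistics(labelled).items():
        print(f"{app}: total={s['total_bytes']} avg={s['avg_bytes']:.0f} ratio={s['bandwidth_ratio']:.2%}")
    print(build_aggregation_query(port="switch-1/443"))
```

For the `terms` bucket aggregation to work the `app` field must be indexed as a `keyword` (not an analyzed `text`) field, and the application label has to be written into each aggregated packet at storage time or resolved by the same mapping table in a script; the bandwidth ratio is not a built-in metric and is derived from the per-application sum over the port total.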
Based on the above network abnormal traffic analysis method based on the elastic search technology, the present disclosure also provides a network abnormal traffic analysis device based on the elastic search technology. The device will be described in detail below in connection with fig. 6.
Fig. 6 schematically illustrates a block diagram of a network anomaly traffic analysis device based on an elastic search technology according to an embodiment of the disclosure, as shown in fig. 6, in an embodiment of the disclosure, the device 600 includes a first acquisition module 610, a storage module 620, a second acquisition module 630, and an analysis module 640.
The first obtaining module 610 is configured to obtain network traffic data, where the network traffic data includes normal traffic data and/or abnormal traffic data. In an embodiment, the first obtaining module 610 may be configured to perform the operation S210 described above, which is not described herein.
The storage module 620 is configured to store the network traffic data into an elastic search engine. In an embodiment, the storage module 620 may be used to perform the operation S220 described above, which is not described herein.
The second obtaining module 630 is configured to obtain abnormal traffic data from the network traffic data by using the elastic search engine. In an embodiment, the second obtaining module 630 may be configured to perform the operation S230 described above, which is not described herein.
The analysis module 640 is configured to analyze the abnormal traffic data by using the elastic search engine, and obtain an analysis result of the abnormal traffic data. In an embodiment, the analysis module 640 may be configured to perform the operation S240 described above, which is not described herein.
Fig. 7 schematically illustrates a block diagram of a first acquisition module of a network abnormal traffic analysis device based on an elastic search technology according to an embodiment of the present disclosure, as shown in fig. 7, in an embodiment of the present disclosure, the first acquisition module 610 includes a monitoring module 710.
The monitoring module 710 is configured to monitor all ports of the at least one device, and periodically collect and store network traffic data of all ports to obtain the network traffic data.
Fig. 8 schematically illustrates a block diagram of a storage module of a network abnormal traffic analysis device based on an elastic search technology according to an embodiment of the present disclosure, as shown in fig. 8, in an embodiment of the present disclosure, the storage module 620 includes an analysis module 810 and an aggregation module 820.
The parsing module 810 is configured to parse the network traffic data according to a preset format to obtain a parsing result, where the parsing result includes a source address, a source port and a destination address.
The aggregation module 820 is configured to perform secondary aggregation on the network traffic data with the source address, the source port, and the destination address as dimensions, to obtain an aggregate traffic packet, and store the aggregate traffic packet in the elastic search engine.
Fig. 9 schematically illustrates a block diagram of a second acquisition module of a network abnormal traffic analysis apparatus based on an elastic search technology according to an embodiment of the present disclosure, as shown in fig. 9, in an embodiment of the present disclosure, the second acquisition module 630 includes an alarm module 910 and a third acquisition module 920.
The alarm module 910 is configured to send out a flow abnormal alarm when the flow of any port is monitored to exceed a preset threshold, record a port and a time point where the flow abnormal alarm occurs, and obtain an alarm time point and an alarm port.
The third obtaining module 920 is configured to obtain a preset time period including the alarm time point; the range query of the elastic search engine is used for acquiring abnormal network traffic data in the preset time period from the network traffic data; and acquiring the abnormal traffic data of the alarm port from the abnormal network traffic data by using the term query of the elastic search engine.
Fig. 10 schematically illustrates a block diagram of an analysis module of a network abnormal traffic analysis device based on an elastic search technology according to an embodiment of the present disclosure, as shown in fig. 10, in an embodiment of the present disclosure, the analysis module 640 includes an application module 1010, a division module 1020, and a statistics module 1030.
The application module 1010 is configured to determine all applications corresponding to the alarm ports to obtain an application list.
The partitioning module 1020 is configured to partition the abnormal traffic data according to the applications in the application list by using the Bucket Aggregation (bucket aggregation) query of the elastic search engine, so as to obtain the traffic data of each application in the application list.
The statistics module 1030 is configured to perform an aggregation operation on the traffic data of each application in the application list by using the Metrics Aggregation (metric aggregation) of the elastic search engine, and to compute statistics on the traffic data of each application according to a preset dimension, so as to obtain an analysis result of the abnormal traffic data.
It should be noted that, in the embodiment of the apparatus portion, the implementation manner, the solved technical problem, the realized function, and the achieved technical effect of each module/unit/subunit and the like are the same as or similar to the implementation manner, the solved technical problem, the realized function, and the achieved technical effect of each corresponding step in the embodiment of the method portion, and are not described herein again.
Any number of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure, or at least some of the functionality of any number of them, may be implemented in one module. Any one or more of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure may be split into multiple modules. Any one or more of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or in any other reasonable manner of hardware or firmware that integrates or encapsulates the circuit, or in any one of, or a suitable combination of, software, hardware and firmware. Alternatively, one or more of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure may be at least partially implemented as computer program modules which, when executed, perform the corresponding functions.
For example, any of the first acquisition module 610, the storage module 620, the second acquisition module 630 and the analysis module 640 may be combined and implemented in one module, or any of these modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of these modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the first acquisition module 610, the storage module 620, the second acquisition module 630 and the analysis module 640 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging the circuitry, or in any one of, or a suitable combination of, software, hardware and firmware. Alternatively, at least one of the first acquisition module 610, the storage module 620, the second acquisition module 630 and the analysis module 640 may be at least partially implemented as a computer program module which, when executed, performs the corresponding functions.
Fig. 11 schematically illustrates a block diagram of an electronic device adapted to implement a network anomaly traffic analysis method based on the elastic search technology, in accordance with an embodiment of the present disclosure.
As shown in fig. 11, an electronic device 1100 according to an embodiment of the present disclosure includes a processor 1101 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1102 or a program loaded from a storage section 1108 into a Random Access Memory (RAM) 1103. The processor 1101 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1101 may also include on-board memory for caching purposes. The processor 1101 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flow according to embodiments of the present disclosure.
In the RAM 1103, various programs and data necessary for the operation of the electronic device 1100 are stored. The processor 1101, ROM 1102, and RAM 1103 are connected to each other by a bus 1104. The processor 1101 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1102 and/or the RAM 1103. Note that the program may be stored in one or more memories other than the ROM 1102 and the RAM 1103. The processor 1101 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1100 may also include an input/output (I/O) interface 1105, the input/output (I/O) interface 1105 also being connected to the bus 1104. The electronic device 1100 may also include one or more of the following components connected to the I/O interface 1105: an input section 1106 including a keyboard, a mouse, and the like; an output portion 1107 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 1108 including a hard disk or the like; and a communication section 1109 including a network interface card such as a LAN card, a modem, and the like. The communication section 1109 performs communication processing via a network such as the internet. The drive 1110 is also connected to the I/O interface 1105 as needed. Removable media 1111, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is installed as needed in drive 1110, so that a computer program read therefrom is installed as needed in storage section 1108.
The present disclosure also provides a computer-readable storage medium having stored thereon a computer program that implements the network anomaly traffic analysis method based on the elastic search technology as described above. The computer-readable storage medium may be embodied in the apparatus/device described in the above embodiments, or may exist alone without being assembled into the apparatus/device. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer readable medium may be a computer readable signal medium or a computer readable storage medium or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 1102 and/or RAM 1103 described above and/or one or more memories other than ROM 1102 and RAM 1103.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. When the computer program product runs in a computer system, the program code is used for enabling the computer system to realize the network abnormal flow analysis method based on the elastic search technology provided by the embodiment of the disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1101. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program can also be transmitted, distributed over a network medium in the form of signals, downloaded and installed via the communication portion 1109, and/or installed from the removable media 1111. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1109, and/or installed from the removable media 1111. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1101. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, the program code of the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. While the present disclosure has been shown and described with reference to certain exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present disclosure as defined by the appended claims and their equivalents. The scope of the disclosure should, therefore, not be limited to the above-described embodiments, but should be determined not only by the following claims, but also by the equivalents of the following claims.

Claims (10)

1. A network anomaly traffic analysis method based on an elastic search technology, the method comprising:
acquiring network traffic data, wherein the network traffic data comprises normal traffic data and/or abnormal traffic data; monitoring all ports of at least one device included in a network, and periodically collecting and storing network traffic data of all ports to obtain the network traffic data;
storing the network traffic data into an elastic search engine;
obtaining abnormal traffic data from the network traffic data using the elastic search engine, including:
when the flow of any port is monitored to exceed a preset threshold, recording the port and a time point to obtain an alarm port and an alarm time point;
acquiring a preset time period including the alarm time point, wherein the preset time period comprises at least one complete acquisition period;
acquiring abnormal network traffic data in the preset time period from the network traffic data by using range query of the elastic search engine;
acquiring the abnormal traffic data of the alarm port from the abnormal network traffic data by using the term query of the elastic search engine;
analyzing the abnormal traffic data by using the elastic search engine to obtain an analysis result of the abnormal traffic data, including: determining all applications corresponding to the alarm port to obtain an application list; dividing the abnormal traffic data according to the applications in the application list by using the Bucket Aggregation (bucket aggregation) query of the elastic search engine to obtain the traffic data of each application in the application list; performing an aggregation operation on the traffic data of each application in the application list by using the Metrics Aggregation (metric aggregation) of the elastic search engine, and computing statistics on the traffic data of each application according to a preset dimension to obtain the analysis result of the abnormal traffic data; and if at least two alarm ports appear at the same time point, analyzing the at least two alarm ports one by one according to the number of applications corresponding to each alarm port.
2. The method for analyzing network abnormal traffic based on the elastic search technology according to claim 1, wherein the storing the network traffic data in the elastic search engine specifically comprises:
analyzing the network flow data according to a preset format to obtain an analysis result, wherein the analysis result comprises a source address, a source port and a destination address;
performing secondary aggregation on the network traffic data by taking the source address, the source port and the destination address as dimensions respectively to obtain an aggregated traffic packet;
and storing the aggregate traffic packet into the elastic search engine.
3. The method for analyzing abnormal network traffic based on the elastic search technology according to claim 1, wherein the preset dimensions include total traffic, average traffic, and bandwidth duty ratio of the application.
4. The method for analyzing abnormal network traffic based on the elastic search technology according to claim 2, wherein the collection time of the aggregate traffic packet is the latest collection time of the network traffic data.
5. A network abnormal traffic analysis device based on the elastic search technology, the device comprising:
a first acquisition module for acquiring network traffic data, wherein the network traffic data comprises normal traffic data and/or abnormal traffic data; the first acquisition module comprises a monitoring module for monitoring all ports of at least one device included in a network and periodically collecting and storing the traffic data of all ports, thereby obtaining the network traffic data;
a storage module for storing the network traffic data in an elastic search engine;
a second acquisition module for acquiring abnormal traffic data from the network traffic data by using the elastic search engine; and
an analysis module for analyzing the abnormal traffic data by using the elastic search engine to obtain an analysis result of the abnormal traffic data;
wherein the second acquisition module comprises an alarm module and a third acquisition module, wherein
the alarm module is used for recording the port and the time point when the traffic on any port is observed to exceed a preset threshold value, thereby obtaining an alarm port and an alarm time point; and
the third acquisition module is used for: acquiring a preset time period including the alarm time point, wherein the preset time period comprises at least one complete collection period; acquiring abnormal network traffic data within the preset time period from the network traffic data by using a range query of the elastic search engine; and acquiring the abnormal traffic data of the alarm port from the abnormal network traffic data by using a term query of the elastic search engine;
the analysis module comprises an application module, a dividing module and a statistics module, wherein
the application module is used for determining all applications corresponding to the alarm port to obtain an application list;
the dividing module is configured to divide the abnormal traffic data according to the applications in the application list by using a Bucket Aggregation (bucket-type aggregation) query of the elastic search engine, to obtain the traffic data of each application in the application list; and
the statistics module is used for performing an aggregation operation on the traffic data of each application in the application list by using a Metrics Aggregation (metric aggregation) of the elastic search engine, and for computing statistics on the traffic data of each application according to a preset dimension, to obtain an abnormal traffic analysis result;
and the analysis module is further used for analyzing at least two alarm ports one by one, in order of the number of applications corresponding to each alarm port, if the at least two alarm ports appear at the same time point.
6. The network abnormal traffic analysis device based on the elastic search technology according to claim 5, wherein the storage module comprises:
a parsing module for parsing the network traffic data according to a preset format to obtain a parsing result, wherein the parsing result comprises a source address, a source port and a destination address; and
an aggregation module for performing secondary aggregation on the network traffic data, taking the source address, the source port and the destination address respectively as dimensions, to obtain an aggregated traffic packet, and for storing the aggregated traffic packet in the elastic search engine.
7. The network abnormal traffic analysis device based on the elastic search technology according to claim 5, wherein the preset dimensions include total traffic, average traffic, and bandwidth ratio per application.
8. The network abnormal traffic analysis device based on the elastic search technology according to claim 6, wherein the collection time of the aggregated traffic packet is the latest collection time of the network traffic data it aggregates.
9. An electronic device, comprising:
one or more processors; and
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the network abnormal traffic analysis method based on the elastic search technology according to any one of claims 1 to 4.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the network abnormal traffic analysis method based on the elastic search technology according to any one of claims 1 to 4.
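The claimed pipeline end to end, as an added example that is not the patent's own code: the secondary aggregation of claims 2 and 4, the Elasticsearch range/term query with the bucket and metrics aggregations of claim 5 expressed as query DSL, and an offline evaluator that reproduces the per-application statistics of claim 3 over constructed flow records. The field names (src, sport, dst, port, app, bytes, ts), the link capacity and the time window are assumptions.

```python
from collections import defaultdict

def aggregate_flows(records):
    """Claims 2/4: secondary aggregation keyed by (src, sport, dst); the packet
    keeps the latest collection time of the flows it merges (field names assumed)."""
    packets = {}
    for r in records:
        key = (r["src"], r["sport"], r["dst"])
        p = packets.setdefault(key, {**r, "bytes": 0, "ts": 0})
        p["bytes"] += r["bytes"]
        p["ts"] = max(p["ts"], r["ts"])
    return list(packets.values())

def build_anomaly_query(alarm_port, start, end):
    """Elasticsearch DSL for claim 5: range query on the window around the alarm,
    term query on the alarm port, terms bucket aggregation per application with
    sum/avg metric aggregations (index field names are assumptions)."""
    return {"size": 0,
            "query": {"bool": {"filter": [
                {"range": {"ts": {"gte": start, "lt": end}}},
                {"term": {"port": alarm_port}}]}},
            "aggs": {"per_app": {"terms": {"field": "app"}, "aggs": {
                "total_bytes": {"sum": {"field": "bytes"}},
                "avg_bytes": {"avg": {"field": "bytes"}}}}}}

def analyze_locally(packets, alarm_port, start, end, link_bytes_per_s):
    """Offline stand-in for the ES aggregation: per-app total, average and
    bandwidth ratio (bytes in the window / link capacity over the window)."""
    buckets = defaultdict(list)
    for p in packets:
        if start <= p["ts"] < end and p["port"] == alarm_port:
            buckets[p["app"]].append(p["bytes"])
    capacity = link_bytes_per_s * (end - start)
    out = {app: {"total": sum(s), "avg": sum(s) / len(s),
                 "bandwidth_ratio": sum(s) / capacity} for app, s in buckets.items()}
    return dict(sorted(out.items(), key=lambda kv: -kv[1]["total"]))

# Constructed raw flow records; "port" is the monitored device port (3 = alarm port).
RAW_FLOWS = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "10.0.1.9", "port": 3, "app": "web", "bytes": 4000, "ts": 100},
    {"src": "10.0.0.5", "sport": 51000, "dst": "10.0.1.9", "port": 3, "app": "web", "bytes": 6000, "ts": 110},
    {"src": "10.0.0.7", "sport": 40001, "dst": "10.0.1.9", "port": 3, "app": "backup", "bytes": 30000, "ts": 120},
    {"src": "10.0.0.8", "sport": 40002, "dst": "10.0.1.9", "port": 3, "app": "api", "bytes": 10000, "ts": 130},
    {"src": "10.0.0.7", "sport": 40003, "dst": "10.0.1.9", "port": 3, "app": "backup", "bytes": 99999, "ts": 200},  # outside window
    {"src": "10.0.0.9", "sport": 40004, "dst": "10.0.1.9", "port": 1, "app": "ssh", "bytes": 500, "ts": 115},  # other port
]

if __name__ == "__main__":
    stored = aggregate_flows(RAW_FLOWS)
    print(build_anomaly_query(3, 100, 150))
    print(analyze_locally(stored, 3, 100, 150, 1000))
```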
CN202111077098.7A 2021-09-14 2021-09-14 Network abnormal traffic analysis method and device based on elastic search technology and electronic equipment Active CN113794719B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111077098.7A CN113794719B (en) 2021-09-14 2021-09-14 Network abnormal traffic analysis method and device based on elastic search technology and electronic equipment

Publications (2)

Publication Number Publication Date
CN113794719A CN113794719A (en) 2021-12-14
CN113794719B true CN113794719B (en) 2023-07-25

Family

ID=79183317

Country Status (1)

Country Link
CN (1) CN113794719B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113162818A (en) * 2021-02-01 2021-07-23 国家计算机网络与信息安全管理中心 Method and system for realizing distributed flow acquisition and analysis

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916856B (en) * 2012-10-30 2015-11-11 中国工商银行股份有限公司 A kind of application oriented network flow monitoring method, Apparatus and system
CN103532940B (en) * 2013-09-30 2016-06-08 广东电网公司电力调度控制中心 network security detection method and device
CN108429651B (en) * 2018-06-06 2022-02-25 腾讯科技(深圳)有限公司 Flow data detection method and device, electronic equipment and computer readable medium
WO2020006562A1 (en) * 2018-06-29 2020-01-02 Rocus Group, Llc Integrated security and threat prevention and detection device
CN109150859B (en) * 2018-08-02 2021-03-19 北京北信源信息安全技术有限公司 Botnet detection method based on network traffic flow direction similarity
US11586972B2 (en) * 2018-11-19 2023-02-21 International Business Machines Corporation Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs
CN110650126A (en) * 2019-09-06 2020-01-03 珠海格力电器股份有限公司 Method and device for preventing website traffic attack, intelligent terminal and storage medium

Also Published As

Publication number Publication date
CN113794719A (en) 2021-12-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant