CN114024867A - Network anomaly detection method and device - Google Patents

Publication number: CN114024867A
Authority: CN (China)
Prior art keywords: network, request, requests, abnormal, expiration time
Legal status: Granted (Active)
Application number: CN202111329927.6A
Other languages: Chinese (zh)
Other versions: CN114024867B (en)
Inventors: 胡殿魏, 申锦涛
Current Assignee: China Construction Bank Corp
Original Assignee: China Construction Bank Corp
Application filed by China Construction Bank Corp
Priority to CN202111329927.6A
Publication of CN114024867A
Application granted
Publication of CN114024867B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • H04L43/0888: Throughput

Landscapes

  • Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The disclosure provides a network anomaly detection method which can be applied to the technical field of the Internet. The network anomaly detection method comprises the following steps: monitoring the network request to obtain a monitoring result for representing that the network request is a normal request or an abnormal request; based on the monitoring result, recording the total quantity of the network requests and the quantity of the abnormal requests in an expiration time range by using a monitoring key configured in a cache database, wherein the expiration time range is an effective working range of the monitoring key; and generating a network anomaly detection result within an expiration time range according to the total number of the network requests and the number of the anomaly requests. The present disclosure also provides a network anomaly detection apparatus, device, storage medium and program product.

Description

Network anomaly detection method and device
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a method, an apparatus, a device, a medium, and a program product for detecting network anomalies.
Background
At present, a server usually uses the internet to send notifications and push files to objects such as mobile terminals; if a network abnormality is not discovered and resolved in time, it can have a serious impact on business.
In the course of implementing the disclosed concept, the inventors found that the related art determines whether the network is abnormal by analyzing network logs on the basis of problem feedback, and lacks an effective method for early warning of network anomalies.
Disclosure of Invention
In view of the above, the present disclosure provides a network anomaly detection method, apparatus, device, medium, and program product.
According to a first aspect of the present disclosure, there is provided a network anomaly detection method, including:
monitoring a network request to obtain a monitoring result indicating whether the network request is a normal request or an abnormal request;
based on the monitoring result, recording the total number of network requests and the number of abnormal requests within an expiration time range by using a monitoring key configured in a cache database, wherein the expiration time range is the effective working range of the monitoring key; and
generating a network anomaly detection result within the expiration time range according to the total number of network requests and the number of abnormal requests.
According to an embodiment of the present disclosure, generating the network anomaly detection result within the expiration time range according to the total number of network requests and the number of abnormal requests includes:
acquiring, from the monitoring key, a first record value representing the total number of network requests and a second record value representing the number of abnormal requests;
generating a first ratio according to the first record value and the second record value, wherein the first ratio represents the network request abnormality rate within the expiration time; and
taking the first ratio as the network anomaly detection result.
According to an embodiment of the present disclosure, the method further includes:
generating abnormality reminder information when the first ratio is greater than a first preset threshold.
According to an embodiment of the present disclosure, the monitoring key records the number of abnormal requests by:
in response to recording an abnormal request, acquiring the remaining expiration time of the monitoring key; and
after the abnormal request is recorded, taking the remaining expiration time as the expiration time of the monitoring key.
According to an embodiment of the present disclosure, the network request carries call information for a target object, and the method further includes:
in response to the network request successfully calling the target object, determining the network request to be a normal network request; otherwise, determining the network request to be an abnormal network request.
According to an embodiment of the present disclosure, the method further includes:
generating throughput abnormality reminder information when the first record value is greater than a second preset threshold.
A second aspect of the present disclosure provides a network anomaly detection apparatus, including:
a monitoring module, configured to monitor a network request to obtain a monitoring result indicating whether the network request is a normal request or an abnormal request;
a recording module, configured to record, based on the monitoring result, the total number of network requests and the number of abnormal requests within an expiration time range by using a monitoring key configured in a cache database, where the expiration time range is the effective working range of the monitoring key; and
a first generation module, configured to generate a network anomaly detection result within the expiration time range according to the total number of network requests and the number of abnormal requests.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the network anomaly detection method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described network anomaly detection method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described network anomaly detection method.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a network anomaly detection method, apparatus, device, medium and program product according to embodiments of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a network anomaly detection method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart for generating network anomaly detection results within an expiration time range according to the total number of network requests and the number of abnormal requests according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a monitor key recording an abnormal network request according to an embodiment of the present disclosure;
FIG. 5 schematically shows a block diagram of a structure of a network anomaly detection apparatus according to an embodiment of the present disclosure; and
FIG. 6 schematically shows a block diagram of an electronic device adapted to implement a network anomaly detection method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
Current application platforms generally use the internet to send notifications and push information to users; if a network abnormality of the application platform is not discovered and resolved in time, it may have a serious impact on business. In the related art, whether a network has a problem is determined by means of problem feedback and log analysis, and a method for early warning of network abnormality is lacking.
The disclosure provides a network anomaly detection method which can be applied to the technical field of the Internet. The network anomaly detection method comprises the following steps: monitoring the network request to obtain a monitoring result for representing that the network request is a normal request or an abnormal request; based on the monitoring result, recording the total quantity of the network requests and the quantity of the abnormal requests in an expiration time range by using a monitoring key configured in a cache database, wherein the expiration time range is an effective working range of the monitoring key; and generating a network anomaly detection result within an expiration time range according to the total number of the network requests and the number of the anomaly requests. The present disclosure also provides a network anomaly detection apparatus, device, storage medium and program product.
Fig. 1 schematically illustrates an application scenario diagram of a network anomaly detection method, apparatus, device, medium, and program product according to embodiments of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the network anomaly detection method provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the network anomaly detection apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The network anomaly detection method provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the network anomaly detection apparatus provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster that is different from the server 105 and can communicate with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The network anomaly detection method of the disclosed embodiment will be described in detail below with fig. 2 to 4 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of a network anomaly detection method according to an embodiment of the present disclosure.
As shown in fig. 2, the network anomaly detection method of this embodiment includes operations S201 to S203.
In operation S201, the network request is monitored to obtain a monitoring result for indicating that the network request is a normal request or an abnormal request.
According to the embodiment of the disclosure, after the network request is received, the network request can be determined to be a normal network request or an abnormal network request based on a handshake protocol and the like.
According to the embodiment of the disclosure, for example, A sends a network request to B, and the network request is used for requesting push information from B. If B can normally receive the network request, or normally receives the network request and normally pushes the push information to A, the network request can be determined to be a normal network request; otherwise, the network request can be determined to be an abnormal network request.
According to the embodiment of the disclosure, each time a network request is received, it needs to be determined whether the network request is a normal network request or an abnormal network request.
In operation S202, based on the monitoring result, the total number of network requests and the number of abnormal requests within an expiration time range are recorded by using a monitoring key configured in a cache database, wherein the expiration time range is a valid working range of the monitoring key.
According to the embodiment of the present disclosure, a monitor key having an expiration time range may be configured in a cache database in advance. The monitoring key has a function of data recording, and for example, the number of network requests can be recorded based on a counter.
According to an embodiment of the present disclosure, the cache database may include a redis database.
According to the embodiment of the present disclosure, the expiration time range can be flexibly set by a person skilled in the art according to actual needs, for example, the expiration time range can include 1 minute, 5 minutes, 10 minutes, 30 minutes, and the like.
In operation S203, a network anomaly detection result within an expiration time range is generated according to the total number of network requests and the number of anomaly requests.
According to the embodiment of the disclosure, by generating the network anomaly detection result within the expiration time range, the detection time of the network anomaly can be divided into fine granularities, the network anomaly can be early warned in time, and the early warning effect is improved.
In the embodiment of the disclosure, the network requests are monitored, the monitoring results are recorded by using the monitoring keys configured in the cache database, and the total quantity of the network requests and the quantity of the abnormal requests are determined, so that a network abnormality detection result can be generated, and accurate early warning of network abnormality is realized.
According to an embodiment of the present disclosure, the network request carries invocation information for the target object.
According to an embodiment of the disclosure, the target object may include an application component such as a control, or a data file.
The network anomaly detection method provided by the embodiment of the disclosure further includes the following step:
in response to the network request successfully calling the target object, determining the network request to be a normal network request; otherwise, determining the network request to be an abnormal network request.
According to an embodiment of the present disclosure, for example, A sends a network request to B, where the network request carries call information for the data file C. If B receives the network request and returns the data file C to A, the network request can be determined to be a normal network request; otherwise, the network request can be determined to be an abnormal network request.
Fig. 3 schematically shows a flowchart for generating a network anomaly detection result within an expiration time range according to the total number of network requests and the number of anomaly requests according to an embodiment of the present disclosure.
As shown in fig. 3, the method of this embodiment includes operations S301 to S303.
In operation S301, a first record value representing the total number of network requests and a second record value representing the number of abnormal requests are acquired from the monitoring key.
According to the embodiment of the present disclosure, the monitoring key may include a first counter and a second counter, and the first counter may be used to count the total number of all network requests, for example, the first counter may be incremented by 1 every time a network request is received, and the count result is stored in the first count table; the second counter may be used to count the number of abnormal network requests, for example, the second counter may be incremented by 1 only when an abnormal network request is monitored, and the count result is stored in the second count table.
According to the embodiment of the disclosure, after the expiration time range is timed, a first record value can be obtained from the first count table, and a second record value can be obtained from the second count table.
In operation S302, a first ratio is generated according to the first record value and the second record value, and the first ratio characterizes a network request anomaly rate within an expiration time.
According to an embodiment of the present disclosure, the first ratio may be generated, for example, by dividing the second recorded value by the first recorded value.
In operation S303, the first ratio is used as a network abnormality detection result.
According to an embodiment of the present disclosure, after operation S301, the network anomaly detection method further includes:
generating abnormality reminder information when the first ratio is greater than a first preset threshold.
According to the embodiment of the disclosure, in practical applications, a network request may fail for reasons unrelated to the network. For example, if a network request does not have the right to call a control or a data file, it cannot correctly call the target object and is determined to be an abnormal network request; likewise, if the control or data file that the network request asks to call does not exist, the network request cannot correctly call the target object and is also determined to be an abnormal network request. These abnormal network requests are not caused by a network abnormality, so concluding that the network is abnormal whenever an abnormal network request is detected may lead to misjudgment.
Therefore, a first preset threshold can be set in advance. The first preset threshold represents the proportion of abnormal network requests among all network requests that is within a safe range. When the first ratio is greater than the first preset threshold, that is, when a large number of abnormal network requests exist within the expiration time range, abnormality reminder information can be generated to remind operation and maintenance personnel to check the network conditions and determine whether the network is abnormal.
According to the embodiment of the disclosure, a plurality of first preset threshold intervals can be set in advance; each first preset threshold interval can correspond to a different early warning level, and each early warning level can correspond to different abnormality reminder information.
For example, the plurality of first threshold intervals may include A-B, B-C and C-D. The first threshold interval A-B may represent a mild abnormality, and the corresponding abnormality reminder information may be the first ratio sent to operation and maintenance personnel by short message. The first threshold interval B-C may represent a moderate abnormality, and the corresponding abnormality reminder information may be the first ratio and a recommended troubleshooting method sent to operation and maintenance personnel by short message, large-screen display and the like. The first threshold interval C-D may represent a serious abnormality, and the corresponding abnormality reminder information may be the first ratio and a recommended troubleshooting method sent to operation and maintenance personnel by short message, large-screen display and the like, together with the abnormal condition sent to the supervisor of the operation and maintenance unit.
According to an embodiment of the present disclosure, after operation S301, the network anomaly detection method further includes:
generating throughput abnormality reminder information when the first record value is greater than a second preset threshold.
According to the embodiment of the disclosure, the application platform such as a server can only process limited network requests, and if the number of network requests exceeds the maximum load of the application platform, the application platform may crash or otherwise have adverse conditions.
According to the embodiment of the present disclosure, the value of the second preset threshold may be determined by a person skilled in the art according to practical application, and the embodiment of the present disclosure does not specifically limit the specific value of the second preset threshold. The second preset threshold may be determined according to a maximum network request load amount of the application platform, for example, 90%, 85%, or 80% of the maximum network request load amount of the application platform may be determined as the second preset threshold.
According to the embodiment of the disclosure, when the first record value is greater than the second preset threshold value, it is indicated that the total number of the network requests exceeds the preset safety load of the application platform, so that the throughput exception reminding information can be generated, and an operation and maintenance worker can expand the maximum load of the network requests of the application platform or limit the network requests.
Fig. 4 schematically illustrates a flow chart of a monitor key recording an abnormal network request according to an embodiment of the present disclosure.
As shown in fig. 4, the method of this embodiment includes operations S401 to S402.
In operation S401, in response to recording an abnormal request, the remaining expiration time of the monitor key is acquired.
In operation S402, after the abnormal request is recorded, the remaining expiration time is used as the expiration time of the monitor key.
According to the embodiment of the present disclosure, for example, the expiration time range of the monitor key is 10 seconds, and at the 3rd second the monitor key records an abnormal network request; at this time, the remaining expiration time of the monitor key can be obtained.
According to an embodiment of the present disclosure, the remaining expiration time may be calculated based on the expiration time range and the timed time range of the monitor key.
According to the embodiment of the disclosure, after the abnormal network request is recorded, the remaining expiration time is used as the expiration time, and timing is restarted based on the newly generated expiration time.
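Added example (not part of the patent text): operations S201 to S203, S301 to S303 and S401 to S402 in Python, using an in-memory stand-in for the cache database so that it runs without a redis server and reads the counters while the key is still live. The key name, threshold values, FakeClock and the event list are constructed assumptions; the example also goes slightly beyond the text by preserving the remaining expiration time on every counter update, not only on abnormal requests, and by storing both counters under one key so that they share one window.

```python
import time

MONITOR_KEY = "net:monitor"  # hypothetical key name


class TTLStore:
    """Constructed in-memory stand-in for a cache database with expiring keys."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._data = {}  # key -> (value, absolute expiry time or None)

    def _live(self, key):
        item = self._data.get(key)
        if item and item[1] is not None and self._clock() >= item[1]:
            del self._data[key]  # lazily drop expired keys
            return None
        return item

    def get(self, key):
        item = self._live(key)
        return item[0] if item else None

    def ttl(self, key):
        """Remaining lifetime in seconds, or None if the key is absent or has no expiry."""
        item = self._live(key)
        if not item or item[1] is None:
            return None
        return item[1] - self._clock()

    def set(self, key, value, ttl=None):
        # A plain overwrite discards the old expiry; the caller must pass ttl to keep one.
        self._data[key] = (value, None if ttl is None else self._clock() + ttl)


class RequestMonitor:
    def __init__(self, store, window, levels, max_total):
        self.store = store
        self.window = window        # expiration time range of the monitor key, seconds
        self.levels = levels        # [(low, high, name)]: level applies when low < ratio <= high
        self.max_total = max_total  # second preset threshold (throughput)

    def record(self, abnormal):
        """S202 with S401/S402: update the counters without extending the window."""
        remaining = self.store.ttl(MONITOR_KEY)        # S401: remaining expiration time
        total, bad = self.store.get(MONITOR_KEY) or (0, 0)
        if remaining is None:                          # no live key: open a new window
            remaining = self.window
        # S402: write back with the remaining time, not a fresh full window
        self.store.set(MONITOR_KEY, (total + 1, bad + int(abnormal)), ttl=remaining)

    def evaluate(self):
        """S301-S303 plus both threshold checks, read while the key is still live."""
        total, bad = self.store.get(MONITOR_KEY) or (0, 0)
        ratio = bad / total if total else 0.0          # first ratio: abnormal / total
        level = next((n for lo, hi, n in self.levels if lo < ratio <= hi), None)
        return {"total": total, "abnormal": bad, "ratio": ratio,
                "level": level, "throughput_alert": total > self.max_total}


class FakeClock:
    """Constructed controllable clock so the example is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_demo():
    clock = FakeClock()
    store = TTLStore(clock)
    # Constructed threshold intervals (A-B, B-C, C-D in the text) and load limit
    levels = [(0.05, 0.20, "mild"), (0.20, 0.50, "moderate"), (0.50, 1.00, "severe")]
    mon = RequestMonitor(store, window=10, levels=levels, max_total=8)
    # Constructed outcomes: (seconds since start, call to target object failed?)
    events = [(0, False), (1, False), (2, False), (3, True), (4, False),
              (5, True), (6, False), (7, False), (8, True), (9, False)]
    for t, failed in events:
        clock.now = float(t)
        mon.record(abnormal=failed)
    in_window = mon.evaluate()
    ttl_left = store.ttl(MONITOR_KEY)   # 1 s left: writes did not restart the window
    clock.now = 10.0                    # the original 10 s window has ended
    after_expiry = mon.evaluate()       # key expired, counters start from zero
    return in_window, ttl_left, after_expiry


if __name__ == "__main__":
    print(run_demo())
```

If `record` wrote the counters back without a TTL, or with the full window each time, the key would either never expire or keep sliding forward, and the ratio would no longer describe a fixed expiration time range.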
Based on the network anomaly detection method, the disclosure also provides a network anomaly detection device. The apparatus will be described in detail below with reference to fig. 5.
Fig. 5 schematically shows a block diagram of a network anomaly detection apparatus according to an embodiment of the present disclosure.
As shown in fig. 5, the network abnormality detection apparatus 500 of this embodiment includes a monitoring module 501, a recording module 502, and a first generation module 503.
The monitoring module 501 is configured to monitor the network request to obtain a monitoring result for indicating that the network request is a normal request or an abnormal request. In an embodiment, the monitoring module 501 may be configured to perform the operation S201 described above, which is not described herein again.
The recording module 502 is configured to record the total number of network requests and the number of abnormal requests in an expiration time range by using a monitoring key configured in the cache database based on the monitoring result, where the expiration time range is an effective working range of the monitoring key. In an embodiment, the recording module 502 may be configured to perform the operation S202 described above, which is not described herein again.
The first generating module 503 is configured to generate a network anomaly detection result within an expiration time range according to the total number of network requests and the number of abnormal requests. In an embodiment, the first generating module 503 may be configured to perform the operation S203 described above, which is not described herein again.
According to an embodiment of the present disclosure, the first generating module 503 includes a first recording unit, a first generating unit, and a second generating unit.
The first recording unit is configured to acquire, from the monitoring key, a first record value representing the total number of network requests and a second record value representing the number of abnormal requests.
The first generating unit is configured to generate a first ratio according to the first record value and the second record value, where the first ratio represents the network request abnormality rate within the expiration time.
The second generating unit is configured to take the first ratio as the network anomaly detection result.
According to an embodiment of the present disclosure, the first generating module 503 further includes a second generating unit.
The second generating unit is configured to generate abnormality reminder information when the first ratio is greater than the first preset threshold.
According to an embodiment of the present disclosure, the monitoring module 501 includes a first obtaining unit and a third generating unit.
The first obtaining unit is configured to obtain the remaining expiration time of the monitor key in response to recording an abnormal request.
The third generating unit is configured to take the remaining expiration time as the expiration time of the monitoring key after the abnormal request is recorded.
According to an embodiment of the present disclosure, the network request carries invocation information for the target object.
According to an embodiment of the present disclosure, the network anomaly detection apparatus 500 further includes a determination module.
The determining module is configured to, in response to the network request successfully calling the target object, determine the network request to be a normal network request, and otherwise determine the network request to be an abnormal network request.
According to an embodiment of the present disclosure, the first generating module 503 further includes a fourth generating unit.
The fourth generating unit is configured to, in response to the network request successfully calling the target object, determine the network request to be a normal network request, and otherwise determine the network request to be an abnormal network request.
According to the embodiment of the present disclosure, any plurality of modules in the monitoring module 501, the recording module 502 and the first generating module 503 may be combined and implemented in one module, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the monitoring module 501, the recording module 502, and the first generating module 503 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or may be implemented by any one of or a suitable combination of software, hardware, and firmware. Alternatively, at least one of the monitoring module 501, the recording module 502 and the first generating module 503 may be at least partly implemented as a computer program module, which when executed may perform a corresponding function.
Fig. 6 schematically shows a block diagram of an electronic device adapted to implement a network anomaly detection method according to an embodiment of the present disclosure.
As shown in Fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 601 may also include onboard memory for caching purposes. The processor 601 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. The processor 601 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or RAM 603. It is to be noted that the programs may also be stored in one or more memories other than the ROM 602 and RAM 603. The processor 601 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 600 may also include an input/output (I/O) interface 605, which is also connected to the bus 604. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read from it is installed in the storage section 608 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 602 and/or RAM 603 described above and/or one or more memories other than the ROM 602 and RAM 603.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the network anomaly detection method provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 601. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, downloaded and installed through the communication section 609, and/or installed from the removable medium 611. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments and/or claims of the present disclosure can be combined and/or incorporated in various ways, even if such combinations or incorporations are not expressly recited in the present disclosure. In particular, the features recited in the various embodiments and/or claims of the present disclosure may be combined and/or incorporated in various ways without departing from the spirit or teaching of the present disclosure. All such combinations and/or incorporations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A network anomaly detection method, comprising:
monitoring a network request to obtain a monitoring result indicating whether the network request is a normal request or an abnormal request;
recording, based on the monitoring result, the total number of network requests and the number of abnormal requests within an expiration time range by using a monitoring key configured in a cache database, wherein the expiration time range is the effective working range of the monitoring key; and
generating a network anomaly detection result within the expiration time range according to the total number of network requests and the number of abnormal requests.
2. The method of claim 1, wherein the generating a network anomaly detection result within the expiration time range according to the total number of network requests and the number of abnormal requests comprises:
acquiring, from the monitoring key, a first record value representing the total number of network requests and a second record value representing the number of abnormal requests;
generating a first ratio according to the first record value and the second record value, wherein the first ratio represents the abnormal rate of network requests within the expiration time; and
taking the first ratio as the network anomaly detection result.
3. The method of claim 2, further comprising:
generating abnormality reminder information when the first ratio is greater than a first preset threshold.
4. The method of claim 1, wherein the monitoring key records the number of abnormal requests by:
in response to recording one abnormal request, acquiring the remaining expiration time of the monitoring key; and
after the abnormal request is recorded, taking the remaining expiration time as the expiration time of the monitoring key.
5. The method of claim 1, wherein the network request carries invocation information for a target object; the method further comprises:
in response to the network request successfully calling the target object, determining the network request to be a normal network request, and otherwise determining the network request to be an abnormal network request.
6. The method of claim 2, further comprising:
generating throughput abnormality reminder information when the first record value is greater than a second preset threshold.
7. A network anomaly detection apparatus, comprising:
a monitoring module, configured to monitor a network request to obtain a monitoring result indicating whether the network request is a normal request or an abnormal request;
a recording module, configured to record, based on the monitoring result, the total number of network requests and the number of abnormal requests within an expiration time range by using a monitoring key configured in a cache database, wherein the expiration time range is the effective working range of the monitoring key; and
a first generation module, configured to generate a network anomaly detection result within the expiration time range according to the total number of network requests and the number of abnormal requests.
8. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 6.
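The method of claims 1 to 6 can be traced in a short sketch. This is an added example, not code from the patent: `TTLCache` is a constructed in-memory stand-in for the cache database, and `AnomalyMonitor`, the key name, the 60-second window and both thresholds are assumptions chosen for illustration.

```python
import time


class TTLCache:
    """In-memory stand-in for a cache database with per-key expiry (constructed)."""

    def __init__(self, clock=time.monotonic):
        self._clock, self._data = clock, {}  # key -> (value, expires_at)

    def ttl(self, key):
        """Remaining lifetime in seconds, or None if the key is absent or expired."""
        item = self._data.get(key)
        left = item[1] - self._clock() if item else None
        return left if left is not None and left > 0 else None

    def get(self, key):
        return self._data[key][0] if self.ttl(key) is not None else None

    def set(self, key, value, ex):
        self._data[key] = (value, self._clock() + ex)


class AnomalyMonitor:
    def __init__(self, cache, key, window, rate_threshold, throughput_threshold):
        self.cache, self.key, self.window = cache, key, window
        self.rate_threshold = rate_threshold
        self.throughput_threshold = throughput_threshold

    def record(self, call_succeeded):
        """Count one request; a failed call to the target object is abnormal (claim 5)."""
        remaining = self.cache.ttl(self.key)
        counts = self.cache.get(self.key) if remaining is not None else None
        if counts is None:  # no live monitoring key: open a new window
            counts, remaining = {"total": 0, "abnormal": 0}, self.window
        counts = {"total": counts["total"] + 1,
                  "abnormal": counts["abnormal"] + (0 if call_succeeded else 1)}
        # Claim 4: write back with the remaining expiry so the update does not extend
        # the window. Applied here to every write; a real cache needs this to be atomic.
        self.cache.set(self.key, counts, ex=remaining)

    def result(self):
        """Anomaly rate and alerts for the live window, or None once it has expired."""
        counts = self.cache.get(self.key)
        if counts is None:
            return None
        rate = counts["abnormal"] / counts["total"]       # first ratio (claim 2)
        alerts = []
        if rate > self.rate_threshold:                    # claim 3
            alerts.append("anomaly_rate")
        if counts["total"] > self.throughput_threshold:   # claim 6
            alerts.append("throughput")
        return {"total": counts["total"], "abnormal": counts["abnormal"],
                "rate": rate, "alerts": alerts}


def demo():
    now = [0]  # fake clock in seconds so the run is deterministic
    monitor = AnomalyMonitor(TTLCache(lambda: now[0]), "monitor:target", window=60,
                             rate_threshold=0.2, throughput_threshold=100)
    for ok in [True, True, False, True, True, False, True, True, False, True]:  # constructed
        monitor.record(ok)
        now[0] += 5
    in_window, ttl_left = monitor.result(), monitor.cache.ttl(monitor.key)
    now[0] = 61  # past the original 60 s window
    return in_window, ttl_left, monitor.result()
```

Without the write-back of the remaining expiry, every recorded request would restart the key's lifetime and the counters would never reset under steady traffic, so the ratio would stop describing a bounded window.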
CN202111329927.6A 2021-11-10 2021-11-10 Network anomaly detection method and device Active CN114024867B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111329927.6A CN114024867B (en) 2021-11-10 2021-11-10 Network anomaly detection method and device

Publications (2)

Publication Number Publication Date
CN114024867A true CN114024867A (en) 2022-02-08
CN114024867B CN114024867B (en) 2023-04-28

Family

ID=80063622

Country Status (1)

Country Link
CN (1) CN114024867B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant