CN115242427A - Network flow abnormity detection method and system - Google Patents

Publication number
CN115242427A
Authority
CN
China
Prior art keywords
network
time period
chart
flow
data
Prior art date
Legal status
Pending
Application number
CN202210640507.8A
Other languages
Chinese (zh)
Inventor
康振国
Current Assignee
Inspur Communication Information System Co Ltd
Original Assignee
Inspur Communication Information System Co Ltd
Priority date
2022-06-08
Filing date
2022-06-08
Publication date
2022-10-25

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Databases & Information Systems (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and a system for detecting network traffic anomalies. Different network environments are learned by a CNN model, and a chart drawing module turns the learning results into charts and stores them. When a network environment to be detected is accessed, the traffic monitoring module automatically detects the current network environment, matches the learning result closest to it, detects the traffic condition of the current network environment, and compares the detection result with the learning result, thereby detecting network traffic anomalies. The method and system detect the current network environment automatically, improve detection efficiency, reduce detection cost, and are suitable for wide application.

Description

Network flow abnormity detection method and system
Technical Field
The present invention relates to the field of network traffic detection technologies, and in particular, to a method and a system for detecting network traffic anomalies.
Background
The internet, also known as the international network, is a huge network formed by interconnecting networks; these networks are linked by a set of common protocols into a logically single international network. As the internet has developed, people have become increasingly dependent on it.
Communication over the internet is accompanied by network traffic. To keep internet communication working normally, the network traffic condition often has to be checked. In the conventional detection method, network traffic data is generally obtained manually and analyzed, and only then is it determined whether the network traffic is abnormal. This approach is time-consuming and labor-intensive and greatly increases labor cost.
In view of this situation, the present invention provides a method and a system for detecting network traffic anomalies.
Disclosure of Invention
To remedy the shortcomings of the prior art, the invention provides a simple and efficient method and system for detecting network traffic anomalies.
The invention is implemented through the following technical solution:
A network traffic anomaly detection method, characterized in that the method comprises the following steps:
S1, establishing a CNN model, deploying the established CNN model in each network environment, and at the same time acquiring real-time network traffic data for each time period t in the different network environments;
S2, averaging the network traffic data of each time period t acquired in the network environment of the CNN model to obtain the average value of the network traffic data in time period t, and taking the average value as the weight of the CNN model;
S3, taking the real-time network data of each time period t acquired in the network environment of the CNN model as the input data sample set of the CNN model, running network traffic multiple times, and recording the input data sample set;
S4, drawing the network traffic condition of each time period t in the different network environments into charts using a chart drawing algorithm, and storing the drawn charts;
S5, accessing the network environment to be detected, acquiring network traffic data for each time period t of the current network, comparing the acquired network traffic data with the input data sample set recorded in step S3, and matching the network traffic condition chart that corresponds to the input data sample set;
S6, comparing the matched network traffic condition chart with the network traffic condition chart of the current network environment to be detected; if the difference between the two in each time period t is not larger than a threshold preset by the user, judging that the network is not abnormal in the current time period; otherwise, judging that the network is abnormal and feeding the anomaly information back to the user.
In step S2, the maximum and minimum values in the network traffic data of each time period t are removed, the remaining network traffic data values are summed as effective values, and their average is taken as the weight of the CNN model.
In step S4, the process of drawing the chart is as follows:
S4.1, finding the initial time point t0 and the end time point t1 of each time period t and traversing the time points; all time points greater than the initial time point t0 and less than the end time point t1 are time points in time period t;
S4.2, first arranging the time periods in ascending order, and then arranging all the acquired traffic data within each time period t in ascending order;
S4.3, drawing the chart by taking the time points in each time period t as the horizontal axis and the traffic data as the vertical axis, and plotting each time point against its traffic data.
In step S6, the threshold preset by the user is 10%.
A network traffic anomaly detection system, characterized in that the system comprises a CNN model module, a chart drawing module, a traffic monitoring module and an information warning module;
different network environments are learned by the CNN model, and the chart drawing module turns the learning results into charts and stores them;
when the network environment to be detected is accessed, the traffic monitoring module automatically detects the current network environment, matches the learning result closest to the current network environment, detects the traffic condition of the current network environment, and compares the detection result with the learning result, thereby detecting network traffic anomalies.
The CNN model module is deployed in each network environment and learns the different network environments: it acquires real-time network traffic data for each time period t in the different network environments, takes the average of the network traffic data of each time period t acquired in the network environment as the weight of the CNN model, takes the real-time network data of each time period t acquired in the network environment as the input data sample set of the CNN model, runs network traffic multiple times, and records the input data sample set;
the chart drawing module is responsible for drawing the network traffic condition of each time period t in the different network environments into charts and storing the drawn charts;
after the network environment to be detected is accessed, the traffic monitoring module is responsible for acquiring network traffic data for each time period t of the current network, comparing the acquired network traffic data with the input data sample set recorded by the chart drawing module, and matching the network traffic condition chart that corresponds to the input data sample set;
the matched network traffic condition chart is then compared with the network traffic condition chart of the current network environment to be detected; if the difference between the network traffic data of the two in each time period t is not larger than a threshold preset by the user, the network is judged not abnormal in the current time period; otherwise, the network is judged abnormal and the anomaly information is fed back to the user through the information warning module.
The weight of the CNN model is the average obtained by summing the effective network traffic data; the effective network traffic data are the network traffic data remaining after the maximum and minimum values in the network traffic data of each time period t are removed.
When the chart drawing module draws a chart, it first finds the initial time point t0 and the end time point t1 of each time period t and traverses the time points; all time points greater than the initial time point t0 and less than the end time point t1 are time points in time period t. It then arranges the time periods in ascending order and arranges all the acquired traffic data within each time period t in ascending order. Finally, it draws the chart by taking the time points in each time period t as the horizontal axis and the traffic data as the vertical axis, and plotting each time point against its traffic data.
When the traffic monitoring module judges whether the network is abnormal or not, the threshold value preset by a user is 10%.
The beneficial effects of the invention are as follows: the method and system for detecting network traffic anomalies detect the current network environment automatically, improve detection efficiency, reduce detection cost, and are suitable for wide application.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram of a network traffic anomaly detection method according to the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The network traffic anomaly detection method comprises the following steps:
S1, establishing a CNN model, deploying the established CNN model in each network environment, and at the same time acquiring real-time network traffic data for each time period t in the different network environments;
S2, averaging the network traffic data of each time period t acquired in the network environment of the CNN model to obtain the average value of the network traffic data in time period t, and taking the average value as the weight of the CNN model;
S3, taking the real-time network data of each time period t acquired in the network environment of the CNN model as the input data sample set of the CNN model, running network traffic multiple times, and recording the input data sample set;
S4, drawing the network traffic condition of each time period t in the different network environments into charts using a chart drawing algorithm, and storing the drawn charts;
S5, accessing the network environment to be detected, acquiring network traffic data for each time period t of the current network, comparing the acquired network traffic data with the input data sample set recorded in step S3, and matching the network traffic condition chart that corresponds to the input data sample set;
S6, comparing the matched network traffic condition chart with the network traffic condition chart of the current network environment to be detected; if the difference between the network traffic data of the two in each time period t is not larger than a threshold preset by the user, judging that the network is not abnormal in the current time period; otherwise, judging that the network is abnormal and feeding the anomaly information back to the user.
In step S2, the maximum and minimum values in the network traffic data of each time period t are removed, the remaining network traffic data values are summed as effective values, and their average is taken as the weight of the CNN model.
In step S4, the process of drawing the chart is as follows:
S4.1, finding the initial time point t0 and the end time point t1 of each time period t and traversing the time points; all time points greater than the initial time point t0 and less than the end time point t1 are time points in time period t;
S4.2, first arranging the time periods in ascending order, and then arranging all the acquired traffic data within each time period t in ascending order;
S4.3, drawing the chart by taking the time points in each time period t as the horizontal axis and the traffic data as the vertical axis, and plotting each time point against its traffic data.
In step S6, the threshold preset by the user is 10%.
The network traffic anomaly detection system comprises a CNN model module, a chart drawing module, a traffic monitoring module and an information warning module;
different network environments are learned by the CNN model, and the chart drawing module turns the learning results into charts and stores them;
when the network environment to be detected is accessed, the traffic monitoring module automatically detects the current network environment, matches the learning result closest to the current network environment, detects the traffic condition of the current network environment, and compares the detection result with the learning result, thereby detecting network traffic anomalies.
The CNN model module is deployed in each network environment and learns the different network environments: it acquires real-time network traffic data for each time period t in the different network environments, takes the average of the network traffic data of each time period t acquired in the network environment as the weight of the CNN model, takes the real-time network data of each time period t acquired in the network environment as the input data sample set of the CNN model, runs network traffic multiple times, and records the input data sample set;
the chart drawing module is responsible for drawing the network traffic condition of each time period t in the different network environments into charts and storing the drawn charts;
after the network environment to be detected is accessed, the traffic monitoring module is responsible for acquiring network traffic data for each time period t of the current network, comparing the acquired network traffic data with the input data sample set recorded by the chart drawing module, and matching the network traffic condition chart that corresponds to the input data sample set;
the matched network traffic condition chart is then compared with the network traffic condition chart of the current network environment to be detected; if the difference between the network traffic data of the two in each time period t is not larger than a threshold preset by the user, the network is judged not abnormal in the current time period; otherwise, the network is judged abnormal and the anomaly information is fed back to the user through the information warning module.
The weight of the CNN model is the average obtained by summing the effective network traffic data; the effective network traffic data are the network traffic data remaining after the maximum and minimum values in the network traffic data of each time period t are removed.
When the chart drawing module draws a chart, it first finds the initial time point t0 and the end time point t1 of each time period t and traverses the time points; all time points greater than the initial time point t0 and less than the end time point t1 are time points in time period t. It then arranges the time periods in ascending order and arranges all the acquired traffic data within each time period t in ascending order. Finally, it draws the chart by taking the time points in each time period t as the horizontal axis and the traffic data as the vertical axis, and plotting each time point against its traffic data.
When the traffic monitoring module judges whether the network is abnormal, the threshold value preset by a user is 10%.
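The averaging of step S2, the matching of step S5 and the 10% comparison of step S6 (the work of the traffic monitoring module) are written out below as an added example; it is not code from the patent. The CNN and the chart rendering are left out, and the period labels, sample values, the median-based matching distance, and the reading of 10% as relative to the learned value are assumptions.

```python
# Added example: the statistical core of steps S2, S5 and S6 only.
# The CNN and the chart rendering are omitted; all names and data are constructed.
from statistics import median

THRESHOLD = 0.10  # step S6: user-preset threshold of 10%


def effective_mean(samples):
    """Step S2: drop one maximum and one minimum, then average the rest."""
    if len(samples) < 3:
        raise ValueError("need at least 3 samples to drop max and min")
    kept = sorted(samples)[1:-1]
    return sum(kept) / len(kept)


def build_profile(raw_periods):
    """Reduce {period: [samples]} to {period: effective mean}, periods ascending."""
    return {p: effective_mean(v) for p, v in sorted(raw_periods.items())}


def relative_diff(observed, baseline):
    """Assumption: the threshold is measured relative to the learned value."""
    if baseline == 0:
        return 0.0 if observed == 0 else float("inf")
    return abs(observed - baseline) / abs(baseline)


def period_diffs(current, baseline):
    """Per-period difference over the time periods both profiles contain."""
    shared = sorted(set(current) & set(baseline))
    if not shared:
        raise ValueError("no common time periods to compare")
    return {p: relative_diff(current[p], baseline[p]) for p in shared}


def match_environment(current, learned):
    """Step S5: choose the learned profile closest to the current one.

    Assumption: distance is the median per-period difference, so a spike in
    a single period does not pull the match toward a different profile.
    """
    return min(
        learned,
        key=lambda name: median(period_diffs(current, learned[name]).values()),
    )


def detect(raw_current, learned, threshold=THRESHOLD):
    """Step S6: report every period whose difference exceeds the threshold."""
    current = build_profile(raw_current)  # assumption: same reduction as S2
    name = match_environment(current, learned)
    diffs = period_diffs(current, learned[name])
    anomalies = {p: round(d, 4) for p, d in diffs.items() if d > threshold}
    return name, anomalies


# Constructed samples (Mbit/s) for two learned environments, four periods each.
LEARNED_RAW = {
    "office": {
        "00-06": [5, 6, 5, 7, 40],
        "06-12": [10, 80, 82, 84, 88],
        "12-18": [90, 98, 100, 102, 300],
        "18-24": [2, 28, 30, 32, 35],
    },
    "datacenter": {
        "00-06": [300, 390, 400, 410, 900],
        "06-12": [350, 440, 450, 460, 999],
        "12-18": [400, 490, 500, 510, 1200],
        "18-24": [300, 410, 420, 430, 800],
    },
}
LEARNED = {name: build_profile(raw) for name, raw in LEARNED_RAW.items()}

# Constructed observation: office-like traffic with a surge in the afternoon.
RAW_CURRENT = {
    "00-06": [4, 6, 6, 6, 9],
    "06-12": [70, 84, 86, 88, 95],
    "12-18": [120, 148, 150, 152, 400],
    "18-24": [20, 29, 31, 33, 50],
}

if __name__ == "__main__":
    env, anomalies = detect(RAW_CURRENT, LEARNED)
    print("matched environment:", env)
    for period, diff in anomalies.items():
        print(f"anomaly in {period}: {diff:.0%} away from the learned value")
```

Because matching and detection read the same observations, a shift that affects most time periods can move the match to a different learned profile instead of producing an alert; fixing the expected environment where it is known avoids that.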
Compared with the prior art, the method and system for detecting network traffic anomalies have the following characteristics:
First, the CNN model can learn different network environments and store the learning results as charts. After being connected to the network environment to be detected, it can automatically detect the current network environment and network traffic, match the learning result closest to the current network environment, and compare the detection result with the learning result to detect network traffic anomalies, which both raises detection efficiency and reduces the cost of manual effort.
Secondly, when different network environments are learned, the effective values of the network traffic data of each time period in the different environments are averaged, and the average is used as the weight of the CNN model, so that the learning result is more accurate.
The embodiment described above is only one specific embodiment of the present invention; ordinary changes and substitutions made by those skilled in the art within the technical scope of the present invention fall within the protection scope of the present invention.

Claims (9)

1. A method for detecting network traffic anomalies, characterized by comprising the following steps:
S1, establishing a CNN model, deploying the established CNN model in each network environment, and at the same time acquiring real-time network traffic data for each time period t in the different network environments;
S2, averaging the network traffic data of each time period t acquired in the network environment of the CNN model to obtain the average value of the network traffic data in time period t, and taking the average value as the weight of the CNN model;
S3, taking the real-time network data of each time period t acquired in the network environment of the CNN model as the input data sample set of the CNN model, running network traffic multiple times, and recording the input data sample set;
S4, drawing the network traffic condition of each time period t in the different network environments into charts using a chart drawing algorithm, and storing the drawn charts;
S5, accessing the network environment to be detected, acquiring network traffic data for each time period t of the current network, comparing the acquired network traffic data with the input data sample set recorded in step S3, and matching the network traffic condition chart that corresponds to the input data sample set;
S6, comparing the matched network traffic condition chart with the network traffic condition chart of the current network environment to be detected; if the difference between the two in each time period t is not larger than a threshold preset by the user, judging that the network is not abnormal in the current time period; otherwise, judging that the network is abnormal and feeding the anomaly information back to the user.
2. The method for detecting network traffic anomalies according to claim 1, characterized in that: in step S2, the maximum and minimum values in the network traffic data of each time period t are removed, the remaining network traffic data values are summed as effective values, and their average is taken as the weight of the CNN model.
3. The method for detecting network traffic anomalies according to claim 1, characterized in that: in step S4, the process of drawing the chart is as follows:
S4.1, finding the initial time point t0 and the end time point t1 of each time period t and traversing the time points; all time points greater than the initial time point t0 and less than the end time point t1 are time points in time period t;
S4.2, first arranging the time periods in ascending order, and then arranging all the acquired traffic data within each time period t in ascending order;
S4.3, drawing the chart by taking the time points in each time period t as the horizontal axis and the traffic data as the vertical axis, and plotting each time point against its traffic data.
4. The method for detecting network traffic anomalies according to claim 1, characterized in that: in step S6, the threshold preset by the user is 10%.
5. A network traffic anomaly detection system, characterized in that: the system comprises a CNN model module, a chart drawing module, a traffic monitoring module and an information warning module;
different network environments are learned by the CNN model, and the chart drawing module turns the learning results into charts and stores them;
when the network environment to be detected is accessed, the traffic monitoring module automatically detects the current network environment, matches the learning result closest to the current network environment, detects the traffic condition of the current network environment, and compares the detection result with the learning result, thereby detecting network traffic anomalies.
6. The network traffic anomaly detection system according to claim 5, characterized in that: the CNN model module is deployed in each network environment and learns the different network environments: it acquires real-time network traffic data for each time period t in the different network environments, takes the average of the network traffic data of each time period t acquired in the network environment as the weight of the CNN model, takes the real-time network data of each time period t acquired in the network environment as the input data sample set of the CNN model, runs network traffic multiple times, and records the input data sample set;
the chart drawing module is responsible for drawing the network traffic condition of each time period t in the different network environments into charts and storing the drawn charts;
after the network environment to be detected is accessed, the traffic monitoring module is responsible for acquiring network traffic data for each time period t of the current network, comparing the acquired network traffic data with the input data sample set recorded by the chart drawing module, and matching the network traffic condition chart that corresponds to the input data sample set;
the matched network traffic condition chart is then compared with the network traffic condition chart of the current network environment to be detected; if the difference between the network traffic data of the two in each time period t is not larger than a threshold preset by the user, the network is judged not abnormal in the current time period; otherwise, the network is judged abnormal and the anomaly information is fed back to the user through the information warning module.
7. The network traffic anomaly detection system according to claim 6, characterized in that: the weight of the CNN model is the average obtained by summing the effective network traffic data; the effective network traffic data are the network traffic data remaining after the maximum and minimum values in the network traffic data of each time period t are removed.
8. The network traffic anomaly detection system according to claim 6, characterized in that: when the chart drawing module draws a chart, it first finds the initial time point t0 and the end time point t1 of each time period t and traverses the time points; all time points greater than the initial time point t0 and less than the end time point t1 are time points in time period t; it then arranges the time periods in ascending order and arranges all the acquired traffic data within each time period t in ascending order; finally, it draws the chart by taking the time points in each time period t as the horizontal axis and the traffic data as the vertical axis, and plotting each time point against its traffic data.
9. The network traffic anomaly detection system according to claim 6, characterized in that: when the traffic monitoring module judges whether the network is abnormal, the threshold preset by the user is 10%.
Application number: CN202210640507.8A
Priority date: 2022-06-08
Filing date: 2022-06-08
Title: Network flow abnormity detection method and system
Status: Pending
Publication: CN115242427A (en), published 2022-10-25
Family ID: 83670350
Country: CN


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination