CN115484044A - Data state monitoring method and system - Google Patents


Publication number
CN115484044A
Authority
CN
China
Prior art keywords
data
network data
target network
pieces
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202210877996.9A
Other languages
Chinese (zh)
Inventor
肖婷
孙旭
王斌
周国强
刘晖
陈正跃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a system for monitoring a data state, and relates to the technical field of network security. In the invention, for each target network data in a plurality of pieces of stored network data, data access characteristic information corresponding to the target network data is obtained; for each two pieces of target network data in the multiple pieces of network data, performing feature similarity calculation according to data access feature information corresponding to the two pieces of target network data to output access feature similarities corresponding to the two pieces of target network data; and analyzing the data state according to the access characteristic similarity corresponding to each two pieces of target network data in the plurality of pieces of network data to output the target data state corresponding to each piece of target network data, wherein the target data state is used for representing whether the corresponding target network data is abnormal or not. Based on the method, the problem of poor data state monitoring effect in the prior art can be solved.

Description

Data state monitoring method and system
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for monitoring a data state.
Background
In the technical field of network security, monitoring of data states is an important means of guaranteeing network data security. However, the prior art generally analyzes characteristics of the access device itself, such as a device fingerprint or an IP address, to determine whether an access is abnormal. As a result, the data state monitoring effect may be poor.
Disclosure of Invention
In view of this, the present invention provides a method and a system for monitoring a data state to solve the problem of poor monitoring effect of the data state in the prior art.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
A method for monitoring a data state includes:
for each piece of target network data in the stored multiple pieces of network data, acquiring data access characteristic information corresponding to the target network data, wherein the data access characteristic information is used for representing the characteristics with which the corresponding target network data has been accessed historically;
for each two pieces of target network data in the multiple pieces of network data, performing feature similarity calculation according to data access feature information corresponding to the two pieces of target network data to output access feature similarities corresponding to the two pieces of target network data;
and analyzing the data state according to the access characteristic similarity corresponding to each two pieces of target network data in the plurality of pieces of network data to output the target data state corresponding to each piece of target network data, wherein the target data state is used for representing whether the corresponding target network data is abnormal or not.
In some preferred embodiments, in the method for monitoring a data state, the step of acquiring, for each target network data in the stored multiple pieces of network data, data access characteristic information corresponding to the target network data includes:
for each piece of stored network data, acquiring a first data monitoring result corresponding to the network data, wherein the first data monitoring result is used for representing whether the corresponding network data is requested by network terminal equipment for data access currently;
for each piece of network data in the plurality of pieces of network data, if a first data monitoring result corresponding to the network data represents that the network data is currently subjected to a data access request by network terminal equipment, marking the network data as candidate network data;
extracting target network data from each marked candidate network data, and acquiring data access characteristic information corresponding to each target network data.
In some preferred embodiments, in the method for monitoring a data state, the step of extracting target network data from each marked candidate network data and acquiring data access characteristic information corresponding to each target network data includes:
for each marked candidate network data, acquiring a second data monitoring result corresponding to the candidate network data, wherein the second data monitoring result is used for representing whether the network terminal equipment corresponding to the corresponding candidate network data accesses other network data within a preset time length;
for each marked candidate network data, if the second data monitoring result corresponding to the candidate network data indicates that the network terminal device corresponding to the candidate network data has accessed other network data within a preset time, marking the candidate network data as target network data, and acquiring data access characteristic information corresponding to the target network data.
In some preferred embodiments, in the method for monitoring a data state, the step of performing, for each two pieces of target network data in the plurality of pieces of network data, feature similarity calculation according to data access feature information corresponding to the two pieces of target network data to output access feature similarities corresponding to the two pieces of target network data includes:
for each piece of target network data in the plurality of pieces of network data, extracting, from the data access characteristic information corresponding to the target network data, a first data access characteristic sequence corresponding to the target network data, wherein the first data access characteristic sequence is formed from the historical access times at which the corresponding target network data was accessed and is ordered chronologically;
for each piece of target network data in the plurality of pieces of network data, extracting, from the data access characteristic information corresponding to the target network data, a second data access characteristic sequence corresponding to the target network data, wherein the second data access characteristic sequence is formed from the network terminal devices that have historically accessed the corresponding target network data and is ordered by the corresponding access times;
for each two pieces of target network data in the multiple pieces of network data, performing first feature similarity calculation according to first data access feature sequences corresponding to the two pieces of target network data to output first access feature similarities corresponding to the two pieces of target network data;
for each two pieces of target network data in the multiple pieces of network data, performing second feature similarity calculation according to second data access feature sequences corresponding to the two pieces of target network data to output second access feature similarities corresponding to the two pieces of target network data;
and for each two pieces of target network data in the plurality of pieces of network data, performing similarity fusion calculation according to the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data to output the access characteristic similarities corresponding to the two pieces of target network data.
In some preferred embodiments, in the method for monitoring a data state, the step of performing, for each two pieces of target network data in the multiple pieces of network data, similarity fusion calculation according to a first access characteristic similarity and a second access characteristic similarity corresponding to the two pieces of target network data to output access characteristic similarities corresponding to the two pieces of target network data includes:
acquiring a first weighting coefficient corresponding to the first access characteristic similarity and acquiring a second weighting coefficient corresponding to the second access characteristic similarity;
and for each two pieces of target network data in the multiple pieces of network data, performing weighted summation calculation on the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data according to a first weighting coefficient corresponding to the first access characteristic similarity and a second weighting coefficient corresponding to the second access characteristic similarity to output corresponding similarity weighted sum values, and marking the similarity weighted sum values as the access characteristic similarities corresponding to the two pieces of target network data.
In some preferred embodiments, in the method for monitoring a data state, the step of analyzing the data state according to the access characteristic similarity corresponding to each two pieces of target network data in the plurality of pieces of network data to output the target data state corresponding to each piece of target network data includes:
classifying the target network data according to the access characteristic similarity corresponding to every two pieces of target network data to output data classification sets corresponding to the target network data, wherein there is at least one data classification set, each data classification set includes at least one set element, the set elements are pieces of target network data, and, for any data classification set that includes multiple set elements, the access characteristic similarity corresponding to any two pieces of target network data selected from that set is greater than or equal to a preset similarity;
for each data classification set, screening out network terminal equipment which respectively accesses each target network data in the data classification set in history to output the target network terminal equipment corresponding to the data classification set, and respectively determining the historical access time of each target network terminal equipment accessing each target network data in the data classification set to respectively output the access time set corresponding to each target network terminal equipment;
for each access time set, performing time dispersion calculation on each historical access time included in the access time set to output time dispersion corresponding to the access time set, comparing the time dispersion with a preset dispersion, and if the time dispersion is greater than or equal to the preset dispersion value, marking the access time set as a first access time set;
respectively marking the target network terminal equipment corresponding to each first access time set as first target network terminal equipment, calculating the number of the first target network terminal equipment corresponding to each data classification set to output the first equipment number corresponding to the data classification set, and calculating the number of the target network terminal equipment corresponding to each data classification set to output the second equipment number corresponding to each data classification set;
and for each data classification set, performing ratio calculation on the number of the first equipment and the number of the second equipment corresponding to the data classification set to output a number ratio corresponding to the data classification set, and performing data state analysis according to the number ratio to output a target data state corresponding to each piece of target network data included in the data classification set.
In some preferred embodiments, in the method for monitoring a data state, for each of the data classification sets, the step of performing ratio calculation on the first device quantity and the second device quantity corresponding to the data classification set to output a quantity ratio corresponding to the data classification set, and performing data state analysis according to the quantity ratio to output a target data state corresponding to each of the target network data included in the data classification set includes:
for each data classification set, carrying out ratio calculation on the number of first equipment and the number of second equipment corresponding to the data classification set so as to output the number ratio corresponding to the data classification set, and comparing the number ratio with a preset ratio;
for each data classification set, if the quantity ratio corresponding to the data classification set is less than or equal to the preset ratio, marking the target data state corresponding to each piece of target network data included in the data classification set as an abnormal data state, and if the quantity ratio corresponding to the data classification set is greater than the preset ratio, marking the target data state corresponding to each piece of target network data included in the data classification set as a non-abnormal data state.
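The similarity fusion and data state analysis steps above can be traced end to end on a small log. The following Python sketch is an added illustration, not code from the patent. The patent does not define the two similarity functions, the dispersion measure, the grouping algorithm or any preset value, so the bucketed Jaccard time similarity, the SequenceMatcher device similarity, the population standard deviation, the greedy grouping, the "undetermined" state for a set with no target device, and every constant and name below are assumptions.

```python
from difflib import SequenceMatcher
from itertools import combinations
from statistics import pstdev

# Constructed sample log: (data_id, device_id, access_time_in_seconds).
ACCESS_LOG = [
    ("doc-A", "d1", 1000), ("doc-A", "d2", 1010), ("doc-A", "d3", 1020),
    ("doc-A", "d9", 1030),
    ("doc-B", "d1", 1005), ("doc-B", "d2", 1015), ("doc-B", "d3", 1025),
    ("doc-C", "d4", 2000), ("doc-C", "d5", 9000), ("doc-C", "d7", 9050),
    ("doc-C", "d6", 20000),
    ("doc-D", "d6", 2050), ("doc-D", "d7", 9060), ("doc-D", "d4", 9100),
    ("doc-D", "d5", 20050),
]

# Assumed preset values; the patent leaves all of them open.
W_TIME, W_DEVICE = 0.5, 0.5      # first and second weighting coefficients
PRESET_SIMILARITY = 0.6
PRESET_DISPERSION = 600.0        # seconds
PRESET_RATIO = 0.5
BUCKET = 300                     # seconds per time bucket

def feature_sequences(log):
    """Per data item: access times in time order, and devices in the same order."""
    seqs = {}
    for data_id, device, ts in sorted(log, key=lambda rec: rec[2]):
        times, devices = seqs.setdefault(data_id, ([], []))
        times.append(ts)
        devices.append(device)
    return seqs

def time_similarity(t1, t2):
    """First similarity (assumed metric): Jaccard overlap of time buckets."""
    b1, b2 = {t // BUCKET for t in t1}, {t // BUCKET for t in t2}
    return len(b1 & b2) / len(b1 | b2)

def device_similarity(d1, d2):
    """Second similarity (assumed metric): order-aware match of device sequences."""
    return SequenceMatcher(None, d1, d2, autojunk=False).ratio()

def fused_similarities(seqs):
    """Weighted sum of both similarities for every pair of data items."""
    sims = {}
    for a, b in combinations(sorted(seqs), 2):
        s1 = time_similarity(seqs[a][0], seqs[b][0])
        s2 = device_similarity(seqs[a][1], seqs[b][1])
        sims[frozenset((a, b))] = W_TIME * s1 + W_DEVICE * s2
    return sims

def classify(items, sims):
    """Greedy grouping: an item joins a set only if it is similar to every member."""
    groups = []
    for item in sorted(items):
        for group in groups:
            if all(sims[frozenset((item, m))] >= PRESET_SIMILARITY for m in group):
                group.append(item)
                break
        else:
            groups.append([item])
    return groups

def analyse(log):
    """One report row per data classification set."""
    seqs = feature_sequences(log)
    sims = fused_similarities(seqs)
    report = []
    for group in classify(seqs, sims):
        by_device = {}
        for data_id, device, ts in log:
            if data_id in group:
                by_device.setdefault(device, {}).setdefault(data_id, []).append(ts)
        # Target devices are those that accessed every item in the set.
        targets = {dev: [t for times in hits.values() for t in times]
                   for dev, hits in by_device.items() if len(hits) == len(group)}
        # First target devices: access times spread out at least PRESET_DISPERSION.
        first = [dev for dev, times in targets.items()
                 if pstdev(times) >= PRESET_DISPERSION]
        if not targets:
            ratio, state = None, "undetermined"   # case not covered by the patent
        else:
            ratio = len(first) / len(targets)
            state = "abnormal" if ratio <= PRESET_RATIO else "non-abnormal"
        report.append({"set": group, "first": len(first),
                       "second": len(targets), "ratio": ratio, "state": state})
    return report

def data_states(log):
    """Target data state for each piece of target network data."""
    return {d: row["state"] for row in analyse(log) for d in row["set"]}

if __name__ == "__main__":
    for row in analyse(ACCESS_LOG):
        print(row)
```

In the constructed log, doc-A and doc-B are fetched by the same three devices within seconds, so no target device reaches the preset dispersion and the set is marked abnormal; d9 accessed only doc-A and is therefore screened out of the target devices.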
An embodiment of the present invention further provides a system for monitoring a data state, including:
the access characteristic acquisition module is used for acquiring data access characteristic information corresponding to each piece of target network data in the stored plurality of pieces of network data, wherein the data access characteristic information is used for representing the characteristics of the corresponding target network data accessed historically;
the characteristic similarity calculation module is used for calculating the characteristic similarity of each two pieces of target network data in the multiple pieces of network data according to the data access characteristic information corresponding to the two pieces of target network data so as to output the access characteristic similarity corresponding to the two pieces of target network data;
and the data state analysis module is used for performing data state analysis according to the access characteristic similarity corresponding to each two pieces of target network data in the plurality of pieces of network data so as to output a target data state corresponding to each piece of target network data, wherein the target data state is used for representing whether the corresponding target network data is abnormal or not.
In some preferred embodiments, in the above monitoring system for data status, the feature similarity calculating module is specifically configured to:
for each piece of target network data in the plurality of pieces of network data, extracting, from the data access characteristic information corresponding to the target network data, a first data access characteristic sequence corresponding to the target network data, wherein the first data access characteristic sequence is formed from the historical access times at which the corresponding target network data was accessed and is ordered chronologically;
for each piece of target network data in the plurality of pieces of network data, extracting, from the data access characteristic information corresponding to the target network data, a second data access characteristic sequence corresponding to the target network data, wherein the second data access characteristic sequence is formed from the network terminal devices that have historically accessed the corresponding target network data and is ordered by the corresponding access times;
for each two pieces of target network data in the multiple pieces of network data, performing first feature similarity calculation according to first data access feature sequences corresponding to the two pieces of target network data to output first access feature similarities corresponding to the two pieces of target network data;
for every two pieces of target network data in the plurality of pieces of network data, performing second feature similarity calculation according to second data access feature sequences corresponding to the two pieces of target network data to output second access feature similarities corresponding to the two pieces of target network data;
and for each two pieces of target network data in the plurality of pieces of network data, performing similarity fusion calculation according to the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data to output the access characteristic similarities corresponding to the two pieces of target network data.
In some preferred embodiments, in the above monitoring system for data status, the data status analysis module is specifically configured to:
classifying the target network data according to the access characteristic similarity corresponding to every two pieces of target network data to output data classification sets corresponding to the target network data, wherein there is at least one data classification set, each data classification set includes at least one set element, the set elements are pieces of target network data, and, for any data classification set that includes multiple set elements, the access characteristic similarity corresponding to any two pieces of target network data selected from that set is greater than or equal to a preset similarity;
for each data classification set, screening out network terminal equipment which respectively accesses each target network data in the data classification set in history to output the target network terminal equipment corresponding to the data classification set, and respectively determining the historical access time of each target network terminal equipment accessing each target network data in the data classification set to respectively output the access time set corresponding to each target network terminal equipment;
for each access time set, performing time dispersion calculation on each historical access time included in the access time set to output time dispersion corresponding to the access time set, comparing the time dispersion with a preset dispersion, and if the time dispersion is greater than or equal to the preset dispersion value, marking the access time set as a first access time set;
respectively marking the target network terminal equipment corresponding to each first access time set as first target network terminal equipment, calculating the number of the first target network terminal equipment corresponding to each data classification set to output the first equipment number corresponding to the data classification set, and calculating the number of the target network terminal equipment corresponding to each data classification set to output the second equipment number corresponding to each data classification set;
and for each data classification set, performing ratio calculation on the number of the first equipment and the number of the second equipment corresponding to the data classification set to output a number ratio corresponding to the data classification set, and performing data state analysis according to the number ratio to output a target data state corresponding to each piece of target network data included in the data classification set.
In the method and system for monitoring a data state provided in an embodiment of the present invention, for each piece of target network data in a plurality of pieces of stored network data, data access feature information corresponding to the target network data may be obtained first. Then, for each two pieces of target network data in the plurality of pieces of network data, feature similarity calculation may be performed according to the data access feature information corresponding to the two pieces of target network data to output the access feature similarity corresponding to the two pieces of target network data. Data state analysis may then be performed according to the access feature similarity corresponding to each two pieces of target network data in the plurality of pieces of network data to output a target data state corresponding to each piece of target network data, where the target data state is used to represent whether the corresponding target network data is abnormal. Because similarity is determined over the access characteristics of the network data and the data state analysis is then based on the determined similarity, different pieces of network data are analyzed in correlation with one another, so the accuracy of the obtained data state can be improved to a certain extent, which solves the problem of poor data state monitoring effect in the prior art.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
Fig. 1 is a block diagram of a network security protection device according to an embodiment of the present invention.
Fig. 2 is a schematic flowchart illustrating steps included in a data status monitoring method according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a data status monitoring system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a network security protection device. The network security protection device may include a memory and a processor.
In detail, the memory and the processor are electrically connected directly or indirectly to realize data transmission or interaction. For example, they may be electrically connected to each other via one or more communication buses or signal lines. The memory can have at least one software functional module (computer program) stored therein, which can be in the form of software or firmware. The processor may be configured to execute the executable computer program stored in the memory, thereby implementing the method for monitoring data states provided by the embodiments of the present invention (described below).
The memory may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), a System on Chip (SoC), and the like. It may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Moreover, the structure shown in fig. 1 is only an illustration, and the network security protection device may further include more or fewer components than those shown in fig. 1, or have a different configuration from that shown in fig. 1, for example, may include a communication unit for information interaction with other devices.
The network security protection device may be a server with data processing capabilities.
With reference to fig. 2, an embodiment of the present invention further provides a method for monitoring a data state, which is applicable to the network security protection device. The method steps defined by the flow related to the monitoring method of the data state can be implemented by the network security protection device.
The specific process shown in FIG. 2 will be described in detail below.
Step S110, for each piece of target network data in the stored multiple pieces of network data, obtaining data access characteristic information corresponding to the target network data.
In the embodiment of the present invention, the network security protection device may execute the step of acquiring, for each piece of target network data in the stored plurality of pieces of network data, data access characteristic information corresponding to the target network data. The data access characteristic information is used for characterizing the characteristics with which the corresponding target network data has been accessed historically.
Step S120, for each two pieces of target network data in the multiple pieces of network data, performing feature similarity calculation according to the data access feature information corresponding to the two pieces of target network data, so as to output the access feature similarity corresponding to the two pieces of target network data.
In the embodiment of the present invention, the network security protection device may perform feature similarity calculation on each two pieces of target network data in the multiple pieces of network data according to the data access feature information corresponding to the two pieces of target network data, so as to output the access feature similarity corresponding to the two pieces of target network data.
Step S130, performing data state analysis according to the access feature similarity corresponding to each two pieces of target network data in the multiple pieces of network data, so as to output a target data state corresponding to each piece of target network data.
In the embodiment of the present invention, the network security protection device may perform data state analysis according to the access characteristic similarity corresponding to each two pieces of target network data in the plurality of pieces of network data, so as to output a target data state corresponding to each piece of target network data. The target data state is used for representing whether corresponding target network data is abnormal or not.
Based on the steps S110, S120, and S130 included in the method, for each piece of target network data in the stored multiple pieces of network data, data access feature information corresponding to the target network data may be obtained first. Then, for each two pieces of target network data in the multiple pieces of network data, feature similarity calculation may be performed according to the data access feature information corresponding to the two pieces of target network data to output the access feature similarity corresponding to the two pieces of target network data. Data state analysis may then be performed according to the access feature similarity corresponding to each two pieces of target network data in the multiple pieces of network data to output a target data state corresponding to each piece of target network data, where the target data state is used to characterize whether the corresponding target network data is abnormal. Because similarity is determined over the access characteristics of the network data and the data state analysis is then based on the determined similarity, different pieces of network data are analyzed in correlation with one another, so the accuracy of the obtained data state can be improved to a certain extent, which solves the problem of poor data state monitoring effect in the prior art.
Step S110 in the above may further include the following:
for each piece of stored network data, acquiring a first data monitoring result corresponding to the network data, wherein the first data monitoring result is used for representing whether the corresponding network data is requested by network terminal equipment for data access currently;
for each piece of network data in the plurality of pieces of network data, if a first data monitoring result corresponding to the network data represents that the network data is currently subjected to a data access request by network terminal equipment, marking the network data as candidate network data;
extracting target network data from each marked candidate network data, and acquiring data access characteristic information corresponding to each target network data.
In the foregoing, the step of extracting target network data from each piece of marked candidate network data and obtaining data access characteristic information corresponding to each piece of target network data may further include the following steps:
for each piece of marked candidate network data, acquiring a second data monitoring result corresponding to the candidate network data, wherein the second data monitoring result is used for representing whether the network terminal equipment corresponding to the candidate network data has accessed other network data within a preset time length;
for each piece of marked candidate network data, if the second data monitoring result corresponding to the candidate network data indicates that the network terminal equipment corresponding to the candidate network data has accessed other network data within the preset time length, marking the candidate network data as target network data, and acquiring data access characteristic information corresponding to the target network data.
Step S120 above may further include the following:
for each piece of target network data in the plurality of pieces of network data, analyzing a first data access characteristic sequence corresponding to the target network data in data access characteristic information corresponding to the target network data, wherein the first data access characteristic sequence is formed based on historical access time of the corresponding target network data accessed in history and is sequenced according to the corresponding time sequence;
for each piece of target network data in the plurality of pieces of network data, analyzing a second data access characteristic sequence corresponding to the target network data in data access characteristic information corresponding to the target network data, wherein the second data access characteristic sequence is formed from the network terminal equipment that has historically accessed the corresponding target network data and is ordered according to the sequence of the corresponding access times;
for each two pieces of target network data in the multiple pieces of network data, performing first feature similarity calculation according to first data access feature sequences corresponding to the two pieces of target network data to output first access feature similarities corresponding to the two pieces of target network data;
for each two pieces of target network data in the multiple pieces of network data, performing second feature similarity calculation (which may be calculation of coincidence between two sequences, or by referring to an existing sequence similarity calculation rule) according to second data access feature sequences corresponding to the two pieces of target network data, so as to output second access feature similarities corresponding to the two pieces of target network data;
and for each two pieces of target network data in the multiple pieces of network data, performing similarity fusion calculation according to the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data to output the access characteristic similarity corresponding to the two pieces of target network data.
In the foregoing, the step of performing, for each two pieces of target network data in the plurality of pieces of network data, first feature similarity calculation according to the first data access feature sequences corresponding to the two pieces of target network data to output first access feature similarities corresponding to the two pieces of target network data may further include the following steps:
for each piece of target network data, performing sliding window segmentation on a first data access characteristic sequence corresponding to the target network data according to a preset number to output a plurality of first data access characteristic sequence segments corresponding to the target network data, wherein the number of historical access time included in each first data access characteristic sequence segment is the preset number;
for each first data access characteristic sequence segment, calculating the difference between every two adjacent historical access times in the first data access characteristic sequence segment to output the historical time interval corresponding to those two adjacent historical access times; for each historical access time in the segment other than the first, marking the historical access time together with the historical time interval between it and the previous historical access time as a corresponding two-dimensional coordinate; and marking the first historical access time in the segment together with the average of the historical time intervals corresponding to every two adjacent historical access times in the segment as one two-dimensional coordinate;
for each first data access characteristic sequence segment, performing polygon construction according to two-dimensional coordinates corresponding to each historical access time in the first data access characteristic sequence segment to output a convex polygon corresponding to the first data access characteristic sequence segment, wherein each vertex of each convex polygon is a two-dimensional coordinate corresponding to the corresponding first data access characteristic sequence segment, and each convex polygon surrounds each two-dimensional coordinate corresponding to the corresponding first data access characteristic sequence segment;
for each first data access characteristic sequence segment, performing mean value calculation on two-dimensional coordinates corresponding to each vertex of the convex polygon corresponding to the first data access characteristic sequence segment to output two-dimensional mean value coordinates corresponding to the first data access characteristic sequence segment;
for each piece of target network data, sorting a plurality of two-dimensional mean coordinates corresponding to a plurality of first data access characteristic sequence segments according to a sorting relation among the plurality of first data access characteristic sequence segments corresponding to the target network data so as to output a coordinate sorting sequence corresponding to the target network data, and performing curve fitting on the plurality of two-dimensional mean coordinates included in the coordinate sorting sequence so as to output a fitting curve corresponding to the coordinate sorting sequence;
for every two pieces of target network data, similarity calculation is performed according to two fitting curves corresponding to the two pieces of target network data (an existing curve similarity calculation rule can be referred to), so that first access feature similarity corresponding to the two pieces of target network data is output.
In the foregoing, for each two pieces of target network data in the multiple pieces of network data, performing similarity fusion calculation according to the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data to output the access characteristic similarities corresponding to the two pieces of target network data, may further include the following steps:
acquiring a first weighting coefficient corresponding to the first access characteristic similarity and acquiring a second weighting coefficient corresponding to the second access characteristic similarity;
and for each two pieces of target network data in the multiple pieces of network data, performing weighted summation calculation on the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data according to a first weighting coefficient corresponding to the first access characteristic similarity and a second weighting coefficient corresponding to the second access characteristic similarity to output corresponding similarity weighted sum values, and marking the similarity weighted sum values as the access characteristic similarities corresponding to the two pieces of target network data.
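The calculation of step S120 described above, from the sliding-window segmentation through the weighted fusion, can be sketched as follows. This is an added example and not code from the patent: all function names are hypothetical, the window stride of 1, the least-squares line used as the fitted curve, the sampled gap between the two fitted lines used as the curve similarity, the `difflib` matching ratio used as the sequence coincidence, and the 0.5/0.5 weighting coefficients are assumptions standing in for choices the text leaves open, and the access histories are constructed.

```python
from difflib import SequenceMatcher
from statistics import mean

def windows(times, size, stride=1):
    """Sliding-window segmentation; every segment holds exactly `size` access times."""
    if size < 2:
        raise ValueError("a segment needs at least two access times")
    return [times[i:i + size] for i in range(0, len(times) - size + 1, stride)]

def segment_points(segment):
    """2-D coordinates of one segment: (access time, interval since previous access)."""
    gaps = [b - a for a, b in zip(segment, segment[1:])]
    # The first access time has no predecessor, so it is paired with the mean interval.
    return [(segment[0], mean(gaps))] + list(zip(segment[1:], gaps))

def convex_hull(points):
    """Andrew's monotone chain: vertices of the convex polygon enclosing `points`."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts

    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    def half(seq):
        out = []
        for p in seq:
            while len(out) >= 2 and cross(out[-2], out[-1], p) <= 0:
                out.pop()
            out.append(p)
        return out[:-1]

    return half(pts) + half(pts[::-1])

def mean_coordinates(times, size):
    """Coordinate sorting sequence: the mean of the hull vertices of each segment."""
    coords = []
    for seg in windows(times, size):
        hull = convex_hull(segment_points(seg))
        coords.append((mean([x for x, _ in hull]), mean([y for _, y in hull])))
    return coords

def fit_line(coords):
    """Assumed curve fitting: least-squares line through the mean coordinates."""
    xs, ys = [x for x, _ in coords], [y for _, y in coords]
    x_bar, y_bar = mean(xs), mean(ys)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    slope = sum((x - x_bar) * (y - y_bar) for x, y in coords) / sxx if sxx else 0.0
    return lambda x: y_bar + slope * (x - x_bar)

def first_similarity(times_a, times_b, size=4, samples=20):
    """Assumed curve similarity: 1 / (1 + normalised mean gap between the fitted lines)."""
    ca, cb = mean_coordinates(times_a, size), mean_coordinates(times_b, size)
    if not ca or not cb:
        raise ValueError("each sequence needs at least `size` access times")
    fa, fb = fit_line(ca), fit_line(cb)
    lo, hi = min(x for x, _ in ca + cb), max(x for x, _ in ca + cb)
    grid = [lo + (hi - lo) * k / (samples - 1) for k in range(samples)]
    diff = mean([abs(fa(x) - fb(x)) for x in grid])
    scale = mean([abs(y) for _, y in ca + cb]) or 1.0
    return 1.0 / (1.0 + diff / scale)

def second_similarity(devices_a, devices_b):
    """Coincidence of the two device sequences (difflib matching-block ratio)."""
    return SequenceMatcher(None, devices_a, devices_b).ratio()

def access_similarity(first, second, w1=0.5, w2=0.5):
    """Weighted sum of the first and second access characteristic similarities."""
    return w1 * first + w2 * second

# Constructed access histories (seconds since the start of observation).
A_TIMES = [0, 60, 120, 180, 240, 300, 360, 420]
B_TIMES = [5, 66, 124, 186, 243, 306, 364, 427]
C_TIMES = [0, 2, 4, 6, 300, 302, 304, 900]
A_DEV = ["d1", "d2", "d3", "d1", "d2", "d3", "d1", "d2"]
B_DEV = list(A_DEV)
C_DEV = ["d7", "d7", "d7", "d7", "d8", "d8", "d8", "d9"]

def pair_similarity(times_a, dev_a, times_b, dev_b):
    return access_similarity(first_similarity(times_a, times_b),
                             second_similarity(dev_a, dev_b))

if __name__ == "__main__":
    print("A~B", round(pair_similarity(A_TIMES, A_DEV, B_TIMES, B_DEV), 3))
    print("A~C", round(pair_similarity(A_TIMES, A_DEV, C_TIMES, C_DEV), 3))
```

Because the first coordinate is the access time itself, two pieces of data only score high on the first similarity when their access rhythm is alike over the same period, which is why the bursty history of C separates from A and B.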
Step S130 above may further include the following:
classifying the target network data according to the access characteristic similarity corresponding to every two pieces of target network data to output data classification sets corresponding to the target network data, wherein there is at least one data classification set, each data classification set includes at least one set element, the set elements are pieces of target network data, and, for any data classification set that includes more than one set element, the access characteristic similarity corresponding to any two pieces of target network data selected from that data classification set is greater than or equal to a preset similarity;
for each data classification set, screening out network terminal equipment which respectively accesses each target network data in the data classification set in history to output the target network terminal equipment corresponding to the data classification set, and respectively determining the historical access time of each target network terminal equipment accessing each target network data in the data classification set to respectively output the access time set corresponding to each target network terminal equipment;
for each access time set, performing time dispersion calculation on the historical access times included in the access time set to output a time dispersion corresponding to the access time set, comparing the time dispersion with a preset dispersion, and, if the time dispersion is greater than or equal to the preset dispersion, marking the access time set as a first access time set;
respectively marking the target network terminal equipment corresponding to each first access time set as first target network terminal equipment, calculating the number of the first target network terminal equipment corresponding to the data classification set for each data classification set so as to output the number of the first equipment corresponding to the data classification set, and calculating the number of the target network terminal equipment corresponding to the data classification set so as to output the number of the second equipment corresponding to the data classification set;
for each data classification set, performing ratio calculation (for example, dividing the former by the latter) on the first equipment quantity and the second equipment quantity corresponding to the data classification set to output a quantity ratio corresponding to the data classification set, and performing data state analysis according to the quantity ratio to output a target data state corresponding to each piece of target network data included in the data classification set.
In the foregoing, for each data classification set, the step of performing ratio calculation on the first device quantity and the second device quantity corresponding to the data classification set to output a quantity ratio corresponding to the data classification set, and performing data state analysis according to the quantity ratio to output a target data state corresponding to each piece of target network data included in the data classification set may further include the following steps:
for each data classification set, calculating the ratio of the number of the first equipment to the number of the second equipment corresponding to the data classification set to output the ratio of the number corresponding to the data classification set, and comparing the magnitude of the ratio of the number to a preset ratio;
for each data classification set, if the quantity ratio corresponding to the data classification set is less than or equal to the preset ratio, marking the target data state corresponding to each piece of target network data included in the data classification set as an abnormal data state, and if the quantity ratio corresponding to the data classification set is greater than the preset ratio, marking the target data state corresponding to each piece of target network data included in the data classification set as a non-abnormal data state.
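The data state analysis of step S130 described above can be sketched as follows. This is an added example and not code from the patent: the function names are hypothetical, the greedy grouping, the population standard deviation used as the time dispersion, and the threshold values are assumptions, "target network terminal equipment" is read here as the devices that accessed every member of a set, and the access log and similarity values are constructed. The text does not say what state applies when no device accessed every member, so the example reports that case as "undetermined".

```python
from collections import defaultdict
from statistics import pstdev

def classify(items, similarity, preset_similarity):
    """Greedy grouping so that every pair inside a set meets the preset similarity."""
    sets = []
    for item in items:
        for group in sets:
            if all(similarity[frozenset((item, other))] >= preset_similarity
                   for other in group):
                group.append(item)
                break
        else:
            sets.append([item])
    return sets

def set_state(group, access_log, preset_dispersion, preset_ratio):
    """Return (quantity ratio, target data state) for one data classification set."""
    times = defaultdict(list)    # device -> its access times to members of the set
    touched = defaultdict(set)   # device -> members of the set it has accessed
    for device, data, ts in access_log:
        if data in group:
            times[device].append(ts)
            touched[device].add(data)
    # Target devices: those that have accessed every member of the set (assumed reading).
    targets = [d for d in times if touched[d] == set(group)]
    if not targets:
        return None, "undetermined"   # case not defined in the text
    # First target devices: access times spread out at least as much as the preset.
    first = [d for d in targets if pstdev(times[d]) >= preset_dispersion]
    ratio = len(first) / len(targets)
    return ratio, ("abnormal" if ratio <= preset_ratio else "non-abnormal")

def monitor(items, similarity, access_log,
            preset_similarity=0.8, preset_dispersion=600, preset_ratio=0.5):
    """Target data state for every piece of target network data."""
    states = {}
    for group in classify(items, similarity, preset_similarity):
        _, state = set_state(group, access_log, preset_dispersion, preset_ratio)
        for data in group:
            states[data] = state
    return states

# Constructed inputs: pairwise access characteristic similarities and an access log
# of (device, data, access time in seconds).
SIMILARITY = {
    frozenset(("A", "B")): 0.92,
    frozenset(("A", "C")): 0.28,
    frozenset(("B", "C")): 0.31,
}
ACCESS_LOG = [
    ("d1", "A", 0), ("d1", "B", 3600), ("d1", "A", 7200), ("d1", "B", 10800),
    ("d2", "A", 100), ("d2", "B", 101), ("d2", "A", 102), ("d2", "B", 103),
    ("d3", "A", 500), ("d3", "B", 502),
    ("d4", "A", 900), ("d4", "B", 903),
    ("d5", "A", 50),                      # never accessed B, so not a target device
    ("d1", "C", 200), ("d1", "C", 9000),
    ("d6", "C", 1000), ("d6", "C", 8000),
]

if __name__ == "__main__":
    print(monitor(["A", "B", "C"], SIMILARITY, ACCESS_LOG))
```

With these inputs only one of the four devices that touched both A and B did so over a spread-out period, so the quantity ratio of 0.25 falls at or below the preset ratio and both pieces of data are marked abnormal, while C, accessed at dispersed times by all of its devices, is not.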
With reference to Fig. 3, an embodiment of the present invention further provides a data state monitoring system, which is applicable to the network security protection device. The data state monitoring system may include:
the access characteristic acquisition module is used for acquiring data access characteristic information corresponding to each piece of target network data in the stored plurality of pieces of network data, wherein the data access characteristic information is used for representing the characteristics of the corresponding target network data accessed historically;
the characteristic similarity calculation module is used for calculating the characteristic similarity of each two pieces of target network data in the multiple pieces of network data according to the data access characteristic information corresponding to the two pieces of target network data so as to output the access characteristic similarity corresponding to the two pieces of target network data;
and the data state analysis module is used for carrying out data state analysis according to the access characteristic similarity corresponding to each two pieces of target network data in the plurality of pieces of network data so as to output a target data state corresponding to each piece of target network data, wherein the target data state is used for representing whether the corresponding target network data is abnormal or not.
The feature similarity calculation module described above is specifically configured to:
for each piece of target network data in the plurality of pieces of network data, analyzing a first data access characteristic sequence corresponding to the target network data in data access characteristic information corresponding to the target network data, wherein the first data access characteristic sequence is formed based on historical access time of the corresponding target network data accessed historically and is ordered according to the corresponding time sequence;
for each piece of target network data in the plurality of pieces of network data, analyzing a second data access characteristic sequence corresponding to the target network data in data access characteristic information corresponding to the target network data, wherein the second data access characteristic sequence is formed from the network terminal equipment that has historically accessed the corresponding target network data and is ordered according to the sequence of the corresponding access times;
for each two pieces of target network data in the multiple pieces of network data, performing first feature similarity calculation according to first data access feature sequences corresponding to the two pieces of target network data to output first access feature similarities corresponding to the two pieces of target network data;
for each two pieces of target network data in the multiple pieces of network data, performing second feature similarity calculation according to second data access feature sequences corresponding to the two pieces of target network data to output second access feature similarities corresponding to the two pieces of target network data;
and for each two pieces of target network data in the multiple pieces of network data, performing similarity fusion calculation according to the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data to output the access characteristic similarity corresponding to the two pieces of target network data.
The data state analysis module described above is specifically configured to:
classifying the target network data according to the access characteristic similarity corresponding to every two pieces of target network data to output data classification sets corresponding to the target network data, wherein there is at least one data classification set, each data classification set includes at least one set element, the set elements are pieces of target network data, and, for any data classification set that includes more than one set element, the access characteristic similarity corresponding to any two pieces of target network data selected from that data classification set is greater than or equal to a preset similarity;
for each data classification set, screening out network terminal equipment which respectively accesses each target network data in the data classification set in history to output the target network terminal equipment corresponding to the data classification set, and respectively determining the historical access time of each target network terminal equipment accessing each target network data in the data classification set to respectively output an access time set corresponding to each target network terminal equipment;
for each access time set, performing time dispersion calculation on the historical access times included in the access time set to output a time dispersion corresponding to the access time set, comparing the time dispersion with a preset dispersion, and, if the time dispersion is greater than or equal to the preset dispersion, marking the access time set as a first access time set;
respectively marking the target network terminal equipment corresponding to each first access time set as first target network terminal equipment, calculating the number of the first target network terminal equipment corresponding to the data classification set for each data classification set so as to output the number of the first equipment corresponding to the data classification set, and calculating the number of the target network terminal equipment corresponding to the data classification set so as to output the number of the second equipment corresponding to the data classification set;
and for each data classification set, calculating the ratio of the number of the first equipment to the number of the second equipment corresponding to the data classification set to output the quantity ratio corresponding to the data classification set, and analyzing the data state according to the quantity ratio to output the target data state corresponding to each piece of target network data included in the data classification set.
In summary, according to the data state monitoring method and system provided by the present invention, for each piece of target network data in the stored plurality of pieces of network data, the data access characteristic information corresponding to the target network data may be obtained first. Then, for every two pieces of target network data in the plurality of pieces of network data, feature similarity calculation may be performed according to the data access characteristic information corresponding to the two pieces of target network data to output the access characteristic similarity corresponding to the two pieces of target network data. Data state analysis may then be performed according to the access characteristic similarity corresponding to every two pieces of target network data to output the target data state corresponding to each piece of target network data, where the target data state is used to represent whether the corresponding target network data is abnormal. Because similarity is first determined over the characteristics with which the network data has been accessed, and the data state analysis is then based on the determined similarity, correlation analysis among different pieces of network data is realized, so that the accuracy of the obtained data state is better to a certain extent and the problem of poor data state monitoring effect in the prior art is solved.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for monitoring data status, comprising:
for each piece of target network data in the stored multiple pieces of network data, acquiring data access characteristic information corresponding to the target network data, wherein the data access characteristic information is used for representing characteristics of the corresponding target network data which are accessed historically;
for each two pieces of target network data in the multiple pieces of network data, performing feature similarity calculation according to data access feature information corresponding to the two pieces of target network data to output access feature similarities corresponding to the two pieces of target network data;
and analyzing the data state according to the access characteristic similarity corresponding to each two pieces of target network data in the plurality of pieces of network data to output the target data state corresponding to each piece of target network data, wherein the target data state is used for representing whether the corresponding target network data is abnormal or not.
2. The method for monitoring a data state according to claim 1, wherein the step of acquiring, for each target network data in the stored pieces of network data, data access characteristic information corresponding to the target network data includes:
for each piece of stored network data, acquiring a first data monitoring result corresponding to the network data, wherein the first data monitoring result is used for representing whether the corresponding network data is requested by network terminal equipment for data access currently;
for each piece of network data in the plurality of pieces of network data, if a first data monitoring result corresponding to the network data represents that the network data is currently subjected to a data access request by network terminal equipment, marking the network data as candidate network data;
extracting target network data from each marked candidate network data, and acquiring data access characteristic information corresponding to each target network data.
3. The method for monitoring a data state according to claim 2, wherein the step of extracting target network data from each marked candidate network data and obtaining data access characteristic information corresponding to each target network data includes:
for each piece of marked candidate network data, acquiring a second data monitoring result corresponding to the candidate network data, wherein the second data monitoring result is used for representing whether the network terminal equipment corresponding to the candidate network data has accessed other network data within a preset time length;
for each piece of marked candidate network data, if the second data monitoring result corresponding to the candidate network data indicates that the network terminal equipment corresponding to the candidate network data has accessed other network data within the preset time length, marking the candidate network data as target network data, and acquiring data access characteristic information corresponding to the target network data.
4. The method for monitoring the data status according to claim 1, wherein the step of performing the feature similarity calculation for each two pieces of target network data in the plurality of pieces of network data according to the data access feature information corresponding to the two pieces of target network data to output the access feature similarity corresponding to the two pieces of target network data includes:
for each piece of target network data in the plurality of pieces of network data, analyzing a first data access characteristic sequence corresponding to the target network data in data access characteristic information corresponding to the target network data, wherein the first data access characteristic sequence is formed based on historical access time of the corresponding target network data accessed in history and is sequenced according to the corresponding time sequence;
for each piece of target network data in the plurality of pieces of network data, analyzing a second data access characteristic sequence corresponding to the target network data in data access characteristic information corresponding to the target network data, wherein the second data access characteristic sequence is formed from the network terminal equipment that has historically accessed the corresponding target network data and is ordered according to the sequence of the corresponding access times;
for each two pieces of target network data in the multiple pieces of network data, performing first feature similarity calculation according to first data access feature sequences corresponding to the two pieces of target network data to output first access feature similarities corresponding to the two pieces of target network data;
for each two pieces of target network data in the multiple pieces of network data, performing second feature similarity calculation according to second data access feature sequences corresponding to the two pieces of target network data to output second access feature similarities corresponding to the two pieces of target network data;
and for each two pieces of target network data in the plurality of pieces of network data, performing similarity fusion calculation according to the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data to output the access characteristic similarities corresponding to the two pieces of target network data.
5. The method for monitoring data status according to claim 4, wherein the step of performing similarity fusion calculation on each two pieces of target network data in the plurality of pieces of network data according to the first access feature similarity and the second access feature similarity corresponding to the two pieces of target network data to output the access feature similarity corresponding to the two pieces of target network data includes:
acquiring a first weighting coefficient corresponding to the first access characteristic similarity and acquiring a second weighting coefficient corresponding to the second access characteristic similarity;
and for each two pieces of target network data in the multiple pieces of network data, performing weighted summation calculation on the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data according to a first weighting coefficient corresponding to the first access characteristic similarity and a second weighting coefficient corresponding to the second access characteristic similarity to output corresponding similarity weighted sum values, and marking the similarity weighted sum values as the access characteristic similarities corresponding to the two pieces of target network data.
6. The method for monitoring data state according to any one of claims 1 to 5, wherein the step of performing data state analysis according to the access feature similarity corresponding to each two pieces of target network data in the plurality of pieces of network data to output the target data state corresponding to each piece of target network data includes:
classifying the target network data according to the access characteristic similarity corresponding to every two pieces of target network data to output data classification sets corresponding to the target network data, wherein there is at least one data classification set, each data classification set includes at least one set element, the set elements are pieces of target network data, and, for any data classification set that includes more than one set element, the access characteristic similarity corresponding to any two pieces of target network data selected from that data classification set is greater than or equal to a preset similarity;
for each data classification set, screening out network terminal equipment which respectively accesses each target network data in the data classification set in history to output the target network terminal equipment corresponding to the data classification set, and respectively determining the historical access time of each target network terminal equipment accessing each target network data in the data classification set to respectively output an access time set corresponding to each target network terminal equipment;
for each access time set, performing time dispersion calculation on the historical access times included in the access time set to output a time dispersion corresponding to the access time set, comparing the time dispersion with a preset dispersion, and, if the time dispersion is greater than or equal to the preset dispersion, marking the access time set as a first access time set;
respectively marking the target network terminal equipment corresponding to each first access time set as first target network terminal equipment, calculating the number of the first target network terminal equipment corresponding to each data classification set to output the first equipment number corresponding to the data classification set, and calculating the number of the target network terminal equipment corresponding to each data classification set to output the second equipment number corresponding to each data classification set;
and for each data classification set, performing ratio calculation on the number of the first equipment and the number of the second equipment corresponding to the data classification set to output a number ratio corresponding to the data classification set, and performing data state analysis according to the number ratio to output a target data state corresponding to each piece of target network data included in the data classification set.
7. The method for monitoring data states of claim 6, wherein for each of the data classification sets, the step of performing a ratio calculation on the first device quantity and the second device quantity corresponding to the data classification set to output a quantity ratio corresponding to the data classification set, and performing a data state analysis according to the quantity ratio to output a target data state corresponding to each of the target network data included in the data classification set comprises:
for each data classification set, carrying out ratio calculation on the number of first equipment and the number of second equipment corresponding to the data classification set so as to output the number ratio corresponding to the data classification set, and comparing the number ratio with a preset ratio;
for each data classification set, if the quantity ratio corresponding to the data classification set is less than or equal to the preset ratio, marking the target data state corresponding to each piece of target network data included in the data classification set as an abnormal data state, and if the quantity ratio corresponding to the data classification set is greater than the preset ratio, marking the target data state corresponding to each piece of target network data included in the data classification set as a non-abnormal data state.
8. A system for monitoring data status, comprising:
the access characteristic acquisition module is used for acquiring data access characteristic information corresponding to each piece of target network data in the stored pieces of network data, wherein the data access characteristic information is used for representing the characteristics of the corresponding target network data accessed historically;
the characteristic similarity calculation module is used for calculating the characteristic similarity of each two pieces of target network data in the multiple pieces of network data according to the data access characteristic information corresponding to the two pieces of target network data so as to output the access characteristic similarity corresponding to the two pieces of target network data;
and the data state analysis module is used for performing data state analysis according to the access characteristic similarity corresponding to each two pieces of target network data in the plurality of pieces of network data so as to output a target data state corresponding to each piece of target network data, wherein the target data state is used for representing whether the corresponding target network data is abnormal or not.
9. The system for monitoring the status of data according to claim 8, wherein the feature similarity calculation module is specifically configured to:
for each piece of target network data in the plurality of pieces of network data, analyzing a first data access characteristic sequence corresponding to the target network data in data access characteristic information corresponding to the target network data, wherein the first data access characteristic sequence is formed based on historical access time of the corresponding target network data accessed historically and is ordered according to the corresponding time sequence;
for each piece of target network data in the plurality of pieces of network data, analyzing a second data access characteristic sequence corresponding to the target network data in data access characteristic information corresponding to the target network data, wherein the second data access characteristic sequence is formed on the basis of the network terminal equipment that historically accessed the corresponding target network data and is ordered according to the sequence of corresponding access time;
for each two pieces of target network data in the multiple pieces of network data, performing first feature similarity calculation according to first data access feature sequences corresponding to the two pieces of target network data to output first access feature similarities corresponding to the two pieces of target network data;
for every two pieces of target network data in the plurality of pieces of network data, performing second feature similarity calculation according to second data access feature sequences corresponding to the two pieces of target network data to output second access feature similarities corresponding to the two pieces of target network data;
and for each two pieces of target network data in the plurality of pieces of network data, performing similarity fusion calculation according to the first access characteristic similarity and the second access characteristic similarity corresponding to the two pieces of target network data to output the access characteristic similarities corresponding to the two pieces of target network data.
10. The system for monitoring a data state of claim 8, wherein the data state analysis module is specifically configured to:
classifying the target network data according to the access characteristic similarity corresponding to every two pieces of target network data to output data classification sets corresponding to the target network data, wherein there is at least one data classification set, each data classification set includes at least one set element, the set elements are the target network data, and, for any data classification set with more than one set element, the access characteristic similarity corresponding to any two pieces of target network data selected from that data classification set is greater than or equal to a preset similarity;
for each data classification set, screening out network terminal equipment which respectively accesses each target network data in the data classification set in history to output the target network terminal equipment corresponding to the data classification set, and respectively determining the historical access time of each target network terminal equipment accessing each target network data in the data classification set to respectively output an access time set corresponding to each target network terminal equipment;
for each access time set, performing time dispersion calculation on each historical access time included in the access time set to output time dispersion corresponding to the access time set, comparing the time dispersion with a preset dispersion, and if the time dispersion is greater than or equal to the preset dispersion, marking the access time set as a first access time set;
respectively marking the target network terminal equipment corresponding to each first access time set as first target network terminal equipment, calculating the number of the first target network terminal equipment corresponding to the data classification set for each data classification set so as to output the number of the first equipment corresponding to the data classification set, and calculating the number of the target network terminal equipment corresponding to the data classification set so as to output the number of the second equipment corresponding to the data classification set;
and for each data classification set, performing ratio calculation on the number of the first equipment and the number of the second equipment corresponding to the data classification set to output a number ratio corresponding to the data classification set, and performing data state analysis according to the number ratio to output a target data state corresponding to each piece of target network data included in the data classification set.
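The analysis steps of claim 10, together with the threshold rule of claim 7, as an added Python example that is not part of the patent text. The similarity values, log records and threshold values are constructed; measuring time dispersion as a population standard deviation, counting only devices that accessed every item of a set as target devices, and returning "undetermined" for a set with no target devices are assumptions of this example.

```python
from collections import defaultdict
from statistics import pstdev

# Hypothetical thresholds; the claims only call them "preset".
PRESET_SIMILARITY, PRESET_DISPERSION, PRESET_RATIO = 0.8, 10.0, 0.5

# Constructed sample data: fused similarities; log of (data, device, hour).
ITEMS = ["docA", "docB", "docC", "docD"]
SIM = {frozenset(pair): s for pair, s in [
    (("docA", "docB"), 0.90), (("docC", "docD"), 0.95), (("docA", "docC"), 0.20),
    (("docA", "docD"), 0.10), (("docB", "docC"), 0.30), (("docB", "docD"), 0.20)]}
LOG = [("docA", "dev1", 1), ("docA", "dev1", 30), ("docB", "dev1", 60),
       ("docA", "dev2", 5), ("docB", "dev2", 50), ("docA", "dev2", 99),
       ("docA", "dev3", 10), ("docB", "dev3", 80),
       ("docC", "dev4", 40.0), ("docC", "dev4", 40.2), ("docD", "dev4", 40.1),
       ("docC", "dev5", 41.0), ("docD", "dev5", 41.1),
       ("docC", "dev6", 3), ("docD", "dev6", 70)]

def classify(items, sim):
    """Greedy grouping: an item joins a set only if its similarity to every
    member already in it is >= PRESET_SIMILARITY (the all-pairs condition)."""
    sets = []
    for item in items:
        for group in sets:
            if all(sim[frozenset((item, m))] >= PRESET_SIMILARITY for m in group):
                group.append(item)
                break
        else:
            sets.append([item])
    return sets

def analyse_set(group, log):
    """Return (first count, second count, ratio, state); dispersion = pstdev (assumed)."""
    times, touched = defaultdict(list), defaultdict(set)
    for data_id, device, t in log:
        if data_id in group:
            times[device].append(t)
            touched[device].add(data_id)
    # Target devices: accessed every item in the set (this example's reading).
    targets = [d for d in times if touched[d] == set(group)]
    if not targets:  # empty denominator: a case the claims do not address
        return 0, 0, None, "undetermined"
    first = sum(pstdev(times[d]) >= PRESET_DISPERSION for d in targets)
    ratio = first / len(targets)
    return first, len(targets), ratio, "abnormal" if ratio <= PRESET_RATIO else "non-abnormal"

def monitor(items, sim, log):
    """Map each data item to the state of its classification set."""
    return {i: analyse_set(g, log)[3] for g in classify(items, sim) for i in g}
```

In the constructed log, docC and docD are flagged because only one of their three devices has access times spread at or above the dispersion threshold, giving a ratio of 1/3 against the preset 0.5.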
CN202210877996.9A 2022-07-25 2022-07-25 Data state monitoring method and system Withdrawn CN115484044A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210877996.9A CN115484044A (en) 2022-07-25 2022-07-25 Data state monitoring method and system

Publications (1)

Publication Number Publication Date
CN115484044A (en) 2022-12-16

Family

ID=84423101

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210877996.9A Withdrawn CN115484044A (en) 2022-07-25 2022-07-25 Data state monitoring method and system

Country Status (1)

Country Link
CN (1) CN115484044A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116800604A (en) * 2023-08-22 2023-09-22 中国科学院空天信息创新研究院 Configurable laser communication equipment control method, device, equipment and medium
CN116800604B (en) * 2023-08-22 2023-11-07 中国科学院空天信息创新研究院 Configurable laser communication equipment control method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN115098705B (en) Network security event analysis method and system based on knowledge graph reasoning
CN115188485A (en) User demand analysis method and system based on intelligent medical big data
CN114647636B (en) Big data anomaly detection method and system
CN115484044A (en) Data state monitoring method and system
CN116821777B (en) Novel basic mapping data integration method and system
CN113949881A (en) Service processing method and system based on smart city data
CN113869327A (en) Data processing method and system based on soil element content detection
CN117593115A (en) Feature value determining method, device, equipment and medium of credit risk assessment model
CN112532645A (en) Internet of things equipment operation data monitoring method and system and electronic equipment
CN112990080A (en) Rule determination method based on big data and artificial intelligence
CN115620211A (en) Performance data processing method and system of flame-retardant low-smoke halogen-free sheath
CN115601564A (en) Colloid contour detection method and system based on image recognition
CN115375886A (en) Data acquisition method and system based on cloud computing service
CN113673430A (en) User behavior analysis method based on Internet of things
CN113808088A (en) Pollution detection method and system
CN115664702A (en) Network security data protection method and system
CN113705625A (en) Method and device for identifying abnormal life guarantee application families and electronic equipment
CN115620210B (en) Method and system for determining performance of electronic wire material based on image processing
CN115906170B (en) Security protection method and AI system applied to storage cluster
CN116958838B (en) Forest resource monitoring method and system based on unmanned aerial vehicle aerial survey technology
CN114625786B (en) Dynamic data mining method and system based on wind control technology
CN116996403B (en) Network traffic diagnosis method and system applying AI model
CN114978040B (en) Attenuation condition analysis method and system based on solar cell data
CN115980279B (en) Stability optimization method and system for neon purity detection system
CN117201183A (en) Secure access method and system for Internet equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20221216