CN115766252A - Flow abnormity detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115766252A
Authority
CN
China
Prior art keywords
flow
network
traffic
data
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211460837.5A
Other languages
Chinese (zh)
Inventor
郑忠斌
王朝栋
彭新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial Internet Innovation Center Shanghai Co ltd
Original Assignee
Industrial Internet Innovation Center Shanghai Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial Internet Innovation Center Shanghai Co ltd
Priority to CN202211460837.5A
Publication of CN115766252A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention relates to the technical field of information processing, and discloses a traffic anomaly detection method and device, an electronic device and a storage medium. In the invention, initial network device information is obtained from an original network, and a network device topology map is drawn from the initial network device information, a link layer protocol and a network layer protocol; traffic data of the network device to be monitored in the network device topology map is acquired, the traffic data comprising ingress traffic data and egress traffic data; traffic anomaly detection is performed on the basis of the ingress traffic data and the egress traffic data; and after the traffic anomaly detection, if the traffic is detected to be abnormal, the abnormal traffic is traced through the network topology map. In this way the tracing and accurate positioning capabilities for abnormal network traffic are improved, and the time needed to trace and handle abnormal traffic is greatly shortened.

Description

Flow abnormity detection method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of information processing, and in particular to a method and a device for detecting abnormal traffic, an electronic device and a storage medium.
Background
At present, as industrial control networks gradually expand, a number of network security problems arise. To ensure the service security of user equipment in the industrial control network and to monitor the abnormal traffic behaviour of that equipment, a practical and effective method for detecting abnormal traffic of devices in the industrial control network needs to be established. When a device in the industrial control network produces abnormal traffic, the affected device has to be checked manually, the abnormal device cannot be located accurately and in time, and handling is delayed.
The inventors found that at least the following problem exists in the related art: the efficiency of tracing abnormal traffic of industrial control network devices is low. Traditional detection methods usually perform fine-grained feature analysis on the components of the network traffic, but the captured traffic is a mix of many users' traffic, so after the anomaly is detected the traffic still has to be analysed and cleaned to locate the abnormal traffic accurately; detection and anomaly localisation are performed separately, and the efficiency of the whole process is very low.
Disclosure of Invention
An object of embodiments of the present invention is to provide a method and an apparatus for detecting abnormal traffic, an electronic device and a storage medium, so as to achieve comprehensive detection of network traffic anomalies and accurate alarming of network threats, thereby improving the tracing and accurate positioning capabilities for abnormal network traffic and shortening the time needed to trace and handle abnormal traffic.
To solve the above technical problem, an embodiment of the present invention provides a traffic anomaly detection method, including: acquiring initial network device information from an original network, and drawing a network device topology map from the initial network device information, a link layer protocol and a network layer protocol; acquiring traffic data of the network device to be monitored in the network device topology map, the traffic data comprising ingress traffic data and egress traffic data; performing traffic anomaly detection on the basis of the ingress traffic data and the egress traffic data; and after the traffic anomaly detection, if the traffic is detected to be abnormal, tracing the abnormal traffic through the network topology map.
An embodiment of the present invention further provides a traffic anomaly detection device, including: a topology discovery module, used to acquire initial network device information from an original network and to draw a network device topology map from the initial network device information, a link layer protocol and a network layer protocol; an anomaly detection module, used to acquire traffic data of the network device to be monitored in the network device topology map, the traffic data comprising ingress traffic data and egress traffic data, and to perform traffic anomaly detection on the basis of the ingress traffic data and the egress traffic data; and an anomaly tracing module, used to trace the abnormal traffic through the network topology map if abnormal traffic is detected after the traffic anomaly detection.
An embodiment of the present invention also provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the traffic anomaly detection method described above.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the traffic anomaly detection method described above.
In the embodiment of the invention, initial network device information is first obtained from an original network, and a network device topology map is drawn from the initial network device information, a link layer protocol and a network layer protocol; secondly, traffic data of the network device to be monitored in the network device topology map is acquired, the traffic data comprising ingress traffic data and egress traffic data, and traffic anomaly detection is performed on the basis of the ingress traffic data and the egress traffic data; finally, after the traffic anomaly detection, if abnormal traffic is detected, it is traced through the network topology map. In this way the low tracing efficiency of traditional traffic content analysis is overcome: introducing a network topology discovery technique adds the network traffic and traffic direction relation, and a comprehensive decision achieves comprehensive detection of network traffic anomalies and accurate alarming of network threats, so that the tracing and accurate positioning capabilities for abnormal network traffic are improved and the time needed to trace and handle abnormal traffic is greatly shortened.
In addition, drawing a network device topology map from the initial network device information, the link layer protocol and the network layer protocol includes: acquiring network link information according to the link layer protocol, and acquiring network terminal information according to the network layer protocol; and drawing the network device topology map from the initial network device information, the network link information and the network terminal information. Acquiring this information further improves the tracing and accurate positioning capabilities for abnormal network traffic.
In addition, performing traffic anomaly detection on the basis of the ingress traffic data and the egress traffic data includes: generating an ingress traffic vector from the ingress traffic data; generating an egress traffic vector from the egress traffic data; generating a traffic matrix from the ingress traffic vector and the egress traffic vector; and performing traffic anomaly detection according to the traffic matrix and a traffic relation model. The vector and matrix model is built by adding the network traffic and traffic direction relation, so that a comprehensive decision gives a rapid response to network traffic anomalies and the time needed to handle abnormal traffic is further shortened.
In addition, performing traffic anomaly detection according to the traffic matrix and the traffic relation model includes: the traffic relation model is built with a K-nearest neighbour algorithm; before traffic anomaly detection is performed, model training is started with a preset standard training data set to generate the traffic relation model; and after the traffic matrix is input into the traffic relation model, the traffic relation model performs the traffic anomaly detection. Building the model with this algorithm gives low algorithmic complexity, fast response and low resource consumption.
In addition, the standard traffic training set includes: traffic data identified as normal and traffic data identified as abnormal.
In addition, the network terminal information comprises at least one, or any combination, of the following: router address, connected subnet type, target subnet IP.
In addition, acquiring network link information according to the link layer protocol includes: acquiring an ARP table according to the link layer protocol, and acquiring the network link information from the ARP table.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings which correspond to and are not to be construed as limiting the embodiments, in which elements having the same reference numeral designations represent like elements throughout, and in which the drawings are not to be construed as limiting in scale unless otherwise specified.
FIG. 1 is a flow chart of a method for detecting traffic anomalies according to an embodiment of the present invention;
FIG. 2 is a flowchart of a topology discovery method in an embodiment in accordance with the invention;
FIG. 3 is a flow diagram of an anomaly detection method in accordance with an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a traffic anomaly detection apparatus according to another embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an electronic device according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that numerous technical details are set forth in the various embodiments to give a better understanding of the present application; however, the technical solution claimed in the present application can be implemented without these technical details and with various changes and modifications to the following embodiments. The following embodiments are divided for convenience of description only, do not limit the specific implementation of the present invention, and may be combined with and refer to one another where there is no contradiction.
The invention relates to a traffic anomaly detection method, which can be applied to a terminal device such as a computer and can also run on a server. In the embodiment, initial network device information is obtained from an original network, and a network device topology map is drawn from the initial network device information, a link layer protocol and a network layer protocol; traffic data of the network device to be monitored in the network device topology map is acquired, the traffic data comprising ingress traffic data and egress traffic data; traffic anomaly detection is performed on the basis of the ingress traffic data and the egress traffic data; and after the traffic anomaly detection, if abnormal traffic is detected, it is traced through the network topology map. In this way the low tracing efficiency of traditional traffic content analysis is overcome: introducing a network topology discovery technique adds the network traffic and traffic direction relation, a comprehensive decision is made, comprehensive detection of abnormal network traffic and accurate alarming of network threats are achieved, the tracing and accurate positioning capabilities for abnormal network traffic are improved, and the time needed to trace and handle abnormal traffic is greatly shortened. The implementation details of the traffic anomaly detection method of this embodiment are described below; they are provided only for ease of understanding and are not necessary for implementing the embodiment.
As shown in FIG. 1, in step 101 the terminal device obtains initial network device information from an original network and draws a network device topology map from the initial network device information, a link layer protocol and a network layer protocol.
The initial network device information, the link layer protocol and the network layer protocol are used for topology discovery. The topology discovery method is shown in FIG. 2: in step 201 the terminal device obtains the original network information.
In one example, initial network device information is obtained from the original network, a network attribute set is obtained from the network device information, and a network attribute vector set is constructed from the network attribute set; network device information is also acquired according to the link layer protocol, and a network device attribute set is obtained from the link information.
In step 202, the network link information is obtained according to the link layer protocol.
In one example, obtaining the network link information according to the link layer protocol includes: acquiring an ARP table according to the link layer protocol, and acquiring the network link information from the ARP table.
Because all network devices support ARP, a protocol of the TCP/IP suite that converts a device's IP address (logical address) into its MAC address (physical address), querying the ARP table in the switch yields a table with a one-to-one correspondence between IP addresses and MAC addresses; the ARP table records the addresses of all active hosts in the same network segment.
In step 203, the terminal device obtains the network terminal information according to the network layer protocol.
Network device information is acquired according to the network layer protocol, and a network device attribute set is obtained from the network information. From the management station, SNMP messages are sent to the switch adjacent to the network terminal to obtain the connection information of each switch port, and thereby the connection state of the network terminal. The management station also sends ICMP packets over the network to confirm whether terminals are online and to discover new node devices in the network.
In one example, drawing the network device topology map from the initial network device information, the link layer protocol and the network layer protocol comprises: acquiring network link information according to the link layer protocol, and acquiring network terminal information according to the network layer protocol; and drawing the network device topology map from the initial network device information, the network link information and the network terminal information.
Specifically, SNMP, the Simple Network Management Protocol, is used. By establishing a unified standard interface, the protocol allows the different devices in a network system to be managed uniformly, which greatly simplifies management and improves its efficiency. Through SNMP a network administrator can obtain device information from different physical locations in the network, and by reading and setting that information can change the state of the network system in real time and manage the whole system in a unified, standardised way. By accessing a router through SNMP, its routing table can be queried to obtain the connection information of key devices, such as the address of the directly connected next-hop router, the type of the connected subnet and the IP of the target subnet, from which the network topology is then drawn.
Specifically, ICMP, the Internet Control Message Protocol, is also used. The Ping command uses this protocol to judge whether a network node is alive: the source node sends an ICMP packet to the target node device with the Ping command, and if the node device is alive it answers with an ICMP reply packet. The Traceroute command can be used to obtain the routing information from the source node to the target device.
It should be noted that, with the Traceroute command, the source node sends UDP probe packets with increasing TTL values to the target node one by one; each router decrements the TTL by 1, and when it reaches 0 the router returns an ICMP error message to the source node, so the source node learns that router's address, and so on until the destination node is reached and its address obtained, giving the complete network path information. The path information from the source node to the target node is obtained with the Traceroute command, and the related IP addresses, devices and network segment data are recorded to form a complete path table; the survival state of the devices is then probed in turn with the Ping command for all IP addresses contained in the target network segment, and the result is merged with the path table to form the complete network topology information.
In one example, the network terminal information includes at least one of the following: router address, connected subnet type, target subnet IP.
In one example, network device information is acquired according to the network layer protocol, and a network device attribute set is obtained from the network information. From the management station, SNMP messages are sent to the switch adjacent to the network terminal to obtain the connection information of each switch port, and thereby the connection state of the network terminal. The management station also sends ICMP packets over the network to confirm whether terminals are online and to discover new node devices in the network. Preferably, a topology map is constructed from the link information and the terminal device information acquired by the management station; the topology map consists of nodes and links. The node data consists of the device type, the device identifier and the connection port; the link data consists of the data output node and the data receiving node. From the acquired device IPs, ports and network nodes, an essentially complete network device topology map is drawn.
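The node/link topology map described above, built as an added example that is not the patent's own code: it parses a constructed switch ARP table (IP, MAC, learned port), chains the routers of a constructed Traceroute-style path table, drops ARP hosts that did not answer the Ping survival check, and then maps an alarmed switch port back to the attached host (the step 103 lookup). The switch name, the table formats and all addresses are constructed sample values.

```python
"""Added example: build the patent's node/link topology from constructed
ARP-table, path-table and liveness data (all values below are made up)."""
import re
from dataclasses import dataclass, field

# Constructed ARP table as dumped from a switch: IP <-> MAC plus the learned port.
ARP_TABLE_TEXT = """\
Address        HWaddress          Iface
10.0.1.11      02:00:0A:00:01:0B  Gi0/1
10.0.1.12      02:00:0A:00:01:0C  Gi0/2
10.0.1.13      02:00:0A:00:01:0D  Gi0/3
incomplete     (incomplete)       Gi0/4
"""

# Constructed path table from the management station towards 10.0.1.0/24:
# (router address, connected subnet type, target subnet), in hop order.
PATH_TABLE = [
    ("10.0.0.1", "ethernet", "10.0.1.0/24"),
    ("10.0.1.1", "ethernet", "10.0.1.0/24"),
]

# Constructed result of the Ping survival check: 10.0.1.13 did not answer.
ALIVE = {"10.0.1.11", "10.0.1.12"}


@dataclass(frozen=True)
class Node:
    dev_type: str   # "router", "switch" or "host"
    dev_id: str     # router IP, switch name or host MAC
    port: str       # connection port (target subnet for a router)


@dataclass
class Topology:
    nodes: set = field(default_factory=set)
    links: set = field(default_factory=set)    # (data output node, data receiving node)
    ip_of: dict = field(default_factory=dict)  # host MAC -> IP


ARP_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f:]{17})\s+(\S+)$")


def parse_arp_table(text):
    """Return {ip: (mac, port)}; header and unresolved rows are ignored."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            entries[m.group(1)] = (m.group(2).lower(), m.group(3))
    return entries


def build_topology(switch_name, arp_entries, path_table, alive):
    """Routers are chained in path order, the last router feeds the switch,
    and every live ARP host hangs off the switch port it was learned on."""
    topo = Topology()
    previous = None
    for router_ip, _subnet_type, target in path_table:
        router = Node("router", router_ip, target)
        topo.nodes.add(router)
        if previous is not None:
            topo.links.add((previous, router))
        previous = router
    switch = Node("switch", switch_name, "uplink")
    topo.nodes.add(switch)
    if previous is not None:
        topo.links.add((previous, switch))
    for ip, (mac, port) in arp_entries.items():
        if ip not in alive:              # stale ARP entry: host did not answer Ping
            continue
        host = Node("host", mac, port)
        topo.nodes.add(host)
        topo.ip_of[mac] = ip
        topo.links.add((host, switch))   # host sends into the switch
        topo.links.add((switch, host))   # and receives from it
    return topo


def locate_port(topo, port):
    """Step 103: map an alarmed switch port back to (MAC, IP) of the attached host."""
    for node in topo.nodes:
        if node.dev_type == "host" and node.port == port:
            return node.dev_id, topo.ip_of[node.dev_id]
    return None


if __name__ == "__main__":
    topo = build_topology("sw1", parse_arp_table(ARP_TABLE_TEXT), PATH_TABLE, ALIVE)
    print(sorted((n.dev_type, n.dev_id, n.port) for n in topo.nodes))
    print("port Gi0/2 belongs to", locate_port(topo, "Gi0/2"))
```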
In step 102, the terminal device obtains the traffic data of the network device to be monitored in the network device topology map, the traffic data comprising ingress traffic data and egress traffic data, and performs traffic anomaly detection on the basis of the ingress traffic data and the egress traffic data.
In one example, performing traffic anomaly detection on the basis of the ingress traffic data and the egress traffic data includes: generating an ingress traffic vector from the ingress traffic data; generating an egress traffic vector from the egress traffic data; generating a traffic matrix from the ingress traffic vector and the egress traffic vector; and performing traffic anomaly detection according to the traffic matrix and the traffic relation model.
As shown in FIG. 3, in step 301 the terminal device generates an ingress traffic vector from the ingress traffic data and an egress traffic vector from the egress traffic data.
The traffic data of each physical port of the network device to be monitored can be obtained through open-source network management software, which also reveals which ports sent or received messages in each time period. Thus the traffic flowing into and out of each physical port in each time period can be acquired.
Traffic anomaly detection is then performed on the acquired network traffic data using the network device topology map obtained above. For example, if network device 1 has 8 physical ports and network device 2 has 16 physical ports, the ports of the network devices may be numbered consecutively as port1 to port24. Taking one of the network devices as an example, the traffic it receives is monitored.
The received traffic data is reconstructed in the form expected by the trained traffic relation model. Specifically, a vector for the transmit direction and a vector for the receive direction are constructed for the traffic sent and received by each physical port on network device 1.
[equation image in the original: ingress traffic vector of port j]
[equation image in the original: egress traffic vector of port j]
Here j is the serial number of the network port; the first vector is the ingress traffic vector of port j, i.e. the network traffic values sent to port j by the other ports; the second vector is the egress traffic vector of port j, i.e. the network traffic values sent by port j to the other ports. The vector element S_kj is the statistical traffic value that port j received from port k in a preset period, the vector element S_jk is the statistical traffic value that port j sent to port k in the preset period, and n is the number of monitored ports in the network.
In step 302, an egress traffic vector is generated from the egress traffic data, and a traffic matrix is generated from the ingress traffic vector and the egress traffic vector.
A traffic matrix F_j is further constructed from the ingress traffic vector and the egress traffic vector:
[equation image in the original: traffic matrix F_j]
In step 303, the terminal device performs traffic anomaly detection according to the traffic matrix and the traffic relation model.
In one example, performing traffic anomaly detection according to the traffic matrix and the traffic relation model includes: the traffic relation model is built with a K-nearest neighbour algorithm; before traffic anomaly detection is performed, model training is started with a preset standard training data set to generate the traffic relation model; and after the traffic matrix is input into the traffic relation model, the traffic relation model performs the traffic anomaly detection.
In one example, the standard traffic training set includes: traffic data identified as normal and traffic data identified as abnormal.
The traffic matrix constructed for the monitored object is fed into the trained traffic relation model; in this embodiment the traffic relation model uses the K-nearest neighbour algorithm, which is described as an example.
In this embodiment, taking port j as an example, the traffic data of network port j is collected; for instance, the traffic in N monitoring periods may be collected as samples, and a traffic matrix is constructed for each of the N samples in the manner given in step S4.
Further, each of the N samples of port j, which are known in advance, is identified as normal traffic data or abnormal traffic data. A standard training data set is then constructed, comprising the traffic matrix of each of the N samples of port j together with the traffic identification result of each sample.
The constructed standard training data set can be expressed as:
[equation image in the original: the standard training data set]
where N is the number of samples,
[equation image in the original: the identifier of each sample]
where -1 denotes abnormal traffic and 1 denotes normal traffic, and the superscript x marks samples that belong to the training set.
Model training is started with this standard training data set, with the goal of finding the most appropriate model parameter P.
(1) An initial model parameter P is selected. The value of P can be chosen according to the number of samples; initially a P value is chosen from the interval [6 × number of classes, number of samples].
When searching for the most suitable model parameter P, the optimal model parameter can be considered found when the loss function is minimised; the minimum of the loss function means that the number of misclassified samples under the current model parameter P is smallest. The initial loss function may be set equal to the number of samples, i.e. loss = N, and the value of the loss function is updated afterwards.
(2) Specifically, each sample [equation image in the original: the selected sample] is selected in turn from the standard training data set [equation image in the original: the training set], and the Euclidean distance between the selected sample and every other sample [equation image in the original: the other samples] in the standard training data set is computed, until the Euclidean distances of all N samples in the standard training data set have been calculated. Wherein N = 1.
(3) Once the Euclidean distances of the N samples have been calculated, the P samples with the smallest Euclidean distance are selected and the classes they belong to are counted; the class with the larger number of samples is taken as the test class of the currently selected sample. For example, if the current P value is 12 and, according to the identifier values [equation image in the original: the identifier] of those 12 samples, 8 belong to normal traffic data and 4 belong to abnormal traffic data, the test classification of the currently selected sample is normal traffic data.
It may also happen that the numbers of normal and abnormal traffic samples are equal, i.e. 6 samples belong to normal traffic data and 6 to abnormal traffic data. In that case the average Euclidean distance of each class is computed separately, and the class with the smallest average Euclidean distance is taken as the test result of the sample [equation image in the original: the selected sample] in the training set [equation image in the original: the training set].
(4) The currently selected sample may actually be identified [equation image in the original: the identifier] as abnormal traffic data, i.e. the test classification may not match the actually identified classification. The number of samples whose test classification is inconsistent with their actually identified classification is counted at this point.
Specifically, a counter C may be used, with initial value C = 0; C is incremented by 1 whenever a sample's test classification is inconsistent with its actually identified classification.
(5) The loss function is updated as the minimum of the initial loss function and the number of samples whose test classification is inconsistent with the actually identified classification.
After the P value is adjusted, steps (1) to (5) above are repeated until the loss function is found to be at its minimum or loss = 0, and the P value at that point is taken as the optimal model parameter value.
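Steps 301 to 303 and the parameter search (1) to (5), worked as an added example rather than the patent's own code: per-port counters S_kj and S_jk are turned into the ingress and egress vectors and the traffic matrix F_j, a K-nearest-neighbour classifier uses Euclidean distance with the patent's tie rule (class with the smaller average distance), the counter C of misclassified samples is the loss, and P is searched from 6 × number of classes upwards until loss = 0. The 2 × n matrix layout, the leave-one-out evaluation of the loss, the cap of P at N - 1 and the 24 constructed training samples are this example's assumptions.

```python
"""Added example: traffic matrix + K-nearest-neighbour traffic relation model
with the parameter-P search. Counters and labels below are constructed."""
import math
from collections import Counter

NORMAL, ABNORMAL = 1, -1   # identifier values used in the patent's training set


def ingress_vector(counts, j, n):
    """S_kj for k = 1..n: traffic that port j received from port k in the period."""
    return [counts.get((k, j), 0) for k in range(1, n + 1)]


def egress_vector(counts, j, n):
    """S_jk for k = 1..n: traffic that port j sent to port k in the period."""
    return [counts.get((j, k), 0) for k in range(1, n + 1)]


def traffic_matrix(counts, j, n):
    """F_j as a 2 x n matrix: row 0 ingress vector, row 1 egress vector (assumed layout)."""
    return [ingress_vector(counts, j, n), egress_vector(counts, j, n)]


def flatten(matrix):
    return [v for row in matrix for v in row]


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_classify(train, query, p):
    """Step (3): majority class among the P nearest samples; on a tie the class
    with the smaller average Euclidean distance wins."""
    ranked = sorted(((euclidean(x, query), y) for x, y in train), key=lambda t: t[0])[:p]
    votes = Counter(y for _, y in ranked)
    best = max(votes.values())
    tied = [y for y, c in votes.items() if c == best]
    if len(tied) == 1:
        return tied[0]
    return min(tied, key=lambda y: sum(d for d, c in ranked if c == y) / votes[y])


def loss(train, p):
    """Steps (2)-(5): counter C of samples whose test class (leave-one-out)
    disagrees with their identified class, for a given P."""
    c = 0
    for i, (x, y) in enumerate(train):
        others = train[:i] + train[i + 1:]
        if knn_classify(others, x, p) != y:
            c += 1
    return c


def select_p(train, n_classes=2):
    """Step (1): start P at 6 * number of classes, search up to the number of
    samples (capped at N-1, the leave-one-out pool), stop when loss = 0."""
    n_samples = len(train)
    best_p, best_loss = None, n_samples        # initial loss = N, as in the patent
    for p in range(6 * n_classes, n_samples):
        current = loss(train, p)
        if current < best_loss:
            best_p, best_loss = p, current
        if current == 0:
            break
    return best_p, best_loss


def build_training_set(n_ports=4, j=1, normal=16, abnormal=8):
    """Constructed standard training set: N = 24 traffic matrices of port j,
    labelled 1 (normal) or -1 (abnormal); abnormal periods show egress
    counters far above the normal baseline."""
    train = []
    for i in range(normal + abnormal):
        egress_base = 90 + i if i < normal else 5000 + 50 * i
        counts = {}
        for k in range(1, n_ports + 1):
            if k != j:
                counts[(k, j)] = 100 + i          # S_kj: received from port k
                counts[(j, k)] = egress_base      # S_jk: sent to port k
        label = NORMAL if i < normal else ABNORMAL
        train.append((flatten(traffic_matrix(counts, j, n_ports)), label))
    return train


if __name__ == "__main__":
    data = build_training_set()
    p, l = select_p(data)
    print("selected P =", p, "loss =", l)
    # Constructed monitoring period for port 1 with egress well above baseline.
    probe = {(2, 1): 110, (3, 1): 110, (4, 1): 110,
             (1, 2): 7000, (1, 3): 7000, (1, 4): 7000}
    print("probe classified as", knn_classify(data, flatten(traffic_matrix(probe, 1, 4)), p))
```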
In step 103, after the abnormal traffic is detected, if it is detected that the traffic is abnormal traffic, tracing the abnormal traffic through the network topology map.
In one example, the trained model is applied to an actual network, and once abnormal traffic data is detected by the model, the model can be quickly positioned in the network topology, so that the tracing and processing time of the abnormal traffic is saved.
In the embodiment, the problem of low tracing efficiency aiming at the traditional flow content analysis is solved, the network flow and flow direction relation is increased by introducing a network topology discovery technology, and comprehensive decision is comprehensively made to realize the comprehensive detection of the network flow abnormity and the accurate alarm of the network threat, so that the tracing and accurate positioning capabilities of the network abnormal flow are improved, and the time for tracing the abnormal flow and processing the abnormal flow is greatly shortened.
The steps of the above method are divided for clarity of description, and may be combined into one step or split into some steps, and the steps are decomposed into multiple steps, so long as the steps include the same logical relationship, which is within the protection scope of the patent; it is within the scope of this patent to add insignificant modifications or introduce insignificant designs to the algorithms or processes, but not to change the core designs of the algorithms and processes.
Another embodiment of the present invention relates to a traffic anomaly detection device, as shown in Fig. 4, including: a topology discovery module 401, configured to obtain initial network device information according to an original network, and to draw a network device topology map according to the initial network device information, a link layer protocol, and a network layer protocol; an anomaly detection module 402, configured to obtain traffic data of the network device to be monitored in the network device topology map, the traffic data comprising ingress traffic data and egress traffic data, and to perform traffic anomaly detection based on the ingress traffic data and the egress traffic data; and an anomaly tracing module 403, configured to trace the source of the abnormal traffic through the network topology map if, after the traffic anomaly detection, the traffic is detected to be abnormal.
In an example, the topology discovery module 401 is specifically configured to draw the network device topology map according to the initial network device information, the link layer protocol and the network layer protocol by: acquiring network link information according to the link layer protocol, and acquiring network terminal information according to the network layer protocol; and drawing the network device topology map according to the initial network device information, the network link information and the network terminal information.
In an example, the anomaly detection module 402 is specifically configured to perform traffic anomaly detection based on the ingress traffic data and the egress traffic data by: generating an ingress traffic vector from the ingress traffic data; generating an egress traffic vector from the egress traffic data; generating a traffic matrix from the ingress traffic vector and the egress traffic vector; and performing traffic anomaly detection according to the traffic matrix and a traffic relation model.
In one example, performing traffic anomaly detection according to the traffic matrix and the traffic relation model includes: the traffic relation model is built with a K-proximity (K-nearest-neighbour) algorithm; before traffic anomaly detection is performed, model training is started with a preset standard training data set to generate the traffic relation model; and after the traffic matrix is input into the traffic relation model, the traffic relation model performs the traffic anomaly detection.
In one example, the standard traffic training set includes traffic data labelled as normal and traffic data labelled as abnormal.
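The traffic-matrix and K-proximity (K-nearest-neighbour) relation model described for module 402, together with the counter-based selection of the model parameter described above, as an added example that is not part of the patent; the feature layout, the constructed sample windows and the per-column max scaling are assumptions made for this demonstration:

```python
# Added example (not the patent's code): traffic matrix from ingress/egress vectors, a hand-written
# K-nearest-neighbour relation model, and K chosen with the misclassification counter C.
# Feature names, sample values and the max-scaling step are assumptions for this demo.
from collections import Counter
import math

# Constructed labelled windows: (ingress vector, egress vector, label); each vector is
# (bytes, packets, distinct peers) seen at the monitored device in one monitoring window.
TRAINING = [
    ((1200, 40, 3), (900, 35, 3), "normal"), ((1500, 48, 4), (1100, 40, 4), "normal"),
    ((1100, 37, 3), (850, 33, 2), "normal"), ((1300, 42, 4), (1000, 38, 3), "normal"),
    ((90000, 3000, 1), (300, 12, 1), "abnormal"),    # one-sided: flood arriving
    ((85000, 2800, 1), (250, 10, 1), "abnormal"),
    ((400, 20, 2), (80000, 2500, 150), "abnormal"),  # one-sided: host spraying outward
    ((380, 18, 2), (76000, 2400, 140), "abnormal"),
]
VALIDATION = [((1250, 41, 3), (950, 36, 3), "normal"), ((88000, 2900, 1), (280, 11, 1), "abnormal"),
              ((420, 21, 2), (79000, 2450, 145), "abnormal")]

def traffic_matrix(rows):
    """One row per window: the ingress vector followed by the egress vector."""
    return [list(ingress) + list(egress) for ingress, egress, _ in rows]

def scale(matrix, ref):
    """Divide each column by its maximum in ref so byte counts do not swamp peer counts."""
    maxes = [max(col) or 1 for col in zip(*ref)]
    return [[v / m for v, m in zip(row, maxes)] for row in matrix]

def knn_predict(train_x, train_y, x, k):
    """Majority label among the k nearest training rows (Euclidean distance)."""
    nearest = sorted(range(len(train_x)), key=lambda i: math.dist(train_x[i], x))[:k]
    return Counter(train_y[i] for i in nearest).most_common(1)[0][0]

def misclassified(train_x, train_y, test_x, test_y, k):
    """Counter C: starts at 0, +1 for each row whose test classification disagrees with its label."""
    return sum(1 for x, y in zip(test_x, test_y) if knn_predict(train_x, train_y, x, k) != y)

def select_k(train, test, candidates=(1, 3, 5)):
    """Try each K, keep the one with minimal loss C/|test|, and stop early once loss = 0."""
    train_x = scale(traffic_matrix(train), traffic_matrix(train))
    test_x = scale(traffic_matrix(test), traffic_matrix(train))
    train_y, test_y = [r[2] for r in train], [r[2] for r in test]
    best_k, best_loss = None, float("inf")
    for k in candidates:
        loss = misclassified(train_x, train_y, test_x, test_y, k) / len(test)
        if loss < best_loss:
            best_k, best_loss = k, loss
        if loss == 0:
            break
    return best_k, best_loss

def detect(train, ingress, egress, k):
    """Classify one new window with the trained relation model."""
    train_x = scale(traffic_matrix(train), traffic_matrix(train))
    x = scale([list(ingress) + list(egress)], traffic_matrix(train))[0]
    return knn_predict(train_x, [r[2] for r in train], x, k)
```

With the constructed windows the first candidate K already yields loss = 0, so the search stops there, exactly as the description's stopping rule prescribes.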
In one example, the network terminal information includes at least one of the following, or any combination thereof: router address, connected subnet type, target subnet IP.
In one example, acquiring the network link information according to the link layer protocol includes: acquiring an ARP table according to the link layer protocol, and acquiring the network link information from the ARP table.
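Building the topology map from the initial device information, the ARP-derived link information and the router/subnet terminal information, and then using it to trace abnormal traffic back to its source position (module 403), as an added example that is not the patent's own code; device names, addresses, ARP entries and routes are all constructed for this demonstration:

```python
# Added example (not the patent's code): topology map from constructed device info, ARP tables
# (link layer) and routes (network layer); names, addresses and links are all constructed.
from collections import deque
import ipaddress
# Constructed initial network device information: name -> (IP address, MAC address).
DEVICES = {"core-rtr": ("10.0.0.1", "aa:00:00:00:00:01"), "sw-a": ("10.0.1.1", "aa:00:00:00:00:02"),
           "sw-b": ("10.0.2.1", "aa:00:00:00:00:03"), "plc-7": ("10.0.1.20", "aa:00:00:00:00:07")}
# Constructed ARP tables (link-layer protocol): device -> [(neighbour IP, neighbour MAC)].
ARP_TABLES = {"core-rtr": [("10.0.1.1", "aa:00:00:00:00:02"), ("10.0.2.1", "aa:00:00:00:00:03")],
              "sw-a": [("10.0.0.1", "aa:00:00:00:00:01"), ("10.0.1.20", "aa:00:00:00:00:07")]}
# Constructed terminal information (network layer): (router address, subnet type, target subnet).
ROUTES = [("10.0.0.1", "direct", "10.0.1.0/24"), ("10.0.0.1", "direct", "10.0.2.0/24"),
          ("10.0.0.1", "external", "0.0.0.0/0")]

def build_topology(devices, arp_tables, routes):
    """Adjacency map: device nodes linked via ARP entries, plus one node per routed target subnet."""
    by_mac = {mac: name for name, (_, mac) in devices.items()}
    by_ip = {ip: name for name, (ip, _) in devices.items()}
    adj = {name: set() for name in devices}
    for name, entries in arp_tables.items():  # each ARP entry is a link to the owner of that MAC
        for _, mac in entries:
            peer = by_mac.get(mac)
            if peer and peer != name:
                adj[name].add(peer)
                adj[peer].add(name)
    for router_ip, subnet_type, subnet in routes:  # the router address reaches the target subnet
        node = f"{subnet_type}:{subnet}"
        adj.setdefault(node, set()).add(by_ip[router_ip])
        adj[by_ip[router_ip]].add(node)
    return adj

def trace_path(adj, start, goal):
    """BFS shortest path, used to walk an anomalous flow back from the monitored device."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(adj.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def locate_source(adj, devices, monitored, src_ip):
    """Trace to the device owning src_ip, else to the most specific routed subnet containing it."""
    for name, (ip, _) in devices.items():
        if ip == src_ip:
            return trace_path(adj, monitored, name)
    subnets = sorted((n for n in adj if "/" in n), reverse=True,
                     key=lambda n: ipaddress.ip_network(n.split(":", 1)[1]).prefixlen)
    for node in subnets:
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(node.split(":", 1)[1]):
            return trace_path(adj, monitored, node)
    return None
```

A source address that belongs to no inventoried device is still placed on the map at the subnet node through which it enters, which is the position an operator needs when the device inventory is incomplete.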
It should be understood that this embodiment is an apparatus embodiment corresponding to the method embodiment described above, and that this embodiment can be implemented in cooperation with the method embodiment described above. The related technical details mentioned in the above method embodiments are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related art details mentioned in the present embodiment can also be applied to the above-described method embodiment.
It should be noted that, in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may also be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not so closely related to solving the technical problems proposed by the present invention are not introduced in the present embodiment, but this does not indicate that other elements are not present in the present embodiment.
Another embodiment of the invention relates to an electronic device, as shown in FIG. 5, comprising at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of flow anomaly detection as described above.
The memory 502 and the processor 501 are coupled by a bus, which may include any number of interconnected buses and bridges that couple one or more of the various circuits of the processor 501 and the memory 502 together. The bus may also connect various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor 501 is transmitted over a wireless medium through an antenna, which further receives the data and transmits the data to the processor 501.
The processor 501 is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And memory 502 may be used to store data used by processor 501 in performing operations.
Another embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program realizes the above-described method embodiments when executed by a processor.
That is, as those skilled in the art will understand, all or part of the steps of the method in the embodiments described above may be implemented by a program instructing the related hardware; the program is stored in a storage medium and includes a number of instructions that enable a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (10)

1. A traffic anomaly detection method, comprising:
acquiring initial network device information according to an original network, and drawing a network device topology map according to the initial network device information, a link layer protocol and a network layer protocol;
acquiring traffic data of a network device to be monitored in the network device topology map, wherein the traffic data comprises ingress traffic data and egress traffic data, and performing traffic anomaly detection based on the ingress traffic data and the egress traffic data;
after the traffic anomaly detection is performed, if the traffic is detected to be abnormal traffic, tracing the abnormal traffic through the network topology map.
2. The traffic anomaly detection method according to claim 1, wherein drawing the network device topology map according to the initial network device information, the link layer protocol and the network layer protocol comprises:
acquiring network link information according to the link layer protocol, and acquiring network terminal information according to the network layer protocol;
drawing the network device topology map according to the initial network device information, the network link information and the network terminal information.
3. The traffic anomaly detection method according to claim 1, wherein performing traffic anomaly detection based on the ingress traffic data and the egress traffic data comprises:
generating an ingress traffic vector according to the ingress traffic data;
generating an egress traffic vector according to the egress traffic data;
generating a traffic matrix according to the ingress traffic vector and the egress traffic vector;
performing traffic anomaly detection according to the traffic matrix and a traffic relation model.
4. The method according to claim 3, wherein performing traffic anomaly detection according to the traffic matrix and the traffic relation model comprises:
building the traffic relation model with a K-proximity algorithm;
before the traffic anomaly detection is performed, starting model training with a preset standard training data set to generate the traffic relation model;
after the traffic matrix is input into the traffic relation model, performing the traffic anomaly detection with the traffic relation model.
5. The traffic anomaly detection method according to claim 4, wherein the standard traffic training set comprises traffic data labelled as normal and traffic data labelled as abnormal.
6. The traffic anomaly detection method according to claim 2, wherein the network terminal information comprises at least one of the following, or any combination thereof: router address, connected subnet type, target subnet IP.
7. The traffic anomaly detection method according to claim 2, wherein acquiring network link information according to the link layer protocol comprises:
acquiring an ARP table according to the link layer protocol, and acquiring the network link information from the ARP table.
8. A traffic anomaly detection device, comprising:
a topology discovery module, configured to acquire initial network device information according to an original network and to draw a network device topology map according to the initial network device information, a link layer protocol and a network layer protocol;
an anomaly detection module, configured to acquire traffic data of a network device to be monitored in the network device topology map, wherein the traffic data comprises ingress traffic data and egress traffic data, and to perform traffic anomaly detection based on the ingress traffic data and the egress traffic data;
an anomaly tracing module, configured to trace the abnormal traffic through the network topology map if, after the traffic anomaly detection is performed, the traffic is detected to be abnormal.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the traffic anomaly detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the traffic anomaly detection method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211460837.5A CN115766252A (en) 2022-11-17 2022-11-17 Flow abnormity detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115766252A true CN115766252A (en) 2023-03-07

Family

ID=85334435

Country Status (1)

Country Link
CN (1) CN115766252A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117061252A (en) * 2023-10-12 2023-11-14 杭州智顺科技有限公司 Data security detection method, device, equipment and storage medium
CN117061252B (en) * 2023-10-12 2024-03-12 杭州智顺科技有限公司 Data security detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination