CN115935237A - Method and device for detecting abnormity of service flow data and electronic equipment - Google Patents

Publication number
CN115935237A
Authority
CN
China
Prior art keywords
service
data
index data
classification detection
alarm threshold
Legal status
Pending
Application number
CN202211624050.8A
Other languages
Chinese (zh)
Inventor
吕兴海
陈栋
赵彦发
Current Assignee
Beijing Sino Bridge Technology Co ltd
Original Assignee
Beijing Sino Bridge Technology Co ltd
Application filed by Beijing Sino Bridge Technology Co ltd
Priority to CN202211624050.8A
Publication of CN115935237A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The disclosure relates to a method, a device and an electronic device for detecting the abnormality of service flow data, wherein the method comprises the following steps: acquiring service flow data sent by a source object end; classifying and preprocessing the service flow data to obtain service index data of each service type, wherein the service types comprise user types, transaction style types and operation rule types; inputting the service index data of each service type into a target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model, wherein the alarm threshold curve is obtained by historical service flow data through the target classification detection model; and outputting alarm prompt information when abnormal data exist in the service index data according to the alarm threshold curve. By the method, the service type of the data is considered, the granularity of data detection is refined, and the detection precision is improved.

Description

Method and device for detecting abnormity of service flow data and electronic equipment
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, an apparatus, and an electronic device for detecting an anomaly of traffic data.
Background
Currently, more and more financial industries such as banks rely on financial clients to provide more convenient services for users. The financial client can realize interaction with the user and communication with the server, and realize transmission of business data through communication with the server, thereby providing corresponding business service for the user. A data center is usually established in a financial service system, and the data center is used as a hub for data transmission between a financial client and a server, and carries huge data traffic throughput to support the business process of each financial client. Therefore, if data transmission becomes abnormal, the data center needs to detect it in time, to avoid stalling the business process and affecting the user experience.
When the current data center carries out data monitoring, the index of the data monitoring is single, the abnormity of the data is judged through a preset specific threshold value, and then alarm reminding information is generated. However, the diversity of the business data of the financial industry is not considered in this way, which results in that the way of judging the data abnormality of the current data center is too single, and accurate detection of the business flow data cannot be guaranteed.
Disclosure of Invention
In order to solve the problems in the related art, embodiments of the present disclosure provide a method and an apparatus for detecting an anomaly of service traffic data, and an electronic device.
In a first aspect, an embodiment of the present disclosure provides an anomaly detection method for service traffic data, including:
acquiring service flow data sent by a source object end;
classifying and preprocessing the service flow data to obtain service index data of each service type, wherein the service types comprise user types, transaction style types and operation rule types;
inputting the service index data of each service type into a target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model, wherein the alarm threshold curve is obtained by historical service flow data through the target classification detection model;
and outputting alarm prompt information when abnormal data exist in the service index data according to the alarm threshold curve.
According to an embodiment of the present disclosure, the classifying and preprocessing the service flow data to obtain service index data of each service type includes:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
and classifying and summarizing the time slice data according to the service types to obtain service index data of each service type.
According to an embodiment of the present disclosure, the step of inputting the service index data of each service type into a target classification detection model and performing classification detection on the service index data according to the alarm threshold curve in the target classification detection model includes:
inputting the service index data of each service type into a channel corresponding to each service type in the target classification detection model, wherein the channel comprises a detection algorithm for the service index data of each service type;
and in the channel corresponding to each service type, carrying out classification detection on the service index data according to the detection algorithm and the alarm threshold curve corresponding to each service type.
According to an embodiment of the present disclosure, the service traffic data includes attribute information of the source object, the service index data includes time slice data and traffic index data, and the classifying and preprocessing the service traffic data to obtain service index data of each service type includes:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
classifying and summarizing the time slice data according to the attribute information to obtain the time slice data of each source object end;
and classifying and summarizing the time slice data of each source object terminal according to the service types to obtain service index data of each service type.
According to an embodiment of the present disclosure, the inputting the service index data of each service type into a target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model includes:
inputting the service index data of each service type into the target classification detection model, and analyzing the service type and attribute information corresponding to the service index data by the target classification detection model;
searching a corresponding alarm threshold value curve according to the service type and the attribute information corresponding to the service index data;
and carrying out classification detection on the service index data according to the alarm threshold curve.
According to an embodiment of the present disclosure, the target classification detection model includes at least two basic detection models, the step of inputting the service index data of each service type into the target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model includes:
respectively inputting the service index data of each service type into the at least two basic detection models;
detecting whether each source object end has an abnormal source object end or not by one of the at least two basic detection models;
and carrying out classification detection on the service index data by the other of the at least two basic detection models according to the alarm threshold curve in the target classification detection model.
In a second aspect, an embodiment of the present disclosure provides an apparatus for detecting an anomaly of traffic data, including:
the acquisition module is used for acquiring the service flow data sent by the source object terminal;
the processing module is used for carrying out classification pretreatment on the service flow data to obtain service index data of each service type, wherein the service types comprise user types, transaction style types and operation rule types;
the input module is used for inputting the service index data of each service type into a target classification detection model and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model, wherein the alarm threshold curve is obtained by historical service flow data through the target classification detection model;
and the output module is used for outputting alarm prompt information when abnormal data exists in the service index data according to the alarm threshold curve.
According to an embodiment of the present disclosure, the processing module is specifically configured to:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
and classifying and summarizing the time slice data according to the service types to obtain service index data of each service type.
According to an embodiment of the present disclosure, the alarm threshold curves include alarm threshold curves corresponding to the service types, and the input module is specifically configured to:
inputting the service index data of each service type into a channel corresponding to each service type in the target classification detection model, wherein the channel comprises a detection algorithm for the service index data of each service type;
and in the channel corresponding to each service type, carrying out classification detection on the service index data according to the detection algorithm and the alarm threshold curve corresponding to each service type.
According to an embodiment of the present disclosure, the service flow data includes attribute information of the source object, the service index data includes time slice data and flow index data, and the processing module is specifically configured to:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
according to the attribute information, the time slice data are classified and summarized to obtain the time slice data of each source object end;
and classifying and summarizing the time slice data of each source object terminal according to the service types to obtain service index data of each service type.
According to an embodiment of the present disclosure, the input module is specifically configured to:
inputting the service index data of each service type into the target classification detection model, and analyzing the service type and attribute information corresponding to the service index data by the target classification detection model;
searching a corresponding alarm threshold value curve according to the service type and the attribute information corresponding to the service index data;
and carrying out classification detection on the service index data according to the alarm threshold curve.
According to an embodiment of the present disclosure, the target classification detection model includes at least two basic detection models, and the input module is specifically configured to:
respectively inputting the service index data of each service type into the at least two basic detection models;
detecting whether each source object end has an abnormal source object end or not by one of the at least two basic detection models;
and carrying out classification detection on the service index data by the other of the at least two basic detection models according to the alarm threshold curve in the target classification detection model.
In a third aspect, the disclosed embodiments provide an electronic device comprising a memory and a processor, wherein the memory is configured to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement the method according to the first aspect.
In a fourth aspect, the disclosed embodiments provide a computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method according to the first aspect.
In a fifth aspect, the disclosed embodiments provide a computer program product comprising computer instructions which, when executed by a processor, implement the method steps as described in the first aspect.
Through the implementation mode, the service flow data is classified according to the service types, the service flow data is refined into the service index data of each service type, the service index data of each service type is input into the target classification detection model, classification detection of the target classification detection model based on the service index data of each service type can be realized, and alarm prompt information is output when abnormality is found. By the mode, the service type of the data is considered, the granularity of data detection is refined, and the detection precision is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Other features, objects, and advantages of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments when taken in conjunction with the accompanying drawings. In the drawings:
Fig. 1 shows a block diagram of an anomaly detection system for traffic data according to an embodiment of the present disclosure;
Fig. 2 shows a flow chart of an anomaly detection method for traffic data according to an embodiment of the present disclosure;
Fig. 3 shows a flow chart of an anomaly detection method for traffic data according to an embodiment of the present disclosure;
Fig. 4 shows a flow chart of an anomaly detection method for traffic data according to an embodiment of the present disclosure;
Fig. 5 shows a flow chart of an anomaly detection method for traffic data according to an embodiment of the present disclosure;
Fig. 6 is a structural diagram illustrating an abnormality detection method of traffic data according to an embodiment of the present disclosure;
Fig. 7 shows a block diagram of an electronic device according to an embodiment of the present disclosure;
Fig. 8 shows a schematic block diagram of a computer system suitable for use in implementing a method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily implement them. Also, for the sake of clarity, parts not relevant to the description of the exemplary embodiments are omitted in the drawings.
In the present disclosure, it is to be understood that terms such as "including" or "having," etc., are intended to indicate the presence of the disclosed features, numbers, steps, behaviors, components, parts, or combinations thereof, and are not intended to preclude the possibility that one or more other features, numbers, steps, behaviors, components, parts, or combinations thereof may be present or added.
It should be further noted that the embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In the present disclosure, if an operation of acquiring user information or user data or an operation of presenting user information or user data to others is involved, the operations are all operations authorized, confirmed by a user, or actively selected by the user.
First, an application scenario of the embodiment of the present disclosure is described with reference to fig. 1.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating an anomaly detection system for traffic data according to an embodiment of the present disclosure. As shown in fig. 1, the system 100 includes a data center 110, a financial client 120, and a server 130.
The financial client 120 is a terminal that can interact with a user and provide professional financial services. It includes terminals used by practitioners inside the financial industry, as well as terminals that face the customers of the financial industry.
The financial client 120 and the server 130 can implement transmission of service traffic data through the data center 110. Specifically, the financial client 120 uploads service data to and downloads service data from the data center 110, and similarly, the server 130 requests service data from and stores service data in the data center 110. In this way the data center 110, the financial client 120 and the server 130 realize the transmission of the service flow data. When the data center 110 performs data operation and maintenance, detecting abnormalities in the flow data timely and accurately is an important indicator. However, in the current implementation, since the service attributes of the financial client are not considered, normal operations by a user of the financial client may be misjudged as abnormal, which in turn causes false alarms.
Based on the problem existing in the current data center 110 for data anomaly detection, the embodiment of the present disclosure discloses a technical solution, which includes: acquiring service flow data sent by a source object end; classifying and preprocessing the service flow data to obtain service index data of each service type, wherein the service types comprise user types, transaction style types and operation rule types; inputting the service index data of each service type into a target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model, wherein the alarm threshold curve is obtained by historical service flow data through the target classification detection model; and outputting alarm prompt information when abnormal data exist in the service index data according to the alarm threshold curve.
Through the implementation mode, the service flow data is classified according to the service types, the service flow data is refined into the service index data of each service type, the service index data of each service type is input into the target classification detection model, classification detection of the target classification detection model based on the service index data of each service type can be realized, and alarm prompt information is output when abnormality is found. By the mode, the service type of the data is considered, the granularity of data detection is refined, and the detection precision is improved.
Fig. 2 shows a flowchart of an anomaly detection method for traffic data according to an embodiment of the present disclosure. As shown in fig. 1, the method for detecting an anomaly of service traffic data includes the following steps S201 to S204:
In step S201, service traffic data sent by the source object end is acquired.
In embodiments of the present disclosure, the "source object end" refers to one of the financial client and the server. The "business flow data" refers to business data that passes through the data center within a certain time and is related to financial business, used for realizing financial business services. The certain time may be a period of 24 hours, 48 hours, a week, or a month. The acquisition of the service flow data can be triggered either by capturing the data over a certain time, or by monitoring the accumulated volume of passing data and triggering when a certain threshold is reached. If the traffic data is obtained at a set frequency, that frequency can be related to the operation and maintenance frequency set by the data center.
In step S202, the service traffic data is subjected to classification preprocessing to obtain service index data of each service type, where the service type includes a user type, a transaction style type, and an operation rule type.
In the embodiment of the present disclosure, the service traffic data is subjected to classification preprocessing; specifically, the service traffic data may be classified according to the service type. In the embodiment of the present disclosure, the service types may include a user type, a transaction style type, an operation rule type, and the like. Taking the source object end as a financial client as an example, the user type refers to the user group using the financial client, and includes a personal identification of the user or a financial portrait set for the user according to the user's financial operation attributes. The transaction style type refers to a transaction type tag set for the user based on the user's past transaction history, and may include a high-risk type or a low-risk type. The operation rule type refers to an operation rule summarized for the user based on the user's past operation history, divided into specific types. The operation rule type may include a frequent operation type, a low-frequency operation type, and so on. Where the source object end is a server, the server and the financial client form a communication pair, and the service type can be stored in the server corresponding to the financial client; that is, no matter whether the source object end is the financial client or the server, the data center can obtain the service type from the data.
In one implementation, the features of each service type may be set in a classifier, and the service flow data is classified and preprocessed by the classifier to obtain service index data of each service type. In another implementation, traffic data may be classified and preprocessed using traffic classification and classification algorithms associated therewith. After the service flow data is classified, a service type label can be added to the classified data to identify the service type to which the service index data belongs, so that the classification of the data can be obtained when the following steps are performed.
In step S203, the service index data of each service type is input into a target classification detection model, and the service index data is classified and detected according to an alarm threshold curve in the target classification detection model, where the alarm threshold curve is obtained by passing historical service traffic data through the target classification detection model.
In the embodiment of the present disclosure, the "target classification detection model" may be obtained by performing iterative training on a preset basic classification detection model based on historical traffic data. Iterative training is carried out using historical service flow data: characteristic information of the service index data of each service type is extracted from the historical service flow data, the alarm threshold values of the service index data of the different service types within a certain time are then determined, and an alarm threshold curve is fitted. Compared with a fixed threshold, the alarm threshold curve better matches the data characteristics of the service flow data and is more accurate.
In the embodiment of the present disclosure, the alarm threshold curve may be a curve implemented by two dimensions, or may be a curve implemented by three dimensions. The specific implementation manner can be seen in the embodiments shown in fig. 3 or fig. 4 described below.
In the embodiment of the present disclosure, the service index data is classified and detected according to the alarm threshold curve. Specifically, the service index data may be projected into the coordinate system in which the alarm threshold curve lies to form a service index data curve, and the service index data curve is compared with the alarm threshold curve. If there is an area with a large difference, it is further determined whether the difference exceeds an error value, and if the error value is exceeded, the values in that area are determined to be abnormal.
In step S204, when it is detected that abnormal data exists in the service index data according to the alarm threshold curve, alarm prompt information is output.
In the embodiment of the disclosure, jump points in the service index data can be ignored; that is, the comparison need not be point-to-point, and a regional comparison can be used, so as to reduce invalid alarms. The "alarm prompt information" of the present disclosure may include the abnormal target service type, the degree of abnormality, and the like. Furthermore, a solution model can be trained on historical data, and an abnormality analysis result, a solution to the abnormality and the like can be obtained from the information included in the alarm prompt information, so that operation and maintenance personnel can handle the detected abnormality in time.
Through the implementation mode, the service flow data is classified according to the service types, the service flow data is refined into the service index data of each service type, the service index data of each service type is input into the target classification detection model, classification detection of the target classification detection model based on the service index data of each service type can be realized, and alarm prompt information is output when abnormality is found. By the mode, the service type of the data is considered, the granularity of data detection is refined, and the detection precision is improved.
Specific implementation examples of the technical solutions in the present disclosure are described below with reference to fig. 3 to 5, respectively.
Fig. 3 shows a flowchart of an anomaly detection method for traffic data according to an embodiment of the present disclosure, and as shown in fig. 3, the method includes steps S301 to S306.
In step S301, service traffic data sent by a source object is acquired;
In the embodiment of the present disclosure, the specific implementation of step S301 may refer to the related description in step S201, and is not described herein again.
In step S302, time sorting and slicing are performed on the service traffic data to obtain time slice data;
In step S303, the time slice data is classified and summarized according to the service type, so as to obtain service index data of each service type.
In the embodiment of the present disclosure, step S302 and step S303 are a specific implementation manner of step S201.
In this implementation, the traffic data is pre-processed into two-dimensional data by classification.
Firstly, time sequencing and slicing processing are carried out on service flow data to obtain time slice data. The "slicing processing" in the present disclosure refers to a processing procedure of dividing traffic data by time zones to summarize data in the same time zone. Here, the time corresponding to the service traffic data refers to the time when the data center acquires the service traffic data. The time zone is the minimum time unit of the data slice, and the time zone can be determined according to the period of abnormal monitoring on the data. For example, if the cycle of abnormality monitoring is 24 hours, the time zone may be set to 1 hour or 0.5 hour; if the cycle of abnormality monitoring is 1 week, the time zone may be set to 24 hours or 12 hours.
Secondly, the obtained time slice data is classified and summarized according to the service types to obtain service index data of each service type. The service types in the embodiment of the present disclosure are as described in the above embodiment, and include a user type, a transaction style type, and an operation rule type. The time slice data is further classified and summarized according to these service types. Specifically, the data center may determine the service type of each piece of data according to its data characteristics or the specific content it contains; after the service type of each piece of data in a time region is determined, the data may be classified according to the service type, and the data of the same service type in each time region may be summarized.
Through the implementation of the process, the service flow data can be refined into data with time slice attributes and service type attributes, the granularity of the service flow data is further refined, and anomaly monitoring can be performed more accurately. Specifically, after the service traffic data is subjected to classification preprocessing, the service traffic data can be refined into two-dimensional data, that is, the service traffic data can be projected into a two-dimensional coordinate system, in the two-dimensional coordinate system, a horizontal axis represents time, a vertical axis represents service types, scales of the horizontal axis represent time areas, and scales of the vertical axis represent different service types. And projecting the service flow data into the two-dimensional coordinate system according to the time region and the service type to form a discrete point set, or further processing the discrete points to obtain a curve representing the service flow data. The coordinate value of the horizontal axis of the formed discrete point or curve in the two-dimensional coordinate system represents time slice data, and the coordinate value of the vertical axis represents service index data.
In step S304, the service index data of each service type is input into a channel corresponding to each service type in the target classification detection model, where the channel includes a detection algorithm for the service index data of each service type;
In step S305, in the channel corresponding to each service type, the service index data is classified and detected according to the detection algorithm and the alarm threshold curve corresponding to each service type.
In the embodiment of the present disclosure, step S304 and step S305 are a specific implementation manner of step S203 in the foregoing embodiment, and the implementation manner of the specific implementation manner is based on that the alarm threshold curve in the target classification detection model includes alarm threshold curves corresponding to the service types. When the target classification detection model is trained, the historical data is also subjected to classification pretreatment to obtain service index data of each service type, and then an alarm threshold curve corresponding to each service type is formed.
In the embodiment of the present disclosure, classification detection is performed on service traffic data based on service types, as described in steps S302 to S303, the service traffic data is classified and preprocessed into service index data, where the service index data is a one-dimensional sequence of time slice data, and service index data of different service types are classified into sub-channels in a target classification detection model, and the sub-channels are respectively adapted with detection algorithms corresponding to the service types. The detection algorithm can be used for processing the service index data in the channel so as to change the service index data into data which is matched with the corresponding alarm threshold curve; or, the detection algorithm can be used for detecting whether abnormal data exist in the corresponding service index data or not by using the alarm threshold curve.
For example, where the service types of the present disclosure include three service types, the target classification detection model may include three channels and three alarm threshold curves, with the three service types, the three channels and the three alarm threshold curves in one-to-one correspondence. After the service index data of the user type is input into the target classification detection model, it is input into the channel corresponding to the user type, and abnormal data is detected using the detection algorithm in that channel and the alarm threshold curve corresponding to the user type.
In this way, the detection of abnormal data can be refined to the granularity of the service type, so that a user can know which specific service type has abnormal data and the time period corresponding to the abnormal data, which makes checking and maintenance easier for operation and maintenance personnel. In addition, different detection algorithms are designed for different detection types, so that the anomaly detection better meets the detection standard of the service type of the data, and the accuracy is further improved.
In step S306, when it is detected that abnormal data exists in the service index data according to the alarm threshold curve, alarm prompt information is output.
In the embodiment of the present disclosure, the specific implementation of step S306 may refer to the related description of step S204 in the above embodiment, and is not repeated herein.
Fig. 4 shows a flowchart of an anomaly detection method for traffic data according to an embodiment of the present disclosure. As shown in fig. 4, the method includes steps S401 to S408.
In step S401, service traffic data sent by a source object is acquired;
in the embodiment of the present disclosure, the specific implementation manner of step S401 may refer to the related description of step S201 in the above embodiment, and is not repeated herein.
In an embodiment of the present disclosure, steps S402 to S404 are a specific implementation manner of step S202, and the implementation manner is that the service traffic data includes attribute information of the source object, and the service index data includes time slice data and traffic index data. Namely, the service flow data is classified and preprocessed into three-dimensional data.
In step S402, time sorting and slicing are performed on the service traffic data to obtain time slice data;
in step S403, according to the attribute information, the time slice data is classified and summarized to obtain time slice data of each source object;
in step S404, the time slice data of each source object is classified and summarized according to the service type, so as to obtain service index data of each service type.
In an embodiment of the present disclosure, the attribute information of the present disclosure includes a unique identifier of the source object side or a unique attribute of the source object side. Each source object end comprises a source object end of the same type or a unique specified source object end.
In the embodiment of the present disclosure, step S402 to step S404 perform classification preprocessing on the service traffic data based on three dimensions, which are respectively from a time dimension, an attribute dimension of the source object side, and a service type dimension. Firstly, time slicing is carried out on service flow data to obtain time slice data; secondly, the time slice data is further classified and summarized to enable different time slice data to be classified to the corresponding source object ends, so that the time slice data of each source object end is obtained, namely the time slice data is sent by the corresponding source object end; and finally, classifying and summarizing the time slice data of each source object end according to the service types to obtain service index data of each service type.
Through the implementation of the process, the service flow data can be refined into data with time attributes, source object end attributes and service type attributes, and the granularity of the service flow data is further refined. Specifically, after the service traffic data is subjected to classification preprocessing, the service traffic data can be refined into three-dimensional data, that is, the service traffic data can be projected into a three-dimensional coordinate system, wherein the three-dimensional coordinate system respectively comprises an x axis, a y axis and a z axis which are perpendicular to each other. Wherein, the x axis represents time, the y axis represents source object ends with different attributes, and the z axis represents different service types. And projecting the service flow data into a three-dimensional coordinate system according to the time slice, the attribute of the source object end and the service type. And projecting the service flow data into a three-dimensional coordinate system to form a discrete point set, or further processing the discrete point set to obtain a three-dimensional curve representing the service flow data.
In step S405, the service index data of each service type is input into the target classification detection model, and the service type and attribute information corresponding to the service index data are analyzed by the target classification detection model;
in step S406, a corresponding alarm threshold curve is searched according to the service type and attribute information corresponding to the service index data;
in step S407, the service index data is classified and detected according to the alarm threshold curve.
In the embodiment of the present disclosure, steps S405 to S407 are a specific implementation of step S203 in the above embodiment. This implementation is based on the premise that the target classification detection model includes a plurality of alarm threshold curves, each corresponding to a service type and attribute information; the alarm threshold curves in this embodiment can be three-dimensional curves. Specifically, the service index data of the service type is input into the target classification detection model, and the model may first analyze the service type and the attribute information corresponding to the service index data, for example by checking a coordinate value included in the service index data and determining the service type and the attribute information from that coordinate value. The alarm threshold curve corresponding to the service type and attribute information can be obtained by training on historical service flow data; it can be a set of two-dimensional curves or a single three-dimensional curve, the three-dimensional curve being used to judge the abnormal state of the data comprehensively.
In the embodiment of the disclosure, when the service index data is classified and detected according to the alarm threshold curve, the degree of difference between the alarm threshold curve and the service index data in the same three-dimensional coordinate system can be compared; if the degree of difference exceeds the error value, the data is judged to be abnormal.
In this way, the granularity of abnormal data detection is further refined, and after abnormal data is found, the time region of the abnormal data, the source object end to which it belongs and the corresponding service type can be reported to the operation and maintenance personnel, so that they can quickly locate the cause of the abnormal data and carry out maintenance.
In step S408, when it is detected that abnormal data exists in the service index data according to the alarm threshold curve, alarm prompt information is output.
In the embodiment of the present disclosure, the specific implementation of step S408 can refer to the related description of step S204 in the above embodiment, and is not repeated herein.
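The flow of steps S402 to S408, as an added Python example that is not part of the patent text: records are time-sliced and summed per source object end and service type, one alarm threshold curve per (service type, source object end) is learned from history, and every slice in the detection window is compared with its curve. The band rule (per-slot mean plus or minus k standard deviations), the one-hour slice width, all function names and the sample records are assumptions constructed for illustration; the page does not specify how the curve is trained.

```python
from collections import defaultdict
from statistics import mean, pstdev

SLICE = 3600   # assumed time-slice width in seconds (the page fixes no width)
DAY = 86400


def slice_and_group(records):
    """S402-S404: time-sort, slice, then sum the traffic index per
    (service_type, source, slice_start). Records: (ts, source, type, value)."""
    totals = defaultdict(float)
    for ts, source, stype, value in sorted(records):
        totals[(stype, source, ts - ts % SLICE)] += value
    return dict(totals)


def learn_curves(history, k=3.0, floor=1.0):
    """One alarm threshold curve per (service_type, source): for every slot of
    the day a (low, high) band of mean -/+ max(k * stddev, floor). This rule is
    an assumed stand-in for the training the page leaves unspecified."""
    samples = defaultdict(lambda: defaultdict(list))
    for (stype, source, start), total in slice_and_group(history).items():
        samples[(stype, source)][start % DAY // SLICE].append(total)
    curves = {}
    for key, by_slot in samples.items():
        curves[key] = {}
        for slot, vals in by_slot.items():
            centre, margin = mean(vals), max(k * pstdev(vals), floor)
            curves[key][slot] = (max(centre - margin, 0.0), centre + margin)
    return curves


def detect(records, curves, window_start, window_end):
    """S405-S408: look up the curve by (service_type, source) and compare each
    slice of the window with it. A slice with no records counts as 0, so a
    source that goes silent is flagged instead of being skipped."""
    totals = slice_and_group(records)
    alerts = []
    # Traffic from a pair never seen in history has no curve to compare with.
    seen = {(stype, source) for stype, source, _ in totals}
    for stype, source in sorted(seen - set(curves)):
        alerts.append({"service_type": stype, "source": source,
                       "slice_start": None, "reason": "no_baseline"})
    for (stype, source), curve in sorted(curves.items()):
        for start in range(window_start, window_end, SLICE):
            band = curve.get(start % DAY // SLICE)
            if band is None:
                continue
            low, high = band
            observed = totals.get((stype, source, start), 0.0)
            if observed < low or observed > high:
                alerts.append({"service_type": stype, "source": source,
                               "slice_start": start, "slice_end": start + SLICE,
                               "observed": observed, "low": low, "high": high,
                               "reason": "above" if observed > high else "below"})
    return alerts


def constructed_history(days=7):
    """Constructed sample: one record per hour, source and service type."""
    base = {"user": 100.0, "transaction": 40.0, "rule": 10.0}
    recs = []
    for day in range(days):
        for hour in range(24):
            busy = 2.0 if 9 <= hour < 18 else 1.0
            for source in ("branch-a", "branch-b"):
                for stype, level in base.items():
                    recs.append((day * DAY + hour * SLICE + 120, source, stype,
                                 level * busy + day % 3))
    return recs


def constructed_today(day=7):
    """Constructed detection day with three injected problems."""
    recs = [r for r in constructed_history(day + 1) if r[0] >= day * DAY]
    # 1. branch-b sends no user-type traffic during hour 14 (outage).
    recs = [r for r in recs if not (r[1] == "branch-b" and r[2] == "user"
                                    and r[0] // SLICE % 24 == 14)]
    # 2. branch-a transaction volume spikes during hour 10.
    recs.append((day * DAY + 10 * SLICE + 900, "branch-a", "transaction", 300.0))
    # 3. A source object end that never appeared in the history.
    recs.append((day * DAY + 3 * SLICE, "branch-c", "user", 5.0))
    return recs


def run_demo():
    curves = learn_curves(constructed_history(7))
    return detect(constructed_today(7), curves, 7 * DAY, 8 * DAY)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each alert carries the time region, the source object end and the service type, which is the localisation the embodiment promises to operation and maintenance personnel.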
Fig. 5 shows a flowchart of an anomaly detection method for traffic data according to an embodiment of the present disclosure. As shown in fig. 5, the method includes steps S501 to S508.
In step S501, service traffic data sent by a source object is acquired; the service flow data comprises attribute information of the source object end, and the service index data comprises time slice data and flow index data.
In step S502, time sorting and slicing are performed on the service traffic data to obtain time slice data;
in step S503, according to the attribute information, the time slice data is classified and summarized to obtain time slice data of each source object;
in step S504, according to the service type, the time slice data of each source object end is classified and summarized to obtain service index data of each service type.
In the embodiment of the present disclosure, the specific implementation of step S501 may refer to the related description of step S201 in the above embodiment, and the specific implementation of steps S502 to S504 may refer to the related description of step S402 to step S404 in the above embodiment, which is not described herein again.
In step S505, the service index data of each service type is respectively input to the at least two basic detection models;
in step S506, detecting, by one of the at least two basic detection models, whether an abnormal source object end exists among the source object ends;
in step S507, the service index data is classified and detected by another one of the at least two basic detection models according to the alarm threshold curve in the target classification detection model.
In the embodiment of the present disclosure, steps S505 to S507 are another implementation manner of step S203 in the above embodiment, and in this implementation manner, the traffic data is classified and preprocessed into three-dimensional data according to steps S502 to S504.
The target classification detection model may include at least two basic detection models for realizing different detection directions of the abnormal data. In one implementation, a first basic detection model of the at least two basic detection models may be used to detect whether there is an abnormality at the source object, such as aging, performance degradation of data processing capability, and the like. A second of the at least two base detection models may be used to detect anomalous data.
Specifically, for the implementation of the second basic detection model, reference may be made to the implementation of steps S505 to S507 in the above embodiment. The refined service index data can be input into the first basic detection model, which can extract the attribute features in the service index data, that is, identify the source object end to which the service index data belongs, and determine whether that source object end is abnormal according to an alarm threshold curve or other indexes, for example because data related to a certain source object end differs from historical data. Alternatively, the time slice data of each source object end is input into the first basic detection model, which determines whether the source object end is abnormal. Of course, other data of different levels may be input into the basic detection model for classification detection, which is not limited herein.
In step S508, when it is detected that there is abnormal data in the service index data according to the alarm threshold curve, an alarm prompt message is output.
In the embodiment of the present disclosure, the specific implementation of step S408 can refer to the related description of step S204 in the above embodiment, and is not repeated herein.
Fig. 6 shows a block diagram of an abnormality detection apparatus for traffic data according to an embodiment of the present disclosure. The apparatus may be implemented as part or all of an electronic device through software, hardware, or a combination of both.
As shown in fig. 6, the apparatus 600 for detecting an anomaly of service traffic data includes an obtaining module 610, a processing module 620, an input module 630, and an output module 640.
The processing module is used for carrying out classification pretreatment on the service flow data to obtain service index data of each service type, wherein the service types comprise user types, transaction style types and operation rule types;
the input module is used for inputting the service index data of each service type into a target classification detection model and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model, wherein the alarm threshold curve is obtained by historical service flow data through the target classification detection model;
and the output module is used for outputting alarm prompt information when abnormal data exists in the service index data according to the alarm threshold curve.
According to an embodiment of the present disclosure, the processing module is specifically configured to:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
and classifying and summarizing the time slice data according to the service types to obtain service index data of each service type.
According to an embodiment of the present disclosure, the alarm threshold curves include alarm threshold curves corresponding to the service types, and the input module is specifically configured to:
inputting the service index data of each service type into a channel corresponding to each service type in the target classification detection model, wherein the channel comprises a detection algorithm for the service index data of each service type;
and in the channel corresponding to each service type, carrying out classification detection on the service index data according to the detection algorithm and the alarm threshold curve corresponding to each service type.
According to an embodiment of the present disclosure, the service flow data includes attribute information of the source object, the service index data includes time slice data and flow index data, and the processing module is specifically configured to:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
classifying and summarizing the time slice data according to the attribute information to obtain the time slice data of each source object end;
and classifying and summarizing the time slice data of each source object terminal according to the service types to obtain service index data of each service type.
According to an embodiment of the present disclosure, the input module is specifically configured to:
inputting the service index data of each service type into the target classification detection model, and analyzing the service type and attribute information corresponding to the service index data by the target classification detection model;
searching a corresponding alarm threshold value curve according to the service type and the attribute information corresponding to the service index data;
and carrying out classification detection on the service index data according to the alarm threshold curve.
According to an embodiment of the present disclosure, the target classification detection model includes at least two basic detection models, and the input module is specifically configured to:
respectively inputting the service index data of each service type into the at least two basic detection models;
detecting, by one of the at least two basic detection models, whether an abnormal source object end exists among the source object ends;
and carrying out classification detection on the service index data by the other of the at least two basic detection models according to the alarm threshold curve in the target classification detection model.
Through this implementation, the service flow data is classified according to the service types and refined into the service index data of each service type, the service index data of each service type is input into the target classification detection model, classification detection by the target classification detection model based on the service index data of each service type can be realized, and alarm prompt information is output when an abnormality is found. In this way, the service type of the data is taken into account, the granularity of data detection is refined, and the detection precision is improved.
The present disclosure also discloses an electronic device, and fig. 7 shows a block diagram of the electronic device according to an embodiment of the present disclosure.
As shown in fig. 7, the electronic device includes a memory and a processor, where the memory is to store one or more computer instructions, where the one or more computer instructions are executed by the processor to implement a method according to an embodiment of the disclosure.
The method of the embodiment of the present disclosure includes:
acquiring service flow data sent by a source object end;
classifying and preprocessing the service flow data to obtain service index data of each service type, wherein the service types comprise user types, transaction style types and operation rule types;
inputting the service index data of each service type into a target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model, wherein the alarm threshold curve is obtained by historical service flow data through the target classification detection model;
and outputting alarm prompt information when abnormal data exist in the service index data according to the alarm threshold curve.
According to an embodiment of the present disclosure, the classifying and preprocessing the service traffic data to obtain service index data of each service type includes:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
and classifying and summarizing the time slice data according to the service types to obtain service index data of each service type.
According to an embodiment of the present disclosure, the alarm threshold curve includes an alarm threshold curve corresponding to each service type, and the inputting the service index data of each service type into a target classification detection model and performing classification detection on the service index data according to the alarm threshold curve in the target classification detection model includes:
inputting the service index data of each service type into a channel corresponding to each service type in the target classification detection model, wherein the channel comprises a detection algorithm for the service index data of each service type;
and in the channel corresponding to each service type, classifying and detecting the service index data according to the detection algorithm and the alarm threshold curve corresponding to each service type.
According to an embodiment of the present disclosure, the service traffic data includes attribute information of the source object, the service index data includes time slice data and traffic index data, and the classifying and preprocessing the service traffic data to obtain service index data of each service type includes:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
classifying and summarizing the time slice data according to the attribute information to obtain the time slice data of each source object end;
and classifying and summarizing the time slice data of each source object terminal according to the service types to obtain service index data of each service type.
According to an embodiment of the present disclosure, the inputting the service index data of each service type into a target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model includes:
inputting the service index data of each service type into the target classification detection model, and analyzing the service type and attribute information corresponding to the service index data by the target classification detection model;
searching a corresponding alarm threshold value curve according to the service type and the attribute information corresponding to the service index data;
and carrying out classification detection on the service index data according to the alarm threshold curve.
According to an embodiment of the present disclosure, the target classification detection model includes at least two basic detection models, the step of inputting the service index data of each service type into the target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model includes:
respectively inputting the service index data of each service type into the at least two basic detection models;
detecting, by one of the at least two basic detection models, whether an abnormal source object end exists among the source object ends;
and carrying out classification detection on the service index data by the other of the at least two basic detection models according to the alarm threshold curve in the target classification detection model.
Through this implementation, the service flow data is classified according to the service types and refined into the service index data of each service type, the service index data of each service type is input into the target classification detection model, classification detection by the target classification detection model based on the service index data of each service type can be realized, and alarm prompt information is output when an abnormality is found. In this way, the service type of the data is taken into account, the granularity of data detection is refined, and the detection precision is improved.
FIG. 8 shows a schematic block diagram of a computer system suitable for use in implementing a method according to an embodiment of the present disclosure.
As shown in fig. 8, the computer system includes a processing unit that can execute the various methods in the above-described embodiments according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage section into a Random Access Memory (RAM). In the RAM, various programs and data necessary for the operation of the computer system are also stored. The processing unit, the ROM, and the RAM are connected to each other by a bus. An input/output (I/O) interface is also connected to the bus.
The following components are connected to the I/O interface: an input section including a keyboard, a mouse, and the like; an output section including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section including a hard disk and the like; and a communication section including a network interface card such as a LAN card, a modem, or the like. The communication section performs a communication process via a network such as the internet. The drive is also connected to the I/O interface as needed. A removable medium such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive as necessary, so that a computer program read out therefrom is mounted into the storage section as necessary. The processing unit can be realized as a CPU, a GPU, a TPU, an FPGA, an NPU and other processing units.
In particular, the methods described above may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the above-described method. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section, and/or installed from a removable medium.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules described in the embodiments of the present disclosure may be implemented by software or by programmable hardware. The units or modules described may also be provided in a processor, and the names of the units or modules do not in some cases constitute a limitation of the units or modules themselves.
As another aspect, the present disclosure also provides a computer-readable storage medium, which may be the computer-readable storage medium included in the electronic device or the computer system in the above embodiments; or it may be a separate computer readable storage medium not incorporated into the device. The computer readable storage medium stores one or more programs for use by one or more processors in performing the methods described in the present disclosure.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is possible without departing from the inventive concept. For example, a technical solution may be formed by replacing the above features with (but not limited to) features having similar functions disclosed in this disclosure.

Claims (10)

1. A method for detecting the abnormity of service flow data is characterized by comprising the following steps:
acquiring service flow data sent by a source object end;
classifying and preprocessing the service flow data to obtain service index data of each service type, wherein the service types comprise user types, transaction style types and operation rule types;
inputting the service index data of each service type into a target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model, wherein the alarm threshold curve is obtained by historical service flow data through the target classification detection model;
and outputting alarm prompt information when abnormal data exist in the service index data according to the alarm threshold curve.
2. The method according to claim 1, wherein the classifying and preprocessing the service traffic data to obtain service index data of each service type includes:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
and classifying and summarizing the time slice data according to the service types to obtain service index data of each service type.
3. The method according to claim 2, wherein the alarm threshold curve includes an alarm threshold curve corresponding to each service type, and the inputting the service index data of each service type into a target classification detection model and performing classification detection on the service index data according to the alarm threshold curve in the target classification detection model includes:
inputting the service index data of each service type into a channel corresponding to each service type in the target classification detection model, wherein the channel comprises a detection algorithm for the service index data of each service type;
and in the channel corresponding to each service type, carrying out classification detection on the service index data according to the detection algorithm and the alarm threshold curve corresponding to each service type.
4. The method according to claim 1, wherein the service traffic data includes attribute information of the source object, the service index data includes time slice data and traffic index data, and the classifying and preprocessing the service traffic data to obtain service index data of each service type includes:
time sequencing and slicing processing are carried out on the service flow data to obtain time slice data;
classifying and summarizing the time slice data according to the attribute information to obtain the time slice data of each source object end;
and classifying and summarizing the time slice data of each source object terminal according to the service types to obtain service index data of each service type.
5. The method according to claim 4, wherein the inputting the service index data of each service type into a target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model comprises:
inputting the service index data of each service type into the target classification detection model, and analyzing the service type and attribute information corresponding to the service index data by the target classification detection model;
searching a corresponding alarm threshold value curve according to the service type and the attribute information corresponding to the service index data;
and carrying out classification detection on the service index data according to the alarm threshold curve.
6. The method according to claim 4, wherein the target classification detection model includes at least two basic detection models, the inputting the service index data of each service type into the target classification detection model, and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model includes:
respectively inputting the service index data of each service type into the at least two basic detection models;
detecting, by one of the at least two basic detection models, whether any of the source object ends is an abnormal source object end;
and carrying out classification detection on the service index data by the other of the at least two basic detection models according to the alarm threshold curve in the target classification detection model.
7. An abnormality detection device for service flow data, comprising:
the acquisition module is used for acquiring the service flow data sent by the source object end;
the processing module is used for carrying out classification preprocessing on the service flow data to obtain service index data of each service type, wherein the service types comprise user types, transaction style types and operation rule types;
the input module is used for inputting the service index data of each service type into a target classification detection model and performing classification detection on the service index data according to an alarm threshold curve in the target classification detection model, wherein the alarm threshold curve is obtained by historical service flow data through the target classification detection model;
and the output module is used for outputting alarm prompt information when abnormal data exists in the service index data according to the alarm threshold curve.
8. An electronic device comprising a memory and a processor; wherein the memory is to store one or more computer instructions, wherein the one or more computer instructions are to be executed by the processor to implement the method steps of any of claims 1-6.
9. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the method steps of any one of claims 1 to 6.
10. A computer program product comprising computer instructions which, when executed by a processor, carry out the method steps of any of claims 1 to 6.
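The steps of claims 4 and 5 (time slicing, grouping by source object end and service type, looking up the alarm threshold curve, comparing), as an added example that is not part of the patent text. The curve formula (per hour-of-day mean plus k standard deviations), the one-hour slice width, the "no-baseline" alert and all names and sample values are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

SLICE = 3600          # assumed slice width: one hour
SLOTS_PER_DAY = 24

def slice_and_group(records):
    """Claim 4: time-sort, slice, then sum per (source end, service type, slice)."""
    index = defaultdict(float)
    for ts, source, stype, value in sorted(records):
        index[(source, stype, ts // SLICE)] += value
    return dict(index)

def build_curves(history, k=3.0):
    """Assumed curve (not from the patent): per hour-of-day mean + k * std."""
    samples = defaultdict(list)
    for (source, stype, slot), value in slice_and_group(history).items():
        samples[(stype, source, slot % SLOTS_PER_DAY)].append(value)
    curves = defaultdict(dict)
    for (stype, source, hour), values in samples.items():
        curves[(stype, source)][hour] = mean(values) + k * pstdev(values)
    return dict(curves)

def detect(records, curves):
    """Claim 5: find the curve by service type + attribute, then compare."""
    alerts = []
    for (source, stype, slot), value in sorted(slice_and_group(records).items()):
        curve = curves.get((stype, source))
        if curve is None:                      # unseen source end / service type
            alerts.append((source, stype, slot, value, "no-baseline"))
        # hours with no historical sample have no limit and are not flagged
        elif value > curve.get(slot % SLOTS_PER_DAY, float("inf")):
            alerts.append((source, stype, slot, value, "above-threshold"))
    return alerts

DAY = 86400
# Constructed sample data: (unix_ts, source_end, service_type, value)
HISTORY = [(d * DAY + 9 * SLICE + 10, "branch-A", "transaction", v)
           for d, v in enumerate([100, 110, 90])]
HISTORY += [(d * DAY + 14 * SLICE + 5, "branch-A", "transaction", v)
            for d, v in enumerate([50, 55, 45])]
TODAY = [(3 * DAY + 9 * SLICE + 900, "branch-A", "transaction", 70),
         (3 * DAY + 9 * SLICE + 30, "branch-A", "transaction", 60),
         (3 * DAY + 14 * SLICE + 7, "branch-A", "transaction", 58),
         (3 * DAY + 10 * SLICE + 1, "branch-B", "user", 5)]

if __name__ == "__main__":
    for alert in detect(TODAY, build_curves(HISTORY)):
        print(alert)
```

Keeping one curve per (service type, source object end) pair is what lets the same raw volume be normal for one channel and anomalous for another; a source end with no history is surfaced rather than silently passed.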
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211624050.8A CN115935237A (en) 2022-12-16 2022-12-16 Method and device for detecting abnormity of service flow data and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211624050.8A CN115935237A (en) 2022-12-16 2022-12-16 Method and device for detecting abnormity of service flow data and electronic equipment

Publications (1)

Publication Number Publication Date
CN115935237A true CN115935237A (en) 2023-04-07

Family

ID=86697506

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211624050.8A Pending CN115935237A (en) 2022-12-16 2022-12-16 Method and device for detecting abnormity of service flow data and electronic equipment

Country Status (1)

Country Link
CN (1) CN115935237A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117596133A (en) * 2024-01-18 2024-02-23 山东中测信息技术有限公司 Service portrayal and anomaly monitoring system and monitoring method based on multidimensional data
CN117596133B (en) * 2024-01-18 2024-04-05 山东中测信息技术有限公司 Service portrayal and anomaly monitoring system and monitoring method based on multidimensional data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination