CN116723138B - Abnormal flow monitoring method and system based on flow probe dyeing - Google Patents


Info

Publication number
CN116723138B
Authority
CN
China
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311003068.0A
Other languages
Chinese (zh)
Other versions
CN116723138A (en)
Inventor
陈宇廷
吴岐诗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangyin Consumer Finance Co ltd
Original Assignee
Hangyin Consumer Finance Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Measuring And Recording Apparatus For Diagnosis (AREA)

Abstract

The invention provides an abnormal flow monitoring method and system based on flow probe dyeing, in the technical field of flow management. The method acquires a user's access flow over a preset time through a flow probe; determines an information entropy time sequence characteristic value from the distribution of the information entropy of the access flow at different moments; obtains the IMF components of the access flow through the EEMD algorithm; determines a time sequence characteristic value from the spatial characteristics of the access flow and the information entropy time sequence characteristic value; analyses the data packets of the access flow to obtain the operation types they correspond to; determines an operation characteristic value from the operation times, operation frequencies and kinds of the different operation types; and decides, from the amplitude characteristic value and the time sequence characteristic value, whether dyeing processing is needed for the user, so that the accuracy and comprehensiveness of flow monitoring are further improved.

Description

Abnormal flow monitoring method and system based on flow probe dyeing
Technical Field
The invention belongs to the technical field of flow management, and particularly relates to an abnormal flow monitoring method and system based on flow probe dyeing.
Background
A flow probe is a common network flow (traffic) processing tool for collecting, analysing and extracting specific network flows. To treat different kinds of flow differently, the kinds are distinguished by dyeing (marking) them, and each kind is then handled according to the result of that distinction.
In the prior art, once a credit application system has gone on-line, real-time traffic from different sources needs to be monitored to ensure that the system operates reliably. To detect abnormal traffic with traffic probes, invention patent application CN202011640745, "traffic abnormality detection method, device, storage medium and processor", obtains the traffic data of a user's network through a traffic acquisition probe, determines a first predicted value and a second predicted value from the traffic history, and analyses the two predicted values together with a Poisson distribution detection method to decide whether the traffic observation at the current moment is abnormal. This approach has the following technical problems:
1. It does not identify and dye abnormal flow in combination with the operation types behind the user's flow. Specifically, when a user's network flow per unit time does not exceed the flow limit but the operations behind that flow are all of the same kind, for example repeated log-in attempts or repeated clicks into the same interface, the risk of abnormal flow is clearly greater than for other network flow; if the user's flow types are not considered, abnormal flow cannot be accurately monitored and dyed.
2. It does not identify and dye abnormal traffic in combination with the time sequence characteristics of the user's access traffic. In particular, when a user applies for credit, the time sequence characteristics of the traffic generated by the user's own operations differ greatly from those of abnormal machine access, so if the time sequence characteristics are not considered, abnormal traffic cannot be accurately monitored and dyed.
To address these technical problems, the invention provides an abnormal flow monitoring method and system based on flow probe dyeing.
Disclosure of Invention
To achieve the purpose of the invention, the following technical scheme is adopted.
According to one aspect of the present invention, a method for monitoring abnormal flow based on flow probe dyeing is provided.
The abnormal flow monitoring method based on flow probe dyeing is characterised by comprising the following steps:
S11, determine whether the user is a dyed user from the user's access terminal or access IP; if so, determine that the user's access flow is abnormal, and if not, enter step S12;
S12, acquire the user's access flow over a preset time through a flow probe, determine the size and variance of the data packets from the access flow, determine an amplitude characteristic quantity in combination with the access flow, and determine from the amplitude characteristic quantity whether an abnormality exists; if so, enter step S13, and if not, determine that no dyeing treatment is needed for the user;
S13, determine an information entropy time sequence characteristic value from the distribution of the information entropy of the access flow at different moments, acquire the IMF components of the access flow through the EEMD algorithm, determine a time sequence characteristic value from the spatial characteristics of the access flow and the information entropy time sequence characteristic value, and determine from the time sequence characteristic value whether an abnormality exists; if so, enter step S14, and if not, determine that no dyeing treatment is needed for the user;
S14, analyse the data packets to obtain the operation types corresponding to the access flow, determine an operation characteristic quantity from the operation times, operation frequencies and kinds of the different operation types, and determine from the amplitude characteristic quantity and the time sequence characteristic quantity whether dyeing treatment is needed for the user.
Acquiring the user's access flow over a preset time through a flow probe, determining the size and variance of the data packets from the access flow, and determining the amplitude characteristic quantity in combination with the access flow lets an abnormality be judged from the amplitude variation of the access flow, and keeps the judgement efficient while keeping it reliable.
Determining the information entropy time sequence characteristic value from the distribution of the information entropy of the access flow at different moments, obtaining the IMF components of the access flow with the EEMD algorithm, and determining the time sequence characteristic value from the spatial characteristics of the access flow and the information entropy time sequence characteristic value lets access abnormality be judged from the time sequence characteristics of the access flow over a period of time; the fluctuation of the information entropy at different moments is considered, and the spatial characteristics and the IMF components are considered as well, which further broadens the comprehensiveness and reliability of the analysis and determination.
Obtaining the operation types corresponding to the access flow by analysing the data packets, determining the operation characteristic quantity from the operation times, operation frequencies and kinds of the different operation types, and determining whether the user needs dyeing in combination with the amplitude characteristic quantity and the time sequence characteristic quantity means that not only a single flow characteristic quantity but also the operation types behind the access flow are fully considered, which further ensures the accuracy of the dyeing decision.
Further, determining whether the user is a dyed user from the user's access terminal or access IP specifically includes:
acquiring the unique identifier of the user's access terminal and determining from it whether the user is a dyed user; if so, the user is a dyed user, and if not, the next step is entered;
acquiring the user's access IP and determining from it whether the user is a dyed user.
Further, the preset time is determined at least from the number of ports and the concurrency of the servers of the credit application system: the greater the number of ports and the greater the concurrency of the servers, the longer the preset time.
Further, determining whether an abnormality exists from the amplitude characteristic quantity specifically includes:
when the amplitude characteristic quantity is larger than a set value, determining that the user's access flow is abnormal.
Further, determining whether an abnormality exists from the user's access flow over the preset time specifically includes:
acquiring the access flow of different users over the preset time and determining the average access flow;
correcting the average access flow through the preset time to obtain a corrected average, the corrected average being smaller than the average;
judging whether the user's access flow over the preset time is smaller than the corrected average; if so, the user's access flow over the preset time is not abnormal, and if not, it is abnormal.
Further, the time sequence characteristic quantity ranges between 0 and 1, and the larger it is, the higher the probability that the user's access flow is abnormal.
Further, determining from the amplitude characteristic quantity and the time sequence characteristic quantity whether the user needs dyeing specifically comprises the following steps:
determining from the operation characteristic quantity whether an abnormality exists; if so, the user needs dyeing, and if not, the next step is entered;
determining a comprehensive characteristic quantity of the user's access flow from the amplitude characteristic quantity, the time sequence characteristic quantity and the operation characteristic quantity, and determining from the comprehensive characteristic quantity whether an abnormality exists; when it does, the user needs dyeing; when it does not, the user is temporarily not dyed, and the monitoring frequency of the user's access flow is set according to the comprehensive characteristic quantity.
In a second aspect, the present invention provides a computer system comprising a communicatively coupled memory and processor and a computer program stored on the memory and capable of running on the processor, characterised in that the processor executes the above abnormal flow monitoring method based on flow probe dyeing when running the computer program.
In a third aspect, the present invention provides a computer storage medium on which a computer program is stored which, when executed in a computer, causes the computer to perform the abnormal flow monitoring method based on flow probe dyeing described above.
Additional features and advantages will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
In order to make the above objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
The above and other features and advantages of the present invention will become more apparent from the detailed description of exemplary embodiments with reference to the attached drawings:
FIG. 1 is a flow chart of the abnormal flow monitoring method based on flow probe dyeing;
FIG. 2 is a flow chart of the method of amplitude characteristic quantity determination;
FIG. 3 is a flow chart of the method of time sequence characteristic quantity determination;
FIG. 4 is a flow chart of the specific method of operation characteristic quantity determination;
FIG. 5 is a frame diagram of the computer storage medium.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present disclosure.
To solve the above problems, according to one aspect of the present invention, as shown in FIG. 1, an abnormal flow monitoring method based on flow probe dyeing is provided, characterised by comprising:
S11, determine whether the user is a dyed user from the user's access terminal or access IP; if so, determine that the user's access flow is abnormal, and if not, enter step S12.
It should be noted that determining whether the user is a dyed user from the user's access terminal or access IP specifically includes:
acquiring the unique identifier of the user's access terminal and determining from it whether the user is a dyed user; if so, the user is a dyed user, and if not, the next step is entered;
acquiring the user's access IP and determining from it whether the user is a dyed user.
S12, acquire the user's access flow over a preset time through a flow probe, determine the size and variance of the data packets from the access flow, determine an amplitude characteristic quantity in combination with the access flow, and determine from the amplitude characteristic quantity whether an abnormality exists; if so, enter step S13, and if not, determine that no dyeing treatment is needed for the user.
It can be understood that the preset time is determined at least from the number of ports and the concurrency of the servers of the credit application system: the greater the number of ports and the concurrency of the servers, the longer the preset time.
Specifically, the preset time is determined from the product of the number of server ports and the concurrency: a preset base time of the system is built from that product, and the preset time is the product of the preset base time and a preset correction quantity.
As shown in FIG. 2, the method of determining the amplitude characteristic quantity specifically includes:
S21, acquire the user's access flow over the preset time through the flow probe and determine from it whether an abnormality exists; if so, enter step S22, and if not, determine that no abnormality exists and that no dyeing treatment is needed for the user;
S22, from the user's access flow over the preset time, determine the maximum, minimum and variance of the user's access flow per unit time within the preset time, and construct a flow characteristic value from them;
S23, from the user's access flow over the preset time, determine the data packets corresponding to the access flow, divide them into large, medium and general data packets by data volume, and determine a data packet characteristic value from the numbers of large, medium and general data packets combined with the variance of the data volume of the packets;
S24, construct the amplitude characteristic quantity by combining the flow characteristic value and the data packet characteristic value with the number of the user's data packets and the user's access flow.
Specifically, determining whether an abnormality exists from the amplitude characteristic quantity specifically includes:
when the amplitude characteristic quantity is larger than a set value, determining that the user's access flow is abnormal.
Specifically, determining whether an abnormality exists from the user's access flow over the preset time specifically includes:
acquiring the access flow of different users over the preset time and determining the average access flow;
correcting the average access flow through the preset time to obtain a corrected average, the corrected average being smaller than the average;
judging whether the user's access flow over the preset time is smaller than the corrected average; if so, the user's access flow over the preset time is not abnormal, and if not, it is abnormal.
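The amplitude stage S21-S24 together with the corrected-average check above, as an added worked example (not code from the patent): the patent names the quantities but gives no formulas or thresholds, so the correction factor, the flow and packet feature formulas, the packet size classes and the set value used here are all assumptions, chosen so that a steady stream scores 0 and a bursty one scores high.

```python
from statistics import mean, pvariance

# Assumed parameters: the patent names a "set value", a "preset time" and
# large / medium / general packet classes but gives no figures for them.
LARGE_PACKET_BYTES = 1200
MEDIUM_PACKET_BYTES = 300
AMPLITUDE_SET_VALUE = 1.5
PRESET_TIME_S = 60


def correction_factor(preset_time_s: float) -> float:
    """Assumed rule for "correcting the average through the preset time":
    a longer window shrinks the average more, but never below half of it,
    so the corrected average is always smaller than the raw average."""
    return max(0.5, 1.0 - preset_time_s / 600.0)


def traffic_exceeds_corrected_average(user_total: float,
                                      all_user_totals: list[float],
                                      preset_time_s: float) -> bool:
    """S21: a user is only examined further if their access flow in the
    window is NOT smaller than the corrected average over all users."""
    corrected = mean(all_user_totals) * correction_factor(preset_time_s)
    return not user_total < corrected


def flow_feature_value(per_unit_bytes: list[float]) -> float:
    """S22: one value from the max, min and variance of flow per unit time.
    Assumed formula: normalised spread plus variance over mean squared,
    so a perfectly steady stream scores 0."""
    mx, mn, mu = max(per_unit_bytes), min(per_unit_bytes), mean(per_unit_bytes)
    if mu == 0:
        return 0.0
    return (mx - mn) / (mx + mn) + pvariance(per_unit_bytes) / (mu * mu)


def classify_packets(packet_sizes: list[int]) -> tuple[int, int, int]:
    """S23: split packets into (large, medium, general) by data volume."""
    large = sum(s >= LARGE_PACKET_BYTES for s in packet_sizes)
    medium = sum(MEDIUM_PACKET_BYTES <= s < LARGE_PACKET_BYTES for s in packet_sizes)
    return large, medium, len(packet_sizes) - large - medium


def packet_feature_value(packet_sizes: list[int]) -> float:
    """S23: combine the three counts with the variance of packet volume.
    Assumed formula: large packets weigh twice as much as medium ones."""
    if not packet_sizes:
        return 0.0
    large, medium, _ = classify_packets(packet_sizes)
    mu = mean(packet_sizes)
    return (2 * large + medium) / len(packet_sizes) + pvariance(packet_sizes) / (mu * mu)


def amplitude_feature(per_unit_bytes: list[float], packet_sizes: list[int]) -> float:
    """S24: combine the flow and packet feature values with the packet count
    and the access flow. Assumed: scale by packets per unit time."""
    packets_per_unit = len(packet_sizes) / len(per_unit_bytes)
    return flow_feature_value(per_unit_bytes) * packet_feature_value(packet_sizes) * packets_per_unit


def amplitude_stage(per_unit_bytes: list[float], packet_sizes: list[int],
                    all_user_totals: list[float],
                    preset_time_s: float = PRESET_TIME_S) -> dict:
    """Whole S12 decision: "no_dyeing" stops here, "check_timing" hands the
    user on to S13 (time sequence analysis)."""
    total = sum(per_unit_bytes)
    if not traffic_exceeds_corrected_average(total, all_user_totals, preset_time_s):
        return {"verdict": "no_dyeing", "reason": "below corrected average", "amplitude": 0.0}
    amp = amplitude_feature(per_unit_bytes, packet_sizes)
    if amp > AMPLITUDE_SET_VALUE:
        return {"verdict": "check_timing", "reason": "amplitude above set value", "amplitude": amp}
    return {"verdict": "no_dyeing", "reason": "amplitude within set value", "amplitude": amp}


# Constructed sample data: bytes per second and packet sizes for two users in
# a 4-second window, plus the window totals of every user the probe saw.
ALL_USER_TOTALS = [1000, 1300, 800, 900, 2000]
BURSTY_USER_BYTES = [250, 750, 250, 750]          # total 2000
BURSTY_USER_PACKETS = [1300, 400, 100, 100, 100]  # total 2000
QUIET_USER_BYTES = [225, 225, 225, 225]           # total 900
QUIET_USER_PACKETS = [225, 225, 225, 225]

if __name__ == "__main__":
    print(amplitude_stage(BURSTY_USER_BYTES, BURSTY_USER_PACKETS, ALL_USER_TOTALS))
    print(amplitude_stage(QUIET_USER_BYTES, QUIET_USER_PACKETS, ALL_USER_TOTALS))
```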
In this embodiment, the user's access flow over the preset time is acquired through the flow probe, the size and variance of the data packets are determined from the access flow, and the amplitude characteristic quantity is determined in combination with the access flow, so that an abnormality is judged from the amplitude variation of the access flow, and the judgement stays efficient while its reliability is ensured.
S13, determine an information entropy time sequence characteristic value from the distribution of the information entropy of the access flow at different moments, acquire the IMF components of the access flow through the EEMD algorithm, determine a time sequence characteristic value from the spatial characteristics of the access flow and the information entropy time sequence characteristic value, and determine from the time sequence characteristic value whether an abnormality exists; if so, enter step S14, and if not, determine that no dyeing treatment is needed for the user.
As shown in FIG. 3, the method of determining the time sequence characteristic quantity specifically includes:
S31, from the distribution of the information entropy of the access flow at different moments, determine the discrete coefficient and the autocorrelation coefficient of the information entropy, and the maximum and average interval time between moments at which the absolute difference of the information entropy exceeds a set quantity; determine from the information entropy time sequence characteristic value whether an abnormality exists; if so, enter step S32, and if not, determine that no abnormality exists and that no dyeing treatment is needed for the user;
S32, decompose the spectrogram of the access flow over the preset time with the EEMD algorithm, obtaining the IMF components of the different modes after a preset number of processing rounds; from the amplitudes of the IMF components, determine the numbers of obvious IMF components and general IMF components; determine a characteristic quantity evaluation value of the obvious IMF components at least from their number, their average amplitude, their frequency spectrum characteristic quantity and their gradient; and determine from that evaluation value whether an abnormality exists; if so, enter step S33, otherwise enter step S34;
S33, determine a characteristic quantity evaluation value of the general IMF components at least from their number, average amplitude, frequency spectrum characteristic quantity and gradient, and determine from the evaluation values of the general IMF components and of the obvious IMF components whether an abnormality exists; if so, enter step S34, and if not, determine that no abnormality exists and that no dyeing treatment is needed for the user;
S34, extract spatial features from the spectrogram of the access flow over the preset time with a spatial feature extraction model based on a CNN algorithm, the model comprising an input layer followed by two repeated convolution layers and a pooling layer, after which the spatial features are output; determine the time sequence characteristic quantity from the spatial features, the evaluation values of the general IMF components and of the obvious IMF components, and the information entropy time sequence characteristic value.
The time sequence characteristic quantity ranges between 0 and 1, and the larger it is, the higher the probability that the user's access flow is abnormal.
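The four entropy statistics of step S31, as an added worked example (not code from the patent): the entropy of the access flow at each moment is taken here as the Shannon entropy of the endpoints requested in a fixed slot, and the slot length, the "set quantity" for the entropy jump and the decision rule at the end are assumptions; the EEMD and CNN parts of S32-S34 are not covered.

```python
import math
from collections import Counter
from statistics import mean, pstdev

SLOT_SECONDS = 10           # assumed length of one entropy slot
ENTROPY_JUMP_BITS = 1.0     # assumed "set quantity" for |H(t) - H(t-1)|
MAX_DISCRETE_COEFF = 0.5    # assumed S31 decision thresholds
MIN_MEAN_INTERVAL_S = 60.0


def shannon_entropy_bits(items: list[str]) -> float:
    """Information entropy (bits) of the mix of requested endpoints in one slot."""
    n = len(items)
    if n == 0:
        return 0.0
    total = sum(c / n * math.log2(c / n) for c in Counter(items).values())
    return -total if total else 0.0


def entropy_series(slots: list[list[str]]) -> list[float]:
    """Entropy of the access flow at each moment (one value per slot)."""
    return [shannon_entropy_bits(slot) for slot in slots]


def discrete_coefficient(h: list[float]) -> float:
    """Discrete coefficient (coefficient of variation) of the entropy series."""
    mu = mean(h)
    return pstdev(h) / mu if mu else 0.0


def autocorrelation_lag1(h: list[float]) -> float:
    """Lag-1 autocorrelation coefficient of the entropy series."""
    mu = mean(h)
    d = [x - mu for x in h]
    denom = sum(x * x for x in d)
    return sum(a * b for a, b in zip(d, d[1:])) / denom if denom else 0.0


def jump_intervals(h: list[float], slot_seconds: float) -> list[float]:
    """Interval times between consecutive moments at which the absolute
    entropy difference exceeds the set quantity."""
    moments = [i * slot_seconds for i in range(1, len(h))
               if abs(h[i] - h[i - 1]) > ENTROPY_JUMP_BITS]
    return [b - a for a, b in zip(moments, moments[1:])]


def entropy_timing_features(slots: list[list[str]],
                            slot_seconds: float = SLOT_SECONDS) -> dict:
    """S31: the four statistics the patent lists for the entropy series."""
    h = entropy_series(slots)
    intervals = jump_intervals(h, slot_seconds)
    window = len(h) * slot_seconds
    # Assumed: with fewer than two jumps there is no burst structure, so the
    # interval statistics are taken as the whole window length.
    return {
        "entropy": h,
        "discrete_coefficient": discrete_coefficient(h),
        "autocorrelation": autocorrelation_lag1(h),
        "max_interval_s": max(intervals) if intervals else window,
        "mean_interval_s": mean(intervals) if intervals else window,
    }


def entropy_timing_abnormal(features: dict) -> bool:
    """Assumed S31 rule: entropy that swings widely (high discrete
    coefficient) and does so at short intervals looks like scripted access
    collapsing onto one endpoint, not like a person filling in a form."""
    return (features["discrete_coefficient"] > MAX_DISCRETE_COEFF
            and features["mean_interval_s"] < MIN_MEAN_INTERVAL_S)


# Constructed sample: endpoints requested in eight consecutive 10 s slots.
MIXED = ["/login", "/home", "/apply", "/status"]     # entropy 2.0 bits
SINGLE = ["/login"] * 4                              # entropy 0.0 bits
PAIRED = ["/login", "/login", "/home", "/home"]      # entropy 1.0 bit
BOT_SLOTS = [MIXED, MIXED, SINGLE, SINGLE, SINGLE, MIXED, PAIRED, PAIRED]
HUMAN_SLOTS = [MIXED] * 8

if __name__ == "__main__":
    for name, slots in (("bot", BOT_SLOTS), ("human", HUMAN_SLOTS)):
        f = entropy_timing_features(slots)
        print(name, f, "abnormal:", entropy_timing_abnormal(f))
```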
In this embodiment, the information entropy time sequence characteristic value is determined from the distribution of the information entropy of the access flow at different moments, the IMF components of the access flow are obtained through the EEMD algorithm, and the time sequence characteristic value is determined by combining the spatial features of the access flow with the information entropy time sequence characteristic value, so that access abnormality is judged from the time sequence characteristics of the access flow over a period of time; the variation of the information entropy at different moments is considered, and the spatial features and the IMF components are considered as well, which further broadens the comprehensiveness and reliability of the analysis and determination.
S14, analyse the data packets to obtain the operation types corresponding to the access flow, determine an operation characteristic quantity from the operation times, operation frequencies and kinds of the different operation types, and determine from the amplitude characteristic quantity and the time sequence characteristic quantity whether dyeing treatment is needed for the user.
As shown in FIG. 4, the specific method of determining the operation characteristic quantity is as follows:
S41, analyse the data packets corresponding to the access flow to obtain the operation types corresponding to the access flow, and determine from the kinds of operation types whether an abnormality exists; if so, determine that the user needs dyeing, and if not, enter step S42;
S42, determine the operation times of the different operation types according to their kinds, and determine from the operation times of the different types whether an abnormality exists; if so, determine that dyeing treatment is needed for the user, and if not, enter step S43;
S43, take the operation types whose operation times exceed a preset number as candidate operation types; determine an operation evaluation value for each candidate type from its operation frequency, the interval time during which its operation frequency exceeds a set frequency, and its operation times; screen out abnormal operation types from the operation evaluation values of the candidate types; determine from the number of abnormal operation types whether an abnormality exists; if so, determine that dyeing treatment is needed for the user, and if not, enter step S44;
S44, determine the operation characteristic quantity from the kinds of operation types, the operation times of the different kinds, the number of abnormal operation types, the operation evaluation values of the candidate types and the average of the operation evaluation values.
Specifically, by way of illustration, determining whether the user needs dyeing by combining the amplitude characteristic quantity and the time sequence characteristic quantity specifically includes:
determining from the operation characteristic quantity whether an abnormality exists; if so, the user needs dyeing, and if not, the next step is entered;
determining a comprehensive characteristic quantity of the user's access flow from the amplitude characteristic quantity, the time sequence characteristic quantity and the operation characteristic quantity, and determining from the comprehensive characteristic quantity whether an abnormality exists; when it does, the user needs dyeing; when it does not, the user is temporarily not dyed, and the monitoring frequency of the user's access flow is set according to the comprehensive characteristic quantity.
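The operation stage S41-S44 and the final comprehensive decision described just above, as one added worked example (not code from the patent): the mapping from parsed requests to operation types, the "preset number", "set frequency", the evaluation and operation feature formulas, the comprehensive combination and the monitoring interval rule are all assumptions, since the patent names these quantities without defining them.

```python
from collections import Counter, defaultdict
from statistics import mean

WINDOW_S = 60
BUCKET_S = 10
# Assumed parameters: the patent names a "preset number", a "set frequency"
# and thresholds on the evaluation values but gives no figures for them.
PRESET_NUMBER = 10           # S43: a type with more operations becomes a candidate
SET_FREQUENCY_PER_S = 0.5    # S43: bucket rate above this counts as burst time
EVAL_ABNORMAL = 10.0         # S43: evaluation value above which a type is abnormal
HARD_CAP_PER_TYPE = 100      # S42: more operations of one type than this is abnormal
FORBIDDEN_TYPES = {"admin_console"}  # S41: kinds a credit applicant never performs
COMPREHENSIVE_DYE = 0.6      # comprehensive characteristic quantity above which to dye

# Constructed mapping from a parsed request (method, path) to an operation type.
OP_TYPES = {("POST", "/api/login"): "login", ("GET", "/apply"): "view_apply",
            ("POST", "/api/apply"): "submit_apply", ("GET", "/admin"): "admin_console"}


def operation_types(records: list[tuple[float, str, str]]) -> list[str]:
    """S41: one operation type per parsed record (timestamp, method, path)."""
    return [OP_TYPES.get((method, path), "other") for _, method, path in records]


def operation_evaluation(times: list[float], window_s: float = WINDOW_S,
                         bucket_s: float = BUCKET_S) -> float:
    """S43 evaluation value of one candidate type from its frequency, the
    interval time during which its rate exceeds the set frequency, and its
    count. Assumed formula: operations per minute times the share of the
    window spent above the set frequency."""
    per_bucket = Counter(int(t // bucket_s) for t in times)
    burst_s = sum(bucket_s for n in per_bucket.values() if n / bucket_s > SET_FREQUENCY_PER_S)
    per_minute = len(times) * 60.0 / window_s
    return per_minute * burst_s / window_s


def operation_feature(counts: Counter, abnormal: list[str], evals: dict) -> float:
    """S44 assumed formula: dominance of the most frequent kind, share of
    abnormal kinds and mean evaluation value (relative to the abnormal
    threshold), equally weighted, giving a value in [0, 1]."""
    dominance = max(counts.values()) / sum(counts.values())
    abnormal_share = len(abnormal) / len(counts)
    mean_eval = mean(evals.values()) if evals else 0.0
    return (dominance + abnormal_share + min(1.0, mean_eval / EVAL_ABNORMAL)) / 3


def operation_stage(records: list[tuple[float, str, str]]) -> tuple:
    """S41-S44. Returns ("dye", reason) or ("feature", operation_feature)."""
    types = operation_types(records)
    if set(types) & FORBIDDEN_TYPES:                       # S41
        return "dye", "forbidden operation type"
    counts = Counter(types)
    if max(counts.values()) > HARD_CAP_PER_TYPE:          # S42
        return "dye", "operation count above hard cap"
    by_type = defaultdict(list)
    for (t, _, _), kind in zip(records, types):
        by_type[kind].append(t)
    evals = {k: operation_evaluation(by_type[k])           # S43
             for k, c in counts.items() if c > PRESET_NUMBER}
    abnormal = [k for k, v in evals.items() if v > EVAL_ABNORMAL]
    if abnormal:
        return "dye", "abnormal operation types: " + ", ".join(abnormal)
    return "feature", operation_feature(counts, abnormal, evals)   # S44


def comprehensive_decision(amplitude: float, amplitude_set_value: float,
                           time_sequence: float, operation: float) -> tuple:
    """Final step: combine the three quantities. Assumed: the amplitude is
    normalised by its set value and capped at 1, then the three are averaged;
    a user that is not dyed is re-monitored sooner the higher the quantity."""
    amp_norm = min(1.0, amplitude / amplitude_set_value)
    q = (amp_norm + time_sequence + operation) / 3
    if q > COMPREHENSIVE_DYE:
        return "dye", q, 0
    return "monitor", q, int(round(300 * (1 - q)))   # assumed: 300 s interval at q == 0


# Constructed request records (timestamp_s, method, path) for a 60 s window.
BOT_RECORDS = [(t, "POST", "/api/login") for t in range(30)] + [
    (30, "GET", "/apply"), (45, "GET", "/apply"), (50, "POST", "/api/apply")]
HUMAN_RECORDS = [(0, "POST", "/api/login"), (5, "POST", "/api/login"),
                 (10, "GET", "/apply"), (20, "GET", "/apply"), (35, "GET", "/apply"),
                 (50, "POST", "/api/apply")]

if __name__ == "__main__":
    print(operation_stage(BOT_RECORDS))
    print(operation_stage(HUMAN_RECORDS))
    print(comprehensive_decision(1.2, 1.5, 0.3, operation_stage(HUMAN_RECORDS)[1]))
```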
In this embodiment, the operation types corresponding to the access flow are obtained by analysing the data packets, the operation characteristic quantity is determined from the operation times and operation frequencies of the different operation types and from their kinds, and whether the user needs dyeing is determined by combining the amplitude characteristic quantity and the time sequence characteristic quantity, so that not only a single flow characteristic quantity but also the operation types behind the access flow are fully considered, which further ensures the accuracy of the dyeing decision.
In another aspect, the present invention provides a computer system comprising a communicatively coupled memory and processor and a computer program stored on the memory and capable of running on the processor, characterised in that the processor executes the abnormal flow monitoring method based on flow probe dyeing when running the computer program.
The abnormal flow monitoring method based on flow probe dyeing specifically comprises the following steps:
determining whether the user is a dyed user from the user's access terminal or access IP; if so, determining that the user's access flow is abnormal, and if not, entering the next step;
acquiring the user's access flow over a preset time through a flow probe, determining the size and variance of the data packets from the access flow, determining an amplitude characteristic quantity in combination with the access flow, and determining from the amplitude characteristic quantity whether an abnormality exists; if so, entering the next step, and if not, determining that no dyeing treatment is needed for the user;
from the distribution of the information entropy of the access flow at different moments, determining the discrete coefficient and the autocorrelation coefficient of the information entropy and the maximum and average interval time between moments at which the absolute difference of the information entropy exceeds a set quantity, determining the information entropy time sequence characteristic value from them, and entering the next step when no abnormality is found from the information entropy time sequence characteristic value;
decomposing the spectrogram of the access flow over the preset time with the EEMD algorithm, obtaining the IMF components of the different modes after a preset number of processing rounds, determining the numbers of obvious and general IMF components from the amplitudes of the IMF components, determining a characteristic quantity evaluation value of the obvious IMF components at least from their number, average amplitude, frequency spectrum characteristic quantity and gradient, and entering the next step when an abnormality is determined from that evaluation value;
determining a characteristic quantity evaluation value of the general IMF components at least from their number, average amplitude, frequency spectrum characteristic quantity and gradient, and, when no abnormality is found from the evaluation values of the general and obvious IMF components, determining that no abnormality exists and that no dyeing treatment is needed for the user.
In another aspect, as shown in Fig. 5, the present invention provides a computer storage medium having a computer program stored thereon which, when executed in a computer, causes the computer to perform the above-described abnormal flow monitoring method based on flow probe dyeing.
Determining whether the user is a dyed user according to the access terminal or the access IP of the user; if so, determining that the access flow of the user is abnormal, and if not, entering the next step;
acquiring the access flow of a user within a preset time through a flow probe, determining the size and the variance of the data packets from the access flow, determining an amplitude characteristic quantity in combination with the access flow, and determining whether an abnormality exists based on the amplitude characteristic quantity; if so, entering the next step, and if not, determining that dyeing treatment is not needed for the user;
determining the information entropy time sequence characteristic value according to the distribution of the information entropy of the access flow at different moments, acquiring the IMF components of the access flow through an EEMD algorithm, determining the time sequence characteristic value from the spatial features of the access flow and the information entropy time sequence characteristic value, and determining whether an abnormality exists according to the time sequence characteristic value; entering the next step if an abnormality exists, and determining that dyeing treatment is not needed for the user if no abnormality exists;
analyzing the data packets corresponding to the access flow to obtain the operation types corresponding to the access flow, and entering the next step when no abnormality is determined based on the kinds of operation type;
determining the operation times of the different operation types according to their kinds, and entering the next step when no abnormality is determined based on the operation times of the different operation types;
taking the operation types whose operation times are larger than a preset number as alternative operation types, determining an operation evaluation value of each alternative operation type based on its operation frequency, the interval time during which the operation frequency is larger than a set frequency, and its operation times, screening abnormal operation types based on the operation evaluation values of the alternative operation types, and entering the next step when no abnormality exists according to the number of abnormal operation types;
determining the operation characteristic quantity from the kinds of operation type, the operation times of the different kinds of operation type, the number of abnormal operation types, and the operation evaluation values of the alternative operation types together with their average value.
In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments may be referred to one another, and each embodiment mainly describes its differences from the others. In particular, the description of the apparatus, device and non-volatile computer storage medium embodiments is relatively brief, since they are substantially similar to the method embodiments; refer to the relevant portions of the method embodiments.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The foregoing is merely one or more embodiments of the present description and is not intended to limit the present description. Various modifications and alterations to one or more embodiments of this description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principles of one or more embodiments of the present description, is intended to be included within the scope of the claims of the present description.

Claims (9)

1. An abnormal flow monitoring method based on flow probe dyeing, characterized by comprising the following steps:
determining whether the user is a dyed user according to an access terminal or an access IP of the user, if so, determining that the access flow of the user is abnormal, and if not, entering the next step;
acquiring access flow of a user in preset time through a flow probe, determining the size and variance of a data packet through the access flow, determining an amplitude characteristic quantity in combination with the access flow, determining whether an abnormality exists or not based on the amplitude characteristic quantity, if so, entering the next step, and if not, determining that dyeing treatment is not needed for the user;
the method for determining the amplitude characteristic quantity comprises the following steps:
acquiring the access flow of the user in the preset time through the flow probe, determining whether an abnormality exists or not based on the access flow of the user in the preset time, if so, entering the next step, if not, determining that the abnormality does not exist, and determining that dyeing treatment is not needed for the user;
determining the maximum value, the minimum value and the variance of the access flow of the user in unit time within the preset time according to the access flow of the user in the preset time, and constructing a flow characteristic value based on the maximum value, the minimum value and the variance of the access flow of the user in unit time within the preset time;
determining a data packet corresponding to the access flow through the access flow of the user in a preset time, dividing the data packet into a large data packet, a medium data packet and a general data packet based on the data quantity of the data packet, determining a data packet characteristic value according to the quantity of the large data packet, the quantity of the medium data packet and the quantity of the general data packet and combining the variance of the data quantity of the data packet;
constructing the amplitude characteristic quantity by combining the flow characteristic value and the data packet characteristic value with the number of the data packets of the user and the access flow of the user;
determining the information entropy time sequence characteristic value according to the distribution of the information entropy of the access flow at different moments, acquiring the IMF components of the access flow through an EEMD algorithm, determining the time sequence characteristic value from the spatial features of the access flow and the information entropy time sequence characteristic value, and determining whether an abnormality exists according to the time sequence characteristic value; entering the next step if an abnormality exists, and determining that dyeing treatment is not needed for the user if no abnormality exists;
analyzing the data packet to obtain an operation type corresponding to the access flow, determining an operation characteristic quantity based on operation times, operation frequency and operation type types of different operation types, and determining whether dyeing treatment is needed for a user or not by combining the amplitude characteristic quantity and the time characteristic quantity.
2. The abnormal flow monitoring method based on flow probe dyeing according to claim 1, wherein determining whether the user is a dyed user according to the access terminal or the access IP of the user specifically comprises:
acquiring a unique identifier of an access terminal of the user, determining whether the user is a dyed user according to the unique identifier, if so, determining that the user is the dyed user, and if not, entering the next step;
and acquiring the access IP of the user, and determining whether the user is a dyed user according to the access IP of the user.
3. The abnormal flow monitoring method based on flow probe dyeing according to claim 1, wherein the preset time is determined at least according to the number of ports and the concurrency of the servers of the credit application system, and the greater the number of ports and the concurrency of the servers of the credit application system, the longer the preset time.
4. The abnormal flow monitoring method based on flow probe dyeing according to claim 1, wherein determining whether an abnormality exists based on the amplitude characteristic quantity specifically comprises:
and when the amplitude characteristic quantity is larger than a set value, determining that the access flow of the user is abnormal.
5. The abnormal flow monitoring method based on flow probe dyeing according to claim 1, wherein determining whether an abnormality exists based on the access flow of the user within the preset time specifically comprises:
acquiring access flow of different users in preset time to determine an average value of the access flow;
correcting the average value of the access flow through the preset time to obtain a corrected average value, wherein the corrected average value is smaller than the average value;
judging whether the access flow of the user in the preset time is smaller than the corrected average value, if yes, determining that the access flow of the user in the preset time is not abnormal, and if not, determining that the access flow of the user in the preset time is abnormal.
6. The abnormal flow monitoring method based on flow probe dyeing according to claim 1, wherein the method for determining the time sequence characteristic quantity is as follows:
S31, determining, according to the distribution of the information entropy of the access flow at different moments, the discrete coefficient, the autocorrelation coefficient, and the maximum value and the average value of the interval time between moments at which the absolute value of the difference of the information entropy is larger than a set amount, thereby obtaining the information entropy time sequence characteristic value, and determining whether an abnormality exists according to the information entropy time sequence characteristic value; if so, entering step S32, and if not, determining that no abnormality exists and that dyeing treatment is not needed for the user;
S32, decomposing a spectrogram of the access flow within the preset time through the EEMD algorithm, obtaining IMF components of different modes after a preset number of processing passes, determining the number of obvious IMF components and of general IMF components from the amplitude values of the IMF components, determining a characteristic quantity evaluation value of the obvious IMF components at least through the number and the average amplitude value of the obvious IMF components, the frequency spectrum characteristic quantity and the gradient, and determining whether an abnormality exists through the characteristic quantity evaluation value of the obvious IMF components; if so, entering step S33, otherwise entering step S34;
S33, determining a characteristic quantity evaluation value of the general IMF components at least through the number and the average amplitude value of the general IMF components, the frequency spectrum characteristic quantity and the gradient, and determining whether an abnormality exists through the characteristic quantity evaluation value of the general IMF components together with that of the obvious IMF components; if so, entering step S34, and if not, determining that no abnormality exists and that dyeing treatment is not needed for the user;
S34, extracting spatial features from the spectrogram of the access flow within the preset time with a spatial feature extraction model based on a CNN algorithm, the model comprising, after an input layer, two repeated convolution layers followed by a pooling layer whose output is the spatial features, and determining the time sequence characteristic quantity based on the spatial features, the characteristic quantity evaluation value of the general IMF components, the characteristic quantity evaluation value of the obvious IMF components and the information entropy time sequence characteristic value.
7. The abnormal flow monitoring method based on flow probe dyeing according to claim 6, wherein the value of the time sequence characteristic quantity ranges from 0 to 1, and the larger the time sequence characteristic quantity, the larger the probability that the access flow of the user is abnormal.
8. A computer system, comprising a memory and a processor that are communicatively coupled, and a computer program stored on the memory and capable of running on the processor, characterized in that the processor, when executing the computer program, performs the abnormal flow monitoring method based on flow probe dyeing according to any one of claims 1 to 7.
9. A computer storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the abnormal flow monitoring method based on flow probe dyeing according to any one of claims 1 to 7.
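As an added illustration (not code from the patent or its applicant), the following Python walks the amplitude step of claim 1 together with the pre-check of claim 5 and the threshold test of claim 4 on a constructed probe capture: the corrected cohort average, the flow characteristic value from per-unit-time maximum, minimum and variance, the packet characteristic value from large/medium/general packet counts and packet size variance, and their combination with the packet count and the total access flow. All formulas, class boundaries and thresholds are assumptions, since the claims name the inputs of each value but not how they are combined.

```python
"""Amplitude characteristic quantity for one user's access flow.

Added example, not code from patent CN116723138B. Every formula, boundary
and threshold below is an assumption; the claims name the inputs of each
value but not how they are combined.
"""
from statistics import mean, pvariance

PRESET_SECONDS = 10                      # preset time: ten 1-second slots (assumed)
LARGE_BYTES, MEDIUM_BYTES = 1200, 500    # packet-class boundaries (assumed)
AMPLITUDE_THRESHOLD = 2.0                # the "set value" of claim 4 (assumed)
OTHER_USER_TOTALS = [12000, 15500, 9800, 20100, 14300]   # other users, constructed

def make_packets(burst_slots):
    """Constructed probe capture as (slot, size) pairs: a few small packets
    per slot, plus 32 near-full-size packets in each burst slot."""
    pkts = []
    for slot in range(PRESET_SECONDS):
        pkts += [(slot, s) for s in (64, 120, 200, 80, 150, 100 + 10 * slot)]
        if slot in burst_slots:
            pkts += [(slot, 1500)] * 30 + [(slot, 1400)] * 2
    return pkts

def per_slot_flow(packets):
    """Access flow of the user in unit time: bytes per slot (claim 1)."""
    flow = [0] * PRESET_SECONDS
    for slot, size in packets:
        flow[slot] += size
    return flow

def corrected_average(all_totals, preset_seconds):
    """Claim 5: cohort mean scaled down by a factor that shrinks with the
    preset time (assumed form; always strictly below the plain mean)."""
    return mean(all_totals) * max(0.5, 0.9 - 0.01 * preset_seconds)

def flow_feature(flow):
    """Claim 1: flow characteristic value from max, min and variance of the
    per-slot flow (assumed: relative range plus squared coefficient of variation)."""
    m = mean(flow)
    return (max(flow) - min(flow)) / m + pvariance(flow) / (m * m)

def packet_feature(sizes):
    """Claim 1: packet characteristic value from the counts of large, medium
    and general packets (weighted 3/2/1) and the variance of packet size."""
    large = sum(s >= LARGE_BYTES for s in sizes)
    medium = sum(MEDIUM_BYTES <= s < LARGE_BYTES for s in sizes)
    general = len(sizes) - large - medium
    m = mean(sizes)
    weighted = (3 * large + 2 * medium + general) / len(sizes)
    return weighted * (1 + pvariance(sizes) / (m * m))

def amplitude_quantity(packets):
    """Claim 1: combine both values with the packet count and the total flow
    (assumed: product scaled by mean bytes per packet over a 1500-byte frame)."""
    flow = per_slot_flow(packets)
    sizes = [size for _, size in packets]
    return flow_feature(flow) * packet_feature(sizes) * (sum(flow) / len(sizes) / 1500)

def assess_amplitude(packets, other_totals=OTHER_USER_TOTALS):
    """Claims 5, 1 and 4 in order: 'no_dyeing' clears the user, 'next_step'
    hands the user to the time sequence (entropy/EEMD) stage."""
    total = sum(size for _, size in packets)
    if total < corrected_average(other_totals + [total], PRESET_SECONDS):
        return "no_dyeing"          # claim 5: below the corrected cohort mean
    if amplitude_quantity(packets) > AMPLITUDE_THRESHOLD:
        return "next_step"          # claim 4: amplitude above the set value
    return "no_dyeing"

if __name__ == "__main__":
    print(assess_amplitude(make_packets({3, 4, 6})), assess_amplitude(make_packets(set())))
```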
Application CN202311003068.0A, granted as CN116723138B (Active): priority date 2023-08-10, filing date 2023-08-10, "Abnormal flow monitoring method and system based on flow probe dyeing".

Publications (2)

CN116723138A (application), published 2023-09-08
CN116723138B (granted patent), published 2023-10-20

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant