CN116915453A - Network traffic detection method, device, server and storage medium - Google Patents


Info

Publication number: CN116915453A
Application number: CN202310822448.0A
Authority: CN (China)
Language: Chinese (zh)
Inventors: 程筱彪, 徐雷, 张曼君
Assignee (current and original): China United Network Communications Group Co Ltd
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application provides a network traffic detection method, a network traffic detection device, a server and a storage medium. The method comprises the following steps: acquiring traffic data to be detected and extracting features from the traffic data to obtain its traffic features; performing a first traffic detection on the traffic features based on a preset traffic feature library and, if the result of the first traffic detection is traffic of unknown type, determining the significance level and the Gini coefficient of the traffic data; and performing a second traffic detection on the traffic data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result for the traffic data. By combining two layers of detection, feature comparison and algorithmic detection, the method improves the detection accuracy for abnormal traffic.

Description

Network traffic detection method, device, server and storage medium
Technical Field
The present application relates to the field of network traffic detection technologies, and in particular, to a network traffic detection method, device, server, and storage medium.
Background
In recent years the number of network attack events has grown, and at the same time attack methods have become more covert: attackers usually communicate over encrypted channels, so encrypted attack traffic is mixed in with normal service data and is difficult to discover.
In the prior art, encrypted traffic is detected by generating a feature library from existing network protocols and comparing the traffic features of the collected traffic against that library; whether the captured network traffic is encrypted is then decided from the comparison result.
In practice this prior-art method has two shortcomings: relying on feature-library comparison alone means that some novel encrypted traffic cannot be detected when the network protocol feature library is not updated in time; and judging only along the single dimension of the network protocol leaves a large amount of abnormal traffic that is hard to detect, which reduces the detection accuracy for abnormal traffic.
Disclosure of Invention
The application provides a network traffic detection method, a device, a server and a storage medium. They address the problem in the prior art that traffic detection carried out only by feature comparison yields results of low accuracy, and improve the detection accuracy for abnormal traffic by combining two layers of detection: feature comparison detection and algorithmic detection.
In a first aspect, the present application provides a network traffic detection method, including:
acquiring traffic data to be detected, and extracting features from the traffic data to obtain the traffic features of the traffic data;
performing a first traffic detection on the traffic features based on a preset traffic feature library and, if the result of the first traffic detection is traffic of unknown type, determining the significance level and the Gini coefficient of the traffic data;
and performing a second traffic detection on the traffic data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result for the traffic data.
Optionally, acquiring the traffic data to be detected includes:
receiving the traffic data packets captured by the acquisition module, and preprocessing the traffic data packets to obtain the traffic data to be detected.
Optionally, performing the first traffic detection on the traffic features based on a preset traffic feature library includes:
acquiring the preset traffic feature library, and comparing the traffic features with every stored feature in the traffic feature library to obtain the result of the first traffic detection; the result is one of normal traffic, abnormal traffic and unknown traffic.
Optionally, determining the significance level and the Gini coefficient of the traffic data includes:
vectorizing the traffic data to obtain a vector sequence of the traffic data;
determining the vector proportion of a first vector in the vector sequence, and determining the Gini coefficient of the traffic data based on the vector proportion;
and determining the number of subsequence bits of a preset subsequence in the vector sequence, and determining the significance level of the traffic data based on the vector proportion and the number of subsequence bits.
Optionally, vectorizing the traffic data to obtain a vector sequence of the traffic data includes:
sampling the traffic data to obtain a plurality of sampled data packets;
and determining the traffic vector corresponding to each sampled data packet, and determining the vector sequence of the traffic data based on those traffic vectors.
Optionally, determining the traffic vector corresponding to each sampled data packet includes:
for any one of the sampled data packets, determining the payload of that sampled data packet;
and vectorizing each payload based on a preset payload threshold to obtain the traffic vector corresponding to the sampled data packet.
Optionally, performing the second traffic detection on the traffic data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result for the traffic data includes:
inputting the significance level and the Gini coefficient into the detection algorithm to obtain the target detection result for the traffic data.
In a second aspect, the present application provides a network traffic detection device, including:
a traffic data acquisition module, configured to acquire traffic data to be detected and to extract features from the traffic data to obtain the traffic features of the traffic data;
a parameter determining module, configured to perform a first traffic detection on the traffic features based on a preset traffic feature library and, if the result of the first traffic detection is traffic of unknown type, to determine the significance level and the Gini coefficient of the traffic data;
and a target detection result obtaining module, configured to perform a second traffic detection on the traffic data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result for the traffic data.
Optionally, the traffic data acquisition module includes:
a traffic data acquisition sub-module, configured to receive the traffic data packets captured by the acquisition module and to preprocess the traffic data packets to obtain the traffic data to be detected.
Optionally, the parameter determining module includes:
a first detection result obtaining sub-module, configured to acquire the preset traffic feature library and to compare the traffic features with every stored feature in the traffic feature library to obtain the result of the first traffic detection; the result is one of normal traffic, abnormal traffic and unknown traffic.
Optionally, the parameter determining module further includes:
a vector sequence determining sub-module, configured to vectorize the traffic data to obtain a vector sequence of the traffic data;
a Gini coefficient determining sub-module, configured to determine the vector proportion of a first vector in the vector sequence and to determine the Gini coefficient of the traffic data based on the vector proportion;
and a significance level determining sub-module, configured to determine the number of subsequence bits of a preset subsequence in the vector sequence and to determine the significance level of the traffic data based on the vector proportion and the number of subsequence bits.
Optionally, the vector sequence determining sub-module includes:
a sampled data packet obtaining unit, configured to sample the traffic data to obtain a plurality of sampled data packets;
and a traffic sequence determining unit, configured to determine the traffic vector corresponding to each sampled data packet and to determine the vector sequence of the traffic data based on those traffic vectors.
Optionally, the traffic sequence determining unit includes:
a payload determining subunit, configured to determine, for any one of the sampled data packets, the payload of that sampled data packet;
and a traffic vector determining subunit, configured to vectorize each payload based on a preset payload threshold to obtain the traffic vector corresponding to the sampled data packet.
Optionally, the target detection result obtaining module includes:
a target detection result obtaining sub-module, configured to input the significance level and the Gini coefficient into the detection algorithm to obtain the target detection result for the traffic data.
In a third aspect, the present application provides a server comprising: a processor, and a memory communicatively connected to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the method described in the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, perform the method according to the first aspect.
In a fifth aspect, the application provides a computer program product comprising a computer program which, when executed by a processor, implements the method of the first aspect.
In the technical scheme provided by the application, the traffic data to be detected is acquired, its traffic features are extracted, the traffic features are matched against every stored feature in a preset traffic feature library, and the result of the first traffic detection is obtained from the matching result. Optionally, if that result is unknown traffic, the traffic data is examined further so that it is not left undetected: the significance level and the Gini coefficient of the traffic data are obtained, and these two parameters are input into a trained detection algorithm to obtain the target detection result for the traffic data. In this process the first detection is based on the traffic features of the traffic data, and the traffic data is then detected again through its significance level and Gini coefficient, which improves both the detection accuracy and the coverage for the traffic data.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is an application scenario diagram of a network traffic detection method provided by the present application;
Fig. 2 is a flow chart of a network traffic detection method according to an embodiment of the present application;
Fig. 3 is a flow chart of another network traffic detection method according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a network traffic detection device according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a server according to an embodiment of the present application;
Fig. 6 is a block diagram of a server according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
In practice, to ensure the security of network communication, the traffic data exchanged over the network needs to be detected. Existing detection methods generally extract the traffic features of the traffic data, compare them with every stored feature in a traffic feature library constructed in advance from existing network protocols, and derive the detection result from the comparison. However, because the traffic feature library is not updated in time, some novel encrypted traffic cannot be detected correctly and the accuracy of the detection result is low; moreover, because the traffic data is examined only along the single dimension of traffic feature comparison, some encrypted traffic may be misdetected, which lowers the accuracy further.
The application provides a network traffic detection method that aims to solve these technical problems of the prior art. Specifically, the detection result for the network traffic data is judged comprehensively from the traffic features of the traffic data, the Gini coefficient characterizing the degree of dispersion of the traffic data, and the significance level characterizing its overall degree of randomness, which improves the detection accuracy and the coverage for the traffic data.
Fig. 1 is an application scenario diagram of a network traffic detection method provided by the present application. The application scenario to which the embodiment of the present application applies is described below with reference to Fig. 1. As shown in Fig. 1, an acquisition module and a detection module are arranged in the detection device. The acquisition module captures the network traffic data transmitted by the equipment on which the detection device is located and passes it to the detection module; the detection module then performs the first traffic detection on the traffic features of the network traffic data based on the traffic feature library preset in the module. Optionally, if the result obtained is traffic of unknown type, the network traffic data is detected further: its significance level and Gini coefficient are obtained, and these two parameters are input into a trained detection algorithm to determine whether the network traffic data is encrypted traffic.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a flow chart of a network traffic detection method according to an embodiment of the present application. The method may be performed by a network traffic detection device, which may be deployed in a server or in another electronic device; this embodiment takes the server as the example. The method may be implemented in software, in hardware, or in a combination of the two and, as shown in Fig. 2, includes the following steps.
S210, acquiring traffic data to be detected, and extracting features from the traffic data to obtain the traffic features of the traffic data.
In the embodiment of the application, the traffic data to be detected is a complete session data packet. Specifically, the traffic data to be detected is obtained by preprocessing the captured network traffic data. To facilitate the subsequent feature comparison, the detection module then extracts the traffic features from the acquired traffic data. Alternatively, the traffic features of the traffic data may be obtained by extracting the network protocol feature fields from the session packet. Of course, the traffic feature extraction may be performed in other ways, which the present application does not limit.
S220, performing a first traffic detection on the traffic features based on a preset traffic feature library and, if the result of the first traffic detection is unknown traffic, determining the significance level and the Gini coefficient of the traffic data.
In an embodiment of the present application, the first traffic detection is a first-pass detection based on the traffic features of the traffic data. Specifically, the preset traffic feature library is obtained, the extracted traffic features are compared with the stored features in the traffic feature library, and the comparison result is taken as the result of the first traffic detection. Because the traffic feature library is constructed from existing network protocols, network traffic data encrypted with a novel network protocol cannot be detected accurately if the feature library has not been updated in time, and the detection accuracy drops. For this reason, when the result of the first traffic detection is traffic of unknown type, the traffic data must be detected further to avoid false detection for the reason just described.
In practice, the unknown types of traffic mentioned above fall mainly into encrypted traffic (novel network protocols, malicious attack traffic) and compressed traffic. The main difference between the two is that encrypted traffic data is random overall, whereas compressed traffic is typically random only in local regions and not overall. Here the significance level is the probability, or risk, of rejecting the null hypothesis when it is in fact true; in other words, it is the probability value below which an event is treated as a small-probability event. The significance level is not a fixed value: the larger it is, the more likely the null hypothesis is to be rejected, and the greater the risk of rejecting a null hypothesis that is actually true. The Gini coefficient measures the difference between samples; it is a value between 0 and 1, and the larger the value, the larger the difference. In the present application, the significance level is used to characterize the overall degree of randomness of the traffic data to be detected, and the Gini coefficient is used to characterize its degree of dispersion.
On this basis, the significance level and the Gini coefficient of the traffic data to be detected are obtained, and the randomness of the traffic data is detected through these two parameters to obtain the final detection result for the traffic data. How the significance level and the Gini coefficient of the traffic data to be detected are determined is described in detail in the following embodiments.
S230, performing a second traffic detection on the traffic data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result for the traffic data.
In the embodiment of the application, once the two parameters, the significance level and the Gini coefficient, have been obtained, the preset detection algorithm is obtained, the detection algorithm is applied to these parameters of the traffic data, and the result computed by the algorithm is output as the target detection result for the traffic data.
Since the unknown types of traffic mentioned above fall mainly into encrypted traffic (novel network protocols, malicious attack traffic) and compressed traffic, the target detection result in this embodiment is either encrypted traffic or compressed traffic. Of course, other traffic types are possible in practice, and the present application is not limited in this respect.
In this technical scheme, the traffic data to be detected is acquired, its traffic features are extracted, the traffic features are matched against every stored feature in a preset traffic feature library, and the result of the first traffic detection is obtained from the matching result. Optionally, if that result is unknown traffic, the traffic data is examined further so that it is not left undetected: the significance level and the Gini coefficient of the traffic data are obtained, and these two parameters are input into a trained detection algorithm to obtain the target detection result for the traffic data. In this process the first detection is based on the traffic features of the traffic data, and the traffic data is then detected again through its significance level and Gini coefficient, which improves both the detection accuracy and the coverage for the traffic data.
Fig. 3 is a flow chart of another network traffic detection method according to an embodiment of the present application. This embodiment can be understood as a refinement of the embodiment above in which specific steps are described in more detail. Referring to Fig. 3, the method may specifically include:
S310, acquiring traffic data to be detected, and extracting features from the traffic data to obtain the traffic features of the traffic data.
For the technical means, technical effects and technical terms in step S310, reference may be made to the explanation of step S210 in the embodiment above.
On the basis of the foregoing embodiment, step S310 may in this embodiment specifically include:
S311, receiving the traffic data packets captured by the acquisition module, and preprocessing the traffic data packets to obtain the traffic data to be detected.
In the embodiment of the application, the acquisition module is a built-in module of the detection device and is used to capture the network traffic data exchanged by the equipment on which the detection device is located. Specifically, when the acquisition module captures network traffic data it passes the data directly to the detection module, which preprocesses the network traffic data and then performs traffic detection on the processed traffic data. Optionally, the preprocessing may instead be performed by the acquisition module immediately after capture, with the processed traffic data then passed to the detection module for traffic detection.
S312, extracting features from the traffic data to obtain the traffic features of the traffic data.
In the embodiment of the application, traffic detection may be realized by detecting the network protocol used by the traffic data and deriving the detection result from it. The technical scheme of the application therefore performs feature recognition on the traffic data to be detected to obtain its traffic features, determines among those features the protocol features that characterize the network protocol, and performs the detection on the basis of those protocol features.
The feature extraction method may be chosen according to the data at hand, and the application does not limit the extraction method.
S320, performing a first traffic detection on the traffic features based on a preset traffic feature library and, if the result of the first traffic detection is unknown traffic, determining the significance level and the Gini coefficient of the traffic data.
For the technical means, technical effects and technical terms in step S320, reference may be made to the explanation of step S220 in the embodiment above.
On the basis of the foregoing embodiment, step S320 may in this embodiment specifically include:
S321, acquiring the preset traffic feature library, and comparing the traffic features with every stored feature in the traffic feature library to obtain the result of the first traffic detection.
In the embodiment of the application, the traffic feature library comprises a plurality of stored features, which may be network features generated from existing network protocols. It should be noted that the existing network protocols include both the protocols used when normal traffic is compressed and the protocols used when abnormal traffic is compressed.
Specifically, the traffic feature library is obtained together with every stored feature it holds. The extracted traffic features are matched against each stored feature in the library in turn; this is the first traffic detection, and its result is obtained from the feature matching result.
In the present application, the detection result is one of normal traffic, abnormal traffic and traffic of unknown type. If the traffic features do not match any stored feature, the traffic data to be detected is traffic of unknown type; otherwise, if the traffic features match any stored feature, the traffic data to be detected is traffic of a known type.
For a successful match, the network protocol associated with the matched stored feature is then determined. If that protocol is one used when normal traffic is compressed, the traffic data to be detected is normal traffic and has no abnormal problem; the traffic data can then be discarded directly, which avoids storing useless data and improves the storage efficiency of the detection device. If that protocol is one used when abnormal traffic is compressed, the traffic data to be detected is abnormal traffic, which indicates that it does have an abnormal problem; the traffic data must then be sent to a preset traffic analysis module for abnormality analysis, which improves the security of network communication.
S322, if the detection result of the first flow detection is the unknown flow, vectorizing the flow data to obtain a vector sequence of the flow data.
In the embodiment of the application, when the detection result of the first flow detection is unknown flow based on the detection mode, in order to further determine the flow detection result to be detected, the significance level and the coefficient of the kunity of the flow data can be determined by the technical scheme of the application, and then the second flow data is detected based on the two parameters.
Specifically, the flow data to be detected may be vectorized, and then the significant bubble and the kennel coefficient may be determined based on the obtained vector sequence. Optionally, the method for vectorizing the flow data to obtain the vector sequence of the flow data may include: carrying out data sampling processing on the flow data to obtain a plurality of sampling data packets; and determining flow vectors corresponding to the sampling data packets respectively, and determining a vector sequence of flow data based on the flow vectors.
In the embodiment of the application, since the flow data comprises a plurality of data packets, in order to improve efficiency, the data packets in the flow data can first be sampled, and vectorization can then be performed on the sampled data packets obtained after sampling.
Specifically, the data packets in the flow data can be sampled at equal intervals (an equidistant sampling algorithm), so as to obtain n sampled data packets. Further, vectorization processing is performed on each sampled data packet to obtain the flow vector corresponding to that sampled data packet.
Optionally, taking any sampled data packet as an example for introduction, the method for determining the traffic vector corresponding to the sampled data packet may include: determining the payload of the sampled data packet; and carrying out data vectorization processing on each payload based on a preset load threshold value to obtain a flow vector corresponding to the sampled data packet.
In the present application, the payload refers to the data portion actually required to be transmitted in the data packet, and the other portions are information such as addresses and protocols for enabling successful transmission of the data packet.
Specifically, the sampled data packet is parsed, and its payload is determined from the parsed data fields. Further, a preset load threshold is obtained, the obtained payload is compared with the load threshold to obtain a comparison result, and data quantization processing is performed on the sampled data packet based on the comparison result.
Alternatively, the process may be: if the payload is greater than the load threshold, the sampled data packet is quantized to the value 1; otherwise it is quantized to 0.
Taking an IPv6 data packet as an example, the maximum number of bytes in the data packet apart from the basic header is 2 to the power of 16 minus one, i.e. 65535; correspondingly, if the payload of the data packet is smaller than 2 to the power of 15, i.e. 32768, the data packet is quantized to 0, and if it is larger than 32768, it is quantized to 1.
Optionally, the flow vectors are combined to obtain the vector sequence corresponding to the flow data to be detected. For example, the obtained vector sequence may be expressed as: a = {a_1, a_2, a_3, ..., a_n}; wherein a represents the vector sequence and a_i (1 ≤ i ≤ n) represents the flow vector of the i-th sampled packet. Specifically, based on the quantized results, the vector sequence of the flow data may also be expressed as a = {1, 0, ..., 1}.
S323, determining the vector proportion of the first vector in the vector sequence, and determining the Gini coefficient based on the vector proportion.
In the embodiment of the present application, the first vector may be understood as the flow vectors sharing one particular vector value in the vector sequence obtained above; that is, in the above exemplary embodiment, each flow vector with vector value 1 may be denoted as the first vector. Of course, each flow vector with vector value 0 may instead be taken as the first vector; the specific definition of the first vector may be set according to the actual situation. The vector proportion may be understood as the proportion of first vectors among all flow vectors of the vector sequence.
Specifically, the vector ratio may be calculated by obtaining a first vector number of the first vector, obtaining a total vector number of all traffic vectors in the vector sequence, further determining a ratio of the first vector number to the total vector number, and determining the ratio as a vector ratio of the first vector in the vector sequence.
For example, the vector proportion of the first vector may be calculated based on the proportion calculation expression described below. Wherein the expression comprises:
wherein W represents the vector proportion of the first vector; n represents the number of flow vectors in the vector sequence; b(i) is the indicator of whether the i-th flow vector is a first vector; specifically, when a_i = 1, b(i) = 1; otherwise, b(i) = 0.
Further, calculation processing is performed based on the vector proportion to obtain the Gini coefficient of the flow data. Alternatively, a preset Gini coefficient calculation expression may be obtained, and the vector proportion is substituted into that expression as a parameter value and evaluated, so as to obtain the Gini coefficient of the flow data.
Illustratively, the Gini coefficient calculation expression may be as follows:
wherein Gini represents the Gini coefficient.
S324, determining the number of sub-sequence bits of a preset sub-sequence in the vector sequence, and determining the significance level of the flow data based on the vector proportion and the number of sub-sequence bits.
In the embodiment of the present application, the predetermined subsequence may be understood as a subsequence formed by each traffic vector having consecutive identical vector values after starting from the first bit in the vector sequence. The number of sub-sequence bits can be understood as the number of vectors of the flow vector in the preset sub-sequence.
Specifically, based on a preset statistical algorithm, each flow vector in the vector sequence is counted, and the number of sub-sequence bits of the preset sub-sequence is calculated. Alternatively, the number of sub-sequence bits may be obtained from the vector sequence in other ways, which the present application does not limit.
For example, the number of sub-sequence bits of the preset sub-sequence may be calculated based on the following proportional calculation expression. Wherein the expression comprises:
wherein T_n represents the number of sub-sequence bits; n represents the number of flow vectors in the vector sequence; r(i) indicates whether the i-th flow vector continues a run of identical vector values in the vector sequence; specifically, when a_i = a_{i+1}, r(i) = 1, otherwise r(i) = 0.
Further, calculation processing is performed based on the number of sub-sequence bits and the vector proportion to obtain the significance level of the flow data. Alternatively, a preset significance level calculation expression may be obtained, and the vector proportion and the number of sub-sequence bits are substituted into that expression as parameter values and evaluated, so as to obtain the significance level of the flow data.
Illustratively, the significance level calculation expression may be as follows:
wherein P represents the significance level; erfc() represents the (complementary) error function.
S330, performing second flow detection on the flow data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result of the flow data.
Specifically, for understanding and examples of the technical means, technical effects, and technical terms in step S330, reference may be made to the explanation of step S230 in the above embodiments.
On the basis of the foregoing embodiment, in this embodiment, the step of step S330 may specifically include:
S331, inputting the significance level and the Gini coefficient into the detection algorithm to obtain a target detection result of the flow data.
In the embodiment of the application, the preset detection algorithm can be a K-means clustering algorithm trained in advance on the significance levels and Gini coefficients of known types of flows corresponding to the network protocols in the prior art; of course, according to practical application, the detection algorithm can also be another neural network algorithm or conventional algorithm trained on the same data. The application is not particularly limited in terms of the choice of detection algorithm.
Specifically, once the significance level and the Gini coefficient have been obtained, the two parameters are input into the K-means clustering algorithm trained in advance, and the detection result output by the algorithm, namely the target detection result of the flow data, is obtained.
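The following Python block is an added worked example of steps S322 to S331 and is not code from the patent. Because the page does not reproduce the Gini or significance-level expressions, it assumes the standard binary Gini impurity, reads T_n as the run count, uses the erfc-based runs-test p-value form for P, and stands in for the pre-trained K-means model with two constructed centroids; the packet payload lengths are constructed, not captured.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Load threshold from the page's IPv6 example: payloads above 2**15 bytes
# quantize to 1, the rest to 0.
LOAD_THRESHOLD = 2 ** 15  # 32768

# Constructed flow (not a capture): payload byte counts of 16 packets.
SAMPLE_FLOW = [40000, 1200, 800, 65000, 50000, 300, 33000, 1500,
               900, 45000, 60000, 40000, 1000, 200, 36000, 1400]

# Constructed stand-in for the pre-trained K-means model: hypothetical
# centroids, one per known traffic class, in (P, Gini) space.
CENTROIDS: Dict[str, Tuple[float, float]] = {
    "normal": (0.60, 0.45),
    "abnormal": (0.05, 0.10),
}


def equidistant_sample(payload_lengths: Sequence[int], n: int) -> List[int]:
    """S322: pick n packets at equal spacing from the flow."""
    if n <= 0 or n > len(payload_lengths):
        raise ValueError("n must lie between 1 and the packet count")
    step = len(payload_lengths) / n
    return [payload_lengths[int(i * step)] for i in range(n)]


def quantize(payload_length: int, threshold: int = LOAD_THRESHOLD) -> int:
    """S322: payload above the load threshold -> 1, otherwise -> 0."""
    return 1 if payload_length > threshold else 0


def vector_sequence(payload_lengths: Sequence[int], n: int,
                    threshold: int = LOAD_THRESHOLD) -> List[int]:
    """S322: a = {a_1, ..., a_n}, one quantized flow vector per sampled packet."""
    return [quantize(p, threshold) for p in equidistant_sample(payload_lengths, n)]


def vector_proportion(seq: Sequence[int]) -> float:
    """S323: W = (count of first vectors, here a_i == 1) / n."""
    if not seq:
        raise ValueError("empty vector sequence")
    return sum(1 for a in seq if a == 1) / len(seq)


def gini_coefficient(w: float) -> float:
    """S323: ASSUMED form (the page omits the expression): binary Gini
    impurity 1 - W^2 - (1 - W)^2. It is 0 for an all-0 or all-1 sequence
    and peaks at 0.5 when W = 0.5, i.e. it measures dispersion of the bits."""
    return 1.0 - w * w - (1.0 - w) ** 2


def subsequence_bits(seq: Sequence[int]) -> int:
    """S324: T_n, ASSUMED here to be the run count: 1 plus the number of
    positions i where a_i != a_{i+1}."""
    return 1 + sum(1 for i in range(len(seq) - 1) if seq[i] != seq[i + 1])


def significance_level(seq: Sequence[int]) -> float:
    """S324: ASSUMED erfc-based form (runs-test style). A sequence whose run
    count T_n is far from the 2nW(1-W) expected of random bits gets a small P."""
    n = len(seq)
    w = vector_proportion(seq)
    if w == 0.0 or w == 1.0:
        return 0.0  # no variation at all: treat as maximally non-random
    t = subsequence_bits(seq)
    numerator = abs(t - 2.0 * n * w * (1.0 - w))
    denominator = 2.0 * math.sqrt(2.0 * n) * w * (1.0 - w)
    return math.erfc(numerator / denominator)


def second_flow_detection(p: float, gini: float,
                          centroids: Dict[str, Tuple[float, float]] = CENTROIDS) -> str:
    """S331: nearest-centroid assignment in (P, Gini) space, standing in for
    the prediction step of the trained K-means model."""
    return min(centroids, key=lambda label: (p - centroids[label][0]) ** 2
               + (gini - centroids[label][1]) ** 2)


def detect_flow(payload_lengths: Sequence[int], n: int,
                threshold: int = LOAD_THRESHOLD) -> Dict[str, object]:
    """Run S322 to S331 on one flow and return every intermediate value."""
    seq = vector_sequence(payload_lengths, n, threshold)
    w = vector_proportion(seq)
    gini = gini_coefficient(w)
    p = significance_level(seq)
    return {"sequence": seq, "W": w, "Gini": gini, "P": p,
            "result": second_flow_detection(p, gini)}


if __name__ == "__main__":
    for name, flow in (("constructed flow", SAMPLE_FLOW),
                       ("strictly alternating flow", [40000, 100] * 8)):
        print(name, detect_flow(flow, n=16))
```

The strictly alternating flow has the same W and Gini as the constructed one, so only the significance level separates the two, which is why the page feeds both parameters into the second detection.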
In the technical scheme, network flow data in the communication process is collected and preprocessed to obtain the flow data to be detected; the flow features of the flow data are extracted and matched against all stored features in a preset flow feature library, and the detection result of the first flow detection is obtained from the matching result; the detection result is one of normal flow, abnormal flow and unknown flow. Optionally, if the detection result is an unknown type of flow, then in order to avoid a missed detection, the flow data is detected further: the significance level and the Gini coefficient of the flow data are obtained. Specifically, the sampled data packets obtained by sampling the flow data are vectorized to obtain a vector sequence, each flow vector in the vector sequence is processed to obtain the two parameters, and the two parameters are input into the trained detection algorithm to obtain the target detection result of the flow data. In this process, the first detection is performed based on the flow features of the flow data, and the flow data is then detected again through the Gini coefficient, which characterizes the degree of dispersion, and the significance level, which characterizes the overall degree of randomness, so that the detection accuracy and coverage of the flow data are improved.
Fig. 4 is a schematic structural diagram of a network flow detection device according to an embodiment of the present application. Referring to fig. 4, the apparatus includes: a flow data acquisition module 410, a parameter determination module 420, and a target detection result acquisition module 430; wherein:
the flow data acquisition module 410 is configured to acquire flow data to be detected, and perform feature extraction on the flow data to obtain flow features of the flow data;
the parameter determining module 420 is configured to perform first flow detection on the flow features based on a preset flow feature library, and to determine the significance level and the Gini coefficient of the flow data if the detection result of the first flow detection is an unknown type of flow;
the target detection result obtaining module 430 is configured to perform second flow detection on the flow data based on the significance level, the Gini coefficient and a preset detection algorithm, so as to obtain a target detection result of the flow data.
Optionally, the traffic data acquisition module 410 includes:
and the flow data acquisition sub-module is used for receiving the flow data packet acquired by the acquisition module and carrying out data preprocessing on the flow data packet to obtain flow data to be detected.
Optionally, the parameter determining module 420 includes:
The first detection result acquisition sub-module is used for acquiring a preset flow characteristic library, and comparing the flow characteristic with each storage characteristic in the flow characteristic library to obtain a detection result of first flow detection; the detection result comprises normal flow, abnormal flow and unknown flow.
Optionally, the parameter determining module 420 includes:
the vector sequence determining submodule is used for carrying out vectorization processing on the flow data to obtain a vector sequence of the flow data;
the system comprises a vector sequence, a vector coefficient determination submodule and a vector coefficient determination submodule, wherein the vector proportion of a first vector in the vector sequence is determined, and the vector coefficient of flow data is determined based on the vector proportion;
the significance level determination submodule is used for determining the number of subsequence bits of a preset subsequence in the vector sequence and determining the significance level of the flow data based on the vector proportion and the number of subsequence bits.
Optionally, the vector sequence determination submodule includes:
the sampling data packet obtaining unit is used for carrying out data sampling processing on the flow data to obtain a plurality of sampling data packets;
and the flow sequence determining unit is used for determining flow vectors corresponding to the sampling data packets respectively and determining a vector sequence of the flow data based on the flow vectors.
Optionally, the traffic sequence determining unit includes:
a payload determination subunit, configured to determine, for any one of the sampled data packets, a payload of the sampled data packet;
and the flow vector determining subunit is used for carrying out data vectorization processing on each effective load based on a preset load threshold value to obtain a flow vector corresponding to the sampled data packet.
Optionally, the target detection result obtaining module 430 includes:
the target detection result obtaining submodule is used for inputting the significance level and the Gini coefficient into the detection algorithm to obtain a target detection result of the flow data.
Fig. 5 is a schematic structural diagram of a server according to an embodiment of the present application. As shown in fig. 5, the server of the present embodiment may include:
at least one processor 501; and
a memory 502 communicatively coupled to the at least one processor;
wherein the memory 502 stores instructions executable by the at least one processor 501, the instructions being executable by the at least one processor 501 to cause the server to perform a method as in any one of the embodiments described above.
Alternatively, the memory 502 may be separate or integrated with the processor 501.
The implementation principle and technical effects of the server provided in this embodiment may be referred to the foregoing embodiments, and will not be described herein again.
The embodiment of the application also provides a computer readable storage medium, wherein computer executable instructions are stored in the computer readable storage medium, and when the processor executes the computer executable instructions, the method of any of the previous embodiments is realized.
Embodiments of the present application also provide a computer program product comprising a computer program which, when executed by a processor, implements the method of any of the preceding embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, e.g., the division of modules is merely a logical function division, and there may be additional divisions of actual implementation, e.g., multiple modules may be combined or integrated into another system, or some features may be omitted or not performed.
The integrated modules, which are implemented in the form of software functional modules, may be stored in a computer readable storage medium. The software functional modules described above are stored in a storage medium and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or processor to perform some of the steps of the methods of the various embodiments of the application.
It should be appreciated that the processor may be a central processing unit (Central Processing Unit, CPU for short), other general purpose processors, digital signal processor (Digital Signal Processor, DSP for short), application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in a processor for execution. The memory may comprise a high-speed RAM memory, and may further comprise a non-volatile memory NVM, such as at least one magnetic disk memory, and may also be a U-disk, a removable hard disk, a read-only memory, a magnetic disk or optical disk, etc.
The storage medium may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short). It is also possible that the processor and the storage medium reside as discrete components in a server or master device.
Fig. 6 is a block diagram of a server according to an embodiment of the present application. Referring to fig. 6, server 800 may include one or more of the following components: a processing component 802, a memory 804, a power component 806, a multimedia component 808, an audio component 810, an input/output (I/O) interface 812, a sensor component 814, and a communication component 816.
The processing component 802 generally controls overall operation of the server 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 802 may include one or more processors 820 to execute instructions to perform all or part of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interactions between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operations at the server 800. Examples of such data include instructions for any application or method operating on server 800, contact data, phonebook data, messages, pictures, video, and the like. The memory 804 may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The power supply component 806 provides power to the various components of the server 800. The power components 806 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the server 800.
The multimedia component 808 includes a screen between the server 800 and the user that provides an output interface. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or sliding action, but also the duration and pressure associated with the touch or sliding operation. In some embodiments, the multimedia component 808 includes a front camera and/or a rear camera. When the server 800 is in an operation mode, such as a photographing mode or a video mode, the front camera and/or the rear camera may receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the server 800 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may be further stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 further includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be a keyboard, click wheel, buttons, etc. These buttons may include, but are not limited to: homepage button, volume button, start button, and lock button.
The sensor assembly 814 includes one or more sensors for providing status assessment of various aspects for the server 800. For example, the sensor component 814 may detect an on/off state of the server 800, a relative positioning of components, such as a display and keypad of the server 800, the sensor component 814 may also detect a change in position of the server 800 or a component of the server 800, the presence or absence of a user's contact with the server 800, an orientation or acceleration/deceleration of the server 800, and a change in temperature of the server 800. The sensor assembly 814 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscopic sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate wired or wireless communication between the server 800 and other devices. The server 800 may access a wireless network based on a communication standard, such as WiFi, 2G, or 3G, or a combination thereof. In one exemplary embodiment, the communication component 816 receives broadcast signals or broadcast related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the server 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for executing the methods described above.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as memory 804 including instructions executable by processor 820 of server 800 to perform the above-described method. For example, the non-transitory computer readable storage medium may be ROM, Random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
A non-transitory computer readable storage medium, which when executed by a processor of a server, enables the server to perform the split screen processing method of the server described above.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A method for detecting network traffic, the method comprising:
acquiring flow data to be detected, and extracting features of the flow data to obtain flow features of the flow data;
performing first flow detection on the flow characteristics based on a preset flow characteristic library, and if the detection result of the first flow detection is unknown type flow, determining the significance level and the Gini coefficient of the flow data;
and performing second flow detection on the flow data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result of the flow data.
2. The method of claim 1, wherein the acquiring traffic data to be detected comprises:
and receiving the flow data packet captured by the acquisition module, and carrying out data preprocessing on the flow data packet to obtain the flow data to be detected.
3. The method of claim 1, wherein the performing a first flow detection on the flow characteristics based on a preset flow characteristics library comprises:
acquiring a preset flow characteristic library, and comparing the flow characteristics with all storage characteristics in the flow characteristic library to obtain a detection result of the first flow detection; the detection result comprises normal flow, abnormal flow and unknown flow.
4. The method of claim 1, wherein said determining a significance level and a Gini coefficient of said traffic data comprises:
vectorizing the flow data to obtain a vector sequence of the flow data;
determining a vector proportion of a first vector in the vector sequence, and determining a Gini coefficient of the flow data based on the vector proportion;
and determining the number of subsequence bits of a preset subsequence in the vector sequence, and determining the significance level of the flow data based on the vector proportion and the number of subsequence bits.
5. The method of claim 4, wherein the vectorizing the traffic data to obtain the vector sequence of the traffic data comprises:
performing data sampling processing on the flow data to obtain a plurality of sampled data packets;
and determining flow vectors corresponding to the sampling data packets respectively, and determining a vector sequence of the flow data based on the flow vectors.
6. The method of claim 5, wherein determining a traffic vector for each of the sampled data packets comprises:
For any one of the sampled data packets, determining the payload of the sampled data packet;
and carrying out data vectorization processing on each payload based on a preset load threshold value to obtain a flow vector corresponding to the sampling data packet.
7. The method according to claim 1, wherein the performing the second flow detection on the flow data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result of the flow data includes:
and inputting the significance level and the Gini coefficient into the detection algorithm to obtain a target detection result of the flow data.
8. A network traffic detection apparatus, the apparatus comprising:
the flow data acquisition module is used for acquiring flow data to be detected, and extracting characteristics of the flow data to obtain flow characteristics of the flow data;
the parameter determining module is used for performing first flow detection on the flow characteristics according to a preset flow characteristic library, and determining the significance level and the Gini coefficient of the flow data if the detection result of the first flow detection is an unknown type flow;
the target detection result obtaining module is used for carrying out second flow detection on the flow data based on the significance level, the Gini coefficient and a preset detection algorithm to obtain a target detection result of the flow data.
9. A server, comprising:
a processor and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor, when executing the computer-executable instructions, is configured to implement the network traffic detection method according to any one of claims 1 to 7.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to implement the network traffic detection method according to any of claims 1 to 7.
CN202310822448.0A 2023-07-05 2023-07-05 Network traffic detection method, device, server and storage medium Pending CN116915453A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310822448.0A CN116915453A (en) 2023-07-05 2023-07-05 Network traffic detection method, device, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310822448.0A CN116915453A (en) 2023-07-05 2023-07-05 Network traffic detection method, device, server and storage medium

Publications (1)

Publication Number Publication Date
CN116915453A true CN116915453A (en) 2023-10-20

Family

ID=88367588

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310822448.0A Pending CN116915453A (en) 2023-07-05 2023-07-05 Network traffic detection method, device, server and storage medium

Country Status (1)

Country Link
CN (1) CN116915453A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination