CN117640232A - Abnormal flow monitoring method and device based on access network and electronic equipment - Google Patents

Info

Publication number: CN117640232A
Authority: CN (China)
Prior art keywords: information, network, abnormal, access, flow
Legal status: Pending
Application number: CN202311675593.7A
Other languages: Chinese (zh)
Inventors: 段禹心, 王立波
Current assignee: Agricultural Bank of China
Original assignee: Agricultural Bank of China
Application filed by: Agricultural Bank of China
Priority to: CN202311675593.7A

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses an abnormal traffic monitoring method, apparatus, electronic device and storage medium based on an access network. The method comprises the following steps: acquiring a target data packet corresponding to the traffic to be detected in the network to be detected, and parsing the target data packet to obtain network attribute information of the traffic to be detected; inputting the network attribute information into an abnormal traffic identification model, wherein the abnormal traffic identification model is trained according to an access right information table and historical traffic information, and the access right information table is determined based on the access right information of all switch ports in the network to be tested; and determining abnormal data packets in the traffic to be detected according to the abnormal traffic identification model. Because the abnormal traffic identification model is trained according to the access right information table and the historical traffic information, the trained model can identify and detect abnormal data packets, so that abnormal traffic is identified, effective protection is provided for secure access to data, and the security of data access between network addresses is further improved.

Description

Abnormal flow monitoring method and device based on access network and electronic equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for monitoring abnormal traffic based on an access network, an electronic device, and a storage medium.
Background
With the development of information technology and network technology, network security has become closely and inseparably tied to people's lives; how to ensure network security and the security of data is a problem that urgently needs to be solved.
Traditional network security solutions generally limit the protection object to a more critical computing resource node, or a set of such nodes, in the target network, and protect that node by taking it as the core and establishing a firewall or access control permissions around it.
However, this kind of network security protection can only protect some local networks and cannot identify and prevent potential network problems.
Disclosure of Invention
The invention provides an abnormal traffic monitoring method, apparatus, electronic device and storage medium based on an access network, which are used to solve the problem in the prior art that potential network security risks cannot be identified and prevented.
According to an aspect of the present invention, there is provided an abnormal traffic monitoring method based on an access network, including:
acquiring a target data packet corresponding to the traffic to be detected in the network to be detected, and parsing the target data packet to obtain network attribute information of the traffic to be detected;
inputting the network attribute information into an abnormal traffic identification model, wherein the abnormal traffic identification model is trained according to an access right information table and historical traffic information, and the access right information table is determined based on the access right information of all switch ports in the network to be tested;
and determining abnormal data packets in the traffic to be detected according to the abnormal traffic identification model.
According to another aspect of the present invention, there is provided an abnormal traffic monitoring apparatus based on an access network, including:
a network attribute information acquisition module, configured to acquire a target data packet corresponding to the traffic to be detected in the network to be detected, and to parse the target data packet to obtain network attribute information of the traffic to be detected;
a network attribute information input module, configured to input the network attribute information into an abnormal traffic identification model, wherein the abnormal traffic identification model is trained according to an access right information table and historical traffic information, and the access right information table is determined based on the access right information of each switch port in the network to be tested;
and an abnormal data packet determining module, configured to determine abnormal data packets in the traffic to be detected according to the abnormal traffic identification model.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the access network-based abnormal traffic monitoring method of any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the abnormal traffic monitoring method based on an access network according to any embodiment of the present invention when executed.
According to the technical scheme of the invention, the abnormal traffic identification model is trained according to the access right information table and the historical traffic information, so that the trained model can identify and detect abnormal data packets; abnormal traffic is thereby identified, the secure transmission of network data is ensured, effective protection is provided for secure access to data, and the security of data access is improved.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an abnormal traffic monitoring method based on an access network according to a first embodiment of the present invention;
Fig. 2 is a flowchart of another abnormal traffic monitoring method based on an access network according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an abnormal traffic monitoring apparatus based on an access network according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device implementing an abnormal traffic monitoring method based on an access network according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of an abnormal traffic monitoring method based on an access network according to an embodiment of the present invention. The method may be performed by an access-network-based abnormal traffic monitoring apparatus, which may be implemented in hardware and/or software and configured in an electronic device. As shown in Fig. 1, the method includes:
S110, obtaining a target data packet corresponding to the traffic to be detected in the network to be detected, and parsing the target data packet to obtain network attribute information of the traffic to be detected.
The target data packet may be the carrier that transmits data from a source node to a target node in network communication, and it includes control information for the data to be transmitted. The network attribute information of the traffic to be detected may be characteristic information of that traffic in network transmission, including source address information, access port number information, destination port information, destination address information, and the like. The network attribute information can be used to describe and identify the network traffic and helps to monitor and identify abnormal traffic.
Specifically, the target data packet corresponding to the traffic to be detected in the network to be detected may be captured with a network sniffer or a traffic capture tool, and the target data packet is then parsed to obtain the network attribute information of the traffic to be detected, for example source address information, access port number information, destination port information and destination address information. Obtaining the network attribute information by preprocessing the target data packet in this way reduces the amount of data that must be processed during network traffic analysis and provides a data basis for abnormal traffic identification.
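Parsing a captured frame into the network attribute information described in S110 (source and destination address, transport ports and, since the scheme is built around VLANs, the 802.1Q VLAN ID), as an added example that is not part of the patent; the frame it parses is constructed inside the block, not a real capture.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class NetworkAttributes:
    """Network attribute information extracted from one captured frame."""
    source_address: str
    destination_address: str
    protocol: int
    source_port: Optional[int]
    destination_port: Optional[int]
    vlan_id: Optional[int]        # 802.1Q VLAN ID if the frame carried a tag


def parse_frame(frame: bytes) -> NetworkAttributes:
    """Parse Ethernet [+ 802.1Q] / IPv4 / TCP|UDP headers from a raw frame.

    Header checksums are not validated here; a capture tool normally does that."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        # Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x} (only IPv4 handled here)")
    ip = frame[offset:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    protocol = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    sport = dport = None
    if protocol in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        # Both TCP and UDP start with 16-bit source and destination ports
        sport, dport = struct.unpack("!HH", l4[:4])
    return NetworkAttributes(src, dst, protocol, sport, dport, vlan_id)


def build_sample_frame(tagged: bool = True) -> bytes:
    """Construct a hypothetical IPv4/TCP SYN frame 10.1.20.15:51234 -> 10.200.5.8:443,
    optionally tagged with VLAN 20 (constructed test data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC
    if tagged:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, 20)  # PCP/DEI 0, VLAN ID 20
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                       PROTO_TCP, 0, bytes([10, 1, 20, 15]), bytes([10, 200, 5, 8]))
    return eth + ipv4 + tcp


if __name__ == "__main__":
    print(parse_frame(build_sample_frame()))
```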
S120, inputting network attribute information into an abnormal flow identification model, wherein the abnormal flow identification model is trained according to an access right information table and historical flow information, and the access right information table is determined based on access right information of all switch ports in the network to be tested.
The abnormal traffic identification model may be a model for identifying abnormal traffic within network traffic; it may be trained according to an access right information table and historical traffic information, and the access right information table may be determined based on the access right information of all switch ports in the network to be tested. The access right information includes the configuration information of each switch port in the network to be tested and the address information contained in the virtual local area network (VLAN) corresponding to each switch port. The access right information table may be a data table for recording and managing the access rights of network resources; it stores information about users and their access rights, together with data related to the access control policies.
Specifically, training an abnormal flow identification model according to the access right information table and the historical flow information, including:
generating an access right information table of the network to be tested according to the access right information of each switch port in the network to be tested;
and inputting the access right information table and the historical flow data of the network to be tested into the abnormal flow identification model, and training the abnormal flow identification model, wherein the historical flow data comprises normal flow data and abnormal flow data.
Specifically, the method for generating the access right information table of the network to be tested according to the access right information of each switch port in the network to be tested comprises the following steps:
acquiring configuration information of a first switch port, wherein the configuration information of the first switch port is used for representing a mapping relation between port information and VLAN information of an access layer switch;
acquiring configuration information of a second switch port, wherein the configuration information of the second switch port is used for representing the mapping relation between port information and VLAN information of a convergence layer switch and a core layer switch and the mapping relation between VLAN information corresponding to the convergence layer switch and the core layer switch and the first switch port;
and generating an access right information table of the network to be tested according to the configuration information of the first switch port, the configuration information of the second switch port and the IP address information contained in each VLAN in the network to be tested.
The configuration information of the first switch port and of the second switch port is obtained using the Link Layer Discovery Protocol (LLDP). LLDP is a link-layer discovery protocol that enables a network device to periodically advertise its own device information to its neighbouring devices and to receive the information sent by other devices. Through LLDP, network devices can discover each other, obtain detailed device information about the peer, such as device name, port name and IP address, and from this build their own neighbour list and the local network topology.
Specifically, collecting configuration information of an access layer switch port includes:
acquiring first VLAN configuration information and first ACL configuration information of a first switch port in a network to be tested;
and determining the configuration information of the first switch port according to the first VLAN configuration information and the first ACL configuration information.
The first VLAN configuration information may be the VLAN configuration information of the access layer switch. A VLAN (Virtual Local Area Network) is a technology that divides a physical network by software into several logical networks. By obtaining the VLAN configuration information of the access layer switch, it can be determined which VLANs the access layer switch manages and which broadcast domain each VLAN operates. The broadcast domains of different VLANs are isolated from each other, so VLAN technology can convert one physical network into several virtual networks and achieve logical isolation between different user groups.
The first ACL configuration information may be the ACL (Access Control List) configuration information of the access layer switch. An access control list is a network security technology: by setting ACL rules on the interfaces of the access layer routers or switches, the data packets flowing through those interfaces can be filtered, realizing control over access to network resources.
Specifically, the configuration information of the first switch port is determined from the first VLAN configuration information and the first ACL configuration information as follows: the VLAN configuration information of each port, including the port's VLAN ID and VLAN name, is collected on the access layer switch, and the VLAN managed by each port is determined from it. The first ACL configuration information, including the ACL rules and filtering conditions, is then obtained and used to determine which data packets need to be filtered or controlled. Together these determine the configuration information of the first switch port, from which the mapping relation between the port information and the VLAN information of the access layer switch is determined.
Specifically, collecting configuration information of the convergence layer and core layer switch ports includes:
acquiring second VLAN configuration information, second ACL configuration information and firewall information of a second switch port in the network to be tested;
and determining the configuration information of the second switch port according to the second VLAN configuration information, the second ACL configuration information and the firewall information.
The second VLAN configuration information may be the VLAN configuration information of the convergence layer and core layer switches. As above, a VLAN is a technology that divides a physical network by software into several logical networks. By obtaining the VLAN configuration information of the convergence layer and core layer switches, it can be determined which VLANs those switches manage and which broadcast domain each VLAN operates.
The second ACL configuration information may be the ACL (Access Control List) configuration information of the convergence layer and core layer switches, that is, the access control lists of those switches. By setting ACL rules on the interfaces of the convergence layer and core layer routers or switches, the data packets flowing through those interfaces can be filtered, realizing control over access to network resources.
The firewall information may be access control information applied at the network boundary, for example: allow device A to access address 1 and address 2; forbid device B from accessing address 1 and address 3. The firewall information is used to control access from external networks to the internal resources of the data center; firewalls are deployed between different security domains to perform access control.
Specifically, the configuration information of the second switch port is determined from the second VLAN configuration information, the second ACL configuration information and the firewall information as follows: the VLAN configuration information of each port, including the port's VLAN ID and VLAN name, is collected on the convergence layer and core layer switches, and the VLAN managed by each convergence layer and core layer switch port is determined from it. The second ACL configuration information and the firewall information, including the ACL rules, the filtering conditions, and which devices and addresses are allowed to access which addresses and devices, are then obtained and used to determine which data packets need to be filtered or controlled. Together these determine the configuration information of the second switch port, from which the mapping relation between the port information and the VLAN information of the convergence layer and core layer switches, and the mapping relation between the VLAN information of those switches and the first switch port, are determined.
Specifically, generating an access right information table of the network to be tested according to the configuration information of the first switch port, the configuration information of the second switch port and the IP address information contained in each VLAN in the network to be tested, including:
generating a VLAN mapping relation table of the network to be tested according to the configuration information of the first switch port and the configuration information of the second switch port;
acquiring data table information configured on each switch in a network to be tested, and determining service access range information and user address distribution information of each VLAN according to the data table information, wherein the data table information comprises IP address information contained in each VLAN in the network to be tested;
and determining an access right information table of the network to be tested according to the VLAN mapping relation table of the network to be tested, the service access range information of each VLAN and the user address distribution information.
Specifically, the VLAN mapping relation table of the network to be tested is generated from the configuration information of the first switch port and the configuration information of the second switch port as follows: the mapping relation between port information and VLAN information of the access layer switch is determined from the configuration information of the first switch port; the mapping relation between port information and VLAN information of the convergence layer and core layer switches, and the mapping relation between the VLAN information of those switches and the first switch port, are determined from the configuration information of the second switch port; and the VLAN mapping relation table of the network to be tested is then generated from these mapping relations, from the access layer up to the VLANs of the convergence layer and the core layer. The VLAN mapping relation table characterizes how the VLAN accessed by a user is carried and extended through the three-layer network, so that the total interface range of each VLAN can be determined.
Specifically, the data table information configured on each switch in the network to be tested is collected and the service access range information and the user address distribution information of each VLAN are determined from it: the IP address and subnet mask of the internal interface of each VLAN are collected, the IP address range of each VLAN is calculated, and the IP network segment in which each VLAN is located is determined. By analyzing the ARP table, MAC address table, routing table and other information of the switch, the main IP addresses and MAC addresses corresponding to each VLAN are determined, and from these the main service access range and user address distribution of each VLAN. Here the ARP table records the mapping between IP addresses and MAC addresses; the MAC address table records the mapping between device MAC addresses and switch ports; and the routing table records the routing information of the network.
Specifically, the access right information table of the network to be tested is determined from the VLAN mapping relation table, the service access range information of each VLAN and the user address distribution information as follows. Once the mapping relation of the VLANs managed by the switch ports of each layer, and the service access range of each VLAN that a user reaches when accessing that VLAN from the access layer, are obtained, it can be determined which interfaces and address ranges at the convergence layer and the core layer can be accessed and used when different users, connecting to the access layer switch from different source addresses, access a specific VLAN. From this it can be determined which destination port information and destination address information a user can access from given source address information and access port number information, and the access right information table of the network to be tested is generated from these relations. The access right information table thus records, for each combination of source address information and access port number information, all destination port information and destination address information that the user can access.
Specifically, when the access right information table and the historical traffic data of the network to be tested are input into the abnormal traffic identification model and the model is trained, the collected historical traffic data may first be cleaned to ensure its usability; the abnormal traffic data in the historical traffic data are then labelled as positive samples and the normal traffic data as negative samples. The specific labelling method can be set as required. Relevant features, such as which destination port information and destination address information can be accessed from given source address information and access port number information, are extracted from the access right information table of the network to be tested, the extracted features are input into the abnormal traffic identification model, and the model is trained using the labelled data and the features. After training is completed, a test data set may be input into the abnormal traffic identification model to evaluate its performance, and the model may be optimized and adjusted according to the evaluation result.
Specifically, inputting the network attribute information into the abnormal traffic identification model means that the network attribute information of the traffic to be detected, obtained by parsing the target data packet, is input into the trained abnormal traffic identification model, so that the model identifies abnormal data packets in the traffic to be detected.
S130, determining an abnormal data packet in the flow to be detected according to the abnormal flow identification model.
Specifically, determining the abnormal data packet in the traffic to be detected according to the abnormal traffic identification model may consist of the model detecting and identifying the input network attribute information of the traffic to be detected, and determining the abnormal data packet according to the identification result.
According to this embodiment, the target data packet corresponding to the traffic to be detected in the network to be detected is preprocessed to obtain the network attribute information of the traffic to be detected, which reduces the amount of data to be processed in network traffic analysis; an abnormal traffic identification model is trained according to the access right information table and the historical traffic information, so that the trained model can identify and detect abnormal data packets in the traffic of the network to be detected. Abnormal traffic in the network to be detected can thus be accurately detected, effective protection is provided for secure data access, and the security of data access between network addresses is further improved.
Example 2
Fig. 2 is a flowchart of an abnormal traffic monitoring method based on an access network according to a second embodiment of the present invention. On the basis of the foregoing embodiment, the step of determining abnormal data packets in the traffic to be detected according to the abnormal traffic identification model is refined, and the network attribute information includes source address information, access port number information, destination port information and destination address information. As shown in Fig. 2, the method includes:
S210, obtaining a target data packet corresponding to the flow to be detected in the network to be detected, and analyzing the target data packet to obtain network attribute information of the flow to be detected.
S220, inputting network attribute information into an abnormal flow identification model, wherein the abnormal flow identification model is trained according to an access right information table and historical flow information, and the access right information table is determined based on access right information of all switch ports in the network to be tested.
S230, for each target data packet in the flow to be detected, determining whether the target data packet is an abnormal data packet or not through an abnormal flow identification model based on source address information, access port information, destination port information and destination address information corresponding to the target data packet.
The source address information may be the network address of the computer or device that sends the data packet, for example the IP address used when a user accesses data. The access port information refers to the port through which the data packet enters or leaves the network device, for example the switch port information of the access layer. The destination port information refers to the port through which the data packet reaches the destination computer or device receiving its data, and illustratively may be switch port information of the convergence layer and the core layer. The destination address information may be the network address of the destination computer or device receiving the data of the data packet; in an IP network this is typically an IP address, such as the IP address the user wants to access.
Specifically, for each target data packet in the flow to be detected, the source address information, access port information, destination port information and destination address information of the flow to be detected can be obtained by preprocessing and analyzing the target data packet. The abnormal flow identification model then judges, based on the source address information, the access port information, the destination port information and the destination address information corresponding to the target data packet, whether the target data packet is abnormal: if it is detected that the source address information and the access port number information contained in the data packet cannot access the destination port information and the destination address information contained in the target data packet, the target data packet is determined to be an abnormal data packet.
Optionally, after determining whether the target data packet is an abnormal data packet based on the source address information, the access port information, the destination port information and the destination address information corresponding to the target data packet through the abnormal traffic identification model, the method further includes:
if the target data packet is detected to be an abnormal data packet, generating corresponding alarm information according to the abnormal grade of the abnormal data packet information;
and sending the alarm information to an alarm center, and sending an alarm signal of a corresponding grade by the alarm center according to the alarm grade.
Specifically, corresponding alarm information is generated according to the abnormal grade of the abnormal data packet information, the alarm information is sent to an alarm center, and the alarm center sends out an alarm signal of the corresponding grade according to the alarm grade. That is, once a data packet has been monitored and found to be abnormal, the corresponding alarm information can be generated according to its abnormal grade. The alarm information may include detailed information of the abnormal data packet, such as time, source, destination, abnormal type, etc. The alarm information is then sent to an alarm center; after receiving it, the alarm center sends out alarm signals of the corresponding grade according to preset alarm grades and the corresponding processing strategies. The processing strategy may be sending a notification such as an email, an SMS or a phone call, or displaying a warning on a monitor screen. Thus, after receiving the alarm signal, staff can respond and process it according to a preset response strategy, such as log recording, isolation of the abnormal source, and the like.
In this embodiment, the analyzed target data packet, that is, the source address information, the access port information, the destination port information and the destination address information of the traffic to be detected, is input into the abnormal traffic identification model. If it is detected that the source address information and the access port number information contained in the data packet cannot access the destination port information and the destination address information contained in the target data packet, the target data packet is determined to be an abnormal data packet; abnormal data packets are thereby determined quickly. After the abnormal flow information is determined, corresponding alarm information is generated according to the abnormal grade of the abnormal data packet information, the alarm information is sent to an alarm center, and the alarm center sends out alarm signals of the corresponding grade according to the alarm grade. Abnormal flow in the network to be detected can thus be detected accurately, effective protection is provided for secure data access, the security of data access among network addresses is further improved, and the administrator is guaranteed to learn of abnormal conditions in the network in time and to perform the corresponding processing.
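The detection step S230 and the optional alarm steps above, written out as an added Python example; this is not code from the patent. The layout of the access right information table (per access port: the address prefixes of its VLAN and the reachable destination prefix/port pairs), the three abnormal grades and the alarm-center policy are assumptions made for illustration; the patent fixes only the four packet attributes and the rule that a source/access-port pair which cannot reach the destination address/port marks the packet abnormal. The table and the traffic are constructed sample data.

```python
"""Rule check of embodiment two driven by an access right information table.

Added example, not code from patent CN117640232A. Table layout, grades and
alarm policy are assumptions; the packet attributes are the patent's four.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: str           # capture time, kept for the alarm record
    src_ip: str       # source address information
    access_port: str  # access-layer switch port the packet entered on
    dst_ip: str       # destination address information
    dst_port: int     # destination port information


@dataclass(frozen=True)
class PortRights:
    """One row of the (assumed) access right information table."""
    user_prefixes: Tuple[IPv4Network, ...]         # addresses of the port's VLAN
    services: Tuple[Tuple[IPv4Network, int], ...]  # reachable (prefix, port) pairs


# Constructed sample table: two access ports, each bound to one user VLAN.
ACCESS_RIGHTS: Dict[str, PortRights] = {
    "sw-acc-1/0/1": PortRights(
        (ip_network("10.10.1.0/24"),),
        ((ip_network("10.200.0.0/24"), 443), (ip_network("10.200.1.0/24"), 3306)),
    ),
    "sw-acc-1/0/2": PortRights(
        (ip_network("10.10.2.0/24"),),
        ((ip_network("10.200.0.0/24"), 443),),
    ),
}

# Assumed grading: 1 = port unknown to the table (likely configuration drift),
# 2 = destination not permitted for this source/port, 3 = source address
# outside the port's VLAN (address spoofing or a mis-patched port).
GRADE_NORMAL, GRADE_LOW, GRADE_MEDIUM, GRADE_HIGH = 0, 1, 2, 3


def classify(pkt: Packet, rights: Dict[str, PortRights] = ACCESS_RIGHTS) -> Tuple[int, str]:
    """Return (abnormal grade, reason); grade 0 means the packet is normal."""
    entry = rights.get(pkt.access_port)
    if entry is None:
        return GRADE_LOW, "access port not present in access right table"
    if not any(ip_address(pkt.src_ip) in p for p in entry.user_prefixes):
        return GRADE_HIGH, "source address not in the VLAN bound to the access port"
    dst = ip_address(pkt.dst_ip)
    if not any(dst in net and pkt.dst_port == port for net, port in entry.services):
        return GRADE_MEDIUM, "destination address/port not reachable from this source and port"
    return GRADE_NORMAL, "permitted"


@dataclass
class AlarmCenter:
    """Receives alarm records and emits a signal matching the alarm grade."""
    log: List[str] = field(default_factory=list)
    notified: List[str] = field(default_factory=list)

    def receive(self, pkt: Packet, grade: int, reason: str) -> str:
        record = (f"{pkt.ts} grade={grade} src={pkt.src_ip} port={pkt.access_port} "
                  f"dst={pkt.dst_ip}:{pkt.dst_port} type={reason}")
        self.log.append(record)            # every alarm is recorded
        if grade >= GRADE_MEDIUM:          # assumed policy: medium and high page on-call staff
            self.notified.append(record)
            return "page"
        return "log"


def monitor(packets: List[Packet], center: AlarmCenter,
            rights: Dict[str, PortRights] = ACCESS_RIGHTS) -> List[Tuple[Packet, int, str]]:
    """Classify each packet and forward the abnormal ones to the alarm center."""
    abnormal = []
    for pkt in packets:
        grade, reason = classify(pkt, rights)
        if grade != GRADE_NORMAL:
            center.receive(pkt, grade, reason)
            abnormal.append((pkt, grade, reason))
    return abnormal


# Constructed sample traffic: one normal packet and one of each abnormal grade.
SAMPLE = [
    Packet("2023-12-07T10:00:01", "10.10.1.25", "sw-acc-1/0/1", "10.200.0.10", 443),
    Packet("2023-12-07T10:00:02", "10.10.1.25", "sw-acc-1/0/1", "10.200.1.7", 22),
    Packet("2023-12-07T10:00:03", "10.10.2.9", "sw-acc-1/0/1", "10.200.0.10", 443),
    Packet("2023-12-07T10:00:04", "10.10.3.4", "sw-acc-1/0/9", "10.200.0.10", 443),
]

if __name__ == "__main__":
    center = AlarmCenter()
    for pkt, grade, reason in monitor(SAMPLE, center):
        print(grade, pkt.src_ip, "->", f"{pkt.dst_ip}:{pkt.dst_port}", reason)
    print(len(center.notified), "notification(s) sent")
```

The check is deliberately deterministic: a packet is abnormal when its source/port pair is not authorised for its destination, exactly the condition the embodiment states, so every alarm can be traced back to the table row that rejected it. The per-grade split lets operators route a port missing from the table (likely configuration drift) to a log review while paging on address spoofing or an unauthorised service access.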
Example III
Fig. 3 is a schematic structural diagram of an abnormal traffic monitoring device based on an access network according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes: a network attribute information acquisition module 31, a network attribute information input module 32, and an abnormal packet determination module 33.
The network attribute information acquisition module 31 is configured to obtain a target data packet corresponding to a flow to be detected in a network to be detected, and to analyze the target data packet to obtain network attribute information of the flow to be detected;
the network attribute information input module 32 is configured to input the network attribute information into an abnormal flow identification model, wherein the abnormal flow identification model is trained according to an access right information table and historical flow information, and the access right information table is determined based on access right information of all switch ports in the network to be tested;
the abnormal packet determination module 33 is configured to determine the abnormal data packet in the flow to be detected according to the abnormal flow identification model.
Wherein the network attribute information includes: source address information, access port number information, destination port information, and destination address information.
Further, the abnormal data packet determining module 33 is specifically configured to:
for each target data packet in the flow to be detected, determining whether the target data packet is an abnormal data packet or not through an abnormal flow identification model based on source address information, access port information, destination port information and destination address information corresponding to the target data packet.
Further, the abnormal traffic monitoring device based on the access network further comprises:
the abnormal flow identification model training module is used for generating an access right information table of the network to be tested according to the access right information of each switch port in the network to be tested;
and inputting the access right information table and the historical flow data of the network to be tested into the abnormal flow identification model, and training the abnormal flow identification model, wherein the historical flow data comprises normal flow data and abnormal flow data.
The access authority information comprises configuration information of each switch port in the network to be tested and address information contained in a virtual local area network VLAN corresponding to each switch port.
Further, the abnormal traffic monitoring device based on the access network further comprises:
the access right information table generation module is configured to: acquire configuration information of a first switch port, wherein the configuration information of the first switch port is used for representing a mapping relation between port information and VLAN information of an access layer switch;
acquiring configuration information of a second switch port, wherein the configuration information of the second switch port is used for representing the mapping relation between port information and VLAN information of a convergence layer switch and a core layer switch and the mapping relation between VLAN information corresponding to the convergence layer switch and the core layer switch and the first switch port;
and generating an access right information table of the network to be tested according to the configuration information of the first switch port, the configuration information of the second switch port and the IP address information contained in each VLAN in the network to be tested.
Further, the access right information table generating module is specifically configured to:
acquiring first VLAN configuration information and first ACL configuration information of a first switch port in a network to be tested;
and determining the configuration information of the first switch port according to the first VLAN configuration information and the first ACL configuration information.
Further, the access right information table generating module is specifically configured to:
acquiring second VLAN configuration information, second ACL configuration information and firewall information of a second switch port in the network to be tested;
and determining the configuration information of the second switch port according to the second VLAN configuration information, the second ACL configuration information and the firewall information.
Further, the access right information table generating module is specifically configured to:
generating a VLAN mapping relation table of the network to be tested according to the configuration information of the first switch port and the configuration information of the second switch port;
collecting data table information configured on each switch in a network to be tested, and determining service access range information and user address distribution information of each VLAN according to the data table information, wherein the data table information comprises IP address information contained in each VLAN in the network to be tested;
and determining an access right information table of the network to be tested according to the VLAN mapping relation table of the network to be tested, the service access range information of each VLAN and the user address distribution information.
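The access right information table generation module described above (first switch port configuration from VLAN and ACL configuration, second switch port configuration from VLAN, ACL and firewall configuration, the VLAN mapping relation table, and the per-VLAN service access range and user address distribution), carried through as an added Python example; this is not code from the patent. The record shapes of the configuration inputs, the deny-wins merging of ACL and firewall rules, and the field names are assumptions; the sample configuration is constructed. It also handles the case the text does not spell out: an access port whose VLAN no convergence or core trunk carries, which is left with an empty service range and reported separately.

```python
"""Access right information table generation for the device embodiment.

Added example, not code from patent CN117640232A. Configuration record
shapes, the deny-wins rule merging and field names are assumptions.
"""
from ipaddress import ip_network
from typing import Dict, List, NamedTuple, Set, Tuple


class AclRule(NamedTuple):
    src_vlan: int     # user VLAN the rule applies to
    dst_prefix: str   # destination network
    dst_port: int     # destination service port
    action: str       # "permit" or "deny"


# --- constructed sample configuration -------------------------------------
# First switch ports (access layer): port -> VLAN, from the VLAN configuration.
FIRST_SWITCH_PORTS: Dict[str, int] = {
    "sw-acc-1/0/1": 10, "sw-acc-1/0/2": 20, "sw-acc-1/0/3": 30,
}
FIRST_ACL = [AclRule(10, "10.200.1.0/24", 3306, "permit")]

# Second switch ports (convergence/core layer): trunk port -> VLANs carried.
SECOND_SWITCH_PORTS: Dict[str, List[int]] = {"sw-core-1/0/48": [10, 20]}
SECOND_ACL = [
    AclRule(10, "10.200.0.0/24", 443, "permit"),
    AclRule(20, "10.200.0.0/24", 443, "permit"),
    AclRule(20, "10.200.1.0/24", 3306, "deny"),
]
FIREWALL = [
    AclRule(10, "10.200.1.0/24", 3306, "permit"),
    AclRule(20, "0.0.0.0/0", 3306, "deny"),
]
# Data table information configured on the switches: VLAN -> address blocks.
VLAN_ADDRESSES: Dict[int, List[str]] = {
    10: ["10.10.1.0/24"], 20: ["10.10.2.0/24"], 30: ["10.10.3.0/24"],
}


def build_vlan_mapping(first: Dict[str, int],
                       second: Dict[str, List[int]]) -> Dict[str, Tuple[int, List[str]]]:
    """VLAN mapping relation table: access port -> (VLAN, upstream ports carrying it)."""
    carriers: Dict[int, List[str]] = {}
    for core_port, vlans in second.items():
        for vlan in vlans:
            carriers.setdefault(vlan, []).append(core_port)
    return {port: (vlan, sorted(carriers.get(vlan, []))) for port, vlan in first.items()}


def service_access_range(vlan: int, *rule_sets: List[AclRule]) -> Set[Tuple[str, int]]:
    """Services a VLAN may reach: anything some layer permits, minus anything
    any layer denies (deny-wins merging across ACL and firewall is assumed)."""
    permitted = {(r.dst_prefix, r.dst_port)
                 for rules in rule_sets for r in rules
                 if r.src_vlan == vlan and r.action == "permit"}
    denies = [r for rules in rule_sets for r in rules
              if r.src_vlan == vlan and r.action == "deny"]

    def denied(prefix: str, port: int) -> bool:
        return any(d.dst_port == port and
                   ip_network(prefix).subnet_of(ip_network(d.dst_prefix))
                   for d in denies)

    return {svc for svc in permitted if not denied(*svc)}


def build_access_rights(first=FIRST_SWITCH_PORTS, second=SECOND_SWITCH_PORTS,
                        vlan_addresses=VLAN_ADDRESSES,
                        rule_sets=(FIRST_ACL, SECOND_ACL, FIREWALL)) -> Dict[str, dict]:
    """Access right information table keyed by access-layer switch port."""
    table: Dict[str, dict] = {}
    for port, (vlan, core_ports) in build_vlan_mapping(first, second).items():
        table[port] = {
            "vlan": vlan,
            "core_ports": core_ports,
            "user_prefixes": sorted(vlan_addresses.get(vlan, [])),  # user address distribution
            # A VLAN no trunk carries cannot reach any service, whatever the ACLs say.
            "services": service_access_range(vlan, *rule_sets) if core_ports else set(),
        }
    return table


def unmapped_ports(table: Dict[str, dict]) -> List[str]:
    """Access ports whose VLAN is not carried upstream; worth an operator's review."""
    return sorted(port for port, row in table.items() if not row["core_ports"])


if __name__ == "__main__":
    rights = build_access_rights()
    for port, row in rights.items():
        print(port, row["vlan"], row["user_prefixes"], sorted(row["services"]))
    print("unmapped:", unmapped_ports(rights))
```

Keying the table by access port rather than by VLAN is what lets the detection step compare a packet's ingress port against its source address: the user address distribution says which addresses should appear on that port, and the service access range says where they may go. The deny-wins merge is a conservative assumption; a real deployment would reproduce the actual evaluation order of its ACLs and firewall policy.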
The abnormal flow monitoring device based on the access network provided by the embodiment of the invention can execute the abnormal flow monitoring method based on the access network provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example IV
Fig. 4 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital processing devices, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the access network based abnormal traffic monitoring method.
In some embodiments, the access network-based abnormal traffic monitoring method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more of the steps of the access network based abnormal traffic monitoring method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the access network based abnormal traffic monitoring method in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. An abnormal traffic monitoring method based on an access network, which is characterized by comprising the following steps:
acquiring a target data packet corresponding to a flow to be detected in a network to be detected, and analyzing the target data packet to obtain network attribute information of the flow to be detected;
inputting the network attribute information into an abnormal flow identification model, wherein the abnormal flow identification model is trained according to an access right information table and historical flow information, and the access right information table is determined based on access right information of all switch ports in the network to be tested;
and determining an abnormal data packet in the flow to be detected according to the abnormal flow identification model.
2. The method of claim 1, wherein training the abnormal traffic identification model based on the access rights information table and the historical traffic information comprises:
generating an access right information table of the network to be tested according to the access right information of each switch port in the network to be tested;
and inputting the access right information table and the historical flow data of the network to be tested into an abnormal flow identification model, and training the abnormal flow identification model, wherein the historical flow data comprises normal flow data and abnormal flow data.
3. The method according to claim 2, wherein the access right information includes configuration information of each switch port in the network to be tested and address information contained in a virtual local area network VLAN corresponding to each switch port;
the generating the access right information table of the network to be tested according to the access right information of each switch port in the network to be tested includes:
acquiring configuration information of a first switch port, wherein the configuration information of the first switch port is used for representing a mapping relation between port information and VLAN information of an access layer switch;
acquiring configuration information of a second switch port, wherein the configuration information of the second switch port is used for representing the mapping relation between port information and VLAN information of a convergence layer switch and a core layer switch and the mapping relation between VLAN information corresponding to the convergence layer switch and the core layer switch and the first switch port;
and generating an access right information table of the network to be tested according to the configuration information of the first switch port, the configuration information of the second switch port and the IP address information contained in each VLAN in the network to be tested.
4. The method of claim 3, wherein the acquiring configuration information of the access layer switch port comprises:
acquiring first VLAN configuration information and first ACL configuration information of a first switch port in a network to be tested;
and determining the configuration information of the first switch port according to the first VLAN configuration information and the first ACL configuration information.
5. The method of claim 3, wherein the acquiring configuration information of the convergence layer and core layer switch ports comprises:
acquiring second VLAN configuration information, second ACL configuration information and firewall information of the second switch port in the network to be tested;
and determining the configuration information of the second switch port according to the second VLAN configuration information, the second ACL configuration information and the firewall information.
6. The method of claim 3, wherein generating the access rights information table of the network under test according to the configuration information of the first switch port, the configuration information of the second switch port, and the IP address information included in each VLAN in the network under test comprises:
generating a VLAN mapping relation table of the network to be tested according to the configuration information of the first switch port and the configuration information of the second switch port;
collecting data table information configured on each switch in a network to be tested, and determining service access range information and user address distribution information of each VLAN according to the data table information, wherein the data table information comprises IP address information contained in each VLAN in the network to be tested;
and determining an access right information table of the network to be tested according to the VLAN mapping relation table of the network to be tested, the service access range information of each VLAN and the user address distribution information.
7. The method of claim 1, wherein the network attribute information comprises: source address information, access port number information, destination port information, and destination address information; the determining the abnormal data packet in the flow to be detected according to the abnormal flow identification model comprises the following steps:
for each target data packet in the flow to be detected, determining whether the target data packet is an abnormal data packet or not through an abnormal flow identification model based on source address information, access port information, destination port information and destination address information corresponding to the target data packet.
8. An abnormal traffic monitoring device based on an access network, comprising:
a network attribute information acquisition module, configured to acquire a target data packet corresponding to the flow to be detected in the network to be detected, and to analyze the target data packet to obtain network attribute information of the flow to be detected;
a network attribute information input module, configured to input the network attribute information into an abnormal flow identification model, wherein the abnormal flow identification model is trained according to an access right information table and historical flow information, and the access right information table is determined based on the access right information of each switch port in the network to be tested;
an abnormal data packet determining module, configured to determine the abnormal data packet in the flow to be detected according to the abnormal flow identification model.
9. An electronic device, the electronic device comprising:
at least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the access network-based abnormal traffic monitoring method of any one of claims 1-7.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the access network based abnormal traffic monitoring method of any of claims 1-7 when executed.
CN202311675593.7A 2023-12-07 2023-12-07 Abnormal flow monitoring method and device based on access network and electronic equipment Pending CN117640232A (en)

Publications (1)

Publication Number Publication Date
CN117640232A true CN117640232A (en) 2024-03-01

Family

ID=90023193

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination