WO2021008296A1 - Traffic abnormality detection method and apparatus, network device, and storage medium - Google Patents

Info

Publication number: WO2021008296A1
Authority: WO (WIPO, PCT)
Prior art keywords: traffic, time, abnormal, flow, deviation ratio
Application number: PCT/CN2020/096847
Other languages: French (fr), Chinese (zh)
Inventors: 蒋勇, 彭鑫, 叶德忠
Original assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2021008296A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • The present invention relates to the field of communications, and in particular to a method, device, network equipment and storage medium for detecting abnormal traffic.
  • The method, device, network equipment and storage medium for detecting abnormal traffic provided by the embodiments of the present invention mainly solve the following technical problem: related traffic monitoring solutions cannot detect abnormal traffic that does not cause the port traffic to exceed its limit.
  • An embodiment of the present invention provides a method for detecting abnormal traffic. In this method:
  • the current time window is the time window corresponding to the current detection moment;
  • the real-time window deviation ratio is the traffic deviation ratio of the inspected network element in the current time window, and the traffic deviation ratio characterizes the degree of balance between received traffic and sent traffic;
  • the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection moment.
  • An embodiment of the present invention also provides a traffic abnormality detection device, including:
  • a traffic collection module, configured to collect the received traffic and sent traffic of each port of the inspected network element at the current detection moment;
  • a deviation determination module, configured to determine the real-time window deviation ratio of the inspected network element in the current time window based on the collected received and sent traffic;
  • where the current time window is the time window corresponding to the current detection moment, and the traffic deviation ratio represents the degree of balance between received traffic and sent traffic;
  • a slope determination module, configured to determine the steep slope of the current detection moment according to the real-time window deviation ratio and the historical window deviation ratio;
  • where the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection moment;
  • an abnormality determination module, configured to determine whether the current detection moment is an abnormal traffic moment based on the steep slope of the current detection moment.
  • An embodiment of the present invention also provides a network device, which includes a processor, a memory, and a communication bus;
  • the communication bus is configured to provide the connection and communication between the processor and the memory;
  • the processor is configured to execute one or more programs stored in the memory to implement the steps of the method for detecting abnormal traffic.
  • An embodiment of the present invention also provides a computer-readable storage medium that stores one or more programs, which can be executed by one or more processors to implement the steps of the above-mentioned traffic abnormality detection method.
  • The method, device, network equipment and storage medium for detecting abnormal traffic collect the received and sent traffic of each port of the inspected network element at the current detection moment, determine from the collected traffic the real-time window deviation ratio of the inspected network element in the current time window, determine the steep slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio, and then determine from that steep slope whether the current detection moment is an abnormal traffic moment.
  • The traffic anomaly detection solution provided by the embodiments is based on the fact that, under normal working conditions, the total traffic entering and leaving all ports of the inspected network element is basically balanced, whereas when an abnormality such as packet loss or illegal duplication occurs during the element's routing and switching processing, the balance between received and sent traffic is broken. The solution therefore measures the balance between the received and sent traffic of the inspected network element and finds the moments at which that balance changes sharply, so as to detect the moments at which the traffic of the inspected network element is abnormal.
  • Compared with related traffic monitoring solutions, the traffic anomaly detection solution provided by the embodiments can more effectively find abnormalities that do not cause the traffic to exceed its limit, improving the comprehensiveness of the traffic monitoring of the inspected network element and the accuracy and reliability of the detection results.
  • FIG. 1 is a flowchart of a method for detecting abnormal traffic according to an embodiment of the present invention;
  • FIG. 2 is a schematic diagram of the traffic deviation ratio of an inspected network element over one day according to an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of the traffic deviation ratio of another inspected network element over one day according to an embodiment of the present invention;
  • FIG. 4 is a schematic diagram of the relationship between a time window and a detection moment according to an embodiment of the present invention;
  • FIG. 5 is a flowchart of a network device adjusting the normal slope range according to an embodiment of the present invention;
  • FIG. 6 is a flowchart of a network device determining the automatically marked abnormal set according to an embodiment of the present invention;
  • FIG. 7 is a flowchart of a method for detecting abnormal traffic according to an embodiment of the present invention;
  • FIG. 8 is a schematic diagram of the traffic deviation ratio of another inspected network element over one day according to an embodiment of the present invention;
  • FIG. 9 is a schematic structural diagram of a traffic abnormality detection device provided by an embodiment of the present invention;
  • FIG. 10 is a schematic diagram of another structure of a traffic abnormality detection device provided by an embodiment of the present invention;
  • FIG. 11 is a schematic diagram of another structure of a traffic abnormality detection device provided by an embodiment of the present invention;
  • FIG. 12 is a schematic diagram of the hardware structure of a network device provided by an embodiment of the present invention.
  • Traditional traffic monitoring solutions generally set fixed thresholds for indicators such as port bandwidth utilization and CPU utilization based on manual experience. If, during detection, an indicator of a port of the inspected network element is found to exceed the fixed threshold for that indicator, the monitoring result is judged abnormal and an alarm can be raised. This method simply decides whether a detected indicator value is normal by comparing it with a threshold. It is effective for detecting peak traffic that exceeds the limit, but an abnormality that does not cause the port traffic to exceed the limit cannot be perceived by this traditional solution. For example, if a large amount of packet loss or a large number of illegally duplicated packets occurs in the inspected network element without the traffic exceeding the limit, the traditional traffic monitoring solution will not identify these abnormalities.
  • This embodiment provides a method for detecting abnormal traffic. Please refer to the flowchart shown in FIG. 1, which includes the following steps:
  • S102: Collect the received traffic and the sent traffic of each port of the inspected network element at the current detection moment.
  • In a unicast-based network, the total traffic entering and leaving all ports of an inspected network element should be basically balanced; that is, the traffic each inspected network element sends is roughly the same as the traffic it receives.
  • When the inspected network element encounters an abnormality such as packet loss or illegal duplication during its routing and switching processing, the balance between the traffic it sends and receives is broken.
  • Therefore, the received traffic and the sent traffic of each port of the inspected network element are collected.
  • For example, if the inspected network element has ports a and b, the network device collects the received traffic and sent traffic of port a and the received traffic and sent traffic of port b.
  • If the inspected network element has further ports, the network device collects their sent and received traffic as well.
  • The network device may collect the received and sent traffic of each port of the inspected network element periodically while detecting its abnormal traffic. For example, the network device can use 15 minutes as the detection granularity, that is, collect the received and sent traffic of each port of the inspected network element every 15 minutes.
  • Suppose the network device collects the sent and received traffic of each port of the inspected network element for the first time at 00:00. It then collects them again at 00:15, a third time at 00:30, and so on. The moments 00:00, 00:15, 00:30, etc. are referred to as detection moments in this embodiment.
  • If the current time is 00:15, then 00:15 is the current detection moment and 00:00 is a historical detection moment.
  • The network device does not necessarily have to collect traffic periodically when detecting abnormal traffic of the inspected network element; that is, the time intervals between successive detection moments need not all be the same.
  • S104: Determine the real-time window deviation ratio of the inspected network element in the current time window according to the collected received traffic and sent traffic.
  • After collecting the received traffic and sent traffic of each port of the inspected network element at the current detection moment, the network device can determine the real-time window deviation ratio of the inspected network element in the current time window.
  • The so-called real-time window deviation ratio is the traffic deviation ratio of the inspected network element in the current time window.
  • The traffic deviation ratio at a detection moment can be the ratio of the sum of the received traffic to the sum of the sent traffic over all ports of the inspected network element at that moment, where:
  • bias is the traffic deviation ratio;
  • N_recv is the sum of the traffic received by all ports of the inspected network element at the detection moment, summed over the ports, where n is the total number of ports of the inspected network element and i denotes the i-th port;
  • N_send is the sum of the traffic sent by all ports of the inspected network element at the detection moment, summed in the same way over the n ports, with i denoting the i-th port.
  • The traffic deviation ratio of an inspected network element is mainly used to characterize the balance between the sent and received traffic of its ports. It therefore need not be the ratio of the sum of received traffic to the sum of sent traffic; it may also be the ratio of the sum of sent traffic to the sum of received traffic.
  • However, the network device should use one unified way of calculating the traffic deviation ratio each time it determines it for the inspected network element. For example, if at the first detection moment the network device calculates the ratio of the sum of received traffic to the sum of sent traffic over the ports of the inspected network element, then at subsequent detection moments it should also calculate the ratio of the sum of received traffic to the sum of sent traffic, and should not suddenly switch to the ratio of the sum of sent traffic to the sum of received traffic in some calculation.
  • Figures 2 and 3 respectively show schematic diagrams of the traffic deviation ratios of two inspected network elements over the same day, where the vertical axis bias represents the traffic deviation ratio and the horizontal axis represents time.
  • The so-called current time window refers to the time window corresponding to the current detection moment.
  • The so-called "real-time window deviation ratio" is therefore the traffic deviation ratio of the inspected network element in the current time window.
  • A time window includes at least one detection moment. For example, in one example of this embodiment a time window contains only one detection moment, and the real-time window deviation ratio of the inspected network element in the current time window is simply its traffic deviation ratio at the current detection moment. If a time window includes two or more detection moments, however, the real-time window deviation ratio in the current time window is the mean of the traffic deviation ratios of the inspected network element at each detection moment in the current time window. For example, suppose the time window includes three detection moments. Please refer to the schematic diagram of the relationship between the time window and the detection moment shown in FIG. 4, where the vertical axis bias represents the traffic deviation ratio and the horizontal axis represents time:
  • The current time window 401 is the time window corresponding to the nth detection moment; it includes the nth, the (n-1)th and the (n-2)th detection moments.
  • The historical time window 402 is the time window corresponding to the previous detection moment (that is, the (n-1)th detection moment); it includes the (n-1)th, the (n-2)th and the (n-3)th detection moments.
  • Let the traffic deviation ratios of the inspected network element at the nth, (n-1)th, (n-2)th and (n-3)th detection moments be b_n, b_{n-1}, b_{n-2} and b_{n-3}.
  • Then the real-time window deviation ratio of the inspected network element is (b_n + b_{n-1} + b_{n-2})/3,
  • and the historical window deviation ratio of the inspected network element is (b_{n-1} + b_{n-2} + b_{n-3})/3.
  • Of these, only the traffic deviation ratio b_n has to be calculated when determining the real-time window deviation ratio; b_{n-1} and b_{n-2} were already calculated during earlier detections (b_{n-1} when the real-time window deviation ratio at the (n-1)th detection moment was calculated, b_{n-2} at the (n-2)th), so there is no need to calculate them again.
  • S106: Determine the steep slope of the current detection moment according to the real-time window deviation ratio and the historical window deviation ratio.
  • Anomalies are data that deviate from most of the data in a data set, which is why they are also called outliers. In this embodiment, the network device therefore determines whether the current detection moment is an abnormal point (that is, an abnormal traffic moment) according to whether the traffic deviation ratio corresponding to the current detection moment deviates from the traffic deviation ratios of most detection moments.
  • The traffic deviation ratio of the inspected network element is a time-series indicator.
  • The main goal of monitoring this indicator is to find, in time, the moment at which it deviates from its normal value; this is a change point detection problem for the time series.
  • Change point theory is a classic branch of statistics. Its basic definition is that when, in a sequence or process, some statistical characteristic (the type of distribution or a distribution parameter) changes at a certain point in time because of systemic rather than accidental factors, that point in time is called the change point.
  • Change point detection is the use of statistics or statistical methods to find the position of the change point.
  • The network device can determine the steep slope of the inspected network element at the current detection moment based on the real-time window deviation ratio and the historical window deviation ratio of the inspected network element.
  • The steep slope characterizes the degree of change of the real-time window deviation ratio at the current detection moment relative to the historical window deviation ratio.
  • The steep slope of the current detection moment can be determined according to the following formula, in which:
  • n denotes the nth detection moment;
  • M_n denotes the traffic deviation ratio of the inspected network element in the time window corresponding to the nth detection moment;
  • M_{n-1} denotes the traffic deviation ratio of the inspected network element in the time window corresponding to the (n-1)th detection moment;
  • K_n is the steep slope of the nth detection moment. If the nth detection moment is the current detection moment, K_n is the steep slope corresponding to the current detection moment.
  • The historical window deviation ratio of the inspected network element is calculated after the network device performs the (n-1)th collection of sent and received traffic for the inspected network element. Therefore, in this embodiment, after the network device calculates the real-time window deviation ratio corresponding to the nth detection moment, it records it so that it can participate in the calculation at the (n+1)th detection moment as the historical window deviation ratio.
  • S108: Determine whether the current detection moment is an abnormal traffic moment based on the steep slope of the current detection moment.
  • The network device can determine from the steep slope whether the inspected network element has abnormal traffic at the current detection moment, that is, whether the current detection moment is an abnormal traffic moment.
  • The network device stores the parameters that define the normal slope range.
  • The normal slope range is (1/Q, Q), where Q is a positive number, so the values in (1/Q, Q) are those relatively close to 1.
  • When the network device determines whether the traffic of the inspected network element is abnormal at the nth detection moment, it checks whether the steep slope of the inspected network element at the nth detection moment lies within the normal slope range. If it does, the detection moment is determined not to be an abnormal traffic moment; if it does not, the detection moment is determined to be an abnormal traffic moment of the inspected network element.
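As an added illustration (not code from the patent or its assignee), the following Python puts steps S102 to S108 together: per-port counters are summed into bias = N_recv / N_send (the page fixes only that one orientation is used consistently), averaged over a three-moment window as in FIG. 4, and the steep slope is compared against (1/Q, Q). The page does not reproduce the slope formula; K_n = M_n / M_{n-1} is assumed because a normal range (1/Q, Q) around 1 is the range of a ratio, and the later exclusion of samples with fewer than two valid ports or all-zero counters is applied as well.

```python
"""Deviation-ratio traffic anomaly detector (S102 to S108, FIG. 4).

Added example, not the patent's code. Assumptions: bias = N_recv / N_send;
steep slope K_n = M_n / M_{n-1}; early windows with fewer than `window`
moments use the mean of the moments seen so far. All counters are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Per-port (received, sent) counters for one detection interval; None marks a
# port whose counters could not be collected.
PortSample = Dict[str, Optional[Tuple[int, int]]]


def deviation_ratio(ports: PortSample) -> Optional[float]:
    """bias = N_recv / N_send summed over all ports of the network element.

    Returns None when the sample must be excluded: fewer than two ports with
    valid data, or every counter zero, because a single fluctuating port would
    otherwise produce a spurious steep slope (see S704/S706 on this page).
    """
    valid = [c for c in ports.values() if c is not None]
    if len(valid) < 2:
        return None
    n_recv = sum(r for r, _ in valid)
    n_send = sum(s for _, s in valid)
    if n_recv == 0 and n_send == 0:
        return None
    if n_send == 0:
        return float("inf")  # everything received, nothing forwarded
    return n_recv / n_send


@dataclass
class Result:
    bias: float
    window_ratio: float        # real-time window deviation ratio M_n
    slope: Optional[float]     # K_n; None at the first usable moment
    abnormal: bool


@dataclass
class Detector:
    q: float = 1.3             # normal slope range is (1/Q, Q)
    window: int = 3            # detection moments per time window (FIG. 4)
    biases: List[float] = field(default_factory=list)
    hist_ratio: Optional[float] = None  # historical window deviation ratio M_{n-1}

    def step(self, ports: PortSample) -> Optional[Result]:
        """Process one detection moment; None means the sample was excluded."""
        bias = deviation_ratio(ports)
        if bias is None:
            return None                   # history untouched, no value filling
        self.biases.append(bias)
        recent = self.biases[-self.window:]
        m_n = sum(recent) / len(recent)   # mean over the current time window
        slope, abnormal = None, False
        if self.hist_ratio is not None:
            slope = m_n / self.hist_ratio  # steep slope (assumed ratio form)
            abnormal = not (1 / self.q < slope < self.q)
        self.hist_ratio = m_n              # becomes M_{n-1} for the next moment
        return Result(bias, m_n, slope, abnormal)


def balanced(scale: int) -> PortSample:
    """Constructed 4-port sample whose totals are exactly balanced (bias 1.0)."""
    return {"a": (1000 * scale, 980 * scale), "b": (800 * scale, 820 * scale),
            "c": (1200 * scale, 1190 * scale), "d": (600 * scale, 610 * scale)}


# Constructed 15-minute series: four balanced intervals, then packet loss that
# halves the forwarded traffic on every port, then a sample with only one valid
# port that must be excluded.
SAMPLES: List[PortSample] = [
    balanced(1), balanced(2), balanced(1), balanced(1),
    {"a": (1000, 500), "b": (800, 400), "c": (1200, 600), "d": (600, 300)},
    {"a": (1000, 980), "b": None, "c": None, "d": None},
]


def run(samples: List[PortSample], q: float = 1.3) -> List[Optional[Result]]:
    det = Detector(q=q)
    return [det.step(s) for s in samples]


if __name__ == "__main__":
    for t, r in enumerate(run(SAMPLES)):
        print(f"t{t}:", "excluded" if r is None else
              f"bias={r.bias:.3f} M={r.window_ratio:.3f} K={r.slope} abnormal={r.abnormal}")
```

Because the window mean dilutes a step change, only the moment at which the loss begins crosses the (1/Q, Q) boundary here; the following plateau moments are not change points.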
  • The value of Q may be fixed; for example, it is set by network operation and maintenance personnel based on a large body of empirical values. The Q value they set should ensure that all network abnormalities of the inspected network element are detected as accurately as possible.
  • Alternatively, the value of Q can be adjusted adaptively. For example, the initial value of Q is set by network operation and maintenance personnel based on experience, but as the network device keeps performing traffic anomaly detection on the inspected network element, it can adjust the value of Q according to the accuracy of its detection results, thereby reducing false detections and/or missed detections. Please refer to the flowchart for adjusting the normal slope range shown in FIG. 5:
  • The network device may adjust the value of Q at regular intervals. Adjusting the value of Q means adjusting the normal slope range. It is assumed here that the network device adjusts the normal slope range every two hours.
  • Within those two hours the network device may have performed 8 detections on the inspected network element, and some of those 8 detection moments will have been judged abnormal traffic moments.
  • The network device can add the abnormal traffic moments among the 8 detection moments to the automatically marked abnormal set.
  • The automatically marked abnormal set is the set of abnormal traffic moments marked mechanically by the network device.
  • Abnormal traffic moments fall into two cases. In the first, compared with the historical window deviation ratio, the real-time window deviation ratio represents a better traffic situation, that is, the absolute difference between the real-time window deviation ratio and 1 is less than the absolute difference between the historical window deviation ratio and 1. This means that although there is abnormal traffic at the current detection moment, the abnormal traffic is gradually recovering; the abnormal traffic at the current detection moment is in a recovery state.
  • In the second case, compared with the historical window deviation ratio, the real-time window deviation ratio represents a worse traffic situation, that is, the absolute difference between the real-time window deviation ratio and 1 is greater than the absolute difference between the historical window deviation ratio and 1. This indicates that the abnormal traffic at the current detection moment is in a deteriorating state.
  • The network device may follow the flowchart shown in FIG. 6 to determine the automatically marked abnormal set:
  • S602: The network device determines all abnormal traffic moments within the time period.
  • The network device determines whether the abnormal traffic at each abnormal traffic moment is in a recovery state or a deteriorating state according to the steep slope and the historical steep slope of the abnormal traffic;
  • S606: The network device removes the abnormal traffic moments that are in the recovery state and uses the remaining abnormal traffic moments as the automatically marked abnormal set.
  • S504: Compare each abnormal traffic moment in the manually marked abnormal set with each abnormal traffic moment in the automatically marked abnormal set.
  • The network device also obtains the manually marked abnormal set corresponding to the automatically marked abnormal set,
  • that is, the manual marking result for the abnormal traffic moments within the same time period.
  • The abnormal traffic moments in the manually marked abnormal set can be regarded as completely correct, with no mislabeling, and the manually marked abnormal set is considered to contain all abnormal traffic moments of the past two hours, with no missing labels.
  • The network device can compare each abnormal traffic moment in the manually marked abnormal set with each abnormal traffic moment in the automatically marked abnormal set.
  • On the one hand, the network device can determine the false detections in the automatically marked abnormal set.
  • A false detection is an abnormal traffic moment that exists in the automatically marked abnormal set but not in the manually marked abnormal set.
  • On the other hand, the network device can determine the missed anomalies in the automatically marked abnormal set.
  • A missed anomaly is an abnormal traffic moment that exists in the manually marked abnormal set but not in the automatically marked abnormal set.
  • The network device can then determine its own false detection rate from the false detections.
  • If the network device determines that the false detection rate of the automatically marked abnormal set reaches the preset false detection threshold, it can determine the steep slope corresponding to each false detection, determine the Q value corresponding to each of those steep slopes, and then select the largest
  • Q value as the adjusted Q value. For example, if the network device determines that the false detection rate reaches the preset false detection threshold with 3 false detections whose steep slopes are 1.5, 2 and 2.5 respectively, then the Q values corresponding to the three steep slopes are 1.5, 2 and 2.5 respectively, so the updated Q value is 2.5.
  • If instead the steep slopes corresponding to the three false detections are 1/4, 1/3 and 1/2 respectively, the Q values corresponding to the three steep slopes are 4, 3 and 2 respectively, so the updated Q value is 4.
  • In this way the Q value is increased and the normal slope range is widened, thereby reducing the possibility that the network device reports abnormal traffic when the traffic is actually normal.
  • The network device can also determine its own missed detection rate from the missed anomalies.
  • If the network device determines that the missed detection rate of the automatically marked abnormal set reaches the preset missed detection threshold, it can determine the steep slope corresponding to each missed anomaly and then update the Q value according to the minimum of those steep slopes.
  • Specifically, the network device may determine the Q value corresponding to each steep slope and select the smallest Q value as the updated Q value. For example, if the network device determines that the missed detection rate reaches the preset missed detection threshold with 3 missed anomalies whose steep slopes are 1/2, 1/3 and 3,
  • the Q values corresponding to the three steep slopes are 2, 3 and 3 respectively.
  • The network device can then adjust the value of Q to 2. It should be understood that the value of Q must have been greater than 3 before the adjustment, so this adjustment reduces the value of Q, which widens the range of abnormal slopes and thereby reduces the possibility that abnormal traffic goes undetected by the network device.
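The recovery-state filter of FIG. 6 and the Q update rules above, as an added Python example that is not the patent's own code. The page does not give the false- and missed-detection rate formulas, so they are assumed here to be the fraction of the automatically marked set and of the manually marked set respectively, and the false-detection update is applied before the missed-detection one (the page states no order); the constructed moments reuse the page's slopes (1.5, 2, 2.5 and 1/2, 1/3, 3) so the results can be checked against its numbers.

```python
"""Adaptive adjustment of the normal slope range (1/Q, Q) (FIG. 5 and FIG. 6).

Added example, not the patent's code. Assumed: false detection rate =
false detections / |automatic set|; missed detection rate =
missed anomalies / |manual set|; false-detection update applied first.
All moments below are constructed.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Moment:
    t: str              # detection moment label
    slope: float        # steep slope K_n at this moment
    real_ratio: float   # real-time window deviation ratio M_n
    hist_ratio: float   # historical window deviation ratio M_{n-1}
    flagged: bool       # judged abnormal by the detector at this moment


def is_recovering(m: Moment) -> bool:
    """Real-time ratio closer to 1 than the historical one: the abnormality is
    already recovering, so the moment is not kept as a new anomaly (FIG. 6)."""
    return abs(m.real_ratio - 1) < abs(m.hist_ratio - 1)


def automatic_set(moments: List[Moment]) -> List[Moment]:
    """S602 to S606: flagged moments, minus those in the recovery state."""
    return [m for m in moments if m.flagged and not is_recovering(m)]


def boundary_q(slope: float) -> float:
    """Q at which `slope` lies on the edge of the normal range: max(K, 1/K)."""
    return max(slope, 1 / slope)


def adjust_q(q: float, moments: List[Moment], manual: Set[str],
             false_thr: float, missed_thr: float) -> float:
    """S504 onward: compare automatic and manual sets, then update Q."""
    auto = automatic_set(moments)
    auto_times = {m.t for m in auto}
    false_det = [m for m in auto if m.t not in manual]
    missed = [m for m in moments if m.t in manual and m.t not in auto_times]
    false_rate = len(false_det) / len(auto) if auto else 0.0
    missed_rate = len(missed) / len(manual) if manual else 0.0
    if false_det and false_rate >= false_thr:
        # widen the range so the largest false detection becomes normal
        q = max(boundary_q(m.slope) for m in false_det)
    if missed and missed_rate >= missed_thr:
        # narrow the range so the least-deviating missed anomaly is caught
        q = min(boundary_q(m.slope) for m in missed)
    return q


# Page's false-detection example: three flagged moments with slopes 1.5, 2 and
# 2.5 that the operator did not mark, one true anomaly both sides agree on, and
# one recovering moment that FIG. 6 drops. Q before adjustment: 1.4.
FALSE_DETECTIONS = [
    Moment("08:15", 1.5, 1.5, 1.0, True),
    Moment("08:30", 2.0, 2.0, 1.0, True),
    Moment("08:45", 2.5, 2.5, 1.0, True),
    Moment("09:00", 3.0, 3.0, 1.0, True),
    Moment("09:15", 0.5, 1.5, 3.0, True),   # recovering: removed from the set
]
FALSE_MANUAL = {"09:00"}

# Page's missed-detection example: manual anomalies with slopes 1/2, 1/3 and 3
# fell inside the normal range of Q = 4, so the detector did not flag them.
MISSED = [
    Moment("10:15", 1 / 2, 0.5, 1.0, False),
    Moment("10:30", 1 / 3, 0.2, 0.6, False),
    Moment("10:45", 3.0, 0.9, 0.3, False),
    Moment("11:00", 5.0, 5.0, 1.0, True),
]
MISSED_MANUAL = {"10:15", "10:30", "10:45", "11:00"}


if __name__ == "__main__":
    print("Q after false detections:", adjust_q(1.4, FALSE_DETECTIONS, FALSE_MANUAL, 0.2, 0.2))
    print("Q after missed anomalies:", adjust_q(4.0, MISSED, MISSED_MANUAL, 0.2, 0.2))
```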
  • The traffic anomaly detection method provided in this embodiment analyzes the traffic deviation ratio of the inspected network element and, based on the steep slope, identifies the moments at which the traffic deviation ratio changes greatly as abnormal traffic moments.
  • This scheme can effectively identify abnormal points that do not cause the traffic of the inspected network element to exceed its limit, and provides a basis for network optimization.
  • Moreover, the network device can adjust the parameters used to determine abnormal traffic moments according to the results of marking abnormal traffic, so that these parameters become more accurate and more in line with the actual situation of the network, which improves the accuracy of abnormal traffic detection and reduces false detections and missed detections.
  • S702 Collect receiving traffic and sending traffic of each port of the inspected network element at the current inspection moment.
  • a network device used for traffic abnormality monitoring may monitor the traffic of two or more detected network elements at the same time. Therefore, when the network device performs port traffic collection, it is for all the monitored network elements. All ports of the inspected network element are performed. Therefore, after obtaining the collection result, the network device needs to determine which of the inspected network elements the collection result belongs to, according to the asset relationship data (which can characterize the corresponding relationship between the inspected network element and the port). Then, the time of abnormal traffic is determined for each detected network element.
  • the network device may perform detection every 15 minutes, that is, the detection granularity is 15 minutes. It is understandable that if the detection granularity is set too large, the network device will not be able to detect which abnormalities that appear and recover in a short time. For example, if the detection granularity is set to 3 hours, the network device cannot detect the graph. The abnormality shown in 8.
  • the network device sets the detection granularity, it can be set according to its own processing capability.
  • S704: Determine whether the receiving traffic and sending traffic of at least two ports of the inspected network element have been collected.
  • It is understandable that a large abrupt slope is easily generated during a fluctuation process, so the current detection moment is easily recognized by the network device as an abnormal flow moment. However, when some port data is missing, the flow deviation ratio obtained from a single port is not actually the flow deviation ratio of the network element that we want to obtain. Therefore, in some examples of this embodiment, the network device needs to exclude network elements for which only single-port data is valid.
  • If so, the network device continues with S706; otherwise the process ends.
  • S706: Determine whether the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment are all zero.
  • Missing value filling is a common way of handling missing data.
  • Common missing value filling methods include filling with the mean of the preceding and following values, mode filling, linear regression filling, and so on.
  • Missing value filling is generally effective, but for the traffic anomaly detection scheme in this embodiment it often has a great impact on the detection result.
  • Most filling methods make the data smoother, so that the network device can no longer detect the original abnormal points from the steep rise and fall of the traffic deviation ratio.
  • S708: Determine the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic.
  • After collecting the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment, the network device can determine the real-time window deviation ratio of the inspected network element in the current time window.
  • In this embodiment one time window includes three detection moments, so the network device can determine the real-time window deviation ratio corresponding to the current detection moment from the traffic deviation ratio at the current detection moment and the traffic deviation ratios at the previous two detection moments.
  • S710: Determine the steep slope of the current detection moment according to the real-time window deviation ratio and the historical window deviation ratio.
  • The network device can calculate the ratio of the real-time window deviation ratio of the inspected network element to its historical window deviation ratio to obtain the steep slope of the inspected network element at the current detection moment.
  • S712: Determine whether the current detection moment is an abnormal flow moment based on the steep slope of the current detection moment.
  • The network device can determine whether the flow of the inspected network element is abnormal at the current detection moment according to the steep slope.
  • The network device determines whether the steep slope corresponding to the current detection moment lies within the normal slope range (1/Q, Q); if so, it determines that the detection moment is not an abnormal flow moment; if not, it determines that the detection moment is a moment at which the network element's traffic is abnormal.
  • If the network device determines that the current detection moment is an abnormal flow moment of the inspected network element, it further determines whether that abnormal flow moment is a deteriorating abnormal flow moment:
  • S714: Determine whether the abnormality at the abnormal flow moment is in a deteriorating state according to the abrupt slope at the abnormal flow moment and the historical abrupt slope.
  • S716: Record the abnormal flow moment.
  • The network device can record the abnormal flow moment for use in the subsequent network optimization process.
  • The network device can also evaluate its own false detection rate and missed detection rate once every period of time, and adjust the normal slope range according to the evaluation result, so as to reduce the false detection rate and missed detection rate of abnormal traffic in the subsequent detection process.
  • The specific evaluation and adjustment process has been described in more detail in the foregoing embodiment and is not repeated here.
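The following is an added worked example of steps S702 to S712, written for this page and not taken from the patent or from any ZTE implementation. It groups collected port counters by network element through an asset table, applies the S704 (fewer than two ports) and S706 (all zero) checks by skipping the moment instead of filling a value, computes the per-moment deviation ratio sum(rx)/sum(tx), averages it over a three-moment window, divides by the previous moment's window to get the steep slope, and flags slopes outside (1/Q, Q). The port names, the asset table, Q = 2, the 15-minute counters and the rule that a moment with rx > 0 and tx == 0 counts as an extreme imbalance are all constructed assumptions. S714 (recovery versus deterioration) is not implemented here; note that the example's last flagged moment is the window returning to balance, which is exactly the kind of point S714 is meant to classify as a recovery.

```python
"""Added example (not the patent's code): steps S702-S712 with the
preprocessing checks of S704/S706. Port names, the asset table, Q, the
window size and all traffic counters are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

Sample = Tuple[float, float]      # (received, sent) counters of one port

# Constructed asset-relationship data: port -> inspected network element.
ASSET_TABLE: Dict[str, str] = {
    "ge-0/0/1": "NE-A", "ge-0/0/2": "NE-A", "ge-0/0/3": "NE-A",
    "xe-1/0/0": "NE-B", "xe-1/0/1": "NE-B",
    "ge-2/0/0": "NE-C",            # single-port element: excluded by S704
}
WINDOW_SIZE = 3   # detection moments per time window (three, as on the page)
Q = 2.0           # normal slope range (1/Q, Q); the value of Q is an assumption


def group_by_network_element(samples: Dict[str, Sample]) -> Dict[str, List[Sample]]:
    """Attribute every collected port to its network element via the asset table."""
    grouped: Dict[str, List[Sample]] = {}
    for port, rxtx in samples.items():
        ne = ASSET_TABLE.get(port)
        if ne is not None:         # ports absent from the asset data cannot be attributed
            grouped.setdefault(ne, []).append(rxtx)
    return grouped


def deviation_ratio(ports: List[Sample]) -> Optional[float]:
    """Traffic deviation ratio at one detection moment: sum(rx) / sum(tx).
    Returns None, and fills nothing, when fewer than two ports were collected
    (S704) or every counter is zero (S706): filling would smooth away the
    steep change the method depends on."""
    if len(ports) < 2:
        return None
    rx = sum(r for r, _ in ports)
    tx = sum(t for _, t in ports)
    if rx == 0 and tx == 0:
        return None
    return rx / tx if tx else float("inf")   # assumption: rx > 0 with tx == 0 is an extreme imbalance


def window_deviation_ratio(ratios: List[float]) -> float:
    """Window deviation ratio: mean of the last WINDOW_SIZE per-moment ratios."""
    window = ratios[-WINDOW_SIZE:]
    return sum(window) / len(window)


def steep_slope(realtime: float, historical: float) -> float:
    """Steep slope: real-time window ratio divided by the historical window ratio."""
    return realtime / historical


def is_abnormal(slope: float, q: float = Q) -> bool:
    """S712: abnormal when the slope lies outside the open range (1/Q, Q)."""
    return not (1.0 / q < slope < q)


def evaluate_moment(ratios: List[float], q: float = Q) -> Optional[Tuple[float, bool]]:
    """Given per-moment ratios up to and including the current moment, return
    (slope, abnormal) for the current moment. The historical window is the one
    ending at the previous moment, so a full window plus one moment is needed."""
    if len(ratios) < WINDOW_SIZE + 1:
        return None
    slope = steep_slope(window_deviation_ratio(ratios),
                        window_deviation_ratio(ratios[:-1]))
    return slope, is_abnormal(slope, q)


def run(snapshots: List[Dict[str, Sample]], q: float = Q) -> Dict[str, List[Tuple[int, float, bool]]]:
    """Feed successive snapshots through the pipeline; per network element,
    return (moment index, slope, abnormal) for every evaluable moment.
    Skipped moments leave no entry, so the window spans the last recorded ones."""
    history: Dict[str, List[float]] = {}
    results: Dict[str, List[Tuple[int, float, bool]]] = {}
    for i, snap in enumerate(snapshots):
        for ne, ports in group_by_network_element(snap).items():
            ratio = deviation_ratio(ports)
            if ratio is None:
                continue
            history.setdefault(ne, []).append(ratio)
            verdict = evaluate_moment(history[ne], q)
            if verdict is not None:
                results.setdefault(ne, []).append((i, verdict[0], verdict[1]))
    return results


# Constructed 15-minute totals for NE-A: balanced, one moment of heavy
# internal loss (rx 9000 vs tx 900), then balanced again.
NE_A_TOTALS = [(4500, 4500)] * 5 + [(9000, 900)] + [(4500, 4500)] * 3


def build_snapshots() -> List[Dict[str, Sample]]:
    """Constructed per-port counters: NE-A split over three ports, NE-B balanced, NE-C single port."""
    return [{"ge-0/0/1": (rx / 3, tx / 3), "ge-0/0/2": (rx / 3, tx / 3), "ge-0/0/3": (rx / 3, tx / 3),
             "xe-1/0/0": (5000, 5100), "xe-1/0/1": (4000, 3900),
             "ge-2/0/0": (700, 700)} for rx, tx in NE_A_TOTALS]


if __name__ == "__main__":
    for ne, rows in run(build_snapshots()).items():
        for i, slope, abnormal in rows:
            print(f"{ne} moment {i}: slope {slope:.2f} {'ABNORMAL' if abnormal else 'normal'}")
```

With the constructed counters, NE-A is flagged at moment 5 (slope 4.0, the loss event) and again at moment 8 (slope 0.25, the window returning to its earlier level); NE-B stays within range and NE-C is never evaluated. The second flag is the recovery-state case the page addresses with S714, and it shows why the detector should not report every out-of-range slope as a new deterioration.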
  • In the traffic abnormality detection method, the network device automatically monitors the traffic of the inspected network element and marks the abnormal flow moments, which not only reduces the demand for human resources but also makes the detection process fast and efficient, and can find traffic abnormalities that conventional methods cannot detect. At the same time, it can also feed back and adjust the parameters for judging abnormal flow moments according to the detection result, so that the detection result achieves higher accuracy and reliability.
  • The embodiment of the present invention also provides a flow abnormality detection device; please refer to the schematic structural diagram shown in FIG. 9, in which:
  • The flow abnormality detection device 90 includes a flow collection module 902, a deviation determination module 904, a slope determination module 906, and an abnormality determination module 908.
  • The flow collection module 902 is configured to collect the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment.
  • The deviation determination module 904 is configured to determine the real-time window deviation ratio of the inspected network element in the current time window based on the collected receiving and sending traffic, and the slope determination module 906 is configured to determine the steep slope of the current detection moment based on the real-time window deviation ratio and the historical window deviation ratio, where the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection moment.
  • The abnormality determination module 908 is configured to determine, based on the steep slope of the current detection moment, whether the current detection moment is an abnormal flow moment.
  • The flow anomaly detection device 90 further includes a preprocessing module 910, which is configured to determine whether the flow collection module 902 has collected the receiving traffic and sending traffic of at least two ports of the inspected network element. Only when the judgment result of the preprocessing module 910 is yes does the deviation determination module 904 calculate the real-time window deviation ratio.
  • The preprocessing module 910 may also be configured to determine whether the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment are all zero. Only when the judgment result of the preprocessing module 910 is negative does the deviation determination module 904 calculate the real-time window deviation ratio.
  • A time window includes at least two detection moments.
  • The deviation determination module 904 can determine the flow deviation ratio at the current detection moment based on the receiving traffic and sending traffic collected at the current detection moment, obtain the flow deviation ratios of the other detection moments in the current time window, and then determine the average of the flow deviation ratios of all detection moments in the current time window as the real-time window deviation ratio.
  • The traffic deviation ratio at the current detection moment is the ratio of the sum of the receiving traffic to the sum of the sending traffic of each port of the inspected network element collected at the current detection moment.
  • The abnormality determination module 908 can determine whether the steep slope of the current detection moment is outside the normal slope range (1/Q, Q), where Q is a positive number; if so, it determines that the current detection moment is an abnormal flow moment, and if not, it determines that the current detection moment is not an abnormal flow moment.
  • The flow anomaly detection device 90 may further include a parameter adjustment module 912, which is configured to evaluate multiple determination results of the abnormality determination module 908 and, according to at least one of the false detection rate and the missed detection rate, adjust the normal slope range that the abnormality determination module 908 uses to determine whether a detection moment is an abnormal flow moment.
  • The parameter adjustment module 912 may add each abnormal flow moment detected within a certain period of time to an automatically marked abnormal set, then compare each abnormal flow moment in a manually marked abnormal set with each abnormal flow moment in the automatically marked abnormal set, and adjust the normal slope range according to the comparison result.
  • The parameter adjustment module 912 determines the false detection abnormalities in the automatically marked abnormal set, and then determines whether the false detection rate in the automatically marked abnormal set reaches the preset false detection threshold; if so, the parameter adjustment module 912 further determines the steep slope corresponding to each false detection abnormality and adjusts the value of Q according to the maximum of these steep slopes.
  • The parameter adjustment module 912 determines the missed abnormalities in the automatically marked abnormal set, and then determines whether the missed detection rate in the automatically marked abnormal set reaches the preset missed detection threshold; if so, the parameter adjustment module 912 further determines the steep slope corresponding to each missed abnormality and adjusts the value of Q according to the maximum of these steep slopes.
  • The parameter adjustment module 912 may first determine all abnormal flow moments in a time period, then, for each abnormal flow moment in that period, determine whether the abnormality is in a recovering state or a deteriorating state according to the steep slope of that abnormal flow moment and the historical steep slope, then eliminate the abnormal flow moments in the recovering state and treat the remaining abnormal flow moments as the automatically marked abnormal set.
  • The traffic anomaly detection device 90 in this embodiment can be deployed on a network device, such as a network device in a bearer network, where the function of the traffic collection module 902 can be implemented by the processor of the network device together with its communication unit, and the functions of the deviation determination module 904, the slope determination module 906, the abnormality determination module 908, the preprocessing module 910, and the parameter adjustment module 912 can all be implemented by the processor of the network device.
  • The flow abnormality detection device analyzes the flow deviation ratio of the inspected network element and, based on the steep slope, identifies the moments at which the flow deviation ratio changes greatly as flow abnormality moments.
  • This flow abnormality detection scheme can effectively identify abnormal points that do not cause the traffic of the inspected network element to exceed its limit, and provides a basis for network optimization.
  • The traffic anomaly detection device can adjust the parameters for determining abnormal flow moments according to the result of marking abnormal traffic, so that these parameters become more accurate and closer to the actual situation of the network, thereby increasing the accuracy of traffic anomaly detection and reducing false detections and missed detections.
  • The embodiment of the present invention also provides a computer-readable storage medium.
  • The computer-readable storage medium may store one or more computer programs that can be read, compiled, and executed by one or more processors.
  • The computer-readable storage medium may store a flow anomaly detection program, which can be executed by one or more processors to implement the flow of any of the flow anomaly detection methods introduced in the foregoing embodiments.
  • The network device 120 includes a processor 121, a memory 122, and a communication bus 123 configured to connect the processor 121 and the memory 122, where the memory 122 may be the aforementioned storage
  • The processor 121 may read the flow anomaly detection program, compile it, and execute the flow of the flow anomaly detection method introduced in the foregoing embodiment:
  • The processor 121 collects the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment, determines the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving and sending traffic, then determines the steep slope of the current detection moment according to the real-time window deviation ratio and the historical window deviation ratio, and determines whether the current detection moment is an abnormal flow moment based on the steep slope of the current detection moment.
  • The processor 121 is further configured to determine whether the receiving traffic and sending traffic of at least two ports of the inspected network element have been collected. Only when the judgment result is yes does the processor 121 calculate the real-time window deviation ratio.
  • The processor 121 may also determine whether the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment are all zero. Only when the judgment result is negative does the processor 121 calculate the real-time window deviation ratio.
  • A time window includes at least two detection moments.
  • The processor 121 may determine the flow deviation ratio at the current detection moment according to the receiving traffic and sending traffic collected at the current detection moment, obtain the flow deviation ratios of the other detection moments in the current time window, and then determine the average of the flow deviation ratios of all detection moments in the current time window as the real-time window deviation ratio.
  • The traffic deviation ratio at the current detection moment is the ratio of the sum of the receiving traffic to the sum of the sending traffic of each port of the inspected network element collected at the current detection moment.
  • The processor 121 may determine whether the steep slope at the current detection moment is outside the normal slope range (1/Q, Q), where Q is a positive number; if so, it determines that the current detection moment is an abnormal flow moment, and if not, it determines that the current detection moment is not an abnormal flow moment.
  • The processor 121 may also evaluate its own multiple determination results, and adjust the normal slope range used to determine whether a detection moment is an abnormal flow moment according to at least one of the false detection rate and the missed detection rate.
  • The processor 121 may add each abnormal flow moment detected within a certain period of time to an automatically marked abnormal set, then compare each abnormal flow moment in a manually marked abnormal set with each abnormal flow moment in the automatically marked abnormal set, and adjust the normal slope range according to the comparison result.
  • The processor 121 determines the false detection abnormalities in the automatically marked abnormal set, and then determines whether the false detection rate in the automatically marked abnormal set reaches the preset false detection threshold; if so, the processor 121 further determines the steep slope corresponding to each false detection abnormality and adjusts the value of Q according to the maximum of these steep slopes.
  • The processor 121 determines the missed abnormalities in the automatically marked abnormal set, and then determines whether the missed detection rate in the automatically marked abnormal set reaches the preset missed detection threshold; if so, the processor 121 further determines the steep slope corresponding to each missed abnormality and adjusts the value of Q according to the steep slope.
  • The processor 121 may first determine all abnormal flow moments within a time period, then, for each abnormal flow moment in that period, determine whether the abnormality is in a recovering state or a deteriorating state according to the abrupt slope of that abnormal flow moment and the historical abrupt slope, then eliminate the abnormal flow moments in the recovering state and treat the remaining abnormal flow moments as the automatically marked abnormal set.
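The feedback loop described for the parameter adjustment module 912 and again for the processor 121 (building the automatically marked abnormal set without recovery-state moments, comparing it with a manually marked set, and adjusting Q from the maximum steep slope of the offending moments) is shown below as an added example; it is not the patent's code. The page does not spell out how recovery is told from deterioration, what the thresholds are, or in which direction Q moves, so the following are assumptions made for the example: a flagged moment is a recovery when its slope is close to the reciprocal of the previous flagged slope (their product is near 1, meaning the window ratio has returned to its earlier level); both thresholds are 0.2; a high false detection rate widens the range by raising Q just above the largest false slope (the interval is open, so a small margin keeps that slope inside); a high missed detection rate narrows it by lowering Q to the largest missed slope. All moments and slopes are constructed.

```python
"""Added example (not the patent's code): automatically marked abnormal set,
comparison with a manually marked set, and adjustment of Q. Thresholds,
the recovery rule, the margin and the direction of the Q update are
assumptions; all moments and slopes are constructed."""
import math
from typing import Dict, List, Set, Tuple

FALSE_THRESHOLD = 0.2     # assumption: preset false-detection threshold
MISSED_THRESHOLD = 0.2    # assumption: preset missed-detection threshold
Q_MARGIN = 1.01           # assumption: keeps the largest false slope strictly inside the open range
RECOVERY_TOLERANCE = 0.1  # assumption: |ln(slope * historical_slope)| below this means recovery


def normalized_slope(slope: float) -> float:
    """Fold a slope onto the upper side of the symmetric range (1/Q, Q)."""
    return max(slope, 1.0 / slope)


def is_recovery(slope: float, historical_slope: float) -> bool:
    """Assumed rule: after a spike, the window ratio returning to its earlier
    level gives a slope close to the reciprocal of the earlier abnormal slope,
    so their product is close to 1. Anything else is treated as deteriorating."""
    return abs(math.log(slope * historical_slope)) < RECOVERY_TOLERANCE


def automatic_abnormal_set(flagged: List[Tuple[int, float]]) -> Dict[int, float]:
    """Flagged (moment, slope) pairs in time order -> automatically marked set
    with recovery-state moments removed. The historical steep slope is taken
    to be the slope of the previous flagged moment (assumption)."""
    marked: Dict[int, float] = {}
    previous = None
    for moment, slope in flagged:
        if previous is None or not is_recovery(slope, previous):
            marked[moment] = slope
        previous = slope
    return marked


def detection_rates(auto: Dict[int, float], manual: Set[int]) -> Tuple[float, float, Set[int], Set[int]]:
    """False detections: automatic marks absent from the manual set. Misses:
    manual marks absent from the automatic set. Rates are relative to the
    automatic and manual set sizes respectively."""
    false_set = set(auto) - manual
    missed_set = manual - set(auto)
    false_rate = len(false_set) / len(auto) if auto else 0.0
    missed_rate = len(missed_set) / len(manual) if manual else 0.0
    return false_rate, missed_rate, false_set, missed_set


def adjust_q(q: float, auto: Dict[int, float], manual: Set[int], slopes: Dict[int, float]) -> float:
    """Adjust Q from the maximum steep slope of the offending moments.
    Assumed direction: a high false-detection rate widens the normal range
    (Q raised above the largest false slope); a high missed-detection rate
    narrows it (Q lowered to the largest missed slope, which the open
    interval then places outside the range)."""
    false_rate, missed_rate, false_set, missed_set = detection_rates(auto, manual)
    if false_rate >= FALSE_THRESHOLD and false_set:
        q = max(q, Q_MARGIN * max(normalized_slope(slopes[m]) for m in false_set))
    if missed_rate >= MISSED_THRESHOLD and missed_set:
        q = min(q, max(normalized_slope(slopes[m]) for m in missed_set))
    return q


# Constructed slopes for one evaluation period (unlisted moments are near 1.0)
# and the moments a detector with Q = 2.0 flagged, in time order.
SLOPES: Dict[int, float] = {5: 4.0, 8: 0.25, 20: 2.5, 27: 1.8, 33: 0.4, 41: 3.0}
FLAGGED: List[Tuple[int, float]] = [(m, SLOPES[m]) for m in (5, 8, 20, 33, 41)]


def feedback_round(manual: Set[int], q: float = 2.0) -> float:
    """One evaluation-and-adjustment round over the constructed period."""
    auto = automatic_abnormal_set(FLAGGED)
    return adjust_q(q, auto, manual, SLOPES)


if __name__ == "__main__":
    print(automatic_abnormal_set(FLAGGED))       # recovery moments 8 and 33 removed
    print(feedback_round({5, 20}))               # 41 was a false detection: Q widens
    print(feedback_round({5, 20, 27, 41}))       # 27 was missed: Q narrows
```

Moments 8 and 33 are dropped as recoveries (0.25 × 4.0 = 1.0 and 0.4 × 2.5 = 1.0), leaving {5, 20, 41} as the automatic set. If the manual set is {5, 20}, moment 41 is a false detection, the false detection rate is 1/3, and Q rises from 2.0 to 3.03; if the manual set is {5, 20, 27, 41}, moment 27 (slope 1.8, inside the old range) was missed, the missed detection rate is 1/4, and Q falls to 1.8. When both rates exceed their thresholds in one round the two updates pull Q in opposite directions, which is why a practitioner would review the manual set for label errors before letting the narrowing step run.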
  • The network device provided in this embodiment can automatically monitor the traffic of the inspected network element and mark the abnormal flow moments, which not only reduces the demand for human resources but also makes the detection process fast and efficient, and can find abnormal traffic conditions that conventional methods cannot detect. At the same time, it can also feed back and adjust the parameters for judging abnormal flow moments according to the detection result, so that the detection result achieves higher accuracy and reliability.
  • The functional modules/units in the system and the device can be implemented as software (which can be implemented by program code executable by a computing device), firmware, hardware, or an appropriate combination of these.
  • The division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components.
  • Some or all physical components can be implemented as software executed by a processor, such as a central processing unit, a digital signal processor, or a microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit.
  • The computer-readable medium may include computer storage media (or non-transitory media) and communication media (or transitory media).
  • Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data).
  • Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
  • Communication media usually carry computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery media. Therefore, the present invention is not limited to any specific combination of hardware and software.
  • The method, device, network device, and storage medium for detecting traffic anomalies provided by the embodiments of the present invention have the following beneficial effects: they can more effectively find abnormalities that do not cause the traffic to exceed its limit, improve the comprehensiveness of traffic monitoring of the network element equipment, and increase the accuracy and credibility of the detection results.

Abstract

Embodiments of the present invention provide a traffic abnormality detection method and apparatus, a network device, and a storage medium. The method comprises: acquiring the reception traffic and transmission traffic of each port of a network element device at the current detection moment; then determining a real-time traffic deviation ratio of the network element device in the current time window according to the acquired reception traffic and transmission traffic; determining the abrupt change slope of the current detection moment according to the real-time traffic deviation ratio and a historical traffic deviation ratio; and subsequently, based on the abrupt change slope of the current detection moment, determining whether the current detection moment is a moment when traffic is abnormal. Compared with a traffic monitoring solution in relevant prior art, a traffic abnormality detection solution provided by the embodiments of the present invention can more effectively discover an abnormality that does not make traffic exceed a limit, improve the comprehensiveness of the traffic monitoring of the network element device, and enhance the accuracy and reliability of a detection result.

Description

Method, device, network equipment and storage medium for detecting abnormal flow
Technical field
The present invention relates to the field of communications, and in particular to a method, device, network equipment and storage medium for detecting abnormal flow.
Background art
With the ever-increasing scale and complexity of communication networks, operators face growing pressure and challenges in network operation and maintenance. Traditional abnormality monitoring solutions for network element equipment rely mainly on monitoring alarm events; for example, network traffic monitoring generally compares index values such as port bandwidth utilization and CPU utilization with fixed thresholds set from manual experience, to determine whether these index values lie within the reasonable range defined by the corresponding fixed threshold. These means are effective for monitoring some peak traffic, but it is difficult for them to discover some relatively hidden abnormalities in network element equipment that affect the quality of service operation, such as heavy packet loss or a large number of illegally duplicated packets that may occur in the network. When such an abnormality occurs, the port traffic may not exceed its limit; therefore, a traditional traffic monitoring solution cannot perceive an abnormality of this kind that does not cause the port traffic to exceed its limit.
Summary of the invention
The technical problem mainly solved by the traffic abnormality detection method, device, network equipment and storage medium provided by the embodiments of the present invention is that related traffic monitoring solutions cannot detect traffic abnormalities that do not cause port traffic to exceed its limit.
To solve the above technical problem, an embodiment of the present invention provides a traffic abnormality detection method, including:
collecting the receiving traffic and sending traffic of each port of an inspected network element at the current detection moment;
determining the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic, where the current time window is the time window corresponding to the current detection moment, the real-time window deviation ratio is , and the flow deviation ratio can characterize the degree of balance between receiving traffic and sending traffic;
determining the steep slope of the current detection moment according to the real-time window deviation ratio and a historical window deviation ratio, where the historical window deviation ratio is the flow deviation ratio of the inspected network element in the time window corresponding to the previous detection moment;
determining, based on the steep slope of the current detection moment, whether the current detection moment is an abnormal flow moment.
An embodiment of the present invention also provides a traffic abnormality detection device, including:
a traffic collection module, configured to collect the receiving traffic and sending traffic of each port of an inspected network element at the current detection moment;
a deviation determination module, configured to determine the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic, where the current time window is the time window corresponding to the current detection moment, and the flow deviation ratio can characterize the degree of balance between receiving traffic and sending traffic;
a slope determination module, configured to determine the steep slope of the current detection moment according to the real-time window deviation ratio and a historical window deviation ratio, where the historical window deviation ratio is the flow deviation ratio of the inspected network element in the time window corresponding to the previous detection moment;
an abnormality determination module, configured to determine, based on the steep slope of the current detection moment, whether the current detection moment is an abnormal flow moment.
An embodiment of the present invention also provides a network device, which includes a processor, a memory and a communication bus;
the communication bus is configured to implement connection and communication between the processor and the memory;
the processor is configured to execute one or more programs stored in the memory to implement the steps of the above traffic abnormality detection method.
An embodiment of the present invention also provides a computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement the steps of the above traffic abnormality detection method.
The beneficial effects of the present invention are:
The traffic abnormality detection method, device, network equipment and storage medium provided by the embodiments of the present invention collect the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment, determine the real-time traffic deviation ratio of the inspected network element in the current time window according to the collected receiving and sending traffic, determine the steep slope of the current detection moment according to the real-time traffic deviation ratio and the historical traffic deviation ratio, and then determine, based on the steep slope of the current detection moment, whether the current detection moment is an abnormal flow moment. The traffic abnormality detection solution provided by the embodiments of the present invention relies on the fact that, when an inspected network element works normally, the total traffic flowing into and out of all its ports is basically balanced, but when packet loss, illegal duplication or other abnormalities occur in its data routing and switching processing, the balance of its received and sent traffic is broken. The solution can therefore measure the balance of the received and sent traffic of the inspected network element and determine the moments at which that balance changes steeply, thereby detecting the moments at which the traffic of the inspected network element is abnormal. Compared with related traffic monitoring solutions, the traffic abnormality detection solution provided by the embodiments of the present invention can more effectively find abnormalities that do not cause the traffic to exceed its limit, improve the comprehensiveness of traffic monitoring of the inspected network element, and increase the accuracy and reliability of the detection result.
Other features and corresponding beneficial effects of the present invention are set forth in the later part of the specification, and it should be understood that at least some of the beneficial effects become apparent from the description in the specification of the present invention.
Description of the drawings
FIG. 1 is a flowchart of a traffic abnormality detection method provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of the traffic deviation ratio of an inspected network element over one day according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the traffic deviation ratio of another inspected network element over one day according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a relationship between time windows and detection moments according to an embodiment of the present invention;
FIG. 5 is a flowchart of a network device adjusting the normal slope range according to an embodiment of the present invention;
FIG. 6 shows a network device determining an automatically marked abnormal set according to an embodiment of the present invention;
FIG. 7 is a flowchart of a traffic abnormality detection method provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of the traffic deviation ratio of another inspected network element over one day according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a traffic abnormality detection device provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of another structure of a traffic abnormality detection device provided by an embodiment of the present invention;
FIG. 11 is a schematic diagram of another structure of a traffic abnormality detection device provided by an embodiment of the present invention;
FIG. 12 is a schematic diagram of a hardware structure of a network device provided by an embodiment of the present invention.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below through specific implementations in conjunction with the accompanying drawings. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
With the continuous development of communication networks, the pressure on network operation and maintenance keeps growing, and the traditional, largely manual operation and maintenance model can no longer meet the requirements: its operation and maintenance investment keeps rising, yet the network failure rate and the timeliness of failure response have not improved.
Traditional traffic monitoring solutions generally set fixed thresholds, based on manual experience, for indicators such as port bandwidth utilization and CPU utilization; if, during detection, some indicator of a port of the inspected network element is found to exceed the fixed threshold for that indicator, an abnormality is judged to have been monitored and an alarm can be raised. Clearly, this kind of traffic monitoring simply decides from a threshold whether a detected indicator value is normal. This is effective for monitoring abnormalities in which peak traffic exceeds a limit, but if an abnormality does not cause port traffic to exceed a limit, such a traditional traffic monitoring solution cannot perceive it. For example, if heavy packet loss or a large number of illegally duplicated packets occur in the inspected network element but do not cause traffic to exceed a limit, the traditional traffic monitoring solution will not recognize these abnormalities.
To solve the above problem, this embodiment provides a traffic anomaly detection method; refer to the flowchart shown in FIG. 1, which includes the following steps:
S102: Collect the received traffic and sent traffic of each port of the inspected network element at the current detection moment.
Under normal operation, the total traffic flowing into and out of all ports of an inspected network element should be essentially balanced; that is, in a network dominated by unicast services, the sent traffic and received traffic of each inspected network element are roughly equal. When packet loss, illegal duplication or similar phenomena occur during the inspected network element's data routing and switching, the balance between its received and sent traffic is broken.
Therefore, in this embodiment, while detecting traffic anomalies of an inspected network element, the received traffic and sent traffic of each of its ports can be collected. For example, suppose an inspected network element has 4 ports, namely port a, port b, port c and port d. While detecting traffic anomalies of this network element, the network device can collect the received and sent traffic of port a and the received and sent traffic of port b, and it likewise collects the received and sent traffic of port c and port d.
In some examples of this embodiment, while detecting traffic anomalies of an inspected network element, the network device may collect the received and sent traffic of each of its ports periodically. In one example the network device uses 15 minutes as the detection granularity, that is, it collects the received and sent traffic of each port of the inspected network element every 15 minutes. Optionally, assuming the network device first collects the sent and received traffic of each port of the inspected network element at 00:00, it will next collect the received and sent traffic of each port at 00:15, and the third collection takes place at 00:30, and so on. Moments such as 00:00, 00:15 and 00:30 are referred to in this embodiment as detection moments. Assuming the current time is 00:15, then 00:15 is the current detection moment and 00:00 is a historical detection moment.
It will be understood that in some other examples of this embodiment the network device need not collect traffic periodically when detecting traffic anomalies of the inspected network element; that is, when the network device collects the received and sent traffic of the inspected network element, the time intervals between successive detection moments are not necessarily all the same.
S104: Determine the real-time window deviation ratio of the inspected network element in the current time window from the collected received traffic and sent traffic.
After collecting the received and sent traffic of each port of the inspected network element at the current detection moment, the network device can determine the real-time window deviation ratio of the inspected network element in the current time window; the real-time window deviation ratio is the traffic deviation ratio of the inspected network element in the current time window.
First, the "traffic deviation ratio" is explained. For the inspected network element, its traffic deviation ratio at a given detection moment can be the ratio of the sum of the received traffic of all its ports at that detection moment to the sum of their sent traffic, for example:
bias = N_recv / N_send;
where bias is the traffic deviation ratio and N_recv is the sum of the received traffic of all ports of the inspected network element at the detection moment, which can be calculated by the following formula:
Figure PCTCN2020096847-appb-000001
where n is the total number of ports of the inspected network element, i denotes the i-th port, and
Figure PCTCN2020096847-appb-000002
denotes the received traffic of the i-th port of the inspected network element at the detection moment.
N_send is the sum of the sent traffic of all ports of the inspected network element at the detection moment, which can be calculated by the following formula:
Figure PCTCN2020096847-appb-000003
where n is the total number of ports of the inspected network element, i denotes the i-th port, and
Figure PCTCN2020096847-appb-000004
denotes the sent traffic of the i-th port of the inspected network element at the detection moment.
The traffic deviation ratio of an inspected network element mainly characterizes the balance between the sent traffic and received traffic of the element's ports. It is therefore clear that the traffic deviation ratio of the inspected network element need not be the ratio of the sum of received traffic to the sum of sent traffic; it may also be the ratio of sent traffic to received traffic, that is:
bias = N_send / N_recv;
However, it should be noted that each time the network device determines the traffic deviation ratio of the inspected network element, it should use the same way of calculating the traffic deviation ratio. For example, in some examples, if, when first calculating the traffic deviation ratio of an inspected network element, the network device calculates the ratio of the sum of the received traffic to the sum of the sent traffic of the element's ports at the first detection moment, then at subsequent detection moments the network device should also calculate the ratio of the sum of the received traffic to the sum of the sent traffic, and should not in some later calculation suddenly switch to the ratio of the sum of the sent traffic to the sum of the received traffic of the element's ports. FIG. 2 and FIG. 3 respectively show schematic diagrams of the traffic deviation ratios of two inspected network elements on the same day, where the vertical axis bias represents the traffic deviation ratio and the horizontal axis represents time.
The current time window is the time window corresponding to the current detection moment, and the "real-time window deviation ratio" is simply the traffic deviation ratio of the inspected network element in the current time window. A time window contains at least one detection moment. For example, in one example of this embodiment the time window contains only one detection moment, in which case the real-time window deviation ratio of the inspected network element in the current time window is just its traffic deviation ratio at the current detection moment. If, however, a time window contains two or more detection moments, the real-time window deviation ratio of the inspected network element in the current time window is the mean of its traffic deviation ratios at the detection moments within the current time window. For example, in one example the time window contains three detection moments; refer to FIG. 4, which shows one relationship between time windows and detection moments, where the vertical axis bias represents the traffic deviation ratio and the horizontal axis represents time:
Assuming the current detection moment is the n-th detection moment, the current time window 401 is the time window corresponding to the n-th detection moment, and it contains the n-th, the (n-1)-th and the (n-2)-th detection moments. The historical time window 402 is the time window corresponding to the previous detection moment (the (n-1)-th detection moment), and it contains the (n-1)-th, the (n-2)-th and the (n-3)-th detection moments.
Further assuming that the traffic deviation ratios of the inspected network element at the n-th, (n-1)-th, (n-2)-th and (n-3)-th detection moments are b_n, b_{n-1}, b_{n-2} and b_{n-3} respectively, the real-time window deviation ratio of the inspected network element is (b_n + b_{n-1} + b_{n-2})/3, and its historical window deviation ratio is (b_{n-1} + b_{n-2} + b_{n-3})/3.
It will be understood that if the current detection moment is the n-th detection moment, then, when determining the real-time window deviation ratio, the network device only needs to calculate the traffic deviation ratio b_n of the n-th detection moment from the received and sent traffic obtained in the n-th collection. The other traffic deviation ratios b_{n-1} and b_{n-2} that enter the real-time window deviation ratio were already calculated during earlier detections (b_{n-1} when the real-time window deviation ratio was calculated at the (n-1)-th detection moment, b_{n-2} when it was calculated at the (n-2)-th detection moment) and need not be calculated again.
S106: Determine the steep-change slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio.
According to the definition given by Hawkins, an anomaly is data that deviates from most of the data in a data set, which is why anomalous points are also called outliers. In this embodiment, therefore, the network device determines whether the current detection moment is an anomalous point (that is, a traffic anomaly moment) according to whether the traffic deviation ratio corresponding to the current detection moment deviates from the traffic deviation ratios of most detection moments.
The traffic deviation ratio of the inspected network element is a time-series indicator, and the main goal of monitoring it is to find promptly the moment at which it departs from its normal value, which is a change-point detection problem on a time series. Change-point theory is a classic branch of statistics. Its basic definition is that, in a sequence or process, when some statistical property (distribution type, distribution parameters) changes at a certain point in time because of systematic rather than accidental factors, that point in time is called a change point. Change-point detection uses statistics or statistical methods to locate the change point.
Therefore, after calculating the real-time window deviation ratio corresponding to the current detection moment of the inspected network element, the network device can determine the steep-change slope of the inspected network element at the current detection moment from its real-time window deviation ratio and historical window deviation ratio. The steep-change slope characterizes the degree to which the real-time window deviation ratio at the current detection moment has changed relative to the historical window deviation ratio.
In this embodiment, the steep-change slope of the current detection moment can be determined according to the following formula:
Figure PCTCN2020096847-appb-000005
where n denotes the n-th detection moment, M_n denotes the traffic deviation ratio of the inspected network element in the time window corresponding to the n-th detection moment, M_{n-1} denotes the traffic deviation ratio of the inspected network element in the time window corresponding to the (n-1)-th detection moment, and K_n is the steep-change slope of the n-th detection moment. If the current detection moment is the n-th detection moment, K_n is the steep-change slope corresponding to the current detection moment.
It will be understood that the historical window deviation ratio of the inspected network element is calculated after the network device performs the (n-1)-th collection of received and sent traffic for that element. Therefore, in this embodiment, after calculating the real-time window deviation ratio corresponding to the n-th detection moment, the network device records it so that it can enter the calculation at the (n+1)-th moment as the historical window deviation ratio.
S108: Determine, based on the steep-change slope of the current detection moment, whether the current detection moment is a traffic anomaly moment.
After calculating the steep-change slope corresponding to the current detection moment of the inspected network element, the network device can determine from that slope whether the traffic of the inspected network element is abnormal at the current detection moment, that is, whether the current detection moment is a traffic anomaly moment.
It will be understood that if the traffic of the inspected network element is normal at the n-th detection moment, its steep-change slope at the n-th detection moment will be close to 1. In some examples of this embodiment, the network device stores a parameter that delimits the normal slope range; here the normal slope range is assumed to be (1/Q, Q), where Q is a positive number, so the values in (1/Q, Q) are all relatively close to 1.
Naturally, the union of the range below 1/Q and the range above Q is the abnormal slope range. Therefore, in some examples of this embodiment, when determining whether the traffic of the inspected network element is abnormal at the n-th detection moment, the network device can determine whether the steep-change slope of the inspected network element at the n-th detection moment lies within the normal slope range; if so, it judges that the detection moment is not a traffic anomaly moment, and if not, it judges that the detection moment is a traffic anomaly moment of the inspected network element.
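Steps S102 to S108 above, worked through in code. This is an added example written for this page, not code from the patent or from the applicant. The per-port counters are constructed sample values, the window of three detection moments and the normal range (1/Q, Q) with Q = 1.3 are choices made for the example, and defining the steep-change slope as the ratio K_n = M_n / M_{n-1} is an assumption: the page gives the formula only as an image and states only that K_n is derived from M_n and M_{n-1} and is close to 1 when traffic is normal.

```python
"""Windowed traffic-deviation-ratio detector (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# (received, sent) byte counts for one port at one detection moment
PortCounters = Sequence[Tuple[int, int]]

# Constructed sample: 7 detection moments at 15-minute granularity for a
# 4-port network element. Moments 4 and 5 imitate heavy packet loss inside
# the element (sent traffic collapses while received traffic stays flat);
# moment 6 is partly recovered. No single port ever exceeds a bandwidth limit.
SAMPLE_COUNTERS: List[PortCounters] = [
    [(250, 250), (250, 250), (250, 250), (250, 250)],  # bias 1.00
    [(255, 250), (250, 250), (255, 250), (250, 250)],  # bias 1.01
    [(245, 250), (250, 250), (245, 250), (250, 250)],  # bias 0.99
    [(250, 250), (250, 250), (250, 250), (250, 250)],  # bias 1.00
    [(250, 100), (250, 100), (250, 100), (250, 100)],  # bias 2.50
    [(250, 100), (250, 100), (250, 100), (250, 100)],  # bias 2.50
    [(250, 200), (250, 200), (250, 200), (250, 200)],  # bias 1.25
]


def traffic_bias(ports: PortCounters) -> float:
    """bias = N_recv / N_send, each summed over every port of the element (S104)."""
    n_recv = sum(recv for recv, _ in ports)
    n_send = sum(send for _, send in ports)
    if n_send == 0:
        # The page does not define the ratio for an element that sent nothing;
        # refuse rather than silently report an infinite deviation.
        raise ValueError("no traffic sent in this detection moment")
    return n_recv / n_send


@dataclass
class Detection:
    index: int              # detection moment n
    bias: float             # b_n, the element's deviation ratio at moment n
    window_bias: float      # M_n, mean of b over the current time window
    slope: Optional[float]  # K_n; None at the first moment (no historical window yet)
    abnormal: bool


def detect(counters: Sequence[PortCounters], window: int = 3,
           q: float = 1.3) -> List[Detection]:
    """Run S102-S108 over a series of per-port counter snapshots.

    window: number of detection moments in one time window (>= 1).
    q:      the normal slope range is the open interval (1/q, q), q > 1.
    K_n = M_n / M_{n-1} is an assumption (see the lead-in), not the page's formula.
    """
    if window < 1 or q <= 1:
        raise ValueError("window must be >= 1 and q > 1")
    biases: List[float] = []
    results: List[Detection] = []
    prev_window_bias: Optional[float] = None
    for n, ports in enumerate(counters):
        b_n = traffic_bias(ports)
        biases.append(b_n)
        # Current window = this moment plus the (window - 1) moments before it;
        # earlier b values are reused from previous rounds, not recomputed.
        recent = biases[-window:]
        m_n = sum(recent) / len(recent)
        k_n = None if prev_window_bias is None else m_n / prev_window_bias
        abnormal = k_n is not None and not (1 / q < k_n < q)
        results.append(Detection(n, b_n, m_n, k_n, abnormal))
        prev_window_bias = m_n  # recorded to serve as M_{n-1} in the next round
    return results


def abnormal_moments(counters: Sequence[PortCounters], window: int = 3,
                     q: float = 1.3) -> List[int]:
    """Indices of the detection moments judged to be traffic anomaly moments."""
    return [d.index for d in detect(counters, window, q) if d.abnormal]


if __name__ == "__main__":
    for d in detect(SAMPLE_COUNTERS):
        k_text = "-" if d.slope is None else "%.3f" % d.slope
        print("n=%d b=%.3f M=%.3f K=%s abnormal=%s"
              % (d.index, d.bias, d.window_bias, k_text, d.abnormal))
```

With the sample data, moments 4 and 5 are flagged although every port stays at its usual received volume, which is exactly the case the page says a fixed per-port threshold misses. The window mean also shows the trade-off the page leaves to the operator: with a window of three the onset of the loss is diluted across neighbouring moments, so Q has to sit closer to 1 than it would with a window of one, where the same data is caught with a much wider normal range.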
In some examples of this embodiment, the value of Q may be fixed, for example set by network operation and maintenance personnel on the basis of extensive empirical values; it will be understood that the Q set by the operation and maintenance personnel should ensure that all network abnormalities of the inspected network element are detected as accurately as possible. In other examples of this embodiment, the value of Q can be adjusted adaptively: for example, the initial value of Q is set by operation and maintenance personnel from experience, but as the network device keeps performing traffic anomaly detection on the inspected network element, it can adjust the value of Q according to the accuracy of its own detection results, thereby reducing false detections and/or missed detections in the traffic anomaly detection process. Refer to FIG. 5, which shows a flowchart of adjusting the normal slope range:
S502: Add the traffic anomaly moments detected within a certain time period to the automatically marked anomaly set.
In this embodiment, the network device may adjust the value of Q at regular intervals; it goes without saying that adjusting the value of Q is in effect adjusting the normal slope range. Assume here that the network device adjusts the normal slope range every two hours.
Within these two hours, if the time difference between two adjacent detection moments of the network device is 15 minutes, the network device may have performed 8 detections on the inspected network element, and some of these 8 detection moments will have been judged to be traffic anomaly moments. The network device can add the traffic anomaly moments among these 8 detection moments to the automatically marked anomaly set, which is the set of traffic anomaly moments marked mechanically by the network device.
It will be understood that if the steep-change slope between the real-time window deviation ratio and the historical window deviation ratio at a detection moment is relatively large, there may be two situations:
In the first, the traffic condition represented by the real-time window deviation ratio is better than that represented by the historical window deviation ratio, that is, the absolute difference between the real-time window deviation ratio and 1 is smaller than the absolute difference between the historical window deviation ratio and 1. This means that although there is a traffic abnormality at the current detection moment, it is because the traffic abnormality is gradually recovering, so the traffic anomaly moment at the current detection moment is in fact in a recovering state.
In the second, the traffic condition represented by the real-time window deviation ratio is worse than that represented by the historical window deviation ratio, that is, the absolute difference between the real-time window deviation ratio and 1 is greater than the absolute difference between the historical window deviation ratio and 1. This means that there is a traffic abnormality at the current detection moment and that it is getting worse, so the traffic anomaly moment at the current detection moment is in fact in a deteriorating state.
In the process of detecting traffic anomalies of the inspected network element, the network device only needs to pay attention to the points at which an abnormality occurs or worsens; traffic anomaly moments that already show a recovery trend need not concern it. Therefore, in some examples of this embodiment, the network device may determine the automatically marked anomaly set by referring to the flowchart shown in FIG. 6:
S602: The network device determines all traffic anomaly moments within the time period;
S604: For each traffic anomaly moment within the time period, the network device determines, from the steep-change slope of that moment and the historical steep-change slope, whether the abnormality at that moment is in a recovering state or a deteriorating state;
S606: The network device removes the traffic anomaly moments that are in a recovering state and takes the remaining traffic anomaly moments as the automatically marked anomaly set.
S504: Compare the traffic anomaly moments in the manually marked anomaly set with the traffic anomaly moments in the automatically marked anomaly set.
On the other hand, in order to check how accurately it detected the traffic anomaly moments during these two hours, the network device also obtains the manually marked anomaly set corresponding to the automatically marked anomaly set; the manually marked anomaly set is the result of manual marking of the traffic anomaly moments within the same two hours. Here the traffic anomaly moments in the manually marked anomaly set can be regarded as entirely correct, with no incorrect marking, and the manually marked anomaly set is taken to contain all traffic anomaly moments within these two hours, with no omissions.
Having obtained the manually marked anomaly set and the automatically marked anomaly set, the network device can compare the traffic anomaly moments in the manually marked anomaly set with those in the automatically marked anomaly set.
If the network device needs to check for incorrect marking in the automatically marked anomaly set, that is, to determine the false-detection rate of the automatically marked anomaly set, it can determine the false-detection anomalies in the automatically marked anomaly set; a false-detection anomaly is a traffic anomaly moment that exists in the automatically marked anomaly set but not in the manually marked anomaly set.
If the network device needs to check for omissions in the automatically marked anomaly set, that is, to determine the missed-detection rate of the automatically marked anomaly set, it can determine the missed anomalies of the automatically marked anomaly set; a missed anomaly is a traffic anomaly moment that exists in the manually marked anomaly set but not in the automatically marked anomaly set.
S506: Adjust the normal slope range according to the comparison result.
In some examples of this embodiment, the network device can determine its own false-detection rate according to the following formula:
Figure PCTCN2020096847-appb-000006
If the network device determines that the false-detection rate of the automatically marked anomaly set has reached the preset false-detection threshold, it can determine the steep-change slope corresponding to each false-detection anomaly, then determine the Q value corresponding to each steep-change slope, and then select the largest of these Q values as the adjusted Q value. For example, if the network device determines that the false-detection rate of the automatically marked anomaly set has reached the preset false-detection threshold and the set contains 3 false-detection anomalies whose steep-change slopes are 1.5, 2 and 2.5 respectively, then the Q values corresponding to these three slopes are 1.5, 2 and 2.5, so the updated Q value is 2.5. As another example, if the steep-change slopes corresponding to 3 false-detection anomalies are 1/4, 1/3 and 1/2, the Q values corresponding to these three slopes are 4, 3 and 2, so the updated Q value is 4.
This adjustment increases the Q value and hence the normal slope range, thereby reducing the likelihood that a moment of normal traffic is detected by the network device as a traffic anomaly moment.
The network device can also determine its own missed-detection rate according to the following formula:
Figure PCTCN2020096847-appb-000007
If the network device determines that the missed-detection rate of the automatically marked anomaly set has reached the preset missed-detection threshold, it can determine the steep-change slope corresponding to each missed anomaly and then update the Q value according to the minimum among those slopes. Optionally, the network device may determine the Q value corresponding to each steep-change slope and then select the smallest of those Q values as the updated Q value. For example, if the network device determines that the missed-detection rate of the automatically marked anomaly set has reached the preset missed-detection threshold and the set contains 3 missed anomalies whose steep-change slopes are 1/2, 1/3 and 3 respectively, the Q values corresponding to these three slopes are 2, 3 and 3; in order to recognize these 3 missed anomalies as traffic anomaly moments, the network device can adjust the value of Q to 2. It should be understood that the value of Q before the adjustment must have been greater than 3, so this adjustment in fact reduces the Q value and thereby enlarges the abnormal slope range, reducing the likelihood that a traffic anomaly moment goes undetected by the network device.
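The adjustment of Q in S502 to S506, together with the S602 to S606 removal of recovering moments, as an added example; this is not the patent's code. The Moment records, the review period of eight 15-minute detections and the operator-marked set are constructed. Because the page's rate formulas survive only as images, the false-detection rate (false detections divided by the size of the automatically marked set) and the missed-detection rate (missed anomalies divided by the size of the manually marked set) are assumed definitions, and applying the false-detection adjustment before the missed-detection adjustment when both thresholds are reached in one period is likewise an assumption the page does not settle.

```python
"""Adaptive adjustment of the normal slope range (1/Q, Q), S502-S506 with the
S602-S606 recovery filter. Added example, not the patent's code."""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Moment:
    """One detection moment within the review period (constructed record)."""
    index: int
    slope: float         # K_n at this moment
    window_bias: float   # M_n, real-time window deviation ratio
    history_bias: float  # M_{n-1}, historical window deviation ratio
    flagged: bool        # detector judged the moment abnormal (K_n outside (1/Q, Q))


# Constructed review period: 8 detections over two hours, run with Q = 1.3.
# M_n and M_{n-1} are kept consistent with slope = M_n / M_{n-1}.
REVIEW_PERIOD: List[Moment] = [
    Moment(0, 1.00, 1.00, 1.00, False),
    Moment(1, 1.50, 1.50, 1.00, True),   # onset of a real loss event
    Moment(2, 2.00, 3.00, 1.50, True),   # flagged; operators found nothing wrong
    Moment(3, 0.50, 1.50, 3.00, True),   # flagged while recovering: dropped by S606
    Moment(4, 2.50, 3.75, 1.50, True),   # flagged; operators found nothing wrong
    Moment(5, 1.00, 3.75, 3.75, False),
    Moment(6, 1.00, 3.75, 3.75, False),
    Moment(7, 1.00, 3.75, 3.75, False),
]
MANUAL_MARKED: Set[int] = {1}  # constructed operator marking for the same period

# Constructed second period, run with Q = 4: the page's missed-detection example
# (slopes 1/2, 1/3 and 3 all lie inside (1/4, 4), so none was flagged).
MISSED_PERIOD: List[Moment] = [
    Moment(0, 1.0, 1.0, 1.0, False),
    Moment(1, 0.5, 0.5, 1.0, False),
    Moment(2, 1 / 3, 1 / 3, 1.0, False),
    Moment(3, 3.0, 3.0, 1.0, False),
]
MISSED_MANUAL: Set[int] = {1, 2, 3}


def is_recovering(m: Moment) -> bool:
    """Recovering state: the real-time ratio is closer to 1 than the historical one."""
    return abs(m.window_bias - 1) < abs(m.history_bias - 1)


def auto_marked_set(moments: Iterable[Moment]) -> Set[int]:
    """S602-S606: flagged moments, minus those whose abnormality is already recovering."""
    return {m.index for m in moments if m.flagged and not is_recovering(m)}


def q_for_slope(k: float) -> float:
    """Smallest Q whose normal range (1/Q, Q) reaches slope k (page's Q-per-slope rule)."""
    return max(k, 1 / k)


def false_detection_rate(auto: Set[int], manual: Set[int]) -> float:
    # Assumed definition: false detections / automatically marked moments.
    return len(auto - manual) / len(auto) if auto else 0.0


def missed_detection_rate(auto: Set[int], manual: Set[int]) -> float:
    # Assumed definition: missed anomalies / manually marked moments.
    return len(manual - auto) / len(manual) if manual else 0.0


def adjust_q(q: float, moments: List[Moment], manual: Set[int],
             fd_threshold: float = 0.5, md_threshold: float = 0.5) -> float:
    """S504-S506: compare the two sets, then widen or narrow the normal range."""
    slope_of = {m.index: m.slope for m in moments}
    auto = auto_marked_set(moments)
    false_detections = auto - manual
    missed = manual - auto
    if false_detections and false_detection_rate(auto, manual) >= fd_threshold:
        # Too many false alarms: raise Q to the largest Q implied by a false detection.
        q = max(q_for_slope(slope_of[i]) for i in false_detections)
    if missed and missed_detection_rate(auto, manual) >= md_threshold:
        # Too many misses: lower Q to the smallest Q implied by a missed anomaly.
        q = min(q_for_slope(slope_of[i]) for i in missed)
    return q


if __name__ == "__main__":
    print("auto set:", sorted(auto_marked_set(REVIEW_PERIOD)))
    print("Q after review period:", adjust_q(1.3, REVIEW_PERIOD, MANUAL_MARKED))
    print("Q after missed period:", adjust_q(4.0, MISSED_PERIOD, MISSED_MANUAL))
```

In the first period the recovering moment 3 never counts against the detector, the two disputed moments push Q from 1.3 up to 2.5, and in the second period the three misses pull Q from 4 down to 2, matching the worked numbers in the text. Since the page treats the manual set as ground truth, the adjusted Q is only as good as that marking; the two thresholds are what keep a single disputed moment from moving the range, so they deserve the same review as Q itself.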
The traffic anomaly detection method provided in this embodiment analyses the traffic deviation ratio of the inspected network element and, based on the steep slope, identifies the moments at which the deviation ratio changes sharply as abnormal traffic moments. This scheme can effectively identify anomalies that do not cause the inspected network element's traffic to exceed its limit, providing a basis for network optimisation.
Furthermore, because the network device can adjust the parameters used to decide abnormal traffic moments according to its own labelling of traffic anomalies, those parameters become more accurate and better matched to the actual state of the network, which improves the accuracy of traffic anomaly detection and reduces false and missed detections.
This embodiment continues the description of the traffic anomaly detection method of the foregoing embodiments; see the flowchart in FIG. 7, which includes the following steps:
S702: Collect the received traffic and sent traffic of each port of the inspected network element at the current detection moment.
A network device used for traffic anomaly monitoring may monitor two or more inspected network elements at the same time, so when it collects port traffic it does so for all ports of all the network elements it monitors. After obtaining the collection results, the network device therefore needs to determine, from the asset relationship data (which records the correspondence between inspected network elements and ports), which inspected network element each result belongs to, and then determine the abnormal traffic moments for each inspected network element separately.
In this embodiment the network device may perform detection every 15 minutes, i.e. the detection granularity is 15 minutes. If the granularity is set too coarse, the network device cannot detect anomalies that appear and recover within a short time; for example, with a granularity of 3 hours, the network device cannot detect the anomaly shown in FIG. 8.
Although a finer detection granularity lets the network device detect more small anomalies, it also raises the detection frequency and so consumes more processing resources. The network device may therefore set the detection granularity according to its own processing capacity.
S704: Determine whether received traffic and sent traffic were collected for at least two ports of the inspected network element.
After the network device has collected the received and sent traffic of each port of the inspected network element, it may find that, among the ports of that network element, only one port has valid traffic data. In a real network this situation is itself an anomaly: a normal network element acting as a data exchange node has at least two working ports to exchange data between source and destination, so single-port "self-switching" is in practice likely the result of some fault that prevented part of the port traffic from being collected. Moreover, observing the data of a network element with only one valid port shows that its received and sent traffic fluctuate strongly, so its traffic deviation ratio fluctuates strongly too. Such fluctuation readily produces large steep slopes, so the current detection moment is easily identified by the network device as an abnormal traffic moment. But when part of the port data is missing, this single-port deviation ratio anomaly is not the network-element deviation ratio anomaly we want to capture. In some examples of this embodiment the network device therefore excludes network elements for which only single-port data is valid.
If the judgement result is yes, the network device proceeds to S706; otherwise the process ends.
S706: Determine whether the received traffic and sent traffic of every port of the inspected network element at the current detection moment are all zero.
For various reasons the traffic data collected by the network device will inevitably have gaps; for example, an inspected network element may show zero received and sent traffic on every port. In traditional big-data processing, filling in missing values is a common way to handle such gaps; common methods include filling with the mean of the neighbouring values, filling with the mode, linear-regression filling, and so on. For machine learning training data such filling is generally effective, but for the traffic anomaly detection scheme of this embodiment it often has a large effect on the result: most filling methods smooth the data, so that the network device can no longer detect the original anomalies from the steep rises and falls of the traffic deviation ratio.
Therefore, in this embodiment, if the network device determines that the received and sent traffic of every port of the inspected network element at the current detection moment are all zero, S718 is executed.
S708: Determine the real-time window deviation ratio of the inspected network element in the current time window from the collected received traffic and sent traffic.
After collecting the received and sent traffic of each port of the inspected network element at the current detection moment, the network device can determine the real-time window deviation ratio of that network element in the current time window. In one example of this embodiment a time window includes three detection moments, so the network device determines the real-time window deviation ratio for the current detection moment from the traffic deviation ratio at the current moment and the traffic deviation ratios at the two preceding detection moments.
S710: Determine the steep slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio.
After computing the real-time window deviation ratio for the current detection moment, the network device computes the ratio of that value to the historical window deviation ratio, which gives the steep slope of the inspected network element at the current detection moment.
S712: Determine, based on the steep slope of the current detection moment, whether the current detection moment is an abnormal traffic moment.
After computing the steep slope of the inspected network element at the current detection moment, the network device can determine from it whether the traffic of that network element is abnormal at that moment. Optionally, the network device checks whether the steep slope of the current detection moment lies within the normal slope range (1/Q, Q); if so, the detection moment is not an abnormal traffic moment; if not, it is an abnormal traffic moment of the inspected network element.
In some examples of this embodiment, if the network device determines that the current detection moment is an abnormal traffic moment of the inspected network element, it further determines whether that moment is an abnormal traffic moment in a deteriorating state:
S714: Determine, from the steep slope at the abnormal traffic moment and the historical steep slope, whether the anomaly at the abnormal traffic moment is in a deteriorating state.
If the judgement result is yes, S716 is executed; otherwise S718 is executed.
S716: Record this abnormal traffic moment.
If the anomaly at the abnormal traffic moment is judged to be deteriorating on the basis of its steep slope and the historical steep slope, the network device records that abnormal traffic moment for use in subsequent network optimisation.
S718: Determine whether a new detection moment has been reached.
If the judgement result is yes, return to S702; otherwise keep checking.
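The S702 to S718 loop as an added example (not code from the patent), run over constructed two-port counters: a port whose counters were not collected is None, all-zero samples are dropped rather than filled, a window is three detection moments and Q = 2. The deteriorating-versus-recovering criterion in S714 is an assumption, since the page does not spell it out.

```python
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# A sample is {port: (received, sent)}; None means that port's counters were not
# collected. All data below is constructed, not measurements from the patent.
Sample = Dict[str, Optional[Tuple[int, int]]]
WINDOW = 3  # detection moments per time window, as in the embodiment


def deviation_ratio(sample: Sample) -> Optional[Fraction]:
    """Traffic deviation ratio of one moment: sum(received) / sum(sent) over the
    collected ports. None when every counter is zero (S706): such samples are
    skipped, never filled, because filling smooths away the steep changes."""
    collected = [v for v in sample.values() if v is not None]
    rx = sum(r for r, _ in collected)
    tx = sum(t for _, t in collected)
    if rx == 0 and tx == 0:
        return None
    # Assumption: received traffic with nothing sent has no usable ratio either.
    return None if tx == 0 else Fraction(rx, tx)


class Detector:
    def __init__(self, q) -> None:
        self.q = Fraction(q)
        self.ratios: List[Fraction] = []                      # accepted per-moment ratios
        self.prev_window: Optional[Fraction] = None           # historical window deviation ratio
        self.last_abnormal_slope: Optional[Fraction] = None   # historical steep slope
        self.slopes: Dict[int, Fraction] = {}                 # steep slope per judged moment
        self.recorded: List[int] = []                         # S716: deteriorating anomalies

    def step(self, moment: int, sample: Sample) -> str:
        # S704: at least two collected ports, otherwise a single port's
        # self-switching fluctuation would be mistaken for an anomaly.
        if sum(v is not None for v in sample.values()) < 2:
            return "skipped_single_port"
        ratio = deviation_ratio(sample)
        if ratio is None:
            return "skipped_zero_traffic"
        self.ratios.append(ratio)
        if len(self.ratios) < WINDOW:
            return "warming_up"
        # S708: real-time window deviation ratio = mean over the current window
        window = sum(self.ratios[-WINDOW:]) / WINDOW
        if self.prev_window is None:
            self.prev_window = window
            return "warming_up"
        # S710: steep slope = real-time window ratio / historical window ratio
        slope = window / self.prev_window
        self.prev_window = window
        self.slopes[moment] = slope
        # S712: normal slope range (1/Q, Q); a slope exactly on an edge is abnormal
        if 1 / self.q < slope < self.q:
            return "normal"
        # S714, assumed criterion: a jump opposite in direction to the previous
        # anomaly means the ratio is reverting (recovering); the same direction,
        # or no earlier anomaly, means the deviation is growing (deteriorating).
        prev = self.last_abnormal_slope
        self.last_abnormal_slope = slope
        if prev is not None and (prev > 1) != (slope > 1):
            return "abnormal_recovering"
        self.recorded.append(moment)  # S716: only deteriorating anomalies are kept
        return "abnormal_deteriorating"


def run(samples: List[Sample], q) -> Tuple[List[str], List[int]]:
    """S718 loop: feed the detection moments in order (15-minute granularity in
    the embodiment) and return the per-moment verdicts plus recorded anomalies."""
    det = Detector(q)
    verdicts = [det.step(i, s) for i, s in enumerate(samples)]
    return verdicts, det.recorded


# Constructed counters for two ports A and B of one inspected network element.
SAMPLES: List[Sample] = [
    {"A": (100, 50), "B": (50, 100)},   # m0  ratio 1
    {"A": (120, 60), "B": (60, 120)},   # m1  ratio 1
    {"A": (90, 45), "B": (45, 90)},     # m2  ratio 1, first full window
    {"A": (100, 50), "B": (50, 100)},   # m3  ratio 1, first slope judged
    {"A": (0, 0), "B": (0, 0)},         # m4  all zero: dropped, not filled
    {"A": (300, 50), "B": None},        # m5  one port collected: dropped
    {"A": (900, 50), "B": (100, 150)},  # m6  ratio 5: received traffic jumps
    {"A": (900, 50), "B": (100, 150)},  # m7  ratio stays 5: no new jump
    {"A": (100, 50), "B": (50, 100)},   # m8  back to ratio 1
    {"A": (100, 50), "B": (50, 100)},   # m9
    {"A": (100, 50), "B": (50, 100)},   # m10 window back to 1: recovering jump
]

if __name__ == "__main__":
    verdicts, recorded = run(SAMPLES, 2)
    for i, v in enumerate(verdicts):
        print(f"m{i}: {v}")
    print("recorded (deteriorating) anomaly moments:", recorded)
```

Moment 7 shows the point of slope-based detection: the deviation ratio is still 5, far from its usual 1, but no new jump occurred, so only the change at moment 6 is flagged, and the return to 1 at moment 10 is classed as recovery and not recorded.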
In this embodiment the network device may also evaluate its own false detection rate and missed detection rate periodically and adjust the normal slope range according to the evaluation result, so as to lower the false detection rate and missed detection rate for abnormal traffic moments in subsequent detection. The evaluation and adjustment process has been described in detail in the foregoing embodiments and is not repeated here.
In the traffic anomaly detection method of this embodiment the network device monitors the traffic of the inspected network element and labels abnormal traffic moments automatically. This not only reduces the need for human labour; the detection process is also fast and efficient and can find traffic anomalies that conventional approaches cannot detect. In addition, the parameters used to decide abnormal traffic moments can be adjusted from feedback on the detection results, giving the results high accuracy and credibility.
Embodiments of the present invention further provide a traffic anomaly detection apparatus; see the schematic structural diagram in FIG. 9, in which:
The traffic anomaly detection apparatus 90 includes a traffic collection module 902, a deviation determination module 904, a slope determination module 906 and an anomaly determination module 908. The traffic collection module 902 is configured to collect the received and sent traffic of each port of the inspected network element at the current detection moment; the deviation determination module 904 is configured to determine the real-time window deviation ratio of the inspected network element in the current time window from the collected received and sent traffic; the slope determination module 906 is configured to determine the steep slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio, where the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection moment; and the anomaly determination module 908 is configured to determine, based on the steep slope of the current detection moment, whether the current detection moment is an abnormal traffic moment.
In some other examples of this embodiment, referring to FIG. 10, the traffic anomaly detection apparatus 90 further includes a preprocessing module 910 configured to determine whether the traffic collection module 902 has collected received and sent traffic for at least two ports of the inspected network element. Only if the preprocessing module 910 answers yes does the deviation determination module 904 compute the real-time window deviation ratio.
Alternatively, the preprocessing module 910 may be configured to determine whether the received and sent traffic of every port of the inspected network element at the current detection moment are all zero. Only if the preprocessing module 910 answers no does the deviation determination module 904 compute the real-time window deviation ratio.
In some examples of this embodiment a time window includes at least two detection moments; the deviation determination module 904 may determine the traffic deviation ratio of the current detection moment from the received and sent traffic collected at that moment, obtain the traffic deviation ratios of the other detection moments in the current time window, and take the mean of the traffic deviation ratios of all detection moments in the current time window as the real-time window deviation ratio.
The traffic deviation ratio of the current detection moment is the ratio of the sum of received traffic to the sum of sent traffic over all ports of the inspected network element collected at that moment.
In some examples of this embodiment, the anomaly determination module 908 may determine whether the steep slope of the current detection moment lies outside the normal slope range (1/Q, Q), where Q is a positive number; if so, the current detection moment is an abnormal traffic moment, and if not, it is not.
In some examples of this embodiment, as shown in FIG. 11, the traffic anomaly detection apparatus 90 may further include a parameter adjustment module 912 configured to evaluate multiple determination results of the anomaly determination module 908 and, according to at least one of the false detection rate and the missed detection rate, adjust the normal slope range that the anomaly determination module 908 uses to decide whether a detection moment is an abnormal traffic moment.
Optionally, the parameter adjustment module 912 may add the abnormal traffic moments detected within a certain period to an automatically labelled anomaly set, compare the abnormal traffic moments of a manually labelled anomaly set with those of the automatically labelled anomaly set, and adjust the normal slope range according to the comparison result.
In one example of this embodiment, the parameter adjustment module 912 determines the false detections in the automatically labelled anomaly set and then determines whether the false detection rate of that set reaches the preset false detection threshold; if so, it further determines the steep slope corresponding to each false detection and adjusts Q according to the maximum of those steep slopes.
In one example of this embodiment, the parameter adjustment module 912 determines the missed detections in the automatically labelled anomaly set and then determines whether the missed detection rate of that set reaches the preset missed detection threshold; if so, it further determines the steep slope corresponding to each missed detection and adjusts Q according to the maximum of those steep slopes.
Optionally, the parameter adjustment module 912 may first determine all abnormal traffic moments within a period and then, for each of them, determine from its steep slope and the historical steep slope whether the anomaly is in a recovering state or a deteriorating state; it then removes the recovering abnormal traffic moments and takes the remaining ones as the automatically labelled anomaly set.
The traffic anomaly detection apparatus 90 of this embodiment may be deployed on a network device, for example a network device in a bearer network. The function of the traffic collection module 902 may be implemented jointly by the processor and the communication unit of the network device, while the functions of the deviation determination module 904, the slope determination module 906, the anomaly determination module 908, the preprocessing module 910 and the parameter adjustment module 912 may all be implemented by the processor of the network device.
For other details of how the traffic anomaly detection apparatus implements the traffic anomaly detection method, see the foregoing embodiments; they are not repeated here.
The traffic anomaly detection apparatus provided in this embodiment analyses the traffic deviation ratio of the inspected network element and, based on the steep slope, identifies the moments at which the deviation ratio changes sharply as abnormal traffic moments. This scheme can effectively identify anomalies that do not cause the inspected network element's traffic to exceed its limit, providing a basis for network optimisation.
Furthermore, because the traffic anomaly detection apparatus can adjust the parameters used to decide abnormal traffic moments according to its own labelling of traffic anomalies, those parameters become more accurate and better matched to the actual state of the network, which improves the accuracy of traffic anomaly detection and reduces false and missed detections.
Embodiments of the present invention further provide a computer-readable storage medium, which may store one or more computer programs that can be read, compiled and executed by one or more processors. In this embodiment the computer-readable storage medium may store a traffic anomaly detection program that one or more processors can execute to carry out the flow of any of the traffic anomaly detection methods described in the foregoing embodiments.
In addition, this embodiment provides a network device, as shown in FIG. 12: the network device 120 includes a processor 121, a memory 122 and a communication bus 123 configured to connect the processor 121 and the memory 122, where the memory 122 may be the aforementioned computer-readable storage medium storing the traffic anomaly detection program. The processor 121 may read the traffic anomaly detection program, compile it and execute it to carry out the flow of the traffic anomaly detection method described in the foregoing embodiments:
The processor 121 collects the received and sent traffic of each port of the inspected network element at the current detection moment, determines from the collected received and sent traffic the real-time window deviation ratio of the inspected network element in the current time window, determines the steep slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio, and determines, based on the steep slope of the current detection moment, whether the current detection moment is an abnormal traffic moment.
In some other examples of this embodiment, the processor 121 is further configured to determine whether received and sent traffic were collected for at least two ports of the inspected network element. Only if the judgement result is yes does the processor 121 compute the real-time window deviation ratio.
Alternatively, the processor 121 may determine whether the received and sent traffic of every port of the inspected network element at the current detection moment are all zero. Only if the judgement result is no does the processor 121 compute the real-time window deviation ratio.
In some examples of this embodiment a time window includes at least two detection moments; the processor 121 may determine the traffic deviation ratio of the current detection moment from the received and sent traffic collected at that moment, obtain the traffic deviation ratios of the other detection moments in the current time window, and take the mean of the traffic deviation ratios of all detection moments in the current time window as the real-time window deviation ratio.
The traffic deviation ratio of the current detection moment is the ratio of the sum of received traffic to the sum of sent traffic over all ports of the inspected network element collected at that moment.
In some examples of this embodiment, the processor 121 may determine whether the steep slope of the current detection moment lies outside the normal slope range (1/Q, Q), where Q is a positive number; if so, the current detection moment is an abnormal traffic moment, and if not, it is not.
In some examples of this embodiment, the processor 121 may also evaluate its own multiple determination results and, according to at least one of the false detection rate and the missed detection rate, adjust the normal slope range used to decide whether a detection moment is an abnormal traffic moment.
Optionally, the processor 121 may add the abnormal traffic moments detected within a certain period to an automatically labelled anomaly set, compare the abnormal traffic moments of a manually labelled anomaly set with those of the automatically labelled anomaly set, and adjust the normal slope range according to the comparison result.
In one example of this embodiment, the processor 121 determines the false detections in the automatically labelled anomaly set and then determines whether the false detection rate of that set reaches the preset false detection threshold; if so, it further determines the steep slope corresponding to each false detection and adjusts Q according to the maximum of those steep slopes.
In one example of this embodiment, the processor 121 determines the missed detections in the automatically labelled anomaly set and then determines whether the missed detection rate of that set reaches the preset missed detection threshold; if so, it further determines the steep slope corresponding to each missed detection and adjusts Q according to those steep slopes.
Optionally, the processor 121 may first determine all abnormal traffic moments within a period and then, for each of them, determine from its steep slope and the historical steep slope whether the anomaly is in a recovering state or a deteriorating state; it then removes the recovering abnormal traffic moments and takes the remaining ones as the automatically labelled anomaly set.
For other details of how the traffic anomaly detection apparatus implements the traffic anomaly detection method, see the foregoing embodiments; they are not repeated here.
The network device provided in this embodiment can monitor the traffic of the inspected network element and label abnormal traffic moments automatically. This not only reduces the need for human labour; the detection process is also fast and efficient and can find traffic anomalies that conventional approaches cannot detect. In addition, the parameters used to decide abnormal traffic moments can be adjusted from feedback on the detection results, giving the results high accuracy and credibility.
The features of the various embodiments of the present invention may be combined with one another where they do not conflict.
Those skilled in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatus, may be implemented as software (realisable as program code executable by a computing device), firmware, hardware, or a suitable combination of these. In a hardware implementation the division between the functional modules/units mentioned above does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components working together. Some or all physical components may be implemented as software executed by a processor such as a central processing unit, digital signal processor or microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media and executed by a computing device, and in some cases the steps shown or described may be performed in an order different from that given here. Computer-readable media may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media. The present invention is therefore not limited to any particular combination of hardware and software.
The above is a further detailed description of the embodiments of the present invention in conjunction with specific implementations, and the specific implementation of the present invention cannot be considered limited to these descriptions. Those of ordinary skill in the technical field to which the present invention belongs may make a number of simple deductions or substitutions without departing from the concept of the present invention, and all of these should be regarded as falling within the protection scope of the present invention.
Industrial applicability
As described above, the traffic anomaly detection method, apparatus, network device and storage medium provided by the embodiments of the present invention have the following beneficial effects: they can more effectively discover anomalies that do not cause traffic to exceed a threshold, improve the comprehensiveness of traffic monitoring of network element devices, and increase the accuracy and credibility of the detection results.

Claims (13)

  1. A traffic anomaly detection method, comprising:
    collecting the received traffic and the sent traffic of each port of an inspected network element at a current detection instant;
    determining, according to the collected received traffic and sent traffic, a real-time window deviation ratio of the inspected network element in a current time window, the current time window being the time window corresponding to the current detection instant, the real-time window deviation ratio being the traffic deviation ratio of the inspected network element in the current time window, and the traffic deviation ratio characterizing the degree of balance between received traffic and sent traffic;
    determining a steep-change slope of the current detection instant according to the real-time window deviation ratio and a historical window deviation ratio, the historical window deviation ratio being the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection instant;
    determining, based on the steep-change slope of the current detection instant, whether the current detection instant is a traffic abnormal instant.
  2. The traffic anomaly detection method according to claim 1, wherein, before determining the real-time window deviation ratio of the inspected network element in the current time window according to the collected received traffic and sent traffic, the method further comprises:
    determining that the received traffic and the sent traffic of at least two ports of the inspected network element have been collected.
  3. The traffic anomaly detection method according to claim 1, wherein, before determining the real-time window deviation ratio of the inspected network element in the current time window according to the collected received traffic and sent traffic, the method further comprises:
    determining that the received traffic and the sent traffic of the ports of the inspected network element at the current detection instant are not all zero.
  4. The traffic anomaly detection method according to claim 1, wherein one time window includes at least two detection instants, and determining the real-time window deviation ratio of the inspected network element in the current time window according to the collected received traffic and sent traffic comprises:
    determining the traffic deviation ratio of the current detection instant according to the received traffic and the sent traffic collected at the current detection instant, and obtaining the traffic deviation ratios of the other detection instants in the current time window;
    determining, according to the traffic deviation ratios of the detection instants in the current time window, the mean of the traffic deviation ratios of the current time window as the real-time window deviation ratio.
  5. The traffic anomaly detection method according to claim 4, wherein the traffic deviation ratio of the current detection instant is the ratio of the sum of the received traffic to the sum of the sent traffic of the ports of the inspected network element collected at the current detection instant.
  6. The traffic anomaly detection method according to any one of claims 1 to 5, wherein determining, based on the steep-change slope of the current detection instant, whether the current detection instant is a traffic abnormal instant comprises:
    judging whether the steep-change slope of the current detection instant lies outside a normal slope range, the normal slope range being (1/Q, Q), where Q is a positive number;
    if so, determining that the current detection instant is a traffic abnormal instant; if not, determining that the current detection instant is not a traffic abnormal instant.
  7. The traffic anomaly detection method according to claim 6, further comprising:
    adding the traffic abnormal instants detected within a certain time period to an automatically labelled anomaly set;
    comparing the traffic abnormal instants in a manually labelled anomaly set with the traffic abnormal instants in the automatically labelled anomaly set;
    adjusting the normal slope range according to the comparison result.
  8. The traffic anomaly detection method according to claim 7, wherein comparing the traffic abnormal instants in the manually labelled anomaly set with the traffic abnormal instants in the automatically labelled anomaly set comprises: determining the false-detection anomalies in the automatically labelled anomaly set, a false-detection anomaly being a traffic abnormal instant that is present in the automatically labelled anomaly set but absent from the manually labelled anomaly set;
    and adjusting the normal slope range according to the comparison result comprises:
    determining that the false-detection rate of the automatically labelled anomaly set reaches a preset false-detection threshold, the false-detection rate being the number of false-detection anomalies in the automatically labelled anomaly set divided by the total number of traffic abnormal instants in the automatically labelled anomaly set;
    determining the steep-change slope corresponding to each false-detection anomaly;
    adjusting the value of Q according to those steep-change slopes.
  9. The traffic anomaly detection method according to claim 7, wherein comparing the traffic abnormal instants in the manually labelled anomaly set with the traffic abnormal instants in the automatically labelled anomaly set comprises: determining the missed-detection anomalies of the automatically labelled anomaly set, a missed-detection anomaly being a traffic abnormal instant that is present in the manually labelled anomaly set but absent from the automatically labelled anomaly set;
    and adjusting the normal slope range according to the comparison result comprises:
    determining that the missed-detection rate of the automatically labelled anomaly set reaches a preset missed-detection threshold, the missed-detection rate being the number of missed-detection anomalies divided by (the total number of traffic abnormal instants in the automatically labelled anomaly set + the number of missed-detection anomalies);
    determining the steep-change slope corresponding to each missed-detection anomaly;
    adjusting the value of Q according to those steep-change slopes.
  10. The traffic anomaly detection method according to claim 7, wherein adding the traffic abnormal instants detected within a certain time period to the automatically labelled anomaly set comprises:
    determining all traffic abnormal instants within the time period;
    for each traffic abnormal instant within the time period, determining, according to the steep-change slope of that traffic abnormal instant and the historical steep-change slope, whether the anomaly at that instant is in a recovering state or a deteriorating state;
    removing the traffic abnormal instants that are in the recovering state, and taking the remaining traffic abnormal instants as the automatically labelled anomaly set.
  11. A traffic anomaly detection apparatus, comprising:
    a traffic collection module, configured to collect the received traffic and the sent traffic of each port of an inspected network element at a current detection instant;
    a deviation determination module, configured to determine, according to the collected received traffic and sent traffic, a real-time window deviation ratio of the inspected network element in a current time window, the current time window being the time window corresponding to the current detection instant, and the traffic deviation ratio characterizing the degree of balance between received traffic and sent traffic;
    a slope determination module, configured to determine a steep-change slope of the current detection instant according to the real-time window deviation ratio and a historical window deviation ratio, the historical window deviation ratio being the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection instant;
    an anomaly judgement module, configured to determine, based on the steep-change slope of the current detection instant, whether the current detection instant is a traffic abnormal instant.
  12. A network device, comprising a processor, a memory and a communication bus;
    the communication bus being configured to realize connection and communication between the processor and the memory;
    the processor being configured to execute one or more programs stored in the memory so as to implement the steps of the traffic anomaly detection method according to any one of claims 1 to 10.
  13. A computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors so as to implement the steps of the traffic anomaly detection method according to any one of claims 1 to 10.
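The procedure of claims 1 to 10, worked through in Python. This is an added example and not code from the patent or from ZTE. The claims leave two things open that it has to assume: how the steep-change slope is derived from the two window deviation ratios (taken here as their quotient, which is what makes the symmetric normal range (1/Q, Q) meaningful, and which also requires Q > 1 for that range to be non-empty even though claim 6 only asks for a positive Q), and how claim 10 tells a recovering anomaly from a deteriorating one (taken here as the sign of the current log-slope against the running log-sum of the slopes at earlier abnormal instants, so a step heading back toward the pre-onset balance counts as recovery). The multiplicative margin used when moving Q, the port names, the counter values and the manual label sets are all constructed for the example.

```python
# Added example (not from the patent or ZTE): claims 1-10 as a small detector.
# Lines marked ASSUMED fill in choices the claims leave open.
import math
from typing import Dict, List, Optional, Set, Tuple

PortSample = Dict[str, Tuple[float, float]]   # port -> (rx, tx) at one instant

def deviation_ratio(sample: PortSample) -> Optional[float]:
    """Claim 5: sum(rx) / sum(tx) over all ports at one detection instant.
    Claims 2-3: at least two ports, counters not all zero; a zero tx sum is
    treated as unusable as well since it cannot be divided by."""
    if len(sample) < 2:
        return None
    rx = sum(r for r, _ in sample.values())
    tx = sum(t for _, t in sample.values())
    return None if tx == 0 else rx / tx

def window_ratio(ratios: List[float]) -> float:
    """Claim 4: mean of the per-instant deviation ratios in one window."""
    return sum(ratios) / len(ratios)

def is_abnormal(slope: float, q: float) -> bool:
    """Claim 6: abnormal when the slope lies outside the open range (1/Q, Q)."""
    return not (1.0 / q < slope < q)

def run_detection(samples: List[PortSample], q: float, window: int = 2) -> List[dict]:
    """Claims 1, 6 and 10 over time-ordered samples: per instant t, its slope
    (None when undefined), the verdict and, if abnormal, the state."""
    per_instant: List[float] = []   # usable deviation ratios so far
    win: List[float] = []           # sliding-window mean per usable instant
    drift = 0.0                     # ASSUMED: log-sum of slopes at abnormal instants
    out: List[dict] = []
    for t, sample in enumerate(samples):
        r = deviation_ratio(sample)
        if r is not None:
            per_instant.append(r)
            win.append(window_ratio(per_instant[-window:]))
        if r is None or len(win) < 2:
            out.append({"t": t, "slope": None, "abnormal": False, "state": None})
            continue
        slope = win[-1] / win[-2]   # ASSUMED: real-time / historical window ratio
        abnormal = is_abnormal(slope, q)
        state = None
        if abnormal:
            ls = math.log(slope)
            # A step opposing the accumulated drift heads back toward the
            # pre-onset balance (recovering); the same direction is worse.
            state = "recovering" if drift != 0.0 and ls * drift < 0 else "deteriorating"
            drift += ls
            if abs(drift) < 1e-9:   # balance restored: episode over
                drift = 0.0
        out.append({"t": t, "slope": slope, "abnormal": abnormal, "state": state})
    return out

def auto_anomaly_set(results: List[dict]) -> Set[int]:
    """Claim 10: abnormal instants with the recovering ones removed."""
    return {r["t"] for r in results if r["abnormal"] and r["state"] == "deteriorating"}

def compare_sets(auto: Set[int], manual: Set[int]) -> dict:
    """Claims 8-9: false-detection and missed-detection anomalies and rates."""
    false_det, missed = auto - manual, manual - auto
    return {"false": false_det, "missed": missed,
            "false_rate": len(false_det) / len(auto) if auto else 0.0,
            "missed_rate": len(missed) / (len(auto) + len(missed)) if auto or missed else 0.0}

def adjust_q(q: float, results: List[dict], manual: Set[int],
             false_threshold: float, missed_threshold: float, margin: float = 1.05) -> float:
    """Claims 7-9: once a rate reaches its threshold, move Q just past the
    slopes of the offending instants (ASSUMED: by a multiplicative margin).
    Slopes are folded onto max(s, 1/s) so both sides of 1 are comparable."""
    cmp = compare_sets(auto_anomaly_set(results), manual)
    folded = {r["t"]: max(r["slope"], 1.0 / r["slope"]) for r in results if r["slope"]}
    if cmp["false_rate"] >= false_threshold:
        cand = [folded[t] for t in cmp["false"] if t in folded]
        if cand:
            q = max(cand) * margin   # widen the normal range to absorb them
    if cmp["missed_rate"] >= missed_threshold:
        cand = [folded[t] for t in cmp["missed"] if t in folded]
        if cand:
            q = min(cand) / margin   # narrow it so they fall outside
    return max(q, 1.0 + 1e-9)        # (1/Q, Q) is empty unless Q > 1

# Constructed samples for a two-port element, (rx, tx) per port, one per
# instant: balanced, rx triples on ge0 for three instants, then back to
# balance; instant 7 is an all-zero poll that claim 3 excludes.
BAL = {"ge0": (100.0, 100.0), "ge1": (100.0, 100.0)}    # sum rx / sum tx = 1.0
SKEW = {"ge0": (300.0, 100.0), "ge1": (100.0, 100.0)}   # sum rx / sum tx = 2.0
ZERO = {"ge0": (0.0, 0.0), "ge1": (0.0, 0.0)}
SAMPLES = [BAL, BAL, SKEW, SKEW, SKEW, BAL, BAL, ZERO, BAL]

if __name__ == "__main__":
    for row in run_detection(SAMPLES, q=1.4):
        print(row)
```

With Q = 1.4 and a two-instant window, the onset of the receive-side skew at instant 2 gives a slope of 1.5 and is flagged as deteriorating, the slower follow-on step at instant 3 (slope 4/3) stays inside the range, and the return to balance at instant 6 (slope 2/3) is flagged but classified as recovering, so the automatically labelled set of claim 10 holds only instant 2; the all-zero poll at instant 7 is skipped under claim 3 and yields no slope. Feeding an empty manual set back through adjust_q treats instant 2 as a false detection and widens Q to 1.575, after which the same samples raise nothing, while a manual set that also labels instant 3 counts it as missed and narrows Q to about 1.27, after which the next pass catches both deteriorating steps.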
PCT/CN2020/096847 (WO2021008296A1, en), priority date 2019-07-16, filing date 2020-06-18: Traffic abnormality detection method and apparatus, network device, and storage medium

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201910640994.6 (granted as CN112242971B) | 2019-07-16 | 2019-07-16 | Traffic abnormality detection method and device, network equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2021008296A1 true WO2021008296A1 (en) 2021-01-21

Family

ID=74166749


Country Status (2)

Country Link
CN (1) CN112242971B (en)
WO (1) WO2021008296A1 (en)


Also Published As

Publication number Publication date
CN112242971A (en) 2021-01-19
CN112242971B (en) 2023-06-16


Legal Events

121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number 20840133, country EP, kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: PCT application non-entry in European phase (ref document number 20840133, country EP, kind code A1)
32PN Ep: public notification in the EP bulletin as the address of the addressee cannot be established; free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 22.09.2022)