WO2021008296A1 - Traffic abnormality detection method and apparatus, network device, and storage medium - Google Patents
- Publication number
- WO2021008296A1 (PCT/CN2020/096847)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- traffic
- time
- abnormal
- flow
- deviation ratio
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Definitions
- the present invention relates to the field of communications, and in particular to a method, device, network equipment and storage medium for detecting abnormal flow.
- The traffic abnormality detection method, device, network equipment and storage medium provided by the embodiments of the present invention mainly solve the technical problem that related traffic monitoring solutions cannot detect abnormal traffic that does not cause the port traffic to exceed the limit.
- an embodiment of the present invention provides a method for detecting abnormal traffic, including:
- the current time window is the time window corresponding to the current detection moment.
- the real-time window deviation ratio is, and the flow deviation ratio can characterize the degree of balance between the receiving traffic and the sending traffic;
- the historical window deviation ratio is the traffic deviation ratio of the detected network element in the time window corresponding to the previous detection time
- the embodiment of the present invention also provides a flow abnormality detection device, including:
- the traffic collection module is set to collect the receiving and sending traffic of each port of the detected network element at the current detection moment
- the deviation determination module is set to determine the real-time window deviation ratio of the inspected network element in the current time window based on the collected received and sent traffic.
- the current time window is the time window corresponding to the current detection moment, and the flow deviation ratio can represent the degree of balance between the received traffic and the sending traffic;
- the slope determination module is set to determine the steep slope of the current detection time according to the real-time window deviation ratio and the historical window deviation ratio.
- the historical window deviation ratio is the traffic deviation ratio of the detected network element in the time window corresponding to the previous detection time;
- the abnormality determination module is configured to determine whether the current detection time is the abnormal flow time based on the steep slope of the current detection time.
- the embodiment of the present invention also provides a network device, which includes a processor, a memory, and a communication bus;
- the communication bus is set to realize the connection and communication between the processor and the memory
- the processor is configured to execute one or more programs stored in the memory to implement the steps of the method for detecting abnormal flow.
- The embodiment of the present invention also provides a computer-readable storage medium. The computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the above-mentioned traffic abnormality detection method.
- The method, device, network equipment, and storage medium for detecting abnormal traffic collect the received and sent traffic of each port of the detected network element at the current detection moment, then determine the real-time flow deviation ratio of the inspected network element in the current time window according to the collected received and sent traffic, determine the steep slope of the current detection time based on the real-time flow deviation ratio and the historical flow deviation ratio, and then determine whether the current detection time is an abnormal flow time based on the steep slope of the current detection time.
- The traffic anomaly detection solution provided by the embodiment of the present invention is based on the fact that the total flow in and out of all ports of the inspected network element is basically balanced under normal working conditions. When abnormalities such as packet loss or illegal duplication occur during data routing and switching processing in the inspected network element, the balance of the sent and received traffic is broken. Therefore, the solution measures the balance of the sent and received traffic of the inspected network element and determines the moment when that balance changes sharply, so as to detect the moment when the traffic of the inspected network element is abnormal.
- The traffic anomaly detection solution provided by the embodiments of the present invention can more effectively find those abnormalities that do not cause the traffic to exceed the limit, improve the comprehensiveness of the traffic monitoring of the detected network element, and increase the accuracy and reliability of the detection result.
- FIG. 1 is a flowchart of a method for detecting abnormal traffic according to an embodiment of the present invention
- FIG. 2 is a schematic diagram of the traffic deviation ratio of the checked network element in one day according to the embodiment of the present invention
- FIG. 3 is a schematic diagram of a traffic deviation ratio of another checked network element in one day according to an embodiment of the present invention.
- FIG. 4 is a schematic diagram of a relationship between a time window and a detection time according to an embodiment of the present invention
- FIG. 5 is a flowchart of adjusting the normal slope range by a network device according to an embodiment of the present invention.
- FIG. 6 is a flowchart of a network device determining the automatically marked abnormal set according to an embodiment of the present invention
- FIG. 7 is a flowchart of a method for detecting abnormal traffic according to an embodiment of the present invention.
- FIG. 8 is a schematic diagram of a traffic deviation ratio of another checked network element in one day according to an embodiment of the present invention.
- FIG. 9 is a schematic structural diagram of a flow abnormality detection device provided by an embodiment of the present invention.
- FIG. 10 is a schematic diagram of another structure of a flow abnormality detection device provided by an embodiment of the present invention.
- FIG. 11 is a schematic diagram of another structure of a flow abnormality detection device provided by an embodiment of the present invention.
- FIG. 12 is a schematic diagram of a hardware structure of a network device provided by an embodiment of the present invention.
- Traditional traffic monitoring solutions generally set fixed thresholds for indicators such as port bandwidth utilization and CPU utilization based on manual experience. If an indicator of a port of the inspected network element is found to exceed its fixed threshold during detection, the monitoring result is determined to be abnormal and an alarm can be issued. This method simply decides whether the detected index value is normal by comparing it with the threshold. It is effective for detecting peak traffic that exceeds the limit, but if an abnormality does not cause the port traffic to exceed the limit, the traditional solution cannot perceive it. For example, if a large amount of packet loss or a large number of illegally copied packets occur in the inspected network element without causing the traffic to exceed the limit, the traditional traffic monitoring solution will not identify these abnormalities.
- this embodiment provides a method for detecting abnormal traffic. Please refer to the flowchart shown in FIG. 1, which includes the following steps:
- S102 Collect the receiving traffic and the sending traffic of each port of the inspected network element at the current inspection moment.
- The total traffic in and out of all ports should be basically balanced; that is to say, in a unicast-based network the traffic each inspected network element sends is roughly the same as the traffic it receives.
- the balance of the traffic sent and received by the network element under inspection will be broken.
- the receiving traffic and the sending traffic of each port of the detected network element can be collected.
- the network device can collect the receive traffic and send traffic of port a, and collect the receive traffic and send traffic of port b.
- the network device will also collect the send and receive traffic.
- The network device may periodically collect the receiving traffic and sending traffic of each port of the inspected network element while detecting abnormal traffic of an inspected network element. For example, the network device can use 15 minutes as the detection granularity, that is, collect the receiving and sending traffic of each port of the inspected network element every 15 minutes.
- The network device collects the sending and receiving traffic of each port of the inspected network element for the first time at 00:00; the next time, it collects the sending and receiving traffic of each port of the inspected network element at 00:15, and the third traffic collection is at 00:30... 00:00, 00:15, 00:30 and so on are referred to as detection times in this embodiment.
- the current time is 00:15
- 00:15 is the current detection time
- 00:00 is the historical detection time.
- When the network device detects abnormal traffic of the detected network element, it does not necessarily need to collect traffic periodically. That is, when the network device collects the receiving and sending traffic of the inspected network element, the time intervals between detection times need not be completely consistent.
- S104 Determine the real-time window deviation ratio of the checked network element in the current time window according to the collected receiving traffic and sending traffic.
- After collecting the receiving traffic and sending traffic of each port of the inspected network element at the current inspection time, the network device can determine the real-time window deviation ratio of the inspected network element in the current time window.
- The so-called real-time window deviation ratio is the traffic deviation ratio of the inspected network element in the current time window.
- The traffic deviation ratio at a certain detection time can be the ratio of the sum of the received traffic to the sum of the sent traffic of each port of the inspected network element at the detection time.
- bias is the traffic deviation ratio
- $N_{recv}$ is the sum of all received traffic at the time when each port of the detected network element is detected. It can be calculated by the following formula:
- n is the total number of ports in the inspected network element
- i represents the i-th port
- $N_{send}$ is the sum of all sent traffic at the time when each port of the inspected network element is detected, and can be calculated by the following formula:
- n is the total number of ports in the inspected network element
- i represents the i-th port
- The traffic deviation ratio of an inspected network element is mainly used to characterize the balance between the sending and receiving traffic of each port of the inspected network element. Therefore, the traffic deviation ratio of the inspected network element is not necessarily the ratio of the sum of received traffic to the sum of sent traffic; it may also be the ratio of the sent traffic to the received traffic, that is,
- Each time the network device determines the traffic deviation ratio of the inspected network element, it should use the same calculation method. For example, if the network device, when calculating the traffic deviation ratio of the inspected network element for the first time, calculates the ratio of the sum of the received traffic to the sum of the sent traffic of the ports of the inspected network element at the first detection time, then at subsequent detection times it should also calculate the ratio of the sum of the received traffic to the sum of the sent traffic. It should not suddenly switch, during some calculation, to the ratio of the sum of the sent traffic to the sum of the received traffic of the ports of the inspected network element.
- Figures 2 and 3 respectively show schematic diagrams of the traffic deviation ratios of two checked network elements in the same day, where the vertical axis bias represents the traffic deviation ratio, and the horizontal axis represents time.
- the so-called current time window refers to the time window corresponding to the current detection time.
- the so-called "real-time window deviation ratio" is actually the traffic deviation ratio of the detected network element in the current time window.
- A time window includes at least one detection time. For example, in an example of this embodiment, there is only one detection time in the time window, and the real-time window deviation ratio of the detected network element in the current time window is simply the traffic deviation ratio of the inspected network element at the current detection time. However, if a time window includes two or more detection times, the real-time window deviation ratio of the detected network element in the current time window is the mean of the traffic deviation ratios of the detected network element at each detection time in the current time window. For example, in an example, the time window includes three detection times. Please refer to the schematic diagram of the relationship between the time window and the detection time shown in Figure 4, where the vertical axis bias represents the flow deviation ratio, and the horizontal axis represents time:
- The current time window 401 is the time window corresponding to the nth detection time, which includes the nth detection time, the (n-1)th detection time and the (n-2)th detection time.
- The historical time window 402 is the time window corresponding to the previous detection time (that is, the (n-1)th detection time), which includes the (n-1)th detection time, the (n-2)th detection time, and the (n-3)th detection time.
- the traffic deviation ratios of the detected network element at the nth detection time, the (n-1)th detection time, the (n-2)th detection time, and the (n-3)th detection time are $b_n$, $b_{n-1}$, $b_{n-2}$ and $b_{n-3}$
- the real-time window deviation ratio of the checked network element is $(b_n + b_{n-1} + b_{n-2})/3$
- the historical window deviation ratio of the checked network element is $(b_{n-1} + b_{n-2} + b_{n-3})/3$.
- Deviation ratio $b_n$. For the calculation of the real-time window deviation ratio, the other flow deviation ratios $b_{n-1}$ and $b_{n-2}$ have already been calculated in the previous detection processes ($b_{n-1}$ was calculated when computing the real-time window deviation ratio at the (n-1)th detection time, and $b_{n-2}$ when computing the real-time window deviation ratio at the (n-2)th detection time), so there is no need to calculate them again here.
- S106 Determine the steep slope of the current detection moment according to the real-time window deviation ratio and the historical window deviation ratio.
- anomalies are data that deviate from most of the data in the data set. Therefore, anomalies are also called outliers. Therefore, in this embodiment, the network device determines whether the current detection time is an abnormal point (that is, the abnormal flow time) according to whether the flow deviation ratio corresponding to the current detection time deviates from the flow deviation ratio of most detection times.
- the traffic deviation ratio of the inspected network element belongs to a time series indicator.
- the main goal of monitoring this indicator is to find the time point when it deviates from the normal value in time, which is a change point detection problem for the time series.
- Change point theory is a classic branch of statistics. Its basic definition is that, in a sequence or process, when a certain statistical characteristic (distribution type, distribution parameter) changes at a certain point in time due to systemic factors rather than accidental factors, we call this point in time the change point.
- the change point detection is to use statistics or statistical methods to find out the position of the change point.
- the network device can determine the steep slope of the inspected network element at the current detection time based on the real-time window deviation ratio of the inspected network element and the historical window deviation ratio,
- the steep slope can characterize the degree of change of the real-time window deviation ratio at the current detection time relative to the historical window deviation ratio.
- the steep slope of the current detection moment can be determined according to the following formula:
- n represents the nth detection time
- $M_n$ represents the traffic deviation ratio in the time window corresponding to the nth detection time of the detected network element
- $M_{n-1}$ represents the detected network element at the n-1th detection time
- $K_n$ is the steep slope of the nth detection time. If the nth detection time is the current detection time, $K_n$ is the steep slope corresponding to the current detection time.
- the historical window deviation ratio of the inspected network element will be calculated after the network device performs the n-1th transmission and reception traffic collection for the inspected network element. Therefore, in this embodiment, after the network device calculates the real-time window deviation ratio corresponding to the nth detection time, it records it so as to participate in the calculation as the historical window deviation ratio at the n+1th time.
- S108 Determine whether the current detection time is an abnormal flow time based on the steep slope of the current detection time.
- the network device can determine whether the detected network element has abnormal traffic at the current detection time according to the steep slope, that is, whether the current detection time is the abnormal traffic time.
- the network device stores the parameters that can divide the normal slope threshold.
- The normal slope range is (1/Q, Q), where Q is a positive number, so the values in (1/Q, Q) are relatively close to 1.
- When the network device determines whether the traffic of the inspected network element is abnormal at the nth detection moment, it can determine whether the steep slope of the inspected network element at the nth detection moment is within the normal slope range. If yes, it is determined that the detection time is not a time of abnormal flow; if not, it is determined that the detection time is a time of abnormal flow of the detected network element.
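Steps S102 to S108 can be followed end to end in the sketch below. It is an added example, not code from the patent: the class and function names, the value Q = 1.2, the sample counters, and the handling of a zero send total or a not-yet-full window are assumptions; the slope is taken as the ratio of the real-time to the historical window deviation ratio, and the window holds three detection times as in the Figure 4 example.

```python
from collections import deque
from statistics import fmean
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    bias: Optional[float]    # b_n: deviation ratio at this detection time
    window: Optional[float]  # M_n: mean deviation ratio over the time window
    slope: Optional[float]   # K_n: M_n / M_{n-1}
    abnormal: bool


class DeviationDetector:
    """Steps S102-S108 for one inspected network element (illustrative names)."""

    def __init__(self, q: float, window: int = 3):
        if q <= 1:
            raise ValueError("Q must exceed 1, otherwise (1/Q, Q) is empty")
        self.q = q
        self._biases = deque(maxlen=window)  # b_n, b_{n-1}, ... of the current window
        self._m_prev = None                  # historical window deviation ratio

    def observe(self, ports: dict) -> Verdict:
        """ports maps port name -> (received, sent) counters for one detection time."""
        n_recv = sum(recv for recv, _ in ports.values())
        n_send = sum(send for _, send in ports.values())
        if n_send == 0:
            # Assumption: no ratio can be formed, so this detection time is skipped.
            return Verdict(None, None, None, False)
        bias = n_recv / n_send  # always recv/send; the direction is never switched
        self._biases.append(bias)
        if len(self._biases) < self._biases.maxlen:
            # Assumption: wait for a full window before computing M_n.
            return Verdict(bias, None, None, False)
        m_n = fmean(self._biases)
        m_prev, self._m_prev = self._m_prev, m_n  # M_n becomes history for n+1
        if not m_prev:
            # First full window (or a zero history): no slope can be computed.
            return Verdict(bias, m_n, None, False)
        k_n = m_n / m_prev
        abnormal = not (1 / self.q < k_n < self.q)  # outside the open range (1/Q, Q)
        return Verdict(bias, m_n, k_n, abnormal)


# Constructed 15-minute samples for a two-port element. At 01:00 and 01:15 half
# of the received traffic is never forwarded; no counter rises, so a fixed
# bandwidth threshold stays silent.
BALANCED = {"a": (500, 480), "b": (500, 520)}
LOSSY = {"a": (500, 250), "b": (500, 250)}
SAMPLES = [
    ("00:00", BALANCED), ("00:15", BALANCED), ("00:30", BALANCED),
    ("00:45", BALANCED), ("01:00", LOSSY), ("01:15", LOSSY),
    ("01:30", BALANCED), ("01:45", BALANCED), ("02:00", BALANCED),
]


def run(samples, q=1.2):
    """Feed the samples in order and return {detection time: Verdict}."""
    detector = DeviationDetector(q)
    return {t: detector.observe(ports) for t, ports in samples}


def abnormal_times(samples, q=1.2):
    """Detection times whose steep slope falls outside (1/Q, Q)."""
    return [t for t, verdict in run(samples, q).items() if verdict.abnormal]


if __name__ == "__main__":
    for t, verdict in run(SAMPLES).items():
        print(t, verdict)
```

The hits at 01:45 and 02:00 come from the window ratio moving back towards 1 after the loss ends, not from a new fault.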
- The value of Q may be fixed, for example, set by network operation and maintenance personnel based on a large number of experience values. It is understandable that the Q value set by network operation and maintenance personnel should ensure that all network abnormalities of the inspected network elements are detected as accurately as possible.
- The value of Q can also be adjusted adaptively. For example, the initial value of Q is set by network operation and maintenance personnel based on experience, but as the network equipment continues to perform traffic anomaly detection on the inspected network element, the network device can adjust the value of Q according to the accuracy of its detection results, thereby reducing false detections and/or missed detections during the flow anomaly detection process. Please refer to the flowchart for adjusting the normal slope range shown in Figure 5:
- the network device may adjust the value of Q at regular intervals. There is no doubt that adjusting the value of Q actually means adjusting the normal slope range. It is assumed that the network equipment set here adjusts the normal slope range every two hours.
- the network device may have performed 8 detections on the detected network element, and some of the detection moments of the 8 detections will be judged as abnormal flow times.
- the network device can add the abnormal traffic moments among the 8 detection moments to the automatic anomaly marking set.
- The automatic anomaly marking set is a set of abnormal traffic moments marked mechanically by the network equipment.
- The first is that, compared with the historical window deviation ratio, the traffic situation represented by the real-time window deviation ratio is better, that is, the absolute difference between the real-time window deviation ratio and 1 is less than the absolute difference between the historical window deviation ratio and 1. This means that although abnormal flow was present at the current detection time, the abnormal flow is gradually recovering. Therefore, the abnormal flow at the current detection time is actually in the recovery state.
- The second type is that, compared with the historical window deviation ratio, the traffic situation represented by the real-time window deviation ratio is worse, that is, the absolute difference between the real-time window deviation ratio and 1 is greater than the absolute difference between the historical window deviation ratio and 1, indicating the current detection
- the abnormal flow at the current detection time is actually in a deteriorating state.
- the network device may refer to the flowchart shown in FIG. 6 to determine the automatic annotated abnormal set:
- S602 The network device determines all abnormal traffic moments within the time period
- the network device determines whether the abnormal flow at the abnormal flow time is in a recovery state or a deteriorating state according to the abrupt slope and historical abrupt slope of the abnormal flow;
- S606 The network device removes the abnormal traffic moments that are in the recovery state, and uses the remaining abnormal traffic moments as an automatic anomaly set.
- S504 Compare each abnormal flow time in the manually marked abnormal set with each abnormal flow time in the automatically marked abnormal set.
- the network equipment will also obtain the manually marked abnormal set corresponding to the automatically marked abnormal set.
- the marked result of the abnormal traffic time within the hour.
- the abnormal traffic moments in the artificially marked abnormal set can be regarded as completely correct, with no mislabeling; and it is considered that the artificially marked abnormal set contains all the abnormal traffic moments in the past two hours, with no missing labels.
- the network device can compare each abnormal flow time in the artificially marked anomaly set with each abnormal flow time in the automatically marked anomaly set.
- the network device can determine the false detection exception in the automatic labeling anomaly set.
- A false detection anomaly is an abnormal traffic moment that exists in the automatically marked abnormal set but does not exist in the manually marked abnormal set.
- the network equipment can determine the missed anomalies in the automatically marked anomaly set.
- A missed anomaly is an abnormal traffic moment that exists in the manually marked abnormal set but does not exist in the automatically marked abnormal set.
- the network device can determine its own false detection rate according to the following formula:
- When the network device determines that the false detection rate in the automatically marked abnormal set reaches the preset false detection threshold, it can determine the steep slope corresponding to each false detection anomaly, then determine the Q value corresponding to each steep slope, and select the largest Q value as the adjusted Q value. For example, if the network device determines that the false detection rate in the automatically marked anomaly set reaches the preset false detection threshold, with 3 false detection anomalies whose steep slopes are 1.5, 2 and 2.5 respectively, then the Q values corresponding to the three steep slopes are 1.5, 2 and 2.5 respectively, so the updated Q value is 2.5.
- If the abrupt slopes corresponding to three false detection abnormalities are 1/4, 1/3, and 1/2 respectively, the Q values corresponding to the three abrupt slopes are 4, 3, and 2 respectively. Therefore, the updated Q value is 4.
- the Q value is increased, and the normal slope range is also increased, thereby reducing the possibility that the network device detects the abnormal flow when the flow is normal.
- the network device can also determine its own missed detection rate according to the following formula:
- When the network device determines that the missed detection rate in the automatically marked anomaly set reaches the preset missed detection threshold, it can determine the steep slope corresponding to each missed anomaly, and then update the Q value according to the minimum value of the steep slopes.
- the network device may determine the Q value corresponding to each steep slope, and then select the smallest Q value as the updated Q value. For example, if the network device determines that the missed detection rate in the automatically marked anomaly set reaches the preset missed detection threshold, including 3 missed detections, the steep slopes corresponding to the three missed detections are 1/2, 1/3, and 3.
- the Q values corresponding to the three steep slopes are 2, 3, and 3 respectively.
- The network equipment can adjust the value of Q to 2. It should be understood that the value of Q must have been greater than 3 before the adjustment. Therefore, this adjustment actually reduces the value of Q, which also increases the range of abnormal slopes, thereby reducing the possibility that abnormal traffic cannot be correctly detected by the network equipment.
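The recovery-state filter (S602 to S606), the comparison of the two marked sets (S504) and the resulting Q update are worked through below with the page's own slope values. This is an added example, not code from the patent: the function names, the sample moments and the starting Q values are constructed, and because the rate formulas are not reproduced on the page, the rates (false detections over the automatic set, missed anomalies over the manual set), the 0.5 thresholds and the choice to handle false detections first are assumptions.

```python
from fractions import Fraction as F


def is_recovering(m_n, m_prev):
    """Recovery state: the real-time window ratio is closer to 1 than the historical one."""
    return abs(m_n - 1) < abs(m_prev - 1)


def auto_marked_set(flagged):
    """S602-S606: flagged maps time -> (M_n, M_{n-1}); recovery-state moments are dropped."""
    return {t for t, (m_n, m_prev) in flagged.items()
            if not is_recovering(m_n, m_prev)}


def q_for_slope(k):
    """Q value corresponding to a steep slope k > 0: 1.5 -> 1.5, 1/4 -> 4."""
    return max(k, 1 / k)


def adjust_q(q, auto, manual, slopes, fd_threshold=0.5, md_threshold=0.5):
    """S504 plus the Q update; rates, thresholds and precedence are assumptions."""
    false_detections = auto - manual  # marked automatically, absent from the manual set
    missed = manual - auto            # marked manually, absent from the automatic set
    fd_rate = len(false_detections) / len(auto) if auto else 0
    md_rate = len(missed) / len(manual) if manual else 0
    if false_detections and fd_rate >= fd_threshold:
        # Largest Q among the false detections: widens the normal slope range.
        return max(q_for_slope(slopes[t]) for t in false_detections)
    if missed and md_rate >= md_threshold:
        # Smallest Q among the missed anomalies: narrows the normal slope range.
        return min(q_for_slope(slopes[t]) for t in missed)
    return q


# Constructed window ratios (M_n, M_{n-1}) for four flagged moments.
FLAGGED = {
    "01:00": (F(4, 3), F(1)),     # moving away from 1: deteriorating
    "01:15": (F(5, 3), F(4, 3)),  # deteriorating
    "01:45": (F(4, 3), F(5, 3)),  # moving back towards 1: recovering
    "02:00": (F(1), F(4, 3)),     # recovering
}

# The page's false-detection example: slopes 1.5, 2 and 2.5 were marked
# automatically but not manually; "t4" is a constructed true anomaly.
FD_SLOPES = {"t1": F(3, 2), "t2": F(2), "t3": F(5, 2), "t4": F(4)}
FD_AUTO, FD_MANUAL = {"t1", "t2", "t3", "t4"}, {"t4"}

# The page's missed-detection example: slopes 1/2, 1/3 and 3 were marked
# manually but not automatically (Q was above 3); "t8" is constructed.
MD_SLOPES = {"t5": F(1, 2), "t6": F(1, 3), "t7": F(3), "t8": F(5)}
MD_AUTO, MD_MANUAL = {"t8"}, {"t5", "t6", "t7", "t8"}

if __name__ == "__main__":
    print(sorted(auto_marked_set(FLAGGED)))                       # recovery moments removed
    print(adjust_q(F(7, 5), FD_AUTO, FD_MANUAL, FD_SLOPES))       # Q raised
    print(adjust_q(F(7, 2), MD_AUTO, MD_MANUAL, MD_SLOPES))       # Q lowered
```

With the range written as the open interval (1/Q, Q), a slope exactly equal to the new Q is still outside the range, so the false detection that set Q to 2.5 would be marked again on the same data.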
- the flow anomaly detection method provided in this embodiment analyzes the flow deviation ratio of the detected network element, and identifies the moment when the flow deviation ratio changes greatly based on the steep slope as the flow abnormal moment.
- This flow anomaly detection scheme can effectively identify those abnormal points that do not cause the traffic of the inspected network element to exceed the limit, providing a basis for network optimization.
- Because the network equipment can adjust the parameters used to determine the abnormal flow time according to the result of marking the abnormal flow, those parameters are more accurate and more in line with the actual situation of the network, thereby improving the accuracy of abnormal flow detection and reducing false detections and missed detections.
- S702 Collect receiving traffic and sending traffic of each port of the inspected network element at the current inspection moment.
- A network device used for traffic abnormality monitoring may monitor the traffic of two or more detected network elements at the same time. Therefore, when the network device performs port traffic collection, it does so for all ports of all the monitored network elements. After obtaining the collection result, the network device needs to determine which inspected network element each collection result belongs to, according to the asset relationship data (which can characterize the corresponding relationship between the inspected network element and the port). Then, the time of abnormal traffic is determined for each detected network element.
- The network device may perform detection every 15 minutes, that is, the detection granularity is 15 minutes. It is understandable that if the detection granularity is set too large, the network device will not be able to detect those abnormalities that appear and recover in a short time. For example, if the detection granularity is set to 3 hours, the network device cannot detect the abnormality shown in Figure 8.
- When the network device sets the detection granularity, it can be set according to its own processing capability.
- S704 Determine whether the receiving traffic and the sending traffic of at least two ports of the inspected network element are collected.
- It is understandable that a large abrupt slope is easily generated during the fluctuation process. Therefore, the current detection time is easily recognized by the network device as an abnormal flow time. However, when some port data is missing, the abnormal flow deviation ratio on a single port is not actually the abnormal flow deviation ratio of the network element we want to obtain. Therefore, in some examples of this embodiment, the network device needs to exclude network elements that only have valid single-port data.
- the network device continues to perform S706, otherwise the process ends.
- S706 Determine whether the receiving traffic and the sending traffic of each port of the inspected network element at the current inspection moment are all zero.
- Missing value filling is a common method.
- Common missing value filling methods include before-and-after mean filling, mode filling, linear regression filling, and so on.
- Missing value filling is generally effective, but for the traffic anomaly detection scheme in this embodiment it often has a great impact on the detection result.
- Most filling methods make the data smoother, so that the network device can no longer detect the original abnormal points from the steep rise and fall of the traffic deviation ratio.
- S708 Determine the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic.
- After collecting the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment, the network device can determine the real-time window deviation ratio of the inspected network element in the current time window.
- One time window includes three detection moments. The network device can therefore determine the real-time window deviation ratio corresponding to the current detection time based on the traffic deviation ratio at the current detection time and the traffic deviation ratios at the previous two detection times.
- S710 Determine the steep slope of the current detection moment according to the real-time window deviation ratio and the historical window deviation ratio.
- The network device can calculate the ratio of the real-time window deviation ratio of the inspected network element to the historical window deviation ratio to obtain the steep slope of the inspected network element at the current detection time.
- S712 Determine whether the current detection time is an abnormal flow time based on the steep slope of the current detection time.
- The network device can determine whether the flow of the inspected network element is abnormal at the current detection time according to the steep slope.
- The network device determines whether the steep slope corresponding to the current detection time is within the normal slope range (1/Q, Q). If yes, it determines that the detection time is not an abnormal flow time; if not, it determines that the detection time is a time when the network element's traffic is abnormal.
- If the network device determines that the current detection time is an abnormal flow time of the inspected network element, it further determines whether the abnormal flow time is a deteriorating abnormal flow time:
- S714 Determine whether the abnormality at the time of the abnormal flow is in a deteriorating state according to the abrupt slope and the historical abrupt slope at the time of the abnormal flow.
- S716 Record the time when the traffic is abnormal.
- The network device can record the abnormal flow time for use in the subsequent network optimization process.
- The network device can also evaluate its own false detection rate and missed detection rate at intervals, and adjust the normal slope range according to the evaluation result, so as to reduce the false detection rate and missed detection rate for abnormal traffic in the subsequent detection process.
- The specific evaluation and adjustment process has been described in more detail in the foregoing embodiment, and will not be repeated here.
- In the traffic abnormality detection method, the network device automatically monitors the traffic of the inspected network element and marks the abnormal traffic times. This not only reduces the demand for human resources; the detection process is also fast and efficient, and it can find traffic abnormalities that conventional methods cannot detect. At the same time, the parameters for judging when the flow is abnormal can be adjusted by feedback from the detection results, so that the detection results achieve higher accuracy and reliability.
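The flow S704 to S712 for one inspected network element, as an added example that is not code from the patent. The class and function names, Q = 2, the sample traffic values, and the choices to skip a moment when one direction sums to zero and to leave the window untouched on a skipped moment are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

WINDOW = 3  # detection moments per time window, as in this embodiment


@dataclass
class ElementState:
    """Detector state kept per inspected network element (illustrative names)."""
    q: float = 2.0  # assumed value; the normal slope range is (1/Q, Q)
    ratios: deque = field(default_factory=lambda: deque(maxlen=WINDOW))
    prev_window_ratio: Optional[float] = None


def detect(state, samples):
    """Process one detection moment.

    samples maps port -> (rx, tx); a port whose collection failed is absent.
    Returns (verdict, steep_slope); steep_slope is None when none was computed.
    """
    if len(samples) < 2:                              # S704: need >= 2 ports
        return ("skipped: fewer than two ports", None)
    rx = sum(r for r, _ in samples.values())
    tx = sum(t for _, t in samples.values())
    if rx == 0 and tx == 0:                           # S706: all values zero
        return ("skipped: all zero", None)
    if rx == 0 or tx == 0:
        # Assumption (not in the text): avoid a zero or undefined ratio.
        return ("skipped: one direction is zero", None)

    # Skipped moments above never reach this point, so nothing is filled in
    # for them and the window keeps only measured ratios.
    state.ratios.append(rx / tx)                      # traffic deviation ratio
    if len(state.ratios) < WINDOW:
        return ("warming up", None)

    window_ratio = sum(state.ratios) / WINDOW         # S708: window mean
    previous = state.prev_window_ratio
    state.prev_window_ratio = window_ratio
    if previous is None:
        return ("warming up", None)

    slope = window_ratio / previous                   # S710: steep slope
    inside = 1 / state.q < slope < state.q            # S712: open interval
    return ("normal" if inside else "abnormal", slope)


# Constructed sample: ten 15-minute moments for a two-port element.
SAMPLE_MOMENTS = [
    {"p1": (100, 100), "p2": (200, 200)},
    {"p1": (110, 100), "p2": (190, 200)},
    {"p1": (100, 100), "p2": (200, 200)},
    {"p1": (100, 100), "p2": (200, 200)},
    {"p1": (100, 100)},                    # p2 collection failed
    {"p1": (0, 0), "p2": (0, 0)},          # collector returned zeros
    {"p1": (100, 10), "p2": (200, 20)},    # sent traffic collapses
    {"p1": (100, 100), "p2": (200, 200)},
    {"p1": (100, 100), "p2": (200, 200)},
    {"p1": (100, 100), "p2": (200, 200)},
]


def run(moments, q=2.0):
    """Feed the moments through a fresh detector and collect the verdicts."""
    state = ElementState(q=q)
    return [detect(state, m) for m in moments]


if __name__ == "__main__":
    for i, (verdict, slope) in enumerate(run(SAMPLE_MOMENTS)):
        print(i, verdict, slope)
```

In the sample, received traffic never changes, so a volume threshold on it would stay silent; the ratio-based slope flags moment 6, and flags moment 9 again when the spike leaves the window, which is the kind of moment step S714 then has to classify.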
- The embodiment of the present invention also provides a flow abnormality detection device. Please refer to the schematic structural diagram shown in FIG. 9, in which:
- The flow abnormality detection device 90 includes a flow collection module 902, a deviation determination module 904, a slope determination module 906, and an abnormality determination module 908.
- The flow collection module 902 is configured to collect the received and sent traffic of each port of the inspected network element at the current detection moment.
- The deviation determination module 904 is configured to determine the real-time window deviation ratio of the inspected network element in the current time window based on the collected received and sent traffic. The slope determination module 906 is configured to determine the steep slope of the current detection time based on the real-time window deviation ratio and the historical window deviation ratio, where the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection time. The abnormality determination module 908 is configured to determine whether the current detection time is an abnormal flow time based on the steep slope of the current detection time.
- The flow anomaly detection device 90 further includes a preprocessing module 910, which is configured to determine whether the flow collection module 902 has collected the received traffic and sent traffic of at least two ports of the inspected network element. Only when the judgment result of the preprocessing module 910 is yes will the deviation determination module 904 calculate the real-time window deviation ratio.
- The preprocessing module 910 may also be configured to determine whether the receiving traffic and the sending traffic of each port of the inspected network element at the current detection moment are all zero values. Only when the judgment result of the preprocessing module 910 is negative will the deviation determination module 904 calculate the real-time window deviation ratio.
- A time window includes at least two detection moments. The deviation determination module 904 can determine the flow deviation ratio at the current detection moment based on the received traffic and the sent traffic collected at the current detection moment, obtain the flow deviation ratios of the other detection moments in the current time window, and then determine the average of the flow deviation ratios of the detection moments in the current time window as the real-time window deviation ratio.
- The traffic deviation ratio at the current detection time is the ratio of the sum of the received traffic to the sum of the sent traffic of each port of the inspected network element collected at the current detection time.
- The abnormality determination module 908 can determine whether the steep slope of the current detection moment is outside the normal slope range, the normal slope range being (1/Q, Q), where Q is a positive number. If so, it determines that the current detection time is an abnormal flow time; if not, it determines that the current detection time is not an abnormal flow time.
- The flow anomaly detection device 90 may further include a parameter adjustment module 912, which is configured to evaluate multiple determination results of the abnormality determination module 908 and, according to at least one of the false detection rate and the missed detection rate, adjust the normal slope range that the abnormality determination module 908 uses to determine whether a detection time is an abnormal flow time.
- The parameter adjustment module 912 may add each abnormal traffic time detected in a certain period of time to the automatically marked abnormal set, then compare each abnormal flow time in the manually marked abnormal set with each abnormal flow time in the automatically marked abnormal set, and adjust the normal slope range according to the comparison result.
- The parameter adjustment module 912 determines the false detection abnormalities in the automatically marked abnormal set, and then determines whether the false detection rate in the automatically marked abnormal set reaches the preset false detection threshold. If so, the parameter adjustment module 912 further determines the steep slope corresponding to each false detection abnormality, and adjusts the Q value according to the maximum value of the steep slopes.
- The parameter adjustment module 912 determines the missed abnormalities in the automatically marked abnormal set, and then determines whether the missed detection rate in the automatically marked abnormal set reaches the preset missed detection threshold. If so, the parameter adjustment module 912 further determines the steep slope corresponding to each missed abnormality, and adjusts the Q value according to the maximum value of the steep slopes.
- The parameter adjustment module 912 may first determine all the abnormal flow moments in a time period, and then, for each abnormal flow moment in the time period, determine according to the steep slope of the abnormal flow moment and the historical steep slope whether the abnormality is in the recovery state or the deteriorating state. The abnormal flow moments in the recovery state are then eliminated, and the remaining abnormal flow moments are taken as the automatically marked abnormal set.
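The comparison of the automatically marked and manually marked sets, as an added example that is not code from the patent. The two rate formulas follow the claims on this page; the function names, the thresholds, the 5% margin, the sample slopes and the exact way Q is moved from the maximum slope are assumptions, since the text only says Q is adjusted according to that maximum.

```python
def compare_sets(auto_marked, manual_marked):
    """Return (false_detections, missed, false_rate, missed_rate)."""
    auto, manual = set(auto_marked), set(manual_marked)
    false_det = auto - manual      # flagged automatically, not by the analyst
    missed = manual - auto         # flagged by the analyst, not automatically
    false_rate = len(false_det) / len(auto) if auto else 0.0
    denom = len(auto) + len(missed)
    missed_rate = len(missed) / denom if denom else 0.0
    return false_det, missed, false_rate, missed_rate


def normalised(slope):
    """Fold a slope onto [1, inf) so a fall of 1/x compares like a rise of x."""
    return max(slope, 1 / slope)


def adjust_q(q, slopes, auto_marked, manual_marked,
             false_threshold, missed_threshold, margin=0.05):
    """Return the new Q. slopes maps detection time -> steep slope.

    Assumed policy: false detections are handled first; only one adjustment
    is made per evaluation round.
    """
    false_det, missed, false_rate, missed_rate = compare_sets(
        auto_marked, manual_marked)
    if false_det and false_rate >= false_threshold:
        # Widen (1/Q, Q) until the largest false alarm falls inside it.
        worst = max(normalised(slopes[t]) for t in false_det)
        return worst * (1 + margin)
    if missed and missed_rate >= missed_threshold:
        # Narrow (1/Q, Q) until the largest missed slope falls outside it.
        largest = max(normalised(slopes[t]) for t in missed)
        candidate = largest / (1 + margin)
        return candidate if candidate > 1 else q  # keep a valid range
    return q


# Constructed sample: steep slopes observed with Q = 2, i.e. range (0.5, 2).
SLOPES = {"t1": 2.1, "t2": 0.45, "t3": 3.0, "t4": 1.8, "t5": 0.3}
AUTO = {t for t, s in SLOPES.items() if not 0.5 < s < 2.0}  # t1 t2 t3 t5
MANUAL = {"t3", "t4", "t5"}                                 # analyst labels

if __name__ == "__main__":
    print(compare_sets(AUTO, MANUAL))
    print(adjust_q(2.0, SLOPES, AUTO, MANUAL, 0.3, 0.3))
```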
- The traffic anomaly detection device 90 in this embodiment can be deployed on a network device, such as a network device in a bearer network. The function of the traffic collection module 902 can be implemented jointly by the processor and the communication unit of the network device, and the functions of the deviation determination module 904, the slope determination module 906, the abnormality determination module 908, the preprocessing module 910, and the parameter adjustment module 912 can all be implemented by the processor of the network device.
- The flow abnormality detection device analyzes the flow deviation ratio of the inspected network element and, based on the steep slope, identifies the moment when the flow deviation ratio changes greatly as the flow abnormality moment.
- This flow abnormality detection scheme can effectively identify those abnormal points that do not cause the traffic of the inspected network element to exceed the limit, and so provides a basis for network optimization.
- The traffic anomaly detection device can adjust the parameters for determining the abnormal traffic time according to the result of marking the abnormal traffic, so that these parameters are more accurate and more in line with the actual situation of the network, thereby increasing the accuracy of traffic anomaly detection and reducing false detections and missed detections.
- the embodiment of the present invention also provides a computer-readable storage medium.
- the computer-readable storage medium may store one or more computer programs that can be read, compiled, and executed by one or more processors.
- the computer-readable storage medium may store a flow anomaly detection program, and the flow anomaly detection program can be used by one or more processors to execute a process for implementing any of the flow anomaly detection methods introduced in the foregoing embodiments.
- the network device 120 includes a processor 121, a memory 122, and a communication bus 123 configured to connect the processor 121 and the memory 122, where the memory 122 may be the aforementioned storage
- The processor 121 may read the flow anomaly detection program, then compile and execute it to carry out the flow anomaly detection method introduced in the foregoing embodiment:
- The processor 121 collects the receiving traffic and sending traffic of each port of the inspected network element at the current detection time, and determines the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving and sending traffic. It then determines the steep slope of the current detection time according to the real-time window deviation ratio and the historical window deviation ratio, and determines whether the current detection time is an abnormal flow time based on the steep slope of the current detection time.
- The processor 121 is further configured to determine whether the receiving traffic and the sending traffic of at least two ports of the inspected network element have been collected. Only when the judgment result is yes will the processor 121 calculate the real-time window deviation ratio.
- The processor 121 may also determine whether the receiving traffic and the sending traffic of each port of the inspected network element at the current detection moment are all zero values. Only when the judgment result is negative will the processor 121 calculate the real-time window deviation ratio.
- A time window includes at least two detection moments. The processor 121 may determine the flow deviation ratio at the current detection moment according to the received traffic and the sent traffic collected at the current detection moment, obtain the flow deviation ratios of the other detection moments in the current time window, and then, according to the flow deviation ratio of each detection time in the current time window, determine the average value of the flow deviation ratio of the current time window as the real-time window deviation ratio.
- the traffic deviation ratio at the current detection time is the ratio of the sum of the received traffic and the sum of the sent traffic of each port of the detected network element collected at the current detection time.
- The processor 121 may determine whether the steep slope at the current detection time is outside the normal slope range, the normal slope range being (1/Q, Q), where Q is a positive number. If so, it determines that the current detection time is an abnormal flow time; if not, it determines that the current detection time is not an abnormal flow time.
- The processor 121 may also evaluate its own multiple determination results and, according to at least one of the false detection rate and the missed detection rate, adjust the normal slope range used to determine whether a detection moment is an abnormal flow time.
- The processor 121 may add each abnormal traffic time detected in a certain period of time to the automatically marked abnormal set, then compare each abnormal flow time in the manually marked abnormal set with each abnormal flow time in the automatically marked abnormal set, and adjust the normal slope range according to the comparison result.
- The processor 121 determines the false detection abnormalities in the automatically marked abnormal set, and then determines whether the false detection rate in the automatically marked abnormal set reaches the preset false detection threshold. If so, the processor 121 further determines the steep slope corresponding to each false detection abnormality, and adjusts the Q value according to the maximum value of the steep slopes.
- The processor 121 determines the missed abnormalities in the automatically marked abnormal set, and then determines whether the missed detection rate in the automatically marked abnormal set reaches the preset missed detection threshold. If so, the processor 121 further determines the steep slope corresponding to each missed abnormality, and adjusts the Q value according to the steep slope.
- The processor 121 may first determine all abnormal flow moments within a time period, and then, for each abnormal flow moment in the time period, determine according to the abrupt slope of the abnormal flow moment and the historical abrupt slope whether the abnormality is in a recovering state or a deteriorating state. The abnormal traffic moments in the recovering state are then eliminated, and the remaining abnormal traffic moments are taken as the automatically marked abnormal set.
- The network device provided in this embodiment can automatically monitor the traffic of the inspected network element and mark the times when the traffic is abnormal. This not only reduces the demand for human resources; the detection process is also fast and efficient, and it can find abnormal traffic conditions that conventional methods cannot detect. At the same time, the parameters for judging when the flow is abnormal can be adjusted by feedback from the detection results, so that the detection results achieve higher accuracy and reliability.
- The functional modules/units in the system and the device can be implemented as software (which can be implemented by program code executable by a computing device), firmware, hardware, and appropriate combinations thereof.
- The division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components.
- Some or all physical components can be implemented as software executed by a processor, such as a central processing unit, a digital signal processor, or a microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit.
- The computer-readable medium may include computer storage media (or non-transitory media) and communication media (or transitory media).
- Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data).
- Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassette, tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired information and that can be accessed by a computer.
- Communication media usually contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery media. Therefore, the present invention is not limited to any specific combination of hardware and software.
- The method, device, network device, and storage medium for detecting traffic anomalies provided by the embodiments of the present invention have the following beneficial effects: they can more effectively find abnormalities that do not cause the traffic to exceed the limit, increase the comprehensiveness of traffic monitoring for network element equipment, and increase the accuracy and credibility of the detection results.
Claims (13)
- A traffic abnormality detection method, comprising:
  collecting the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment;
  determining the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic, where the current time window is the time window corresponding to the current detection moment, the real-time window deviation ratio is as described above, and the traffic deviation ratio can represent the degree of balance between the received traffic and the sent traffic;
  determining the steep slope of the current detection time according to the real-time window deviation ratio and the historical window deviation ratio, where the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection time;
  determining, based on the steep slope of the current detection time, whether the current detection time is an abnormal traffic time.
- The traffic abnormality detection method according to claim 1, wherein before determining the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic, the method further comprises:
  determining that the receiving traffic and the sending traffic of at least two ports of the inspected network element have been collected.
- The traffic abnormality detection method according to claim 1, wherein before determining the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic, the method further comprises:
  determining that the receiving traffic and the sending traffic of each port of the inspected network element at the current detection moment are not all zero values.
- The traffic abnormality detection method according to claim 1, wherein a time window includes at least two detection moments, and determining the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic comprises:
  determining the traffic deviation ratio at the current detection time according to the receiving traffic and the sending traffic collected at the current detection time, and obtaining the traffic deviation ratios at the other detection times in the current time window;
  determining, according to the traffic deviation ratio at each detection time in the current time window, the average value of the traffic deviation ratio of the current time window as the real-time window deviation ratio.
- The traffic abnormality detection method according to claim 4, wherein the traffic deviation ratio at the current detection time is the ratio of the sum of the received traffic to the sum of the sent traffic of each port of the inspected network element collected at the current detection time.
- The traffic abnormality detection method according to any one of claims 1 to 5, wherein determining whether the current detection time is an abnormal traffic time based on the steep slope of the current detection time comprises:
  judging whether the steep slope at the current detection moment is outside the normal slope range, the normal slope range being (1/Q, Q), where Q is a positive number;
  if yes, determining that the current detection time is an abnormal traffic time; if not, determining that the current detection time is not an abnormal traffic time.
- The traffic abnormality detection method according to claim 6, wherein the traffic abnormality detection method further comprises:
  adding each abnormal traffic time detected in a certain period of time to the automatically marked abnormal set;
  comparing each abnormal traffic time in the manually marked abnormal set with each abnormal traffic time in the automatically marked abnormal set;
  adjusting the normal slope range according to the comparison result.
- The traffic abnormality detection method according to claim 7, wherein comparing each abnormal traffic time in the manually marked abnormal set with each abnormal traffic time in the automatically marked abnormal set comprises: determining the false detection abnormalities in the automatically marked abnormal set, a false detection abnormality being an abnormal traffic time that exists in the automatically marked abnormal set but does not exist in the manually marked abnormal set;
  and adjusting the normal slope range according to the comparison result comprises:
  determining that the false detection rate in the automatically marked abnormal set reaches a preset false detection threshold, the false detection rate being the number of false detection abnormalities in the automatically marked abnormal set / the total number of abnormal traffic times in the automatically marked abnormal set;
  determining the steep slope corresponding to each false detection abnormality;
  adjusting the Q value according to each of the steep slopes.
- The traffic abnormality detection method according to claim 7, wherein comparing each abnormal traffic time in the manually marked abnormal set with each abnormal traffic time in the automatically marked abnormal set comprises: determining the missed abnormalities in the automatically marked abnormal set, a missed abnormality being an abnormal traffic time that exists in the manually marked abnormal set but does not exist in the automatically marked abnormal set;
  and adjusting the normal slope range according to the comparison result comprises:
  determining that the missed detection rate in the automatically marked abnormal set reaches a preset missed detection threshold, the missed detection rate being the number of missed abnormalities in the automatically marked abnormal set / (the total number of abnormal traffic times in the automatically marked abnormal set + the number of missed abnormalities);
  determining the steep slope corresponding to each missed abnormality;
  adjusting the Q value according to each of the steep slopes.
- The traffic abnormality detection method according to claim 7, wherein adding each abnormal traffic time detected in a certain period of time to the automatically marked abnormal set comprises:
  determining all abnormal traffic times within the time period;
  for each abnormal traffic time in the time period, determining whether the abnormality at the abnormal traffic time is in a recovery state or a deteriorating state according to the steep slope of the abnormal traffic time and the historical steep slope;
  eliminating the abnormal traffic times in the recovery state, and taking the remaining abnormal traffic times as the automatically marked abnormal set.
- A traffic abnormality detection device, comprising:
  a traffic collection module, configured to collect the receiving traffic and sending traffic of each port of the inspected network element at the current detection moment;
  a deviation determination module, configured to determine the real-time window deviation ratio of the inspected network element in the current time window based on the collected receiving traffic and sending traffic, where the current time window is the time window corresponding to the current detection moment, and the traffic deviation ratio can represent the degree of balance between the received traffic and the sent traffic;
  a slope determination module, configured to determine the steep slope of the current detection time according to the real-time window deviation ratio and the historical window deviation ratio, where the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection time;
  an abnormality determination module, configured to determine whether the current detection time is an abnormal traffic time based on the steep slope of the current detection time.
- A network device, the network device comprising a processor, a memory, and a communication bus;
  the communication bus is configured to realize connection and communication between the processor and the memory;
  the processor is configured to execute one or more programs stored in the memory to implement the steps of the traffic abnormality detection method according to any one of claims 1 to 10.
- A computer-readable storage medium, the computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the steps of the traffic abnormality detection method according to any one of claims 1 to 10.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910640994.6 | 2019-07-16 | ||
CN201910640994.6A CN112242971B (en) | 2019-07-16 | 2019-07-16 | Traffic abnormality detection method and device, network equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021008296A1 (en) | 2021-01-21 |
Family
ID=74166749
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/096847 WO2021008296A1 (en) | 2019-07-16 | 2020-06-18 | Traffic abnormality detection method and apparatus, network device, and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112242971B (en) |
WO (1) | WO2021008296A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114285612A (en) * | 2021-12-14 | 2022-04-05 | 北京天融信网络安全技术有限公司 | Method, system, device, equipment and medium for detecting abnormal data |
CN114373308A (en) * | 2021-11-30 | 2022-04-19 | 深圳市顺易通信息科技有限公司 | Method and device for determining total effective parking space quantity and storage medium |
CN114745304A (en) * | 2022-04-27 | 2022-07-12 | 北京广通优云科技股份有限公司 | Service mutation point identification method based on network behavior parameters in IT intelligent operation and maintenance system |
CN114979828A (en) * | 2022-05-18 | 2022-08-30 | 成都安讯智服科技有限公司 | Internet of things communication module flow control method and system based on Modbus |
CN116915517A (en) * | 2023-09-14 | 2023-10-20 | 厦门快快网络科技有限公司 | Cloud service resource risk security management method |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117650791B (en) * | 2024-01-30 | 2024-04-05 | 苏芯物联技术(南京)有限公司 | Welding history airflow data compression method integrating welding process mechanism |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101184097A (en) * | 2007-12-14 | 2008-05-21 | 北京大学 | Method of detecting worm activity based on flux information |
CN101399709A (en) * | 2007-09-28 | 2009-04-01 | 福建星网锐捷网络有限公司 | Method, device and system for network monitoring |
CN107332723A (en) * | 2016-04-28 | 2017-11-07 | 华为技术有限公司 | The detection method and detection device of convert channel |
US20180103045A1 (en) * | 2014-10-10 | 2018-04-12 | The Hong Kong Polytechnic University | Network attack detection method |
CN108989135A (en) * | 2018-09-29 | 2018-12-11 | 新华三技术有限公司合肥分公司 | Network equipment failure detection method and device |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9843488B2 (en) * | 2011-11-07 | 2017-12-12 | Netflow Logic Corporation | Method and system for confident anomaly detection in computer network traffic |
WO2018035765A1 (en) * | 2016-08-24 | 2018-03-01 | 深圳天珑无线科技有限公司 | Method and apparatus for detecting network abnormity |
CN109327345A (en) * | 2017-08-01 | 2019-02-12 | 中国移动通信集团湖北有限公司 | The detection method and device of exception flow of network, computer readable storage medium |
CN108390864B (en) * | 2018-02-01 | 2020-12-11 | 杭州安恒信息技术股份有限公司 | Trojan horse detection method and system based on attack chain behavior analysis |
CN109951491A (en) * | 2019-03-28 | 2019-06-28 | 腾讯科技(深圳)有限公司 | Network attack detecting method, device, equipment and storage medium |
- 2019
  - 2019-07-16: CN application CN201910640994.6A, patent CN112242971B, status Active
- 2020
  - 2020-06-18: WO application PCT/CN2020/096847, publication WO2021008296A1, status Application Filing
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114373308A (en) * | 2021-11-30 | 2022-04-19 | 深圳市顺易通信息科技有限公司 | Method and device for determining total effective parking space quantity and storage medium |
CN114285612A (en) * | 2021-12-14 | 2022-04-05 | 北京天融信网络安全技术有限公司 | Method, system, device, equipment and medium for detecting abnormal data |
CN114285612B (en) * | 2021-12-14 | 2023-09-26 | 北京天融信网络安全技术有限公司 | Method, system, device, equipment and medium for detecting abnormal data |
CN114745304A (en) * | 2022-04-27 | 2022-07-12 | 北京广通优云科技股份有限公司 | Service mutation point identification method based on network behavior parameters in IT intelligent operation and maintenance system |
CN114745304B (en) * | 2022-04-27 | 2024-02-27 | 北京广通优云科技股份有限公司 | Service mutation point identification method based on network behavior parameters in IT operation and maintenance system |
CN114979828A (en) * | 2022-05-18 | 2022-08-30 | 成都安讯智服科技有限公司 | Internet of things communication module flow control method and system based on Modbus |
CN114979828B (en) * | 2022-05-18 | 2023-03-10 | 成都安讯智服科技有限公司 | Internet of things communication module flow control method and system based on Modbus |
CN116915517A (en) * | 2023-09-14 | 2023-10-20 | 厦门快快网络科技有限公司 | Cloud service resource risk security management method |
CN116915517B (en) * | 2023-09-14 | 2023-11-24 | 厦门快快网络科技有限公司 | Cloud service resource risk security management method |
Also Published As
Publication number | Publication date |
---|---|
CN112242971A (en) | 2021-01-19 |
CN112242971B (en) | 2023-06-16 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
WO2021008296A1 (en) | Traffic abnormality detection method and apparatus, network device, and storage medium | |
CN111126824B (en) | Multi-index correlation model training method and multi-index anomaly analysis method | |
US9015312B2 (en) | Network management system and method for identifying and accessing quality of service issues within a communications network | |
US9921943B2 (en) | Predicting anomalies and incidents in a computer application | |
CN101189895B (en) | Abnormality detecting method and system, and upkeep method and system | |
US10447561B2 (en) | BFD method and apparatus | |
WO2022028120A1 (en) | Indicator detection model acquisition method and apparatus, fault locating method and apparatus, and device and storage medium | |
KR20060028601A (en) | Apparatus for detecting abnormality of traffic in network and method thereof | |
EP2741439B1 (en) | Network failure detecting method and monitoring center | |
CN115038088B (en) | Intelligent network security detection early warning system and method | |
JP2021022759A (en) | Network analysis program, network analysis apparatus, and network analysis method | |
US20110153804A1 (en) | Method and system for reporting defects within a network | |
CN114978939B (en) | Method for detecting network link quality | |
CN112751722A (en) | Data transmission quality monitoring method and system | |
WO2022057501A1 (en) | Method for identifying abnormal terminal, analysis apparatus and device, and storage medium | |
US11265237B2 (en) | System and method for detecting dropped aggregated traffic metadata packets | |
CN115774159A (en) | Fault detection system for power unit of high-voltage frequency converter | |
CN110120893B (en) | Method and device for positioning network system security problem | |
CN113438116A (en) | Power communication data management system and method | |
CN103384215A (en) | Virus situation anomaly detection method and system based on join AR model | |
TWI533688B (en) | Network protocol television service network anomaly node judgment method | |
US11140067B2 (en) | Discovering cross-domain links based on traffic flow | |
CN117336202B (en) | Multichannel management system and method based on vibration meter controller | |
CN117856441A (en) | Smart power grid transmission delay optimization method and system | |
WO2024066331A1 (en) | Network abnormality detection method and apparatus, electronic device, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 20840133 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 20840133 Country of ref document: EP Kind code of ref document: A1 |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 20840133 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 22.09.2022) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 20840133 Country of ref document: EP Kind code of ref document: A1 |