WO2021008296A1 - Method and apparatus for detecting traffic anomalies, network device and storage medium - Google Patents


Info

Publication number: WO2021008296A1
Application number: PCT/CN2020/096847
Authority: WO, WIPO (PCT)
Prior art keywords: traffic, time, abnormal, flow, deviation ratio
Other languages: English (en), Chinese (zh)
Inventors: 蒋勇, 彭鑫, 叶德忠
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40: Network security protocols
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection
    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D 30/00: Reducing energy consumption in communication networks
    • Y02D 30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • The present invention relates to the field of communications, and in particular to a method, apparatus, network device and storage medium for detecting abnormal traffic.
  • The abnormal traffic detection method, apparatus, network device and storage medium provided by the embodiments mainly solve the following technical problem: related traffic monitoring solutions cannot detect abnormal traffic that does not cause port traffic to exceed its threshold.
  • An embodiment provides a method for detecting abnormal traffic, including: collecting the received traffic and sent traffic of each port of the inspected network element at the current detection moment; determining, from the collected traffic, the real-time window deviation ratio of the inspected network element in the current time window; determining the steep slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio; and determining from that steep slope whether the current detection moment is an abnormal traffic moment.
  • The current time window is the time window corresponding to the current detection moment.
  • The real-time window deviation ratio is the traffic deviation ratio of the inspected network element in the current time window; the traffic deviation ratio characterizes the degree of balance between received traffic and sent traffic.
  • The historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection moment.
  • An embodiment also provides an abnormal traffic detection apparatus, including:
  • a traffic collection module, configured to collect the received traffic and sent traffic of each port of the inspected network element at the current detection moment;
  • a deviation determination module, configured to determine, from the collected received and sent traffic, the real-time window deviation ratio of the inspected network element in the current time window, where the current time window is the time window corresponding to the current detection moment and the traffic deviation ratio characterizes the degree of balance between received traffic and sent traffic;
  • a slope determination module, configured to determine the steep slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio, where the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection moment;
  • an abnormality determination module, configured to determine, from the steep slope of the current detection moment, whether the current detection moment is an abnormal traffic moment.
  • An embodiment also provides a network device including a processor, a memory and a communication bus; the communication bus is configured to connect the processor and the memory, and the processor is configured to execute one or more programs stored in the memory to implement the steps of the abnormal traffic detection method.
  • An embodiment also provides a computer-readable storage medium storing one or more programs that can be executed by one or more processors to implement the steps of the abnormal traffic detection method described above.
  • The method, apparatus, network device and storage medium collect the received and sent traffic of each port of the inspected network element at the current detection moment, determine from it the real-time window deviation ratio of the inspected network element in the current time window, determine the steep slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio, and then decide from that steep slope whether the current detection moment is an abnormal traffic moment.
  • The solution rests on the observation that, under normal operating conditions, the total traffic entering and leaving all ports of the inspected network element is roughly balanced, whereas abnormalities in its routing and switching processing, such as packet loss or illegal duplication of packets, break that balance. The solution therefore measures the balance between the received and sent traffic of the inspected network element and finds the moments at which that balance changes sharply, which are the moments at which the element's traffic is abnormal.
  • Compared with threshold-based monitoring, it can find abnormalities that do not cause traffic to exceed any limit, which makes traffic monitoring of the inspected network element more comprehensive and the detection results more accurate and reliable.
  • FIG. 1 is a flowchart of a method for detecting abnormal traffic according to an embodiment.
  • FIG. 2 is a schematic diagram of the traffic deviation ratio of an inspected network element over one day according to an embodiment.
  • FIG. 3 is a schematic diagram of the traffic deviation ratio of another inspected network element over one day.
  • FIG. 4 is a schematic diagram of the relationship between a time window and detection moments.
  • FIG. 5 is a flowchart of a network device adjusting the normal slope range.
  • FIG. 6 is a flowchart of a network device determining the automatically marked abnormal set.
  • FIG. 7 is a flowchart of a method for detecting abnormal traffic according to an embodiment.
  • FIG. 8 is a schematic diagram of the traffic deviation ratio of yet another inspected network element over one day.
  • FIG. 9 is a schematic structural diagram of an abnormal traffic detection apparatus.
  • FIG. 10 is a schematic diagram of another structure of an abnormal traffic detection apparatus.
  • FIG. 11 is a schematic diagram of a further structure of an abnormal traffic detection apparatus.
  • FIG. 12 is a schematic diagram of the hardware structure of a network device.
  • Traditional traffic monitoring solutions generally set fixed thresholds, based on manual experience, for indicators such as port bandwidth utilization and CPU utilization. If an indicator of a port of the inspected network element exceeds the corresponding threshold during detection, the monitoring result is judged abnormal and an alarm can be raised. This method simply decides whether an indicator value is normal by comparing it with a threshold. It works for peak traffic that exceeds the limit, but an abnormality that does not push port traffic over the limit cannot be perceived at all. For example, if a large number of packets are lost in, or illegally copied by, the inspected network element without the traffic exceeding the limit, the traditional solution will not identify it.
  • This embodiment provides a method for detecting abnormal traffic. Refer to the flowchart shown in FIG. 1, which includes the following steps:
  • S102: Collect the received traffic and sent traffic of each port of the inspected network element at the current detection moment.
  • In a unicast-based network, the total traffic entering and leaving all ports of a network element should be roughly balanced, that is, the traffic each inspected network element sends is roughly equal to the traffic it receives.
  • When the network element loses packets or illegally duplicates them, that balance between sent and received traffic is broken.
  • The received traffic and sent traffic of each port of the inspected network element are therefore collected. For example, if the inspected network element has ports a and b, the network device collects the received and sent traffic of port a and the received and sent traffic of port b; if the element has further ports, their sent and received traffic is collected as well.
  • The network device may collect the traffic of each port periodically while detecting abnormal traffic of an inspected network element. For example, it can use 15 minutes as the detection granularity, that is, collect the received and sent traffic of each port every 15 minutes.
  • Suppose the network device first collects the traffic of each port of the inspected network element at 00:00; it then collects again at 00:15, a third time at 00:30, and so on. Moments such as 00:00, 00:15 and 00:30 are referred to as detection moments in this embodiment. If the current time is 00:15, then 00:15 is the current detection moment and 00:00 is a historical detection moment.
  • The network device need not collect traffic periodically: the intervals between successive detection moments may differ from one another.
  • S104: Determine the real-time window deviation ratio of the inspected network element in the current time window from the collected received traffic and sent traffic.
  • After collecting the received and sent traffic of each port of the inspected network element at the current detection moment, the network device can determine the real-time window deviation ratio of the inspected network element in the current time window.
  • The real-time window deviation ratio is the traffic deviation ratio of the inspected network element in the current time window.
  • The traffic deviation ratio at a given detection moment can be the ratio of the sum of the received traffic of all ports of the inspected network element at that moment to the sum of their sent traffic:
  • bias = N_recv / N_send
  • where bias is the traffic deviation ratio; N_recv is the sum of the received traffic of all ports of the inspected network element at the detection moment, N_recv = recv_1 + recv_2 + ... + recv_n; N_send is the sum of the sent traffic of all ports at the detection moment, N_send = send_1 + send_2 + ... + send_n; n is the total number of ports of the inspected network element, and i denotes the i-th port, with recv_i and send_i its received and sent traffic.
  • The traffic deviation ratio is only meant to characterize the balance between the sent and received traffic of the ports of the inspected network element, so it need not be the ratio of the received sum to the sent sum; it may equally be the ratio of the sent sum to the received sum, bias = N_send / N_recv.
  • Whichever definition is used, the network device should apply it uniformly each time it determines the traffic deviation ratio of an inspected network element. For example, if at the first detection moment it computes the ratio of the received sum to the sent sum over the element's ports, then at every subsequent detection moment it should again compute the received sum divided by the sent sum, and must not switch to the sent sum divided by the received sum during some later calculation.
  • Figures 2 and 3 show schematic diagrams of the traffic deviation ratios of two inspected network elements over the same day, where the vertical axis (bias) is the traffic deviation ratio and the horizontal axis is time.
  • The current time window is the time window corresponding to the current detection moment, and the real-time window deviation ratio is the traffic deviation ratio of the inspected network element in that window.
  • A time window includes at least one detection moment. If the window contains only one detection moment, the real-time window deviation ratio in the current time window is simply the traffic deviation ratio of the inspected network element at the current detection moment. If a window contains two or more detection moments, the real-time window deviation ratio is the mean of the traffic deviation ratios of the inspected network element at each detection moment in the current window. For example, suppose a time window includes three detection moments; refer to the relationship between time window and detection moments shown in FIG. 4, where the vertical axis (bias) is the traffic deviation ratio and the horizontal axis is time:
  • the current time window 401 is the window corresponding to the nth detection moment and includes the nth, (n-1)th and (n-2)th detection moments;
  • the historical time window 402 is the window corresponding to the previous, (n-1)th, detection moment and includes the (n-1)th, (n-2)th and (n-3)th detection moments.
  • If the traffic deviation ratios of the inspected network element at the nth, (n-1)th, (n-2)th and (n-3)th detection moments are b_n, b_(n-1), b_(n-2) and b_(n-3), then the real-time window deviation ratio is (b_n + b_(n-1) + b_(n-2))/3 and the historical window deviation ratio is (b_(n-1) + b_(n-2) + b_(n-3))/3.
  • Only b_n has to be computed for the real-time window deviation ratio at the nth detection moment: b_(n-1) and b_(n-2) were already computed during the earlier detections (b_(n-1) when computing the real-time window deviation ratio at the (n-1)th detection moment, b_(n-2) at the (n-2)th) and need not be calculated again.
  • S106: Determine the steep slope of the current detection moment from the real-time window deviation ratio and the historical window deviation ratio.
  • Anomalies are data points that deviate from most of the data in a data set, which is why they are also called outliers. In this embodiment the network device therefore decides whether the current detection moment is an abnormal point (an abnormal traffic moment) by whether the traffic deviation ratio at the current detection moment deviates from the traffic deviation ratios of most detection moments.
  • The traffic deviation ratio of the inspected network element is a time series indicator, and the main goal of monitoring it is to find in time the moments at which it departs from its normal value; this is a change point detection problem on the time series.
  • Change point theory is a classic branch of statistics. Its basic definition is that when some statistical characteristic of a sequence or process (its distribution type or distribution parameters) changes at a certain point in time because of systematic rather than accidental factors, that point in time is called a change point; change point detection uses statistics or statistical methods to locate it.
  • The network device can determine the steep slope of the inspected network element at the current detection moment from its real-time window deviation ratio and historical window deviation ratio; the steep slope characterizes how much the real-time window deviation ratio at the current detection moment has changed relative to the historical window deviation ratio.
  • The steep slope of the current detection moment can be determined as the ratio
  • K_n = M_n / M_(n-1)
  • where n denotes the nth detection moment, M_n is the traffic deviation ratio of the inspected network element in the time window corresponding to the nth detection moment (the real-time window deviation ratio), M_(n-1) is the traffic deviation ratio in the time window corresponding to the (n-1)th detection moment (the historical window deviation ratio), and K_n is the steep slope of the nth detection moment; if the nth detection moment is the current one, K_n is the steep slope of the current detection moment.
  • The historical window deviation ratio is computed after the network device performs the (n-1)th traffic collection for the inspected network element. Therefore, after computing the real-time window deviation ratio for the nth detection moment, the network device records it so that it can serve as the historical window deviation ratio in the calculation at the (n+1)th detection moment.
  • S108: Determine, from the steep slope of the current detection moment, whether the current detection moment is an abnormal traffic moment.
  • The network device can decide from the steep slope whether the inspected network element has abnormal traffic at the current detection moment, that is, whether the current detection moment is an abnormal traffic moment.
  • The network device stores a parameter Q that defines the normal slope range (1/Q, Q), where Q is a positive number (greater than 1, so that the interval is non-empty); the values in (1/Q, Q) are thus relatively close to 1.
  • When deciding whether the traffic of the inspected network element is abnormal at the nth detection moment, the network device checks whether the steep slope of the inspected network element at the nth detection moment lies within the normal slope range. If it does, the detection moment is not an abnormal traffic moment; if it does not, the detection moment is an abnormal traffic moment of the inspected network element.
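Steps S102 to S108 carried through end to end in Python, as an added example. This is not code from the patent or from its assignee; the port names, the traffic counts, the 15-minute moment labels and the window width of three moments are constructed for illustration, and two points the description leaves open are assumptions here: while fewer than three moments have been collected the window mean is taken over the moments available, and the normal slope range is treated as the open interval (1/Q, Q).

```python
"""Traffic-balance anomaly detection for one inspected network element.

Added example, not the patent's code.  Implements S102-S108:
  bias_n = N_recv / N_send              (traffic deviation ratio, S104)
  M_n    = mean of bias over the window  (real-time window deviation ratio)
  K_n    = M_n / M_(n-1)                 (steep slope, S106)
  abnormal if K_n lies outside (1/Q, Q)  (S108)
Port names and traffic counts below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

PortTraffic = Dict[str, Tuple[int, int]]  # port -> (received, sent)


def deviation_ratio(ports: PortTraffic) -> float:
    """bias = N_recv / N_send summed over all ports of the element (S104)."""
    n_recv = sum(recv for recv, _ in ports.values())
    n_send = sum(sent for _, sent in ports.values())
    if n_send == 0:
        raise ValueError("no sent traffic: deviation ratio undefined")
    return n_recv / n_send


def steep_slope(m_now: float, m_prev: float) -> float:
    """K_n = M_n / M_(n-1): change of the window ratio against the previous window."""
    return m_now / m_prev


def is_abnormal(k: float, q: float) -> bool:
    """Abnormal when the slope leaves the normal slope range (1/Q, Q)."""
    return not (1.0 / q < k < q)


def detect(samples: List[Tuple[str, PortTraffic]], q: float, window: int = 3) -> List[str]:
    """Run the detection over successive detection moments.

    samples: (moment label, per-port traffic) in collection order.
    Returns the labels of the detection moments judged abnormal.
    Assumption (not stated in the patent): while fewer than `window`
    moments exist, the window mean is taken over the moments available.
    """
    biases: List[float] = []                 # b_n for every moment so far
    previous_window: Optional[float] = None  # M_(n-1), recorded after each moment
    abnormal: List[str] = []
    for label, ports in samples:
        biases.append(deviation_ratio(ports))       # only b_n is new work
        recent = biases[-window:]
        m_now = sum(recent) / len(recent)            # real-time window ratio M_n
        if previous_window is not None:
            k = steep_slope(m_now, previous_window)
            if is_abnormal(k, q):
                abnormal.append(label)
        previous_window = m_now                      # becomes M_(n-1) next time
    return abnormal


def balanced(per_port: int = 250_000) -> PortTraffic:
    """Constructed: four ports, each receiving and sending the same amount."""
    return {p: (per_port, per_port) for p in ("ge0", "ge1", "ge2", "ge3")}


def lossy() -> PortTraffic:
    """Constructed: the element drops half of what it receives; no port exceeds any limit."""
    return {p: (250_000, 125_000) for p in ("ge0", "ge1", "ge2", "ge3")}


# Constructed fragment of a day at 15-minute granularity; the loss lasts one moment.
SAMPLES: List[Tuple[str, PortTraffic]] = [
    ("00:00", balanced()), ("00:15", balanced()), ("00:30", balanced()),
    ("00:45", lossy()),
    ("01:00", balanced()), ("01:15", balanced()), ("01:30", balanced()),
]

if __name__ == "__main__":
    print(detect(SAMPLES, q=1.2))
```

With Q = 1.2 the run flags 00:45, where the loss enters the window, and 01:30, where it leaves the window again. At 01:30 the real-time window ratio is closer to 1 than the historical one, which is the recovery state that the Q adjustment procedure below discards before comparing with the manual marking; no port counter ever exceeded its usual value, so a fixed per-port threshold would have seen nothing.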
  • The value of Q may be fixed, for example set by network operation and maintenance personnel from a large body of empirical values. The Q value they set should ensure that all network abnormalities of the inspected network elements are detected as accurately as possible.
  • Alternatively, Q can be adjusted adaptively. For example, its initial value is set by operation and maintenance personnel from experience, but as the network device keeps detecting abnormal traffic of the inspected network element, it can adjust Q according to the accuracy of its detection results, reducing false detections and/or missed detections. Refer to the flowchart of adjusting the normal slope range shown in FIG. 5:
  • The network device may adjust Q at regular intervals; adjusting Q amounts to adjusting the normal slope range. Suppose here that the network device adjusts the normal slope range every two hours.
  • Within those two hours, at 15-minute granularity, the network device has performed 8 detections on the inspected network element, and some of those 8 detection moments have been judged abnormal traffic moments.
  • The network device can add the abnormal traffic moments among the 8 detection moments to the automatically marked abnormal set, which is the set of abnormal traffic moments marked mechanically by the network device.
  • An abnormal traffic moment can be in one of two states. In the first, the traffic situation represented by the real-time window deviation ratio is better than that represented by the historical window deviation ratio, that is, the absolute difference between the real-time window deviation ratio and 1 is smaller than the absolute difference between the historical window deviation ratio and 1. Although the current detection moment shows abnormal traffic, the abnormality is gradually recovering, so the abnormal traffic at the current detection moment is in a recovery state.
  • In the second, the traffic situation represented by the real-time window deviation ratio is worse than that represented by the historical window deviation ratio, that is, the absolute difference between the real-time window deviation ratio and 1 is greater than the absolute difference between the historical window deviation ratio and 1. The abnormal traffic at the current detection moment is then in a deteriorating state.
  • The network device may determine the automatically marked abnormal set as in the flowchart shown in FIG. 6:
  • S602: The network device determines all abnormal traffic moments within the period.
  • The network device then determines, from the steep slope and the historical steep slope at each abnormal traffic moment, whether the abnormal traffic at that moment is in a recovery state or a deteriorating state.
  • S606: The network device removes the abnormal traffic moments that are in the recovery state and uses the remaining abnormal traffic moments as the automatically marked abnormal set.
  • S504: Compare each abnormal traffic moment in the manually marked abnormal set with each abnormal traffic moment in the automatically marked abnormal set.
  • The network device also obtains the manually marked abnormal set corresponding to the automatically marked abnormal set, that is, the result of manually marking the abnormal traffic moments within the same period.
  • The abnormal traffic moments in the manually marked abnormal set are regarded as completely correct, with no mislabeling, and the manually marked abnormal set is considered to contain all abnormal traffic moments of the past two hours, with no missing labels.
  • The network device can therefore compare each abnormal traffic moment in the manually marked abnormal set with each abnormal traffic moment in the automatically marked abnormal set.
  • From the comparison, the network device can determine the false detection anomalies in the automatically marked abnormal set: abnormal traffic moments that exist in the automatically marked abnormal set but not in the manually marked abnormal set.
  • It can likewise determine the missed anomalies: abnormal traffic moments that exist in the manually marked abnormal set but not in the automatically marked abnormal set.
  • The network device can then determine its own false detection rate from the false detection anomalies.
  • If the false detection rate of the automatically marked abnormal set reaches the preset false detection threshold, the network device determines the steep slope corresponding to each false detection anomaly, then the Q value corresponding to each steep slope, and selects the largest of those Q values as the adjusted Q. The Q value corresponding to a steep slope K is the value that would put K on the boundary of the normal slope range, that is, K itself when K is greater than 1 and 1/K when K is smaller than 1. For example, if the automatically marked abnormal set contains 3 false detection anomalies whose steep slopes are 1.5, 2 and 2.5, the Q values corresponding to those slopes are 1.5, 2 and 2.5, so the updated Q is 2.5.
  • If instead the steep slopes of the three false detection anomalies are 1/4, 1/3 and 1/2, the corresponding Q values are 4, 3 and 2, so the updated Q is 4.
  • In this way the Q value is increased and the normal slope range widened, which reduces the chance that the network device reports abnormal traffic when the traffic is in fact normal.
  • The network device can also determine its own missed detection rate from the missed anomalies.
  • If the missed detection rate of the automatically marked abnormal set reaches the preset missed detection threshold, the network device determines the steep slope corresponding to each missed anomaly and updates Q from the smallest of the corresponding Q values.
  • That is, the network device determines the Q value corresponding to each steep slope and selects the smallest as the updated Q. For example, if there are 3 missed anomalies whose steep slopes are 1/2, 1/3 and 3, the corresponding Q values are 2, 3 and 3.
  • The network device then adjusts Q to 2. Since these three moments went undetected, Q must have been greater than 3 before the adjustment, so the adjustment reduces Q, which widens the range of abnormal slopes and reduces the chance that abnormal traffic goes undetected.
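The Q adjustment of FIG. 5 and FIG. 6 (collect the abnormal moments, drop the recovering ones, compare with the manual set, then raise or lower Q) carried through in Python as an added example; this is not the patent's code. The series of window deviation ratios, the manual sets and the thresholds are constructed. Three details the description leaves open are assumptions here: the false detection rate is taken as the number of false detections divided by the size of the automatically marked set, the missed detection rate as the number of missed anomalies divided by the size of the manually marked set, and the recovery test uses the comparison of |M_n - 1| with |M_(n-1) - 1| given above rather than the slopes.

```python
"""Adaptive adjustment of the normal slope range (1/Q, Q).

Added example, not the patent's code.  Input is the series M_0..M_N of
window deviation ratios already computed for one inspected network
element over the adjustment period, plus the manually marked abnormal set.
"""
from typing import Dict, List, Set


def slopes(m: List[float]) -> Dict[int, float]:
    """K_n = M_n / M_(n-1) for every detection moment n >= 1."""
    return {n: m[n] / m[n - 1] for n in range(1, len(m))}


def q_for_slope(k: float) -> float:
    """Q at which slope k sits on the edge of (1/Q, Q): 1.5 -> 1.5, 1/4 -> 4."""
    return max(k, 1.0 / k)


def abnormal_moments(m: List[float], q: float) -> Set[int]:
    """S602: moments whose steep slope lies outside (1/Q, Q)."""
    return {n for n, k in slopes(m).items() if not (1.0 / q < k < q)}


def recovering(m: List[float], n: int) -> bool:
    """Recovery state: the current window ratio is closer to 1 than the previous one."""
    return abs(m[n] - 1.0) < abs(m[n - 1] - 1.0)


def auto_marked_set(m: List[float], q: float) -> Set[int]:
    """S606: abnormal moments that are deteriorating, not recovering."""
    return {n for n in abnormal_moments(m, q) if not recovering(m, n)}


def adjust_q(m: List[float], manual: Set[int], q: float,
             false_threshold: float, missed_threshold: float) -> float:
    """One FIG. 5 adjustment round; returns the (possibly) updated Q.

    Rate denominators are an assumption: |auto set| for false detections,
    |manual set| for missed detections.  The false-detection rule is applied
    before the missed-detection rule (the page does not fix an order).
    """
    k = slopes(m)
    auto = auto_marked_set(m, q)
    false_hits = auto - manual        # S504: in the auto set, not in the manual set
    missed = manual - auto            # in the manual set, not in the auto set
    false_rate = len(false_hits) / len(auto) if auto else 0.0
    missed_rate = len(missed) / len(manual) if manual else 0.0
    if false_hits and false_rate >= false_threshold:
        q = max(q_for_slope(k[n]) for n in false_hits)   # widen: largest Q
    if missed and missed_rate >= missed_threshold:
        q = min(q_for_slope(k[n]) for n in missed)       # narrow: smallest Q
    return q


# Constructed window deviation ratios for nine moments (two hours at 15 min
# plus the moment before).  Moments 3, 4 and 7 deteriorate; 5 and 8 recover.
M_SERIES: List[float] = [1.0, 1.0, 1.0, 1.5, 3.0, 1.0, 1.0, 3.0, 1.0]

if __name__ == "__main__":
    print(auto_marked_set(M_SERIES, 1.2))                 # {3, 4, 7}
    print(adjust_q(M_SERIES, {7}, 1.2, 0.5, 0.5))         # 2.0: moments 3, 4 were false hits
    print(adjust_q(M_SERIES, {3, 4, 7}, 4.0, 0.5, 0.5))   # 1.5: all three were missed
```

In the first call Q starts at 1.2, so the slopes 1.5, 2 and 3 at moments 3, 4 and 7 are all flagged; with only moment 7 in the manual set, moments 3 and 4 are false detections and Q is widened to the largest of their Q values, 2. In the second call Q starts at 4, nothing is flagged, all three manual moments are missed, and Q is narrowed to the smallest of their Q values, 1.5. Moments 5 and 8 have slopes of 1/3 but are recovery edges of the same events, and S606 removes them before any comparison, so they never drive Q.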
  • The abnormal traffic detection method of this embodiment analyzes the traffic deviation ratio of the inspected network element and, by means of the steep slope, identifies the moments at which the traffic deviation ratio changes sharply as abnormal traffic moments.
  • This scheme can identify abnormal points that do not cause the traffic of the inspected network element to exceed any limit, and provides a basis for network optimization.
  • Because the network device adjusts the parameter used to identify abnormal traffic moments according to the marking results, that parameter becomes more accurate and better matched to the actual state of the network, which improves detection accuracy and reduces false and missed detections.
  • S702: Collect the received traffic and sent traffic of each port of the inspected network element at the current detection moment.
  • A network device used for traffic abnormality monitoring may monitor two or more inspected network elements at the same time, so it collects port traffic for all ports of all monitored network elements. After obtaining the collection result it must therefore determine, from asset relationship data (which describes the correspondence between inspected network elements and ports), which inspected network element each collected result belongs to, and then determine the abnormal traffic moments for each inspected network element separately.
  • The network device may perform detection every 15 minutes, that is, with a detection granularity of 15 minutes. If the detection granularity is set too coarse, the network device cannot detect abnormalities that appear and recover within a short time; for example, with a detection granularity of 3 hours it cannot detect the abnormality shown in FIG. 8.
  • The network device can choose the detection granularity according to its own processing capability.
  • S704 Determine whether the receiving traffic and the sending traffic of at least two ports of the inspected network element are collected.
  • it is understandable that a large abrupt slope is easily generated during the fluctuation process, so the current detection moment is easily recognized by the network device as an abnormal traffic moment. However, when some port data is missing, the traffic deviation ratio on a single port is not actually the traffic deviation ratio of the network element that we want to obtain. Therefore, in some examples of this embodiment, the network device needs to exclude network elements that only have valid single-port data.
  • if yes, the network device continues with S706; otherwise the process ends.
  • S706 Determine whether the receiving traffic and the sending traffic of each port of the inspected network element at the current inspection moment are all zero.
  • missing value filling is a common method for handling missing data.
  • Common missing value filling methods include: filling with the mean of the preceding and following values, mode filling, linear regression filling and so on.
  • missing value filling is generally effective, but for the traffic anomaly detection scheme in this embodiment it often has a great impact on the detection result.
  • most filling methods make the data smoother, so that the network device cannot detect the original abnormal points based on the steep rise and fall of the traffic deviation ratio.
  • S708 Determine the real-time window deviation ratio of the inspected network element in the current time window according to the collected receiving traffic and sending traffic.
  • after collecting the received traffic and sent traffic of each port of the inspected network element at the current detection moment, the network device can determine the real-time window deviation ratio of the inspected network element in the current time window.
  • one time window includes three detection moments. Therefore, the network device can determine the real-time window deviation ratio corresponding to the current detection moment based on the traffic deviation ratio at the current detection moment and the traffic deviation ratios at the previous two detection moments.
  • S710 Determine the steep slope of the current detection moment according to the real-time window deviation ratio and the historical window deviation ratio.
  • the network device can calculate the ratio of the real-time window deviation ratio of the inspected network element to the historical window deviation ratio to obtain the steep slope of the inspected network element at the current detection moment.
  • S712 Determine whether the current detection time is an abnormal flow time based on the steep slope of the current detection time.
  • the network device can determine whether the flow of the detected network element is abnormal at the current detection time according to the steep slope.
  • the network device determines whether the steep slope corresponding to the current detection moment is within the normal slope range (1/Q, Q); if yes, it determines that the detection moment is not an abnormal traffic moment; if not, it determines that the detection moment is a moment when the network element's traffic is abnormal.
  • if the network device determines that the current detection moment is an abnormal traffic moment of the inspected network element, it further determines whether the abnormal traffic moment is a deteriorating abnormal traffic moment:
  • S714 Determine, according to the steep slope and the historical steep slope at the abnormal traffic moment, whether the anomaly at the abnormal traffic moment is in a deteriorating state.
  • S716 Record the time when the traffic is abnormal.
  • the network device can record the abnormal traffic moment for use in the subsequent network optimization process.
  • the network device can also evaluate its own false detection rate and missed detection rate once every period of time, and adjust the normal slope range according to the evaluation result, so as to reduce the false detection rate and missed detection rate of abnormal traffic in the subsequent detection process.
  • the specific evaluation and adjustment process has been described in more detail in the foregoing embodiment, and will not be repeated here.
  • the traffic anomaly detection method has the network device automatically monitor the traffic of the inspected network element and mark the abnormal traffic moments, which not only reduces the demand for human resources but also makes the detection process fast and efficient, and can find traffic anomalies that conventional methods cannot detect. At the same time, the parameters for judging when traffic is abnormal can be adjusted by feedback according to the detection results, so that the detection results achieve higher accuracy and reliability.
  • the embodiment of the present invention also provides a flow abnormality detection device. Please refer to the schematic structural diagram shown in FIG. 9, in which:
  • the flow abnormality detection device 90 includes a flow collection module 902, a deviation determination module 904, a slope determination module 906, and an abnormality determination module 908.
  • the flow collection module 902 is configured to collect the received and sent traffic of each port of the inspected network element at the current detection moment.
  • the deviation determination module 904 is configured to determine the real-time window deviation ratio of the inspected network element in the current time window based on the collected received and sent traffic; the slope determination module 906 is configured to determine the steep slope of the current detection moment based on the real-time window deviation ratio and the historical window deviation ratio, where the historical window deviation ratio is the traffic deviation ratio of the inspected network element in the time window corresponding to the previous detection moment;
  • the abnormality determination module 908 is configured to determine, based on the steep slope of the current detection moment, whether the current detection moment is an abnormal traffic moment.
  • the traffic anomaly detection device 90 further includes a preprocessing module 910, which is configured to determine whether the traffic collection module 902 has collected the received traffic and sent traffic of at least two ports of the inspected network element. Only when the judgment result of the preprocessing module 910 is yes does the deviation determination module 904 calculate the real-time window deviation ratio.
  • the preprocessing module 910 may also be configured to determine whether the received traffic and sent traffic of each port of the inspected network element at the current detection moment are all zero. Only when the judgment result of the preprocessing module 910 is negative does the deviation determination module 904 calculate the real-time window deviation ratio.
  • a time window includes at least two detection moments.
  • the deviation determination module 904 can determine the traffic deviation ratio at the current detection moment based on the received traffic and sent traffic collected at the current detection moment, obtain the traffic deviation ratios of the other detection moments in the current time window, and then determine, according to the traffic deviation ratio of each detection moment in the current time window, the average of the traffic deviation ratios of the current time window as the real-time window deviation ratio.
  • the traffic deviation ratio at the current detection time is the ratio of the sum of the received traffic and the sum of the sent traffic of each port of the detected network element collected at the current detection time.
  • the abnormality determination module 908 can determine whether the steep slope of the current detection moment is outside the normal slope range (1/Q, Q), where Q is a positive number; if so, it determines that the current detection moment is an abnormal traffic moment; if not, it determines that the current detection moment is not an abnormal traffic moment.
  • the traffic anomaly detection device 90 may further include a parameter adjustment module 912, which is configured to evaluate the multiple determination results of the abnormality determination module 908 and, according to at least one of the false detection rate and the missed detection rate, adjust the normal slope range that the abnormality determination module 908 uses to determine whether a detection moment is an abnormal traffic moment.
  • the parameter adjustment module 912 may add each abnormal traffic moment detected in a certain period of time to the automatically marked abnormal set, then compare each abnormal traffic moment in the manually marked abnormal set with each abnormal traffic moment in the automatically marked abnormal set, and adjust the normal slope range according to the comparison result.
  • the parameter adjustment module 912 determines the false detections in the automatically marked abnormal set, and then determines whether the false detection rate of the automatically marked abnormal set reaches the preset false detection threshold; if so, the parameter adjustment module 912 further determines the steep slope corresponding to each false detection and adjusts the Q value according to the maximum of these steep slopes.
  • the parameter adjustment module 912 determines the missed detections in the automatically marked abnormal set, and then determines whether the missed detection rate of the automatically marked abnormal set reaches the preset missed detection threshold; if so, the parameter adjustment module 912 further determines the steep slope corresponding to each missed detection and adjusts the Q value according to the maximum of these steep slopes.
  • the parameter adjustment module 912 may first determine all abnormal traffic moments in a time period, then for each abnormal traffic moment in the period determine, according to the steep slope of that moment and the historical steep slope, whether the anomaly is in a recovering state or a deteriorating state, then eliminate the abnormal traffic moments in the recovering state and regard the remaining abnormal traffic moments as the automatically marked abnormal set.
  • the traffic anomaly detection device 90 in this embodiment can be deployed on a network device, such as a network device in a bearer network, where the function of the traffic collection module 902 can be implemented by the processor and the communication unit of the network device, and the functions of the deviation determination module 904, the slope determination module 906, the abnormality determination module 908, the preprocessing module 910 and the parameter adjustment module 912 can all be implemented by the processor of the network device.
  • the traffic anomaly detection device analyzes the traffic deviation ratio of the inspected network element and, based on the steep slope, identifies the moments when the traffic deviation ratio changes greatly as abnormal traffic moments.
  • This traffic anomaly detection scheme can effectively identify abnormal points that do not cause the traffic of the inspected network element to exceed the limit, providing a basis for network optimization.
  • the traffic anomaly detection device can adjust the parameters for determining abnormal traffic moments according to the result of marking the abnormal traffic, so that those parameters become more accurate and better match the actual situation of the network, thereby increasing the accuracy of traffic anomaly detection and reducing false detections and missed detections.
  • the embodiment of the present invention also provides a computer-readable storage medium.
  • the computer-readable storage medium may store one or more computer programs that can be read, compiled, and executed by one or more processors.
  • the computer-readable storage medium may store a traffic anomaly detection program, and the traffic anomaly detection program can be used by one or more processors to execute a process implementing any of the traffic anomaly detection methods introduced in the foregoing embodiments.
  • the network device 120 includes a processor 121, a memory 122, and a communication bus 123 configured to connect the processor 121 and the memory 122, where the memory 122 may be the aforementioned computer-readable storage medium.
  • the processor 121 may read the traffic anomaly detection program, compile it and execute the flow of the traffic anomaly detection method introduced in the foregoing embodiment:
  • the processor 121 collects the received traffic and sent traffic of each port of the inspected network element at the current detection moment, determines the real-time window deviation ratio of the inspected network element in the current time window according to the collected received and sent traffic, then determines the steep slope of the current detection moment according to the real-time window deviation ratio and the historical window deviation ratio, and determines whether the current detection moment is an abnormal traffic moment based on the steep slope of the current detection moment.
  • the processor 121 is further configured to determine whether the received traffic and sent traffic of at least two ports of the inspected network element have been collected. Only when the judgment result is yes does the processor 121 calculate the real-time window deviation ratio.
  • the processor 121 may also determine whether the received traffic and sent traffic of each port of the inspected network element at the current detection moment are all zero. Only when the judgment result is negative does the processor 121 calculate the real-time window deviation ratio.
  • a time window includes at least two detection moments.
  • the processor 121 may determine the traffic deviation ratio at the current detection moment according to the received traffic and sent traffic collected at the current detection moment, obtain the traffic deviation ratios of the other detection moments in the current time window, and then determine, according to the traffic deviation ratio of each detection moment in the current time window, the average of the traffic deviation ratios of the current time window as the real-time window deviation ratio.
  • the traffic deviation ratio at the current detection time is the ratio of the sum of the received traffic and the sum of the sent traffic of each port of the detected network element collected at the current detection time.
  • the processor 121 may determine whether the steep slope at the current detection moment is outside the normal slope range (1/Q, Q), where Q is a positive number; if so, it determines that the current detection moment is an abnormal traffic moment; if not, it determines that the current detection moment is not an abnormal traffic moment.
  • the processor 121 may also evaluate its own multiple determination results, and adjust the normal slope range used to determine whether a detection moment is an abnormal traffic moment according to at least one of the false detection rate and the missed detection rate.
  • the processor 121 may add each abnormal traffic moment detected in a certain period of time to the automatically marked abnormal set, then compare each abnormal traffic moment in the manually marked abnormal set with each abnormal traffic moment in the automatically marked abnormal set, and adjust the normal slope range according to the comparison result.
  • the processor 121 determines the false detections in the automatically marked abnormal set, and then determines whether the false detection rate of the automatically marked abnormal set reaches the preset false detection threshold; if so, the processor 121 further determines the steep slope corresponding to each false detection and adjusts the Q value according to the maximum of these steep slopes.
  • the processor 121 determines the missed detections in the automatically marked abnormal set, and then determines whether the missed detection rate of the automatically marked abnormal set reaches the preset missed detection threshold; if so, the processor 121 further determines the steep slope corresponding to each missed detection and adjusts the Q value according to those steep slopes.
  • the processor 121 may first determine all abnormal traffic moments within a time period, then for each abnormal traffic moment in the period determine, according to the steep slope of that moment and the historical steep slope, whether the anomaly is in a recovering state or a deteriorating state, then eliminate the abnormal traffic moments in the recovering state and regard the remaining abnormal traffic moments as the automatically marked abnormal set.
  • the network device provided in this embodiment can automatically monitor the traffic of the inspected network element and mark the abnormal traffic moments, which not only reduces the demand for human resources but also makes the detection process fast and efficient, and can find abnormal traffic conditions that conventional methods cannot detect. At the same time, the parameters for judging when traffic is abnormal can be adjusted by feedback according to the detection results, so that the detection results achieve higher accuracy and reliability.
  • the functional modules/units in the system and device can be implemented as software (which can be implemented by program code executable by a computing device), firmware, hardware, or an appropriate combination of these.
  • the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components.
  • Some or all physical components can be implemented as software executed by a processor, such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit.
  • the computer-readable medium may include computer storage media (or non-transitory media) and communication media (or transitory media).
  • computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data).
  • Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • communication media usually contain computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery media. Therefore, the present invention is not limited to any specific combination of hardware and software.
  • the method, device, network device and storage medium for detecting traffic anomalies provided by the embodiments of the present invention have the following beneficial effects: they can more effectively find anomalies that do not cause the traffic to exceed the limit, increase the comprehensiveness of traffic monitoring of the network element device, and increase the accuracy and credibility of the detection results.
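The detection steps S702 to S716, the modules 902 to 910 of the device 90 and the equivalent processing by the processor 121 all describe the same pipeline. The following Python is an added worked example written for this page, not code from the patent or its applicant: it computes the traffic deviation ratio as the sum of received traffic divided by the sum of sent traffic, averages it over a three-moment window, forms the steep slope as the ratio of the current window value to the previous one, and flags moments whose slope falls outside (1/Q, Q), skipping (rather than filling) moments where fewer than two ports reported or the traffic is all zero. The port samples, Q = 1.5, the class and function names, and the deteriorating/recovering rule in `_state` are assumptions made for the example; the text does not specify how the steep slope and the historical steep slope are compared.

```python
"""Steep-slope traffic anomaly detection (S702-S716), as an added worked example."""
from statistics import mean
from typing import List, Optional, Tuple

# A port sample is (received, sent) for one port in one detection interval;
# None means the value was not collected (e.g. the port did not report).
PortSample = Tuple[Optional[float], Optional[float]]


def deviation_ratio(ports: List[PortSample]) -> Optional[float]:
    """Traffic deviation ratio at one detection moment: sum(rx) / sum(tx) over all
    ports. Returns None when the S704/S706 preconditions fail: fewer than two ports
    have data, or the traffic is all zero (a zero tx sum with non-zero rx is also
    skipped here, an assumption, because the ratio is then undefined)."""
    valid = [(rx, tx) for rx, tx in ports if rx is not None and tx is not None]
    if len(valid) < 2:                      # S704: single-port data is excluded
        return None
    rx_sum = sum(rx for rx, _ in valid)
    tx_sum = sum(tx for _, tx in valid)
    if tx_sum == 0:                         # S706: all-zero moments are skipped
        return None
    return rx_sum / tx_sum


class SteepSlopeDetector:
    """Keeps the per-moment ratios, the previous window ratio and the slope of the
    most recent abnormal moment, and classifies each new detection moment."""

    def __init__(self, q: float = 1.5, window: int = 3):
        assert q > 1, "the normal slope range (1/Q, Q) is empty unless Q > 1"
        self.q = q
        self.window = window
        self.ratios: List[float] = []                     # ratio per valid moment
        self.prev_window: Optional[float] = None          # historical window deviation ratio
        self.last_abnormal_slope: Optional[float] = None  # historical steep slope
        self.abnormal: List[Tuple[int, float, str]] = []  # S716 record

    def step(self, moment: int, ports: List[PortSample]):
        """Process one detection moment. Returns (steep_slope, is_abnormal, state),
        or None when the moment is skipped or no slope can be formed yet."""
        ratio = deviation_ratio(ports)
        if ratio is None:
            return None                        # skipped, never filled in
        self.ratios.append(ratio)
        if len(self.ratios) < self.window:
            return None                        # S708 needs a full window
        window_ratio = mean(self.ratios[-self.window:])   # real-time window deviation ratio
        result = None
        if self.prev_window is not None:
            slope = window_ratio / self.prev_window          # S710: steep slope
            is_abnormal = not (1 / self.q < slope < self.q)  # S712: outside (1/Q, Q)
            state = ""
            if is_abnormal:
                state = self._state(slope)                    # S714
                self.abnormal.append((moment, slope, state))  # S716
                self.last_abnormal_slope = slope
            result = (slope, is_abnormal, state)
        self.prev_window = window_ratio
        return result

    def _state(self, slope: float) -> str:
        """Assumed rule: an abnormal slope on the opposite side of 1 from the previous
        abnormal slope means the ratio is reverting (recovering); otherwise the
        anomaly is new or continuing, i.e. deteriorating."""
        prev = self.last_abnormal_slope
        if prev is not None and (slope > 1) != (prev > 1):
            return "recovering"
        return "deteriorating"


# Constructed sample: two ports at 15-minute granularity. Sent traffic on both
# ports collapses at moments 4-6 (ratio jumps from 1 to 6) and then returns.
SAMPLES: List[List[PortSample]] = [
    [(100, 100), (200, 200)],    # m0  ratio 1.0
    [(110, 100), (190, 200)],    # m1  ratio 1.0
    [(120, 120), (180, 180)],    # m2  ratio 1.0
    [(100, 100), (200, 200)],    # m3  ratio 1.0
    [(600, 100), (600, 100)],    # m4  ratio 6.0  -> abnormal, deteriorating
    [(600, 100), (600, 100)],    # m5  ratio 6.0  -> abnormal, deteriorating
    [(600, 100), (600, 100)],    # m6  ratio 6.0
    [(100, 100), (200, 200)],    # m7  ratio 1.0
    [(100, 100), (200, 200)],    # m8  ratio 1.0  -> abnormal, recovering
    [(100, 100), (None, None)],  # m9  only one port reported: skipped (S704)
    [(0, 0), (0, 0)],            # m10 all zero: skipped (S706)
]


def run_demo(q: float = 1.5) -> List[Tuple[int, float, str]]:
    """Run the detector over SAMPLES and return the recorded abnormal moments."""
    det = SteepSlopeDetector(q=q)
    for moment, ports in enumerate(SAMPLES):
        det.step(moment, ports)
    return det.abnormal


if __name__ == "__main__":
    for moment, slope, state in run_demo():
        print(f"moment {moment}: steep slope {slope:.3f} -> abnormal ({state})")
```

Note how the window average spreads one sudden change over two abnormal moments (4 and 5, slopes 8/3 and 13/8) while moments 6 and 7 stay inside the range, and how the return to normal surfaces only at moment 8 as a recovering anomaly with slope 8/13. This is why the parameter adjustment removes recovering moments from the automatically marked set before comparing it with manual marking, and why filling the skipped moments 9 and 10 with smoothed values would only blunt the slopes the detector relies on.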
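The feedback adjustment of the normal slope range described for the network device (periodic evaluation of the false detection rate and missed detection rate), for the parameter adjustment module 912 and for the processor 121 is shown here as an added Python example, not the patent's own code. It builds the automatically marked abnormal set from detector output with recovering moments removed, compares it with a constructed manually marked set, and moves Q according to the largest steep slope among the false detections (widening the range) or among the missed detections (narrowing it). The thresholds, the 5 % margin, the rule of applying only one adjustment per evaluation period, and all sample moments and slopes are assumptions made for this example.

```python
"""Feedback adjustment of Q from false and missed detections (added example)."""
from typing import Dict, Iterable, Set, Tuple


def normalized_slope(slope: float) -> float:
    """Map a steep slope onto the upper half of the symmetric range (1/Q, Q):
    a slope s and its reciprocal 1/s are equally far from normal."""
    return max(slope, 1.0 / slope)


def automatic_abnormal_set(detections: Iterable[Tuple[int, float, str]]) -> Dict[int, float]:
    """Automatically marked abnormal set: abnormal moments with their steep slopes,
    with moments in the recovering state removed, as the text describes."""
    return {moment: slope for moment, slope, state in detections if state != "recovering"}


def adjust_q(q: float, auto: Dict[int, float], manual: Set[int], slopes: Dict[int, float],
             false_threshold: float = 0.2, missed_threshold: float = 0.2,
             margin: float = 0.05) -> Tuple[float, float, float]:
    """Compare the automatically marked set with the manually marked set and
    return (new_q, false_detection_rate, missed_detection_rate).

    `slopes` holds the steep slope of every detection moment in the period, so the
    slope of a missed moment (one the detector left inside the range) is known.
    Assumption: only one of the two adjustments is applied per evaluation period,
    false detections first, because widening and narrowing pull Q in opposite ways."""
    false = set(auto) - manual            # flagged automatically, rejected manually
    missed = manual - set(auto)           # marked manually, never flagged
    false_rate = len(false) / len(auto) if auto else 0.0
    missed_rate = len(missed) / len(manual) if manual else 0.0
    new_q = q
    if false and false_rate >= false_threshold:
        worst = max(normalized_slope(auto[m]) for m in false)
        # Widen the open range (1/Q, Q) so the worst false detection lies inside it;
        # the margin is an assumption, needed because a slope equal to Q is still abnormal.
        new_q = max(q, worst * (1.0 + margin))
    elif missed and missed_rate >= missed_threshold:
        worst = max(normalized_slope(slopes[m]) for m in missed)
        # Narrow the range to the largest missed slope: a slope equal to Q is outside
        # the open range, so that moment is flagged next time.
        new_q = min(q, worst)
    return new_q, false_rate, missed_rate


# Constructed detector output for one evaluation period: (moment, steep slope, state).
DETECTIONS = [
    (4, 8 / 3, "deteriorating"),
    (5, 13 / 8, "deteriorating"),
    (8, 8 / 13, "recovering"),      # removed before the comparison
    (12, 1.55, "deteriorating"),
    (20, 0.62, "deteriorating"),
]
# Constructed steep slopes of the moments in the period that matter here.
SLOPES = {4: 8 / 3, 5: 13 / 8, 8: 8 / 13, 12: 1.55, 16: 1.42, 20: 0.62}
# Constructed operator verdict: 4 and 5 confirmed, 12 and 20 rejected, 16 was missed.
MANUAL = {4, 5, 16}


def run_demo(q: float = 1.5):
    """First period: two false detections out of four, so Q is widened.
    Second period (constructed): 12 and 20 are no longer flagged but 16 is still
    missed, so Q is narrowed. Returns both (new_q, false_rate, missed_rate) tuples."""
    auto = automatic_abnormal_set(DETECTIONS)
    widened = adjust_q(q, auto, MANUAL, SLOPES)
    auto_second = {m: s for m, s in auto.items() if m in (4, 5)}
    narrowed = adjust_q(q, auto_second, MANUAL, SLOPES)
    return widened, narrowed


if __name__ == "__main__":
    for label, (new_q, fr, mr) in zip(("widened", "narrowed"), run_demo()):
        print(f"{label}: Q -> {new_q:.4f} (false rate {fr:.2f}, missed rate {mr:.2f})")
```

Widening to about 1.69 on the first period brings the confirmed moment 5 (slope 13/8 = 1.625) inside the normal range, so it would count as a missed detection in the next evaluation; the two rates pull Q in opposite directions, which is why the text evaluates both and adjusts once per period rather than after every moment.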

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Some embodiments of the present invention relate to a traffic anomaly detection method and apparatus, a network device and a storage medium. The method comprises: acquiring the received traffic and sent traffic of each port of a network element device at the current detection moment; then determining the real-time traffic deviation factor of the network element device in the current time window according to the acquired received traffic and sent traffic; determining the steep change slope of the current detection moment according to the real-time traffic deviation factor and a historical traffic deviation factor; and then, on the basis of the steep change slope of the current detection moment, determining whether the current detection moment is a moment at which the traffic is abnormal. Compared with a traffic monitoring solution in the relevant prior art, the traffic anomaly detection solution provided by the embodiments of the present invention can more effectively discover an anomaly that does not exceed a limit, improve the intelligibility of the traffic monitoring of the network element device, and improve the accuracy and reliability of a detection result.
PCT/CN2020/096847 2019-07-16 2020-06-18 Traffic anomaly detection method and apparatus, network device and storage medium WO2021008296A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910640994.6 2019-07-16
CN201910640994.6A CN112242971B (zh) 2019-07-16 2019-07-16 Traffic anomaly detection method and apparatus, network device and storage medium

Publications (1)

Publication Number Publication Date
WO2021008296A1 true WO2021008296A1 (fr) 2021-01-21

Family

ID=74166749

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/096847 WO2021008296A1 (fr) 2019-07-16 2020-06-18 Traffic anomaly detection method and apparatus, network device and storage medium

Country Status (2)

Country Link
CN (1) CN112242971B (fr)
WO (1) WO2021008296A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285612A (zh) * 2021-12-14 2022-04-05 北京天融信网络安全技术有限公司 Abnormal data detection method, system, apparatus, device and medium
CN114373308A (zh) * 2021-11-30 2022-04-19 深圳市顺易通信息科技有限公司 Method and apparatus for determining the total number of effective parking spaces, and storage medium
CN114745304A (zh) * 2022-04-27 2022-07-12 北京广通优云科技股份有限公司 Method for identifying service mutation points based on network behaviour parameters in an IT intelligent operations and maintenance system
CN114979828A (zh) * 2022-05-18 2022-08-30 成都安讯智服科技有限公司 Modbus-based traffic control method and system for an Internet of Things communication module
CN116915517A (zh) * 2023-09-14 2023-10-20 厦门快快网络科技有限公司 Cloud service resource risk security management method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117650791B (zh) * 2024-01-30 2024-04-05 苏芯物联技术(南京)有限公司 Welding historical gas flow data compression method integrating the welding process mechanism

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184097A (zh) * 2007-12-14 2008-05-21 北京大学 Method for detecting worm activity based on traffic information
CN101399709A (zh) * 2007-09-28 2009-04-01 福建星网锐捷网络有限公司 Network monitoring method, apparatus and system
CN107332723A (zh) * 2016-04-28 2017-11-07 华为技术有限公司 Covert channel detection method and detection device
US20180103045A1 (en) * 2014-10-10 2018-04-12 The Hong Kong Polytechnic University Network attack detection method
CN108989135A (zh) * 2018-09-29 2018-12-11 新华三技术有限公司合肥分公司 Network device fault detection method and apparatus

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9843488B2 (en) * 2011-11-07 2017-12-12 Netflow Logic Corporation Method and system for confident anomaly detection in computer network traffic
WO2018035765A1 (fr) * 2016-08-24 2018-03-01 深圳天珑无线科技有限公司 Network anomaly detection method and apparatus
CN109327345A (zh) * 2017-08-01 2019-02-12 中国移动通信集团湖北有限公司 Method and apparatus for detecting abnormal network traffic, and computer-readable storage medium
CN108390864B (zh) * 2018-02-01 2020-12-11 杭州安恒信息技术股份有限公司 Trojan detection method and system based on attack chain behaviour analysis
CN109951491A (zh) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detection method, apparatus, device and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399709A (zh) * 2007-09-28 2009-04-01 福建星网锐捷网络有限公司 Network monitoring method, apparatus and system
CN101184097A (zh) * 2007-12-14 2008-05-21 北京大学 Method for detecting worm activity based on traffic information
US20180103045A1 (en) * 2014-10-10 2018-04-12 The Hong Kong Polytechnic University Network attack detection method
CN107332723A (zh) * 2016-04-28 2017-11-07 华为技术有限公司 Covert channel detection method and detection device
CN108989135A (zh) * 2018-09-29 2018-12-11 新华三技术有限公司合肥分公司 Network device fault detection method and apparatus

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114373308A (zh) * 2021-11-30 2022-04-19 深圳市顺易通信息科技有限公司 Method and apparatus for determining the total number of effective parking spaces, and storage medium
CN114285612A (zh) * 2021-12-14 2022-04-05 北京天融信网络安全技术有限公司 Abnormal data detection method, system, apparatus, device and medium
CN114285612B (zh) * 2021-12-14 2023-09-26 北京天融信网络安全技术有限公司 Abnormal data detection method, system, apparatus, device and medium
CN114745304A (zh) * 2022-04-27 2022-07-12 北京广通优云科技股份有限公司 Method for identifying service mutation points based on network behaviour parameters in an IT intelligent operations and maintenance system
CN114745304B (zh) * 2022-04-27 2024-02-27 北京广通优云科技股份有限公司 Method for identifying service mutation points based on network behaviour parameters in an IT operations and maintenance system
CN114979828A (zh) * 2022-05-18 2022-08-30 成都安讯智服科技有限公司 Modbus-based traffic control method and system for an Internet of Things communication module
CN114979828B (zh) * 2022-05-18 2023-03-10 成都安讯智服科技有限公司 Modbus-based traffic control method and system for an Internet of Things communication module
CN116915517A (zh) * 2023-09-14 2023-10-20 厦门快快网络科技有限公司 Cloud service resource risk security management method
CN116915517B (zh) * 2023-09-14 2023-11-24 厦门快快网络科技有限公司 Cloud service resource risk security management method

Also Published As

Publication number Publication date
CN112242971B (zh) 2023-06-16
CN112242971A (zh) 2021-01-19

Similar Documents

Publication Publication Date Title
WO2021008296A1 (fr) Traffic anomaly detection method and apparatus, network device and storage medium
CN111126824B (zh) Multi-indicator correlation model training method and multi-indicator anomaly analysis method
US9015312B2 (en) Network management system and method for identifying and accessing quality of service issues within a communications network
US9921943B2 (en) Predicting anomalies and incidents in a computer application
CN101189895B (zh) Anomaly detection method and system, and maintenance method and system
US10447561B2 (en) BFD method and apparatus
KR20060028601A (ko) Apparatus and method for detecting signs of network traffic anomalies
EP2741439B1 (fr) Network fault detection method and monitoring centre
WO2022028120A1 (fr) Indicator detection model acquisition method and apparatus, fault localisation method and apparatus, device and storage medium
CN115038088B (zh) Intelligent network security detection and early-warning system and method
JP2021022759A (ja) Network analysis program, network analysis device and network analysis method
US20110153804A1 (en) Method and system for reporting defects within a network
WO2022057501A1 (fr) Abnormal terminal identification method, analysis apparatus and device, and storage medium
CN112751722A (zh) Data transmission quality monitoring method and system
US11265237B2 (en) System and method for detecting dropped aggregated traffic metadata packets
CN115774159A (zh) High-voltage frequency converter power unit fault detection system
CN110120893B (zh) Method and apparatus for locating network system security problems
CN113438116A (zh) Power communication data management system and method
KR100812946B1 (ko) Quality of service management system and method in a mobile communication network
CN103384215A (zh) Virus situation anomaly detection method and system based on a joint AR model
CN114978939B (zh) Network link quality detection method
TWI533688B (zh) Network protocol television service network anomaly node judgment method
US11140067B2 (en) Discovering cross-domain links based on traffic flow
CN117336202B (zh) Multi-channel management system based on a vibration meter controller and method thereof
CN117856441A (zh) Smart grid transmission delay optimisation method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20840133

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20840133

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 20840133

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 22.09.2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20840133

Country of ref document: EP

Kind code of ref document: A1