WO2023124034A1 - Int-based anomalous-traffic detection method and apparatus - Google Patents

Int-based anomalous-traffic detection method and apparatus Download PDF

Info

Publication number
WO2023124034A1
WO2023124034A1 PCT/CN2022/107422 CN2022107422W WO2023124034A1 WO 2023124034 A1 WO2023124034 A1 WO 2023124034A1 CN 2022107422 W CN2022107422 W CN 2022107422W WO 2023124034 A1 WO2023124034 A1 WO 2023124034A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
traffic
telemetry
flow
data packet
Prior art date
Application number
PCT/CN2022/107422
Other languages
French (fr)
Chinese (zh)
Inventor
郭永安
马德睿
佘昊
钱琪杰
Original Assignee
南京邮电大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 南京邮电大学 filed Critical 南京邮电大学
Publication of WO2023124034A1 publication Critical patent/WO2023124034A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00Packet switching elements
    • H04L49/10Packet switching elements characterised by the switching fabric construction
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • the present application relates to the technical field of computer networks, in particular to an INT-based abnormal traffic detection method and device.
  • abnormal traffic detection is a technology that detects abnormalities by collecting and analyzing system network information. It mainly monitors the computer system and network in real time, discovers and identifies abnormal traffic in network traffic, and gives abnormal traffic alarms, so that network administrators can take corresponding measures in time to protect network security.
  • In-band telemetry is a new approach to network monitoring. INT directly executes the abnormal traffic monitoring process on the data plane, attaches real-time network status to each data packet at the line rate, and provides monitoring of network performance and load by collecting information on the data plane, but the current in-band telemetry technology is Abnormal traffic detection has the following defects:
  • the detection speed is slow. Because in-band telemetry encapsulates telemetry data and instructions into normal data packets, the encapsulation and extraction of traffic data detected by telemetry are all implemented by switches with telemetry functions, and the processing burden of switches is heavy, resulting in slow detection speed.
  • the functional integrity is not enough.
  • the in-band telemetry technology can only realize the collection and upload of telemetry data, and the switch can only extract traffic data, and cannot detect and trace abnormal traffic.
  • An INT-based abnormal flow detection method comprising:
  • the sender encapsulates the interaction data and telemetry instructions into data packets and transmits them to the receiver through the switch on the transmission link;
  • the first hop switch on the transmission link encapsulates the telemetry data packet header and the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and sends it to the next hop switch;
  • the next-hop switch encapsulates the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continues to pass it to the next-hop switch to encapsulate the collected traffic-related data until it reaches last hop switch;
  • the last hop switch collects flow-related data according to the telemetry instruction carried in the received data packet, splits the flow-related data in the data packet, and sends all flow-related data as telemetry data to the telemetry server, Send the interaction data to the receiver;
  • the telemetry server extracts traffic data from the received telemetry data
  • the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and outputs a detection result.
  • the method also includes:
  • the telemetry server generates a telemetry report according to the detection result and feeds it back to the sender, and when the detection result is abnormal, sends a stop data packet sending instruction to the sender, so that the sender stops sending the data packet, and proceeds according to the flow data Tracing the source of abnormal traffic.
  • the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and the step of outputting the detection result includes:
  • the telemetry server uses a tag encoder to encode the traffic data to form preliminary traffic characteristics
  • the telemetry server extracts frequently occurring features by inputting the preliminary traffic features into a feature extraction model to obtain frequent traffic feature vectors;
  • the frequent flow feature vector of the telemetry server is input into a reshaping model for reshaping to form a two-dimensional matrix data feature;
  • the telemetry server uses k convolution kernels of the same shape as the two-dimensional matrix data features to perform feature extraction on the two-dimensional matrix data features to obtain three-dimensional data features;
  • the telemetry server inputs the three-dimensional data features into a classification model for classification, and obtains a detection result.
  • the method further includes: generating a visual interface according to the characteristics of the three-dimensional data and displaying it on the display.
  • the step of encoding the traffic data by the telemetry server using a tag encoder to form preliminary traffic characteristics includes:
  • the telemetry server takes n groups of flow data samples from the flow data, and performs normalized encoding processing on the n groups of flow data samples according to a normalization formula to obtain preliminary flow characteristics;
  • the normalization formula is:
  • s ij identifies each data in the i-th group of flow data samples
  • j represents the data at the jth time point in the i-th group of flow data samples
  • s i_min is the minimum value in the i-th group of flow data samples
  • s i_max is the maximum value in the i-th group of flow data samples
  • c ij represents the normalized data of the j-th time point data of the i-th group
  • s i represents the preliminary flow characteristics.
  • the feature extraction model is:
  • x i represents the output frequent traffic feature vector
  • w is the shape reshaping vector
  • a 1 is the parameter value of the generated feature vector
  • f is the feature acquisition function
  • n is the total number of groups of traffic data samples.
  • the remodeling model is:
  • h is the shape reshaping sample
  • xi represents the output frequent flow feature vector
  • w is the shape reshaping vector
  • a 1 is the parameter value of the generated feature vector
  • M is the two-dimensional matrix data feature.
  • the formula for feature extraction of the convolution kernel is:
  • k is the number of convolution kernels
  • h is the shape remodeling sample
  • x i represents the output frequent flow feature vector
  • O i is the extracted three-dimensional data feature.
  • the classification model is:
  • e is the natural base
  • sig is the sigmoid activation function
  • class is the detection result
  • class is 0 for normal
  • class is 1 for abnormal
  • O i is the extracted three-dimensional data features.
  • An INT-based abnormal flow detection device comprising:
  • the sender's data transmission module is used for the sender to encapsulate the interaction data and telemetry instructions into data packets according to the interaction request and transmit them to the receiver through the switch on the transmission link;
  • the first encapsulation module of the switch is used for the first hop switch on the transmission link to encapsulate the telemetry data packet header and the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and Send to the next hop switch;
  • the second encapsulation module of the switch is used for the next-hop switch to encapsulate the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continue to pass it to the next-hop switch for collection Encapsulate the incoming traffic-related data until it reaches the last hop switch;
  • the third encapsulation module of the switch is used for the last hop switch to collect flow-related data according to the telemetry instruction carried in the received data packet, split the flow-related data in the data packet, and collect all flow-related data As telemetry data, it is sent to the telemetry server, and the interaction data is sent to the receiver;
  • the extraction module of the telemetry server is used for the telemetry server to extract traffic data from the received telemetry data
  • the detection module of the telemetry server is used for the telemetry server to detect abnormal traffic by using an adaptive traffic detection algorithm according to the traffic data, and output a detection result.
  • the sender encapsulates the interaction data and telemetry instructions into data packets according to the interaction request and transmits them to the receiver through the switch on the transmission link; the first hop switch on the transmission link According to the telemetry instruction carried in the received data packet, encapsulate the telemetry data packet header and the collected traffic-related data into the data packet, and send it to the next-hop switch; the next-hop switch according to the received data packet
  • the carried telemetry command encapsulates the collected traffic-related data into the data packet, and then continues to pass it to the next-hop switch to encapsulate the collected traffic-related data until it reaches the last-hop switch; the last-hop switch receives
  • the telemetry command carried in the received data packet collects traffic-related data, splits the traffic-related data in the data packet, sends all traffic-related data as telemetry data to the telemetry server, and sends the interactive data to the receiver
  • the telemetry server extracts traffic data from the received
  • Fig. 1 is a schematic flowchart of an INT-based abnormal traffic detection method in an embodiment.
  • an INT-based abnormal traffic detection method including the following steps:
  • Step S220 according to the interaction request, the sender encapsulates the interaction data and the telemetry instruction into a data packet and transmits it to the receiver through the switch on the transmission link.
  • the interaction request may be a request sent by the sender and the receiver through interaction, such as an Internet access request, a data transmission request, etc.
  • the sender may be a terminal or a server
  • the receiver may be a terminal or a server.
  • Step S240 the first-hop switch on the transmission link encapsulates the telemetry data packet header and the collected flow-related data into a data packet according to the telemetry instruction carried in the received data packet, and sends it to the next-hop switch.
  • the first-hop switch when encapsulating the data packet, adds the telemetry data packet header to the received data packet, and adds the flow-related data collected by itself behind the field of the telemetry data packet header.
  • Traffic-related data includes network status, network performance, event types, and traffic composition, among others.
  • Step S260 the next-hop switch encapsulates the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continues to pass the collected traffic-related data to the next-hop switch for encapsulation, until Reach the last hop switch.
  • Step S280 the last hop switch collects traffic-related data according to the telemetry instruction carried in the received data packet, splits the traffic-related data in the data packet, and sends all traffic-related data as telemetry data to the telemetry server , to send the interaction data to the receiver.
  • the telemetry data is encapsulated into a telemetry data packet and sent to the telemetry server, and the telemetry data packet does not include interaction data.
  • the interaction data is encapsulated into an interaction data packet and sent to the receiver, and the interaction data packet does not include telemetry data.
  • step S300 the telemetry server extracts flow data from the received telemetry data.
  • traffic data includes network status, network performance, event type and traffic composition, etc.
  • step S320 the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and outputs a detection result.
  • the above-mentioned INT-based abnormal traffic detection method through the sender according to the interaction request, encapsulates the interaction data and telemetry instructions into the data packet and transmits it to the receiver through the switch on the transmission link; the first hop switch on the transmission link according to the received
  • the telemetry command carried in the received data packet encapsulates the telemetry data packet header and the collected traffic-related data into the data packet, and sends it to the next-hop switch;
  • the next-hop switch according to the telemetry command carried in the received data packet after encapsulating the collected traffic-related data into data packets, continue to pass it to the next-hop switch to encapsulate the collected traffic-related data until it reaches the last-hop switch;
  • the last-hop switch carries
  • the telemetry command collects traffic-related data, splits the traffic-related data in the data packet, sends all traffic-related data as telemetry data to the telemetry server, and sends the interactive data to the receiver; From the telemetry data, the
  • the method for detecting abnormal traffic based on INT further includes: the telemetry server generates a telemetry report to feed back to the sender according to the detection result; Stop sending data packets, and trace the source of abnormal traffic based on traffic data.
  • the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and the step of outputting the detection result includes: the telemetry server uses a label encoder to encode the traffic data to form preliminary traffic characteristics; telemetry The server inputs the preliminary traffic features into the feature extraction model to extract frequently occurring features and obtains the frequent traffic feature vectors; the telemetry server inputs the frequent traffic feature vectors into the reshaping model for reshaping to form two-dimensional matrix data features; the telemetry server uses the same The k convolution kernels with the same shape of the two-dimensional matrix data feature extract the two-dimensional matrix data feature to obtain the three-dimensional data feature; the telemetry server inputs the three-dimensional data feature into the classification model for classification, and obtains the detection result.
  • the feature extraction model is used to extract the data features of the two-dimensional matrix, and then the feature extraction is performed through the reshaping model, which can better extract the local features of the traffic data and more comprehensively extract the traffic features.
  • the INT-based abnormal flow detection method further includes: generating a visual interface according to the characteristics of the three-dimensional data and displaying it on the display.
  • the visual interface can realize real-time monitoring of abnormal traffic.
  • the telemetry server uses a tag encoder to encode the traffic data to form preliminary traffic characteristics, including:
  • the telemetry server takes n sets of flow data samples from the flow data, and performs normalized coding processing on the n sets of flow data samples according to the normalization formula to obtain preliminary flow characteristics;
  • the normalization formula is:
  • s ij identifies each data in the i-th group of flow data samples
  • j represents the data at the jth time point in the i-th group of flow data samples
  • s i_min is the minimum value in the i-th group of flow data samples
  • s i_max is the maximum value in the flow data samples of the i-th group
  • c ij represents the normalized data of the data at the j-th time point of the i-th group
  • s i represents the preliminary flow characteristics.
  • the method of digital normalization will be used to obtain the preliminary flow characteristics mapped within a certain range.
  • the feature extraction model is:
  • x i represents the output frequent traffic feature vector
  • w is the shape reshaping vector
  • a 1 is the parameter value of the generated feature vector
  • f is the feature acquisition function
  • n is the total number of groups of traffic data samples.
  • the reshape model is:
  • h is the shape reshaping sample
  • xi represents the output frequent flow feature vector
  • w is the shape reshaping vector
  • a 1 is the parameter value of the generated feature vector
  • M is the two-dimensional matrix data feature.
  • the formula for feature extraction by the convolution kernel is:
  • k is the number of convolution kernels
  • h is the shape remodeling sample
  • x i represents the output frequent flow feature vector
  • O i is the extracted three-dimensional data feature.
  • the classification model is:
  • e is the natural base
  • sig is the sigmoid activation function
  • class is the detection result
  • class is 0 for normal
  • class is 1 for abnormal
  • O i is the extracted three-dimensional data features.
  • the above-mentioned INT-based abnormal traffic detection method adopts the telemetry server to parse the data packet. After the switch obtains the telemetry data packet, it can directly forward it to the telemetry server for unified extraction and analysis, which reduces the processing burden of the switch to a certain extent. It is helpful for more effective traffic detection.
  • an abnormal traffic detection algorithm is embedded in the telemetry server to make up for the defect that the traditional in-band telemetry method can only collect and upload but not detect.
  • the self-adaptive abnormal traffic identification algorithm used by using the label encoder to encode the traffic data, forms the preprocessing method of the preliminary traffic feature data, and extracts the features into the data features of the two-dimensional matrix through the feature extraction model, After reshaping the model for feature extraction, the deep features of network traffic can be identified, thereby increasing the precision and accuracy of the abnormal traffic detection process.
  • steps in the flow chart of FIG. 1 are displayed sequentially as indicated by the arrows, these steps are not necessarily executed sequentially in the order indicated by the arrows. Unless otherwise specified herein, there is no strict order restriction on the execution of these steps, and these steps can be executed in other orders. Moreover, at least some of the steps in Fig. 1 may include multiple sub-steps or multiple stages, these sub-steps or stages are not necessarily executed at the same time, but may be executed at different times, the execution of these sub-steps or stages The order is not necessarily performed sequentially, but may be performed alternately or alternately with at least a part of other steps or sub-steps or stages of other steps.
  • an INT-based abnormal traffic detection device including: a data transmission module of a sender, a first encapsulation module of a switch, a second encapsulation module of a switch, a third encapsulation module of a switch, and a telemetry server The extraction module for and the detection module for the telemetry server.
  • the data transmission module of the sender is used for the sender to encapsulate the interaction data and telemetry instructions into data packets according to the interaction request and transmit them to the receiver through the switch on the transmission link.
  • the first encapsulation module of the switch is used for the first hop switch on the transmission link to encapsulate the telemetry data packet header and the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and send the packet to Next hop switch.
  • the second encapsulation module of the switch is used for the next-hop switch to encapsulate the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continue to pass it to the next-hop switch for the collected data. Traffic related data is encapsulated until it reaches the last hop switch.
  • the third encapsulation module of the switch is used for the last hop switch to collect traffic-related data according to the telemetry instructions carried in the received data packets, split the traffic-related data in the data packets, and use all traffic-related data as telemetry Data, sent to the telemetry server, which sends the interaction data to the receiver.
  • the extraction module of the telemetry server is used for the telemetry server to extract traffic data from the received telemetry data.
  • the detection module of the telemetry server is used for the telemetry server to detect abnormal traffic by using an adaptive traffic detection algorithm according to the traffic data, and output the detection result.
  • the INT-based abnormal traffic detection device also includes: a feedback module of the telemetry server, used for the telemetry server to generate a telemetry report to feed back to the sender according to the detection result, and when the detection result is abnormal, stop sending to the sender
  • the data packet sending instruction makes the sending sender stop sending data packets, and traces the source of abnormal traffic according to the traffic data.
  • the detection module of the telemetry server is further used for: the telemetry server uses a tag encoder to encode the traffic data to form preliminary traffic features; the telemetry server inputs the preliminary traffic features into the feature extraction model to extract frequently occurring features, Obtain frequent traffic feature vectors; the telemetry server frequent traffic feature vectors are input into the reshaping model for reshaping to form two-dimensional matrix data features; the telemetry server uses k convolution kernels of the same shape as the two-dimensional matrix data features to compare the two-dimensional matrix data features Perform feature extraction to obtain three-dimensional data features; the telemetry server inputs the three-dimensional data features into the classification model for classification and obtains detection results.
  • the INT-based abnormal traffic detection device further includes: a visualization module of the telemetry server, configured to generate a visualization interface based on three-dimensional data features and display it on a display.
  • the detection module of the telemetry server is also used for: the telemetry server takes n groups of traffic data samples from the traffic data, performs normalized encoding processing on the n groups of traffic data samples according to the normalization formula, and obtains preliminary traffic characteristics ;
  • the normalization formula is:
  • s ij identifies each data in the i-th group of flow data samples
  • j represents the data at the j-th time point in the i-th group of flow data samples
  • s i_min is the minimum value in the i-th group of flow data samples
  • s i_max is the maximum value in the i-th group of flow data samples
  • c ij represents the normalized data of the j-th time point data of the i-th group
  • s i represents the preliminary flow characteristics.
  • the feature extraction model is:
  • x i represents the output frequent traffic feature vector
  • w is the shape reshaping vector
  • a 1 is the parameter value of the generated feature vector
  • f is the feature acquisition function
  • n is the total number of groups of traffic data samples.
  • the reshape model is:
  • h is the shape reshaping sample
  • xi represents the output frequent flow feature vector
  • w is the shape reshaping vector
  • a 1 is the parameter value of the generated feature vector
  • M is the two-dimensional matrix data feature.
  • the formula for feature extraction by the convolution kernel is:
  • k is the number of convolution kernels
  • h is the shape remodeling sample
  • x i represents the output frequent flow feature vector
  • O i is the extracted three-dimensional data feature.
  • the classification model is:
  • e is the natural base
  • sig is the sigmoid activation function
  • class is the detection result
  • class is 0 for normal
  • class is 1 for abnormal
  • O i is the extracted three-dimensional data features.
  • Each module in the above-mentioned INT-based abnormal flow detection device can be fully or partially realized by software, hardware and combinations thereof.
  • the above-mentioned modules can be embedded in or independent of the processor in the computer device in the form of hardware, and can also be stored in the memory of the computer device in the form of software, so that the processor can invoke and execute the corresponding operations of the above-mentioned modules.
  • a computer device which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above-mentioned INT-based abnormal traffic detection method when executing the computer program.
  • a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the above-mentioned INT-based abnormal traffic detection method are implemented.
  • Nonvolatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory can include random access memory (RAM) or external cache memory.
  • RAM random access memory
  • RAM is available in many forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Chain Synchlink DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computing Systems (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to an INT-based anomalous-traffic detection method and apparatus. The method comprises: a sender encapsulating interaction data and a telemetry instruction into a data packet according to an interaction request, and transmitting the data packet to a receiver by means of a switch on a transmission link; according to the telemetry instruction carried in the data packet, the switch on the transmission link encapsulating a telemetry data packet header and collected traffic-related data into the data packet and sending same out, until same reaches the last-hop switch; according to the telemetry instruction carried in the data packet, the last-hop switch collecting the traffic-related data, splitting the traffic-related data from the data packet, taking all of the traffic-related data as telemetry data and sending same to a telemetry server, and sending the interaction data to the receiver; and the telemetry server extracting traffic data from the received telemetry data, performing anomalous-traffic detection by using an adaptive traffic detection algorithm, and outputting a detection result. By means of the method, the accuracy and efficiency of an anomalous-traffic detection process are improved.

Description

基于INT的异常流量检测方法和装置INT-Based Abnormal Flow Detection Method and Device 技术领域technical field
本申请涉及计算机网络技术领域,特别是涉及一种基于INT的异常流量检测方法和装置。The present application relates to the technical field of computer networks, in particular to an INT-based abnormal traffic detection method and device.
背景技术Background technique
随着信息时代的到来,网络普及和使用量激增,网络流量也呈指数式增长,网络流量的大小一定程度上反映了网络的安全性,异常流量的出现意味着网络上出现了某些未经授权的信息,因此通过异常流量检测减小网络流量负载,缓解网络拥塞,维护网络安全是当前面临的迫切问题。异常流量检测是一种通过对系统网络信息收集和分析,从而发现异常的技术。它主要是通过对计算机系统和网络进行实时监控,发现和识别网络流量中的异常流量,给出异常流量警报,方便网络管理员及时采取相应措施保护网络安全。With the advent of the information age, the popularity and usage of the Internet have increased sharply, and the network traffic has also grown exponentially. The size of the network traffic reflects the security of the network to a certain extent. The appearance of abnormal traffic means that some unauthorized Therefore, reducing network traffic load through abnormal traffic detection, alleviating network congestion, and maintaining network security are urgent issues currently facing. Abnormal traffic detection is a technology that detects abnormalities by collecting and analyzing system network information. It mainly monitors the computer system and network in real time, discovers and identifies abnormal traffic in network traffic, and gives abnormal traffic alarms, so that network administrators can take corresponding measures in time to protect network security.
带内遥测(INT)是一种新的网络监测方法。INT直接在数据平面上执行异常流量监测过程,以线路速率将实时网络状态附加到每个数据包,通过在数据平面上收集信息,提供对网络性能和负载的监控,但目前带内遥测技术在异常流量检测方面存在以下缺陷:In-band telemetry (INT) is a new approach to network monitoring. INT directly executes the abnormal traffic monitoring process on the data plane, attaches real-time network status to each data packet at the line rate, and provides monitoring of network performance and load by collecting information on the data plane, but the current in-band telemetry technology is Abnormal traffic detection has the following defects:
(1)检测速度慢。由于带内遥测将遥测数据和指令封装到正常数据包中,遥测到的流量数据的封装,提取等都靠具有遥测功能的交换机实现,交换机处理负担较重,导致检测速度慢。(1) The detection speed is slow. Because in-band telemetry encapsulates telemetry data and instructions into normal data packets, the encapsulation and extraction of traffic data detected by telemetry are all implemented by switches with telemetry functions, and the processing burden of switches is heavy, resulting in slow detection speed.
(2)功能完整性不够。目前带内遥测技术目前只能实现遥测数据的采集和上传,交换机只能提取流量数据,不能进行异常流量检测和溯源工作。(2) The functional integrity is not enough. At present, the in-band telemetry technology can only realize the collection and upload of telemetry data, and the switch can only extract traffic data, and cannot detect and trace abnormal traffic.
(3)准确性低。目前在带内遥测上层嵌入的一些异常流量检测算法可识别的异常流量种类较少,不能识别流量的深层特征,从而影响异常流量检 测的准确性。(3) The accuracy is low. At present, some abnormal traffic detection algorithms embedded in the upper layer of in-band telemetry can identify fewer types of abnormal traffic and cannot identify the deep characteristics of traffic, thus affecting the accuracy of abnormal traffic detection.
上述缺陷导致基于带内遥测的异常流量检测不够准确高效,进一步影响对网络攻击的判断和处理,影响网络安全。The above defects lead to inaccurate and efficient detection of abnormal traffic based on in-band telemetry, which further affects the judgment and processing of network attacks and affects network security.
发明内容Contents of the invention
基于此,有必要针对上述技术问题,提供一种能够提高常流量检测效率和准确性的基于INT的异常流量检测方法和装置。Based on this, it is necessary to address the above technical problems and provide an INT-based abnormal flow detection method and device that can improve the efficiency and accuracy of constant flow detection.
一种基于INT的异常流量检测方法,所述方法包括:An INT-based abnormal flow detection method, the method comprising:
发送方根据交互请求,将交互数据和遥测指令封装到数据包中通过传输链路上的交换机向接收方传输;According to the interaction request, the sender encapsulates the interaction data and telemetry instructions into data packets and transmits them to the receiver through the switch on the transmission link;
传输链路上的第一跳交换机根据接收到的数据包中携带的遥测指令,将遥测数据包头和采集到的流量相关数据封装到所述数据包中,并发送至下一跳交换机;The first hop switch on the transmission link encapsulates the telemetry data packet header and the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and sends it to the next hop switch;
下一跳交换机根据接收到的数据包中携带的遥测指令,将采集到的流量相关数据封装到所述数据包中后,继续传递给下一跳交换机进行采集到的流量相关数据封装,直至到达最后一跳交换机;The next-hop switch encapsulates the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continues to pass it to the next-hop switch to encapsulate the collected traffic-related data until it reaches last hop switch;
最后一跳交换机根据接收到的数据包中携带的遥测指令,采集流量相关数据,并将所述数据包中的流量相关数据拆分出来,将所有流量相关数据作为遥测数据,发送至遥测服务器,将交互数据发送至接收方;The last hop switch collects flow-related data according to the telemetry instruction carried in the received data packet, splits the flow-related data in the data packet, and sends all flow-related data as telemetry data to the telemetry server, Send the interaction data to the receiver;
遥测服务器从接收到的遥测数据中,提取出流量数据;The telemetry server extracts traffic data from the received telemetry data;
遥测服务器根据所述流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果。The telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and outputs a detection result.
在其中一个实施例中,所述方法还包括:In one embodiment, the method also includes:
所述遥测服务器根据检测结果生成遥测报告反馈至发送方,当所述检测结果为异常时,向发送方发送停止数据包发送指令,使发送发停止数据包的发送,并根据所述流量数据进行异常流量的溯源。The telemetry server generates a telemetry report according to the detection result and feeds it back to the sender, and when the detection result is abnormal, sends a stop data packet sending instruction to the sender, so that the sender stops sending the data packet, and proceeds according to the flow data Tracing the source of abnormal traffic.
在其中一个实施例中,所述遥测服务器根据所述流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果的步骤,包括:In one of the embodiments, the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and the step of outputting the detection result includes:
所述遥测服务器采用标签编码器对所述流量数据进行编码,形成初步流量特征;The telemetry server uses a tag encoder to encode the traffic data to form preliminary traffic characteristics;
所述遥测服务器将所述初步流量特征输入特征提取模型中提取出频繁出现的特征,获得频繁流量特征向量;The telemetry server extracts frequently occurring features by inputting the preliminary traffic features into a feature extraction model to obtain frequent traffic feature vectors;
所述遥测服务器所述频繁流量特征向量输入重塑模型中进行重塑,形成二维矩阵数据特征;The frequent flow feature vector of the telemetry server is input into a reshaping model for reshaping to form a two-dimensional matrix data feature;
所述遥测服务器使用与所述二维矩阵数据特征相同形状的k个卷积核对所述二维矩阵数据特征进行特征提取,获得三维数据特征;The telemetry server uses k convolution kernels of the same shape as the two-dimensional matrix data features to perform feature extraction on the two-dimensional matrix data features to obtain three-dimensional data features;
所述遥测服务器将所述三维数据特征输入到分类模型中进行分类,获得检测结果。The telemetry server inputs the three-dimensional data features into a classification model for classification, and obtains a detection result.
在其中一个实施例中,所述方法还包括:根据三维数据特征生成可视化界面在显示器上显示。In one of the embodiments, the method further includes: generating a visual interface according to the characteristics of the three-dimensional data and displaying it on the display.
在其中一个实施例中,所述遥测服务器采用标签编码器对所述流量数据进行编码,形成初步流量特征的步骤,包括:In one of the embodiments, the step of encoding the traffic data by the telemetry server using a tag encoder to form preliminary traffic characteristics includes:
所述遥测服务器从流量数据中取n组流量数据样本,根据归一化公式对n组流量数据样本进行归一化编码处理,获得初步流量特征;The telemetry server takes n groups of flow data samples from the flow data, and performs normalized encoding processing on the n groups of flow data samples according to a normalization formula to obtain preliminary flow characteristics;
所述归一化公式为:The normalization formula is:
s i={c ij|i∈1,2,3......n},
Figure PCTCN2022107422-appb-000001
s i ={c ij |i∈1,2,3...n},
Figure PCTCN2022107422-appb-000001
其中,s ij标识第i组流量数据样本中的每个数据,j表示第i组流量数据样本中的第j个时间点的数据,s i_min为第i组流量数据样本中的最小值,s i_max为第i组流量数据样本中的最大值,c ij表示第i组的第j个时间点的数据的归一化后数据,s i表示初步流量特征。 Among them, s ij identifies each data in the i-th group of flow data samples, j represents the data at the jth time point in the i-th group of flow data samples, s i_min is the minimum value in the i-th group of flow data samples, s i_max is the maximum value in the i-th group of flow data samples, c ij represents the normalized data of the j-th time point data of the i-th group, and s i represents the preliminary flow characteristics.
在其中一个实施例中,所述特征提取模型为:In one of the embodiments, the feature extraction model is:
Figure PCTCN2022107422-appb-000002
Figure PCTCN2022107422-appb-000002
其中,x i代表输出的频繁流量特征向量,w为形状重塑向量,a 1为生成特征向量的参数值,f为特征获取函数,n为流量数据样本的总组数。 Among them, x i represents the output frequent traffic feature vector, w is the shape reshaping vector, a 1 is the parameter value of the generated feature vector, f is the feature acquisition function, and n is the total number of groups of traffic data samples.
在其中一个实施例中,所述重塑模型为:In one of the embodiments, the remodeling model is:
Figure PCTCN2022107422-appb-000003
Figure PCTCN2022107422-appb-000003
M=(h,x i) M=(h,x i )
其中,h为形状重塑样本,x i代表输出的频繁流量特征向量,w为形状重塑向量,a 1为生成特征向量的参数值,M为二维矩阵数据特征。 Among them, h is the shape reshaping sample, xi represents the output frequent flow feature vector, w is the shape reshaping vector, a 1 is the parameter value of the generated feature vector, and M is the two-dimensional matrix data feature.
在其中一个实施例中,所述卷积核进行特征提取的公式为:In one of the embodiments, the formula for feature extraction of the convolution kernel is:
O i=((h-k+1)/2*k,(h-k+1)/x i,(h-k+1)/1) O i =((h-k+1)/2*k, (h-k+1)/ xi , (h-k+1)/1)
其中,k为卷积核的个数,h为形状重塑样本,x i代表输出的频繁流量特征向量,O i为提取出的三维数据特征。 Among them, k is the number of convolution kernels, h is the shape remodeling sample, x i represents the output frequent flow feature vector, and O i is the extracted three-dimensional data feature.
在其中一个实施例中,所述分类模型为:In one of the embodiments, the classification model is:
Figure PCTCN2022107422-appb-000004
Figure PCTCN2022107422-appb-000004
其中,e为自然底数,sig为sigmoid激活功能函数,class为检测结果,class为0代表正常,class为1代表异常,O i为提取出的三维数据特征。 Among them, e is the natural base, sig is the sigmoid activation function, class is the detection result, class is 0 for normal, class is 1 for abnormal, O i is the extracted three-dimensional data features.
一种基于INT的异常流量检测装置,所述装置包括:An INT-based abnormal flow detection device, said device comprising:
发送方的数据传输模块,用于发送方根据交互请求,将交互数据和遥测指令封装到数据包中通过传输链路上的交换机向接收方传输;The sender's data transmission module is used for the sender to encapsulate the interaction data and telemetry instructions into data packets according to the interaction request and transmit them to the receiver through the switch on the transmission link;
交换机的第一封装模块,用于传输链路上的第一跳交换机根据接收到的数据包中携带的遥测指令,将遥测数据包头和采集到的流量相关数据封装到所述数据包中,并发送至下一跳交换机;The first encapsulation module of the switch is used for the first hop switch on the transmission link to encapsulate the telemetry data packet header and the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and Send to the next hop switch;
交换机的第二封装模块,用于下一跳交换机根据接收到的数据包中携 带的遥测指令,将采集到的流量相关数据封装到所述数据包中后,继续传递给下一跳交换机进行采集到的流量相关数据封装,直至到达最后一跳交换机;The second encapsulation module of the switch is used for the next-hop switch to encapsulate the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continue to pass it to the next-hop switch for collection Encapsulate the incoming traffic-related data until it reaches the last hop switch;
交换机的第三封装模块,用于最后一跳交换机根据接收到的数据包中携带的遥测指令,采集流量相关数据,并将所述数据包中的流量相关数据拆分出来,将所有流量相关数据作为遥测数据,发送至遥测服务器,将交互数据发送至接收方;The third encapsulation module of the switch is used for the last hop switch to collect flow-related data according to the telemetry instruction carried in the received data packet, split the flow-related data in the data packet, and collect all flow-related data As telemetry data, it is sent to the telemetry server, and the interaction data is sent to the receiver;
遥测服务器的提取模块,用于遥测服务器从接收到的遥测数据中,提取出流量数据;The extraction module of the telemetry server is used for the telemetry server to extract traffic data from the received telemetry data;
遥测服务器的检测模块,用于遥测服务器根据所述流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果。The detection module of the telemetry server is used for the telemetry server to detect abnormal traffic by using an adaptive traffic detection algorithm according to the traffic data, and output a detection result.
上述基于INT的异常流量检测方法和装置,通过发送方根据交互请求,将交互数据和遥测指令封装到数据包中通过传输链路上的交换机向接收方传输;传输链路上的第一跳交换机根据接收到的数据包中携带的遥测指令,将遥测数据包头和采集到的流量相关数据封装到所述数据包中,并发送至下一跳交换机;下一跳交换机根据接收到的数据包中携带的遥测指令,将采集到的流量相关数据封装到所述数据包中后,继续传递给下一跳交换机进行采集到的流量相关数据封装,直至到达最后一跳交换机;最后一跳交换机根据接收到的数据包中携带的遥测指令,采集流量相关数据,并将所述数据包中的流量相关数据拆分出来,将所有流量相关数据作为遥测数据,发送至遥测服务器,将交互数据发送至接收方;遥测服务器从接收到的遥测数据中,提取出流量数据;遥测服务器根据所述流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果,可以识别网络流量的深层特征,从而增加异常流量检测过程的精度和准确度,进一步的减轻了交换机的处理负担,有助于更有效的进行流量检测,提高了检测效率。In the above-mentioned INT-based abnormal flow detection method and device, the sender encapsulates the interaction data and telemetry instructions into data packets according to the interaction request and transmits them to the receiver through the switch on the transmission link; the first hop switch on the transmission link According to the telemetry instruction carried in the received data packet, encapsulate the telemetry data packet header and the collected traffic-related data into the data packet, and send it to the next-hop switch; the next-hop switch according to the received data packet The carried telemetry command encapsulates the collected traffic-related data into the data packet, and then continues to pass it to the next-hop switch to encapsulate the collected traffic-related data until it reaches the last-hop switch; the last-hop switch receives The telemetry command carried in the received data packet collects traffic-related data, splits the traffic-related data in the data packet, sends all traffic-related data as telemetry data to the telemetry server, and sends the interactive data to the receiver The telemetry server extracts traffic data from the received telemetry data; the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and outputs the detection results, which can identify the deep features of network traffic, thereby The precision and accuracy of the abnormal flow detection process are increased, the processing load of the switch is further reduced, the flow detection is more effective, and the detection efficiency is improved.
附图说明Description of drawings
图1为一个实施例中基于INT的异常流量检测方法的流程示意图。Fig. 1 is a schematic flowchart of an INT-based abnormal traffic detection method in an embodiment.
具体实施方式Detailed ways
为了使本申请的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本申请进行进一步详细说明。应当理解,此处描述的具体实施例仅仅用以解释本申请,并不用于限定本申请。In order to make the purpose, technical solution and advantages of the present application clearer, the present application will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present application, and are not intended to limit the present application.
在一个实施例中,如图1所示,提供了一种基于INT的异常流量检测方法,包括以下步骤:In one embodiment, as shown in FIG. 1 , an INT-based abnormal traffic detection method is provided, including the following steps:
步骤S220,发送方根据交互请求,将交互数据和遥测指令封装到数据包中通过传输链路上的交换机向接收方传输。Step S220, according to the interaction request, the sender encapsulates the interaction data and the telemetry instruction into a data packet and transmits it to the receiver through the switch on the transmission link.
其中,交互请求可以是发送方与接收方进行交互发出的请求,如互联网访问请求、数据传输请求等等,发送方可以是终端或服务器,接收方可以是终端或服务器。Wherein, the interaction request may be a request sent by the sender and the receiver through interaction, such as an Internet access request, a data transmission request, etc., the sender may be a terminal or a server, and the receiver may be a terminal or a server.
步骤S240,传输链路上的第一跳交换机根据接收到的数据包中携带的遥测指令,将遥测数据包头和采集到的流量相关数据封装到数据包中,并发送至下一跳交换机。Step S240, the first-hop switch on the transmission link encapsulates the telemetry data packet header and the collected flow-related data into a data packet according to the telemetry instruction carried in the received data packet, and sends it to the next-hop switch.
其中,第一跳交换机在封装数据包时,将遥测数据包头添加到收到的数据包中,并将自身采集的流量相关数据添加到遥测数据包头字段后面。流量相关数据包括网络状态、网络性能、事件类型和流量成分等等。Wherein, when encapsulating the data packet, the first-hop switch adds the telemetry data packet header to the received data packet, and adds the flow-related data collected by itself behind the field of the telemetry data packet header. Traffic-related data includes network status, network performance, event types, and traffic composition, among others.
步骤S260,下一跳交换机根据接收到的数据包中携带的遥测指令,将采集到的流量相关数据封装到数据包中后,继续传递给下一跳交换机进行采集到的流量相关数据封装,直至到达最后一跳交换机。Step S260, the next-hop switch encapsulates the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continues to pass the collected traffic-related data to the next-hop switch for encapsulation, until Reach the last hop switch.
步骤S280,最后一跳交换机根据接收到的数据包中携带的遥测指令,采集流量相关数据,并将数据包中的流量相关数据拆分出来,将所有流量相 关数据作为遥测数据,发送至遥测服务器,将交互数据发送至接收方。Step S280, the last hop switch collects traffic-related data according to the telemetry instruction carried in the received data packet, splits the traffic-related data in the data packet, and sends all traffic-related data as telemetry data to the telemetry server , to send the interaction data to the receiver.
其中,遥测数据封装为遥测数据包发送至遥测服务器,遥测数据包中不包括交互数据。交互数据封装为交互数据包发送至接收方,交互数据包中不包括遥测数据。Wherein, the telemetry data is encapsulated into a telemetry data packet and sent to the telemetry server, and the telemetry data packet does not include interaction data. The interaction data is encapsulated into an interaction data packet and sent to the receiver, and the interaction data packet does not include telemetry data.
步骤S300,遥测服务器从接收到的遥测数据中,提取出流量数据。In step S300, the telemetry server extracts flow data from the received telemetry data.
其中,流量数据包括网络状态、网络性能、事件类型和流量成分等。Among them, traffic data includes network status, network performance, event type and traffic composition, etc.
步骤S320,遥测服务器根据流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果。In step S320, the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and outputs a detection result.
上述基于INT的异常流量检测方法,通过发送方根据交互请求,将交互数据和遥测指令封装到数据包中通过传输链路上的交换机向接收方传输;传输链路上的第一跳交换机根据接收到的数据包中携带的遥测指令,将遥测数据包头和采集到的流量相关数据封装到数据包中,并发送至下一跳交换机;下一跳交换机根据接收到的数据包中携带的遥测指令,将采集到的流量相关数据封装到数据包中后,继续传递给下一跳交换机进行采集到的流量相关数据封装,直至到达最后一跳交换机;最后一跳交换机根据接收到的数据包中携带的遥测指令,采集流量相关数据,并将数据包中的流量相关数据拆分出来,将所有流量相关数据作为遥测数据,发送至遥测服务器,将交互数据发送至接收方;遥测服务器从接收到的遥测数据中,提取出流量数据;遥测服务器根据流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果,可以识别网络流量的深层特征,从而增加异常流量检测过程的精度和准确度,进一步的减轻了交换机的处理负担,有助于更有效的进行流量检测,提高了检测效率。The above-mentioned INT-based abnormal traffic detection method, through the sender according to the interaction request, encapsulates the interaction data and telemetry instructions into the data packet and transmits it to the receiver through the switch on the transmission link; the first hop switch on the transmission link according to the received The telemetry command carried in the received data packet, encapsulates the telemetry data packet header and the collected traffic-related data into the data packet, and sends it to the next-hop switch; the next-hop switch according to the telemetry command carried in the received data packet , after encapsulating the collected traffic-related data into data packets, continue to pass it to the next-hop switch to encapsulate the collected traffic-related data until it reaches the last-hop switch; the last-hop switch carries The telemetry command collects traffic-related data, splits the traffic-related data in the data packet, sends all traffic-related data as telemetry data to the telemetry server, and sends the interactive data to the receiver; From the telemetry data, the traffic data is extracted; the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic based on the traffic data, and outputs the detection results, which can identify the deep characteristics of network traffic, thereby increasing the precision and accuracy of the abnormal traffic detection process , which further reduces the processing load of the switch, helps to perform traffic detection more effectively, and improves detection efficiency.
在一个实施例中,该基于INT的异常流量检测方法还包括:遥测服务器根据检测结果生成遥测报告反馈至发送方,当检测结果为异常时,向发送方发送停止数据包发送指令,使发送发停止数据包的发送,并根据流量数据进行异常流量的溯源。In one embodiment, the method for detecting abnormal traffic based on INT further includes: the telemetry server generates a telemetry report to feed back to the sender according to the detection result; Stop sending data packets, and trace the source of abnormal traffic based on traffic data.
其中,进行异常流量的溯源时,依据遥测报告的内容对异常流量的网络拓扑信息进行编辑,通过触发机制重现INT数据包的传输过程,标记异常交换机,确定异常流量的来源并进行相应的网络故障预警。Among them, when tracing the source of abnormal traffic, edit the network topology information of the abnormal traffic according to the content of the telemetry report, reproduce the transmission process of the INT data packet through the trigger mechanism, mark the abnormal switch, determine the source of the abnormal traffic, and perform corresponding network monitoring. Failure warning.
在一个实施例中,遥测服务器根据流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果的步骤,包括:遥测服务器采用标签编码器对流量数据进行编码,形成初步流量特征;遥测服务器将初步流量特征输入特征提取模型中提取出频繁出现的特征,获得频繁流量特征向量;遥测服务器频繁流量特征向量输入重塑模型中进行重塑,形成二维矩阵数据特征;遥测服务器使用与二维矩阵数据特征相同形状的k个卷积核对二维矩阵数据特征进行特征提取,获得三维数据特征;遥测服务器将三维数据特征输入到分类模型中进行分类,获得检测结果。In one embodiment, the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and the step of outputting the detection result includes: the telemetry server uses a label encoder to encode the traffic data to form preliminary traffic characteristics; telemetry The server inputs the preliminary traffic features into the feature extraction model to extract frequently occurring features and obtains the frequent traffic feature vectors; the telemetry server inputs the frequent traffic feature vectors into the reshaping model for reshaping to form two-dimensional matrix data features; the telemetry server uses the same The k convolution kernels with the same shape of the two-dimensional matrix data feature extract the two-dimensional matrix data feature to obtain the three-dimensional data feature; the telemetry server inputs the three-dimensional data feature into the classification model for classification, and obtains the detection result.
其中,通过特征提取模型进行特征提取为二维矩阵的数据特征,再经过重塑模型进行特征提取,可以更好地提取流量数据的局部特征,更全面地提取出流量特征,Among them, the feature extraction model is used to extract the data features of the two-dimensional matrix, and then the feature extraction is performed through the reshaping model, which can better extract the local features of the traffic data and more comprehensively extract the traffic features.
在一个实施例中,该基于INT的异常流量检测方法还包括:根据三维数据特征生成可视化界面在显示器上显示。In one embodiment, the INT-based abnormal flow detection method further includes: generating a visual interface according to the characteristics of the three-dimensional data and displaying it on the display.
其中,可视化界面可以实现对异常流量的实时监控。Among them, the visual interface can realize real-time monitoring of abnormal traffic.
在一个实施例中,遥测服务器采用标签编码器对流量数据进行编码,形成初步流量特征的步骤,包括:In one embodiment, the telemetry server uses a tag encoder to encode the traffic data to form preliminary traffic characteristics, including:
遥测服务器从流量数据中取n组流量数据样本,根据归一化公式对n组流量数据样本进行归一化编码处理,获得初步流量特征;The telemetry server takes n sets of flow data samples from the flow data, and performs normalized coding processing on the n sets of flow data samples according to the normalization formula to obtain preliminary flow characteristics;
归一化公式为:The normalization formula is:
s i={c ij|i∈1,2,3......n},
Figure PCTCN2022107422-appb-000005
s i ={c ij |i∈1,2,3...n},
Figure PCTCN2022107422-appb-000005
其中,s ij标识第i组流量数据样本中的每个数据,j表示第i组流量数据样本中的第j个时间点的数据,s i_min为第i组流量数据样本中的最小值,s i_max为第i组流量数据样本中的最大值,c ij表示第i组的第j个时间点的数 据的归一化后数据,s i表示初步流量特征。 Among them, s ij identifies each data in the i-th group of flow data samples, j represents the data at the jth time point in the i-th group of flow data samples, s i_min is the minimum value in the i-th group of flow data samples, s i_max is the maximum value in the flow data samples of the i-th group, c ij represents the normalized data of the data at the j-th time point of the i-th group, and s i represents the preliminary flow characteristics.
其中,为了使初步流量特征保持在一定精度,将使用数字归一化的方式得到映射在一定范围内的初步流量特征。Among them, in order to keep the preliminary flow characteristics at a certain accuracy, the method of digital normalization will be used to obtain the preliminary flow characteristics mapped within a certain range.
在一个实施例中,特征提取模型为:In one embodiment, the feature extraction model is:
Figure PCTCN2022107422-appb-000006
Figure PCTCN2022107422-appb-000006
其中,x i代表输出的频繁流量特征向量,w为形状重塑向量,a 1为生成特征向量的参数值,f为特征获取函数,n为流量数据样本的总组数。 Among them, x i represents the output frequent traffic feature vector, w is the shape reshaping vector, a 1 is the parameter value of the generated feature vector, f is the feature acquisition function, and n is the total number of groups of traffic data samples.
在一个实施例中,重塑模型为:In one embodiment, the reshape model is:
Figure PCTCN2022107422-appb-000007
Figure PCTCN2022107422-appb-000007
M=(h,x i) M=(h,x i )
其中,h为形状重塑样本,x i代表输出的频繁流量特征向量,w为形状重塑向量,a 1为生成特征向量的参数值,M为二维矩阵数据特征。 Among them, h is the shape reshaping sample, xi represents the output frequent flow feature vector, w is the shape reshaping vector, a 1 is the parameter value of the generated feature vector, and M is the two-dimensional matrix data feature.
在一个实施例中,卷积核进行特征提取的公式为:In one embodiment, the formula for feature extraction by the convolution kernel is:
O i=((h-k+1)/2*k,(h-k+1)/x i,(h-k+1)/1) O i =((h-k+1)/2*k, (h-k+1)/ xi , (h-k+1)/1)
其中,k为卷积核的个数,h为形状重塑样本,x i代表输出的频繁流量特征向量,O i为提取出的三维数据特征。 Among them, k is the number of convolution kernels, h is the shape remodeling sample, x i represents the output frequent flow feature vector, and O i is the extracted three-dimensional data feature.
在一个实施例中,分类模型为:In one embodiment, the classification model is:
Figure PCTCN2022107422-appb-000008
Figure PCTCN2022107422-appb-000008
其中,e为自然底数,sig为sigmoid激活功能函数,class为检测结果,class为0代表正常,class为1代表异常,O i为提取出的三维数据特征。 Among them, e is the natural base, sig is the sigmoid activation function, class is the detection result, class is 0 for normal, class is 1 for abnormal, O i is the extracted three-dimensional data features.
上述基于INT的异常流量检测方法,采用了遥测服务器解析数据包的方式,交换机获取到遥测数据包后可以直接转发至遥测服务器进行统一的提取和解析,这一定程度上减轻了交换机的处理负担,有助于更有效的进行流量检测。The above-mentioned INT-based abnormal traffic detection method adopts the telemetry server to parse the data packet. After the switch obtains the telemetry data packet, it can directly forward it to the telemetry server for unified extraction and analysis, which reduces the processing burden of the switch to a certain extent. It is helpful for more effective traffic detection.
进一步地,在遥测服务器中嵌入异常流量检测算法,以此弥补传统带 内遥测方式只能采集上传不能检测的缺陷。Furthermore, an abnormal traffic detection algorithm is embedded in the telemetry server to make up for the defect that the traditional in-band telemetry method can only collect and upload but not detect.
进一步地,使用的自适应的异常流量识别算法,通过采用标签编码器对流量数据进行编码,形成初步流量特征数据的预处理方式,以及过特征提取模型进行特征提取为二维矩阵的数据特征,再经过重塑模型进行特征提取的方式,可以识别网络流量的深层特征,从而增加异常流量检测过程的精度和准确度。Furthermore, the self-adaptive abnormal traffic identification algorithm used, by using the label encoder to encode the traffic data, forms the preprocessing method of the preliminary traffic feature data, and extracts the features into the data features of the two-dimensional matrix through the feature extraction model, After reshaping the model for feature extraction, the deep features of network traffic can be identified, thereby increasing the precision and accuracy of the abnormal traffic detection process.
应该理解的是,虽然图1的流程图中的各个步骤按照箭头的指示依次显示,但是这些步骤并不是必然按照箭头指示的顺序依次执行。除非本文中有明确的说明,这些步骤的执行并没有严格的顺序限制,这些步骤可以以其它的顺序执行。而且,图1中的至少一部分步骤可以包括多个子步骤或者多个阶段,这些子步骤或者阶段并不必然是在同一时刻执行完成,而是可以在不同的时刻执行,这些子步骤或者阶段的执行顺序也不必然是依次进行,而是可以与其它步骤或者其它步骤的子步骤或者阶段的至少一部分轮流或者交替地执行。It should be understood that although the various steps in the flow chart of FIG. 1 are displayed sequentially as indicated by the arrows, these steps are not necessarily executed sequentially in the order indicated by the arrows. Unless otherwise specified herein, there is no strict order restriction on the execution of these steps, and these steps can be executed in other orders. Moreover, at least some of the steps in Fig. 1 may include multiple sub-steps or multiple stages, these sub-steps or stages are not necessarily executed at the same time, but may be executed at different times, the execution of these sub-steps or stages The order is not necessarily performed sequentially, but may be performed alternately or alternately with at least a part of other steps or sub-steps or stages of other steps.
在一个实施例中,提供了一种基于INT的异常流量检测装置,包括:发送方的数据传输模块、交换机的第一封装模块、交换机的第二封装模块、交换机的第三封装模块、遥测服务器的提取模块和遥测服务器的检测模块。In one embodiment, an INT-based abnormal traffic detection device is provided, including: a data transmission module of a sender, a first encapsulation module of a switch, a second encapsulation module of a switch, a third encapsulation module of a switch, and a telemetry server The extraction module for and the detection module for the telemetry server.
发送方的数据传输模块,用于发送方根据交互请求,将交互数据和遥测指令封装到数据包中通过传输链路上的交换机向接收方传输。The data transmission module of the sender is used for the sender to encapsulate the interaction data and telemetry instructions into data packets according to the interaction request and transmit them to the receiver through the switch on the transmission link.
交换机的第一封装模块,用于传输链路上的第一跳交换机根据接收到的数据包中携带的遥测指令,将遥测数据包头和采集到的流量相关数据封装到数据包中,并发送至下一跳交换机。The first encapsulation module of the switch is used for the first hop switch on the transmission link to encapsulate the telemetry data packet header and the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and send the packet to Next hop switch.
交换机的第二封装模块,用于下一跳交换机根据接收到的数据包中携带的遥测指令,将采集到的流量相关数据封装到数据包中后,继续传递给下一跳交换机进行采集到的流量相关数据封装,直至到达最后一跳交换机。The second encapsulation module of the switch is used for the next-hop switch to encapsulate the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continue to pass it to the next-hop switch for the collected data. Traffic related data is encapsulated until it reaches the last hop switch.
交换机的第三封装模块,用于最后一跳交换机根据接收到的数据包中携带的遥测指令,采集流量相关数据,并将数据包中的流量相关数据拆分出来,将所有流量相关数据作为遥测数据,发送至遥测服务器,将交互数据发送至接收方。The third encapsulation module of the switch is used for the last hop switch to collect traffic-related data according to the telemetry instructions carried in the received data packets, split the traffic-related data in the data packets, and use all traffic-related data as telemetry Data, sent to the telemetry server, which sends the interaction data to the receiver.
遥测服务器的提取模块,用于遥测服务器从接收到的遥测数据中,提取出流量数据。The extraction module of the telemetry server is used for the telemetry server to extract traffic data from the received telemetry data.
遥测服务器的检测模块,用于遥测服务器根据流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果。The detection module of the telemetry server is used for the telemetry server to detect abnormal traffic by using an adaptive traffic detection algorithm according to the traffic data, and output the detection result.
在一个实施例中,该基于INT的异常流量检测装置还包括:遥测服务器的反馈模块,用于遥测服务器根据检测结果生成遥测报告反馈至发送方,当检测结果为异常时,向发送方发送停止数据包发送指令,使发送发停止数据包的发送,并根据流量数据进行异常流量的溯源。In one embodiment, the INT-based abnormal traffic detection device also includes: a feedback module of the telemetry server, used for the telemetry server to generate a telemetry report to feed back to the sender according to the detection result, and when the detection result is abnormal, stop sending to the sender The data packet sending instruction makes the sending sender stop sending data packets, and traces the source of abnormal traffic according to the traffic data.
在一个实施例中,遥测服务器的检测模块还用于:遥测服务器采用标签编码器对流量数据进行编码,形成初步流量特征;遥测服务器将初步流量特征输入特征提取模型中提取出频繁出现的特征,获得频繁流量特征向量;遥测服务器频繁流量特征向量输入重塑模型中进行重塑,形成二维矩阵数据特征;遥测服务器使用与二维矩阵数据特征相同形状的k个卷积核对二维矩阵数据特征进行特征提取,获得三维数据特征;遥测服务器将三维数据特征输入到分类模型中进行分类,获得检测结果。In one embodiment, the detection module of the telemetry server is further used for: the telemetry server uses a tag encoder to encode the traffic data to form preliminary traffic features; the telemetry server inputs the preliminary traffic features into the feature extraction model to extract frequently occurring features, Obtain frequent traffic feature vectors; the telemetry server frequent traffic feature vectors are input into the reshaping model for reshaping to form two-dimensional matrix data features; the telemetry server uses k convolution kernels of the same shape as the two-dimensional matrix data features to compare the two-dimensional matrix data features Perform feature extraction to obtain three-dimensional data features; the telemetry server inputs the three-dimensional data features into the classification model for classification and obtains detection results.
在一个实施例中,该基于INT的异常流量检测装置还包括:遥测服务器的可视化模块,用于根据三维数据特征生成可视化界面在显示器上显示。In one embodiment, the INT-based abnormal traffic detection device further includes: a visualization module of the telemetry server, configured to generate a visualization interface based on three-dimensional data features and display it on a display.
在一个实施例中,遥测服务器的检测模块还用于:遥测服务器从流量数据中取n组流量数据样本,根据归一化公式对n组流量数据样本进行归一化编码处理,获得初步流量特征;归一化公式为:In one embodiment, the detection module of the telemetry server is also used for: the telemetry server takes n groups of traffic data samples from the traffic data, performs normalized encoding processing on the n groups of traffic data samples according to the normalization formula, and obtains preliminary traffic characteristics ;The normalization formula is:
s i={c ij|i∈1,2,3......n},
Figure PCTCN2022107422-appb-000009
s i ={c ij |i∈1,2,3...n},
Figure PCTCN2022107422-appb-000009
其中,s ij标识第i组流量数据样本中的每个数据,j表示第i组流量数据样本中的第j个时间点的数据,s i_min为第i组流量数据样本中的最小值,s i_max为第i组流量数据样本中的最大值,c ij表示第i组的第j个时间点的数据的归一化后数据,s i表示初步流量特征。 Among them, s ij identifies each data in the i-th group of flow data samples, j represents the data at the j-th time point in the i-th group of flow data samples, s i_min is the minimum value in the i-th group of flow data samples, s i_max is the maximum value in the i-th group of flow data samples, c ij represents the normalized data of the j-th time point data of the i-th group, and s i represents the preliminary flow characteristics.
在一个实施例中,特征提取模型为:In one embodiment, the feature extraction model is:
Figure PCTCN2022107422-appb-000010
Figure PCTCN2022107422-appb-000010
其中,x i代表输出的频繁流量特征向量,w为形状重塑向量,a 1为生成特征向量的参数值,f为特征获取函数,n为流量数据样本的总组数。 Among them, x i represents the output frequent traffic feature vector, w is the shape reshaping vector, a 1 is the parameter value of the generated feature vector, f is the feature acquisition function, and n is the total number of groups of traffic data samples.
在一个实施例中,重塑模型为:In one embodiment, the reshape model is:
Figure PCTCN2022107422-appb-000011
Figure PCTCN2022107422-appb-000011
M=(h,x i) M=(h,x i )
其中,h为形状重塑样本,x i代表输出的频繁流量特征向量,w为形状重塑向量,a 1为生成特征向量的参数值,M为二维矩阵数据特征。 Among them, h is the shape reshaping sample, xi represents the output frequent flow feature vector, w is the shape reshaping vector, a 1 is the parameter value of the generated feature vector, and M is the two-dimensional matrix data feature.
在一个实施例中,卷积核进行特征提取的公式为:In one embodiment, the formula for feature extraction by the convolution kernel is:
O i=((h-k+1)/2*k,(h-k+1)/x i,(h-k+1)/1) O i =((h-k+1)/2*k, (h-k+1)/ xi , (h-k+1)/1)
其中,k为卷积核的个数,h为形状重塑样本,x i代表输出的频繁流量特征向量,O i为提取出的三维数据特征。 Among them, k is the number of convolution kernels, h is the shape remodeling sample, x i represents the output frequent flow feature vector, and O i is the extracted three-dimensional data feature.
在一个实施例中,分类模型为:In one embodiment, the classification model is:
Figure PCTCN2022107422-appb-000012
Figure PCTCN2022107422-appb-000012
其中,e为自然底数,sig为sigmoid激活功能函数,class为检测结果,class为0代表正常,class为1代表异常,O i为提取出的三维数据特征。 Among them, e is the natural base, sig is the sigmoid activation function, class is the detection result, class is 0 for normal, class is 1 for abnormal, O i is the extracted three-dimensional data features.
关于基于INT的异常流量检测装置的具体限定可以参见上文中对于基于INT的异常流量检测方法的限定,在此不再赘述。上述基于INT的异常 流量检测装置中的各个模块可全部或部分通过软件、硬件及其组合来实现。上述各模块可以硬件形式内嵌于或独立于计算机设备中的处理器中,也可以以软件形式存储于计算机设备中的存储器中,以便于处理器调用执行以上各个模块对应的操作。For the specific limitations of the INT-based abnormal traffic detection device, refer to the above-mentioned definition of the INT-based abnormal traffic detection method, which will not be repeated here. Each module in the above-mentioned INT-based abnormal flow detection device can be fully or partially realized by software, hardware and combinations thereof. The above-mentioned modules can be embedded in or independent of the processor in the computer device in the form of hardware, and can also be stored in the memory of the computer device in the form of software, so that the processor can invoke and execute the corresponding operations of the above-mentioned modules.
在一个实施例中,提供一种计算机设备,包括存储器和处理器,存储器存储有计算机程序,处理器执行计算机程序时实现上述的基于INT的异常流量检测方法的步骤。In one embodiment, a computer device is provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above-mentioned INT-based abnormal traffic detection method when executing the computer program.
在一个实施例中,提供一种计算机可读存储介质,其上存储有计算机程序,计算机程序被处理器执行时实现上述的基于INT的异常流量检测方法的步骤。In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, and when the computer program is executed by a processor, the steps of the above-mentioned INT-based abnormal traffic detection method are implemented.
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,是可以通过计算机程序来指令相关的硬件来完成的,计算机程序可存储于一非易失性计算机可读取存储介质中,该计算机程序在执行时,可包括如上述各方法的实施例的流程。其中,本申请所提供的各实施例中所使用的对存储器、存储、数据库或其它介质的任何引用,均可包括非易失性和/或易失性存储器。非易失性存储器可包括只读存储器(ROM)、可编程ROM(PROM)、电可编程ROM(EPROM)、电可擦除可编程ROM(EEPROM)或闪存。易失性存储器可包括随机存取存储器(RAM)或者外部高速缓冲存储器。作为说明而非局限,RAM以多种形式可得,诸如静态RAM(SRAM)、动态RAM(DRAM)、同步DRAM(SDRAM)、双数据率SDRAM(DDRSDRAM)、增强型SDRAM(ESDRAM)、同步链路(Synchlink)DRAM(SLDRAM)、存储器总线(Rambus)直接RAM(RDRAM)、直接存储器总线动态RAM(DRDRAM)、以及存储器总线动态RAM(RDRAM)等。Those of ordinary skill in the art can understand that realizing all or part of the processes in the methods of the above embodiments can be completed by instructing related hardware through computer programs, and the computer programs can be stored in a non-volatile computer-readable storage medium , when the computer program is executed, it may include the procedures of the embodiments of the above-mentioned methods. Wherein, any references to memory, storage, database or other media used in the various embodiments provided in the present application may include non-volatile and/or volatile memory. Nonvolatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Chain Synchlink DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), etc.
以上实施例的各技术特征可以进行任意的组合,为使描述简洁,未对上述实施例中的各个技术特征所有可能的组合都进行描述,然而,只要这些技术特征的组合不存在矛盾,都应当认为是本说明书记载的范围。The technical features of the above embodiments can be combined arbitrarily. To make the description concise, all possible combinations of the technical features in the above embodiments are not described. However, as long as there is no contradiction in the combination of these technical features, they should be It is considered to be within the range described in this specification.
以上所述实施例仅表达了本申请的几种实施方式,其描述较为具体和 详细,但并不能因此而理解为对发明专利范围的限制。应当指出的是,对于本领域的普通技术人员来说,在不脱离本申请构思的前提下,还可以做出若干变形和改进,这些都属于本申请的保护范围。因此,本申请专利的保护范围应以所附权利要求为准。The above-mentioned embodiments only express several implementation modes of the present application, and its description is relatively specific and detailed, but it should not be interpreted as limiting the scope of the patent for the invention. It should be noted that those skilled in the art can make several modifications and improvements without departing from the concept of the present application, and these all belong to the protection scope of the present application. Therefore, the scope of protection of the patent application should be based on the appended claims.

Claims (10)

  1. 一种基于INT的异常流量检测方法,其特征在于,所述方法包括:An INT-based abnormal flow detection method, characterized in that the method comprises:
    发送方根据交互请求,将交互数据和遥测指令封装到数据包中通过传输链路上的交换机向接收方传输;According to the interaction request, the sender encapsulates the interaction data and telemetry instructions into data packets and transmits them to the receiver through the switch on the transmission link;
    传输链路上的第一跳交换机根据接收到的数据包中携带的遥测指令,将遥测数据包头和采集到的流量相关数据封装到所述数据包中,并发送至下一跳交换机;The first hop switch on the transmission link encapsulates the telemetry data packet header and the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and sends it to the next hop switch;
    下一跳交换机根据接收到的数据包中携带的遥测指令,将采集到的流量相关数据封装到所述数据包中后,继续传递给下一跳交换机进行采集到的流量相关数据封装,直至到达最后一跳交换机;The next-hop switch encapsulates the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continues to pass it to the next-hop switch to encapsulate the collected traffic-related data until it reaches last hop switch;
    最后一跳交换机根据接收到的数据包中携带的遥测指令,采集流量相关数据,并将所述数据包中的流量相关数据拆分出来,将所有流量相关数据作为遥测数据,发送至遥测服务器,将交互数据发送至接收方;The last hop switch collects flow-related data according to the telemetry instruction carried in the received data packet, splits the flow-related data in the data packet, and sends all flow-related data as telemetry data to the telemetry server, Send the interaction data to the receiver;
    遥测服务器从接收到的遥测数据中,提取出流量数据;The telemetry server extracts traffic data from the received telemetry data;
    遥测服务器根据所述流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果。The telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and outputs a detection result.
  2. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, further comprising:
    所述遥测服务器根据检测结果生成遥测报告反馈至发送方,当所述检测结果为异常时,向发送方发送停止数据包发送指令,使发送发停止数据包的发送,并根据所述流量数据进行异常流量的溯源。The telemetry server generates a telemetry report according to the detection result and feeds it back to the sender, and when the detection result is abnormal, sends a stop data packet sending instruction to the sender, so that the sender stops sending the data packet, and proceeds according to the flow data Tracing the source of abnormal traffic.
  3. 据权利要求1所述的方法,其特征在于,所述遥测服务器根据所述流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果的步骤,包括:The method according to claim 1, wherein the telemetry server uses an adaptive traffic detection algorithm to detect abnormal traffic according to the traffic data, and the step of outputting a detection result includes:
    所述遥测服务器采用标签编码器对所述流量数据进行编码,形成初步流量特征;The telemetry server uses a tag encoder to encode the traffic data to form preliminary traffic characteristics;
    所述遥测服务器将所述初步流量特征输入特征提取模型中提取出频繁出现的特征,获得频繁流量特征向量;The telemetry server extracts frequently occurring features by inputting the preliminary traffic features into a feature extraction model to obtain frequent traffic feature vectors;
    所述遥测服务器所述频繁流量特征向量输入重塑模型中进行重塑,形成二维矩阵数据特征;The frequent flow feature vector of the telemetry server is input into a reshaping model for reshaping to form a two-dimensional matrix data feature;
    所述遥测服务器使用与所述二维矩阵数据特征相同形状的k个卷积核对所述二维矩阵数据特征进行特征提取,获得三维数据特征;The telemetry server uses k convolution kernels of the same shape as the two-dimensional matrix data features to perform feature extraction on the two-dimensional matrix data features to obtain three-dimensional data features;
    所述遥测服务器将所述三维数据特征输入到分类模型中进行分类,获得检测结果。The telemetry server inputs the three-dimensional data features into a classification model for classification, and obtains a detection result.
  4. 根据权利要求3所述的方法,其特征在于,所述方法还包括:根据三维数据特征生成可视化界面在显示器上显示。The method according to claim 3, further comprising: generating a visual interface according to the characteristics of the three-dimensional data and displaying it on a display.
  5. 根据权利要求3所述的方法,其特征在于,所述遥测服务器采用标签编码器对所述流量数据进行编码,形成初步流量特征的步骤,包括:The method according to claim 3, wherein the telemetry server uses a label encoder to encode the traffic data to form a preliminary traffic feature, comprising:
    所述遥测服务器从流量数据中取n组流量数据样本,根据归一化公式对n组流量数据样本进行归一化编码处理,获得初步流量特征;The telemetry server takes n groups of flow data samples from the flow data, and performs normalized encoding processing on the n groups of flow data samples according to a normalization formula to obtain preliminary flow characteristics;
    所述归一化公式为:The normalization formula is:
    Figure PCTCN2022107422-appb-100001
    Figure PCTCN2022107422-appb-100001
    其中,s ij标识第i组流量数据样本中的每个数据,j表示第i组流量数据样本中的第j个时间点的数据,s i_min为第i组流量数据样本中的最小值,s i_max为第i组流量数据样本中的最大值,c ij表示第i组的第j个时间点的数据的归一化后数据,s i表示初步流量特征。 Among them, s ij identifies each data in the i-th group of flow data samples, j represents the data at the jth time point in the i-th group of flow data samples, s i_min is the minimum value in the i-th group of flow data samples, s i_max is the maximum value in the flow data samples of the i-th group, c ij represents the normalized data of the data at the j-th time point of the i-th group, and s i represents the preliminary flow characteristics.
  6. 根据权利要求3所述的方法,其特征在于,所述特征提取模型为:The method according to claim 3, wherein the feature extraction model is:
    Figure PCTCN2022107422-appb-100002
    Figure PCTCN2022107422-appb-100002
    其中,x i代表输出的频繁流量特征向量,w为形状重塑向量,a 1为生成特征向量的参数值,f为特征获取函数,n为流量数据样本的总组数。 Among them, x i represents the output frequent traffic feature vector, w is the shape reshaping vector, a 1 is the parameter value of the generated feature vector, f is the feature acquisition function, and n is the total number of groups of traffic data samples.
  7. 根据权利要求3所述的方法,其特征在于,所述重塑模型为:The method according to claim 3, wherein the remodeling model is:
    Figure PCTCN2022107422-appb-100003
    Figure PCTCN2022107422-appb-100003
    M=(h,x i) M=(h,x i )
    其中,h为形状重塑样本,x i代表输出的频繁流量特征向量,w为形状重塑向量,a 1为生成特征向量的参数值,M为二维矩阵数据特征。 Among them, h is the shape reshaping sample, xi represents the output frequent flow feature vector, w is the shape reshaping vector, a 1 is the parameter value of the generated feature vector, and M is the two-dimensional matrix data feature.
  8. 根据权利要求3所述的方法,其特征在于,所述卷积核进行特征提取的公式为:The method according to claim 3, wherein the formula for feature extraction by the convolution kernel is:
    O i=((h-k+1)/2*k,(h-k+1)/x i,(h-k+1)/1) O i =((h-k+1)/2*k, (h-k+1)/ xi , (h-k+1)/1)
    其中,k为卷积核的个数,h为形状重塑样本,x i代表输出的频繁流量特征向量,O i为提取出的三维数据特征。 Among them, k is the number of convolution kernels, h is the shape remodeling sample, x i represents the output frequent flow feature vector, and O i is the extracted three-dimensional data feature.
  9. 根据权利要求3所述的方法,其特征在于,所述分类模型为:The method according to claim 3, wherein the classification model is:
    Figure PCTCN2022107422-appb-100004
    Figure PCTCN2022107422-appb-100004
    其中,e为自然底数,sig为sigmoid激活功能函数,class为检测结果,class为0代表正常,class为1代表异常,O i为提取出的三维数据特征。 Among them, e is the natural base, sig is the sigmoid activation function, class is the detection result, class is 0 for normal, class is 1 for abnormal, O i is the extracted three-dimensional data features.
  10. 一种基于INT的异常流量检测装置,其特征在于,所述装置包括:A kind of abnormal traffic detection device based on INT, it is characterized in that, described device comprises:
    发送方的数据传输模块,用于发送方根据交互请求,将交互数据和遥测指令封装到数据包中通过传输链路上的交换机向接收方传输;The sender's data transmission module is used for the sender to encapsulate the interaction data and telemetry instructions into data packets according to the interaction request and transmit them to the receiver through the switch on the transmission link;
    交换机的第一封装模块,用于传输链路上的第一跳交换机根据接收到的数据包中携带的遥测指令,将遥测数据包头和采集到的流量相关数据封装到所述数据包中,并发送至下一跳交换机;The first encapsulation module of the switch is used for the first hop switch on the transmission link to encapsulate the telemetry data packet header and the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and Send to the next hop switch;
    交换机的第二封装模块,用于下一跳交换机根据接收到的数据包中携带的遥测指令,将采集到的流量相关数据封装到所述数据包中后,继续传递给下一跳交换机进行采集到的流量相关数据封装,直至到达最后一跳交换机;The second encapsulation module of the switch is used for the next-hop switch to encapsulate the collected traffic-related data into the data packet according to the telemetry instruction carried in the received data packet, and then continue to pass it to the next-hop switch for collection Encapsulate the incoming traffic-related data until it reaches the last hop switch;
    交换机的第三封装模块,用于最后一跳交换机根据接收到的数据包中携带的遥测指令,采集流量相关数据,并将所述数据包中的流量相关数据拆分出来,将所有流量相关数据作为遥测数据,发送至遥测服务器,将交互数据发送至接 收方;The third encapsulation module of the switch is used for the last hop switch to collect flow-related data according to the telemetry instruction carried in the received data packet, split the flow-related data in the data packet, and collect all flow-related data As telemetry data, it is sent to the telemetry server, and the interaction data is sent to the receiver;
    遥测服务器的提取模块,用于遥测服务器从接收到的遥测数据中,提取出流量数据;The extraction module of the telemetry server is used for the telemetry server to extract traffic data from the received telemetry data;
    遥测服务器的检测模块,用于遥测服务器根据所述流量数据,采用自适应的流量检测算法进行异常流量检测,输出检测结果。The detection module of the telemetry server is used for the telemetry server to detect abnormal traffic by using an adaptive traffic detection algorithm according to the traffic data, and output a detection result.
PCT/CN2022/107422 2021-12-31 2022-07-22 Int-based anomalous-traffic detection method and apparatus WO2023124034A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111665464.0 2021-12-31
CN202111665464.0A CN114422213B (en) 2021-12-31 2021-12-31 INT-based abnormal flow detection method and device

Publications (1)

Publication Number Publication Date
WO2023124034A1 true WO2023124034A1 (en) 2023-07-06

Family

ID=81272406

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/107422 WO2023124034A1 (en) 2021-12-31 2022-07-22 Int-based anomalous-traffic detection method and apparatus

Country Status (2)

Country Link
CN (1) CN114422213B (en)
WO (1) WO2023124034A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118400191A (en) * 2024-06-26 2024-07-26 军工保密资格审查认证中心 Industrial control network attack event tracing processing method and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422213B (en) * 2021-12-31 2023-07-25 南京邮电大学 INT-based abnormal flow detection method and device
CN118138375B (en) * 2024-05-06 2024-07-23 国网浙江省电力有限公司信息通信分公司 Network telemetry method and system for detecting network intrusion

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422498A (en) * 2020-09-04 2021-02-26 网络通信与安全紫金山实验室 In-band network remote measuring method, system and computer readable storage medium
CN112491661A (en) * 2020-12-11 2021-03-12 苏州浪潮智能科技有限公司 Time delay detection method, device, equipment and medium for data center switch
US20210152526A1 (en) * 2019-11-18 2021-05-20 Cisco Technology, Inc. Device detection in network telemetry with tls fingerprinting
EP3826261A1 (en) * 2019-11-25 2021-05-26 Cisco Technology, Inc. Network telemetry collection with packet metadata filtering
CN112995238A (en) * 2021-05-21 2021-06-18 华中科技大学 Method for reducing DDoS attack, programmable switch and SDN controller
CN113271225A (en) * 2021-05-18 2021-08-17 浙江大学 Network reliability evaluation method based on in-band network telemetry technology
CN114422213A (en) * 2021-12-31 2022-04-29 南京邮电大学 INT-based abnormal flow detection method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110048912B (en) * 2019-04-26 2022-07-15 中国科学技术大学 Photoelectric cross-layer network monitoring system, data processing method and device
KR20210060180A (en) * 2019-11-18 2021-05-26 포항공과대학교 산학협력단 Method for detecting anomaly of network and apparatus therefor
CN113676376B (en) * 2021-08-20 2022-12-13 北京交通大学 In-band network telemetry method based on clustering

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210152526A1 (en) * 2019-11-18 2021-05-20 Cisco Technology, Inc. Device detection in network telemetry with tls fingerprinting
EP3826261A1 (en) * 2019-11-25 2021-05-26 Cisco Technology, Inc. Network telemetry collection with packet metadata filtering
CN112422498A (en) * 2020-09-04 2021-02-26 网络通信与安全紫金山实验室 In-band network remote measuring method, system and computer readable storage medium
CN112491661A (en) * 2020-12-11 2021-03-12 苏州浪潮智能科技有限公司 Time delay detection method, device, equipment and medium for data center switch
CN113271225A (en) * 2021-05-18 2021-08-17 浙江大学 Network reliability evaluation method based on in-band network telemetry technology
CN112995238A (en) * 2021-05-21 2021-06-18 华中科技大学 Method for reducing DDoS attack, programmable switch and SDN controller
CN114422213A (en) * 2021-12-31 2022-04-29 南京邮电大学 INT-based abnormal flow detection method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUANG, YINGJUN ET AL.: "SNMP-based Constellation Networks Traffic Telemetry and Forecasting", APPLICATION RESEARCH OF COMPUTERS, 15 July 2007 (2007-07-15), XP009547347 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118400191A (en) * 2024-06-26 2024-07-26 军工保密资格审查认证中心 Industrial control network attack event tracing processing method and device

Also Published As

Publication number Publication date
CN114422213B (en) 2023-07-25
CN114422213A (en) 2022-04-29

Similar Documents

Publication Publication Date Title
WO2023124034A1 (en) Int-based anomalous-traffic detection method and apparatus
CN109639481A (en) A kind of net flow assorted method, system and electronic equipment based on deep learning
US10706062B2 (en) Method and system for exchanging data from a big data source to a big data target corresponding to components of the big data source
CN115606162A (en) Abnormal flow detection method and system, and computer storage medium
CN112804253B (en) Network flow classification detection method, system and storage medium
CN111064678A (en) Network traffic classification method based on lightweight convolutional neural network
CN107786388B (en) Anomaly detection system based on large-scale network flow data
CN109639734B (en) Abnormal flow detection method with computing resource adaptivity
CN112511555A (en) Private encryption protocol message classification method based on sparse representation and convolutional neural network
CN114448830B (en) Equipment detection system and method
Wu et al. TDAE: Autoencoder-based automatic feature learning method for the detection of DNS tunnel
CN111242167B (en) Distributed image labeling method, device, computer equipment and storage medium
CN116599720A (en) Malicious DoH flow detection method and system based on GraphSAGE
Kumar et al. Deep Learning Based Optimal Traffic Classification Model for Modern Wireless Networks
US9398040B2 (en) Intrusion detection system false positive detection apparatus and method
CN117097578A (en) Network traffic safety monitoring method, system, medium and electronic equipment
CN112468509A (en) Deep learning technology-based automatic flow data detection method and device
CN113452810B (en) Traffic classification method, device, equipment and medium
CN114186637A (en) Traffic identification method, traffic identification device, server and storage medium
CN114143385A (en) Network traffic data identification method, device, equipment and medium
CN111008227A (en) Data analysis processing platform
CN113095426A (en) Encrypted traffic classification method, system, equipment and readable storage medium
Ma et al. Bi-ETC: A Bidirectional Encrypted Traffic Classification Model Based on BERT and BiLSTM
CN115002045B (en) Twin network-based dark website session identification method and system
CN114025203B (en) Sequence similarity-based encrypted video flow content analysis method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22913323

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE