Technical Field
The present invention relates to network technology, and in particular to a traffic-mirroring-based method and apparatus for detecting abnormal traffic.
Background
With the development of computer and network technology, network traffic anomaly detection and the processing of massive data volumes have gradually become research hotspots.
At present, existing abnormal-traffic detection techniques analyze sampled traffic. They offer insufficient support for analyzing the traffic of cloud Internet data centers (International Data Corporation, IDC) and are oriented more toward Internet traffic or the traffic of a known, fixed service. When the service is fixed, its traffic characteristics are fairly well defined, but in a cloud environment the traffic is far more complex and the challenge correspondingly greater.
As a result, existing abnormal-traffic detection techniques lack the capacity to analyze the large traffic volumes of cloud service providers, and in particular their detection accuracy is low when cloud IDC traffic is analyzed and processed.
Summary of the Invention
A brief summary of the invention is given below to provide a basic understanding of some of its aspects. It should be understood that this summary is not an exhaustive overview of the invention. It is intended neither to identify key or critical elements of the invention nor to delineate its scope. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that follows.
To solve the above technical problems, the present invention provides a traffic-mirroring-based method and apparatus for detecting abnormal traffic, so as to at least solve the problem that existing abnormal-traffic detection techniques have low detection accuracy when analyzing and processing cloud IDC traffic.
To achieve the object of the invention, according to one aspect of the invention, a traffic-mirroring-based method for detecting abnormal traffic is provided. The method comprises: acquiring the mirrored traffic of a cloud IDC in real time by traffic mirroring, and splitting the acquired mirrored traffic by tenant so as to obtain each tenant's own mirrored traffic; extracting features from each tenant's mirrored traffic to obtain the feature data of that mirrored traffic, and storing the feature data; and, for each tenant, determining whether its current mirrored traffic is abnormal on the basis of the feature data of its current mirrored traffic and the feature data of its historical mirrored traffic, using a Poisson distribution together with an outlier detection method.
Further, the outlier detection method comprises one or more of Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Support Vector Machine (SVM), logistic regression and linear fitting.
Further, the step of determining, using a Poisson distribution together with an outlier detection method, whether the current mirrored traffic is abnormal comprises: determining from the feature data of the tenant's historical mirrored traffic whether the tenant corresponds to a stable service type; and, where the tenant does correspond to a stable service type, obtaining a predicted feature value for the tenant's current mirrored traffic by a chi-square test and a least-squares linear fit, so as to determine whether the current mirrored traffic is abnormal from the difference between the predicted feature value and the actual feature data of the tenant's current mirrored traffic.
Further, the step of determining, using a Poisson distribution together with an outlier detection method, whether the current mirrored traffic is abnormal also comprises: determining the historical mirrored traffic within a predetermined period preceding the current mirrored traffic; and using the feature data of the historical mirrored traffic within that period to obtain, by logistic regression, a predicted feature value for the current mirrored traffic, so as to determine whether the current mirrored traffic is abnormal from the difference between the predicted feature value and the actual feature data of the tenant's current mirrored traffic.
Further, the step of extracting features from each tenant's mirrored traffic comprises: for each tenant's mirrored traffic, extracting a plurality of features of that mirrored traffic, and selecting at least some of those features as the feature extraction result by computing the correlations among them.
Further, the feature data of the mirrored traffic comprises at least some of the following features: current traffic volume; network-protocol data; application-layer data; transmission rate; packet forwarding rate; source IP distribution; IP characteristics; payload protocol; number of connections; and URL access frequency.
Further, the abnormal-traffic detection method also comprises: for each tenant, determining from the feature data of the tenant's historical mirrored traffic whether the tenant satisfies a preset condition, and determining that the tenant has a service anomaly when it does; the preset condition being that the tenant's number of connections, URL access frequency and traffic volume have increased and its source IP reputation value is above a preset value.
According to another aspect of the invention, a traffic-mirroring-based apparatus for detecting abnormal traffic is also provided. The apparatus comprises: a traffic mirroring unit, for acquiring the mirrored traffic of a cloud IDC in real time by traffic mirroring; a splitting unit, for splitting the acquired mirrored traffic by tenant so as to obtain each tenant's own mirrored traffic; a feature extraction unit, for extracting features from each tenant's mirrored traffic to obtain the feature data of that mirrored traffic and storing the feature data; and an anomaly detection unit, for determining, for each tenant, whether its current mirrored traffic is abnormal on the basis of the feature data of its current mirrored traffic and the feature data of its historical mirrored traffic, using a Poisson distribution together with an outlier detection method.
Further, the outlier detection method used by the anomaly detection unit comprises one or more of DBSCAN, SVM, logistic regression and linear fitting.
Further, the anomaly detection unit is also used for: for each tenant, determining from the feature data of the tenant's historical mirrored traffic whether the tenant satisfies a preset condition, and determining that the tenant has a service anomaly when it does; the preset condition being that the tenant's number of connections, URL access frequency and traffic volume have increased and its source IP reputation value is above a preset value.
The traffic-mirroring-based method and apparatus of the invention acquire cloud IDC mirrored traffic in real time by traffic mirroring, obtain the feature data of each tenant's mirrored traffic by high-performance packet preprocessing, and on that basis detect abnormal traffic from the feature data of the current mirrored traffic and of the historical mirrored traffic.
By using traffic mirroring to process the traffic data of a cloud IDC, the above method and apparatus of the invention have the following beneficial effects: (1) they can handle massive traffic volumes and accurately discover network attacks or system anomalies, thereby solving the prior art's insufficient capacity to analyze massive network traffic and data and its inability to detect abnormal traffic accurately when processing and analyzing cloud IDC traffic; (2) compared with the prior art, they provide real-time detection and quickly locate the object at which the anomaly occurred, thereby solving the prior art's shortcomings in the timeliness of analysis and detection; and (3) the invention is suited to deployment in cloud-computing IDC machine rooms and is easy to scale out.
In addition, in some embodiments of the invention, DPDK can be used for high-performance packet processing and a stream-computing platform for the low-latency detection logic, thereby reducing detection latency.
In addition, in some embodiments of the invention, the detection method is optimized by combining several detection techniques, avoiding the limitations of any single technique while reducing the probability of false positives.
Other features and advantages of the invention will be set forth in the description that follows, and in part will be apparent from the description or may be learned by practicing the invention. The objects and other advantages of the invention may be realized and attained by the structure particularly pointed out in the description, the claims and the accompanying drawings.
Brief Description of the Drawings
The accompanying drawings provide a further understanding of the technical solution of the invention and form part of the description; together with the embodiments of the application they serve to explain the technical solution of the invention and do not limit it.
FIG. 1A is a flowchart of one exemplary process of the traffic-mirroring-based method for detecting abnormal traffic of the invention;
FIG. 1B relates to the traffic-mirroring-based method for detecting abnormal traffic of the invention;
FIG. 1C is a network topology diagram of the traffic-mirroring-based method for detecting abnormal traffic of the invention;
FIG. 2 is a flowchart of the first sub-process;
FIG. 3 is a flowchart of the second sub-process;
FIG. 4 is a flowchart of another exemplary process of the traffic-mirroring-based method for detecting abnormal traffic of the invention;
FIG. 5 is a block diagram of an exemplary structure of the traffic-mirroring-based apparatus for detecting abnormal traffic of the invention.
Those skilled in the art will appreciate that elements in the figures are illustrated for simplicity and clarity and are not necessarily drawn to scale. For example, the dimensions of some elements in the figures may be exaggerated relative to other elements to help improve understanding of the embodiments of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that, where no conflict arises, the embodiments of the application and the features within them may be combined with one another arbitrarily.
The steps shown in the flowcharts of the figures may be executed in a computer system such as a set of computer-executable instructions. Moreover, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from that given here.
An embodiment of the invention provides a traffic-mirroring-based method for detecting abnormal traffic. The method comprises: acquiring the mirrored traffic of a cloud IDC in real time by traffic mirroring, and splitting the acquired mirrored traffic by tenant so as to obtain each tenant's own mirrored traffic; extracting features from each tenant's mirrored traffic to obtain the feature data of that mirrored traffic, and storing the feature data; and, for each tenant, determining whether its current mirrored traffic is abnormal on the basis of the feature data of its current mirrored traffic and the feature data of its historical mirrored traffic, using a Poisson distribution together with an outlier detection method.
The processing flow of one example of the above traffic-mirroring-based method for detecting abnormal traffic is described below with reference to FIG. 1A.
As shown in FIG. 1A, once the method starts, step S110 is executed. In step S110, the mirrored traffic of the cloud IDC is acquired in real time by traffic mirroring, and the acquired mirrored traffic is split by tenant so as to obtain each tenant's own mirrored traffic. Step S120 is then executed.
Traffic mirroring monitors a network by forwarding the traffic of one or more source ports on a device such as a switch or router to a designated port, called the "mirror port". Provided the normal throughput of the source ports is not seriously affected, the network traffic can be monitored and analyzed through the mirror port.
In addition, real-time computation is generally performed on massive data volumes, and completion within seconds is generally required.
In step S120, features are extracted from each tenant's mirrored traffic to obtain the feature data of that mirrored traffic, which is then stored. Step S130 is then executed.
Step S120 is a high-performance packet preprocessing step. In this step, DPDK (a packet forwarding and processing kit released by Intel) can be used for high-performance packet processing, parsing each feature of the mirrored traffic and so accelerating the preprocessing of the mirrored traffic. For example, the HTTP protocol contains certain characteristic fields; a state machine can be built on them, and the protocol parsed by matching the payload content of the packets. Because higher performance is required, the matching has to be performed in parallel.
In one implementation, the step of extracting features from each tenant's mirrored traffic in step S120 can be carried out as follows: for each tenant's mirrored traffic, a plurality of features of that mirrored traffic are extracted, and at least some of them are selected as the feature extraction result by computing the correlations among the features.
For example, the feature data of the mirrored traffic may comprise at least some of the following features: current traffic volume; network-protocol (TCP/UDP) data; application-layer (e.g. HTTP) data; transmission rate (in bps); packet forwarding rate (in pps); source IP distribution; IP characteristics; payload protocol; number of connections; and URL access frequency.
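As an added illustration of steps S110 and S120 (example code, not from the patent), the following Python stand-in for the packet-preprocessing stage splits a constructed batch of mirrored packets by tenant and derives several of the features listed above: transmission rate in bps, packet forwarding rate in pps, protocol mix, source IP distribution, number of connections and URL access frequency. The packet records, the tenant prefixes, the window length and the minimal HTTP request-line parser are all assumptions; in a deployment the parsing would run in the DPDK pipeline the text describes, and the tenant mapping would come from the cloud's tenant inventory.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of mirrored packets (not from the patent): one window of
# traffic seen on the mirror port. Fields: time (s), source IP, destination IP,
# transport protocol, length in bytes, first bytes of the application payload.
PACKETS = [
    (0.0, "203.0.113.10", "10.1.0.5", "TCP", 420, b"GET /login HTTP/1.1\r\nHost: a\r\n"),
    (0.2, "203.0.113.10", "10.1.0.5", "TCP", 60, b""),
    (0.4, "198.51.100.7", "10.1.0.5", "TCP", 380, b"GET /api/items HTTP/1.1\r\n"),
    (0.6, "198.51.100.7", "10.1.0.5", "TCP", 1500, b""),
    (0.9, "203.0.113.22", "10.2.0.9", "UDP", 120, b""),
    (1.1, "203.0.113.10", "10.1.0.5", "TCP", 410, b"GET /login HTTP/1.1\r\n"),
    (1.5, "192.0.2.33", "10.2.0.9", "TCP", 300, b"POST /upload HTTP/1.1\r\n"),
]
# Assumed tenant assignment by destination prefix (in a cloud IDC this would
# come from the tenant / VPC inventory).
TENANT_PREFIXES = {
    "tenant-a": ipaddress.ip_network("10.1.0.0/16"),
    "tenant-b": ipaddress.ip_network("10.2.0.0/16"),
}
WINDOW_SECONDS = 2.0  # assumed aggregation window for the rate features


def tenant_of(dst_ip):
    """Map a destination address to its tenant, or None if it is unassigned."""
    addr = ipaddress.ip_address(dst_ip)
    for name, net in TENANT_PREFIXES.items():
        if addr in net:
            return name
    return None


def split_by_tenant(packets):
    """Step S110: divert each mirrored packet into its tenant's own stream."""
    streams = defaultdict(list)
    for pkt in packets:
        tenant = tenant_of(pkt[2])
        if tenant is not None:
            streams[tenant].append(pkt)
    return streams


def http_request_target(payload):
    """Minimal HTTP/1.x request-line parse (the 'characteristic fields' the
    text mentions): returns the request target, or None for non-HTTP data."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/"):
        return parts[1].decode("ascii", "replace")
    return None


def extract_features(packets, window=WINDOW_SECONDS):
    """Step S120: feature data for one tenant over one window."""
    total_bytes = sum(p[4] for p in packets)
    urls = Counter()
    for p in packets:
        target = http_request_target(p[5])
        if target:
            urls[target] += 1
    return {
        "bps": total_bytes * 8 / window,            # transmission rate
        "pps": len(packets) / window,               # packet forwarding rate
        "protocols": dict(Counter(p[3] for p in packets)),
        "source_ips": dict(Counter(p[1] for p in packets)),  # source IP distribution
        "connections": len({(p[1], p[2], p[3]) for p in packets}),
        "url_frequency": dict(urls),                # URL access frequency
    }


def features_by_tenant(packets):
    """Steps S110 and S120 combined: tenant name -> feature data."""
    return {t: extract_features(s) for t, s in split_by_tenant(packets).items()}


if __name__ == "__main__":
    for tenant, feats in features_by_tenant(PACKETS).items():
        print(tenant, feats)
```

The feature dictionary produced per tenant is what the later detection steps consume; the per-window rates are what the hourly bps/pps statistics of step S131 are built from.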
In step S130, for each tenant, it is determined whether its current mirrored traffic is abnormal (e.g. attack traffic) on the basis of the feature data of its current mirrored traffic and the feature data of its historical mirrored traffic, using a Poisson distribution together with an outlier detection method. The processing can then end once step S130 has been executed. Anomalies can be found, for example, by matching the traffic distribution, by analyzing the correlations among the features (Euclidean distance can be used to describe the correlation, and machine-learning techniques such as Bayes' formula can measure the degree of association between features), and by searching for outliers.
In one implementation, the outlier detection method may comprise one or more of DBSCAN, SVM, logistic regression and linear fitting.
In one example, the processing of step S130 can be implemented by the flow shown in FIG. 1B. As shown in FIG. 1B, step S131 is executed first. In step S131, the bps and pps values of the current mirrored traffic are aggregated per hour as the feature data of the current mirrored traffic; the feature data of the corresponding historical mirrored traffic are then the bps and pps values of the same hour on each day over a past period. For example, if the bps and pps values for 20:00–21:00 of the current day are obtained, the feature data of the corresponding historical mirrored traffic are the bps and pps values for 20:00–21:00 of each of the past 30 days (or of some other period).
Then, in step S132, the probability of the current mirrored traffic's feature data occurring is computed by the Poisson method from the feature data of the corresponding historical mirrored traffic and of the current mirrored traffic; this probability is denoted P.
Then, in step S133, it is determined whether the probability P is less than 80%: if so, step S134 is executed; otherwise the current mirrored traffic is determined to be normal (step S135).
In step S134, the current mirrored traffic is judged to show an anomaly, and further computation is required to reach a decision.
Then, in step S136, an outlier computation is performed on the feature data of the historical mirrored traffic and of the current mirrored traffic, so as to obtain an outlier factor for each segment of mirrored traffic among the current and historical mirrored traffic.
For example, the feature data of the current mirrored traffic is added to the feature data of the historical mirrored traffic, and the Local Outlier Factor (LOF) method is then applied to this data (that is, the feature data of the historical mirrored traffic together with that of the current mirrored traffic) to compute distances and obtain an outlier factor for each point. Here each point is one segment of mirrored traffic: the current mirrored traffic, or one segment of historical mirrored traffic.
Then, in step S137, all the outlier factors obtained in step S136 are sorted in descending order, and the top k of them (k may be 3 or 5, for example) are taken.
Then, in step S138, it is determined whether the outlier factor of the current mirrored traffic is among those k outlier factors: if so, the current mirrored traffic is determined to be abnormal and an alarm is raised (step S139); otherwise the current mirrored traffic is determined to be normal (step S135).
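The flow of steps S131 to S139, as an added Python example that is not part of the patent. The text does not say how the Poisson probability P is defined, which LOF neighbourhood size is used, or in what units bps and pps are counted, so the example assumes the following: the Poisson rate is the mean of the historical same-hour values; P is the upper-tail probability P(X >= current) under that model, taken per feature with the smaller one deciding, so that a surge drives P toward 0 while an ordinary or quiet hour keeps it high; traffic is expressed in integer Mbps and kpps so the values can be treated as counts; LOF uses 5 neighbours; and k = 3 for the top-k check. The 30-day history and the current hours are constructed.

```python
import math

# Constructed history (not from the patent): 30 days of the same hour
# (20:00-21:00) for one tenant, as (Mbps, kpps) integer pairs. Integer units
# are an assumption so the values can be modelled as Poisson counts.
HISTORY = [
    (480, 55), (495, 57), (502, 58), (488, 54), (491, 56), (499, 57), (485, 53),
    (507, 59), (493, 56), (489, 55), (496, 57), (483, 52), (501, 58), (490, 55),
    (498, 57), (486, 54), (504, 59), (492, 56), (487, 54), (500, 58), (494, 56),
    (482, 53), (503, 59), (497, 57), (489, 56), (491, 54), (505, 60), (484, 53),
    (499, 58), (493, 57),
]
CURRENT_NORMAL = (491, 55)    # constructed: an ordinary hour
CURRENT_QUIET = (430, 45)     # constructed: a quiet hour, released at step S133
CURRENT_SPIKE = (1350, 410)   # constructed: a sudden surge in both bps and pps
P_THRESHOLD = 0.8             # step S133: P below 80% means "look closer"
K_TOP = 3                     # step S137: k may be 3 or 5
LOF_NEIGHBOURS = 5            # assumption: MinPts for LOF


def poisson_upper_tail(x, lam):
    """P(X >= x) for X ~ Poisson(lam); pmf terms are formed in log space so
    large rates (hundreds of Mbps) do not underflow."""
    x = int(round(x))
    if x <= 0:
        return 1.0
    cdf = sum(math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1)) for k in range(x))
    return max(0.0, 1.0 - cdf)


def lof_scores(points, k=LOF_NEIGHBOURS):
    """Local Outlier Factor (Breunig et al., 2000) for every point, brute force.
    The neighbourhood is every point within the k-distance, so ties are kept."""
    n = len(points)
    d = [[math.dist(p, q) for q in points] for p in points]
    kdist, neigh = [], []
    for i in range(n):
        ranked = sorted((d[i][j], j) for j in range(n) if j != i)
        kd = ranked[k - 1][0]
        kdist.append(kd)
        neigh.append([j for dist, j in ranked if dist <= kd])
    lrd = []  # local reachability density
    for i in range(n):
        reach = sum(max(kdist[j], d[i][j]) for j in neigh[i])
        lrd.append(len(neigh[i]) / reach if reach > 0 else float("inf"))
    return [sum(lrd[j] for j in neigh[i]) / len(neigh[i]) / lrd[i] for i in range(n)]


def detect(history, current, k_top=K_TOP):
    """Steps S132 to S139 for one tenant-hour. Returns 'normal' or 'abnormal'."""
    # S132: Poisson probability of the current hour given the historical mean,
    # per feature (bps, pps); the smaller probability decides.
    p = min(
        poisson_upper_tail(current[f], sum(h[f] for h in history) / len(history))
        for f in range(2)
    )
    if p >= P_THRESHOLD:
        return "normal"                                   # S133 -> S135
    # S134/S136: the hour is suspect; rank it against history with LOF.
    points = history + [current]
    scores = lof_scores(points)
    top = sorted(range(len(points)), key=lambda i: scores[i], reverse=True)[:k_top]  # S137
    return "abnormal" if len(points) - 1 in top else "normal"   # S138 -> S139 / S135


if __name__ == "__main__":
    for label, cur in (("normal", CURRENT_NORMAL), ("quiet", CURRENT_QUIET), ("spike", CURRENT_SPIKE)):
        print(label, detect(HISTORY, cur))
```

Two points are worth noting for anyone reproducing this. First, with the 80% threshold most ordinary hours fall through to the LOF stage, so it is the top-k ranking, not the Poisson screen, that keeps the false-positive rate down; the screen mainly saves the LOF computation on quiet hours. Second, the two features are used on different scales here; with more features of widely differing magnitude the distances should be standardized before LOF, or the largest-valued feature will dominate the ranking.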
FIG. 1C shows the network topology used in one example of the invention to implement the above traffic-mirroring-based method for detecting abnormal traffic.
As shown in FIG. 1C, the mirrored traffic acquired from the cloud IDC by traffic mirroring (corresponding to step S110 of FIG. 1A) is forwarded to "traffic preprocessing", which outputs the results of deep traffic analysis (corresponding to step S120 of FIG. 1A); these are then sent to the "computing cluster". Deep traffic parsing can identify the application protocol of the packets, such as QQ, BT or WeChat, adding features for the anomaly detection algorithm and improving its accuracy. The "computing cluster" runs the anomaly detection program (corresponding to step S130 of FIG. 1A), and is linked with the firewall to improve its security.
In one implementation, the step in S130 of determining, using a Poisson distribution together with an outlier detection method, whether the current mirrored traffic is abnormal may comprise the first sub-process shown in FIG. 2. As shown in FIG. 2, once the first sub-process starts, step S210 is executed.
In step S210, it is determined from the feature data of the tenant's historical mirrored traffic whether the tenant corresponds to a stable service type. If so, step S220 is executed; otherwise the first sub-process ends.
In step S220, a predicted feature value for the tenant's current mirrored traffic is obtained by a chi-square test and a least-squares linear fit. Step S230 is then executed.
In step S230, it is determined whether the current mirrored traffic is abnormal from the difference between the predicted feature value and the actual feature data of the tenant's current mirrored traffic. The first sub-process then ends.
In another implementation, the step in S130 of determining, using a Poisson distribution together with an outlier detection method, whether the current mirrored traffic is abnormal may also comprise the second sub-process shown in FIG. 3. As shown in FIG. 3, once the second sub-process starts, step S310 is executed.
In step S310, the historical mirrored traffic within a predetermined period preceding the current mirrored traffic is determined. Step S320 is then executed.
In step S320, a predicted feature value for the current mirrored traffic is obtained by logistic regression from the feature data of the historical mirrored traffic within that period. Step S330 is then executed.
In step S330, it is determined whether the current mirrored traffic is abnormal from the difference between the predicted feature value and the actual feature data of the tenant's current mirrored traffic. The second sub-process then ends.
For example, in step S330 a set of thresholds can be preset: a first threshold S1, a second threshold S2, ..., an Nth threshold SN, where N is the number of feature types (the number of kinds of feature extracted from each tenant's mirrored traffic in step S120). Each feature thus has its own threshold. The difference between the predicted value and the actual value of each feature is computed, and if for any feature in the feature data of the current mirrored traffic that difference exceeds the corresponding threshold, the current mirrored traffic is determined to be abnormal.
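The first sub-process (steps S210 to S230) together with the per-feature thresholds S1..SN described for step S330, as one added Python example that is not from the patent. The text does not specify how "stable service type" is decided, so the example assumes a chi-square test of the index of dispersion: under a Poisson model the statistic (n-1)*variance/mean follows a chi-square distribution with n-1 degrees of freedom, and a series whose dispersion is far from that is treated as not stable. The p-value is approximated with the Wilson-Hilferty normal transform rather than a lookup table, the predicted value comes from a least-squares line over the last 12 points, and the series and thresholds are constructed.

```python
import math

# Constructed samples (not from the patent): 30 days of same-hour connection
# counts for a tenant with a steady workload and for one with a bursty workload.
STABLE_CONNECTIONS = [56, 66, 52, 71, 61, 47, 75, 58, 66, 55, 69, 42, 63, 60, 77,
                      50, 68, 56, 72, 53, 61, 48, 74, 64, 55, 60, 69, 45, 66, 58]
BURSTY_CONNECTIONS = [20, 22, 19, 180, 21, 23, 20, 210, 18, 22, 21, 19, 195, 20, 22,
                      23, 19, 21, 240, 20, 22, 20, 19, 21, 23, 205, 20, 22, 21, 19]
# One threshold per feature (the S1..SN of the text); the values are constructed.
THRESHOLDS = {"connections": 25}
FIT_WINDOW = 12   # assumption: number of most recent points used for the line fit


def chi_square_p_value(stat, df):
    """Two-sided p-value of a chi-square statistic by the Wilson-Hilferty
    normal approximation (assumption: adequate for df of about 10 or more)."""
    z = ((stat / df) ** (1.0 / 3) - (1 - 2 / (9 * df))) / math.sqrt(2 / (9 * df))
    return math.erfc(abs(z) / math.sqrt(2))


def is_poisson_like(series, alpha=0.05):
    """Step S210 (assumed criterion): index-of-dispersion chi-square test.
    Under a Poisson model (n-1)*variance/mean ~ chi-square(n-1); reject the
    'stable service' hypothesis when the two-sided p-value is below alpha."""
    n = len(series)
    mean = sum(series) / n
    var = sum((x - mean) ** 2 for x in series) / (n - 1)
    return chi_square_p_value((n - 1) * var / mean, n - 1) >= alpha


def least_squares_next(series, window=FIT_WINDOW):
    """Step S220: fit y = a + b*t by least squares over the last `window`
    points (t = 0 .. window-1) and extrapolate one step to t = window."""
    ys = series[-window:]
    n = len(ys)
    t_mean, y_mean = (n - 1) / 2, sum(ys) / n
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(ys))
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    return y_mean + (sxy / sxx) * (n - t_mean)


def check_stable_tenant(history, current, thresholds=THRESHOLDS):
    """Steps S210-S230 with the per-feature thresholds of step S330.
    history: feature name -> past values; current: feature name -> value.
    Returns 'not stable', 'normal' or 'abnormal'."""
    if not all(is_poisson_like(s) for s in history.values()):
        return "not stable"        # S210: the first sub-process does not apply
    for name, series in history.items():
        predicted = least_squares_next(series)
        if abs(predicted - current[name]) > thresholds[name]:
            return "abnormal"      # S230: deviation beyond this feature's threshold
    return "normal"


if __name__ == "__main__":
    print(check_stable_tenant({"connections": STABLE_CONNECTIONS}, {"connections": 62}))
    print(check_stable_tenant({"connections": STABLE_CONNECTIONS}, {"connections": 140}))
    print(check_stable_tenant({"connections": BURSTY_CONNECTIONS}, {"connections": 21}))
```

A tenant that fails the dispersion test is handed on unchanged; in the flow of FIG. 2 that is exactly the "otherwise, end the first sub-process" branch, and such tenants are left to the second sub-process and to the outlier ranking.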
In summary, because a cloud IDC has a large number of tenants and their services are highly uncertain, embodiments of the invention combine several kinds of inspection to find abnormal traffic. The features extracted from the mirrored traffic are analyzed: for stable services the traffic distribution generally follows a Poisson distribution, so it can be verified whether the traffic features of a source satisfy that distribution. For example, the traffic of a given IP over a week, or during a certain period of each day, follows a Poisson distribution, so a chi-square test can be used for verification while a least-squares linear fit is used for prediction. Over short time intervals traffic is generally linear, so logistic regression is used to predict the feature data at the next time point.
The processing flow of another example of the above traffic-mirroring-based method for detecting abnormal traffic is described below with reference to FIG. 4.
As shown in FIG. 4, the processing flow comprises steps S410 to S460. Steps S410 to S430 may be the same as steps S110 to S130 described above with reference to FIG. 1A, and achieve similar functions and effects, so they are not repeated here.
After steps S410 to S430 have been executed, step S440 is executed.
In step S440, for each tenant, it is determined from the feature data of the tenant's historical mirrored traffic whether the tenant satisfies a preset condition. If it does, step S450 is executed; otherwise, step S460 is executed.
In step S450, it is determined that the tenant has a service anomaly, and the processing ends.
In step S460, it is determined that the tenant has no service anomaly, and the processing ends.
The preset condition is that the tenant's number of connections, URL access frequency and traffic volume have increased and its source IP reputation value is above a preset value.
In one example, by computing the tenant's round-trip time (RTT) and monitoring its connection data in real time, a CC attack (Challenge Collapsar) or an overloaded tenant system can be located, so that service-type anomalies (such as flash sales, sudden surges in business, code errors and the like) are detected. By parsing the protocols in the customer's traffic and building a user traffic model from historical data, an increase in the customer's number of connections, URL access frequency and traffic volume together with a high source IP reputation value can be taken to indicate a service anomaly.
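The preset condition of step S440 evaluated against a per-tenant traffic model, as an added Python example (not from the patent). The text does not quantify "increase", so the example assumes it means exceeding 1.5 times the historical mean of the feature; the reputation scale (0 to 100, higher meaning more trustworthy), the preset reputation value and the feature windows are constructed. The growth ratios are returned alongside the verdict so that an alert can carry the magnitude of each rise, which is what lets an operator tell a flash sale from a code error.

```python
# Constructed per-tenant feature history (six past windows) and three current
# windows (not from the patent). Source IP reputation is on an assumed 0-100
# scale where higher means more trustworthy.
FEATURE_HISTORY = {
    "connections": [60, 58, 63, 61, 59, 62],
    "url_hits": [900, 870, 940, 910, 880, 930],
    "traffic_mbps": [480, 470, 495, 488, 476, 490],
}
CURRENT_SURGE_TRUSTED = {"connections": 240, "url_hits": 3900,
                         "traffic_mbps": 1500, "source_reputation": 92}
CURRENT_SURGE_UNTRUSTED = {"connections": 240, "url_hits": 3900,
                           "traffic_mbps": 1500, "source_reputation": 18}
CURRENT_QUIET = {"connections": 61, "url_hits": 905,
                 "traffic_mbps": 484, "source_reputation": 95}
INCREASE_RATIO = 1.5     # assumption: "increased" = above 1.5x the historical mean
REPUTATION_PRESET = 70   # the text's preset reputation value (constructed number)
WATCHED = ("connections", "url_hits", "traffic_mbps")


def growth_ratios(history, current):
    """Ratio of each watched feature's current value to its historical mean
    (the 'user traffic model built from historical data' in its simplest form)."""
    return {k: current[k] / (sum(history[k]) / len(history[k])) for k in WATCHED}


def service_anomaly(history, current, ratio=INCREASE_RATIO, preset=REPUTATION_PRESET):
    """Step S440: the tenant has a service anomaly when connections, URL hits
    and traffic have all increased AND the source IP reputation is above the
    preset value. A surge from low-reputation sources fails the condition and
    is left to the traffic-anomaly path of step S430. Returns (verdict, ratios)."""
    ratios = growth_ratios(history, current)
    all_up = all(r > ratio for r in ratios.values())
    return all_up and current["source_reputation"] > preset, ratios


if __name__ == "__main__":
    for label, cur in (("trusted surge", CURRENT_SURGE_TRUSTED),
                       ("untrusted surge", CURRENT_SURGE_UNTRUSTED),
                       ("quiet", CURRENT_QUIET)):
        verdict, ratios = service_anomaly(FEATURE_HISTORY, cur)
        print(label, "service anomaly" if verdict else "no service anomaly", ratios)
```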
现有技术在主机端对业务进行监控,可以满足需求,但是监控系统开发和部署比较困难,需要比较高技术素质,因而对于云上中小用户实施困难。本发明采用镜像流量数据分析能力,可以帮助监控和及时发现问题。The existing technology monitors the business on the host side, which can meet the needs, but the development and deployment of the monitoring system are relatively difficult and require relatively high technical quality, so it is difficult to implement for small and medium-sized users on the cloud. The present invention adopts the image flow data analysis ability, which can help monitor and find problems in time.
从上图可以看到,我们对于流量型的异常和业务性的异常均进行检测,给用户更加全面异常流量检测。As can be seen from the figure above, we detect both traffic-type anomalies and business-related anomalies to provide users with more comprehensive abnormal traffic detection.
综上,异常流量检测是一个系统的工程,在处理能力、可扩展性和算法方面都需要改进,以实用云计算环境。To sum up, abnormal traffic detection is a systematic project, which needs to be improved in terms of processing capacity, scalability and algorithm to be practical in cloud computing environment.
In addition, an embodiment of the present invention also provides an abnormal traffic detection device based on traffic mirroring. The device includes: a traffic mirroring unit, which obtains the mirrored traffic of the cloud IDC in real time by traffic mirroring; a distribution unit, which splits the obtained mirrored traffic by tenant to obtain each tenant's own mirrored traffic; a feature extraction unit, which extracts features from each tenant's mirrored traffic to obtain and store feature data; and an anomaly detection unit, which, for each tenant, determines whether the current mirrored traffic is abnormal from the feature data of the current and historical mirrored traffic, combining a Poisson distribution with outlier detection methods.
The structure of one example of the traffic-mirroring-based abnormal traffic detection device of the present invention is described below with reference to FIG. 5.
As shown in FIG. 5, the abnormal traffic detection device 500 of the present invention includes a traffic mirroring unit 501, a distribution unit 502, a feature extraction unit 503 and an anomaly detection unit 504.
The traffic mirroring unit 501 obtains the mirrored traffic of the cloud IDC in real time by traffic mirroring.
The distribution unit 502 splits the obtained mirrored traffic by tenant to obtain each tenant's own mirrored traffic.
The feature extraction unit 503 extracts features from each tenant's mirrored traffic and obtains and stores the resulting feature data. For example, the feature extraction unit 503 may contain a storage module that holds the feature data of each tenant's mirrored traffic.
For each tenant, the anomaly detection unit 504 determines whether the current mirrored traffic is abnormal from the feature data of the current mirrored traffic and of the historical mirrored traffic, combining a Poisson distribution with outlier detection methods.
The anomaly detection unit 504 may, for example, use one or more of DBSCAN, SVM, logistic regression and linear fitting as the outlier detection method. Of these, DBSCAN and linear fitting work directly on unlabelled historical feature data; a standard SVM or logistic regression is a supervised classifier and needs labelled historical windows (or a one-class variant) before it can be used this way.
In one implementation, the anomaly detection unit 504 may further, for each tenant, determine from the feature data of that tenant's historical mirrored traffic whether the tenant satisfies a preset condition, and if so determine that the tenant has a business anomaly. The preset condition is: the tenant's connection count, URL access frequency and traffic volume have all increased, and the reputation value of its source IPs is above a preset threshold.
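The following is an added worked example, not code from the patent or its applicant, of the per-tenant pipeline described above: split mirrored flows by tenant, extract per-window features, combine a Poisson tail test with an outlier test, and then apply the preset condition of step S440 to separate a business anomaly from a traffic anomaly. Assumptions: the flow records, tenant names, windows and IP addresses are constructed; `reputation()` is a constructed stand-in for a real source-IP reputation feed; linear fitting (one of the methods the page lists) is used as the outlier detector; and both the Poisson and the outlier test must fire before a window is treated as anomalous, which is this example's own design choice, not something the page prescribes.

```python
"""Per-tenant pipeline: split mirrored flows, extract features, flag anomalies,
then separate business anomalies from traffic anomalies (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Flow:
    tenant: str   # tenant the mirrored packet is attributed to (e.g. by VPC or dst prefix)
    window: int   # time bucket index (e.g. one-minute slot)
    src_ip: str
    url: str
    nbytes: int

def reputation(ip):
    """Constructed stand-in for a source-IP reputation feed: scores in [0, 1]."""
    return 0.9 if ip.startswith("203.0.113.") else 0.1

def split_by_tenant(flows):
    """Distribution step: group mirrored flows by tenant."""
    per_tenant = defaultdict(list)
    for f in flows:
        per_tenant[f.tenant].append(f)
    return per_tenant

def extract_features(flows):
    """Per-window features: distinct sources (connections), bytes, busiest-URL hits, mean reputation."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.window].append(f)
    feats = {}
    for w, fs in buckets.items():
        srcs = {f.src_ip for f in fs}
        url_hits = defaultdict(int)
        for f in fs:
            url_hits[f.url] += 1
        feats[w] = {"conns": len(srcs), "nbytes": sum(f.nbytes for f in fs),
                    "url_freq": max(url_hits.values()),
                    "reputation": sum(reputation(s) for s in srcs) / len(srcs)}
    return feats

def poisson_sf(k, lam):
    """P(X >= k) for X ~ Poisson(lam); pmf terms accumulated in log space to avoid overflow."""
    if k <= 0:
        return 1.0
    if lam <= 0:
        return 0.0
    log_pmf, cdf = -lam, 0.0
    for i in range(k):                       # pmf(0) .. pmf(k-1)
        cdf += math.exp(log_pmf)
        log_pmf += math.log(lam) - math.log(i + 1)
    return max(0.0, 1.0 - cdf)

def linear_fit_residual(history, current):
    """Least-squares line through the history; residual of `current` at the next index, and residual std."""
    n = len(history)
    mx, my = (n - 1) / 2, sum(history) / n
    sxx = sum((x - mx) ** 2 for x in range(n))
    slope = sum((x - mx) * (y - my) for x, y in enumerate(history)) / sxx if sxx else 0.0
    intercept = my - slope * mx
    resid = [y - (intercept + slope * x) for x, y in enumerate(history)]
    std = math.sqrt(sum(r * r for r in resid) / max(n - 2, 1))
    return current - (intercept + slope * n), std

def classify(history, current, alpha=1e-3, rep_threshold=0.7):
    """Poisson tail test AND linear-fit outlier test on the connection count (both must fire,
    a design choice to cut false positives); then the preset condition splits the verdict."""
    hist_conns = [h["conns"] for h in history]
    lam = sum(hist_conns) / len(hist_conns)
    resid, std = linear_fit_residual(hist_conns, current["conns"])
    if poisson_sf(current["conns"], lam) >= alpha or resid <= 3 * max(std, 1.0):
        return "normal"
    def mean(key):
        return sum(h[key] for h in history) / len(history)
    all_up = all(current[k] > mean(k) for k in ("conns", "url_freq", "nbytes"))
    if all_up and current["reputation"] > rep_threshold:
        return "business_anomaly"   # surge from reputable sources: flash sale, release, code bug
    return "traffic_anomaly"        # volume spike from low-reputation sources: treat as attack

def detect(flows, current_window, min_history=3):
    """Run the whole pipeline for every tenant; returns {tenant: verdict}."""
    verdicts = {}
    for tenant, fs in split_by_tenant(flows).items():
        feats = extract_features(fs)
        history = [feats[w] for w in sorted(feats) if w < current_window]
        if current_window in feats and len(history) >= min_history:
            verdicts[tenant] = classify(history, feats[current_window])
    return verdicts

def sample_flows():
    """Constructed mirror records: five quiet windows for three tenants, then window 5 spikes."""
    flows = [Flow(t, w, f"203.0.113.{10 + i}", "/index", 1200)
             for t in ("tenant-A", "tenant-B", "tenant-C") for w in range(5) for i in range(3)]
    flows += [Flow("tenant-A", 5, f"203.0.113.{10 + i}", "/sale", 2000) for i in range(40)]  # reputable surge
    flows += [Flow("tenant-B", 5, f"198.51.100.{i}", "/login", 300) for i in range(40)]      # low-reputation flood
    flows += [Flow("tenant-C", 5, f"203.0.113.{10 + i}", "/index", 1200) for i in range(3)]  # steady
    return flows

if __name__ == "__main__":
    print(detect(sample_flows(), current_window=5))
```

Running the block prints a verdict per tenant: tenant-A's spike comes from reputable sources with connections, URL frequency and bytes all up, so it is classed as a business anomaly; tenant-B's spike of the same size comes from low-reputation sources and is classed as a traffic anomaly; tenant-C stays normal. The `max(std, 1.0)` floor in `classify` matters in practice: a perfectly flat history gives a zero residual std, and without the floor any one-connection wobble would count as a 3-sigma outlier.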
Although the embodiments of the present invention are disclosed above, the content described is only an embodiment adopted to aid understanding of the invention and is not intended to limit it. Anyone skilled in the field to which the invention belongs may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed by the invention, but the scope of patent protection of the invention remains defined by the appended claims.
| Application Number | Publication Number | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN201611012012.1A | CN108076019B | 2016-11-17 | 2016-11-17 | Abnormal traffic detection method and device based on traffic mirroring |
| Publication Number | Publication Date |
|---|---|
| CN108076019A | 2018-05-25 |
| CN108076019B | 2021-04-09 |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||