CN113556317A

Movatterモバイル変換

Info

Publication number: CN113556317A
Application number: CN202110633083.8A
Authority: CN
Inventors: 喻民; 刘超; 杜富强; 刘明奇; 高世浩; 姜建国; 黄伟庆
Original assignee: Institute of Information Engineering of CAS
Current assignee: Institute of Information Engineering of CAS
Priority date: 2021-06-07
Filing date: 2021-06-07
Publication date: 2021-10-26
Anticipated expiration: 2041-06-07
Also published as: CN113556317B

Abstract

Translated fromChinese

本发明提供了一种基于网络流结构特征融合的异常流量检测方法及装置，包括：将待检测的网络流输入至预设的预判器，得到对应的判断结果；若判断结果为待检测的网络流能够仅依靠网络流结构特征进行检测，则将待检测的网络流输入至预设的网络流结构特征检测器进行检测；若判断结果为待检测的网络流不能够仅依靠网络流结构特征进行检测，则将待检测的网络流输入至预设的全特征检测器进行检测。本发明针对网络流结构信息进行表示，并提取网络流结构特征，解决了缺乏网络流结构信息的问题，然后通过预判式特征融合实现网络流特征与网络流结构特征融合，从而提高检测率、降低误报率。

The present invention provides a method and device for detecting abnormal traffic based on network flow structure feature fusion, comprising: inputting the network flow to be detected into a preset predictor to obtain a corresponding judgment result; If the network flow can be detected only by relying on the network flow structure features, the network flow to be detected is input to the preset network flow structure feature detector for detection; if the judgment result is that the network flow to be detected cannot be detected only by the network flow structure features For detection, the network stream to be detected is input to a preset full-feature detector for detection. The present invention expresses network flow structure information, extracts network flow structure features, solves the problem of lack of network flow structure information, and realizes the fusion of network flow features and network flow structure features through predictive feature fusion, thereby improving the detection rate, Reduce false positives.

Description

Abnormal flow detection method and device based on network flow structural feature fusion

Technical Field

The invention relates to the technical field of network security, in particular to an abnormal traffic detection method and device based on network flow structural feature fusion.

Background

The network intrusion behavior is different from the traffic generated by the normal behavior of the network. By analyzing network traffic, network anomalous behavior can be detected. Therefore, network anomaly traffic detection is the key point of network intrusion detection research.

The current detection methods are mainly divided into two types, namely a detection method based on network flow and a detection method based on a network diagram; the detection method based on the network flow mainly calculates the statistical characteristics of the network flow according to the head information of the data packets, and combines the statistical method, the machine learning or the deep learning and other technologies to realize abnormal flow detection; the detection method based on the network diagram mainly discovers abnormal behaviors by mining the potential relation of communication modes in the network communication diagram.

However, the current work of network abnormal traffic detection has the following two disadvantages: 1. the existing network abnormal flow detection method is lack of network flow structure information, and the detection is carried out according to the extracted network flow content characteristics, so that the structure relation information among the network flows is ignored, the characteristics are incomplete, and the detection effect is influenced; 2. single type feature detection capability is insufficient: the existing detection method mainly depends on single type of characteristics for detection, and is easy to be disguised by an attacker so as to bypass detection, so that the detection effect is poor.

Disclosure of Invention

Aiming at the problems in the prior art, the embodiment of the invention provides an abnormal traffic detection method and device based on network flow structural feature fusion.

In a first aspect, an embodiment of the present invention provides an abnormal traffic detection method based on network flow structure feature fusion, including:

acquiring a network flow to be detected;

inputting the network flow to be detected to a preset prejudging device to obtain a judgment result corresponding to the network flow to be detected;

if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by depending on the network flow structural characteristics, inputting the network flow to be detected to a preset network flow structural characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result;

if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by means of the network flow structural characteristics, inputting the network flow to be detected to a preset full-characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structural features.

Further, the preset network flow structure feature detector includes:

acquiring network flow characteristics of a data set; the network flow characteristics comprise identification characteristics and statistical characteristics of the network flow;

extracting structural features of the network flow based on the identification features of the network flow;

and constructing a preset network flow structural feature detector by adopting a KNN classification algorithm based on the structural features of the network flow.

Further, the preset full-feature detector comprises:

forming a full feature vector based on the structural features of the network flow and the network flow features;

and constructing a preset full-feature detector by adopting a KNN classification algorithm based on the full-feature vector.

Further, the identifying characteristics of the network flow include an IP address of the source node, an IP address of the destination node, a timestamp, a source port, and a destination port.

Further, the preset prejudger includes:

constructing a data set by using test results of a preset network flow structure characteristic detector and a preset full characteristic detector;

constructing a preset prejudgment device by adopting a KNN classification algorithm based on the data set;

if the output result of the preset prejudger is 0, the input network flow can be detected only by depending on the structural characteristics of the network flow;

and if the output result of the preset prejudger is 1, the input network flow cannot be detected only by the structural characteristics of the network flow.

In a second aspect, an embodiment of the present invention provides an abnormal traffic detection apparatus based on network flow structure feature fusion, including:

the acquisition module is used for acquiring the network flow to be detected;

the pre-judging module is used for inputting the network flow to be detected to a preset pre-judging device to obtain a judgment result corresponding to the network flow to be detected;

the detection module is used for inputting the network flow to be detected to a preset network flow structure characteristic detector to detect the network flow to be detected and determining an abnormal network flow detection result if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by means of network flow structure characteristics; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by means of the network flow structural characteristics, inputting the network flow to be detected to a preset full-characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structural features.

Further, the preset network flow structure feature detector in the detection module includes:

Further, the preset full-feature detector in the detection module comprises:

In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the method for detecting abnormal traffic based on feature fusion of network flows according to the first aspect when executing the program.

In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method for detecting abnormal traffic based on feature fusion of network flows according to the first aspect.

According to the technical scheme, the abnormal traffic detection method and device based on the fusion of the network flow structural features, provided by the embodiment of the invention, are implemented by acquiring the network flow to be detected; inputting the network flow to be detected to a preset prejudging device to obtain a judgment result corresponding to the network flow to be detected; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by depending on the network flow structural characteristics, inputting the network flow to be detected to a preset network flow structural characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by means of the network flow structural characteristics, inputting the network flow to be detected to a preset full-characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structural features. According to the invention, after the network flow to be detected is obtained, the judgment is carried out by the pre-judging device, the proper detector is selected according to the judgment result to carry out abnormal flow detection, and the fusion of the network flow characteristics and the network flow structure characteristics is realized by the pre-judging type characteristic fusion scheme, so that the problem of lacking of network flow structure information is solved, the detection rate is improved, and the false alarm rate is reduced.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.

Fig. 1 is a schematic flowchart of an abnormal traffic detection method based on fusion of network flow structural features according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of a general flow chart provided by an embodiment of the present invention;

fig. 3 is a schematic structural diagram of an abnormal traffic detection apparatus based on network flow structural feature fusion according to an embodiment of the present invention;

fig. 4 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. The abnormal traffic detection method based on the fusion of network flow structural features provided by the invention will be explained and explained in detail through specific embodiments.

Fig. 1 is a schematic flowchart of an abnormal traffic detection method based on fusion of network flow structural features according to an embodiment of the present invention; as shown in fig. 1, the method includes:

step 101: and acquiring the network flow to be detected.

In this step, it can be understood that the network flow to be detected is acquired, that is, the network flow data for performing abnormal traffic detection is acquired.

Step 102: and inputting the network flow to be detected to a preset prejudging device to obtain a judgment result corresponding to the network flow to be detected.

In this step, it should be noted that, for a preset prejudger, the prejudger is configured to judge a detection capability of a network flow structural feature, and a construction method of the preset prejudger specifically includes: constructing a data set by using test results of a preset network flow structure characteristic detector and a preset full characteristic detector; after the data set is constructed, training and constructing a network flow structure characteristic pre-judging device model (namely a pre-judging device) by adopting a KNN classification algorithm based on the data set; specifically, a network flow to be detected is input to a preset prejudging device, two prejudging results are obtained through judgment of the prejudging device, and one result is that the network flow to be detected can be detected only by means of the structural characteristics of the network flow; one is that the network flow to be detected cannot be detected only by means of the structural characteristics of the network flow.

Step 103: if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by depending on the network flow structural characteristics, inputting the network flow to be detected to a preset network flow structural characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by means of the network flow structural characteristics, inputting the network flow to be detected to a preset full-characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structural features.

In this step, for a preset network flow structure feature detector, it should be noted that the preset network flow structure feature detector is constructed by the following steps: acquiring network flow characteristics of a data set; the network flow characteristics comprise identification characteristics and statistical characteristics of the network flow; extracting structural features of the network flow based on the identification features of the network flow; and constructing a preset network flow structural feature detector by adopting a KNN classification algorithm based on the structural features of the network flow.

In this step, for a preset full-feature detector, it should be noted that the preset full-feature detector is constructed by the following steps: acquiring network flow characteristics of a data set; the network flow characteristics comprise identification characteristics and statistical characteristics of the network flow; extracting structural features of the network flow based on the identification features of the network flow; forming a full feature vector based on the structural features of the network flow and the network flow features; and constructing a preset full-feature detector by adopting a KNN classification algorithm based on the full-feature vector.

Compared with the prior art, the abnormal traffic detection method based on the fusion of the network flow structural features provided by the embodiment of the invention realizes the mining of the network flow structural information, and fully fuses the network flow content features and the structural features, so that the network abnormal traffic detection can be developed under more features, and the detection result is more accurate.

According to the technical scheme, the abnormal flow detection method based on the fusion of the network flow structural features provided by the embodiment of the invention obtains the network flow to be detected; inputting the network flow to be detected to a preset prejudging device to obtain a judgment result corresponding to the network flow to be detected; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by depending on the network flow structural characteristics, inputting the network flow to be detected to a preset network flow structural characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by means of the network flow structural characteristics, inputting the network flow to be detected to a preset full-characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structural features. According to the invention, after the network flow to be detected is obtained, the judgment is carried out by the pre-judging device, the proper detector is selected according to the judgment result to carry out abnormal flow detection, and the fusion of the network flow characteristics and the network flow structure characteristics is realized by the pre-judging type characteristic fusion scheme, so that the problem of lacking of network flow structure information is solved, the detection rate is improved, and the false alarm rate is reduced.

On the basis of the foregoing embodiment, in this embodiment, the preset network flow structure feature detector includes:

In this embodiment, for example, first, a data set is collected, for example, by using a cic flowmeter tool, to obtain network flow characteristics of the data set, where the network flow characteristics include identification characteristics and statistical characteristics of network flows (i.e., the remaining network flows except the identification characteristics in the network flow characteristicsFlow characteristics). The identification characteristics include information such as a source IP address, a destination IP address (i.e., an IP address of a source node, an IP address of a destination node), a timestamp, and source and destination ports (i.e., a source port and a destination port); the statistical characteristics include 80 characteristics such as flow duration, number of packets in the forward (backward) direction, maximum packets in the forward (backward) direction, etc. Then, extracting the structural features of the network flow according to the identification features of the network flow, wherein the extraction method adopted by the embodiment of the invention is as follows: the network structure formed by the network flows in the past period is used for representing the network flow structure at the current moment. First, time is divided into a sequence of equal-length time slices

And T_m＝[t_(m-1)n,t_mn]，t_cIs the current time, there is t_c∈T_m. Then, for t_cNetwork flow f of time of day_tc(u, v), construction time period [ t ]_(m-1)n,t_c]Wherein u and v represent the network flow f, respectively_tcSource, destination node. Finally, a four-dimensional vector consisting of the out degree and the in degree of u and v in the network communication diagram is used

To represent network flows

The embodiment of the invention refers to the structural characteristics of the network flow as the network fluidity d_f. According to the expression method, the embodiment of the invention extracts the structural characteristics of the network flow, and the extraction formula is as follows:

illustrating the source host u at t_cOut degree of time:

wherein

Illustrating the source host u at t_cThe time in degree:

wherein

Description destination host v is at t_cOut degree of time:

wherein

Description destination host v is at t_cThe time in degree:

wherein

The extraction method adopted by the embodiment of the invention is used for t_cNetwork flow of time of day

Construction of time period [ t ]_(m-1)n,t_c]Network communication diagram of (1), see t_(m-1)nIs kept constant for a period of timeThe network flow structure characteristics are t 1-t 2, t 1-t 3, t 1-t 5 and the like, and are different from t 1-t 2, t 2-t 3 and t 4-t 5, so that the randomness of the network flow structure characteristics is increased. And then training and constructing the network flow structure feature detector, and if the network flow structure feature is selected, training the structure feature detector by using a KNN classification algorithm.

As can be seen from the above technical solutions, the abnormal traffic detection method based on network flow structural feature fusion provided in the embodiments of the present invention represents network flow structural information, extracts network flow structural features, solves the problem of lacking network flow structural information, and then realizes fusion of network flow features and network flow structural features through pre-judgment type feature fusion, thereby improving detection rate and reducing false alarm rate.

On the basis of the foregoing embodiment, in this embodiment, the preset full-feature detector includes:

In this embodiment, for example, the network flow characteristics of the data set are obtained; the network flow characteristics comprise identification characteristics and statistical characteristics of the network flow; extracting structural features of the network flow based on the identification features of the network flow; and then training and constructing a full-feature detector, for example, selecting a 12-dimensional full-feature vector consisting of 8 network flow features and network flow structure features, and training the full-feature detector by using a KNN classification algorithm. The 8 network flow characteristics are: flow Duration, Total Fwd Packets, Total Backward Packets, Total Length of Fwd Packets, Total Length of Bwd Packets, Flow Bytes/s, Flow Packets/s, and Average Packet Size.

On the basis of the foregoing embodiment, in this embodiment, the identification characteristics of the network flow include an IP address of the source node, an IP address of the destination node, a timestamp, a source port, and a destination port.

On the basis of the foregoing embodiment, in this embodiment, the preset prejudger includes:

In this embodiment, for example, the data set of the prejudger is constructed by using the test results of the full feature detector and the network flow structure feature detector. The data set is composed of network flow structural features, and comprises two types of positive samples and negative samples which are respectively marked as 0 and 1. 0 represents the network flow structure characteristics which can be correctly classified by the input structure characteristic detector; 1 represents the structural features that the input network flow structural feature detector misclassifies but the input full feature detector can correctly classify in combination with the network flow features (i.e., full features). The positive to negative sample ratio of the data set was 7: 3. The data set was divided into a training set and a test set on an 8:2 scale. And after the data set is constructed, training the pre-judging device by using a KNN algorithm to finally obtain a network flow structure characteristic pre-judging device model.

For better understanding of the present invention, the following examples are further provided to illustrate the present invention, but the present invention is not limited to the following examples, which are shown in the general flow chart of fig. 2, for example:

the method comprises the following steps: data set feature extraction

1. By means of a CICFlowMeter tool, network flow characteristics of the data set are acquired, including identification characteristics and statistical characteristics of the network flow. The identification characteristics comprise information such as source and destination IP addresses, timestamps, source and destination ports and the like; the statistical characteristics include 80 characteristics such as flow duration, number of packets in the forward (backward) direction, maximum packets in the forward (backward) direction, etc.

2. And extracting the structural characteristics of the network flow according to the identification characteristics of the network flow.

The method for representing the structural features of network flow and the extraction process are introduced. The embodiment of the invention uses the network structure formed by the network flow in the past period of time to represent the network flow structure at the current moment. First, time is divided into a sequence of equal-length time slices

And T_m＝[t_(m-1)n,t_mn]，t_cIs the current time, there is t_c∈T_m. Then, for t_cNetwork flow of time of day

Construction of time period [ t ]_(m-1)n,t_c]Wherein u and v represent the network flow f, respectively_tcSource, destination node. Finally, a four-dimensional vector consisting of the out degree and the in degree of u and v in the network communication diagram is used

To represent network flows

illustrating the source host u at t_cOut degree of time:

wherein

Illustrating the source host u at t_cThe time in degree:

wherein

Description destination host v is at t_cOut degree of time:

wherein

Description destination host v is at t_cThe time in degree:

wherein

Step two: training two detectors

3. After the above-mentioned work is completed, the embodiment of the present invention first trains the full-feature detector. And selecting a 12-dimensional full-feature vector consisting of 8 network flow features and network flow structure features, and training a full-feature detector by using a KNN classification algorithm. The 8 network flow characteristics are: flow Duration, Total Fwd Packets, Total Backward Packets, Total Length of Fwd Packets, Total Length of Bwd Packets, Flow Bytes/s, Flow Packets/s, and Average Packet Size.

4. Then, embodiments of the present invention train a network flow structural feature detector. And selecting the network flow structure characteristics, and training a structure characteristic detector by using a KNN classification algorithm.

Step three: construct a prejudger

5. And constructing a data set of the prejudge device by using the test results of the full feature detector and the network flow structure feature detector. The data set is composed of network flow structural features, and comprises two types of positive samples and negative samples which are respectively marked as 0 and 1. 0 represents the network flow structure characteristics which can be correctly classified by the input structure characteristic detector; 1 represents the structural features that the input network flow structural feature detector misclassifies but the input full feature detector can correctly classify in combination with the network flow features (i.e., full features). The positive to negative sample ratio of the data set was 7: 3. The data set was divided into a training set and a test set on an 8:2 scale.

6. And after the data set is constructed, training the pre-judging device by using a KNN algorithm to finally obtain a network flow structure characteristic pre-judging device model.

Step four: detecting abnormal network traffic

7. In order to detect abnormal network traffic, the embodiment of the present invention first performs feature extraction on the input network traffic, that is, extracts network flow features and network flow structural features according to the method in step one.

8. And (4) judging whether the network flow can be detected only by depending on the structural characteristics of the network flow by using a prejudger constructed in the step three. If yes, inputting a structure characteristic detector, and finishing the detection of the network flow by the structure characteristic of the network flow; if not, the network flow characteristics and the network flow structure characteristics are integrated for detection, namely 12-dimensional characteristic vectors are formed and input into a full characteristic detector, and therefore the detection of the network flow is completed.

Step five: and storing the detection result and generating a detection report.

The embodiment of the invention provides two schemes based on two defects in the existing detection work. Aiming at the problem that the prior work lacks network flow structure information, the embodiment of the invention provides a representation scheme of network flow structure information, namely selecting a part of network flow structure in the past period of time, approximately representing the structure information of the current network flow, and extracting the structure characteristics of the network flow based on the scheme; aiming at the problem of insufficient detection capability of a single type of network flow characteristic, a pre-judgment type characteristic fusion scheme is provided, namely, a pre-judgment device judges the detection capability of the network flow structural characteristic and selects a proper detector to detect abnormal flow according to the judgment result, so that the fusion of the network flow characteristic and the network flow structural characteristic is realized.

Fig. 3 is a schematic structural diagram of an abnormal traffic detection apparatus based on network flow structural feature fusion according to an embodiment of the present invention, and as shown in fig. 3, the apparatus includes: an obtainingmodule 201, aprejudging module 202 and a detectingmodule 203, wherein:

the acquiringmodule 201 is configured to acquire a network flow to be detected;

thepre-judging module 202 is configured to input the network flow to be detected to a preset pre-judging device, so as to obtain a judgment result corresponding to the network flow to be detected;

thedetection module 203 is configured to, if the determination result corresponding to the to-be-detected network flow indicates that the to-be-detected network flow can be detected only by means of the network flow structural feature, input the to-be-detected network flow to a preset network flow structural feature detector to detect the to-be-detected network flow, and determine an abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by means of the network flow structural characteristics, inputting the network flow to be detected to a preset full-characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structural features.

On the basis of the foregoing embodiment, in this embodiment, the preset network flow structure feature detector in the detection module includes:

On the basis of the foregoing embodiment, in this embodiment, the preset full-feature detector in the detection module includes:

The abnormal traffic detection device based on the fusion of the network flow structural features provided in the embodiment of the present invention may be specifically used for executing the abnormal traffic detection method based on the fusion of the network flow structural features in the above embodiment, and the technical principle and the beneficial effect thereof are similar, and reference may be specifically made to the above embodiment, and details are not described here.

Based on the same inventive concept, an embodiment of the present invention provides an electronic device, which specifically includes the following components, with reference to fig. 4: aprocessor 301, acommunication interface 303, amemory 302, and acommunication bus 304;

the processor 301, the communication interface 303 and the memory 302 complete mutual communication through the communication bus 304; the communication interface 303 is used for realizing information transmission between related devices such as modeling software, an intelligent manufacturing equipment module library and the like; the processor 301 is used for calling the computer program in the memory 302, and the processor executes the computer program to implement the method provided by the above method embodiments, for example, the processor executes the computer program to implement the following steps: acquiring a network flow to be detected; inputting the network flow to be detected to a preset prejudging device to obtain a judgment result corresponding to the network flow to be detected; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by depending on the network flow structural characteristics, inputting the network flow to be detected to a preset network flow structural characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by means of the network flow structural characteristics, inputting the network flow to be detected to a preset full-characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structural features.

Based on the same inventive concept, another embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented to perform the methods provided by the above method embodiments when executed by a processor, for example, acquiring a network flow to be detected; inputting the network flow to be detected to a preset prejudging device to obtain a judgment result corresponding to the network flow to be detected; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by depending on the network flow structural characteristics, inputting the network flow to be detected to a preset network flow structural characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by means of the network flow structural characteristics, inputting the network flow to be detected to a preset full-characteristic detector for detecting the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structural features.

The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.

Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods of the various embodiments or some parts of the embodiments.

In addition, in the present invention, terms such as "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.

Moreover, in the present invention, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Furthermore, in the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.

Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.