CN113556317B - Abnormal flow detection method and device based on network flow structure feature fusion - Google Patents

Abstract

The invention provides an abnormal flow detection method and device based on network flow structural feature fusion, which comprises the following steps: inputting a network flow to be detected to a preset prejudging device to obtain a corresponding judgment result; if the judgment result is that the network flow to be detected can be detected only by depending on the structure characteristics of the network flow, inputting the network flow to be detected to a preset network flow structure characteristic detector for detection; and if the judgment result is that the network flow to be detected can not be detected only by the structural characteristics of the network flow, inputting the network flow to be detected to a preset full-characteristic detector for detection. The invention expresses the network flow structure information and extracts the network flow structure characteristics, solves the problem of lacking the network flow structure information, and then realizes the fusion of the network flow characteristics and the network flow structure characteristics through the pre-judgment type characteristic fusion, thereby improving the detection rate and reducing the false alarm rate.

Description

Translated fromChinese

基于网络流结构特征融合的异常流量检测方法及装置Abnormal flow detection method and device based on network flow structure feature fusion

技术领域technical field

本发明涉及网络安全技术领域，尤其涉及一种基于网络流结构特征融合的异常流量检测方法及装置。The present invention relates to the technical field of network security, and in particular, to a method and device for detecting abnormal traffic based on network flow structure feature fusion.

背景技术Background technique

网络入侵行为与网络正常行为产生的流量具有差异性。通过分析网络流量，可检测到网络异常行为。因此，网络异常流量检测是网络入侵检测研究重点。The traffic generated by the network intrusion behavior is different from the normal behavior of the network. By analyzing network traffic, abnormal network behavior can be detected. Therefore, network abnormal traffic detection is the focus of network intrusion detection research.

目前的检测方法主要分为基于网络流的检测方法和基于网络图的检测方法两类；其中，基于网络流的检测方法主要依据数据分组的头部信息计算网络流的统计特征，结合统计方法、机器学习或深度学习等技术实现异常流量检测；基于网络图的检测方法主要通过挖掘网络通信图中通信模式的潜在关系，发现异常行为。The current detection methods are mainly divided into two categories: network flow-based detection methods and network graph-based detection methods. Among them, the network flow-based detection method mainly calculates the statistical characteristics of the network flow according to the header information of the data packet, and combines the statistical methods, Technologies such as machine learning or deep learning realize abnormal traffic detection; detection methods based on network graphs mainly discover abnormal behaviors by mining the potential relationships of communication patterns in network communication graphs.

然而，当前网络异常流量检测的工作存在以下两点不足：1、缺乏网络流结构信息，在现有的的网络异常流量检测方法中，根据提取的网络流内容特征检测，忽略了网络流之间的结构关系信息，导致特征不全面，影响检测效果；2、单一类型特征检测能力不足：现有的检测方法主要依靠单一类型的特征进行检测，容易被攻击者伪装从而绕过检测，导致检测效果不佳。However, the current network abnormal traffic detection work has the following two deficiencies: 1. The lack of network flow structure information, in the existing network abnormal traffic detection methods, based on the extracted network flow content features, ignoring the relationship between network flows 2. Insufficient detection capability of a single type of feature: the existing detection methods mainly rely on a single type of feature for detection, which is easy to be disguised by attackers to bypass the detection, resulting in the detection effect not good.

发明内容SUMMARY OF THE INVENTION

针对现有技术中存在的问题，本发明实施例提供一种基于网络流结构特征融合的异常流量检测方法及装置。In view of the problems existing in the prior art, embodiments of the present invention provide a method and apparatus for detecting abnormal traffic based on fusion of network flow structure features.

第一方面，本发明实施例提供一种基于网络流结构特征融合的异常流量检测方法，包括：In a first aspect, an embodiment of the present invention provides an abnormal traffic detection method based on network flow structure feature fusion, including:

获取待检测的网络流；Get the network flow to be detected;

将所述待检测的网络流输入至预设的预判器，得到与所述待检测的网络流对应的判断结果；Inputting the network flow to be detected into a preset predictor to obtain a judgment result corresponding to the network flow to be detected;

若与所述待检测的网络流对应的判断结果为所述待检测的网络流能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的网络流结构特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；If the judgment result corresponding to the to-be-detected network flow is that the to-be-detected network flow can be detected only by relying on the network flow structure feature, the to-be-detected network flow is input to the preset network flow structure feature detection The device detects the network flow to be detected, and determines the abnormal network flow detection result;

若与所述待检测的网络流对应的判断结果为所述待检测的网络流不能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的全特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；所述预设的全特征检测器为基于网络流特征和网络流结构特征构建的检测器。If the judgment result corresponding to the to-be-detected network flow is that the to-be-detected network flow cannot be detected only by relying on the network flow structural features, the to-be-detected network flow is input to a preset full-feature detector The detection of the network flow to be detected is performed, and the abnormal network flow detection result is determined; the preset full-feature detector is a detector constructed based on network flow characteristics and network flow structure characteristics.

进一步地，所述预设的网络流结构特征检测器，包括：Further, the preset network flow structure feature detector includes:

获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；Obtain the network flow feature of the data set; the network flow feature includes the identification feature and statistical feature of the network flow;

基于所述网络流的标识特征提取网络流的结构特征；Extracting structural features of the network flow based on the identification features of the network flow;

基于所述网络流的结构特征采用KNN分类算法构建预设的网络流结构特征检测器。Based on the structural features of the network flow, a KNN classification algorithm is used to construct a preset network flow structure feature detector.

进一步地，所述预设的全特征检测器，包括：Further, the preset full-feature detector includes:

获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；Obtain the network flow feature of the data set; the network flow feature includes the identification feature and statistical feature of the network flow;

基于所述网络流的标识特征提取网络流的结构特征；Extracting structural features of the network flow based on the identification features of the network flow;

基于所述网络流的结构特征和所述网络流特征组成全特征向量；A full feature vector is formed based on the structural feature of the network flow and the network flow feature;

基于所述全特征向量采用KNN分类算法构建预设的全特征检测器。Based on the full feature vector, a KNN classification algorithm is used to construct a preset full feature detector.

进一步地，所述网络流的标识特征包括源节点的IP地址、目的节点的IP地址、时间戳、源端口和目的端口。Further, the identification features of the network flow include the IP address of the source node, the IP address of the destination node, a timestamp, a source port and a destination port.

进一步地，所述预设的预判器，包括：Further, the preset predictor includes:

使用预设的网络流结构特征检测器和预设的全特征检测器的测试结果构建数据集；Build a dataset using the test results of the preset network flow structure feature detector and the preset full-feature detector;

基于所述数据集采用KNN分类算法构建预设的预判器；A preset predictor is constructed by using the KNN classification algorithm based on the data set;

若所述预设的预判器输出结果为0，则表示输入的网络流能够仅依靠网络流结构特征进行检测；If the preset predictor output result is 0, it means that the input network flow can be detected only by relying on the network flow structure characteristics;

若所述预设的预判器输出结果为1，则表示输入的网络流不能够仅依靠网络流结构特征进行检测。If the output result of the preset predictor is 1, it means that the input network flow cannot be detected only by relying on the structural characteristics of the network flow.

第二方面，本发明实施例提供了一种基于网络流结构特征融合的异常流量检测装置，包括：In a second aspect, an embodiment of the present invention provides an abnormal traffic detection device based on network flow structure feature fusion, including:

获取模块，用于获取待检测的网络流；The acquisition module is used to acquire the network flow to be detected;

预判模块，用于将所述待检测的网络流输入至预设的预判器，得到与所述待检测的网络流对应的判断结果；a pre-judgment module, configured to input the network flow to be detected into a preset predictor to obtain a judgment result corresponding to the network flow to be detected;

检测模块，用于若与所述待检测的网络流对应的判断结果为所述待检测的网络流能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的网络流结构特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流不能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的全特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；所述预设的全特征检测器为基于网络流特征和网络流结构特征构建的检测器。The detection module is configured to input the network flow to be detected into a preset network flow if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by relying on the structural characteristics of the network flow The network flow structure feature detector detects the network flow to be detected, and determines the abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected cannot rely solely on If the network flow structure feature is detected, the network flow to be detected is input to a preset full-feature detector to detect the network flow to be detected, and the abnormal network traffic detection result is determined; The feature detector is a detector constructed based on network flow features and network flow structure features.

进一步地，所述检测模块中的所述预设的网络流结构特征检测器，包括：Further, the preset network flow structure feature detector in the detection module includes:

获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；Obtain the network flow feature of the data set; the network flow feature includes the identification feature and statistical feature of the network flow;

基于所述网络流的标识特征提取网络流的结构特征；Extracting structural features of the network flow based on the identification features of the network flow;

基于所述网络流的结构特征采用KNN分类算法构建预设的网络流结构特征检测器。Based on the structural features of the network flow, a KNN classification algorithm is used to construct a preset network flow structure feature detector.

进一步地，所述检测模块中的所述预设的全特征检测器，包括：Further, the preset full-feature detector in the detection module includes:

获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；Obtain the network flow feature of the data set; the network flow feature includes the identification feature and statistical feature of the network flow;

基于所述网络流的标识特征提取网络流的结构特征；Extracting structural features of the network flow based on the identification features of the network flow;

基于所述网络流的结构特征和所述网络流特征组成全特征向量；A full feature vector is formed based on the structural feature of the network flow and the network flow feature;

基于所述全特征向量采用KNN分类算法构建预设的全特征检测器。Based on the full feature vector, a KNN classification algorithm is used to construct a preset full feature detector.

第三方面，本发明实施例还提供了一种电子设备，包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序，所述处理器执行所述程序时实现如上第一方面所述的基于网络流结构特征融合的异常流量检测方法的步骤。In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and running on the processor, the processor implements the first above-mentioned program when the processor executes the program The steps of the abnormal traffic detection method based on network flow structure feature fusion described in the aspect.

第四方面，本发明实施例还提供了一种非暂态计算机可读存储介质，其上存储有计算机程序，该计算机程序被处理器执行时实现如上第一方面所述的基于网络流结构特征融合的异常流量检测方法的步骤。In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, implements the network flow-based structure feature described in the first aspect above The steps of a fused anomalous traffic detection method.

由上述技术方案可知，本发明实施例提供的基于网络流结构特征融合的异常流量检测方法及装置，通过获取待检测的网络流；将所述待检测的网络流输入至预设的预判器，得到与所述待检测的网络流对应的判断结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的网络流结构特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流不能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的全特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；所述预设的全特征检测器为基于网络流特征和网络流结构特征构建的检测器。本发明在获取待检测的网络流后由预判器进行判断，依据判断结果选择合适的检测器进行异常流量检测，通过上述这种预判式特征融合的方案实现网络流特征与网络流结构特征的融合，从而解决了缺乏网络流结构信息的问题，从而提高检测率、降低误报率。As can be seen from the above technical solutions, the method and device for detecting abnormal traffic based on network flow structure feature fusion provided by the embodiments of the present invention obtain the network flow to be detected; and input the network flow to be detected into a preset predictor , to obtain the judgment result corresponding to the network flow to be detected; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by relying on the structural characteristics of the network flow, the The network flow to be detected is input to the preset network flow structure feature detector to detect the network flow to be detected, and determine the abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is all The network flow to be detected cannot be detected only by relying on the structural characteristics of the network flow, then the network flow to be detected is input into a preset full-feature detector to detect the network flow to be detected, and an abnormal network flow is determined. Traffic detection results; the preset full-feature detector is a detector constructed based on network flow features and network flow structure features. In the present invention, the predictor performs judgment after acquiring the network flow to be detected, selects a suitable detector to detect abnormal flow according to the judgment result, and realizes network flow characteristics and network flow structure characteristics through the above-mentioned scheme of predicting feature fusion. Therefore, the problem of lack of network flow structure information is solved, thereby improving the detection rate and reducing the false positive rate.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图是本发明的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the drawings in the following description are For some embodiments of the present invention, for those of ordinary skill in the art, other drawings can also be obtained according to these drawings without creative efforts.

图1为本发明一实施例提供的基于网络流结构特征融合的异常流量检测方法的流程示意图；1 is a schematic flowchart of an abnormal flow detection method based on network flow structure feature fusion provided by an embodiment of the present invention;

图2为本发明一实施例提供的总流程示意图；FIG. 2 is a schematic diagram of a general process provided by an embodiment of the present invention;

图3为本发明一实施例提供的基于网络流结构特征融合的异常流量检测装置的结构示意图；3 is a schematic structural diagram of an abnormal traffic detection apparatus based on network flow structure feature fusion provided by an embodiment of the present invention;

图4为本发明一实施例提供的电子设备的实体结构示意图。FIG. 4 is a schematic diagram of a physical structure of an electronic device according to an embodiment of the present invention.

具体实施方式Detailed ways

为使本发明实施例的目的、技术方案和优点更加清楚，下面将结合本发明实施例中的附图，对本发明实施例中的技术方案进行清楚地描述，显然，所描述的实施例是本发明一部分实施例，而不是全部的实施例。基于本发明中的实施例，本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例，都属于本发明保护的范围。下面将通过具体的实施例对本发明提供的基于网络流结构特征融合的异常流量检测方法进行详细解释和说明。In order to make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are the Some, but not all, embodiments are disclosed. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention. The method for detecting abnormal traffic based on network flow structure feature fusion provided by the present invention will be explained and described in detail below through specific embodiments.

图1为本发明一实施例提供的基于网络流结构特征融合的异常流量检测方法的流程示意图；如图1所示，该方法包括：FIG. 1 is a schematic flowchart of an abnormal traffic detection method based on network flow structure feature fusion provided by an embodiment of the present invention; as shown in FIG. 1 , the method includes:

步骤101：获取待检测的网络流。Step 101: Acquire the network flow to be detected.

在本步骤中，可以理解的是，获取待检测的网络流即采集用于进行异常流量检测的网络流数据。In this step, it can be understood that acquiring the network flow to be detected means collecting network flow data for abnormal traffic detection.

步骤102：将所述待检测的网络流输入至预设的预判器，得到与所述待检测的网络流对应的判断结果。Step 102: Input the network flow to be detected into a preset predictor to obtain a judgment result corresponding to the network flow to be detected.

在本步骤中，针对预设的预判器，需要说明的是，该预判器用于判断网络流结构特征的检测能力，所述预设的预判器的构建方法具体为：使用预设的网络流结构特征检测器和预设的全特征检测器的测试结果构建数据集；数据集构建完毕后，基于所述数据集采用KNN分类算法训练构建网络流结构特征预判器模型(即预设的预判器)；具体的，将待检测的网络流输入至预设的预判器，通过预判器判断会得到两种预判结果，一种为所述待检测的网络流能够仅依靠网络流结构特征进行检测；一种为所述待检测的网络流不能够仅依靠网络流结构特征进行检测。In this step, with respect to the preset predictor, it should be noted that the predictor is used to determine the detection capability of network flow structural features, and the construction method of the preset predictor is specifically: using a preset predictor A data set is constructed from the test results of the network flow structure feature detector and the preset full-feature detector; after the data set is constructed, the KNN classification algorithm is used to train and construct a network flow structure feature predictor model based on the data set (that is, the preset Specifically, the network flow to be detected is input into the preset predictor, and two kinds of prediction results will be obtained through the judgment of the predictor, one is that the network flow to be detected can only rely on The network flow structure feature is detected; one is that the network flow to be detected cannot be detected only by the network flow structure feature.

步骤103：若与所述待检测的网络流对应的判断结果为所述待检测的网络流能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的网络流结构特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流不能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的全特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；所述预设的全特征检测器为基于网络流特征和网络流结构特征构建的检测器。Step 103: If the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by relying on the structural characteristics of the network flow, then input the network flow to be detected into a preset network flow. The structural feature detector detects the network flow to be detected, and determines the abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected cannot rely solely on the network flow If the structural features are detected, the network flow to be detected is input to a preset full-feature detector to detect the network flow to be detected, and the abnormal network traffic detection result is determined; the preset full-feature detection The detector is a detector constructed based on network flow features and network flow structure features.

在本步骤中，针对预设的网络流结构特征检测器，需要说明的是，所述预设的网络流结构特征检测器构建方法为：获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；基于所述网络流的标识特征提取网络流的结构特征；基于所述网络流的结构特征采用KNN分类算法构建预设的网络流结构特征检测器。In this step, for the preset network flow structure feature detector, it should be noted that the construction method of the preset network flow structure feature detector is: acquiring the network flow feature of the data set; the network flow feature includes: Identifying features and statistical features of the network flow; extracting structural features of the network flow based on the identifying features of the network flow; constructing a preset network flow structure feature detector based on the structural features of the network flow using KNN classification algorithm.

在本步骤中，针对预设的全特征检测器，需要说明的是，所述预设的全特征检测器构建方法为：获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；基于所述网络流的标识特征提取网络流的结构特征；基于所述网络流的结构特征和所述网络流特征组成全特征向量；基于所述全特征向量采用KNN分类算法构建预设的全特征检测器。In this step, for the preset full-feature detector, it should be noted that the preset full-feature detector construction method is: acquiring the network flow feature of the data set; the network flow feature includes the identifier of the network flow features and statistical features; extract the structural features of the network flow based on the identification features of the network flow; form a full feature vector based on the structural features of the network flow and the network flow features; construct a KNN classification algorithm based on the full feature vector Preset full feature detectors.

本发明实施例提供的基于网络流结构特征融合的异常流量检测方法，与现有技术相比，实现了对网络流结构信息的挖掘，充分将网络流内容特征与结构特征相融合，使得网络异常流量检测可以在更多的特征下展开，使得检测结果更加准确。Compared with the prior art, the method for detecting abnormal traffic based on the fusion of network flow structure features provided by the embodiment of the present invention realizes the mining of network flow structure information, and fully integrates the network flow content features and structural features, so that the network flow is abnormal. Traffic detection can be expanded under more features, making the detection results more accurate.

由上面技术方案可知，本发明实施例提供的基于网络流结构特征融合的异常流量检测方法，通过获取待检测的网络流；将所述待检测的网络流输入至预设的预判器，得到与所述待检测的网络流对应的判断结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的网络流结构特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流不能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的全特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；所述预设的全特征检测器为基于网络流特征和网络流结构特征构建的检测器。本发明在获取待检测的网络流后由预判器进行判断，依据判断结果选择合适的检测器进行异常流量检测，通过上述这种预判式特征融合的方案实现网络流特征与网络流结构特征的融合，从而解决了缺乏网络流结构信息的问题，从而提高检测率、降低误报率。As can be seen from the above technical solutions, the abnormal traffic detection method based on the fusion of network flow structure features provided by the embodiment of the present invention obtains the network flow to be detected by acquiring the network flow to be detected; The judgment result corresponding to the network flow to be detected; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by relying on the structural characteristics of the network flow, the The network flow is input to the preset network flow structure feature detector to detect the network flow to be detected, and determine the abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is the to-be-detected network flow The detected network flow cannot be detected only by relying on the structural characteristics of the network flow, then the network flow to be detected is input into a preset full-feature detector to detect the network flow to be detected, and the abnormal network flow detection is determined. As a result, the preset full-feature detector is a detector constructed based on network flow features and network flow structure features. In the present invention, the predictor performs judgment after acquiring the network flow to be detected, selects a suitable detector to detect abnormal flow according to the judgment result, and realizes network flow characteristics and network flow structure characteristics through the above-mentioned scheme of predicting feature fusion. Therefore, the problem of lack of network flow structure information is solved, thereby improving the detection rate and reducing the false positive rate.

在上述实施例的基础上，在本实施例中，所述预设的网络流结构特征检测器，包括：On the basis of the above embodiment, in this embodiment, the preset network flow structure feature detector includes:

获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；Obtain the network flow feature of the data set; the network flow feature includes the identification feature and statistical feature of the network flow;

基于所述网络流的标识特征提取网络流的结构特征；Extracting structural features of the network flow based on the identification features of the network flow;

基于所述网络流的结构特征采用KNN分类算法构建预设的网络流结构特征检测器。Based on the structural features of the network flow, a KNN classification algorithm is used to construct a preset network flow structure feature detector.

在本实施例中，举例来说，首先进行数据集采集，如借助CICFlowMeter工具，获取数据集的网络流特征，所述网络流特征包含网络流的标识特征与统计特征(即所述网络流特征中除了标识特征外，剩余的网络流特征)。其中，标识特征包含源、目的IP地址(即源节点的IP地址、目的节点的IP地址)，时间戳，源、目的端口(即源端口和目的端口)等信息；统计特征包含流持续时间、前(后)向分组数量、前(后)向最大分组等80个特征。然后依据网络流的标识特征提取网络流的结构特征，本发明实施例所采用的提取方法如下：使用过去一段时间网络流形成的网络结构，来表示当前时刻网络流结构。首先，将时间划分为等长的时间片序列

且T_m＝[t_(m-1)n,t_mn]，t_c是当前时间，有t_c∈T_m。然后，对于t_c时刻的网络流f_tc(u,v)，构建时间段[t_(m-1)n,t_c]的网络通信图，其中u和v分别表示网络流f_tc的源、目的节点。最后，使用u、v在该网络通信图中的出度与入度组成的四维向量

来表示网络流

的网络流结构特征，本发明实施例将网络流结构特征称为网络流度d_f。本发明实施例依据上述表示方法，提取网络流结构特征，提取公式如下：In this embodiment, for example, data set collection is firstly performed, for example, with the help of CICFlowMeter tool, the network flow characteristics of the data set are obtained, and the network flow characteristics include network flow identification characteristics and statistical characteristics (that is, the network flow characteristics In addition to identifying features, the remaining network flow features). Among them, the identification features include source and destination IP addresses (that is, the IP address of the source node, the IP address of the destination node), timestamp, source and destination ports (that is, the source port and destination port) and other information; statistical features include flow duration, 80 features such as the number of forward (backward) groups and the maximum forward (backward) grouping. Then, the structural features of the network flow are extracted according to the identification features of the network flow. The extraction method adopted in the embodiment of the present invention is as follows: the network structure formed by the network flow in the past period of time is used to represent the network flow structure at the current moment. First, divide time into a sequence of time slices of equal length

And T_m =[t_(m-1)n ,t_mn ], t_c is the current time, there is t_c ∈ T_m . Then, for the network flow f_tc (u, v) at time t_c , a network communication graph for the time period [t_(m-1)n ,t_c ] is constructed, where u and v_represent the source, destination node. Finally, use the four-dimensional vector composed of the out-degree and in-degree of u and v in the network communication graph

to represent network flow

The network flow structure feature of , the embodiment of the present invention refers to the network flow structure feature as the network flow degree d_f . According to the above-mentioned representation method, the embodiment of the present invention extracts network flow structure features, and the extraction formula is as follows:

描述了源主机u在t_c时刻的出度：

Describes the out-degree of source host u at time t_c :

其中

in

描述了源主机u在t_c时刻的入度：

Describes the in-degree of source host u at time t_c :

其中

in

描述目的主机v在t_c时刻的出度：

Describe the out-degree of destination host v at time t_c :

其中

in

描述目的主机v在t_c时刻的入度：

Describe the in-degree of the destination host v at time t_c :

其中

本发明实施例所采用的提取方法，对于t_c时刻的网络流

构建时间段[t_(m-1)n,t_c]的网络通信图，可见t_(m-1)n是保持不变的，时间段可以为t1～t2、t1～t3、t1～t5等等，不同于t1～t2、t2～t3、t4～t5，有利于增加网络流结构特征的随机性。然后训练构建网络流结构特征检测器，如选取网络流结构特征，使用KNN分类算法训练结构特征检测器。

in

The extraction method adopted in the embodiment of the present invention, for the network flow at time t_c

Construct the network communication diagram of the time period [t_(m-1)n ,_tc ], it can be seen that t_(m-1)n remains unchanged, and the time period can be t1~t2, t1~t3, t1~t5, etc. etc., different from t1~t2, t2~t3, t4~t5, which is beneficial to increase the randomness of network flow structure characteristics. Then train and construct the network flow structure feature detector. For example, select the network flow structure feature and use the KNN classification algorithm to train the structure feature detector.

由上面技术方案可知，本发明实施例提供的基于网络流结构特征融合的异常流量检测方法，针对网络流结构信息进行表示，并提取网络流结构特征，解决了缺乏网络流结构信息的问题，然后通过预判式特征融合实现网络流特征与网络流结构特征融合，从而提高检测率、降低误报率。As can be seen from the above technical solutions, the abnormal traffic detection method based on the fusion of network flow structure features provided by the embodiment of the present invention represents the network flow structure information, and extracts the network flow structure features, which solves the problem of lack of network flow structure information, and then Through predictive feature fusion, network flow features and network flow structure features are fused, thereby improving the detection rate and reducing the false positive rate.

在上述实施例的基础上，在本实施例中，所述预设的全特征检测器，包括：On the basis of the above embodiment, in this embodiment, the preset full-feature detector includes:

获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；Obtain the network flow feature of the data set; the network flow feature includes the identification feature and statistical feature of the network flow;

基于所述网络流的标识特征提取网络流的结构特征；Extracting structural features of the network flow based on the identification features of the network flow;

基于所述网络流的结构特征和所述网络流特征组成全特征向量；A full feature vector is formed based on the structural feature of the network flow and the network flow feature;

基于所述全特征向量采用KNN分类算法构建预设的全特征检测器。Based on the full feature vector, a KNN classification algorithm is used to construct a preset full feature detector.

在本实施例中，举例来说，获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；基于所述网络流的标识特征提取网络流的结构特征；然后训练构建全特征检测器，如选取8个网络流特征与网络流结构特征组成的12维的全特征向量，使用KNN分类算法训练全特征检测器。8个网络流特征分别是：Flow Duration、Total FwdPackets、Total Backward Packets、Total Length of Fwd Packets、Total Length ofBwd Packets、Flow Bytes/s、Flow Packets/s、Average Packet Size。In this embodiment, for example, the network flow features of the data set are obtained; the network flow features include identification features and statistical features of the network flow; the structural features of the network flow are extracted based on the identification features of the network flow; and then training Build a full-feature detector, such as selecting a 12-dimensional full-feature vector composed of 8 network flow features and network flow structure features, and using the KNN classification algorithm to train the full-feature detector. The eight network flow features are: Flow Duration, Total FwdPackets, Total Backward Packets, Total Length of Fwd Packets, Total Length of Bwd Packets, Flow Bytes/s, Flow Packets/s, Average Packet Size.

由上面技术方案可知，本发明实施例提供的基于网络流结构特征融合的异常流量检测方法，针对网络流结构信息进行表示，并提取网络流结构特征，解决了缺乏网络流结构信息的问题，然后通过预判式特征融合实现网络流特征与网络流结构特征融合，从而提高检测率、降低误报率。As can be seen from the above technical solutions, the abnormal traffic detection method based on the fusion of network flow structure features provided by the embodiment of the present invention represents the network flow structure information, and extracts the network flow structure features, which solves the problem of lack of network flow structure information, and then Through predictive feature fusion, network flow features and network flow structure features are fused, thereby improving the detection rate and reducing the false positive rate.

在上述实施例的基础上，在本实施例中，所述网络流的标识特征包括源节点的IP地址、目的节点的IP地址、时间戳、源端口和目的端口。On the basis of the above embodiment, in this embodiment, the identification features of the network flow include the IP address of the source node, the IP address of the destination node, a timestamp, a source port and a destination port.

在上述实施例的基础上，在本实施例中，所述预设的预判器，包括：On the basis of the above embodiment, in this embodiment, the preset predictor includes:

使用预设的网络流结构特征检测器和预设的全特征检测器的测试结果构建数据集；Build a dataset using the test results of the preset network flow structure feature detector and the preset full-feature detector;

基于所述数据集采用KNN分类算法构建预设的预判器；A preset predictor is constructed by using the KNN classification algorithm based on the data set;

若所述预设的预判器输出结果为0，则表示输入的网络流能够仅依靠网络流结构特征进行检测；If the preset predictor output result is 0, it means that the input network flow can be detected only by relying on the network flow structure characteristics;

若所述预设的预判器输出结果为1，则表示输入的网络流不能够仅依靠网络流结构特征进行检测。If the output result of the preset predictor is 1, it means that the input network flow cannot be detected only by relying on the structural characteristics of the network flow.

在本实施例中，举例来说，使用全特征检测器与网流结构特征检测器的测试结果构建预判器的数据集。该数据集由网络流结构特征组成，包含正样本与负样本两种，分别标记为0和1。0代表输入结构特征检测器能正确分类的网络流结构特征；1代表输入网络流结构特征检测器误分类但结合网络流特征(即全特征)输入全特征检测器可正确分类的结构特征。数据集的正负样本比例为7:3。将该数据集按照8:2的比例分为训练集与测试集。数据集构建完毕后，使用KNN算法训练预判器，最终得到网络流结构特征预判器模型。In this embodiment, for example, the data set of the predictor is constructed using the test results of the full feature detector and the network flow structure feature detector. The dataset consists of network flow structure features, including positive samples and negative samples, which are marked as 0 and 1. 0 represents the network flow structure features that can be correctly classified by the input structure feature detector; 1 represents the input network flow structure feature detection. Structural features that are misclassified by the detector but can be correctly classified by the full-feature detector combined with network flow features (i.e. full features). The ratio of positive and negative samples in the dataset is 7:3. The dataset is divided into training set and test set according to the ratio of 8:2. After the data set is constructed, use the KNN algorithm to train the predictor, and finally obtain the network flow structure feature predictor model.

为了更好的理解本发明，下面结合实施例进一步阐述本发明的内容，但本发明不仅仅局限于下面的实施例，参见图2所示的总流程图，举例来说：In order to better understand the present invention, the content of the present invention is further described below in conjunction with the embodiments, but the present invention is not limited to the following embodiments, refer to the general flow chart shown in Figure 2, for example:

步骤一：数据集特征提取Step 1: Dataset Feature Extraction

1、借助CICFlowMeter工具，获取数据集的网络流特征，包含网络流的标识特征与统计特征。标识特征包含源、目的IP地址，时间戳，源、目的端口等信息；统计特征包含流持续时间、前(后)向分组数量、前(后)向最大分组等80个特征。1. With the help of the CICFlowMeter tool, the network flow characteristics of the data set are obtained, including the identification characteristics and statistical characteristics of the network flow. Identification features include source, destination IP address, timestamp, source, destination port and other information; statistical features include 80 features such as flow duration, number of forward (backward) packets, and maximum forward (backward) packets.

2、依据网络流的标识特征，提取网络流结构特征。2. According to the identification features of the network flow, extract the structure features of the network flow.

这里介绍一下网络流结构特征的表示方法与提取过程。本发明实施例使用过去一段时间网络流形成的网络结构，来表示当前时刻网络流结构。首先，将时间划分为等长的时间片序列

且T_m＝[t_(m-1)n,t_mn]，t_c是当前时间，有t_c∈T_m。然后，对于t_c时刻的网络流

构建时间段[t_(m-1)n,t_c]的网络通信图，其中u和v分别表示网络流f_tc的源、目的节点。最后，使用u、v在该网络通信图中的出度与入度组成的四维向量

来表示网络流

的网络流结构特征，本发明实施例将网络流结构特征称为网络流度d_f。本发明实施例依据上述表示方法，提取网络流结构特征，提取公式如下：Here we introduce the representation method and extraction process of network flow structure features. In the embodiment of the present invention, the network structure formed by the network flow in the past period of time is used to represent the network flow structure at the current moment. First, divide time into a sequence of time slices of equal length

And T_m =[t_(m-1)n ,t_mn ], t_c is the current time, there is t_c ∈ T_m . Then, for the network flow at time t_c

Construct a network communication graph for the time period [t_(m-1)n ,t_c ], where u and v represent the source and destination nodes of the network flow f_tc , respectively. Finally, use the four-dimensional vector composed of the out-degree and in-degree of u and v in the network communication graph

to represent network flow

The network flow structure feature of , the embodiment of the present invention refers to the network flow structure feature as the network flow degree d_f . According to the above-mentioned representation method, the embodiment of the present invention extracts network flow structure features, and the extraction formula is as follows:

描述了源主机u在t_c时刻的出度：

Describes the out-degree of source host u at time t_c :

其中

in

描述了源主机u在t_c时刻的入度：

Describes the in-degree of source host u at time t_c :

其中

in

描述目的主机v在t_c时刻的出度：

Describe the out-degree of destination host v at time t_c :

其中

in

描述目的主机v在t_c时刻的入度：

Describe the in-degree of the destination host v at time t_c :

其中

in

步骤二：训练两种检测器Step 2: Train two detectors

3、完成上述工作后，本发明实施例首先训练全特征检测器。选取8个网络流特征与网络流结构特征组成的12维的全特征向量，使用KNN分类算法训练全特征检测器。8个网络流特征分别是：Flow Duration、Total Fwd Packets、Total Backward Packets、TotalLength of Fwd Packets、Total Length of Bwd Packets、Flow Bytes/s、Flow Packets/s、Average Packet Size。3. After completing the above work, the embodiment of the present invention first trains a full-feature detector. A 12-dimensional full feature vector composed of 8 network flow features and network flow structure features is selected, and the KNN classification algorithm is used to train the full feature detector. The eight network flow features are: Flow Duration, Total Fwd Packets, Total Backward Packets, TotalLength of Fwd Packets, Total Length of Bwd Packets, Flow Bytes/s, Flow Packets/s, Average Packet Size.

4、然后，本发明实施例训练网络流结构特征检测器。选取网络流结构特征，使用KNN分类算法训练结构特征检测器。4. Then, the embodiment of the present invention trains a network flow structure feature detector. The network flow structure features are selected, and the KNN classification algorithm is used to train the structure feature detector.

步骤三：构建预判器Step 3: Build the predictor

5、使用全特征检测器与网流结构特征检测器的测试结果构建预判器的数据集。该数据集由网络流结构特征组成，包含正样本与负样本两种，分别标记为0和1。0代表输入结构特征检测器能正确分类的网络流结构特征；1代表输入网络流结构特征检测器误分类但结合网络流特征(即全特征)输入全特征检测器可正确分类的结构特征。数据集的正负样本比例为7:3。将该数据集按照8:2的比例分为训练集与测试集。5. Use the test results of the full feature detector and the network flow structure feature detector to construct the data set of the predictor. The dataset consists of network flow structure features, including positive samples and negative samples, which are marked as 0 and 1. 0 represents the network flow structure features that can be correctly classified by the input structure feature detector; 1 represents the input network flow structure feature detection. Structural features that are misclassified by the detector but can be correctly classified by the full-feature detector combined with network flow features (i.e. full features). The ratio of positive and negative samples in the dataset is 7:3. The dataset is divided into training set and test set according to the ratio of 8:2.

6、数据集构建完毕后，使用KNN算法训练预判器，最终得到网络流结构特征预判器模型。6. After the data set is constructed, use the KNN algorithm to train the predictor, and finally obtain the network flow structure feature predictor model.

步骤四：检测异常网络流量Step 4: Detect abnormal network traffic

7、为了检测异常网络流量，本发明实施例首先对输入的网络流量进行特征提取，即依据步骤一中的方法提取网络流特征与网络流结构特征。7. In order to detect abnormal network traffic, the embodiments of the present invention first perform feature extraction on the input network traffic, that is, extract network flow features and network flow structure features according to the method in step 1.

8、使用步骤三中构建的预判器，判断该条网络流是否能仅依靠网络流结构特征进行检测。如果能，则输入结构特征检测器，由网络流结构特征完成该条网络流的检测；如果不能，接下来将网络流特征与网络流结构特征综合进行检测，即形成12维的特征向量输入全特征检测器，由此完成该条网络流的检测。8. Use the predictor constructed in step 3 to determine whether the network flow can be detected only by relying on the structural characteristics of the network flow. If it can, input the structure feature detector, and complete the detection of the network flow by the network flow structure feature; if not, then combine the network flow feature and the network flow structure feature to detect, that is, a 12-dimensional feature vector is formed. The feature detector is used to complete the detection of the network flow.

步骤五：保存检测结果并生成检测报告。Step 5: Save the test results and generate a test report.

本发明实施例从现有检测工作中的两点不足出发，针性地提出了两点方案。针对以往的工作缺乏网络流结构信息的问题，本发明实施例提出了网络流结构信息的表示方案，即选择过去一段时间部分网络流结构，近似表示当前网络流的结构信息，并基于该方案提取网络流结构特征；针对使用单一类型的网络流特征检测能力不足的问题，提出了一种预判式特征融合方案，即由预判器判断网络流结构特征的检测能力，依据判断结果选择合适的检测器进行异常流量检测，由此实现网络流特征与网络流结构特征融合。Based on two deficiencies in the existing detection work, the embodiment of the present invention proposes a two-point solution in a targeted manner. Aiming at the problem of lack of network flow structure information in previous work, the embodiment of the present invention proposes a representation scheme for network flow structure information, that is, selects a part of the network flow structure in the past period of time, approximately represents the structure information of the current network flow, and extracts the structure information based on the scheme. Network flow structure features; Aiming at the problem of insufficient detection ability using a single type of network flow features, a predictive feature fusion scheme is proposed, that is, the predictor judges the detection ability of network flow structure features, and selects the appropriate one according to the judgment results. The detector performs abnormal traffic detection, thereby realizing the fusion of network flow features and network flow structure features.

图3为本发明一实施例提供的基于网络流结构特征融合的异常流量检测装置的结构示意图，如图3所示，该装置包括：获取模块201、预判模块202和检测模块203，其中：3 is a schematic structural diagram of an abnormal traffic detection device based on network flow structure feature fusion provided by an embodiment of the present invention. As shown in FIG. 3 , the device includes: anacquisition module 201, apre-judgment module 202, and adetection module 203, wherein:

其中，获取模块201，用于获取待检测的网络流；Wherein, the obtainingmodule 201 is used to obtain the network flow to be detected;

预判模块202，用于将所述待检测的网络流输入至预设的预判器，得到与所述待检测的网络流对应的判断结果；Apre-judgment module 202, configured to input the network flow to be detected into a preset predictor to obtain a judgment result corresponding to the network flow to be detected;

检测模块203，用于若与所述待检测的网络流对应的判断结果为所述待检测的网络流能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的网络流结构特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流不能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的全特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；所述预设的全特征检测器为基于网络流特征和网络流结构特征构建的检测器。Thedetection module 203 is configured to input the network flow to be detected into a preset if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by relying on the structural characteristics of the network flow The network flow structure feature detector detects the network flow to be detected, and determines the abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected cannot be only Relying on the network flow structure feature for detection, the network flow to be detected is input to a preset full-feature detector to detect the network flow to be detected, and the abnormal network traffic detection result is determined; the preset full-feature detector The full-feature detector is a detector constructed based on network flow features and network flow structure features.

在上述实施例基础上，在本实施例中，所述检测模块中的所述预设的网络流结构特征检测器，包括：Based on the above embodiment, in this embodiment, the preset network flow structure feature detector in the detection module includes:

获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；Obtain the network flow feature of the data set; the network flow feature includes the identification feature and statistical feature of the network flow;

基于所述网络流的标识特征提取网络流的结构特征；Extracting structural features of the network flow based on the identification features of the network flow;

基于所述网络流的结构特征采用KNN分类算法构建预设的网络流结构特征检测器。Based on the structural features of the network flow, a KNN classification algorithm is used to construct a preset network flow structure feature detector.

在上述实施例基础上，在本实施例中，所述检测模块中的所述预设的全特征检测器，包括：Based on the above embodiment, in this embodiment, the preset full-feature detector in the detection module includes:

获取数据集的网络流特征；所述网络流特征包括网络流的标识特征和统计特征；Obtain the network flow feature of the data set; the network flow feature includes the identification feature and statistical feature of the network flow;

基于所述网络流的标识特征提取网络流的结构特征；Extracting structural features of the network flow based on the identification features of the network flow;

基于所述网络流的结构特征和所述网络流特征组成全特征向量；A full feature vector is formed based on the structural feature of the network flow and the network flow feature;

基于所述全特征向量采用KNN分类算法构建预设的全特征检测器。Based on the full feature vector, a KNN classification algorithm is used to construct a preset full feature detector.

本发明实施例提供的基于网络流结构特征融合的异常流量检测装置具体可以用于执行上述实施例的基于网络流结构特征融合的异常流量检测方法，其技术原理和有益效果类似，具体可参见上述实施例，此处不再赘述。The apparatus for detecting abnormal traffic based on network flow structure feature fusion provided by the embodiment of the present invention can be specifically used to execute the abnormal traffic detection method based on network flow structure feature fusion in the above-mentioned embodiment, and its technical principles and beneficial effects are similar. For details, please refer to the above Examples are not repeated here.

基于相同的发明构思，本发明实施例提供一种电子设备，参见图4，电子设备具体包括如下内容：处理器301、通信接口303、存储器302和通信总线304；Based on the same inventive concept, an embodiment of the present invention provides an electronic device. Referring to FIG. 4 , the electronic device specifically includes the following contents: aprocessor 301, acommunication interface 303, amemory 302, and acommunication bus 304;

其中，处理器301、通信接口303、存储器302通过通信总线304完成相互间的通信；通信接口303用于实现各建模软件及智能制造装备模块库等相关设备之间的信息传输；处理器301用于调用存储器302中的计算机程序，处理器执行计算机程序时实现上述各方法实施例所提供的方法，例如，处理器执行计算机程序时实现下述步骤：获取待检测的网络流；将所述待检测的网络流输入至预设的预判器，得到与所述待检测的网络流对应的判断结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的网络流结构特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流不能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的全特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；所述预设的全特征检测器为基于网络流特征和网络流结构特征构建的检测器。Among them, theprocessor 301, thecommunication interface 303, and thememory 302 complete the communication with each other through thecommunication bus 304; thecommunication interface 303 is used to realize the information transmission between various modeling software and the intelligent manufacturing equipment module library and other related equipment; theprocessor 301 For invoking the computer program in thememory 302, when the processor executes the computer program, the methods provided by the above method embodiments are implemented. For example, when the processor executes the computer program, the following steps are implemented: acquiring the network flow to be detected; The network flow to be detected is input to a preset predictor, and a judgment result corresponding to the network flow to be detected is obtained; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can Only rely on the network flow structure feature to detect, then input the network flow to be detected into a preset network flow structure feature detector to detect the network flow to be detected, and determine the abnormal network flow detection result; The judgment result corresponding to the network flow to be detected is that the network flow to be detected cannot be detected only by relying on the structural characteristics of the network flow, then the network flow to be detected is input into a preset full-feature detector for detection. The detection of the network flow to be detected is performed, and the abnormal network flow detection result is determined; the preset full-feature detector is a detector constructed based on the network flow feature and the network flow structure feature.

基于相同的发明构思，本发明又一实施例还提供一种非暂态计算机可读存储介质，其上存储有计算机程序，该计算机程序被处理器执行时实现以执行上述各方法实施例提供的方法，例如，获取待检测的网络流；将所述待检测的网络流输入至预设的预判器，得到与所述待检测的网络流对应的判断结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的网络流结构特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；若与所述待检测的网络流对应的判断结果为所述待检测的网络流不能够仅依靠网络流结构特征进行检测，则将所述待检测的网络流输入至预设的全特征检测器进行所述待检测的网络流的检测，并确定异常网络流量检测结果；所述预设的全特征检测器为基于网络流特征和网络流结构特征构建的检测器。Based on the same inventive concept, another embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, and the computer program is implemented when executed by a processor to execute the methods provided by the foregoing method embodiments. method, for example, acquiring the network flow to be detected; inputting the network flow to be detected into a preset predictor to obtain a judgment result corresponding to the network flow to be detected; The judgment result corresponding to the flow is that the network flow to be detected can be detected only by relying on the network flow structure feature, then the network flow to be detected is input into the preset network flow structure feature detector to perform the network flow to be detected. flow detection, and determine the abnormal network flow detection result; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected cannot be detected only by relying on the structural characteristics of the network flow, the network flow to be detected The network flow is input to a preset full-feature detector to detect the network flow to be detected, and determine the abnormal network traffic detection result; the preset full-feature detector is based on network flow characteristics and network flow structure characteristics. The built detector.

以上所描述的装置实施例仅仅是示意性的，其中作为分离部件说明的单元可以是或者也可以不是物理上分开的，作为单元显示的部件可以是或者也可以不是物理单元，即可以位于一个地方，或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性的劳动的情况下，即可以理解并实施。The device embodiments described above are only illustrative, wherein the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place , or distributed to multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

通过以上的实施方式的描述，本领域的技术人员可以清楚地了解到各实施方式可借助软件加必需的通用硬件平台的方式来实现，当然也可以通过硬件。基于这样的理解，上述技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来，该计算机软件产品可以存储在计算机可读存储介质中，如ROM/RAM、磁碟、光盘等，包括若干指令用以使得一台计算机设备(可以是个人计算机，服务器，或者网络设备等)执行各个实施例或者实施例的某些部分的方法。From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on this understanding, the above-mentioned technical solutions can be embodied in the form of software products in essence or the parts that make contributions to the prior art, and the computer software products can be stored in computer-readable storage media, such as ROM/RAM, magnetic Disks, optical discs, etc., include instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform the methods of various embodiments or portions of embodiments.

此外，在本发明中，诸如“第一”、“第二”仅用于描述目的，而不能理解为指示或暗示相对重要性或者隐含指明所指示的技术特征的数量。由此，限定有“第一”、“第二”的特征可以明示或者隐含地包括至少一个该特征。在本发明的描述中，“多个”的含义是至少两个，例如两个，三个等，除非另有明确具体的限定。In addition, in the present invention, such as "first" and "second" are only used for descriptive purposes, and cannot be understood as indicating or implying relative importance or implying the number of indicated technical features. Thus, a feature delimited with "first", "second" may expressly or implicitly include at least one of that feature. In the description of the present invention, "plurality" means at least two, such as two, three, etc., unless otherwise expressly and specifically defined.

此外，在本发明中，诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来，而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且，术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含，从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素，而且还包括没有明确列出的其他要素，或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下，由语句“包括一个……”限定的要素，并不排除在包括要素的过程、方法、物品或者设备中还存在另外的相同要素。Furthermore, in the present invention, relational terms such as first and second, etc. are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply existence between these entities or operations any such actual relationship or sequence. Moreover, the terms "comprising", "comprising" or any other variation thereof are intended to encompass a non-exclusive inclusion such that a process, method, article or device that includes a list of elements includes not only those elements, but also includes not explicitly listed or other elements inherent to such a process, method, article or apparatus. Without further limitation, an element qualified by the phrase "comprising a..." does not preclude the presence of additional identical elements in the process, method, article, or device that includes the element.

此外，在本说明书的描述中，参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明的至少一个实施例或示例中。在本说明书中，对上述术语的示意性表述不必须针对的是相同的实施例或示例。而且，描述的具体特征、结构、材料或者特点可以在任一个或多个实施例或示例中以合适的方式结合。此外，在不相互矛盾的情况下，本领域的技术人员可以将本说明书中描述的不同实施例或示例以及不同实施例或示例的特征进行结合和组合。In addition, in the description of this specification, reference to the terms "one embodiment," "some embodiments," "example," "specific example," or "some examples" and the like means description in conjunction with the embodiment or example. A particular feature, structure, material or characteristic is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, those skilled in the art may combine and combine the different embodiments or examples described in this specification, as well as the features of the different embodiments or examples, without conflicting each other.

最后应说明的是：以上实施例仅用以说明本发明的技术方案，而非对其限制；尽管参照前述实施例对本发明进行了详细的说明，本领域的普通技术人员应当理解：其依然可以对前述各实施例所记载的技术方案进行修改，或者对其中部分技术特征进行等同替换；而这些修改或替换，并不使相应技术方案的本质脱离本发明各实施例技术方案的精神和范围。Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, but not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that it can still be Modifications are made to the technical solutions described in the foregoing embodiments, or some technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An abnormal flow detection method based on network flow structure feature fusion is characterized by comprising the following steps:

acquiring a network flow to be detected;

inputting the network flow to be detected to a preset prejudging device to obtain a judgment result corresponding to the network flow to be detected;

if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can be detected only by depending on the network flow structural characteristics, inputting the network flow to be detected to a preset network flow structural characteristic detector to detect the network flow to be detected, and determining an abnormal network flow detection result;

if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by depending on the structure characteristics of the network flow, inputting the network flow to be detected to a preset full-characteristic detector to detect the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structure features;

the network flow structure characteristics of the network flow are represented by adopting a four-dimensional vector formed by the out degree and the in degree of a source node and a destination node in a network communication graph respectively, and the network structure formed by the network flow in the past period is used for representing the network flow structure at the current moment.

2. The abnormal traffic detection method based on network flow structural feature fusion according to claim 1, wherein the preset network flow structural feature detector comprises:

acquiring network flow characteristics of a data set; the network flow characteristics comprise identification characteristics and statistical characteristics of the network flow;

extracting structural features of the network flow based on the identification features of the network flow;

and constructing a preset network flow structural feature detector by adopting a KNN classification algorithm based on the structural features of the network flow.

3. The abnormal traffic detection method based on network flow structure feature fusion according to claim 1, wherein the preset full-feature detector comprises:

acquiring network flow characteristics of a data set; the network flow characteristics comprise identification characteristics and statistical characteristics of the network flow;

extracting structural features of the network flow based on the identification features of the network flow;

forming a full feature vector based on the structural features of the network flow and the network flow features;

and constructing a preset full-feature detector by adopting a KNN classification algorithm based on the full-feature vector.

4. The abnormal traffic detection method based on fusion of network flow structural features according to claim 2 or 3, wherein the identification features of the network flow comprise an IP address of a source node, an IP address of a destination node, a timestamp, a source port and a destination port.

5. The abnormal flow detection method based on network flow structure feature fusion according to claim 1, wherein the preset prejudger comprises:

constructing a data set by using test results of a preset network flow structure characteristic detector and a preset full characteristic detector;

constructing a preset prejudgment device by adopting a KNN classification algorithm based on the data set;

if the output result of the preset prejudger is 0, the input network flow can be detected only by depending on the structural characteristics of the network flow;

and if the output result of the preset prejudger is 1, the input network flow cannot be detected only by depending on the structural characteristics of the network flow.

6. An abnormal flow detection device based on network flow structure feature fusion is characterized by comprising:

the acquisition module is used for acquiring the network flow to be detected;

the pre-judging module is used for inputting the network flow to be detected to a preset pre-judging device to obtain a judgment result corresponding to the network flow to be detected;

the detection module is used for inputting the network flow to be detected to a preset network flow structure characteristic detector to detect the network flow to be detected and determining an abnormal network flow detection result if the judgment result corresponding to the network flow to be detected indicates that the network flow to be detected can be detected only by means of the network flow structure characteristic; if the judgment result corresponding to the network flow to be detected is that the network flow to be detected can not be detected only by depending on the structure characteristics of the network flow, inputting the network flow to be detected to a preset full-characteristic detector to detect the network flow to be detected, and determining an abnormal network flow detection result; the preset full-feature detector is a detector constructed based on network flow features and network flow structure features;

the network flow structure characteristics of the network flow are represented by adopting a four-dimensional vector formed by the out degree and the in degree of a source node and a destination node in a network communication graph respectively, and the network structure formed by the network flow in the past period is used for representing the network flow structure at the current moment.

7. The abnormal traffic detection device based on the fusion of the network flow structural features according to claim 6, wherein the preset network flow structural feature detector in the detection module comprises:

acquiring network flow characteristics of a data set; the network flow characteristics comprise identification characteristics and statistical characteristics of the network flow;

extracting structural features of the network flow based on the identification features of the network flow;

and constructing a preset network flow structural feature detector by adopting a KNN classification algorithm based on the structural features of the network flow.

8. The abnormal traffic detection device based on the fusion of the network flow structure characteristics according to claim 6, wherein the preset full characteristic detector in the detection module comprises:

acquiring network flow characteristics of a data set; the network flow characteristics comprise identification characteristics and statistical characteristics of the network flow;

extracting structural features of the network flow based on the identification features of the network flow;

forming a full feature vector based on the structural features of the network flow and the network flow features;

and constructing a preset full-feature detector by adopting a KNN classification algorithm based on the full-feature vector.

9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for detecting abnormal traffic based on feature fusion of network flows according to any one of claims 1 to 5 when executing the program.

10. A non-transitory computer readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the abnormal traffic detection method based on network flow structure feature fusion according to any one of claims 1 to 5.

Images