Technical field
The present application relates to the field of communication technology and, more specifically, to a method and apparatus for identifying abnormal traffic, an electronic device, and a computer-readable storage medium.
Background
In the related art, multiple threads have to be allocated to the traffic in a network in order to identify abnormal traffic. The number of threads is usually fixed, but in many cases a fixed thread count leaves the module with either too few threads or too many, which leads respectively to low identification efficiency or to high resource consumption. How to balance identification efficiency against resource consumption is therefore a technical problem that those skilled in the art need to solve.
Summary of the invention
The purpose of the present application is to provide a method and apparatus for identifying abnormal traffic, an electronic device, and a computer-readable storage medium that reduce resource consumption during abnormal-traffic identification.
To achieve the above object, the present application provides a method for identifying abnormal traffic, applied to an abnormal-traffic identification module that includes TCP traffic identification threads and UDP traffic identification threads. The method includes:
reading configuration information to determine the number of TCP traffic identification threads and the number of UDP traffic identification threads;
creating TCP traffic identification threads according to the number of TCP traffic identification threads, and creating UDP traffic identification threads according to the number of UDP traffic identification threads;
using the TCP traffic identification threads to identify abnormal traffic in TCP traffic, and using the UDP traffic identification threads to identify abnormal traffic in UDP traffic.
Wherein neither the TCP traffic identification threads nor the UDP traffic identification threads include a result-reporting function, and the abnormal-traffic identification module further includes a result-reporting thread;
correspondingly, the method further includes:
creating a result-reporting thread, and using the result-reporting thread to report the identification results of the TCP traffic identification threads and the UDP traffic identification threads to a management platform.
Wherein the method further includes:
reading the configuration information to determine the number of result-reporting threads;
correspondingly, creating the result-reporting thread includes:
creating result-reporting threads according to the number of result-reporting threads.
Wherein the result-reporting threads include TCP traffic result-reporting threads and UDP traffic result-reporting threads;
correspondingly, determining the number of result-reporting threads includes:
determining the number of TCP traffic result-reporting threads and the number of UDP traffic result-reporting threads;
and creating result-reporting threads according to the number of result-reporting threads includes:
creating TCP traffic result-reporting threads according to the number of TCP traffic result-reporting threads, and creating UDP traffic result-reporting threads according to the number of UDP traffic result-reporting threads;
correspondingly, using the result-reporting thread to report the identification results of the TCP traffic identification threads and the UDP traffic identification threads to the management platform includes:
using the TCP traffic result-reporting threads to report the TCP traffic identification results of the TCP traffic identification threads to the management platform, and using the UDP traffic result-reporting threads to report the UDP traffic identification results of the UDP traffic identification threads to the management platform.
Wherein the method further includes:
at regular intervals, obtaining the proportion of idle threads among the TCP traffic identification threads and the proportion of idle threads among the UDP traffic identification threads, and increasing or decreasing the corresponding number of threads according to the obtained idle-thread proportions.
Wherein the abnormal-traffic identification module further includes a task-listening thread, and the method further includes:
using the task-listening thread to continuously receive feature data, in units of flows, from a feature extraction module, and determining the protocol type of the traffic, wherein flows correspond one-to-one with five-tuples;
when a first preset condition is met, creating a TCP traffic identification task based on the received TCP-type feature data and adding the TCP traffic identification task to a TCP traffic identification task queue, wherein the first preset condition includes the number of flows received into the task reaching a first preset value or the lifetime of the task reaching a second preset value;
when a second preset condition is met, creating a UDP traffic identification task based on the received UDP-type feature data and adding the UDP traffic identification task to a UDP traffic identification task queue, wherein the second preset condition includes the number of flows in the task reaching the first preset value or the lifetime of the task reaching the second preset value;
correspondingly, using the TCP traffic identification threads to identify abnormal traffic in TCP traffic and using the UDP traffic identification threads to identify abnormal traffic in UDP traffic includes:
using the TCP traffic identification threads to take TCP traffic identification tasks from the TCP traffic identification task queue, and identifying abnormal TCP traffic based on the feature data in the task taken;
using the UDP traffic identification threads to take UDP traffic identification tasks from the UDP traffic identification task queue, and identifying abnormal UDP traffic based on the feature data in the task taken.
Wherein determining the protocol type of the traffic includes:
determining the protocol type of the traffic according to the five-tuple of the flow, or according to a custom data format used when communicating with the feature extraction module.
To achieve the above object, the present application provides an apparatus for identifying abnormal traffic, applied to an abnormal-traffic identification module that includes TCP traffic identification threads and UDP traffic identification threads. The apparatus includes:
a first determining unit, configured to read configuration information to determine the number of TCP traffic identification threads and the number of UDP traffic identification threads;
a first creating unit, configured to create TCP traffic identification threads according to the number of TCP traffic identification threads and to create UDP traffic identification threads according to the number of UDP traffic identification threads;
an identification unit, configured to use the TCP traffic identification threads to identify abnormal traffic in TCP traffic and to use the UDP traffic identification threads to identify abnormal traffic in UDP traffic.
To achieve the above object, the present application provides an electronic device, including:
a memory for storing a computer program; and
a processor configured to implement the steps of the above method for identifying abnormal traffic when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the above method for identifying abnormal traffic when executed by a processor.
To achieve the above object, the present application provides a computer program product comprising instructions which, when the computer program product is executed by a computer, cause the computer to perform the steps of the above method for identifying abnormal traffic.
As can be seen from the above, the present application provides a method for identifying abnormal traffic, applied to an abnormal-traffic identification module that includes TCP traffic identification threads and UDP traffic identification threads. The method includes: determining the number of TCP traffic identification threads and the number of UDP traffic identification threads; creating TCP traffic identification threads according to the number of TCP traffic identification threads and creating UDP traffic identification threads according to the number of UDP traffic identification threads; and using the TCP traffic identification threads to identify abnormal traffic in TCP traffic and the UDP traffic identification threads to identify abnormal traffic in UDP traffic.
The method provided by the present application splits the abnormal-traffic identification of TCP traffic and of UDP traffic into independent threads: TCP traffic identification threads and UDP traffic identification threads are created separately, the former identifying abnormal TCP traffic and the latter abnormal UDP traffic. This avoids the low identification accuracy caused by interference between TCP and UDP features when the two kinds of traffic are identified together. In addition, the volumes of TCP and UDP traffic can differ greatly across geographic regions and identification time periods, so the number of TCP identification threads and the number of UDP identification threads can be configured separately in advance through configuration information. This achieves the best identification effect for a given region and time period while avoiding the excessive resource consumption of creating too many threads. The present application also discloses an apparatus for identifying abnormal traffic, an electronic device, and a computer-readable storage medium, which achieve the same technical effects.
It should be understood that the foregoing general description and the following detailed description are exemplary only and do not limit the present application.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort. The drawings are provided to further the understanding of the present disclosure and form part of the specification; together with the following detailed description they serve to explain the present disclosure, but do not limit it. In the drawings:
Fig. 1 is a flow chart of a method for identifying abnormal traffic according to an exemplary embodiment;
Fig. 2 is a flow chart of another method for identifying abnormal traffic according to an exemplary embodiment;
Fig. 3 is a structural diagram of an abnormal-traffic identification system in an application embodiment provided by the present application;
Fig. 4 is a flow chart of a method for identifying abnormal traffic in an application embodiment provided by the present application;
Fig. 5 is a flow chart of the task-listening thread in an application embodiment provided by the present application;
Fig. 6 is a flow chart of the management thread in an application embodiment provided by the present application;
Fig. 7 is a flow chart of an identification thread in an application embodiment provided by the present application;
Fig. 8 is a flow chart of the result-reporting thread in an application embodiment provided by the present application;
Fig. 9 is a structural diagram of an apparatus for identifying abnormal traffic according to an exemplary embodiment;
Fig. 10 is a structural diagram of an electronic device according to an exemplary embodiment.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, and not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application. In addition, in the embodiments of the present application, "first", "second" and the like are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
An embodiment of the present application discloses a method for identifying abnormal traffic that reduces resource consumption during abnormal-traffic identification.
Referring to Fig. 1, a flow chart of a method for identifying abnormal traffic according to an exemplary embodiment, the method includes:
S101: reading configuration information to determine the number of TCP traffic identification threads and the number of UDP traffic identification threads;
S102: creating TCP traffic identification threads according to the number of TCP traffic identification threads, and creating UDP traffic identification threads according to the number of UDP traffic identification threads;
The executing entity of this embodiment is the abnormal-traffic identification module in an electronic device, whose purpose is to identify abnormal traffic among all traffic. The traffic in this embodiment may be VPN (Virtual Private Network) traffic, that is, the network traffic that VPN applications and servers use to establish connections and communicate with each other over an encrypted channel; it generally comprises TCP (Transmission Control Protocol) traffic and UDP (User Datagram Protocol) traffic.
In a specific implementation, the number of TCP traffic identification threads and the number of UDP traffic identification threads configured in advance by the user are read, and the corresponding number of TCP traffic identification threads and the corresponding number of UDP traffic identification threads are created accordingly.
The user can set the number of TCP traffic identification threads and the number of UDP traffic identification threads by modifying a configuration file. This embodiment therefore allows both thread counts to be configured flexibly through the configuration file.
As a preferred implementation, this embodiment further includes: at regular intervals, obtaining the proportion of idle threads among the TCP traffic identification threads and the proportion of idle threads among the UDP traffic identification threads, and increasing or decreasing the corresponding number of threads according to the obtained proportions. In a specific implementation, the proportion of idle TCP identification threads is sampled every preset time interval. When the proportion of idle TCP identification threads exceeds a first preset threshold, the abnormal-traffic identification module has created more TCP identification threads than it needs, and the number of TCP identification threads is reduced; when the proportion of idle TCP identification threads is below a second preset threshold, too few TCP identification threads have been created, and the number of TCP identification threads is increased. The first preset threshold and the second preset threshold may be set to the same value or to different values, and are not specifically limited here. Similarly, the proportion of idle UDP identification threads is sampled every preset time interval, and the number of UDP identification threads is increased or decreased according to the obtained proportion: when the proportion of idle UDP identification threads exceeds the first preset threshold, more UDP identification threads have been created than needed and their number is reduced; when the proportion is below the second preset threshold, too few have been created and their number is increased.
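The following Python example, added here and not part of the application, shows steps S101 and S102 together with the idle-ratio adjustment described above: one worker pool per protocol is created from configured thread counts, each pool tracks how many of its threads are blocked waiting for a task, and a periodic check grows or shrinks the pool against two idle-ratio thresholds. The configuration keys, the threshold values and the task handler are assumptions, since the application does not specify a configuration format. Keeping a gap between the two thresholds gives the rule hysteresis, which matters in practice: with a single threshold, a ratio sitting at that value would flip the pool size on alternate samples.

```python
import queue
import threading

# Constructed configuration; the application reads these values from a configuration
# file whose format it does not specify, so the key names and values are assumed.
CONFIG = {
    "tcp_threads": 4,
    "udp_threads": 2,
    "high_idle": 0.75,   # first preset threshold: shrink the pool above this idle ratio
    "low_idle": 0.25,    # second preset threshold: grow the pool below this idle ratio
    "min_threads": 1,
    "max_threads": 16,
}


def scale_decision(idle_ratio, current, cfg):
    """New thread count for one protocol's pool, given its sampled idle ratio.

    The band between low_idle and high_idle is left alone (hysteresis), so a ratio
    hovering near one threshold cannot grow and shrink the pool on alternate samples.
    """
    if idle_ratio > cfg["high_idle"] and current > cfg["min_threads"]:
        return current - 1
    if idle_ratio < cfg["low_idle"] and current < cfg["max_threads"]:
        return current + 1
    return current


class ProtocolPool:
    """Identification threads for one protocol, fed from that protocol's task queue."""

    def __init__(self, proto, size, handler, cfg):
        self.proto, self.handler, self.cfg = proto, handler, cfg
        self.tasks = queue.Queue()
        self._lock = threading.Lock()
        self._idle = 0        # threads currently blocked waiting for a task
        self._stops = []      # one stop event per live worker
        for _ in range(size):
            self._spawn()

    def _spawn(self):
        stop = threading.Event()
        self._stops.append(stop)
        threading.Thread(target=self._run, args=(stop,), daemon=True).start()

    def _run(self, stop):
        while not stop.is_set():
            with self._lock:
                self._idle += 1
            try:
                task = self.tasks.get(timeout=0.05)   # short wait so a shrink is honoured
            except queue.Empty:
                with self._lock:
                    self._idle -= 1
                continue
            with self._lock:
                self._idle -= 1
            try:
                self.handler(self.proto, task)
            finally:
                self.tasks.task_done()

    def size(self):
        return len(self._stops)

    def idle_ratio(self):
        with self._lock:
            return min(1.0, self._idle / max(1, len(self._stops)))

    def submit(self, task):
        self.tasks.put(task)

    def resize(self, target):
        while len(self._stops) < target:
            self._spawn()
        while len(self._stops) > target:
            self._stops.pop().set()   # that worker exits after its current task

    def rebalance(self):
        """One tick of the periodic check: sample the idle ratio, apply the scaling rule."""
        self.resize(scale_decision(self.idle_ratio(), self.size(), self.cfg))
        return self.size()


def build_pools(cfg, handler):
    """S101/S102: read the configured counts and create one pool per protocol."""
    return {
        "tcp": ProtocolPool("tcp", cfg["tcp_threads"], handler, cfg),
        "udp": ProtocolPool("udp", cfg["udp_threads"], handler, cfg),
    }


if __name__ == "__main__":
    seen = []
    pools = build_pools(CONFIG, lambda proto, task: seen.append((proto, task)))
    for i in range(6):
        pools["tcp"].submit({"task_id": i})
    pools["tcp"].tasks.join()
    print(len(seen), "tcp tasks handled by", pools["tcp"].size(), "threads")
```

In a deployment, `rebalance()` is what the management thread calls on its timer for each pool; the sampled ratio is only a snapshot, so the thresholds should be set with that noise in mind rather than at the extremes.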
S103: using the TCP traffic identification threads to identify abnormal traffic in TCP traffic, and using the UDP traffic identification threads to identify abnormal traffic in UDP traffic.
In this step, the TCP traffic identification threads identify abnormal traffic in TCP traffic and the UDP traffic identification threads identify abnormal traffic in UDP traffic.
As a feasible implementation, the abnormal-traffic identification module further includes a task-listening thread, and the method further includes: using the task-listening thread to continuously receive feature data, in units of flows, from the feature extraction module and determining the protocol type of the traffic, wherein flows correspond one-to-one with five-tuples; when a first preset condition is met, creating a TCP traffic identification task based on the received TCP-type feature data and adding it to the TCP traffic identification task queue, wherein the first preset condition includes the number of flows received into the task reaching a first preset value or the lifetime of the task reaching a second preset value; and when a second preset condition is met, creating a UDP traffic identification task based on the received UDP-type feature data and adding it to the UDP traffic identification task queue, wherein the second preset condition includes the number of flows in the task reaching the first preset value or the lifetime of the task reaching the second preset value. Correspondingly, using the TCP traffic identification threads to identify abnormal TCP traffic and the UDP traffic identification threads to identify abnormal UDP traffic includes: using the TCP traffic identification threads to take TCP traffic identification tasks from the TCP traffic identification task queue and identifying abnormal TCP traffic based on the feature data in the task taken; and using the UDP traffic identification threads to take UDP traffic identification tasks from the UDP traffic identification task queue and identifying abnormal UDP traffic based on the feature data in the task taken.
In a specific implementation, the feature extraction module extracts the feature data of the traffic. The task-listening thread listens for a connection from the feature extraction module; once the connection is established, the abnormal-traffic identification module receives feature data in units of flows, determines the protocol type of each flow, namely TCP or UDP, and adds the flow to the traffic identification task for that protocol type. The protocol type of a flow can be determined from the protocol field of the flow's five-tuple, or from a custom data format agreed with the feature extraction module. When the number of TCP flows contained in the TCP traffic identification task reaches the first preset value, or the lifetime of that task reaches the second preset value, the feature data contained in the task is treated as the workload of one identification run and the task is added to the TCP traffic identification task queue. Likewise, when the number of UDP flows contained in the UDP traffic identification task reaches the first preset value, or the lifetime of that task reaches the second preset value, the feature data contained in the task is treated as the workload of one identification run and the task is added to the UDP traffic identification task queue.
Each TCP traffic identification thread takes a TCP traffic identification task from the TCP traffic identification task queue, inputs its feature data into the loaded machine learning model, and obtains the predicted TCP traffic classification result together with a confidence score. The score is compared with a preset confidence threshold; if the predicted confidence score exceeds the threshold, the predicted classification result is taken as the TCP traffic identification result. Each UDP traffic identification thread likewise takes a UDP traffic identification task from the UDP traffic identification task queue, inputs its feature data into the loaded machine learning model, obtains the predicted UDP traffic classification result and confidence score, and compares the score with the preset confidence threshold; if it exceeds the threshold, the predicted classification result is taken as the UDP traffic identification result.
It should be noted that the features of TCP traffic and UDP traffic differ considerably, and many features can be extracted from TCP traffic that UDP traffic does not have. Therefore, when the feature extraction module extracts features from traffic, it can extract the feature data appropriate to the protocol type of the traffic. Which features are extracted for TCP traffic and for UDP traffic can be configured, for example flexibly in the above configuration file. Setting protocol-specific feature sets yields features that better characterize the corresponding traffic and improves the classification accuracy of the subsequent machine learning models.
Further, different machine learning models can be used to identify TCP traffic and UDP traffic respectively. That is, as a preferred implementation, using the TCP traffic identification threads to identify abnormal traffic in TCP traffic includes using the TCP traffic identification threads to identify abnormal TCP traffic based on a TCP abnormal-traffic identification model; correspondingly, using the UDP traffic identification threads to identify abnormal traffic in UDP traffic includes using the UDP traffic identification threads to identify abnormal UDP traffic based on a UDP abnormal-traffic identification model.
In a specific implementation, the feature data of TCP traffic is input into the TCP abnormal-traffic identification model to obtain the corresponding identification result, and the feature data of UDP traffic is input into the UDP abnormal-traffic identification model to obtain the corresponding identification result. Each traffic identification model is trained on the feature data that its protocol can provide and identifies that protocol's traffic using only those features, so the protocols do not affect each other. This reduces the complexity of each model's classification task, improves the classification accuracy for each protocol's traffic, and thereby improves the accuracy of identifying abnormal traffic.
It should be noted that the abnormal-traffic identification module can be deployed in different locations according to actual needs, for example on a host, on a gateway, on a server deployed alongside a gateway, or independently on a server. The design is scalable: when there are too many tasks for the available machine performance, additional instances of each module can be deployed at any time. When a running module fails, the operation of the overall system is not disrupted, and a new module can be quickly deployed to replace the failed one. In addition, the abnormal-traffic identification module in this embodiment can expose an API (Application Programming Interface) to the outside; it can serve any region or organization internally, or be deployed on the public network to identify abnormal traffic online. An API exposed on the public network should itself be authenticated and rate limited, since the module's thread pools are a bounded resource that unauthenticated callers could exhaust.
本申请实施例提供的异常流量识别方法,将TCP流量的异常识别和UDP流量的异常识别分别作为独立的线程拆分执行,也即分别创建TCP流量识别线程和UDP流量识别线程,利用TCP流量识别线程对TCP流量进行异常流量识别,利用UDP流量识别线程对UDP流量进行异常流量识别。,从而避免将TCP流量和UDP流量混合在一起识别时,由于特征渗透造成识别准确度低的技术问题。此外,对于不同的地理区域以及识别时间段,TCP流量以及UDP流量的数量可能差异非常大,因此,可通过配置信息事先分别来配置TCP识别线程数量以及UDP识别线程数量,以此达到针对不同地理区域以及识别时间段的最优识别效果的同时,还能够避免开辟过多线程造成资源消耗过大。The abnormal traffic identification method provided by the embodiment of the present application splits and executes the abnormal identification of TCP traffic and the abnormal identification of UDP traffic respectively as independent threads, that is, respectively creates a TCP traffic identification thread and a UDP traffic identification thread, and utilizes TCP traffic identification The thread identifies the abnormal traffic of the TCP traffic, and uses the UDP traffic identification thread to identify the abnormal traffic of the UDP traffic. , so as to avoid the technical problem of low recognition accuracy caused by feature penetration when TCP traffic and UDP traffic are mixed together for recognition. In addition, for different geographical areas and identification time periods, the number of TCP traffic and UDP traffic may vary greatly. Therefore, the number of TCP identification threads and the number of UDP identification threads can be configured in advance through configuration information, so as to achieve different geographical While achieving the optimal recognition effect of the area and the recognition time period, it can also avoid excessive resource consumption caused by opening too many threads.
Building on the above embodiment, in a preferred implementation neither the TCP traffic identification thread nor the UDP traffic identification thread includes a result reporting function; the abnormal traffic identification module further includes a result reporting thread; and, correspondingly, the method further includes: creating a result reporting thread, and using it to report the identification results of the TCP and UDP traffic identification threads to the management platform.
In a specific implementation, neither identification thread reports results; the module includes a separate result reporting thread that reports the TCP identification results produced by the TCP traffic identification thread and the UDP identification results produced by the UDP traffic identification thread to the management platform. Splitting identification and reporting into independent threads means that when the result reporting thread blocks, the identification threads keep identifying abnormal traffic. Compared with the prior art, this improves identification efficiency while keeping the number of threads as small as possible, and thus reduces resource consumption during abnormal traffic identification.
Building on the above embodiment, in a preferred implementation the method further includes: determining the number of result reporting threads from the configuration information; correspondingly, creating the result reporting thread includes creating result reporting threads according to that number.
In a specific implementation, the number of result reporting threads can be maintained in the configuration file of the abnormal traffic identification module; the user sets it by editing the configuration file, which makes the number flexibly configurable. The user can configure the number of reporting threads in advance according to the local geographic environment and the characteristics of the identification time period.
Building on the above embodiment, in a preferred implementation the result reporting thread includes a TCP traffic result reporting thread and a UDP traffic result reporting thread. Correspondingly, determining the number of result reporting threads includes determining the number of TCP traffic result reporting threads and the number of UDP traffic result reporting threads; creating result reporting threads according to that number includes creating TCP traffic result reporting threads according to the TCP count and UDP traffic result reporting threads according to the UDP count; and reporting the identification results of the TCP and UDP traffic identification threads to the management platform includes using the TCP traffic result reporting thread to report the TCP traffic identification thread's results and using the UDP traffic result reporting thread to report the UDP traffic identification thread's results. Distinguishing TCP and UDP result reporting threads serves two purposes: different reporting code logic can be set for TCP and for UDP, and analysing how busy the TCP and UDP result reporting threads are lets the user gauge the number of abnormal TCP flows and abnormal UDP flows.
In a specific implementation, result reporting for TCP traffic and for UDP traffic run as separate threads: a TCP traffic result reporting thread and a UDP traffic result reporting thread are created, the former reporting the TCP traffic identification thread's results and the latter the UDP traffic identification thread's results to the management platform. Both thread counts can be maintained in the module's configuration file, so the user can set and flexibly adjust the number of TCP and UDP result reporting threads by editing it.
This embodiment of the present application discloses a method for identifying abnormal traffic that further explains and optimizes the technical solution of the previous embodiment. Specifically:
Referring to FIG. 2, a flow chart of another abnormal traffic identification method according to an exemplary embodiment, the method includes:
S201: obtain the number of TCP identification threads, the number of UDP identification threads, the number of TCP result reporting threads and the number of UDP result reporting threads;
In this embodiment, a management thread can determine the number of TCP traffic identification threads, UDP traffic identification threads, TCP traffic result reporting threads and UDP traffic result reporting threads. Each count can be set in a configuration file, so the traffic that needs the most attention can be controlled flexibly according to the characteristics of the network environment.
S202: create TCP identification threads according to the number of TCP identification threads, UDP identification threads according to the number of UDP identification threads, TCP result reporting threads according to the number of TCP result reporting threads, and UDP result reporting threads according to the number of UDP result reporting threads;
In a specific implementation, the management thread creates the TCP traffic identification threads, UDP traffic identification threads, TCP traffic result reporting threads and UDP traffic result reporting threads according to their respective configured counts. The management thread can also create a task monitoring thread.
S203: use the TCP identification threads to identify abnormal traffic with the identification method for the TCP protocol, and use the UDP identification threads to identify abnormal traffic with the identification method for the UDP protocol;
In a specific implementation, a feature extraction module extracts the feature data of the traffic. The task monitoring thread listens for a connection from the feature extraction module; once the connection is established, the abnormal traffic identification module creates a TCP traffic identification task and a UDP traffic identification task, receives feature data one flow at a time, determines the flow's protocol type (TCP or UDP), and adds the flow to the identification task for that protocol. The protocol type can be determined from the flow's five-tuple or from a custom data format agreed with the feature extraction module. When the number of TCP flows in the TCP traffic identification task reaches a first preset value, or the task's lifetime reaches a second preset value, the feature data in that task becomes the workload of one identification run and the task is added to the TCP traffic identification task queue. The UDP traffic identification task is handled in the same way: when its UDP flow count reaches the first preset value or its lifetime reaches the second preset value, it is added to the UDP traffic identification task queue.
Each TCP traffic identification thread takes a TCP traffic identification task from the TCP traffic identification task queue, feeds its feature data into the loaded machine learning model, and obtains the predicted TCP traffic classification result and a confidence score. The score is compared with a preset confidence threshold; if it is higher, the predicted classification result becomes the TCP traffic identification result. The thread then checks whether this result is empty; if it is not, it creates a TCP traffic result reporting task from the result and adds it to the TCP traffic result reporting task queue, so that empty results never become reporting tasks. Each UDP traffic identification thread does the same with the UDP traffic identification task queue: it predicts the UDP traffic classification result and confidence score, keeps the result if the score exceeds the preset threshold, and, if the result is not empty, creates a UDP traffic result reporting task and adds it to the UDP traffic result reporting task queue.
S204: use the TCP result reporting threads to report the TCP identification threads' results to the management platform, and use the UDP result reporting threads to report the UDP identification threads' results to the management platform.
In this step, each TCP result reporting thread takes a TCP traffic result reporting task from the TCP traffic result reporting task queue and reports the TCP traffic identification result it contains to the management platform; each UDP result reporting thread does the same with the UDP traffic result reporting task queue.
Thus, in this embodiment, abnormal-traffic identification for TCP and for UDP run as independent threads, and identification and result reporting also run as independent threads, so identification continues even while a result reporting thread is blocked. Compared with the prior art, this reduces the number of threads and therefore the resource consumption of abnormal traffic identification.
An application embodiment of the present application is described below with reference to FIG. 3 and FIG. 4: FIG. 3 is a structural diagram of the abnormal traffic identification system in this application embodiment, and FIG. 4 is a flow chart of the abnormal traffic identification method in it.
As shown in FIG. 4, the overall process is divided into an initialization part and an identification part. The initialization part reads the configuration, checks the model, starts the related processes and continuously checks and maintains whether the identification part is still running; the identification part listens for data-source input, identifies traffic and feeds the identification results back to the result requirement part.
The task monitoring thread receives flow/feature data from outside and provides the data source for the whole process. As shown in FIG. 5, it performs the following steps:
Step 1: after starting, the task monitoring thread listens for the flow/feature data connection and proceeds to step 2 once the connection is established;
Step 2: check the value or variable controlled by the management thread to decide whether to keep running; if so, proceed to step 3, otherwise end the thread;
Step 3: for a newly arrived piece of flow/feature information, receive its header, classify it by protocol, read the remaining content of the corresponding length, and add it to the current identification task of that protocol;
Step 4: check whether the current TCP or UDP identification task has reached a limit condition, for example the number of flows in the task, or whether the task is still empty when its lifetime expires; if so, proceed to step 5, otherwise return to step 2;
Step 5: add the current identification task to the management thread's identification task queue, clear the current task variable, and return to step 2.
The management thread provides data sharing between the identification threads and the reporting threads and is responsible for starting, maintaining and stopping each thread.
As shown in FIG. 6, it performs the following steps:
Step 1: according to the configuration information read during initialization, create n TCP flow identification threads, s TCP result reporting threads, m UDP flow identification threads, t UDP result reporting threads and 1 task monitoring thread;
Step 2: after each waiting interval, decide whether to keep running; if so, repeat step 2, otherwise proceed to step 3;
Step 3: make each thread exit.
The identification threads read tasks from the management thread's identification task queue, evaluate them with the model, combine the model output with the confidence score from the configuration read during initialization to obtain the identification result, and finally add non-empty VPN flow identification results to the result reporting queue. As shown in FIG. 7, each performs the following steps:
Step 1: initialize according to the configuration read during initialization;
Step 2: decide whether to keep running the thread; if so, proceed to step 3, otherwise end the thread;
Step 3: block until an identification task is obtained, use the loaded machine learning model to get the classification result and confidence score of each flow, compare it with the preset confidence threshold from initialization, and obtain the VPN flow identification result that meets the requirement, including the list of VPN five-tuples;
Step 4: check whether the current VPN flow identification result is empty; if not, proceed to step 5, otherwise proceed to step 6;
Step 5: add the current VPN flow identification result to v of the management thread;
Step 6: the current task is complete; return to step 2;
The result reporting threads read identification results from the management thread's result reporting queue and report them to the result requirement module. As shown in FIG. 8, each performs the following steps:
Step 1: establish a connection to the result requirement module according to the configuration file from initialization;
Step 2: decide whether to keep running the thread; if so, proceed to step 3, otherwise end the thread;
Step 3: block until a report is obtained from the management thread's result reporting queue, send it to the result requirement module, and on completion return to step 2.
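The S203/S204 pipeline above and the task monitoring, management, identification and reporting thread steps of FIGS. 5 to 8, as an added Python example that is not part of the application or of any implementation of it. CONFIG, MODELS (two threshold scores standing in for the trained TCP and UDP models), SAMPLE_FLOWS and all class and function names are constructed assumptions; the in-memory `reported` list stands in for the management platform.

```python
import queue
import threading
import time
from collections import namedtuple

# Constructed stand-in for the module's configuration file.
CONFIG = {
    "identify_threads": {"TCP": 2, "UDP": 1},  # n TCP / m UDP identification threads
    "report_threads": {"TCP": 1, "UDP": 1},    # s TCP / t UDP result reporting threads
    "confidence_threshold": 0.8,               # results at or below this are dropped
    "max_flows_per_task": 2,                   # first preset value: flows per task
    "task_max_age": 5.0,                       # second preset value: task lifetime (s)
}
# Constructed stand-ins for the per-protocol models: P(abnormal) from one own-protocol feature.
MODELS = {"TCP": lambda f: min(f["syn_per_conn"] / 20.0, 1.0),
          "UDP": lambda f: min(f["pps"] / 1000.0, 1.0)}
# five_tuple = (src_ip, dst_ip, src_port, dst_port, proto); features come from the extractor.
Flow = namedtuple("Flow", "five_tuple features")

class Task:
    """One identification task: the flows of one protocol collected since `born`."""
    def __init__(self, proto, born):
        self.proto, self.flows, self.born = proto, [], born

class TaskListener:
    """Task monitoring thread logic: route each flow by the protocol in its five-tuple into
    that protocol's current task; seal it once it holds max_flows flows or is max_age old."""
    def __init__(self, task_queues, max_flows, max_age):
        self.task_queues, self.current = task_queues, {}
        self.max_flows, self.max_age = max_flows, max_age

    def receive(self, flow, now=None):
        now = time.monotonic() if now is None else now
        proto = flow.five_tuple[4]
        task = self.current.get(proto) or Task(proto, now)
        self.current[proto] = task
        task.flows.append(flow)
        if len(task.flows) >= self.max_flows or now - task.born >= self.max_age:
            self.task_queues[proto].put(task)
            self.current[proto] = None
            return True                     # task sealed into the protocol's task queue
        return False

def identify(task, threshold):
    """Identification core: keep five-tuples the task's own model calls abnormal above threshold."""
    hits = []
    for flow in task.flows:
        p = MODELS[task.proto](flow.features)
        label, conf = ("abnormal", p) if p >= 0.5 else ("normal", 1.0 - p)
        if label == "abnormal" and conf > threshold:
            hits.append((flow.five_tuple, conf))
    return hits

def worker(q, handle, stop):
    """Shared thread body: block on the queue (timeout so stop is noticed), handle one item."""
    while not stop.is_set():
        try:
            item = q.get(timeout=0.05)
        except queue.Empty:
            continue
        handle(item)
        q.task_done()                       # lets Queue.join() track completion

class AbnormalTrafficModule:
    """Management thread logic: create the configured threads per protocol and own the shared
    queues. A slow platform stalls only that protocol's reporting threads, never identification."""
    def __init__(self, config):
        self.stop, self.threads, self.reported = threading.Event(), [], []
        self.task_q = {p: queue.Queue() for p in ("TCP", "UDP")}
        self.report_q = {p: queue.Queue() for p in ("TCP", "UDP")}
        lock, thr = threading.Lock(), config["confidence_threshold"]
        def report(item):                   # stand-in for the upload to the management platform
            with lock:
                self.reported.append(item)
        for p in ("TCP", "UDP"):
            def on_task(task, p=p):         # identification handler for protocol p
                hits = identify(task, thr)
                if hits:                    # empty results never become report tasks
                    self.report_q[p].put((p, hits))
            jobs = [(self.task_q[p], on_task)] * config["identify_threads"][p]
            jobs += [(self.report_q[p], report)] * config["report_threads"][p]
            self.threads += [threading.Thread(target=worker, args=(q, h, self.stop), daemon=True)
                             for q, h in jobs]
        self.listener = TaskListener(self.task_q, config["max_flows_per_task"], config["task_max_age"])
        for t in self.threads: t.start()

    def run(self, flows):
        """Feed flows in, wait for all tasks and then all reports, stop, return sorted results."""
        for flow in flows: self.listener.receive(flow)
        for q in (*self.task_q.values(), *self.report_q.values()): q.join()
        self.stop.set()
        for t in self.threads: t.join()
        return sorted(self.reported)

# Constructed sample flows: each protocol fills exactly one task of two flows.
SAMPLE_FLOWS = [
    Flow(("10.0.0.5", "10.0.0.9", 40001, 443, "TCP"), {"syn_per_conn": 18}),  # 0.90: reported
    Flow(("10.0.0.7", "10.0.0.9", 40003, 443, "TCP"), {"syn_per_conn": 12}),  # 0.60: too low
    Flow(("10.0.0.8", "10.0.0.9", 50001, 53, "UDP"), {"pps": 950}),           # 0.95: reported
    Flow(("10.0.0.8", "10.0.0.9", 50002, 53, "UDP"), {"pps": 100}),           # 0.10: normal
]
```

`AbnormalTrafficModule(CONFIG).run(SAMPLE_FLOWS)` returns one TCP and one UDP report; a task whose flows are all normal or below the confidence threshold produces no report at all.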
An abnormal traffic identification device provided by an embodiment of the present application is described below; the device described here and the method described above may be referred to each other.
Referring to FIG. 9, a structural diagram of an abnormal traffic identification device according to an exemplary embodiment, the device includes:
a first determining unit 901, configured to read configuration information to determine the number of TCP traffic identification threads and the number of UDP traffic identification threads;
a first creating unit 902, configured to create TCP traffic identification threads according to the number of TCP traffic identification threads and UDP traffic identification threads according to the number of UDP traffic identification threads;
an identification unit 903, configured to use the TCP traffic identification threads to identify abnormal TCP traffic and the UDP traffic identification threads to identify abnormal UDP traffic.
The abnormal traffic identification device provided by this embodiment splits abnormal-traffic identification for TCP and for UDP into independent threads: a TCP traffic identification thread and a UDP traffic identification thread are created separately, the TCP thread identifies abnormal TCP traffic and the UDP thread identifies abnormal UDP traffic. This avoids the low identification accuracy caused by feature penetration between protocols when TCP and UDP traffic are identified together. Furthermore, the volumes of TCP and UDP traffic can differ greatly across geographic regions and identification time periods, so the number of TCP identification threads and the number of UDP identification threads can be configured separately in advance through configuration information. This achieves the best identification effect for a given region and time period while avoiding the excessive resource consumption of opening too many threads.
Building on the above embodiment, in a preferred implementation neither the TCP traffic identification thread nor the UDP traffic identification thread includes a result reporting function, and the abnormal traffic identification module further includes a result reporting thread;
Correspondingly, the device further includes:
a second creating unit, configured to create the result reporting thread;
a reporting unit, configured to use the result reporting thread to report the identification results of the TCP and UDP traffic identification threads to the management platform.
Building on the above embodiment, in a preferred implementation the device further includes:
a second determining unit, configured to read configuration information to determine the number of result reporting threads;
Correspondingly, the second creating unit is specifically configured to create result reporting threads according to the number of result reporting threads.
Building on the above embodiment, in a preferred implementation the result reporting thread includes a TCP traffic result reporting thread and a UDP traffic result reporting thread;
Correspondingly, the second determining unit is specifically configured to determine the number of TCP traffic result reporting threads and the number of UDP traffic result reporting threads;
Correspondingly, the second creating unit is specifically configured to create TCP traffic result reporting threads according to the number of TCP traffic result reporting threads and UDP traffic result reporting threads according to the number of UDP traffic result reporting threads;
Correspondingly, the reporting unit is specifically configured to use the TCP traffic result reporting thread to report the TCP traffic identification thread's TCP traffic identification results to the management platform, and the UDP traffic result reporting thread to report the UDP traffic identification thread's UDP traffic identification results to the management platform.
Building on the above embodiment, in a preferred implementation the device further includes:
an adjustment unit, configured to obtain, at regular intervals, the proportion of idle threads among the TCP traffic identification threads and among the UDP traffic identification threads, and to increase or decrease the corresponding number of threads according to the idle proportions obtained.
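The adjustment unit's idle-proportion scaling, as an added Python example that is not from the application: PoolSample, POLICY (the idle band and the thread-count bounds), sample_pool and plan_adjustment are constructed assumptions, since the application does not say how an idle proportion maps to a change in thread count.

```python
import threading
from collections import namedtuple

# Constructed snapshot of one identification thread pool.
PoolSample = namedtuple("PoolSample", "proto total idle")

# Constructed policy parameters (not from the application): each pool stays within
# [min_threads, max_threads], and only idle proportions outside the (low, high) band
# trigger a change, so one noisy sample does not make the pool oscillate.
POLICY = {"min_threads": 1, "max_threads": 8, "low_idle": 0.2, "high_idle": 0.7, "step": 1}

def sample_pool(proto, busy_flags):
    """Build a PoolSample from the busy flag each identification thread sets while it
    processes a task and clears while it waits on its task queue."""
    idle = sum(1 for busy in busy_flags if not busy.is_set())
    return PoolSample(proto, len(busy_flags), idle)

def plan_adjustment(samples, policy=POLICY):
    """Return {proto: delta}: grow a pool whose idle proportion is below low_idle
    (its threads are saturated), shrink one above high_idle (threads are wasted),
    and never step outside the configured bounds."""
    plan = {}
    for s in samples:
        idle_ratio = s.idle / s.total if s.total else 1.0
        if idle_ratio < policy["low_idle"] and s.total < policy["max_threads"]:
            plan[s.proto] = min(policy["step"], policy["max_threads"] - s.total)
        elif idle_ratio > policy["high_idle"] and s.total > policy["min_threads"]:
            plan[s.proto] = -min(policy["step"], s.total - policy["min_threads"])
        else:
            plan[s.proto] = 0
    return plan
```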
Building on the above embodiment, in a preferred implementation the abnormal traffic identification module further includes a task monitoring thread, and the device further includes:
a receiving unit, configured to use the task monitoring thread to continuously receive feature data in units of flows from the feature extraction module and to determine the protocol type of the traffic, where each flow corresponds one-to-one to a five-tuple;
a first adding unit, configured to create, when a first preset condition is met, a TCP traffic identification task from the received TCP-type feature data and add it to the TCP traffic identification task queue, where the first preset condition is that the number of flows in the task reaches a first preset value or the task lifetime reaches a second preset value;
a second adding unit, configured to create, when a second preset condition is met, a UDP traffic identification task from the received UDP-type feature data and add it to the UDP traffic identification task queue, where the second preset condition is that the number of flows in the task reaches the first preset value or the task lifetime reaches the second preset value;
Correspondingly, the identification unit 903 is specifically configured to use the TCP traffic identification threads to take TCP traffic identification tasks from the TCP traffic identification task queue and identify abnormal TCP traffic from the feature data in each task taken, and to use the UDP traffic identification threads to take UDP traffic identification tasks from the UDP traffic identification task queue and identify abnormal UDP traffic from the feature data in each task taken.
Building on the above embodiment, in a preferred implementation the receiving unit is specifically configured to use the task monitoring thread to continuously receive feature data in units of flows from the feature extraction module and to determine the protocol type of the traffic from the flow's five-tuple or from a custom data format used when communicating with the feature extraction module.
The device in the above embodiment consists of software function modules; the specific way each module performs its operations has been described in detail in the method embodiments and is not repeated here.
Based on the hardware implementation of the above program modules, and to implement the method of the embodiments, an embodiment of the present application also provides an electronic device. It may be a single hardware entity (such as a gateway) or a cloud computing platform made up of multiple pieces of computer hardware; in the latter case, each method of the present application is executed across the multiple hardware entities after they are pooled into a whole.
FIG. 10 is a structural diagram of an electronic device, taking a single hardware entity as an example. As shown in FIG. 10, the electronic device includes:
a communication interface 1, capable of exchanging information with other devices such as network devices;
a processor 2, connected to the communication interface 1 to exchange information with other devices and configured, when running a computer program, to execute the abnormal traffic identification method provided by one or more of the above technical solutions. The computer program is stored in a memory 3.
In practice, of course, the components of the electronic device are coupled together by a bus system 4. It will be understood that the bus system 4 provides the connections and communication between these components. In addition to a data bus, the bus system 4 includes a power bus, a control bus and a status signal bus; for clarity, all of these are labelled bus system 4 in FIG. 10.
The memory 3 in this embodiment stores various types of data to support the operation of the electronic device, for example any computer program that runs on the electronic device.
可以理解,存储器3可以是易失性存储器或非易失性存储器,也可包括易失性和非易失性存储器两者。其中,非易失性存储器可以是只读存储器(ROM,Read Only Memory)、可编程只读存储器(PROM,Programmable Read-Only Memory)、可擦除可编程只读存储器(EPROM,Erasable Programmable Read-Only Memory)、电可擦除可编程只读存储器(EEPROM,Electrically Erasable Programmable Read-Only Memory)、磁性随机存取存储器(FRAM,ferromagnetic random access memory)、快闪存储器(Flash Memory)、磁表面存储器、光盘、或只读光盘(CD-ROM,Compact Disc Read-Only Memory);磁表面存储器可以是磁盘存储器或磁带存储器。易失性存储器可以是随机存取存储器(RAM,Random AccessMemory),其用作外部高速缓存。通过示例性但不是限制性说明,许多形式的RAM可用,例如静态随机存取存储器(SRAM,Static Random Access Memory)、同步静态随机存取存储器(SSRAM,Synchronous Static Random Access Memory)、动态随机存取存储器(DRAM,Dynamic Random Access Memory)、同步动态随机存取存储器(SDRAM,SynchronousDynamic Random Access Memory)、双倍数据速率同步动态随机存取存储器(DDRSDRAM,Double Data Rate Synchronous Dynamic Random Access Memory)、增强型同步动态随机存取存储器(ESDRAM,Enhanced Synchronous Dynamic Random Access Memory)、同步连接动态随机存取存储器(SLDRAM,SyncLink Dynamic Random Access Memory)、直接内存总线随机存取存储器(DRRAM,Direct Rambus Random Access Memory)。本申请实施例描述的存储器3旨在包括但不限于这些和任意其它适合类型的存储器。It can be understood that the
上述本申请实施例揭示的方法可以应用于处理器2中,或者由处理器2实现。处理器2可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过处理器2中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器2可以是通用处理器、DSP,或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。处理器2可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤,可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中,该存储介质位于存储器3,处理器2读取存储器3中的程序,结合其硬件完成前述方法的步骤。The methods disclosed in the foregoing embodiments of the present application may be applied to the
处理器2执行所述程序时实现本申请实施例的各个方法中的相应流程,为了简洁,在此不再赘述。When the
In an exemplary embodiment, an embodiment of the present application further provides a storage medium, that is, a computer storage medium, specifically a computer-readable storage medium, for example including the memory 3 storing a computer program, where the computer program is executable by the processor 2 to complete the steps of the foregoing methods. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc or CD-ROM.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the above method embodiments may be completed by hardware related to program instructions. The foregoing program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the foregoing storage medium includes various media capable of storing program code, such as removable storage devices, ROM, RAM, magnetic disks or optical discs.
Alternatively, if the above integrated units of the present application are implemented in the form of software function modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause an electronic device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the various embodiments of the present application. The foregoing storage medium includes various media capable of storing program code, such as removable storage devices, ROM, RAM, magnetic disks or optical discs.
The above are merely specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed in the present application, and these should all fall within the protection scope of the present application. Therefore, the protection scope of the present application should be determined by the protection scope of the claims.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310150055.XA (published as CN116132370A) | 2023-02-14 | 2023-02-14 | Abnormal flow identification method and device, electronic equipment and storage medium |
| Publication Number | Publication Date |
|---|---|
| CN116132370A | 2023-05-16 |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |