CN107222497A - Network traffic anomaly monitor method and electronic equipment - Google Patents

Info

Publication number: CN107222497A
Application number: CN201710524847.3A
Authority: CN (China)
Legal status: Granted (Active)
Other languages: Chinese (zh)
Other versions: CN107222497B (en)
Inventor: 王文韬
Current Assignee: Lenovo Beijing Ltd
Original Assignee: Lenovo Beijing Ltd
Prior art keywords: moment, flow, value, network traffic, abnormal

Classifications

All under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, H04L63/14, H04L63/00)
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (under H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14, H04L63/00)

Abstract

This application provides a network traffic anomaly monitoring method and an electronic device. The flow value corresponding to each moment is obtained, together with a first flow trend describing how the flow value changes over time. An assumed abnormal moment, corresponding to an assumed anomaly point, is determined from at least two moments belonging to the moments. In each cycle the following step is performed: according to the first flow trend, the abnormal probability of each moment is obtained for the case where the flow value at the assumed abnormal moment is an abnormal network traffic value. When the number of cycles equals the number of the at least two moments, the loop ends; the abnormal probabilities of the same moment across the different cycles are then added to obtain the network traffic anomaly probability of each moment, from which the target network traffic anomaly moment can be determined. Because the target moment is determined by comparing the moments with one another rather than with historical network traffic, network traffic in a new or changed network environment can be monitored for anomalies.

Description

Network traffic anomaly monitoring method and electronic device
Technical field
This application relates to the technical field of network security monitoring, and more particularly to a network traffic anomaly monitoring method and an electronic device.
Background
Network security requirements are increasingly high, and whether a network environment is secure can be judged by monitoring network traffic.
At present, network traffic is monitored by manually setting a reasonable threshold based on historical network traffic; if the current network traffic exceeds the threshold, the current network traffic is determined to be abnormal.
Because this monitoring is based on historical network traffic, it cannot determine whether network traffic in a new or changed network environment is abnormal.
Summary of the invention
In view of this, the invention provides a network traffic anomaly monitoring method and an electronic device, to overcome the problem in the prior art that, because network traffic monitoring is based on historical network traffic, it cannot be determined whether network traffic in a new or changed network environment is abnormal.
To achieve the above object, the present invention provides the following technical solution:
A network traffic anomaly monitoring method, comprising:
Obtaining the flow value corresponding to each moment;
According to the flow value corresponding to each moment, obtaining a first flow trend describing how the flow value changes over time;
Determining, from at least two moments belonging to the moments, the assumed abnormal moment corresponding to an assumed anomaly point;
According to the first flow trend, obtaining, for the case where the flow value corresponding to the assumed abnormal moment is an abnormal network traffic value, the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value;
Returning to the step of determining, from at least two moments belonging to the moments, the assumed abnormal moment corresponding to an assumed anomaly point, until the number of cycles equals the number of the at least two moments, wherein the assumed abnormal moments determined in different cycles are different;
Adding the abnormal probabilities that belong to the same moment in the different cycles to obtain the network traffic anomaly probability corresponding to each moment;
According to the network traffic anomaly probability corresponding to each moment, determining the target network traffic anomaly moment from the moments.
An electronic device, comprising:
A first acquisition module, for obtaining the flow value corresponding to each moment;
A second acquisition module, for obtaining, according to the flow value corresponding to each moment, a first flow trend describing how the flow value changes over time;
A first determining module, for determining, from at least two moments belonging to the moments, the assumed abnormal moment corresponding to an assumed anomaly point;
A third acquisition module, for obtaining, according to the first flow trend and for the case where the flow value corresponding to the assumed abnormal moment is an abnormal network traffic value, the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value;
A return module, for returning to the first determining module until the number of cycles equals the number of the at least two moments, wherein the assumed abnormal moments determined in different cycles are different;
A fourth acquisition module, for adding the abnormal probabilities that belong to the same moment in the different cycles to obtain the network traffic anomaly probability corresponding to each moment;
A second determining module, for determining, according to the network traffic anomaly probability corresponding to each moment, the target network traffic anomaly moment from the moments.
An electronic device, comprising:
A memory, for storing a program;
A processor, for executing the program, the program being specifically for:
Obtaining the flow value corresponding to each moment;
According to the flow value corresponding to each moment, obtaining a first flow trend describing how the flow value changes over time;
Determining, from at least two moments belonging to the moments, the assumed abnormal moment corresponding to an assumed anomaly point;
According to the first flow trend, obtaining, for the case where the flow value corresponding to the assumed abnormal moment is an abnormal network traffic value, the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value;
Returning to the step of determining, from at least two moments belonging to the moments, the assumed abnormal moment corresponding to an assumed anomaly point, until the number of cycles equals the number of the at least two moments, wherein the assumed abnormal moments determined in different cycles are different;
Adding the abnormal probabilities that belong to the same moment in the different cycles to obtain the network traffic anomaly probability corresponding to each moment;
According to the network traffic anomaly probability corresponding to each moment, determining the target network traffic anomaly moment from the moments.
As can be seen from the above technical solution, compared with the prior art, the embodiments of the invention provide a network traffic anomaly monitoring method. The flow value corresponding to each moment is obtained, together with the first flow trend describing how the flow value changes over time. An assumed abnormal moment corresponding to an assumed anomaly point is determined from at least two moments belonging to the moments, and for the assumed abnormal moment of each cycle the following step is performed: according to the first flow trend, obtain, for the case where the flow value corresponding to the assumed abnormal moment is an abnormal network traffic value, the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value. When the number of cycles equals the number of the at least two moments, the loop ends; the abnormal probabilities of the same moment across the different cycles are then added to obtain the network traffic anomaly probability corresponding to each moment. The target network traffic anomaly moment is then determined from the moments according to these probabilities. In determining the target network traffic anomaly moment, the moments are compared with one another rather than with historical network traffic, so it is possible to monitor whether network traffic in a new or changed network environment is abnormal.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a flow chart of a network traffic anomaly monitoring method provided by an embodiment of this application;
Fig. 2 is a flow chart of one implementation, provided by an embodiment of this application, of obtaining, according to the first flow trend and for the case where the flow value corresponding to the assumed abnormal moment is an abnormal network traffic value, the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value;
Fig. 3 is a structural diagram of an electronic device provided by an embodiment of this application;
Fig. 4 is an internal structure diagram of the electronic device provided by an embodiment of this application.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
With the development of the Internet, network traffic has grown rapidly and the Internet has become an indispensable information carrier. At the same time, abnormal traffic that deviates from the normal range frequently appears in network traffic. It is mainly caused by malicious network attacks such as worm propagation, DoS attacks, DDoS attacks and botnets, and by network configuration errors, sporadic line interruptions and the like. Such abnormal traffic often causes the service quality of the whole network to drop sharply and directly paralyses the victim hosts and networks. How to detect network anomalies in a network environment is therefore significant for guaranteeing normal network operation.
Current network traffic anomaly monitoring methods determine the normal range of network traffic from historical network traffic data. During normal operation, the flow value at each moment is compared with the normal range, and if the flow value exceeds the normal range, that moment is considered a network traffic anomaly moment. However, if the network environment changes, the normal range of network traffic also changes, and in the initial period after the change there is no historical network traffic data, so network traffic cannot be monitored during that period. Whenever the network environment changes or a new network environment appears, network anomaly detection cannot be performed while historical traffic data is still being accumulated, which leaves a serious security risk.
Therefore, the embodiments of this application provide a network traffic anomaly monitoring method that compares, in real time, the flow values corresponding to the obtained moments with one another to obtain the probability that each moment is a network traffic anomaly moment; the target network traffic anomaly moment is then determined from the moments based on the network traffic anomaly probability corresponding to each moment. The method does not depend on historical network traffic data and can therefore be applied to any network environment, including a changed or new network environment, so that network traffic anomaly monitoring can be carried out at every stage of a network environment.
Fig. 1 shows a flow chart of a network traffic anomaly monitoring method provided by an embodiment of this application. The method includes:
Step S101: Obtain the flow value corresponding to each moment.
Preferably, step S101 obtains the flow value corresponding to each moment in real time. The flow value corresponding to each moment is the real flow value produced in real time during normal operation.
Step S102: According to the flow value corresponding to each moment, obtain the first flow trend describing how the flow value changes over time.
The first flow trend characterizes the pattern by which the flow value changes over time.
Because the first flow trend has to be derived from the flow values, the more flow values (one per moment) are obtained, the more accurate the calculated first flow trend is.
Assume that the moments comprise N moments in total, where N is any positive integer; preferably, N is greater than or equal to 30.
Assume N = 50 and that the moments are y1, y2, ..., y50, with corresponding flow values 1000, 1000, 1000, 5000, 1000, 1000, 1000, 1000, 1000, 1000, ..., 1000; only the flow value corresponding to moment y4 is 5000, and the flow value corresponding to every other moment is 1000.
From the flow values corresponding to the moments it can be seen that the first flow trend is close to a straight line. Two results can roughly be inferred from the first flow trend: one is that moment y4 is the network traffic anomaly moment; the other is that every moment other than y4 is a network traffic anomaly moment.
Step S103: Determine, from at least two moments belonging to the moments, the assumed abnormal moment corresponding to an assumed anomaly point.
Step S104: According to the first flow trend, obtain, for the case where the flow value corresponding to the assumed abnormal moment is an abnormal network traffic value, the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value.
To determine the most probable result among several possible cases, for example among the two inferred results above, an assumed anomaly point has to be set. Continuing the N = 50 example, assume that the "at least two moments" include moment y2 and moment y4; the flow value corresponding to y2 is 1000 and the flow value corresponding to y4 is 5000. Assume that in the first cycle the flow value 1000 corresponding to y2 is taken to be an abnormal network traffic value, that is, y2 is the assumed abnormal moment. Then the moments whose flow values share the characteristics of the flow value 1000 at y2 in the first flow trend have a larger probability of being network traffic anomaly moments, and the moments whose flow values have different characteristics have a smaller probability.
If the flow value 1000 corresponding to moment y2 is an abnormal network traffic value, then the probability that every moment other than y4 is a network traffic anomaly moment is very large, and the probability that y4 is a network traffic anomaly moment is very small. Conversely, if the flow value 5000 corresponding to moment y4 is assumed to be abnormal, the probability that the other moments are network traffic anomaly moments is very small.
In summary, the probability that each moment is a network anomaly moment depends strongly on which moment is assumed to be the abnormal moment. Moreover, since it is not known which moment is the network traffic anomaly moment, every moment may be one; therefore, preferably, the number H of moments included in the at least two moments in step S103 equals N.
Step S105: Judge whether the current number of cycles equals the number of the at least two moments; if so, perform step S106, otherwise return to step S103.
The assumed abnormal moments determined in different cycles are different.
Assuming that the at least two moments comprise H moments, the number of cycles is H, and each cycle uses a different assumed abnormal moment. For example, moment y2 may be the assumed abnormal moment in the first cycle and moment y4 in the second cycle.
Step S106: Add the abnormal probabilities that belong to the same moment in the different cycles to obtain the network traffic anomaly probability corresponding to each moment.
For ease of understanding, an example with H = 3 and N = 5 is given below.
Assume that the moments are y1, y2, y3, y4 and y5, and that the at least two moments are y2, y3 and y4.
In the first cycle, moment y2 is assumed to be the network traffic anomaly moment; the abnormal probabilities obtained are 0.09 for y1, 1 for y2, 0.3 for y3, 0.2 for y4 and 0.4 for y5.
In the second cycle, moment y3 is assumed to be the network traffic anomaly moment; the abnormal probabilities obtained are 0.2 for y1, 0.1 for y2, 1 for y3, 0.2 for y4 and 0.4 for y5.
In the third cycle, moment y4 is assumed to be the network traffic anomaly moment; the abnormal probabilities obtained are 0.3 for y1, 0.2 for y2, 0.1 for y3, 1 for y4 and 0.4 for y5.
The network traffic anomaly probabilities $P(y_l)$ ($l = 1, 2, 3, 4, 5$) corresponding to the moments are then:
$P(y_1) = 0.09 + 0.2 + 0.3 = 0.59$; $P(y_2) = 1 + 0.1 + 0.2 = 1.3$; $P(y_3) = 0.3 + 1 + 0.1 = 1.4$; $P(y_4) = 0.2 + 0.2 + 1 = 1.4$; $P(y_5) = 0.4 + 0.4 + 0.4 = 1.2$.
Step S107: According to the network traffic anomaly probability corresponding to each moment, determine the target network traffic anomaly moment from the moments.
Because the network traffic anomaly probability of some moments may be greater than 1, the probabilities corresponding to the moments can be normalized so that each of them is less than 1.
Step S107 can specifically include: determining, from the moments, the target moment whose network traffic anomaly probability is greater than or equal to a preset threshold, and taking that target moment as the target network traffic anomaly moment.
The embodiments of the invention provide a network traffic anomaly monitoring method. The flow value corresponding to each moment is obtained, together with the first flow trend describing how the flow value changes over time. An assumed abnormal moment corresponding to an assumed anomaly point is determined from at least two moments belonging to the moments, and for the assumed abnormal moment of each cycle the following step is performed: according to the first flow trend, obtain, for the case where the flow value corresponding to the assumed abnormal moment is an abnormal network traffic value, the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value. When the number of cycles equals the number of the at least two moments, the loop ends; the abnormal probabilities of the same moment across the different cycles are then added to obtain the network traffic anomaly probability corresponding to each moment. The target network traffic anomaly moment is then determined from the moments according to these probabilities. In determining the target network traffic anomaly moment, the moments are compared with one another rather than with historical network traffic, so the method is suitable for any network environment.
In the embodiments of this application, "according to the flow value corresponding to each moment, obtaining the first flow trend describing how the flow value changes over time" includes: according to the flow value corresponding to each moment, obtaining the probability distribution that the flow values follow. The distribution may be a distribution model.
A suitable distribution model can be chosen according to the specific characteristics of the network traffic to fit the local network traffic (the flow values corresponding to the moments in step S101 are the local network traffic). The distribution model must be able to describe the characteristics of the local network traffic time series and must pass a distribution-model test on the local network traffic, such as the general Pearson test, or a test for a specific distribution model, for example the W test or D test for the normal distribution. Common distribution models such as the Poisson distribution model and the normal distribution model can be used to fit the local network traffic.
Fig. 2 shows a flow chart of one implementation, provided by an embodiment of this application, of obtaining, according to the first flow trend and for the case where the flow value corresponding to the assumed abnormal moment is an abnormal network traffic value, the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value. The method includes:
Step S201: Take the assumed abnormal moment as the time division point.
Step S202: According to the time division point, divide the flow values corresponding to the moments into a first flow combination and a second flow combination, where the first flow combination comprises the flow values of the moments less than or equal to the time division point and the second flow combination comprises the flow values of the moments greater than the time division point.
Step S203: Based on a second flow trend describing how the flow values in the second flow combination change over time, determine the abnormal probability that the flow value corresponding to each moment is an abnormal network traffic value.
It can be understood that during operation most flow values are relatively stable, but spike flow values are produced from time to time; these spike flow values are called burr-type data. Burr-type data are flow values at which an anomaly occurs.
Step S203 can specifically include:
First, obtain, for the case where the assumed abnormal moment is a network traffic anomaly point, the joint probability that the flow values corresponding to the moments in the second flow combination occur together.
Assume that the N moments are $y_1, y_2, \ldots, y_N$ and that M network anomaly points occur among these N moments. These M network anomaly points are called change points (changepoints): the first network anomaly point (first change point), the second network anomaly point (second change point), ..., the M-th network anomaly point (M-th change point). Assume that these M network anomaly points occur at moments $\tau_1, \tau_2, \ldots, \tau_M$, where $0 < \tau_1 < \tau_2 < \ldots < \tau_M$, $1 \le M \le N$, and $\tau_1, \tau_2, \ldots, \tau_M \in [y_1, y_2, \ldots, y_N]$.
Suppose the assumed abnormal moment t is a change point; then the probability that all flow values from the next moment to the last moment occur together is the joint probability Q(t). Its calculation formula can be as follows; the embodiments of this application provide but are not limited to the following formula:
$\Pr(y_{t:N},\ \text{no further changepoint}) = P(t, N)\,(1 - G(N - t))$.
Here g(t) denotes the probability that the time interval between two consecutive change points is t; a further expression (missing from this text) denotes the probability that two change points occur in succession within time t; P(t, s) denotes the probability that the flow values corresponding to the moments within the same segment occur together (the s in the formula is short for segment); the initial-moment probability is $Q(N-1) = P(N-1, N)$.
g(t) can be calculated with the negative binomial distribution. Assuming that the probability that a change point occurs is p, the formula for the probability of exactly 2 occurrences within time t is as follows (formula missing from this text), where k = 2.
Second, based on the joint probability and the flow value corresponding to the assumed abnormal moment, determine the probability that the j-th network anomaly point occurs at each moment in a third flow combination. The third flow combination comprises the flow values of the moments whose position among the N moments is greater than or equal to j, with j ranging from 1 to N.
The following takes as an example the calculation of the probability Pcp(1, t) that the first network anomaly point $\tau_1$ occurs at moment t in the third flow combination; the embodiments of this application provide but are not limited to the following formula:
$\Pr(\tau_j \mid \tau_{j-1}, y_{1:N}) = P(\tau_{j-1}+1, \tau_j)\,Q(\tau_j+1)\,g(\tau_j - \tau_{j-1}) \,/\, Q(\tau_{j-1}+1)$
From this formula the probability Pcp(j, t), that is, the probability that the j-th network anomaly point occurs at moment t, can be obtained.
Third, add the probabilities that the same moment is a network anomaly point to obtain the abnormal probability corresponding to each moment.
The abnormal probability corresponding to a moment t = Pcp(1, t) + Pcp(2, t) + Pcp(3, t) + Pcp(4, t) + ... + Pcp(M, t).
The embodiments of this application restrict the calculation to "the probability that the j-th network anomaly point occurs at each moment in the third flow combination" for the following reason: the first j-1 moments may be the moments at which the 1st, the 2nd, ..., or the (j-1)-th network anomaly point occurs, but cannot be the moment at which the j-th network anomaly point occurs. The probability that the j-th network anomaly point occurs at moments 1 to j-1 is therefore 0, so only the probability that the j-th network anomaly point occurs at each moment in the third flow combination needs to be calculated.
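The three steps above, run on the N = 50 series from the description (every flow value 1000 except 5000 at y4), as an added example that is not code from the patent. The formulas missing from this text are filled in with the standard exact Bayesian change-point recursion; the Gaussian segment likelihood, the shifted k = 2 negative binomial gap, the parameter values, the 0.5 threshold and all function names are assumptions.

```python
import math

# Constructed from the description's example: N = 50, every flow value is
# 1000 except the one at moment y4, which is 5000.
FLOWS = [1000.0] * 50
FLOWS[3] = 5000.0


def logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


def changepoint_probabilities(y, sigma, mu0, tau0, p):
    """Return {moment: probability that a change point falls on that moment}.

    Moments are 1-based; a change point at moment s means a segment ends at s.
    Assumptions (not from the patent): Gaussian flow values with known noise
    sigma, a N(mu0, tau0^2) prior on each segment level, and a k = 2 negative
    binomial gap between change points, shifted so that a gap of 1 is allowed.
    """
    n = len(y)
    s1, s2 = [0.0], [0.0]          # prefix sums of (y - mu0) and (y - mu0)^2
    for v in y:
        s1.append(s1[-1] + (v - mu0))
        s2.append(s2[-1] + (v - mu0) ** 2)

    def log_P(t, s):
        """log P(t, s): marginal likelihood of moments t..s as one segment."""
        m = s - t + 1
        a, b = s1[s] - s1[t - 1], s2[s] - s2[t - 1]
        quad = b - tau0 ** 2 * a * a / (sigma ** 2 + m * tau0 ** 2)
        return (-0.5 * m * math.log(2 * math.pi * sigma ** 2)
                - 0.5 * math.log1p(m * tau0 ** 2 / sigma ** 2)
                - quad / (2 * sigma ** 2))

    log_q = math.log1p(-p)

    def log_g(d):
        """log g(d): the gap between consecutive change points is exactly d."""
        return math.log(d) + 2 * math.log(p) + (d - 1) * log_q

    def log_survival(d):
        """log(1 - G(d)): no further change point within the next d moments."""
        return d * log_q + math.log1p(d * p)

    # Step one: backward recursion for Q(t). The last term of each sum is the
    # page's P(t, N)(1 - G(N - t)).
    log_Q = [0.0] * (n + 2)
    for t in range(n, 0, -1):
        terms = [log_P(t, s) + log_Q[s + 1] + log_g(s + 1 - t)
                 for s in range(t, n)]
        terms.append(log_P(t, n) + log_survival(n - t))
        log_Q[t] = logsumexp(terms)

    def transition(r, s):
        """Pr(tau_j = s | tau_{j-1} = r, y_{1:N}); r = 0 is the series start."""
        return math.exp(log_P(r + 1, s) + log_Q[s + 1] + log_g(s - r)
                        - log_Q[r + 1])

    # Steps two and three: Pcp(j, s) for j = 1, 2, ..., summed over j.
    total = [0.0] * (n + 1)
    pcp = [1.0] + [0.0] * n        # Pcp(0, .): virtual change point at 0
    for j in range(1, n):
        nxt = [0.0] * (n + 1)
        # The (j-1)-th change point cannot lie before moment j-1, so the
        # j-th cannot occur at moments 1..j-1.
        for r in range(j - 1, n - 1):
            if pcp[r] == 0.0:
                continue
            for s in range(r + 1, n):
                nxt[s] += pcp[r] * transition(r, s)
        for s in range(1, n):
            total[s] += nxt[s]
        pcp = nxt
        if sum(nxt) < 1e-12:       # a j-th change point is now negligible
            break
    return {s: total[s] for s in range(1, n + 1)}


def anomaly_moments(probs, threshold):
    """Step S107: moments whose probability reaches the preset threshold."""
    return sorted(m for m, v in probs.items() if v >= threshold)


if __name__ == "__main__":
    probs = changepoint_probabilities(FLOWS, sigma=200.0, mu0=1000.0,
                                      tau0=2000.0, p=0.1)
    print(anomaly_moments(probs, 0.5))
```

A one-sample spike produces two change points, so the flagged moments are the segment boundaries y3 and y4 on either side of the 5000 value, found without any historical baseline.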
The embodiment of the present application further provides an electronic device comprising a virtual apparatus corresponding to the network traffic anomaly detection method. Fig. 3 is a structural diagram of an electronic device provided by the embodiment of the present application; the electronic device includes:
a first acquisition module 31, configured to obtain the flow value corresponding to each moment;
a second acquisition module 32, configured to obtain, according to the flow value corresponding to each moment, a first flow trend of the flow values over time;
a first determining module 33, configured to determine, from at least two moments belonging to the moments, the hypothetical abnormal moment corresponding to a hypothetical abnormal point;
a third acquisition module 34, configured to obtain, according to the first flow trend, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value in the case where the flow value corresponding to the hypothetical abnormal moment is a network traffic abnormal value;
a return module 35, configured to return to the first determining module 33 until the number of cycles equals the number of the at least two moments, wherein the hypothetical abnormal moments determined in different cycles are different;
a fourth acquisition module 36, configured to add the abnormal probabilities belonging to the same moment in different cycles, to obtain the network traffic abnormal probability corresponding to each moment;
a second determining module 37, configured to determine a target network traffic abnormal moment from the moments according to the network traffic abnormal probability corresponding to each moment.
Optionally, the third acquisition module 34 includes:
a first determining unit, configured to determine the hypothetical abnormal moment as a time cut-off;
a division unit, configured to divide, according to the time cut-off, the flow values corresponding to the moments into a first flow combination and a second flow combination, wherein the first flow combination includes the flow values corresponding to moments less than or equal to the time cut-off, and the second flow combination includes the flow values corresponding to moments greater than the time cut-off;
a second determining unit, configured to determine, based on a second flow trend of the flow values included in the second flow combination over time, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value.
Optionally, the moments include N moments, N being a positive integer greater than a preset value, and the second determining unit includes:
a first obtaining subunit, configured to obtain, in the case where the hypothetical abnormal moment is a network traffic abnormal point, the joint probability that the flow values corresponding to the moments included in the second flow combination occur together;
a first determining subunit, configured to determine, based on the joint probability and the flow value corresponding to the hypothetical abnormal moment, the probability that the j-th network anomaly point occurs at each moment in a third flow combination, wherein the third flow combination includes the flow values corresponding to the moments whose sequence number among the N moments is greater than or equal to j, and j takes values from 1 to N;
a second obtaining subunit, configured to add the probabilities that the same moment is a network anomaly point, to obtain the abnormal probability corresponding to each moment.
Optionally, the second acquisition module 32 is specifically configured to:
obtain, according to the flow value corresponding to each moment, the probability distribution that the flow values satisfy.
Optionally, the second determining module 37 includes:
a third determining unit, configured to determine, from the moments, the target moment whose network traffic abnormal probability is greater than or equal to a preset threshold;
a fourth determining unit, configured to determine the target moment as the target network traffic abnormal moment.
The embodiment of the present application further provides the internal structure of an electronic device. Fig. 4 is an internal structure diagram of the electronic device provided by the embodiment of the present application. The electronic device may be a terminal device such as a smartphone, a server, or a computer, and may include:
a memory 41, configured to store a program;
The program may include program code, and the program code includes computer operation instructions.
The memory 41 may include high-speed RAM, and may also include non-volatile memory, for example at least one magnetic disk storage device.
a processor 42, configured to execute the program, the program being specifically configured to:
obtain the flow value corresponding to each moment;
obtain, according to the flow value corresponding to each moment, a first flow trend of the flow values over time;
determine, from at least two moments belonging to the moments, the hypothetical abnormal moment corresponding to a hypothetical abnormal point;
obtain, according to the first flow trend, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value in the case where the flow value corresponding to the hypothetical abnormal moment is a network traffic abnormal value;
return to the step of determining, from at least two moments belonging to the moments, the hypothetical abnormal moment corresponding to a hypothetical abnormal point, until the number of cycles equals the number of the at least two moments, wherein the hypothetical abnormal moments determined in different cycles are different;
add the abnormal probabilities belonging to the same moment in different cycles, to obtain the network traffic abnormal probability corresponding to each moment;
determine a target network traffic abnormal moment from the moments according to the network traffic abnormal probability corresponding to each moment.
The processor 42 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The electronic device may also include a communication interface 43 and a communication bus 44, wherein the memory 41, the processor 42 and the communication interface 43 communicate with one another via the communication bus 44.
Optionally, when obtaining, according to the first flow trend, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value in the case where the flow value corresponding to the hypothetical abnormal moment is a network traffic abnormal value, the processor is specifically configured to:
determine the hypothetical abnormal moment as a time cut-off;
divide, according to the time cut-off, the flow values corresponding to the moments into a first flow combination and a second flow combination, wherein the first flow combination includes the flow values corresponding to moments less than or equal to the time cut-off, and the second flow combination includes the flow values corresponding to moments greater than the time cut-off;
determine, based on a second flow trend of the flow values included in the second flow combination over time, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value.
Optionally, the moments include N moments, N being a positive integer greater than a preset value, and when determining, based on the second flow trend of the flow values included in the second flow combination over time, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value, the processor is specifically configured to:
obtain, in the case where the hypothetical abnormal moment is a network traffic abnormal point, the joint probability that the flow values corresponding to the moments included in the second flow combination occur together;
determine, based on the joint probability and the flow value corresponding to the hypothetical abnormal moment, the probability that the j-th network anomaly point occurs at each moment in a third flow combination, wherein the third flow combination includes the flow values corresponding to the moments whose sequence number among the N moments is greater than or equal to j, and j takes values from 1 to N;
add the probabilities that the same moment is a network anomaly point, to obtain the abnormal probability corresponding to each moment.
Optionally, when obtaining, according to the flow value corresponding to each moment, the first flow trend of the flow values over time, the processor is specifically configured to:
obtain, according to the flow value corresponding to each moment, the probability distribution that the flow values satisfy.
Optionally, when determining the target network traffic abnormal moment from the moments according to the network traffic abnormal probability corresponding to each moment, the processor is specifically configured to:
determine, from the moments, the target moment whose network traffic abnormal probability is greater than or equal to a preset threshold;
determine the target moment as the target network traffic abnormal moment.
Finally, it should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise", or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network traffic anomaly monitoring method, characterized by comprising:
obtaining the flow value corresponding to each moment;
obtaining, according to the flow value corresponding to each moment, a first flow trend of the flow values over time;
determining, from at least two moments belonging to the moments, the hypothetical abnormal moment corresponding to a hypothetical abnormal point;
obtaining, according to the first flow trend, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value in the case where the flow value corresponding to the hypothetical abnormal moment is a network traffic abnormal value;
returning to the step of determining, from at least two moments belonging to the moments, the hypothetical abnormal moment corresponding to a hypothetical abnormal point, until the number of cycles equals the number of the at least two moments, wherein the hypothetical abnormal moments determined in different cycles are different;
adding the abnormal probabilities belonging to the same moment in different cycles, to obtain the network traffic abnormal probability corresponding to each moment;
determining a target network traffic abnormal moment from the moments according to the network traffic abnormal probability corresponding to each moment.
2. The network traffic anomaly monitoring method according to claim 1, characterized in that obtaining, according to the first flow trend, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value in the case where the flow value corresponding to the hypothetical abnormal moment is a network traffic abnormal value comprises:
determining the hypothetical abnormal moment as a time cut-off;
dividing, according to the time cut-off, the flow values corresponding to the moments into a first flow combination and a second flow combination, wherein the first flow combination includes the flow values corresponding to moments less than or equal to the time cut-off, and the second flow combination includes the flow values corresponding to moments greater than the time cut-off;
determining, based on a second flow trend of the flow values included in the second flow combination over time, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value.
3. The network traffic anomaly monitoring method according to claim 2, characterized in that the moments include N moments, N being a positive integer greater than a preset value, and determining, based on the second flow trend of the flow values included in the second flow combination over time, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value comprises:
obtaining, in the case where the hypothetical abnormal moment is a network traffic abnormal point, the joint probability that the flow values corresponding to the moments included in the second flow combination occur together;
determining, based on the joint probability and the flow value corresponding to the hypothetical abnormal moment, the probability that the j-th network anomaly point occurs at each moment in a third flow combination, wherein the third flow combination includes the flow values corresponding to the moments whose sequence number among the N moments is greater than or equal to j, and j takes values from 1 to N;
adding the probabilities that the same moment is a network anomaly point, to obtain the abnormal probability corresponding to each moment.
4. The network traffic anomaly monitoring method according to claim 1, characterized in that obtaining, according to the flow value corresponding to each moment, the first flow trend of the flow values over time comprises:
obtaining, according to the flow value corresponding to each moment, the probability distribution that the flow values satisfy.
5. The network traffic anomaly monitoring method according to claim 1, characterized in that determining the target network traffic abnormal moment from the moments according to the network traffic abnormal probability corresponding to each moment comprises:
determining, from the moments, the target moment whose network traffic abnormal probability is greater than or equal to a preset threshold;
determining the target moment as the target network traffic abnormal moment.
6. An electronic device, characterized by comprising:
a first acquisition module, configured to obtain the flow value corresponding to each moment;
a second acquisition module, configured to obtain, according to the flow value corresponding to each moment, a first flow trend of the flow values over time;
a first determining module, configured to determine, from at least two moments belonging to the moments, the hypothetical abnormal moment corresponding to a hypothetical abnormal point;
a third acquisition module, configured to obtain, according to the first flow trend, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value in the case where the flow value corresponding to the hypothetical abnormal moment is a network traffic abnormal value;
a return module, configured to return to the first determining module until the number of cycles equals the number of the at least two moments, wherein the hypothetical abnormal moments determined in different cycles are different;
a fourth acquisition module, configured to add the abnormal probabilities belonging to the same moment in different cycles, to obtain the network traffic abnormal probability corresponding to each moment;
a second determining module, configured to determine a target network traffic abnormal moment from the moments according to the network traffic abnormal probability corresponding to each moment.
7. An electronic device, characterized by comprising:
a memory, configured to store a program;
a processor, configured to execute the program, the program being specifically configured to:
obtain the flow value corresponding to each moment;
obtain, according to the flow value corresponding to each moment, a first flow trend of the flow values over time;
determine, from at least two moments belonging to the moments, the hypothetical abnormal moment corresponding to a hypothetical abnormal point;
obtain, according to the first flow trend, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value in the case where the flow value corresponding to the hypothetical abnormal moment is a network traffic abnormal value;
return to the step of determining, from at least two moments belonging to the moments, the hypothetical abnormal moment corresponding to a hypothetical abnormal point, until the number of cycles equals the number of the at least two moments, wherein the hypothetical abnormal moments determined in different cycles are different;
add the abnormal probabilities belonging to the same moment in different cycles, to obtain the network traffic abnormal probability corresponding to each moment;
determine a target network traffic abnormal moment from the moments according to the network traffic abnormal probability corresponding to each moment.
8. The electronic device according to claim 7, characterized in that, when obtaining, according to the first flow trend, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value in the case where the flow value corresponding to the hypothetical abnormal moment is a network traffic abnormal value, the processor is specifically configured to:
determine the hypothetical abnormal moment as a time cut-off;
divide, according to the time cut-off, the flow values corresponding to the moments into a first flow combination and a second flow combination, wherein the first flow combination includes the flow values corresponding to moments less than or equal to the time cut-off, and the second flow combination includes the flow values corresponding to moments greater than the time cut-off;
determine, based on a second flow trend of the flow values included in the second flow combination over time, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value.
9. The electronic device according to claim 8, characterized in that the moments include N moments, N being a positive integer greater than a preset value, and when determining, based on the second flow trend of the flow values included in the second flow combination over time, the abnormal probability that the flow value corresponding to each moment is a network traffic abnormal value, the processor is specifically configured to:
obtain, in the case where the hypothetical abnormal moment is a network traffic abnormal point, the joint probability that the flow values corresponding to the moments included in the second flow combination occur together;
determine, based on the joint probability and the flow value corresponding to the hypothetical abnormal moment, the probability that the j-th network anomaly point occurs at each moment in a third flow combination, wherein the third flow combination includes the flow values corresponding to the moments whose sequence number among the N moments is greater than or equal to j, and j takes values from 1 to N;
add the probabilities that the same moment is a network anomaly point, to obtain the abnormal probability corresponding to each moment.
10. The electronic device according to claim 7, characterized in that, when determining the target network traffic abnormal moment from the moments according to the network traffic abnormal probability corresponding to each moment, the processor is specifically configured to:
determine, from the moments, the target moment whose network traffic abnormal probability is greater than or equal to a preset threshold;
determine the target moment as the target network traffic abnormal moment.
CN201710524847.3A 2017-06-30 2017-06-30 Network flow abnormity monitoring method and electronic equipment Active CN107222497B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710524847.3A CN107222497B (en) 2017-06-30 2017-06-30 Network flow abnormity monitoring method and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710524847.3A CN107222497B (en) 2017-06-30 2017-06-30 Network flow abnormity monitoring method and electronic equipment

Publications (2)

Publication Number Publication Date
CN107222497A true CN107222497A (en) 2017-09-29
CN107222497B CN107222497B (en) 2020-03-24

Family

ID=59951581

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710524847.3A Active CN107222497B (en) 2017-06-30 2017-06-30 Network flow abnormity monitoring method and electronic equipment

Country Status (1)

Country Link
CN (1) CN107222497B (en)

Also Published As

Publication number Publication date
CN107222497B (en) 2020-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant