CN107659560A - A kind of abnormal auditing method for mass network data flow log processing


Info

Publication number: CN107659560A
Authority: CN (China)
Prior art keywords: data flow, network data, traffic volume, list, interaction
Legal status: Pending (an assumption, not a legal conclusion)
Application number: CN201710750717.1A
Other languages: Chinese (zh)
Inventors: 张震, 摆亮, 柳林, 倪江帆, 殷兵, 张程风, 冯祥
Current assignee: National Computer Network and Information Security Management Center
Original assignee: National Computer Network and Information Security Management Center
Priority date / filing date: 2017-08-28
Publication date: 2018-02-02

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10: File systems; File servers
    • G06F16/18: File system types
    • G06F16/1805: Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815: Journaling file systems
    • G06F16/182: Distributed file systems (also under G06F16/18)

Abstract

The invention discloses an anomaly auditing method for processing massive network data flow logs, characterised in that it comprises the following steps. Step SS1: feature extraction pre-processing, specifically: feature extraction is performed on the network data flow logs using MapReduce. Step SS2: anomaly auditing, specifically: the network data flow logs are segmented and aggregated using an outlier detection algorithm. The invention proposes a network data flow auditing algorithm based on the combination of MapReduce and outlier detection. By combining the open-source Hadoop system with an outlier detection algorithm, analysis can be carried out at large scale, and by aggregating the logs of the same time period on different dates, anomalies defined by changes in a user's own behavioural habits can be detected effectively.

Description

A kind of abnormal auditing method for mass network data flow log processing
Technical field
The present invention relates to an anomaly auditing method for processing massive network data flow logs, and belongs to the technical field of distributed network anomaly detection.
Background technology
Network traffic logs record the details of what happens in a network. By analysing them, security incidents in the network environment can be located and analysed in depth, and the abnormal behaviour of users inside the network can be found. In current network log security auditing systems, traffic analysis is mostly a matter of analysing and auditing according to protocol type and content. Most traffic anomaly detection is also performed in real time, with time windows divided according to static or dynamic thresholds and the whole network monitored, so that the periodic anomalies of an individual user cannot be identified or judged. It is therefore necessary to build an offline network security log audit system in which the logs of different users for the same time period on different dates are divided and aggregated, and then audited by a detection algorithm, so that a user's anomalous events can be located.
The volume of network security traffic logs is very large, and the question is how these data can be stored and managed effectively. This involves not only equipment cost and portability, but also the large amount of information contained in massive logs. The emergence of Google's MapReduce computing model and GFS (Google File System) provided a solution for storing and processing massive data, and Hadoop is the open-source implementation of this technology. Using Hadoop, the storage and computing capacity of commodity computers can be pooled to build a Hadoop environment that provides powerful storage and large-scale computing. Many enterprises at home and abroad apply Hadoop to store and process massive data.
In log auditing, the problem of storing and processing massive data can be solved with Hadoop. Using Hadoop for effective and reasonable data storage, and combining traditional auditing with the MapReduce technique, are two very important tasks.
With the development of distributed processing and massive data mining, the Hadoop distributed system is studied from the two aspects of data storage and data processing. Hadoop is not merely the combination of the HDFS distributed file system and the MapReduce computing model; as the technology has developed, Hadoop now also contains many subsystems as components of the Hadoop ecosystem, so that it can provide better services. Hadoop therefore needs to be studied in depth so that data can be better organised for storage and processing. During log auditing, the MapReduce programming model needs to be combined with traditional auditing methods.
The content of the invention
Aiming at the shortcomings that existing abnormal traffic detection algorithms cannot effectively identify periodic anomalies, that it is difficult to combine MapReduce with traditional algorithms, and that the time windows for anomaly detection are divided inappropriately, the present invention proposes an anomaly auditing method for processing massive network data flow logs that combines MapReduce with an outlier detection algorithm. It can store and process massive data effectively, and the anomalies detected by the new method are more convincing, because they are anomalies of a user relative to the user's own behavioural habits.
The present invention adopts the following technical scheme: an anomaly auditing method for processing massive network data flow logs, characterised in that it comprises the following steps:
Step SS1: feature extraction pre-processing, specifically: feature extraction is performed on the network data flow logs using MapReduce;
Step SS2: anomaly auditing, specifically: the network data flow logs are segmented and aggregated using an outlier detection algorithm.
In a preferred embodiment, the features extracted in step SS1 include traffic volume, number of interacting IPs, hour and minute, and date.
In a preferred embodiment, the feature extraction in step SS1 comprises the following steps:
Step SS11: scan the data set; in the map stage extract the source IP, destination IP, traffic volume, hour and minute, and date. If the source IP is a monitored IP, write one record to the map output, with key = (source IP, hour and minute, date) and value = (destination IP, traffic volume); if the destination IP is a monitored IP, write one record to the map output, with key = (destination IP, hour and minute, date) and value = (source IP, traffic volume);
Step SS12: the reduce stage receives the map output; its input is the key (IP, hour and minute, date) and a list of (interacting IP, traffic volume) values. Initialise ip_list to record the distinct interacting IPs; for each (interacting IP, traffic volume) element of the list, check whether the interacting IP is already in ip_list and add it if not, and accumulate the traffic volume. When the whole list has been scanned, write (IP, hour and minute, date, number of interacting IPs, traffic volume) to the output.
In a preferred embodiment, the segmentation and aggregation of the network data flow logs in step SS2 comprises the following steps:
Step SS21: Map process: Map takes all the logs stored in HBase as input <K1, Value1>, where K1 is the RowKey and Value1 is the value of each column; the IP and time are extracted as K2, the number of interacting IPs and the traffic volume generated are taken as V2, and the output of Map is list(K2, V2);
Step SS22: during shuffle and sort, the system automatically groups the records with the same key together, generating (K2, list(V2)) as the input of the Reduce function;
Step SS23: Reduce process: the sorted (K2, list(V2)) is received; here each K2 represents one minimum unit on which anomaly detection is performed, identifying one time period of one user.
In a preferred embodiment, step SS23 further includes: all V2 are initialised as a set of objects, anomaly detection is then performed with the outlier detection algorithm, and the result is finally written to a result table stored in HBase.
In a preferred embodiment, the minimum unit in step SS23 is the set of data of a given user in a given time period.
Beneficial effects of the present invention: the invention proposes a network data flow auditing algorithm based on the combination of MapReduce and outlier detection. Combining the open-source Hadoop system with an outlier detection algorithm, it analyses at large scale, and by aggregating the logs of the same time period on different dates it can effectively detect anomalies defined by changes in a user's own behavioural habits.
Brief description of the drawings
Fig. 1 is a graph of one user's traffic over the same time period on 7 days, according to one embodiment of the present invention.
Fig. 2 is a graph of the number of interacting IPs of one user over the same time period on 7 days, according to one embodiment of the present invention.
Fig. 3 is a graph of the interacting-IP and traffic information of one user over the same time period on 7 days, according to one embodiment of the present invention.
Fig. 4 is the result analysis graph of one embodiment of the present invention.
Embodiment
The invention is further described below with reference to the accompanying drawings. The following examples are only intended to illustrate the technical scheme of the invention clearly and do not limit its scope.
The specific implementation of the invention comprises the following steps. First, feature extraction pre-processing: the ultimate purpose of the log statistics is to find the host IPs that generate abnormal traffic and the corresponding time intervals. All data in the database must be classified and filtered to pick out the desired targets, and then the feature values are extracted. For each host IP, the traffic in each minute is counted, together with the number of peer host IPs that exchanged traffic with it in that minute.
Map algorithm flow:
Input: the columns corresponding to the rowkey in the raw information table, the rowkey, and the output descriptor context.
Output: key = (IP, time, date); value = (peer IP, traffic volume).
1. Extract the raw-information rowkey.
String row[] = new String(rowkey.get()).split("#");
2. Extract the source IP, destination IP, time, and traffic volume.
3. Extract the date and time from the timestamp.
4. If the source IP is a monitored IP:
write one record to the map output, with key = (IP, hour and minute, date) and value = (destination IP, traffic volume).
5. If the destination IP is a monitored IP:
write one record to the map output, with key = (IP, hour and minute, date) and value = (source IP, traffic volume), as in step SS11.
6. End.
Reduce algorithm flow:
Input: key = (IP, hour and minute, date); value = list(peer IP, traffic volume); output descriptor context.
Output: NULL; the HBase insert object put.
1. Extract the key.
2. Initialise ip_list, which records the distinct peer IPs.
3. for value in list(peer IP, traffic volume):
4. if peer IP in ip_list:
5. if true, do not add it;
6. if false, add the peer IP to ip_list.
7. Add the traffic volume to data_size.
8. end for.
9. Compose the new rowkey from IP, hour and minute, date, number of peer IPs, and traffic volume.
10. Initialise the put object.
11. Add the column values ip, hour_and_min, date, ip_nums, data_size.
12. Write put to the output descriptor.
13. End.
Main function flow:
Input: raw log table name, statistics table name
Output: none
1. Initialise the HBase configuration; set the cluster's IP and port.
2. Initialise the Job object and name the job.
3. Assign the operation class to the Job.
4. Initialise the Scan object.
5. Use TableMapReduceUtil.initTableMapperJob to set the raw log table name, scan, Mapper class, Mapper output key type, Mapper output value type, and Job object.
6. Use TableMapReduceUtil.initTableReducerJob to set the statistics table name, Reducer class, and Job object.
7. Wait for the Job to finish.
8. End.
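The feature-extraction stage (steps SS11 and SS12, and the map, reduce and main-function flows just described) emulated in plain Python, as an added example that is not the patent's own code. map_flow, shuffle and reduce_minute play the roles of the Mapper, the Hadoop shuffle and the Reducer, running over a constructed list of flow records instead of an HBase table; the monitored-IP set, the record layout and the sample values are assumptions.

```python
"""Feature-extraction stage (steps SS11/SS12) emulated in plain Python.

Added example, not code from the patent. The map/shuffle/reduce functions
mirror what the patent's Hadoop Mapper and Reducer do, but run locally over
a constructed list of flow records instead of an HBase table.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow log: (unix timestamp, src ip, dst ip, bytes).
# Assumption: one record per flow, as in the patent's raw information table.
SAMPLE_FLOWS = [
    (1512813780, "192.168.100.37", "10.0.0.5", 1200),  # 2017-12-09 10:03:00 UTC
    (1512813795, "10.0.0.8", "192.168.100.37", 800),   # peer initiates, still 10:03
    (1512813810, "192.168.100.37", "10.0.0.5", 300),   # same peer again (counted once)
    (1512813840, "192.168.100.37", "10.0.0.9", 5000),  # 10:04
    (1512813850, "10.0.0.1", "10.0.0.2", 999),         # neither side monitored: dropped
]
MONITORED = {"192.168.100.37"}  # assumed set of monitored host IPs


def extract_date_time(ts):
    """Map step 3: split a timestamp into (date 'YYYYMMDD', hour_minute 'HHMM')."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.strftime("%Y%m%d"), dt.strftime("%H%M")


def map_flow(record, monitored=MONITORED):
    """Map steps 2-5: emit (ip, hour_min, date) -> (peer ip, bytes) for monitored ips."""
    ts, src, dst, size = record
    date, hour_min = extract_date_time(ts)
    out = []
    if src in monitored:
        out.append(((src, hour_min, date), (dst, size)))
    if dst in monitored:
        out.append(((dst, hour_min, date), (src, size)))
    return out


def shuffle(pairs):
    """Group map output by key, as Hadoop's shuffle/sort does before reduce."""
    grouped = defaultdict(list)
    for key, value in pairs:
        grouped[key].append(value)
    return grouped


def reduce_minute(key, values):
    """Step SS12: count distinct peer ips and sum bytes for one (ip, minute, date)."""
    ip, hour_min, date = key
    ip_list = []      # distinct peer IPs seen in this minute
    data_size = 0     # accumulated traffic volume
    for peer, size in values:
        if peer not in ip_list:
            ip_list.append(peer)
        data_size += size
    # Equivalent of the HBase put with columns ip, hour_and_min, date, ip_nums, data_size.
    return {"ip": ip, "hour_and_min": hour_min, "date": date,
            "ip_nums": len(ip_list), "data_size": data_size}


def feature_extraction(records, monitored=MONITORED):
    """Whole job: map every record, shuffle by key, reduce each key to one statistics row."""
    pairs = [p for r in records for p in map_flow(r, monitored)]
    return [reduce_minute(k, v) for k, v in sorted(shuffle(pairs).items())]


if __name__ == "__main__":
    for row in feature_extraction(SAMPLE_FLOWS):
        print(row)
```

Flows where neither endpoint is monitored produce no map output, and a peer that appears several times in the same minute is counted once in ip_nums while every byte is added to data_size, which is exactly what the reduce flow's ip_list check and data_size accumulation achieve.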
Second, abnormal audit process:
Map process: Map takes all the logs stored in HBase as input <K1, Value1>, where K1 is the RowKey and Value1 is the value of each column. The IP and time (hh:mm) are extracted as K2, the number of interacting IPs and the traffic volume generated are taken as V2, and the output of Map is list(K2, V2).
During shuffle and sort, the system automatically groups the records with the same key together, generating (K2, list(V2)) as the input of the Reduce function.
Reduce process: the sorted (K2, list(V2)) is received; here each K2 represents one minimum unit on which anomaly detection is performed, identifying one time period of one user. All V2 are initialised as a set of objects, anomaly detection is then performed with the outlier detection algorithm, and the result is finally written to a result table stored in HBase.
Map algorithm flow:
Input: the columns corresponding to the rowkey in the HBase table, the rowkey, and the output descriptor context;
Output: key = (ip, time); value = (number of interacting IPs, traffic volume);
1. Extract the ip.
String ip = new String(value.getValue(Bytes.toBytes("basic"), Bytes.toBytes("ip")));
2. Extract the hour and minute hour_min.
String hour_min = new String(value.getValue(Bytes.toBytes("basic"), Bytes.toBytes("hour_minute")));
3. Extract the date.
String date = new String(value.getValue(Bytes.toBytes("basic"), Bytes.toBytes("date")));
4. Extract the number of interacting IPs ip_nums.
int ip_nums = Bytes.toInt(value.getValue(Bytes.toBytes("basic"), Bytes.toBytes("ip_nums")));
5. Extract the traffic volume data_size.
int data_size = Bytes.toInt(value.getValue(Bytes.toBytes("basic"), Bytes.toBytes("data_size")));
6. Parse the hour and minute strings as integers and compute a time_id (the index of the 10-minute slot within the day).
int time_id = (hour_int * 6) + (min_int / 10);
7. Write the combination of ip and time_id as the key, and the number of interacting IPs and the traffic volume as the value, to the map output.
8. End.
Reduce algorithm flow:
Input: key = (ip, time_id); value = list(number of interacting IPs, traffic volume); output descriptor context
Output: rowkey = (user ip, time, number of interacting IPs, traffic volume); column = local deviation coefficient
1. Initialise the list object.
ArrayList<Node> dpoints = new ArrayList<Node>();
2. for value in list(number of interacting IPs, traffic volume):
3. initialise value as a Node object and add it to dpoints.
4. end for.
5. Call the outlier detection algorithm.
6. Use (user ip, time, date, interacting IPs, traffic volume) as the rowkey and the local deviation coefficient as the column value, and store them in HBase.
7. End.
Main function flow:
Input: name of the table holding the data, name of the table holding the results
Output: none
1. Initialise the HBase configuration; set the cluster's IP and port.
2. Initialise the Job object and name the job.
3. Assign the operation class to the Job.
4. Initialise the Scan object.
5. Use TableMapReduceUtil.initTableMapperJob to set the table name, scan, Mapper class, Mapper output key type, Mapper output value type, and Job object.
6. Use TableMapReduceUtil.initTableReducerJob to set the table name, Reducer class, and Job object.
7. Wait for the Job to finish.
8. End.
To verify the reasonableness and correctness of the algorithm, network security logs must be collected according to the design of the system so that the pre-processing and detection stages can run. The experiment is designed to examine the correctness of the algorithm, i.e. to detect from the network security logs the anomalies occurring in the network, and to assess the correctness of that detection.
The experimental environment is as follows:
Hardware: Hadoop servers (4: 1 HMaster, 3 RegionServers), client PCs (2), switch (1).
Software: Hadoop-1.0.1, HBase-0.92.0, Zookeeper-4.3.3, Eclipse 3.7.
Hadoop server configuration: dual-core CPU Dual-Core AMD Opteron(tm) Processor 2214, 2.2 GHz, 1 GB memory, 1 Gb/s network interface (dual NIC), kernel GNU/Linux 2.6.18.
Client PC configuration: dual-core CPU Intel Core Duo, 1.67 GHz, 1 GB memory, Windows XP.
The experiment has to run in a network environment, so the servers must all be connected under the switch, and the master must be able to log in to each slave machine without a password.
The experimental data in the present invention are packets from a real LAN environment, captured with libpcap and stored into the Hadoop cluster.
(2) Testing and analysis
For one user (192.168.100.37), the traffic volume generated in each minute of the 10 minutes from 10:00 to 10:09, and the number of other IPs interacted with in each minute, are extracted; seven days of data are taken to verify the effectiveness of the algorithm. On 9 December, from 10:03 to 10:05, the Xunlei (Thunder) download tool was started.
Table 1: part of the log data of user 192.168.100.37
The choice of k in the outlier detection algorithm directly affects the final detection result. In the application scenario of this paper, the points forming the audit target are the traffic of the same time period on different dates. For the traffic within a 10-minute interval over 7 days, k = 11 is chosen, so that the case in which the traffic of one whole day is abnormal can still be detected: a single day contributes only 10 of the points, so with k larger than 10 the neighbourhood of every point always includes points from other days. If k is too small, an anomaly may be ignored; if k is too large, the computational complexity increases.
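The audit stage (the time_id bucketing of the map flow, the Node list and outlier call of the reduce flow, and the choice of k = 11 for 7 days of one 10-minute slot) as an added Python example; it is not the patent's code. It assumes that the patent's "local deviation coefficient" is a Local Outlier Factor (LOF)-style score over (ip_nums, data_size) points, it uses a constructed 7-day data set for user 192.168.100.37 in which three minutes on 9 December carry download-tool-like traffic, the flagging threshold of 5 is an assumption, and the value carries the date and minute so that the result rowkey can be assembled as the reduce flow describes.

```python
"""Anomaly-audit stage (steps SS21-SS23) emulated in plain Python.

Added example, not code from the patent. Assumptions: the patent's
"local deviation coefficient" is computed like the Local Outlier Factor
(LOF); each point is (ip_nums, data_size) for one minute; time_id follows
the patent's hour*6 + minute//10; the outlier threshold is chosen here.
"""
from collections import defaultdict
import math

DATES = ["20171203", "20171204", "20171205", "20171206",
         "20171207", "20171208", "20171209"]


def constructed_rows(ip="192.168.100.37"):
    """Constructed statistics-table rows: 7 days x 10 minutes (10:00-10:09).
    Baseline traffic is small; 10:03-10:05 on 20171209 mimics a download tool."""
    rows = []
    for d, date in enumerate(DATES):
        for m in range(10):
            ip_nums = 2 + (d + m) % 3
            data_size = 1000 + 37 * ((7 * d + 3 * m) % 11)
            if date == "20171209" and 3 <= m <= 5:      # constructed anomaly
                ip_nums, data_size = 25 + m, 60000 + 500 * m
            rows.append({"ip": ip, "date": date, "hour_and_min": f"100{m}",
                         "ip_nums": ip_nums, "data_size": data_size})
    return rows


def time_id(hour_min):
    """Audit mapper step 6: 'HHMM' -> index of the 10-minute slot (0..143)."""
    return int(hour_min[:2]) * 6 + int(hour_min[2:]) // 10


def map_stat_row(row):
    """Audit mapper: key (ip, time_id); value keeps date/minute for the result rowkey."""
    return ((row["ip"], time_id(row["hour_and_min"])),
            (row["date"], row["hour_and_min"], row["ip_nums"], row["data_size"]))


def local_deviation_coefficients(points, k):
    """LOF-style score per point: about 1 inside a cluster, large for an outlier."""
    n = len(points)
    if n <= k:
        raise ValueError("need more than k points in the unit")
    dist = lambda a, b: math.hypot(a[0] - b[0], a[1] - b[1])
    knn, kdist = [], []
    for i in range(n):
        ranked = sorted((dist(points[i], points[j]), j) for j in range(n) if j != i)
        kdist.append(ranked[k - 1][0])            # distance to the k-th neighbour
        knn.append([j for _, j in ranked[:k]])    # the k nearest neighbours
    lrd = []                                      # local reachability density
    for i in range(n):
        reach = sum(max(kdist[j], dist(points[i], points[j])) for j in knn[i])
        lrd.append(k / reach if reach > 0 else math.inf)
    return [1.0 if lrd[i] == math.inf else sum(lrd[j] for j in knn[i]) / (k * lrd[i])
            for i in range(n)]


def reduce_slot(key, values, k=11, threshold=5.0):
    """Step SS23: one (ip, time_id) unit holds the same slot on every date."""
    ip, _ = key
    points = [(ip_nums, data_size) for _, _, ip_nums, data_size in values]
    scores = local_deviation_coefficients(points, k)
    results = []
    for (date, hour_min, ip_nums, data_size), score in zip(values, scores):
        rowkey = f"{ip}#{date}#{hour_min}#{ip_nums}#{data_size}"
        results.append((rowkey, round(score, 3), score > threshold))
    return results


def audit(rows, k=11, threshold=5.0):
    """Map, shuffle by key, reduce: returns (rowkey, coefficient, is_outlier) tuples."""
    grouped = defaultdict(list)
    for key, value in (map_stat_row(r) for r in rows):
        grouped[key].append(value)
    results = []
    for key in sorted(grouped):
        results.extend(reduce_slot(key, grouped[key], k, threshold))
    return results


def flagged(rows, k=11, threshold=5.0):
    """Row keys whose local deviation coefficient exceeds the threshold."""
    return [rk for rk, _, outlier in audit(rows, k, threshold) if outlier]


if __name__ == "__main__":
    for rk in flagged(constructed_rows()):
        print("outlier:", rk)
```

All 70 rows fall into the single unit (192.168.100.37, time_id 60), so each minute is compared only with the same slot on the other days, which is the "user against their own history" comparison the patent relies on; with k = 11 the three abnormal minutes score far above the baseline points, whose coefficients stay near 1.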
Table 2: resulting deviation values
Fig. 1 is a graph of one user's traffic over the same time period on 7 days, according to one embodiment of the present invention. Fig. 2 is a graph of the number of interacting IPs of one user over the same time period on 7 days, according to one embodiment of the present invention. Fig. 3 is a graph of the interacting-IP and traffic information of one user over the same time period on 7 days, according to one embodiment of the present invention. Fig. 4 is the result analysis graph of one embodiment of the present invention. The experiment verifies that network traffic anomaly detection can take history as its reference: considering that different users have different usage habits, the user is compared with the user's own historical traffic during auditing, and the outlier detection algorithm can judge anomalies in the user's network traffic.
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art can make further improvements and modifications without departing from the technical principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (6)

1. An anomaly auditing method for processing massive network data flow logs, characterised in that it comprises the following steps:
Step SS1: feature extraction pre-processing, specifically: feature extraction is performed on the network data flow logs using MapReduce;
Step SS2: anomaly auditing, specifically: the network data flow logs are segmented and aggregated using an outlier detection algorithm.
2. The anomaly auditing method for processing massive network data flow logs according to claim 1, characterised in that the features extracted in step SS1 include traffic volume, number of interacting IPs, hour and minute, and date.
3. The anomaly auditing method for processing massive network data flow logs according to claim 1, characterised in that the feature extraction in step SS1 comprises the following steps:
Step SS11: scan the data set; in the map stage extract the source IP, destination IP, traffic volume, hour and minute, and date. If the source IP is a monitored IP, write one record to the map output, with key = (source IP, hour and minute, date) and value = (destination IP, traffic volume); if the destination IP is a monitored IP, write one record to the map output, with key = (destination IP, hour and minute, date) and value = (source IP, traffic volume);
Step SS12: the reduce stage receives the map output; its input is the key (IP, hour and minute, date) and a list of (interacting IP, traffic volume) values. Initialise ip_list to record the distinct interacting IPs; for each (interacting IP, traffic volume) element of the list, check whether the interacting IP is already in ip_list and add it if not, and accumulate the traffic volume. When the whole list has been scanned, write (IP, hour and minute, date, number of interacting IPs, traffic volume) to the output.
4. The anomaly auditing method for processing massive network data flow logs according to claim 1, characterised in that the segmentation and aggregation of the network data flow logs in step SS2 comprises the following steps:
Step SS21: Map process: Map takes all the logs stored in HBase as input <K1, Value1>, where K1 is the RowKey and Value1 is the value of each column; the IP and time are extracted as K2, the number of interacting IPs and the traffic volume generated are taken as V2, and the output of Map is list(K2, V2);
Step SS22: during shuffle and sort, the system automatically groups the records with the same key together, generating (K2, list(V2)) as the input of the Reduce function;
Step SS23: Reduce process: the sorted (K2, list(V2)) is received; here each K2 represents one minimum unit on which anomaly detection is performed, identifying one time period of one user.
5. The anomaly auditing method for processing massive network data flow logs according to claim 4, characterised in that step SS23 further includes: all V2 are initialised as a set of objects, anomaly detection is then performed with the outlier detection algorithm, and the result is finally written to a result table stored in HBase.
6. The anomaly auditing method for processing massive network data flow logs according to claim 4, characterised in that the minimum unit in step SS23 is the set of data of a given user in a given time period.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710750717.1A CN107659560A (en) 2017-08-28 2017-08-28 A kind of abnormal auditing method for mass network data flow log processing


Publications (1)

Publication Number Publication Date
CN107659560A true CN107659560A (en) 2018-02-02

Family ID: 61127836


Country Status (1)

Country Link
CN (1) CN107659560A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105049232A (en) * 2015-06-19 2015-11-11 成都艾尔普科技有限责任公司 Network information log audit system
CN105653427A (en) * 2016-03-04 2016-06-08 上海交通大学 Log monitoring method based on abnormal behavior detection
CN106776942A (en) * 2016-11-30 2017-05-31 任子行网络技术股份有限公司 A kind of transmission of network audit daily record preserves system and method
CN106777133A (en) * 2016-12-16 2017-05-31 浙江大学 A kind of similar connection processing method of metric space based on MapReduce

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张萌 (Zhang Meng): "基于hadoop的网络安全日志审计***关键技术研究" (Research on key technologies of a Hadoop-based network security log audit ***), 《中国优秀硕士学位论文全文数据库 信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology series) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109029564A (en) * 2018-07-12 2018-12-18 江苏慧学堂***工程有限公司 A kind of computer network system for environment measuring
CN109556864A (en) * 2018-12-17 2019-04-02 衢州职业技术学院 A kind of motor bearings defect detecting system
CN111355625A (en) * 2018-12-24 2020-06-30 中移(杭州)信息技术有限公司 Analysis method and device for abnormal Internet of things card
CN111355625B (en) * 2018-12-24 2021-12-07 中移(杭州)信息技术有限公司 Analysis method and device for abnormal Internet of things card
CN113836431A (en) * 2021-10-19 2021-12-24 中国平安人寿保险股份有限公司 User recommendation method, device, equipment and medium based on user duration


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180202