CN110138720A - Anomaly classification detection method, device, storage medium and the processor of network flow - Google Patents
- Publication number
- CN110138720A (application number CN201910217643.4A)
- Authority
- CN
- China
- Prior art keywords
- target
- attribute values
- value
- attribute
- field
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network traffic anomaly classification detection method, device, storage medium and processor. The method comprises: obtaining the target log generated by a target website under target network traffic; obtaining the attribute value set of the target log, where each attribute value in the set indicates the state, under a target attribute, of the field associated with that attribute value; when the attribute value set contains predefined target attribute values, synthesizing the target attribute values associated with the same field into a first target attribute value; and, when the first target attribute value successfully matches a predefined second target attribute value, determining that the target network traffic has an abnormal state of a target type, where the second target attribute value indicates that the field associated with it belongs to the abnormal state of that target type. The invention thereby achieves the technical effect of improving the efficiency of classifying and detecting abnormal website traffic.
Description
Technical field
The present invention relates to the internet field, and in particular to a network traffic anomaly classification detection method, device, storage medium and processor.
Background technique
Currently, network traffic usually contains abnormal traffic; for example, around 25% of traffic may be abnormal. This traffic falls into different classes: some is traffic inflation (brushing), some is crawler traffic, and some is excessively frequent access. All of it is invalid from the point of view of genuine user access, so abnormal website traffic needs to be classified and detected.
In the related art, the type of abnormal website traffic is usually determined by manual observation, which makes the analysis of website traffic slow and labour-intensive. The related art also judges the type of newly arriving network traffic from each website's historical traffic sequence; this requires accumulating historical traffic, increases storage space, and cannot classify abnormal network traffic in time. Both approaches therefore suffer from the technical problem of low efficiency in classifying and detecting abnormal website traffic.
No effective solution to the problem of low efficiency in classifying and detecting abnormal website traffic in the prior art has yet been proposed.
Summary of the invention
The main purpose of the present invention is to provide a network traffic anomaly classification detection method, device, storage medium and processor, so as at least to solve the technical problem of low efficiency in classifying and detecting abnormal website traffic.
To achieve the above goal, according to one aspect of the invention, a network traffic anomaly classification detection method is provided. The method comprises: obtaining the target log generated by a target website under target network traffic; obtaining the attribute value set of the target log, where each attribute value in the set indicates the state, under a target attribute, of the field associated with that attribute value; when the attribute value set contains predefined target attribute values, synthesizing the at least one target attribute value associated with the same field into a first target attribute value; and, when the first target attribute value successfully matches a predefined second target attribute value, determining that the target network traffic has an abnormal state of a target type, where the second target attribute value indicates that the field associated with it belongs to the abnormal state of that target type.
Optionally, synthesizing the at least one target attribute value associated with the same field into a first target attribute value comprises: when several target attribute values are associated with the same field, performing a bitwise OR on their binary values to obtain the first target attribute value; when only one target attribute value is associated with the field, taking that target attribute value as the first target attribute value.
Optionally, before determining that the target network traffic has the target abnormal state, the method further comprises: traversing the multiple second target attribute values associated with the abnormal state of the target type; performing a bitwise AND between the binary value of the first target attribute value and the binary value of the second target attribute value currently being traversed, to obtain a target processing result; when the target processing result is greater than a target value, determining that the first target attribute value matches the traversed second target attribute value; and when the target processing result is not greater than the target value and the multiple second target attribute values have not all been traversed, taking the next of the multiple second target attribute values as the second target attribute value currently being traversed.
Optionally, after synthesizing the at least one target attribute value associated with the same field into a first target attribute value, the method further comprises storing the first target attribute value into the target log.
Optionally, obtaining the attribute value set of the target log comprises: obtaining multiple target fields from the target log, and taking the set of attribute values associated with each of those target fields as the attribute value set.
To achieve the above goal, according to another aspect of the invention, a network traffic anomaly classification detection device is also provided. The device comprises: a first acquisition unit, for obtaining the target log generated by the target website under the target network traffic; a second acquisition unit, for obtaining the attribute value set of the target log, where each attribute value in the set indicates the state, under a target attribute, of the field associated with that attribute value; a synthesis unit, for synthesizing the at least one target attribute value associated with the same field into a first target attribute value when the attribute value set contains predefined target attribute values; and a first determination unit, for determining that the target network traffic has an abnormal state of a target type when the first target attribute value successfully matches a predefined second target attribute value, where the second target attribute value indicates that the field associated with it belongs to the abnormal state of that target type.
To achieve the above goal, according to another aspect of the invention, a storage medium is also provided. The storage medium contains a stored program which, when run, controls the device on which the storage medium resides to execute the method of the embodiments of the invention.
To achieve the above goal, according to another aspect of the invention, a processor is also provided. The processor is used to run a program which, when run, executes the method of the embodiments of the invention.
By means of the invention, the target log generated by the target website under the target network traffic is obtained; the attribute value set of the target log is obtained, where each attribute value indicates the state, under a target attribute, of the field associated with it; when the attribute value set contains predefined target attribute values, the at least one target attribute value associated with the same field is synthesized into a first target attribute value; and when the first target attribute value successfully matches a predefined second target attribute value, the target network traffic is determined to have an abnormal state of a target type, where the second target attribute value indicates that the field associated with it belongs to the abnormal state of that target type. That is, target attribute values are predefined; when the attribute value set of the target log contains predefined target attribute values, at least one target attribute value is synthesized into a first target attribute value (a synthesized attribute value); the first target attribute value is matched against predefined, already classified second target attribute values; and when the match succeeds, the target network traffic is determined to have the abnormal state of the target type. This solves the technical problem of low efficiency in classifying and detecting abnormal website traffic and achieves the technical effect of improving that efficiency.
Detailed description of the invention
The accompanying drawings, which form part of this application, provide a further understanding of the invention; the illustrative embodiments of the invention and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of a network traffic anomaly classification detection method according to an embodiment of the invention;
Fig. 2 is a flow chart of a method for storing anomaly classifications according to an embodiment of the invention;
Fig. 3 is a flow chart of a decomposition and matching method for anomaly classification according to an embodiment of the invention; and
Fig. 4 is a schematic diagram of a network traffic anomaly classification detection device according to an embodiment of the invention.
Specific embodiment
It should be noted that, where there is no conflict, the embodiments of this application and the features in them may be combined with each other. The invention is described in detail below with reference to the drawings and the embodiments.
In order that those skilled in the art may better understand the solution of this application, the technical solution in the embodiments of the application is described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are clearly only some, not all, of the embodiments of the application. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the application without creative effort fall within the scope of protection of the application.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings of this application are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so described are interchangeable where appropriate, so that the embodiments described here can be practised in orders other than those illustrated or described. Furthermore, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units not expressly listed or inherent to that process, method, product or device.
Embodiment 1
The embodiment of the invention provides a network traffic anomaly classification detection method.
Fig. 1 is a flow chart of a network traffic anomaly classification detection method according to an embodiment of the invention. As shown in Fig. 1, the method comprises the following steps.
Step S102: obtain the target log generated by the target website under the target network traffic.
In the technical solution provided by step S102, the target network traffic is the traffic to be checked for anomalies. The target log, i.e. the web log, is generated by the target website under the target network traffic. It is the file, typically ending in ".log", in which the server records raw information such as the requests it receives and processes and its runtime errors. It records information such as the operating state of the target website and the requests it received, so from the target log one can determine which user IP accessed which page of the target website, at what time, with which operating system, browser and display resolution, and whether the access succeeded.
Optionally, the target log of this embodiment can be identified by a log ID, for example xxx_001, xxx_002, xxx_003 and so on.
Step S104: obtain the attribute value set of the target log.
In the technical solution provided by step S104, after the target log generated by the target website under the target network traffic has been obtained, the attribute value set of the target log is obtained, where each attribute value in the set indicates the state, under a target attribute, of the field associated with that attribute value.
In this embodiment the target log contains fields, for example a field A corresponding to the cookie, a field B corresponding to the Internet Protocol (IP) address, a field C corresponding to the user agent (User-Agent, which may be the browser), and possibly further fields such as the timestamp and the referer. Each field may carry several attribute values, each corresponding to a different data characteristic. The attribute value set of the target log consists of the attribute values computed from the fields of the target log; an attribute value indicates the state of the target log under the field associated with it, which may be a normal state or an abnormal state. Optionally, an attribute value of 1 for field A indicates that the state of field A under the cookie attribute is "cookie format abnormal", an attribute value of 2 for field A indicates "cookie exposure abnormal", and an attribute value of 16 for field B indicates that the state of field B under the IP attribute is "IP changes too fast"; no restriction is placed on this here.
Step S106 will be related to same field in the case where property value set includes predefined Target Attribute values
At least one Target Attribute values of connection synthesize first object attribute value.
In the technical solution that step S106 is provided, in the target day that acquisition targeted website generates under target network flow
It, will at least one mesh associated with same field if property value set includes predefined Target Attribute values after will
Mark attribute value synthesizes first object attribute value.
In this embodiment, the attribute value of exception field is predefined, obtains Target Attribute values.For example, for
Cookie corresponding field A, regular definition value A:1 are for indicating that field A is in cookie in the case where Target Attribute values are 1
State under attribute is that cookie format is abnormal;Regular definition value A:2, for indicating in the case where Target Attribute values are 2, word
State of the section A under cookie attribute is that cookie exposure is abnormal;Regular definition value A:4, for indicating that in Target Attribute values be 4
In the case where, state of the field A under cookie attribute is that cookie clicks exception;Regular definition value A:8, for indicating in mesh
In the case that mark attribute value is 8, state of the field A under cookie attribute is that cookie variation is too fast;Regular definition value A:16,
For indicating in the case where Target Attribute values are 16, state of the field A under cookie attribute is cookie time time-out.Its
In, regular definition value is the condition that anomaly classification defines.
Optionally, for field B corresponding with IP, regular definition value B:1, for indicating the feelings for being 1 in Target Attribute values
Under condition, state of the field B under IP attribute is crawler IP abnormal;Regular definition value B:2, for indicating that in Target Attribute values be 2
In the case where, state of the field B under IP attribute is data center IP abnormal;Regular definition value B:4, for indicating in target category
Property value be 4 in the case where, state of the field B under IP attribute is that Agent IP is abnormal;Regular definition value B:8, for indicating in mesh
In the case that mark attribute value is 8, state of the field B under IP attribute is spare IP abnormal;Regular definition value B:16, for indicating
In the case where Target Attribute values are 16, state of the field B under IP attribute is that IP variation is too fast.
Optionally, it is in Target Attribute values for expression for field C corresponding with UserAgent, regular definition value C:1
In the case where 1, state of the field C under UserAgent attribute is simple crawler UserAgent;Regular definition value C:2 is used for table
Show that, in the case where Target Attribute values are 2, state of the field C under UserAgent attribute is that UserAgent is too short;Rule is fixed
Justice value C:4 is for indicating that, in the case where Target Attribute values are 4, state of the field C under UserAgent attribute is advanced crawler
UserAgent。
It should be noted that above-mentioned predefined Target Attribute values are only one kind of the embodiment of the present invention for example, simultaneously
The predefined Target Attribute values for not representing the embodiment of the present invention are only above-mentioned, any for determining whether website traffic is abnormal
Predefined Target Attribute values all within the scope of the embodiment, no longer illustrate one by one herein.
The embodiment determines the attribute value in property value set, can by its with predefined Target Attribute values into
Row matching primitives, in the case where property value set includes predefined Target Attribute values, will it is associated with same field extremely
Few Target Attribute values synthesize first object attribute value, the synthesis attribute of the first object attribute value namely target journaling
Value.For example, property value set includes the attribute value 1,8,16 of A field, that is, the rule of correspondence definition value A:1, regular definition value A:
The Target Attribute values of A field 1,8,16 are then synthesized the first object attribute value 25 of A field by 8, regular definition value A:16;It should
Property value set further includes the attribute value 1 of C field, that is, rule of correspondence definition value C:1, then first object attribute value can be C
The Target Attribute values 1 of field.
Step S108: when the first target attribute value successfully matches a predefined second target attribute value, determine that the target network traffic has an abnormal state of a target type.
In the technical solution provided by step S108, when the first target attribute value successfully matches a predefined second target attribute value, the target network traffic is determined to have an abnormal state of a target type, where the second target attribute value indicates that the field associated with it belongs to the abnormal state of that target type.
In this embodiment the second target attribute values are predefined, and each second target attribute value corresponds to the abnormal state of the target type to which its field belongs; the abnormal state of the target type is the anomaly classification result. For example, if the abnormal state of the target type is a frequency anomaly, the second target attribute value may be the attribute value 8 under field A, i.e. rule definition value A:8, or the attribute value 16 under field B, i.e. rule definition value B:16. As another example, if the abnormal state of the target type is a crawler problem, the rule definition value may be the attribute value 1 under field B (B:1), the attribute value 1 under field C (C:1), or the attribute value 4 under field C (C:4), representing the set of crawler problems.
It should be noted that the second target attribute values above, and the target-type abnormal states to which their associated fields belong, are only an example of the embodiment of the invention and do not limit the embodiment to them; any second target attribute value that can be predefined to determine whether website traffic is abnormal, together with the target-type abnormal state of its associated field, falls within the scope of this embodiment and is not illustrated one by one here.
The first target attribute value is matched against a predefined second target attribute value by, for example, performing a bitwise AND between the binary value of the first target attribute value and the binary value of the second target attribute value. If the result is greater than 0, the target log is determined to have the abnormal state of the target type, and hence the target network traffic corresponding to the target log is determined to have that abnormal state. This yields the anomaly classification result and achieves the purpose of classifying the anomalies of the target network traffic; the classification result can be used in the final statistical report on the target network traffic.
For example, if the first target attribute values of target log xxx_001 are A:25 and C:1, then the value 25 under field A matches the predefined second target attribute values 1, 8 and 16 under field A, i.e. it matches A:1, A:8 and A:16, and the target-type abnormal states may be the cookie format anomaly classification result corresponding to A:1, the frequency anomaly classification result corresponding to A:8, and the cookie time-out anomaly classification result corresponding to A:16.
In this embodiment the abnormal state of a target type can have several class definition conditions (rule definition values); for example, the frequency anomaly classification result can match A:8 (cookie changes too fast) or B:16 (IP changes too fast). As long as the first target attribute value satisfies one of the class definition conditions, the abnormal state of the target type is determined to be the anomaly classification corresponding to that condition.
In this embodiment, if the target log satisfies the conditions defined by several anomaly classifications at the same time, all of those classifications contribute to the final anomaly classification result.
In this embodiment, the target log generated by the target website under the target network traffic is obtained; the attribute value set of the target log is obtained, where each attribute value indicates the state, under a target attribute, of the field associated with it; when the attribute value set contains predefined target attribute values, the at least one target attribute value associated with the same field is synthesized into a first target attribute value; and when the first target attribute value successfully matches a predefined second target attribute value, the target network traffic is determined to have an abnormal state of a target type, where the second target attribute value indicates that the field associated with it belongs to the abnormal state of that target type. That is, target attribute values are predefined; when the attribute value set of the target log contains predefined target attribute values, at least one target attribute value is synthesized into a first target attribute value (a synthesized attribute value); the first target attribute value is matched against predefined, already classified second target attribute values; and when the match succeeds, the target network traffic is determined to have the abnormal state of the target type. This solves the technical problem of low efficiency in classifying and detecting abnormal website traffic and achieves the technical effect of improving that efficiency.
As an alternative embodiment, in step S106 synthesizing the at least one target attribute value associated with the same field into a first target attribute value comprises: when several target attribute values are associated with the same field, performing a bitwise OR on the binary values of those target attribute values to obtain the first target attribute value; when only one target attribute value is associated with the field, taking that target attribute value as the first target attribute value.
In this embodiment, when several target attribute values are associated with the same field, a bitwise OR of their binary values produces a new attribute value, the first target attribute value, i.e. the synthesized attribute value in the target log. For example, if the target log contains fields A and C and the target attribute values associated with field A are 1, 8 and 16, corresponding to rule definition values A:1, A:8 and A:16, the bitwise OR of the binary values of 1, 8 and 16 gives 25, which can be written A1:25.
When only one target attribute value is associated with the field, that value is taken directly as the first target attribute value; for example, if the target attribute value associated with field C is 1, the first target attribute value is 1, written C:1.
As an alternative embodiment, in step S108, before determining that the target network traffic has the target abnormal state, the method further comprises: traversing the multiple second target attribute values associated with the abnormal state of the target type; performing a bitwise AND between the binary value of the first target attribute value and the binary value of the second target attribute value currently being traversed, to obtain a target processing result; when the target processing result is greater than a target value, determining that the first target attribute value matches the traversed second target attribute value; and when the target processing result equals 0 (i.e. is not greater than the target value) and the multiple second target attribute values have not all been traversed, taking the next of the multiple second target attribute values as the second target attribute value currently being traversed.
In this embodiment there are several predefined second target attribute values. Before the target network traffic is determined to have the target abnormal state, the multiple second target attribute values associated with the abnormal state of the target type are traversed, i.e. the attribute values of the anomaly classification are traversed. For the second target attribute value currently being traversed, a bitwise AND between the binary value of the first target attribute value and the binary value of that second target attribute value gives the target processing result. Matching the first target attribute value in binary form in this way increases the speed of matching.
After the target processing result is obtained, it is compared with the target value; for example, if the target value is 0, it is checked whether the target processing result is greater than 0. If it is, the first target attribute value is determined to match the traversed second target attribute value, and the target network traffic is determined to have the abnormal state of the target type, i.e. a qualifying anomaly classification result is obtained and output.
Optionally, when the target processing result is not greater than the target value and the multiple second target attribute values have not all been traversed, the next of the multiple second target attribute values is taken as the one currently being traversed and the first target attribute value is matched against it, until all the second target attribute values associated with the abnormal state of the target type have been traversed.
As an optional example, in step S108, before it is determined that the target network flow has the target abnormal state, the method further includes: traversing the multiple second target attribute values associated with the abnormal state of the first type, and combining by logical AND the binary value of the first target attribute value with the binary value of the traversed second target attribute value to obtain the target processing result, where the target type includes the first type, for example a frequency anomaly type; when the target processing result is greater than the target value, determining that the first target attribute value matches the traversed second target attribute value; and determining that the target network flow has the abnormal state of the target type includes determining that the target network flow has the abnormal state of the first type.
As an optional example, after the first target attribute value has been combined by logical AND with the traversed target attribute value to obtain the target processing result, the method further includes: when the target processing result is not greater than the target value and the multiple second target attribute values associated with the abnormal state of the first type have not all been traversed, combining by logical AND the binary value of the first target attribute value with the binary value of the next traversed second target attribute value to obtain a second processing result; when the second processing result is greater than the target value, determining that the first target attribute value matches the next traversed second target attribute value. Optionally, after it is determined that the first target attribute value matches the next traversed second target attribute value, if the multiple second target attribute values associated with the abnormal state of the first type have not all been traversed, the first target attribute value continues to be matched in the manner described above, until all of the multiple second target attribute values associated with the abnormal state of the target type have been traversed. Optionally, when the second processing result is not greater than the target value and the multiple second target attribute values associated with the abnormal state of the first type have not all been traversed, the first target attribute value likewise continues to be matched in the manner described above, until all of the multiple second target attribute values associated with the abnormal state of the target type have been traversed.
As an optional example, before the binary value of the first target attribute value is combined by logical AND with the binary value of the next traversed second target attribute value to obtain the second processing result, the method further includes: once the multiple second target attribute values associated with the abnormal state of the first type have all been traversed, traversing the multiple second target attribute values associated with the abnormal state of a second type, and combining by logical AND the binary value of the first target attribute value with the binary value of the traversed second target attribute value to obtain a third processing result, where the target type includes the second type, for example a crawler problem; when the third processing result is greater than the target value, determining that the first target attribute value matches the traversed second target attribute value; and determining that the target network flow has the abnormal state of the target type includes determining that the target network flow has the abnormal state of the second type.
As an alternative embodiment, in step S106, after at least one target attribute value associated with the same field has been synthesized into the first target attribute value, the method further includes: storing the first target attribute value in the target log.
In this embodiment, after at least one target attribute value associated with the same field has been synthesized into the first target attribute value, that is, after the synthesized attribute value of the target log has been obtained, the first target attribute value is stored in the target log. The first target attribute value can thus serve as the attribute value that the target log finally stores, which saves storage space.
As an alternative embodiment, in step S104, obtaining the attribute value set of the target log includes: obtaining multiple target fields in the target log; and determining the set made up of the attribute values respectively associated with the multiple target fields as the attribute value set.
In this embodiment, when the attribute value set of the target log is obtained, some of the target fields in the target log may be acquired at random; it is not necessary to obtain all fields. Each target field may have multiple attribute values, and the combination made up of these attribute values is determined as the attribute value set.
In this embodiment, the website generates a log under the flow to be detected. The log contains multiple fields, each field can have multiple attribute values, and different attribute values correspond to different observed behaviour of the field. The embodiment identifies the attribute values of each field in binary form, applies a bitwise OR to the different attribute values of the same field, and stores the resulting new attribute value, which saves the space needed to store attribute values. In addition, the class definition conditions of this embodiment can be combined freely: any fields can be chosen from all the fields in the log to judge whether the target network flow is abnormal, which improves the efficiency of anomaly classification detection on the target network flow.
Embodiment 2
The technical solution of the present invention is described below with reference to a preferred embodiment.
In this embodiment, the monitoring log collected by a third-party company may contain multiple fields, for example cookie, ip, timestamp, user agent (UserAgent) and referrer (referer). Abnormal flow may exist in the network flow, such as the invalid traffic produced by traffic inflation, crawlers or excessively frequent access. This embodiment can distinguish such invalid traffic and compute anomaly classification statistics for it.
In this embodiment, the anomalies of each field must first be defined. For example, field A represents the rules corresponding to the cookie, field B the rules corresponding to the IP, and field C the rules corresponding to the UserAgent. Table 1 is a definition table of field attribute anomalies according to an embodiment of the present invention.
Table 1 Definition table of field attribute anomalies
Field name | Attribute value | Meaning |
---|---|---|
A | 1 | Cookie format abnormal |
A | 2 | Cookie exposure abnormal |
A | 4 | Cookie click abnormal |
A | 8 | Cookie changes too fast |
A | 16 | Cookie timed out |
B | 1 | Crawler IP |
B | 2 | Data-center IP |
B | 4 | Proxy IP |
B | 8 | Spare IP |
B | 16 | IP changes too fast |
B | 32 | Reserved |
C | 1 | Simple crawler UserAgent |
C | 2 | UserAgent too short |
C | 4 | Advanced crawler UserAgent |
…… | | |
Table 2 is a definition table of anomaly classifications according to an embodiment of the present invention.
Table 2 Definition table of anomaly classifications
Table 3 is a storage table of the anomaly classification of a log according to an embodiment of the present invention.
Table 3 Storage table of the anomaly classification of a log
In this embodiment, the value of the attribute set is an intermediate result of the anomaly classification detection of network traffic: it means that the log was matched against all rules and the four rules A:1, A:8, A:16 and C:1 were hit. The synthesized attribute value in the log is obtained by applying a binary OR to the attribute values corresponding to A:1, A:8, A:16 and C:1.
Decomposition matching of the anomaly classification means matching the synthesized attribute value in the log against the rule definition values of Table 2 and outputting every anomaly classification result whose condition is satisfied.
For example, the synthesized attribute value of log xxx_001 is A:25, C:1. It therefore matches both A:8 in the frequency anomaly and C:1 in the crawler problem, that is, the flow corresponding to log xxx_001 has both a frequency anomaly and a crawler-class anomaly.
Table 4 is an anomaly classification result table of a log according to an embodiment of the present invention.
Table 4 Anomaly classification result table of a log
The classification results can be used to produce final report statistics on the network flow.
Fig. 2 is a flow chart of a method for storing an anomaly classification according to an embodiment of the present invention. As shown in Fig. 2, the method includes the following steps:
Step S201, predefine the attribute values of the fields in abnormal cases.
Step S202, obtain the attribute values of the fields in the log and match them against the predefined field attribute values.
Step S203, synthesize the attribute values matched under the same field in the log.
Step S204, record the synthesized value in the synthesized attribute value of the log.
Fig. 3 is a flow chart of a decomposition matching method for an anomaly classification according to an embodiment of the present invention. As shown in Fig. 3, the method includes the following steps:
Step S301, define the multiple attribute values of the anomaly classification.
Step S302, traverse the multiple attribute values of the anomaly classification.
Step S303, combine the binary value of the traversed attribute value and the binary value of the synthesized attribute value in the log by logical AND to obtain a processing result.
Step S304, judge whether the processing result is greater than 0.
After judging whether the processing result is greater than 0: if the processing result is greater than 0, perform step S305; if the processing result is not greater than 0, perform step S302.
Step S305, obtain one qualifying anomaly classification result and output it.
Step S306, judge whether all attribute values under the anomaly classification have been traversed.
After the anomaly classification result is output, judge whether all attribute values under the anomaly classification have been traversed. If all attribute values under the anomaly classification have been traversed, end the process of matching the synthesized attribute value against the multiple attribute values of the anomaly classification; if they have not all been traversed, perform step S302.
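The following Python example is added here to illustrate the procedure of Figs. 2 and 3 end to end; it is not code from the patent. It encodes Table 1 as power-of-two bit flags, derives matched rules from a constructed log record (the patent does not specify the rule logic, so the predicates in `RULE_PREDICATES` are assumptions), ORs the matches of each field into the synthesized attribute value, and then ANDs that value against class definitions. Table 2 is not reproduced on the page, so `CLASS_DEFINITIONS` is constructed; it keeps only what the text states (A:8 belongs to the frequency anomaly, C:1 to the crawler problem) and adds illustrative members. The log record reproduces the page's example xxx_001, which matches A:1, A:8, A:16 and C:1 and synthesizes to A:25, C:1.

```python
"""Bitmask synthesis (Fig. 2) and decomposition matching (Fig. 3) of per-field anomaly flags.

Added example; the rule predicates and the class definitions are constructed, not the patent's.
"""

# Table 1: attribute values of one field are powers of two, so several anomalies
# of the same field can be OR-ed into a single integer (A:1 | A:8 | A:16 == 25).
FIELD_ATTRIBUTES = {
    "A": {1: "Cookie format abnormal", 2: "Cookie exposure abnormal",
          4: "Cookie click abnormal", 8: "Cookie changes too fast", 16: "Cookie timed out"},
    "B": {1: "Crawler IP", 2: "Data-center IP", 4: "Proxy IP", 8: "Spare IP",
          16: "IP changes too fast", 32: "Reserved"},
    "C": {1: "Simple crawler UserAgent", 2: "UserAgent too short",
          4: "Advanced crawler UserAgent"},
}

# Step S202, constructed: how a raw log record is mapped onto Table 1 entries.
# The thresholds and patterns below are assumptions for the example only.
RULE_PREDICATES = [
    ("A", 1, lambda rec: not rec["cookie"].startswith("uid=")),
    ("A", 8, lambda rec: rec["cookie_changes_per_min"] > 10),
    ("A", 16, lambda rec: rec["cookie_age_s"] > 86400),
    ("B", 16, lambda rec: rec["ip_changes_per_min"] > 5),
    ("C", 1, lambda rec: rec["user_agent"].lower().startswith(("python-requests", "curl/"))),
    ("C", 2, lambda rec: len(rec["user_agent"]) < 10),
]

# Role of Table 2, constructed: each class lists, per field, the OR of the Table 1
# values that belong to it. Only A:8 (frequency) and C:1 (crawler) are from the page.
CLASS_DEFINITIONS = {
    "frequency anomaly": {"A": 8, "B": 16},
    "crawler problem": {"B": 1, "C": 1 | 4},
    "proxy access": {"B": 2 | 4},
}


def match_fields(record):
    """Step S202: return the (field, value) rules that the record satisfies."""
    return [(fld, value) for fld, value, pred in RULE_PREDICATES if pred(record)]


def synthesize(matched_rules):
    """Steps S203/S204: OR every matched value of the same field into one integer."""
    synthesized = {}
    for fld, value in matched_rules:
        if value not in FIELD_ATTRIBUTES.get(fld, {}):
            raise ValueError(f"undefined attribute {fld}:{value}")
        synthesized[fld] = synthesized.get(fld, 0) | value
    return synthesized


def decompose(synthesized):
    """Steps S301-S306: AND each class definition against the synthesized values.

    A class is reported when the AND result for any of its fields is greater than 0
    (the page's target value). The hits are expanded back into Table 1 entries so a
    report can state which rule caused the classification.
    """
    results = {}
    for class_name, definition in CLASS_DEFINITIONS.items():
        hits = []
        for fld, class_mask in definition.items():
            overlap = synthesized.get(fld, 0) & class_mask
            if overlap > 0:
                hits.extend((fld, bit) for bit in FIELD_ATTRIBUTES[fld] if overlap & bit)
        if hits:
            results[class_name] = hits
    return results


def classify(record):
    """Full pipeline: raw record -> matched rules -> synthesized value -> classes."""
    return decompose(synthesize(match_fields(record)))


# Constructed record standing in for log xxx_001 from the page.
LOG_XXX_001 = {
    "cookie": "sid=3f9a",            # not the expected uid= form -> A:1
    "cookie_changes_per_min": 25,    # -> A:8
    "cookie_age_s": 100_000,         # -> A:16
    "ip_changes_per_min": 0,
    "user_agent": "python-requests/2.31",  # -> C:1
}

if __name__ == "__main__":
    rules = match_fields(LOG_XXX_001)
    print("matched rules:", rules)                 # A:1, A:8, A:16, C:1
    print("synthesized:", synthesize(rules))       # {'A': 25, 'C': 1}
    for name, hits in classify(LOG_XXX_001).items():
        print(name, [f"{f}:{v} ({FIELD_ATTRIBUTES[f][v]})" for f, v in hits])
```

Because the AND test reads the synthesized integer directly, adding a new anomaly class is a matter of adding a mask to `CLASS_DEFINITIONS`; the stored log value does not need to be recomputed, which is the storage-saving property the embodiment describes.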
In this embodiment, each anomaly classification result can match the conditions of multiple class definitions; as long as the flow to be detected meets the condition of one class definition, its abnormal situation can be determined to belong to the anomaly classification corresponding to that condition. The class definition conditions of this embodiment can be combined freely, and any fields can be chosen from all the fields in the log to judge whether the flow is abnormal. The website generates a log under the flow to be detected; the log contains multiple fields, each field can have multiple attribute values, and different attribute values correspond to different observed behaviour of the field. The embodiment makes full use of binary encoding to identify each field, applies a bitwise OR to the different attribute values of the same field, and stores the resulting new attribute value, which saves the space needed to store attribute values. One log may satisfy the conditions of several anomaly classifications at once, and the conditions of the different anomaly classifications are used directly in computing the log's different anomaly classification results, which improves the efficiency of anomaly classification detection on the target network flow.
Embodiment 3
The embodiment of the invention also provides an anomaly classification detection device for network flow. It should be noted that the anomaly classification detection device of this embodiment can be used to execute the anomaly classification detection method for network flow of the embodiment of the present invention.
Fig. 4 is a schematic diagram of an anomaly classification detection device for network flow according to an embodiment of the present invention. As shown in Fig. 4, the device includes a first acquisition unit 10, a second acquisition unit 20, a synthesis unit 30 and a first determination unit 40.
The first acquisition unit 10 is configured to obtain the target log generated by the target website under the target network flow.
The second acquisition unit 20 is configured to obtain the attribute value set of the target log, where an attribute value in the attribute value set indicates the state, under the target attribute, of the field associated with that attribute value.
The synthesis unit 30 is configured to synthesize at least one target attribute value associated with the same field into the first target attribute value when the attribute value set contains a predefined target attribute value.
The first determination unit 40 is configured to determine that the target network flow has the abnormal state of the target type when the first target attribute value matches a predefined second target attribute value, where the second target attribute value indicates that the field associated with it belongs to the abnormal state of the target type.
Optionally, the synthesis unit includes a processing module and a determining module. The processing module is configured to apply a logical OR to the binary values of the multiple target attribute values associated with the same field, when there are multiple such values, to obtain the first target attribute value; the determining module is configured to determine the target attribute value as the first target attribute value when there is only one target attribute value associated with the same field.
Optionally, the device of this embodiment further includes a first traversal unit, a processing unit, a second determination unit and a second traversal unit. The first traversal unit is configured to traverse the multiple second target attribute values associated with the abnormal state of the target type before it is determined that the target network flow has the target abnormal state; the processing unit is configured to combine by logical AND the binary value of the first target attribute value with the binary value of the currently traversed second target attribute value to obtain the target processing result; the second determination unit is configured to determine that the first target attribute value matches the traversed second target attribute value when the target processing result is greater than the target value; and the second traversal unit is configured, when the target processing result is not greater than the target value and the multiple second target attribute values have not all been traversed, to determine the next one of the multiple second target attribute values as the currently traversed second target attribute value.
This embodiment obtains, through the first acquisition unit 10, the target log generated by the target website under the target network flow; obtains, through the second acquisition unit 20, the attribute value set of the target log, where an attribute value in the attribute value set indicates the state, under the target attribute, of the field associated with that attribute value; synthesizes, through the synthesis unit 30, at least one target attribute value associated with the same field into the first target attribute value when the attribute value set contains a predefined target attribute value; and determines, through the determination unit 40, that the target network flow has the abnormal state of the target type when the first target attribute value matches a predefined second target attribute value, where the second target attribute value indicates that the field associated with it belongs to the abnormal state of the target type. This solves the technical problem of low detection efficiency for abnormal website flow and thereby achieves the technical effect of improving the efficiency of classification detection of abnormal website flow.
Embodiment 4
The embodiment of the invention also provides a storage medium. The storage medium contains a stored program which, when run, controls the device on which the storage medium is located to execute the anomaly classification detection method for network flow of the embodiment of the present invention.
Embodiment 5
The embodiment of the invention also provides a processor. The processor is configured to run a program which, when run, executes the anomaly classification detection method for network flow of the embodiment of the present invention.
Obviously, those skilled in the art should understand that each module or step of the invention described above can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices, and optionally they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or each can be fabricated as a separate integrated circuit module, or several of the modules or steps can be fabricated as a single integrated circuit module. The present invention is thus not limited to any specific combination of hardware and software.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may be modified and varied in many ways. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
Claims (10)
1. An anomaly classification detection method for network flow, characterized by comprising:
obtaining a target log generated by a target website under a target network flow;
obtaining an attribute value set of the target log, wherein an attribute value in the attribute value set indicates the state, under a target attribute, of the field associated with that attribute value;
when the attribute value set contains a predefined target attribute value, synthesizing at least one target attribute value associated with the same field into a first target attribute value;
when the first target attribute value matches a predefined second target attribute value, determining that the target network flow has an abnormal state of a target type, wherein the second target attribute value indicates that the field associated with the second target attribute value belongs to the abnormal state of the target type.
2. The method according to claim 1, characterized in that synthesizing the at least one target attribute value associated with the same field into the first target attribute value comprises:
when there are multiple target attribute values associated with the same field, applying a logical OR to the binary values of the multiple target attribute values associated with the same field to obtain the first target attribute value;
when there is one target attribute value associated with the same field, determining that target attribute value as the first target attribute value.
3. The method according to claim 1, characterized in that, before determining that the target network flow has the target abnormal state, the method further comprises:
traversing multiple second target attribute values associated with the abnormal state of the target type;
combining by logical AND the binary value of the first target attribute value with the binary value of the currently traversed second target attribute value to obtain a target processing result;
when the target processing result is greater than a target value, determining that the first target attribute value matches the traversed second target attribute value;
when the target processing result is not greater than the target value and the multiple second target attribute values have not all been traversed, determining the next one of the multiple second target attribute values as the currently traversed second target attribute value.
4. The method according to claim 1, characterized in that, after synthesizing the at least one target attribute value associated with the same field into the first target attribute value, the method further comprises:
storing the first target attribute value in the target log.
5. The method according to claim 1, characterized in that obtaining the attribute value set of the target log comprises:
obtaining multiple target fields in the target log;
determining the set made up of the attribute values respectively associated with the multiple target fields as the attribute value set.
6. An anomaly classification detection device for network flow, characterized by comprising:
a first acquisition unit, configured to obtain a target log generated by a target website under a target network flow;
a second acquisition unit, configured to obtain an attribute value set of the target log, wherein an attribute value in the attribute value set indicates the state, under a target attribute, of the field associated with that attribute value;
a synthesis unit, configured to synthesize at least one target attribute value associated with the same field into a first target attribute value when the attribute value set contains a predefined target attribute value;
a first determination unit, configured to determine that the target network flow has an abnormal state of a target type when the first target attribute value matches a predefined second target attribute value, wherein the second target attribute value indicates that the field associated with the second target attribute value belongs to the abnormal state of the target type.
7. The device according to claim 6, characterized in that the synthesis unit comprises:
a processing module, configured to apply a logical OR to the binary values of the multiple target attribute values associated with the same field, when there are multiple such values, to obtain the first target attribute value;
a determining module, configured to determine the target attribute value as the first target attribute value when there is one target attribute value associated with the same field.
8. The device according to claim 6, characterized in that the device further comprises:
a first traversal unit, configured to traverse multiple second target attribute values associated with the abnormal state of the target type before it is determined that the target network flow has the target abnormal state;
a processing unit, configured to combine by logical AND the binary value of the first target attribute value with the binary value of the currently traversed second target attribute value to obtain a target processing result;
a second determination unit, configured to determine that the first target attribute value matches the traversed second target attribute value when the target processing result is greater than a target value;
a second traversal unit, configured to determine the next one of the multiple second target attribute values as the currently traversed second target attribute value when the target processing result is not greater than the target value and the multiple second target attribute values have not all been traversed.
9. A storage medium, characterized in that the storage medium contains a stored program which, when run, controls the device on which the storage medium is located to perform the method according to any one of claims 1 to 5.
10. A processor, characterized in that the processor is configured to run a program which, when run, performs the method according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910217643.4A CN110138720B (en) | 2019-03-21 | 2019-03-21 | Method and device for detecting abnormal classification of network traffic, storage medium and processor |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110138720A true CN110138720A (en) | 2019-08-16 |
CN110138720B CN110138720B (en) | 2021-08-24 |
Family
ID=67568536
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910217643.4A Active CN110138720B (en) | 2019-03-21 | 2019-03-21 | Method and device for detecting abnormal classification of network traffic, storage medium and processor |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110138720B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102916991A (en) * | 2011-08-03 | 2013-02-06 | ***通信集团公司 | Method, system and device for transmitting data |
CN105471670A (en) * | 2014-09-11 | 2016-04-06 | 中兴通讯股份有限公司 | Flow data classification method and device |
KR20170106833A (en) * | 2016-03-14 | 2017-09-22 | 국방과학연구소 | A system for detecting of network anomaly and operation method thereof |
CN107547490A (en) * | 2016-06-29 | 2018-01-05 | 阿里巴巴集团控股有限公司 | A kind of scanner recognition method, apparatus and system |
CN107071084A (en) * | 2017-04-01 | 2017-08-18 | 北京神州绿盟信息安全科技股份有限公司 | A kind of DNS evaluation method and device |
CN107508809A (en) * | 2017-08-17 | 2017-12-22 | 腾讯科技(深圳)有限公司 | Identify the method and device of website type |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110545292A (en) * | 2019-09-29 | 2019-12-06 | 秒针信息技术有限公司 | Abnormal flow monitoring method and device |
CN110545292B (en) * | 2019-09-29 | 2021-07-30 | 秒针信息技术有限公司 | Abnormal flow monitoring method and device |
CN111538704A (en) * | 2020-03-26 | 2020-08-14 | 平安科技(深圳)有限公司 | Log optimization method, device, equipment and readable storage medium |
WO2021189831A1 (en) * | 2020-03-26 | 2021-09-30 | 平安科技(深圳)有限公司 | Log optimization method, apparatus and device, and readable storage medium |
CN111538704B (en) * | 2020-03-26 | 2023-09-15 | 平安科技(深圳)有限公司 | Log optimization method, device, equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |