CN112543199A - IP abnormal flow detection method, system, computer equipment and storage medium

Info

Publication number: CN112543199A
Authority: CN (China)
Prior art keywords: flow, periodic, obtaining, abnormal, frequency
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202011418675.XA
Other languages: Chinese (zh)
Other versions: CN112543199B (en)
Inventors: 韩坤, 田丹丹, 卫海天
Current assignee: Beijing Minglue Zhaohui Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Minglue Zhaohui Technology Co Ltd
Application filed by Beijing Minglue Zhaohui Technology Co Ltd
Priority to CN202011418675.XA
Publication of CN112543199A
Application granted
Publication of CN112543199B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, a system, a computer device and a storage medium for detecting IP abnormal flow, wherein the method comprises the following steps: acquiring average flow times: counting the periodic IP flow times of any IP in a period, and obtaining the average flow times in the period according to the periodic IP flow times; obtaining ideal average flow times: sampling the rest periods of the IP to obtain sampling data, and obtaining estimated flow times and ideal average flow times according to the sampling data; an abnormality degree acquisition step: processing the periodic IP flow frequency according to the ideal average flow frequency and the average flow frequency in the period, and obtaining the IP abnormal degree according to the processed periodic IP flow frequency and the estimated flow frequency; an identification step: and identifying IP abnormal flow according to the IP abnormal degree. The invention can remove the influence of normal fluctuation of the flow, thereby obtaining more accurate estimation of the abnormal degree of the IP.

Description

IP abnormal flow detection method, system, computer equipment and storage medium
Technical Field
The invention belongs to the field of IP abnormal flow detection methods, and particularly relates to an IP abnormal flow detection method, an IP abnormal flow detection system, computer equipment and a storage medium.
Background
Every day, the internet generates massive amounts of network data; this data records various aspects of people's daily life and work, and people store their own private and security-sensitive information on the internet. At the same time, the huge volume of network data also creates a huge information market, and the black market within it threatens network security. Worm attacks and DDoS attacks occur every day and seriously affect the daily internet experience. In the face of these threats, the fluctuation of the flow number of an IP is monitored to judge whether the IP address is abnormal. But simply monitoring fluctuations in the number of flows is not sufficient to cope with the complex attack methods of hackers. The method calculates an estimated value of the IP flow number by counting the IP flow number and establishing a model, and evaluates the difference between the actual value and the estimated value to obtain the abnormal degree of the IP, so as to identify abnormal IP flow.
At present, the technology for monitoring an IP in a statistical manner observes the flow fluctuation of the IP along the time sequence, and the abnormal phenomenon is that the IP flow fluctuates within a short time. Some approaches observe the uncertainty of the IP flow by calculating statistics such as entropy: if the entropy is large, the fluctuation range of the IP flow is large. Others compare the data packet content with known abnormal information, or use the byte count and ASCII code distribution in the packet to distinguish normal flow from abnormal flow.
Observing the flow fluctuation of the IP and calculating statistics such as entropy can describe the flow change of the IP to a certain extent. However, the above statistics do not take the normal fluctuation of the IP into account, and do not eliminate the influence of that normal fluctuation on the monitoring of abnormal IP traffic.
Specific IPs can be captured effectively by methods such as packet content inspection, but collecting such information is difficult to implement in a large-scale communication network, and the data analysis is relatively difficult.
The method calculates the estimated value of the IP flow times by counting the IP flow times and establishing a model, considers the normal fluctuation of the IP flow, and estimates the difference between the actual value and the estimated value by correcting the IP flow times to obtain the abnormal degree of the IP for identifying the abnormal IP flow.
Disclosure of Invention
The embodiment of the application provides a method, a system and a computer storage device for detecting IP abnormal flow, which are used for at least solving the problem of subjective factor influence in the related technology.
The invention provides an IP abnormal flow detection method, which comprises the following steps:
acquiring average flow times: counting the periodic IP flow times of any IP in a period, and obtaining the average flow times in the period according to the periodic IP flow times;
obtaining ideal average flow times: sampling the rest periods of the IP to obtain sampling data, and obtaining estimated flow times and ideal average flow times according to the sampling data;
an abnormality degree acquisition step: processing the periodic IP flow frequency according to the ideal average flow frequency and the average flow frequency in the period, and obtaining the IP abnormal degree according to the processed periodic IP flow frequency and the estimated flow frequency;
an identification step: identifying IP abnormal flow according to the IP abnormal degree.
In the method, the step of obtaining the average traffic frequency includes constructing a first function, where the first function is a discrete function, counting the periodic IP traffic frequency through the discrete function, and obtaining the average traffic frequency of the IP in a period from the periodic IP traffic frequency.
The method, wherein the step of obtaining the ideal average flow number includes:
abnormal value operation step: sampling the rest periods of the IP to obtain sampling data, and removing abnormal values of the sampling data;
and an estimated flow frequency obtaining step: obtaining the estimated flow times of any time point of the normal network IP according to the sampling data after the abnormal value is removed;
calculating the ideal average flow times: and obtaining the ideal average flow times according to the estimated flow times.
The method described above, wherein the abnormality degree acquiring step includes:
a modification step: the number of periodic IP flows is modified according to the following formula:
Figure BDA0002821247640000021
wherein $f(t)$ is the number of periodic IP flows, $avg_e$ is the ideal average flow number, $avg$ is the average flow number in the period, and $f^*(t_k)$ is the processed periodic IP flow number;
IP abnormality degree calculation step: the IP abnormality degree is obtained according to the following formula:
Figure BDA0002821247640000031
wherein $diff$ is the degree of IP abnormality, $f^*(t)$ is the processed periodic IP flow number, and $F^*(t)$ is the estimated flow number.
The invention also provides an IP abnormal flow detection system, which comprises:
the average flow frequency acquiring module is used for counting the periodic IP flow frequency of any IP in a period and acquiring the average flow frequency in the period according to the periodic IP flow frequency;
the module for obtaining the ideal average flow times samples the rest periods of the IP to obtain sampling data, and obtains estimated flow times and ideal average flow times according to the sampling data;
an abnormality degree obtaining module, wherein the abnormality degree obtaining module processes the periodic IP flow frequency according to the ideal average flow frequency and the average flow frequency in the period, and obtains the IP abnormality degree according to the processed periodic IP flow frequency and the estimated flow frequency;
an identification module that identifies IP abnormal traffic based on the IP abnormality degree.
In the system, the average traffic frequency obtaining module constructs a first function, the first function is a discrete function, the periodic IP traffic frequency is counted through the discrete function, and the average traffic frequency of the IP in one period is obtained from the periodic IP traffic frequency.
The system, wherein the module for obtaining the ideal average flow number includes:
an abnormal value operation unit which samples the rest periods of the IP to obtain sampling data and removes the abnormal value from the sampling data;
an estimated flow frequency obtaining unit which obtains the estimated flow frequency of any time point of the normal network IP according to the sampling data after removing the abnormal value;
and the ideal average flow frequency calculating unit is used for obtaining the ideal average flow frequency according to the estimated flow frequency.
The system, wherein the abnormality degree obtaining module includes:
a modification unit that modifies the periodic IP traffic number according to the following formula:
Figure BDA0002821247640000041
wherein $f(t)$ is the number of periodic IP flows, $avg_e$ is the ideal average flow number, $avg$ is the average flow number in the period, and $f^*(t_k)$ is the processed periodic IP flow number;
an IP abnormality degree calculation unit that obtains an IP abnormality degree according to the following formula:
Figure BDA0002821247640000042
wherein $diff$ is the degree of IP abnormality, $f^*(t)$ is the processed periodic IP flow number, and $F^*(t)$ is the estimated flow number.
The invention also provides computer equipment comprising a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the computer program to realize the IP abnormal traffic detection method.
The present invention also provides a storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the IP abnormal traffic detection method as described in any one of the above.
The invention has the beneficial effects that:
the invention provides an IP abnormal flow identification method, which calculates the abnormal degree of a certain IP in a period through the flow number in the period. The method first counts the flow number of one period of the IP, second calculates the average flow number of the IP in the period, third estimates the flow number from the flow numbers of other periods, and finally calculates the difference between the statistical value and the estimated value through an abnormality algorithm to obtain the IP abnormality degree. When counting the flow-number function $f(t_k)$, the patent takes into account that the flow of the IP has normal fluctuation in its number of times: the average number is estimated, $f(t_k)$ is corrected accordingly, and the influence of the normal fluctuation of the flow is removed, so that a more accurate estimate of the IP abnormal degree is obtained.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application.
In the drawings:
FIG. 1 is a flow chart of a method of IP anomaly traffic detection;
FIG. 2 is a flow chart illustrating the substeps of step S2 in FIG. 1;
FIG. 3 is a flow chart illustrating the substeps of step S3 in FIG. 1;
FIG. 4 is a schematic structural diagram of an IP abnormal traffic identification system of the present invention;
FIG. 5 is a block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The present invention is described in detail with reference to the embodiments shown in the drawings, but it should be understood that these embodiments are not intended to limit the present invention, and those skilled in the art should understand that functional, methodological, or structural equivalents or substitutions made by these embodiments are within the scope of the present invention.
Before describing in detail the various embodiments of the present invention, the core inventive concepts of the present invention are summarized and described in detail by the following several embodiments.
Referring to fig. 1, fig. 1 is a flowchart of an IP abnormal traffic detection method. As shown in fig. 1, the IP abnormal traffic detection method of the present invention includes:
average flow number acquisition step S1: counting the periodic IP flow number of any IP in a period, and obtaining the average flow number in the period according to the periodic IP flow number; the step S1 of obtaining the average flow number includes: constructing a first function, which is a discrete function, counting the periodic IP flow number through the discrete function, and obtaining the average flow number of the IP in one period from the periodic IP flow number.
Step S2 of obtaining the ideal average flow rate: sampling the rest periods of the IP to obtain sampling data, and obtaining estimated flow times and ideal average flow times according to the sampling data;
abnormality degree acquisition step S3: processing the periodic IP flow frequency according to the ideal average flow frequency and the average flow frequency in the period, and obtaining the IP abnormal degree according to the processed periodic IP flow frequency and the estimated flow frequency;
identification step S4: and identifying IP abnormal flow according to the IP abnormal degree.
Referring to fig. 2, fig. 2 is a flowchart illustrating a sub-step of step S2 in fig. 1. As shown in fig. 2, the step S2 of obtaining the ideal average flow rate includes:
abnormal value operation step S21: sampling the rest periods of the IP to obtain sampling data, and removing abnormal values of the sampling data;
estimated flow number obtaining step S22: obtaining the estimated flow times of any time point of the normal network IP according to the sampling data after the abnormal value is removed;
ideal average flow rate number calculation step S23: and obtaining the ideal average flow times according to the estimated flow times.
Referring to fig. 3, fig. 3 is a flowchart illustrating a sub-step of step S3 in fig. 1. As shown in fig. 3, the abnormality degree acquisition step S3 includes:
modification step S31: the number of periodic IP flows is modified according to the following formula:
Figure BDA0002821247640000071
wherein $f(t)$ is the number of periodic IP flows, $avg_e$ is the ideal average flow number, $avg$ is the average flow number in a cycle, and $f^*(t_k)$ is the processed periodic IP flow number;
IP abnormality degree calculation step S32: the IP abnormality degree is obtained according to the following formula:
Figure BDA0002821247640000072
wherein $diff$ is the degree of IP abnormality, $f^*(t)$ is the processed periodic IP flow number, and $F^*(t)$ is the estimated flow number.
The IP abnormal traffic detection method of the present invention will be specifically described below with reference to examples.
The first embodiment is as follows:
this example discloses a specific implementation of a statistics-based IP anomaly traffic detection method (hereinafter "method"). The invention is first based on step 1: let $f(t)$ ($t \in [0, T_0]$) be the flow number of a certain IP at time $t$; $f(t)$ is a discrete function, and the flow numbers $f(t_k)$ ($k \in [0, T_0/\Delta t]$) of the IP within a period $T_0$ are counted with $\Delta t$ as the time interval.
Step 2, calculating the average flow frequency avg in a period, wherein the calculation formula is as follows:
Figure BDA0002821247640000081
wherein k is0=0,km=T0
Step 3, calculating the estimated value $y$ and the ideal average flow number $avg_e$ for each time point of a normal network IP. $K$ periods are sampled to obtain $K$ groups of data $f_i(t_k)$ ($i \in [0, K]$, $k \in [0, T_0/\Delta t]$). For each $t_k$, outliers are removed from the flow numbers at that time point (a difference from the mean greater than two standard deviations is treated as an outlier). From the $K$ groups of data, the estimated value of $f(t_k)$ at time $t_k$ can be calculated:
Figure BDA0002821247640000082
wherein $K_{outlier}$ is the set of outliers at time $t_k$. The ideal average flow number can thus be calculated:
Figure BDA0002821247640000083
Step 4, processing the flow number function to eliminate the influence of normal fluctuation of the network flow. $f(t_k)$ is slightly modified:
Figure BDA0002821247640000084
thus, the influence of normal fluctuation of network flow can be eliminated.
Step 5, calculating the abnormal degree of the IP, with $F^*(t_k) = y_k$ taken as the estimated flow number. The calculation formula of the degree of abnormality is as follows:
Figure BDA0002821247640000085
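Steps 1 to 5 above (and the matching modules of example two), as an added worked example in Python; this is not code from the patent. The patent shows the step 4 correction and the step 5 anomaly-degree formulas only as images, so the forms used here, and the decision threshold for the identification step, are assumptions and are labelled as such in the code.

```python
"""Statistics-based IP anomaly degree, following embodiment one's five steps.

ASSUMPTIONS (the patent shows these formulas only as images):
  step 4:  f*(t_k) = f(t_k) * avg_e / avg   (rescale the period to the ideal mean)
  step 5:  diff = sum_k |f*(t_k) - F*(t_k)| / sum_k F*(t_k)
The decision threshold in detect() is also assumed; the patent gives none.
"""
from statistics import pstdev


def period_average(counts):
    """Step 2: avg, the mean of the flow counts f(t_k) over one period."""
    return sum(counts) / len(counts)


def remove_outliers(values):
    """Step 3 outlier rule as stated in the text: a value whose distance from
    the mean exceeds two standard deviations is dropped."""
    mu = sum(values) / len(values)
    limit = 2 * pstdev(values)
    kept = [v for v in values if abs(v - mu) <= limit]
    return kept or values  # degenerate guard: never discard every sample


def estimate_profile(reference_periods):
    """Step 3: y_k = F*(t_k), the estimated count at each time point, computed
    from the K other periods after per-time-point outlier removal."""
    m = len(reference_periods[0])
    if any(len(p) != m for p in reference_periods):
        raise ValueError("all periods must have the same number of time points")
    profile = []
    for k in range(m):
        column = [p[k] for p in reference_periods]
        kept = remove_outliers(column)
        profile.append(sum(kept) / len(kept))
    return profile


def ideal_average(profile):
    """Step 3: avg_e, the mean of the estimated counts y_k."""
    return sum(profile) / len(profile)


def correct_counts(counts, avg, avg_e):
    """Step 4 (assumed form): scale the period so its mean equals avg_e, which
    removes a uniform rise or fall of traffic that is not an anomaly. Note that
    a burst also raises avg, so a bursty period is scaled down as a whole; it
    is still caught because its shape no longer matches the profile."""
    if avg <= 0:
        return list(counts)
    factor = avg_e / avg
    return [c * factor for c in counts]


def anomaly_degree(corrected, profile):
    """Step 5 (assumed form): total absolute deviation of the corrected counts
    from the estimate, relative to the estimated total traffic."""
    total = sum(profile)
    if total <= 0:
        return 0.0
    return sum(abs(a - b) for a, b in zip(corrected, profile)) / total


def detect(current, reference_periods, threshold=0.3):
    """Steps 1-5 plus identification step S4 (threshold is an assumption).
    Returns (diff, is_abnormal)."""
    avg = period_average(current)
    profile = estimate_profile(reference_periods)
    avg_e = ideal_average(profile)
    corrected = correct_counts(current, avg, avg_e)
    diff = anomaly_degree(corrected, profile)
    return diff, diff > threshold


# Constructed sample data: one period = 6 time points (delta-t slots) of flow
# counts for a single IP. Eight reference periods follow the same daily shape
# with small offsets; the last one carries a one-slot spike (120) that the
# outlier rule must discard when building the profile.
BASE = [10, 12, 30, 35, 20, 8]
OFFSETS = [0, 1, -1, 0, 1, -1, 0, 0]
REFERENCE = [[c + o for c in BASE] for o in OFFSETS]
REFERENCE[7][2] = 120

# Normal fluctuation: every slot doubled (a busier day), same shape.
DOUBLED = [2 * c for c in BASE]
# Abnormal: one slot bursts to 200 while the rest stays at the usual level.
BURST = [10, 12, 30, 200, 20, 8]

if __name__ == "__main__":
    for name, period in (("doubled", DOUBLED), ("burst", BURST)):
        diff, flagged = detect(period, REFERENCE)
        print(f"{name:8s} diff={diff:.3f} abnormal={flagged}")
```

The doubled period reports a diff of 0 because the step 4 rescaling absorbs the uniform rise, while the single-slot burst stays well above the threshold.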
1. The number of independent IPs refers to the number of visits to a website by users with different IP addresses. No matter how many pages the same IP visits, the number of independent IPs is 1; the current common practice is that the same IP is counted as visiting only once within 24 hours, which is in line with the calculation habit of most advertisers at present.
2. PV (page views, the website browsing volume), that is, the number of times pages are browsed. Different statistical systems define it somewhat differently, but the main approach is that each refresh of a page increases the count by 1, regardless of malicious or continuous refreshing. A true PV statistic should be combined with IP, that is, the number of different pages visited by a given IP within 24 hours: no matter how many times the same IP visits the same page within 24 hours, it is counted only once, and only visits to different pages increase the PV count.
3. The independent visitor means the count of different users; the count should be increased for each different user, but from the current technical point of view it is impossible or difficult to determine whether a visitor is an independent user, for example in the following cases: multiple users share one IP to access the internet, the same user accesses the internet with a dynamic IP, or different users on the same machine with the same IP access the internet. Generally speaking, the website traffic and the IP count can be understood as equivalent.
IP is a code unique to each computer;
PV is the number of page views, e.g., if one IP views 10 pages, then the traffic today is 1 IP, 10 PV;
the higher the IP count, the more users the website has; the higher the PV, the more users are browsing the website content. Generally speaking, a low IP count with a high PV indicates that the website content attracts users, who keep checking the website, and that the website is a high-quality one;
if the IP and PV counts do not differ much, the website content is rich; the flow refers to the amount of data read from the server when a user accesses the website;
the IP address is unique but can be changed through a proxy server, even every second, so that attacks by a hacker against the IP address can be avoided;
each internet device has one IP, that is, the number of devices accessing the site is obtained by receiving the IP;
as for the traffic, it is simply that the page has pictures and text, and if their total is 2M and one user browses the whole page, the traffic is 2M.
Example two:
referring to fig. 4, fig. 4 is a schematic structural diagram of an IP abnormal traffic identification system according to the present invention. Fig. 4 shows a system for detecting abnormal IP traffic based on statistics, which includes:
the average flow frequency acquiring module is used for counting the periodic IP flow frequency of any IP in a period and acquiring the average flow frequency in the period according to the periodic IP flow frequency;
the module for obtaining the ideal average flow times samples the rest periods of the IP to obtain sampling data, and obtains estimated flow times and ideal average flow times according to the sampling data;
an abnormality degree obtaining module, wherein the abnormality degree obtaining module processes the periodic IP flow frequency according to the ideal average flow frequency and the average flow frequency in the period, and obtains the IP abnormality degree according to the processed periodic IP flow frequency and the estimated flow frequency;
an identification module that identifies IP abnormal traffic based on the IP abnormality degree.
The module for obtaining the average flow number constructs a first function, the first function is a discrete function, the periodic IP flow number is counted through the discrete function, and the average flow number of the IP in one period is obtained from the periodic IP flow number.
Wherein the module for obtaining the ideal average flow number comprises:
an abnormal value operation unit which samples the rest periods of the IP to obtain sampling data and removes the abnormal value from the sampling data;
an estimated flow frequency obtaining unit which obtains the estimated flow frequency of any time point of the normal network IP according to the sampling data after removing the abnormal value;
and the ideal average flow frequency calculating unit is used for obtaining the ideal average flow frequency according to the estimated flow frequency.
Wherein the abnormality degree acquisition module includes:
a modification unit that modifies the periodic IP traffic number according to the following formula:
Figure BDA0002821247640000101
wherein $f(t)$ is the number of periodic IP flows, $avg_e$ is the ideal average flow number, $avg$ is the average flow number in the period, and $f^*(t_k)$ is the processed periodic IP flow number;
an IP abnormality degree calculation unit that obtains an IP abnormality degree according to the following formula:
Figure BDA0002821247640000102
wherein $diff$ is the degree of IP abnormality, $f^*(t)$ is the processed periodic IP flow number, and $F^*(t)$ is the estimated flow number.
Example three:
referring to FIG. 5, the embodiment discloses an embodiment of a computer device. The computer device may comprise a processor 81 and a memory 82 in which computer program instructions are stored.
Specifically, the processor 81 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may include a hard disk drive (HDD), a floppy disk drive, a solid state drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is a non-volatile memory. In particular embodiments, memory 82 includes read-only memory (ROM) and random access memory (RAM). The ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate. The RAM may be a static random-access memory (SRAM) or a dynamic random-access memory (DRAM), where the DRAM may be a fast page mode DRAM (FPMDRAM), an extended data output DRAM (EDODRAM), a synchronous DRAM (SDRAM), and the like.
The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.
The processor 81 reads and executes the computer program instructions stored in the memory 82 to implement any one of the IP abnormal traffic detection methods in the above embodiments.
In some of these embodiments, the computer device may also include a communication interface 83 and a bus 80. As shown in fig. 5, the processor 81, the memory 82, and the communication interface 83 are connected via the bus 80 to complete communication therebetween.
The communication interface 83 is used for implementing communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication interface 83 may also implement data communication with other components, such as external devices, image/data acquisition devices, a database, external storage, an image/data processing workstation and the like.
Bus 80 includes hardware, software, or both to couple the components of the computer device to each other. Bus 80 includes, but is not limited to, at least one of the following: a data bus, an address bus, a control bus, an expansion bus, and a local bus. By way of example, and not limitation, bus 80 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or another suitable bus, or a combination of two or more of these. Bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The computer device can detect the network abnormal traffic based on the IP abnormal traffic detection method, thereby implementing the methods described in conjunction with fig. 1-3.
In addition, in combination with the IP abnormal traffic detection method of the foregoing embodiments, the embodiments of the present application may provide a computer-readable storage medium to implement the method. The computer-readable storage medium has computer program instructions stored thereon; when executed by a processor, the computer program instructions implement any of the IP abnormal traffic detection methods of the above embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
In summary, the beneficial effect of the invention is that it provides an IP abnormal traffic identification method that computes the abnormality degree of a given IP within a period from the traffic counts in that period. The method first counts the IP's traffic in one period, then computes the IP's average traffic count in that period, then estimates the traffic counts from the traffic counts of the other periods, and finally computes the difference between the counted value and the estimated value with an anomaly algorithm to obtain the IP abnormality degree. When the function f(t_k) of the counted traffic is formed, the patent takes into account that the IP's traffic has normal fluctuations in count, so f(t_k) is corrected using the estimated average count to remove the effect of normal traffic fluctuation, giving a more accurate estimate of the IP abnormality degree.
The above-mentioned embodiments only express several embodiments of the present application, and their description is relatively specific and detailed, but this is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. An IP abnormal traffic detection method, characterized by comprising the following steps:
an average traffic count obtaining step: counting the periodic IP traffic count of any IP within one period, and obtaining the average traffic count in that period from the periodic IP traffic count;
an ideal average traffic count obtaining step: sampling the remaining periods of the IP to obtain sampling data, and obtaining an estimated traffic count and an ideal average traffic count from the sampling data;
an abnormality degree obtaining step: processing the periodic IP traffic count according to the ideal average traffic count and the average traffic count in the period, and obtaining the IP abnormality degree from the processed periodic IP traffic count and the estimated traffic count;
an identification step: identifying IP abnormal traffic according to the IP abnormality degree.
2. The IP abnormal traffic detection method according to claim 1, wherein the average traffic count obtaining step comprises:
constructing a first function, the first function being a discrete function; counting the periodic IP traffic count by means of the discrete function; and obtaining the average traffic count of the IP in the period from the periodic IP traffic count.
3. The IP abnormal traffic detection method according to claim 1, wherein the ideal average traffic count obtaining step comprises:
an abnormal value operation step: sampling the remaining periods of the IP to obtain sampling data, and removing abnormal values from the sampling data;
an estimated traffic count obtaining step: obtaining, from the sampling data with the abnormal values removed, the estimated traffic count of a normally behaving network IP at any time point;
an ideal average traffic count calculating step: obtaining the ideal average traffic count from the estimated traffic count.
4. The IP abnormal traffic detection method according to claim 1, wherein the abnormality degree obtaining step comprises:
a modifying step: modifying the periodic IP traffic count according to the following formula:
[formula image FDA0002821247630000021; not reproduced in the text]
wherein f(t) is the periodic IP traffic count, avg_e is the ideal average traffic count, avg is the average traffic count in the period, and f*(t_k) is the processed periodic IP traffic count;
an IP abnormality degree calculating step: obtaining the IP abnormality degree according to the following formula:
[formula image FDA0002821247630000022; not reproduced in the text]
wherein diff is the IP abnormality degree, f*(t) is the processed periodic IP traffic count, and F*(t) is the estimated traffic count.
5. An IP abnormal traffic detection system, comprising:
an average traffic count obtaining module, which counts the periodic IP traffic count of any IP within one period and obtains the average traffic count in that period from the periodic IP traffic count;
an ideal average traffic count obtaining module, which samples the remaining periods of the IP to obtain sampling data and obtains an estimated traffic count and an ideal average traffic count from the sampling data;
an abnormality degree obtaining module, which processes the periodic IP traffic count according to the ideal average traffic count and the average traffic count in the period, and obtains the IP abnormality degree from the processed periodic IP traffic count and the estimated traffic count;
an identification module, which identifies IP abnormal traffic according to the IP abnormality degree.
6. The IP abnormal traffic detection system according to claim 5, wherein the average traffic count obtaining module constructs a first function, the first function being a discrete function, counts the periodic IP traffic count by means of the discrete function, and obtains the average traffic count of the IP in the period from the periodic IP traffic count.
7. The IP abnormal traffic detection system according to claim 5, wherein the ideal average traffic count obtaining module comprises:
an abnormal value operation unit, which samples the remaining periods of the IP to obtain sampling data and removes abnormal values from the sampling data;
an estimated traffic count obtaining unit, which obtains, from the sampling data with the abnormal values removed, the estimated traffic count of a normally behaving network IP at any time point;
an ideal average traffic count calculating unit, which obtains the ideal average traffic count from the estimated traffic count.
8. The IP abnormal traffic detection system according to claim 5, wherein the abnormality degree obtaining module comprises:
a modifying unit, which modifies the periodic IP traffic count according to the following formula:
[formula image FDA0002821247630000031; not reproduced in the text]
wherein f(t) is the periodic IP traffic count, avg_e is the ideal average traffic count, avg is the average traffic count in the period, and f*(t_k) is the processed periodic IP traffic count;
an IP abnormality degree calculating unit, which obtains the IP abnormality degree according to the following formula:
[formula image FDA0002821247630000032; not reproduced in the text]
wherein diff is the IP abnormality degree, f*(t) is the processed periodic IP traffic count, and F*(t) is the estimated traffic count.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the IP abnormal traffic detection method according to any one of claims 1 to 4 when executing the computer program.
10. A storage medium on which a computer program is stored, the program, when executed by a processor, implementing the IP abnormal traffic detection method according to any one of claims 1 to 4.
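The procedure of the summary paragraph and of claims 1 to 4 (count one period, estimate from the remaining periods with abnormal values removed, correct by the ratio of the averages, take the difference), as an added worked example in Python. This is not the patent's or the assignee's code. The two formulas in claims 4 and 8 are images that this page does not reproduce, so the correction f*(t_k) = f(t_k) * avg_e / avg, the abnormality degree diff as a normalised L1 difference between f*(t) and F*(t), the median-and-MAD outlier rule, the median as estimator for F*(t_k) and the alert threshold of 0.5 are all assumptions chosen to fit the claim language, and the traffic counts are constructed:

```python
# Added worked example; not code from the patent or its assignee.  Follows the
# step structure of claims 1-4.  The patent's formulas are images not shown on
# the page, so the following are ASSUMPTIONS:
#   correction    f*(t_k) = f(t_k) * avg_e / avg
#   abnormality   diff    = sum_k |f*(t_k) - F*(t_k)| / sum_k F*(t_k)
#   outlier rule  drop samples more than 3 scaled MADs from the median
#   estimator     F*(t_k) = median of the surviving samples at t_k
#   alert         diff > 0.5
from statistics import mean, median

MAD_SCALE = 1.4826  # scales the MAD to a standard-deviation-like unit


def remove_outliers(samples, k=3.0):
    """Assumed 'abnormal value operation': drop samples far from the median."""
    med = median(samples)
    devs = [abs(s - med) for s in samples]
    mad = median(devs)
    # With few samples the MAD is often exactly 0; fall back to the mean
    # absolute deviation so a lone spike among near-identical values is still cut.
    spread = MAD_SCALE * mad if mad > 0 else mean(devs)
    cutoff = k * spread
    return [s for s, d in zip(samples, devs) if d <= cutoff + 1e-9]


def estimate_profile(history):
    """F*(t_k) for every time point: the other periods' counts at t_k,
    outliers removed, summarised by the median (assumed estimator)."""
    n = len(history[0])
    columns = [[period[k] for period in history] for k in range(n)]
    return [median(remove_outliers(col)) for col in columns]


def anomaly_degree(f, history, threshold=0.5):
    """Score one period f(t_1..t_n) of a single IP against its other periods."""
    if any(len(p) != len(f) for p in history):
        raise ValueError("all periods must cover the same time points")
    f_est = estimate_profile(history)   # estimated traffic counts F*(t_k)
    if sum(f_est) == 0:
        raise ValueError("no historical traffic to compare against")
    avg = mean(f)                       # average traffic count in this period
    avg_e = mean(f_est)                 # ideal average traffic count
    # Correction: rescale the period so a uniformly busier or quieter period
    # (normal fluctuation of level) is not by itself scored as anomalous.
    f_star = [x * avg_e / avg for x in f] if avg > 0 else list(f)

    def l1(a, b):
        return sum(abs(x - y) for x, y in zip(a, b)) / sum(f_est)

    diff = l1(f_star, f_est)
    return {
        "avg": avg,
        "avg_e": avg_e,
        "estimate": f_est,
        "corrected": f_star,
        "diff": diff,                # assumed abnormality degree
        "raw_diff": l1(f, f_est),    # same measure without the correction
        "abnormal": diff > threshold,
    }


# Constructed sample: one IP, 8 time points per period, six earlier periods.
# The fifth history period carries a spike at t_5 that the outlier step must cut.
HISTORY = [
    [10, 12, 30, 50, 55, 40, 20, 8],
    [11, 13, 31, 52, 56, 41, 21, 9],
    [9, 11, 29, 48, 54, 39, 19, 7],
    [10, 12, 30, 51, 55, 40, 20, 8],
    [10, 12, 30, 50, 400, 40, 20, 8],
    [10, 12, 30, 49, 55, 40, 20, 8],
]
PERIOD_GROWTH = [11, 13, 33, 55, 61, 44, 22, 9]     # about 10 % more, same shape
PERIOD_BUSY = [30, 36, 90, 150, 165, 120, 60, 24]   # exactly 3x, same shape
PERIOD_SPIKE = [10, 12, 30, 50, 500, 40, 20, 8]     # burst at one time point

if __name__ == "__main__":
    for name, period in [("growth", PERIOD_GROWTH), ("busy", PERIOD_BUSY),
                         ("spike", PERIOD_SPIKE)]:
        r = anomaly_degree(period, HISTORY)
        print(f"{name:6s} diff={r['diff']:.3f} raw={r['raw_diff']:.3f} "
              f"abnormal={r['abnormal']}")
```

The three constructed periods show what the correction step buys: a period with three times the usual traffic but the same shape scores diff = 0 after correction, where the uncorrected measure would give 2.0, while a burst concentrated at one time point still scores above 1 because rescaling cannot repair a shape mismatch. The spike in the fifth history period is discarded before the estimate is formed, so it does not inflate F*(t_5); with real data the outlier rule and threshold would need to be tuned per traffic profile.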

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011418675.XA CN112543199B (en) 2020-12-07 2020-12-07 IP abnormal flow detection method, system, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112543199A true CN112543199A (en) 2021-03-23
CN112543199B CN112543199B (en) 2022-12-23

Family

ID=75016311

Country Status (1)

Country Link
CN (1) CN112543199B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116723138A (en) * 2023-08-10 2023-09-08 杭银消费金融股份有限公司 Abnormal flow monitoring method and system based on flow probe dyeing

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610616A (en) * 2015-12-29 2016-05-25 赛尔网络有限公司 Method and system for performing statistics to obtain average flow of single IP (Internet Protocol) of access network based on ICP (Internet Content Provider) activity
CN105847283A (en) * 2016-05-13 2016-08-10 深圳市傲天科技股份有限公司 Information entropy variance analysis-based abnormal traffic detection method
CN109639633A (en) * 2018-11-02 2019-04-16 平安科技(深圳)有限公司 Abnormal flow data identification method, device, medium and electronic equipment
US20190333099A1 (en) * 2018-04-30 2019-10-31 Affle (India) Limited Method and system for ip address traffic based detection of fraud
CN111600865A (en) * 2020-05-11 2020-08-28 杭州安恒信息技术股份有限公司 Abnormal communication detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN112543199B (en) 2022-12-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant