CN113595784A - Network flow detection method, device, equipment, storage medium and program product - Google Patents


Info

Publication number
CN113595784A
Authority
CN
China
Prior art keywords
data
communication pair
communication
monitoring index
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110854304.4A
Other languages
Chinese (zh)
Other versions
CN113595784B (en
Inventor
瞿毅力
裴斐
刘哲
李云龙
龙晓颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Merchants Bank Co Ltd
Original Assignee
China Merchants Bank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Merchants Bank Co Ltd
Priority to CN202110854304.4A
Publication of CN113595784A
Application granted
Publication of CN113595784B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0677 Localisation of faults
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network flow detection method, a device, equipment, a storage medium and a program product, wherein the method comprises the following steps: when a communication connection request is detected, acquiring communication pair data of the communication connection request and monitoring index data of the communication pair data, wherein the communication pair data comprises key communication pair data and non-key communication pair data; classifying and summarizing the communication pair data according to the service type of the communication pair data to obtain the flow data of the communication pair data; detecting whether abnormal data exist in the monitoring index data of the key communication pair data; if no abnormal data exist, judging whether the traffic of the communication pair data is abnormal according to the flow data, and if the traffic of the communication pair data is abnormal, detecting whether abnormal data exist in the monitoring index data of the non-key communication pair data. The invention reduces invalid alarms through graded detection, improves the detection accuracy of network flow abnormality, and, by combining the detection of each monitoring index data, can quickly locate abnormal indexes and analyze the causes of the abnormality.

Description

Network flow detection method, device, equipment, storage medium and program product
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, a storage medium, and a program product for detecting network traffic.
Background
With the arrival of the information age, network communication has become an increasingly important infrastructure service. Industries and enterprises pay more and more attention to their own data and establish data centers to facilitate its storage and use. A data center is typically the central hub for networks and data flows, with a large amount of traffic being switched in and out at every moment. At present, network communication generally uses TCP (Transmission Control Protocol) connections; TCP is a connection-oriented, reliable, byte-stream-based transport layer communication protocol. Establishing a TCP connection between two terminals usually requires a "three-way handshake": a preparation stage before data transmission or information interaction, in which the two terminals must interact three times to establish communication.
As data centers are established in large numbers, the volume of network operation and maintenance data grows. In an era of rapidly expanding internet services and high labor costs, it is particularly important to detect and analyze, at the traffic inlet and outlet of the data center, the network traffic of the three-way handshake that establishes each TCP connection, so as to monitor the connection state of network communication across the whole data center, determine whether the data transmission or information interaction of each TCP connection is abnormal, and reduce the workload of manual operation and maintenance.
The traditional method for detecting network traffic is a fixed threshold alarm: a fixed threshold is set for each connection index of the TCP connection, and an alarm is generated as soon as a certain index of the real-time network connections exceeds the set threshold. With this method, an index that exceeds the set threshold only at one specific moment produces an invalid alarm. In addition, when one or more indexes generate an alarm, the cause of the index abnormality cannot be determined quickly by combining other indexes; that is, with the conventional network traffic detection method it is difficult to combine multiple indexes to analyze the cause of an abnormality or to locate it.
Disclosure of Invention
The main purpose of the invention is to provide a network traffic detection method, device, equipment, storage medium and program product that solve two technical problems of the traditional network traffic detection method: invalid alarms lower the detection accuracy of network traffic abnormality, and alarms based on a fixed threshold make it difficult to combine multiple indexes to quickly locate abnormal indexes and analyze the causes of the abnormality.
To achieve the above object, the present invention provides a network traffic detection method, including the following steps:
when a communication connection request is detected, communication pair data of the communication connection request and monitoring index data of the communication pair data are obtained, wherein the communication pair data comprise key communication pair data and non-key communication pair data;
classifying and summarizing the communication pair data according to the service type of the communication pair data to obtain the flow data of the communication pair data;
detecting whether abnormal data exist in the monitoring index data of the key communication pair data;
if no abnormal data exists, judging whether the traffic of the communication pair data is abnormal according to the traffic data, and if the traffic of the communication pair data is abnormal, detecting whether abnormal data exists in the monitoring index data of the non-key communication pair data.
Optionally, the step of detecting whether there is abnormal data in the monitoring index data of the critical communication pair data includes:
inputting the monitoring index data of the key communication pair data into a preset target detection model to obtain a predicted value of the monitoring index data of the key communication pair data, wherein the target detection model is obtained by performing iterative training on a preset basic detection model by using historical communication;
comparing the predicted value with a true value of monitoring index data of the key communication pair data, and determining a target difference value of the predicted value and the true value;
and determining whether abnormal data exists in the monitoring index data of the key communication pair data or not based on the target difference and a preset experience threshold, wherein the experience threshold is obtained by mining the monitoring index data of the communication pair data.
Optionally, the step of obtaining the traffic data of the communication pair data by classifying and summarizing the communication pair data according to the service type of the communication pair data includes:
arranging all monitoring index data of the communication pair data in a row, and summarizing the communication pair data with the same service type according to all the monitoring index data to obtain sub-flow data of each service type;
summarizing the sub-flow data according to each monitoring index data to obtain total flow data of the communication pair data, wherein the sub-flow data and the total flow data are one-dimensional time sequences of each monitoring index data.
Optionally, the traffic data has a periodic characteristic, and the step of determining whether the traffic of the communication pair is abnormal according to the traffic data includes:
according to the periodic characteristics of the flow data, performing two-dimensional operation on the flow data to obtain two-dimensional data;
slicing the two-dimensional data to obtain a two-dimensional feature matrix;
extracting the characteristics of the two-dimensional characteristic matrix, and determining a predicted value of the communication pair data flow according to the extracted characteristics;
and comparing the predicted value of the flow of the communication pair with the true value of the flow of the communication pair, and judging whether the flow of the communication pair data is abnormal or not.
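The periodic detection steps above, sketched as an added example that is not code from the patent: the one-dimensional flow series is folded into a matrix with one row per period, sliced around the slot being checked, and the observation is compared with a prediction. The median predictor, the tolerance rule, the constant `FIXED_THRESHOLD` and the sample series are assumptions standing in for the feature extraction the patent leaves unspecified.

```python
from statistics import median

# Constructed history: total SYN packets per interval, 6 intervals per period,
# 4 complete periods. Slots 2 and 3 are the regular busy hours.
HISTORY = [
    100, 120, 400, 380, 150, 110,
    104, 118, 410, 372, 148, 112,
     98, 125, 395, 385, 155, 108,
    102, 121, 405, 378, 151, 111,
]
PERIOD = 6
FIXED_THRESHOLD = 300  # assumed static alarm level, for comparison only


def fold_by_period(series, period):
    """Two-dimensional form: one row per period, one column per slot."""
    if period <= 0 or not series or len(series) % period:
        raise ValueError("history must cover a whole number of periods")
    return [series[i:i + period] for i in range(0, len(series), period)]


def slice_around(matrix, slot, half_width):
    """Feature matrix: the columns around `slot`, taken from every period."""
    period = len(matrix[0])
    cols = [(slot + d) % period for d in range(-half_width, half_width + 1)]
    return [[row[c] for c in cols] for row in matrix]


def check_slot(history, period, slot, observed, half_width=1, k=3.0):
    """Predict the value for `slot` and compare it with the observed value.

    Assumption: the prediction is the median of the same slot in earlier
    periods, and the tolerance is k times the median absolute deviation of
    the whole slice (floored at 1 so a flat history still has a tolerance).
    """
    feature = slice_around(fold_by_period(history, period), slot, half_width)
    predicted = median(row[half_width] for row in feature)
    spread = median(abs(v - predicted) for row in feature for v in row)
    tolerance = k * max(spread, 1.0)
    return {
        "predicted": predicted,
        "tolerance": tolerance,
        "abnormal": abs(observed - predicted) > tolerance,
    }


def fixed_threshold_alarm(observed, threshold=FIXED_THRESHOLD):
    """The traditional check: alarm whenever the value exceeds the threshold."""
    return observed > threshold


if __name__ == "__main__":
    # Busy-hour value that is normal for its slot, and a quiet-hour surge.
    for slot, observed in ((2, 402), (0, 290)):
        result = check_slot(HISTORY, PERIOD, slot, observed)
        print(slot, observed, result, fixed_threshold_alarm(observed))
```

On this data the fixed threshold alarms on the regular busy-hour value and stays silent on the quiet-hour surge, while the period-aware comparison does the opposite.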
Optionally, the step of acquiring, when a communication connection request is detected, communication pair data of the communication connection request and monitoring index data of the communication pair data includes:
when a communication connection request is detected, communication pair data of the communication connection request is acquired;
summarizing the communication pair data acquired within a preset time interval to obtain monitoring index data of the communication pair data.
Optionally, after the step of detecting whether there is abnormal data in the monitoring index data of the non-critical communication pair data, the method further includes:
if abnormal data exist in the monitoring index data of the non-critical communication pair data, outputting alarm information, wherein the alarm information comprises target non-critical communication pair data with the abnormal data and abnormal indexes of the target non-critical communication pair data;
and if a plurality of abnormal indexes of the target non-key communication pair exist, sequencing the plurality of abnormal indexes in the alarm information.
In addition, to achieve the above object, the present invention further provides a network traffic detection device, including:
the data acquisition module is used for acquiring a communication pair of the communication connection request and monitoring index data of the communication pair when the communication connection request is detected, wherein the communication pair comprises a key communication pair and a non-key communication pair;
the data summarizing module is used for classifying and summarizing the communication pairs according to the service types of the communication pairs to obtain the flow data of the communication pairs;
the first detection module is used for detecting whether abnormal data exist in the monitoring index data of the key communication pair;
and the second detection module is used for judging whether the flow of the communication pair is abnormal according to the flow data if no abnormal data exists, and detecting whether abnormal data exists in the monitoring index data of the non-key communication pair if the flow of the communication pair is abnormal.
In addition, to achieve the above object, the present invention also provides a terminal device, including: a memory, a processor and a network traffic detection program stored on the memory and capable of running on the processor, wherein the network traffic detection program realizes the steps of the network traffic detection method when being executed by the processor.
Furthermore, to achieve the above object, the present invention also provides a computer readable storage medium having a network traffic detection program stored thereon, which when executed by a processor implements the steps of the method as described above.
Furthermore, to achieve the above object, the present invention also provides a computer program product, which includes a computer program, and the computer program realizes the steps of the network traffic detection method as described above when being executed by a processor.
The embodiment of the invention provides a network flow detection method, a network flow detection device, network flow detection equipment, a storage medium and a program product. In the traditional network flow detection method based on the fixed threshold, invalid alarms are easy to generate, so that the detection accuracy of network flow abnormity is low, and the alarms based on the fixed threshold are difficult to synthesize multiple indexes to analyze abnormity reasons or position the abnormity. Compared with the traditional network flow detection method, in the embodiment of the invention, when a communication connection request is detected, a communication pair of the communication connection request and monitoring index data of the communication pair are obtained, wherein the communication pair comprises a key communication pair and a non-key communication pair; classifying and summarizing the communication pairs according to the service types of the communication pairs to obtain flow data of the communication pairs; detecting whether abnormal data exist in the monitoring index data of the key communication pair; if not, judging whether the flow of the communication pair is abnormal according to the flow data, and if so, detecting whether abnormal data exists in the monitoring index data of the non-key communication pair. By carrying out hierarchical detection on the acquired communication, invalid alarm caused by short-time abnormity of single index data in a detection mode based on a fixed threshold value is reduced, the detection accuracy of network flow abnormity in the communication connection process is improved, and the communication pair data is divided into key communication pair data and non-key communication pair data.
Drawings
Fig. 1 is a schematic hardware structure diagram of an implementation manner of a terminal device according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a network traffic detection method according to a first embodiment of the present invention;
Fig. 3 is a schematic functional block diagram of a network traffic detection apparatus according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for facilitating the explanation of the present invention, and have no specific meaning in itself. Thus, "module", "component" or "unit" may be used mixedly.
The device (also called terminal, device or terminal device) in the embodiment of the invention can be a PC, and can also be a mobile terminal device with display and data processing functions, such as a smart phone, a tablet computer, a portable computer and the like.
As shown in fig. 1, the terminal may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Optionally, the terminal may further include a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WiFi module, and the like. Such as light sensors, motion sensors, and other sensors. Specifically, the light sensor may include an ambient light sensor that may adjust the brightness of the display screen according to the brightness of ambient light, and a proximity sensor that may turn off the display screen and/or the backlight when the mobile terminal is moved to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally, three axes), detect the magnitude and direction of gravity when the mobile terminal is stationary, and can be used for applications (such as horizontal and vertical screen switching, related games, magnetometer attitude calibration), vibration recognition related functions (such as pedometer and tapping) and the like for recognizing the attitude of the mobile terminal; of course, the mobile terminal may also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which are not described herein again.
Those skilled in the art will appreciate that the terminal structure shown in fig. 1 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer-readable storage medium, may include therein an operating system, a network communication module, a user interface module, and a network traffic detection program.
In the terminal shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and the processor 1001 may be configured to invoke a network traffic detection program stored in the memory 1005, and when the network traffic detection program is executed by the processor, the network traffic detection program implements the operations in the network traffic detection method provided by the following embodiments.
Based on the hardware structure of the equipment, the embodiment of the network flow detection method is provided.
It should be noted that the "three-way handshake" that establishes a TCP connection proceeds as follows.
First handshake: the client sends a TCP message (SYN packet) to the server. Its flag bit is SYN, indicating "request to establish a new connection", and its sequence number is Seq = X (X is generally 1). The client then enters the SYN-SENT stage and waits for the server to confirm.
Second handshake: after receiving the TCP message from the client, the server ends the LISTEN stage and returns a TCP message (SYN.ACK packet) to the client. Its flag bits are SYN and ACK, its sequence number is Seq = Y, and its acknowledgement number is Ack = X + 1: the server takes the sequence number Seq received from the client and adds 1 to it to form its own acknowledgement number Ack. This indicates that the client's sequence number is valid, that the server can normally receive data sent by the client, and that it agrees to create the new connection (that is, it tells the client that the server has received the data). The server then enters the SYN-RCVD stage.
Third handshake: after receiving the server's TCP message confirming that the data was received, the client determines that data transmission from the client to the server is normal, ends the SYN-SENT stage, and returns a final TCP message (ACK packet). Its flag bit is ACK, indicating "the signal that the server agrees to connect has been received". Its sequence number is Seq = X + 1: the client takes the acknowledgement number Ack received from the server as its own sequence number. Its acknowledgement number is Ack = Y + 1: the client takes the sequence number Seq received from the server and adds 1 to it to form its own acknowledgement number. The client then enters the ESTABLISHED stage.
After the server receives the client's TCP message "confirming receipt of the server data", the server determines that data transmission from the server to the client is normal, ends the SYN-RCVD stage, and enters the ESTABLISHED stage. The client and the server have then completed the three-way handshake and the communication connection. After the communication connection is established, the client and the server can carry out data transmission and information interaction.
In the TCP messages exchanged between the client and the server, each side calculates its acknowledgement number Ack and sequence number Seq from the Ack and Seq values of the other side, which keeps the TCP message exchange consistent. If a TCP message sent by either party is lost, the handshake cannot continue, which ensures that the three-way handshake only completes when every message has arrived. Therefore, by detecting and analyzing the messages sent while a TCP connection is being established, it is possible to detect whether the network traffic during TCP connection establishment is abnormal.
Traditional methods for detecting network traffic during TCP connection establishment mostly raise alarms on a fixed threshold: when a certain index exceeds the set threshold at some moment while communication connections are being established, an abnormality alarm is generated. However, for an instantaneous alarm, or in certain special time periods (for example, when marketing activities are running), it is normal for an index to exceed the set threshold for a short time, and the network traffic is not necessarily abnormal. The traditional fixed-threshold anomaly detection method therefore has low detection accuracy for network traffic anomalies. Furthermore, when a certain index exceeds the set threshold, it is difficult to combine multiple indexes to quickly locate the anomaly and analyze its cause. For example, suppose that at a certain moment or in a certain time period the clients requesting communication connections send M syn packets to the server, but the server receives only N syn packets. If the number of lost packets (M-N) when the server responds to the client requests exceeds the set threshold of the packet loss index, an alarm is triggered; however, the alarm information does not show which clients sent syn packets at which moment or in which time period, so the specific reason for the packet loss cannot be analyzed quickly. Based on this, the embodiments of the network traffic detection method of the present invention are provided.
Key technical terms used in the embodiments of the present invention include:
Communication pair data: the messages and other information generated by the "three-way handshake" interaction when a TCP connection is established. The two terminals establishing the communication connection (generally a client and a server) may be called a communication pair, and the communication pair data generated by the same communication pair during the "three-way handshake" share the same source address, destination address, port number and similar information.
Network flow: network traffic is the amount of data transmitted on the network; in the embodiments of the present invention, it is the amount of message data (i.e., communication pair data) transmitted when TCP communication is established.
Referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of a network traffic detection method according to the present invention, where in the first embodiment of the network traffic detection method according to the present invention, the network traffic detection method includes:
step S10, when a communication connection request is detected, acquiring communication pair data of the communication connection request and monitoring index data of the communication pair data, wherein the communication pair data comprises key communication pair data and non-key communication pair data;
in each embodiment of the invention, the network flow detection method is implemented on the network flow detection terminal, detects the data flow of the communication connection established in the network, and determines whether the communication connection state in the network is abnormal or not according to the detection result of the flow. The network traffic terminal may be a terminal device with display and data processing functions, such as a personal computer or a tablet computer. In recent years, with the development of information technology, various industries pay more attention to their own data values, and thus data centers are established and put more and more attention to their own data centers. Particularly, in financial industries such as banks, a data center is a hub for data transfer and exchange in the whole network, and supports the data transfer and exchange requirements of each client, thereby ensuring the normal operation of each business process of the bank. The data center has a large amount of data flow at every moment, and if the communication connection between the client and the data center server is abnormal, the data flow or exchange of the client is affected, and further the service of the client is affected. Therefore, it is necessary to detect whether there is an abnormality in the communication connection state between the client and the server in time. The traditional method for detecting the flow in the communication connection alarms based on a fixed threshold, so that the detection accuracy is low, and the abnormality cannot be analyzed or accurately positioned in time when the abnormality is detected. In this embodiment, the network traffic detection method of the present invention is used to detect data traffic for establishing communication connection in a network, and further detect a communication connection state in a data center network of a financial institution such as a bank. 
By adopting a grading detection mode, the anomaly detection accuracy can be improved, and the anomaly can be quickly analyzed and positioned.
Specifically, when a communication connection request is detected in a network, communication pair data of the communication connection request and monitoring index data of the communication pair data are acquired, wherein the acquired communication pair data include critical communication pair data and non-critical communication pair data. The communication connection request is a request sent by a client to a server. Taking a client and a server as an example, when a communication connection request message sent by the client is detected, the messages that establish the communication connection between the client and the server are captured, and monitoring index data of the communication pair data is generated from the captured messages. The monitoring index data of the communication pair data includes the client request count, the server response count, the SYN packets, SYN-ACK packets and ACK packets of the three-way handshake, the number of client data packets, client reset packets, client FIN packets (end packets; FIN stands for finish), the number of client packets carrying no data, the number of server data packets, server reset packets, server FIN packets and the like, and is used to monitor the traffic of the communication pair data. In other words, when a communication connection is established, the messages sent by the same client to the same server constitute communication pair data, and within that communication pair data the client and the server form a communication pair.
The captured communication pair data is then aggregated and analyzed to obtain monitoring index data for the communication connection state of the whole network. For example, the establishment of communication connections can be assessed from the numbers of captured SYN, SYN-ACK and ACK packets: if these numbers are not consistent, packets were lost while communication connections were being established, from which it can be determined that the network traffic is abnormal.
Further, since the establishment of the communication connection requires three-way handshake interaction, when acquiring the monitoring index data of the communication pair data, the communication pair data of different communication pairs captured at the same time may be summarized to obtain corresponding monitoring index data to detect the current network traffic, or the captured communication pair data may be summarized once every preset time interval to obtain the monitoring index data of the network traffic when the communication connection is established for each communication pair, and then the communication pair data of each communication pair is summarized to obtain the monitoring index data for detecting the entire network traffic.
Further, the obtained communication pair data includes critical communication pair data and non-critical communication pair data. Whether communication pair data is critical or non-critical is determined by whether the corresponding communication pair is a critical communication pair. Critical and non-critical communication pairs may be determined according to the traffic (i.e., communication frequency) between the communication pairs, or according to the priority of the service type of the client in the communication pair, a critical communication pair being one whose client service type has the higher priority. It should be noted that, when the same client corresponds to different servers, it may correspond to different service types with different priorities, so the priority of the service type may also be determined from the client and the server of the communication pair together. Further, the priority of a service may differ between time periods, so critical and non-critical communication pairs are not necessarily fixed and may be adjusted according to conditions such as time.
Further, the refinement of step S10 includes:
step S11, when a communication connection request is detected, communication pair data of the communication connection request is obtained;
step S12, summarizing the communication pair data acquired within a preset time interval to obtain monitoring index data of the communication pair data.
When the communication pair data and its monitoring index data are obtained, the messages sent when each communication pair establishes a communication connection are first captured to obtain the communication pair data; the communication pair data captured within a preset time interval is then summarized to obtain monitoring index data of the traffic of the communication pair data. The communication pair data is summarized per communication pair: the data of the same communication pair is summarized to obtain monitoring index data for the traffic of each communication pair, so that it can be judged whether the traffic of each communication pair is abnormal.
Then, the data of the same type of communication pair is summarized to obtain monitoring index data of each type, so that the data of different types of communication pair can be classified according to different standards, the classified data of communication pair is summarized from different dimensions, and then the flow of the data of communication pair is detected from different dimensions.
Step S20, classifying and summarizing the communication pair data according to the service type of the communication pair data to obtain the flow data of the communication pair data;
Further, in this embodiment, after the communication pair data and the monitoring index data of the communication pair data are acquired, the acquired communication pair data are classified and summarized according to the service type of the communication pair data to obtain the traffic data of the communication pair data. The traffic data of the communication pair data includes sub-traffic data of each service type and total traffic data obtained by summarizing the sub-traffic data of each service type; that is, the data of communication pairs are summarized by the service type of each communication pair to obtain the traffic of the communication pair data of each service type, and the traffic of each service type is then summarized to obtain the total traffic. Specifically, the step of classifying and summarizing the acquired communication pair data according to the service type of the communication pair data to obtain the traffic data of the communication pair data includes:
step S21, arranging each monitoring index data of the communication pair data in a row, and summarizing the communication pair data with the same service type according to each monitoring index data to obtain sub-flow data of each service type;
step S22, summarizing the sub-flow data according to each monitoring index data to obtain total flow data of the communication pair data, where the sub-flow data and the total flow data are a one-dimensional time sequence of each monitoring index data.
When communication pair data are summarized, the monitoring index data of the communication pair data are arranged in columns, and the communication pair data are then stacked and summarized in the channel direction of the monitoring index data: communication pair data with the same service type are summarized first, and the communication pair data of each service type are then summarized. Taking the number of SYN packets and the number of SYN-ACK packets in the monitoring index data as an example, the SYN packets and the SYN-ACK packets in the communication pair data of different service types are summarized separately to obtain the traffic data of the SYN packets and of the SYN-ACK packets; when there are a plurality of monitoring index data, the data corresponding to each monitoring index data in the communication pair data is summarized by service type, so that traffic data of different granularities is obtained. The monitoring index data obtained through summarization is a one-dimensional time sequence of each monitoring index data, representing the value of that monitoring index data at a certain moment or within a certain time period.
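The following added example (not code from the patent) carries steps S11/S12 and S21/S22 through on constructed capture records: it buckets packets per communication pair and time interval, flags buckets whose SYN, SYN-ACK and ACK counts disagree, and sums the indices per service type and in total. The record layout, the 60-second interval, the service-type names and the function names are assumptions.

```python
from collections import defaultdict

# Monitoring indices counted per communication pair (a subset of those the text lists).
METRICS = ("syn", "syn_ack", "ack", "client_fin", "server_rst")
INTERVAL = 60  # assumed "preset time interval", in seconds

# Constructed sample: two clients talking to one server (documentation address ranges).
PAIR_A = ("192.0.2.10", "198.51.100.5")
PAIR_B = ("192.0.2.20", "198.51.100.5")
SERVICE_TYPE = {PAIR_A: "payments", PAIR_B: "reporting"}  # hypothetical service types
HANDSHAKE = ["syn", "syn_ack", "ack"]


def pkts(pair, ts, kinds):
    """Build constructed capture records: (timestamp, client, server, packet kind)."""
    return [(ts, pair[0], pair[1], kind) for kind in kinds]


PACKETS = (
    pkts(PAIR_A, 5, HANDSHAKE) + pkts(PAIR_A, 20, HANDSHAKE)
    + pkts(PAIR_A, 70, HANDSHAKE + ["client_fin"])
    + pkts(PAIR_B, 10, HANDSHAKE) + pkts(PAIR_B, 30, HANDSHAKE)
    + pkts(PAIR_B, 45, ["syn", "server_rst"])  # SYN answered by a reset
    + pkts(PAIR_B, 90, HANDSHAKE)
)


def pair_indices(packets, interval=INTERVAL):
    """S11/S12: count each index per (communication pair, interval bucket)."""
    out = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    for ts, client, server, kind in packets:
        out[((client, server), ts // interval)][kind] += 1
    return dict(out)


def handshake_mismatches(indices):
    """Buckets where SYN, SYN-ACK and ACK counts disagree.

    A handshake that straddles a bucket boundary also shows up here, so a
    single mismatching bucket is a lead to check, not proof of packet loss.
    """
    return sorted(key for key, m in indices.items()
                  if not (m["syn"] == m["syn_ack"] == m["ack"]))


def traffic_by_service(indices, service_type):
    """S21/S22: per-service sub-traffic and total traffic, one series per index."""
    buckets = sorted({bucket for _, bucket in indices})
    sub = defaultdict(lambda: {m: [0] * len(buckets) for m in METRICS})
    total = {m: [0] * len(buckets) for m in METRICS}
    for (pair, bucket), counts in indices.items():
        i = buckets.index(bucket)
        for m in METRICS:
            sub[service_type[pair]][m][i] += counts[m]
            total[m][i] += counts[m]
    return buckets, dict(sub), total


if __name__ == "__main__":
    idx = pair_indices(PACKETS)
    print("handshake mismatches:", handshake_mismatches(idx))
    buckets, sub, total = traffic_by_service(idx, SERVICE_TYPE)
    for service, series in sub.items():
        print(service, series["syn"], series["syn_ack"])
    print("total", total["syn"], total["syn_ack"])
```

Each list returned by `traffic_by_service` is one of the one-dimensional time sequences the text describes, indexed by interval bucket.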
Step S30, detecting whether abnormal data exist in the monitoring index data of the key communication pair;
After the communication pair data is obtained, the monitoring index data of each key communication pair data is checked for abnormality. Checking each monitoring index data shows whether the traffic of the key communication pair data is abnormal, and, when it is, allows the index causing the traffic abnormality to be determined quickly and the abnormal communication pair to be located. To detect whether the monitoring index data of the key communication pair data is abnormal, the monitoring index data of each key communication pair data can be compared with the normal value of that monitoring index data at the current time or within a certain time period from the current time. It should be noted that the normal value of each monitoring index data may be obtained by analyzing and mining the historical data of each key communication pair data, or may be a value adaptively adjusted according to the performance requirement on the monitoring index of the communication pair data.
In the conventional anomaly detection mode based on a fixed threshold, an abnormality alarm is generated when the monitoring index data exceeds the set normal threshold range. Taking the broadband resource occupancy rate of the server as an example, under fixed-threshold alarming an alarm is triggered when the occupancy rate is detected to reach 90% or above. If the occupancy rate is only about 70% under normal conditions, then an occupancy rate of about 80% over a long time indicates that the performance of the server is abnormal; the conventional fixed-threshold mode is thus clearly insufficient in detecting potential abnormalities. In this embodiment, historical data is mined to determine the normal values of the monitoring index data of communication pair data of different service types, and the normal values of the monitoring index data of the same communication pair data may differ between time periods. For example, if the business of the client in a certain key communication pair is concentrated and must be processed centrally in a specific time period, such as the last day of a month, the communication connection requests to the server in that key communication pair data will increase rapidly within a short time during that period; to reduce invalid alarms, the normal values of the monitoring index data of the key communication pair data may therefore differ between the period in which business is processed centrally and the periods in which it is not.
When abnormal data exists in the monitoring index data of the key communication pair data, alarm prompt information is output. The alarm prompt information includes the abnormal communication pair and the abnormal index data of that communication pair, so that the abnormal communication pair is quickly located within the key communication pair data and the cause of the abnormality can be analyzed quickly.
Step S40, if not, judging whether the flow of the communication pair is abnormal according to the flow data, and if so, detecting whether abnormal data exists in the monitoring index data of the non-key communication pair.
If no abnormal data exists in the monitoring index data of the key communication pair data, the traffic data of all the communication pair data is checked for abnormality. If, with no abnormal data detected in the key communication pair data, the traffic of the communication pair data is abnormal, the monitoring index data of the non-key communication pair data is checked for abnormal data, so as to determine whether the traffic of the communication pair data as a whole is abnormal and whether the abnormality is caused by abnormal traffic of the non-key communication pair data.
Further, the traffic data of the communication pair data has a periodic characteristic, and whether the traffic data at different times or in different time periods is abnormal can be judged from the summarized monitoring index data. Judging whether the traffic of the communication pair is abnormal specifically includes:
step S41, according to the periodicity characteristics of the flow data, performing two-dimensional processing on the flow data to obtain two-dimensional data;
step S42, slicing the two-dimensional data to obtain a two-dimensional feature matrix;
step S43, extracting the characteristics of the two-dimensional characteristic matrix, and determining the predicted value of the communication pair data flow according to the extracted characteristics;
step S44, comparing the predicted value of the traffic of the communication pair with the true value of the traffic of the communication pair, and determining whether the traffic of the communication pair data is abnormal.
Specifically, the one-dimensional time sequence of each monitoring index data is made two-dimensional by taking the period as the abscissa and the ordinal position of each acquisition within the period as the ordinate. In the ordinate direction, the resulting two-dimensional data represents the development trend of the traffic index data within a period; in the abscissa direction, it represents the change trend of the traffic index data over the same time slot of successive periods.
The obtained two-dimensional data is sliced to obtain a multi-channel two-dimensional feature matrix, features are extracted from the two-dimensional feature matrix, and a predicted value of the traffic of the communication pair data is determined from the extracted features. The predicted value is compared with the true value obtained through summarization, and whether the traffic of the communication pair data is abnormal is judged from the difference between the predicted value and the true value.
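Steps S41 to S44, as an added example that is not code from the patent: one monitoring index series is folded by period, sliced into windows of consecutive periods, and the latest period is compared with a prediction. The patent does not specify the feature extractor, so a per-slot median over the window stands in for it; the period length, window width, tolerance and sample values are constructed, and in the multi-channel case each monitoring index would be folded the same way as one channel.

```python
from statistics import median

PERIOD = 4  # constructed: four collection slots per period
# Constructed one-dimensional series of one monitoring index over five periods.
SERIES = [10, 80, 100, 20,
          12, 82, 98, 22,
          9, 78, 102, 19,
          11, 81, 99, 21,
          11, 79, 101, 60]  # last period: slot 3 is about three times its usual level


def fold(series, period):
    """S41: rows are slots within a period (ordinate), columns are periods (abscissa)."""
    if period <= 0 or len(series) % period:
        raise ValueError("series must contain a whole number of periods")
    n_periods = len(series) // period
    return [[series[p * period + s] for p in range(n_periods)] for s in range(period)]


def slice_windows(matrix, width):
    """S42: sliding windows of `width` consecutive periods over the folded matrix."""
    n_periods = len(matrix[0])
    if not 0 < width <= n_periods:
        raise ValueError("window width must be between 1 and the number of periods")
    return [[row[i:i + width] for row in matrix] for i in range(n_periods - width + 1)]


def predict_next_period(window):
    """S43 stand-in: the median of each slot over the periods in the window."""
    return [median(row) for row in window]


def abnormal_slots(series, period, width, tolerance):
    """S44: predict the latest period from the `width` periods before it and compare.

    Returns (slot, predicted, actual) for every slot whose deviation from the
    prediction exceeds `tolerance` as a fraction of the predicted value.
    """
    matrix = fold(series, period)
    history = [row[:-1] for row in matrix]
    actual = [row[-1] for row in matrix]
    predicted = predict_next_period(slice_windows(history, width)[-1])
    return [(slot, p, a) for slot, (p, a) in enumerate(zip(predicted, actual))
            if abs(a - p) > tolerance * max(p, 1)]


def fixed_threshold_alerts(series, limit):
    """The fixed-threshold baseline the text criticises: indexes above one limit."""
    return [i for i, value in enumerate(series) if value > limit]


if __name__ == "__main__":
    print("fixed threshold 90:", fixed_threshold_alerts(SERIES, 90))
    print("period-aware      :", abnormal_slots(SERIES, PERIOD, width=3, tolerance=0.25))
```

On this series the fixed limit fires on the routine peak slot of every period and never on the value 60, while the period-aware comparison reports only slot 3 of the last period.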
Further, after step S40, the method further includes:
step S401, if abnormal data exists in the monitoring index data of the non-key communication pair data, outputting alarm information, wherein the alarm information comprises target non-key communication pair data with the abnormal data and an abnormal index of the target non-key communication pair data;
step S402, if a plurality of abnormal indexes of the target non-key communication pair exist, sequencing the plurality of abnormal indexes in the alarm information.
When abnormal data exists in the monitoring index data of the non-key communication pair data, alarm information is output, which includes the abnormal non-key communication pair data and its abnormal indexes; if there are a plurality of abnormal indexes, they are sorted in the alarm information. The abnormal indexes may be sorted by the degree to which each exceeds its normal range, or according to a priority order set for the indexes, which is not specifically limited herein. Likewise, when a plurality of non-critical communication pair data are detected to be abnormal, the plurality of abnormal non-critical communication pairs may be sorted in the alarm information.
In this embodiment, when a communication connection request is detected, communication pair data of the communication connection request and monitoring index data of the communication pair data are acquired, where the communication pair data include critical communication pair data and non-critical communication pair data; the communication pair data is classified and summarized according to the service type of the communication pair data to obtain the traffic data of the communication pair data; the monitoring index data of the key communication pair data is checked for abnormal data; if there is none, whether the traffic of the communication pair data is abnormal is judged from the traffic data, and if the traffic of the communication pair data is abnormal, the monitoring index data of the non-key communication pair data is checked for abnormal data. By carrying out hierarchical detection on the acquired communication pair data, invalid alarms caused by a short-lived abnormality of a single index under fixed-threshold detection are reduced, the detection accuracy of network traffic abnormality during communication connection is improved, and the communication pair data is divided into key communication pair data and non-key communication pair data.
Further, on the basis of the above embodiment of the present invention, a second embodiment of the network traffic detection method of the present invention is provided.
This embodiment refines step S30 of the first embodiment. Based on the above embodiment, in this embodiment the step of detecting whether abnormal data exists in the monitoring index data of the key communication pair data includes:
step S301, inputting the monitoring index data of the key communication pair data into a preset target detection model to obtain a predicted value of the monitoring index data of the key communication pair data, wherein the target detection model is obtained by performing iterative training on the preset basic detection model by using historical communication pair data;
Based on the above embodiment, in this embodiment, when detecting whether abnormal data exists in the monitoring index data of the key communication pair data, the monitoring index data of the key communication pair data is input into a preset target detection model for detection, where the preset target detection model is obtained by iteratively training a constructed basic detection model using historical communication pair data.
Further, to iteratively train the basic detection model, monitoring index data is first extracted from the historical communication pair data to generate a corresponding sample data set; the constructed basic detection model is then iteratively trained on the generated sample data set until the model parameters converge, yielding the trained target detection model. The obtained monitoring index data of the communication pair data is input into the trained target detection model, which outputs a predicted value of the monitoring index of the communication pair data.
Step S302, comparing the predicted value with a true value of monitoring index data of the key communication pair data, and determining a target difference value of the predicted value and the true value;
After the predicted value of the monitoring index data of the key communication pair data is obtained, it is compared with the true value of each acquired monitoring index data to determine the target difference between the predicted value and the true value, from which it can be detected whether abnormal data exists in the monitoring index data of the key communication pair data. It should be noted that the trained target detection model can produce different predicted values of the monitoring index data for communication pair data acquired at different times or in different time periods. The business of financial institutions such as banks generally exhibits periodicity, with a period as short as hours or days or as long as months, quarters or years, so the traffic of different communication pair data has different periodicities.
The predicted value of the monitoring index data of the key communication pair is determined according to the time at which the key communication pair data was acquired and is compared with the acquired true value to determine the target difference between them; whether abnormal data exists in the monitoring index data of the key communication pair data is judged from the target difference, and thereby whether the traffic of the key communication pair data is abnormal.
Step S303, determining whether abnormal data exists in the monitoring index data of the key communication pair data based on the target difference and a preset experience threshold, where the experience threshold is obtained by mining historical monitoring index data of the communication pair data.
Further, to judge from the target difference between the predicted value and the true value of the monitoring index data of the key communication pair data whether abnormal data exists, the target difference is compared with a preset experience threshold; if the target difference is greater than the preset experience threshold, an abnormal index exists in the monitoring index data of the key communication pair data, and the traffic of the key communication pair data can be determined to be abnormal. The preset experience threshold is obtained by mining the monitoring index data of the historical communication pair data, and the alarm threshold is determined by continuously mining the historical communication pair data.
In this embodiment, a predicted value of the monitoring index data of the key communication pair data is obtained from a target detection model iteratively trained on historical communication pair data, and whether the traffic of the key communication pair data is abnormal is judged against an experience threshold obtained by mining the monitoring index data of the historical communication pair data.
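The hierarchical decision of steps S30, S40, S401 and S402 together with the predicted-versus-true comparison of steps S302 and S303, as an added example that is not code from the patent. Predicted values are supplied as constructed inputs in place of the trained target detection model; the nearest-rank quantile used to mine the experience threshold, the pair labels, the index names and all sample numbers are assumptions.

```python
import math


def mine_threshold(residuals, q=0.9):
    """Experience threshold: nearest-rank q-quantile of |true - predicted| in history."""
    ranked = sorted(abs(r) for r in residuals)
    return ranked[max(0, math.ceil(q * len(ranked)) - 1)]


# Constructed historical residuals (true minus predicted) per monitoring index.
PAIR_THRESHOLDS = {
    "syn": mine_threshold([1, -2, 3, -1, 2, 0, -3, 1, 2, -1]),
    "server_rst": mine_threshold([0, 1, 0, -1, 0, 0, 1, 0, 0, -1]),
}
TOTAL_THRESHOLDS = {
    "syn": mine_threshold([4, -5, 6, -3, 2, -6, 5, 1, -2, 3]),
    "server_rst": mine_threshold([1, -1, 2, 0, -2, 1, 0, 1, -1, 2]),
}


def abnormal_indices(predicted, actual, thresholds):
    """S302/S303: indices whose target difference exceeds the threshold, worst first (S402)."""
    hits = []
    for metric, threshold in thresholds.items():
        diff = abs(actual[metric] - predicted[metric])
        if diff > threshold:
            hits.append((metric, diff / threshold if threshold else float("inf")))
    return [metric for metric, _ in sorted(hits, key=lambda h: h[1], reverse=True)]


def tiered_detect(pairs, total, pair_thresholds, total_thresholds):
    """S30 then S40: key pairs first, then total traffic, then non-key pairs."""
    def scan(want_key):
        alarms = {}
        for name, obs in pairs.items():
            if obs["key"] == want_key:
                hits = abnormal_indices(obs["predicted"], obs["actual"], pair_thresholds)
                if hits:
                    alarms[name] = hits
        return alarms

    key_alarms = scan(True)
    if key_alarms:  # S30: alarm names the abnormal key pair and its indices
        return {"stage": "key", "alarms": key_alarms}
    if not abnormal_indices(total["predicted"], total["actual"], total_thresholds):
        return {"stage": "none", "alarms": {}}
    return {"stage": "non_key", "alarms": scan(False)}  # S40 / S401


def run_sample(key_syn_actual, batch_actual=(52, 9)):
    """Constructed observation: one key pair and one non-key pair (hypothetical labels)."""
    pairs = {
        "teller->core": {"key": True,
                         "predicted": {"syn": 120, "server_rst": 2},
                         "actual": {"syn": key_syn_actual, "server_rst": 2}},
        "batch->db": {"key": False,
                      "predicted": {"syn": 40, "server_rst": 1},
                      "actual": {"syn": batch_actual[0], "server_rst": batch_actual[1]}},
    }
    total = {side: {m: sum(p[side][m] for p in pairs.values()) for m in PAIR_THRESHOLDS}
             for side in ("predicted", "actual")}
    return tiered_detect(pairs, total, PAIR_THRESHOLDS, TOTAL_THRESHOLDS)


if __name__ == "__main__":
    print(run_sample(121))           # key pair normal, total abnormal -> non-key scan
    print(run_sample(140))           # key pair abnormal -> alarm at the first tier
    print(run_sample(121, (41, 1)))  # everything within thresholds
```

In this flow non-key pairs are examined only when the total traffic is abnormal, so a non-key deviation too small to move the total is never inspected; that follows from the order of steps S30 and S40.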
In addition, referring to fig. 3, an embodiment of the present invention further provides a network traffic detection apparatus, where the network traffic detection apparatus includes:
a data obtaining module 10, configured to obtain, when a communication connection request is detected, a communication pair of the communication connection request and monitoring index data of the communication pair, where the communication pair includes a critical communication pair and a non-critical communication pair;
the data summarizing module 20 is configured to classify and summarize the communication pairs according to the service types of the communication pairs to obtain traffic data of the communication pairs;
a first detecting module 30, configured to detect whether there is abnormal data in the monitoring index data of the key communication pair;
and the second detection module 40 is configured to, if not, determine whether the traffic of the communication pair is abnormal according to the traffic data, and if so, detect whether abnormal data exists in the monitoring index data of the non-critical communication pair.
Optionally, the data obtaining module 10 is further configured to:
when a communication connection request is detected, communication pair data of the communication connection request is acquired;
summarizing the communication pair data acquired within a preset time interval to obtain monitoring index data of the communication pair data.
Optionally, the data summarizing module 20 is further configured to:
arranging all monitoring index data of the communication pair data in a row, and summarizing the communication pair data with the same service type according to all the monitoring index data to obtain sub-flow data of each service type;
summarizing the sub-flow data according to each monitoring index data to obtain total flow data of the communication pair data, wherein the sub-flow data and the total flow data are one-dimensional time sequences of each monitoring index data.
Optionally, the first detecting module 30 is further configured to:
inputting the monitoring index data of the key communication pair data into a preset target detection model to obtain a predicted value of the monitoring index data of the key communication pair data, wherein the target detection model is obtained by performing iterative training on a preset basic detection model by using historical communication pair data;
comparing the predicted value with a true value of monitoring index data of the key communication pair data, and determining a target difference value of the predicted value and the true value;
and determining whether abnormal data exists in the monitoring index data of the key communication pair data or not based on the target difference and a preset experience threshold, wherein the experience threshold is obtained by mining the monitoring index data of the communication pair data.
Optionally, the second detecting module 40 is further configured to:
according to the periodic characteristics of the flow data, performing two-dimensional operation on the flow data to obtain two-dimensional data;
slicing the two-dimensional data to obtain a two-dimensional feature matrix;
extracting the characteristics of the two-dimensional characteristic matrix, and determining a predicted value of the communication pair data flow according to the extracted characteristics;
and comparing the predicted value of the flow of the communication pair with the true value of the flow of the communication pair, and judging whether the flow of the communication pair data is abnormal or not.
Optionally, the network traffic detection apparatus further includes an alarm prompting module, configured to:
if abnormal data exist in the monitoring index data of the non-critical communication pair data, outputting alarm information, wherein the alarm information comprises target non-critical communication pair data with the abnormal data and abnormal indexes of the target non-critical communication pair data;
and if a plurality of abnormal indexes of the target non-key communication pair exist, sequencing the plurality of abnormal indexes in the alarm information.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a network traffic detection program is stored on the computer-readable storage medium, and when the network traffic detection program is executed by a processor, the network traffic detection program implements operations in the network traffic detection method provided in the foregoing embodiment.
In addition, an embodiment of the present invention further provides a computer program product, which includes a computer program, and when executed by a processor, the computer program implements the operations in the network traffic detection method provided in the foregoing embodiments.
The embodiments of the device, the computer program product, and the computer-readable storage medium of the present invention may refer to the embodiments of the network traffic detection method of the present invention, and are not described herein again.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity/action/object from another entity/action/object without necessarily requiring or implying any actual such relationship or order between such entities/actions/objects; the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
For the apparatus embodiment, since it is substantially similar to the method embodiment, it is described relatively simply, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative, in that elements described as separate components may or may not be physically separate. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the invention. One of ordinary skill in the art can understand and implement it without inventive effort.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the network traffic detection method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A network flow detection method is characterized by comprising the following steps:
when a communication connection request is detected, communication pair data of the communication connection request and monitoring index data of the communication pair data are obtained, wherein the communication pair data comprise key communication pair data and non-key communication pair data;
classifying and summarizing the communication pair data according to the service type of the communication pair data to obtain the flow data of the communication pair data;
detecting whether abnormal data exist in the monitoring index data of the key communication pair data;
if there is none, judging whether the traffic of the communication pair data is abnormal or not according to the traffic data, and if the traffic of the communication pair data is abnormal, detecting whether abnormal data exists in the monitoring index data of the non-key communication pair data or not.
2. The method for detecting network traffic according to claim 1, wherein the step of detecting whether abnormal data exists in the monitoring index data of the critical communication pair data includes:
inputting the monitoring index data of the key communication pair data into a preset target detection model to obtain a predicted value of the monitoring index data of the key communication pair data, wherein the target detection model is obtained by performing iterative training on a preset basic detection model by using historical communication pair data;
comparing the predicted value with a true value of monitoring index data of the key communication pair data, and determining a target difference value of the predicted value and the true value;
and determining whether abnormal data exists in the monitoring index data of the key communication pair data or not based on the target difference and a preset experience threshold, wherein the experience threshold is obtained by mining the monitoring index data of the communication pair data.
3. The method for detecting network traffic according to claim 1, wherein the traffic data includes sub-traffic data of each service type and total traffic data obtained by summarizing the sub-traffic data, and the step of classifying and summarizing the communication pair data according to the service type of the communication pair data to obtain the traffic data of the communication pair data includes:
arranging all monitoring index data of the communication pair data in a row, and summarizing the communication pair data with the same service type according to all the monitoring index data to obtain sub-flow data of each service type;
summarizing the sub-flow data according to each monitoring index data to obtain total flow data of the communication pair data, wherein the sub-flow data and the total flow data are one-dimensional time sequences of each monitoring index data.
4. The method according to claim 3, wherein the traffic data has a periodic characteristic, and the step of determining whether the traffic of the communication pair is abnormal according to the traffic data comprises:
according to the periodic characteristics of the flow data, performing two-dimensional operation on the flow data to obtain two-dimensional data;
slicing the two-dimensional data to obtain a two-dimensional feature matrix;
extracting the characteristics of the two-dimensional characteristic matrix, and determining a predicted value of the communication pair data flow according to the extracted characteristics;
and comparing the predicted value of the flow of the communication pair with the true value of the flow of the communication pair, and judging whether the flow of the communication pair data is abnormal or not.
5. The network traffic detection method according to claim 1, wherein the step of acquiring, when the communication connection request is detected, communication pair data of the communication connection request and monitoring index data of the communication pair data includes:
when a communication connection request is detected, communication pair data of the communication connection request is acquired;
summarizing the communication pair data acquired within a preset time interval to obtain monitoring index data of the communication pair data.
6. The method for detecting network traffic according to claim 1, wherein after the step of detecting whether abnormal data exists in the monitoring index data of the non-key communication pair data, the method further comprises:
if abnormal data exists in the monitoring index data of the non-key communication pair data, outputting alarm information, wherein the alarm information comprises the target non-key communication pair data in which the abnormal data exists and the abnormal indexes of the target non-key communication pair data;
and if the target non-key communication pair has a plurality of abnormal indexes, sorting the plurality of abnormal indexes in the alarm information.
7. A network traffic detection device, characterized in that the network traffic detection device comprises:
the data acquisition module is used for acquiring a communication pair of the communication connection request and monitoring index data of the communication pair when the communication connection request is detected, wherein the communication pair comprises a key communication pair and a non-key communication pair;
the data summarizing module is used for classifying and summarizing the communication pairs according to the service types of the communication pairs to obtain the flow data of the communication pairs;
the first detection module is used for detecting whether abnormal data exist in the monitoring index data of the key communication pair;
and the second detection module is used for judging whether the flow of the communication pair is abnormal according to the flow data if no abnormal data exists, and detecting whether abnormal data exists in the monitoring index data of the non-key communication pair if the flow of the communication pair is abnormal.
8. An apparatus, characterized in that the apparatus comprises: memory, a processor and a network traffic detection program stored on the memory and executable on the processor, the network traffic detection program when executed by the processor implementing the steps of the network traffic detection method according to any of claims 1 to 6.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a network traffic detection program, which when executed by a processor implements the steps of the network traffic detection method according to any one of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, carries out the steps of the network traffic detection method according to any one of claims 1 to 6.
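The tiered flow of claims 1 to 4 can be sketched as follows; this is an added illustration, not code from the patent or its applicant. It assumes one monitoring index per communication pair, uses a per-phase mean over the last few periods in place of the trained detection model the claims leave unspecified, and treats the record layout, thresholds, pair names and the reporting of key-pair hits as alerts as hypothetical.

```python
from collections import defaultdict
from statistics import mean

def fold(series, period):
    """Claim 4: reshape a 1-D periodic series into rows of one full period each."""
    return [series[i:i + period] for i in range(0, len(series) - period + 1, period)]

def deviation(history, actual, period, window=3):
    """Claim 2: |predicted - true|. The per-phase mean over the last `window`
    periods is an assumed stand-in for the trained model the claims leave open."""
    rows = fold(history, period)[-window:]
    if not rows:
        raise ValueError("need at least one full period of history")
    phase = len(history) % period            # position of the new point in its period
    return abs(actual - mean(row[phase] for row in rows))

def summarize(pairs):
    """Claim 3: sum pair series per service type, then sum those into a total."""
    by_service = defaultdict(list)
    for p in pairs.values():
        by_service[p["service"]].append(p["history"] + [p["actual"]])
    sub = {s: [sum(col) for col in zip(*rows)] for s, rows in by_service.items()}
    return sub, [sum(col) for col in zip(*sub.values())]

def detect(pairs, period, threshold, total_threshold):
    """Claim 1: key pairs first; non-key pairs are scanned only if the total is abnormal."""
    def abnormal(critical):
        hits = [(name, deviation(p["history"], p["actual"], period))
                for name, p in pairs.items() if p["critical"] is critical]
        # Largest deviation first (the ordering key is an assumption).
        return sorted((h for h in hits if h[1] > threshold), key=lambda h: -h[1])
    key_hits = abnormal(True)
    if key_hits:
        return {"stage": "key", "alerts": key_hits}
    _, total = summarize(pairs)
    if deviation(total[:-1], total[-1], period) <= total_threshold:
        return {"stage": "traffic", "alerts": []}
    return {"stage": "non-key", "alerts": abnormal(False)}

# Constructed sample: one metric (bytes per interval), period of 4 intervals.
SAMPLE = {
    "app->db":    {"critical": True,  "service": "db",    "history": [10, 20, 30, 20] * 3, "actual": 10},
    "web->cache": {"critical": False, "service": "cache", "history": [5, 5, 5, 5] * 3,     "actual": 50},
    "batch->log": {"critical": False, "service": "log",   "history": [2, 4, 2, 4] * 3,     "actual": 2},
}

if __name__ == "__main__":
    print(detect(SAMPLE, period=4, threshold=20, total_threshold=20))
```

The non-key pairs are only examined when the aggregated series deviates, which is what keeps the per-pair scan off the hot path; the cost is that a non-key anomaly too small to move the total goes unreported.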
CN202110854304.4A 2021-07-26 2021-07-26 Network traffic detection method, device, equipment, storage medium and program product Active CN113595784B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110854304.4A CN113595784B (en) 2021-07-26 2021-07-26 Network traffic detection method, device, equipment, storage medium and program product

Publications (2)

Publication Number Publication Date
CN113595784A (en) 2021-11-02
CN113595784B (en) 2024-05-31

Family

ID=78250864

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110854304.4A Active CN113595784B (en) 2021-07-26 2021-07-26 Network traffic detection method, device, equipment, storage medium and program product

Country Status (1)

Country Link
CN (1) CN113595784B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009049592A (en) * 2007-08-16 2009-03-05 Nippon Telegr & Teleph Corp <Ntt> Ip flow measuring circuit and ip flow measuring method
CN101686235A (en) * 2008-09-26 2010-03-31 中联绿盟信息技术(北京)有限公司 Device and method for analyzing abnormal network flow
CN102957579A (en) * 2012-09-29 2013-03-06 北京邮电大学 Network anomaly traffic monitoring method and device
CN103532776A (en) * 2013-09-30 2014-01-22 广东电网公司电力调度控制中心 Service flow detection method and system
RU2013136682A (en) * 2013-08-05 2015-02-10 Государственное казенное образовательное учреждение высшего профессионального образования Академия Федеральной службы охраны Российской Федерации (Академия ФСО России) METHOD FOR ANALYSIS OF INFORMATION FLOW AND DETERMINATION OF THE STATE OF NETWORK SECURITY ON THE BASIS OF ADAPTIVE FORECASTING AND DEVICE FOR ITS IMPLEMENTATION
US20150169393A1 (en) * 2013-12-13 2015-06-18 Hitachi High-Technologies Corporation Anomaly detecting method, and apparatus for the same
CN105049291A (en) * 2015-08-20 2015-11-11 广东睿江科技有限公司 Method for detecting network traffic anomaly
CN105281981A (en) * 2015-11-04 2016-01-27 北京百度网讯科技有限公司 Data traffic monitoring method and device for network service
WO2016177156A1 (en) * 2015-07-16 2016-11-10 中兴通讯股份有限公司 Traffic processing method, device and system
CN107733937A (en) * 2017-12-01 2018-02-23 广东奥飞数据科技股份有限公司 A kind of Abnormal network traffic detection method
CN109660502A (en) * 2018-09-28 2019-04-19 平安科技(深圳)有限公司 Detection method, device, equipment and the storage medium of abnormal behaviour
CN110086649A (en) * 2019-03-19 2019-08-02 深圳壹账通智能科技有限公司 Detection method, device, computer equipment and the storage medium of abnormal flow
CN110784458A (en) * 2019-10-21 2020-02-11 新华三信息安全技术有限公司 Flow abnormity detection method and device and network equipment
CN111756706A (en) * 2020-06-05 2020-10-09 腾讯科技(深圳)有限公司 Abnormal flow detection method and device and storage medium
CN112822167A (en) * 2020-12-31 2021-05-18 杭州立思辰安科科技有限公司 Abnormal TLS encrypted traffic detection method and system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363160A (en) * 2021-12-31 2022-04-15 锐捷网络股份有限公司 Network management method and device based on wide area network
CN114793180A (en) * 2022-05-26 2022-07-26 恒安嘉新(北京)科技股份公司 Method and device for intercepting abnormal network traffic, intercepting equipment and medium
CN116016284A (en) * 2022-12-09 2023-04-25 中国联合网络通信集团有限公司 Data analysis method, device, electronic equipment and storage medium
CN116016284B (en) * 2022-12-09 2024-05-28 中国联合网络通信集团有限公司 Data analysis method, device, electronic equipment and storage medium
CN116074215A (en) * 2022-12-30 2023-05-05 中国联合网络通信集团有限公司 Network quality detection method, device, equipment and storage medium
CN116074215B (en) * 2022-12-30 2024-04-19 中国联合网络通信集团有限公司 Network quality detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN113595784B (en) 2024-05-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant