CN115913763A - Flow abnormity detection method, device, equipment and medium - Google Patents


Info

Publication number: CN115913763A
Authority: CN (China)
Prior art keywords: flow, abnormal, sampling point, abnormal flow, early warning
Legal status: Pending
Application number: CN202211603518.5A
Other languages: Chinese (zh)
Inventors: 孙金涛, 陈杨, 陈璇
Current Assignee: Tianyi IoT Technology Co Ltd
Original Assignee: Tianyi IoT Technology Co Ltd
Application filed by Tianyi IoT Technology Co Ltd; priority to CN202211603518.5A; published as CN115913763A; legal status pending.

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of artificial intelligence and provides a method, device, equipment and medium for detecting abnormal traffic. The method comprises the following steps: in response to a traffic anomaly detection instruction, acquiring the traffic to be detected according to that instruction; detecting abnormal traffic in the traffic to be detected with a 95th-percentile billing algorithm (the "95 billing" algorithm) to obtain candidate abnormal traffic; acquiring a pre-constructed early warning model and a pre-configured abnormal traffic threshold; and screening target abnormal traffic out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold. Building on the conventional 95 billing algorithm, the invention further combines a pre-constructed early warning model to detect abnormal traffic, which addresses the inaccuracy of detecting abnormal traffic with the conventional 95 billing algorithm alone and improves the accuracy of abnormal traffic prediction through the fusion of multi-source data.

Description

Flow abnormity detection method, device, equipment and medium
Technical Field
The invention relates to the technical field of artificial intelligence, and in particular to a method, device, equipment and medium for detecting traffic anomalies.
Background
Network security is an important part of the national security system. As the networked society develops and network applications spread, the network brings convenience to people but also non-negligible security risks.
In the field of the Internet of Things, abnormal network traffic creates technical difficulties and significant economic losses for the traffic cost accounting, network troubleshooting and similar tasks of an IoT data center, so the traffic value of abnormal network traffic needs to be calculated accurately.
Disclosure of Invention
In view of the above, it is necessary to provide a traffic anomaly detection method, apparatus, device and medium aimed at solving the problem of accurately detecting anomalous traffic.
A traffic anomaly detection method, comprising:
in response to a traffic anomaly detection instruction, acquiring the traffic to be detected according to that instruction;
detecting abnormal traffic in the traffic to be detected with a 95th-percentile billing algorithm (the "95 billing" algorithm) to obtain candidate abnormal traffic;
acquiring a pre-constructed early warning model and a pre-configured abnormal traffic threshold;
and screening target abnormal traffic out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold.
According to a preferred embodiment of the present invention, acquiring the traffic to be detected according to the traffic anomaly detection instruction includes:
parsing the traffic anomaly detection instruction to obtain a time interval to be detected and a port to be detected;
and acquiring all inbound and outbound traffic generated on the port to be detected during the time interval to be detected as the traffic to be detected.
According to a preferred embodiment of the present invention, detecting abnormal traffic in the traffic to be detected with the 95 billing algorithm to obtain the candidate abnormal traffic includes:
determining one sampling point per preset time interval within the time interval to be detected;
taking the traffic value generated at each sampling point as a sampled value;
sorting the sampled values by traffic value from high to low;
and taking the top 5% of the sampled values as the candidate abnormal traffic.
According to a preferred embodiment of the present invention, before the pre-constructed early warning model is acquired, the method further comprises:
constructing the early warning model with a random forest algorithm.
According to a preferred embodiment of the present invention, screening target abnormal traffic out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold includes:
constructing a first sampling point set from the candidate abnormal traffic with a first sampling strategy, a second sampling point set with a second sampling strategy, and a third sampling point set with a third sampling strategy;
inputting each first sampling point of the first set into the early warning model for prediction to obtain a first anomaly probability for each first sampling point;
inputting each second sampling point of the second set into the early warning model for prediction to obtain a second anomaly probability for each second sampling point;
inputting each third sampling point of the third set into the early warning model for prediction to obtain a third anomaly probability for each third sampling point;
and when, for a sampling point appearing in the first, second and third sampling point sets, it is detected that its first and second anomaly probabilities are both greater than or equal to the abnormal traffic threshold, or its second and third anomaly probabilities are both greater than or equal to the threshold, or its first and third anomaly probabilities are both greater than or equal to the threshold (that is, at least two of the three), determining the candidate abnormal traffic corresponding to that sampling point as the target abnormal traffic.
According to a preferred embodiment of the present invention, the first sampling strategy comprises determining one sampling point per first time interval within a first time range counted back from the current timestamp;
the second sampling strategy comprises determining one sampling point per second time interval within a second time range counted back from the current timestamp;
the third sampling strategy comprises determining one sampling point per third time interval within a third time range counted back from the current timestamp;
wherein the first time range is shorter than the second time range, which is shorter than the third time range;
wherein the first time interval is shorter than the second time interval, which is shorter than the third time interval;
and wherein the ratio first time range : second time range : third time range equals the ratio first time interval : second time interval : third time interval.
According to a preferred embodiment of the present invention, after the target abnormal traffic is screened out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold, the method further includes:
generating alert information according to the target abnormal traffic;
and sending the alert information to a designated terminal device.
A traffic anomaly detection apparatus, comprising:
an acquisition unit for responding to a traffic anomaly detection instruction and acquiring the traffic to be detected according to that instruction;
a detection unit for detecting abnormal traffic in the traffic to be detected with the 95 billing algorithm to obtain candidate abnormal traffic;
the acquisition unit being further used to acquire a pre-constructed early warning model and a pre-configured abnormal traffic threshold;
and a screening unit for screening target abnormal traffic out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold.
A computer device, comprising:
a memory storing at least one instruction; and
a processor that executes the instructions stored in the memory to implement the traffic anomaly detection method.
A computer-readable storage medium having at least one instruction stored therein, the at least one instruction being executable by a processor of a computer device to implement the traffic anomaly detection method.
With this technical scheme, abnormal traffic is detected by combining the pre-constructed early warning model with the conventional 95 billing algorithm, which addresses the inaccuracy of detecting abnormal traffic with the 95 billing algorithm alone and improves the accuracy of abnormal traffic prediction through the fusion of multi-source data.
Drawings
FIG. 1 is a flow chart of a traffic anomaly detection method according to a preferred embodiment of the present invention.
Fig. 2 is a functional block diagram of a traffic anomaly detection apparatus according to a preferred embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a computer device implementing the traffic anomaly detection method according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flow chart of the traffic anomaly detection method according to a preferred embodiment of the present invention. The order of the steps in the flow chart may be changed and some steps may be omitted according to need.
The traffic anomaly detection method is applied to one or more computer devices. A computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions; its hardware includes but is not limited to a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device may be any electronic product capable of human-computer interaction with a user, for example a personal computer, a tablet computer, a smart phone, a Personal Digital Assistant (PDA), a game console, an Internet Protocol Television (IPTV) set, an intelligent wearable device, and the like.
The computer device may also be a network device and/or a user device. Network devices include, but are not limited to, a single network server, a server group consisting of a plurality of network servers, or a cloud consisting of a large number of hosts or network servers based on cloud computing.
The server may be an independent server, or a cloud server providing basic cloud computing services such as cloud services, a cloud database, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a Content Delivery Network (CDN), and big data and artificial intelligence platforms.
Artificial Intelligence (AI) is the theory, method, technique and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, perceive the environment, acquire knowledge and use that knowledge to obtain the best result.
The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated AI chips, cloud computing, distributed storage, big data processing, operation/interaction systems and mechatronics. AI software technology mainly comprises computer vision, robotics, biometric recognition, speech processing, natural language processing, and machine learning/deep learning.
The network in which the computer device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a Virtual Private Network (VPN), and the like.
S10: in response to the traffic anomaly detection instruction, acquire the traffic to be detected according to the instruction.
In this embodiment, the traffic anomaly detection instruction may be triggered automatically and periodically, or triggered by an operator according to actual need; the invention does not limit this.
In this embodiment, acquiring the traffic to be detected according to the traffic anomaly detection instruction includes:
parsing the traffic anomaly detection instruction to obtain a time interval to be detected and a port to be detected;
and acquiring all inbound and outbound traffic generated on the port to be detected during the time interval to be detected as the traffic to be detected.
S11: detect abnormal traffic in the traffic to be detected with the 95th-percentile billing algorithm (the "95 billing" algorithm) to obtain candidate abnormal traffic.
In this embodiment, detecting abnormal traffic in the traffic to be detected with the 95 billing algorithm to obtain the candidate abnormal traffic includes:
determining one sampling point per preset time interval within the time interval to be detected;
taking the traffic value generated at each sampling point as a sampled value;
sorting the sampled values by traffic value from high to low;
and taking the top 5% of the sampled values as the candidate abnormal traffic.
For example: the preset time interval may be 5 minutes, so one sampling point is taken every 5 minutes, giving 12 sampling points per hour and 12 × 24 per day; with a month counted as 30 days (the actual number of days varies by month), there are 12 × 24 × 30 = 8640 sampling points in total. The 5% of sampling points with the highest traffic values are then removed, and the remaining 95% define the normal traffic range: 8208 sampling points are billed, while the 432 sampling points that are not billed are the candidate abnormal traffic.
However, the 95 billing algorithm has a weakness: the 5% of points with the highest values are not necessarily abnormal traffic, yet the algorithm labels all of them as candidate abnormal traffic. The 5% therefore needs to be predicted further to confirm which of it is genuinely abnormal.
S12: acquire a pre-constructed early warning model and a pre-configured abnormal traffic threshold.
The abnormal traffic threshold may be configured by the user; the invention does not limit this.
In this embodiment, before the pre-constructed early warning model is acquired, the method further includes:
constructing the early warning model with a random forest algorithm.
For example: to train the early warning model, a training sample set is obtained and data sets are randomly drawn from it for a preset number of training rounds. Specifically, in the i-th random sampling the training sample set is sampled n times to obtain a sampling set of n samples, and the corresponding decision tree is trained on that sampling set. When a node of the decision tree is trained, a subset of the sample features is selected at random from all the features available at the node, and the best feature within that subset is chosen to split the node into left and right subtrees. The final prediction probability is then the weighted average of the probability predictions for all 5-minute, 15-minute, 30-minute and similar collection points belonging to the port's highest 5% of traffic.
Through this embodiment, the early warning model can be obtained by training an artificial intelligence algorithm to assist in judging abnormal traffic.
S13: screen target abnormal traffic out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold.
In this embodiment, screening the target abnormal traffic out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold includes:
constructing a first sampling point set from the candidate abnormal traffic with a first sampling strategy, a second sampling point set with a second sampling strategy, and a third sampling point set with a third sampling strategy;
inputting each first sampling point of the first set into the early warning model for prediction to obtain a first anomaly probability for each first sampling point;
inputting each second sampling point of the second set into the early warning model for prediction to obtain a second anomaly probability for each second sampling point;
inputting each third sampling point of the third set into the early warning model for prediction to obtain a third anomaly probability for each third sampling point;
and when, for a sampling point appearing in the first, second and third sampling point sets, it is detected that its first and second anomaly probabilities are both greater than or equal to the abnormal traffic threshold, or its second and third anomaly probabilities are both greater than or equal to the threshold, or its first and third anomaly probabilities are both greater than or equal to the threshold (that is, at least two of the three), determining the candidate abnormal traffic corresponding to that sampling point as the target abnormal traffic.
Wherein the first sampling strategy comprises determining one sampling point per first time interval within a first time range counted back from the current timestamp;
the second sampling strategy comprises determining one sampling point per second time interval within a second time range counted back from the current timestamp;
the third sampling strategy comprises determining one sampling point per third time interval within a third time range counted back from the current timestamp;
wherein the first time range is shorter than the second time range, which is shorter than the third time range;
wherein the first time interval is shorter than the second time interval, which is shorter than the third time interval;
and wherein the ratio first time range : second time range : third time range equals the ratio first time interval : second time interval : third time interval.
For example: the first time range may be the last month, the second the last 3 months and the third the last 6 months; the first time interval may be 5 minutes, the second 15 minutes and the third 30 minutes; and the abnormal traffic threshold may be 50%. The anomaly probabilities of the collection points in the three groups (the last month at 5 minutes, the last 3 months at 15 minutes, and the last half year at 30 minutes) that belong to the port's highest 5% of traffic are then compared by count: if the same collection point reaches a probability of 50% or more in at least 2 of the three time periods, it is defined as an abnormal traffic point.
After a burst of abnormal network traffic, the highest 5% of traffic values in the period of occurrence are first identified with the 95 billing algorithm, and the traffic is then further confirmed as abnormal with the artificial intelligence model. This addresses the inaccuracy of the 95 billing algorithm, which defines the entire highest 5% as abnormal traffic. The fusion of collection-point traffic values with the model, and of multiple data sources, improves the precision of abnormal traffic prediction, highlights the role of artificial intelligence in traffic anomaly prediction, provides a more standard, accurate and scientific value for the normal traffic in the current period, reduces the economic loss caused by inaccurate traffic cost accounting due to abnormal bandwidth usage, and at the same time improves the security of network traffic and the efficiency of system services.
In this embodiment, after the target abnormal traffic is screened out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold, the method further includes:
generating alert information according to the target abnormal traffic;
and sending the alert information to a designated terminal device.
The alert information may include the target abnormal traffic, and the designated terminal device may be the terminal of the user responsible for handling abnormal traffic, which improves the timeliness of handling and further safeguards network security.
With this technical scheme, abnormal traffic is detected by combining the pre-constructed early warning model with the conventional 95 billing algorithm, which addresses the inaccuracy of detecting abnormal traffic with the 95 billing algorithm alone and improves the accuracy of abnormal traffic prediction through the fusion of multi-source data.
Fig. 2 is a functional block diagram of the traffic anomaly detection apparatus according to a preferred embodiment of the present invention. The traffic anomaly detection apparatus 11 includes an acquisition unit 110, a detection unit 111 and a screening unit 112. A module/unit as referred to herein is a series of computer program segments stored in a memory that can be executed by a processor to perform a fixed function. In the present embodiment, the functions of the modules/units are described in detail in the following embodiments.
The acquisition unit 110 is configured to respond to a traffic anomaly detection instruction and acquire the traffic to be detected according to that instruction.
In this embodiment, the traffic anomaly detection instruction may be triggered automatically and periodically, or triggered by an operator according to actual need; the invention does not limit this.
In this embodiment, the acquisition unit 110 acquiring the traffic to be detected according to the traffic anomaly detection instruction includes:
parsing the traffic anomaly detection instruction to obtain a time interval to be detected and a port to be detected;
and acquiring all inbound and outbound traffic generated on the port to be detected during the time interval to be detected as the traffic to be detected.
The detection unit 111 is configured to detect abnormal traffic in the traffic to be detected with the 95th-percentile billing algorithm (the "95 billing" algorithm) to obtain candidate abnormal traffic.
In this embodiment, the detection unit 111 detecting abnormal traffic in the traffic to be detected with the 95 billing algorithm to obtain the candidate abnormal traffic includes:
determining one sampling point per preset time interval within the time interval to be detected;
taking the traffic value generated at each sampling point as a sampled value;
sorting the sampled values by traffic value from high to low;
and taking the top 5% of the sampled values as the candidate abnormal traffic.
For example: the preset time interval may be 5 minutes, so one sampling point is taken every 5 minutes, giving 12 sampling points per hour and 12 × 24 per day; with a month counted as 30 days (the actual number of days varies by month), there are 12 × 24 × 30 = 8640 sampling points in total. The 5% of sampling points with the highest traffic values are then removed, and the remaining 95% define the normal traffic range: 8208 sampling points are billed, while the 432 sampling points that are not billed are the candidate abnormal traffic.
However, the 95 billing algorithm has a weakness: the 5% of points with the highest values are not necessarily abnormal traffic, yet the algorithm labels all of them as candidate abnormal traffic. The 5% therefore needs to be predicted further to confirm which of it is genuinely abnormal.
The acquisition unit 110 is further configured to acquire a pre-constructed early warning model and a pre-configured abnormal traffic threshold.
The abnormal traffic threshold may be configured by the user; the invention does not limit this.
In this embodiment, before the pre-constructed early warning model is acquired, the early warning model is constructed with a random forest algorithm.
For example: to train the early warning model, a training sample set is obtained and data sets are randomly drawn from it for a preset number of training rounds. Specifically, in the i-th random sampling the training sample set is sampled n times to obtain a sampling set of n samples, and the corresponding decision tree is trained on that sampling set. When a node of the decision tree is trained, a subset of the sample features is selected at random from all the features available at the node, and the best feature within that subset is chosen to split the node into left and right subtrees. The final prediction probability is then the weighted average of the probability predictions for all 5-minute, 15-minute, 30-minute and similar collection points belonging to the port's highest 5% of traffic.
Through this embodiment, the early warning model can be obtained by training an artificial intelligence algorithm to assist in judging abnormal traffic.
The screening unit 112 is configured to screen target abnormal traffic out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold.
In this embodiment, the screening unit 112 screening the target abnormal traffic out of the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold includes:
constructing a first sampling point set from the candidate abnormal traffic with a first sampling strategy, a second sampling point set with a second sampling strategy, and a third sampling point set with a third sampling strategy;
inputting each first sampling point of the first set into the early warning model for prediction to obtain a first anomaly probability for each first sampling point;
inputting each second sampling point of the second set into the early warning model for prediction to obtain a second anomaly probability for each second sampling point;
inputting each third sampling point of the third set into the early warning model for prediction to obtain a third anomaly probability for each third sampling point;
and when, for a sampling point appearing in the first, second and third sampling point sets, it is detected that its first and second anomaly probabilities are both greater than or equal to the abnormal traffic threshold, or its second and third anomaly probabilities are both greater than or equal to the threshold, or its first and third anomaly probabilities are both greater than or equal to the threshold (that is, at least two of the three), determining the candidate abnormal traffic corresponding to that sampling point as the target abnormal traffic.
Wherein the first sampling strategy comprises determining one sampling point per first time interval within a first time range counted back from the current timestamp;
the second sampling strategy comprises determining one sampling point per second time interval within a second time range counted back from the current timestamp;
the third sampling strategy comprises determining one sampling point per third time interval within a third time range counted back from the current timestamp;
wherein the first time range is shorter than the second time range, which is shorter than the third time range;
wherein the first time interval is shorter than the second time interval, which is shorter than the third time interval;
and wherein the ratio first time range : second time range : third time range equals the ratio first time interval : second time interval : third time interval.
For example: the first time range may be the last month, the second the last 3 months and the third the last 6 months; the first time interval may be 5 minutes, the second 15 minutes and the third 30 minutes; and the abnormal traffic threshold may be 50%. The anomaly probabilities of the collection points in the three groups (the last month at 5 minutes, the last 3 months at 15 minutes, and the last half year at 30 minutes) that belong to the port's highest 5% of traffic are then compared by count: if the same collection point reaches a probability of 50% or more in at least 2 of the three time periods, it is defined as an abnormal traffic point.
After a burst of abnormal network traffic, the 95th-percentile billing algorithm (the "95 algorithm") is first used to isolate the highest 5% of traffic values in the period concerned, and the artificial intelligence model is then used to decide which of those values are actually abnormal. This removes the inaccuracy of simply defining the entire top 5% under 95th-percentile billing as abnormal traffic: fusing the collection-point traffic values with the model, and combining multiple data sources, improves the precision of abnormal traffic prediction, gives the artificial intelligence model a central role in traffic anomaly prediction, provides a more standard, accurate and scientific normal traffic value for the current period, reduces the economic loss caused by inaccurate traffic cost accounting under abnormal bandwidth usage, and at the same time improves the security of network traffic and the efficiency of system services.
In this embodiment, after the target abnormal traffic is screened from the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold, prompt information is generated according to the target abnormal traffic;
and the prompt information is sent to a designated terminal device.
The prompt information may include the target abnormal traffic, and the designated terminal device may be the user terminal responsible for handling abnormal traffic, so that the abnormal traffic is handled promptly and network security is further ensured.
According to the technical scheme, abnormal traffic is detected by combining the pre-constructed early warning model with the conventional 95th-percentile billing algorithm. This addresses the inaccuracy of detecting abnormal traffic with the 95th-percentile billing algorithm alone, and the fusion of multi-source data improves the accuracy of abnormal traffic prediction.
Fig. 3 is a schematic structural diagram of a computer device according to a preferred embodiment of the method for detecting traffic anomalies according to the present invention.
The computer device 1 may comprise a memory 12, a processor 13 and a bus, and may further comprise a computer program, such as a traffic anomaly detection program, stored in the memory 12 and executable on the processor 13.
It will be understood by those skilled in the art that the schematic diagram is merely an example of the computer device 1 and does not limit it: the computer device 1 may have a bus-type or a star-type structure, may include more or fewer hardware or software components than shown, or a different arrangement of components; for example, it may further include an input/output device, a network access device, and so on.
It should be noted that the computer device 1 is only an example; other electronic products that exist now or may come into existence in the future and that can be adapted to the present invention should also fall within the scope of the present invention.
The memory 12 includes at least one type of readable storage medium, such as flash memory, a removable hard disk, a multimedia card, card-type memory (e.g. SD or DX memory), magnetic memory, a magnetic disk or an optical disk. In some embodiments the memory 12 may be an internal storage unit of the computer device 1, for example a removable hard disk of the computer device 1. In other embodiments the memory 12 may also be an external storage device of the computer device 1, such as a plug-in removable hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card fitted to the computer device 1. Further, the memory 12 may include both an internal storage unit and an external storage device of the computer device 1. The memory 12 can be used not only to store application software installed in the computer device 1 and various types of data, such as the code of the traffic anomaly detection program, but also to temporarily store data that has been output or is to be output.
The processor 13 may in some embodiments consist of an integrated circuit, for example a single packaged integrated circuit, or of several integrated circuits packaged with the same or different functions, including one or more central processing units (CPUs), microprocessors, digital processing chips, graphics processors and combinations of various control chips. The processor 13 is the control unit of the computer device 1; it connects the components of the entire computer device 1 through various interfaces and lines, and performs the functions of the computer device 1 and processes its data by running or executing the programs or modules stored in the memory 12 (for example the traffic anomaly detection program) and calling the data stored in the memory 12.
The processor 13 executes the operating system of the computer device 1 and the various installed application programs. The processor 13 executes the application program to implement the steps of each of the above embodiments of the traffic anomaly detection method, such as the steps shown in Fig. 1.
Illustratively, the computer program may be divided into one or more modules/units, which are stored in the memory 12 and executed by the processor 13 to carry out the present invention. The one or more modules/units may be a series of computer-readable instruction segments capable of performing particular functions, used to describe the execution of the computer program in the computer device 1. For example, the computer program may be divided into an acquisition unit 110, a detection unit 111 and a screening unit 112.
An integrated unit implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module stored in the storage medium includes several instructions that enable a computer device (which may be a personal computer, a server or a network device) or a processor to execute parts of the traffic anomaly detection method according to the embodiments of the present invention.
The modules/units integrated in the computer device 1 may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. On this basis, all or part of the procedure of the method according to the embodiments of the present invention may be implemented by a computer program, which may be stored in a computer-readable storage medium and which, when executed by a processor, implements the steps of the method embodiments described above.
The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), and the like.
Further, the computer-readable storage medium may mainly comprise a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created through the use of a blockchain node, and the like.
A blockchain is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. A blockchain is essentially a decentralized database: a chain of data blocks linked by cryptographic methods, each block containing the information of a batch of network transactions and being used to verify the validity (tamper resistance) of that information and to generate the next block. A blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one line is shown in FIG. 3, but this does not mean only one bus or one type of bus. The bus is arranged to enable connection communication between the memory 12 and at least one processor 13 or the like.
Although not shown, the computer device 1 may further include a power supply (such as a battery) for supplying power to the various components, and preferably, the power supply may be logically connected to the at least one processor 13 through a power management device, so as to implement functions such as charge management, discharge management, and power consumption management through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The computer device 1 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
Further, the computer device 1 may further include a network interface, and optionally, the network interface may include a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used for establishing a communication connection between the computer device 1 and other computer devices.
Optionally, the computer device 1 may further comprise a user interface, which may be a Display (Display), an input unit, such as a Keyboard (Keyboard), and optionally a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the computer device 1 and for displaying a visualized user interface.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
Fig. 3 shows only the computer device 1 with the components 12-13, and it will be understood by a person skilled in the art that the structure shown in fig. 3 does not constitute a limitation of the computer device 1 and may comprise fewer or more components than shown, or a combination of certain components, or a different arrangement of components.
With reference to Fig. 1, the memory 12 of the computer device 1 stores a plurality of instructions implementing a traffic anomaly detection method, and the processor 13 can execute these instructions to:
respond to a traffic anomaly detection instruction and acquire the traffic to be detected according to the traffic anomaly detection instruction;
detect abnormal traffic in the traffic to be detected based on the 95th-percentile billing algorithm to obtain candidate abnormal traffic;
acquire a pre-constructed early warning model and a pre-configured abnormal traffic threshold;
and screen target abnormal traffic from the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold.
Specifically, for the implementation of these instructions the processor 13 may refer to the description of the relevant steps in the embodiment corresponding to Fig. 1, which is not repeated here.
It should be noted that all the data involved in the present application are legally acquired.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The invention is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the present invention may also be implemented by one unit or means through software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit the same, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. A traffic anomaly detection method, the method comprising:
responding to a traffic anomaly detection instruction, and acquiring the traffic to be detected according to the traffic anomaly detection instruction;
detecting abnormal traffic in the traffic to be detected based on a 95th-percentile billing algorithm to obtain candidate abnormal traffic;
acquiring a pre-constructed early warning model and a pre-configured abnormal traffic threshold;
and screening target abnormal traffic from the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold.
2. The traffic anomaly detection method according to claim 1, wherein acquiring the traffic to be detected according to the traffic anomaly detection instruction comprises:
parsing the traffic anomaly detection instruction to obtain a time interval to be detected and a port to be detected;
and acquiring all input traffic and output traffic generated by the port to be detected within the time interval to be detected as the traffic to be detected.
3. The traffic anomaly detection method according to claim 2, wherein detecting abnormal traffic in the traffic to be detected based on the 95th-percentile billing algorithm to obtain the candidate abnormal traffic comprises:
determining a sampling point every preset time interval within the time interval to be detected;
acquiring the traffic generated at each sampling point as alternative traffic;
sorting the alternative traffic by traffic value from high to low;
and taking the top 5% of the alternative traffic as the candidate abnormal traffic.
4. The traffic anomaly detection method according to claim 1, wherein, before acquiring the pre-constructed early warning model, the method further comprises:
constructing the early warning model based on a random forest algorithm.
5. The traffic anomaly detection method according to claim 1, wherein screening target abnormal traffic from the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold comprises:
constructing a first sampling point set from the candidate abnormal traffic by a first sampling strategy, constructing a second sampling point set from the candidate abnormal traffic by a second sampling strategy, and constructing a third sampling point set from the candidate abnormal traffic by a third sampling strategy;
inputting each first sampling point in the first sampling point set into the early warning model for prediction to obtain a first abnormal probability of each first sampling point;
inputting each second sampling point in the second sampling point set into the early warning model for prediction to obtain a second abnormal probability of each second sampling point;
inputting each third sampling point in the third sampling point set into the early warning model for prediction to obtain a third abnormal probability of each third sampling point;
and, for a sampling point appearing in the first, second and third sampling point sets, when its first and second abnormal probabilities are both greater than or equal to the abnormal traffic threshold, or its second and third abnormal probabilities are both greater than or equal to the abnormal traffic threshold, or its first and third abnormal probabilities are both greater than or equal to the abnormal traffic threshold, determining the candidate abnormal traffic corresponding to that sampling point as the target abnormal traffic.
6. The traffic anomaly detection method according to claim 5, wherein:
the first sampling strategy comprises: determining a sampling point every first time interval within a first time range counted back from the current timestamp;
the second sampling strategy comprises: determining a sampling point every second time interval within a second time range counted back from the current timestamp;
the third sampling strategy comprises: determining a sampling point every third time interval within a third time range counted back from the current timestamp;
wherein the first time range is shorter than the second time range, which is shorter than the third time range;
wherein the first time interval is shorter than the second time interval, which is shorter than the third time interval;
wherein the ratio first : second : third of the three time ranges is the same as the ratio first : second : third of the three time intervals.
7. The traffic anomaly detection method according to claim 1, wherein, after screening target abnormal traffic from the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold, the method further comprises:
generating prompt information according to the target abnormal traffic;
and sending the prompt information to a designated terminal device.
8. A traffic anomaly detection device, comprising:
an acquisition unit, configured to respond to a traffic anomaly detection instruction and acquire the traffic to be detected according to the traffic anomaly detection instruction;
a detection unit, configured to detect abnormal traffic in the traffic to be detected based on a 95th-percentile billing algorithm to obtain candidate abnormal traffic;
the acquisition unit being further configured to acquire a pre-constructed early warning model and a pre-configured abnormal traffic threshold;
and a screening unit, configured to screen target abnormal traffic from the candidate abnormal traffic according to the early warning model and the abnormal traffic threshold.
9. A computer device, comprising:
a memory storing at least one instruction; and
a processor executing the instructions stored in the memory to implement the traffic anomaly detection method of any one of claims 1 to 7.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores at least one instruction that is executable by a processor in a computer device to implement the traffic anomaly detection method of any one of claims 1 to 7.
CN202211603518.5A 2022-12-13 2022-12-13 Flow abnormity detection method, device, equipment and medium Pending CN115913763A (en)
Publications (1)

Publication Number Publication Date
CN115913763A true CN115913763A (en) 2023-04-04

Family

ID=86480486

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117351604A (en) * 2023-09-13 2024-01-05 深圳华越南方电子技术有限公司 Water charging method, water charging device, electronic device and storage medium
CN117351604B (en) * 2023-09-13 2024-06-04 深圳华越南方电子技术有限公司 Water charging method, water charging device, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination