CN116886430B - Method, device and storage medium for detecting index abnormality - Google Patents
- Publication number: CN116886430B (application CN202311042885.7A)
- Authority: CN (China)
- Prior art keywords: edges, data, type, time window, historical
- Legal status: Active
Classifications
- H04L63/1425: Traffic logging, e.g. anomaly detection (H04L63/00 network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- H04L63/1416: Event detection, e.g. attack signature detection
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention discloses a method, a device and a storage medium for detecting index abnormality, and relates to the technical field of computer networks. Extracting parameters of each data stream in a plurality of data streams in a current time window to obtain a plurality of characteristic data corresponding to the plurality of data streams in the current time window one by one, wherein the parameters comprise a time stamp, a source IP and a target IP; classifying the plurality of feature data based on the source IP and the target IP to obtain multi-class feature data; associating the feature data corresponding to the same time in the feature data to obtain a plurality of edges, wherein each edge corresponds to two feature data with overlapping time; counting the number of each type of edges in the plurality of edges; if the number of the edges of a certain type is larger than a preset threshold value corresponding to the edges of a certain type, judging that abnormal data flows exist. The method, the device and the storage medium for detecting the index abnormality can accurately identify the abnormal data flow.
Description
Technical Field
The invention belongs to the technical field of computer networks, and particularly relates to a method, a device and a storage medium for detecting index abnormality.
Background
At present, the data carried by the Internet is essentially in the form of network data flows. To ensure the stable operation of services, build a secure network environment, and reduce the harm that various network attacks cause to a communication network and the services it carries, detecting abnormal behavior in data flows is necessary.
Currently, a common method for detecting anomalies in a data stream is to determine the source IP of the data stream and judge whether the stream is anomalous from the characteristics of that source IP (for example, whether the source IP falls within a blacklisted IP range). However, this approach is prone to detection errors, and anomaly detection of the data stream is inconvenient.
Therefore, how to provide an effective solution that accurately detects abnormal data flows has become a challenge in the prior art.
Disclosure of Invention
The present invention is directed to a method, an apparatus and a storage medium for detecting an index anomaly, which are used for solving the above problems in the prior art.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
in a first aspect, the present invention provides a method for detecting an indicator anomaly, which is used for detecting an anomaly data stream in a target network, including:
extracting parameters of each data stream in a plurality of data streams in a current time window to obtain a plurality of characteristic data corresponding to the plurality of data streams in the current time window one by one, wherein the parameters comprise a time stamp, a source IP and a target IP;
dividing the characteristic data with the same source IP and the same target IP in the plurality of characteristic data into the same type of characteristic data to obtain multiple types of characteristic data;
associating the feature data corresponding to the same time in the feature data to obtain a plurality of edges, wherein each edge corresponds to two feature data with overlapping time;
counting the number of each type of edges in the plurality of edges;
if the number of the edges of a certain type is larger than a preset threshold value corresponding to the edges of the certain type, judging that abnormal data flows exist;
the preset threshold corresponding to any type of edge is determined from statistics of the number of edges in a plurality of time windows obtained by dividing the data flow of the target network in the normal network operation state into time windows. The preset threshold corresponding to any type of edge is n = μ + L × λ, where μ represents the average number of edges of that type over the divided time windows, λ represents the standard deviation of the number of edges of that type over the divided time windows, and L represents a coefficient greater than zero.
Based on the above disclosure, the present invention extracts the parameters of each data stream in the plurality of data streams in the current time window to obtain a plurality of feature data in one-to-one correspondence with the plurality of data streams in the current time window, wherein the parameters include a time stamp, a source IP and a target IP; classifies the plurality of feature data based on the source IP and the target IP to obtain multi-class feature data; associates the feature data with overlapping time to obtain a plurality of edges, wherein each edge corresponds to two feature data with overlapping time; counts the number of each type of edge in the plurality of edges; and, if the number of edges of a certain type is larger than the preset threshold corresponding to that type, judges that an abnormal data flow exists; the preset threshold corresponding to any type of edge is determined from statistics of the number of edges in a plurality of time windows obtained by dividing the data flow of the target network in the normal network operation state into time windows. In this way, the feature data formed from the parameters of the data streams are associated in pairs to form edges, and the number of edges of each type is counted, so that anomaly detection of the data streams is converted into an analysis of the feature distribution of the data streams. Because the feature distribution of normal data streams and that of the data streams of a network attack usually differ greatly, the abnormal data stream can be accurately identified and network security is ensured.
Through the design, the method and the device can accurately identify abnormal data flow, ensure network safety and facilitate practical application and popularization.
In one possible design, the counting the number of each type of edge in the plurality of edges includes:
dividing edges with the same characteristic data in the plurality of edges into the same class of edges to obtain the number of the edges of each type; or
dividing the edges which have the same characteristic data and the same sequence of the characteristic data into the same type of edges to obtain the number of the edges of each type.
In one possible design, if the number of the certain type of edges is greater than a preset threshold corresponding to the certain type of edges, determining that an abnormal data stream exists includes:
if the number of the certain type of edges is larger than a preset threshold value corresponding to the certain type of edges, judging that the data flow corresponding to the certain type of edges is abnormal.
In one possible design, before extracting the parameters of each of the plurality of data streams within the current time window, the method further comprises:
acquiring a historical data stream of the target network in a normal network operation state;
dividing time windows to obtain historical data streams of a plurality of historical time windows;
extracting parameters of each data stream in the historical data streams in each historical time window to obtain a plurality of historical characteristic data corresponding to the data streams in each historical time window one by one;
classifying the historical characteristic data in each historical time window based on the source IP and the target IP to obtain multi-class historical characteristic data in each historical time window;
for each historical time window, historical characteristic data with overlapping time in a plurality of historical characteristic data are related in pairs to obtain a plurality of edges;
counting the number of each type of edge of each historical time window;
and determining a preset threshold corresponding to each type of edge based on the number of each type of edge in each historical time window.
In one possible design, after determining that an abnormal data stream exists, the method further comprises:
and generating abnormal reminding information representing the abnormality of the network data flow.
In a second aspect, the present invention provides an apparatus for detecting an indicator anomaly, configured to detect an anomaly data stream in a target network, including:
the extraction unit is used for extracting parameters of each data stream in the plurality of data streams in the current time window to obtain a plurality of characteristic data which are in one-to-one correspondence with the plurality of data streams in the current time window, wherein the parameters comprise a time stamp, a source IP and a target IP;
the classification unit is used for dividing the characteristic data with the same source IP and the same target IP in the plurality of characteristic data into the same type of characteristic data to obtain a plurality of types of characteristic data;
the association unit is used for associating the feature data corresponding to the same time in the feature data to obtain a plurality of edges, and each edge corresponds to two feature data with overlapping time;
a statistics unit for counting the number of each type of edges in the plurality of edges;
the judging unit is used for judging that abnormal data streams exist if the number of the edges of a certain type is larger than a preset threshold value corresponding to the edges of the certain type;
the preset threshold corresponding to any type of edge is determined from statistics of the number of edges in a plurality of time windows obtained by dividing the data flow of the target network in the normal network operation state into time windows. The preset threshold corresponding to any type of edge is n = μ + L × λ, where μ represents the average number of edges of that type over the divided time windows, λ represents the standard deviation of the number of edges of that type over the divided time windows, and L represents a coefficient greater than zero.
In a third aspect, the present invention provides another apparatus for detecting an indicator anomaly, including a memory, a processor and a transceiver, which are communicatively connected in sequence, wherein the memory is configured to store a computer program, the transceiver is configured to send and receive messages, and the processor is configured to read the computer program and perform the method for detecting an indicator anomaly as described in the first aspect or any one of the possible designs of the first aspect.
In a fourth aspect, the present invention provides a computer readable storage medium having instructions stored thereon which, when executed on a computer, perform the method for detecting an indicator anomaly as described in the first aspect or any one of the possible designs of the first aspect.
In a fifth aspect, the invention provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of detecting an indicator anomaly as described in the first aspect or any one of the possible designs of the first aspect.
The beneficial effects are that:
the method, the device and the storage medium for detecting the index abnormality can accurately identify the abnormal data flow, ensure the network security and are convenient for practical application and popularization.
Drawings
FIG. 1 is a flowchart of a method for detecting an indicator anomaly according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a device for detecting index anomalies according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of another device for detecting index anomalies according to an embodiment of the present disclosure.
Detailed Description
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the present invention will be briefly described below with reference to the accompanying drawings and the description of the embodiments or the prior art, and it is obvious that the following description of the structure of the drawings is only some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort to a person skilled in the art. It should be noted that the description of these examples is for aiding in understanding the present invention, but is not intended to limit the present invention.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of example embodiments of the present invention.
It should be understood that the term "and/or", where it appears herein, merely describes an association relationship between associated objects and means that three relationships may exist; for example, "A and/or B" may represent: A alone, B alone, or both A and B. The term "/and", where it appears herein, describes another association relationship and means that two relationships may exist; for example, "A /and B" may represent: A alone, or both A and B. In addition, the character "/", where it appears herein, generally indicates that the associated objects are in an "or" relationship.
In order to accurately detect abnormal data streams, the embodiment of the application provides a method, a device and a storage medium for detecting index anomalies.
The method for detecting index anomalies provided in the embodiments of the present application will be described in detail below.
As shown in fig. 1, a flowchart of a method for detecting an indicator abnormality provided in the first aspect of the embodiment of the present application may include, but is not limited to, the following steps S101 to S105.
S101, extracting parameters of each data stream in the plurality of data streams in the current time window to obtain a plurality of characteristic data corresponding to the plurality of data streams in the current time window one by one.
The parameters include a time stamp, a source IP and a target IP, wherein the source IP is an IP address of an initiator of the data flow, and the target IP is a destination address of the data flow. The duration of the current time window may be set according to the actual situation, for example, the duration of the current time window may be 5 seconds or 10 seconds.
S102, classifying the plurality of feature data based on the source IP and the target IP to obtain multi-class feature data.
In this embodiment of the present application, classifying the feature data may be dividing feature data having the same source IP and the same target IP in the plurality of feature data into the same type of feature data, to obtain multiple types of feature data.
For example, the plurality of feature data includes feature data A1 and A2, wherein a source IP in the feature data A1 is IP11, a source IP in the feature data A2 is IP21, a target IP in the feature data A1 is IP12, and a target IP in the feature data A2 is IP22, and if the IP11 is the same as the IP21 and the IP12 is the same as the IP22, the feature data A1 and the feature data A2 are judged to be the same type of feature data.
In one or more embodiments, if the source IP in one feature data is the same as the destination IP in another feature data, and the destination IP in the one feature data is the same as the source IP in the other feature data, then the two feature data may also be considered to be the same type of feature data. Still based on the above example, assuming that IP11 is the same as IP22 and IP12 is the same as IP21, it can be determined that feature data A1 and feature data A2 are the same type of feature data.
And S103, associating the feature data corresponding to the same time in the feature data to obtain a plurality of edges.
Each edge corresponds to two feature data with overlapping time. Two feature data are considered to have overlapping time when the difference between the time stamps of their corresponding data streams is lower than a preset time difference; for example, when the difference between the time stamps of the two corresponding data streams is lower than 0.1 seconds or 0.2 seconds, the two feature data may be considered feature data with overlapping time.
And S104, counting the number of each type of edges in the plurality of edges.
In this embodiment of the present application, when counting the number of each type of edge in the plurality of edges, the edges having the same feature data in the plurality of edges may be divided into the same type of edge to obtain the number of each type of edge, or the edges having the same feature data in the plurality of edges and having the same sequence of feature data may be divided into the same type of edge to obtain the number of each type of edge.
S105, if the number of the edges of a certain type is larger than a preset threshold corresponding to the edges of a certain type, judging that abnormal data flows exist.
In this embodiment of the present application, a preset threshold value corresponding to each type of edge is set, after the number of edges of each type is counted, whether the number of edges of each type is greater than the corresponding preset threshold value may be determined, and if the number of edges of a certain type is greater than the corresponding preset threshold value of edges of the type, it is determined that an abnormal data stream exists. Specifically, if the number of edges of a certain type is greater than a preset threshold corresponding to the edge of the type, it is determined that there is an abnormality in the data stream corresponding to the edge of the type (corresponding to the feature data).
Most network attacks share a common behavioral characteristic: their occurrence is concentrated in time and their frequency is high. Hence, after feature data are obtained through parameter extraction and associated to form a plurality of edges, the distribution of the edges differs greatly from the distribution of edges in the normal network operation state (that is, when no network attack is occurring), so data flows that may be abnormal can be accurately identified by comparing the number of edges of each type with the corresponding preset threshold.
In the embodiment of the application, after determining that an abnormal data stream exists, an abnormality reminding message indicating that an abnormality exists in the network data stream may also be generated.
In this embodiment of the present application, the preset threshold corresponding to any type of edge is determined by counting the number of edges in a plurality of time windows obtained by dividing the data flow of the target network in the normal network operation state into time windows. The preset threshold corresponding to any type of edge may be expressed as n = μ + L × λ, where μ represents the average number of edges of that type over the time windows obtained by dividing the data stream of the target network in the normal network operation state, λ represents the standard deviation of the number of edges of that type over those time windows, and L represents a coefficient greater than zero.
The following steps S201 to S207 describe how the preset threshold corresponding to each type of edge is determined.
Step S201, acquiring a historical data stream of a target network in a normal network operation state.
S202, dividing time windows to obtain historical data streams of a plurality of historical time windows.
The duration of the divided time window is identical to the duration of the current time window in the aforementioned step S101.
S203, extracting parameters of each data stream in the historical data streams in each historical time window to obtain a plurality of historical characteristic data corresponding to the data streams in each historical time window one by one.
Likewise, the parameters of each of the historical data streams include a timestamp, a source IP, and a destination IP.
S204, classifying the historical characteristic data in each historical time window based on the source IP and the target IP to obtain multi-class historical characteristic data in each historical time window.
The process of classifying the historical feature data in each historical time window is consistent with the process in step S102, and is not described in detail in the embodiment of the present application.
Step S205, relating the historical characteristic data with overlapping time in the plurality of historical characteristic data in pairs for each historical time window to obtain a plurality of edges.
The process of associating the history feature data is consistent with the process in step S103, which is not described in detail in the embodiment of the present application.
S206, counting the number of each type of edge of each historical time window.
S207, determining preset thresholds corresponding to the edges of each type based on the number of the edges of each type in each historical time window.
Specifically, the number of edges of the same type in the plurality of historical time windows is averaged, and the preset threshold corresponding to each type of edge is then determined according to the following formula:
n_i = μ_i + L × λ_i, where n_i represents the preset threshold corresponding to the i-th type of edge, μ_i represents the average number of i-th type edges over the plurality of historical time windows, L represents a coefficient greater than zero, and λ_i represents the standard deviation of the number of i-th type edges over the plurality of historical time windows.
In summary, according to the method for detecting the index anomaly provided by the invention, the parameters of each data stream in the plurality of data streams in the current time window are extracted to obtain a plurality of characteristic data which are in one-to-one correspondence with the plurality of data streams in the current time window, wherein the parameters comprise a time stamp, a source IP and a target IP; classifying the plurality of feature data based on the source IP and the target IP to obtain multi-class feature data; associating the feature data with overlapping time in the feature data to obtain a plurality of edges, wherein each edge corresponds to two feature data with overlapping time; counting the number of each type of edges in the plurality of edges; if the number of the edges of a certain type is larger than a preset threshold value corresponding to the edges of a certain type, judging that abnormal data flows exist; the preset threshold corresponding to any type of edge is determined based on statistics of the number of edges corresponding to a plurality of divided time windows after time window division is performed on the data flow of the target network in a normal network operation state. Therefore, the characteristic data formed by parameters in the data stream are related in pairs to form edges, and the number of similar edges is counted, so that abnormal detection of the data stream is converted into characteristic distribution situation analysis of the data stream, and the characteristic distribution situation of the normal data stream and the characteristic distribution situation of the data stream of an abnormal network attack are often greatly different, so that the abnormal data stream can be accurately identified, network safety is guaranteed, and practical application and popularization are facilitated.
Referring to fig. 2, in a second aspect of the embodiments of the present application, an apparatus for detecting an indicator anomaly is provided, and the apparatus for detecting an anomaly in a target network includes:
the extraction unit is used for extracting parameters of each data stream in the plurality of data streams in the current time window to obtain a plurality of characteristic data which are in one-to-one correspondence with the plurality of data streams in the current time window, wherein the parameters comprise a time stamp, a source IP and a target IP;
the classifying unit is used for classifying the plurality of characteristic data based on the source IP and the target IP to obtain multi-class characteristic data;
the association unit is used for associating the feature data corresponding to the same time in the feature data to obtain a plurality of edges, and each edge corresponds to two feature data with overlapping time;
a statistics unit for counting the number of each type of edges in the plurality of edges;
the judging unit is used for judging that abnormal data streams exist if the number of the edges of a certain type is larger than a preset threshold value corresponding to the edges of the certain type;
the preset threshold corresponding to any type of edge is determined based on statistics of the number of edges corresponding to a plurality of divided time windows after time window division is performed on the data flow of the target network in a normal network operation state.
For the working process, working details and technical effects of the device provided in the second aspect of the present embodiment, refer to the first aspect of the present embodiment; they are not repeated here.
As shown in fig. 3, a third aspect of the embodiment of the present application provides another device for detecting an indicator anomaly, which includes a memory, a processor and a transceiver that are sequentially connected in communication, where the memory is configured to store a computer program, the transceiver is configured to send and receive a message, and the processor is configured to read the computer program, and execute the method for detecting an indicator anomaly according to the first aspect of the embodiment.
By way of specific example, the Memory may include, but is not limited to, random Access Memory (RAM), read Only Memory (ROM), flash Memory (Flash Memory), first-in-first-out Memory (FIFO), and/or first-in-last-out Memory (FILO), etc.; the processor may not be limited to a processor adopting architecture such as a microprocessor, ARM (Advanced RISC Machines), X86, etc. of the model STM32F105 series or a processor integrating NPU (neural-network processing units); the transceiver may be, but is not limited to, a WiFi (wireless fidelity) wireless transceiver, a bluetooth wireless transceiver, a general packet radio service technology (General Packet Radio Service, GPRS) wireless transceiver, a ZigBee protocol (low power local area network protocol based on the ieee802.15.4 standard), a 3G transceiver, a 4G transceiver, and/or a 5G transceiver, etc.
For the working process, working details and technical effects of the device provided in the third aspect of the present embodiment, reference may be made to the first aspect of the present embodiment; they are not repeated here.
A fourth aspect of the present embodiment provides a computer readable storage medium storing instructions containing the method for detecting an indicator anomaly according to the first aspect of the present embodiment, i.e. the computer readable storage medium has instructions stored thereon, which when executed on a computer, perform the method for detecting an indicator anomaly according to the first aspect. The computer readable storage medium refers to a carrier for storing data, and may include, but is not limited to, a floppy disk, an optical disk, a hard disk, a flash Memory, and/or a Memory Stick (Memory Stick), etc., where the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
A fifth aspect of the present embodiment provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of detecting an indicator anomaly according to the first aspect of the embodiment, wherein the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus.
Finally, it should be noted that: the foregoing description is only of the preferred embodiments of the invention and is not intended to limit the scope of the invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (8)
1. A method for detecting an indicator anomaly for detecting an anomaly in a data stream in a target network, comprising:
extracting parameters of each data stream in a plurality of data streams in a current time window to obtain a plurality of characteristic data corresponding to the plurality of data streams in the current time window one by one, wherein the parameters comprise a time stamp, a source IP and a target IP;
dividing the characteristic data with the same source IP and the same target IP in the plurality of characteristic data into the same type of characteristic data to obtain multiple types of characteristic data;
associating the feature data corresponding to the same time in the feature data to obtain a plurality of edges, wherein each edge corresponds to two feature data with overlapping time;
counting the number of each type of edges in the plurality of edges;
if the number of the edges of a certain type is larger than a preset threshold value corresponding to the edges of the certain type, judging that abnormal data flows exist;
the preset threshold corresponding to any type of edge is determined based on statistics of the number of edges corresponding to the plurality of divided time windows after time window division is performed on the data flow of the target network in the normal network operation state; the preset threshold corresponding to any type of edge is N=μ+L×λ, where μ represents the average number of edges of that type over the plurality of divided time windows after time window division is performed on the data flow of the target network in the normal network operation state, λ represents the standard deviation of the number of edges of that type over the plurality of divided time windows after time window division is performed on the data flow of the target network in the normal network operation state, and L represents a coefficient larger than zero.
2. The method of detecting an indicator anomaly according to claim 1, wherein the counting the number of each type of edge in the plurality of edges comprises:
dividing edges with the same characteristic data in the plurality of edges into the same type of edges to obtain the number of the edges of each type; or
dividing the edges which have the same characteristic data and the same sequence of the characteristic data into the same type of edges to obtain the number of the edges of each type.
3. The method for detecting an indicator anomaly according to claim 1, wherein determining that an anomaly data stream exists if the number of edges of a certain type is greater than a preset threshold corresponding to the edges of the certain type comprises:
if the number of the certain type of edges is larger than a preset threshold value corresponding to the certain type of edges, judging that the data flow corresponding to the certain type of edges is abnormal.
4. The method of detecting an indicator anomaly of claim 1, wherein prior to extracting parameters for each of the plurality of data streams within the current time window, the method further comprises:
acquiring a historical data stream of the target network in a normal network operation state;
dividing time windows to obtain historical data streams of a plurality of historical time windows;
extracting parameters of each data stream in the historical data streams in each historical time window to obtain a plurality of historical characteristic data corresponding to the data streams in each historical time window one by one;
classifying the historical characteristic data in each historical time window based on the source IP and the target IP to obtain multi-class historical characteristic data in each historical time window;
for each historical time window, associating in pairs the historical characteristic data with overlapping time among the plurality of historical characteristic data to obtain a plurality of edges;
counting the number of each type of edge of each historical time window;
and determining a preset threshold corresponding to each type of edge based on the number of each type of edge in each historical time window.
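The detection procedure of claim 1 and the baseline calibration of claim 4, as an added worked example that is not part of the patent: flows keyed by (source IP, target IP), edges formed between flows whose time ranges overlap, edge types as in claim 2 (unordered or ordered pair of flow types), and a per-type threshold N=μ+L×λ from normal-operation windows. The flows, addresses, timestamps, the choice of population standard deviation for λ, and the threshold of 0 for an edge type never seen in the baseline are constructed assumptions.

```python
from collections import Counter
from itertools import combinations
from statistics import mean, pstdev

# A flow is (start_ts, end_ts, src_ip, dst_ip); its type is the (src_ip, dst_ip) pair
# (claim 1, steps 1-2). All timestamps and addresses below are constructed.

def edge_type(ka, a0, kb, b0, ordered):
    """Claim 2: an edge's type is the pair of flow types it joins, either unordered
    (first alternative) or ordered by which flow started first (second alternative)."""
    if ordered:
        return (ka, kb) if a0 <= b0 else (kb, ka)
    return tuple(sorted((ka, kb)))

def count_edges(flows, ordered=False):
    """Claim 1, steps 3-4: every pair of flows with overlapping time ranges forms an
    edge; return the number of edges of each type."""
    counts = Counter()
    for (a0, a1, sa, da), (b0, b1, sb, db) in combinations(flows, 2):
        if a0 <= b1 and b0 <= a1:  # closed intervals overlap
            counts[edge_type((sa, da), a0, (sb, db), b0, ordered)] += 1
    return counts

def thresholds(history_windows, L=3.0, ordered=False):
    """Claim 4: per edge type, N = mu + L * lambda over the per-window edge counts of
    the normal-operation history (lambda taken as the population std. dev., an assumption)."""
    hist = [count_edges(w, ordered) for w in history_windows]
    result = {}
    for t in set().union(*hist):
        xs = [c.get(t, 0) for c in hist]  # a window without this type counts as 0
        result[t] = mean(xs) + L * pstdev(xs)
    return result

def detect(window, thr, ordered=False):
    """Claim 1, step 5: report each edge type whose count exceeds its threshold.
    Assumption (not in the claims): a type absent from the baseline gets threshold 0."""
    counts = count_edges(window, ordered)
    return {t: n for t, n in counts.items() if n > thr.get(t, 0.0)}

A, B = ("10.0.0.1", "10.0.0.2"), ("10.0.0.1", "10.0.0.3")  # two flow types (constructed)
HISTORY = [  # three normal-operation windows; (A, B) edge counts are 1, 1 and 2
    [(0, 5, *A), (3, 8, *B)],
    [(10, 15, *A), (13, 18, *B)],
    [(20, 25, *A), (23, 28, *B), (26, 29, *A)],
]
BASELINE = thresholds(HISTORY)                     # {(A, B): 4/3 + 3 * sqrt(2/9)}
NORMAL = [(40, 45, *A), (43, 48, *B)]              # one (A, B) edge: under threshold
BURST = [(30, 35, *A), (31, 36, *B), (32, 37, *B), (33, 38, *B)]  # three (A, B) edges

if __name__ == "__main__":
    print("normal:", detect(NORMAL, BASELINE))     # {}
    print("burst: ", detect(BURST, BASELINE))      # {(A, B): 3, (B, B): 3}
```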
5. The method of detecting an indicator anomaly according to claim 1, wherein after determining that an anomalous data stream exists, the method further comprises:
and generating abnormal reminding information representing the abnormality of the network data flow.
6. An apparatus for detecting an indicator anomaly, for detecting an anomaly data stream in a target network, comprising:
the extraction unit is used for extracting parameters of each data stream in the plurality of data streams in the current time window to obtain a plurality of characteristic data which are in one-to-one correspondence with the plurality of data streams in the current time window, wherein the parameters comprise a time stamp, a source IP and a target IP;
the classification unit is used for dividing the characteristic data with the same source IP and the same target IP in the plurality of characteristic data into the same type of characteristic data to obtain a plurality of types of characteristic data;
the association unit is used for associating the feature data corresponding to the same time in the feature data to obtain a plurality of edges, and each edge corresponds to two feature data with overlapping time;
a statistics unit for counting the number of each type of edges in the plurality of edges;
the judging unit is used for judging that abnormal data streams exist if the number of the edges of a certain type is larger than a preset threshold value corresponding to the edges of the certain type;
the preset threshold corresponding to any type of edge is determined based on statistics of the number of edges corresponding to the plurality of divided time windows after time window division is performed on the data flow of the target network in the normal network operation state; the preset threshold corresponding to any type of edge is N=μ+L×λ, where μ represents the average number of edges of that type over the plurality of divided time windows after time window division is performed on the data flow of the target network in the normal network operation state, λ represents the standard deviation of the number of edges of that type over the plurality of divided time windows after time window division is performed on the data flow of the target network in the normal network operation state, and L represents a coefficient larger than zero.
7. An apparatus for detecting an indicator anomaly, comprising a memory, a processor and a transceiver in communication in sequence, wherein the memory is configured to store a computer program, the transceiver is configured to send and receive messages, and the processor is configured to read the computer program and perform the method for detecting an indicator anomaly as claimed in any one of claims 1 to 5.
8. A computer readable storage medium having instructions stored thereon which, when executed on a computer, perform the method of detecting an indicator anomaly of any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311042885.7A CN116886430B (en) | 2023-08-17 | 2023-08-17 | Method, device and storage medium for detecting index abnormality |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116886430A CN116886430A (en) | 2023-10-13 |
CN116886430B true CN116886430B (en) | 2024-02-23 |
Family
ID=88258839
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311042885.7A Active CN116886430B (en) | 2023-08-17 | 2023-08-17 | Method, device and storage medium for detecting index abnormality |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116886430B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109842628A (en) * | 2018-12-13 | 2019-06-04 | 成都亚信网络安全产业技术研究院有限公司 | A kind of anomaly detection method and device |
CN110519290A (en) * | 2019-09-03 | 2019-11-29 | 南京中孚信息技术有限公司 | Anomalous traffic detection method, device and electronic equipment |
CN113556358A (en) * | 2021-07-30 | 2021-10-26 | 平安普惠企业管理有限公司 | Abnormal flow data detection method, device, equipment and storage medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI727213B (en) * | 2018-10-08 | 2021-05-11 | 安碁資訊股份有限公司 | Method and system for detecting abnormal operation of operating system |
Also Published As
Publication number | Publication date |
---|---|
CN116886430A (en) | 2023-10-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10785244B2 (en) | | Anomaly detection method, learning method, anomaly detection device, and learning device |
US20220006666A1 (en) | | Method and system for detecting and defending against abnormal traffic of in-vehicle network based on information entropy |
KR101519623B1 (en) | | DDoS detection apparatus and method, DDoS detection and prevention apparatus for reducing positive false |
CN105049291B (en) | | A method of detection exception of network traffic |
WO2016082284A1 (en) | | Modbus tcp communication behaviour anomaly detection method based on ocsvm dual-profile model |
CN103532940A (en) | | Network security detection method and device |
WO2013188611A3 (en) | | Real-time reporting of anomalous internet protocol attacks |
CN101378394A (en) | | Detection defense method for distributed reject service and network appliance |
US20170208083A1 (en) | | Network management device at network edge |
CN101707601A (en) | | Invasion defence detection method and device and gateway equipment |
CN108600003A (en) | | A kind of intrusion detection method, the apparatus and system of facing video monitoring network |
CN112565229B (en) | | Hidden channel detection method and device |
CN111107077A (en) | | SVM-based attack flow classification method |
CN116886430B (en) | | Method, device and storage medium for detecting index abnormality |
CN113225342B (en) | | Communication abnormality detection method and device, electronic equipment and storage medium |
CN113285847A (en) | | Communication network anomaly detection method and system of intelligent converter station monitoring system |
CN105516164A (en) | | P2P botnet detection method based on fractal and self-adaptation fusion |
CN108366053B (en) | | MQTT abnormal flow detection method based on naive Bayes |
CN112995104B (en) | | Communication equipment and network security prediction method |
CN116545668A (en) | | Method and device for judging server attack, storage medium and electronic device |
CN110768934A (en) | | Method and device for checking network access rule |
CN106485147A (en) | | Based on the method for security protection that intelligent mobile terminal interface image changes |
CN111510443B (en) | | Terminal monitoring method and terminal monitoring device based on equipment portrait |
EP4084408A1 (en) | | Fault detection method, apparatus and system |
CN113872980A (en) | | Industrial control equipment information identification method and device, storage medium and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |