CN114422267A - Flow detection method, device, equipment and medium - Google Patents
Flow detection method, device, equipment and medium Download PDFInfo
- Publication number
- CN114422267A CN114422267A CN202210202225.XA CN202210202225A CN114422267A CN 114422267 A CN114422267 A CN 114422267A CN 202210202225 A CN202210202225 A CN 202210202225A CN 114422267 A CN114422267 A CN 114422267A
- Authority
- CN
- China
- Prior art keywords
- target
- time sequence
- graph
- flow
- sequence
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 35
- 239000013598 vector Substances 0.000 claims abstract description 102
- 230000002159 abnormal effect Effects 0.000 claims abstract description 101
- 238000000034 method Methods 0.000 claims abstract description 28
- 238000005070 sampling Methods 0.000 claims description 38
- 238000004590 computer program Methods 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 15
- 238000012163 sequencing technique Methods 0.000 claims description 4
- 238000010586 diagram Methods 0.000 description 9
- 230000006870 function Effects 0.000 description 8
- 238000002372 labelling Methods 0.000 description 7
- 238000004891 communication Methods 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 6
- 238000010276 construction Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 2
- 239000013307 optical fiber Substances 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 238000001228 spectrum Methods 0.000 description 2
- 230000002547 anomalous effect Effects 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000003064 k means clustering Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
Landscapes
- Engineering & Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Computer Networks & Wireless Communication (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- Computing Systems (AREA)
- Bioinformatics & Computational Biology (AREA)
- Signal Processing (AREA)
- Evolutionary Biology (AREA)
- Evolutionary Computation (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Debugging And Monitoring (AREA)
Abstract
The embodiment of the disclosure relates to a flow detection method, a device, equipment and a medium, wherein the method comprises the following steps: acquiring an access time sequence map of a terminal to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification; performing graph representation learning on the access time sequence graph to obtain a time sequence vector corresponding to each graph node in the access time sequence graph; clustering the time sequence vectors according to a preset clustering algorithm to obtain a plurality of clustering categories; and acquiring a target cluster category to which the target map node belongs from the plurality of cluster categories, and determining the abnormal flow of the end to be detected based on the target cluster category. According to the embodiment of the invention, the detection rate of abnormal traffic of unknown rules is increased, the network security is ensured, the automation degree of abnormal traffic marking in a long time period is increased, and the labor cost consumed by abnormal traffic marking is reduced.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for detecting traffic.
Background
With the development of computer technology, network security is becoming more important, and abnormal traffic threatening network security can be detected through traffic detection technology.
In the related art, a method of a built-in rule may be used to detect traffic, and traffic may be screened according to the built-in rule, so as to identify abnormal traffic.
However, with the above technical solution, if the rule corresponding to the abnormal traffic is unknown, the abnormal traffic cannot be identified, thereby causing a network security risk.
Disclosure of Invention
To solve the technical problem or at least partially solve the technical problem, the present disclosure provides a traffic detection method, apparatus, device, and medium.
In a first aspect, an embodiment of the present disclosure provides a traffic detection method, where the method includes:
acquiring an access time sequence map of a terminal to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification;
performing graph representation learning on the visit time sequence graph to obtain a time sequence vector corresponding to each graph node in the visit time sequence graph; wherein the target map node corresponds to a target timing sequence vector;
clustering the time sequence vectors according to a preset clustering algorithm to obtain a plurality of clustering categories;
and acquiring a target cluster category to which the target time sequence vector belongs from the plurality of cluster categories, and determining the abnormal flow of the end to be detected based on the target cluster category.
In an optional implementation manner, the obtaining an access time sequence map of a terminal to be detected includes:
obtaining access flow data of the end to be detected, and constructing an original input sequence according to the access flow data;
sampling the original input sequence to obtain a plurality of subsequences;
calculating a weight index corresponding to the subsequence, sequencing the subsequence from high to low according to the weight index, and taking the first N subsequences as reference sequences; wherein N is a positive integer;
and constructing map nodes of the visit time sequence map according to the reference sequence, constructing map edges of the visit time sequence map according to the time sequence relation of the reference sequence on the original input sequence, and constructing the visit time sequence map.
In an optional embodiment, the method further comprises:
acquiring a historical input sequence comprising abnormal time periods, and sampling the abnormal time periods in the historical input sequence to obtain the target map nodes;
and using the abnormal flow identification to perform identification processing on the target map node.
In an optional embodiment, the method further comprises:
constructing the access time-series graph including the target graph nodes according to time sequence.
In an optional implementation manner, the obtaining a target cluster category to which the target timing vector belongs from the multiple cluster categories, and determining an abnormal flow of the end to be detected based on the target cluster category includes:
inquiring whether each cluster type comprises the target time sequence vector or not, and if the currently processed cluster type comprises the target time sequence vector, determining the currently processed cluster type as the target cluster type;
and acquiring abnormal time periods corresponding to all time sequence vectors belonging to the target cluster category, and determining the flow sent by the end to be detected in the abnormal time periods as abnormal flow.
In an optional embodiment, the method further comprises:
if the currently processed clustering category does not include the target timing sequence vector, randomly selecting M timing sequence vectors in the currently processed clustering category as sampling timing sequence vectors; wherein M is a positive integer;
analyzing and determining a sampling flow identifier corresponding to each sampling time sequence vector;
and counting the sampling flow identification, and judging whether the flow corresponding to the currently processed cluster type is the abnormal flow according to a counting result.
In a second aspect, an embodiment of the present disclosure further provides a flow rate detection device, where the device includes:
the acquisition module is used for acquiring an access time sequence map of the end to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification;
the learning module is used for performing graph representation learning on the visit time sequence graph to obtain a time sequence vector corresponding to each graph node in the visit time sequence graph; wherein the target map node corresponds to a target timing sequence vector;
the clustering module is used for clustering the time sequence vector according to a preset clustering algorithm to obtain a plurality of clustering categories;
and the detection module is used for acquiring a target cluster category to which the target time sequence vector belongs from the plurality of cluster categories and determining the abnormal flow of the end to be detected based on the target cluster category.
In a third aspect, the present disclosure provides a computer-readable storage medium having stored therein instructions that, when run on a terminal device, cause the terminal device to implement the above-mentioned method.
In a fourth aspect, the present disclosure provides an apparatus comprising: the system comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to realize the method.
In a fifth aspect, the present disclosure provides a computer program product comprising computer programs/instructions which, when executed by a processor, implement the method described above.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
the flow detection method of the embodiment of the disclosure acquires an access time sequence map of a terminal to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification; performing graph representation learning on the access time sequence graph to obtain a time sequence vector corresponding to each graph node in the access time sequence graph; wherein the target spectrum node corresponds to a target timing sequence vector; clustering the time sequence vectors according to a preset clustering algorithm to obtain a plurality of clustering categories; and acquiring a target clustering category to which the target time sequence vector belongs from the multiple clustering categories, and determining the abnormal flow of the end to be detected based on the target clustering category. Therefore, the map nodes belonging to the same cluster type as the target map nodes with the abnormal flow marks can be determined based on the information carried by the access time sequence map, so that the abnormal flow of unknown rules can be detected through time sequence characteristics, the detection rate of the abnormal flow of unknown rules can be improved, the network safety can be guaranteed, the automation degree of abnormal flow labeling in a long time period can be improved, and the labor cost for abnormal flow labeling can be reduced.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale.
Fig. 1 is a schematic flow chart of a traffic detection method according to an embodiment of the present disclosure;
fig. 2 is a schematic flow chart of another flow rate detection method provided in the embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a flow rate detection device according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
In order to solve the above problem, embodiments of the present disclosure provide a flow rate detection method, which is described below with reference to specific embodiments.
Fig. 1 is a schematic flow chart of a flow detection method provided in an embodiment of the present disclosure, which may be executed by a flow detection apparatus, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 1, the method includes:
The embodiment of the disclosure can be applied to situations such as situation awareness of big data security analysis, supervision units, and the like, in this embodiment, the end to be detected sends traffic to access a destination Internet Protocol (IP) address, and the like.
It can be understood that the access initiated by the end to be detected has a sequential time relationship, the access characteristics of the end to be detected in the time sequence dimension can be represented by accessing the time sequence map, the access time sequence map has various construction methods, and can be set according to application requirements and the like, which is not limited in this embodiment.
In an optional implementation manner, the visit time-series graph comprises a plurality of graph nodes, each graph node can represent the flow characteristics of a terminal to be detected in a short time period, and graph edges of the visit time-series graph can be determined according to the time-series relation between every two graph nodes.
The construction method of the graph nodes comprises but is not limited to the following two methods:
the first method comprises the steps of counting the access times of a terminal to be detected to any destination IP address in a plurality of preset time periods, and constructing a plurality of map nodes according to the counting result.
And secondly, counting the access times of the to-be-detected end to a preset Uniform Resource Locator (URL) in a plurality of preset time periods, and constructing a plurality of map nodes according to the counting result.
It should be noted that, in order to improve automation of labeling an abnormal traffic, at least one target graph node having an abnormal traffic identifier may be included in the access time series graph, and the target graph node has multiple construction manners. And the target graph node can be added into the current access time sequence graph according to time sequence.
And 102, performing graph representation learning on the access time sequence graph to obtain a time sequence vector corresponding to each graph node in the access time sequence graph, wherein the target graph node corresponds to the target time sequence vector.
Map nodes in the access time sequence map can be mapped into time sequence vectors through map representation learning, wherein target map nodes are mapped into target time sequence vectors through map representation learning, and the target time sequence vectors correspond to abnormal flow due to the fact that the target map nodes correspond to the abnormal flow. The topological information in the access time sequence map can be well reserved through map representation learning, and the distances between time sequence vectors corresponding to map nodes with similar or similar representation flow information can be closer.
In each map node in the access time sequence map, the map node corresponding to the abnormal flow and the map node corresponding to the normal flow have different characteristics, so after map representation learning, the distance between the time sequence vectors corresponding to the abnormal flow is closer, the distance between the time sequence vectors corresponding to the normal flow is also closer, and the distance between the time sequence vectors corresponding to the abnormal flow and the time sequence vectors corresponding to the normal flow is farther.
In this embodiment, there are various methods for Graph representation learning of a time-series Graph, which may be selected according to application scenarios, and this embodiment is not limited to this, and for example, the time-series Graph may be processed by a Graph representation learning model based on Graph features, which may be a Graph Convolutional Network (GCN) model or the like.
And 103, clustering the time sequence vectors according to a preset clustering algorithm to obtain a plurality of clustering categories.
Further, after obtaining the time sequence vector corresponding to each time sequence node in the access time sequence map, a preset clustering algorithm may be used to perform clustering processing on the time sequence vector, and a plurality of clustering categories may be obtained through the clustering processing, where the number of the clustering categories and the granularity of the clustering processing may be determined according to service requirements and the like, which is not limited in this embodiment. The clustering algorithm for clustering the time-series vectors includes, but is not limited to: a K-means clustering algorithm or a density-based clustering algorithm.
And 104, acquiring a target cluster category to which the target time sequence vector belongs from the plurality of cluster categories, and determining the abnormal flow of the end to be detected based on the target cluster category.
In this embodiment, a plurality of cluster categories obtained by clustering are retrieved, and a target cluster category to which a target timing vector belongs is determined from the retrieved cluster categories, and since the flow rate corresponding to the target timing vector is an abnormal flow rate, the flow rates corresponding to other timing vectors included in the target cluster category are also abnormal flow rates, and further, the timing vectors in the target cluster category can be analyzed, so that the abnormal flow rate sent by each end to be detected is determined.
In an optional implementation, the determining the abnormal flow specifically includes the following steps:
step a1, inquiring whether each cluster category includes a target timing vector, and if the cluster category currently processed includes the target timing vector, determining the cluster category currently processed as the target cluster category.
In this embodiment, there are various methods for querying whether a cluster category includes a target timing vector, which may be set according to an application scenario, and this embodiment is not limited. For example, in some application scenarios, the target timing vector has an abnormal traffic identifier that is consistent with the target graph node, so that each cluster category can be retrieved according to the abnormal traffic identifier, and if the abnormal traffic identifier is retrieved from the currently processed cluster category, it is indicated that the currently processed cluster category includes the target timing vector, and the cluster category is determined as the target cluster category.
Step a2, obtaining abnormal time periods corresponding to all time sequence vectors belonging to the target cluster category, and determining the flow sent by the end to be detected in the abnormal time periods as abnormal flow.
Further, all time sequence vectors included in the target cluster category are obtained, the end to be detected and the abnormal time period corresponding to each time sequence vector are determined, and the flow sent by the end to be detected in the corresponding abnormal time period is determined as the abnormal flow.
For example, if the first cluster type includes the target timing vector, the first timing vector and the second timing vector, and the end to be detected corresponding to the first timing vector is IP1, the corresponding time period is 1 day to 7 days; the end to be detected corresponding to the second time sequence vector is also IP1, and the corresponding time period is 3 days to 9 days. The traffic sent by IP1 between days 1 and 9 may be considered as anomalous traffic.
In some application scenarios, the currently processed cluster category does not include the target timing vector, and the timing vector in the cluster category may be subjected to sampling detection, so as to further determine whether the cluster category corresponds to the abnormal traffic, specifically including:
b1, if the current processing cluster category does not include the target time sequence vector, randomly selecting M time sequence vectors in the current processing cluster category as sampling time sequence vectors; wherein M is a positive integer.
If the currently processed cluster type does not include the target timing vector, whether the cluster type corresponds to the abnormal flow or not can be further judged by sampling the timing vector in the cluster type.
Specifically, M timing vectors in the currently processed cluster category may be randomly selected as sampling timing vectors, where M may be determined according to parameters such as the number of timing vectors in the cluster category.
And b2, analyzing and determining the sampling flow identification corresponding to each sampling timing vector.
In this embodiment, the alternative sampling traffic identifier may be set according to a user requirement, for example, the sampling traffic identifier may include: any one or more of website traffic identification, database traffic identification, mail traffic identification, domain name service traffic identification, file server identification, and abnormal traffic identification.
In an optional implementation manner, a corresponding relationship between the sampling flow identifier and the keyword may be established, the original data corresponding to the sampling timing vector may be obtained, the original data may be retrieved according to the keyword, and the sampling flow identifier corresponding to the sampling timing vector may be determined according to the hit keyword.
And b3, counting the sampling flow identifiers, and judging whether the flow corresponding to the currently processed cluster type is abnormal flow according to the counting result.
Furthermore, the sampling flow identifiers corresponding to the M timing vectors may be counted, the sampling flow identifier with the largest number may be used as the category identifier of the currently processed cluster category, and if the category identifier is an abnormal flow identifier, the flow corresponding to the cluster category is determined to be an abnormal flow, and then the timing vectors in the cluster category may be analyzed, so as to determine the abnormal flow.
In summary, the traffic detection method in the embodiments of the present disclosure obtains an access timing map of a terminal to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification; performing graph representation learning on the access time sequence graph to obtain a time sequence vector corresponding to each graph node in the access time sequence graph; clustering the time sequence vectors according to a preset clustering algorithm to obtain a plurality of clustering categories; and acquiring a target cluster category to which the target map node belongs from the plurality of cluster categories, and determining the abnormal flow of the end to be detected based on the target cluster category. Therefore, the map nodes belonging to the same cluster type as the target map nodes with the abnormal flow marks can be determined based on the information carried by the access time sequence map, so that the abnormal flow of unknown rules can be detected through time sequence characteristics, the detection rate of the abnormal flow of unknown rules can be improved, the network safety can be guaranteed, the automation degree of abnormal flow labeling in a long time period can be improved, and the labor cost for abnormal flow labeling can be reduced.
Based on the foregoing embodiment, fig. 2 is a schematic flow chart of another traffic detection method provided in the embodiment of the present disclosure, as shown in fig. 2, where obtaining an access timing map of a to-be-detected end includes the following steps:
In this embodiment, the access traffic data records an access condition of the to-be-detected end, and the access traffic data may be set according to an application scenario and the like, which is not limited in this embodiment, for example, the access traffic data may be network traffic data or a system access log. After the access traffic data of the detection end is obtained, the access traffic data can be analyzed, so that an original input sequence is constructed.
In an optional implementation manner, a preset time period may be used to obtain access flow data in the preset time period, statistics may be performed on the access times of each to-be-detected end according to a preset sub-time period, and the access times are sorted in time sequence, so as to construct an original input sequence. The preset time period and the preset sub-time period may be set according to an application scenario, for example, the preset time period may be any value from half a year to one year, and the preset sub-time period may be 1 day.
In this embodiment, the original input sequence may be sampled by using a sliding window according to a sliding distance, so as to obtain a plurality of sub-sequences, where the length of the sliding window and the sliding distance may be set according to an application scenario, for example, the length of the sliding window may be 7, and the sliding distance may be 2.
For example, if the original input sequence is {12, 13, 10, 12, 11, 13, 15, 16, 11, 12}, the first subsequence of the two subsequences obtained by sampling the original input sequence is {12, 13, 10, 12, 11, 13, 15}, and the second subsequence is {10, 12, 11, 13, 15, 16, 11 }.
And 203, calculating a weight index corresponding to the subsequence, sequencing the subsequence from high to low according to the weight index, and taking the first N subsequences as a reference sequence, wherein N is a positive integer.
In this embodiment, the reference sequence is a sub-sequence with a strong representativeness, and the weight index can represent the representativeness of the sub-sequence, so that the sub-sequence can be screened according to the weight index to determine the reference sequence, wherein the weight index includes but is not limited to the information gain of the sub-sequence or the number of repetitions of the sub-sequence, and further the sub-sequence is ordered according to the value of the weight index from large to small, and the larger the value of the weight index is, the stronger the representativeness of the sub-sequence is, and the first N sub-sequences are taken as the reference sequence.
In an alternative embodiment, if the number of repetitions of a subsequence is used as a weight index, the number of repetitions of each subsequence in the sampled subsequences may be counted, and the subsequence with the top N of the repetitions may be used as a reference sequence.
In another optional implementation, if the information gain of the subsequence is used as the weight index, the information gain of the currently processed subsequence in the distance dimension relative to each original input sequence may be calculated, the subsequence with the largest information gain is extracted as the reference sequence, the currently extracted reference sequence is removed from the subsequence, the subsequence with the largest information gain is extracted from the current subsequence again as the reference sequence, and N reference sequences are sequentially extracted.
And 204, constructing map nodes of the access time sequence map according to the reference sequence, constructing map edges of the access time sequence map according to the time sequence relation of the reference sequence on the original input sequence, and constructing the access time sequence map.
Furthermore, the reference sequence can be used as a graph node of the time sequence graph, the reference sequences belonging to the same original input sequence are determined, and a graph edge is constructed between two adjacent reference sequences in time sequence according to the time sequence relation of the reference sequences in the same original input sequence, so that the access time sequence graph is constructed according to the graph node and the graph edge.
For example: if the original input sequence is {12, 13, 10, 12, 11, 13, 15, 16, 11, 12}, the reference sequence determined according to the weight index is: the first reference sequence {12, 13, 10, 12, 11, 13, 15} and the second reference sequence are {10, 12, 11, 13, 15, 16, 11}, and since the timing of the first reference sequence is prior to the timing of the second reference sequence in the original input sequence, a graph edge pointing from the first reference sequence to the second reference sequence can be established between the first reference sequence and the second reference sequence, and the first reference sequence and the second reference sequence are taken as graph nodes.
In this embodiment, an access time-series graph including a target graph node may also be constructed, which specifically includes:
firstly, acquiring a historical input sequence comprising abnormal time periods, and sampling the abnormal time periods in the historical input sequence to obtain target map nodes.
In this embodiment, the time sequence of the history input sequence is before the time sequence of the original input sequence, and in the history input sequence, there is an abnormal time period corresponding to the abnormal traffic, so that the abnormal time period in the history input sequence can be sampled and processed to obtain the target graph node with the same length as the graph node in the access time-series graph. It should be noted that the number of target graph nodes may be one or more, and this embodiment is not limited.
Further, the abnormal traffic identification is used for identifying and processing the target graph nodes. The target map node can be distinguished from other map nodes through the abnormal flow identification, so that the target map node can be conveniently indexed according to the target map node.
Finally, an access time-series graph including the target graph nodes is constructed according to the time sequence.
In this embodiment, the target graph node is sampled from the historical input sequence, so that the time sequence of the target graph node is earlier than that of the graph node sampled from the original input sequence, and therefore, the construction of the access time sequence graph can be performed by arranging the target graph node before other graph nodes according to the time sequence.
In summary, in the traffic detection method according to the embodiment of the present disclosure, the reference sequence is determined according to the weight index, and data with higher representativeness is reserved, and redundant data is screened, so that the constructed access time sequence map can better reflect whether abnormal traffic exists at the end to be detected, and meanwhile, the computational effort and manpower consumed by determining the abnormal traffic are also reduced.
Fig. 3 is a schematic structural diagram of a flow rate detection device provided in an embodiment of the present disclosure, where the flow rate detection device may be implemented by software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 3, the apparatus includes:
an obtaining module 301, configured to obtain an access timing map of a terminal to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification;
a learning module 302, configured to perform graph representation learning on the access time sequence graph to obtain a time sequence vector corresponding to each graph node in the access time sequence graph; wherein the target map node corresponds to a target timing sequence vector;
the clustering module 303 is configured to perform clustering processing on the time sequence vector according to a preset clustering algorithm to obtain a plurality of clustering categories;
the detection module 304 is configured to obtain a target cluster category to which the target timing vector belongs from the multiple cluster categories, and determine the abnormal traffic of the end to be detected based on the target cluster category.
Optionally, the obtaining module 301 is configured to:
obtaining access flow data of the end to be detected, and constructing an original input sequence according to the access flow data;
sampling the original input sequence to obtain a plurality of subsequences;
calculating a weight index corresponding to the subsequence, sequencing the subsequence from high to low according to the weight index, and taking the first N subsequences as reference sequences; wherein N is a positive integer;
and constructing map nodes of the visit time sequence map according to the reference sequence, constructing map edges of the visit time sequence map according to the time sequence relation of the reference sequence on the original input sequence, and constructing the visit time sequence map.
Optionally, the apparatus further comprises:
the first sampling module is used for acquiring a historical input sequence comprising abnormal time periods, and sampling the abnormal time periods in the historical input sequence to obtain the target map node;
and the identification module is used for identifying and processing the target graph nodes by using the abnormal flow identification.
Optionally, the apparatus further comprises:
a construction module to construct the access time series graph including the target graph nodes according to a time series.
Optionally, the detecting module 304 is configured to:
inquiring whether each cluster type comprises the target time sequence vector or not, and if the currently processed cluster type comprises the target time sequence vector, determining the currently processed cluster type as the target cluster type;
and acquiring abnormal time periods corresponding to all time sequence vectors belonging to the target cluster category, and determining the flow sent by the end to be detected in the abnormal time periods as abnormal flow.
Optionally, the apparatus further comprises:
the second sampling module is used for randomly selecting M time sequence vectors in the currently processed clustering category as sampling time sequence vectors if the currently processed clustering category does not comprise the target time sequence vector; wherein M is a positive integer;
the analysis module is used for analyzing and determining a sampling flow identifier corresponding to each sampling time sequence vector;
and the judging module is used for counting the sampling flow identifiers and judging whether the flow corresponding to the currently processed clustering category is the abnormal flow according to a counting result.
The flow detection device provided by the embodiment of the disclosure can execute the flow detection method provided by any embodiment of the disclosure, and has corresponding functional modules and beneficial effects of the execution method.
To implement the above embodiments, the present disclosure also proposes a computer program product comprising a computer program/instructions, which when executed by a processor, implements the flow detection method in the above embodiments
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Referring now specifically to fig. 4, a schematic diagram of an electronic device 400 suitable for use in implementing embodiments of the present disclosure is shown. The electronic device 400 in the embodiments of the present disclosure may include, but is not limited to, mobile terminals such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a vehicle-mounted terminal (e.g., a car navigation terminal), and the like, and fixed terminals such as a digital TV, a desktop computer, and the like. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 4, electronic device 400 may include a processing device (e.g., central processing unit, graphics processor, etc.) 401 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)402 or a program loaded from a storage device 408 into a Random Access Memory (RAM) 403. In the RAM403, various programs and data necessary for the operation of the electronic apparatus 400 are also stored. The processing device 401, the ROM 402, and the RAM403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
Generally, the following devices may be connected to the I/O interface 405: input devices 406 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 407 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 408 including, for example, tape, hard disk, etc.; and a communication device 409. The communication means 409 may allow the electronic device 400 to communicate wirelessly or by wire with other devices to exchange data. While fig. 4 illustrates an electronic device 400 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 409, or from the storage device 408, or from the ROM 402. The computer program, when executed by the processing device 401, performs the above-described functions defined in the flow rate detection method of the embodiment of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients, servers may communicate using any currently known or future developed network Protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the Internet (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring an access time sequence map of a terminal to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification; performing graph representation learning on the access time sequence graph to obtain a time sequence vector corresponding to each graph node in the access time sequence graph; wherein the target spectrum node corresponds to a target timing sequence vector; clustering the time sequence vectors according to a preset clustering algorithm to obtain a plurality of clustering categories; and acquiring a target clustering category to which the target time sequence vector belongs from the multiple clustering categories, and determining the abnormal flow of the end to be detected based on the target clustering category. Therefore, the map nodes belonging to the same cluster type as the target map nodes with the abnormal flow marks can be determined based on the information carried by the access time sequence map, so that the abnormal flow of unknown rules can be detected through time sequence characteristics, the detection rate of the abnormal flow of unknown rules can be improved, the network safety can be guaranteed, the automation degree of abnormal flow labeling in a long time period can be improved, and the labor cost for abnormal flow labeling can be reduced.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C + +, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. Where the name of an element does not in some cases constitute a limitation on the element itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other embodiments in which any combination of the features described above or their equivalents does not depart from the spirit of the disclosure. For example, the above features and (but not limited to) the features disclosed in this disclosure having similar functions are replaced with each other to form the technical solution.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
Claims (10)
1. A method for detecting traffic, comprising:
acquiring an access time sequence map of a terminal to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification;
performing graph representation learning on the visit time sequence graph to obtain a time sequence vector corresponding to each graph node in the visit time sequence graph; wherein the target map node corresponds to a target timing sequence vector;
clustering the time sequence vectors according to a preset clustering algorithm to obtain a plurality of clustering categories;
and acquiring a target cluster category to which the target time sequence vector belongs from the plurality of cluster categories, and determining the abnormal flow of the end to be detected based on the target cluster category.
2. The method according to claim 1, wherein the obtaining of the visit timing map of the terminal to be detected comprises:
obtaining access flow data of the end to be detected, and constructing an original input sequence according to the access flow data;
sampling the original input sequence to obtain a plurality of subsequences;
calculating a weight index corresponding to the subsequence, sequencing the subsequence from high to low according to the weight index, and taking the first N subsequences as reference sequences; wherein N is a positive integer;
and constructing map nodes of the visit time sequence map according to the reference sequence, constructing map edges of the visit time sequence map according to the time sequence relation of the reference sequence on the original input sequence, and constructing the visit time sequence map.
3. The method of claim 2, further comprising:
acquiring a historical input sequence comprising abnormal time periods, and sampling the abnormal time periods in the historical input sequence to obtain the target map nodes;
and using the abnormal flow identification to perform identification processing on the target map node.
4. The method of claim 3, further comprising:
constructing the access time-series graph including the target graph nodes according to time sequence.
5. The method according to claim 1, wherein the obtaining a target cluster category to which the target timing vector belongs from the plurality of cluster categories and determining the abnormal flow of the end to be detected based on the target cluster category comprises:
inquiring whether each cluster type comprises the target time sequence vector or not, and if the currently processed cluster type comprises the target time sequence vector, determining the currently processed cluster type as the target cluster type;
and acquiring abnormal time periods corresponding to all time sequence vectors belonging to the target cluster category, and determining the flow sent by the end to be detected in the abnormal time periods as abnormal flow.
6. The method of claim 5, further comprising:
if the currently processed clustering category does not include the target timing sequence vector, randomly selecting M timing sequence vectors in the currently processed clustering category as sampling timing sequence vectors; wherein M is a positive integer;
analyzing and determining a sampling flow identifier corresponding to each sampling time sequence vector;
and counting the sampling flow identification, and judging whether the flow corresponding to the currently processed cluster type is the abnormal flow according to a counting result.
7. A flow sensing device, comprising:
the acquisition module is used for acquiring an access time sequence map of the end to be detected; wherein the access time-series graph comprises at least one target graph node with abnormal traffic identification;
the learning module is used for performing graph representation learning on the visit time sequence graph to obtain a time sequence vector corresponding to each graph node in the visit time sequence graph; wherein the target map node corresponds to a target timing sequence vector;
the clustering module is used for clustering the time sequence vector according to a preset clustering algorithm to obtain a plurality of clustering categories;
and the detection module is used for acquiring a target cluster category to which the target time sequence vector belongs from the plurality of cluster categories and determining the abnormal flow of the end to be detected based on the target cluster category.
8. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the traffic detection method according to any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that the storage medium stores a computer program for executing the flow rate detection method according to any one of the preceding claims 1 to 6.
10. A computer program product, characterized in that the computer program product comprises a computer program/instructions which, when executed by a processor, implements the flow detection method according to any of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210202225.XA CN114422267B (en) | 2022-03-03 | 2022-03-03 | Flow detection method, device, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210202225.XA CN114422267B (en) | 2022-03-03 | 2022-03-03 | Flow detection method, device, equipment and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114422267A true CN114422267A (en) | 2022-04-29 |
| CN114422267B CN114422267B (en) | 2024-02-06 |
Family
ID=81262828
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210202225.XA Active CN114422267B (en) | 2022-03-03 | 2022-03-03 | Flow detection method, device, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114422267B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115237081A (en) * | 2022-09-22 | 2022-10-25 | 蘑菇物联技术(深圳)有限公司 | Method, apparatus, and medium for determining post-processing device with exception |
| CN115473789A (en) * | 2022-09-16 | 2022-12-13 | 深信服科技股份有限公司 | Alarm processing method and related equipment |
| CN115514620A (en) * | 2022-11-15 | 2022-12-23 | 阿里云计算有限公司 | Anomaly detection method and cloud network platform |
| CN115995282A (en) * | 2023-03-23 | 2023-04-21 | 山东纬横数据科技有限公司 | Expiratory flow data processing system based on knowledge graph |
| CN116112292A (en) * | 2023-04-12 | 2023-05-12 | 湖南丛茂科技有限公司 | Abnormal behavior detection method, system and medium based on network flow big data |
| CN116614282A (en) * | 2023-05-24 | 2023-08-18 | 阿里云计算有限公司 | Method, device, storage medium and electronic device for determining abnormal access object |
| CN118171271A (en) * | 2024-05-14 | 2024-06-11 | 深圳震有科技股份有限公司 | Safety monitoring method, system and terminal for database |
| WO2025020380A1 (en) * | 2023-07-27 | 2025-01-30 | 中国互联网络信息中心 | Method and apparatus for identifying malicious domain name on basis of dynamic heterogeneous graph |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200336499A1 (en) * | 2019-04-16 | 2020-10-22 | International Business Machines Corporation | Anomaly and mode inference from time series data |
| CN111949803A (en) * | 2020-08-21 | 2020-11-17 | 深圳供电局有限公司 | A method, device and device for detecting abnormal network users based on knowledge graph |
| CN112541022A (en) * | 2020-12-18 | 2021-03-23 | 网易(杭州)网络有限公司 | Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment |
| CN112685396A (en) * | 2020-12-30 | 2021-04-20 | 平安普惠企业管理有限公司 | Financial data violation detection method and device, computer equipment and storage medium |
| WO2021109314A1 (en) * | 2019-12-06 | 2021-06-10 | 网宿科技股份有限公司 | Method, system and device for detecting abnormal data |
| CN113010896A (en) * | 2021-03-17 | 2021-06-22 | 北京百度网讯科技有限公司 | Method, apparatus, device, medium and program product for determining an abnormal object |
| CN113312447A (en) * | 2021-03-10 | 2021-08-27 | 天津大学 | Semi-supervised log anomaly detection method based on probability label estimation |
| CN113360580A (en) * | 2021-05-31 | 2021-09-07 | 北京百度网讯科技有限公司 | Abnormal event detection method, device, equipment and medium based on knowledge graph |
| CN113554175A (en) * | 2021-09-18 | 2021-10-26 | 平安科技(深圳)有限公司 | Knowledge graph construction method and device, readable storage medium and terminal equipment |
| CN113704008A (en) * | 2021-03-09 | 2021-11-26 | 腾讯科技(深圳)有限公司 | Anomaly detection method, problem diagnosis method and related products |
| CN113852603A (en) * | 2021-08-13 | 2021-12-28 | 京东科技信息技术有限公司 | Method and device for detecting abnormality of network traffic, electronic equipment and readable medium |
| CN114117134A (en) * | 2021-11-09 | 2022-03-01 | 南京星云数字技术有限公司 | Abnormal feature detection method, device, equipment and computer readable medium |
-
2022
- 2022-03-03 CN CN202210202225.XA patent/CN114422267B/en active Active
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200336499A1 (en) * | 2019-04-16 | 2020-10-22 | International Business Machines Corporation | Anomaly and mode inference from time series data |
| WO2021109314A1 (en) * | 2019-12-06 | 2021-06-10 | 网宿科技股份有限公司 | Method, system and device for detecting abnormal data |
| CN111949803A (en) * | 2020-08-21 | 2020-11-17 | 深圳供电局有限公司 | A method, device and device for detecting abnormal network users based on knowledge graph |
| CN112541022A (en) * | 2020-12-18 | 2021-03-23 | 网易(杭州)网络有限公司 | Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment |
| CN112685396A (en) * | 2020-12-30 | 2021-04-20 | 平安普惠企业管理有限公司 | Financial data violation detection method and device, computer equipment and storage medium |
| CN113704008A (en) * | 2021-03-09 | 2021-11-26 | 腾讯科技(深圳)有限公司 | Anomaly detection method, problem diagnosis method and related products |
| CN113312447A (en) * | 2021-03-10 | 2021-08-27 | 天津大学 | Semi-supervised log anomaly detection method based on probability label estimation |
| CN113010896A (en) * | 2021-03-17 | 2021-06-22 | 北京百度网讯科技有限公司 | Method, apparatus, device, medium and program product for determining an abnormal object |
| CN113360580A (en) * | 2021-05-31 | 2021-09-07 | 北京百度网讯科技有限公司 | Abnormal event detection method, device, equipment and medium based on knowledge graph |
| CN113852603A (en) * | 2021-08-13 | 2021-12-28 | 京东科技信息技术有限公司 | Method and device for detecting abnormality of network traffic, electronic equipment and readable medium |
| CN113554175A (en) * | 2021-09-18 | 2021-10-26 | 平安科技(深圳)有限公司 | Knowledge graph construction method and device, readable storage medium and terminal equipment |
| CN114117134A (en) * | 2021-11-09 | 2022-03-01 | 南京星云数字技术有限公司 | Abnormal feature detection method, device, equipment and computer readable medium |
Non-Patent Citations (1)
| Title |
|---|
| 夏彬;白宇轩;殷俊杰;: "基于生成对抗网络的系统日志级异常检测算法", 计算机应用, vol. 40, no. 10, pages 2960 - 2966 * |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115473789B (en) * | 2022-09-16 | 2024-02-27 | 深信服科技股份有限公司 | Alarm processing method and related equipment |
| CN115473789A (en) * | 2022-09-16 | 2022-12-13 | 深信服科技股份有限公司 | Alarm processing method and related equipment |
| CN115237081B (en) * | 2022-09-22 | 2022-12-02 | 蘑菇物联技术(深圳)有限公司 | Method, apparatus, and medium for determining post-processing device with exception |
| CN115237081A (en) * | 2022-09-22 | 2022-10-25 | 蘑菇物联技术(深圳)有限公司 | Method, apparatus, and medium for determining post-processing device with exception |
| CN115514620A (en) * | 2022-11-15 | 2022-12-23 | 阿里云计算有限公司 | Anomaly detection method and cloud network platform |
| CN115514620B (en) * | 2022-11-15 | 2023-03-10 | 阿里云计算有限公司 | An anomaly detection method and cloud network platform |
| CN115995282A (en) * | 2023-03-23 | 2023-04-21 | 山东纬横数据科技有限公司 | Expiratory flow data processing system based on knowledge graph |
| CN116112292A (en) * | 2023-04-12 | 2023-05-12 | 湖南丛茂科技有限公司 | Abnormal behavior detection method, system and medium based on network flow big data |
| CN116112292B (en) * | 2023-04-12 | 2023-06-09 | 湖南丛茂科技有限公司 | Abnormal behavior detection method, system and medium based on network flow big data |
| CN116614282A (en) * | 2023-05-24 | 2023-08-18 | 阿里云计算有限公司 | Method, device, storage medium and electronic device for determining abnormal access object |
| WO2025020380A1 (en) * | 2023-07-27 | 2025-01-30 | 中国互联网络信息中心 | Method and apparatus for identifying malicious domain name on basis of dynamic heterogeneous graph |
| CN118171271A (en) * | 2024-05-14 | 2024-06-11 | 深圳震有科技股份有限公司 | Safety monitoring method, system and terminal for database |
| CN118171271B (en) * | 2024-05-14 | 2024-07-19 | 深圳震有科技股份有限公司 | Safety monitoring method, system and terminal for database |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114422267B (en) | 2024-02-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN114422267B (en) | Flow detection method, device, equipment and medium | |
| CN109587008B (en) | Method, device and storage medium for detecting abnormal flow data | |
| CN112836128A (en) | Information recommendation method, apparatus, device and storage medium | |
| CN116662672B (en) | Value object information transmitting method, device, equipment and computer readable medium | |
| CN114780338A (en) | Host information processing method and device, electronic equipment and computer readable medium | |
| CN110737691B (en) | Method and apparatus for processing access behavior data | |
| CN115277261B (en) | Abnormal machine intelligent identification method, device and equipment based on industrial control network virus | |
| CN112200173A (en) | Multi-network model training method, image labeling method and face image recognition method | |
| CN113763077A (en) | Method and apparatus for detecting false trade orders | |
| CN113837278B (en) | Method and device for detecting dirty data | |
| CN108011936B (en) | Method and device for pushing information | |
| CN113902230A (en) | Electric quantity deviation control method, system, storage medium and electronic equipment | |
| CN111478861B (en) | Traffic identification method and device, electronic equipment and storage medium | |
| CN112379967A (en) | Simulator detection method, device, equipment and medium | |
| CN113592557A (en) | Attribution method and device of advertisement putting result, storage medium and electronic equipment | |
| CN114547491B (en) | Method, device, equipment and medium for constructing time series graph | |
| CN116992115A (en) | Recommendation method and device, storage medium and electronic equipment | |
| CN117196333A (en) | Natural disaster influence and loss information generation method and device based on power data | |
| CN113051400B (en) | Labeling data determining method and device, readable medium and electronic equipment | |
| CN111507734B (en) | Method and device for identifying cheating request, electronic equipment and computer storage medium | |
| CN111782549A (en) | Test method and device and electronic equipment | |
| CN117857388B (en) | Switch operation information detection method and device, electronic equipment and computer medium | |
| CN111628913A (en) | Online time length determining method and device, readable medium and electronic equipment | |
| CN111382233A (en) | Similar text detection method and device, electronic equipment and storage medium | |
| CN116541421B (en) | Address query information generation method and device, electronic equipment and computer medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |