
CN116760747A - Intelligent detection method and device for network information security - Google Patents


Publication number: CN116760747A
Authority: CN (China)
Prior art keywords: flow, data, flow characteristic, value, abnormal
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310809816.8A
Other languages: Chinese (zh)
Inventor: 肖文红
Current Assignee: Jiaxing Vocational and Technical College (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Jiaxing Vocational and Technical College
Application filed by: Jiaxing Vocational and Technical College
Priority to: CN202310809816.8A; ZA2024/01702A (ZA202401702B)
Publication of: CN116760747A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0888 Throughput
    • H04L43/0823 Errors, e.g. transmission errors
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an intelligent detection method and device for network information security. Traffic data collected from network information is standardized to obtain standard traffic data, from which a traffic feature correlation matrix is constructed. Eigenvalue decomposition of the traffic feature correlation matrix yields traffic eigenvectors and traffic eigenvalues; traffic eigenvectors are selected as traffic features according to the traffic eigenvalues, and the standard traffic data is mapped onto the traffic features to obtain preprocessed traffic feature data. An abnormal traffic detection model is determined from the standard deviation and mean of the preprocessed traffic feature data, and the model is applied to the preprocessed traffic feature data to obtain a traffic anomaly value. When the traffic anomaly value is greater than a preset anomaly threshold, the preprocessed traffic feature data is judged to be abnormal traffic data, and when abnormal traffic data is detected, warning information is sent to a control center. This addresses the problem that network information security detection results have low accuracy and a high rate of false positives.

Description

An intelligent detection method and device for network information security

Technical field

The present invention relates to the technical field of network information security, and in particular to an intelligent detection method and device for network information security.

Background

Intelligent detection of network information security refers to the use of artificial intelligence and machine learning techniques to automatically monitor, identify and respond to network security threats. It can help discover potential network attacks, malicious behavior and abnormal activity, so that appropriate countermeasures can be taken in time.

Anomaly detection is an important part of intelligent detection of network information security. It aims to discover abnormal activity that does not match normal behavior patterns, which may indicate a potential network attack, malicious behavior or a system failure. The goal of anomaly detection is to establish a baseline model of normal behavior and then, by monitoring and analyzing user behavior and system activity in real time, to identify anomalies that do not fit the baseline model. The baseline model is built with machine learning and statistical analysis methods, and user behavior and system activity are monitored to detect activity that does not match normal behavior patterns, which can help discover unknown attacks and new types of threat. However, when the prior art detects the security of network information by analyzing behavior patterns, it suffers from the technical problem that the detection results have low accuracy and a high rate of false positives.

Summary of the invention

Embodiments of the present application provide an intelligent detection method and device for network information security, to solve the technical problem in the prior art that network information security detection results have low accuracy and a high rate of false positives.

To solve the above technical problem, the present application adopts the following technical solutions:

In a first aspect, the present application provides an intelligent detection method for network information security, comprising the following steps:

Collecting traffic data from network information, and standardizing the collected traffic data to obtain standard traffic data;

Constructing a traffic feature correlation matrix from the standard traffic data, performing eigenvalue decomposition on the traffic feature correlation matrix to obtain traffic eigenvectors and traffic eigenvalues, selecting traffic eigenvectors as traffic features according to the traffic eigenvalues, and mapping the standard traffic data onto the traffic features to obtain preprocessed traffic feature data;

Computing the standard deviation and mean of the preprocessed traffic feature data, determining an abnormal traffic detection model from the standard deviation and the mean, and applying the abnormal traffic detection model to the preprocessed traffic feature data to obtain a traffic anomaly value;

When the traffic anomaly value is greater than a preset anomaly threshold, judging the preprocessed traffic feature data to be abnormal traffic data, and when abnormal traffic data is detected, sending warning information to a control center.

In some embodiments, standardizing the collected traffic data to obtain standard traffic data specifically includes:

Determining the maximum and minimum values of the traffic data by traversing the traffic data;

Standardizing the traffic data according to the maximum value and the minimum value to obtain standard traffic data, the standard traffic data being determined according to the following formula:

where X_s denotes the standard traffic data after standardization, X denotes the traffic data, X_max denotes the maximum value of the traffic data, and X_min denotes the minimum value of the traffic data.

In some embodiments, constructing the traffic feature correlation matrix from the standard traffic data specifically includes:

Determining the number n and the mean μ of the standard traffic data;

Determining the matrix φ of the standard traffic data;

Constructing the traffic feature correlation matrix from the number n and mean μ of the standard traffic data and the matrix φ of the standard traffic data, the traffic feature correlation matrix being determined according to the following formula:

where ψ denotes the traffic feature correlation matrix, n denotes the number of standard traffic data items, φ denotes the matrix of standard traffic data, μ denotes the mean of the standard traffic data, and (φ − μ)^T denotes the transpose of the matrix.

In some embodiments, performing eigenvalue decomposition on the traffic feature correlation matrix to obtain the traffic eigenvectors and traffic eigenvalues specifically includes:

Obtaining a sequence of traffic eigenvalues from the equation for the traffic eigenvalues, which is given by:

|ψ − αθ| = 0

where ψ denotes the traffic feature correlation matrix, α denotes a traffic eigenvalue, and θ denotes the identity matrix;

Determining the traffic eigenvectors from the sequence of traffic eigenvalues, the equation for the traffic eigenvectors being given by:

|ψ − α_i θ| β_i = 0

where ψ denotes the traffic feature correlation matrix, α_i denotes the i-th traffic eigenvalue in the sequence of traffic eigenvalues, θ denotes the identity matrix, and β_i denotes the traffic eigenvector corresponding to α_i.

In some embodiments, the traffic eigenvalues are sorted by magnitude, and traffic eigenvectors are selected as traffic features from the sorted traffic eigenvalues according to a preset number of dimensions.

In some embodiments, mapping the standard traffic data onto the traffic features to obtain preprocessed traffic feature data specifically includes:

Multiplying the matrix formed by the standard traffic data by the matrix formed by the traffic features to obtain a preprocessed traffic feature matrix;

Determining the preprocessed traffic feature data from the preprocessed traffic feature matrix.

In some embodiments, the preset anomaly threshold is determined by analyzing historical data of abnormal traffic.

In a second aspect, the present application provides an intelligent detection device for network information security, comprising:

A standard traffic data determination module, configured to collect traffic data from network information and standardize the collected traffic data to obtain standard traffic data;

A preprocessed traffic feature data determination module, configured to construct a traffic feature correlation matrix from the standard traffic data, perform eigenvalue decomposition on the traffic feature correlation matrix to obtain traffic eigenvectors and traffic eigenvalues, select traffic eigenvectors as traffic features according to the traffic eigenvalues, and map the standard traffic data onto the traffic features to obtain preprocessed traffic feature data;

A traffic anomaly value determination module, configured to compute the standard deviation and mean of the preprocessed traffic feature data, determine an abnormal traffic detection model from the standard deviation and the mean, and apply the abnormal traffic detection model to the preprocessed traffic feature data to obtain a traffic anomaly value;

A warning module, configured to judge the preprocessed traffic feature data to be abnormal traffic data when the traffic anomaly value is greater than a preset anomaly threshold, and to send warning information to a control center when abnormal traffic data is detected.

In a third aspect, the present application provides a computer device comprising a memory and a processor, the memory storing code and the processor being configured to obtain the code and execute the above intelligent detection method for network information security.

In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above intelligent detection method for network information security.

The technical solutions provided by the embodiments of the present application have the following beneficial effects:

In the intelligent detection method and device for network information security disclosed in the present application, traffic data is collected from network information and standardized to obtain standard traffic data. A traffic feature correlation matrix is constructed from the standard traffic data, and eigenvalue decomposition of that matrix yields traffic eigenvectors and traffic eigenvalues. Traffic eigenvectors are selected as traffic features according to the traffic eigenvalues, and the standard traffic data is mapped onto the traffic features to obtain preprocessed traffic feature data. The standard deviation and mean of the preprocessed traffic feature data are computed, an abnormal traffic detection model is determined from them, and the model is applied to the preprocessed traffic feature data to obtain a traffic anomaly value. When the traffic anomaly value is greater than a preset anomaly threshold, the preprocessed traffic feature data is judged to be abnormal traffic data, and when abnormal traffic data is detected, warning information is sent to the system. This can solve the technical problem in the prior art that network information security detection results have low accuracy and a high rate of false positives.

Description of the drawings

Figure 1 is an exemplary flow chart of an intelligent detection method for network information security according to some embodiments of the present application;

Figure 2 is a schematic diagram of exemplary hardware and/or software of an intelligent detection device for network information security according to some embodiments of the present application;

Figure 3 is an exemplary structural diagram of a computer device applying the intelligent detection method for network information security according to some embodiments of the present application.

Detailed description

The embodiments of the present application provide an intelligent detection method and device for network information security. At its core, traffic data is collected from network information and standardized to obtain standard traffic data. A traffic feature correlation matrix is constructed from the standard traffic data, and eigenvalue decomposition of that matrix yields traffic eigenvectors and traffic eigenvalues. Traffic eigenvectors are selected as traffic features according to the traffic eigenvalues, and the standard traffic data is mapped onto the traffic features to obtain preprocessed traffic feature data. The standard deviation and mean of the preprocessed traffic feature data are computed, an abnormal traffic detection model is determined from them, and the model is applied to the preprocessed traffic feature data to obtain a traffic anomaly value. When the traffic anomaly value is greater than a preset anomaly threshold, the preprocessed traffic feature data is judged to be abnormal traffic data, and when abnormal traffic data is detected, warning information is sent to the system. This can solve the technical problem in the prior art that network information security detection results have low accuracy and a high rate of false positives.

For a better understanding of the above technical solution, it is described in detail below with reference to the accompanying drawings and specific embodiments. Referring to Figure 1, which is an exemplary flow chart of an intelligent detection method for network information security according to some embodiments of the present application, the intelligent detection method 100 mainly includes the following steps:

In step 101, traffic data is collected from network information, and the collected traffic data is standardized to obtain standard traffic data.

In some embodiments, standardizing the collected traffic data to obtain standard traffic data specifically includes: determining the maximum and minimum values of the traffic data by traversing the traffic data, and standardizing the traffic data according to the maximum value and the minimum value to obtain standard traffic data, the standard traffic data being determined according to the following formula:

where X_s denotes the standard traffic data after standardization, X denotes the traffic data, X_max denotes the maximum value of the traffic data, and X_min denotes the minimum value of the traffic data.

In some embodiments, suppose there is a traffic data set [120, 60, 95, 110, 75, 130, 90]. Traversing the traffic data determines that the maximum value of the traffic data is 130 and the minimum value is 75. The traffic is then standardized using the maximum and minimum values, giving the standard traffic data [0.4167, 0.0833, 0.25, 0.375, 0, 0.5833, 0.1667].

It should be noted that standardization maps the traffic data into a range such that the minimum value corresponds to the lower limit of the target range and the maximum value corresponds to the upper limit. This standardization method preserves the relative relationships and distribution shape of the traffic data while mapping it into a fixed range, which simplifies subsequent processing and comparison.

In step 102, a traffic feature correlation matrix is constructed from the standard traffic data, eigenvalue decomposition is performed on the traffic feature correlation matrix to obtain traffic eigenvectors and traffic eigenvalues, traffic eigenvectors are selected as traffic features according to the traffic eigenvalues, and the standard traffic data is mapped onto the traffic features to obtain preprocessed traffic feature data.

In some embodiments, the traffic feature correlation matrix can be constructed from the standard traffic data as follows:

First, the number n and the mean μ of the standard traffic data are determined, then the matrix φ of the standard traffic data is determined, and finally the traffic feature correlation matrix is constructed from the number n and mean μ of the standard traffic data and the matrix φ of the standard traffic data. The traffic feature correlation matrix is determined according to the following formula:

where ψ denotes the traffic feature correlation matrix, n denotes the number of standard traffic data items, φ denotes the matrix of standard traffic data, μ denotes the mean of the standard traffic data, and (φ − μ)^T denotes the transpose of the matrix. It should be noted that constructing the traffic feature correlation matrix can help strengthen the correlation between the individual features in the traffic data.

In some embodiments, a sequence of traffic eigenvalues is obtained from the equation for the traffic eigenvalues, which is given by:

|ψ − αθ| = 0

where ψ denotes the traffic feature correlation matrix, α denotes a traffic eigenvalue, and θ denotes the identity matrix;

The traffic eigenvectors are determined from the sequence of traffic eigenvalues, the equation for the traffic eigenvectors being given by:

|ψ − α_i θ| β_i = 0

where ψ denotes the traffic feature correlation matrix, α_i denotes the i-th traffic eigenvalue in the sequence of traffic eigenvalues, θ denotes the identity matrix, and β_i denotes the traffic eigenvector corresponding to α_i.

It should be noted that eigenvalue decomposition can help strengthen the correlation and importance of the individual features in the traffic data set. In a practical implementation, the eigenvalue decomposition can also be computed with functions provided by a numerical computing library or a linear algebra library, which is not described further here.

In some embodiments, the traffic eigenvalues are sorted by magnitude, and traffic eigenvectors are selected as traffic features from the sorted traffic eigenvalues according to a preset number of dimensions, where the preset number of dimensions is the dimensionality to which the standard traffic data is to be reduced. The traffic eigenvalues are sorted in descending order and the order of the traffic eigenvectors is adjusted accordingly, so that traffic eigenvectors with larger traffic eigenvalues correspond to the more important traffic features in the standard traffic data. For example, when the preset number of dimensions is 3, the three traffic eigenvectors with the largest traffic eigenvalues are selected as traffic features. It should be noted that these traffic features are the most important traffic features retained from the standard traffic data.

In some embodiments, mapping the standard traffic data onto the traffic features to obtain preprocessed traffic feature data can be implemented as follows:

The matrix formed by the standard traffic data is multiplied by the matrix formed by the traffic features to obtain a preprocessed traffic feature matrix, and the preprocessed traffic feature data is determined from the preprocessed traffic feature matrix. Mapping the standard traffic data onto the traffic features converts higher-dimensional standard traffic data into lower-dimensional preprocessed traffic feature data while retaining the key features of the standard traffic data as far as possible.

In step 103, the standard deviation and mean of the preprocessed traffic feature data are computed, an abnormal traffic detection model is determined from the standard deviation and the mean, and the abnormal traffic detection model is applied to the preprocessed traffic feature data to obtain a traffic anomaly value.

In some embodiments, the standard deviation and mean of the preprocessed traffic feature data are computed. Suppose preprocessed traffic feature data is collected over a period of time, for example the network traffic transmission rate per minute, and the feature is described statistically by computing its mean and standard deviation. Suppose the statistical result is a mean τ = 100 and a standard deviation λ = 10. It should be noted that the mean and the standard deviation are both in Mbps (million bits per second), that is, megabits per second. The calculation of the mean and standard deviation is not described further here.

In some embodiments, the preprocessed traffic feature data x is determined first, then the standard deviation λ and mean τ of the preprocessed traffic feature data x are determined, and finally the abnormal traffic detection model is determined from the preprocessed traffic feature data x, the standard deviation λ and the mean τ. As a preferred embodiment, the abnormal traffic detection model can be determined by the following formula:

where ω(x) denotes the traffic anomaly value, x denotes the preprocessed traffic feature data, τ denotes the mean of the preprocessed traffic feature data, λ denotes the standard deviation of the preprocessed traffic feature data, e denotes Euler's number, π denotes pi, and a denotes an intermediate substitution variable.

It should be noted that the abnormal traffic detection model is essential to achieving network information security. In the present application, the abnormal traffic detection model makes it possible to discover potential network threats, identify abnormal behavior, optimize defense strategies, and support emergency response and the analysis of malicious activity. Effective abnormal traffic detection can improve the security and stability of the network and protect important data and resources.

In some embodiments, the abnormal traffic detection model is applied to the preprocessed traffic feature data to obtain a traffic anomaly value. For example, suppose a preprocessed traffic feature data item represents the transmission rate of the traffic and the transmission rate is 92 Mbps; substituting it into the abnormal traffic detection model gives a traffic anomaly value of 0.048. The calculation of substituting into the abnormal traffic detection model is not described further here.

In step 104, when the traffic abnormal value is greater than the preset abnormal threshold, the preprocessed traffic characteristic data is determined to be abnormal traffic data; when abnormal traffic data is detected, warning information is sent to the control center.

In some embodiments, the preset abnormal threshold is determined by analyzing historical data of abnormal traffic. For example, historical traffic data is collected over a period of time, including sample data of normal traffic and of known abnormal traffic. The collected historical traffic data is preprocessed, including operations such as data cleaning, data filtering and data standardization, which are not limited here. Statistical indicators such as the mean and the standard deviation are then calculated from the preprocessed historical traffic data; these indicators reflect the distribution of the historical traffic data. This application uses the standard deviation and the mean of the historical traffic data to reflect its distribution.

The preset abnormal threshold is determined from the standard deviation and the mean of the historical traffic data. In some embodiments, the preset abnormal threshold is determined as the mean plus or minus a multiple of the standard deviation; for example, the mean minus two standard deviations can be chosen as the lower abnormal threshold, and the mean plus two standard deviations as the upper abnormal threshold.

It should be noted that, when the preset abnormal threshold is compared with the traffic abnormal value, the preset abnormal threshold needs to be reduced by a factor of one hundred to make the comparison convenient. Determining the preset abnormal threshold is a key step and needs to be adjusted and optimized for the actual scenario and requirements. In addition, as traffic data changes and new anomalies appear, the preset abnormal threshold may also need to be updated and adjusted periodically to keep the abnormal traffic detection model effective.

In some embodiments, when the traffic abnormal value is greater than the preset abnormal threshold, the preprocessed traffic characteristic data is determined to be abnormal traffic data. For example, suppose the preprocessed traffic characteristic data is 92 Mbps and the upper threshold of the preset threshold is 3.9, which becomes 0.039 after being reduced by a factor of one hundred. The traffic abnormal value is compared with the preset abnormal threshold; if the traffic abnormal value is greater than the reduced upper threshold (0.048 > 0.039), the data is determined to be abnormal traffic data.

In some embodiments, when abnormal traffic data is detected, the system administrator or other relevant personnel can be notified by sending warning information to the control center, so that measures can be taken in time to handle the abnormal situation and prevent possible network problems or security threats. The warning information can be sent in various ways, such as e-mail, text message or instant messaging tools, which are not limited here. Sending warning information allows abnormal traffic to be discovered and handled promptly, ensuring the stability and security of the network; timely warnings also help reduce potential impact and loss.

It should be noted that detecting on traffic data, as in the above embodiments, provides a more comprehensive analysis, which distinguishes normal traffic data from abnormal traffic data and allows a more precise judgment, improving accuracy and reducing the false alarm rate. Standardizing the traffic data maps it into a fixed range. The traffic characteristic correlation matrix helps to strengthen the correlation between the individual features in the traffic data. Mapping the standard traffic data onto the traffic characteristics converts higher-dimensional standard traffic data into lower-dimensional preprocessed traffic characteristic data while retaining the key features of the standard traffic data as far as possible. The abnormal traffic detection model produces the traffic abnormal value, which is compared with the preset threshold to reach a decision. Compared with traditional detection methods based on rules or behavior patterns, detection on traffic data captures more detail and change, which improves the accuracy of network information security detection results and reduces the false alarm rate.
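The pipeline summarized above (min-max standardization, correlation matrix, eigenvalue decomposition, projection, mean and standard deviation, threshold check), in Python. This is an added example, not code from the patent, and the traffic windows in it are constructed. The min-max and ψ formulas are written in their usual forms because the page does not reproduce them, and since ω(x) is likewise not reproduced, the example applies the mean ± two standard deviation bounds directly to the projected feature value.

```python
import math
import statistics

# Constructed baseline windows: (rate_mbps, kilo_packets_per_s, open_connections).
HISTORY = [
    (40, 5.0, 110), (42, 5.2, 118), (45, 5.6, 121), (47, 5.9, 130),
    (50, 6.2, 135), (52, 6.4, 142), (55, 6.9, 149), (57, 7.1, 155),
    (60, 7.5, 160), (44, 5.5, 125), (53, 6.6, 140), (58, 7.2, 158),
]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def matvec(m, v):
    return [dot(row, v) for row in m]


def fit_min_max(rows):
    """Per-feature minimum and range; assumed form X_s = (X - X_min) / (X_max - X_min)."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]  # constant feature maps to 0
    return lo, span


def normalize(row, lo, span):
    return [(v - l) / s for v, l, s in zip(row, lo, span)]


def correlation_matrix(rows):
    """Assumed form: psi = (1/n) * (phi - mu)^T (phi - mu)."""
    n, d = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    centered = [[r[j] - mu[j] for j in range(d)] for r in rows]
    return [[sum(c[i] * c[j] for c in centered) / n for j in range(d)]
            for i in range(d)]


def top_eigenpairs(psi, k, iters=500):
    """k largest (eigenvalue, unit eigenvector) pairs of a symmetric PSD matrix,
    found by power iteration with deflation, so they come out sorted by size."""
    d = len(psi)
    m = [row[:] for row in psi]
    pairs = []
    for _ in range(k):
        v = [1.0 + i for i in range(d)]
        scale = math.sqrt(dot(v, v))
        v = [x / scale for x in v]
        for _ in range(iters):
            w = matvec(m, v)
            norm = math.sqrt(dot(w, w))
            if norm < 1e-12:      # nothing left to extract in this direction
                break
            v = [x / norm for x in w]
        alpha = dot(v, matvec(m, v))
        pairs.append((alpha, v))
        for i in range(d):        # deflate: remove the component just found
            for j in range(d):
                m[i][j] -= alpha * v[i] * v[j]
    return pairs


def fit(history, k=1, n_sigma=2.0):
    """Learn the scaling, the top-k feature vectors and per-component bounds."""
    lo, span = fit_min_max(history)
    std_rows = [normalize(r, lo, span) for r in history]
    psi = correlation_matrix(std_rows)
    pairs = top_eigenpairs(psi, k)
    bounds = []
    for _, beta in pairs:
        projected = [dot(r, beta) for r in std_rows]
        tau = statistics.fmean(projected)
        lam = statistics.pstdev(projected)
        bounds.append((tau - n_sigma * lam, tau + n_sigma * lam))
    return {"lo": lo, "span": span, "psi": psi, "pairs": pairs, "bounds": bounds}


def is_anomalous(model, row):
    """True when any projected component leaves its mean +/- n_sigma*std band."""
    x = normalize(row, model["lo"], model["span"])
    for (_, beta), (low, high) in zip(model["pairs"], model["bounds"]):
        if not low <= dot(x, beta) <= high:
            return True
    return False


if __name__ == "__main__":
    model = fit(HISTORY)
    for window in [(51, 6.3, 138), (92, 11.0, 300)]:  # constructed new windows
        verdict = "ALERT" if is_anomalous(model, window) else "ok"
        print(window, verdict)
```

Fit the baseline on traffic known to be clean: anomalous windows left in the history inflate λ and widen the band, so later anomalies of the same size pass unflagged.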

In addition, in some embodiments, refer to Figure 2, which is a schematic diagram of exemplary hardware and/or software of an intelligent detection device for network information security according to some embodiments of the present application. The intelligent detection device 200 for network information security of this embodiment may include a standard traffic data determination module 201, a preprocessed traffic characteristic data determination module 202, a traffic abnormal value determination module 203 and a warning module 204, described as follows:

Standard traffic data determination module 201. In this application, the standard traffic data determination module 201 is mainly used to collect traffic data in network information and standardize the collected traffic data to obtain standard traffic data;

Preprocessed traffic characteristic data determination module 202. In this application, the preprocessed traffic characteristic data determination module 202 is mainly used to construct a traffic characteristic correlation matrix from the standard traffic data, perform eigenvalue decomposition on the traffic characteristic correlation matrix to obtain traffic characteristic vectors and traffic characteristic values, select traffic characteristic vectors as traffic characteristics according to the traffic characteristic values, and map the standard traffic data onto the traffic characteristics to obtain preprocessed traffic characteristic data;

Traffic abnormal value determination module 203. In this application, the traffic abnormal value determination module 203 is mainly used to calculate the standard deviation and the mean of the preprocessed traffic characteristic data, determine the abnormal traffic detection model from the standard deviation and the mean, and check the preprocessed traffic characteristic data with the abnormal traffic detection model to obtain the traffic abnormal value;

Warning module 204. In this application, the warning module 204 is mainly used to determine that the preprocessed traffic characteristic data is abnormal traffic data when the traffic abnormal value is greater than the preset abnormal threshold, and to send warning information to the control center when abnormal traffic data is detected.

In some embodiments, the present application also provides a computer device comprising a memory and a processor; the memory stores code, and the processor is configured to obtain the code and execute the above intelligent detection method for network information security.

In some embodiments, refer to Figure 3, which is a schematic structural diagram of a computer device for the intelligent detection method for network information security provided by an embodiment of the present application. The intelligent detection method for network information security in the above embodiments can be implemented by the computer device shown in Figure 3. The computer device 300 includes at least one processor 301, a communication bus 302, a memory 303 and at least one communication interface 304.

The processor 301 may be a general-purpose central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more used to control the execution of the intelligent detection method for network information security in this application.

The communication bus 302 may include a path that carries information between the above components.

The memory 303 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory 303 may exist independently and be connected to the processor 301 through the communication bus 302. The memory 303 may also be integrated with the processor 301.

The memory 303 is used to store the program code that executes the solution of this application, and execution is controlled by the processor 301. The processor 301 is used to execute the program code stored in the memory 303. The program code may include one or more software modules. The intelligent detection method for network information security in the above embodiments can be implemented by the processor 301 and one or more software modules in the program code in the memory 303.

The communication interface 304 uses any transceiver-type device to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN) or wireless local area networks (WLAN).

In a specific implementation, as one embodiment, the computer device may include multiple processors, each of which may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).

The above computer device may be a general-purpose computer device or a special-purpose computer device. In a specific implementation, the computer device may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device or an embedded device. The embodiments of this application do not limit the type of computer device.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.

For example, in some embodiments, the present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above intelligent detection method for network information security.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It will be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operating steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.

Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (10)

1. An intelligent detection method for network information security, characterized by comprising the following steps:
collecting flow data in network information, and carrying out standardized processing on the collected flow data to obtain standard flow data;
constructing a flow characteristic correlation matrix according to the standard flow data, decomposing a characteristic value of the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value, selecting the flow characteristic vector as a flow characteristic according to the flow characteristic value, and mapping the standard flow data to the flow characteristic to obtain preprocessed flow characteristic data;
calculating the preprocessed flow characteristic data to obtain standard deviation and average value, determining an abnormal flow detection model according to the standard deviation and the average value, and detecting the preprocessed flow characteristic data through the abnormal flow detection model to obtain a flow abnormal value;
when the abnormal flow value is larger than a preset abnormal threshold value, judging that the preprocessed flow characteristic data is abnormal flow data, and when the abnormal flow data is detected, sending warning information to a control center.
2. The method of claim 1, wherein the normalizing the collected flow data to obtain standard flow data specifically comprises:
determining a maximum value and a minimum value of flow data by traversing the flow data;
and carrying out standardization processing on the flow data according to the maximum value and the minimum value to obtain standard flow data, wherein the standard flow data is determined according to the following formula:
wherein X_s represents the standard flow data after standardized processing, X represents the flow data, X_max represents the maximum value of the flow data, and X_min represents the minimum value of the flow data.
3. The method of claim 1, wherein constructing a flow characteristic correlation matrix from the standard flow data comprises:
determining the number n and the mean μ of the standard flow data;
determining a matrix φ of the standard flow data;
constructing a flow characteristic correlation matrix according to the number n and the mean μ of the standard flow data and the matrix φ of the standard flow data, wherein the flow characteristic correlation matrix is determined according to the following formula:
wherein ψ represents the flow characteristic correlation matrix, n represents the number of standard flow data, φ represents the matrix of standard flow data, μ represents the mean of the standard flow data, and (φ-μ)^T represents the transpose of the matrix.
4. The method of claim 1, wherein performing eigenvalue decomposition on the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value specifically comprises:
obtaining a flow characteristic value sequence according to a solution equation of the flow characteristic value, wherein the solution equation of the flow characteristic value is determined by the following formula:
|ψ-αθ|=0
wherein ψ represents the flow characteristic correlation matrix, α represents a flow characteristic value, and θ represents the identity matrix;
and determining a flow characteristic vector through the flow characteristic value sequence, wherein a solution equation of the flow characteristic vector is determined by the following formula:
|ψ-α_i θ|β_i=0
wherein ψ represents the flow characteristic correlation matrix, α_i represents the i-th flow characteristic value in the flow characteristic value sequence, θ represents the identity matrix, and β_i represents the flow characteristic vector corresponding to α_i.
5. The method of claim 1 wherein the flow feature values are ranked by size and a flow feature vector is selected as a flow feature from the ranked flow feature values according to a predetermined dimension.
6. The method of claim 1, wherein mapping the standard flow data onto the flow characteristics to obtain pre-processed flow characteristic data comprises:
multiplying a matrix formed by standard flow data by a matrix formed by flow characteristics to obtain a preprocessed flow characteristic matrix;
and determining preprocessing flow characteristic data according to the preprocessing flow characteristic matrix.
7. The method of claim 1, wherein the predetermined anomaly threshold value is determined by historical data analysis of anomaly traffic.
8. An intelligent detection device for network information security, characterized by comprising:
the standard flow data determining module is used for collecting flow data in the network information and carrying out standardized processing on the collected flow data to obtain standard flow data;
the preprocessing flow characteristic data determining module is used for constructing a flow characteristic correlation matrix according to the standard flow data, decomposing the characteristic value of the flow characteristic correlation matrix to obtain a flow characteristic vector and a flow characteristic value, selecting the flow characteristic vector as a flow characteristic according to the flow characteristic value, and mapping the standard flow data to the flow characteristic to obtain preprocessing flow characteristic data;
the flow abnormal value determining module is used for calculating the preprocessed flow characteristic data to obtain standard deviation and average value, determining an abnormal flow detection model according to the standard deviation and the average value, and detecting the preprocessed flow characteristic data through the abnormal flow detection model to obtain a flow abnormal value;
and the warning module is used for judging that the preprocessed flow characteristic data is abnormal flow data when the flow abnormal value is larger than a preset abnormal threshold value, and sending warning information to the control center when the abnormal flow data is detected.
9. A computer device comprising a memory storing code and a processor configured to obtain the code and to perform the network information security intelligent detection method of any of claims 1 to 7.
10. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the network information security intelligent detection method according to any one of claims 1 to 7.
CN202310809816.8A 2023-07-04 2023-07-04 Intelligent detection method and device for network information security Withdrawn CN116760747A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202310809816.8A CN116760747A (en) 2023-07-04 2023-07-04 Intelligent detection method and device for network information security
ZA2024/01702A ZA202401702B (en) 2023-07-04 2024-02-28 Intelligent detection method and device for network information security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310809816.8A CN116760747A (en) 2023-07-04 2023-07-04 Intelligent detection method and device for network information security

Publications (1)

Publication Number Publication Date
CN116760747A true CN116760747A (en) 2023-09-15

Family

ID=87957005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310809816.8A Withdrawn CN116760747A (en) 2023-07-04 2023-07-04 Intelligent detection method and device for network information security

Country Status (2)

Country Link
CN (1) CN116760747A (en)
ZA (1) ZA202401702B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119832087A (en) * 2024-12-23 2025-04-15 甘肃天立恒智电子科技有限公司 A data perception intelligent processing method for low-altitude aircraft
CN120750417A (en) * 2025-08-06 2025-10-03 深圳市光网世纪科技有限公司 Method, device, equipment and medium for detecting abnormal flow of optical fiber network

Also Published As

Publication number Publication date
ZA202401702B (en) 2024-09-25

Similar Documents

Publication Publication Date Title
CN111262722B (en) Safety monitoring method for industrial control system network
CN115514627B (en) Fault root cause positioning method and device, electronic equipment and readable storage medium
EP3465515B1 (en) Classifying transactions at network accessible storage
CN105577685A (en) Autonomous analysis intrusion detection method and system in cloud computing environment
CN116760747A (en) Intelligent detection method and device for network information security
CN112532435B (en) Operation and maintenance method, operation and maintenance management platform, equipment and medium
CN111897705A (en) Service state processing method, service state processing device, model training method, model training device, equipment and storage medium
CN110677271B (en) Big data alarm method, device, equipment and storage medium based on ELK
CN116366374A (en) Security assessment method, system and medium for power grid network management based on big data
CN113656452A (en) Method and device for detecting abnormal index of call chain, electronic equipment and storage medium
CN116628554A (en) A method, system and device for detecting anomalies in industrial Internet data
CN115561546A (en) Abnormity detection and alarm system for power system
CN118114038A (en) Abnormal behavior detection model training method and abnormal behavior detection method
CN115114124A (en) Host risk assessment method and assessment device
CN120498901B (en) Method, device, equipment and storage medium for identifying abnormal nodes of computing power network
CN117914547A (en) Security situation awareness processing method, system and device with built-in data processing unit
CN117609862A (en) A method, device, equipment and medium for determining the abnormality level of power grid data
CN110830504A (en) A kind of network intrusion behavior detection method and system
CN115686756A (en) Virtual machine migration method and device, storage medium and electronic equipment
CN119628963B (en) A method and system for monitoring cybersecurity threats based on artificial intelligence
CN119544352A (en) Virtual power plant data attack detection method and system based on improved binary tree group
CN119383006A (en) Abnormal network traffic detection method and related hardware
CN119906557A (en) Method, device and equipment for dynamically adjusting network security rule threshold data
CN117149486B (en) Alarm and root cause positioning method, model training method, device, equipment and medium
Hairuman et al. Evaluation of machine learning techniques for anomaly detection on hourly basis kpi

Legal Events

Date Code Title Description
PB01 Publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20230915