CN120263505A - Traffic anomaly detection and network security reinforcement method for full data center - Google Patents
- Publication number: CN120263505A
- Application number: CN202510510578.XA
- Authority: CN (China)
- Prior art keywords: network, traffic, time, attack, generate
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
(H: Electricity › H04: Electric communication technique › H04L: Transmission of digital information, e.g. telegraphic communication; G: Physics › G06: Computing or calculating; counting › G06F: Electric digital data processing)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/00 network architectures or protocols for network security › H04L63/14 detecting or protecting against malicious traffic › H04L63/1408 by monitoring network traffic)
- G06F18/214: Generating training patterns; bootstrap methods, e.g. bagging or boosting (under G06F18/00 pattern recognition › G06F18/20 analysing › G06F18/21 design or setup of recognition systems or techniques; extraction of features in feature space; blind source separation)
- G06F18/23: Clustering techniques (under G06F18/00 pattern recognition › G06F18/20 analysing)
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408 monitoring network traffic)
- H04L63/1441: Countermeasures against malicious traffic (under H04L63/14)
- H04L69/22: Parsing or analysis of headers (under H04L69/00 network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
- H04L9/40: Network security protocols (under H04L9/00 cryptographic mechanisms or cryptographic arrangements for secret or secure communications)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Evolutionary Computation (AREA)
- Evolutionary Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Computational Biology (AREA)
- Artificial Intelligence (AREA)
- Life Sciences & Earth Sciences (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a traffic anomaly detection and network security reinforcement method for a full-volume data center, comprising the following steps: the full network traffic is collected in real time, a multidimensional time-series model is built from the characteristics of historical attack chains, and attack chains are accurately identified and actively blocked by combining a dynamic judgment threshold with analysis of their spatio-temporal distribution. The method analyses traffic in real time to generate an attack-chain feature sequence, performs clustering and association analysis with the multidimensional time-series model, dynamically adjusts the monitoring density to focus on high-risk areas, generates threat-blocking instructions and executes network isolation. It addresses the high missed-detection rate for attack chains, the resource contention and the weak dynamic defense capability that result from the reliance of conventional schemes on static rules and fixed thresholds; it overcomes the poor perception of complex attack chains in conventional technology, markedly reduces the false-alarm and false-blocking rates, preserves service continuity through dynamic resource scheduling, and is suited to the real-time security protection of large-scale data centers.
Description
Technical Field
The invention relates to the technical field of network security early warning, and in particular to a traffic anomaly detection and network security reinforcement method for a full-volume data center.
Background
With the rapid development of cloud computing and big data technology, the network scale and business complexity of modern data centers have grown exponentially. Massive east-west traffic, diverse protocol types and highly covert APT attacks confront traditional network security protection systems with serious challenges. Against this background, anomaly detection and dynamic defense over the full network traffic have become a core requirement for the secure operation of a data center. Existing solutions typically identify threats by matching known attack signatures, based on traffic-threshold decisions or a predefined rule base. Faced with TB-scale real-time traffic and continuously evolving attack techniques, however, such methods show increasing limitations in detection efficiency, behavioral association analysis and dynamic resource scheduling.
Detection schemes based on static rules or statistical thresholds have clear defects. First, a predefined rule base can hardly cover the hidden behavioral associations of a multi-stage attack chain, so the missed-report rate for APT attacks is high. Second, processing massive traffic consumes large amounts of computing resources and easily contends with business services for them, affecting system stability. Third, such schemes lack dynamic perception of the spatio-temporal distribution of abnormal behavior, so monitoring strategies are hard to adjust in time. In particular, against novel attacks such as low-rate penetration and data exfiltration over encrypted channels, traditional methods cannot block effectively before the attack spreads.
Disclosure of Invention
Based on the above, the invention aims to provide a traffic anomaly detection and network security reinforcement method for a full-volume data center that achieves efficient attack-chain identification, dynamic resource optimization and service continuity.
The invention adopts the following scheme:
In a first aspect, the present invention provides a traffic anomaly detection and network security reinforcement method for a full-volume data center, including the following steps:
S1, collecting the full network traffic from the network side in real time, preprocessing it and extracting a feature sequence to generate a real-time attack-chain feature sequence;
S2, constructing a multidimensional time-series model based on a pre-stored historical attack-chain feature sequence, inputting the real-time attack-chain feature sequence into the model for processing, and generating an abnormal-behavior judgment result;
S3, identifying whether the abnormal-behavior judgment result exceeds a dynamic judgment threshold and, if so, performing parallel computation over the full network traffic to generate abnormal spatio-temporal distribution features, where the dynamic judgment threshold indicates the boundary between normal and abnormal behavior;
S4, adjusting the monitoring density of the relevant network areas based on the abnormal spatio-temporal distribution features, and generating traffic anomaly points for the high-risk areas;
S5, performing real-time traffic feature extraction and online detection on the traffic anomaly points of the high-risk areas to generate threat-blocking instructions;
S6, executing network isolation of the abnormal traffic based on the threat-blocking instructions, and generating a network security reinforcement result from the fed-back isolation result.
In one embodiment, S1 of the traffic anomaly detection and network security reinforcement method for a full-volume data center provided by the invention specifically includes the following steps:
S11, acquiring the full network traffic in real time through traffic collection devices deployed at network nodes, and preprocessing it to generate a raw network packet data stream;
S12, performing protocol parsing on the raw network packet data stream and extracting protocol metadata including source address, destination port and session timing;
S13, performing segmented statistics on the protocol metadata with a sliding window to generate the attack-chain feature sequence.
In one embodiment, S2 of the traffic anomaly detection and network security reinforcement method for a full-volume data center specifically includes the following steps:
S21, transforming the pre-stored historical attack-chain feature sequences to generate a spatio-temporal matrix containing time-window statistics and network-location aggregation information;
S22, grouping and anomaly identification on the spatio-temporal matrix with a clustering algorithm, to obtain an anomaly data set;
S23, evolution analysis of the anomaly data set with a temporal association-rule mining algorithm, to generate the multidimensional time-series model;
S24, inputting the real-time attack-chain feature sequence into the multidimensional time-series model for analysis, to generate attack analysis data;
S25, clustering and association analysis of the attack analysis data, to generate the abnormal-behavior judgment result.
In one embodiment, S4 of the traffic anomaly detection and network security reinforcement method for a full-volume data center specifically includes the following steps:
S41, based on the abnormal spatio-temporal distribution features, raising the collection rate for the traffic of network areas in which anomaly diffusion behavior is detected, to generate adjusted network-area traffic data;
S42, steering the adjusted network-area traffic data to dedicated analysis nodes with software-defined networking (SDN), to generate dedicated-analysis-node traffic;
S43, performing complete protocol parsing on the dedicated-analysis-node traffic, to generate the high-risk-area traffic anomaly points.
In one embodiment, S5 of the traffic anomaly detection and network security reinforcement method for a full-volume data center provided by the invention specifically includes the following steps:
S51, performing real-time feature extraction on the traffic corresponding to the high-risk-area traffic anomaly points, to obtain real-time traffic features including connection rate and protocol violations;
S52, feeding the real-time traffic features to the multidimensional time-series model for online detection, to generate an attack association relationship, which indicates the continuity relationship between the successively activated stages of the attack on the traffic;
S53, generating the threat-blocking instruction based on the attack association relationship.
In a second aspect, the present invention provides a traffic anomaly detection and network security reinforcement system for a full-volume data center, including:
a data acquisition and processing module, for collecting the full network traffic from the network side in real time, preprocessing it and extracting a feature sequence to generate a real-time attack-chain feature sequence;
a model construction and processing module, for constructing a multidimensional time-series model based on a pre-stored historical attack-chain feature sequence, inputting the real-time attack-chain feature sequence into the model for processing, and generating an abnormal-behavior judgment result;
an anomaly identification module, for identifying whether the abnormal-behavior judgment result exceeds a dynamic judgment threshold and, if so, performing parallel computation over the full network traffic to generate abnormal spatio-temporal distribution features, the dynamic judgment threshold indicating the boundary between normal and abnormal behavior;
a high-risk detection module, for adjusting the monitoring density of the relevant network areas based on the abnormal spatio-temporal distribution features and generating traffic anomaly points for the high-risk areas;
a threat blocking module, for extracting real-time traffic features from the high-risk-area traffic anomaly points and performing online detection to generate threat-blocking instructions;
an instruction execution and security reinforcement module, for executing network isolation of the abnormal traffic based on the threat-blocking instructions and generating a network security reinforcement result from the fed-back isolation result.
In a third aspect, the present application provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements any one of the above-mentioned traffic anomaly detection and network security reinforcement methods for a full-volume data center when executing the computer program.
In a fourth aspect, the present application provides a computer readable storage medium, on which a computer program is stored, where the computer program when executed by a processor implements any one of the above-mentioned traffic anomaly detection and network security reinforcement methods for a full-volume data center.
In summary, the traffic anomaly detection and network security reinforcement method for a full-volume data center provided by the invention collects and processes the full network traffic in real time and combines a multidimensional time-series model with a dynamic judgment threshold to detect abnormal behavior and potential threats in the network rapidly and accurately and to take isolation and reinforcement measures in time. Through this step-by-step flow the method improves the real-time performance, accuracy and flexibility of network security protection, reduces the probability and scope of network security incidents, and safeguards the stable operation of the network system and the security of its data. At the same time, parallel computation, monitoring-density adjustment and other measures optimize resource utilization and improve the processing efficiency and scalability of the system, making it suitable for security protection in large-scale, complex network environments.
For a better understanding and implementation, the present invention is described in detail below with reference to the drawings.
Drawings
Fig. 1 is a flow chart of the traffic anomaly detection and network security reinforcement method for a full-volume data center provided by an embodiment of the application;
Fig. 2 is a schematic flow chart of generating the abnormal-behavior judgment result according to an embodiment of the application;
Fig. 3 is a schematic structural diagram of the traffic anomaly detection and network security reinforcement system for a full-volume data center according to another embodiment of the application.
Detailed Description
In order that the invention may be readily understood, a more complete description of the invention will be rendered by reference to the appended drawings. Preferred embodiments of the present invention are shown in the drawings. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
In one embodiment, as shown in fig. 1, a traffic anomaly detection and network security reinforcement method for a full-volume data center is provided, and this embodiment is illustrated by applying the method to a terminal, where it can be understood that the method may also be applied to a server, and may also be applied to a system including a terminal and a server, and implemented through interaction between the terminal and the server. In this embodiment, the method includes the steps of:
S1, collecting the full network traffic from the network side in real time, preprocessing it and extracting a feature sequence to generate a real-time attack-chain feature sequence.
Specifically, network sniffing and packet-capture tools can be used to collect the full network traffic of the network side in real time. Distributed traffic-collection probes are deployed at key nodes of the data center, including the core switches and the ingress of the server clusters, so that every network link entering and leaving the data center is covered and the full packets are monitored without blind spots from the network layer through the transport layer to the application layer. The probes are attached to the network through bypass (port-mirror) links, so they do not interfere with normal business traffic; at the same time they support line-rate packet capture, with the aim of no packet loss at TB-scale traffic peaks.
After collection, the system performs preliminary processing on the raw traffic data: data cleaning to remove duplicate and malformed packets, normalization of packet representations that arrive in different formats, and, optionally, Deep Packet Inspection (DPI) of the packet payload to extract key feature fields such as source IP, destination IP, port number, protocol type and payload keywords. The feature fields are then reduced in dimension with a machine-learning algorithm, redundant information is removed and the most representative feature dimensions are kept to build the real-time attack-chain feature sequence. The sequence is ordered in time, reflects how the behavior pattern of the network traffic evolves, and provides fine-grained feature input for the subsequent anomaly detection.
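As an added illustration (not code from the patent), the following Python sketch implements the S11 to S13 pipeline over constructed flow metadata: exact duplicates and invalid records are dropped, the records are grouped into overlapping sliding windows, and per-source statistics are emitted as the time-ordered attack-chain feature sequence. The window size and step, the feature names and the sample records are assumptions made for this example; a real deployment would feed the per-connection records from the probes' protocol parser.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """Protocol metadata kept per observed connection (the S12 output)."""
    ts: float        # seconds since capture start
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


# Constructed sample, not captured data: 10.0.0.5 probes eight ports on one
# host within ten seconds; 10.0.0.8 is an ordinary HTTPS client. One record
# is duplicated on purpose to exercise the cleaning step.
SAMPLE = [
    FlowRecord(0.0, "10.0.0.5", "10.0.1.10", 21, "tcp", 60),
    FlowRecord(1.0, "10.0.0.5", "10.0.1.10", 22, "tcp", 60),
    FlowRecord(1.0, "10.0.0.8", "10.0.1.20", 443, "tcp", 1500),
    FlowRecord(2.0, "10.0.0.5", "10.0.1.10", 23, "tcp", 60),
    FlowRecord(3.0, "10.0.0.5", "10.0.1.10", 25, "tcp", 60),
    FlowRecord(4.0, "10.0.0.5", "10.0.1.10", 80, "tcp", 60),
    FlowRecord(4.0, "10.0.0.8", "10.0.1.20", 443, "tcp", 1500),
    FlowRecord(5.0, "10.0.0.5", "10.0.1.10", 443, "tcp", 60),
    FlowRecord(6.0, "10.0.0.5", "10.0.1.10", 3306, "tcp", 60),
    FlowRecord(7.0, "10.0.0.5", "10.0.1.10", 8080, "tcp", 60),
    FlowRecord(7.0, "10.0.0.5", "10.0.1.10", 8080, "tcp", 60),   # duplicate packet
    FlowRecord(8.5, "10.0.0.8", "10.0.1.20", 443, "tcp", 1500),
    FlowRecord(12.0, "10.0.0.8", "10.0.1.20", 443, "tcp", 1500),
]


def clean(records):
    """Drop exact duplicates and records that cannot be valid (S11 preprocessing)."""
    seen, out = set(), []
    for r in records:
        if r in seen or r.nbytes <= 0 or not 0 < r.dst_port < 65536:
            continue
        seen.add(r)
        out.append(r)
    return sorted(out, key=lambda r: r.ts)


def sliding_windows(records, size, step):
    """Yield (window_start, records_in_window) for windows of `size` seconds every `step` seconds."""
    if not records:
        return
    start, last = records[0].ts, records[-1].ts
    while start <= last:
        yield start, [r for r in records if start <= r.ts < start + size]
        start += step


def window_features(window):
    """Per-source statistics for one window: the attack-chain feature vector (S13)."""
    by_src = defaultdict(list)
    for r in window:
        by_src[r.src_ip].append(r)
    feats = {}
    for src, rs in by_src.items():
        hosts = {r.dst_ip for r in rs}
        ports = {r.dst_port for r in rs}
        feats[src] = {
            "conns": len(rs),
            "dst_hosts": len(hosts),
            "dst_ports": len(ports),
            "bytes": sum(r.nbytes for r in rs),
            # many ports on few hosts with tiny payloads is the shape of a scan
            "ports_per_host": len(ports) / len(hosts),
        }
    return feats


def feature_sequence(records, size=10.0, step=5.0):
    """Time-ordered list of (window_start, {src_ip: features}) built from raw records."""
    cleaned = clean(records)
    return [(start, window_features(w)) for start, w in sliding_windows(cleaned, size, step)]


if __name__ == "__main__":
    for start, feats in feature_sequence(SAMPLE):
        print(f"window t={start:>5.1f}s", feats)
```

Overlapping windows (step smaller than size) are what make a slow scan visible: a probe every few seconds never looks unusual inside a single window, but the `dst_ports` count accumulates across the overlap. The per-source dictionaries are the vectors the time-series model consumes in S2.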
S2, constructing a multidimensional time-series model based on a pre-stored historical attack-chain feature sequence, inputting the real-time attack-chain feature sequence into the model for processing, and generating an abnormal-behavior judgment result.
Specifically, the pre-stored historical attack-chain feature sequences may be kept in a high-performance distributed database with mass storage and fast retrieval. By collecting and curating a large number of historical attack cases, the feature sequences cover many types of network attack, such as DDoS attacks, APT attacks and webshell intrusions. The historical data are analysed in depth to mine the commonalities and differences among attack types in their feature sequences, providing data support for model construction, and a multidimensional time-series model is built with a recurrent neural network architecture such as a long short-term memory network (LSTM) or a gated recurrent unit (GRU). Taking the historical attack-chain feature sequences as input, the model is trained to learn how normal and abnormal network behavior evolves in the time dimension and to capture the correlations and dynamic trends among the feature dimensions. During training, the model's ability to fit complex attack patterns is improved by tuning hyperparameters and optimizing the loss function, so that it provides a high-precision basis for anomaly detection.
Once the multidimensional time-series model is built, the system feeds the real-time attack-chain feature sequence produced by preprocessing into the trained model. The model analyses the real-time sequence according to the learned rules and outputs an abnormal-behavior judgment result, presented as a probability or anomaly score, which directly reflects how far the current traffic behavior deviates from the normal pattern and gives a quantitative basis for the subsequent threshold comparison and further processing.
S3, identifying whether the abnormal-behavior judgment result exceeds a dynamic judgment threshold and, if so, performing parallel computation over the full network traffic to generate abnormal spatio-temporal distribution features, where the dynamic judgment threshold indicates the boundary between normal and abnormal behavior.
Specifically, the dynamic judgment threshold is not fixed but is adjusted according to the real-time state of the network traffic and the historical statistics. The initial threshold is determined from the statistical distribution of a large amount of historical normal traffic; as the network environment changes, the system continuously monitors overall traffic characteristics, such as the peak, trough and mean values and the changing proportions of traffic per protocol type. When obvious fluctuations are observed, such as a sudden burst of high-volume access or abnormal growth of a particular protocol's traffic, the judgment threshold is raised or lowered according to preset adjustment rules, so that normal and abnormal behavior can always be separated accurately in a complex and changing network environment.
Specifically, if the system judges that the real-time attack-chain feature sequence exceeds the dynamic judgment threshold, that is, abnormal behavior is confirmed, it immediately starts parallel computation over the full network traffic. The parallel computation uses a large-scale distributed computing framework such as Apache Spark: the full traffic data are divided into sub-data sets according to a preset partitioning strategy and distributed to different computing nodes for parallel processing. Each computing node applies a specific traffic-analysis algorithm to mine the traffic from a different angle and extract abnormal spatio-temporal distribution features. For example, some nodes analyse how the regional distribution of traffic changes across time windows to identify whether an attack is concentrated on a specific area, while others focus on traffic fluctuations of a specific port or service to find abnormal connection patterns. Parallel computation greatly improves the processing efficiency for massive traffic data, so that feature extraction and analysis over the whole data set can be completed in a short time.
After feature extraction and analysis are complete, the system merges the results of all computing nodes into integrated abnormal spatio-temporal distribution features. These features describe the distribution of the abnormal behavior in the time and space dimensions, including the origin, destination, active time interval and frequency pattern of the abnormal traffic. For example, a distributed denial-of-service (DDoS) attack may appear as IP addresses from many different regions initiating high-frequency connection requests to a particular server port within a short time, with the request traffic surging. Describing these features precisely provides a detailed basis for the subsequent adjustment of network-area monitoring density and helps to target the defensive measures.
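The scoring, dynamic threshold and partitioned spatio-temporal analysis of S2 and S3 can be illustrated with the following Python example, which is added here and is not part of the patent. A per-dimension z-score baseline stands in for the LSTM/GRU model (the threshold logic is independent of which model produces the score), a thread pool stands in for the Spark partitions, and the history vectors, region map, surge rule and anomalous events are constructed for the example.

```python
import math
from collections import Counter, defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed baseline of normal per-window feature vectors for one source:
# (connections, distinct destination ports, kilobytes). Not measured data.
HISTORY = [(3, 1, 4.5), (4, 1, 6.0), (2, 1, 3.0), (5, 2, 7.5),
           (3, 1, 4.5), (4, 1, 6.0), (3, 2, 4.5), (2, 1, 3.0)]


def fit_baseline(history):
    """Per-dimension mean and standard deviation of normal behaviour (model stand-in)."""
    n, dims = len(history), len(history[0])
    means = [sum(v[i] for v in history) / n for i in range(dims)]
    stds = [math.sqrt(sum((v[i] - means[i]) ** 2 for v in history) / n) or 1.0
            for i in range(dims)]
    return means, stds


def anomaly_score(vec, baseline):
    """Largest standardized deviation across feature dimensions: the 'judgment result'."""
    means, stds = baseline
    return max((v - m) / s for v, m, s in zip(vec, means, stds))


class DynamicThreshold:
    """Decision boundary that follows the traffic level instead of staying fixed.

    Preset rule used here: when a window's volume exceeds `surge_factor` times
    its exponentially weighted average, the boundary is relaxed by `surge_relax`
    (a bounded factor, so a volumetric attack cannot push it arbitrarily high);
    otherwise the base boundary applies.
    """

    def __init__(self, base=3.0, alpha=0.2, surge_factor=2.0, surge_relax=1.5):
        self.base, self.alpha = base, alpha
        self.surge_factor, self.surge_relax = surge_factor, surge_relax
        self.ewma_volume = None

    def current(self, volume):
        """Threshold for this window; also advances the volume baseline."""
        if self.ewma_volume is None:
            self.ewma_volume = volume
            return self.base
        surge = volume > self.surge_factor * self.ewma_volume
        self.ewma_volume = self.alpha * volume + (1 - self.alpha) * self.ewma_volume
        return self.base * self.surge_relax if surge else self.base


# Region lookup by address prefix; a constructed stand-in for the topology database.
REGION_OF = {"10.0.0.": "rack-A", "10.0.1.": "rack-B", "192.168.5.": "dmz"}


def region(ip):
    return next((name for p, name in REGION_OF.items() if ip.startswith(p)), "unknown")


def summarize_partition(events):
    """Spatio-temporal summary of one region's anomalous events (ts, src, dst, dst_port)."""
    ts = [e[0] for e in events]
    return {"first_seen": min(ts), "last_seen": max(ts), "conns": len(events),
            "sources": len({e[1] for e in events}),
            "top_port": Counter(e[3] for e in events).most_common(1)[0][0]}


def spatio_temporal_features(events, workers=4):
    """Partition events by source region and summarize the partitions in parallel."""
    parts = defaultdict(list)
    for e in events:
        parts[region(e[1])].append(e)
    with ThreadPoolExecutor(max_workers=workers) as ex:   # plays the Spark partitions
        return dict(zip(parts, ex.map(summarize_partition, parts.values())))


def high_risk_regions(features, share=0.5):
    """Regions carrying at least `share` of all anomalous connections."""
    total = sum(f["conns"] for f in features.values()) or 1
    return sorted(r for r, f in features.items() if f["conns"] / total >= share)


# Constructed anomalous events observed after a threshold breach.
EVENTS = [(100.0, "10.0.0.5", "10.0.1.10", 443), (100.5, "10.0.0.7", "10.0.1.10", 443),
          (101.0, "10.0.0.5", "10.0.1.10", 443), (101.5, "10.0.0.7", "10.0.1.10", 443),
          (102.0, "10.0.0.5", "10.0.1.10", 443), (102.5, "10.0.0.7", "10.0.1.10", 8443),
          (103.0, "192.168.5.9", "10.0.1.10", 443), (104.0, "192.168.5.9", "10.0.1.10", 443)]

if __name__ == "__main__":
    base, thr = fit_baseline(HISTORY), DynamicThreshold()
    for vec, volume in [((3, 1, 4.5), 100), ((8, 8, 0.48), 110)]:
        s, t = anomaly_score(vec, base), thr.current(volume)
        print(f"score={s:6.2f} threshold={t:4.1f} anomalous={s > t}")
    feats = spatio_temporal_features(EVENTS)
    print(feats, high_risk_regions(feats))
```

One caveat a practitioner will want to keep in view: relaxing the boundary during a volume surge suppresses false alarms from legitimate peaks, but a volumetric attack is itself a surge, which is why the relaxation here is bounded and why the per-source score (which a burst from one source does not lower) should remain the primary signal. The region summaries are the "origin, destination, active interval" features that drive the S4 monitoring-density decision.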
S4, adjusting the monitoring density of the relevant network areas based on the abnormal spatio-temporal distribution features, and generating traffic anomaly points for the high-risk areas.
Specifically, the system formulates a strategy to raise the monitoring density for network areas with pronounced abnormal behavior that pose a high security threat to the data center. This includes shortening the data-collection interval, increasing the number of extracted feature dimensions and raising the precision of the analysis algorithms, so that the high-risk areas are monitored more finely. The system then monitors the relevant network areas intensively according to the adjusted monitoring-density strategy and pinpoints the traffic anomaly points with high-precision traffic feature extraction and online detection, for example by performing stream computation with the real-time stream-processing framework Apache Flink and rolling analysis of the real-time traffic data with a sliding-window mechanism. The anomaly points, which appear as traffic surges, specific malicious payloads, unusual access patterns and the like, are the direct manifestation of a potential network threat and give the subsequent threat blocking a clear target.
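How a fixed analysis budget might be shifted toward high-risk areas (S4, S41, S42) without blinding the rest of the data center, as an added Python example that is not from the patent. The risk score per region is assumed to be something like each region's share of the anomalous connections found in S3; the budget, per-region floor, cap, offered loads, and the choice of window length and parsing depth per risk level are all the example's own assumptions.

```python
def allocate_monitoring(risk, budget_gbps, floor_gbps=0.5, max_share=0.6):
    """Split a fixed analysis budget across regions in proportion to risk.

    Every region keeps at least `floor_gbps`, so raising density in one area
    never removes coverage elsewhere (an attacker who can draw attention to one
    rack must not thereby blind the others). No region may take more than
    `max_share` of the budget; capacity above the cap is spread evenly over the
    uncapped regions. `risk` maps region -> non-negative score.
    """
    regions = list(risk)
    if len(regions) == 1:
        return {regions[0]: budget_gbps}
    if floor_gbps * len(regions) > budget_gbps:
        raise ValueError("budget cannot cover the per-region floor")
    spare = budget_gbps - floor_gbps * len(regions)
    total = sum(risk.values()) or 1.0
    alloc = {r: floor_gbps + spare * risk[r] / total for r in regions}
    cap = max_share * budget_gbps
    capped = [r for r in regions if alloc[r] > cap]
    uncapped = [r for r in regions if r not in capped]
    if capped and uncapped:
        excess = sum(alloc[r] - cap for r in capped)
        for r in capped:
            alloc[r] = cap
        for r in uncapped:
            alloc[r] += excess / len(uncapped)
    return alloc


def monitoring_plan(alloc, offered_gbps, risk, hot=0.5):
    """Per-region collection settings derived from the allocation.

    Hot regions (risk >= `hot`) get shorter windows, full protocol parsing and
    steering to the dedicated analysis nodes (S42); the sample ratio says how
    much of the region's offered load the allocated capacity can inspect.
    """
    plan = {}
    for r, cap_gbps in alloc.items():
        is_hot = risk[r] >= hot
        plan[r] = {
            "capacity_gbps": round(cap_gbps, 3),
            "sample_ratio": min(1.0, cap_gbps / offered_gbps[r]),
            "window_s": 1.0 if is_hot else 10.0,
            "parsing": "full_protocol" if is_hot else "metadata",
            "steer_to_analysis_node": is_hot,
        }
    return plan


# Constructed inputs: risk per region and the traffic each region offers, in Gbps.
RISK = {"rack-A": 0.9, "rack-B": 0.1, "dmz": 0.0}
OFFERED_GBPS = {"rack-A": 12.0, "rack-B": 3.0, "dmz": 1.0}

if __name__ == "__main__":
    alloc = allocate_monitoring(RISK, budget_gbps=10.0)
    for r, cfg in monitoring_plan(alloc, OFFERED_GBPS, RISK).items():
        print(r, cfg)
```

With these inputs rack-A would have taken 8.15 of the 10 Gbps on risk alone; the cap holds it at 6.0 and returns the difference to the other regions, so the quiet DMZ is still inspected above its floor. In an SDN deployment the `steer_to_analysis_node` flag is what would become the flow rule that mirrors the hot region's traffic to the dedicated parsers.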
S5, performing real-time traffic feature extraction and online detection on the traffic anomaly points of the high-risk areas to generate a threat-blocking instruction.
Specifically, for the identified traffic anomaly points of a high-risk area, the system can apply deep feature extraction to obtain finer traffic features, such as specific fields of application-layer protocols and micro-behavioral features within encrypted traffic. These fine-grained features are analysed in real time with online detection algorithms, such as stream-based clustering and real-time association-rule mining. Hardware optimizations such as GPU acceleration and intelligent caching are used during detection so that it keeps pace with the real-time traffic and ongoing network threats are discovered in time.
If online detection confirms a real threat, the threat-blocking instruction generation mechanism is triggered immediately. According to the threat type, attack target and severity, and in line with the data center's network security policy, the corresponding blocking instructions are generated. They cover operations such as blocking specific IPs and ports at the network layer, resetting connections at the transport layer and intercepting malicious requests at the application layer, and they also define the priority and order of execution, so that blocking is carried out efficiently and precisely and conforms to the overall security architecture.
S6, executing network isolation of the abnormal traffic based on the threat-blocking instruction, and generating a network security reinforcement result from the fed-back isolation result.
Specifically, the system passes the generated threat-blocking instruction to the network-isolation execution module, which responds quickly and performs precise network isolation of the abnormal traffic according to the instruction. For a specific IP address or address range, all inbound or outbound traffic is denied by configuring firewall rules or router access control lists (ACLs), isolating it at the network layer; for a specific port or protocol type, port blocking or protocol filtering cuts the relevant communication link. For abnormal traffic inside an encrypted channel, malicious traffic is identified and blocked either from the unencrypted metadata (such as TLS handshake fields and flow statistics) without decrypting the payload, or, where the data center operates an inspection proxy, through man-in-the-middle (MITM) TLS interception; note that interception necessarily terminates and re-encrypts the session and requires the endpoints to trust the interception certificate authority, whereas metadata-only analysis leaves the encryption of legitimate communication untouched. The whole isolation process follows the principle of minimal impact: only the confirmed abnormal traffic is blocked, interference with normal traffic is minimized, and the continuity of data center services is preserved.
After the network isolation operation completes, the system records and feeds back the isolation result in real time. The feedback includes details of the blocked traffic (source IP, destination IP, port, protocol type, blocking time, etc.), whether the blocking operation succeeded or failed, and an assessment of the impact on business traffic. Based on this feedback and an analysis of the overall security situation of the network, the system generates the network security reinforcement result. The result not only reflects the effect of handling the abnormal traffic but also serves as a reference for later optimization of the network security policy. For example, if a new type of attack is found to recur frequently while the existing protections perform poorly, the system prompts the security administrator to strengthen defenses against that attack type, such as updating the firewall rule base, upgrading the signature base of the intrusion detection system or adjusting the network topology, so that network security is continuously improved and the data center's ability to cope with complex threats grows.
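The instruction generation of S5 and the isolation and feedback loop of S6, as an added Python example that is not the patent's code. It renders network- and transport-layer blocks as nftables commands under an assumed table and chain, uses a hypothetical `proxy-deny` command for the application layer, refuses to block an assumed protected range, attaches a severity-based expiry that the executor is expected to enforce, and summarizes the fed-back results. The executor is injected so the example runs as a dry run without touching a firewall.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed names for the site's nftables ruleset; not taken from the text.
TABLE = "inet filter"
CHAIN = "forward"
# Assumed range that must never be blocked (resolvers, monitoring, jump hosts).
PROTECTED = ("10.0.255.0/24",)
# How long a block stays in place, by severity 1 (low) .. 4 (critical). Example values.
TTL_BY_SEVERITY = {1: 300, 2: 1800, 3: 3600, 4: 86400}


@dataclass(frozen=True)
class Threat:
    kind: str              # "port_scan" | "volumetric" | "c2_beacon"
    src: str               # attacking or infected address, IP or CIDR
    dst: str
    dst_port: Optional[int]
    proto: str             # "tcp" | "udp"
    severity: int


@dataclass(order=True)
class BlockInstruction:
    priority: int                       # lower executes first
    layer: str = field(compare=False)   # "L3" | "L4" | "L7"
    command: str = field(compare=False)
    ttl_s: int = field(compare=False)   # expiry to be applied by the executor


def _check_not_protected(src, protected=PROTECTED):
    net = ipaddress.ip_network(src, strict=False)
    for p in protected:
        if net.overlaps(ipaddress.ip_network(p)):
            raise ValueError(f"refusing to block protected range {p}")


def plan_blocking(t: Threat) -> list:
    """Translate a confirmed threat into ordered blocking instructions.

    Scope is the narrowest tuple that still covers the behaviour (minimal impact).
    """
    _check_not_protected(t.src)
    ttl = TTL_BY_SEVERITY[t.severity]
    match = f"ip saddr {t.src} ip daddr {t.dst}"
    instrs = []
    if t.kind == "port_scan":
        # the scanner touches many ports: block this source to this host, all ports
        instrs.append(BlockInstruction(10, "L3", f"nft add rule {TABLE} {CHAIN} {match} drop", ttl))
    elif t.kind == "volumetric":
        # keep the service reachable for everyone else: only src -> dst:port
        instrs.append(BlockInstruction(
            10, "L4", f"nft add rule {TABLE} {CHAIN} {match} {t.proto} dport {t.dst_port} drop", ttl))
    elif t.kind == "c2_beacon":
        # tear down the live session first, then keep the channel closed at the proxy
        instrs.append(BlockInstruction(
            5, "L4", f"nft add rule {TABLE} {CHAIN} {match} tcp dport {t.dst_port} reject with tcp reset", ttl))
        instrs.append(BlockInstruction(
            20, "L7", f"proxy-deny host={t.dst} port={t.dst_port}", ttl))  # hypothetical proxy control command
    else:
        raise ValueError(f"unknown threat kind: {t.kind}")
    return sorted(instrs)


def execute(instrs, run: Callable[[str], bool]):
    """Apply instructions in priority order through `run`; return per-instruction feedback."""
    return [{"layer": i.layer, "command": i.command, "ttl_s": i.ttl_s, "ok": run(i.command)}
            for i in instrs]


def reinforcement_result(threat, feedback, history: Counter, repeat_limit=3):
    """Summarize the isolation outcome and flag recurring attack kinds for policy work."""
    history[threat.kind] += 1
    failed = [f for f in feedback if not f["ok"]]
    advice = []
    if failed:
        advice.append("blocking failed: check ruleset/chain names and executor privileges")
    if history[threat.kind] >= repeat_limit:
        advice.append(f"{threat.kind} seen {history[threat.kind]} times: update static rules/signatures")
    return {"kind": threat.kind, "applied": len(feedback) - len(failed),
            "failed": len(failed), "advice": advice}


if __name__ == "__main__":
    dry_run = lambda cmd: print("would run:", cmd) or True
    hist = Counter()
    t = Threat("c2_beacon", "10.0.0.7", "203.0.113.5", 443, "tcp", 4)
    print(reinforcement_result(t, execute(plan_blocking(t), dry_run), hist))
```

Two design points worth noting: the protected-range check is what stops an automated blocker from being turned against the infrastructure it defends (an attacker who can spoof a scan from the resolver's address would otherwise get it isolated), and every block carries an expiry so that automatically generated rules do not accumulate indefinitely in the ruleset.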
In summary, the traffic anomaly detection and network security reinforcement method for the full-volume data center provided by the invention collects and processes the full-volume network traffic in real time and combines a multi-dimensional time sequence model with a dynamic judgment threshold, so that abnormal behavior and potential threats in the network can be detected rapidly and accurately and isolation and reinforcement measures can be taken in time. Through this step flow, the method can effectively improve the real-time performance, accuracy and flexibility of network security protection, reduce the probability and scope of network security events, and ensure the stable operation of the network system and the security of data. Meanwhile, by means of parallel computing, monitoring density adjustment and other technical means, resource utilization is optimized and the processing efficiency and scalability of the system are improved, so that the method is suitable for the security protection requirements of a large-scale, complex network environment.
In one embodiment, step S1 of the method for traffic anomaly detection and network security reinforcement for a full-volume data center provided by the invention specifically includes the following steps:
S11, acquiring the full-volume network traffic in real time through a traffic acquisition device deployed at a network node, and preprocessing the full-volume network traffic to generate an original network message data stream.
In particular, the system may deploy traffic collection devices on network nodes; these may be dedicated network sniffers, splitters, or switches with a traffic mirroring function. They are distributed according to the specific network topology so as to cover all critical access points and data transmission paths of the data center, ensuring that every bit of traffic entering or leaving the data center can be captured. The devices are connected to the network through high-speed data interfaces, support line-rate packet capture, work stably even during peak traffic periods, and do not lose data because of equipment performance problems. The traffic acquisition device monitors data transmission on the network link in real time using the interrupt or polling mechanism of the underlying hardware. Upon detecting the arrival of a data packet, it immediately initiates the packet capture process and copies the complete packet content into the acquisition buffer. To ensure data integrity, the acquisition device has sufficient buffer capacity and adopts a circular overwrite strategy: when the buffer is full, the earliest acquired data is automatically overwritten, which ensures the availability of the latest data.
After data acquisition is completed, the system verifies the integrity and validity of each packet in the acquired original traffic and eliminates invalid packets caused by transmission errors or malicious forgery. It then classifies the traffic finely according to a predefined traffic classification rule base covering multiple dimensions such as protocol type, source and destination IP address, port number and traffic size, laying the foundation for subsequent feature extraction, and integrates the preprocessed traffic data into the original network message data stream. In this process, scattered packets are reassembled in transmission order by a packet reassembly technique to form a continuous data stream, which ensures the integrity and continuity of the data and provides an accurate basis for the subsequent protocol analysis. Preferably, an efficient hash algorithm can be applied in the classification process so that traffic is classified rapidly and processing efficiency is ensured.
S12, carrying out protocol analysis processing on the original network message data stream, and extracting protocol metadata comprising a source address, a destination port and a session time sequence.
Specifically, Deep Packet Inspection (DPI) may be used to perform protocol parsing on each packet in the original network message data stream. DPI technology is capable of identifying a variety of network protocols, including but not limited to TCP/IP, UDP, HTTP, HTTPS and FTP. The analysis starts from the data link layer, proceeds progressively through the network layer and the transport layer to the application layer, and extracts the key field information of each layer's protocol.
On the basis of protocol analysis, protocol metadata including the source address, destination port and session time sequence are extracted as the key output. The source address identifies the network location of the packet's sender, the destination port indicates the service or application the packet accesses on the destination device, and the session time sequence records the temporal order of the packets within a network session; these metadata are the key indicators for the subsequent generation of the attack chain feature sequence.
The extracted protocol metadata are stored in an efficient data structure, such as a relational database or a distributed key-value store. To facilitate subsequent query and analysis, a corresponding index mechanism is established to improve the data retrieval speed. Meanwhile, considering the timeliness of the data, a data life cycle management strategy is set and expired metadata are cleaned up regularly, so as to ensure efficient operation of the system.
S13, carrying out segmented statistical processing on the protocol metadata based on a sliding window technique to generate an attack chain feature sequence.
Specifically, the system introduces a sliding window technique to perform segmented statistical processing on the protocol metadata. The size of the sliding window can be dynamically adjusted according to the characteristics of the network traffic, the duration of the attack and other factors. For example, when network traffic is relatively stable, a larger window size may be set to obtain more comprehensive statistics, while when a traffic burst or a short-lived attack is suspected, the window size is reduced to capture fast-changing traffic characteristics in time. Within the sliding window, multidimensional statistical analysis is carried out on the protocol metadata. The statistical dimensions include, but are not limited to, the access frequency of source addresses and destination ports, the continuity and interval distribution of the session time sequence, and the proportion of data traffic accounted for by each protocol type. Through these statistical indicators, the behavior patterns of the network traffic within a local time window can be captured.
The attack chain feature sequence is then generated from the segmented statistical results combined with known attack pattern features. The attack chain feature sequence is a multidimensional vector sequence in which each vector element represents a key feature point in a network behavior chain, such as an abnormal access frequency from a certain source address to a specific target port, or abnormal reconnection behavior after a session interrupt. These feature sequences serve as an important basis for the subsequent traffic anomaly detection and network security reinforcement to identify potential network attacks.
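The segmented statistics and feature points of step S13, as an added example on constructed protocol metadata (this is not the patent's own code): the window span shrinks when the packet rate bursts, each window yields the access frequency, session interval and protocol proportion statistics, and two known pattern features (many ports from one source; a session that pauses and resumes) are matched into flags. The thresholds and sample addresses are assumptions.

```python
"""Sliding-window segment statistics over protocol metadata and the
resulting attack chain feature sequence (step S13).  Added example with
constructed sample data; not the patent's own code."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Meta:
    """Protocol metadata for one packet (output of step S12)."""
    ts: float      # arrival time in seconds
    src: str
    dst: str
    dport: int
    proto: str


def choose_span(rate_pps: float, base: float = 10.0, burst_pps: float = 5.0) -> float:
    """Dynamic window size: shrink the window when traffic bursts so that
    fast-changing behaviour is captured, otherwise use the large base window."""
    return base / 4 if rate_pps >= burst_pps else base


def window_stats(batch: List[Meta], scan_ports: int = 5, interrupt_gap: float = 3.0) -> Dict:
    """Multidimensional statistics for one window plus the feature points
    (flags) obtained by matching known attack pattern features."""
    pair_freq = Counter((m.src, m.dport) for m in batch)
    ports_per_src = defaultdict(set)
    sessions = defaultdict(list)
    for m in sorted(batch, key=lambda x: x.ts):
        ports_per_src[m.src].add(m.dport)
        sessions[(m.src, m.dst, m.dport)].append(m.ts)
    gaps = [b - a for ts in sessions.values() for a, b in zip(ts, ts[1:])]
    flags = []
    # Known pattern: one source touching many destination ports in one window.
    if ports_per_src and max(len(p) for p in ports_per_src.values()) >= scan_ports:
        flags.append("port_scan")
    # Known pattern: a session pauses (interrupt) and then resumes in the window.
    if any(g >= interrupt_gap for g in gaps):
        flags.append("reconnect_after_interrupt")
    n = len(batch)
    return {
        "count": n,
        "max_pair_freq": max(pair_freq.values(), default=0),
        "max_ports_per_src": max((len(p) for p in ports_per_src.values()), default=0),
        "mean_gap": sum(gaps) / len(gaps) if gaps else 0.0,
        "proto_share": {p: c / n for p, c in Counter(m.proto for m in batch).items()} if n else {},
        "flags": flags,
    }


def feature_sequence(metas: List[Meta], base: float = 10.0, burst_pps: float = 5.0) -> List[Dict]:
    """Slide an adaptively sized window over the metadata and emit one
    feature vector (dict) per window, in time order."""
    metas = sorted(metas, key=lambda m: m.ts)
    if not metas:
        return []
    seq, t, end = [], metas[0].ts, metas[-1].ts
    while t <= end:
        # Probe the packet rate over one base window to pick this window's span.
        probe = sum(1 for m in metas if t <= m.ts < t + base)
        span = choose_span(probe / base, base, burst_pps)
        batch = [m for m in metas if t <= m.ts < t + span]
        stats = window_stats(batch)
        stats.update(start=t, span=span)
        seq.append(stats)
        t += span
    return seq


def sample_metadata() -> List[Meta]:
    """Constructed sample: steady HTTPS polling, an SSH session that pauses
    and resumes, one DNS lookup, and a burst of connections to many ports."""
    metas = [Meta(float(i), "10.0.0.5", "10.0.1.20", 443, "TCP") for i in range(41)]
    metas += [Meta(t, "10.0.0.7", "10.0.1.30", 22, "TCP") for t in (11.0, 12.0, 13.0, 17.0)]
    metas.append(Meta(11.5, "10.0.0.7", "10.0.1.53", 53, "UDP"))
    metas += [Meta(20 + i / 20, "10.0.0.99", "10.0.1.20", 20 + i, "TCP") for i in range(51)]
    return metas


if __name__ == "__main__":
    for w in feature_sequence(sample_metadata()):
        print(f"t={w['start']:5.1f} span={w['span']:4.1f} n={w['count']:3d} flags={w['flags']}")
```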
In one embodiment, as shown in fig. 2, step S2 of the method for traffic anomaly detection and network security reinforcement for a full-volume data center provided by the present invention specifically includes the following steps:
S21, converting the pre-stored historical attack chain feature sequences to generate a space-time matrix containing time window statistics and network location aggregation information.
Specifically, the system selects a representative sample set from the massive pre-stored historical attack chain feature sequences. These samples cover various types of network attacks, such as DDoS attacks, APT attacks and webshell penetration. The selected samples are preprocessed, including data cleaning, denoising and format unification, to ensure the accuracy and consistency of the data; the sorted historical attack chain feature sequences are then divided in time order and processed with a sliding time window of fixed size. In each time window, the statistical values of the various attack features are calculated, such as occurrence frequency, duration and intensity index. For example, for DDoS attack features, the peak value and average volume of attack traffic in each time window are counted, and for APT attack features, the number of suspicious connections and the volume of outbound data in the time window are calculated. These statistics reflect the dynamic change pattern of the attack behavior in the time dimension.
After the sliding process is completed, the system analyzes the network location information in the historical attack chain feature sequence, including the source IP address, the destination IP address, and the node location in the network topology. The network location information is aggregated, e.g., categorized and aggregated by IP address segment, geographic area, or network functional area (such as server area or office area). The distribution of attack features in each aggregation unit is extracted, such as the number of occurrences and proportion of each type of attack in each unit, forming the aggregation information of the network location dimension. The calculated time window statistics and the network location aggregation information are integrated to construct a space-time matrix. The rows of the matrix represent time windows and the columns represent network location aggregation units; each element contains the attack feature statistics for the corresponding time window and network location. In this matrix form, the distribution of the historical attack chain features in the time and space dimensions is described comprehensively and systematically, providing a structured data basis for the subsequent cluster analysis and time sequence modeling.
S22, grouping processing and anomaly identification are carried out on the space-time matrix based on a clustering algorithm to obtain an anomaly data set.
Specifically, a clustering algorithm suitable for space-time data, such as K-Means, DBSCAN or hierarchical clustering, can be selected. The parameters of the clustering algorithm are optimized according to the scale of the space-time matrix, the data distribution characteristics and the requirements on the clustering effect. For example, in the K-Means algorithm the optimal number of cluster centers is determined by the elbow rule or the silhouette coefficient method, and in the DBSCAN algorithm parameters such as the neighborhood radius and the minimum number of samples are set reasonably so that the natural grouping structure in the data can be identified effectively.
Specifically, the system inputs the constructed space-time matrix into the selected clustering algorithm and groups the space-time data points therein. The clustering algorithm classifies space-time windows with similar attack patterns into the same group according to the similarity of the data points in the time and space dimensions. The data points within each group show commonality in attack frequency, target selection preference and the like, while obvious differences exist between groups, so that a preliminary classification and arrangement of the historical attack chain feature sequences is achieved.
Based on the clustering results, the system identifies as outlier data points the small set of data points that differ significantly from the majority of the groups, or the isolated data points that were not reasonably assigned to any major group during clustering. These outlier data points may correspond to new attack patterns, variants of attacks in special scenarios, or noise and mislabeling in the historical data. Through in-depth analysis of the clustering result, combined with domain expert knowledge and experience, an anomaly data set that truly has research value and analytical significance is screened out, providing key clues for further mining of potential network security threats.
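Steps S21 and S22 carried through on constructed historical feature points, as an added example (not the patent's own code): the space-time matrix has one row per time window and one column per /24 address segment, plain DBSCAN groups the rows, and the anomaly set consists of rows left as noise or rows in a group far smaller than the rest. The aggregation by /24, the DBSCAN parameters and the sample history are assumptions.

```python
"""Space-time matrix from historical attack chain features (S21), DBSCAN
grouping and anomaly set screening (S22).  Added example on constructed
data; not the patent's own code."""
import ipaddress
import math
from collections import Counter
from typing import Dict, List, Tuple

# One historical attack chain feature point: (time window index, source IP, attack type).
Feature = Tuple[int, str, str]


def segment_of(ip: str) -> str:
    """Aggregation unit for the spatial dimension: the /24 address segment."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def space_time_matrix(points: List[Feature], n_windows: int):
    """Rows = time windows, columns = address segments, element = number of
    attack feature points observed in that window and segment."""
    segments = sorted({segment_of(ip) for _, ip, _ in points})
    counts = Counter((w, segment_of(ip)) for w, ip, _ in points)
    matrix = [[counts[(w, s)] for s in segments] for w in range(n_windows)]
    return segments, matrix


def dbscan(rows: List[List[int]], eps: float, min_pts: int) -> List[int]:
    """Plain DBSCAN over the matrix rows; label -1 marks noise (isolated rows)."""
    def dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def region(i):
        return [j for j in range(len(rows)) if dist(rows[i], rows[j]) <= eps]

    labels: List = [None] * len(rows)
    cluster = 0
    for i in range(len(rows)):
        if labels[i] is not None:
            continue
        nb = region(i)
        if len(nb) < min_pts:
            labels[i] = -1           # provisional noise; may become a border point later
            continue
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = region(j)
            if len(nb_j) >= min_pts:
                queue.extend(nb_j)
        cluster += 1
    return labels


def anomaly_set(matrix: List[List[int]], eps: float = 2.0, min_pts: int = 3,
                minor_frac: float = 0.2) -> List[Dict]:
    """Anomalies are rows left as noise or rows in a group much smaller than
    the data set (the 'small set differing from the majority')."""
    labels = dbscan(matrix, eps, min_pts)
    sizes = Counter(l for l in labels if l != -1)
    out = []
    for w, (row, label) in enumerate(zip(matrix, labels)):
        if label == -1:
            out.append({"window": w, "row": row, "reason": "isolated"})
        elif sizes[label] < minor_frac * len(matrix):
            out.append({"window": w, "row": row, "reason": "minor_group"})
    return out


def sample_points() -> Tuple[List[Feature], int]:
    """Constructed history: 12 windows of routine scan/brute-force noise in
    three segments, a flood in window 7 and a webshell burst in window 11."""
    pts: List[Feature] = []
    for w in range(12):
        pts += [(w, f"10.0.1.{10 + i}", "scan") for i in range(3 + w % 2)]
        pts += [(w, f"10.0.2.{20 + i}", "bruteforce") for i in range(2)]
        pts.append((w, "192.168.9.5", "scan"))
    pts += [(7, f"10.0.1.{100 + i}", "ddos") for i in range(40)]
    pts += [(11, f"10.0.2.{50 + i}", "webshell") for i in range(15)]
    return pts, 12


if __name__ == "__main__":
    pts, n = sample_points()
    segs, m = space_time_matrix(pts, n)
    print("columns:", segs)
    for a in anomaly_set(m):
        print(a)
```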
S23, carrying out evolution analysis processing on the anomaly data set based on a time sequence association rule mining algorithm to generate a multi-dimensional time sequence model.
Specifically, for the selected anomaly data set, a time sequence association rule mining algorithm, such as the Apriori algorithm or an extension of the FP-Growth algorithm to time sequence data, can be applied to mine the time sequence association rules it contains. These rules describe the ordering, co-occurrence and evolution patterns of different attack features in the time sequence, for example, "when source IP A scans destination port B at high frequency in time window t, a port intrusion is usually attempted in time window t+1", and reveal the inherent logical relationships of attack behavior in the time dimension.
Based on the mined time sequence association rules, the system performs evolution analysis on the attack chain feature sequences in the anomaly data set, analyzes the dynamic change of the attack behavior from the initial stage through the development stage to a possible outbreak or regression stage, and determines the key feature indicators and their transition conditions. By constructing an evolution model of the attack behavior, the potential trend and possible scope of influence of an attack can be predicted in advance, providing forward-looking support for the formulation of the network security defense strategy.
Finally, the system combines the mined time sequence association rules with the spatial feature information in the space-time matrix to construct a multidimensional time sequence model. The model not only considers the dependencies of the attack features in the time sequence but also integrates influencing factors of the spatial dimension, such as network location, forming a multidimensional data structure that comprehensively describes network attack behavior patterns. The multidimensional time sequence model can be realized with mathematical or machine learning models such as vector autoregression (VAR) or long short-term memory networks (LSTM); by learning from and training on historical attack data it gains the capability to analyze and predict new real-time attack chain feature sequences, laying a solid foundation for subsequent real-time attack detection and defense.
S24, inputting the real-time attack chain feature sequence into the multidimensional time sequence model for analysis and processing to generate attack analysis data.
Specifically, the system acquires the current attack chain feature sequence from the real-time network traffic monitoring system; this real-time feature sequence is obtained by real-time acquisition, preprocessing and feature extraction on the full-volume network traffic and has the same feature dimensions and data structure as the historical attack chain feature sequences. The real-time feature sequence undergoes the necessary preprocessing, including data format conversion, missing value filling and noise filtering, to ensure that it matches the input requirements of the multi-dimensional time sequence model and that the analysis of the model is accurate and stable.
Specifically, the system inputs the preprocessed real-time attack chain feature sequence into the constructed multidimensional time sequence model, and the model analyzes and processes it according to the time sequence association rules and feature evolution patterns it has learned. The analysis includes prediction of the real-time attack behavior in the time dimension, assessment of the current attack state and early warning of potential abnormal trends. Based on the rules learned from historical data, the model judges whether the real-time attack feature sequence conforms to a normal behavior pattern; if it shows signs of deviating from the normal pattern, corresponding attack analysis data are generated in time, providing a quantitative basis for the subsequent abnormal behavior judgment.
The attack analysis data output by the multidimensional time sequence model contain rich content, such as the predicted strength of the real-time attack behavior, its possible evolution direction and its similarity to historical anomaly patterns. The data are organized in a structured manner to facilitate subsequent clustering and association analysis. Meanwhile, each item of attack analysis data carries a corresponding confidence index that reflects the credibility of the model's analysis result and helps the system make more reasonable decisions in the face of uncertainty.
S25, clustering and association analysis processing are carried out on the attack analysis data to generate an abnormal behavior judgment result.
Specifically, the system performs cluster analysis on the generated attack analysis data with the aim of grouping similar attack analysis results together. The clustering process groups the data by applying a suitable clustering algorithm (such as K-means or hierarchical clustering) to their multidimensional features, including attack prediction strength, evolution direction and similarity. Through clustering, the different types of attack behavior patterns present in the current network traffic and their distribution in the feature space can be identified. The clustering result not only helps to present the overall attack situation visually but also provides a basis for further association analysis, revealing potential relationships among different attack behaviors.
Association analysis is then carried out on the attack analysis data on the basis of the clustering result. The association analysis aims to mine the inherent links between different attack behaviors, such as whether a sequential, cooperative or causal relationship exists. An association map of the attack behaviors is constructed by analyzing their correlation in multiple dimensions such as time, space and features. For example, it may be found that some unusual traffic behavior is often accompanied by a particular port scanning behavior, or that some attack behavior has a clear propagation path and time delay relationship between different network regions. The association map provides security analysts with comprehensive and deep insight into attack behavior and helps in formulating more targeted defense strategies.
Finally, the clustering and association analysis results are integrated to generate the final abnormal behavior judgment result. The judgment result clearly indicates key information such as the type, location, scope of influence and severity of the abnormal behavior present in the current network traffic. Meanwhile, according to the severity and urgency of the judgment result, the system can trigger a corresponding early warning mechanism to notify network security management personnel for timely handling. The abnormal behavior judgment result is not only an accurate reflection of the current network security condition but is also fed back as input to the network security reinforcement system, guiding it to automatically adjust and optimize network configuration, defense strategies and the like, so as to improve the capability and resilience of the data center in coping with network security threats.
According to the traffic anomaly detection and network security reinforcement method for the full-volume data center, the historical attack chain feature sequence is converted into a space-time matrix and analyzed with a clustering algorithm and a time sequence association rule mining algorithm, so that the distribution pattern, evolution mode and association relationships of network attack behavior in the time and space dimensions can be mined effectively. This process helps to improve the accuracy and timeliness of network security detection and to discover potential abnormal behavior and novel attack means in time, thereby providing strong support for network security protection. Meanwhile, a multidimensional time sequence model is constructed to analyze the real-time attack chain feature sequence, and an abnormal behavior judgment result is generated by combining clustering and association analysis, so that dynamic monitoring and intelligent analysis of network attack behavior is realized, the complex and changeable network environment and continuously evolving attack means can be better adapted to, and the overall security of the network system is enhanced.
In one embodiment, step S4 of the method for traffic anomaly detection and network security reinforcement for a full-volume data center specifically includes the following steps:
S41, based on the abnormal space-time distribution characteristics, increasing the acquisition rate for the traffic of the network area in which abnormal diffusion behavior is detected, and generating adjusted network area traffic data.
Specifically, immediately after receiving the abnormal behavior judgment result and determining that abnormal diffusion behavior exists, the system performs in-depth analysis of the abnormal space-time distribution characteristics. This includes identifying key information such as the starting position, diffusion direction, diffusion speed and affected network area of the abnormal behavior in the network, and formulating, according to the analysis result, a traffic acquisition rate increase strategy aimed at the specific network area. The strategy covers specific measures such as increasing the sampling frequency of the traffic acquisition device, raising the resource allocation priority of the acquisition device, and optimizing the acquisition path to reduce data transmission delay. Meanwhile, the balance of the overall network performance of the data center is considered: the amplitude and duration of the acquisition rate increase are set reasonably, so that excessive acquisition does not adversely affect normal service traffic.
Finally, the system adjusts the traffic acquisition device of the target network area in real time according to the formulated increase strategy. The acquisition device captures network traffic data at the higher acquisition rate and preprocesses the acquired data, including unifying the data format and correcting errors, to ensure the accuracy and integrity of the data. The processed data are the adjusted network area traffic data; they contain richer and finer traffic information and provide a high-quality data basis for subsequent traffic steering and in-depth analysis.
S42, performing traffic steering processing on the adjusted network area traffic data based on software-defined networking technology to generate dedicated analysis node traffic.
Specifically, software-defined networking technology is deployed in the data center network architecture, and an SDN (software-defined network) controller and programmable data plane devices are built. The SDN controller serves as the core brain of the network and centrally manages the forwarding rules of network traffic. A fine-grained traffic control policy is formulated according to the characteristics of the adjusted network area traffic data and the security analysis requirements. The policy covers key information such as the source IP, destination IP, port number and protocol type of the traffic, and specifies how specific traffic is to be directed to a dedicated analysis node.
The SDN controller issues the formulated traffic control policy to the data plane devices in the network, such as switches and routers. These devices match and forward incoming traffic in real time according to the policy and accurately steer the traffic matching the specified characteristics to the dedicated analysis nodes. Dedicated analysis nodes typically have strong computing power and storage resources that enable advanced processing of the steered traffic. During steering, the order and integrity of the traffic are preserved, avoiding data loss or reordering caused by network forwarding, so that continuous and accurate dedicated analysis node traffic is generated.
Specifically, during the traffic steering process the system continuously monitors the network state and traffic load, and collects traffic forwarding statistics from each network device through the SDN controller. These statistics are analyzed to evaluate the effectiveness of the traffic steering policy and its impact on network performance. If problems such as network congestion or traffic forwarding delay are found, the traffic control policy is adjusted in time, for example by changing the traffic path or optimizing the matching rules, so that traffic is transmitted efficiently and stably to the dedicated analysis node and the timeliness of the analysis is guaranteed.
S43, carrying out complete protocol analysis processing on the dedicated analysis node traffic, and generating high-risk area traffic anomaly points.
Specifically, on the dedicated analysis node, the system can adopt Deep Packet Inspection (DPI) technology and a complete protocol analysis algorithm to perform comprehensive, in-depth protocol analysis on the steered traffic. The parsing range covers protocols from the link layer to the application layer, such as TCP, UDP, HTTP, HTTPS and DNS. Not only are the key fields of the protocol headers extracted, such as IP address, port number and flag bits, but the protocol payload is also analyzed in depth to identify specific patterns, keywords, potential malicious code and the like. Through multistage parsing and semantic analysis, the complex network protocol data are decomposed into structured metadata, providing fine-grained data support for the subsequent anomaly point detection.
Based on the detailed data obtained by protocol analysis, the traffic is scanned comprehensively with multiple anomaly detection algorithms to identify the anomaly points in it. The detection algorithms include statistics-based, machine-learning-based and signature-based anomaly detection, among others. For example, whether the traffic is abnormal is judged by analyzing how far its behavior pattern deviates from the historical normal pattern; a trained machine learning model classifies and predicts the traffic features to identify data points that do not belong to the normal class; or the data are compared with a known attack signature library to match possible attack traffic directly. The detected anomaly points are precisely marked, and key information such as their time of occurrence, location and features is recorded to form the high-risk area traffic anomaly point data set.
Finally, the system carries out association analysis on the detected high-risk area traffic anomaly points to mine potential relationships and internal logic among them. For example, it analyzes whether multiple anomaly points belong to different phases of the same attack chain, or whether there is evidence of a coordinated attack. A comprehensive risk assessment of the anomaly points is carried out in combination with service context information and network security threat intelligence to determine their actual degree of threat to the security of the data center. According to the assessment result, the anomaly points are prioritized, providing a clear processing order and basis for the subsequent threat blocking and security reinforcement measures, so that the most serious security threats are handled first.
In one embodiment, step S5 of the method for traffic anomaly detection and network security reinforcement for a full-volume data center provided by the invention specifically includes the following steps:
S51, carrying out real-time feature extraction processing on the traffic corresponding to the high-risk area traffic anomaly points to obtain real-time traffic features including the connection rate and protocol violations.
Specifically, the system starts the real-time feature extraction process immediately after identifying the high-risk area traffic anomaly points. For the traffic corresponding to each anomaly point, a high-performance feature extraction algorithm is applied to obtain the key traffic features quickly. These features include, but are not limited to: the connection rate, i.e. the number of network connections established per unit time, which reflects the activity level of the network traffic and possible signs of a connection flooding attack; and protocol violations, found by analyzing the protocol structure of the packets with Deep Packet Inspection (DPI) technology and checking for anomalies such as field values that do not conform to the standard protocol specification or illegal protocol state transitions, which are often important clues that an attacker is exploiting a protocol vulnerability to intrude. Finally, the system integrates the extracted features, such as the connection rate and protocol violations, into a structured real-time traffic feature data set. Each feature item in the data set has a clear definition and identifier that facilitates subsequent analysis. Meanwhile, to ensure the timeliness and accuracy of the feature data, a data update mechanism is provided so that the real-time traffic features reflect the latest state of the current network traffic in time.
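The two features named in step S51 computed over constructed TCP header records, as an added example (not the patent's own code): the connection rate is the peak count of new SYNs per source per second, and protocol violations cover invalid flag combinations, a reserved field value (port 0) and segments that break the handshake state machine. The violation names, the one-second rate window and the flood threshold are assumptions.

```python
"""Real-time traffic features for high-risk anomaly points (S51): connection
rate per source and protocol violations (invalid TCP flag combinations,
out-of-spec field values, illegal state transitions).  Added example on
constructed packets; not the patent's own code."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Pkt:
    """Header fields a DPI stage would hand over for one TCP segment."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def flag_violation(flags: FrozenSet[str]):
    """Flag combinations that no conforming TCP implementation emits."""
    if not flags:
        return "null_flags"
    if {"SYN", "FIN"} <= flags:
        return "syn_fin"
    if {"SYN", "RST"} <= flags:
        return "syn_rst"
    return None


def extract_features(pkts: List[Pkt], rate_window: float = 1.0,
                     flood_threshold: float = 20.0) -> Dict[str, Dict]:
    """Per source: peak connection rate (new SYNs per rate_window) and the
    list of protocol violations in arrival order."""
    state: Dict[tuple, str] = {}            # client 4-tuple -> handshake state
    syn_buckets = defaultdict(Counter)      # src -> time bucket -> SYN count
    violations = defaultdict(list)
    sources = set()
    for p in sorted(pkts, key=lambda x: x.ts):
        sources.add(p.src)
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        v = flag_violation(p.flags)
        if v:
            violations[p.src].append(v)
        if p.sport == 0 or p.dport == 0:    # port 0 is reserved, never a valid endpoint
            violations[p.src].append("reserved_port_0")
        if "SYN" in p.flags and "ACK" not in p.flags:
            syn_buckets[p.src][int(p.ts // rate_window)] += 1
            state[key] = "SYN_SENT"
        elif "SYN" in p.flags:              # SYN+ACK must answer a SYN we saw
            if rev in state:
                state[rev] = "ESTABLISHED"
            else:
                violations[p.src].append("synack_without_syn")
        elif "RST" in p.flags:
            state.pop(key, None)
            state.pop(rev, None)
        else:                               # ACK / PSH / FIN segments need a handshake
            if key not in state and rev not in state:
                violations[p.src].append("data_without_handshake")
            elif "FIN" in p.flags:
                # half-close; real code would age the entry out after the final ACK
                state[key if key in state else rev] = "CLOSING"
    features = {}
    for src in sorted(sources):
        peak = max(syn_buckets[src].values(), default=0) / rate_window
        features[src] = {
            "conn_rate": peak,
            "flood_suspect": peak >= flood_threshold,
            "violations": violations[src],
        }
    return features


def sample_packets() -> List[Pkt]:
    """Constructed: one clean HTTPS session, a SYN burst to 30 ports from one
    host, and one host emitting malformed and out-of-state segments."""
    F = frozenset
    pkts = [
        Pkt(0.00, "10.0.0.5", 40000, "10.0.1.20", 443, F({"SYN"})),
        Pkt(0.01, "10.0.1.20", 443, "10.0.0.5", 40000, F({"SYN", "ACK"})),
        Pkt(0.02, "10.0.0.5", 40000, "10.0.1.20", 443, F({"ACK"})),
        Pkt(0.50, "10.0.0.5", 40000, "10.0.1.20", 443, F({"PSH", "ACK"})),
        Pkt(1.00, "10.0.0.5", 40000, "10.0.1.20", 443, F({"FIN", "ACK"})),
        Pkt(1.01, "10.0.1.20", 443, "10.0.0.5", 40000, F({"FIN", "ACK"})),
    ]
    pkts += [Pkt(2.0 + i * 0.02, "10.0.0.99", 50000 + i, "10.0.1.20", 1000 + i, F({"SYN"}))
             for i in range(30)]
    pkts += [
        Pkt(3.0, "10.0.0.42", 41000, "10.0.1.20", 80, F({"SYN", "FIN"})),
        Pkt(3.1, "10.0.0.42", 41001, "10.0.1.20", 80, F({"PSH", "ACK"})),
        Pkt(3.2, "10.0.0.42", 41002, "10.0.1.20", 0, F({"SYN"})),
    ]
    return pkts


if __name__ == "__main__":
    for src, f in extract_features(sample_packets()).items():
        print(src, f)
```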
S52, outputting the real-time traffic features to the multidimensional time sequence model for online detection processing, and generating an attack association relationship which indicates the association relationship of continuous activation across the traffic attack stages.
Specifically, the system takes the integrated real-time traffic feature data set as input and transmits it to the pre-trained multi-dimensional time sequence model. The multidimensional time sequence model is trained on historical attack data and normal traffic data and has a deep understanding of the evolution rules and interrelationships of traffic features in the time sequence. The model can identify similarities between the real-time traffic features and historical attack patterns, as well as potential correlation patterns between different features.
The multidimensional time sequence model performs online detection on the real-time traffic features and judges whether the current traffic contains attack behavior by calculating indicators such as the similarity and correlation between the real-time features and the attack pattern feature vectors stored in the model. Meanwhile, the system can apply a time sequence association rule mining algorithm to analyze the ordering and co-occurrence of the real-time traffic features in the time sequence and mine out the attack association relationships. These attack association relationships reveal inherent logical links between different traffic features; for example, a certain protocol violation often occurs before the connection rate becomes abnormally high, indicating a possible multi-stage attack process in which the protocol violation is the pre-probing stage of the attack and the raised connection rate is its subsequent outbreak stage.
Finally, the system stores the mined attack association relationships to form an attack association knowledge base. Each association in the knowledge base carries detailed descriptive information, including the associated feature combination, association strength, occurrence probability and so on. As time passes and new attack data keeps arriving, the attack association knowledge base is periodically updated and optimized: outdated or ineffective associations are removed, and new, more representative and predictive association patterns are added so as to adapt to constantly changing network attack techniques.
S53, generating a threat blocking instruction based on the attack association relationship.
Specifically, the system establishes a threat blocking instruction generation policy and generates specific threat blocking instructions from the mined attack association relationships, combined with the data center's network security policy and an evaluation of service importance. The policy covers the choice of blocking action for different attack stages and attack types, the priority assigned to blocking instructions, and so on. For example, for high-risk associations with clear attack intent that may cause serious consequences, strict blocking instructions are generated first, such as directly cutting off the related network connections; for suspected attacks or low-risk associations, milder measures such as increasing the traffic monitoring density or limiting the connection rate can be taken first, so as to minimize the impact on normal traffic while still ensuring network security.
The threat blocking instruction is encoded in a standardized format that includes the explicit execution action, the target object (for example a specific IP address or port number) and the execution conditions. The generated blocking instruction is sent to the network security equipment (such as a firewall or an intrusion prevention system) for execution, and the equipment performs precise blocking of the abnormal traffic according to the instruction content, effectively containing further spread and damage from the attack behavior. At the same time, the generation and execution logs of the blocking instruction are recorded to support subsequent audit and analysis and to provide a basis for the continuous improvement of network security.
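The three steps S51 to S53 above (window-based feature extraction, mining of the "protocol violation precedes connection-rate spike" association, and graded, standardized blocking instructions), as an added Python illustration that is not part of the patent. The window width, thresholds, record layout, action names and sample addresses are all assumptions made for this example.

```python
from collections import defaultdict

WINDOW_SECONDS = 10      # window width in seconds (assumed for this example)
RATE_THRESHOLD = 5.0     # connections/second regarded as abnormal (assumed)

def extract_features(records, window=WINDOW_SECONDS):
    """S51: per (src_ip, window index) connection rate and violation count.
    records: iterable of (timestamp_s, src_ip, dst_port, protocol_violation)."""
    conns, violations = defaultdict(int), defaultdict(int)
    for ts, src, _port, violated in records:
        key = (src, int(ts // window))
        conns[key] += 1
        violations[key] += int(violated)
    return {k: {"conn_rate": conns[k] / window, "violations": violations[k]}
            for k in conns}

def mine_associations(features, rate_threshold=RATE_THRESHOLD):
    """S52: the multi-stage pattern the description names as its example:
    a protocol violation in window w followed by an abnormal connection rate
    in window w+1 from the same source. Returns {src_ip: (w, w+1)}."""
    found = {}
    for (src, w), f in features.items():
        nxt = features.get((src, w + 1))
        if f["violations"] > 0 and nxt and nxt["conn_rate"] >= rate_threshold:
            found[src] = (w, w + 1)
    return found

def generate_instructions(features, associations, rate_threshold=RATE_THRESHOLD):
    """S53: one standardized instruction per source, graded by risk: both
    stages observed -> block; abnormal rate alone -> rate_limit; violation
    alone -> monitor (raise sampling density). Normal sources get nothing."""
    by_src = defaultdict(list)
    for (src, _w), f in features.items():
        by_src[src].append(f)
    instructions = []
    for src, fs in sorted(by_src.items()):
        if src in associations:
            action, cond = "block", "immediate"
        elif any(f["conn_rate"] >= rate_threshold for f in fs):
            action, cond = "rate_limit", f"conn_rate>={rate_threshold}"
        elif any(f["violations"] > 0 for f in fs):
            action, cond = "monitor", "raise sampling density"
        else:
            continue
        instructions.append({"action": action, "target": {"src_ip": src},
                             "condition": cond})
    return instructions

# Constructed sample records (timestamp_s, src_ip, dst_port, protocol_violation).
SAMPLE_RECORDS = (
    [(2.0, "10.0.0.5", 445, True)]                                    # probe stage
    + [(10.0 + i * 0.1, "10.0.0.5", 445, False) for i in range(60)]   # burst stage
    + [(12.0 + i * 0.1, "10.0.0.9", 80, False) for i in range(60)]    # burst only
    + [(3.0, "10.0.0.7", 22, True)]                                    # violation only
    + [(1.0, "10.0.0.2", 443, False), (4.0, "10.0.0.2", 443, False)]  # normal
)

def run_pipeline(records=SAMPLE_RECORDS):
    """S51 -> S52 -> S53 over one batch of records."""
    feats = extract_features(records)
    return generate_instructions(feats, mine_associations(feats))

if __name__ == "__main__":
    for instr in run_pipeline():   # in practice forwarded to firewall/IPS and logged
        print(instr)
```

Only the source that shows both stages in consecutive windows receives the strict action; a burst without a preceding violation is rate-limited and a lone violation only raises monitoring, mirroring the graded policy in S53.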
In summary, the traffic anomaly detection and network security reinforcement method for the full-volume data center provided by the invention extracts the features of the traffic anomaly points in the high-risk area in real time and uses the multidimensional time-series model for online detection and attack association analysis, so that threat behaviors in the network and their association relationships are identified accurately and in time, and an effective threat blocking instruction is generated quickly. This process improves the real-time performance and accuracy of network security protection and effectively reduces the impact and loss caused by threats. At the same time, mining and analyzing the attack association relationships gives a better understanding of the attack behavior as a whole and of its evolution, provides strong support for optimizing the network security policy and accumulating threat intelligence, and improves the overall security and defensive capability of the network system.
In a second aspect, as shown in fig. 3, the present invention provides a traffic anomaly detection and network security reinforcement system 700 for a full-volume data center, the system being configured with the following modules:
The data acquisition processing module 710 is configured to acquire the full-volume network traffic from the network side in real time, perform preprocessing and feature sequence extraction on it, and generate a real-time attack chain feature sequence;
The model construction and processing module 720 is configured to construct a multidimensional time-series model based on a pre-stored historical attack chain feature sequence, and to input the real-time attack chain feature sequence into the multidimensional time-series model for processing so as to generate an abnormal behavior judgment result;
The anomaly identification module 730 is configured to identify whether the abnormal behavior judgment result exceeds a dynamic judgment threshold and, if so, to perform parallel computing on the full-volume network traffic to generate an anomaly spatio-temporal distribution feature, where the dynamic judgment threshold indicates the boundary between normal behavior and abnormal behavior;
The high-risk detection module 740 is configured to perform monitoring density adjustment on the relevant network area based on the anomaly spatio-temporal distribution feature, and to generate high-risk area traffic anomaly points;
The threat blocking module 750 is configured to perform real-time traffic feature extraction and online detection on the high-risk area traffic anomaly points, and to generate a threat blocking instruction;
The instruction execution and security reinforcement module 760 is configured to perform network isolation on the abnormal traffic based on the threat blocking instruction, and to generate a network security reinforcement result based on the fed-back isolation result.
In summary, the traffic anomaly detection and network security reinforcement system for the full-volume data center provided by the invention collects and processes the full-volume network traffic in real time and combines the multidimensional time-series model with the dynamic judgment threshold, so that abnormal behavior and potential threats in the network are detected quickly and accurately and isolation and reinforcement measures are taken in time. Through this step flow the system effectively improves the real-time performance, accuracy and flexibility of network security protection, reduces the probability and scope of network security incidents, and ensures the stable operation of the network system and the security of its data. At the same time, by means of parallel computing, monitoring density adjustment and other techniques, resource utilization is optimized and the processing efficiency and scalability of the system are improved, making it suitable for the security protection requirements of a large-scale, complex network environment.
Preferably, the data acquisition processing module 710 provided by the present invention is configured with the following units:
The traffic collection and preprocessing unit is used to collect the full-volume network traffic in real time through traffic collection devices deployed at network nodes, preprocess the full-volume network traffic, and generate an original network packet data stream;
The protocol analysis unit is used to perform protocol analysis on the original network packet data stream and extract protocol metadata comprising the source address, destination port and session time sequence;
The feature sequence generation unit is used to perform segmented statistical processing on the protocol metadata based on a sliding window technique and generate an attack chain feature sequence.
Preferably, the model construction and processing module 720 provided by the present invention is configured with the following units:
The spatio-temporal matrix generation unit is used to convert the pre-stored historical attack chain feature sequences into a spatio-temporal matrix containing time window statistics and network location aggregation information;
The abnormal data acquisition unit is used to perform grouping and anomaly recognition on the spatio-temporal matrix based on a clustering algorithm and obtain an abnormal data set;
The time-series model construction unit is used to perform evolution analysis on the abnormal data set based on a time-series association rule mining algorithm and generate a multidimensional time-series model;
The attack analysis unit is used to input the real-time attack chain feature sequence into the multidimensional time-series model for analysis and generate attack analysis data;
The judgment result generation unit is used to perform clustering and association analysis on the attack analysis data and generate an abnormal behavior judgment result.
Preferably, the high-risk detection module 740 provided by the present invention is configured with the following units:
The traffic collection rate increase unit is used to increase the collection rate of the traffic of the network area in which abnormal diffusion behavior has been detected, based on the anomaly spatio-temporal distribution feature, and generate adjusted network area traffic data;
The traffic steering unit is used to steer the adjusted network area traffic data to dedicated analysis nodes based on software-defined networking technology and generate dedicated analysis node traffic;
The anomaly point generation unit is used to perform complete protocol analysis on the dedicated analysis node traffic and generate the high-risk area traffic anomaly points.
Preferably, the threat blocking module 750 provided by the present invention is configured with the following units:
The real-time feature extraction unit is used to perform real-time feature extraction on the traffic corresponding to the high-risk area traffic anomaly points and obtain real-time traffic features comprising the connection rate and protocol violation behavior;
The detection and relationship generation unit is used to output the real-time traffic features to the multidimensional time-series model for online detection and generate an attack association relationship, which indicates the continuously activated association relationship in the traffic attack stage;
The instruction generation unit is used to generate a threat blocking instruction based on the attack association relationship.
In one embodiment, the application further provides a computer device comprising a memory and a processor, where the memory stores a computer program and the processor implements the traffic anomaly detection and network security reinforcement method for the full-volume data center when executing the computer program.
In one embodiment, the present application further provides a computer readable storage medium, on which a computer program is stored, where the computer program when executed by a processor implements the method for traffic anomaly detection and network security reinforcement for a full-volume data center.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification, and the features of the different embodiments or examples, may be combined by those skilled in the art as long as they do not contradict one another.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above-described apparatus embodiments are merely illustrative, wherein the components illustrated as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the disclosed solution. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that various changes and substitutions are possible within the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510510578.XA CN120263505A (en) | 2025-04-23 | 2025-04-23 | Traffic anomaly detection and network security reinforcement method for full data center |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN120263505A true CN120263505A (en) | 2025-07-04 |
Family
ID=96196544
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202510510578.XA Pending CN120263505A (en) | 2025-04-23 | 2025-04-23 | Traffic anomaly detection and network security reinforcement method for full data center |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN120263505A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120856458A (en) * | 2025-09-11 | 2025-10-28 | 连云港枫若伊信息科技有限公司 | A real-time analysis and monitoring method for network security information data |
| CN120915548A (en) * | 2025-08-15 | 2025-11-07 | 广东浩传管理服务有限公司 | DDoS attack defense method and system based on multi-source flow sensing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||