Abnormal flow monitoring method, device, equipment and storage medium
阅读说明:本技术 异常流量监测方法、装置、设备及存储介质 (Abnormal flow monitoring method, device, equipment and storage medium ) 是由 刘玉洁 杨冬艳 于 2019-10-18 设计创作,主要内容包括:本发明公开了一种异常流量监测方法,包括:收集用户访问记录;对原始数据进行清洗与统计处理,生成第一流量时序数据;对第一流量时序数据进行多尺度小波分解,得到各层小波系数;以各层小波系数为分析对象,建立对应的平稳时间序列模型并进行预测,得到各层预测小波系数;对各层预测小波系数进行小波重构,得到第二流量时序数据;以第二流量时序数据为流量预测值,将同一时间对应的实际流量值与流量预测值进行比对;若实际流量值在流量预测值的置信区间内,则判定当前网络流量正常,否则判定当前网络流量异常。本发明还公开了一种异常流量监测装置、设备及计算机可读存储介质。本发明提升了异常流量监测准确率,降低了部署成本。(The invention discloses an abnormal flow monitoring method, which comprises the following steps: collecting user access records; cleaning and counting the original data to generate first flow time sequence data; carrying out multi-scale wavelet decomposition on the first flow time sequence data to obtain wavelet coefficients of each layer; establishing a corresponding stationary time sequence model by taking the wavelet coefficients of each layer as an analysis object, and predicting to obtain the predicted wavelet coefficients of each layer; performing wavelet reconstruction on the prediction wavelet coefficients of each layer to obtain second flow time sequence data; taking the second flow time series data as a flow predicted value, and comparing an actual flow value corresponding to the same time with the flow predicted value; and if the actual flow value is within the confidence interval of the flow predicted value, judging that the current network flow is normal, otherwise, judging that the current network flow is abnormal. The invention also discloses an abnormal flow monitoring device, equipment and a computer readable storage medium. The invention improves the abnormal flow monitoring accuracy and reduces the deployment cost.)
1. An abnormal flow monitoring method is characterized by comprising the following steps:
collecting user access records in a preset time period based on a preset buried point;
cleaning and counting the original data in the user access record to generate first traffic time series data corresponding to the access volume, wherein the first traffic time series data reflect the corresponding relation between the access volume and time;
performing multi-scale wavelet decomposition on the first flow time sequence data by adopting a multi-resolution analysis algorithm through a preset low-pass filter and a preset high-pass filter to obtain wavelet coefficients respectively corresponding to wavelet decomposition of each layer;
respectively establishing corresponding stationary time sequence models by taking the wavelet coefficients of each layer as analysis objects, and predicting the wavelet coefficients of each layer through the stationary time sequence models to obtain the corresponding predicted wavelet coefficients of each layer;
performing wavelet reconstruction on the prediction wavelet coefficients corresponding to each layer by adopting inverse wavelet transform to obtain second flow time sequence data;
taking the second flow time series data as a flow predicted value, and comparing an actual flow value corresponding to the same time with the flow predicted value;
if the actual flow value is within the confidence interval of the flow predicted value, judging that the current network flow is normal; and if the actual flow value exceeds the confidence interval of the flow predicted value, judging that the current network flow is abnormal.
2. The abnormal traffic monitoring method according to claim 1, wherein the cleaning and statistical processing of the raw data in the user access record, and the generating of the first traffic timing data corresponding to the access volume comprises:
detecting whether the original data in the user access record has missing values or not;
if the missing value exists, calculating the missing value proportion corresponding to each field, and cleaning the missing value according to the missing value proportion and the field importance degree, wherein the missing value cleaning comprises the following steps: deleting the field of the missing value and completing the missing value by using an interpolation method;
sequencing original data in the user access records, and calculating the similarity between each sequenced record and an adjacent record;
if the similarity between different records exceeds a preset threshold, judging to record repeatedly and deleting redundant data;
and carrying out access quantity statistics on the cleaned data according to a time sequence to generate the first flow time series data corresponding to the access quantity.
3. The abnormal flow monitoring method according to claim 1 or 2, wherein the step of taking wavelet coefficients of each layer as an analysis object, respectively establishing corresponding stationary time series models, and predicting the wavelet coefficients of each layer through the stationary time series models to obtain the predicted wavelet coefficients corresponding to each layer comprises:
respectively carrying out stationarity detection on the wavelet coefficients of each layer to judge whether the wavelet coefficients of each layer are a stationary time sequence;
if one or more layers of wavelet coefficients are non-stationary time sequences, performing differential operation on the one or more layers of wavelet coefficients until any layer of wavelet coefficients are stationary time sequences;
if any layer of wavelet coefficient is a stationary time sequence, white noise detection is respectively carried out on each layer of wavelet coefficient;
if any layer of wavelet coefficient is a stable non-white noise time sequence, respectively calculating the autocorrelation coefficient and the partial autocorrelation coefficient of each layer of wavelet coefficient;
respectively determining a stable time sequence model suitable for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients;
if the wavelet coefficients of all layers are suitable for the autoregressive moving average model, determining the order of the autoregressive moving average model to be constructed based on a preset order-fixing rule;
performing parameter estimation on an autoregressive moving average model to be constructed to obtain a model parameter value;
respectively constructing an autoregressive moving average model corresponding to each layer of wavelet coefficient based on the determined order and the model parameter value;
and respectively predicting wavelet coefficients of each layer based on the constructed respective regression moving average model to obtain the predicted wavelet coefficients corresponding to each layer.
4. The abnormal flow monitoring method according to claim 3, wherein the determining the suitable stationary time series model for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients respectively comprises:
judging whether the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are trailing or not and judging whether the autocorrelation coefficients corresponding to the wavelet coefficients of each layer are truncated or not;
if the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are truncated and the autocorrelation coefficients are all trailing, determining that the wavelet coefficients of each layer are all suitable for the autoregressive model;
if the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are all trailing and the autocorrelation coefficients are all truncated, determining that the wavelet coefficients of each layer are all suitable for the moving average model;
and if the partial autocorrelation coefficients and the autocorrelation coefficients corresponding to the wavelet coefficients of each layer are both tailing, determining that the wavelet coefficients of each layer are all suitable for the autoregressive moving average model.
5. The abnormal flow monitoring method according to claim 4, wherein after the step of determining the suitable stationary time series model for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients, further comprising:
if the wavelet coefficients of all layers are suitable for the autoregressive model, determining the order of the autoregressive model to be constructed based on the preset order-fixing criterion;
performing parameter estimation on the autoregressive model to be constructed to obtain a model parameter value;
respectively constructing autoregressive models corresponding to wavelet coefficients of each layer based on the determined order and the model parameter values obtained through parameter estimation;
and respectively predicting wavelet coefficients of each layer based on each constructed autoregressive model to obtain the predicted wavelet coefficients corresponding to each layer.
6. The abnormal flow monitoring method according to claim 4, wherein after the step of determining the suitable stationary time series model for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients, further comprising:
if the wavelet coefficients of all layers are suitable for the moving average model, determining the order of the moving average model to be constructed based on the preset order-fixing criterion;
performing parameter estimation on a moving average model to be constructed to obtain a model parameter value;
respectively constructing moving average models corresponding to wavelet coefficients of each layer based on the determined order and model parameter values obtained through parameter estimation;
and respectively predicting wavelet coefficients of each layer based on each constructed moving average model to obtain the predicted wavelet coefficients corresponding to each layer.
7. The abnormal flow monitoring method of claim 1, wherein the corresponding formula for performing multi-scale wavelet decomposition using the multi-resolution analysis algorithm is as follows:
cAj+1=H*cAj,cDj+1=G*cDj,j=1,2,...,J;
the corresponding formula for wavelet reconstruction using inverse wavelet transform is as follows:
cAj-1=H**cAj+G*cDj,j=1,2,...,J;
wherein H, G is decomposition operator, H is low-pass filter, G is high-pass filter, H and G are dual operators of decomposition operator H, G, and cA0Representing the raw signal data, cAjAnd cDjRespectively expressed in resolution 2-jThe low-frequency signal portion and the high-frequency signal portion of the lower-original signal data, J indicates the maximum number of decomposition layers.
8. An abnormal flow monitoring device, comprising:
the collection module is used for collecting user access records in a preset time period based on a preset buried point;
the preprocessing module is used for cleaning and counting the original data in the user access record to generate first traffic time series data corresponding to the access volume, and the first traffic time series data reflect the corresponding relation between the access volume and the time;
the decomposition module is used for carrying out multi-scale wavelet decomposition on the first flow time sequence data by adopting a multi-resolution analysis algorithm through a preset low-pass filter and a preset high-pass filter to obtain wavelet coefficients respectively corresponding to wavelet decomposition of each layer;
the prediction module is used for respectively establishing corresponding stationary time series models by taking the wavelet coefficients of each layer as an analysis object, and predicting the wavelet coefficients of each layer through the stationary time series models to obtain the corresponding predicted wavelet coefficients of each layer;
the reconstruction module is used for performing wavelet reconstruction on the prediction wavelet coefficients corresponding to each layer by adopting inverse wavelet transform to obtain second flow time sequence data;
the comparison module is used for taking the second flow time sequence data as a flow predicted value and comparing an actual flow value corresponding to the same time with the flow predicted value;
the judging module is used for judging that the current network flow is normal if the actual flow value is within the confidence interval of the flow predicted value; and if the actual flow value exceeds the confidence interval of the flow predicted value, judging that the current network flow is abnormal.
9. An abnormal traffic monitoring device, comprising a memory, a processor, and an abnormal traffic monitoring program stored on the memory and executable on the processor, the abnormal traffic monitoring program when executed by the processor implementing the steps of the abnormal traffic monitoring method according to any one of claims 1-7.
10. A computer-readable storage medium, having stored thereon an abnormal flow monitoring program, which when executed by a processor, performs the steps of the abnormal flow monitoring method of any one of claims 1-7.
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for monitoring abnormal traffic.
Background
With the arrival of the information age, monitoring of abnormal network traffic is always an important ring in the field of information security. Network anomaly traffic refers to traffic in the network that varies significantly on an irregular basis. The method aims at sudden change abnormality which can occur in a short time of network traffic, and problems such as high-frequency operation, abnormal period access, file abnormality or access object abnormality and the like can exist behind the sudden change abnormality. Either type of problem may face quality of service degradation affecting normal user access and network security issues.
The conventional abnormal traffic monitoring is used for monitoring abnormal traffic according to basic characteristics and combination characteristics such as request quantity, length of a traffic data packet, network traffic size and the like, the method is suitable for monitoring small-scale and simple networks, network structures used by a plurality of enterprises at present are large in scale, such as a plurality of branch organizations, a plurality of service types, and a plurality of and complicated application scenes, such as a scene of network shopping, the application scenes are not only related to customer service communication and third party payment, but also related to third party logistics, subsequent after-sale service, provider management and the like, and the application scenes are very complicated, so that the conventional abnormal traffic monitoring is not suitable for the complicated network structures and complicated application scenes at present.
Disclosure of Invention
The invention mainly aims to provide an abnormal traffic monitoring method, device, equipment and storage medium, aiming at solving the technical problem that the existing network abnormal traffic monitoring mode cannot adapt to the current complex network structure and application scene.
In order to achieve the above object, the present invention provides an abnormal traffic monitoring method, which includes the following steps:
collecting user access records in a preset time period based on a preset buried point;
cleaning and counting the original data in the user access record to generate first traffic time series data corresponding to the access volume, wherein the first traffic time series data reflect the corresponding relation between the access volume and time;
performing multi-scale wavelet decomposition on the first flow time sequence data by adopting a multi-resolution analysis algorithm through a preset low-pass filter and a preset high-pass filter to obtain wavelet coefficients respectively corresponding to wavelet decomposition of each layer;
respectively establishing corresponding stationary time sequence models by taking the wavelet coefficients of each layer as analysis objects, and predicting the wavelet coefficients of each layer through the stationary time sequence models to obtain the corresponding predicted wavelet coefficients of each layer;
performing wavelet reconstruction on the prediction wavelet coefficients corresponding to each layer by adopting inverse wavelet transform to obtain second flow time sequence data;
taking the second flow time series data as a flow predicted value, and comparing an actual flow value corresponding to the same time with the flow predicted value;
if the actual flow value is within the confidence interval of the flow predicted value, judging that the current network flow is normal; and if the actual flow value exceeds the confidence interval of the flow predicted value, judging that the current network flow is abnormal.
Optionally, the cleaning and counting the original data in the user access record, and generating first traffic time series data corresponding to the access volume includes:
detecting whether the original data in the user access record has missing values or not;
if the missing value exists, calculating the missing value proportion corresponding to each field, and cleaning the missing value according to the missing value proportion and the field importance degree, wherein the missing value cleaning comprises the following steps: deleting the field of the missing value and completing the missing value by using an interpolation method;
sequencing original data in the user access records, and calculating the similarity between each sequenced record and an adjacent record;
if the similarity between different records exceeds a preset threshold, judging to record repeatedly and deleting redundant data;
and carrying out access quantity statistics on the cleaned data according to a time sequence to generate the first flow time series data corresponding to the access quantity.
Optionally, the step of taking the wavelet coefficients of each layer as an analysis object, respectively establishing corresponding stationary time series models, and predicting the wavelet coefficients of each layer through the stationary time series models to obtain the predicted wavelet coefficients corresponding to each layer includes:
respectively carrying out stationarity detection on the wavelet coefficients of each layer to judge whether the wavelet coefficients of each layer are a stationary time sequence;
if one or more layers of wavelet coefficients are non-stationary time sequences, performing differential operation on the one or more layers of wavelet coefficients until any layer of wavelet coefficients are stationary time sequences;
if any layer of wavelet coefficient is a stationary time sequence, white noise detection is respectively carried out on each layer of wavelet coefficient;
if any layer of wavelet coefficient is a stable non-white noise time sequence, respectively calculating the autocorrelation coefficient and the partial autocorrelation coefficient of each layer of wavelet coefficient;
respectively determining a stable time sequence model suitable for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients;
if the wavelet coefficients of all layers are suitable for the autoregressive moving average model, determining the order of the autoregressive moving average model to be constructed based on a preset order-fixing rule;
performing parameter estimation on an autoregressive moving average model to be constructed to obtain a model parameter value;
respectively constructing an autoregressive moving average model corresponding to each layer of wavelet coefficient based on the determined order and the model parameter value;
and respectively predicting wavelet coefficients of each layer based on the constructed respective regression moving average model to obtain the predicted wavelet coefficients corresponding to each layer.
Optionally, the determining, according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer, a stationary time series model suitable for the wavelet coefficients of each layer respectively includes:
judging whether the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are trailing or not and judging whether the autocorrelation coefficients corresponding to the wavelet coefficients of each layer are truncated or not;
if the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are truncated and the autocorrelation coefficients are all trailing, determining that the wavelet coefficients of each layer are all suitable for the autoregressive model;
if the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are all trailing and the autocorrelation coefficients are all truncated, determining that the wavelet coefficients of each layer are all suitable for the moving average model;
and if the partial autocorrelation coefficients and the autocorrelation coefficients corresponding to the wavelet coefficients of each layer are both tailing, determining that the wavelet coefficients of each layer are all suitable for the autoregressive moving average model.
Optionally, after the step of determining a suitable stationary time series model for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients, the method further includes:
if the wavelet coefficients of all layers are suitable for the autoregressive model, determining the order of the autoregressive model to be constructed based on the preset order-fixing criterion;
performing parameter estimation on an autoregressive model to be constructed to obtain a model parameter value;
respectively constructing autoregressive models corresponding to wavelet coefficients of each layer based on the determined order and model parameter values obtained through parameter estimation;
and respectively predicting wavelet coefficients of each layer based on the constructed respective regression models to obtain the predicted wavelet coefficients corresponding to each layer.
Optionally, after the step of determining a suitable stationary time series model for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients, the method further includes:
if the wavelet coefficients of all layers are suitable for the moving average model, determining the order of the moving average model to be constructed based on the preset order-fixing criterion;
performing parameter estimation on a moving average model to be constructed to obtain a model parameter value;
respectively constructing moving average models corresponding to wavelet coefficients of each layer based on the determined order and model parameter values obtained through parameter estimation;
and respectively predicting wavelet coefficients of each layer based on each constructed moving average model to obtain the predicted wavelet coefficients corresponding to each layer.
Optionally, a corresponding formula for performing multi-scale wavelet decomposition by using a multi-resolution analysis algorithm is as follows:
cAj+1=H*cAj,cDj+1=G*cDj,j=1,2,...,J;
the corresponding formula for wavelet reconstruction using inverse wavelet transform is as follows:
cAj-1=H**cAj+G*cDj,j=1,2,...,J;
wherein H, G is decomposition operator, H is low-pass filter, G is high-pass filter, H and G are dual operators of decomposition operator H, G, and cA0Representing the raw signal data, cAjAnd cDjRespectively expressed in resolution 2-jThe low-frequency signal portion and the high-frequency signal portion of the lower-original signal data, J indicates the maximum number of decomposition layers.
Further, to achieve the above object, the present invention further provides an abnormal flow monitoring device, including:
the collection module is used for collecting user access records in a preset time period based on a preset buried point;
the preprocessing module is used for cleaning and counting the original data in the user access record to generate first traffic time series data corresponding to the access volume, and the first traffic time series data reflect the corresponding relation between the access volume and the time;
the decomposition module is used for carrying out multi-scale wavelet decomposition on the first flow time sequence data by adopting a multi-resolution analysis algorithm through a preset low-pass filter and a preset high-pass filter to obtain wavelet coefficients respectively corresponding to wavelet decomposition of each layer;
the prediction module is used for respectively establishing corresponding stationary time series models by taking the wavelet coefficients of each layer as an analysis object, and predicting the wavelet coefficients of each layer through the stationary time series models to obtain the corresponding predicted wavelet coefficients of each layer;
the reconstruction module is used for performing wavelet reconstruction on the prediction wavelet coefficients corresponding to each layer by adopting inverse wavelet transform to obtain second flow time sequence data;
the comparison module is used for taking the second flow time sequence data as a flow predicted value and comparing an actual flow value corresponding to the same time with the flow predicted value;
the judging module is used for judging that the current network flow is normal if the actual flow value is within the confidence interval of the flow predicted value; and if the actual flow value exceeds the confidence interval of the flow predicted value, judging that the current network flow is abnormal.
Optionally, the preprocessing module comprises:
the detection unit is used for detecting whether the original data in the user access record has missing values or not;
a cleaning unit, configured to calculate a missing value ratio corresponding to each field if a missing value exists, and perform missing value cleaning according to the missing value ratio and a field importance degree, where the missing value cleaning includes: deleting the field of the missing value and completing the missing value by using an interpolation method;
the sequencing unit is used for sequencing the original data in the user access records and calculating the similarity between each sequenced record and the adjacent record;
the judging unit is used for judging that the records are repeatedly recorded and deleting redundant data if the similarity between different records exceeds a preset threshold;
and the generating unit is used for counting the access amount of the cleaned data according to the time sequence and generating the first flow time sequence data corresponding to the access amount.
Optionally, the prediction module comprises:
the stability detection unit is used for respectively carrying out stability detection on the wavelet coefficients of each layer so as to judge whether the wavelet coefficients of each layer are stable time sequences or not;
the differential operation unit is used for carrying out differential operation on one or more layers of wavelet coefficients until any layer of wavelet coefficient is a stationary time sequence if one or more layers of wavelet coefficients are non-stationary time sequences;
the white noise detection unit is used for respectively carrying out white noise detection on the wavelet coefficients of each layer if the wavelet coefficients of any layer are a stationary time sequence;
the coefficient determining unit is used for respectively calculating the autocorrelation coefficient and the partial autocorrelation coefficient of each layer of wavelet coefficient if any layer of wavelet coefficient is a stable non-white noise time sequence;
the model determining unit is used for respectively determining a stable time sequence model suitable for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients;
the model building unit is used for determining the order of the autoregressive moving average model to be built based on a preset order-fixing rule if the wavelet coefficients of each layer are suitable for the autoregressive moving average model; performing parameter estimation on an autoregressive moving average model to be constructed to obtain a model parameter value; respectively constructing an autoregressive moving average model corresponding to each layer of wavelet coefficient based on the determined order and the model parameter value;
and the model prediction unit is used for predicting the wavelet coefficients of each layer respectively based on the constructed respective regression moving average model to obtain the corresponding predicted wavelet coefficients of each layer.
Optionally, the model determining unit is further specifically configured to:
judging whether the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are trailing or not and judging whether the autocorrelation coefficients corresponding to the wavelet coefficients of each layer are truncated or not;
if the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are truncated and the autocorrelation coefficients are all trailing, determining that the wavelet coefficients of each layer are all suitable for the autoregressive model;
if the partial autocorrelation coefficients corresponding to the wavelet coefficients of each layer are all trailing and the autocorrelation coefficients are all truncated, determining that the wavelet coefficients of each layer are all suitable for the moving average model;
and if the partial autocorrelation coefficients and the autocorrelation coefficients corresponding to the wavelet coefficients of each layer are both tailing, determining that the wavelet coefficients of each layer are all suitable for the autoregressive moving average model.
Optionally, the model building unit is further specifically configured to:
if the wavelet coefficients of all layers are suitable for the autoregressive model, determining the order of the autoregressive model to be constructed based on the preset order-fixing criterion; performing parameter estimation on an autoregressive model to be constructed to obtain a model parameter value; respectively constructing autoregressive models corresponding to wavelet coefficients of each layer based on the determined order and model parameter values obtained through parameter estimation; and respectively predicting the wavelet coefficients of each layer based on the constructed respective regression models to obtain the predicted wavelet coefficients corresponding to each layer.
Optionally, the model building unit is further specifically configured to: if the wavelet coefficients of all layers are suitable for the moving average model, determining the order of the moving average model to be constructed based on the preset order-fixing criterion; performing parameter estimation on a moving average model to be constructed to obtain a model parameter value; respectively constructing moving average models corresponding to wavelet coefficients of each layer based on the determined order and model parameter values obtained through parameter estimation; and respectively predicting the wavelet coefficients of each layer based on each constructed moving average model to obtain the corresponding predicted wavelet coefficients of each layer.
Optionally, a corresponding formula for performing multi-scale wavelet decomposition by using a multi-resolution analysis algorithm in the decomposition module is as follows:
cAj+1=H*cAj,cDj+1=G*cDj,j=1,2,...,J;
the corresponding formula for wavelet reconstruction using inverse wavelet transform is as follows:
cAj-1=H**cAj+G*cDj,j=1,2,...,J;
wherein H, G is decomposition operator, H is low-pass filter, G is high-pass filter, H and G are dual operators of decomposition operator H, G, and cA0Representing the raw signal data, cAjAnd cDjRespectively expressed in resolution 2-jThe low-frequency signal portion and the high-frequency signal portion of the lower-original signal data, J indicates the maximum number of decomposition layers.
Further, in order to achieve the above object, the present invention also provides an abnormal traffic monitoring device, which includes a memory, a processor, and an abnormal traffic monitoring program stored in the memory and capable of running on the processor, wherein when the abnormal traffic monitoring program is executed by the processor, the abnormal traffic monitoring method according to any one of the above steps is implemented.
Further, to achieve the above object, the present invention also provides a computer readable storage medium, having an abnormal flow monitoring program stored thereon, where the abnormal flow monitoring program, when executed by a processor, implements the steps of the abnormal flow monitoring method according to any one of the above.
The invention processes flow data based on wavelet analysis to highlight the local information of flow, and finds out the rules and characteristics hidden by the original signal after multi-scale thinning the signal information, namely obtains the predicted value of each layer of wavelet coefficient, and then carries out wavelet reconstruction on each obtained wavelet coefficient predicted value to obtain predicted flow time sequence data. Based on the advantages of wavelet analysis, the method not only can remove prediction misjudgment caused by noise in flow time sequence data, but also can contain time domain and frequency domain information in signals, firstly establishes an ARMA time sequence model to predict wavelet coefficients through wavelet decomposition, then obtains predicted series flow data through wavelet reconstruction, reserves time sequence characteristics, and further can set different threshold ranges according to flow predicted values and different service scenes to identify and alarm abnormal flow.
Drawings
Fig. 1 is a schematic structural diagram of an operating environment of an abnormal flow monitoring device according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart illustrating an abnormal traffic monitoring method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a detailed flow of step S20 in FIG. 2;
FIG. 4 is a schematic diagram illustrating a detailed flow of step S40 in FIG. 2;
FIG. 5 is a functional block diagram of an embodiment of an abnormal flow monitoring apparatus according to the present invention;
FIG. 6 is a block diagram illustrating a detailed function of one embodiment of the
fig. 7 is a schematic diagram of a detailed functional module of an embodiment of the
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides abnormal flow monitoring equipment.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an operating environment of an abnormal flow monitoring device according to an embodiment of the present invention.
As shown in fig. 1, the abnormal flow monitoring apparatus includes: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display (Display), an input unit such as a Keyboard (Keyboard), and the network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the hardware configuration of the abnormal flow monitoring device shown in fig. 1 does not constitute a limitation of the abnormal flow monitoring device, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer-readable storage medium, may include therein an operating system, a network communication module, a user interface module, and an abnormal traffic monitoring program. The operating system is a program for managing and controlling the abnormal flow monitoring equipment and software resources, and supports the operation of the abnormal flow monitoring program and other software and/or programs.
In the hardware structure of the abnormal traffic monitoring apparatus shown in fig. 1, the network interface 1004 is mainly used for accessing a network; the user interface 1003 is mainly used for detecting a confirmation instruction, an editing instruction, and the like, and the processor 1001 may be configured to call the abnormal traffic monitoring program stored in the memory 1005, and perform the following operations of the embodiments of the abnormal traffic monitoring method.
Based on the above hardware structure of the abnormal traffic monitoring device, the embodiments of the abnormal traffic monitoring method of the present invention are provided.
Referring to fig. 2, fig. 2 is a schematic flow chart of an abnormal traffic monitoring method according to an embodiment of the present invention. In this embodiment, the abnormal traffic monitoring method includes the following steps:
step S10, collecting user access records in a preset time period based on a preset buried point;
generally, network traffic is reflected in the access volume, and therefore, the embodiment needs to obtain the user access record recorded with the user access volume information. In this embodiment, the user access record data in the preset time period is collected by burying a point in a preset burying point, for example, in a log database. To more truly fit the traffic characteristics of the network traffic, it is therefore preferable to collect user access records over a period of at least one month or more.
Optionally, in an embodiment, the user access record includes information such as a user ID, user and server IP addresses, user access time, user dwell time, and user end access time.
Step S20, cleaning and counting the original data in the user access record, and generating first flow time series data corresponding to the access amount, wherein the first flow time series data reflects the corresponding relation between the access amount and the time;
in this embodiment, for convenience of subsequent processing, the raw data in the collected user access record is cleaned and statistically processed in advance, so as to generate traffic time series data corresponding to the access amount.
Data cleansing refers to filtering out unsatisfactory data, mainly including incomplete data, erroneous data and repeated data. In which, incomplete data, that is, some information that should be present, is missing, and such data needs to be removed or supplemented by interpolation processing. The wrong data refers to data with an incorrect format, such as an incorrect field format and an incorrect business meaning corresponding to the data. Duplicate data, such data needs to be culled. The data statistics refers to statistics of system access volumes in different time periods, so that time sequence data corresponding to the access volumes, namely first flow rate time sequence data, can be obtained.
In this embodiment, after the original data in the user access record is cleaned and statistically processed, the flow time series data corresponding to the access amount, that is, the time series data formed by the access amount sets corresponding to different time points, is generated.
Step S30, performing multi-scale wavelet decomposition on the first flow time sequence data by adopting a multi-resolution analysis algorithm through a preset low-pass filter and a preset high-pass filter to obtain wavelet coefficients respectively corresponding to wavelet decomposition of each layer;
wavelet decomposition refers to that an original signal is expanded according to a certain wavelet function cluster, namely, the original signal is represented as a series of linear combinations of wavelet functions with different scales and different time shifts, wherein the coefficient of each term is called as a wavelet coefficient, and the linear combinations of all the wavelet functions with different time shifts under the same scale are called as wavelet components of the signal under the scale.
The wavelet coefficient is a coefficient of which the wavelet basis function is similar to the original signal, and is only suitable for discrete wavelet transform because network flow data is discrete data, and simultaneously, because a plurality of wavelet functions are not orthogonal functions, the wavelet transform needs a scale function, namely the original signal function can be decomposed into a linear combination of the scale function and the wavelet function, in the function, the scale function generates a low-frequency part, and the wavelet function generates a high-frequency part, so that the wavelet coefficient comprises a detail coefficient corresponding to the high-frequency part in flow time sequence data and an approximation coefficient corresponding to the low-frequency part. The scaling function may be implemented by a low pass filter and the wavelet function may be implemented by a high pass filter. Such a filter bank forms the framework of the original signal decomposition. The scaling function of the low-pass filter may be a mother function of the wavelet function and the scaling function of the next stage.
In the embodiment, the original signal function is decomposed into corresponding spaces according to layers by adopting a multi-resolution analysis algorithm. In one embodiment, the multi-resolution analysis algorithm performs band division on the original signal by using two constructed filters, and the algorithm is expressed as follows:
cAj+1=H*cAj,cDj+1=G*cDj,j=1,2,...,J;
wherein H, G is a decomposition operator, H represents a low-pass filter, G represents a high-pass filter, and cA0Representing the raw signal data, cAjAnd cDjRespectively expressed in resolution 2-jA low frequency signal portion and a high frequency signal portion of the lower original signal data, J represents a maximum number of decomposition layers, cD1=G*cA0。
Step S40, taking wavelet coefficients of each layer as analysis objects, respectively establishing corresponding stationary time series models, and predicting the wavelet coefficients of each layer through the stationary time series models to obtain the corresponding predicted wavelet coefficients of each layer;
in this embodiment, a stationary time series model (preferably an ARMA model) is initialized using wavelet coefficients (including detail coefficients corresponding to a high frequency portion and approximation coefficients corresponding to a low frequency portion) obtained by performing wavelet decomposition on actual flow as actual data. Before the stationary time series model is used, parameters of the stationary time series model need to be calculated, and then wavelet coefficients of each layer need to be predicted.
Step S50, performing wavelet reconstruction on the prediction wavelet coefficients corresponding to each layer by adopting inverse wavelet transform to obtain second flow time sequence data;
in this embodiment, wavelet reconstruction is performed on each layer of wavelet coefficients obtained by prediction by using inverse wavelet transform, that is, the prediction results of each layer of detail coefficients and approximation coefficients are superimposed (the original signal is equal to the superposition of the high frequency part of each decomposition layer and the low frequency part of the last layer), and finally reconstructed flow time series data is obtained.
It should be noted that if cAj and cDj are known, the wavelet decomposition process can be subjected to inverse operation, so that the reconstruction of the approximate part and the detailed part of the original signal is realized, and new equal-length flow time series data is obtained. In one embodiment, the wavelet reconstruction is preferably performed by using an inverse wavelet transform, and the corresponding formula is as follows:
cAj-1=H**cAj+G*cDj,j=1,2,...,J;
wherein H, G is decomposition operator, H is low-pass filter, G is high-pass filter, H and G are dual operators of decomposition operator H, G, and cA0Representing the raw signal data, cAjAnd cDjRespectively expressed in resolution 2-jA low frequency signal portion and a high frequency signal portion of the lower original signal data, J represents a maximum number of decomposition layers, cD1=G*cA0。
The approximate part and the detail part of the original signal can be reconstructed by the reconstruction algorithm.
Step S60, taking the second flow time sequence data as a flow predicted value, and comparing an actual flow value corresponding to the same time with the flow predicted value;
in this embodiment, after the reconstructed predicted flow time series data is obtained, the reconstructed predicted flow time series data is compared with actual flow data, and a certain difference threshold between a predicted value and a true value is set to perform abnormal flow judgment and alarm.
Step S70, if the actual flow value is in the confidence interval of the flow predicted value, the current network flow is judged to be normal; and if the actual flow value exceeds the confidence interval of the flow predicted value, judging that the current network flow is abnormal.
In this embodiment, a range above and below the predicted value may be set as a confidence interval, for example, five per thousand; however, in actual traffic, the tolerance to fluctuation may be different, for example, the threshold value is one thousandth of fluctuation upwards (the surge in the access amount may be caused by malicious access or attack, and the risk is high), and five thousandth of fluctuation downwards (the tolerance to the reduction in the access amount of the user is high).
In the embodiment, by comparing the flow time series data corresponding to the same time, if the actual flow value is within the confidence interval of the flow predicted value, the current network flow is judged to be normal; and if the actual flow value exceeds the confidence interval of the flow predicted value, judging that the current network flow is abnormal.
The embodiment performs flow data processing based on wavelet analysis to highlight the local information of flow, finds rules and characteristics hidden by original signals after performing multi-scale refinement on signal information, namely obtains the predicted values of wavelet coefficients of each layer, performs wavelet reconstruction on the obtained predicted values of the wavelet coefficients to obtain predicted flow time sequence data, and can distinguish normal sequences from abnormal sequences based on the predicted flow time sequence data so as to identify and alarm abnormal flow. Based on the advantages of wavelet analysis, the method can remove prediction misjudgment caused by noise in flow time sequence data, can also contain time domain and frequency domain information in signals, firstly establishes an ARMA time sequence model to predict wavelet coefficients through wavelet decomposition, then obtains a series of predicted flow data through wavelet reconstruction, retains period time sequence characteristics, and further can set different threshold ranges according to flow predicted values and different service scenes to identify and alarm abnormal flow.
Referring to fig. 3, fig. 3 is a schematic view of a detailed flow of the step S20 in fig. 2. Based on the foregoing embodiment, in this embodiment, the foregoing step S20 further includes:
step S201, detecting whether the original data in the user access record has a missing value;
in this embodiment, the user access log records a plurality of information, such as a user ID, user and server IP addresses, user access time, user dwell time, user access end time, access exception condition, access state, exception type code, and exception type description, using a plurality of fields, and if a field corresponding to a record has a missing value, it is determined that the record has a missing value.
Step S202, if a missing value exists, calculating the missing value proportion corresponding to each field, and cleaning the missing value according to the missing value proportion and the field importance degree, wherein the cleaning of the missing value comprises the following steps: deleting the field of the missing value and completing the missing value by using an interpolation method;
in this embodiment, if there are missing values in one or some fields in the user access record, the missing value ratio corresponding to each field, for example, there are 100 user access records, and if there are missing values in 10 records corresponding to a field, the missing value ratio corresponding to the field is 10%.
In this embodiment, the importance levels of different fields in the actual application scenario are different. For example, the user IP address is more important than the server IP address, and the user access time is more important than the user dwell time. The different degrees of importance of the fields differ in the cleaning strategy used. For example, if the missing value ratio is high and the field importance level is low, the missing value field is deleted as it is, and if the missing value ratio is low and the field importance level is high, the missing value is completed by interpolation.
Step S203, sequencing the original data in the user access records, and calculating the similarity between each sequenced record and the adjacent record;
step S204, if the similarity between different records exceeds a preset threshold, determining to repeatedly record and delete redundant data;
in this embodiment, the repeated records are further subjected to deduplication processing, specifically, all original data in the user access records are sorted first, for example, sorted based on the numerical value of a certain field, for example, sorted based on access time, and then the similarity between each sorted record and an adjacent record is calculated, for example, the similarity between different records is calculated by adopting a field matching algorithm, a standardized euclidean distance, and the like. If the similarity between different records exceeds a preset threshold (such as 90%), the recording is determined to be repeated and redundant data is deleted.
Step S205, performing access amount statistics on the cleaned data according to a time sequence, and generating the first traffic time series data corresponding to the access amount.
In this embodiment, in order to obtain time series data of the access amount, statistical processing is further performed on the data after cleaning. For example, at time point 1, three IP addresses IP1, IP2 and IP3 are corresponded, and the corresponding time point corresponds to
Referring to fig. 4, fig. 4 is a schematic view of a detailed flow of the step S40 in fig. 2. Based on the foregoing embodiment, in this embodiment, the foregoing step S40 further includes:
step S401, respectively carrying out stationarity detection on wavelet coefficients of each layer to judge whether the wavelet coefficients of each layer are stationary time sequences;
if the time series meets the following requirements: (1) for any time t, the average value is constant; (2) for any time t and s, the correlation coefficient of the time series is determined by the time period between two time points, and the starting point of the two time points does not cause any influence. Such a time series is a stationary time series.
In this embodiment, in order to determine whether there is a random trend or a deterministic trend in the original data sequence, it is necessary to perform stationarity detection on the data. The stationarity checking method comprises data diagram, reverse order checking, run checking, unit root checking, DF checking, ADF checking and the like.
Step S402, if one or more layers of wavelet coefficients are non-stationary time sequences, performing differential operation on the one or more layers of wavelet coefficients until any layer of wavelet coefficients are stationary time sequences;
in practical applications, it is often encountered that the time series of the input is verified to be non-stationary, so that a stationary time series model cannot be adopted, and the common processing method is to convert them into stationary by adopting a differential method.
After the difference, if the time sequence is checked to be stable, the time sequence after the difference is processed, and a corresponding stable random process or model can be established. When a non-stationary time series is subjected to d-order difference processing and becomes a stationary time series, a stationary ARMA (p, q) model can be used as its corresponding model.
Step S403, if any layer of wavelet coefficients are stationary time sequences, white noise detection is respectively carried out on the wavelet coefficients of each layer;
in this embodiment, in order to verify whether the sequence is white noise, if the sequence is white noise, the sequence is all randomly disturbed, and cannot be predicted and used.
Step S404, if any layer of wavelet coefficients are a stationary non-white noise time sequence, respectively calculating the autocorrelation coefficients and the partial autocorrelation coefficients of the wavelet coefficients of each layer;
the correlation coefficient is used to measure the linear correlation of two vectors, while in stationary time series RtIn (b), RtAnd Rt-iThe linear correlation of (a) is called the autocorrelation coefficient. Partial autocorrelation coefficients for evaluation, Rt-iTo RtThe degree of correlation of the influence. The specific calculation method is the same as that in the prior art, and therefore, redundant description is not repeated.
Step S405, respectively determining a stable time sequence model suitable for each layer of wavelet coefficients according to the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients;
in this embodiment, the autocorrelation coefficients and the partial autocorrelation coefficients corresponding to the time series data are different, and the stationary time series models corresponding to the time series data are also different.
Optionally, in a specific embodiment, the stationary time series model suitable for each layer of wavelet coefficients is determined by determining whether the partial autocorrelation coefficients corresponding to each layer of wavelet coefficients are trailing and determining whether the autocorrelation coefficients corresponding to each layer of wavelet coefficients are truncated.
If the partial autocorrelation coefficients of the stationary sequence are truncated and the autocorrelation coefficients are trailing, it can be concluded that the sequence fits the AR model; if the partial autocorrelation coefficients of stationary sequences are tailing and the autocorrelation coefficients are truncated, then the sequence can be judged to fit the MA model; if both the partial and autocorrelation coefficients of a stationary sequence are smeared, the sequence fits into the ARMA model. The truncation refers to the property that the Autocorrelation Coefficient (ACF) or Partial Autocorrelation Coefficient (PACF) of the time series is 0 after a certain order (e.g., PACF of AR); tail is a property that either ACF or PACF is not all 0 after a certain order (e.g., ACF for AR).
Step S406, if the wavelet coefficients of each layer are all suitable for the autoregressive moving average model, determining the order of the autoregressive moving average model to be constructed based on a preset order-fixing criterion;
in this embodiment, the autoregressive moving average process has the characteristic of randomness, and includes two different parts, i.e., autoregressive and moving average. If p represents the upper limit of the order value of the previous portion (autoregressive order) and q represents the upper limit of the order value of the subsequent portion (moving average order), the autoregressive moving average process can be denoted as ARMA (p, q). In an embodiment, the following expression is preferably used to determine the auto-regressive moving average model to be constructed, specifically as follows:
wherein epsilont,εt-1,...,εt-qIs a white noise source, and is,
And if the wavelet coefficients of all the layers belong to the autoregressive moving average model, determining the order of the autoregressive moving average model to be constructed based on a preset order-fixing rule. When the model is judged to be the ARMA model by using the autocorrelation function and the truncation of the partial autocorrelation function, the orders of p and q cannot be determined, and the order of p and q must be combined with a common order-determining criterion for accurately determining the orders of p and q. Such as the minimum Information Criterion AIC (a-Information Criterion).
Step S407, performing parameter estimation on an autoregressive moving average model to be constructed to obtain a model parameter value;
in this embodiment, after determining the order of the auto-regressive moving average model to be constructed, the parameter value of the model needs to be further calculated. For example, using a moment estimation method for parameter estimation, or using an approximate maximum likelihood estimation method for parameter estimation.
Step S408, respectively constructing autoregressive moving average models corresponding to wavelet coefficients of each layer based on the determined orders and the model parameter values;
and step S409, respectively predicting wavelet coefficients of each layer based on the constructed respective regression moving average model to obtain the corresponding predicted wavelet coefficients of each layer.
In this embodiment, after the order and the model parameter value of the autoregressive moving average model are determined, the autoregressive moving average model corresponding to each layer of wavelet coefficients can be constructed, and the predicted value of each layer of wavelet coefficients can be calculated according to the constructed autoregressive moving average model. In addition, the autoregressive model and the moving average model are constructed in the same manner as the autoregressive moving average model, and therefore, redundant description is not repeated.
Referring to fig. 5, fig. 5 is a functional module schematic diagram of an abnormal flow monitoring device according to an embodiment of the present invention. In this embodiment, the abnormal flow monitoring apparatus includes:
the collecting
the
the
the
the
a
the judging
Based on the same description of the embodiment as the abnormal traffic monitoring method of the present invention, the contents of the embodiment of the abnormal traffic monitoring apparatus are not described in detail in this embodiment.
The embodiment performs flow data processing based on wavelet analysis to highlight the local information of flow, finds rules and characteristics hidden by original signals after performing multi-scale refinement on signal information, namely obtains the predicted values of wavelet coefficients of each layer, performs wavelet reconstruction on the obtained predicted values of the wavelet coefficients to obtain predicted flow time sequence data, and can distinguish normal sequences from abnormal sequences based on the predicted flow time sequence data so as to identify and alarm abnormal flow. Based on the advantages of wavelet analysis, the method can remove prediction misjudgment caused by noise in flow time sequence data, can also contain time domain and frequency domain information in signals, firstly establishes an ARMA time sequence model to predict wavelet coefficients through wavelet decomposition, then obtains a series of predicted flow data through wavelet reconstruction, retains period time sequence characteristics, and further can set different threshold ranges according to flow predicted values and different service scenes to identify and alarm abnormal flow.
Referring to fig. 6, fig. 6 is a schematic diagram of a detailed functional module of an embodiment of the
a detecting
a
the
a determining
a
Based on the same description of the embodiment as the abnormal traffic monitoring method of the present invention, the contents of the embodiment of the abnormal traffic monitoring apparatus are not described in detail in this embodiment.
Referring to fig. 7, fig. 7 is a schematic diagram of a detailed functional module of an embodiment of the
a
a
a white
a
a
a
and the
Based on the same description of the embodiment as the abnormal traffic monitoring method of the present invention, the contents of the embodiment of the abnormal traffic monitoring apparatus are not described in detail in this embodiment.
The invention also provides a computer readable storage medium.
In this embodiment, a computer-readable storage medium stores an abnormal flow monitoring program, and the abnormal flow monitoring program, when executed by a processor, implements the steps of the abnormal flow monitoring method described in any one of the above embodiments. The method implemented when the abnormal traffic monitoring program is executed by the processor may refer to each embodiment of the abnormal traffic monitoring method of the present invention, and therefore, redundant description is not repeated.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM), and includes instructions for causing a terminal (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The present invention is described in connection with the accompanying drawings, but the present invention is not limited to the above embodiments, which are only illustrative and not restrictive, and those skilled in the art can make various changes without departing from the spirit and scope of the invention as defined by the appended claims, and all changes that come within the meaning and range of equivalency of the specification and drawings that are obvious from the description and the attached claims are intended to be embraced therein.
- 上一篇:一种医用注射器针头装配设备
- 下一篇:代理IP地址识别方法、装置、电子设备及存储介质