
CN-121984774-A - Network traffic data detection method, device, electronic equipment and readable medium


Abstract

Embodiments of the disclosure provide a network traffic data detection method, a network traffic data detection device, an electronic device and a readable medium. The method comprises: obtaining a first traffic data set; generating a target baseline traffic characteristic according to the first traffic data set; filtering the first traffic data in the first traffic data set according to the target baseline traffic characteristic to obtain a second traffic data set; performing data fingerprint feature extraction on the second traffic data set to generate a local data fingerprint feature set and a global data fingerprint feature; performing secondary traffic data filtering on the second traffic data set according to the global data fingerprint feature and the local data fingerprint feature set to obtain a third traffic data set; and generating a traffic anomaly detection result for each third traffic data item according to the local data fingerprint feature corresponding to that third traffic data item and a pre-trained traffic anomaly detection model. According to the embodiments, the data processing pressure during real-time detection can be effectively relieved while detection precision is maintained.

Inventors

  • WU JIANJUN
  • ZHANG XINCHENG
  • WANG FANG
  • WANG FENG
  • SUN HANG

Assignees

  • 开封大学

Dates

Publication Date
20260505
Application Date
20260304

Claims (10)

  1. A method for detecting network traffic data, comprising: acquiring a first traffic data set, wherein each first traffic data item in the first traffic data set is network traffic data to be detected that belongs to the same traffic batch; generating a target baseline traffic characteristic according to the first traffic data set; performing traffic data filtering on the first traffic data in the first traffic data set according to the target baseline traffic characteristic to obtain a second traffic data set; performing data fingerprint feature extraction on the second traffic data set to generate a local data fingerprint feature set and a global data fingerprint feature, wherein the local data fingerprint features correspond one-to-one to the second traffic data; performing secondary traffic data filtering on the second traffic data set according to the global data fingerprint feature and the local data fingerprint feature set to obtain a third traffic data set; and, for each third traffic data item in the third traffic data set, generating a traffic anomaly detection result according to the local data fingerprint feature corresponding to that third traffic data item and a pre-trained traffic anomaly detection model.
  2. The method of claim 1, wherein generating a target baseline traffic characteristic according to the first traffic data set comprises: acquiring interface description information corresponding to a target network interface, wherein the target network interface is a network interface in a target local area network that receives the first traffic data set; screening, according to the interface description information, the network interfaces that meet an interface screening condition out of the network interface set of the target local area network as candidate network interfaces, to obtain a candidate network interface set; determining a network interface liveness corresponding to each candidate network interface in the candidate network interface set, wherein the network interface liveness is generated in real time by a network firewall included in the target local area network; acquiring a reference baseline traffic characteristic corresponding to each candidate network interface in the candidate network interface set to obtain a reference baseline traffic characteristic set; generating a global baseline traffic characteristic according to the network interface liveness of the candidate network interfaces and the reference baseline traffic characteristic set; extracting a traffic characteristic from each first traffic data item in the first traffic data set to obtain a traffic characteristic set, wherein the traffic characteristics correspond one-to-one to the first traffic data; generating a local baseline traffic characteristic according to the traffic characteristic set; and performing baseline correction on the local baseline traffic characteristic according to the global baseline traffic characteristic to obtain the target baseline traffic characteristic.
  3. The network traffic data detection method of claim 2, further comprising: in response to the traffic anomaly detection result indicating that the third traffic data has a traffic anomaly, determining a risk level corresponding to the third traffic data; in response to the risk level being a first risk level, rate-limiting the traffic of the data source corresponding to the third traffic data; in response to the risk level being a second risk level, activating traffic silencing rule information for the third traffic data; and synchronizing the traffic silencing rule information to a network firewall included in the target local area network.
  4. The method for detecting network traffic data according to claim 3, wherein performing traffic data filtering on the first traffic data in the first traffic data set according to the target baseline traffic characteristic to obtain a second traffic data set comprises: determining a traffic load corresponding to the target network interface; determining a traffic data filtering mode according to the traffic load; for each first traffic data item in the first traffic data set, determining a characteristic difference degree between the traffic characteristic corresponding to the first traffic data item and the target baseline traffic characteristic, wherein the characteristic difference degree represents the degree to which the first traffic data item is an outlier; determining a traffic data distribution of the first traffic data in the first traffic data set according to the characteristic difference degrees corresponding to the first traffic data; performing outlier grouping on the first traffic data in the first traffic data set according to the traffic data distribution to obtain a first candidate traffic data set and a second candidate traffic data set; in response to the traffic data filtering mode being a first filtering mode, determining the first candidate traffic data set as the second traffic data set; and in response to the traffic data filtering mode being a second filtering mode, determining the first candidate traffic data set together with a preset proportion of the second candidate traffic data in the second candidate traffic data set as the second traffic data set, wherein the preset proportion is a mode parameter corresponding to the traffic data filtering mode.
  5. The method of claim 4, wherein performing data fingerprint feature extraction on the second traffic data set to generate a local data fingerprint feature set and a global data fingerprint feature comprises: for each second traffic data item in the second traffic data set, performing the following processing steps: extracting a network protocol feature corresponding to the second traffic data item; extracting a static data feature and a dynamic data feature corresponding to the second traffic data item, wherein the dynamic data feature comprises a traffic data behaviour feature and a traffic data interaction feature; performing feature stitching on the network protocol feature, the static data feature and the dynamic data feature to obtain a stitched data feature; and performing feature compression on the stitched data feature to obtain the local data fingerprint feature corresponding to the second traffic data item in the local data fingerprint feature set; performing feature association on the local data fingerprint features in the local data fingerprint feature set according to the local features corresponding to the dynamic data features, to obtain an associated local data fingerprint feature group set; performing feature extraction on each associated local data fingerprint feature group in the associated local data fingerprint feature group set to generate a local associated fingerprint feature, so as to obtain a local associated fingerprint feature set; performing global feature extraction on the local associated fingerprint feature set to obtain a global associated fingerprint feature; and performing feature compression on the global associated fingerprint feature to obtain the global data fingerprint feature.
  6. The method for detecting network traffic data according to claim 5, wherein performing secondary traffic data filtering on the second traffic data set according to the global data fingerprint feature and the local data fingerprint feature set to obtain a third traffic data set comprises: performing fingerprint feature mapping on the global data fingerprint feature to obtain a mapped global data fingerprint feature; performing fingerprint feature mapping on each local data fingerprint feature in the local data fingerprint feature set to obtain a mapped local data fingerprint feature set, wherein the mapped global data fingerprint feature and the mapped local data fingerprint features lie in the same feature space; performing feature clustering on the mapped local data fingerprint features in the mapped local data fingerprint feature set to obtain a mapped local data fingerprint feature group set, wherein the mapped local data fingerprint features in each mapped local data fingerprint feature group correspond to the same cluster center; determining a fingerprint feature difference degree between each mapped local data fingerprint feature group in the mapped local data fingerprint feature group set and the mapped global data fingerprint feature; and selecting, from the second traffic data set, the second traffic data whose corresponding fingerprint feature difference degree meets a data screening condition as third traffic data, to obtain the third traffic data set.
  7. The method for detecting network traffic data according to claim 6, wherein the traffic anomaly detection model comprises a traffic splitter, a traffic feature extraction network group, a self-attention weighted fusion network and a result classifier, and wherein generating the traffic anomaly detection result for the third traffic data according to the local data fingerprint feature corresponding to the third traffic data and a pre-trained traffic anomaly detection model comprises: routing, by the traffic splitter, the local data fingerprint feature corresponding to the third traffic data to at least one traffic feature extraction network in the traffic feature extraction network group that matches the third traffic data; performing, in parallel by each traffic feature extraction network of the at least one traffic feature extraction network, deep feature extraction on the local data fingerprint feature corresponding to the third traffic data to obtain a deep traffic data feature group; performing self-attention weighting on the deep traffic data features in the deep traffic data feature group through the self-attention weighted fusion network to obtain a fused traffic data feature; and generating the traffic anomaly detection result corresponding to the third traffic data according to the fused traffic data feature and the result classifier.
  8. A network traffic data detection device, comprising: an acquisition unit configured to acquire a first traffic data set, wherein each first traffic data item in the first traffic data set is network traffic data to be detected that belongs to the same traffic batch; a first generation unit configured to generate a target baseline traffic characteristic according to the first traffic data set; a first traffic data filtering unit configured to perform traffic data filtering on the first traffic data in the first traffic data set according to the target baseline traffic characteristic to obtain a second traffic data set; a data fingerprint feature extraction unit configured to perform data fingerprint feature extraction on the second traffic data set to generate a local data fingerprint feature set and a global data fingerprint feature, wherein the local data fingerprint features correspond one-to-one to the second traffic data; a second traffic data filtering unit configured to perform secondary traffic data filtering on the second traffic data set according to the global data fingerprint feature and the local data fingerprint feature set to obtain a third traffic data set; and a second generation unit configured to generate, for each third traffic data item in the third traffic data set, a traffic anomaly detection result according to the local data fingerprint feature corresponding to that third traffic data item and a pre-trained traffic anomaly detection model.
  9. An electronic device, comprising: one or more processors; and a storage device having one or more programs stored thereon which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1 to 7.
  10. A computer-readable medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method of any one of claims 1 to 7.
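The baseline step of claim 2 and the baseline-driven first filtering pass of claim 4 name their operations without fixing any formula. The following added Python example (not code from the patent or its applicant) shows one concrete reading of them on a constructed traffic batch: the flow records, the per-interface reference baselines and liveness values, the liveness-weighted mean used as the global baseline, the per-feature median used as the local baseline, the blend factor used for baseline correction, the relative-deviation "difference degree", the median-plus-MAD outlier grouping, and the load threshold and proportion that distinguish the two filtering modes are all assumptions made here.

```python
"""Added example (not the patent's own code): baseline generation (claim 2)
and baseline-driven first-pass filtering (claim 4) on constructed flows.
Every numeric choice below is an assumption; the claims name the steps but
do not fix any formula."""
from dataclasses import dataclass
from math import ceil
from statistics import median


@dataclass(frozen=True)
class Flow:
    flow_id: str
    features: tuple  # (bytes/s, packets/s, mean packet size): constructed feature vector


# Constructed batch of first traffic data received on the target interface.
BATCH = [
    Flow("f1", (1000.0, 30.0, 600.0)),
    Flow("f2", (1100.0, 35.0, 580.0)),
    Flow("f3", (1300.0, 45.0, 620.0)),
    Flow("f4", (900.0, 28.0, 590.0)),
    Flow("f5", (50000.0, 2000.0, 1400.0)),  # volumetric outlier
    Flow("f6", (1050.0, 33.0, 610.0)),
]

# Constructed reference baselines of the candidate interfaces and the
# firewall-reported liveness of each interface (claim 2).
REFERENCE_BASELINES = {
    "eth0": {"baseline": (1200.0, 40.0, 600.0), "liveness": 0.9},
    "eth1": {"baseline": (800.0, 25.0, 550.0), "liveness": 0.3},
}


def global_baseline(refs):
    """Liveness-weighted mean of the reference baselines (weighting scheme is an assumption)."""
    total = sum(r["liveness"] for r in refs.values())
    dims = len(next(iter(refs.values()))["baseline"])
    return tuple(
        sum(r["baseline"][i] * r["liveness"] for r in refs.values()) / total
        for i in range(dims)
    )


def local_baseline(flows):
    """Per-feature median of the batch, so a single outlier cannot drag the baseline toward itself."""
    dims = len(flows[0].features)
    return tuple(median(f.features[i] for f in flows) for i in range(dims))


def correct_baseline(local, glob, alpha=0.7):
    """Baseline correction as a convex blend of local and global baselines (alpha is an assumption)."""
    return tuple(alpha * l + (1 - alpha) * g for l, g in zip(local, glob))


def difference_degree(flow, baseline):
    """Mean relative deviation from the baseline; larger means more outlying."""
    return sum(abs(x - b) / max(abs(b), 1e-9) for x, b in zip(flow.features, baseline)) / len(baseline)


def group_by_distribution(flows, baseline, k=3.0):
    """Outlier grouping: first candidates exceed median + k*MAD of the degrees, the rest are second candidates."""
    degrees = {f.flow_id: difference_degree(f, baseline) for f in flows}
    med = median(degrees.values())
    mad = median(abs(d - med) for d in degrees.values())
    cutoff = med + k * mad
    ranked = sorted(flows, key=lambda f: degrees[f.flow_id], reverse=True)
    first = [f for f in ranked if degrees[f.flow_id] > cutoff]
    second = [f for f in ranked if degrees[f.flow_id] <= cutoff]
    return first, second


def select_filter_mode(traffic_load, high_load=0.8):
    """Under heavy interface load only outliers are kept (first mode); otherwise second mode."""
    return "first" if traffic_load >= high_load else "second"


def first_pass_filter(flows, traffic_load, proportion=0.4):
    """Return the ids that form the second traffic data set for this batch."""
    target = correct_baseline(local_baseline(flows), global_baseline(REFERENCE_BASELINES))
    first, second = group_by_distribution(flows, target)
    if select_filter_mode(traffic_load) == "first":
        kept = first
    else:
        # second mode: all outliers plus the most deviating `proportion` of the rest
        kept = first + second[: ceil(proportion * len(second))]
    return [f.flow_id for f in kept]


if __name__ == "__main__":
    print("heavy load:", first_pass_filter(BATCH, traffic_load=0.95))
    print("light load:", first_pass_filter(BATCH, traffic_load=0.5))
```

Under heavy load only the volumetric outlier `f5` survives the first pass; under lighter load the two next-most-deviating flows are carried along as well, which is the trade-off the claims describe between processing pressure and coverage.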

Description

Network traffic data detection method, device, electronic equipment and readable medium

Technical Field

Embodiments of the present disclosure relate to the field of computer technology, in particular to network traffic data detection, and more specifically to a method, an apparatus, an electronic device and a readable medium for detecting network traffic data.

Background

With the development of internet technology, the volume of network traffic data has grown explosively, and malicious network behaviours carried by network traffic data are increasing accordingly. At present, network traffic detection is generally carried out by constructing a malicious network behaviour feature library and performing fine-grained real-time detection on network traffic data. However, this approach has the technical problems that the proportion of network traffic data containing malicious network behaviours is relatively small, and the construction of malicious network behaviour features lags behind the behaviours themselves, which results in very high data processing pressure during real-time detection and makes detection accuracy difficult to guarantee.

Disclosure of Invention

This section is intended to introduce, in simplified form, concepts that are further described below in the detailed description. It is not intended to identify key or essential features of the claimed subject matter, nor to limit the scope of the claimed subject matter. Some embodiments of the present disclosure propose a network traffic data detection method, apparatus, electronic device and readable medium to solve the technical problems mentioned in the background section above.
In a first aspect, some embodiments of the present disclosure provide a method for detecting network traffic data. The method comprises: obtaining a first traffic data set, where the first traffic data in the first traffic data set is network traffic data to be detected that belongs to the same traffic batch; generating a target baseline traffic characteristic according to the first traffic data set; filtering the first traffic data in the first traffic data set according to the target baseline traffic characteristic to obtain a second traffic data set; performing data fingerprint feature extraction on the second traffic data set to generate a local data fingerprint feature set and a global data fingerprint feature, where the local data fingerprint features correspond one-to-one to the second traffic data; performing secondary traffic data filtering on the second traffic data set according to the global data fingerprint feature and the local data fingerprint feature set to obtain a third traffic data set; and, for each third traffic data item in the third traffic data set, generating a traffic anomaly detection result according to the local data fingerprint feature corresponding to that third traffic data item and a pre-trained traffic anomaly detection model.
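The fingerprint extraction of claim 5 and the cluster-versus-global secondary filtering of claim 6, both summarised in the first aspect above, are worked below as an added Python example; this is not code from the patent or its applicant. The field set of each flow, the log2 bucketing and port classing used as "feature compression", the per-position majority vote used both as cluster center and as global fingerprint, the grouping of flows on their dynamic-feature positions as the clustering step, the normalised Hamming distance used as the fingerprint difference degree, and the screening threshold are all assumptions made here; the claims name these steps without fixing them.

```python
"""Added example (not the patent's own code): local/global data fingerprints
(claim 5) and clustering-based secondary filtering (claim 6) on constructed
flows.  Bucket functions, grouping key and threshold are assumptions."""
import math
from collections import Counter, defaultdict

PROTOCOLS = ("tcp", "udp", "icmp")  # constructed vocabulary for the protocol feature

# Constructed second traffic data set (one batch after the baseline pass).
#   static      = (dst_port, payload_bytes)
#   behaviour   = (connections_per_s, bytes_per_connection)
#   interaction = (distinct_peers, failed_connection_ratio)
FLOWS = [
    {"id": "f1", "proto": "tcp", "static": (443, 900),  "behaviour": (2.0, 1500), "interaction": (1, 0.0)},
    {"id": "f2", "proto": "tcp", "static": (8443, 700), "behaviour": (2.0, 2000), "interaction": (1, 0.1)},
    {"id": "f3", "proto": "udp", "static": (53, 80),    "behaviour": (5.0, 120),  "interaction": (2, 0.0)},
    {"id": "f4", "proto": "tcp", "static": (22, 0),     "behaviour": (400.0, 60), "interaction": (250, 0.9)},
    {"id": "f5", "proto": "tcp", "static": (3389, 0),   "behaviour": (350.0, 64), "interaction": (300, 0.95)},
    {"id": "f6", "proto": "tcp", "static": (443, 1000), "behaviour": (1.5, 1600), "interaction": (1, 0.0)},
]


def log_bucket(x):
    """Lossy compression of a non-negative magnitude into its log2 bucket."""
    return int(math.log2(x + 1))


def port_class(port):
    """0 = well-known, 1 = registered, 2 = dynamic/ephemeral port range."""
    return 0 if port < 1024 else 1 if port < 49152 else 2


def local_fingerprint(flow):
    """Stitch protocol + static + dynamic features, compressing each to a small integer (claim 5)."""
    proto_idx = PROTOCOLS.index(flow["proto"])
    dst_port, payload = flow["static"]
    conn_rate, bytes_per_conn = flow["behaviour"]
    peers, fail_ratio = flow["interaction"]
    return (proto_idx, port_class(dst_port), log_bucket(payload),
            log_bucket(conn_rate), log_bucket(bytes_per_conn),
            log_bucket(peers), round(fail_ratio * 4))


def positional_mode(fingerprints):
    """Per-position majority value; serves as cluster center and as global fingerprint."""
    return tuple(Counter(col).most_common(1)[0][0] for col in zip(*fingerprints))


def global_fingerprint(local_fps):
    """Global data fingerprint: the positional mode over all local fingerprints (assumption)."""
    return positional_mode(local_fps)


def cluster_by_dynamic_key(local_fps):
    """Cluster fingerprints that agree on the dynamic positions 3..6 (claim 6); returns member id lists."""
    groups = defaultdict(list)
    for fid, fp in local_fps.items():
        groups[fp[3:]].append(fid)
    return list(groups.values())


def difference_degree(center, glob):
    """Normalised Hamming distance between a cluster center and the global fingerprint."""
    return sum(a != b for a, b in zip(center, glob)) / len(glob)


def secondary_filter(flows, screening_threshold=0.6):
    """Return (third_set_ids, per_cluster_degrees): clusters far from the global fingerprint are kept."""
    local_fps = {f["id"]: local_fingerprint(f) for f in flows}
    glob = global_fingerprint(list(local_fps.values()))
    third, degrees = [], {}
    for members in cluster_by_dynamic_key(local_fps):
        center = positional_mode([local_fps[m] for m in members])
        deg = difference_degree(center, glob)
        degrees[tuple(members)] = deg
        if deg >= screening_threshold:
            third.extend(members)
    return third, degrees


if __name__ == "__main__":
    kept, per_cluster = secondary_filter(FLOWS)
    print("global fingerprint:", global_fingerprint([local_fingerprint(f) for f in FLOWS]))
    for members, deg in per_cluster.items():
        print(members, f"difference={deg:.2f}")
    print("third traffic data set:", kept)
```

The two high-rate, many-peer, high-failure flows form clusters whose fingerprints disagree with the global one in most positions and pass on to the model stage, while the HTTPS cluster matches the global fingerprint exactly and the single DNS flow sits below the threshold; tuning that threshold is what decides how much of a batch reaches the (more expensive) anomaly model.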
In a second aspect, some embodiments of the present disclosure provide a network traffic data detection device. The device comprises: an acquisition unit configured to acquire a first traffic data set, where the first traffic data in the first traffic data set is network traffic data to be detected that belongs to the same traffic batch; a first generation unit configured to generate a target baseline traffic characteristic according to the first traffic data set; a first traffic data filtering unit configured to filter the first traffic data in the first traffic data set according to the target baseline traffic characteristic to obtain a second traffic data set; a data fingerprint feature extraction unit configured to perform data fingerprint feature extraction on the second traffic data set to generate a local data fingerprint feature set and a global data fingerprint feature, where the local data fingerprint features correspond one-to-one to the second traffic data; a second traffic data filtering unit configured to perform secondary traffic data filtering on the second traffic data set according to the global data fingerprint feature and the local data fingerprint feature set to obtain a third traffic data set; and a second generation unit configured to generate, for each third traffic data item in the third traffic data set, a traffic anomaly detection result according to the local data fingerprint feature corresponding to that third traffic data item and a pre-trained traffic anomaly detection model.

In a third aspect, some embodiments of the present disclosure provide an electronic device comprising one or more processors, and storage means having one or more programs stored thereon, which when executed by the one or more processors, cause the one or more processors to implement the method described in any of the implementations of th