
CN111901316A - Network flow abnormity detection method applied to industrial Internet and big data platform - Google Patents


Info

Publication number
CN111901316A
Authority
CN
China
Prior art keywords
track
traffic
flow
target terminal
list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010675003.0A
Other languages
Chinese (zh)
Other versions
CN111901316B (en)
Inventor
袁媛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Changzhou Longyu Tianzheng New Energy Industry Co ltd
Changzhou Tianzheng Industrial Development Co ltd
Original Assignee
Individual
Application filed by Individual
Priority to CN202010675003.0A (CN111901316B)
Priority to CN202110086592.3A (CN112929340A)
Priority to CN202110086470.4A (CN112788047A)
Publication of CN111901316A
Application granted
Publication of CN111901316B
Legal status: Active

Links

Images

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1408 ... by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1458 Denial of Service
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 ... for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The network traffic anomaly detection method and big data platform applied to the industrial Internet can establish a traffic detection channel corresponding to the target terminal device through an authorization instruction, collect the real-time network traffic of the target terminal device through the traffic detection channel in order to draw a traffic curve, periodically determine multiple groups of traffic change trajectories of the target terminal device based on the traffic curve, calculate the trajectory offset between the traffic change trajectories of different periods, determine the state parameters of the target terminal device in the current period when it is judged from the trajectory offset that the device is suffering a distributed denial of service attack, and generate a dynamic security policy from the state parameters and send it to the target terminal device. The target terminal device can then use the dynamic security policy to identify and discard the abnormal requests among its pending requests. This avoids the paralysis of the target terminal device and ensures the safe and reliable operation of the entire industrial Internet control system.

Description

Network traffic anomaly detection method and big data platform applied to the industrial Internet

Technical Field

The present application relates to the technical field of industrial Internet communication security processing, and in particular to a network traffic anomaly detection method and a big data platform applied to the industrial Internet.

Background Art

The development of the industrial Internet has pushed manufacturing toward intelligence and digitization, which can greatly improve production efficiency and free up manual labor. As edge computing matures, distributed industrial control systems built on cloud-edge-terminal collaboration are gradually being applied in various large-scale production scenarios. Edge computing can perform data processing and analysis on the edge device side, which effectively improves data interaction efficiency and reduces data interaction latency.

In practical applications, ensuring the safe and reliable operation of the entire industrial Internet system requires security detection of that system. Because multiple terminal devices are deployed in an industrial Internet system, the distributed denial of service attack (DDoS) is the main attack mode such a system suffers. A DDoS attack can hit many terminal devices at the same time, leaving them unable to work normally, which causes large-scale production accidents and huge economic losses.

It can be seen that how to effectively detect distributed denial of service attacks and formulate security policies is a technical problem that urgently needs to be solved at this stage.

Summary of the Invention

This application provides a network traffic anomaly detection method and a big data platform applied to the industrial Internet, so as to effectively detect distributed denial of service attacks and formulate security policies.

First, a network traffic anomaly detection method applied to the industrial Internet is provided, applied to a big data platform, the method comprising:

when receiving an authorization instruction fed back by a target terminal device in response to a traffic detection request sent by the big data platform, establishing a traffic detection channel corresponding to the target terminal device through the device interface parameters carried in the authorization instruction;

collecting the real-time network traffic of the target terminal device through the traffic detection channel, and drawing a traffic curve corresponding to the target terminal device based on the real-time network traffic;

periodically determining multiple groups of traffic change trajectories of the target terminal device based on the traffic curve, and calculating the trajectory offset between the traffic change trajectory corresponding to the current period and the traffic change trajectory corresponding to the previous period;

when it is determined from the trajectory offset that the target terminal device is suffering a distributed denial of service attack, determining from the trajectory offset the state parameters of the target terminal device in the current period, generating a dynamic security policy according to the state parameters, and issuing the dynamic security policy to the target terminal device so that the target terminal device determines and destroys the abnormal requests among its pending requests based on the dynamic security policy.

Optionally, judging whether the target terminal device suffers a distributed denial of service attack specifically comprises:

judging whether the trajectory offset is lower than a set threshold;

when the trajectory offset is lower than the set threshold, superimposing the traffic change trajectory corresponding to the previous period onto the traffic change trajectory corresponding to the current period;

calculating the correlation coefficient of the trajectory features between the traffic change trajectory corresponding to the current period and the traffic change trajectory corresponding to the next period;

if the correlation coefficient is greater than a set coefficient, determining that the target terminal device suffers a distributed denial of service attack.

Optionally, the method further comprises:

when the trajectory offset is greater than or equal to the set threshold, determining the first trajectory interval corresponding to the trajectory offset in the traffic change trajectory of the previous period and the second trajectory interval corresponding to it in the traffic change trajectory of the current period;

extracting the first trajectory data list of the first trajectory interval and the second trajectory data list of the second trajectory interval, and calculating the traffic feature overlap ratio between the first trajectory data list and the second trajectory data list;

if the traffic feature overlap ratio is greater than a set ratio, determining that the target terminal device suffers a distributed denial of service attack.
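The two optional judgment branches above (low offset: superimpose the previous period onto the current one and correlate with the next period; high offset: compare the feature lists of the intervals where the offset occurs), as an added Python example written for this page, not the patent's own implementation. The patent defines none of its metrics, so the following are assumptions: the trajectory offset is the mean absolute per-slot difference of two equal-length periods, superimposing is element-wise addition, the correlation coefficient is Pearson's r, the trajectory interval is the set of slots whose deviation reaches the threshold, the traffic feature overlap ratio is the Jaccard index of the (source network, protocol) features seen in those slots, and all thresholds and traffic samples are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import FrozenSet, List, Sequence, Tuple

# Constructed feature type: (source network, protocol) observed in one sampling slot.
Feature = Tuple[str, str]

@dataclass(frozen=True)
class Period:
    """One detection period of a terminal's traffic curve (assumed layout)."""
    samples: Sequence[float]                     # traffic volume per sampling slot
    slot_features: Sequence[FrozenSet[Feature]]  # features observed in each slot

def trajectory_offset(prev: Sequence[float], cur: Sequence[float]) -> float:
    """Assumed offset metric: mean absolute per-slot difference of two periods."""
    if not prev or len(prev) != len(cur):
        raise ValueError("periods must have the same non-zero number of slots")
    return mean(abs(a - b) for a, b in zip(prev, cur))

def superimpose(prev: Sequence[float], cur: Sequence[float]) -> List[float]:
    """Assumed 'superimposition' of the previous trajectory onto the current one."""
    return [a + b for a, b in zip(prev, cur)]

def correlation(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient; 0.0 when either series is flat."""
    mx, my = mean(x), mean(y)
    sx, sy = pstdev(x), pstdev(y)
    if sx == 0.0 or sy == 0.0:
        return 0.0
    return mean((a - mx) * (b - my) for a, b in zip(x, y)) / (sx * sy)

def offset_slots(prev: Sequence[float], cur: Sequence[float],
                 threshold: float) -> List[int]:
    """Assumed 'trajectory interval': slots whose deviation reaches the threshold."""
    return [i for i, (a, b) in enumerate(zip(prev, cur)) if abs(a - b) >= threshold]

def track_data_list(period: Period, slots: Sequence[int]) -> FrozenSet[Feature]:
    """Assumed 'trajectory data list': union of the features seen in the given slots."""
    found: set = set()
    for i in slots:
        found |= period.slot_features[i]
    return frozenset(found)

def overlap_ratio(first: FrozenSet[Feature], second: FrozenSet[Feature]) -> float:
    """Assumed 'traffic feature overlap ratio': Jaccard index of the two lists."""
    union = first | second
    return len(first & second) / len(union) if union else 0.0

def is_ddos(prev: Period, cur: Period, nxt: Period, *, offset_threshold: float,
            corr_threshold: float, overlap_threshold: float) -> bool:
    """Decision flow of the two optional claims: True when the claimed conditions
    for 'suffers a distributed denial of service attack' are met."""
    offset = trajectory_offset(prev.samples, cur.samples)
    if offset < offset_threshold:
        # Branch 1: shape barely moved; superimpose and correlate with the next period.
        merged = superimpose(prev.samples, cur.samples)
        return correlation(merged, nxt.samples) > corr_threshold
    # Branch 2: large offset; compare feature lists of the intervals where it occurs.
    slots = offset_slots(prev.samples, cur.samples, offset_threshold)
    first = track_data_list(prev, slots)
    second = track_data_list(cur, slots)
    return overlap_ratio(first, second) > overlap_threshold

# Constructed sample data (not from the patent): a PLC polled by the plant network
# and an HMI, plus two current periods that carry a burst in slots 1 and 2.
PLANT = ("10.0.0.0/24", "modbus")
HMI = ("10.0.1.0/24", "https")
FLOOD_A = ("198.51.100.0/24", "tcp-syn")
FLOOD_B = ("203.0.113.0/24", "udp")
NORMAL = frozenset({PLANT, HMI})

PREV = Period([10.0, 12.0, 11.0, 13.0], [NORMAL] * 4)
CUR_STEADY = Period([11.0, 12.0, 12.0, 13.0], [NORMAL] * 4)
NEXT_SAME_SHAPE = Period([21.0, 24.0, 23.0, 26.0], [NORMAL] * 4)
NEXT_INVERTED = Period([26.0, 23.0, 24.0, 21.0], [NORMAL] * 4)
CUR_BURST_OVERLAP = Period([10.0, 60.0, 65.0, 13.0],
                           [NORMAL, NORMAL | {FLOOD_A}, NORMAL | {FLOOD_A}, NORMAL])
CUR_BURST_DISJOINT = Period([10.0, 60.0, 65.0, 13.0],
                            [NORMAL, frozenset({FLOOD_A, FLOOD_B}),
                             frozenset({FLOOD_A, FLOOD_B}), NORMAL])

THRESHOLDS = dict(offset_threshold=2.0, corr_threshold=0.8, overlap_threshold=0.5)

def demo() -> dict:
    """Run the four constructed scenarios through the decision flow."""
    return {
        "steady, correlated next": is_ddos(PREV, CUR_STEADY, NEXT_SAME_SHAPE, **THRESHOLDS),
        "steady, inverted next": is_ddos(PREV, CUR_STEADY, NEXT_INVERTED, **THRESHOLDS),
        "burst, overlapping lists": is_ddos(PREV, CUR_BURST_OVERLAP, NEXT_SAME_SHAPE, **THRESHOLDS),
        "burst, disjoint lists": is_ddos(PREV, CUR_BURST_DISJOINT, NEXT_SAME_SHAPE, **THRESHOLDS),
    }
```

The verdicts follow the claim text literally: in branch 2 a burst whose feature list overlaps the previous period's is judged an attack, while one carrying only foreign features is not, which is a property of the claimed test rather than of the constructed data.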

可选地,将上一时段对应的流量变化轨迹叠加到当前时段对应的流量变化轨迹中,并计算当前时段对应的流量变化轨迹与下一时段对应的流量变化轨迹之间的轨迹特征的相关性系数,具体包括:Optionally, the flow change trajectory corresponding to the previous period is superimposed on the flow rate change trajectory corresponding to the current period, and the correlation of the trajectory characteristics between the flow rate change trajectory corresponding to the current period and the flow rate change trajectory corresponding to the next period is calculated. coefficients, including:

生成上一时段对应的流量变化轨迹对应的用于表征上一时段对应的流量变化轨迹的流量报文的报文信息的第一流量协议地址列表以及用于表征当前时段对应的流量变化轨迹的流量报文的报文信息的第二流量协议地址列表;其中,所述第一流量协议地址列表和所述第二流量协议地址列表中分别包括相同数量的多个列表单元,且每个列表单元的单元识别度不同,所述单元识别度用于表征所述列表单元的列表特征的关联度;Generate a first traffic protocol address list corresponding to the traffic change track corresponding to the previous time period and used to represent the packet information of the traffic packets corresponding to the traffic change track corresponding to the previous time period, and the traffic used to represent the traffic change track corresponding to the current time period. The second flow protocol address list of the message information of the message; wherein, the first flow protocol address list and the second flow protocol address list respectively include the same number of multiple list units, and the number of each list unit is The unit recognition degrees are different, and the unit recognition degrees are used to represent the degree of association of the list features of the list units;

从上一时段对应的流量变化轨迹对应的第一流量协议地址列表中提取出其中一个列表单元对应的协议地址路径;其中,在确定所述协议地址路径时,并行地将当前时段对应的流量变化轨迹对应的第二流量协议地址列表中具有最大单元识别度的列表单元确定为参考列表单元;A protocol address path corresponding to one of the list units is extracted from the first traffic protocol address list corresponding to the traffic change track corresponding to the previous period; wherein, when determining the protocol address path, the traffic corresponding to the current period is changed in parallel The list unit with the largest unit identification degree in the second traffic protocol address list corresponding to the track is determined as the reference list unit;

将所述协议地址路径映射到所述参考列表单元中并确定出所述协议地址路径在所述参考列表单元中的映射地址路径;通过所述映射地址路径和所述协议地址路径确定所述第一流量协议地址列表和所述第二流量协议地址列表之间的用于表征流量协议地址的对应关系的有向无环图;Map the protocol address path into the reference list unit and determine the mapped address path of the protocol address path in the reference list unit; determine the first address path through the mapped address path and the protocol address path A directed acyclic graph used to characterize the correspondence between a traffic protocol address list and the second traffic protocol address list;

基于所述用于表征流量协议地址的对应关系的有向无环图将上一时段对应的流量变化轨迹中的每组第一流量轨迹参数叠加到当前时段对应的流量变化轨迹中的对应的第二流量轨迹参数组中;Based on the directed acyclic graph for characterizing the correspondence between traffic protocol addresses, each group of first traffic trajectory parameters in the traffic change trajectory corresponding to the previous period is superimposed on the corresponding first traffic trajectory parameter in the traffic change trajectory corresponding to the current period. In the second flow trajectory parameter group;

若每组第一流量轨迹参数在其对应的第二流量轨迹参数组中存在唯一对应的协议签名,则根据所述协议签名对当前时段对应的流量变化轨迹与下一时段对应的流量变化轨迹之间的轨迹特征所对应的数值队列进行加权,并计算加权之后的数值队列的中位数作为当前时段对应的流量变化轨迹与下一时段对应的流量变化轨迹之间的轨迹特征的相关性系数;If each group of first traffic trajectory parameters has a unique corresponding protocol signature in its corresponding second traffic trajectory parameter group, then according to the protocol signature, the difference between the traffic change trajectory corresponding to the current period and the traffic change trajectory corresponding to the next period is calculated. The numerical queues corresponding to the trajectory characteristics of the interval are weighted, and the median of the weighted numerical queues is calculated as the correlation coefficient of the trajectory characteristics between the traffic change trajectory corresponding to the current period and the traffic change trajectory corresponding to the next period;

若每组第一流量轨迹参数在其对应的第二流量轨迹参数组中不存在唯一对应的协议签名,则返回根据所述用于表征流量协议地址的对应关系的有向无环图将上一时段对应的流量变化轨迹中的每组流量轨迹参数叠加到当前时段对应的流量变化轨迹中的对应的第二流量轨迹参数组中的步骤。If each group of first traffic trajectory parameters does not have a unique corresponding protocol signature in its corresponding second traffic trajectory parameter group, return the directed acyclic graph used to represent the correspondence between the traffic protocol addresses and the previous The step of superimposing each group of flow track parameters in the flow rate change track corresponding to the time period to the corresponding second flow track parameter group in the flow rate change track corresponding to the current time period.

可选地,确定所述轨迹偏移量在上一时段对应的流量变化轨迹中对应的第一轨迹区间以及在当前时段对应的流量变化轨迹中对应的第二轨迹区间,提取所述第一轨迹区间的第一轨迹数据清单以及所述第二轨迹区间的第二轨迹数据清单,计算所述第一轨迹数据清单与所述第二轨迹数据清单之间的流量特征重叠率,具体包括:Optionally, determine the first trajectory interval corresponding to the trajectory offset in the flow rate change trajectory corresponding to the previous period and the second trajectory interval corresponding to the flow rate change trajectory corresponding to the current period, and extract the first trajectory. The first track data list of the interval and the second track data list of the second track interval, and the calculation of the traffic feature overlap ratio between the first track data list and the second track data list, specifically including:

分别将上一时段对应的流量变化轨迹的第一描述信息以及当前时段对应的流量变化轨迹的第二描述信息列出,并将按照上一时段对应的流量变化轨迹与当前时段对应的流量变化轨迹之间的时序权重将所述第一描述信息和第二描述信息进行整合得到目标描述信息;其中,所述目标描述信息中包括多个第一轨迹标识和多个第二轨迹标识;List the first description information of the flow change trajectory corresponding to the previous period and the second description information of the flow rate change trajectory corresponding to the current period, respectively, according to the flow change trajectory corresponding to the previous period and the current period corresponding to the flow change trajectory. The timing weight between the first description information and the second description information is integrated to obtain target description information; wherein, the target description information includes multiple first track identifiers and multiple second track identifiers;

确定所述轨迹偏移量与每个第一轨迹标识之间的第一偏移权重以及与每个第二轨迹标识之间的第二偏移权重;根据所述第一偏移权重和所述第二偏移权重的分布序列确定所述第一轨迹区间和所述第二轨迹区间;determining a first offset weight between the track offset and each first track identifier and a second offset weight between the track offset and each second track identifier; according to the first offset weight and the The distribution sequence of the second offset weight determines the first trajectory interval and the second trajectory interval;

确定所述第一轨迹区间对应的第一区间参数矩阵以及所述第二轨迹区间对应的第二区间参数矩阵;其中,所述第一区间参数矩阵用于表征所述第一轨迹区间的轨迹节点的分布情况,所述第二区间参数矩阵用于表征所述第二轨迹区间的轨迹节点的分布情况;分别提取所述第一区间参数矩阵的第一矩阵离散值和所述第二区间参数矩阵的第二矩阵离散值,根据所述第一矩阵离散值和所述第二矩阵离散值分别从所述第一区间参数矩阵和所述第二区间参数矩阵中提取所述第一轨迹数据清单和所述第二轨迹数据清单;Determine a first interval parameter matrix corresponding to the first trajectory interval and a second interval parameter matrix corresponding to the second trajectory interval; wherein the first interval parameter matrix is used to represent the trajectory nodes of the first trajectory interval The distribution of the second interval parameter matrix is used to represent the distribution of the trajectory nodes in the second trajectory interval; respectively extract the first matrix discrete values of the first interval parameter matrix and the second interval parameter matrix The second matrix discrete value, according to the first matrix discrete value and the second matrix discrete value, respectively extract the first trajectory data list and the second track data list;

确定根据所述第一轨迹数据清单和所述第二轨迹数据清单所生成的流量清单队列;针对所述流量清单队列中的当前流量清单队列,基于当前流量清单队列在上一时段内的第一队列变化频率以及各所述流量清单队列在所述当前时段内的第二队列变化频率,确定当前流量清单队列在所述上一时段和当前时段之间的第三队列变化频率;基于所述第三队列变化频率以及所述流量清单队列的数量计算所述第一轨迹数据清单与所述第二轨迹数据清单之间的流量特征重叠率。determining a traffic list queue generated according to the first track data list and the second track data list; for the current traffic list queue in the traffic list queue, based on the first traffic list queue of the current traffic list queue in the previous period The queue change frequency and the second queue change frequency of each of the traffic list queues within the current time period, determine the third queue change frequency of the current traffic list queue between the previous time period and the current time period; The change frequency of the three queues and the number of the traffic list queues are used to calculate the traffic feature overlap ratio between the first trajectory data list and the second trajectory data list.

可选地,通过所述轨迹偏移量确定出所述目标终端设备在当前时段内的状态参数,根据所述状态参数生成动态安全策略并将所述动态安全策略下发给所述目标终端设备,具体包括:Optionally, the state parameter of the target terminal device in the current period is determined by the track offset, a dynamic security policy is generated according to the state parameter, and the dynamic security policy is issued to the target terminal device , including:

基于获取的用于表征轨迹偏移量的置信度的偏移量评价因子和轨迹连续性因子,确定待标记的用于识别目标终端设备的状态参数的多个识别标签的标签脚本文件,以及不同识别标签之间的相似度;Based on the obtained offset evaluation factor and the trajectory continuity factor used to characterize the confidence of the trajectory offset, determine the label script files of multiple identification labels to be marked for identifying the state parameters of the target terminal device, and different Identify the similarity between tags;

基于确定的所述多个识别标签的标签脚本文件,以及不同识别标签之间的相似度,对所述多个识别标签进行标记,使得标记出的识别标签的标签脚本文件对应的文件响应耗时小于第一设定值、且标记出识别标签之间的相似度大于第二设定值;Mark the multiple identification tags based on the determined tag script files of the multiple identification tags and the similarity between different identification tags, so that the file response corresponding to the marked tag script files of the identification tags is time-consuming is less than the first set value, and marks that the similarity between the identification tags is greater than the second set value;

根据标记出的识别标签从所述目标终端设备的运行日志中提取出目标终端设备在当前时段内的状态参数;将所述状态参数按照时序依次拆分为多个参数段,并确定每个参数段对应的流量处理指标信息;其中,所述流量处理指标信息用于表征所述目标终端设备的吞吐量和最大流量承载量;According to the marked identification tag, the state parameters of the target terminal device in the current period are extracted from the operation log of the target terminal device; the state parameters are divided into multiple parameter segments according to the time sequence, and each parameter is determined. The traffic processing indicator information corresponding to the segment; wherein, the traffic processing indicator information is used to characterize the throughput and the maximum traffic carrying capacity of the target terminal device;

确定与每组流量处理指标信息对应的DDos攻击的事件行为特征,并根据所述事件行为特征及其对应的流量处理指标信息的吞吐量和最大流量承载量生成目标安全策略;按照目标安全策略对应的事件行为特征的时序特征将目标安全策略封装为所述动态安全策略。Determine the event behavior characteristics of the DDos attack corresponding to each group of traffic processing index information, and generate a target security policy according to the event behavior characteristics and the throughput and maximum traffic carrying capacity of the corresponding traffic processing index information; corresponding to the target security policy The time sequence feature of the event behavior feature encapsulates the target security policy as the dynamic security policy.

其次提供一种大数据平台,所述大数据平台与终端设备通信,所述大数据平台用于:Secondly, a big data platform is provided, the big data platform communicates with terminal equipment, and the big data platform is used for:

在接收到目标终端设备基于所述大数据平台发送的流量检测请求所反馈的授权指令时,通过所述授权指令中携带的设备接口参数建立与所述目标终端设备对应的流量检测通道;When receiving the authorization instruction fed back by the target terminal device based on the traffic detection request sent by the big data platform, establish a traffic detection channel corresponding to the target terminal device through the device interface parameters carried in the authorization instruction;

通过所述流量检测通道采集所述目标终端设备的实时网络流量,并基于所述实时网络流量绘制所述目标终端设备对应的流量曲线;Collect real-time network traffic of the target terminal device through the traffic detection channel, and draw a traffic curve corresponding to the target terminal device based on the real-time network traffic;

周期性地基于所述流量曲线确定所述目标终端设备的多组流量变化轨迹,并计算当前时段对应的流量变化轨迹与上一时段对应的流量变化轨迹之间的轨迹偏移量;Periodically determine multiple groups of flow change trajectories of the target terminal device based on the flow curve, and calculate the trajectory offset between the flow change trajectory corresponding to the current period and the flow change trajectory corresponding to the previous period;

在依据所述轨迹偏移量判定出所述目标终端设备遭受分布式拒绝服务攻击时,通过所述轨迹偏移量确定出所述目标终端设备在当前时段内的状态参数,根据所述状态参数生成动态安全策略并将所述动态安全策略下发给所述目标终端设备以使所述目标终端设备基于所述动态安全策略确定出待处理请求中的异常请求并销毁。When it is determined according to the track offset that the target terminal device is subject to a DDoS attack, the state parameter of the target terminal device in the current period is determined by the track offset, and according to the state parameter A dynamic security policy is generated and delivered to the target terminal device, so that the target terminal device determines and destroys abnormal requests in pending requests based on the dynamic security policy.

可选地,所述大数据平台判断目标终端设备是否遭受到分布式拒绝服务攻击具体具体包括:Optionally, the big data platform judging whether the target terminal device suffers from a distributed denial of service attack specifically includes:

判断轨迹偏移量是否低于设定阈值;Determine whether the trajectory offset is lower than the set threshold;

在所述轨迹偏移量低于设定阈值时,将上一时段对应的流量变化轨迹叠加到当前时段对应的流量变化轨迹中;计算当前时段对应的流量变化轨迹与下一时段对应的流量变化轨迹之间的轨迹特征的相关性系数;如果所述相关性系数大于设定系数,则判定所述目标终端设备遭受到分布式拒绝服务攻击;When the trajectory offset is lower than the set threshold, the flow change trajectory corresponding to the previous period is superimposed on the flow rate change trajectory corresponding to the current period; the flow rate change trajectory corresponding to the current period and the flow rate change corresponding to the next period are calculated The correlation coefficient of the trajectory features between the trajectories; if the correlation coefficient is greater than the set coefficient, it is determined that the target terminal device has suffered a distributed denial of service attack;

在所述轨迹偏移量大于等于所述设定阈值时,确定所述轨迹偏移量在上一时段对应的流量变化轨迹中对应的第一轨迹区间以及在当前时段对应的流量变化轨迹中对应的第二轨迹区间;提取所述第一轨迹区间的第一轨迹数据清单以及所述第二轨迹区间的第二轨迹数据清单,计算所述第一轨迹数据清单与所述第二轨迹数据清单之间的流量特征重叠率;若所述流量特征重叠率大于设定比率,则判定所述目标终端设备遭受到分布式拒绝服务攻击。When the trajectory offset is greater than or equal to the set threshold, determine the first trajectory interval corresponding to the trajectory offset in the flow change trajectory corresponding to the previous period and in the flow rate change trajectory corresponding to the current period. the second track interval of If the traffic feature overlap ratio is greater than the set ratio, it is determined that the target terminal device suffers from a distributed denial of service attack.

然后提供一种大数据平台,包括互相之间通信的处理器和存储器,所述处理器通过运行从所述存储器中调取的计算机程序以实现上述的方法。Then a big data platform is provided, including a processor and a memory in communication with each other, the processor implements the above method by running a computer program retrieved from the memory.

最后提供一种计算机可读存储介质,其上存储有计算机程序,所述计算机程序在运行时实现上述的方法。Finally, a computer-readable storage medium is provided on which a computer program is stored, and the computer program implements the above method when running.

本发明实施例提供的应用于工业互联网的网络流量异常检测方法及大数据平台,能够通过授权指令中携带的设备接口参数建立与目标终端设备对应的流量检测通道,并通过流量检测通道采集目标终端设备的实时网络流量从而绘制目标终端设备对应的流量曲线,然后周期性地基于流量曲线确定目标终端设备的多组流量变化轨迹,并计算不同时段下的流量变化轨迹之间的轨迹偏移量,最后在依据轨迹偏移量判定出目标终端设备遭受分布式拒绝服务攻击时确定出目标终端设备在当前时段内的状态参数,根据所述状态参数生成动态安全策略并下发给目标终端设备。这样可以使目标终端设备基于动态安全策略确定出待处理请求中的异常请求并销毁。如此,这样能够避免目标终端设备的瘫痪,确保整个工业互联网控制系统的安全可靠运行。The network traffic anomaly detection method and big data platform applied to the industrial Internet provided by the embodiments of the present invention can establish a traffic detection channel corresponding to the target terminal device through the device interface parameters carried in the authorization instruction, and collect the target terminal through the traffic detection channel. The real-time network traffic of the device is used to draw the traffic curve corresponding to the target terminal device, and then periodically based on the traffic curve, multiple groups of traffic change trajectories of the target terminal device are determined, and the trajectory offset between the traffic change trajectories in different time periods is calculated. Finally, when it is determined that the target terminal device is subject to a DDoS attack according to the trajectory offset, the state parameters of the target terminal device in the current period are determined, and a dynamic security policy is generated according to the state parameters and sent to the target terminal device. In this way, the target terminal device can determine the abnormal request in the pending request based on the dynamic security policy and destroy it. In this way, it can avoid the paralysis of the target terminal equipment and ensure the safe and reliable operation of the entire industrial Internet control system.

附图说明Description of drawings

此处的附图被并入说明书中并构成本说明书的一部分,示出了符合本申请的实施例,并与说明书一起用于解释本申请的原理。The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description serve to explain the principles of the application.

图1是应用于工业互联网的网络流量异常检测方法的流程图。FIG. 1 is a flow chart of a network traffic anomaly detection method applied to the Industrial Internet.

图2是应用于工业互联网的网络流量异常检测装置的一个实施例框图。FIG. 2 is a block diagram of an embodiment of a network traffic anomaly detection apparatus applied to the Industrial Internet.

图3是应用于工业互联网的网络流量异常检测系统的通信架构示意图。FIG. 3 is a schematic diagram of a communication architecture of a network traffic anomaly detection system applied to the Industrial Internet.

图4是大数据平台的一种硬件结构图。Figure 4 is a hardware structure diagram of the big data platform.

具体实施方式Detailed ways

在实际应用时,发明人对分布式拒绝服务攻击的远离进行了分析,发现分布式拒绝服务攻击的攻击方式是在一段时间内向终端设备发送大量的需要处理的无用信息,这样会大规模地占用终端设备的资源,使得终端设备无法正常使用或瘫痪。进一步地,发明人还发现,终端设备在接收到大量需要处理的无用信息时,终端设备的信息流量会发生显著变化。In practical application, the inventor analyzed the distance of DDoS attack, and found that the DDoS attack method is to send a large amount of useless information to the terminal device within a period of time, which will occupy large-scale The resources of the terminal equipment make the terminal equipment unable to be used normally or paralyzed. Further, the inventor also found that when the terminal device receives a large amount of useless information that needs to be processed, the information flow of the terminal device will change significantly.

以上现有技术中的方案所存在的缺陷,均是发明人在经过实践并仔细研究后得出的结果,因此,上述问题的发现过程以及下文中本发明实施例针对上述问题所提出的解决方案,都应该是发明人在本发明过程中对本发明做出的贡献。The defects of the above solutions in the prior art are the results obtained by the inventor after practice and careful research. Therefore, the discovery process of the above problems and the solutions proposed in the following embodiments of the present invention for the above problems , should be the contributions made by the inventor to the present invention in the process of the present invention.

为此,本发明实施例提供了应用于工业互联网的网络流量异常检测方法及大数据平台,能够对终端设备的实时网络流量进行检测和分析,从而判断终端设备是否遭受DDos攻击,并在判断出终端设备遭受到DDos攻击之后生成针对于DDos攻击的不同阶段的动态安全策略并下发给终端设备,这样能够避免终端设备的瘫痪,确保整个工业互联网控制系统的安全可靠运行。To this end, the embodiments of the present invention provide a network traffic anomaly detection method and a big data platform applied to the Industrial Internet, which can detect and analyze the real-time network traffic of the terminal device, so as to determine whether the terminal device suffers from a DDos attack, and determine whether the terminal device is under DDos attack. After the terminal device is attacked by DDos, dynamic security policies for different stages of the DDos attack are generated and issued to the terminal device, which can avoid the paralysis of the terminal device and ensure the safe and reliable operation of the entire industrial Internet control system.

以下对在附图中提供的本发明的实施例的详细描述并非旨在限制要求保护的本发明的范围,而是仅仅表示本发明的选定实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The following detailed description of the embodiments of the invention provided in the accompanying drawings is not intended to limit the scope of the invention as claimed, but is merely representative of selected embodiments of the invention. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

FIG. 1 is a schematic flowchart of the network traffic anomaly detection method applied to the industrial Internet provided by an embodiment of the present invention. The method can be applied to a big data platform that communicates with multiple terminal devices; at runtime, the big data platform implements the method by performing the following steps S110 to S140.

Step S110: upon receiving an authorization instruction fed back by a target terminal device in response to a traffic detection request sent by the big data platform, establish a traffic detection channel corresponding to the target terminal device using the device interface parameters carried in the authorization instruction.

In this embodiment, the big data platform first sends a traffic detection request to each terminal device. The terminal device verifies whether the traffic detection request is legitimate and, if it is, feeds back to the big data platform an authorization instruction carrying its device interface parameters.

By establishing a separate traffic detection channel from each set of device interface parameters, the big data platform avoids mutual interference between traffic detection channels and thereby ensures the accuracy and reliability of traffic detection for every terminal device.

Step S120: collect the real-time network traffic of the target terminal device through the traffic detection channel, and draw a traffic curve corresponding to the target terminal device based on the real-time network traffic.

In one possible implementation, the real-time network traffic includes first network traffic received by the target terminal device and second network traffic sent by the target terminal device.

Step S130: periodically determine multiple sets of traffic change trajectories of the target terminal device based on the traffic curve, and calculate the trajectory offset between the traffic change trajectory of the current period and the traffic change trajectory of the previous period.

In practice, a traffic change trajectory can be represented as graph data. The graph data consists of graph nodes and graph edges: the graph nodes encapsulate feature data of the traffic curve, and the graph edges connect multiple graph nodes.

Step S140: when it is determined from the trajectory offset that the target terminal device is under a distributed denial-of-service attack, determine from the trajectory offset the state parameters of the target terminal device in the current period, generate a dynamic security policy according to the state parameters, and deliver the dynamic security policy to the target terminal device, so that the target terminal device identifies and destroys the abnormal requests among its pending requests based on the dynamic security policy.

Specifically, the operating parameters include the target terminal device's network protocol parameters, encryption key parameters, request queue configuration parameters and the like. The dynamic security policy includes script files that perform anomaly detection on requests from different periods. Abnormal requests are to be understood as the large number of invalid requests generated by the distributed denial-of-service attack that the target terminal device would otherwise have to process.

By carrying out steps S110 to S140 described above, a traffic detection channel corresponding to the target terminal device is established from the device interface parameters carried in the authorization instruction; the real-time network traffic of the target terminal device is collected through that channel and used to draw the target terminal device's traffic curve; multiple sets of traffic change trajectories are then periodically determined from the traffic curve, and the trajectory offsets between the traffic change trajectories of different periods are calculated; finally, when the trajectory offset indicates that the target terminal device is under a distributed denial-of-service attack, the state parameters of the target terminal device in the current period are determined, and a dynamic security policy is generated from those state parameters and delivered to the target terminal device. The target terminal device can then identify and destroy the abnormal requests among its pending requests based on the dynamic security policy. In this way the target terminal device is prevented from being paralyzed, and the safe and reliable operation of the entire industrial Internet control system is ensured.

When implementing the above scheme, the inventor found that judging a distributed denial-of-service attack from the trajectory offset alone may miss some attacks. After studying and analyzing these missed detections, the inventor attributed them to the following cause: the iterative nature of the traffic change trajectories of consecutive periods was not taken into account, so that traffic features were lost between the traffic change trajectories of consecutive periods, which affected the accuracy of the judgment. To remedy this, in step S140 it can, by way of example, be determined whether the target terminal device is under a distributed denial-of-service attack by the method described in the following steps S1411 to S1413.

Step S1411: judge whether the trajectory offset is below a set threshold; if so, go to step S1412, otherwise go to step S1413.

Step S1412: when the trajectory offset is below the set threshold, superimpose the traffic change trajectory of the previous period onto the traffic change trajectory of the current period, and calculate the correlation coefficient of the trajectory features between the traffic change trajectory of the current period and the traffic change trajectory of the next period; if the correlation coefficient is greater than a set coefficient, determine that the target terminal device is under a distributed denial-of-service attack.

Step S1413: when the trajectory offset is greater than or equal to the set threshold, determine the first trajectory interval that the trajectory offset corresponds to in the traffic change trajectory of the previous period and the second trajectory interval that it corresponds to in the traffic change trajectory of the current period; extract a first trajectory data list from the first trajectory interval and a second trajectory data list from the second trajectory interval, and calculate the traffic feature overlap ratio between the first trajectory data list and the second trajectory data list; if the traffic feature overlap ratio is greater than a set ratio, determine that the target terminal device is under a distributed denial-of-service attack.

It will be understood that steps S1411 to S1413 take into account both the iterative and the superposable nature of the traffic change trajectories of consecutive periods, which ensures that no traffic features are lost between the traffic change trajectories of consecutive periods and thus ensures the accuracy of the distributed denial-of-service attack judgment.

In a specific implementation, in order to ensure that, when the traffic change trajectories of different periods are superimposed, their traffic packets correspond one-to-one on traffic protocol address, so that the correlation coefficient of the trajectory features of the traffic change trajectories of different periods is determined accurately, the operation of step S1412 (superimposing the traffic change trajectory of the previous period onto the traffic change trajectory of the current period, and calculating the correlation coefficient of the trajectory features between the traffic change trajectory of the current period and that of the next period) may specifically include the following steps a to e.

Step a: generate a first traffic protocol address list for the traffic change trajectory of the previous period, representing the packet information of the traffic packets of that trajectory, and a second traffic protocol address list for the traffic change trajectory of the current period, representing the packet information of the traffic packets of that trajectory; the first traffic protocol address list and the second traffic protocol address list each contain the same number of list units, and each list unit has a different unit identification degree, where the unit identification degree represents the degree of association of the list unit's list features.

Step b: extract from the first traffic protocol address list of the previous period's traffic change trajectory the protocol address path corresponding to one of its list units; in parallel with determining the protocol address path, determine the list unit with the highest unit identification degree in the second traffic protocol address list of the current period's traffic change trajectory as the reference list unit.

Step c: map the protocol address path into the reference list unit and determine the mapped address path of the protocol address path within the reference list unit; from the mapped address path and the protocol address path, determine a directed acyclic graph that represents the correspondence of traffic protocol addresses between the first traffic protocol address list and the second traffic protocol address list.

Step d: based on the directed acyclic graph representing the correspondence of traffic protocol addresses, superimpose each group of first traffic trajectory parameters in the previous period's traffic change trajectory onto the corresponding second traffic trajectory parameter group in the current period's traffic change trajectory.

Step e: if each group of first traffic trajectory parameters has a unique corresponding protocol signature in its corresponding second traffic trajectory parameter group, weight, according to the protocol signature, the numerical queue corresponding to the trajectory features between the current period's traffic change trajectory and the next period's traffic change trajectory, and take the median of the weighted numerical queue as the correlation coefficient of the trajectory features between the current period's traffic change trajectory and the next period's traffic change trajectory.

Step f: if the groups of first traffic trajectory parameters do not each have a unique corresponding protocol signature in their corresponding second traffic trajectory parameter groups, return to the step of superimposing each group of traffic trajectory parameters in the previous period's traffic change trajectory onto the corresponding second traffic trajectory parameter group in the current period's traffic change trajectory according to the directed acyclic graph representing the correspondence of traffic protocol addresses.

By applying steps a to f above, it is ensured that when the traffic change trajectories of different periods are superimposed their traffic packets correspond one-to-one on traffic protocol address, so that the correlation coefficient of the trajectory features of the traffic change trajectories of different periods is determined accurately.

In one possible implementation, the operation of step S1413 (determining the first trajectory interval that the trajectory offset corresponds to in the previous period's traffic change trajectory and the second trajectory interval that it corresponds to in the current period's traffic change trajectory, extracting the first trajectory data list of the first trajectory interval and the second trajectory data list of the second trajectory interval, and calculating the traffic feature overlap ratio between the first trajectory data list and the second trajectory data list) may specifically include the following steps (1) to (4).

(1) List the first description information of the previous period's traffic change trajectory and the second description information of the current period's traffic change trajectory, and integrate the first description information and the second description information into target description information according to the temporal weight between the previous period's traffic change trajectory and the current period's traffic change trajectory; the target description information contains multiple first trajectory identifiers and multiple second trajectory identifiers.

(2) Determine a first offset weight between the trajectory offset and each first trajectory identifier and a second offset weight between the trajectory offset and each second trajectory identifier; determine the first trajectory interval and the second trajectory interval from the distribution sequence of the first offset weights and the second offset weights.

(3) Determine a first interval parameter matrix corresponding to the first trajectory interval and a second interval parameter matrix corresponding to the second trajectory interval, where the first interval parameter matrix represents the distribution of the trajectory nodes in the first trajectory interval and the second interval parameter matrix represents the distribution of the trajectory nodes in the second trajectory interval; extract a first matrix discrete value from the first interval parameter matrix and a second matrix discrete value from the second interval parameter matrix, and extract the first trajectory data list and the second trajectory data list from the first interval parameter matrix and the second interval parameter matrix respectively, according to the first matrix discrete value and the second matrix discrete value.

(4) Determine the traffic list queues generated from the first trajectory data list and the second trajectory data list; for the current traffic list queue among them, determine, from the first queue change frequency of the current traffic list queue in the previous period and the second queue change frequency of each traffic list queue in the current period, a third queue change frequency of the current traffic list queue between the previous period and the current period; calculate the traffic feature overlap ratio between the first trajectory data list and the second trajectory data list from the third queue change frequency and the number of traffic list queues.

It will be understood that steps (1) to (4) above allow the traffic feature overlap ratio between the first trajectory data list and the second trajectory data list to be calculated accurately, which improves the accuracy of judging and detecting DDoS attacks.

In a specific implementation, to ensure that the target terminal device can withstand a DDoS attack, different dynamic security policies need to be specified for the target terminal device according to the event behavior features of the DDoS attack. To this end, the operation of step S140 (determining from the trajectory offset the state parameters of the target terminal device in the current period, generating a dynamic security policy from the state parameters, and delivering the dynamic security policy to the target terminal device) may, by way of example, include the following steps S1421 to S1424.

Step S1421: based on an acquired offset evaluation factor, which represents the confidence of the trajectory offset, and a trajectory continuity factor, determine the label script files of multiple identification labels to be marked for identifying the state parameters of the target terminal device, as well as the similarity between different identification labels.

Step S1422: mark the multiple identification labels based on the determined label script files of the identification labels and the similarity between different identification labels, such that the file response time of the label script files of the marked identification labels is less than a first set value and the similarity between the marked identification labels is greater than a second set value.

Step S1423: according to the marked identification labels, extract the state parameters of the target terminal device in the current period from the target terminal device's operation log; split the state parameters in chronological order into multiple parameter segments, and determine the traffic processing indicator information corresponding to each parameter segment, where the traffic processing indicator information represents the throughput and maximum traffic carrying capacity of the target terminal device.

Step S1424: determine the DDoS attack event behavior features corresponding to each group of traffic processing indicator information, and generate a target security policy from the event behavior features and the throughput and maximum traffic carrying capacity in their corresponding traffic processing indicator information; encapsulate the target security policies into the dynamic security policy according to the temporal features of the event behavior features corresponding to each target security policy.

In a specific implementation, performing steps S1421 to S1424 above makes it possible to specify different dynamic security policies for the target terminal device according to the event behavior features of the DDoS attack, thereby ensuring that the target terminal device can withstand the DDoS attack.

In an alternative implementation, the operation of step S110 (establishing a traffic detection channel corresponding to the target terminal device from the device interface parameters carried in the authorization instruction) may specifically include the following steps S111 to S113.

Step S111: acquire the data forwarding logic information corresponding to the device interface parameters, and extract channel parameters from the data forwarding logic information to obtain a channel parameter package comprising channel key characters and the bandwidth band corresponding to the channel key characters.

Step S112: generate a first verification random number from the channel key characters and the bandwidth band, and embed the first verification random number in the channel parameter package to obtain a target parameter package.

Step S113: send the target parameter package to the target terminal device to obtain a second verification random number, which the target terminal device feeds back after verifying the channel parameter package using the first verification random number; when the first verification random number and the second verification random number are equal, establish the traffic detection channel corresponding to the target terminal device from the channel key characters, the bandwidth band, the first verification random number and the second verification random number.

By performing steps S111 to S113 above, as an example, different traffic detection channels can be established from different device interface parameters, thereby avoiding mutual interference between traffic detection channels and ensuring the accuracy and reliability of traffic detection for each terminal device.

Further, the operation of step S120 (drawing the traffic curve corresponding to the target terminal device based on the real-time network traffic) may specifically include the following steps S121 to S123.

Step S121: divide the real-time network traffic into first network traffic and second network traffic.

Step S122: plot the traffic values of the first network traffic and the second network traffic at the same moments as points in a preset coordinate plane, obtaining a first point set corresponding to the first network traffic and a second point set corresponding to the second network traffic.

Step S123: fit the first point set and the second point set into a traffic curve according to the traffic priorities of the first network traffic and the second network traffic at the same moments.

Through steps S121 to S123 above, both the first network traffic received by the target terminal device and the second network traffic sent by it are taken into account, so that the traffic curve is determined completely.

Still further, the operation of step S130 (periodically determining multiple sets of traffic change trajectories of the target terminal device based on the traffic curve, and calculating the trajectory offset between the traffic change trajectory of the current period and that of the previous period) may specifically be implemented by the following steps S131 and S132.

Step S131: determine multiple sets of traffic change trajectories of the target terminal device from the traffic curve according to a set time step.

Step S132: determine the trajectory offset as the weighted sum of the sequence differences between the first traffic value sequence of the current period's traffic change trajectory and the second traffic value sequence of the previous period's traffic change trajectory.

By performing steps S131 and S132 above, the trajectory offset between the traffic change trajectory of the current period and that of the previous period can be determined accurately.
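The following is an added example, written for this page and not code from the patent, of the windowing in step S131, the weighted sequence-difference offset of step S132, and the threshold branch of step S1411. The patent leaves the time step, the weights, the sign convention of the differences and the threshold unspecified; the example assumes a time step of 8 samples, uniform weights by default (with a recency-weighted alternative), absolute differences so that rises and falls cannot cancel, and a threshold of 500. The traffic curve is a constructed series of bytes per second whose third period is a constructed flood; the names `split_trajectories`, `trajectory_offset`, `period_offsets` and `classify_periods` are this example's own.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed sample: the traffic curve of one terminal device as total bytes
# per second over 24 consecutive seconds. Periods 0 and 1 are ordinary load;
# period 2 is a constructed flood standing in for the surge the description
# associates with a DDoS attack.
SAMPLE_CURVE: List[float] = [
    100, 110, 95, 105, 100, 98, 102, 101,            # period 0
    99, 103, 97, 100, 104, 96, 101, 100,             # period 1
    900, 1500, 2200, 2600, 3000, 3100, 3050, 3200,   # period 2 (flood)
]
TIME_STEP = 8             # samples per trajectory; assumed, not fixed by the patent
OFFSET_THRESHOLD = 500.0  # step S1411 threshold; assumed value


def split_trajectories(curve: Sequence[float], step: int) -> List[List[float]]:
    """Step S131: cut the traffic curve into consecutive trajectories of `step` samples.

    A trailing partial window is dropped so that every trajectory has the same
    length, which step S132 needs in order to pair values position by position.
    """
    if step <= 0:
        raise ValueError("time step must be positive")
    return [list(curve[i:i + step]) for i in range(0, len(curve) - step + 1, step)]


def recency_weights(n: int) -> List[float]:
    """Linearly increasing weights (1..n, normalised to sum 1) so the newest
    samples of a period count most. An assumed choice, offered as one way to
    fill in the weighting that step S132 leaves open."""
    total = n * (n + 1) / 2
    return [(k + 1) / total for k in range(n)]


def trajectory_offset(current: Sequence[float], previous: Sequence[float],
                      weights: Optional[Sequence[float]] = None) -> float:
    """Step S132: weighted sum of the sequence differences between the current
    period's value sequence and the previous period's value sequence.

    Assumptions not fixed by the patent text: differences are taken as absolute
    values so that increases and decreases cannot cancel out, and the weights
    default to a uniform 1/n.
    """
    if len(current) != len(previous):
        raise ValueError("trajectories must have equal length")
    n = len(current)
    if weights is None:
        weights = [1.0 / n] * n
    if len(weights) != n:
        raise ValueError("one weight per sample is required")
    return sum(w * abs(c - p) for w, c, p in zip(weights, current, previous))


def period_offsets(curve: Sequence[float], step: int,
                   weights: Optional[Sequence[float]] = None) -> List[float]:
    """Offset of every period after the first, each measured against its predecessor."""
    trajectories = split_trajectories(curve, step)
    return [trajectory_offset(trajectories[i], trajectories[i - 1], weights)
            for i in range(1, len(trajectories))]


def classify_periods(curve: Sequence[float], step: int, threshold: float,
                     weights: Optional[Sequence[float]] = None) -> List[Tuple[int, float, str]]:
    """Step S1411: route each period to the follow-up check the patent names.

    Returns (period index, offset, branch), where branch is "S1413" when the
    offset is at or above the threshold (the interval-overlap check) and
    "S1412" otherwise (the superposition-and-correlation check). The two
    follow-up checks themselves are outside this example.
    """
    result = []
    for i, off in enumerate(period_offsets(curve, step, weights), start=1):
        branch = "S1413" if off >= threshold else "S1412"
        result.append((i, off, branch))
    return result


if __name__ == "__main__":
    for period, off, branch in classify_periods(SAMPLE_CURVE, TIME_STEP, OFFSET_THRESHOLD):
        print(f"period {period}: offset={off:.2f} -> {branch}")
```

With the constructed curve, period 1 differs from period 0 by only a few bytes per second on average and is routed to the S1412 branch, while the flood in period 2 produces an offset in the thousands and is routed to the S1413 branch. In a deployment the threshold would be calibrated against the device's own quiet-hour offsets rather than fixed by hand, since a value that suits a sensor gateway will be far too low for a historian server.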

Based on the same inventive concept, and with reference to FIG. 2, a network traffic anomaly detection apparatus 200 applied to the industrial Internet is provided, which is applied to a big data platform and includes:

a channel establishment module 210, configured to, upon receiving an authorization instruction fed back by a target terminal device in response to a traffic detection request sent by the big data platform, establish a traffic detection channel corresponding to the target terminal device using the device interface parameters carried in the authorization instruction;

a traffic collection module 220, configured to collect the real-time network traffic of the target terminal device through the traffic detection channel and to draw a traffic curve corresponding to the target terminal device based on the real-time network traffic;

a trajectory determination module 230, configured to periodically determine multiple sets of traffic change trajectories of the target terminal device based on the traffic curve and to calculate the trajectory offset between the traffic change trajectory of the current period and the traffic change trajectory of the previous period;

a policy delivery module 240, configured to, when it is determined from the trajectory offset that the target terminal device is under a distributed denial-of-service attack, determine from the trajectory offset the state parameters of the target terminal device in the current period, generate a dynamic security policy according to the state parameters, and deliver the dynamic security policy to the target terminal device, so that the target terminal device identifies and destroys the abnormal requests among its pending requests based on the dynamic security policy.

Optionally, the policy delivery module 240 is specifically configured to:

judge whether the trajectory offset is below a set threshold;

when the trajectory offset is below the set threshold, superimpose the traffic change trajectory of the previous period onto the traffic change trajectory of the current period;

calculate the correlation coefficient of the trajectory features between the traffic change trajectory of the current period and the traffic change trajectory of the next period;

if the correlation coefficient is greater than a set coefficient, determine that the target terminal device is under a distributed denial-of-service attack.

Optionally, the policy delivery module 240 is further specifically configured to:

when the trajectory offset is greater than or equal to the set threshold, determine the first trajectory interval that the trajectory offset corresponds to in the traffic change trajectory of the previous period and the second trajectory interval that it corresponds to in the traffic change trajectory of the current period;

extract the first trajectory data list of the first trajectory interval and the second trajectory data list of the second trajectory interval, and calculate the traffic feature overlap ratio between the first trajectory data list and the second trajectory data list;

if the traffic feature overlap ratio is greater than a set ratio, determine that the target terminal device is under a distributed denial-of-service attack.

Optionally, the policy issuing module 240 is further specifically configured to:

generate a first traffic protocol address list corresponding to the traffic change track of the previous period and representing the packet information of the traffic packets of that track, and a second traffic protocol address list representing the packet information of the traffic packets of the traffic change track of the current period; where the first traffic protocol address list and the second traffic protocol address list each contain the same number of list units, each list unit has a different unit identification degree, and the unit identification degree represents the degree of association of the list features of that list unit;

extract, from the first traffic protocol address list of the previous period's traffic change track, a protocol address path corresponding to one of its list units; where, while the protocol address path is being determined, the list unit with the largest unit identification degree in the second traffic protocol address list of the current period's traffic change track is determined in parallel as a reference list unit;

map the protocol address path into the reference list unit and determine the mapped address path of the protocol address path in the reference list unit; determine, from the mapped address path and the protocol address path, a directed acyclic graph between the first traffic protocol address list and the second traffic protocol address list that represents the correspondence of traffic protocol addresses;

based on the directed acyclic graph representing the correspondence of traffic protocol addresses, superimpose each group of first traffic track parameters in the previous period's traffic change track onto the corresponding second traffic track parameter group in the current period's traffic change track;

if every group of first traffic track parameters has a unique corresponding protocol signature in its corresponding second traffic track parameter group, weight, according to the protocol signatures, the numerical queue corresponding to the track features between the current period's traffic change track and the next period's traffic change track, and take the median of the weighted numerical queue as the correlation coefficient of the track features between the traffic change track of the current period and the traffic change track of the next period;

if the groups of first traffic track parameters do not each have a unique corresponding protocol signature in their corresponding second traffic track parameter groups, return to the step of superimposing, based on the directed acyclic graph representing the correspondence of traffic protocol addresses, each group of traffic track parameters in the previous period's traffic change track onto the corresponding second traffic track parameter group in the current period's traffic change track.

Optionally, the policy issuing module 240 is further specifically configured to:

list the first description information of the previous period's traffic change track and the second description information of the current period's traffic change track, and integrate the first description information and the second description information according to the time-sequence weight between the previous period's traffic change track and the current period's traffic change track to obtain target description information; where the target description information includes a plurality of first track identifiers and a plurality of second track identifiers;

determine a first offset weight between the track offset and each first track identifier and a second offset weight between the track offset and each second track identifier; determine the first track interval and the second track interval according to the distribution sequence of the first offset weights and the second offset weights;

determine a first interval parameter matrix corresponding to the first track interval and a second interval parameter matrix corresponding to the second track interval; where the first interval parameter matrix represents the distribution of the track nodes of the first track interval and the second interval parameter matrix represents the distribution of the track nodes of the second track interval; extract a first matrix discrete value of the first interval parameter matrix and a second matrix discrete value of the second interval parameter matrix, and extract the first track data list and the second track data list from the first interval parameter matrix and the second interval parameter matrix respectively according to the first matrix discrete value and the second matrix discrete value;

determine the traffic list queues generated from the first track data list and the second track data list; for the current traffic list queue among those traffic list queues, determine a third queue change frequency of the current traffic list queue between the previous period and the current period, based on the first queue change frequency of the current traffic list queue in the previous period and the second queue change frequency of each traffic list queue in the current period; calculate the traffic feature overlap rate between the first track data list and the second track data list based on the third queue change frequency and the number of traffic list queues.

Optionally, the policy issuing module 240 is further specifically configured to:

based on an obtained offset evaluation factor, which represents the confidence of the track offset, and a track continuity factor, determine the tag script files of a plurality of identification tags to be marked, which are used to identify the state parameters of the target terminal device, and the similarity between different identification tags;

mark the plurality of identification tags based on the determined tag script files and the similarity between different identification tags, such that the file response time of the tag script file of each marked identification tag is less than a first set value and the similarity between the marked identification tags is greater than a second set value;

extract, according to the marked identification tags, the state parameters of the target terminal device in the current period from the operation log of the target terminal device; split the state parameters in time order into a plurality of parameter segments and determine the traffic processing indicator information of each parameter segment; where the traffic processing indicator information represents the throughput and the maximum traffic carrying capacity of the target terminal device;

determine the event behaviour features of the DDoS attack corresponding to each group of traffic processing indicator information, and generate a target security policy according to the event behaviour features and the throughput and maximum traffic carrying capacity in the corresponding traffic processing indicator information; encapsulate the target security policy as the dynamic security policy according to the time-sequence features of the event behaviour features corresponding to the target security policy.

Optionally, the traffic collection module 220 is configured to:

divide the real-time network traffic into first network traffic and second network traffic;

plot the traffic values of the first network traffic and the second network traffic at the same moments in a preset coordinate plane, obtaining a first plot point set corresponding to the first network traffic and a second plot point set corresponding to the second network traffic;

fit the first plot point set and the second plot point set into a traffic curve based on the traffic priorities of the first network traffic and the second network traffic at the same moments.

Optionally, the track determination module 230 is configured to:

determine a plurality of groups of traffic change tracks of the target terminal device from the traffic curve according to a set time step;

determine the track offset from the weighted sum of the sequence differences between the first traffic value sequence of the current period's traffic change track and the second traffic value sequence of the previous period's traffic change track.

For a detailed description of the above modules, refer to the description of the method shown in FIG. 1; it is not repeated here.

Based on the same inventive concept, and with reference to FIG. 3, a network traffic anomaly detection system 300 applied to the industrial Internet is provided. The system includes a big data platform 400 and a terminal device 500 that communicate with each other.

The big data platform 400 is configured to:

when an authorization instruction is received that the target terminal device feeds back in response to a traffic detection request sent by the big data platform, establish a traffic detection channel corresponding to the target terminal device using the device interface parameters carried in the authorization instruction;

collect the real-time network traffic of the target terminal device through the traffic detection channel, and draw the traffic curve corresponding to the target terminal device based on the real-time network traffic;

periodically determine a plurality of groups of traffic change tracks of the target terminal device based on the traffic curve, and calculate the track offset between the traffic change track of the current period and the traffic change track of the previous period;

when it is determined from the track offset that the target terminal device is under a DDoS attack, determine the state parameters of the target terminal device in the current period from the track offset, generate a dynamic security policy from the state parameters, and issue the dynamic security policy to the target terminal device.

The target terminal device is configured to:

identify the abnormal requests among its pending requests based on the dynamic security policy and destroy them.

Optionally, the big data platform 400 is specifically configured to:

determine whether the track offset is below a set threshold;

when the track offset is below the set threshold, superimpose the traffic change track of the previous period onto the traffic change track of the current period;

calculate a correlation coefficient of the track features between the traffic change track of the current period and the traffic change track of the next period;

if the correlation coefficient is greater than a set coefficient, determine that the target terminal device is under a DDoS attack.

Optionally, the big data platform 400 is further specifically configured to:

when the track offset is greater than or equal to the set threshold, determine a first track interval corresponding to the track offset in the traffic change track of the previous period and a second track interval corresponding to the track offset in the traffic change track of the current period;

extract a first track data list of the first track interval and a second track data list of the second track interval, and calculate a traffic feature overlap rate between the first track data list and the second track data list;

if the traffic feature overlap rate is greater than a set rate, determine that the target terminal device is under a DDoS attack.

Optionally, the big data platform 400 is further specifically configured to:

generate a first traffic protocol address list corresponding to the traffic change track of the previous period and representing the packet information of the traffic packets of that track, and a second traffic protocol address list representing the packet information of the traffic packets of the traffic change track of the current period; where the first traffic protocol address list and the second traffic protocol address list each contain the same number of list units, each list unit has a different unit identification degree, and the unit identification degree represents the degree of association of the list features of that list unit;

extract, from the first traffic protocol address list of the previous period's traffic change track, a protocol address path corresponding to one of its list units; where, while the protocol address path is being determined, the list unit with the largest unit identification degree in the second traffic protocol address list of the current period's traffic change track is determined in parallel as a reference list unit;

map the protocol address path into the reference list unit and determine the mapped address path of the protocol address path in the reference list unit; determine, from the mapped address path and the protocol address path, a directed acyclic graph between the first traffic protocol address list and the second traffic protocol address list that represents the correspondence of traffic protocol addresses;

based on the directed acyclic graph representing the correspondence of traffic protocol addresses, superimpose each group of first traffic track parameters in the previous period's traffic change track onto the corresponding second traffic track parameter group in the current period's traffic change track;

if every group of first traffic track parameters has a unique corresponding protocol signature in its corresponding second traffic track parameter group, weight, according to the protocol signatures, the numerical queue corresponding to the track features between the current period's traffic change track and the next period's traffic change track, and take the median of the weighted numerical queue as the correlation coefficient of the track features between the traffic change track of the current period and the traffic change track of the next period;

if the groups of first traffic track parameters do not each have a unique corresponding protocol signature in their corresponding second traffic track parameter groups, return to the step of superimposing, based on the directed acyclic graph representing the correspondence of traffic protocol addresses, each group of traffic track parameters in the previous period's traffic change track onto the corresponding second traffic track parameter group in the current period's traffic change track.

Optionally, the big data platform 400 is further specifically configured to:

list the first description information of the previous period's traffic change track and the second description information of the current period's traffic change track, and integrate the first description information and the second description information according to the time-sequence weight between the previous period's traffic change track and the current period's traffic change track to obtain target description information; where the target description information includes a plurality of first track identifiers and a plurality of second track identifiers;

determine a first offset weight between the track offset and each first track identifier and a second offset weight between the track offset and each second track identifier; determine the first track interval and the second track interval according to the distribution sequence of the first offset weights and the second offset weights;

determine a first interval parameter matrix corresponding to the first track interval and a second interval parameter matrix corresponding to the second track interval; where the first interval parameter matrix represents the distribution of the track nodes of the first track interval and the second interval parameter matrix represents the distribution of the track nodes of the second track interval; extract a first matrix discrete value of the first interval parameter matrix and a second matrix discrete value of the second interval parameter matrix, and extract the first track data list and the second track data list from the first interval parameter matrix and the second interval parameter matrix respectively according to the first matrix discrete value and the second matrix discrete value;

determine the traffic list queues generated from the first track data list and the second track data list; for the current traffic list queue among those traffic list queues, determine a third queue change frequency of the current traffic list queue between the previous period and the current period, based on the first queue change frequency of the current traffic list queue in the previous period and the second queue change frequency of each traffic list queue in the current period; calculate the traffic feature overlap rate between the first track data list and the second track data list based on the third queue change frequency and the number of traffic list queues.

Optionally, the big data platform 400 is further specifically configured to:

based on an obtained offset evaluation factor, which represents the confidence of the track offset, and a track continuity factor, determine the tag script files of a plurality of identification tags to be marked, which are used to identify the state parameters of the target terminal device, and the similarity between different identification tags;

mark the plurality of identification tags based on the determined tag script files and the similarity between different identification tags, such that the file response time of the tag script file of each marked identification tag is less than a first set value and the similarity between the marked identification tags is greater than a second set value;

extract, according to the marked identification tags, the state parameters of the target terminal device in the current period from the operation log of the target terminal device; split the state parameters in time order into a plurality of parameter segments and determine the traffic processing indicator information of each parameter segment; where the traffic processing indicator information represents the throughput and the maximum traffic carrying capacity of the target terminal device;

determine the event behaviour features of the DDoS attack corresponding to each group of traffic processing indicator information, and generate a target security policy according to the event behaviour features and the throughput and maximum traffic carrying capacity in the corresponding traffic processing indicator information; encapsulate the target security policy as the dynamic security policy according to the time-sequence features of the event behaviour features corresponding to the target security policy.
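The following Python block is an added example written for this page; it is not code from the patent or its applicant. It illustrates the last two steps above, which the page also assigns to the policy issuing module 240 in the device description: per-segment state parameters, assumed here to be (throughput, maximum traffic carrying capacity) pairs in requests per second, are turned into one rule per time segment in time order, and the terminal device then walks its pending requests against those rules and destroys the ones the policy marks as abnormal. The shape of the rule (a per-source request limit that applies only in segments whose throughput exceeds a headroom fraction of the capacity), the "flood"/"normal" event labels, the `Request` fields and the pending queue are all assumptions of this example; the patent does not specify them, and the queue is constructed, not captured.

```python
"""Added example: per-segment dynamic security policy and terminal-side
request filtering. Not the patent's code; assumptions are marked below."""
from collections import Counter
from dataclasses import dataclass
from math import floor
from typing import Optional


@dataclass(frozen=True)
class Request:
    ts: float   # seconds from the start of the current period
    src: str    # source identifier; assumed to be the client IP
    kind: str   # request kind as the terminal sees it (assumed labels)


@dataclass(frozen=True)
class SegmentRule:
    start: float
    end: float
    event: str                        # event behaviour feature of the segment
    per_source_limit: Optional[int]   # None when the segment is not under pressure


def build_policy(segments, segment_len, headroom=0.8, expected_sources=50):
    """State parameters -> target security policy, one rule per parameter
    segment in time order (that ordering stands in for the 'encapsulation' step).
    `segments` holds (throughput, capacity) pairs in requests per second.
    Assumption: a segment whose throughput exceeds `headroom` of the maximum
    carrying capacity is labelled 'flood' and gets a per-source request limit
    sized so that `expected_sources` well-behaved sources still fit under it."""
    rules = []
    for i, (throughput, capacity) in enumerate(segments):
        start, end = i * segment_len, (i + 1) * segment_len
        budget = headroom * capacity
        if throughput > budget:
            limit = max(1, floor(budget * segment_len / expected_sources))
            rules.append(SegmentRule(start, end, "flood", limit))
        else:
            rules.append(SegmentRule(start, end, "normal", None))
    return tuple(rules)


def rule_for(policy, ts):
    """Rule whose [start, end) window contains `ts`, or None outside the policy."""
    for rule in policy:
        if rule.start <= ts < rule.end:
            return rule
    return None


def apply_policy(policy, pending):
    """Terminal side: walk the pending requests in time order, count requests per
    source inside each segment, and destroy those beyond the segment's per-source
    limit. Requests outside every rule's window are kept. Returns (kept, destroyed)."""
    kept, destroyed = [], []
    seen = Counter()
    for req in sorted(pending, key=lambda r: r.ts):
        rule = rule_for(policy, req.ts)
        if rule is None or rule.per_source_limit is None:
            kept.append(req)
            continue
        key = (rule.start, req.src)
        seen[key] += 1
        (destroyed if seen[key] > rule.per_source_limit else kept).append(req)
    return kept, destroyed


# Constructed state parameters: three 10 s segments of (throughput, capacity) in rps.
SEGMENTS = ((30.0, 100.0), (150.0, 100.0), (40.0, 100.0))


def make_pending():
    """Constructed pending queue: three benign sources with two requests per
    segment, plus one source sending 50 requests inside the saturated segment."""
    pending = []
    for seg in range(3):
        for src in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
            pending.append(Request(seg * 10 + 1.0, src, "read"))
            pending.append(Request(seg * 10 + 6.0, src, "write"))
    pending.extend(Request(10.0 + k * 0.2, "198.51.100.7", "read") for k in range(50))
    return pending


def demo():
    """Build the policy from SEGMENTS and apply it to the constructed queue."""
    policy = build_policy(SEGMENTS, segment_len=10.0)
    kept, destroyed = apply_policy(policy, make_pending())
    return policy, kept, destroyed


if __name__ == "__main__":
    policy, kept, destroyed = demo()
    for rule in policy:
        print(f"[{rule.start:4.0f},{rule.end:4.0f}) {rule.event:6s} limit={rule.per_source_limit}")
    print(f"kept={len(kept)} destroyed={len(destroyed)}")
```

The limit is derived from the device's own carrying capacity rather than being a fixed number, which is what makes the policy "dynamic" in the sense of the text: the same attacker traffic is cut harder in a segment where the device is closer to saturation, and untouched in a segment that is not under pressure. A per-source count is a deliberately simple abnormality test; it does nothing against a flood spread thinly across many sources, and the terminal still has to parse and queue every request before the policy sees it, so the policy reduces load on the application behind the terminal, not on its network interface.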

Optionally, the big data platform 400 is configured to:

divide the real-time network traffic into first network traffic and second network traffic;

plot the traffic values of the first network traffic and the second network traffic at the same moments in a preset coordinate plane, obtaining a first plot point set corresponding to the first network traffic and a second plot point set corresponding to the second network traffic;

fit the first plot point set and the second plot point set into a traffic curve based on the traffic priorities of the first network traffic and the second network traffic at the same moments.

Optionally, the big data platform 400 is configured to:

determine a plurality of groups of traffic change tracks of the target terminal device from the traffic curve according to a set time step;

determine the track offset from the weighted sum of the sequence differences between the first traffic value sequence of the current period's traffic change track and the second traffic value sequence of the previous period's traffic change track.
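The following Python block is an added example written for this page; it is not code from the patent or its applicant. It gives one executable reading of the steps the page assigns to the traffic collection module 220 and the track determination module 230 in the device description and, in this section, to the big data platform 400: fitting two traffic classes into one curve by priority, cutting the curve into tracks of a fixed time step, the track offset as a weighted sum of per-step differences, and the two-branch decision (correlation with the next period's track when the offset is below the threshold, feature overlap rate when it is not). Everything the patent leaves undefined is an assumption here: a priority-weighted sum as the fit, linearly rising weights in the offset, element-wise addition as "superimposing", Pearson correlation as the correlation coefficient, and a Jaccard ratio over constructed "proto:dst_port" feature tokens as the traffic feature overlap rate. The sample tracks are constructed, not captured traffic.

```python
"""Added example: windowed track offset and two-branch DDoS decision.
Not the patent's code; assumptions are marked in the comments."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Track:
    """One traffic change track (one time period): the fitted traffic value at
    each time step, plus the feature tokens seen in that interval. The token
    format "proto:dst_port" is an assumption of this example."""
    values: tuple
    features: frozenset = frozenset()


def fit_curve(first, second, prio_first=0.7, prio_second=0.3):
    """Fit the two plot point sets into one curve. The text says only that the
    fit uses the two classes' priorities; a priority-weighted sum is assumed."""
    if len(first) != len(second):
        raise ValueError("the two plot point sets must be aligned in time")
    return [prio_first * a + prio_second * b for a, b in zip(first, second)]


def split_tracks(curve, step):
    """Cut the curve into consecutive tracks of `step` samples (the set time
    step); a partial tail shorter than `step` is dropped."""
    return [tuple(curve[i:i + step]) for i in range(0, len(curve) - step + 1, step)]


def track_offset(current, previous):
    """Weighted sum of per-step differences between the two value sequences.
    Assumed weights rise linearly towards the newest step and sum to 1, so the
    offset stays on the scale of the traffic values."""
    n = len(current)
    if n == 0 or n != len(previous):
        raise ValueError("tracks must be non-empty and equally long")
    weights = [(i + 1) / (n * (n + 1) / 2) for i in range(n)]
    return sum(w * abs(c - p) for w, c, p in zip(weights, current, previous))


def correlation(xs, ys):
    """Pearson correlation, assumed as the 'correlation coefficient of track
    features'. A constant sequence has no shape, so return 0.0 rather than
    dividing by zero."""
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)


def overlap_ratio(a, b):
    """Jaccard overlap of two feature token sets, assumed as the 'traffic
    feature overlap rate' between the two track data lists."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def is_ddos(prev, cur, nxt, offset_threshold, corr_threshold, overlap_threshold):
    """The two-branch decision. Returns (flagged, branch, offset)."""
    offset = track_offset(cur.values, prev.values)
    if offset < offset_threshold:
        # Low offset: superimpose (assumed: add element-wise) the previous track
        # onto the current one and ask whether the next period continues that shape.
        superimposed = [c + p for c, p in zip(cur.values, prev.values)]
        flagged = correlation(superimposed, nxt.values) > corr_threshold
        return flagged, "correlation", offset
    # High offset: compare the feature lists of the two tracks instead.
    flagged = overlap_ratio(prev.features, cur.features) > overlap_threshold
    return flagged, "overlap", offset


# Constructed sample tracks (not captured traffic), four samples per period.
BASELINE = frozenset({"tcp:502", "tcp:443"})
NORMAL = (Track((10, 12, 9, 11), BASELINE), Track((11, 9, 13, 10), BASELINE),
          Track((10, 11, 9, 12), BASELINE))
RAMP = (Track((10, 12, 14, 16), BASELINE), Track((12, 14, 16, 18), BASELINE),
        Track((14, 16, 18, 20), BASELINE))
FLOOD = (Track((10, 12, 9, 11), BASELINE),
         Track((300, 420, 380, 450), BASELINE | {"udp:53"}),
         Track((410, 400, 430, 390), BASELINE | {"udp:53"}))
NEWMIX = (FLOOD[0], Track((300, 420, 380, 450), frozenset({"udp:53", "udp:123"})), FLOOD[2])


def demo(offset_threshold=5.0, corr_threshold=0.8, overlap_threshold=0.5):
    """Run the decision over the four constructed scenarios."""
    scenarios = (("normal", NORMAL), ("ramp", RAMP), ("flood", FLOOD), ("newmix", NEWMIX))
    return {name: is_ddos(*tracks, offset_threshold, corr_threshold, overlap_threshold)
            for name, tracks in scenarios}


if __name__ == "__main__":
    for name, (flagged, branch, offset) in demo().items():
        print(f"{name:7s} offset={offset:7.2f} branch={branch:11s} ddos={flagged}")
```

Two points a practitioner should check before reusing the decision rule as written. The correlation branch needs the next period's track, so a slow ramp is confirmed one period after its offset was measured, not in the period it appears. And the direction of the overlap test depends on what the feature list contains: with protocol/port tokens a surge that keeps the previous period's traffic mix (`FLOOD`) is flagged while a surge of an entirely new mix (`NEWMIX`) is not, whereas with source-address tokens a spoofed flood would produce a low overlap instead, and the threshold would have to be applied in the opposite direction.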

For a detailed description of the above system, refer to the description of the method shown in FIG. 1; it is not repeated here.

On the basis of the above system, and as shown in FIG. 4, a schematic hardware structure of the big data platform 400 is also provided. It includes a processor 410 and a memory 420 that communicate with each other, and the processor 410 implements the above method by running a computer program retrieved from the memory 420.

Further, a computer-readable storage medium is provided, on which a computer program is stored; when run, the computer program implements the above method.

The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A network flow abnormity detection method applied to an industrial Internet is characterized by being applied to a big data platform, and the method comprises the following steps:
when an authorization instruction fed back by a flow detection request sent by a target terminal device based on the big data platform is received, establishing a flow detection channel corresponding to the target terminal device through a device interface parameter carried in the authorization instruction;
acquiring real-time network traffic of the target terminal equipment through the traffic detection channel, and drawing a traffic curve corresponding to the target terminal equipment based on the real-time network traffic;
periodically determining a plurality of groups of flow change tracks of the target terminal equipment based on the flow curve, and calculating the track offset between the flow change track corresponding to the current time period and the flow change track corresponding to the previous time period;
when the target terminal equipment is judged to be attacked by the distributed denial of service according to the track offset, determining the state parameters of the target terminal equipment in the current time period through the track offset, generating a dynamic security policy according to the state parameters and issuing the dynamic security policy to the target terminal equipment so that the target terminal equipment determines the abnormal request in the request to be processed based on the dynamic security policy and destroys the abnormal request.
2. The method for detecting network traffic anomaly according to claim 1, wherein determining whether a target terminal device is under a distributed denial of service attack specifically comprises:
judging whether the track offset is lower than a set threshold value or not;
when the track offset is lower than a set threshold value, the flow change track corresponding to the previous time period is superposed to the flow change track corresponding to the current time period;
calculating a correlation coefficient of track characteristics between a flow change track corresponding to a current period and a flow change track corresponding to a next period;
and if the correlation coefficient is larger than a set coefficient, judging that the target terminal equipment is attacked by the distributed denial of service attack.
3. The method for detecting network traffic anomalies according to claim 2, further comprising:
when the trajectory offset is greater than or equal to the set threshold, determining a first trajectory interval corresponding to the trajectory offset in the traffic change trajectory corresponding to the previous time period and a second trajectory interval corresponding to the trajectory offset in the traffic change trajectory corresponding to the current time period;
extracting a first trajectory data list of the first trajectory interval and a second trajectory data list of the second trajectory interval, and calculating the traffic feature overlap rate between the first trajectory data list and the second trajectory data list;
and if the traffic feature overlap rate is greater than a set rate, judging that the target terminal device is under a distributed denial of service attack.
4. The method according to claim 2, wherein superposing the traffic change trajectory corresponding to the previous time period onto the traffic change trajectory corresponding to the current time period and calculating the correlation coefficient of trajectory characteristics between the traffic change trajectory corresponding to the current time period and the traffic change trajectory corresponding to the next time period specifically comprises:
generating a first traffic protocol address list, corresponding to the traffic change trajectory of the previous time period and representing the message information of the traffic messages of that trajectory, and a second traffic protocol address list corresponding to the message information of the traffic messages of the traffic change trajectory of the current time period; the first traffic protocol address list and the second traffic protocol address list each comprise the same number of list units, each list unit has a different unit identification degree, and the unit identification degree represents the degree of relevance of the list features of the list unit;
extracting a protocol address path corresponding to one list unit from the first traffic protocol address list corresponding to the traffic change trajectory of the previous time period; while the protocol address path is being determined, determining in parallel the list unit with the largest unit identification degree in the second traffic protocol address list corresponding to the traffic change trajectory of the current time period as a reference list unit;
mapping the protocol address path onto the reference list unit and determining the mapped address path of the protocol address path in the reference list unit; determining, from the mapped address path and the protocol address path, a directed acyclic graph representing the correspondence of traffic protocol addresses between the first traffic protocol address list and the second traffic protocol address list;
based on the directed acyclic graph representing the correspondence of traffic protocol addresses, superposing each group of first traffic trajectory parameters in the traffic change trajectory of the previous time period onto the corresponding second traffic trajectory parameter group in the traffic change trajectory of the current time period;
if every group of first traffic trajectory parameters has a unique corresponding protocol signature in its corresponding second traffic trajectory parameter group, weighting, according to the protocol signatures, the numerical queue corresponding to the trajectory characteristics between the traffic change trajectory of the current time period and the traffic change trajectory of the next time period, and taking the median of the weighted numerical queue as the correlation coefficient of the trajectory characteristics between the traffic change trajectory of the current time period and the traffic change trajectory of the next time period;
and if some group of first traffic trajectory parameters has no unique corresponding protocol signature in its corresponding second traffic trajectory parameter group, returning to the step of superposing each group of first traffic trajectory parameters in the traffic change trajectory of the previous time period onto the corresponding second traffic trajectory parameter group in the traffic change trajectory of the current time period according to the directed acyclic graph representing the correspondence of traffic protocol addresses.
5. The method for detecting network traffic anomalies according to claim 3, wherein determining the first trajectory interval corresponding to the trajectory offset in the traffic change trajectory of the previous time period and the second trajectory interval corresponding to the trajectory offset in the traffic change trajectory of the current time period, extracting the first trajectory data list of the first trajectory interval and the second trajectory data list of the second trajectory interval, and calculating the traffic feature overlap rate between the first trajectory data list and the second trajectory data list specifically comprises:
listing first description information of the traffic change trajectory of the previous time period and second description information of the traffic change trajectory of the current time period, and integrating the first description information and the second description information according to a time-sequence weight between the two trajectories to obtain target description information, the target description information comprising a plurality of first trajectory identifiers and a plurality of second trajectory identifiers;
determining a first offset weight between the trajectory offset and each first trajectory identifier and a second offset weight between the trajectory offset and each second trajectory identifier, and determining the first trajectory interval and the second trajectory interval according to the distribution order of the first offset weights and the second offset weights;
determining a first interval parameter matrix corresponding to the first trajectory interval and a second interval parameter matrix corresponding to the second trajectory interval, the first interval parameter matrix representing the distribution of the trajectory nodes of the first trajectory interval and the second interval parameter matrix representing the distribution of the trajectory nodes of the second trajectory interval; extracting a first matrix discrete value of the first interval parameter matrix and a second matrix discrete value of the second interval parameter matrix, and extracting the first trajectory data list and the second trajectory data list from the first interval parameter matrix and the second interval parameter matrix according to the first matrix discrete value and the second matrix discrete value respectively;
determining the traffic list queues generated from the first trajectory data list and the second trajectory data list; for a current traffic list queue among the traffic list queues, determining a third queue change frequency of the current traffic list queue between the previous time period and the current time period, based on a first queue change frequency of the current traffic list queue in the previous time period and the second queue change frequency of each traffic list queue in the current time period; and calculating the traffic feature overlap rate between the first trajectory data list and the second trajectory data list based on the third queue change frequency and the number of traffic list queues.
6. The method according to any one of claims 1 to 5, wherein determining, through the trajectory offset, the state parameters of the target terminal device in the current time period, generating the dynamic security policy according to the state parameters and issuing the dynamic security policy to the target terminal device specifically comprises:
determining, based on an acquired offset evaluation factor and an acquired trajectory continuity factor representing the confidence of the trajectory offset, the label script files of a plurality of identification labels to be marked for identifying the state parameters of the target terminal device, and the similarity between different identification labels;
marking the plurality of identification labels based on the determined label script files and the similarity between different identification labels, so that the file response time of the label script file corresponding to each marked identification label is less than a first set value and the similarity between the marked identification labels is greater than a second set value;
extracting the state parameters of the target terminal device in the current time period from the running log of the target terminal device according to the marked identification labels; splitting the state parameters in time order into a plurality of parameter sections and determining the traffic processing index information corresponding to each parameter section, the traffic processing index information representing the throughput and the maximum traffic carrying capacity of the target terminal device;
determining the event behaviour characteristics of the DDoS attack corresponding to each group of traffic processing index information, and generating a target security policy according to the event behaviour characteristics and the throughput and maximum traffic carrying capacity of the corresponding traffic processing index information; and packaging the target security policies into the dynamic security policy according to the time-sequence characteristics of the event behaviour characteristics corresponding to the target security policies.
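The following is an added example of the policy side of claim 6 together with the terminal-side enforcement of claims 1 and 7; it is not code from the patent, whose claims do not fix a log layout or a policy format. It assumes that the running log yields one line per second with a handled-request count and a capacity figure (the constructed format `t=… handled=… capacity=…`), that a parameter section is a fixed-width slice of those lines, that a section's throughput and maximum traffic carrying capacity are its mean handled count and minimum capacity, and that a target security policy is a per-source admission cap per second that tightens as the section's load approaches capacity. The terminal applies the section in force for each request's second and discards what exceeds the cap. The sample log and request list are constructed, with addresses from RFC 1918 and RFC 5737 ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed run-log format (assumption); the claims do not fix the log layout.
LOG_RE = re.compile(r"t=(\d+) handled=(\d+) capacity=(\d+)")


def parse_state(log_lines):
    """State parameters per second: (t, handled requests, max carrying capacity)."""
    states = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            states.append(tuple(int(g) for g in m.groups()))
    return states


def split_sections(states, width):
    """Split the state parameters in time order into sections `width` seconds wide."""
    sections = defaultdict(list)
    for t, handled, capacity in states:
        sections[t // width].append((handled, capacity))
    return [(k * width, samples) for k, samples in sorted(sections.items())]


def build_policy(states, width):
    """One target security policy per section, packaged in time order.

    Assumed policy form: a per-source admission cap per second that shrinks as
    the section's throughput approaches its maximum carrying capacity, plus the
    capacity itself as the total cap for that second."""
    policy = []
    for start, samples in split_sections(states, width):
        throughput = sum(h for h, _ in samples) / len(samples)
        capacity = min(c for _, c in samples)
        load = throughput / capacity
        per_source = max(1, round(capacity * max(0.01, 1.0 - load)))
        policy.append({"start": start, "end": start + width,
                       "per_source_cap": per_source, "total_cap": capacity})
    return policy


def filter_requests(pending, policy):
    """Terminal side: admit or discard each pending (t, src) request.

    Counters are per second, so a burst in one second cannot spend a later
    second's allowance; a second with no policy section is admitted unchanged,
    i.e. the policy only ever restricts."""
    per_src, per_sec = Counter(), Counter()
    admitted, discarded = [], []
    for t, src in sorted(pending):
        section = next((p for p in policy if p["start"] <= t < p["end"]), None)
        if section is None:
            admitted.append((t, src))
            continue
        if per_src[(t, src)] >= section["per_source_cap"] or per_sec[t] >= section["total_cap"]:
            discarded.append((t, src))
            continue
        per_src[(t, src)] += 1
        per_sec[t] += 1
        admitted.append((t, src))
    return admitted, discarded


# Constructed log: quiet for t=0..4, near saturation for t=5..9.
SAMPLE_LOG = [f"t={t} handled={100 if t < 5 else 480} capacity=500" for t in range(10)]


def sample_requests():
    """60 requests/s from one host plus 5/s from each of three others, at t=2 and t=7."""
    reqs = []
    for t in (2, 7):
        reqs += [(t, "198.51.100.9")] * 60
        for i in (1, 2, 3):
            reqs += [(t, f"10.0.0.{i}")] * 5
    return reqs


if __name__ == "__main__":
    policy = build_policy(parse_state(SAMPLE_LOG), width=5)
    for p in policy:
        print(p)
    admitted, discarded = filter_requests(sample_requests(), policy)
    print(len(admitted), "admitted,", len(discarded), "discarded")
```

With this data the quiet section gets a per-source cap of 400 and the saturated section a cap of 20, so the 60-per-second host passes untouched at t=2 and loses 40 of its 60 requests at t=7 while the three low-rate hosts are never touched. The choice to admit traffic in seconds no section covers is deliberate: a missing or late policy should degrade to the device's normal behaviour rather than black-hole legitimate requests.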
7. A big data platform, wherein the big data platform is in communication with a terminal device and is configured to:
when an authorization instruction is received that the target terminal device feeds back in response to a traffic detection request sent by the big data platform, establish a traffic detection channel corresponding to the target terminal device through the device interface parameters carried in the authorization instruction;
acquire the real-time network traffic of the target terminal device through the traffic detection channel and draw a traffic curve corresponding to the target terminal device based on the real-time network traffic;
periodically determine a plurality of groups of traffic change trajectories of the target terminal device based on the traffic curve, and calculate the trajectory offset between the traffic change trajectory corresponding to the current time period and the traffic change trajectory corresponding to the previous time period;
when the target terminal device is judged, according to the trajectory offset, to be under a distributed denial of service attack, determine the state parameters of the target terminal device in the current time period through the trajectory offset, generate a dynamic security policy according to the state parameters and issue the dynamic security policy to the target terminal device, so that the target terminal device determines, based on the dynamic security policy, which of its pending requests are abnormal requests and discards them.
8. The big data platform according to claim 7, wherein the big data platform determining whether the target terminal device is under the distributed denial of service attack specifically comprises:
judging whether the trajectory offset is lower than a set threshold;
when the trajectory offset is lower than the set threshold, superposing the traffic change trajectory corresponding to the previous time period onto the traffic change trajectory corresponding to the current time period; calculating a correlation coefficient of trajectory characteristics between the traffic change trajectory corresponding to the current time period and the traffic change trajectory corresponding to the next time period; and if the correlation coefficient is larger than a set coefficient, judging that the target terminal device is under a distributed denial of service attack;
when the trajectory offset is greater than or equal to the set threshold, determining a first trajectory interval corresponding to the trajectory offset in the traffic change trajectory corresponding to the previous time period and a second trajectory interval corresponding to the trajectory offset in the traffic change trajectory corresponding to the current time period; extracting a first trajectory data list of the first trajectory interval and a second trajectory data list of the second trajectory interval, and calculating the traffic feature overlap rate between the first trajectory data list and the second trajectory data list; and if the traffic feature overlap rate is greater than a set rate, judging that the target terminal device is under a distributed denial of service attack.
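The following is an added illustration of the two-branch decision of claims 2 and 3, restated for the platform in claim 8; it is not code from the patent, whose claims do not fix the data representation, the distance measure or the thresholds. It assumes that a traffic change trajectory is the list of request counts per fixed-width bucket in a time period together with the set of source addresses seen in each bucket; that the trajectory offset is the mean relative change per bucket; that the correlation coefficient is the Pearson correlation between the superposed previous-plus-current trajectory and the next period's trajectory; that the trajectory interval is the smallest set of buckets carrying half of the offset; and that the traffic feature overlap rate is the Jaccard overlap of source addresses inside that interval. The threshold, set coefficient and set rate are placeholders and the four sample scenarios are constructed. Two points a practitioner should take from it: the correlation branch of claim 2 needs the next period's trajectory, so a verdict on the current period is only available one period late; and that branch, read literally, flags traffic whose shape repeats period after period, which is the reading under which a high coefficient indicates machine-generated load and which any deployment would have to validate against its own baseline.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Trajectory:
    """Assumed form of one period's traffic change trajectory."""
    volumes: list   # request count per fixed-width bucket
    sources: list   # set of source addresses seen in each bucket


def trajectory_offset(prev, cur):
    """Assumed offset measure: mean absolute relative change per bucket."""
    return mean(abs(c - p) / max(p, 1) for p, c in zip(prev.volumes, cur.volumes))


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is flat."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return mean((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sx * sy)


def correlation_branch(prev, cur, nxt, set_coefficient):
    """Claim 2 branch: superpose previous onto current, correlate with next."""
    superposed = [p + c for p, c in zip(prev.volumes, cur.volumes)]
    rho = pearson(superposed, nxt.volumes)
    return rho, rho > set_coefficient


def offset_interval(prev, cur, share=0.5):
    """Assumed trajectory interval: fewest buckets carrying `share` of the offset."""
    deltas = [abs(c - p) for p, c in zip(prev.volumes, cur.volumes)]
    need, acc, chosen = share * sum(deltas), 0, []
    for i in sorted(range(len(deltas)), key=lambda i: -deltas[i]):
        chosen.append(i)
        acc += deltas[i]
        if acc >= need:
            break
    return sorted(chosen)


def overlap_branch(prev, cur, set_rate):
    """Claim 3 branch: Jaccard overlap of sources inside the offset interval."""
    idx = offset_interval(prev, cur)
    first = set().union(*(prev.sources[i] for i in idx))
    second = set().union(*(cur.sources[i] for i in idx))
    union = first | second
    rate = len(first & second) / len(union) if union else 0.0
    return rate, rate > set_rate


def is_ddos(prev, cur, nxt, threshold=0.3, set_coefficient=0.9, set_rate=0.6):
    """Two-branch decision; returns (attack?, branch used, offset)."""
    off = trajectory_offset(prev, cur)
    if off < threshold:
        _, hit = correlation_branch(prev, cur, nxt, set_coefficient)
        return hit, "correlation", off
    _, hit = overlap_branch(prev, cur, set_rate)
    return hit, "overlap", off


# Constructed sample data (RFC 1918 / RFC 5737 addresses, not real traffic).
BASE = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
BOTNET = {f"198.51.100.{i}" for i in range(1, 9)}
CROWD = {f"203.0.113.{i}" for i in range(1, 20)}
STEADY = [50, 52, 51, 50, 52, 51]
QUIET = [10, 12, 11, 10, 12, 11]
SURGE = [10, 12, 90, 95, 12, 11]


def make(volumes, bucket3_sources):
    sources = [set(BASE) for _ in volumes]
    sources[3] = set(bucket3_sources)
    return Trajectory(volumes, sources)


def scenarios():
    """(previous, current, next) trajectories for four constructed situations."""
    return {
        # identical shape repeated period after period: the claim 2 branch fires
        "botnet_plateau": (make(STEADY, BASE), make(STEADY, BASE), make(STEADY, BASE)),
        # small offset but uncorrelated jitter: the correlation branch stays quiet
        "normal_jitter": (make(STEADY, BASE), make([52, 49, 53, 50, 48, 51], BASE),
                          make([49, 53, 50, 47, 52, 51], BASE)),
        # large offset and the surge comes from sources already seen: claim 3 fires
        "repeat_sources_surge": (make(QUIET, BASE | BOTNET), make(SURGE, BASE | BOTNET),
                                 make(STEADY, BASE)),
        # large offset but mostly new sources (flash crowd): overlap too low
        "flash_crowd": (make(QUIET, BASE), make(SURGE, BASE | CROWD), make(STEADY, BASE)),
    }


if __name__ == "__main__":
    for name, periods in scenarios().items():
        hit, branch, off = is_ddos(*periods)
        print(f"{name:22s} offset={off:.3f} branch={branch:11s} attack={hit}")
```

Run stand-alone, the script prints one verdict per scenario: the plateau and the repeat-source surge are flagged, the jittery baseline and the flash crowd are not. The two branches fail in different directions, so the thresholds should be tuned separately: too low a set coefficient turns any stable plant network into a permanent alarm, while too low a set rate makes every ordinary surge from a fixed set of known controllers look like a flood.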
9. A big data platform comprising a processor and a memory in communication with each other, the processor implementing the method of any one of claims 1 to 6 by running a computer program retrieved from the memory.
10. A computer-readable storage medium on which a computer program is stored which, when executed, implements the method of any one of claims 1 to 6.
Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202010675003.0A CN111901316B (en) 2020-07-14 2020-07-14 Network traffic anomaly detection method and big data platform applied to industrial Internet
CN202110086592.3A CN112929340A (en) 2020-07-14 2020-07-14 Network flow abnormity detection method and system applied to industrial Internet
CN202110086470.4A CN112788047A (en) 2020-07-14 2020-07-14 Network traffic anomaly detection method based on industrial Internet and big data platform

Related Child Applications (2)

Application Number Title Priority Date Filing Date
CN202110086592.3A Division CN112929340A (en) 2020-07-14 2020-07-14 Network flow abnormity detection method and system applied to industrial Internet
CN202110086470.4A Division CN112788047A (en) 2020-07-14 2020-07-14 Network traffic anomaly detection method based on industrial Internet and big data platform

Publications (2)

Publication Number Publication Date
CN111901316A true CN111901316A (en) 2020-11-06
CN111901316B CN111901316B (en) 2021-06-25

Family

ID=73191743

Family Applications (3)

Application Number Title Priority Date Filing Date
CN202010675003.0A Active CN111901316B (en) 2020-07-14 2020-07-14 Network traffic anomaly detection method and big data platform applied to industrial Internet
CN202110086470.4A Withdrawn CN112788047A (en) 2020-07-14 2020-07-14 Network traffic anomaly detection method based on industrial Internet and big data platform
CN202110086592.3A Withdrawn CN112929340A (en) 2020-07-14 2020-07-14 Network flow abnormity detection method and system applied to industrial Internet

Country Status (1)

Country Link
CN (3) CN111901316B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113452696B (en) * 2021-06-25 2022-09-06 中标慧安信息技术股份有限公司 Method and system for monitoring abnormal operation state of platform of Internet of things
CN114338120B (en) * 2021-12-23 2023-11-21 绿盟科技集团股份有限公司 Method, device, medium and electronic equipment for detecting sweep attack
CN117319322B (en) * 2023-12-01 2024-02-27 成都睿众博芯微电子技术有限公司 Bandwidth allocation methods, devices, equipment and storage media

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101795215A (en) * 2010-01-28 2010-08-04 哈尔滨工程大学 Network traffic anomaly detection method and detection device
CN104579823A (en) * 2014-12-12 2015-04-29 国家电网公司 Large-data-flow-based network traffic abnormality detection system and method
CN106209856A (en) * 2016-07-14 2016-12-07 何钟柱 Big data security postures based on trust computing ground drawing generating method
US20180288084A1 (en) * 2016-12-15 2018-10-04 Shenyang Institute Of Automation, Chinese Academy Of Sciences Method and device for automatically establishing intrusion detection model based on industrial control network
CN109951491A (en) * 2019-03-28 2019-06-28 腾讯科技(深圳)有限公司 Network attack detecting method, device, equipment and storage medium
CN111143169A (en) * 2019-12-30 2020-05-12 杭州迪普科技股份有限公司 Abnormal parameter detection method and device, electronic equipment and storage medium
CN111343206A (en) * 2020-05-19 2020-06-26 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Ge Liang (葛良): "A method for service traffic monitoring based on curve similarity", ZTE Technology Journal (《中兴通讯技术》) *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12284197B1 (en) 2017-11-27 2025-04-22 Fortinet, Inc. Reducing amounts of data ingested into a data warehouse
US12348545B1 (en) 2017-11-27 2025-07-01 Fortinet, Inc. Customizable generative artificial intelligence (‘AI’) assistant
US12355793B1 (en) 2017-11-27 2025-07-08 Fortinet, Inc. Guided interactions with a natural language interface
US12452272B1 (en) * 2017-11-27 2025-10-21 Fortinet, Inc. Reducing resource consumption spikes in an anomaly detection framework
US12470577B1 (en) 2017-11-27 2025-11-11 Fortinet, Inc. Kernel-based monitoring of container activity in a compute environment
US12470578B1 (en) 2017-11-27 2025-11-11 Fortinet, Inc. Containerized agent for monitoring container activity in a compute environment
US12495052B1 (en) 2017-11-27 2025-12-09 Fortinet, Inc. Detecting package execution for threat assessments
CN113706866A (en) * 2021-08-27 2021-11-26 中国电信股份有限公司 Road jam monitoring method and device, electronic equipment and storage medium
CN113706866B (en) * 2021-08-27 2023-08-08 中国电信股份有限公司 Road jam monitoring method and device, electronic equipment and storage medium
CN114389974A (en) * 2022-03-23 2022-04-22 中国人民解放军国防科技大学 Method, device and medium for searching abnormal flow node in distributed training system
CN114844703A (en) * 2022-05-05 2022-08-02 江苏文友软件有限公司 Intelligent control system and method based on big data
CN118827207A (en) * 2024-07-23 2024-10-22 中国移动通信集团浙江有限公司 Attack handling methods, devices, electronic equipment, media and products

Also Published As

Publication number Publication date
CN112929340A (en) 2021-06-08
CN112788047A (en) 2021-05-11
CN111901316B (en) 2021-06-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20210506
Address after: 8 / F, block a, Tianhong science and technology building, Changzhou science and Education City, No. 801, middle Changwu Road, Wujin District, Changzhou City, Jiangsu Province 213100
Applicant after: CHANGZHOU TIANZHENG INDUSTRIAL DEVELOPMENT CO.,LTD.
Applicant after: Changzhou Tianzheng Information Technology Co.,Ltd.
Address before: 655000 Xicheng Industrial Park, Qujing Economic and Technological Development Zone, Yunnan Province
Applicant before: Yuan Yuan
GR01 Patent grant
CP03 Change of name, title or address
Address after: 8 / F, block a, Tianhong science and technology building, Changzhou science and Education City, No. 801, middle Changwu Road, Wujin District, Changzhou City, Jiangsu Province 213100
Patentee after: CHANGZHOU TIANZHENG INDUSTRIAL DEVELOPMENT CO.,LTD.
Country or region after: China
Patentee after: Changzhou Longyu Tianzheng New Energy Industry Co.,Ltd.
Address before: 8 / F, block a, Tianhong science and technology building, Changzhou science and Education City, No. 801, middle Changwu Road, Wujin District, Changzhou City, Jiangsu Province 213100
Patentee before: CHANGZHOU TIANZHENG INDUSTRIAL DEVELOPMENT CO.,LTD.
Country or region before: China
Patentee before: Changzhou Tianzheng Information Technology Co.,Ltd.