
CN119583095A - Traffic data statistical analysis method and system based on large model - Google Patents

Publication number
CN119583095A
Authority
CN
China
Prior art keywords
resource
security
large model
network
clients
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411418271.9A
Other languages
Chinese (zh)
Other versions
CN119583095B (en)
Inventor
栾姝
赵海清
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lingnan Normal University
Original Assignee
Lingnan Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lingnan Normal University filed Critical Lingnan Normal University
Priority to CN202411418271.9A priority Critical patent/CN119583095B/en
Publication of CN119583095A publication Critical patent/CN119583095A/en
Application granted granted Critical
Publication of CN119583095B publication Critical patent/CN119583095B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention proposes a traffic data statistical analysis method, system and computer program product based on a large model, which belongs to the field of computer network security and data analysis technology. The method includes: obtaining the resource set currently requested by the client; identifying the resources to be counted and the clients to be checked; analyzing the traffic transmission characteristics, network text characteristics, and/or encryption characteristics of the resources to be counted within a preset time period; the large model outputs a security investigation result for the client to be checked; based on the security investigation result, security measures are executed for subsequent resource requests of the client to be checked. The system includes a cloud server. The solution of the present invention can use the existing large model based on network security to identify network fraud, malicious traffic and disguised attack data streams for the deceptive data of the client, thereby improving the value of the statistical results of the traffic data analysis and avoiding delays and blockages in cloud resource services.

Description

Flow data statistical analysis method and system based on large model
Technical Field
The invention belongs to the technical field of computer network security and data analysis, and particularly relates to a flow data statistical analysis method and system based on a large model, a computer readable storage medium, a computer program product and electronic equipment for realizing the method.
Background
With the continuous expansion of internet scale, network security issues are also facing greater pressures and challenges. The diversity of network environments is also increasing, and the appearance of new network environments such as cloud computing, internet of things and edge computing is a new challenge for increasingly severe network security situations.
As an important active network security strategy, network traffic anomaly detection technology has gradually been applied to network security protection. It identifies abnormal traffic instances by studying and analyzing traffic data in the network, discovers attack behavior in time, and provides a real-time decision basis for network administrators, thereby improving the overall security and stability of the network. For example, Chinese patent publication CN 117749426 A proposes an abnormal traffic detection method based on a graph neural network, which can generate a security alarm or provide decision support based on the detection result for abnormal network traffic, helping network security managers respond quickly to potential network security problems and formulate a response strategy.
However, as network traffic load grows ever denser, encrypted transmission has become one of the ways malicious traffic evades detection; for client requests sent over encrypted transport, traditional abnormal traffic monitoring methods have too small a sample size and low accuracy. In addition, abnormal traffic detection relies on a "high-rate traffic characteristic" indicator, whereas network data attacks show a new trend: low-rate attacks. These generate low-rate attack traffic that can hide inside the normal transmission control protocol and exploit the adaptive mechanisms of the network protocol to cause false congestion in the network, degrading the connection quality between client and server so that the server cannot provide normal service to users. Such attacks are more covert and harder to detect because the low-rate attack traffic is enough to occupy key resources of the target system but not enough to trigger traditional abnormal traffic detection mechanisms. In a cloud computing environment in particular, if the attacking ends are hidden among multiple client clusters, they can exploit the shared-resource nature of the cloud computing environment and occupy shared resources, causing obvious delay and blockage of the resource service.
Disclosure of Invention
To address the above technical problems, the technical solution of the invention uses an existing network security-based large model to identify network fraud, malicious traffic and disguised attack data streams in deceptive client data, thereby improving the value of the statistical results of traffic data analysis and avoiding delay and blockage of cloud resource services.
In a first aspect of the present invention, a traffic data statistical analysis method based on a large model is provided. The method is applied to a cloud server that communicates remotely with N clients $\{R_1, R_2, \ldots, R_N\}$, $N > 1$.
The method applied to the cloud server comprises the following steps S100-S500:
S100, acquiring the resource set $S_i$, $i = 1, 2, \ldots, N$, currently requested by client $R_i$, wherein the resource set $S_i$ comprises at least one request resource;
S200, when the resource sets currently requested by clients exceeding a preset proportion T all contain at least one common request resource, taking the common request resource as the resource to be counted, the preset proportion T being greater than or equal to 50%;
S300, analyzing the traffic transmission characteristics, network text characteristics and/or encryption characteristics of the resources to be counted within a preset time period;
S400, inputting the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics as data into a network security-based large model, wherein the large model outputs a security check result for each of the clients exceeding the preset proportion;
S500, based on the security check result, the cloud server executes security measures for the subsequent resource requests of each of the clients exceeding the preset proportion, wherein the security measures comprise rate limiting, service interruption or service maintenance.
The requested resources in step S100 include a combination of at least two of the following resources:
CPU resource, GPU resource, memory resource, storage resource, uploading channel resource and downloading channel resource.
The step S300 specifically includes:
For each resource to be counted, the following analysis process is performed:
S301, judging whether the client request for the resource to be counted is encrypted;
if yes, go to step S303; otherwise, go to step S302;
S302, acquiring the traffic transmission characteristics and network text characteristics of the resources to be counted within a preset time period;
S303, acquiring the traffic transmission characteristics and the encryption characteristics of the resources to be counted within a preset time period.
In a second aspect of the present invention, a traffic data statistical analysis method based on a large model is provided. The method is applied to N request clients $\{R_1, R_2, \ldots, R_N\}$ that communicate remotely with a cloud server, and includes the following steps:
SS100, client $R_i$ sends a client request to the cloud server, wherein the client request is used for scheduling request resources from the cloud server, and the request resources comprise at least two of CPU resources, GPU resources, memory resources, storage resources, uploading channel resources and downloading channel resources;
SS200, the cloud server counts the resource set $S_i$ currently requested by each client $R_i$;
SS300, when the resource sets currently requested by clients exceeding the predetermined proportion T all contain at least one common request resource, taking the common request resource as a resource to be counted, and taking the clients exceeding the predetermined proportion T as clients to be checked;
SS400, the cloud server analyzes the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics of the resources to be counted within a preset duration;
SS500, inputting the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics as data into a network security-based large model, wherein the large model outputs a security check result for each of the clients to be checked;
SS600, based on the security check result, the cloud server executes security measures for the subsequent resource requests of each of the clients to be checked, wherein the security measures comprise rate limiting, service interruption or service maintenance.
The encryption features in the step SS400 include encryption methods, encryption lengths, and/or expected decryption times;
In step SS500, the network security-based large model outputting a security check result for each of the clients to be checked specifically includes:
SS501, determining whether the data input of the large model includes the encryption feature;
if yes, the large model calls a deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder to execute the security check; otherwise, go to step SS502;
SS502, the large model calls a traffic threshold interception module, and the security check is executed based on the traffic transmission characteristics and the network text characteristics.
Some or all of the steps of the large model-based traffic data statistical analysis method of the first or second aspect can be implemented automatically by various forms of electronic equipment through computer program instructions, and the computer program instructions can be stored in different forms of storage media and loaded into electronic equipment for execution.
Thus, in a third aspect of the invention, there is also provided a computer readable storage medium storing computer instructions that, when run on an electronic device, cause the electronic device to perform a large model based traffic data statistical analysis method as described in the first or second aspect.
In a fourth aspect of the present invention, there is also provided an electronic device, the electronic device including a processor and a memory, the memory being configured to store instructions, the processor being configured to invoke the instructions in the memory, so that the electronic device performs the large model based traffic data statistical analysis method according to the first or second aspect.
In a fifth aspect of the present invention, there is also provided a computer program product comprising a computer program which, when executed, implements the large model based traffic data statistical analysis method of the first or second aspect.
Corresponding to the above method, and in order to execute it, a sixth aspect of the invention provides a traffic data statistical analysis system based on a large model. The system comprises a client request acquisition unit, a to-be-counted resource identification unit, a feature acquisition unit, a security check unit, a security measure execution unit and a cloud server, and the cloud server is connected with the network security-based large model;
The client request acquisition unit is used for acquiring the resource set $S_i$, $i = 1, 2, \ldots, N$, currently requested by client $R_i$, wherein the resource set $S_i$ contains at least one request resource;
The to-be-counted resource identification unit is used for counting the resource set $S_i$ currently requested by each client $R_i$, and when the resource sets currently requested by clients exceeding a preset proportion T all contain at least one common request resource, the common request resource is used as a resource to be counted;
The feature acquisition unit is used for acquiring the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics of the resource to be counted within the preset duration;
The security check unit is used for inputting the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics as data into a network security-based large model, and the large model outputs a security check result for each client to be checked;
The security measure execution unit is configured to have the cloud server execute, based on the security check result, a security measure for the subsequent resource requests of each of the clients to be checked, where the security measure includes rate limiting, service interruption or service maintenance.
The encryption features include encryption method, encryption length, and expected decryption time.
The network security-based large model comprises a deep learning module and a traffic threshold interception module, wherein the deep learning module integrates a convolutional neural network, a recurrent neural network and an encoder;
The network security-based large model outputting a security check result for each of the clients to be checked specifically includes:
If the data input of the large model comprises the encryption feature, the large model calls the deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder to execute the security check;
otherwise, the large model calls the traffic threshold interception module, and the security check is executed based on the traffic transmission characteristics and the network text characteristics.
The scheme of the invention can identify network fraud, malicious traffic and disguised attack data streams aiming at deceptive data of the client by utilizing the existing large model based on network security, thereby improving the value of the statistical result of traffic data analysis and avoiding delay and blockage of cloud resource service.
Further advantages of the invention will be further elaborated in the description section of the embodiments in connection with the drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of one embodiment of the present invention
FIG. 2 is a schematic flow chart of a flow data statistical analysis method based on a large model according to an embodiment of the invention
FIG. 3 is a main flow chart of a flow data statistical analysis method based on a large model according to still another embodiment of the present invention
FIG. 4 is a schematic diagram showing the functional block composition of a large model-based flow data statistical analysis system according to an embodiment of the present invention
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations identical to the present application. Rather, they are merely examples of apparatus and methods that are identical to some aspects of the present application as detailed in the appended claims.
In the present embodiment, the term "module" or "unit" refers to a computer program or a part of a computer program having a predetermined function and working together with other relevant parts to achieve a predetermined object, and may be implemented in whole or in part by using software, hardware (such as a processing circuit or a memory), or a combination thereof. Also, a processor (or multiple processors or memories) may be used to implement one or more modules or units. Furthermore, each module or unit may be part of an overall module or unit that incorporates the functionality of the module or unit.
Meanwhile, in the specific embodiment of the present application, if related data of a user is involved, when the embodiment of the present application is applied to a specific product or technology, user permission or consent needs to be obtained, and the collection, use and processing of related data need to comply with related laws and regulations and standards of related countries and regions.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Referring to fig. 1, fig. 1 shows a schematic diagram of a specific scenario in which an embodiment of the present invention is applied.
In fig. 1, a plurality of clients are shown, including mobile clients, desktop clients, and other types of user clients, including virtual machines, servers, physical hosts, etc., which are in remote communication with a cloud computing environment, and when a user makes a request, corresponding resource support is obtained from the cloud server to complete a corresponding task operation.
As an example, the current user's client needs to perform software development and code editing, and thus needs to integrate IDE application programs of development environments, the functions of which are generally divided into two major parts, engineering management and code editing, wherein engineering management includes functions of engineering creation, opening, closing, compiling, packaging, and the like, and code editing includes functions of text editing, automatic code filling, code highlighting, and the like. The IDE integrates multiple functions in the software development process, so that developers can develop the software more quickly and conveniently.
However, the conventional IDE development tool often needs to spend a lot of manpower and material resources in the construction process. With the continuous development of cloud technology, more and more cloud platform companies begin to migrate IDE tools to the cloud, and provide page (Web) versions of IDEs for users to use, so that users can directly develop software on Web pages without installing any application program. The Web IDE system mainly comprises a client and a background cloud server, a user sends out access to the cloud server through a Web page on the client, and the server dispatches corresponding request resources according to the request of the user and returns the corresponding cloud server and the page.
For convenience of description, the plurality of user clients are referred to as N request clients $\{R_1, R_2, \ldots, R_N\}$, which are in remote communication with the cloud server;
Taking a certain client $R_i$ as an example, client $R_i$ sends a client request to the cloud server, wherein the client request is used for scheduling request resources from the cloud server, and the request resources comprise a combination of at least two of a CPU resource, a GPU resource, a memory resource, a storage resource, an uploading channel resource and a downloading channel resource;
Taking the above IDE development product as an example, after receiving the initializing page access request of the target user sent by the client, the background IDE cloud server allocates a target container for the target user to process the code editing request of the target user through the container platform under normal conditions, so that each user can be allocated to an independent background server, thereby alleviating the problem of resource preemption, reducing the phenomenon of blocking, and improving the use security of the user.
However, in practical applications, because cloud resources are open (especially in public clouds), malicious network attacks, abnormal traffic attacks and disguised request data can also masquerade as resource requests from normal clients, which disrupts normal cloud resource service.
In the prior art, abnormal traffic instances can be identified by the network traffic anomaly detection technology mentioned in the background, so that attack behavior in the network is discovered in time.
However, with the advent of new network environments such as cloud computing, the Internet of Things and edge computing, network attacks, traffic attacks and disguised request data are no longer characterized by "peak traffic" but generally take the form of low-rate attacks. These generate low-rate attack traffic that can hide inside the normal transmission control protocol and, by exploiting the adaptive mechanisms of the network protocol, cause false congestion in the network and degrade the connection quality between clients and servers, so that the servers cannot provide normal service to users. Such attacks are more covert and harder to detect because their low-rate traffic is enough to occupy key resources of the target system but not enough to trigger traditional abnormal traffic detection mechanisms. In cloud computing environments in particular, if the attacking ends are hidden among multiple client clusters, they exploit the shared-resource nature of the cloud environment and, by occupying shared resources, affect multiple tenants or users, resulting in obvious delay and blockage of cloud resource services.
For this reason, the technical solution of fig. 1 introduces a large model based on network security as an aid, identifies resources to be counted and clients to be examined after traffic data statistics analysis for the above situations, and further adopts corresponding security measures, and identifies network fraud, malicious traffic and disguised attack data streams for deceptive data of the clients by using the existing large model based on network security, thereby improving the value of the statistics results of traffic data analysis and avoiding delay and blockage of cloud resource services.
Before describing the following specific embodiments of the present invention, the meaning of the large model based on network security in the embodiments of the present invention will be described first.
First, it should be made clear that the "large model based on network security" in the embodiments of the present invention is not itself what the technical solution improves. As the subsequent embodiments show, the technical solution focuses on how to identify, in a targeted manner, the resources to be counted and the clients to be checked, and then perform the corresponding check using an existing network security-based large model.
In the art (computer network security), there are many existing (open source or commercial) network security large models. Table 1 lists the names of some network security-based large models and their principles:
TABLE 1
Preferably, the large network security-based model in the application comprises a deep learning module and a flow threshold interception module.
In addition, the large model can learn common code structures and modes such as grammar rules, naming convention, function call and the like of codes by pre-training in a large-scale code library. The malicious software and the vulnerability exploitation which are frequently used in the APT attack mostly depend on code writing, so that a large model can be utilized to identify common code structures, design modes, vulnerability modes and the like and correlate with the existing knowledge, and the meaning of the malicious software and the vulnerability exploitation can be quickly understood and possible safety problems can be found when similar code structures are encountered;
In addition, the deep learning module may integrate a stacked integrated countermeasure defense method of the encrypted malicious traffic detection model.
The traffic threshold interception module detects data attacks through traffic anomalies based on the prior art (such as the network traffic anomaly detection technology mentioned in the background). It identifies, in the time domain and the frequency domain, the anomalies of low-rate attack traffic that a low-rate attack generates and hides in the normal transmission control protocol, and performs classification and detection with an improved Stacking algorithm, so that data attacks can be learned accurately and low-rate attack traffic can be detected.
The above description of the network security-based large model draws on the prior art and is not expanded further in this embodiment; the following prior art may be consulted:
[1] Chen Ruilong, Hu Tao, Bo Youjun, et al. Stacking integration challenge defense method towards encrypted malicious traffic detection model [J/OL]. Computer application, 1-12.
[2] A statistical mechanism based on behavioral analysis for DDoS attack countermeasure. IEEE Transactions on Information Forensics and Security, 2022, 17: 2732.
[3] Sequence alignment detection of TCP-targeted synchronous low-rate DoS attacks. Computer Networks, 2019, 152: 64.
[4] A low-rate denial-of-service attack detection method based on TCP time-frequency domain features [J]. Journal of Sichuan University (Natural Science Edition), 2024, 61(03): 178-187.
Although the above prior art proposes various network security-based large models, they are applied to environments with a single client or a small number of clients. In a cloud computing environment, however, the number of accessing clients is typically in the hundreds or even tens of thousands, and higher still during peak concurrency periods. If these large models were used to run abnormal traffic detection indiscriminately on all accessing clients, normal cloud service would be affected.
For this purpose, reference is first made to the embodiment of fig. 2. Fig. 2 is a schematic flow chart of a traffic data statistical analysis method based on a large model according to an embodiment of the present invention. The method is applied to a cloud server that communicates remotely with N clients $\{R_1, R_2, \ldots, R_N\}$, $N > 1$;
The method comprises the following steps:
S100, acquiring the resource set $S_i$, $i = 1, 2, \ldots, N$, currently requested by client $R_i$, wherein the resource set $S_i$ comprises at least one request resource;
S200, when the resource sets currently requested by clients exceeding a preset proportion T all contain at least one common request resource, taking the common request resource as a resource to be counted;
S300, analyzing the traffic transmission characteristics, network text characteristics and/or encryption characteristics of the resources to be counted within a preset time period;
S400, inputting the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics as data into a network security-based large model, wherein the large model outputs a security check result for each of the clients exceeding the preset proportion;
S500, based on the security check result, the cloud server executes security measures for the subsequent resource requests of each of the clients exceeding the preset proportion, wherein the security measures comprise rate limiting, service interruption or service maintenance.
The requested resources in step S100 include a combination of at least two of the following resources:
CPU resource, GPU resource, memory resource, storage resource, uploading channel resource and downloading channel resource.
Further, in the aforementioned IDE example, the requested resource further comprises a target container allocation request.
The client sends a container allocation request to a container platform of the cloud server, wherein the container allocation request is used for requesting the container platform to allocate a target container for a target user of the client.
Preferably, the predetermined ratio T is not less than 50%.
In step S200, when the resource sets currently requested by more than half of the clients all contain at least one common request resource, the common request resource is used as a resource to be counted;
for example, when N=500, if the request resources of more than 250 clients all include GPU resources and uploading channel resources, then {GPU resources, uploading channel resources} are used as the resources to be counted;
the step S300 specifically includes:
For each resource to be counted, the following analysis process is performed:
S301, judging whether the client request for the resource to be counted is encrypted;
if yes, go to step S303, otherwise, go to step S302;
S302, acquiring flow transmission characteristics and network text characteristics of the resources to be counted in a preset time period;
S303, acquiring the flow transmission characteristics and the encryption characteristics of the resources to be counted in a preset time period;
In this step, if the client request for the resource to be counted is not encrypted, there is no need to call the stacking integration countermeasure method of the encrypted malicious traffic detection model integrated in the deep learning module, and the next security check can be performed directly on the existing traffic transmission characteristics and network text characteristics.
Specifically, the traffic transmission characteristic is characterized as an abnormal characteristic of low-rate attack traffic in a time domain and a frequency domain within a preset time period, and the network text characteristic is a characteristic used by a content-based abnormal detection method and comprises a code structure, a design mode, a vulnerability mode and the like.
In another aspect, if the client request for the resource to be counted is encrypted, a stacked integration countermeasure method of an encrypted malicious traffic detection model integrated in the deep learning module needs to be invoked, where the encryption characteristics include an encryption method, an encryption length, and/or an expected decryption time. The encryption method refers to an encryption method used by the resource request message, such as HASH encryption, character encryption, etc., the encryption length refers to the number of encryption bits used by the encryption method, such as 64-bit encryption, 256-bit encryption, etc., and the expected decryption time refers to the time required to decrypt the message without a key. In practical applications, the encryption features generally used include an encryption method and an encryption length. The embodiment of the application also takes the encryption method and the encryption length as early sample characteristics of model training.
At this time, the flow transmission characteristics and the encryption characteristics of the resources to be counted in the preset time period are obtained.
The large network security-based model outputs a security check result for each of the clients to be checked, and specifically includes:
SS501, determining whether the data input of the large model includes the encryption feature;
if yes, the large model calls the deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder to execute the security check; otherwise, go to step SS502;
For the deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder, see the aforementioned prior art document [1].
SS502, the large model calls the traffic threshold interception module, which executes the security check based on the traffic transmission characteristics and the network text characteristics.
For the specific implementation of the traffic threshold interception module, see the aforementioned documents [2] to [4].
The traffic transmission feature, web text feature, and/or encryption feature are then entered as data of a web-security-based large model that outputs security check results for each of the above-predetermined-proportion clients, based on which the cloud server performs security measures including throttling, interrupting service, or maintaining service for subsequent resource requests of each of the above-predetermined-proportion clients.
It can be seen that the above process does not need to check all N clients {R1, R2, …, RN} (in practice the resources requested by the N clients differ). Instead, once the resource sets currently requested by clients exceeding the predetermined proportion T all include at least one common request resource, that common request resource is used as the resource to be counted, so that disguised low-rate attack data streams are identified to the greatest extent, which improves the value of the statistical result of the traffic data analysis and avoids delay and blockage of the cloud resource service.
Of course, the setting of the predetermined ratio T also determines that the number of clients examined in the above-described process is limited.
To further reduce the number of checks while ensuring complete accuracy, the method of FIG. 2 is further modified as follows:
After the step S300, before the step S400, the method further includes:
S310, when the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics of a certain client within a preset time period are identified to be abnormal, the client is taken as a client to be checked;
at this time, the step S400 is correspondingly modified as follows:
S400, inputting the flow transmission characteristics, the network text characteristics and/or the encryption characteristics as data of a large network security-based model, wherein the large network security-based model outputs a security check result for each client to be checked;
The step S500 corresponds to modification as:
S500, based on the security check result, the cloud server executes security measures for the subsequent resource requests of each of the clients to be checked, wherein the security measures comprise rate limiting, interrupting service or maintaining service.
Fig. 3 is a schematic flow chart of a traffic data statistical analysis method based on a large model according to still another embodiment of the present invention. The method of Fig. 3 is applied to N requesting clients {R1, R2, …, RN}, which are in remote communication with a cloud server, and the method comprises the following steps:
SS100, a client Ri sends a client request to the cloud server, wherein the client request is used for scheduling request resources from the cloud server, and the request resources comprise at least two of CPU resources, GPU resources, memory resources, storage resources, uploading channel resources and downloading channel resources;
SS200, the cloud server counts the resource set Si currently requested by each client Ri;
SS300, when the resource sets currently requested by the clients exceeding the predetermined proportion T all contain at least one common request resource, taking the common request resource as a resource to be counted, and taking the clients exceeding the predetermined proportion T as clients to be checked;
SS400, the cloud server analyzes the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics of the resources to be counted within a preset duration;
SS500, using the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics as the data input of a large model based on network security, wherein the large model based on network security outputs a security check result for each of the clients to be checked;
SS600, based on the security check result, the cloud server executes security measures for the subsequent resource requests of each of the clients to be checked, wherein the security measures comprise rate limiting, interrupting service or maintaining service.
The encryption feature in the step SS400 includes an encryption method, an encryption length, and an expected decryption time;
The outputting, by the network security-based large model in step SS500, a security check result for each of the clients to be checked, specifically includes:
SS501, determining whether the data input of the large model includes the encryption feature;
if yes, the large model calls the deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder to execute the security check; otherwise, go to step SS502;
SS502, the large model calls the traffic threshold interception module, which executes the security check based on the traffic transmission characteristics and the network text characteristics.
Corresponding to the modified method of steps S300-500 of FIG. 2, steps SS300-SS600 of the embodiment of FIG. 3 are modified as follows:
SS300, when the resource sets currently requested by the clients exceeding the predetermined proportion T all contain at least one common request resource, taking the common request resource as the resource to be counted;
SS400, the cloud server analyzes the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics of the resources to be counted within a preset duration;
when the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics of a certain client within a preset time period are identified as abnormal, the client is taken as a client to be checked;
SS500, using the traffic transmission characteristics, the network text characteristics and/or the encryption characteristics as the data input of a large model based on network security, wherein the large model based on network security outputs a security check result for each of the clients to be checked;
SS600, based on the security check result, the cloud server executes security measures for the subsequent resource requests of each of the clients to be checked, wherein the security measures comprise rate limiting, interrupting service or maintaining service.
On the basis of the method embodiment, the system embodiment of fig. 4 is further described as follows, and fig. 4 is a schematic diagram of functional module composition of a flow data statistical analysis system based on a large model according to an embodiment of the present invention.
In fig. 4, the system includes a client request acquisition unit, a resource identification unit to be counted, a feature acquisition unit, a security check unit, a security measure execution unit, and a cloud server, wherein the cloud server is connected with a large model based on network security;
The client request acquisition unit is used for acquiring a resource set Si currently requested by the client Ri, i=1, 2, …, N, wherein the resource set Si contains at least one request resource;
The resource identification unit to be counted is used for counting a resource set S i currently requested by each client R i, and when the resource sets currently requested by the clients exceeding a preset proportion T all contain at least one common request resource, the common request resource is used as a resource to be counted;
the feature acquisition unit is used for acquiring the flow transmission feature, the network text feature and/or the encryption feature of the resource to be counted in the preset duration;
The security check unit is used for inputting the flow transmission characteristics, the network text characteristics and/or the encryption characteristics as data of a large network security-based model, and the large network security-based model outputs a security check result for each client to be checked;
The security measure execution unit is configured so that, based on the security check result, the cloud server executes a security measure for the subsequent resource requests of each of the clients to be checked, where the security measure includes rate limiting, interrupting service, or maintaining service.
The encryption features include encryption method, encryption length, and expected decryption time.
The large model based on network security comprises a deep learning module and a traffic threshold interception module, wherein the deep learning module integrates a convolutional neural network, a recurrent neural network and an encoder;
The large model based on network security outputs a security check result for each of the clients to be checked, which specifically includes:
If the data input of the large model comprises the encryption feature, the large model calls the deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder to execute the security check;
otherwise, the large model calls the traffic threshold interception module, which executes the security check based on the traffic transmission characteristics and the network text characteristics.
In one embodiment, the to-be-counted resource identification unit takes the client exceeding the preset proportion T as the client to be examined;
in another embodiment, the feature acquiring unit takes a client as the client to be checked when it acquires that the traffic transmission feature, the web text feature and/or the encryption feature of the client are abnormal within a preset time period.
Taking as an example the above-mentioned user terminal requesting the IDE service after the security check: if the security measure for a certain client to be checked is maintaining service, the IDE server, on receiving the user's initializing page access request, allocates a container for the user to process the user's page access request;
In order to further improve the rationality of resource allocation, in this embodiment, multiple users may share a background server to process the project management request, and each user processes the code editing request through the container allocated to the user, that is, the IDE server may be used as the background server for project management to process the project management request of the user, and the container allocated to the user is specifically used to process the code editing request of the user.
If the security measure for a certain client to be checked is interrupt service, after receiving the initialization page access request, the server feeds back that the user is abnormal, and the user is required to send a resource request again and carry more user login information (such as account number + password + host ID and the like) in the resource request for secondary identity verification;
If the security measure for a certain client to be checked is rate limiting, the server, after receiving the initialization page access request, feeds back that the user is rate limited;
in this case, if the user's resource request itself contains the resource application amount D, the resource application amount D is multiplied by the predetermined ratio T to obtain a resource allocation amount, and the container platform server temporarily creates a container according to the resource allocation amount to obtain a target container and sends the target container to the user client;
If the resource request of the user does not contain the resource application amount D, the container platform server temporarily creates a basic container as a target container to be sent to the user client when the idle container resource exists, wherein the resource amount of the basic container is equal to the default basic value of the system.
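The following Python example is added here and is not code from the patent; it walks steps S200 to S500, including the allocation rules just described, over a constructed batch of eight requests. The function and field names, the per-resource counting rule, the `defer` outcome when no idle resource exists, and the `verdicts` mapping that stands in for the large model's security check result are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    client: str                     # client identifier R_i
    resources: frozenset            # resource set S_i requested by R_i
    encrypted: bool                 # outcome of the S301 test for this request
    amount: Optional[float] = None  # resource application amount D, if stated


def resources_to_count(requests, t=0.5):
    """S200: resources requested by more than a fraction t of the N clients,
    mapped to the clients that request them (assumed counting rule)."""
    holders = {}
    for req in requests:
        for res in req.resources:
            holders.setdefault(res, set()).add(req.client)
    n = len(requests)
    return {res: cl for res, cl in holders.items() if len(cl) > t * n}


def feature_plan(req):
    """S301-S303 and SS501/SS502: feature families collected for a request
    and the module of the large model that performs the check."""
    if req.encrypted:
        return ("traffic", "encryption"), "deep_learning"
    return ("traffic", "web_text"), "threshold_interception"


def enforce(req, measure, t, idle, base_amount):
    """S500 for one checked client: returns (action, allocated amount)."""
    if measure == "maintain":
        # Assumption: an unrestricted client receives what it asked for.
        return "allocate", base_amount if req.amount is None else req.amount
    if measure == "interrupt":
        # The client must resend the request with extra login information.
        return "reauthenticate", 0.0
    if measure == "rate_limit":
        if req.amount is not None:
            return "allocate", req.amount * t      # D multiplied by T
        if idle >= base_amount:
            return "allocate", base_amount         # basic container
        # Assumption: the text does not cover the no-idle-resource case.
        return "defer", 0.0
    raise ValueError(f"unknown security measure: {measure!r}")


def run(requests, verdicts, t=0.5, idle_capacity=0.0, base_amount=1.0):
    """Apply S200-S500 to one batch; clients outside the common-resource
    group are not examined. Returns (counted resources, decisions)."""
    counted = resources_to_count(requests, t)
    to_check = set().union(*counted.values())
    idle, decisions = idle_capacity, {}
    for req in requests:
        if req.client not in to_check:
            continue
        _, module = feature_plan(req)
        measure = verdicts[req.client]
        action, amount = enforce(req, measure, t, idle, base_amount)
        if measure == "rate_limit" and req.amount is None:
            idle -= amount   # a basic container consumes idle capacity
        decisions[req.client] = (module, action, amount)
    return sorted(counted), decisions


# Constructed sample batch (N = 8); not data from the patent.
REQUESTS = [
    Request("R1", frozenset({"gpu", "upload"}), True, 8.0),
    Request("R2", frozenset({"gpu", "upload", "cpu"}), False, 4.0),
    Request("R3", frozenset({"gpu", "upload"}), True),
    Request("R4", frozenset({"gpu", "upload", "memory"}), False, 2.0),
    Request("R5", frozenset({"gpu", "upload"}), True),
    Request("R6", frozenset({"cpu", "storage"}), False, 1.0),
    Request("R7", frozenset({"storage", "download"}), False),
    Request("R8", frozenset({"cpu", "memory"}), False),
]
# Constructed stand-in for the large model's per-client check result.
VERDICTS = {"R1": "rate_limit", "R2": "maintain", "R3": "rate_limit",
            "R4": "interrupt", "R5": "rate_limit"}

if __name__ == "__main__":
    counted, decisions = run(REQUESTS, VERDICTS, idle_capacity=1.5)
    print(counted)
    for client, decision in decisions.items():
        print(client, decision)
```

With T = 0.5, only the five clients sharing GPU and upload resources are examined, and the second rate-limited client without a stated amount is deferred because the first one used up the idle capacity.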
The scheme of the invention can identify network fraud, malicious traffic and disguised attack data flow aiming at fraudulent data of the client by utilizing the existing large model based on network security, thereby improving the value of the statistical result of traffic data analysis, avoiding delay and blockage of cloud resource service, and particularly aiming at multi-user request in IDE environment, the scheme can also relieve the problem of resource preemption, reduce the phenomenon of blocking and improve the use security of legal users.
The invention provides a plurality of embodiments, each of which can form an independent technical scheme and possibly contribute to the prior art and solve corresponding technical problems. It should be noted that different embodiments may be combined with each other without violating logic, and that each embodiment may solve at least one technical problem, but that each individual embodiment is not required to solve multiple or all technical problems.
Other techniques, principles, algorithms or models of the application not specifically developed may be found in the prior art.
While the method embodiments and systems of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations may be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A traffic data statistical analysis method based on a large model, the method being applied to a cloud server, the cloud server remotely communicating with N clients {R1, R2, …, RN}, N>1;
characterized in that the method comprises the following steps:
S100: obtaining the resource set Si currently requested by the client Ri, i=1, 2, …, N, the resource set Si including at least one requested resource;
S200: when the resource sets currently requested by clients exceeding a predetermined proportion T all contain at least one commonly requested resource, using the commonly requested resource as a resource to be counted;
S300: analyzing the traffic transmission characteristics, network text characteristics, and/or encryption characteristics of the resource to be counted within a preset time period;
S400: using the traffic transmission characteristics, network text characteristics, and/or encryption characteristics as the data input of a large model based on network security, the large model based on network security outputting a security check result for each of the clients exceeding the predetermined proportion;
S500: based on the security check result, the cloud server executing security measures for subsequent resource requests from each of the clients exceeding the predetermined proportion, the security measures including rate limiting, interrupting service, or maintaining service.

2. The traffic data statistical analysis method based on a large model as claimed in claim 1, characterized in that:
the requested resource in step S100 includes a combination of at least two of the following resources:
CPU resources, GPU resources, memory resources, storage resources, upload channel resources, and download channel resources.

3. The traffic data statistical analysis method based on a large model as claimed in claim 1, characterized in that:
the predetermined proportion T≥50%.

4. The traffic data statistical analysis method based on a large model as claimed in claim 1, characterized in that:
the step S300 specifically includes:
for each resource to be counted, performing the following analysis process:
S301: determining whether the client request for the resource to be counted is encrypted;
if yes, proceeding to step S303; otherwise, proceeding to step S302;
S302: obtaining the traffic transmission characteristics and network text characteristics of the resource to be counted within a preset time period;
S303: obtaining the traffic transmission characteristics and encryption characteristics of the resource to be counted within a preset time period.

5. A traffic data statistical analysis method based on a large model, the method being applied to N requesting clients {R1, R2, …, RN}, the N requesting clients {R1, R2, …, RN} remotely communicating with a cloud server, characterized in that the method comprises the following steps:
SS100: the client Ri sends a client request to the cloud server, the client request being used to schedule request resources from the cloud server; the request resources include a combination of at least two of the following resources: CPU resources, GPU resources, memory resources, storage resources, upload channel resources, and download channel resources; i=1, 2, …, N;
SS200: the cloud server counts the resource set Si currently requested by each client Ri;
SS300: when the resource sets currently requested by clients exceeding a predetermined proportion T all contain at least one commonly requested resource, the commonly requested resource is used as a resource to be counted, and the clients exceeding the predetermined proportion T are used as clients to be checked;
SS400: the cloud server analyzes the traffic transmission characteristics, network text characteristics, and/or encryption characteristics of the resource to be counted within a preset time period;
SS500: the traffic transmission characteristics, network text characteristics, and/or encryption characteristics are used as the data input of a large model based on network security, and the large model based on network security outputs a security check result for each of the clients to be checked;
SS600: based on the security check result, the cloud server executes security measures for subsequent resource requests of each of the clients to be checked, the security measures including rate limiting, interrupting service, or maintaining service.

6. The traffic data statistical analysis method based on a large model as claimed in claim 5, characterized in that:
the encryption characteristics in step SS400 include encryption method, encryption length and/or estimated decryption time;
the large model based on network security in step SS500 outputting a security check result for each of the clients to be checked specifically includes:
SS501: determining whether the data input of the large model includes the encryption characteristics;
if yes, the large model calls a deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder to perform the security check; if no, proceeding to step SS502;
SS502: the large model calls the traffic threshold interception module to perform the security check based on the traffic transmission characteristics and network text characteristics.

7. A traffic data statistical analysis system based on a large model, the system comprising a cloud server, the cloud server being connected to a large model based on network security, characterized in that the system further comprises:
a client request acquisition unit, used to acquire the resource set Si currently requested by the client Ri, i=1, 2, …, N, the resource set Si including at least one requested resource, N>1;
a to-be-counted resource identification unit, used to count the resource set Si currently requested by each client Ri; when the resource sets currently requested by clients exceeding a predetermined proportion T all contain at least one commonly requested resource, the commonly requested resource is used as a resource to be counted, and the clients exceeding the predetermined proportion T are used as clients to be checked;
a feature acquisition unit, used to acquire the traffic transmission characteristics, network text characteristics, and/or encryption characteristics of the resource to be counted within a preset time period;
a security check unit, used to take the traffic transmission characteristics, network text characteristics, and/or encryption characteristics as the data input of a large model based on network security, the large model based on network security outputting a security check result for each of the clients to be checked;
a security measure execution unit, used so that, based on the security check result, the cloud server executes security measures for the subsequent resource requests of each of the clients to be checked, the security measures including rate limiting, interrupting service, or maintaining service.

8. The traffic data statistical analysis system based on a large model as claimed in claim 7, characterized in that the encryption characteristics include encryption method, encryption length and estimated decryption time.

9. The traffic data statistical analysis system based on a large model as claimed in claim 8, characterized in that the large model based on network security includes a deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder, and a traffic threshold interception module;
the large model based on network security outputting a security check result for each of the clients to be checked specifically includes:
if the data input of the large model includes the encryption characteristics, the large model calls the deep learning module integrating a convolutional neural network, a recurrent neural network and an encoder to perform the security check;
otherwise, the large model calls the traffic threshold interception module to perform the security check based on the traffic transmission characteristics and network text characteristics.

10. A computer program product, comprising a computer program, characterized in that when the computer program is executed by a processor, it is used to implement the traffic data statistical analysis method based on a large model as described in any one of claims 1-4 or 5-6 above.

CN202411418271.9A 2024-10-11 2024-10-11 Traffic data statistical analysis method and system based on large model Active CN119583095B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411418271.9A CN119583095B (en) 2024-10-11 2024-10-11 Traffic data statistical analysis method and system based on large model

Publications (2)

Publication Number Publication Date
CN119583095A true CN119583095A (en) 2025-03-07
CN119583095B CN119583095B (en) 2025-10-03

Family

ID=94805518

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411418271.9A Active CN119583095B (en) 2024-10-11 2024-10-11 Traffic data statistical analysis method and system based on large model

Country Status (1)

Country Link
CN (1) CN119583095B (en)


Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant