TWI913616B - Detection method and detection device for abnormal network traffic - Google Patents
Publication number: TWI913616B
Application number: TW112146511A
Authority: TW (Taiwan)
Prior art keywords: connection, decision condition, network traffic, time range, abnormal network
Description
The present invention relates to a technique for detecting abnormal network traffic, and more particularly to a method and a device for detecting abnormal network traffic.
Traditionally, abnormal network traffic detection techniques have mainly attempted to detect and defend against malicious network attacks by detecting large volumes of network traffic occurring within a short period. Generally, a traffic limit can be set using a rule of thumb. Once the network traffic of an electronic device within a specific time range is found to exceed this limit, abnormal network traffic is considered to have occurred. However, for a large security control platform that simultaneously manages hundreds or even thousands of server hosts, each server host has a different working pattern and service type, so the applicable traffic limit also differs for each server host. Therefore, a new method is needed to establish a customized abnormal network traffic detection mechanism for each server host.
The present invention provides a method and a device for detecting abnormal network traffic, which can establish customized decision conditions for an electronic device and thereby improve the efficiency of detecting abnormal network traffic of the electronic device.
An embodiment of the present invention provides a method for detecting abnormal network traffic, comprising: determining a first time range according to the system time of an electronic device; filtering first connection data from connection log data of the electronic device according to the first time range; analyzing the first connection data to obtain connection count information and connection target information related to a first Internet Protocol address within the first time range; establishing a first decision condition according to the connection count information; establishing a second decision condition according to the connection target information; filtering second connection data from the connection log data according to a second time range, wherein the first time range is different from the second time range; and analyzing the second connection data according to the first decision condition and the second decision condition to detect abnormal network traffic of the electronic device.
An embodiment of the present invention further provides a device for detecting abnormal network traffic, comprising a storage circuit and a processor. The storage circuit is configured to store connection log data of an electronic device. The processor is coupled to the storage circuit. The processor is configured to: determine a first time range according to the system time of the electronic device; filter first connection data from the connection log data according to the first time range; analyze the first connection data to obtain connection count information and connection target information related to a first Internet Protocol address within the first time range; establish a first decision condition according to the connection count information; establish a second decision condition according to the connection target information; filter second connection data from the connection log data according to a second time range, wherein the first time range is different from the second time range; and analyze the second connection data according to the first decision condition and the second decision condition to detect abnormal network traffic of the electronic device.
Based on the above, after the first time range is determined according to the system time of the electronic device, the first connection data can be filtered from the connection log data of the electronic device according to the first time range. By analyzing the first connection data, the connection count information and the connection target information related to the first Internet Protocol address within the first time range can be obtained. In turn, multiple customized decision conditions can be established separately from the connection count information and the connection target information. These decision conditions can then be used to detect abnormal network traffic of the electronic device within a second time range. Thereby, by establishing customized decision conditions for the electronic device, the efficiency of detecting abnormal network traffic of the electronic device can be improved.
Figure 1 is a schematic diagram of a detection device according to an embodiment of the present invention.
Referring to Figure 1, the detection device 11 can be used to detect abnormal network traffic of the electronic device 12. In one embodiment, the detection device 11 is separate from the electronic device 12. For example, the detection device 11 can be implemented in a smartphone, a laptop computer, a desktop computer, a server host or another type of computer device. The electronic device 12 can likewise be a smartphone, a laptop computer, a desktop computer, a server host or another type of computer device. The present invention does not limit the types of the detection device 11 and the electronic device 12. In one embodiment, the detection device 11 can also be provided inside the electronic device 12 in the form of software or hardware.
In one embodiment, the electronic device 12 can connect to at least one of the servers 13(1) to 13(n) via the Internet 10. For example, the electronic device 12 can send network packets to the server 13(i) and/or receive network packets from the server 13(i) according to the domain name or the Internet Protocol (IP) address of the server 13(i).
In one embodiment, the detection device 11 comprises a network interface 111, a storage circuit 112 and a processor 113. The network interface 111 can be used to connect to the electronic device 12. For example, the network interface 111 can include a network interface card or another type of communication interface circuit.
The storage circuit 112 is configured to store data. For example, the storage circuit 112 can include a volatile storage circuit and a non-volatile storage circuit. The volatile storage circuit stores data volatilely; for example, it can include random access memory (RAM) or a similar volatile storage medium. The non-volatile storage circuit stores data non-volatilely; for example, it can include read-only memory (ROM), a solid state disk (SSD), a hard disk drive (HDD) or a similar non-volatile storage medium.
The processor 113 is coupled to the network interface 111 and the storage circuit 112. The processor 113 is responsible for all or part of the operation of the detection device 11. For example, the processor 113 can include a central processing unit (CPU), another programmable general-purpose or special-purpose microprocessor, a digital signal processor (DSP), a programmable controller, an application specific integrated circuit (ASIC), a programmable logic device (PLD), another similar device, or a combination of these devices.
In one embodiment, the processor 113 can obtain the connection log data 101 of the electronic device 12 via the network interface 111 and store the connection log data 101 in the storage circuit 112. For example, the connection log data 101 can record network connection data of one or more connections, such as the source Internet Protocol address, the destination Internet Protocol address, the source port, the destination port, the transport protocol used and the connection time. In particular, the connection log data 101 can record network connection data related to the Internet Protocol address of the electronic device 12 (also referred to as the first Internet Protocol address).
In one embodiment, the processor 113 can use a packet capture tool (for example, Zeek) to monitor the network connection behavior of the electronic device 12 and record information about the monitored behavior in the connection log data 101. In one embodiment, the processor 113 can also obtain the connection log data 101 directly from the memory or other storage space of the electronic device 12.
In one embodiment, the processor 113 can determine a time range (also referred to as a first time range) according to the system time of the electronic device 12. For example, the system time of the electronic device 12 can reflect a specific point in time (for example, February 1, 2022). In the following embodiments, for ease of explanation, one day (i.e., 24 hours) is used as one time unit, and the first time range comprises a plurality of time units (also referred to as first time units). However, in one embodiment, a time unit can also be longer (for example, several days) or shorter (for example, 6 hours or 12 hours); the present invention imposes no limitation on this.
In one embodiment, the processor 113 can set the first time range according to the N time units preceding the system time of the electronic device 12. For example, assuming that the point in time reflected by the system time of the electronic device 12 (also referred to as the target time) is February 1, 2022 and N is 30, the processor 113 can set the 30-day time range counted back from February 1, 2022 (i.e., January 1, 2022 to January 30, 2022) as the first time range. The value of N can be adjusted according to practical needs; the present invention imposes no limitation on this.
In one embodiment, the processor 113 can filter the data that satisfy the first time range (also referred to as first connection data) from the connection log data 101. For example, the first connection data can reflect the network connection behavior of the electronic device 12 within the first time range.
In one embodiment, the processor 113 can analyze the first connection data to obtain connection count information and connection target information related to the Internet Protocol address of the electronic device 12 (i.e., the first Internet Protocol address) within the first time range. The connection count information can reflect the number of connections of the first Internet Protocol address in each of the plurality of first time units. The connection target information can reflect the total number of (different) Internet Protocol addresses (also referred to as second Internet Protocol addresses) to which the first Internet Protocol address connected in each of the plurality of first time units.
Figure 2 is a schematic diagram of connection count information according to an embodiment of the present invention. Figure 3 is a schematic diagram of connection target information according to an embodiment of the present invention.
Referring to Figure 2, assume that the first time range R(1) is January 1, 2022 to January 30, 2022. By analyzing the first connection data, the obtained connection count information can reflect the number of connections of the first Internet Protocol address on each day from January 1, 2022 to January 30, 2022. For example, in Figure 2, the length of each arrow represents the (total) number of connections of the first Internet Protocol address on a specific date. Viewed another way, the connection count information can reflect the number of outbound connections of the electronic device 12 on each day within the first time range R(1).
Referring to Figure 3, by analyzing the first connection data, the obtained connection target information can reflect the total number of distinct Internet Protocol addresses (i.e., second Internet Protocol addresses) to which the first Internet Protocol address connected on each day from January 1, 2022 to January 30, 2022. For example, in Figure 3, the length of each arrow represents the number of different external IP addresses to which the first Internet Protocol address connected on a specific date. Viewed another way, the connection target information can reflect the number of different external IP addresses to which the electronic device 12 connected on each day within the first time range R(1).
In one embodiment, the processor 113 can establish a decision condition (also referred to as a first decision condition) according to the connection count information. The first decision condition can be used to detect abnormal network traffic of the electronic device 12.
In one embodiment, the first decision condition comprises one or more threshold values (also referred to as first thresholds). The processor 113 can perform a logical operation (also referred to as a first logical operation) on the connection count information to determine the first threshold. For example, the first logical operation can include taking the average of and/or calculating the standard deviation of the connection count information. Taking Figure 2 as an example, the first threshold can reflect the average daily number of connections of the first Internet Protocol address over the 30 days from January 1, 2022 to January 30, 2022, a multiple of this average (for example, 1.5, 2 or 3 times), the standard deviation of the daily number of connections, and/or a multiple of this standard deviation (for example, 1.5, 2 or 3 times). The first threshold can then be used to detect abnormal network traffic of the electronic device 12.
In one embodiment, the processor 113 can establish another decision condition (also referred to as a second decision condition) according to the connection target information. The second decision condition can likewise be used to detect abnormal network traffic of the electronic device 12.
In one embodiment, the second decision condition comprises one or more threshold values (also referred to as second thresholds). The processor 113 can perform a logical operation (also referred to as a second logical operation) on the connection target information to determine the second threshold. For example, the second logical operation can include taking the average of and/or calculating the standard deviation of the connection target information. Taking Figure 3 as an example, the second threshold can reflect the average daily number of external IP addresses (i.e., second Internet Protocol addresses) to which the first Internet Protocol address connected over the 30 days from January 1, 2022 to January 30, 2022, a multiple of this average (for example, 1.5, 2 or 3 times), the standard deviation of the daily number of external IP addresses, and/or a multiple of this standard deviation (for example, 1.5, 2 or 3 times). The second threshold can then be used to detect abnormal network traffic of the electronic device 12.
In one embodiment, the processor 113 can filter the connection data that satisfy another time range (also referred to as a second time range) from the connection log data 101 (also referred to as second connection data). In particular, the first time range is different from the second time range. Taking Figures 2 and 3 as an example, assuming that the first time range R(1) is January 1, 2022 to January 30, 2022, the second time range R(2) can be February 1, 2022. The system time corresponding to the second time range R(2) (for example, February 1, 2022) is later than the system time corresponding to the first time range R(1) (for example, January 1, 2022 to January 30, 2022). The second connection data can reflect the network connection behavior of the electronic device 12 within the second time range.
In one embodiment, the processor 113 can analyze the second connection data according to the first decision condition and the second decision condition to detect abnormal network traffic of the electronic device 12. For example, the processor 113 can analyze the second connection data to obtain a first evaluation value and a second evaluation value. The first evaluation value can reflect the (total) number of connections of the first Internet Protocol address in a second time unit. The second evaluation value can reflect the total number of (different or non-repeating) Internet Protocol addresses (also referred to as third Internet Protocol addresses) to which the first Internet Protocol address connected in the second time unit. The processor 113 can then detect abnormal network traffic of the electronic device 12 according to the first evaluation value, the second evaluation value, the first decision condition and the second decision condition.
Taking Figures 2 and 3 as an example, assume that the second time range R(2) is February 1, 2022. The first evaluation value can reflect the total number of connections of the first Internet Protocol address on February 1, 2022 (i.e., within one time unit). The second evaluation value can reflect the number of different external IP addresses to which the first Internet Protocol address connected on February 1, 2022 (i.e., within one time unit).
In one embodiment, the processor 113 can compare the first evaluation value with the first decision condition and the second evaluation value with the second decision condition, and then detect abnormal network traffic of the electronic device 12 according to the comparison results. For example, in response to the first evaluation value being greater than the set first threshold and/or the second evaluation value being greater than the set second threshold, the processor 113 can determine that abnormal network traffic related to the electronic device 12 was detected within the second time range. Conversely, if the first evaluation value is not greater than the set first threshold and/or the second evaluation value is not greater than the set second threshold, the processor 113 can determine that no abnormal network traffic related to the electronic device 12 was detected within the second time range.
Taking Figures 2 and 3 as an example, assume that the first thresholds comprise four times the standard deviation and two times the average of the daily number of connections of the first Internet Protocol address over the 30 days from January 1, 2022 to January 30, 2022, and that the second thresholds comprise four times the standard deviation and two times the average of the daily number of external IP addresses to which the first Internet Protocol address connected over the same 30 days. If the first evaluation value is greater than four times the standard deviation of the daily number of connections, the first evaluation value is greater than two times the average daily number of connections, the second evaluation value is greater than four times the standard deviation of the daily number of external IP addresses, and/or the second evaluation value is greater than two times the average daily number of external IP addresses, the electronic device 12 exhibited connection behavior beyond the reasonable range on February 1, 2022, so the processor 113 can determine that abnormal network traffic of the electronic device 12 was detected on February 1, 2022. Otherwise, the processor 113 can determine that no abnormal network traffic of the electronic device 12 was detected on February 1, 2022.
In one embodiment, the storage circuit 112 can further store a prediction model 102. The prediction model 102 can include a trained artificial intelligence model, machine learning model and/or deep learning model. After obtaining the first threshold and the second threshold, the processor 113 can update the corresponding decision parameters in the prediction model 102 according to the first threshold and the second threshold. The processor 113 can then input the first evaluation value and the second evaluation value into the prediction model 102. After the prediction model 102 makes its judgment, the processor 113 can determine, according to the output of the prediction model 102, whether abnormal network traffic of the electronic device 12 is detected. As for the training of the prediction model 102, the processor 113 can train the prediction model 102 with a large amount of training data and verify the prediction results of the prediction model 102 with corresponding validation data, so as to improve the prediction accuracy of the prediction model 102.
In one embodiment, after detecting abnormal network traffic of the electronic device 12, the processor 113 can generate a corresponding detection report. For example, the detection report can carry information related to the Internet Protocol address of the electronic device 12 (i.e., the first Internet Protocol address) and the time at which the abnormal network traffic was detected (for example, the second time range). Based on the detection report, administrators can promptly learn that abnormal network traffic has occurred on the electronic device 12 and take the appropriate action.
In one embodiment, the times (for example, dates) covered by the first time range and the second time range both shift as time passes. This shift causes the subsequently calculated first decision condition (for example, the first threshold) and second decision condition (for example, the second threshold) to change, so that they match the latest network connection behavior or habits of the electronic device 12. Furthermore, the determination or setting of the parameters used in the foregoing embodiments, such as the first time range, the second time range, the first threshold, the second threshold, the first evaluation value and the second evaluation value, can be adjusted according to practical needs; the present invention imposes no limitation on this.
Figure 4 is a flowchart of a method for detecting abnormal network traffic according to an embodiment of the present invention.
Referring to Figure 4, in step S401, a first time range is determined according to the system time of an electronic device. In step S402, first connection data are filtered from the connection log data of the electronic device according to the first time range. In step S403, the first connection data are analyzed to obtain connection count information and connection target information related to a first Internet Protocol address within the first time range. In step S404, a first decision condition is established according to the connection count information. In step S405, a second decision condition is established according to the connection target information. In step S406, second connection data are filtered from the connection log data according to a second time range, wherein the first time range is different from the second time range. In step S407, the second connection data are analyzed according to the first decision condition and the second decision condition to detect abnormal network traffic of the electronic device.
In summary, compared with the conventional use of fixed decision conditions, embodiments of the present invention dynamically adjust the first decision condition and the second decision condition and can thereby effectively improve the accuracy of detecting abnormal network traffic of an electronic device.
Although the present application has been disclosed above by way of embodiments, they are not intended to limit the present application. Any person of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the present application; therefore, the scope of protection of the present application shall be defined by the appended claims.
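The procedure of steps S401 to S407, combined with the thresholds of the worked example above (two times the average and four times the standard deviation), as an added example in Python. This is illustrative code written for this page, not the patent's own implementation. It assumes connection records in a Zeek conn.log-like tuple shape (timestamp, source IP, destination IP, destination port, protocol), uses constructed records for a monitored host at 10.0.0.5 (the "first Internet Protocol address"), and takes the first time range as the N days immediately preceding the target day. Two choices are assumptions of this example rather than statements of the description: the standard-deviation threshold is applied as average plus four standard deviations (a bare multiple of a small standard deviation would be exceeded by almost every ordinary day), and a decision condition counts as met only when both of its thresholds are exceeded, while traffic is flagged when either condition is met, one of the combinations the description's "and/or" permits.

```python
"""Baseline-and-threshold detector for one host's daily connection behaviour.

Illustrative example modelled on steps S401..S407 of the description; it is not
the patent's own code and runs on constructed records only.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

MONITORED_IP = "10.0.0.5"  # constructed "first Internet Protocol address"


def build_sample_logs():
    """Constructed records shaped like Zeek conn.log rows:
    (timestamp, src_ip, dst_ip, dst_port, proto).
    31 quiet days (1-31 Jan 2022) followed by one burst day (1 Feb 2022)."""
    records = []
    for day in range(31):
        d = date(2022, 1, 1) + timedelta(days=day)
        for i in range(20 + day % 5):  # 20..24 connections per quiet day
            ts = datetime(d.year, d.month, d.day, i % 24)
            # 6 distinct destinations per day (TEST-NET-3 documentation range)
            records.append((ts, MONITORED_IP, f"203.0.113.{1 + i % 6}", 443, "tcp"))
    for i in range(200):  # burst: 200 connections to 40 distinct destinations
        ts = datetime(2022, 2, 1, i % 24, i % 60)
        records.append((ts, MONITORED_IP, f"198.51.100.{1 + i % 40}", 443, "tcp"))
    return records


def first_time_range(system_time, n_days=30):
    """S401: the N time units (days) immediately preceding the system time."""
    return system_time - timedelta(days=n_days), system_time - timedelta(days=1)


def filter_range(records, start, end):
    """S402/S406: keep records whose date falls within [start, end]."""
    return [r for r in records if start <= r[0].date() <= end]


def daily_stats(records, src_ip):
    """S403: per-day connection count and distinct-destination count for
    src_ip, returned as two lists ordered by date."""
    counts, targets = defaultdict(int), defaultdict(set)
    for ts, src, dst, _port, _proto in records:
        if src == src_ip:
            counts[ts.date()] += 1
            targets[ts.date()].add(dst)
    days = sorted(counts)
    return [counts[d] for d in days], [len(targets[d]) for d in days]


def build_condition(series, mean_mult=2.0, sd_mult=4.0):
    """S404/S405: a decision condition holding two thresholds derived from the
    baseline series. The sd threshold is taken as mean + k*sigma (assumption)."""
    if not series:
        raise ValueError("no baseline data in the first time range")
    mu, sigma = mean(series), pstdev(series)
    return {"mean_threshold": mean_mult * mu, "sd_threshold": mu + sd_mult * sigma}


def condition_met(value, cond):
    """A condition is met only when both of its thresholds are exceeded."""
    return value > cond["mean_threshold"] and value > cond["sd_threshold"]


def detect(records, system_time, src_ip=MONITORED_IP, n_days=30):
    """S401..S407 end to end; returns the detection report for system_time."""
    start, end = first_time_range(system_time, n_days)
    counts, targets = daily_stats(filter_range(records, start, end), src_ip)  # first connection data
    cond1, cond2 = build_condition(counts), build_condition(targets)
    c, t = daily_stats(filter_range(records, system_time, system_time), src_ip)  # second connection data
    eval1, eval2 = (c[0] if c else 0), (t[0] if t else 0)
    return {
        "ip": src_ip,
        "date": system_time.isoformat(),
        "connections": eval1,
        "distinct_targets": eval2,
        "first_condition": cond1,
        "second_condition": cond2,
        "anomalous": condition_met(eval1, cond1) or condition_met(eval2, cond2),
    }


if __name__ == "__main__":
    logs = build_sample_logs()
    print(detect(logs, date(2022, 1, 31)))  # quiet day, within baseline
    print(detect(logs, date(2022, 2, 1)))   # burst day, flagged
```

Running the script evaluates January 31 (20 connections to 6 hosts, inside a baseline averaging 22 connections to 6 hosts) and February 1 (200 connections to 40 hosts); only the second report carries `anomalous: True`. Because the baseline window slides with the system time, a burst that is not acted on becomes part of the next window's baseline and raises the thresholds, which is the adaptive behaviour the description relies on and also the reason a flagged day should be reviewed before it ages into the baseline.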
10: Internet; 11: detection device; 111: network interface; 112: storage circuit; 113: processor; 12: electronic device; 13(1)~13(n): servers; 101: connection log data; 102: prediction model; R(1): first time range; R(2): second time range; S401~S407: steps
Figure 1 is a schematic diagram of a detection device according to an embodiment of the present invention. Figure 2 is a schematic diagram of connection count information according to an embodiment of the present invention. Figure 3 is a schematic diagram of connection target information according to an embodiment of the present invention. Figure 4 is a flowchart of a method for detecting abnormal network traffic according to an embodiment of the present invention.
Claims (14)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW112146511A (TWI913616B) | 2023-11-30 | | Detection method and detection device for abnormal network traffic |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW202524889A TW202524889A (en) | 2025-06-16 |
| TWI913616B true TWI913616B (en) | 2026-02-01 |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110545292A (en) | 2019-09-29 | 2019-12-06 | 秒针信息技术有限公司 | Abnormal flow monitoring method and device |
| US20210126931A1 (en) | 2019-10-25 | 2021-04-29 | Cognizant Technology Solutions India Pvt. Ltd | System and a method for detecting anomalous patterns in a network |
| CN113765881A (en) | 2021-07-20 | 2021-12-07 | 奇安信科技集团股份有限公司 | Detection method, device, electronic device and storage medium for abnormal network security behavior |
| TWI779245B (en) | 2019-10-31 | 2022-10-01 | 安碁資訊股份有限公司 | Abnormal traffic detection method and abnormal traffic detection device |
| TW202249459A (en) | 2021-06-11 | 2022-12-16 | 安碁資訊股份有限公司 | Information leakage detection method and device using the same |
| CN116032526A (en) | 2022-11-07 | 2023-04-28 | 焦点科技股份有限公司 | An abnormal network traffic detection method based on machine learning model optimization |