CN116346774A - Network flow data query system based on DNS (Domain name System) route - Google Patents
- Publication number: CN116346774A (CN202310124282.5A)
- Authority: CN (China)
- Prior art keywords: route, data, dns, analysis, abnormal
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The invention relates to a network traffic data query system based on DNS routing, and in particular to the technical field of Internet services. The system comprises: a traffic data acquisition module for acquiring the network traffic data returned by a first DNS route and a second DNS route when a preset condition is triggered; a traffic data analysis module, connected with the traffic data acquisition module, for analyzing abnormal network traffic data when the network traffic data returned in the DNS route triggers an abnormal condition; and a route control module, connected with the traffic data analysis module, for determining the processing mode of the DNS route according to the analysis result of the traffic data analysis module. The preset condition is that the first DNS route receives a website sent by a browser. The invention applies sampling analysis and data packet analysis to all DNS, and the analysis process has diversity, thereby ensuring the accuracy of DNS data analysis.
Description
Technical Field
The invention relates to the technical field of internet service, in particular to a network traffic data query system based on DNS routing.
Background
DNS is an Internet service, and placing DNS in the route makes Internet access safer and more convenient. Given the importance of the DNS network, monitoring DNS traffic to obtain statistical indexes is necessary for grasping the daily running condition of the DNS network, and in particular for finding abnormal DNS traffic in time. The existing monitoring approach mainly samples and analyzes each DNS server by packet capture or log recording to obtain the corresponding statistical indexes.
Chinese patent publication No. CN115250264A discloses a method for controlling network traffic associated with domain names based on DNSIP mapping. Some examples relate to controlling network traffic associated with a domain name based on a domain name system internet protocol address (DNSIP) map. One example includes: in a cloud computing system, receiving, from a respective Access Point (AP) in a Virtual Local Area Network (VLAN), a local DNSIP map for a domain name and geographic information of the respective AP; in the cloud computing system, generating a global DNSIP mapping database comprising the local DNSIP mappings for domain names received from the respective APs in the VLAN and the geographic information of the respective APs; and determining an appropriate AP to assign a global DNSIP map based on the location information of the corresponding AP. It can be seen that controlling domain-name-related network traffic based on DNSIP mapping has the problem that the Internet service process of multiple DNS routes cannot be accurately controlled, which reduces the security and access efficiency of the network access process.
Disclosure of Invention
Therefore, the invention provides a network flow data query system based on DNS (Domain name System) route, which is used for solving the problem that the security and the access efficiency of a network access process are reduced because the internet service process of multiple DNS routes cannot be accurately controlled in the prior art.
To achieve the above object, the present invention provides a DNS route-based network traffic data query system, including:
a traffic data acquisition module, used for acquiring the network traffic data returned by the first DNS route and the second DNS route when a preset condition is triggered;
a traffic data analysis module, connected with the traffic data acquisition module and used for analyzing abnormal network traffic data when the network traffic data returned in the DNS route triggers an abnormal condition;
a route control module, connected with the traffic data analysis module and used for determining the processing mode of the DNS route according to the analysis result of the traffic data analysis module;
wherein the preset condition is that the first DNS route receives a website sent by a browser.
Further, the traffic data analysis module includes an abnormal traffic analysis unit configured to compare the backhaul time of the network traffic data with a backhaul time standard and the backhaul traffic with a backhaul traffic standard. If the backhaul time and the backhaul traffic both exceed the standards, the abnormal traffic analysis unit determines that the network traffic data triggers the abnormal condition; if the backhaul time and/or the backhaul traffic do not exceed the standards, the abnormal traffic analysis unit determines that the network traffic data is normal.
Further, the traffic data analysis module further comprises a route auditing determination unit, which determines, when the abnormal condition is triggered, whether the network traffic data has passed the audit of the first DNS route and/or the second DNS route, so that the analysis mode of the abnormal data is determined according to the audit result.
Further, the traffic data analysis module further comprises a data packet analysis unit. If the route auditing unit determines that the network traffic data does not pass the audit of the first DNS route and/or the second DNS route, the data packet analysis unit determines the analysis mode of the data packet according to the result of comparing the abnormal proportion W of the abnormal data with an abnormal proportion standard, wherein the abnormal proportion standard comprises a first standard W1 and a second standard W2, with W1 < W2,
if W ≤ W1, the data packet analysis unit determines to analyze the abnormal data in a first analysis mode;
if W1 < W ≤ W2, the data packet analysis unit determines to analyze the abnormal data in a second analysis mode;
if W > W2, the data packet analysis unit determines to analyze the abnormal data in a third analysis mode;
the first analysis mode is to perform sampling inspection on a plurality of data packets of the network traffic data to determine the abnormal rate of the network traffic data; the second analysis mode is to perform partial decoding analysis on the network traffic data; and the third analysis mode is to perform full decoding analysis on the network traffic data.
Further, if the route auditing unit determines that the network traffic data passes the audit of the first DNS route and/or the second DNS route, the data packet analysis unit determines to analyze the abnormal data in the first analysis mode so as to determine an audit rate P of the route, and determines the sampling rate used when sampling a plurality of data packets of the network traffic data according to the result of comparing the audit rate P with an audit rate standard.
Further, the data packet analysis unit is provided with a first audit rate standard P1, a second audit rate standard P2, a first sampling rate proportion B1, a second sampling rate proportion B2 and a third sampling rate proportion B3, with P1 < P2 and B1 < B2 < B3,
if P ≤ P1, the data packet analysis unit determines that the sampling rate is B1;
if P1 < P ≤ P2, the data packet analysis unit determines that the sampling rate is B2;
if P > P2, the data packet analysis unit determines that the sampling rate is B3.
Further, the traffic data analysis module further comprises an abnormal data analysis unit, which extracts the abnormal data in the decoded data packet and compares the key field of the data packet to be acquired, corresponding to the data sent by the browser, with the abnormal data in the decoded data packet, so as to determine the similarity D between the data packet to be acquired and the decoded data packet. The route control module compares the similarity D with a similarity standard Db to determine the processing mode of the route,
if D ≤ Db, the route control module determines to process the route in a first processing mode;
if D > Db, the route control module determines to process the route in a second processing mode;
the first processing mode is to increase the alternative receiving paths of the first DNS route and the second DNS route, and the second processing mode is to adjust the audit period interval of the first DNS route and the second DNS route.
Further, the route control module is further configured to calculate a similarity difference C between the similarity D and the similarity standard Db, setting C = |D − Db|, and to determine the number of alternative receiving paths in the first processing mode according to the result of comparing the similarity difference with a similarity difference standard, wherein the route control module is provided with a first similarity difference standard C1, a second similarity difference standard C2, a first number of paths A1, a second number of paths A2, and a third number of paths A3, with C1 < C2 and A1 < A2 < A3,
if C ≤ C1, the route control module sets the number of paths to A1;
if C1 < C ≤ C2, the route control module sets the number of paths to A2;
if C > C2, the route control module sets the number of paths to A3.
Further, the route control module is also used for determining the adjustment mode of the audit period interval according to the result of comparing the similarity difference with the similarity difference standard,
if C ≤ C1, the route control module determines to adjust the audit period interval in a first adjustment mode;
if C1 < C ≤ C2, the route control module determines to adjust the audit period interval in a second adjustment mode;
if C > C2, the route control module determines to adjust the audit period interval in a third adjustment mode.
Further, in the first adjustment mode the route control module adjusts the audit period interval using a first adjustment coefficient K1, in the second adjustment mode it uses a second adjustment coefficient K2, and in the third adjustment mode it uses a third adjustment coefficient K3, with 0.5 < K3 < K2 < K1.
Compared with the prior art, the invention has the advantage that sampling analysis and data packet analysis are applied to all DNS and the analysis process has diversity, which ensures the accuracy of DNS data analysis; the invention also uses multithreading to analyze DNS data packets, which ensures the timeliness of DNS data analysis.
Further, the invention analyzes the return time and the return traffic of the abnormal traffic data to determine whether the returned network traffic data is normal in time and traffic, thereby ensuring the accuracy of data return; analyzing the returned abnormal data improves the accuracy of the access process and, in turn, the access efficiency.
Furthermore, the invention determines whether the abnormal data has passed the DNS route audit, and the audit rate of the DNS route, so as to ensure that abnormal data is identified accurately; it determines the analysis mode of the abnormal data according to the audit result and by setting the abnormal proportion standard of the abnormal data, which further improves the accuracy of the access process and the access efficiency.
Furthermore, the invention determines the audit rate of the DNS route in order to determine the spot-check proportion used when abnormal data that has passed the DNS route audit is spot-checked, so as to keep the analysis of abnormal data efficient.
Further, when the abnormal data is analyzed, the invention analyzes the similarity between the abnormal data of the data packet and the key field of the data packet to be acquired, and determines the processing mode of the route according to the similarity, which improves the accuracy of controlling the access process and, in turn, the access efficiency.
Drawings
Fig. 1 is a schematic structural diagram of a network traffic data query system based on DNS routing according to the present invention;
Fig. 2 is a schematic diagram of a flow data analysis module of the DNS routing-based network flow data query system according to the present invention.
Detailed Description
In order that the objects and advantages of the invention will become more apparent, the invention will be further described with reference to the following examples; it should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are merely for explaining the technical principles of the present invention, and are not intended to limit the scope of the present invention.
It should be noted that, in the description of the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those skilled in the art according to the specific circumstances.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic structural diagram of a network traffic data query system based on DNS routing according to the present invention; fig. 2 is a schematic diagram of a flow data analysis module of the DNS routing-based network flow data query system according to the present invention.
The invention provides a network flow data query system based on DNS route, comprising:
a traffic data acquisition module, used for acquiring the network traffic data returned by the first DNS route and the second DNS route when a preset condition is triggered;
a traffic data analysis module, connected with the traffic data acquisition module and used for analyzing abnormal network traffic data when the network traffic data returned in the DNS route triggers an abnormal condition;
a route control module, connected with the traffic data analysis module and used for determining the processing mode of the DNS route according to the analysis result of the traffic data analysis module;
wherein the preset condition is that the first DNS route receives a website sent by a browser.
Specifically, the traffic data analysis module includes an abnormal traffic analysis unit configured to compare the return time of the network traffic data with a return time standard and the return traffic with a return traffic standard. If both the return time and the return traffic exceed the standards, the abnormal traffic analysis unit determines that the network traffic data triggers the abnormal condition; if the return time and/or the return traffic do not exceed the standards, the abnormal traffic analysis unit determines that the network traffic data is normal.
Specifically, the traffic data analysis module further comprises a route auditing determination unit, which determines, when the abnormal condition is triggered, whether the network traffic data has passed the audit of the first DNS route and/or the second DNS route, so that the analysis mode of the abnormal data is determined according to the audit result.
Specifically, the traffic data analysis module further comprises a data packet analysis unit. If the route auditing unit determines that the network traffic data does not pass the audit of the first DNS route and/or the second DNS route, the data packet analysis unit determines the analysis mode of the data packet according to the result of comparing the abnormal proportion W of the abnormal data with an abnormal proportion standard, wherein the abnormal proportion standard comprises a first standard W1 and a second standard W2, with W1 < W2,
if W ≤ W1, the data packet analysis unit determines to analyze the abnormal data in a first analysis mode;
if W1 < W ≤ W2, the data packet analysis unit determines to analyze the abnormal data in a second analysis mode;
if W > W2, the data packet analysis unit determines to analyze the abnormal data in a third analysis mode;
the first analysis mode is to perform sampling inspection on a plurality of data packets of the network traffic data to determine the abnormal rate of the network traffic data; the second analysis mode is to perform partial decoding analysis on the network traffic data; and the third analysis mode is to perform full decoding analysis on the network traffic data.
Specifically, if the route auditing unit determines that the network traffic data passes the audit of the first DNS route and/or the second DNS route, the data packet analysis unit determines to analyze the abnormal data in the first analysis mode so as to determine an audit rate P of the route, and determines the sampling rate used when sampling a plurality of data packets of the network traffic data according to the result of comparing the audit rate P with an audit rate standard.
Specifically, the data packet analysis unit is provided with a first audit rate standard P1, a second audit rate standard P2, a first sampling rate proportion B1, a second sampling rate proportion B2 and a third sampling rate proportion B3, with P1 < P2 and B1 < B2 < B3,
if P ≤ P1, the data packet analysis unit determines that the sampling rate is B1;
if P1 < P ≤ P2, the data packet analysis unit determines that the sampling rate is B2;
if P > P2, the data packet analysis unit determines that the sampling rate is B3.
Specifically, the traffic data analysis module further includes an abnormal data analysis unit, which extracts the abnormal data in the decoded data packet and compares the key field of the data packet to be acquired, corresponding to the data sent by the browser, with the abnormal data in the decoded data packet, so as to determine the similarity D between the data packet to be acquired and the decoded data packet. The route control module compares the similarity D with a similarity standard Db to determine the processing mode of the route,
if D ≤ Db, the route control module determines to process the route in a first processing mode;
if D > Db, the route control module determines to process the route in a second processing mode;
the first processing mode is to increase the alternative receiving paths of the first DNS route and the second DNS route, and the second processing mode is to adjust the audit period interval of the first DNS route and the second DNS route.
In the embodiment of the invention, the key field of the data packet to be acquired is the field of the keyword associated with the website input by the user.
Specifically, the route control module is further configured to calculate a similarity difference C between the similarity D and the similarity standard Db, setting C = |D − Db|, and to determine the number of alternative receiving paths in the first processing mode according to the result of comparing the similarity difference with a similarity difference standard, wherein the route control module is provided with a first similarity difference standard C1, a second similarity difference standard C2, a first number of paths A1, a second number of paths A2, and a third number of paths A3, with C1 < C2 and A1 < A2 < A3,
if C ≤ C1, the route control module sets the number of paths to A1;
if C1 < C ≤ C2, the route control module sets the number of paths to A2;
if C > C2, the route control module sets the number of paths to A3.
In the embodiment of the present invention, a person skilled in the art may set the specific number of paths according to actual needs, and the present invention is not limited in this respect.
Specifically, the route control module is also used for determining the adjustment mode of the audit period interval according to the result of comparing the similarity difference with the similarity difference standard,
if C ≤ C1, the route control module determines to adjust the audit period interval in a first adjustment mode;
if C1 < C ≤ C2, the route control module determines to adjust the audit period interval in a second adjustment mode;
if C > C2, the route control module determines to adjust the audit period interval in a third adjustment mode.
Specifically, in the first adjustment mode the route control module adjusts the audit period interval using a first adjustment coefficient K1, in the second adjustment mode it uses a second adjustment coefficient K2, and in the third adjustment mode it uses a third adjustment coefficient K3, with 0.5 < K3 < K2 < K1.
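The tiered decisions of this embodiment, from the abnormal-condition check through the route processing mode, written out as an added Python example (not code from the patent). Every numeric standard and every function or field name below is a constructed assumption: the text fixes only the orderings (W1 < W2, P1 < P2, B1 < B2 < B3, C1 < C2, A1 < A2 < A3, 0.5 < K3 < K2 < K1). It does not say how D is computed or how a coefficient K is applied to the audit period interval, so D is an input here and the coefficient is returned unapplied.

```python
from dataclasses import dataclass
from enum import Enum


class AnalysisMode(Enum):
    SAMPLING = "first mode: spot-check sampled packets"
    PARTIAL_DECODE = "second mode: partial decoding analysis"
    FULL_DECODE = "third mode: full decoding analysis"


@dataclass(frozen=True)
class Standards:
    """Constructed values; only the orderings checked below come from the text."""
    time_std: float = 0.200     # return (backhaul) time standard, seconds
    traffic_std: int = 4096     # return (backhaul) traffic standard, bytes
    W1: float = 0.10            # abnormal proportion standards
    W2: float = 0.30
    P1: float = 0.50            # audit rate standards
    P2: float = 0.80
    B1: float = 0.05            # sampling rate proportions
    B2: float = 0.20
    B3: float = 0.50
    Db: float = 0.60            # similarity standard
    C1: float = 0.10            # similarity difference standards
    C2: float = 0.30
    A1: int = 1                 # numbers of alternative receiving paths
    A2: int = 2
    A3: int = 4
    K1: float = 0.90            # audit period interval adjustment coefficients
    K2: float = 0.75
    K3: float = 0.60

    def __post_init__(self):
        ordered = (self.W1 < self.W2 and self.P1 < self.P2
                   and self.B1 < self.B2 < self.B3
                   and self.C1 < self.C2
                   and self.A1 < self.A2 < self.A3
                   and 0.5 < self.K3 < self.K2 < self.K1)
        if not ordered:
            raise ValueError("standards violate the orderings the text requires")


def tier(value, low, high, choices):
    """Three-way split used throughout: value <= low, low < value <= high, value > high."""
    if value <= low:
        return choices[0]
    if value <= high:
        return choices[1]
    return choices[2]


def is_abnormal(return_time, return_traffic, s):
    # Both metrics must exceed their standards. A slow-but-small or a
    # fast-but-large response is classified as normal under this rule.
    return return_time > s.time_std and return_traffic > s.traffic_std


def choose_analysis(passed_audit, s, W=0.0, P=0.0):
    """Return (analysis mode, sampling rate); the rate is None where the text gives none."""
    if passed_audit:
        # Audited traffic is always spot-checked; the audit rate P picks the rate.
        return AnalysisMode.SAMPLING, tier(P, s.P1, s.P2, (s.B1, s.B2, s.B3))
    modes = (AnalysisMode.SAMPLING, AnalysisMode.PARTIAL_DECODE, AnalysisMode.FULL_DECODE)
    return tier(W, s.W1, s.W2, modes), None


def route_action(D, s):
    """Map similarity D to the first or second processing mode and its parameter."""
    C = abs(D - s.Db)
    if D <= s.Db:
        return {"processing": "add_alternative_paths", "C": C,
                "paths": tier(C, s.C1, s.C2, (s.A1, s.A2, s.A3))}
    return {"processing": "adjust_audit_interval", "C": C,
            "coefficient": tier(C, s.C1, s.C2, (s.K1, s.K2, s.K3))}


def evaluate(flow, s):
    """Run one returned flow (a dict of constructed fields) through every stage."""
    if not is_abnormal(flow["return_time"], flow["return_traffic"], s):
        return None  # normal traffic: no further analysis
    mode, rate = choose_analysis(flow["passed_audit"], s, W=flow["W"], P=flow["P"])
    return {"mode": mode, "sampling_rate": rate, "route": route_action(flow["D"], s)}


if __name__ == "__main__":
    # Constructed sample flow: slow, large, unaudited, 40% abnormal packets.
    sample = {"return_time": 0.5, "return_traffic": 10000, "passed_audit": False,
              "W": 0.4, "P": 0.0, "D": 0.8}
    print(evaluate(sample, Standards()))
```

Because the abnormal condition is a conjunction, a deployment that follows this scheme needs both standards tuned together: a value that exceeds only one of them never reaches the packet analysis stage.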
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will be within the scope of the present invention.
The foregoing description is only of the preferred embodiments of the invention and is not intended to limit the invention; various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A DNS routing-based network traffic data query system, comprising:
a traffic data acquisition module, used for acquiring the network traffic data returned by the first DNS route and the second DNS route when a preset condition is triggered;
a traffic data analysis module, connected with the traffic data acquisition module and used for analyzing abnormal network traffic data when the network traffic data returned in the DNS route triggers an abnormal condition;
a route control module, connected with the traffic data analysis module and used for determining the processing mode of the DNS route according to the analysis result of the traffic data analysis module;
wherein the preset condition is that the first DNS route receives a website sent by a browser.
2. The DNS route-based network traffic data query system according to claim 1, wherein the traffic data analysis module includes an abnormal traffic analysis unit configured to compare the backhaul time of the network traffic data with a backhaul time standard and the backhaul traffic with a backhaul traffic standard, respectively; if the backhaul time and the backhaul traffic both exceed the standards, the abnormal traffic analysis unit determines that the network traffic data triggers the abnormal condition, and if the backhaul time and/or the backhaul traffic do not exceed the standards, the abnormal traffic analysis unit determines that the network traffic data is normal.
3. The DNS route-based network traffic data query system according to claim 2, wherein the traffic data analysis module further includes a route audit determination unit that determines, when the abnormal condition is triggered, whether the network traffic data has passed the audit of the first DNS route and/or the second DNS route, so as to determine the analysis mode of the abnormal data according to the audit result.
4. The DNS route-based network traffic data query system according to claim 3, wherein said traffic data analysis module further comprises a data packet analysis unit; if said route auditing unit determines that said network traffic data does not pass the audit of said first DNS route and/or said second DNS route, said data packet analysis unit determines the analysis mode of said data packet according to the result of comparing an abnormal proportion W of the abnormal data with an abnormal proportion standard, wherein said abnormal proportion standard comprises a first standard W1 and a second standard W2, with W1 < W2,
if W ≤ W1, the data packet analysis unit determines to analyze the abnormal data in a first analysis mode;
if W1 < W ≤ W2, the data packet analysis unit determines to analyze the abnormal data in a second analysis mode;
if W > W2, the data packet analysis unit determines to analyze the abnormal data in a third analysis mode;
the first analysis mode is to perform sampling inspection on a plurality of data packets of the network traffic data to determine the abnormal rate of the network traffic data; the second analysis mode is to perform partial decoding analysis on the network traffic data; and the third analysis mode is to perform full decoding analysis on the network traffic data.
5. The DNS route-based network traffic data query system according to claim 4, wherein if the route auditing unit determines that the network traffic data passes the audit of the first DNS route and/or the second DNS route, the data packet analysis unit determines to analyze the abnormal data in the first analysis mode so as to determine an audit rate P of the route, and determines the sampling rate used when sampling a plurality of data packets of the network traffic data according to the result of comparing the audit rate P with an audit rate standard.
6. The DNS routing-based network traffic data query system of claim 5, wherein the data packet analysis unit is provided with a first audit rate standard P1, a second audit rate standard P2, a first sampling rate B1, a second sampling rate B2 and a third sampling rate B3, with P1 < P2 and B1 < B2 < B3,
if P ≤ P1, the data packet analysis unit determines that the sampling rate is B1;
if P1 < P ≤ P2, the data packet analysis unit determines that the sampling rate is B2;
if P > P2, the data packet analysis unit determines that the sampling rate is B3.
7. The DNS route-based network traffic data query system according to claim 6, wherein the traffic data analysis module further includes an abnormal data analysis unit configured to extract the abnormal data in the decoded data packet and to compare a key field of the data packet to be acquired, corresponding to the data sent by the browser, with the abnormal data in the decoded data packet, so as to determine a similarity D between the data packet to be acquired and the decoded data packet; the route control module compares the similarity D with a similarity standard Db to determine the processing mode of the route,
if D ≤ Db, the route control module determines to process the route in a first processing mode;
if D > Db, the route control module determines to process the route in a second processing mode;
the first processing mode is to increase the alternative receiving paths of the first DNS route and the second DNS route, and the second processing mode is to adjust the audit period interval of the first DNS route and the second DNS route.
8. The DNS route-based network traffic data query system according to claim 7, wherein the route control module is further configured to calculate a similarity difference C between the similarity D and the similarity criterion Db, where C = |D - Db| is set, and to determine the number of paths of the alternative receiving path in the first processing mode according to the comparison result between the similarity difference and the similarity difference criterion, wherein the route control module is provided with a first similarity difference criterion C1, a second similarity difference criterion C2, a first number of paths A1, a second number of paths A2, and a third number of paths A3, where C1 < C2 and A1 < A2 < A3 are set,
if C ≤ C1, the route control module sets the number of paths to A1;
if C1 < C ≤ C2, the route control module sets the number of paths to A2;
if C > C2, the route control module sets the number of paths to A3.
9. The DNS routing-based network traffic data query system of claim 8, wherein said routing control module is further configured to determine a manner of adjustment of the audit period interval based on a comparison of said similarity difference to a similarity difference criterion,
if C ≤ C1, the route control module determines to adjust the audit period interval in a first adjustment mode;
if C1 < C ≤ C2, the route control module determines to adjust the audit period interval in a second adjustment mode;
if C > C2, the route control module determines to adjust the audit period interval in a third adjustment mode.
10. The DNS route-based network traffic data query system according to claim 9, wherein the first adjustment mode is that the route control module adjusts the audit period interval by using a first adjustment coefficient K1, the second adjustment mode is that the route control module adjusts the audit period interval by using a second adjustment coefficient K2, and the third adjustment mode is that the route control module adjusts the audit period interval by using a third adjustment coefficient K3, and 0.5 < K3 < K2 < K1 is set.
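The tiered decisions of claims 6 to 10, written out as an added example (not code from the patent) so the inclusive upper bounds and the ordering constraints can be checked. Every numeric threshold, the names `Policy`, `tier`, `sampling_rate` and `route_action`, and the reading that the coefficient K multiplies the audit period interval are assumptions; the claims give only the orderings.

```python
from bisect import bisect_left
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Constructed values; the claims fix only the orderings checked below.
    # Dyadic fractions keep the boundary comparisons exact in floating point.
    P: tuple = (0.25, 0.5)            # audit-rate standards P1 < P2
    B: tuple = (0.0625, 0.25, 0.5)    # sampling rates B1 < B2 < B3
    Db: float = 0.75                  # similarity criterion
    C: tuple = (0.125, 0.25)          # similarity-difference standards C1 < C2
    A: tuple = (1, 2, 4)              # alternative-path counts A1 < A2 < A3
    K: tuple = (0.875, 0.75, 0.625)   # K1, K2, K3 with 0.5 < K3 < K2 < K1

    def __post_init__(self):
        ordered = (self.P[0] < self.P[1]
                   and self.B[0] < self.B[1] < self.B[2]
                   and self.C[0] < self.C[1]
                   and self.A[0] < self.A[1] < self.A[2]
                   and 0.5 < self.K[2] < self.K[1] < self.K[0])
        if not ordered:
            raise ValueError("orderings required by claims 6, 8 and 10 not met")

def tier(x, bounds):
    """Band index for x <= b1, b1 < x <= b2, x > b2 (upper bounds inclusive)."""
    return bisect_left(bounds, x)

def sampling_rate(p, pol):
    """Claim 6: audit rate P selects sampling rate B1, B2 or B3."""
    return pol.B[tier(p, pol.P)]

def route_action(d, audit_interval_s, pol):
    """Claims 7-10: similarity D selects the mode, C = |D - Db| selects its size."""
    t = tier(abs(d - pol.Db), pol.C)
    if d <= pol.Db:
        # First processing mode: add alternative receiving paths.
        return {"mode": 1, "alt_paths": pol.A[t]}
    # Second processing mode. Assumption: the coefficient multiplies the interval.
    return {"mode": 2, "audit_interval_s": audit_interval_s * pol.K[t]}
```

With thresholds that are not exactly representable in binary, a value computed as |D - Db| can land just above a boundary it was meant to equal, so boundary cases deserve explicit tests in any real implementation.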
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310124282.5A CN116346774A (en) | 2023-02-16 | 2023-02-16 | Network flow data query system based on DNS (Domain name System) route |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116346774A (en) | 2023-06-27 |
Family
ID=86886673
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310124282.5A Pending CN116346774A (en) | 2023-02-16 | 2023-02-16 | Network flow data query system based on DNS (Domain name System) route |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116346774A (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101640666A (en) * | 2008-08-01 | 2010-02-03 | 北京启明星辰信息技术股份有限公司 | Device and method for controlling flow quantity facing to target network |
CN101841435A (en) * | 2010-01-18 | 2010-09-22 | 中国科学院计算机网络信息中心 | Method, apparatus and system for detecting abnormality of DNS (domain name system) query flow |
US20130145010A1 (en) * | 2011-12-06 | 2013-06-06 | Seven Networks, Inc. | Mobile Device And Method To Utilize The Failover Mechanism For Fault Tolerance Provided For Mobile Traffic Management And Network/Device Resource |
US20140269339A1 (en) * | 2013-03-13 | 2014-09-18 | Telekom Malaysia Berhad | System for analysing network traffic and a method thereof |
CN104954864A (en) * | 2015-06-19 | 2015-09-30 | 中国人民解放军信息工程大学 | Two-way set top box intrusion detection system and detection method thereof |
CN107566320A (en) * | 2016-06-30 | 2018-01-09 | 中国电信股份有限公司 | A kind of network kidnaps detection method, device and network system |
CN110489431A (en) * | 2019-07-05 | 2019-11-22 | 深圳壹账通智能科技有限公司 | Method for detecting abnormality, device, computer equipment and storage medium |
EP3622677A1 (en) * | 2017-05-09 | 2020-03-18 | Cisco Technology, Inc. | Routing network traffic based on dns |
CN111935136A (en) * | 2020-08-07 | 2020-11-13 | 哈尔滨工业大学 | Domain name query and analysis abnormity detection system and method based on DNS data analysis |
CN114785565A (en) * | 2022-04-01 | 2022-07-22 | 北京国信网联科技有限公司 | Data security exchange system based on network boundary |
Non-Patent Citations (2)
Title |
---|
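左靖; 王海龙; 杨奔全: "Design and implementation of a campus network traffic monitoring system based on WSDM", Application of Electronic Technique, no. 06 * |
罗志强; 沈军; 金华敏: "Detection and control technology for distributed DNS reflection DDoS attacks", Telecommunications Science, no. 10 * |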
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101239401B1 (en) | Log analysys system of the security system and method thereof | |
US20100220619A1 (en) | Abnormal traffic detection apparatus, abnormal traffic detection method and abnormal traffic detection program | |
CN101754253B (en) | General packet radio service (GPRS) end-to-end performance analysis method and system | |
US7801985B1 (en) | Data transfer for network interaction fraudulence detection | |
US6473400B1 (en) | Computation of traffic flow by scaling sample packet data | |
CN109996284A (en) | Mobile communication Trouble call worksheet method, apparatus, equipment and medium | |
CN111683097B (en) | Cloud network flow monitoring system based on two-stage architecture | |
US20020177910A1 (en) | Performance measurement system for large computer network | |
CN107612740A (en) | A kind of daily record monitoring system and method under distributed environment | |
US9729563B2 (en) | Data transfer for network interaction fraudulence detection | |
CN104836694B (en) | Method for monitoring network and device | |
CN1652519A (en) | Communication measuring system and its communication analyzing method | |
US8504673B2 (en) | Traffic like NXDomains | |
EP3771152B1 (en) | Network analysis program, network analysis device, and network analysis method | |
CN110324327B (en) | User and server IP address calibration device and method based on specific enterprise domain name data | |
CN107450087B (en) | It is a kind of for sharing the quality of data server-side analysis method of bicycle high accuracy positioning | |
EP1906590B1 (en) | System and method for network analysis | |
US8140671B2 (en) | Apparatus and method for sampling security events based on contents of the security events | |
CN113438332B (en) | DoH service identification method and device | |
CN116346774A (en) | Network flow data query system based on DNS (Domain name System) route | |
CN111865951A (en) | Network data flow abnormity detection method based on data packet feature extraction | |
CN113037551A (en) | Quick identification and positioning method for sensitive-related services based on traffic slice | |
CN102891781A (en) | Network sharing detection system and network sharing detection method | |
CN109995731A (en) | It improves the method, apparatus of caching discharge flow, calculate equipment and storage medium | |
CN100505648C (en) | Method and device for detecting and blocking unauthorized access |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||