CN101227318A - Method for overtrick real-time detection of high speed network flow quantity - Google Patents

Publication number: CN101227318A
Authority: CN (China)
Prior art keywords: overtrick, bloom filter, message, information, data structure
Legal status: Granted
Application number: CNA2007101910358A
Other languages: Chinese (zh)
Other versions: CN101227318B (en)
Inventors: 程光, 龚俭, 江洁欣, 强士卿, 丁伟
Current Assignee: Haian Changzhou University Technology Transfer Center Co., Ltd.; Southeast University
Original Assignee: Southeast University
Application filed by Southeast University
Priority to CN2007101910358A
Publication of CN101227318A
Application granted
Publication of CN101227318B
Expired - Fee Related

Abstract

A method for real-time detection of overtricks in high-speed network traffic uses three data structures and three processes. The data structures are a Bloom Filter, a counting Bloom Filter and a hash linked list: the Bloom Filter records which flows already exist, the counting Bloom Filter records the flow count of each aggregation point, and the hash linked list records the identifier and flow count of each overtrick. The processes are new-flow detection based on the Bloom Filter, overtrick detection based on the counting Bloom Filter, and overtrick information recording based on the hash linked list. When a message reaches the measurement device, the device first looks up in the Bloom Filter whether the message belongs to a new flow; if it does, the device looks up in the counting Bloom Filter whether the aggregation point of the new flow is an overtrick; if it is, the device records the overtrick's identifier and flow count in the hash linked list. The invention detects overtrick information directly and in real time, reduces the consumption of measurement resources, and improves the accuracy of overtrick flow counts.

Description

Real-time overtrick detection method for high-speed network traffic
Technical field
The present invention relates to flow-count detection methods for network traffic, and in particular to a Bloom Filter based method for real-time overtrick detection in high-speed, large-scale networks.
Background art
Network traffic consists of individual messages. Some fields of a message stay unchanged in transit, such as the source IP and destination IP. Within a measurement interval, the messages that share the same values in a chosen set of fields form a network flow. A commonly used definition takes the five-tuple of source IP, destination IP, source port, destination port and protocol: the set of messages with an identical five-tuple is one network flow. The combination of fields that identifies a flow is called the flow identifier; for flows defined by the five-tuple, it is {source IP, destination IP, source port, destination port, protocol}. A set of network flows grouped by one or several fields of the flow identifier is called an aggregated flow, and the flows that share the same aggregation point identifier form an aggregation point. For example, when flows are aggregated by source IP or by destination IP, that field is the aggregation point; for flows aggregated by source IP, the source IP is the aggregation point. An overtrick is an aggregation point whose flow count exceeds a predefined threshold. The purpose of the present invention is to detect overtricks.
A recurring problem in Internet security is detecting source IPs that connect to a large number of destination IPs (or destination IPs that are contacted by a large number of source IPs). This is an overtrick detection problem, where an overtrick is defined as a source IP or destination IP whose number of connections exceeds a defined threshold. An example: consider a data stream
P={(A.B)(B.A)(D.B)(B.D)(F.A)(C.B)(E.A)(C.B)(B.A)(E.B)(C.A)(B.A)(E.A)(E.B)(A.C)(B.D)(C.D)(B.A)(A.B)(B.C)(D.A)(C.B)}
This set has 20 elements in total; each element corresponds to one message. Each element consists of one letter before the dot and one letter after it: the letter before the dot is the source IP identifier of the message, and the letter after the dot is its destination IP identifier. Merging the messages that have the same source and destination IP identifiers gives
F={(A.B)(B.A)(D.B)(B.D)(F.A)(C.B)(E.A)(E.B)(C.A)(A.C)(C.D)(B.C)(D.A)}
This set has 13 elements. These elements are the flows as defined above, and each flow contains one or more messages. Aggregating the flows by the letter before the dot and recording the number of elements in each group gives
S={(A,2)(B,3)(D,2)(F,1)(C,3)(E,2)}
The 6 elements of this set are the aggregation point information. Each element holds two items: the letter is the aggregation point identifier and the number is the flow count of that aggregation point; for example, (B, 3) means that 3 flows are identified by B. If the overtrick detection threshold is set to 3, that is, an aggregation point whose flow count is greater than or equal to 3 is defined as an overtrick, then the aggregation points B and C are the overtricks to be detected in this example. The task of the present invention is to provide an efficient method that detects the overtricks for threshold 3 from data stream S, that is, detects the overtricks B and C together with their flow counts.
Overtrick detection has important applications in network security. (1) Detecting network worms: a worm-infected host sends probe traffic to a large number of destination addresses, so the infected host can be regarded as a super-flow host. (2) Detecting DDoS/DoS: during a DDoS/DoS attack, a large number of hosts/IP addresses send heavy traffic to one destination address, so the attacked destination host can also be regarded as a super-flow host. (3) Detecting port scans: to find vulnerable targets, a host initiates a large number of connections to different IP addresses and different ports, so this source IP can also be regarded as a super-flow IP. (4) Super-flow detection also applies to P2P distributed networks, where host pairs may generate a large number of connections; a super-flow IP is regarded as a hotspot IP, and detecting super-flow IPs in real time helps with load balancing to improve network efficiency.
To detect overtricks in network traffic, a measurement system has to maintain in memory a record for each flow and a record for each aggregation point, so how these records are maintained in memory is the key to an overtrick detection method. The traditional approach keeps all flow information and aggregation point information directly in memory; Snort and FlowScan both work this way. Its drawback is heavy memory consumption, and it can only handle traffic in low-speed local area networks. To detect overtricks in high-speed networks, Venkataraman proposed two overtrick IP detection techniques based on flow sampling, but these still maintain the information of every sampled flow and aggregation point. In essence this is no different from storing all flow information in a hash table; it also consumes a large amount of memory and is hard to apply to overtrick detection on high-speed traffic. Zhao proposed maintaining flow records in a bit vector. Because each flow needs only one bit, this saves a large amount of measurement resources for flow records. However, Zhao's method maps flows into the bit vector with a single hash function, so the probability that different flows map to the same bit is high; these mapping collisions make the flow-count estimate less accurate. Its second drawback is that it still keeps a record for every aggregation point measured, which also wastes a large amount of memory. To address these two shortcomings, Zhao proposed a second solution that defines a bit matrix: aggregation point identifiers map to the X axis of the matrix and flow identifiers to the Y axis, and the flow information and aggregation point flow counts are recorded in the matrix. Its advantage is higher accuracy than the first scheme. Its main drawbacks are: maintaining the matrix needs a large amount of memory; because the method does not know during measurement which aggregation points may be overtricks, the identifiers of all aggregation points must be recorded; and the bit matrix in fact records only the flow counts of the aggregation points, so the method also spends a large amount of memory recording the identifiers of all aggregation points.
The Bloom Filter was proposed by Burton Bloom in the 1970s and has been widely used in spell checking and database systems. Over the past two decades, with the development of Internet technology, Bloom Filters have come into wide use in networking, and new variants and applications keep appearing. A Bloom Filter is a highly space-efficient randomized data structure: it represents a set compactly with a bit array and can test whether an element belongs to the set. This efficiency has a cost: when testing membership, an element that does not belong to the set may be wrongly reported as belonging to it (a false positive).
In its initial state (Fig. 1), a Bloom Filter is a bit array of m bits, all set to 0.
To represent a set $S=\{x_1, x_2, \ldots, x_n\}$ of n elements, a Bloom Filter uses k independent hash functions, each of which maps every element of the set into the range $\{1, \ldots, m\}$. For any element x, the position $h_i(x)$ given by the i-th hash function is set to 1 ($1 \le i \le k$). If a position is set to 1 more than once, only the first time has an effect. In Fig. 2, k=3, and two hash functions select the same position.
To test whether y belongs to the set, apply the k hash functions; if all positions $h_i(y)$ are 1 ($1 \le i \le k$), y is considered an element of the set, otherwise y is considered not to be an element of the set.
A Bloom Filter has a certain error rate (the false positive rate) when testing whether an element belongs to the set it represents. Assume kn<m and that every hash function is completely random. After all elements of $S=\{x_1, x_2, \ldots, x_n\}$ have been mapped into the m-bit array by the k hash functions, the probability that a given bit is still 0 is:
$p = (1-1/m)^{kn} \approx e^{-kn/m}$
Here 1/m is the probability that one hash evaluation selects this bit, and (1-1/m) is the probability that it does not. Mapping S completely into the bit array takes kn hash evaluations. A bit is still 0 only if none of the kn evaluations selected it, so this probability is $(1-1/m)^{kn}$.
Let ρ be the fraction of 0 bits in the bit array; then the expectation $E(\rho)=p$. With ρ known, the error rate (false positive rate) is:
$f = (1-\rho)^k \approx (1-p)^k = (1-(1-1/m)^{kn})^k \approx (1-e^{-kn/m})^k$
$(1-\rho)$ is the fraction of 1 bits in the bit array, and $(1-\rho)^k$ is the probability that all k hash evaluations land on 1 bits, which is the false positive rate.
A Bloom Filter relies on several hash functions to map a set into the bit array, so how many hash functions minimize the error rate of a query? With more hash functions, a query for an element outside the set has more chances to hit a 0 bit; on the other hand, with fewer hash functions, more bits in the array remain 0. The optimal number of hash functions is obtained from the error rate formula.
Write $f = \exp(k \ln(1-e^{-kn/m}))$ and let $g = k \ln(1-e^{-kn/m})$; f is minimal when g is minimal. Since $p = e^{-kn/m}$, g can be written as $g = -\frac{m}{n}\ln(p)\ln(1-p)$. By symmetry, g reaches its minimum at $p = 1/2$, that is, at $k = \ln 2 \cdot (m/n)$. The minimum error rate is therefore $f = (1/2)^k \approx (0.6185)^{m/n}$.
A counting Bloom Filter differs from a Bloom Filter in that a Bloom Filter keeps one bit per position, whereas a counting Bloom Filter keeps a counter C(i) per position. Every counter starts at 0, and adding an element d performs $C[h_i(d)] = C[h_i(d)] + 1$ for $i = 1, \ldots, k$.
Summary of the invention
To solve the two main problems of the overtrick measurement methods above, measurement accuracy and consumption of measurement resources, we record flow information in a Bloom Filter and aggregation point information in a counting Bloom Filter. A Bloom Filter is a highly space-efficient randomized data structure: it represents a set compactly with a bit array and can test whether an element belongs to the set. We therefore use a Bloom Filter to maintain flow existence information, so that each flow record consumes only 1-3 bits of memory; and because a Bloom Filter maps with several hash functions, the collision probability between different flows drops sharply, which improves flow detection accuracy. Maintaining aggregation point information in a counting Bloom Filter serves two purposes. First, a counting Bloom Filter has the function of a Bloom Filter and can maintain the existence information of aggregation points. Second, the counting Bloom Filter in effect becomes an overtrick filter: only when the flow count of an aggregation point in the counting Bloom Filter exceeds a threshold is that aggregation point detected as an overtrick. We then record the identifier and flow count of this overtrick, and these details are the result the overtrick detection method is meant to produce.
The present invention proposes a Bloom Filter based method for real-time overtrick detection in high-speed network traffic, which achieves high-speed overtrick detection and bounds the buffer space used for overtrick records. Compared with existing methods, it records details only for aggregation points identified as overtricks and does not need to record the details of all flows and aggregation points, so it saves memory. In addition, the Bloom Filter data structures improve the detection accuracy for flows and aggregation points and reduce the collision probability between flows, which in turn improves the accuracy of flow counting and of overtrick detection. The technical scheme is as follows:
A method for real-time overtrick detection in high-speed network traffic, characterized in that it is based on the Bloom Filter data structure, filtering new flows with a Bloom Filter and filtering overtricks with a counting Bloom Filter. The method comprises three data structures and three processes. The three data structures are a Bloom Filter, a counting Bloom Filter and a hash linked list. The Bloom Filter records flow existence information, the counting Bloom Filter records the flow counts of aggregation points, and the hash linked list records overtrick identifiers and overtrick flow counts. The three processes are new-flow detection based on the Bloom Filter, overtrick detection based on the counting Bloom Filter, and overtrick information recording based on the hash linked list.
The detection process is as follows. When a message arrives at the measurement device, the device first looks up in the Bloom Filter whether the message belongs to a new flow. If the flow of this message already exists, the device stops processing the message and continues with the next arriving message. If the newly arrived message belongs to a new flow, the new flow is recorded in the Bloom Filter and handed to the counting Bloom Filter overtrick detection process. That process looks up the counting Bloom Filter to decide whether the aggregation point of the new flow is an overtrick. If the aggregation point is not an overtrick, the new flow is recorded in the counting Bloom Filter, processing of this message stops, and the device continues with the next arriving message. If the aggregation point is an overtrick, the flow count in the counting Bloom Filter is left unchanged and the new flow is handed to the overtrick recording process based on the hash linked list. If the overtrick for this message is found in the hash linked list, its flow count is incremented; otherwise the overtrick is added to the hash linked list with its flow count initialized to the overtrick detection threshold plus 1. When the measurement time ends, the overtrick information in the hash linked list is output.
The concrete technical steps are as follows:
Step 1: Set parameters
Set the number of hash functions used by the Bloom Filter to k; the k hash functions are $h_1(), h_2(), \ldots, h_k()$. Each takes a network flow identifier as input and outputs a hash value n bits long. Set the size of the Bloom Filter bit vector to m, where $m = 2^n$ and n is the bit length of the hash output;
Set the number of hash functions used by the counting Bloom Filter to b; the b hash functions are $h'_1(), h'_2(), \ldots, h'_b()$. Each takes an aggregation point identifier as input and outputs a hash value d bits long. Set the size of the counting Bloom Filter vector to a, where $a = 2^d$ and d is the bit length of the output of the b hash functions. Set each position of the counting Bloom Filter vector to e bits and set the overtrick decision threshold to r, where r must be less than $2^e$ and e is the number of bits per position of the counting Bloom Filter vector;
Set the hash function used by the pointer array of the overtrick hash linked list to $h''()$; its input is an overtrick identifier and its output is a hash value q bits long. Set the size of the pointer array that points to overtrick nodes to w, where $w = 2^q$. An overtrick node consists of three fields: the overtrick identifier, the overtrick flow count, and a pointer to the next overtrick node;
Set the measurement start time begintime and the measurement end time endtime;
Step 2: Initialize each structure
Set all m positions of the Bloom Filter bit vector to 0;
Set all a positions of the counting Bloom Filter vector to 0;
Set all w positions of the pointer array of the overtrick hash linked list to the null pointer;
Step 3: Check whether the measurement time has ended
If the current clock is equal to or later than the measurement end time endtime, output the overtrick nodes in the hash linked list. Otherwise wait for a message to arrive at the measurement device; when one arrives, go to Step 4;
Step 4: New-flow decision based on the Bloom Filter
Let the network flow identifier of this message be A. Use the k hash functions of the Bloom Filter to compute the hash values $h_1(A), h_2(A), \ldots, h_k(A)$. If the Bloom Filter value at all k positions is 1, the flow of this message has already been recorded; return to Step 3. If the value at one or more of the k positions is 0, the flow of this message is a new flow; set the Bloom Filter value at all k positions to 1 and go to Step 5;
Step 5: Overtrick decision based on the counting Bloom Filter
Let the aggregation point identifier of this message be B. Use the b hash functions of the counting Bloom Filter to compute the hash values $h'_1(B), h'_2(B), \ldots, h'_b(B)$ and find the minimum of the counters at these b positions. If the minimum is less than the overtrick threshold, add 1 to those of the b counters whose value equals the minimum, and return to Step 3. If the minimum is equal to or greater than the overtrick threshold, go to Step 6;
Step 6: Overtrick information recording based on the hash linked list
Let the overtrick identifier of this message be B. Use the hash function of the hash linked list to compute $h''(B)$ and look up the pointer at that position of the pointer array. If a node for this overtrick is found in the chain that the pointer leads to, add 1 to the flow count field of that node and return to Step 3. If the chain contains no node for this overtrick, go to Step 7;
Step 7: Create a new overtrick node
Allocate in memory a node for the overtrick, containing the overtrick identifier, the overtrick flow count and a pointer to the next overtrick. Set the node's identifier field to the overtrick identifier, initialize its flow count field to the overtrick detection threshold plus 1, and set its next-node pointer to null. Make the last node of the chain at the pointer array position given by this overtrick's hash value point to the new node. Return to Step 3.
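The seven steps above, carried through in Python as an added example (not code from the patent): it runs the two message streams P given on this page, aggregating by source identifier with threshold r = 2. The salted SHA-256 hash functions, the larger default filter sizes (n = 16, d = 12) and all class, function and variable names are assumptions made here.

```python
import hashlib


def hash_positions(key, count, bits, domain):
    """Return `count` hash values of `bits` bits each for `key`.

    Assumption: the patent does not name its hash functions; salted SHA-256
    stands in for h_i, h'_i and h'' here.
    """
    positions = []
    for i in range(count):
        digest = hashlib.sha256(f"{domain}/{i}/{key}".encode()).digest()
        positions.append(int.from_bytes(digest[:8], "big") % (1 << bits))
    return positions


class OvertrickDetector:
    """Bloom Filter + counting Bloom Filter + hash linked list (Steps 1-7)."""

    def __init__(self, k=3, n=16, b=3, d=12, e=2, r=2, q=2):
        # Step 1: the threshold must fit in an e-bit counter.
        if not 0 < r < (1 << e):
            raise ValueError("threshold r must be less than 2**e")
        self.k, self.n, self.b, self.d, self.r, self.q = k, n, b, d, r, q
        # Step 2: every structure starts empty.
        self.bloom = bytearray(((1 << n) + 7) // 8)   # m = 2**n bits
        self.counters = [0] * (1 << d)                # a = 2**d counters
        self.buckets = [[] for _ in range(1 << q)]    # w = 2**q chains

    def _is_new_flow(self, flow_id):
        """Step 4: a flow is new if any of its k bits is 0; then set all k."""
        new = False
        for pos in hash_positions(flow_id, self.k, self.n, "flow"):
            byte, mask = pos >> 3, 1 << (pos & 7)
            if not self.bloom[byte] & mask:
                new = True
                self.bloom[byte] |= mask
        return new

    def process(self, flow_id, point_id):
        """Handle one message; return which process finished handling it."""
        if not self._is_new_flow(flow_id):
            return "known flow"
        # Step 5: a set, so two hash functions that pick the same position
        # (as h'_1(D) and h'_3(D) do in the embodiment) count only once.
        positions = set(hash_positions(point_id, self.b, self.d, "point"))
        low = min(self.counters[p] for p in positions)
        if low < self.r:
            for p in positions:
                if self.counters[p] == low:   # only the minimal counters grow
                    self.counters[p] += 1
            return "counted"
        # Steps 6-7: the counters stay untouched; update or append a node.
        chain = self.buckets[hash_positions(point_id, 1, self.q, "list")[0]]
        for node in chain:
            if node[0] == point_id:
                node[1] += 1
                return "overtrick"
        chain.append([point_id, self.r + 1])
        return "overtrick"

    def report(self):
        """Step 3 output: overtrick identifier -> flow count."""
        return {ident: flows for chain in self.buckets for ident, flows in chain}


# The two streams P from this page, written source.destination.
BACKGROUND_P = ("A.B B.A D.B B.D F.A C.B E.A C.B B.A E.B C.A B.A E.A E.B "
                "A.C B.D C.D B.A A.B B.C D.A C.B")
EMBODIMENT_P = "A.B B.A D.B B.D F.A C.B E.A C.B B.A B.E A.C B.E B.A E.B E.B"


def detect(stream, **params):
    """Feed a whitespace-separated stream through a fresh detector."""
    detector = OvertrickDetector(**params)
    for message in stream.split():
        source, _destination = message.split(".")
        detector.process(flow_id=message, point_id=source)
    return detector


if __name__ == "__main__":
    print("embodiment:", detect(EMBODIMENT_P).report())
    print("background:", detect(BACKGROUND_P).report())
```

A node is created only when a new flow arrives after the minimum counter has already reached r, so every reported overtrick has more than r flows: with r = 2 the background stream yields B and C with 3 flows each, while r = 3 reports nothing. Since only counters below r are ever incremented, no counter exceeds r, which is why r < 2^e is enough to rule out overflow.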
Definitions of the terms used: some fields of a message transmitted in the network stay unchanged in transit, such as the source IP and destination IP. Within a measurement interval, a set of messages that share the same fields is called a network flow. A commonly used definition takes the five-tuple of source IP, destination IP, source port, destination port and protocol: the set of messages with an identical five-tuple is one network flow. The combination of fields that identifies a flow is called the flow identifier; for flows defined by the five-tuple, it is {source IP, destination IP, source port, destination port, protocol}. A set of network flows grouped by one or several fields of the flow identifier is called an aggregated flow. For example, when flows are aggregated by source IP or by destination IP, that field is the aggregation point; for flows aggregated by source IP, the source IP is the aggregation point. An overtrick is an aggregation point whose flow count exceeds a predefined threshold, and the purpose of the present invention is to detect overtricks in real time.
A Bloom Filter is a highly space-efficient randomized data structure: it represents a set compactly with a bit array and can test whether an element belongs to the set. A counting Bloom Filter is a Bloom Filter with a counter at each position. The difference is that a Bloom Filter keeps one bit per position, so each position can record only the two values 0 and 1, whereas a counting Bloom Filter keeps a counter per position, so each position can record multiple values.
The hash linked list is a pointer array combined with linked lists. Initially it is a pointer array in which every position is the null pointer. When the measurement device needs to record a new overtrick, the system allocates a node for it containing the overtrick identifier, the overtrick flow count and a pointer to the next overtrick. A hash function maps the overtrick identifier to a position in the pointer array, and the pointer at that position is made to point to the newly allocated node. If the pointer at that position already points to another overtrick node, the last node of the chain at that position is made to point to the newly allocated node instead. If the overtrick is already recorded in the hash linked list, only its flow count is updated.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
(1) The method processes each message through three successive processes: new-flow detection, overtrick detection and overtrick recording. Only a message that passes new-flow detection enters overtrick detection, so of all the messages of one flow only the first passes the new-flow detection process. This greatly reduces the processing load on the measurement device and improves its processing capacity.
(2) The method does not record the identifiers of aggregation points whose flow count has not exceeded the threshold, nor flow identifiers. Throughout the detection process it keeps only the identifiers and flow counts of overtricks and can detect overtrick information directly and in real time, which greatly reduces the consumption of measurement resources.
(3) The method maps identifiers with several hash functions in both new-flow detection and overtrick detection, which greatly reduces the collision probability between different flows and improves the accuracy of overtrick flow counts.
Description of drawings
Fig. 1 is the initial state of a Bloom Filter data structure;
Fig. 2 is the state of a Bloom Filter after data has been recorded;
Fig. 3 is the hash linked list data structure that records overtrick identifiers and flow counts;
Fig. 4 is the process diagram of the Bloom Filter based overtrick detection method of the invention;
Fig. 5 is a schematic of the three processes of the overtrick detection method of the invention: Bloom Filter new-flow detection, counting Bloom Filter overtrick detection, and overtrick information recording in the overtrick hash linked list;
Fig. 6 is the flow chart of the Bloom Filter based overtrick detection method of the invention;
Fig. 7 is the state of each data structure after measurement ends in the example of the invention.
Embodiment
Figs. 1, 2 and 3 are schematic diagrams of the existing Bloom Filter and hash linked list data structures; Figs. 4, 5 and 6 are the process diagram, schematic and flow chart of the invention; Fig. 7 is the state of each data structure after measurement ends in the example of the invention. With reference to Figs. 4-7, an embodiment follows:
Consider the message stream
P={(A.B)(B.A)(D.B)(B.D)(F.A)(C.B)(E.A)(C.B)(B.A)(B.E)(A.C)(B.E)(B.A)(E.B)(E.B)}
This set has 15 elements in total; each element corresponds to one message. Each element consists of one letter before the dot and one letter after it: the letter before the dot is the source IP identifier of the message, and the letter after the dot is its destination IP identifier.
1 (Step 1): Set parameters
Set the number of hash functions used by the Bloom Filter to 3; the 3 hash functions are $h_1(), h_2(), h_3()$. Each takes a network flow identifier as input and outputs a hash value 5 bits long. Set the size of the Bloom Filter bit vector to 32, where $32 = 2^5$ and 5 is the bit length of the hash output;
For the 10 network flow identifiers in this example, (A.B) (B.A) (D.B) (B.D) (F.A) (C.B) (E.A) (E.B) (B.E) (A.C), the outputs of the 3 hash functions $h_1(), h_2(), h_3()$ are:
h 1(A.B)=7,?h 2(A.B)=10,h 3(A.B)=13
h 1(B.A)=27,h 2(B.A)=24,h 3(B.A)=1
h 1(D.B)=27,h 2(D.B)=1,?h 3(D.B)=4
h 1(B.D)=31,h 2(B.D)=5,?h 3(B.D)=8
h 1(F.A)=18,h 2(F.A)=31,h 3(F.A)=5
h 1(C.B)=7,?h 2(C.B)=1,?h 3(C.B)=14
h 1(E.A)=2,?h 2(E.A)=26,h 3(E.A)=23
h 1(E.B)=25,h 2(E.B)=15,h 3(E.B)=11
h 1(B.E)=12,h 2(C.A)=7,?h 3(C.A)=29
h 1(A.C)=10,h 2(A.C)=0,?h 3(A.C)=8
Set the number of hash functions used by the counting Bloom Filter to 3; the 3 hash functions are h'1(), h'2(), h'3(). Their input is the aggregation point identifier. In this example the first letter of each set element is the aggregation point identifier, so the aggregation point identifiers are {A B C D E F}. Their output is a hash value 4 bits long. Set the counting Bloom Filter vector size to 16, where 16=2^4 and 4 is the bit length of the hash values output by the 3 hash functions of the counting Bloom Filter. Set each position of the counting Bloom Filter vector to 2 bits and set the overtrick decision threshold to 2; the threshold 2 must be less than 2^2, where the exponent 2 is the number of bits of each position in the counting Bloom Filter vector;
For the 6 aggregation point identifiers A B C D E F in this example, the outputs of the 3 hash functions h'1(), h'2(), h'3() are:
h'1(A)=1, h'2(A)=11, h'3(A)=12
h'1(B)=7, h'2(B)=13, h'3(B)=9
h'1(C)=5, h'2(C)=15, h'3(C)=3
h'1(D)=0, h'2(D)=1, h'3(D)=0
h'1(E)=3, h'2(E)=12, h'3(E)=8
h'1(F)=5, h'2(F)=2, h'3(F)=15
Set the hash function used by the pointer array in the overtrick hash linked-list structure to h''(). The input of h''() is the overtrick identifier and its output is a hash value 2 bits long. Set the size of the pointer array that points to overtrick structures to 4, where 4=2^2. An overtrick structure consists of the overtrick identifier, the overtrick flow count and a pointer to the next overtrick;
For the 6 aggregation point identifiers A B C D E F in this example, the outputs of hash function h''() are:
h''(A)=3, h''(B)=1, h''(C)=1, h''(D)=0
h''(E)=3, h''(F)=1
Set the measurement start time to 0 and the measurement end time to 10;
Go to 2 (Step 2);
2 (Step 2): set the initial value of each structure
Set the initial value of all 32 positions in the Bloom Filter bit vector to 0;
Set the initial value of all 16 positions in the counting Bloom Filter vector to 0;
Set the initial value of all 4 positions of the pointer array that points to overtrick structures in the overtrick hash linked-list structure to the null pointer;
Go to 3 (Step 3);
3 (Step 3): measurement end-time check
The current clock is 0, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (A.B) arrives; go to 4 (Step 4);
4 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (A.B) is (A.B). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (A.B): h1(A.B)=7, h2(A.B)=10, h3(A.B)=13. The Bloom Filter values at these 3 hash positions are 0, so the flow of this message is a new flow. Set the Bloom Filter values at all 3 hash positions to 1 and go to 5 (Step 5);
5 (Step 5): overtrick check based on the counting Bloom Filter
The aggregation point identifier of message (A.B) is A. Using the 3 hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier A: h'1(A)=1, h'2(A)=11, h'3(A)=12. Look up the minimum of the counting Bloom Filter values at these 3 positions: all 3 values equal the minimum, 0. This minimum 0 is less than the overtrick threshold 2, so add 1 to each value at these 3 positions that equals the minimum, and return to 6 (Step 3);
6 (Step 3): measurement end-time check
The current clock of the measuring device is 1, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (B.A) arrives; go to 7 (Step 4);
7 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (B.A) is (B.A). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (B.A): h1(B.A)=27, h2(B.A)=24, h3(B.A)=1. The Bloom Filter values at these 3 hash positions are 0, so the flow of this message is a new flow. Set the Bloom Filter values at all 3 hash positions to 1 and go to 8 (Step 5);
8 (Step 5): overtrick check based on the counting Bloom Filter
The aggregation point identifier of message (B.A) is B. Using the 3 hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier B: h'1(B)=7, h'2(B)=13, h'3(B)=9. Look up the minimum of the counting Bloom Filter values at positions 7, 13 and 9: all 3 values equal the minimum, 0. This minimum 0 is less than the overtrick threshold 2, so add 1 to each value at these 3 positions that equals the minimum, and return to 9 (Step 3);
9 (Step 3): measurement end-time check
The current clock of the measuring device is 2, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (D.B) arrives; go to 10 (Step 4);
10 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (D.B) is (D.B). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (D.B): h1(D.B)=27, h2(D.B)=1, h3(D.B)=4. Of the Bloom Filter values at these 3 hash positions, the value at position 4 is 0, so the flow of this message is a new flow. Set the value at position 4 of the Bloom Filter to 1 and go to 11 (Step 5);
11 (Step 5): overtrick check based on the counting Bloom Filter
The aggregation point identifier of message (D.B) is D. Using the 3 hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier D: h'1(D)=0, h'2(D)=1, h'3(D)=0. Look up the minimum of the counting Bloom Filter values at positions 0 and 1: the value at position 0 is the minimum, 0. This minimum 0 is less than the overtrick threshold 2, so add 1 to the value at this position, which equals the minimum, and return to 12 (Step 3);
12 (Step 3): measurement end-time check
The current clock of the measuring device is 3, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (B.D) arrives; go to 13 (Step 4);
13 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (B.D) is (B.D). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (B.D): h1(B.D)=31, h2(B.D)=5, h3(B.D)=8. The Bloom Filter values at these 3 hash positions are 0, so the flow of this message is a new flow. Set the Bloom Filter values at all 3 hash positions to 1 and go to 14 (Step 5);
14 (Step 5): overtrick check based on the counting Bloom Filter
The aggregation point identifier of message (B.D) is B. Using the 3 hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier B: h'1(B)=7, h'2(B)=13, h'3(B)=9. Look up the minimum of the counting Bloom Filter values at positions 7, 9 and 13: the minimum of these 3 values is 1. This minimum 1 is less than the overtrick threshold 2, so add 1 to each value at these positions that equals the minimum, and return to 15 (Step 3);
15 (Step 3): measurement end-time check
The current clock of the measuring device is 4, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (F.A) arrives; go to 16 (Step 4);
16 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (F.A) is (F.A). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (F.A): h1(F.A)=18, h2(F.A)=31, h3(F.A)=5. The value at position 18 of the Bloom Filter is 0, so the flow of this message is a new flow. Set the Bloom Filter value at this hash position to 1 and go to 17 (Step 5);
17 (Step 5): overtrick check based on the counting Bloom Filter
The aggregation point identifier of message (F.A) is F. Using the 3 hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier F: h'1(F)=5, h'2(F)=2, h'3(F)=15. Look up the minimum of the counting Bloom Filter values at positions 2, 5 and 15: the minimum of these 3 values is 0. This minimum 0 is less than the overtrick threshold 2, so add 1 to each value at these positions that equals the minimum, and return to 18 (Step 3);
18 (Step 3): measurement end-time check
The current clock of the measuring device is 5, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (C.B) arrives; go to 19 (Step 4);
19 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (C.B) is (C.B). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (C.B): h1(C.B)=7, h2(C.B)=1, h3(C.B)=14. The value at position 14 of the Bloom Filter is 0, so the flow of this message is a new flow. Set the Bloom Filter value at this hash position to 1 and go to 20 (Step 5);
20 (Step 5): overtrick check based on the counting Bloom Filter
The aggregation point identifier of message (C.B) is C. Using the 3 hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier C: h'1(C)=5, h'2(C)=15, h'3(C)=3. Look up the minimum of the counting Bloom Filter values at positions 3, 5 and 15: the value at position 3 is the minimum, 0. This minimum 0 is less than the overtrick threshold 2, so add 1 to the value at this position, which equals the minimum, and return to 21 (Step 3);
21 (Step 3): measurement end-time check
The current clock of the measuring device is 6, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (E.A) arrives; go to 22 (Step 4);
22 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (E.A) is (E.A). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (E.A): h1(E.A)=2, h2(E.A)=26, h3(E.A)=23. The Bloom Filter values at these 3 hash positions are 0, so the flow of this message is a new flow. Set the Bloom Filter values at all 3 hash positions to 1 and go to 23 (Step 5);
23 (Step 5): overtrick check based on the counting Bloom Filter
The aggregation point identifier of message (E.A) is E. Using the 3 hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier E: h'1(E)=3, h'2(E)=12, h'3(E)=8. Look up the minimum of the counting Bloom Filter values at positions 3, 8 and 12: the value at position 8 is the minimum, 0. This minimum 0 is less than the overtrick threshold 2, so add 1 to the value at this position, which equals the minimum, and return to 24 (Step 3);
24 (Step 3): measurement end-time check
The current clock of the measuring device is 7, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (C.B) arrives; go to 25 (Step 4);
25 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (C.B) is (C.B). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (C.B): h1(C.B)=7, h2(C.B)=1, h3(C.B)=14. The Bloom Filter values at these 3 hash positions are all 1, so the flow of this message has already been recorded; return to 26 (Step 3);
26 (Step 3): measurement end-time check
The current clock of the measuring device is 8, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (B.A) arrives; go to 27 (Step 4);
27 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (B.A) is (B.A). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (B.A): h1(B.A)=27, h2(B.A)=24, h3(B.A)=1. The Bloom Filter values at these 3 hash positions are all 1, so the flow of this message has already been recorded; return to 28 (Step 3);
28 (Step 3): measurement end-time check
The current clock of the measuring device is 9, which is less than the measurement end time 10, so wait for a message to arrive at the measuring device. Message (B.E) arrives; go to 29 (Step 4);
29 (Step 4): new-flow check based on the Bloom Filter
The network flow identifier of message (B.E) is (B.E). Using the 3 hash functions of the Bloom Filter, compute the hash values of flow identifier (B.E): h1(B.E)=12, h2(B.E)=7, h3(B.E)=29. The Bloom Filter values at hash positions 12 and 29 are 0, so the flow of this message is a new flow. Set the Bloom Filter values at hash positions 12 and 29 to 1 and go to 30 (Step 5);
30 (Step 5): overtrick check based on the counting Bloom Filter
The aggregation point identifier of message (B.E) is B. Using the 3 hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier B: h'1(B)=7, h'2(B)=13, h'3(B)=9. Look up the minimum of the counting Bloom Filter values at positions 7, 9 and 13: the minimum is 2. This minimum 2 is equal to or greater than the overtrick threshold, so go to 31 (Step 6);
31 (Step 6): overtrick information recording based on the hash linked list
The overtrick identifier of this message is B. Use the hash function of the hash linked list to compute the hash value of overtrick identifier B: h''(B)=1. Look up the pointer at the corresponding position of the pointer array. The linked list it points to has no node record for this overtrick, so go to 32 (Step 7);
32 (Step 7): create a new overtrick node record
Allocate node space in memory for an overtrick structure. Set the overtrick identifier field of this node to B. Set the initial value of its flow-count field to the overtrick detection threshold plus 1, so the initial flow count equals 3. Set the node's pointer to the next node to null. Make the pointer of the last node in the overtrick node list, under the pointer-array entry for this overtrick's hash value, point to the new overtrick node. Go to 33 (Step 3).
33 (Step 3): measurement end-time check
The current clock is 10, which equals the measurement end time 10, so output the overtrick information in the hash linked list. The output is:
Overtrick B; the flow count of overtrick B is 3.
After the measurement time of this example ends, the state of the three data structures is shown in Fig. 7.
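The walkthrough above can be replayed in code. The following Python is an added example, not part of the patent: the class and function names are assumptions, the hash outputs are looked up from the page's tables rather than computed, and the (B.E) row is read as h1=12, h2=7, h3=29, the positions the walkthrough checks for that message.

```python
"""Replay of the embodiment: Bloom Filter -> counting Bloom Filter -> hash list."""

# Hash outputs copied from the page's tables. They are looked up, not computed,
# so the run matches the walkthrough position by position.
FLOW_HASH = {  # h1, h2, h3 over the flow identifier (5-bit outputs, m = 32)
    "A.B": (7, 10, 13), "B.A": (27, 24, 1), "D.B": (27, 1, 4),
    "B.D": (31, 5, 8), "F.A": (18, 31, 5), "C.B": (7, 1, 14),
    "E.A": (2, 26, 23), "E.B": (25, 15, 11),
    "B.E": (12, 7, 29),  # assumption: row read as (B.E), see lead-in
    "A.C": (10, 0, 8),
}
AGG_HASH = {  # h'1, h'2, h'3 over the aggregation point (4-bit outputs, a = 16)
    "A": (1, 11, 12), "B": (7, 13, 9), "C": (5, 15, 3),
    "D": (0, 1, 0), "E": (3, 12, 8), "F": (5, 2, 15),
}
LIST_HASH = {"A": 3, "B": 1, "C": 1, "D": 0, "E": 3, "F": 1}  # h'' (w = 4)

# The message stream P from the embodiment, in arrival order.
PACKETS = ("A.B B.A D.B B.D F.A C.B E.A C.B B.A B.E "
           "A.C B.E B.A E.B E.B").split()


class OvertrickDetector:
    """Hypothetical name; holds the three structures set up in Steps 1 and 2."""

    def __init__(self, m=32, a=16, e=2, r=2, w=4):
        if r >= 2 ** e:
            raise ValueError("threshold r must be less than 2**e")
        self.r = r
        self.bloom = [0] * m                   # flow-existence bits
        self.counters = [0] * a                # e-bit flow counters
        self.buckets = [[] for _ in range(w)]  # chains of [identifier, flows]

    def process(self, flow):
        src = flow.split(".")[0]  # aggregation point = source identifier
        # Step 4: a flow is new if any of its Bloom Filter bits is still 0.
        positions = FLOW_HASH[flow]
        if all(self.bloom[p] for p in positions):
            return "seen"
        for p in positions:
            self.bloom[p] = 1
        # Step 5: raise only the counters that hold the minimum value.
        slots = set(AGG_HASH[src])  # h'1(D) == h'3(D): count that slot once
        low = min(self.counters[s] for s in slots)
        if low < self.r:
            for s in slots:
                if self.counters[s] == low:
                    self.counters[s] += 1
            return "counted"
        # Steps 6 and 7: record the overtrick in its hash chain.
        chain = self.buckets[LIST_HASH[src]]
        for node in chain:
            if node[0] == src:
                node[1] += 1
                return "overtrick"
        chain.append([src, self.r + 1])  # initial flow count = threshold + 1
        return "overtrick"

    def report(self):
        return {ident: flows for chain in self.buckets for ident, flows in chain}


def run(packets, begin=0, end=10):
    """Step 3 loop: one message per clock tick, stop at the end time."""
    det = OvertrickDetector()
    trace = []
    for clock, flow in enumerate(packets, start=begin):
        if clock >= end:
            break
        trace.append((clock, flow, det.process(flow)))
    return det, trace


if __name__ == "__main__":
    detector, steps = run(PACKETS)
    for clock, flow, verdict in steps:
        print(clock, flow, verdict)
    print(detector.report())
```

Because Step 5 stops incrementing once the minimum reaches r, no counter ever exceeds r, which is why e-bit positions with r less than 2^e are sufficient.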

Claims (3)

1. A real-time overtrick detection method for high-speed network traffic, characterized in that the method is based on the Bloom Filter data structure, uses the Bloom Filter technique to filter new flows, and uses the counting Bloom Filter technique to filter overtricks. It comprises setting up three data structures and three processes. The three data structures are the Bloom Filter data structure, the counting Bloom Filter data structure and the hash linked-list data structure. The Bloom Filter data structure records flow-existence information, the counting Bloom Filter data structure records the flow-count information of aggregation points, and the hash linked-list structure records overtrick identifiers and overtrick flow-count information. The three processes are the new-flow detection process based on the Bloom Filter, the overtrick detection process based on the counting Bloom Filter, and the overtrick information recording process based on the hash linked list.
2. The Bloom Filter-based real-time overtrick detection method according to claim 1, characterized in that when a message arrives at the measuring device, the device first looks up in the Bloom Filter data structure whether the message belongs to a new flow. If the measuring device finds that the flow to which the message belongs already exists, it stops processing this message and continues with the next arriving message. If the measuring device finds that the newly arrived message belongs to a new flow, it records the new flow information in the Bloom Filter data structure and hands the message to the counting Bloom Filter overtrick detection process. The counting Bloom Filter overtrick detection process looks up the counting Bloom Filter data structure to judge whether the aggregation point of the new flow is an overtrick. If the aggregation point of the new flow is not an overtrick, the new flow information is recorded in the counting Bloom Filter data structure, processing of this message stops, and the next arriving message is processed. If the aggregation point of the new flow is an overtrick, the flow-count information in the counting Bloom Filter structure is left unchanged and the new flow information is handed to the overtrick process based on the hash linked list. If the overtrick information for this message is found in the hash linked-list structure, the flow count of that overtrick is incremented directly; otherwise, if the overtrick of this message has no record in the hash linked-list data structure, the overtrick information is added to the hash linked-list data structure with the initial value of its flow count set to the overtrick detection threshold plus 1. After the measurement time ends, the overtrick information in the hash linked list is output.
3. The Bloom Filter-based real-time overtrick detection method according to claim 1 or 2, characterized in that the concrete technical steps are as follows:
Step 1: set parameters
Set the number of hash functions used by the Bloom Filter to k; the k hash functions are h1(), h2(), ..., hk(). Their input is the network flow identifier and their output is a hash value n bits long. Set the Bloom Filter bit vector size to m, where m=2^n and n is the bit length of the hash values output by the hash functions;
Set the number of hash functions used by the counting Bloom Filter to b; the b hash functions are h'1(), h'2(), ..., h'b(). Their input is the aggregation point identifier and their output is a hash value d bits long. Set the counting Bloom Filter vector size to a, where a=2^d and d is the bit length of the hash values output by the b hash functions of the counting Bloom Filter. Set each position of the counting Bloom Filter vector to e bits and set the overtrick decision threshold to r; the threshold r must be less than 2^e, where e is the number of bits of each position in the counting Bloom Filter vector;
Set the hash function used by the pointer array in the overtrick hash linked-list structure to h''(). The input of h''() is the overtrick identifier and its output is a hash value q bits long. Set the size of the pointer array that points to overtrick nodes to w, where w=2^q. An overtrick node consists of three fields: the overtrick identifier, the overtrick flow count and a pointer to the next overtrick node;
Set the measurement start time begintime and the measurement end time endtime;
Step 2: set the initial value of each structure
Set the initial value of all m positions in the Bloom Filter bit vector to 0;
Set the initial value of all a positions in the counting Bloom Filter vector to 0;
Set the initial value of all w positions of the pointer array that points to overtrick structures in the overtrick hash linked-list structure to the null pointer;
Step 3: measurement end-time check
If the current clock is equal to or greater than the measurement end time endtime, output the overtrick node information in the hash linked list. Otherwise, wait for a message to arrive at the measuring device; when a message arrives, go to Step 4;
Step 4: new-flow check based on the Bloom Filter
Let the network flow identifier of this message be A. Using the k hash functions of the Bloom Filter, compute the hash values of flow identifier A: h1(A), h2(A), ..., hk(A). If the Bloom Filter values at all k hash positions are 1, the flow of this message has already been recorded; return to Step 3. If the Bloom Filter value at at least 1 of the k hash positions is 0, the flow of this message is a new flow; set the Bloom Filter values at all k hash positions to 1 and go to Step 5;
Step 5: overtrick check based on the counting Bloom Filter
Let the aggregation point identifier of this message be B. Using the b hash functions of the counting Bloom Filter, compute the hash values of aggregation point identifier B: h'1(B), h'2(B), ..., h'b(B). Look up the minimum of the counting Bloom Filter values at these b hash positions. If this minimum is less than the overtrick threshold, add 1 to each value at these b positions that equals the minimum, and return to Step 3. If this minimum is equal to or greater than the overtrick threshold, go to Step 6;
Step 6: overtrick information recording based on the hash linked list
Let the overtrick identifier of this message be B. Use the hash function of the hash linked list to compute the hash value of overtrick identifier B, h''(B), and look up the pointer at the corresponding position of the pointer array. If the node record of this overtrick is found in the linked list that the pointer points to, add 1 to the flow-count field of that overtrick node record and return to Step 3. If the linked list has no node record for this overtrick, go to Step 7;
Step 7: create a new overtrick node record
Allocate node space in memory for an overtrick structure. The node holds the overtrick identifier, the overtrick flow count and a pointer to the next overtrick. Set the overtrick identifier field of this node to the overtrick identifier, set the initial value of its flow-count field to the overtrick detection threshold plus 1, and set the node's pointer to the next node to null. Make the pointer of the last node in the overtrick node list, under the pointer-array entry for this overtrick's hash value, point to the new overtrick node. Return to Step 3.
CN2007101910358A 2007-12-04 2007-12-04 Method for overtrick real-time detection of high speed network flow quantity Expired - Fee Related CN101227318B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101910358A CN101227318B (en) 2007-12-04 2007-12-04 Method for overtrick real-time detection of high speed network flow quantity

Publications (2)

Publication Number Publication Date
CN101227318A true CN101227318A (en) 2008-07-23
CN101227318B CN101227318B (en) 2011-05-11

Family

ID=39859087

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101910358A Expired - Fee Related CN101227318B (en) 2007-12-04 2007-12-04 Method for overtrick real-time detection of high speed network flow quantity

Country Status (1)

Country Link
CN (1) CN101227318B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011029212A1 (en) * 2009-09-08 2011-03-17 中国科学院计算技术研究所 Hash method and hash device based on double-counting bloom filters
CN102075435A (en) * 2011-02-09 2011-05-25 杭州华三通信技术有限公司 Routing issuing method and device
CN102447596A (en) * 2011-12-27 2012-05-09 成都众询科技有限公司 High-speed network flow monitoring system
CN104734990A (en) * 2015-03-19 2015-06-24 华为技术有限公司 Method for confirming mass-flow message and device
CN104794193A (en) * 2015-04-17 2015-07-22 南京大学 Webpage increment capture method for valid link acquisition
CN105100072A (en) * 2015-06-30 2015-11-25 东软集团股份有限公司 Method and device for monitoring network node
CN107329903A (en) * 2017-06-28 2017-11-07 郑州云海信息技术有限公司 A kind of internal memory rubbish recovering method and system
CN108319473A (en) * 2017-01-16 2018-07-24 深圳兆日科技股份有限公司 Terminal system starts method and apparatus
CN108809764A (en) * 2018-06-15 2018-11-13 东南大学 The network based on GPU accesses overtrick and connects number evaluation method under sliding window
CN108874803A (en) * 2017-05-09 2018-11-23 腾讯科技(深圳)有限公司 Date storage method, device and storage medium
WO2020020098A1 (en) * 2018-07-27 2020-01-30 华为技术有限公司 Network flow measurement method, network measurement device and control plane device
CN111581489A (en) * 2020-05-22 2020-08-25 哈尔滨工程大学 Storage space optimized sampling method based on shared counting tree
CN112714040A (en) * 2020-12-11 2021-04-27 深圳供电局有限公司 Holographic message detection method, device, equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1494278A (en) * 2002-11-02 2004-05-05 华为技术有限公司 Data stream classifying method

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011029212A1 (en) * 2009-09-08 2011-03-17 中国科学院计算技术研究所 Hash method and hash device based on double-counting bloom filters
CN102075435A (en) * 2011-02-09 2011-05-25 杭州华三通信技术有限公司 Routing issuing method and device
CN102447596A (en) * 2011-12-27 2012-05-09 成都众询科技有限公司 High-speed network flow monitoring system
CN104734990A (en) * 2015-03-19 2015-06-24 华为技术有限公司 Method for confirming mass-flow message and device
CN104794193A (en) * 2015-04-17 2015-07-22 南京大学 Webpage increment capture method for valid link acquisition
CN104794193B (en) * 2015-04-17 2018-04-03 南京大学 The webpage increment grasping means that a kind of valid link obtains
CN105100072A (en) * 2015-06-30 2015-11-25 东软集团股份有限公司 Method and device for monitoring network node
CN108319473A (en) * 2017-01-16 2018-07-24 深圳兆日科技股份有限公司 Terminal system starts method and apparatus
CN108874803A (en) * 2017-05-09 2018-11-23 腾讯科技(深圳)有限公司 Date storage method, device and storage medium
CN108874803B (en) * 2017-05-09 2023-05-12 腾讯科技(深圳)有限公司 Data storage method, device and storage medium
CN107329903A (en) * 2017-06-28 2017-11-07 郑州云海信息技术有限公司 A kind of internal memory rubbish recovering method and system
CN107329903B (en) * 2017-06-28 2021-03-02 苏州浪潮智能科技有限公司 Memory garbage recycling method and system
CN108809764A (en) * 2018-06-15 2018-11-13 东南大学 The network based on GPU accesses overtrick and connects number evaluation method under sliding window
CN108809764B (en) * 2018-06-15 2021-11-02 东南大学 GPU-based network access over-point connection number estimation method under sliding window
WO2020020098A1 (en) * 2018-07-27 2020-01-30 华为技术有限公司 Network flow measurement method, network measurement device and control plane device
CN110768856A (en) * 2018-07-27 2020-02-07 华为技术有限公司 Network flow measuring method, network measuring equipment and control plane equipment
CN110768856B (en) * 2018-07-27 2022-01-14 华为技术有限公司 Network flow measuring method, network measuring equipment and control plane equipment
US11706114B2 (en) 2018-07-27 2023-07-18 Huawei Technologies Co., Ltd. Network flow measurement method, network measurement device, and control plane device
CN111581489A (en) * 2020-05-22 2020-08-25 哈尔滨工程大学 Storage space optimized sampling method based on shared counting tree
CN112714040A (en) * 2020-12-11 2021-04-27 深圳供电局有限公司 Holographic message detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN101227318B (en) 2011-05-11

Similar Documents

Publication Publication Date Title
CN101227318B (en) Method for overtrick real-time detection of high speed network flow quantity
CN109741060B (en) Information inquiry system, method, device, electronic equipment and storage medium
US10044583B2 (en) Fast detection and identification of lost packets
Liu et al. Detection of superpoints using a vector bloom filter
CN102025563A (en) Network flow identification method based on Hash collision compensation
Yang et al. A generic technique for sketches to adapt to different counting ranges
CN105162646A (en) Multi-protocol interface test system and method
CN110049061A (en) Lightweight ddos attack detection device and detection method on high speed network
CN103685224A (en) A network invasion detection method
CN109257390A (en) Detection method, device and the electronic equipment of CC attack
Hua et al. A multi-attribute data structure with parallel bloom filters for network services
CN106649344B (en) Weblog compression method and device
CN100558058C (en) Packet measuring method based on stream aggregation arbitrary sampling
CN101741743B (en) Network address sort-based bidirectional stream combining method
CN102523286B (en) Method and device for obtaining credit degree of service
CN102546293B (en) High speed network flow network address measuring method based on Hash bit string multiplexing
CN106533955B (en) Sequence number recognition method based on network message
CN102098346B (en) Method for identifying flow of P2P (peer-to-peer) stream media in unknown flow
Matsumoto et al. Adaptive Bloom filter: A space-efficient counting algorithm for unpredictable network traffic
CN105812204A (en) Recursion domain name server online identification method based on connectivity estimation
CN108141372A (en) System and method for detecting attacks on mobile ad hoc networks based on network flow
CN114020471A (en) Sketch-based lightweight elephant flow detection method and platform
CN114978725A (en) Message processing method and device, electronic equipment and medium
CN101848091A (en) Method and system for processing data search
CN104408142A (en) Detection method for complex events in mass disordered data streams of Internet of Things Manufacturing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: HAIAN CHANGDA TECHNOLOGY TRANSFER CENTER CO., LTD.

Free format text: FORMER OWNER: SOUTHEAST UNIV.

Effective date: 20131018

Owner name: SOUTHEAST UNIV.

Effective date: 20131018

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 210096 NANJING, JIANGSU PROVINCE TO: 226600 NANTONG, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20131018

Address after: 226600 No. 8 Yingbin Road, software park, Haian County, Jiangsu Province

Patentee after: Haian Changzhou University Technology Transfer Center Co., Ltd.

Patentee after: Southeast University

Address before: 210096 No. 2 Sipailou, Nanjing, Jiangsu Province

Patentee before: Southeast University

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110511

Termination date: 20161204
