CN102340416A - Time slice-based method and device for event statistics - Google Patents


Info

Publication number: CN102340416A
Authority: CN (China)
Prior art keywords: event, time, time slice, window
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201110193578XA
Other languages: Chinese (zh)
Other versions: CN102340416B (en)
Inventor: 王承志
Current assignee: Neusoft Corp (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Neusoft Corp
Priority date, filing date, publication date: not shown on this page (the priority date is an assumption and not a legal conclusion)
Application filed by Neusoft Corp
Priority to CN201110193578.XA: CN102340416B/en
Publication of CN102340416A: CN102340416A/en
Application granted
Publication of CN102340416B: CN102340416B/en
Current legal status: Active
Anticipated expiration: not shown on this page

Abstract

The invention provides a method for event statistics based on a cyclic time window having a plurality of time slices. The method comprises: within a predetermined time period, acquiring events from outside and placing them in an event queue; for each event taken out of the event queue, traversing the time slices from the one pointed to by the head pointer of the cyclic time window to the one pointed to by the tail pointer, and emptying any time slice whose time differs from the occurrence time of the currently taken-out event by more than the size of the time window; and, based on the time difference between the occurrence time of the currently taken-out event and the time of the time slice pointed to by the tail pointer, counting the event either in that time slice or in the next one. With this method, an event that satisfies a given occurrence frequency can be found among the many events of a network within a short time, and the method occupies little storage space and is fast and efficient.

Description

Method and device for event statistics based on time slices
Technical field
The present invention relates to the field of network information processing and, more particularly, to a method and device for event statistics based on time slices.
Background technology
With the development of network technology, transmitting information over networks has become a trend: people make online payments over the network and transmit information of all kinds, such as confidential information or personal privacy information. In practice, network attackers often use Trojan programs to intrude into private network space and steal personal information. To prevent this information from being obtained maliciously by attackers or others, various security systems are usually deployed on the network to ensure network security. In use, these security systems usually generate a large number of security alarm events to alert the user. For example, when systems such as intrusion monitoring, vulnerability scanning and auditing are used as security monitoring systems, any behaviour that threatens security can trigger an alarm, that is, generate a security event.
Because current security monitoring systems are of many kinds, and because even for the same kind of system there is no unified standard between different manufacturers, when an attack occurs in the network the security monitoring systems often emit a large number of repeated security logs, which makes it difficult for the administrator to extract valuable information from the security logs received.
Event statistics are an important basis for helping an administrator analyse whether a risk exists in the network. For example, if a server can handle 10,000 packets per second and receives 8,000 packets per second from different devices, this is not regarded as an attack but as the network being busy at the time. Once the packets received per second exceed 10,000, however, the administrator must be notified that an attack exists in the network and needs further investigation and handling. Yet this approach is not applicable in some situations, such as a typical DDoS attack, which works by using legitimate-looking service requests to occupy excessive service resources so that the server cannot handle requests from legitimate users. In this case, because the number of events is very large, relying only on the administrator's observation to identify a DDoS attack is impractical; the event statistics function therefore needs to be implemented by an algorithm or method, and this algorithm or method must be efficient and save memory.
For this purpose, a time window is usually used for event statistics. The function of a time window is to determine whether, within a unit of statistical time, there are events that satisfy a given occurrence frequency; the unit time here is the total time over which statistics are needed, which is generally very long or unlimited. At present, time-window-based event statistics mainly comprise the following two approaches: time-based event statistics and count-based event statistics.
The time-based event statistics method is an eviction algorithm that discards events outside the time range. For example, to determine within 1 hour whether 10 events occur within 3 seconds, this method only needs to keep all events from the last 3 seconds and delete every event older than 3 seconds. The disadvantage of this method is that the number of events within 3 seconds is unbounded, which may cause memory overflow during storage. In addition, because events must be saved and deleted frequently, storage must be created and destroyed in large quantities, which results in low efficiency. Further, when the number of events to count is very large, the performance of traversal is also poor.
The count-based event statistics method is also an eviction algorithm; it keeps only the maximum number of events to be counted and deletes events exceeding this maximum. For example, to determine within 1 hour whether 10 events occur within 3 seconds, this method only needs to keep the 10 most recent events and judge whether the difference between the largest and smallest occurrence times of these 10 events is within 3 seconds. If it is within 3 seconds, the condition is satisfied; otherwise it is not. In this method, although the number of events is bounded, when the maximum number is very large the storage created and destroyed is still large, especially at high data volumes, and the frequency of destruction may even be higher than in the time-based method, so efficiency is low.
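To make the two prior-art approaches concrete, here is an added Python example (not code from the patent) that implements both eviction strategies for the "10 events within 3 seconds" check over constructed event streams in integer milliseconds. The stream contents, the function names and the `peak` measurement are my own; the measurement shows the memory behaviour the text describes: the time-based buffer grows with the event rate, while the count-based buffer never holds more than 10 entries.

```python
"""Two prior-art ways of answering "did 10 events occur within 3 seconds?".
Timestamps are integer milliseconds; all sample data below is constructed."""
from collections import deque

THRESHOLD = 10     # events
WINDOW_MS = 3000   # 3-second window


def time_based(events, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Time-based eviction: keep every event not older than window_ms.
    Returns (first_fire_time, peak_buffer_size). The buffer size is bounded
    only by the event rate, which is the memory problem the text describes."""
    buf = deque()
    first_fire, peak = None, 0
    for t in events:
        buf.append(t)
        while t - buf[0] > window_ms:      # evict events that fell out of the window
            buf.popleft()
        peak = max(peak, len(buf))
        if first_fire is None and len(buf) >= threshold:
            first_fire = t
    return first_fire, peak


def count_based(events, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Count-based eviction: keep only the newest `threshold` events and fire
    when their time span fits inside the window. Memory is bounded, but every
    event still churns the buffer."""
    buf = deque(maxlen=threshold)
    for t in events:
        buf.append(t)
        if len(buf) == threshold and buf[-1] - buf[0] <= window_ms:
            return t
    return None


# Constructed sample streams (ms): a slow trickle, the trickle followed by a
# burst, and a flood of one event per millisecond.
SLOW = [i * 500 for i in range(12)]
BURST = SLOW + [6000 + i * 100 for i in range(10)]
FLOOD = list(range(0, 3001))

if __name__ == "__main__":
    for name, stream in (("slow", SLOW), ("burst", BURST), ("flood", FLOOD)):
        print(name, "time-based:", time_based(stream), "count-based:", count_based(stream))
```

On the flood the time-based buffer holds all 3001 events at once, while the count-based buffer holds 10; both detect the burst at 6400 ms.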
Summary of the invention
In view of the above, the invention provides a time-slice-based event statistics method and device. In the method, a cyclic time window is created and divided into a plurality of time slices; based on the occurrence time of the current event to be counted and the event occurrence time recorded in each time slice, each time slice is processed for storage, thereby completing the event statistics. With this method the storage overhead only needs to be created once and is reused after creation, without frequent creation and destruction; this saves storage overhead, improves statistical efficiency and greatly speeds up processing.
According to one aspect of the invention, a method for event statistics based on a cyclic time window having a plurality of time slices is provided, comprising: within a predetermined time period, acquiring events from outside and placing them in an event queue, wherein each event comprises at least event count information and event occurrence time information; taking events out of the event queue one by one in the order of the events in the queue; for each event taken out of the event queue, traversing the time slices from the one pointed to by the head pointer of the cyclic time window to the one pointed to by the tail pointer and, if the difference between the occurrence time of the currently taken-out event and the time of any of the time slices is greater than or equal to the size of the cyclic time window, emptying that time slice and, if the head pointer and tail pointer do not point to the same time slice, pointing the head pointer to the next time slice after it, otherwise keeping the pointer position unchanged; wherein each time slice comprises at least time information and count information, the time of a time slice being the occurrence time of the first event counted in that time slice and the count of a time slice being the number of events counted in that time slice, the time slice pointed to by the head pointer being the first time slice that has events counted in it and the time slice pointed to by the tail pointer being the last time slice that has events counted in it; and computing the time difference between the occurrence time of the currently taken-out event and the time of the time slice pointed to by the tail pointer of the cyclic time window after the traversal; when the computed time difference is not greater than the size of that time slice, counting the currently taken-out event in the time slice pointed to by the tail pointer and merging the count of the currently taken-out event with the count of that time slice as the count information of that time slice; and when the computed time difference is greater than the size of that time slice, counting the currently taken-out event in the next time slice after the one pointed to by the tail pointer, using the event count information and occurrence time information of the currently taken-out event as the count information and time information of that next time slice, and moving the tail pointer to point to that next time slice.
In addition, in one or more examples, the cyclic time window having a plurality of time slices may be created in advance.
In addition, in one or more examples, before events are acquired from outside, the method may further comprise creating the cyclic time window having a plurality of time slices.
In addition, in one or more examples, the sizes of the plurality of time slices may be identical or different.
In addition, in one or more examples, the method may further comprise: when the statistics in the time window satisfy the predetermined event occurrence frequency, recording state information indicating that the predetermined event occurrence frequency is satisfied and emptying the time window.
In addition, in one or more examples, the method may further comprise: if the statistics in the time window still do not satisfy the predetermined event occurrence frequency after the longest aggregation time is reached, deleting the time window.
According to another aspect of the invention, an event statistics device for event statistics based on a cyclic time window having a plurality of time slices is provided, comprising: an event receiving unit for acquiring events from outside within a predetermined time period and placing them in an event queue, each event comprising at least event count information and event occurrence time information; an event retrieval unit for taking events out of the event queue one by one in the order of the events in the queue; a traversal unit for, for each event taken out of the event queue, traversing the time slices from the one pointed to by the head pointer of the cyclic time window to the one pointed to by the tail pointer and, if the difference between the occurrence time of the currently taken-out event and the time of any of the time slices is greater than or equal to the size of the cyclic time window, emptying that time slice and, if the head pointer and tail pointer do not point to the same time slice, pointing the head pointer to the next time slice after it, otherwise keeping the pointer position unchanged; wherein each time slice comprises at least time information and count information, the time of a time slice being the occurrence time of the first event counted in it and the count being the number of events counted in it, the time slice pointed to by the head pointer being the first time slice that has events counted in it and the time slice pointed to by the tail pointer being the last; a first computing unit for computing the time difference between the occurrence time of the currently taken-out event and the time of the time slice pointed to by the tail pointer of the cyclic time window after the traversal; a first comparing unit for comparing the time difference computed by the first computing unit with the size of that time slice; a statistics unit for counting the currently taken-out event in the time slice pointed to by the tail pointer when the time difference computed by the first computing unit is not greater than the size of that time slice, and counting it in the next time slice after the one pointed to by the tail pointer when the time difference is greater than the size of that time slice; a time slice information updating unit for, when the currently taken-out event is counted in the time slice pointed to by the tail pointer, merging the count of the currently taken-out event with the count of that time slice as the count information of that time slice, and, when the currently taken-out event is counted in the next time slice, using the event count information and occurrence time information of that event as the count information and time information of that next time slice; and a tail pointer moving unit for, when the time difference computed by the first computing unit is greater than the size of the time slice pointed to by the tail pointer, moving the tail pointer to point to the next time slice after the one it pointed to.
In addition, in one or more examples, the traversal unit further comprises: a second computing unit for computing the time difference between the occurrence time of the currently taken-out event and the time of each time slice from the one pointed to by the head pointer to the one pointed to by the tail pointer; a second comparing unit for comparing the time difference computed by the second computing unit with the size of the time window; an emptying unit for emptying the time slice if the time difference computed by the second computing unit is greater than the size of the time window; and a head pointer moving unit for, after the emptying unit empties a time slice, moving the head pointer to the next time slice after the emptied one if the head pointer and tail pointer do not point to the same time slice.
In addition, in one or more examples, the event statistics device may further comprise a creation unit for creating the cyclic time window having a plurality of time slices before events are acquired from outside.
In addition, in one or more examples, the event statistics device may further comprise a recording unit for recording state information indicating that the predetermined event occurrence frequency is satisfied when the statistics in the time window satisfy it; after this state information is recorded, the emptying unit empties the time window.
In addition, in one or more examples, the event statistics device may further comprise a deletion unit for deleting the time window when the statistics in it still do not satisfy the predetermined event occurrence frequency after the longest aggregation time is reached.
To achieve the above and related objects, one or more aspects of the invention comprise the features described in detail below and particularly pointed out in the claims. The following description and the accompanying drawings set out certain illustrative aspects of the invention in detail. These aspects, however, indicate only some of the various ways in which the principles of the invention may be used. Moreover, the invention is intended to include all such aspects and their equivalents.
Description of drawings
The above and other objects, features and advantages of the invention will become more apparent from the following detailed description made with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of a method for event statistics based on a cyclic time window having a plurality of time slices according to an embodiment of the invention;
Fig. 2 is a flowchart of the traversal and emptying processing shown in Fig. 1;
Fig. 3 is a diagram of an example of a cyclic time window having a plurality of time slices according to the invention;
Fig. 4 is a diagram of a received event list and a cyclic time window according to an example of the invention;
Figs. 5A to 5C are diagrams of the statistics of each event of the event list shown in Fig. 4 in the time window; and
Fig. 6 is a block diagram of an event statistics device for event statistics based on a cyclic time window having a plurality of time slices according to an embodiment of the invention.
The same reference numerals indicate similar or corresponding features or functions throughout the drawings.
Embodiment
Various aspects of the disclosure are described below. It should be understood that the teachings herein may be embodied in a wide variety of forms, and that any specific structure, function or both disclosed herein is merely representative. Based on the teachings herein, those skilled in the art should understand that an aspect disclosed herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, a device may be implemented or a method practised using any number of the aspects set forth herein. In addition, such a device may be implemented or such a method practised using other structure, functionality, or structure and functionality in addition to or other than one or more of the aspects set forth herein. Furthermore, any aspect described herein may comprise at least one element of a claim.
Embodiments of the invention are described below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a method for event statistics based on a cyclic time window having a plurality of time slices according to an embodiment of the invention.
When a cyclic time window having a plurality of time slices is used for event statistics, as shown in Fig. 1, first, in step S110, a cyclic time window having a plurality of time slices is created. The cyclic time window has a head pointer and a tail pointer for pointing to time slices; the time slice pointed to by the head pointer is the first time slice that has events counted in it, and the time slice pointed to by the tail pointer is the last time slice that has events counted in it. Here, the size of a time slice can be specified arbitrarily and adjusted according to actual needs. The smaller the time slice size, the higher the statistical accuracy and the larger the storage space required; conversely, the larger the time slice size, the lower the statistical accuracy and the smaller the storage space required. In addition, the sizes of the time slices may be identical or different. When the time window is created with time slices of identical size, it can be created by specifying two parameters: the limit time (that is, the size of the cyclic time window) and the time slice size. In this case, the number of time slices can be calculated from these two parameters, that is, number of time slices = limit time / time slice size, where the limit time is in seconds. If the division is not exact, 3 decimal places are kept (converting seconds to milliseconds) and the result is rounded up. When the time slices differ in size, the size and the index of each time slice must be specified. In addition, each time slice comprises at least time information and count information. The time information of a time slice indicates the occurrence time of the first event counted in that time slice; the count information of a time slice indicates the number of events counted in it.
After the cyclic time window having a plurality of time slices is created as above, the arrival of the event queue is awaited. After events arrive, in step S120, events are acquired from outside within a predetermined time period (for example, 1 hour) and placed in an event queue; each acquired event comprises at least event count information and event occurrence time information.
After events are acquired from outside and placed in the event queue, in step S130, events are taken out of the event queue one by one in the order of the events in the queue, that is, the event at the head of the queue is taken out each time. For example, after one event is taken out of the event queue, the next event is located at the head of the queue and is taken out next time.
Then, in step S140, for each event taken out of the event queue, the time slices from the one pointed to by the head pointer of the cyclic time window to the one pointed to by the tail pointer are traversed. During the traversal, if the difference between the occurrence time of the currently taken-out event and the time of any time slice is greater than or equal to the size of the time window, that time slice is emptied and, if the head pointer and tail pointer do not point to the same time slice, the head pointer of the cyclic time window is moved to the next time slice after it; otherwise the pointer position is kept unchanged.
Fig. 2 is a flowchart of an example of the traversal and emptying processing shown in Fig. 1. In Fig. 2, n denotes a time slice index and N the maximum time slice index value (that is, the number of time slices); N is the tail pointer rear of the cyclic time window, that is, N = rear.
When the traversal and emptying processing is performed on the cyclic time window for each currently taken-out event, first, in step S141, the index n is initialised, that is, n = head, where head is the head pointer of the cyclic time window. Then, in step S142, the index n is compared with the maximum index value N. If n is greater than N, the flow ends. If n is not greater than N, the flow proceeds to step S143.
In step S143, the time difference between the occurrence time of the currently taken-out event and the time of the time slice indicated by the index value n is computed. Then, in step S144, it is judged whether this time difference is greater than or equal to the size of the time window. If it is less, the flow ends. If it is greater than or equal to the size of the time window, the flow proceeds to step S145. In step S145, this time slice is emptied and, if the head pointer and tail pointer do not point to the same time slice, the head pointer is moved to the next time slice after it; the flow then proceeds to step S146.
In step S146, the index n is incremented by 1, and the flow returns to step S142.
The above is one example of the traversal according to the invention. Obviously, the traversal of the invention is not limited to this and may also be implemented in other ways well known to those skilled in the art.
After each time slice of the time window has been traversed as above, in step S150, the time difference between the occurrence time of the currently taken-out event and the time of the time slice pointed to by the tail pointer of the cyclic time window after the traversal is computed.
Then, in step S160, the time difference computed in step S150 is compared with the size of the time slice pointed to by the tail pointer of the cyclic time window. If the time difference is greater than the size of that time slice, the flow proceeds to step S170; otherwise it proceeds to step S180.
In step S170, the currently taken-out event is counted in the next time slice after that time slice, and the event count information and occurrence time information of the currently taken-out event are used as the count information and time information of that next time slice. The flow then proceeds to step S190.
In step S180, the currently taken-out event is counted in that time slice, and the count of the current event is merged with the count of that time slice as the count information of the time slice. The flow then proceeds to step S190.
In step S190, it is judged whether the above processing has been performed for all events in the event list. If so, the flow ends. Otherwise the flow returns to step S130, where the next event, now at the head of the event queue, is taken out and processed as above.
The method for event statistics based on a time window having a plurality of time slices according to an embodiment of the invention has been described above with reference to Figs. 1 and 2. The above, however, is only one example of the invention. The above embodiment may also be modified as follows.
In another example of the invention, the method may further comprise: after step S170 or S180, judging whether the statistics in the time window satisfy the predetermined event occurrence frequency. When the statistics in the time window satisfy the predetermined event occurrence frequency, state information indicating that the predetermined event occurrence frequency is satisfied is recorded, event statistics stop, and the time window is emptied; the flow then ends. When the event occurrence frequency is not satisfied, the flow proceeds to step S190. The event occurrence frequency refers to the number of events per unit time, that is, event occurrence frequency = event count / limit time.
In addition, in another example of the invention, the method may further comprise: after step S190, judging whether the statistics in the time window satisfy the predetermined event occurrence frequency. If the statistics in the time window still do not satisfy the predetermined event occurrence frequency after the longest aggregation time is reached, the time window is deleted. The longest aggregation time refers to the predetermined time period used for event statistics (that is, the predetermined time period mentioned above).
In addition, in another embodiment of the invention, step S110 may be omitted: the time window having a plurality of time slices may be created in advance, before this flow is performed.
Below, taking an occurrence frequency of 10 events per 3 seconds (10/3 s) as an example, a specific description is given with reference to Fig. 3, Fig. 4 and Figs. 5A-5C, where the predetermined time period used for receiving the event queue is 1 hour.
Fig. 3 shows a diagram of an example of a cyclic time window with a plurality of time slices according to the present invention. In Fig. 3, the cyclic time window has a head pointer (head) and a tail pointer (rear), the number of time slices is 3, and the size of each time slice is 1 second. The size of the time window is 3 seconds. At initial creation, the time information (time) of every time slice is 0 and its count information (count) is 0.
Events arrive in a certain order, and the arriving events are assumed here to be events of the same kind. According to the present invention, within the predetermined time period, events are received and placed in the event queue (that is, the event list) in order of arrival. Fig. 4 shows a diagram of the event list of received events and the cyclic time window according to an example of the present invention.
Then, events are taken out of the event queue one by one in order, and the event sequence is counted in the time window according to the method shown in Fig. 1. Figs. 5A to 5C show diagrams of the statistics of each event in the event list of Fig. 4 within the time window.
As shown in Fig. 5A, for the first event in the event list, {time [0.125], count [1]}, i.e. the event occurrence time is 0.125 seconds and the event count is 1, all time slices in the time window are empty. Therefore, this first event is put directly into the time slice indicated by the current tail pointer rear. At this moment, the time information of this time slice is 0.125 seconds and its count information is 1. Subsequently, for the second event {time [0.435], count [1]}, because 0.435 - 0.125 = 0.31 is less than 1 second, this second event is counted in the current time slice (that is, the same time slice as the first event). At this moment, the time information of the current time slice is unchanged, and its count information is the sum of the counts of the first and second events, i.e. 2. Likewise, following the above, the third and fourth events are counted in the current time slice (that is, the same time slice as the first event), and the count information of this time slice becomes 5.
For the fifth and sixth events, as shown in Fig. 5B, because 1.235 - 0.125 = 1.11 and 1.785 - 0.125 = 1.66 are greater than the size of a time slice, the fifth and sixth events cannot be counted in the same time slice as the first event. At this moment, the time slice pointer rear is moved to the next time slice, and the fifth and sixth events are then put into this next time slice. The time information of this next time slice is 1.235 and its count information is 2.
For the seventh and eighth events, as shown in Fig. 5C, because 3.125 - 0.125 = 3 and 3.565 - 0.125 = 3.44 are greater than or equal to the size of the time window (3 seconds), the time slice at the head pointer is cleared during the traverse-and-clear processing and the head pointer is moved down by one time slice. The seventh and eighth events are counted in the next time slice after the one pointed to by the tail pointer, and the tail pointer is moved down by one time slice.
The method of carrying out event statistics based on a time window with a plurality of time slices according to the present invention has been described above with reference to Fig. 1 through Fig. 5C. The above method of the present invention may be implemented in software, in hardware, or in a combination of software and hardware.
Fig. 6 shows a block diagram of an event statistics device 600 that carries out event statistics based on a cyclic time window with a plurality of time slices according to an embodiment of the present invention.
As shown in Fig. 6, the event statistics device 600 comprises an event receiving unit 610, an event fetching unit 620, a traversal unit 630, a first computing unit 640, a first comparing unit 650, a statistics unit 660, a time slice information updating unit 670 and a tail pointer moving unit 680.
The event receiving unit 610 is used to obtain events from outside within the predetermined time period and put them into the event queue; the events comprise at least event count information and event occurrence time information. The event fetching unit 620 is used to take events out of the event queue one by one, in the order of the events in the event queue. The traversal unit 630 is used, for each event taken out of the event queue, to traverse the time slices from the one pointed to by the head pointer of the cyclic time window to the one pointed to by the tail pointer; each time slice comprises at least time information and count information, and the time of a time slice is the occurrence time of the first event counted in that time slice. If the difference between the occurrence time of the currently taken event and the time of any time slice is greater than or equal to the size of the cyclic time window, that time slice is cleared, and if the head pointer and the tail pointer do not point to the same time slice, the head pointer is moved to point to the next time slice after it; otherwise the pointer position is kept unchanged.
The first computing unit 640 is used to compute the time difference between the occurrence time of the currently taken event and the time of the time slice pointed to by the tail pointer of the cyclic time window after each time slice has been traversed. The first comparing unit 650 is used to compare the time difference computed by the first computing unit with the size of the time slice pointed to by the tail pointer. The statistics unit 660 is used to count the currently taken event in the time slice pointed to by the tail pointer when the time difference computed by the first computing unit is not greater than the size of that time slice, and to count it in the next time slice after the one pointed to by the tail pointer when the time difference is greater than that size. The time slice information updating unit 670 is used, when the currently taken event is counted in the time slice pointed to by the tail pointer, to merge the count of the currently taken event with the count of that time slice as the count information of that time slice, and, when the currently taken event is counted in the next time slice after the one pointed to by the tail pointer, to use the event count information and event occurrence time information of the currently taken event as the count information and time information of that next time slice. The tail pointer moving unit 680 is used, when the time difference computed by the first computing unit is greater than the size of the time slice pointed to by the tail pointer of the cyclic time window, to move the tail pointer to point to the next time slice after the one it pointed to.
In an example of the present invention, the traversal unit 630 may comprise a second computing unit (not shown), used during traversal to compute the time difference between the occurrence time of the currently taken event and the time of any of the time slices; a second comparing unit (not shown), used to compare the time difference computed by the second computing unit with the size of the time window; a clearing unit (not shown), used to clear a time slice if the time difference computed by the second computing unit is greater than the size of the time window; and a head pointer moving unit, used, after the clearing unit clears a time slice, to move the head pointer to point to the next time slice after the cleared one if the head pointer and the tail pointer do not point to the same time slice. It should be noted that the above is only one implementation example of the traversal unit of the present invention, and the traversal unit of the present invention is not limited to it. Those skilled in the art may also implement the traversal unit in other ways. For example, instead of comparing the time difference with the size of the time window, the event occurrence time may be compared with the sum of the time of the time slice and the size of the time window, to determine whether clearing is needed.
In addition, in one or more other examples of the present invention, the event statistics device 600 may further comprise a creation unit (not shown), used to create the cyclic time window with a plurality of time slices before events are obtained from outside.
In addition, in one or more other examples of the present invention, the event statistics device 600 may further comprise a recording unit (not shown), used, when the statistics in the time window satisfy the predetermined event occurrence frequency, to record state information indicating that the predetermined event occurrence frequency is satisfied; after this state information is recorded, the clearing unit clears the time window.
In addition, in one or more other examples of the present invention, the event statistics device 600 may further comprise a deletion unit (not shown), used to delete the time window when the statistics in the time window still do not satisfy the predetermined event occurrence frequency after the maximum aggregation time is reached.
In addition, in an embodiment of the present invention, although the first computing unit 640 and the second computing unit are shown as separate elements, in alternative embodiments they may be implemented by the same computing unit or computing module. Likewise, the first comparing unit 650 and the second comparing unit may be implemented by the same comparing unit or comparison module. The head pointer moving unit and the tail pointer moving unit may also be implemented by the same pointer moving unit or module.
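The method of Figs. 1 and 3-5C and the device units of Fig. 6 describe the same procedure twice, so a single runnable model serves both. The following Python is an added illustration written for this page, not code from the patent or from Neusoft. It models the cyclic window of 3 one-second slices with head and tail pointers, the traverse-and-clear step, the tail-slice comparison, and the frequency check of the recording unit (stop and clear once the count in the window reaches the threshold). The event list is constructed to mirror Figs. 4-5C: the page gives the times of events 1, 2, 5, 6, 7 and 8; the times of events 3 and 4 and the count of 2 carried by event 3 (so that the first slice reaches 5, as the text states) are assumptions. The ordering guard in `add` and the coverage check in the constructor are also additions, not steps of the patented method.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class TimeSlice:
    """One slice of the cyclic window: occurrence time of the first event
    counted in it (time) and the running event count (count)."""
    time: float = 0.0
    count: int = 0

    def clear(self) -> None:
        self.time, self.count = 0.0, 0


class CyclicTimeWindow:
    """Cyclic time window of fixed-size slices with head/tail pointers (Fig. 3)."""

    def __init__(self, num_slices: int, slice_size: float, window_size: float) -> None:
        # Assumption (not stated on the page): the slices together must cover the
        # window, otherwise the tail could wrap onto a slice that is still live.
        if num_slices * slice_size < window_size:
            raise ValueError("time slices do not cover the time window")
        self.slices = [TimeSlice() for _ in range(num_slices)]
        self.slice_size = slice_size
        self.window_size = window_size
        self.head = 0  # first slice holding counted events
        self.tail = 0  # last slice holding counted events

    def _next(self, idx: int) -> int:
        return (idx + 1) % len(self.slices)

    def _expire(self, event_time: float) -> None:
        """Traverse head..tail; clear any slice whose age reaches the window size
        and advance head past it unless head and tail already coincide."""
        idx = self.head
        while True:
            s = self.slices[idx]
            if s.count > 0 and event_time - s.time >= self.window_size:
                s.clear()
                if self.head != self.tail:
                    self.head = self._next(self.head)
            if idx == self.tail:
                break
            idx = self._next(idx)

    def add(self, event_time: float, event_count: int = 1) -> None:
        """Count one event taken from the queue: expire stale slices, then compare
        against the tail slice and either merge into it or open the next slice."""
        self._expire(event_time)
        tail = self.slices[self.tail]
        if tail.count == 0:
            # All slices empty (first event, or everything expired): place directly.
            tail.time, tail.count = event_time, event_count
        elif event_time < tail.time:
            # Added guard: the method relies on queue order, i.e. non-decreasing times.
            raise ValueError("event older than the tail slice; queue is out of order")
        elif event_time - tail.time <= self.slice_size:
            tail.count += event_count
        else:
            self.tail = self._next(self.tail)
            nxt = self.slices[self.tail]
            nxt.time, nxt.count = event_time, event_count

    def total(self) -> int:
        """Events currently inside the window (sum of counts over head..tail)."""
        idx, n = self.head, 0
        while True:
            n += self.slices[idx].count
            if idx == self.tail:
                break
            idx = self._next(idx)
        return n

    def reset(self) -> None:
        for s in self.slices:
            s.clear()
        self.head = self.tail = 0

    def snapshot(self) -> List[Tuple[float, int]]:
        return [(s.time, s.count) for s in self.slices]


def run_statistics(events: Iterable[Tuple[float, int]], window: CyclicTimeWindow,
                   threshold: int) -> Tuple[bool, int]:
    """Feed an ordered event queue through the window. Once the count inside the
    window reaches `threshold` (10 for the page's 10 events per 3 s), record the
    hit, clear the window and stop. Returns (frequency_met, events_processed)."""
    for processed, (t, c) in enumerate(events, 1):
        window.add(t, c)
        if window.total() >= threshold:
            window.reset()
            return True, processed
    return False, len(list(events)) if not isinstance(events, list) else len(events)


# Constructed event list mirroring Figs. 4-5C (events 3 and 4 are assumed).
SAMPLE_EVENTS = [(0.125, 1), (0.435, 1), (0.600, 2), (0.900, 1),
                 (1.235, 1), (1.785, 1), (3.125, 1), (3.565, 1)]
```

Running `run_statistics(SAMPLE_EVENTS, CyclicTimeWindow(3, 1.0, 3.0), 10)` reproduces the figures: after the eighth event the first slice has been cleared, head points at slice 1 (time 1.235, count 2), tail at slice 2 (time 3.125, count 2), and the frequency of 10 per 3 s is not met. A burst of eleven events spaced 0.1 s apart trips the threshold at the tenth event, after which the window is empty. From a detection engineer's point of view the window only ever holds three (time, count) pairs per event kind, which is what gives the method its small memory footprint; the price is the assumption that events are fed in non-decreasing time order, which the added guard makes explicit.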
In addition, the method according to the invention may also be implemented as a computer program executed by a CPU. When this computer program is executed by the CPU, the functions defined above in the method of the present invention are carried out.
Using the method of the present invention, by carrying out event statistics with a cyclic time window having a plurality of time slices, it is possible to discover in a short time whether, among the massive number of events in a network, there exist events that satisfy the occurrence frequency; the memory space occupied is very small, there is no memory overflow problem, the speed is fast and the efficiency is high.
Those skilled in the art will also understand that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or a combination of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or as hardware depends upon the particular application and the design constraints imposed on the overall system. Those skilled in the art may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various illustrative logical blocks, modules and circuits described in connection with the disclosure herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative the processor may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, for example a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on, or transmitted over, a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general purpose or special purpose computer, or by a general purpose or special purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of medium. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
Although the foregoing disclosure shows exemplary embodiments of the present invention, it should be noted that various changes and modifications may be made without departing from the scope of the present invention as defined by the claims. The functions, steps and/or actions of the method claims in accordance with the embodiments of the invention described herein need not be performed in any particular order. Furthermore, although elements of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
Although the embodiments according to the present invention have been described above with reference to the figures, those skilled in the art will appreciate that various improvements may be made to the embodiments proposed above without departing from the content of the present invention. Therefore, the protection scope of the present invention should be determined by the content of the appended claims.

Claims (11)

1. A method for carrying out event statistics based on a cyclic time window with a plurality of time slices, comprising:
obtaining events from outside within a predetermined time period and putting them into an event queue, wherein said events comprise at least event count information and event occurrence time information;
taking events out of said event queue one by one, according to the order of the events in said event queue;
for each event taken out of said event queue,
traversing the time slices from the one pointed to by the head pointer of said cyclic time window to the one pointed to by the tail pointer; if the difference between the occurrence time of the currently taken event and the time of any time slice is greater than or equal to the size of said cyclic time window, clearing that time slice and, at the same time, if the head pointer and the tail pointer do not point to the same time slice, pointing the head pointer to the next time slice after that time slice, otherwise keeping the pointer position unchanged; wherein said time slice comprises at least time information and count information, the time of said time slice is the occurrence time of the first event counted in that time slice, the count of said time slice is the count of the events counted in that time slice, the time slice pointed to by said head pointer is the first time slice in which events are counted, and the time slice pointed to by said tail pointer is the last time slice in which events are counted; and
computing the time difference between the occurrence time of the currently taken event and the time of the time slice pointed to by the tail pointer of said cyclic time window after each time slice has been traversed;
when the computed time difference is not greater than the size of that time slice, counting the currently taken event in the time slice pointed to by the tail pointer of said cyclic time window and merging the count of the currently taken event with the count of that time slice as the count information of that time slice, and
when the computed time difference is greater than the size of that time slice, counting the currently taken event in the next time slice after the one pointed to by the tail pointer of said cyclic time window, using the event count information and event occurrence time information of the currently taken event as the count information and time information of that next time slice, and at the same time moving the tail pointer to point to that next time slice.
2. The method of claim 1, wherein said cyclic time window with a plurality of time slices is created in advance.
3. The method of claim 1, wherein, before obtaining events from outside, said method further comprises:
creating the cyclic time window with a plurality of time slices.
4. The method of claim 2 or 3, wherein the sizes of said plurality of time slices are the same or different.
5. The method of claim 1, further comprising:
when the statistics in the time window satisfy a predetermined event occurrence frequency, recording state information indicating that the predetermined event occurrence frequency is satisfied and clearing the time window.
6. The method of claim 1, further comprising:
if the statistics in the time window still do not satisfy the predetermined event occurrence frequency after the maximum aggregation time is reached, deleting the time window.
7. An event statistics device for carrying out event statistics based on a cyclic time window with a plurality of time slices, comprising:
an event receiving unit, used to obtain events from outside within a predetermined time period and put them into an event queue, said events comprising at least event count information and event occurrence time information;
an event fetching unit, used to take events out of said event queue one by one, according to the order of the events in said event queue;
a traversal unit, used, for each event taken out of said event queue, to traverse the time slices from the one pointed to by the head pointer of said cyclic time window to the one pointed to by the tail pointer and, if the difference between the occurrence time of the currently taken event and the time of any time slice is greater than or equal to the size of said cyclic time window, to clear that time slice and, at the same time, if the head pointer and the tail pointer do not point to the same time slice, to point the head pointer to the next time slice after that time slice, otherwise to keep the pointer position unchanged; wherein said time slice comprises at least time information and count information, the time of said time slice is the occurrence time of the first event counted in that time slice, the count of said time slice is the count of the events counted in that time slice, the time slice pointed to by said head pointer is the first time slice in which events are counted, and the time slice pointed to by said tail pointer is the last time slice in which events are counted;
a first computing unit, used to compute the time difference between the occurrence time of said currently taken event and the time of the time slice pointed to by the tail pointer of said cyclic time window after each time slice has been traversed;
a first comparing unit, used to compare the time difference computed by the first computing unit with the size of that time slice;
a statistics unit, used to count the currently taken event in the time slice pointed to by the tail pointer of said cyclic time window when the time difference computed by the first computing unit is not greater than the size of that time slice, and to count the currently taken event in the next time slice after the one pointed to by the tail pointer of said cyclic time window when the time difference computed by the first computing unit is greater than the size of that time slice;
a time slice information updating unit, used, when said currently taken event is counted in the time slice pointed to by the tail pointer of said cyclic time window, to merge the count of the currently taken event with the count of that time slice as the count information of that time slice, and, when said currently taken event is counted in the next time slice after the one pointed to by the tail pointer of said cyclic time window, to use the event count information and event occurrence time information of that event as the count information and time information of that next time slice; and
a tail pointer moving unit, used, when the time difference computed by the first computing unit is greater than the size of the time slice pointed to by the tail pointer of said cyclic time window, to move the tail pointer to point to the next time slice after the one pointed to by the tail pointer of said cyclic time window.
8. The event statistics device of claim 7, wherein said traversal unit further comprises:
a second computing unit, used to compute the time difference between the occurrence time of the currently taken event and the time of each of the time slices from the one pointed to by the head pointer to the one pointed to by the tail pointer;
a second comparing unit, used to compare the time difference computed by the second computing unit with the size of the time window;
a clearing unit, used to clear a time slice if the time difference computed by said second computing unit is greater than the size of the time window; and
a head pointer moving unit, used, after said clearing unit clears a time slice, to move the head pointer to point to the next time slice after the cleared one if the head pointer and the tail pointer do not point to the same time slice.
9. The event statistics device of claim 7, further comprising:
a creation unit, used to create the cyclic time window with a plurality of time slices before events are obtained from outside.
10. The event statistics device of claim 7, further comprising:
a recording unit, used, when the statistics in the time window satisfy a predetermined event occurrence frequency, to record state information indicating that the predetermined event occurrence frequency is satisfied, and
after this state information is recorded, said clearing unit clears the time window.
11. The event statistics device of claim 7, further comprising:
a deletion unit, used to delete the time window when the statistics in the time window still do not satisfy the predetermined event occurrence frequency after the maximum aggregation time is reached.
CN201110193578.XA 2011-07-08 2011-07-08 Time slice-based method and device for event statistics Active CN102340416B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110193578.XA CN102340416B (en) 2011-07-08 2011-07-08 Time slice-based method and device for event statistics

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110193578.XA CN102340416B (en) 2011-07-08 2011-07-08 Time slice-based method and device for event statistics

Publications (2)

Publication Number Publication Date
CN102340416A true CN102340416A (en) 2012-02-01
CN102340416B CN102340416B (en) 2014-03-19

Family

ID=45515924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110193578.XA Active CN102340416B (en) 2011-07-08 2011-07-08 Time slice-based method and device for event statistics

Country Status (1)

Country Link
CN (1) CN102340416B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140258787A1 (en) * 2013-03-08 2014-09-11 Insyde Software Corp. Method and device to perform event thresholding in a firmware environment utilizing a scalable sliding time-window
CN109343789A (en) * 2018-06-05 2019-02-15 深圳市木浪云数据有限公司 A kind of reading accelerated method, device and electronic equipment based on IO scene Recognition
CN109948007A (en) * 2019-03-21 2019-06-28 浙江邦盛科技有限公司 A kind of clock synchronization ordinal number maximum processing method for being increased continuously number and number of increments according to statistics
CN110008544A (en) * 2019-03-21 2019-07-12 浙江邦盛科技有限公司 A kind of processing method of clock synchronization ordinal number number of increments and reduced degree according to statistics
CN110019367A (en) * 2017-12-28 2019-07-16 北京京东尚科信息技术有限公司 A kind of method and apparatus of statistical data feature
CN112732469A (en) * 2021-01-05 2021-04-30 卓望数码技术(深圳)有限公司 Event pressure value detection method and system, electronic equipment and storage medium
CN116633664A (en) * 2023-06-20 2023-08-22 广东网安科技有限公司 Evaluation system for network security monitoring

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004055673A1 (en) * 2002-12-17 2004-07-01 Thomson Licensing S.A. Devices and method for recording and analyzing temporal events
CN1866250A (en) * 2005-10-12 2006-11-22 华为技术有限公司 Method and system for managing system data
CN101060679A (en) * 2007-06-06 2007-10-24 中兴通讯股份有限公司 Event insertion method

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140258787A1 (en) * 2013-03-08 2014-09-11 Insyde Software Corp. Method and device to perform event thresholding in a firmware environment utilizing a scalable sliding time-window
US10353765B2 (en) * 2013-03-08 2019-07-16 Insyde Software Corp. Method and device to perform event thresholding in a firmware environment utilizing a scalable sliding time-window
CN110019367A (en) * 2017-12-28 2019-07-16 北京京东尚科信息技术有限公司 A kind of method and apparatus of statistical data feature
CN110019367B (en) * 2017-12-28 2022-04-12 北京京东尚科信息技术有限公司 Method and device for counting data characteristics
CN109343789A (en) * 2018-06-05 2019-02-15 深圳市木浪云数据有限公司 A kind of reading accelerated method, device and electronic equipment based on IO scene Recognition
CN109948007A (en) * 2019-03-21 2019-06-28 浙江邦盛科技有限公司 A kind of clock synchronization ordinal number maximum processing method for being increased continuously number and number of increments according to statistics
CN110008544A (en) * 2019-03-21 2019-07-12 浙江邦盛科技有限公司 A kind of processing method of clock synchronization ordinal number number of increments and reduced degree according to statistics
CN109948007B (en) * 2019-03-21 2020-07-14 浙江邦盛科技有限公司 Processing method for inquiring maximum continuous increasing times and decreasing times of time sequence data statistics
CN112732469A (en) * 2021-01-05 2021-04-30 卓望数码技术(深圳)有限公司 Event pressure value detection method and system, electronic equipment and storage medium
CN112732469B (en) * 2021-01-05 2024-05-24 卓望数码技术(深圳)有限公司 Event pressure value detection method, system, electronic device and storage medium
CN116633664A (en) * 2023-06-20 2023-08-22 广东网安科技有限公司 Evaluation system for network security monitoring
CN116633664B (en) * 2023-06-20 2023-11-03 广东网安科技有限公司 Evaluation system for network security monitoring

Also Published As

Publication number Publication date
CN102340416B (en) 2014-03-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant