CN102946320B - Distributed supervision method and system for user behavior log forecasting network - Google Patents

Abstract

The invention discloses a distributed user behavior log prediction network supervision method, the method comprising: data packet collection and policy prefetching server PCPP captures network access request data packets initiated by network users, extracts access logs, and uploads them to the log collection and Analysis server LCA; LCA stores the access log, calculates network service popularity according to the access log; LCA obtains k network service identifiers corresponding to the network service popularity according to the access log; and returns to the PCPP ; PCPP performs policy prefetching from a preset policy library according to the k network service identifiers and user attribute information in the access log, and supervises and disposes network user access requests according to the prefetched policy. The invention can realize fast, efficient and accurate network supervision and disposal in the process of mass network users requesting network service access.

Description

A Distributed User Behavior Log Prediction Network Supervision Method and System

technical field

The invention relates to the technical field of network monitoring, in particular to a network monitoring method and system for predicting distributed user behavior logs.

Background technique

With the rapid development of the Internet, network services have become diverse and colorful. Since the Internet has been based on the principle of openness and freedom since its inception, more and more new network services have been continuously developed and connected to the Internet for global users to access and access. Network services have become diverse and colorful, and information exchange between people has become more convenient. The content-rich network service has brought great convenience to people's life, but it has also become a hotbed of discordant information dissemination. Therefore, network supervision has become a very important research topic.

The purpose of network supervision is to collect, analyze and process network information and user operation behavior, and to identify and extract specific activity characteristics hidden in network service information and user behavior. Its core lies in the early detection and early warning functions. Countries around the world have always attached great importance to research on network supervision, and have begun to establish monitoring infrastructure for government, finance, and key industries. For example, the FBI of the United States proposed the "Carnivore" plan as early as 2001, the French Ministry of Defense established the "Frenchelon" system in 2004, the European ERCIM organization proposed a network monitoring conference plan in 2007, and the British Government Communications Headquarters also launched a plan in 2009. The MTI program was launched in 2009. Various network equipment vendors, enterprises, and scientific researchers are also actively conducting related research, developing various network behavior analysis products, and proposing many network monitoring solutions. In terms of network management, some literatures have proposed autonomous network management systems and policy-based network management methods for heterogeneous networks. The concepts of "self-management" and "trust management" have also been widely used in network management methods.

Logging plays an important role in the supervisory system, therefore, weblogs are paid more and more attention to by research. The monitoring of a large number of network users and information determines that the operation of the network monitoring system requires a large amount of data, and will also generate a large number of log records. The current network supervision framework generally adopts a single log server structure. The relevant research work on predicting streaming media access behavior based on user operation logs proposes a centralized log collection server, which realizes the prediction of streaming media access by collecting and analyzing a large number of user operation records.

In response to the needs of domestic network information security supervision, corresponding network supervision systems and key technologies have been continuously proposed. However, in the process of realizing the present invention, the inventor finds that the prior art has at least the following problems:

The granularity of the existing regulatory methods is not precise enough, and there is no access control for specific users to specific network service content. The current processing techniques for illegal services or users generally include: a) domain name hijacking; b) IP address blocking; c) specific port blocking; d) SSL connection blocking; e) keyword filtering blocking, etc.

Existing access logs generally adopt a single structure. The single-structured log server has a certain bottleneck when processing a large amount of data. The reasons are: a) When large-scale network service requests are requested, the system extracts, analyzes and processes data. Poor scalability and robustness; d) easy to become the key target of attacks, etc.

The capability of a single terminal is limited, and when a large-scale network service is requested, the system processing delay increases, which cannot meet the real-time requirements of network supervision. There is no access control for specific users to specific web service content. Large-capacity network access data storage will inevitably cause system storage space to become a performance bottleneck. Poor scalability. Obviously, this single client/server (Client/Server, C/S) structure cannot meet the requirements of efficient, fast and accurate network supervision in terms of scale and function.

Contents of the invention

In order to solve the problems in the prior art, an embodiment of the present invention provides a distributed user behavior log prediction network monitoring method and system. Described technical scheme is as follows:

A distributed user behavior log prediction network supervision method, the method comprising:

The data packet collection and policy prefetching server PCPP captures the network access request data packets initiated by network users, extracts access logs, and uploads them to the log collection and analysis server LCA;

The LCA stores the access log, and calculates the network service popularity according to the access log;

The LCA acquires k network service identifiers corresponding to the network service popularity according to the access log; and returns to the PCPP;

PCPP performs policy prefetching from a preset policy library according to the k network service identifiers and user attribute information in the access log, and supervises and handles network user access requests according to the prefetched policy.

The PCPP captures the network access request data packet initiated by the network user from the network data forwarding device by way of bypass monitoring.

The access log is stored in the form of a quaternion, including the identifier CNID of the network where the network user is located, the IP address DIP of the network user's access target, the port address DPort of the network user's access target, and the network service identification URL.

The LCA stores the access logs, including:

The LCA extracts <CNID, DIP, DPort> and performs hash calculation to obtain the key value;

According to the key value, the LCA obtains the successor node LCA stored in the access log, and distributes the user access log to the successor node;

After receiving the distributed access log, the successor node LCA stores the access log in its network service access log library.

The calculation of network service popularity according to the network log includes:

The LCA stores the access log in a network log storage table, and establishes a network service popularity storage table;

Circularly compare the network log storage table and the network service popularity storage table, if the i-th item record in the network log storage table and the j-th item record in the network service popularity storage table CNID, DIP, DPort and URL Identical, then LCA sets the corresponding network service popularity in the network service popularity storage table Perform the plus 1 operation, and at the same time, delete the record item in the network log storage table;

If the i-th item record in the network log storage table is different from the CNID, DIP, DPort or URL of the j-th item record in the network service popularity storage table, then LCA will increase the corresponding new value in the network service popularity storage table. Record items and set the corresponding network service popularity is "1", and at the same time, delete the record item in the network log storage table.

The access logs that have not been updated within the set period of time in the network service popularity storage table will be deleted.

The method also includes:

When the difference between the current system time of the LCA and the last network service access popularity calculation time of the LCA is equal to τ, the LCA starts a new round of network service popularity calculation.

The LCA acquires k network service identifiers corresponding to the network service popularity according to the access log, including:

Described LCA utilizes CNID, DIP, DPort to obtain all relevant URL bar numbers in network service popularity storage table;

Obtain the top k URLs of network service popularity according to the preset k value;

If there are more than k network services with the same network service popularity, extract the URLs of the network service popularity ranking the top k items with the most access time.

The method also includes:

The user attribute information in the access log is extracted from the network log by PCPP; the preset policy library is set according to the policy of network supervision;

The supervising and handling of network user access requests according to the prefetched strategy includes:

Acquiring supervision policies between the network user and the k network services from the policy library;

When the network user requests the next access, it is judged whether it is for the k network services, and if so, it is directly subjected to network supervision and treatment according to the prefetching strategy; otherwise, the network user request access data packet is extracted to generate a network User access logs.

A distributed user behavior log prediction network monitoring system, the system includes PCPP and LCA, wherein,

The PCPP is used to capture the network access request packet initiated by the network user, extract the access log, and upload it to the LCA; obtain the popularity of the network service, and obtain the network supervision policy according to the preset policy library, and control the network of the network user. access requests for regulatory disposition;

The LCA is used for distributing and storing the access log, and calculating the network service popularity according to the access log and sending it to the PCPP.

The system includes several LCAs, and the LCAs form a distributed hash table DHT network;

The LCA performs hash calculation on the received access log through a distributed hash algorithm to obtain a key value, and according to the key value, the LCA obtains the successor node LCA stored in the access log, and distributes the user access log to the successor node .

The beneficial effects brought by the technical solution provided by the embodiments of the present invention are:

By collecting, storing and analyzing network user operation log records in a distributed manner, calculating the network service popularity based on the access log, and then predicting the network service that the user's next access to the network behavior may target according to the network service popularity, so as to prefetch The governance policy required for the next network access. Combining the attributes of network services and user attributes, and invoking corresponding preprocessing strategies, in order to realize the rapid, efficient and accurate network supervision and disposal in the process of mass network users' access requests to network services.

Description of drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings that need to be used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention. For those skilled in the art, other drawings can also be obtained based on these drawings without creative effort.

FIG. 1 is a flow chart of a distributed user behavior log prediction network supervision method provided by Embodiment 1 of the present invention;

FIG. 2 is a schematic diagram of the PCPP query user access network ID provided by Embodiment 1 of the present invention;

FIG. 3 is a schematic structural diagram of a distributed user behavior log prediction network supervision system provided by Embodiment 2 of the present invention.

Detailed ways

In order to make the object, technical solution and advantages of the present invention clearer, the implementation manner of the present invention will be further described in detail below in conjunction with the accompanying drawings.

The operation of the network information security supervision system requires a large amount of data, and will also generate a large number of data records. Because of the limited capability of a single terminal, the real-time nature of network service supervision requires collaboration among multiple nodes to improve system performance and stability. Therefore, based on Distributed Hash Table (DHT), we propose a network monitoring model (DUHP) based on distributed user behavior log prediction. Advantages of log sharing, scalability, low cost, and load balancing. DUHP is characterized by distributing and storing user access network service logs in a distributed manner, calculating network service access popularity (hot), based on user natural attributes (such as age, hobbies, regions, etc.) and combining log analysis results to predict the user's future Access behavior, based on which, user dynamic attributes (such as black and white lists) are matched with network service attributes (such as domain names, black and white lists, etc.) to achieve policy prefetching and fast and efficient supervision.

The solutions of the embodiments of the present invention aim at the problems existing in related network monitoring solutions/technologies, and propose a novel network monitoring system based on distributed behavior log prediction. Its features are as follows: 1) Predict the user's future access behavior based on the user operation log. This feature is used to solve the low-latency and efficient supervision during the process of user requests to access network services. 2) Match access rights based on user attributes and network service attributes. This feature is used to realize the access control of specific users to specific service content, solve the existing coarse-grained supervision problems based on IP addresses (ports), and achieve more fine-grained "user-service" matching supervision. 3) Use peer-to-peer network (Peer-to-Peer, P2P) to construct the distribution, calculation and storage structure of distributed "user-service" operation log. The purpose of this feature is to solve the bottleneck problem of a single node and provide a solution for large-scale logging calculation and storage. The purpose of the embodiments of the present invention is to meet the needs of network service diversity and support for efficient supervision of network services in a large-scale environment.

Embodiment one

As shown in Figure 1, the flow chart of the distributed user behavior log prediction network supervision method provided by the embodiment of the present invention is as follows:

In step 10, the PCPP captures the network access request data packet initiated by the network user, extracts the access log, and uploads it to the LCA.

When a network user initiates a network access request, the data packet collection and policy prefetching server (PCPP) captures the data packet and extracts the access log according to a given rule. When the access log is extracted, PCPP will perform two tasks: 1) query the IP address rule base (IPRD) according to the source (user) IP address in the access log and obtain the access network ID (CNID) used by the user; 2) Upload the access log to the log collection and analysis server (LCA) connected to it. Further, according to the key information (such as URL) in the access log, request the access popularity of the network service to the connected LCA

Specific steps are as follows:

Assuming that user SIP(i) initiates an access request to the website WebSite _i , PCPP(p) captures data packets from network data forwarding devices (such as routers, switches, etc.) in a certain way (such as bypass monitoring) and extracts the user's IP address Source IP(i).

PCPP(p) queries IPRD for the CNID used by the user by virtue of the Source IP(i). (CNID can be any unambiguous character defined by the user. For the convenience of description, a positive integer is used to represent CNID in this solution, such as "1" for education network, "2" for telecommunication network, etc.)

IPRD inquires according to certain rules (for example, in accordance with the longest matching method) and returns the CNID to the PCPP(p) which sends the inquiry request to it. As shown in FIG. 2 , it is a schematic diagram of the access network ID used by the PCPP query user. Wherein, the IP address library includes the IP address range, the corresponding access network type and the access network ID. PCPP(p) obtains the source IP address of the user, queries the IP address rule base IPRD, matches according to the longest matching rule, and returns the access network ID to PCPP(p).

PCPP(p) uses deep packet inspection (DPI) technology to extract network service identifiers (such as URLs), and creates user access logs with four-tuple <CNID, DIP, DPort, URL>.

PCPP(p) uploads the created user access log to its connected LCA. At this point, the access log is uploaded to the LCA.

Step 20, the LCA stores the access log, and calculates the popularity of the network service according to the access log.

When the user access log uploaded by PCPP arrives, LCA extracts <CNID, DIP, DPort> and performs hash calculation to obtain the key value. The hash calculation here may be a hash calculation commonly used in the prior art. According to the key value, LCA obtains the successor node Successor (key) where the user access log is stored and distributes the user access log to the successor node. After the subsequent node receives the distributed access log, it stores the access log in its network service access log library.

After other LCAs in the DHT network distribute user access logs, LCA(k) will store the user access logs in its network service access log library (WARD) according to the storage structure shown in Table 1.

Table I

Wherein, DIP represents the destination IP address. DPort represents the destination port. WebService represents a network service identifier such as URL (Uniform Resource Locator). In this embodiment, for the convenience of description, we only use URL instead of WebService for illustration.

Here, the storage of the access log by the LCA is completed. In fact, the distributed user behavior prediction proposed in this embodiment is based on distributed storage. The LCA here builds a network structure based on the distributed network, and the distributed network established by multiple LCAs completes the storage of all access logs.

Further, LCA needs to calculate the popularity of network services according to the obtained access logs. Network service popularity is an index that identifies the popularity of a specific network service. The more users accessing a network service, the higher the popularity of the network service is, and the higher the network service popularity index of the network service is. The purpose of calculating the popularity of network services is to use this indicator to obtain the probability of the network service that the user may visit next, so as to predict the network service point of the user's next visit to the network.

In order to reduce the pressure of LCA, the network service popularity calculation should not be frequent. For this reason, this embodiment sets a period threshold value τ, that is, when the difference between the current system time of the LCA and the last network service access popularity calculation time performed by the LCA is equal to τ, the LCA will start a new round of network service popularity calculation. Table 2 shows the storage structure of network service popularity.

Table II

Among them, CNID, DIP, DPort and URL have the same meanings as those in Table 1. Indicates the popularity of network services. LastAccessTime indicates the last time the URL was accessed.

In order to facilitate the description of the network service popularity calculation scheme, this embodiment defines some vocabulary and corresponding notes, as shown in Table 3.

Table three

Each LCA in the DHT network performs the calculation process of network service popularity. Take LCA(k) as an example. Proceed as follows:

When the local network service popularity calculation period τ arrives, the LCA (k) cycle compares Table 1 "User Access Log Storage Table" (hereinafter referred to as "Table 1") and Table 2 "Network Service Popularity Storage Table" (hereinafter referred to as " Table 2") each record item.

If the i-th record in Table 1 has the same CNID, DIP, DPort and URL as the j-th record in Table 2, then LCA(k) sets the Perform the plus 1 operation, and delete the record item in Table 1 at the same time.

If the i-th record in Table 1 is different from the CNID, DIP, DPort or URL of the j-th record in Table 2, then LCA(k) will add a corresponding new record in Table 2 and set the corresponding is "1", and at the same time, delete the entry in Table 1.

That is to say, compare the network log storage table and the network service popularity storage table cyclically. Identical, then LCA sets the corresponding network service popularity in the network service popularity storage table Carry out the operation of adding 1, and at the same time, delete the record item in the network log storage table; if the i-th record in the network log storage table is different from the CNID, DIP, DPort or URL of the j-th record in the network service popularity storage table , then LCA adds a corresponding new record item in the network service popularity storage table, and sets the corresponding network service popularity is "1", and at the same time, delete the record item in the network log storage table.

Furthermore, in order to reduce the load of LCA and improve the accuracy of prediction, user access logs that have not been updated for a long time will be deleted regularly. For this reason, the following formula gives a metric value for periodically deleting redundant access logs to judge Which user access logs will be deleted.

timerange=CurrentTime-LastAccessTime

Among them, CurrentTime represents the current system time of the LCA, and LastAccessTime represents the time when the network service was last accessed. Timerange is the time interval between the current system time of the LCA and the time when the network service was last accessed. When Timerange is equal to or greater than the set delete operation threshold, outdated user access logs will be deleted to improve prediction accuracy and efficiency.

Step 30, the LCA obtains k network service identifiers corresponding to the popularity of the network service according to the access log; and returns it to the PCPP.

LCA uses CNID, DIP, and DPort to obtain the number of all relevant URLs in the network service popularity storage table; according to the preset k value, obtain the URLs with the top k items in network service popularity; if there are more than k If the network services have the same network service popularity, the URLs of the network service popularity ranking the top k items with the most access time are extracted.

When a user access record such as record(i)PCPP(p) arrives at LCA(k). Then LCA(k) will be triggered to execute the following workflow to achieve accurate and efficient support for network supervision policy prefetching:

LCA(k) uses the triple <CNID, DIP, DPort> to obtain the number of all relevant URLs (denoted as CountExisting) in Table 2 "Network Service Popularity Storage Table".

LCA(k) queries the number of URLs set by the system administrator (recorded as CountSpecified).

LCA(k) calculates the k value, and obtains the URLs of the top k items (including the kth item) in terms of network service popularity through this value. LCA(k) composes these URLs and the source (user) IP in the corresponding user access log to form a replying message and sends it to PCPP(p).

If there are more than k network services with the same popularity, then LCA(k) will extract the URLs of the network service with the highest access time and ranking the top k items (including the kth item) in terms of popularity. And these URLs and the source (user) IP in the corresponding user access log form a replying message and send it to PCPP(p).

Step 40: PCPP performs policy prefetching from a preset policy library according to the k network service identifiers and user attribute information in the access log, and supervises and handles network user access requests according to the prefetched policy.

Obtain the supervision strategy between the network user and k network services from the policy library; when the network user requests the next visit, judge whether it is for k network services, and if so, directly perform network supervision on it according to the prefetched strategy Disposal; otherwise, extract the network user request access data packet, and generate the network user access log.

When the reply message reaches PCPP(p), PCPP(p) prefetches the policy in the policy library according to the corresponding user attribute information and the k URLs in the reply. In this way, when the user initiates the next network service request, the PCPP(p) that intercepts the request data packet can implement monitoring methods and technologies such as release, filter, and block through the prefetching strategy. That is to say, the policy prefetching here is actually to prefetch the policy for the user's next access to the network service, pre-judge the possible network service for the user's next visit, and pre-acquire the supervision strategy between the user and the network service , so that when users make network service requests, targeted supervision and control are carried out.

The user attribute information here includes the relevant information filled in when the user registers. When the user access log is uploaded, PCPP uses the source IP address to send a user information query request (Source IP(i)) to the user information database (UID), and the UID is based on the attribute information (such as ethnicity, hobbies, age, etc.) ) gives its user label, and returns the corresponding user label to the PCPP that initiates the user information query request. PCPP caches this user tag.

Example 2

As shown in Figure 3, an embodiment of the present invention provides a distributed user behavior log prediction network monitoring system, including PCPP and LCA, wherein,

PCPP is used to capture network access request packets initiated by network users, extract access logs, and upload them to LCA; obtain network service popularity, and obtain network supervision policies according to a preset policy library, and supervise network user network access requests disposal;

LCA is used to distribute and store access logs, calculate network service popularity based on access logs and send them to PCPP.

Specifically, the system includes several LCAs, which form a distributed hash table DHT network;

The LCA performs hash calculation on the received access log through the distributed hash algorithm to obtain the key value. According to the key value, the LCA obtains the successor node LCA where the access log is stored, and distributes the user access log to the successor node.

Specifically, the structural functions of the various components of this embodiment are as follows:

DHT network: DHT network is composed of log collection and analysis server (LCA) according to a certain logical structure (such as Chord), its functions are: 1) distribute and store user behavior logs; 2) calculate the popularity of network service access; 3) when LCA leaves or joins the network, and DHT does self-renewal.

Log collection and analysis server (LCA): The function of LCA is to: 1) receive user access logs sent from the data packet collection and policy prefetch server (PCPP); 2) analyze user access logs and periodically calculate network service access popularity Spend 3) Sharing network service access popularity to the DHT network; 4) query and forward the network service access popularity information.

Packet Collection and Policy Prefetching Server (PCPP): The function of PCPP is to: 1) capture data packets from network data forwarding devices (such as routers, switches, etc.); 2) extract data packet information according to given requirements and upload to other Connected LCA; 3) Send a network service access popularity information request to the connected LCA, and predict the network service that the user may visit in the future according to the returned popularity information, and prefetch it from the policy library in combination with the user dynamic attribute and the network service dynamic attribute processing strategy.

It should be noted that when the distributed user behavior log prediction network supervision system provided by the above-mentioned embodiments supervises the network, it only uses the division of the above-mentioned functional modules as an example. In practical applications, the above-mentioned functions can be assigned by different The functional modules are completed, that is, the internal structure of the system equipment is divided into different functional modules to complete all or part of the functions described above. In addition, the distributed user behavior log prediction network supervision system provided by the above embodiments and the method embodiments belong to the same concept, and its specific implementation process is detailed in the method embodiments, and will not be repeated here.

The serial numbers of the above embodiments of the present invention are for description only, and do not represent the advantages and disadvantages of the embodiments.

In summary, the embodiment of the present invention collects, stores and analyzes network user operation log records in a distributed manner, calculates network service popularity according to the access log, and then predicts the behavior of the user's next access to the network according to the network service popularity. Targeted network services, so as to prefetch the regulatory policies required for the next network access. Combining the attributes of network services and user attributes, and invoking corresponding preprocessing strategies, in order to realize the rapid, efficient and accurate network supervision and disposal in the process of mass network users' access requests to network services.

Those of ordinary skill in the art can understand that all or part of the steps for implementing the above embodiments can be completed by hardware, and can also be completed by instructing related hardware through a program. The program can be stored in a computer-readable storage medium. The above-mentioned The storage medium mentioned may be a read-only memory, a magnetic disk or an optical disk, and the like.

The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included in the protection of the present invention. within range.

Claims (8)

1. A distributed user behavior log prediction network supervision method is characterized by comprising the following steps:

the method comprises the following steps that a data packet acquisition and strategy pre-fetching server PCPP captures a network access request data packet initiated by a network user, extracts an access log and uploads the access log to a log collection and analysis server LCA;

the LCA stores the access log and calculates the popularity of the network service according to the access log; wherein:

the access log is stored in a four-tuple form and comprises an identifier CNID of a network where the network user is located, an IP address DIP of a network user access target, a port address DPort of the network user access target and a network service identifier URL;

the LCA extracts < CNID, DIP, DPort > and carries out hash calculation to obtain a key value;

according to the key value, the LCA obtains a successor node LCA stored by the access log, and distributes the user access log to the successor node;

after receiving the distributed access log, the LCA of the subsequent node stores the access log into a network service access log library;

the LCA stores the access log in a network log storage table and establishes a network service popularity storage table;

circularly comparing the weblog storage table with the web service popularity storage table, and if the CNID, DIP, DPort and URL of the ith record in the weblog storage table and the jth record in the web service popularity storage table are the same, setting the corresponding web service popularity in the web service popularity storage table by the LCAAdding 1, and deleting the record item in the weblog storage table;

if the CNID, DIP, DPort or URL of the ith record in the weblog storage table is different from the CNID, DIP, DPort or URL of the jth record in the web service popularity storage table, the LCA adds a corresponding new record item in the web service popularity storage table and sets corresponding web service popularityThe number is 1, and meanwhile, the record item in the weblog storage table is deleted;

the LCA acquires k network service identifications corresponding to the popularity of the network service according to the access log; and returns to the PCPP;

and the PCPP performs strategy prefetching to a preset strategy library according to the k network service identifiers and the user attribute information in the access log, and performs supervision and treatment on the network user access request according to the prefetched strategy.

2. The method of claim 1, wherein the PCPP captures network user initiated network access request packets from a network data forwarding device using bypass listening.

3. The method of claim 1,

and deleting the access logs which are not updated within the set time length in the network service popularity storage table.

4. The method of claim 3, wherein the method further comprises:

and when the difference between the current system time of the LCA and the last time of the LCA for performing network service access popularity calculation is equal to tau, the LCA starts a new round of network service popularity calculation.

5. The method of claim 3, wherein the LCA obtains k network service identifications corresponding to the popularity of the network service according to the access log, comprising:

the LCA obtains all relevant URL numbers in a network service popularity storage table by using CNID, DIP and DPort;

according to a preset k value, acquiring URLs of k items with the network service popularity ranking;

if more than k pieces of network services have the same network service popularity, the URL with the network service popularity ranked k items most ahead in the accessed time is extracted.

6. The method of claim 1, wherein the method further comprises:

user attribute information in the access log is extracted from the network log by the PCPP; the preset strategy base is set according to the strategy of network supervision;

the supervision and treatment of the network user access request according to the pre-fetched strategy comprises the following steps:

acquiring supervision strategies between the network users and the k network services from the strategy library;

when the network user accesses the request next time, judging whether the network user aims at the k network services, if so, directly carrying out network supervision and treatment on the network user according to a pre-fetching strategy; otherwise, extracting the data packet requested to be accessed by the network user, and generating the access log of the network user.

7. A distributed user behavior log prediction network supervision system, characterized in that the system comprises PCPP and LCA, wherein,

the PCPP is used for capturing a network access request data packet initiated by a network user, extracting an access log and uploading the access log to the LCA; acquiring popularity of network service, acquiring a network supervision policy according to a preset policy library, and supervising and handling a network access request of the network user; wherein,

the access log is stored in a four-tuple form and comprises an identifier CNID of a network where the network user is located, an IP address DIP of a network user access target, a port address DPort of the network user access target and a network service identifier URL;

the LCA extracts < CNID, DIP, DPort > and carries out hash calculation to obtain a key value;

according to the key value, the LCA obtains a successor node LCA stored by the access log, and distributes the user access log to the successor node;

after receiving the distributed access log, the LCA of the subsequent node stores the access log into a network service access log library;

the LCA stores the access log in a network log storage table and establishes a network service popularity storage table;

circularly comparing the weblog storage table with the web service popularity storage table, and if the ith record in the weblog storage table is the same as the ith record in the web service popularity storage tableIf the CNID, DIP, DPort and URL of j records are the same, the LCA sets the corresponding network service popularity in the network service popularity storage tableAdding 1, and deleting the record item in the weblog storage table;

if the CNID, DIP, DPort or URL of the ith record in the weblog storage table is different from the CNID, DIP, DPort or URL of the jth record in the web service popularity storage table, the LCA adds a corresponding new record item in the web service popularity storage table and sets corresponding web service popularityThe number is 1, and meanwhile, the record item in the weblog storage table is deleted;

the LCA is used for distributing and storing the access log, calculating the popularity of the network service according to the access log and issuing the popularity to the PCPP.

8. The system of claim 7, wherein the system comprises a number of LCAs, the LCAs comprising a distributed hash table, DHT, network;

the LCA performs hash calculation on the received access log through a distributed hash algorithm to obtain a key value, obtains a successor node LCA stored in the access log according to the key value, and distributes the user access log to the successor node.