CN104009888A - Comprehensive message and flow two-dimensional network active node measuring method - Google Patents
Comprehensive message and flow two-dimensional network active node measuring method Download PDFInfo
- Publication number
- CN104009888A CN104009888A CN201410248167.XA CN201410248167A CN104009888A CN 104009888 A CN104009888 A CN 104009888A CN 201410248167 A CN201410248167 A CN 201410248167A CN 104009888 A CN104009888 A CN 104009888A
- Authority
- CN
- China
- Prior art keywords
- message
- address
- network flow
- network
- bit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Provided is a comprehensive message and flow two-dimensional network active node measuring method. The method includes the steps that a network flow sampling rate and a message sampling rate are set, when a message reaches a measurement device, flow information is extracted from a message header, then, network flow sampling and message sampling are performed, state information of the network flow is maintained through a bit vector B, network flow number compensation is carried out for Hash conflict existing in the bit vector B, the network flow number and the message number of sampled IPs are stored through a Hash linked list structure. After the measurement period is ended, whether the IPs are active nodes or not is judged by calculating the statistics information of each IP address. Due to the method, two different active nodes based on the message and the network flow can be measured at the same time. According to the method, the network flow and the message are respectively sampled for data flow, and the method can be applied to network active node measurement in a high-speed network environment.
Description
Technical field
The present invention relates to Network Measurement Technologies field, particularly the two-dimensional network live-vertex method of measurement of a kind of comprehensive message and stream.
Background technology
Live-vertex refers to that message number that IP produces or fluxion amount exceed source IP address or the IP address, place of threshold values.But the method that current live-vertex detects can only be counted index according to message and detected live-vertex, or detects live-vertex according to fluxion index, do not detect live-vertex taking message number as index and the fluxion live-vertex as index simultaneously.The present invention proposes a kind of while and can detect the live-vertex of message number and the live-vertex of fluxion.
The research of high-speed network flow determination and analysis and respective behavior can provide the critical management information such as performance, load and the incipient fault of current network to network manager.Along with enriching constantly of network application and improving constantly of network rate, network manager becomes and becomes increasingly conspicuous for the demand of the aspect such as network traffics and behavior monitoring.And enriching of the growth of the network bandwidth and network application makes researchers become no longer possibility for the comprehensive detection of all nodes in network and management.And find in the analysis of in the past network traffics being carried out researchers and research, a small amount of main frame has been set up a large amount of communication connection numbers in network, has sent the message data that accounts for most of network total flow simultaneously.Therefore, by these special main frames of analyzing and researching, just can catch the critical event that occurs in network and relevant network condition information, can realize preferably management and research to whole network.Generally the host node with multidimensional flow attribution such as a large amount of messages, byte and streams is called to live-vertex.
Network measure based on live-vertex and behavioral study have improved the deficiency of research method in the past aspect a lot.The quantity of live-vertex in network host node is little, and having reduced greatly researchers needs the amount of information of paying close attention to.Meanwhile, the content that the attribute of these live-vertexs comprises and information are but very abundant: relative stream records number and reflected the attention rate of user to it, and message and byte have reflected the demand of user to it.By analyzing these information, can obtain the situation such as network behavior custom feature and the distribution of Web content of user in network.
For live-vertex analysis and research, be all generally that certain the one-dimensional attribute based on host node carries out, relatively more conventional has following two kinds:
(1) the live-vertex method of measurement of message number, the message number attribute based on host node;
(2) the live-vertex method of measurement of network fluxion, the network flow number attribute based on host node.
Because present network traffics are comparatively complicated, application type is very abundant, and the distributional difference of the attribute such as fluxion, message number of the host node in current network is very large.If only select certain one-dimensional attribute of host node judge and analyze, and ignore the effect that other attributes of host node produce completely, will cause the representativeness that do not have of measurement result, cannot solve the problem that needs integrated network safety analysis.The method of measurement that the present invention is directed to message number and network flow fluxion considers the coefficient problem of host node multidimensional property, has proposed method of measurement based on host node two dimension attributes to address this problem.
Hash function is exactly the input random length, by hashing algorithm, is transformed into the output of regular length, and this output is exactly hashed value or cryptographic Hash.This conversion is a kind of compressing mapping, and namely, the space of cryptographic Hash is conventionally much smaller than the space of input, and different inputs may be hashed into identical output, and can not carry out unique definite input value from cryptographic Hash.Briefly a kind of function that the message compression of random length is arrived to the eap-message digest of a certain regular length with regard to hash function.MD5 (RFC1321) is that Rivest was in the improvement version to MD4 in 1991, MD is the abbreviation of MessageDigest, it is useful on the processor of 32 word lengths and realizes with high speed software, that bit manipulation based on 32 positional operands realizes, MD5 input is 512 groupings, and its output is the cascade of 4 32 words.
Summary of the invention
The invention provides the two-dimensional network live-vertex method of measurement of a kind of comprehensive message and stream.
The present invention adopts following technical scheme:
A two-dimensional network live-vertex method of measurement for comprehensive message and stream, is characterized in that:
Step 1, network flow is set, described each network flow is made up of the message set with identical source IP address, IP address, place, source port, egress mouth, and it is 2 that a size is set
nbit vectors B, N is greater than 1 positive integer, all 2 in bit vectors B
nthe initial value of bit is set to 0, an IP address set I is set, IP address set I is initially set to sky, in IP address set I, each element is by IP address, fluxion, the structure of message number forms, network flow fluxion fn is set, message is counted pn, initial value fn and pn are set to respectively 0, it is fs that network flow sampling rate is set, fs span is less than or equal to 1 for being greater than 0 simultaneously, it is ps that packet sampling rate is set, ps span is less than or equal to 1 for being greater than 0 simultaneously, the attribute threshold value value rate that network node is set is H, H span be greater than 0 be less than or equal to 1 simultaneously between value, arranging and measuring duration is T, T is positive integer, measuring appliance is set, and to start detection time be T0, enter step 2,
Step 2, when message arrives measuring appliance, measuring appliance is measured the arrival time stamp of current message, measuring appliance extracts source IP address from heading, IP address, place, source port, egress mouth, protocol number, if measured message is not TCP message, enters step 5, otherwise enter step 3;
Step 3, the four-tuple of utilizing the network flow methods of sampling to form the source IP address by measured message, IP address, place, source port and egress mouth are carried out network flow sampling operation, if the network flow at current measured message place is not sampled, enter step 4; Otherwise in bit vectors B, search the network flow at current measured message place, if new network flow, the network flow fluxion f that calculating makes new advances, the network flow fluxion of the source IP address in IP address set I is added to f, network flow fluxion fn is increased to f simultaneously, and the information that adds current measured message place network flow in bit vectors B, enters step 4;
Step 4, utilize packet sampling method to carry out random sampling to current measured message, if current message is sampled, the message number of the source IP address in IP address set I is added to 1/ps, message is counted pn increases 1/ps, enter step 5, otherwise get back to step 2;
Step 5, measuring appliance are measured the T1 time of advent of current message, if T1-T0<T gets back to step 2 and measures next message, otherwise, when pre-test finishes, enter step 6;
Step 6: read successively the each IP information in IP address set I, utilize network flow fluxion, the message number of IP calculate and judge whether this IP node is live-vertex, if live-vertex is exported IP address, network flow fluxion, the message of this live-vertex and is counted information.
Compared with prior art, tool of the present invention has the following advantages and effective effect:
(1) method that current live-vertex detects can only be according to the live-vertex that detects of message number, or fluxion detect live-vertex, can not be simultaneously detect live-vertex taking message number and fluxion as index, and these two kinds of different live-vertexs can not simple combination mode be realized detection simultaneously, therefore existing method can not consider in current network environment down-off type complexity, the factors such as application scenarios is very abundant, can not well comprehensively investigate the characteristic of host node from comprehensive angle, the present invention proposes the unified evaluation index that can simultaneously evaluate these two kinds of dissimilar live-vertexs, can detect two kinds of dissimilar live-vertexs of message number and fluxion simultaneously, the method of sampling and hash-collision error compensation has been proposed, realization can be more accurate, efficiently, measure objectively the live-vertex of network, can carry out the live-vertex of high speed backbone network and measure operation, its measurement result can be used in the attack of the network security such as DDoS and scanning and detects,
(2) the present invention adopts the double sampling mechanism that message and network flow are sampled respectively simultaneously, sample respectively from network flow aspect and message aspect, the message amount of actual treatment is on the one hand greatly reduced, overall time overhead and device resource expense are lowered, can improve again the estimated accuracy of network fluxion, the present invention has simultaneously proposed to adopt the stream Hash methods of sampling of traffic identifier Network Based in network flow sampling, the method can meet the randomness of the required cryptographic Hash of sampling, can realize again Hash operation at a high speed simultaneously, guarantee that algorithm can be applied in the flow measurement of high speed network environment.
Brief description of the drawings
In order to be illustrated more clearly in the technical scheme of the invention process example, will the accompanying drawing of required use in embodiment or description of the Prior Art be done to simple introduction below, apparently, the accompanying drawing in the following describes is embodiments more of the present invention.
Fig. 1: the two-dimensional network live-vertex method of measurement functional flow diagram of comprehensive message and stream.
Fig. 2: the two-dimensional network live-vertex method of measurement step schematic diagram of comprehensive message and stream.
Fig. 3: bit vectors B schematic diagram.
Embodiment
Below in conjunction with the accompanying drawing in the invention process example, the technical scheme in the invention process example is clearly and completely described, certain described embodiment is only the present invention's part embodiment, instead of whole embodiments.
Embodiment 1
A two-dimensional network live-vertex method of measurement for comprehensive message and stream,
Step 1, network flow is set, described each network flow is made up of the message set with identical source IP address, IP address, place, source port, egress mouth, and it is 2 that a size is set
nbit vectors B, N is greater than 1 positive integer, all 2 in bit vectors B
nthe initial value of bit is set to 0, an IP address set I is set, IP address set I is initially set to sky, in IP address set I, each element is by IP address, fluxion, the structure of message number forms, network flow fluxion fn is set, message is counted pn, initial value fn and pn are set to respectively 0, it is fs that network flow sampling rate is set, fs span is less than or equal to 1 for being greater than 0 simultaneously, it is ps that packet sampling rate is set, ps span is less than or equal to 1 for being greater than 0 simultaneously, the attribute threshold value value rate that network node is set is H, H span be greater than 0 be less than or equal to 1 simultaneously between value, arranging and measuring duration is T, T is positive integer, measuring appliance is set, and to start detection time be T0, enter step 2,
Step 2, when message arrives measuring appliance, measuring appliance is measured the arrival time stamp of current message, measuring appliance extracts source IP address from heading, IP address, place, source port, egress mouth, protocol number, if measured message is not TCP message, enters step 5, otherwise enter step 3;
Step 3, the four-tuple of utilizing the network flow methods of sampling to form the source IP address by measured message, IP address, place, source port and egress mouth are carried out network flow sampling operation, if the network flow at current measured message place is not sampled, enter step 4; Otherwise in bit vectors B, search the network flow at current measured message place, if new network flow, the network flow fluxion f that calculating makes new advances, the network flow fluxion of the source IP address in IP address set I is added to f, network flow fluxion fn is increased to f simultaneously, and the information that adds current measured message place network flow in bit vectors B, enters step 4;
Step 4, utilize packet sampling method to carry out random sampling to current measured message, if current message is sampled, the message number of the source IP address in IP address set I is added to 1/ps, message is counted pn increases 1/ps, enter step 5, otherwise get back to step 2;
Step 5, measuring appliance are measured the T1 time of advent of current message, if T1-T0<T gets back to step 2 and measures next message, otherwise, when pre-test finishes, enter step 6;
Step 6: read successively the each IP information in IP address set I, utilize network flow fluxion, the message number of IP calculate and judge whether this IP node is live-vertex, if live-vertex is exported IP address, network flow fluxion, the message of this live-vertex and is counted information.
The network flow methods of sampling is as follows: 16 bits of front 16 bits of front 16 bits of the source IP address to message, rear 16 bits of source IP address, IP address, place, rear 16 bits of IP address, place, source port and 16 bits of egress mouth carry out XOR calculating, generate 16 Bit Strings, calculate 10 system numerical value nten of these 16 Bit Strings, if nten<fs*65536, this network flow is sampled, otherwise this network flow is dropped.
The method of network flow of searching current measured message place in bit vectors B is as follows: with 32 bits of source IP address, 32 of IP addresses, place bit, the Bit String of 96 bits of the four-tuple that 16 bits of 16 bits of source port and egress mouth form is as the input of MD5 hash function, adopt MD5 hash function to generate the cryptographic Hash of 128 bits, therefrom take out top n Bit String, calculate 10 system numerical value bten of this N Bit String, in bit vectors B, search the bit value of bten position, if bit value corresponding to bten position is 0, the network flow that calculated is a new network flow.
In bit vectors B, add the information approach of current measured message place network flow as follows: in bit vectors B, find out the position of bten, and the locational bit value of the bten of bit vectors B to be set to 1.
Calculate and judge that whether this IP node is that the method for live-vertex is as follows: according to
calculate the liveness of IP address, fi is the network flow fluxion of current IP node, and pi is the message number of current IP node, H is the attribute threshold value value rate of network ip address, and fn is network flow fluxion, and pn is message number, if result is greater than 1, judge that current IP address is live-vertex.
The method of the network flow fluxion f that calculating makes new advances is as follows: f=2
n/ (2
n-bone) * 1/fs, 2
nfor the size of bit vectors B arranging, bone is that the bit in bit vectors B has been labeled as 1 quantity, and fs is network flow sampling rate.
Embodiment 2
A network live-vertex method of measurement based on multidimensional property,
Step 1 (1), network flow is set, described each network flow is made up of the message set with identical source IP address, IP address, place, source port, egress mouth, and it is 2 that a size is set
10bit vectors B, the initial value of all 1024 bits in bit vectors B is set to 0, an IP address set I is set, IP address set I is initially set to sky, in IP address set I, each element is by IP address, fluxion, the structure of message number forms, network flow fluxion fn is set, message is counted pn, initial value fn and pn are set to respectively 0, it is fs that network flow sampling rate is set, fs value 1/2, it is ps that packet sampling rate is set, ps value 1/2, the attribute threshold value value rate that network node is set is H, H value 1/10, arranging and measuring duration is T, T is 10, measuring appliance is set, and to start detection time be that T0 is 0, enter step 2 (2),
Step 2 (2), first message arrive measuring appliance, the time stamp that measuring appliance records current message is 0, measuring appliance extracts the source IP address sa1.sb1.sc1.sd1 of message from header, IP address, place da1.db1.dc1.dd1, source port sport1, egress mouth dport1, protocol number 17, judge that according to protocol number current message is not TCP message, enter step 5 (3);
Step 5 (3), current measured message time stamp are 0, with measurement time started T0 comparison, and 0-T0=0<10, not finish measuring period, enters step 2 (4);
Step 2 (4), second message arrive measuring appliance, the time stamp that measuring appliance records current message is 1, measuring appliance extracts the source IP address sa2.sb2.sc2.sd2 of message from header, IP address, place da2.db2.dc2.dd2, source port sport2, egress mouth dport2, protocol number 6, judge that according to protocol number current message is TCP message, enter step 3 (5);
Step 3 (5), the source IP address sa2.sb2.sc2.sd2 that utilizes current measured message, IP address, place da2.db2.dc2.dd2, source port sport2, egress mouth dport2 carry out network flow sampling operation, the network flow at current measured message place is not sampled, and enters step 4 (6);
Step 4 (6), current measured message is carried out to random sampling operation, current message is not sampled, and gets back to step 2 (7);
Step 2 (7), the 3rd message arrive measuring appliance, the time stamp that measuring appliance records current message is 2, measuring appliance extracts the source IP address sa3.sb3.sc3.sd3 of message from header, IP address, place da3.db3.dc3.dd3, source port sport3, egress mouth dport3, protocol number 6, judge that according to protocol number current message is TCP message, enter step 3 (8);
Step 3 (8), utilize the source IP address sa3.sb3.sc3.sd3 of current measured message, IP address, place da3.db3.dc3.dd3, source port sport3, egress mouth dport3 carries out network flow sampling operation, the network flow at current measured message place is sampled, utilize the four-tuple of message to inquire about in bit vectors B, do not find current network stream, be judged as new network flow, the network flow fluxion 2 that calculating makes new advances, the network flow fluxion of the source IP address in IP address set I is added to 2, network flow fluxion fn is increased to 2 simultaneously, and in bit vectors B, add the information of current measured message place network flow, enter step 4 (9),
Step 4 (9), current measured message is carried out to random sampling operation, current message is not sampled, and gets back to step 2 (10);
Step 2 (10), the 4th message arrive measuring appliance, the time stamp that measuring appliance records current message is 5, measuring appliance extracts the source IP address sa4.sb4.sc4.sd4 of message from header, IP address, place da4.db4.dc4.dd4, source port sport4, egress mouth dport4, protocol number 6, judge that according to protocol number current message is TCP message, enter step 3 (11);
Step 3 (11), utilize the source IP address sa4.sb4.sc4.sd4 of current measured message, IP address, place da4.db4.dc4.dd4, source port sport4, egress mouth dport4 carries out network flow sampling operation, the network flow at current measured message place is sampled, utilize the four-tuple of message to inquire about in bit vectors B, do not find current stream record, be judged as new network flow, the network flow fluxion 2 that calculating makes new advances, the network flow fluxion of the source IP address in IP address set I is added to 2, network flow fluxion fn is increased to 2 simultaneously, and in bit vectors B, add the information of current measured message place network flow, enter step 4 (12),
Step 4 (12), current measured message is carried out to random sampling operation, current message is sampled, and the message number of the source IP address in IP address set I is added to 2, and message is counted pn increases by 2, enters step 5 (13);
Step 5 (13), current measured message time stamp are 5, with measurement time started T0 comparison, and 5-T0=5<10, not finish measuring period, enters step 2 (14);
Step 2 (14), the 5th message arrive measuring appliance, the time stamp that measuring appliance records current message is 7, measuring appliance extracts the source IP address sa5.sb5.sc5.sd5 of message from header, IP address, place da5.db5.dc5.dd5, source port sport5, egress mouth dport5, protocol number 6, judge that according to protocol number current message is TCP message, enter step 3 (15);
Step 3 (15), utilize the source IP address sa5.sb5.sc5.sd5 of current measured message, IP address, place da5.db5.dc5.dd5, source port sport5, egress mouth dport5 carries out network flow sampling operation, the network flow at current measured message place is not sampled, and enters step 4 (16);
Step 4 (16), current measured message is carried out to random sampling operation, current message is sampled, and the message number of the source IP address in IP address set I is added to 2, and message is counted pn increases by 2, enters step 5 (17);
Step 5 (17), current measured message time stamp are 7, with measurement time started T0 comparison, and 7-T0=7<10, not finish measuring period, enters step 2 (18);
Step 2 (18), the 6th message arrive measuring appliance, the time stamp that measuring appliance records current message is 8, measuring appliance extracts the source IP address sa4.sb4.sc4.sd4 of message from header, IP address, place da4.db4.dc4.dd4, source port sport4, egress mouth dport4, protocol number 6, judge that according to protocol number current message is TCP message, enter step 3 (19);
Step 3 (19), utilize the source IP address sa4.sb4.sc4.sd4 of current measured message, IP address, place da4.db4.dc4.dd4, source port sport4, egress mouth dport4 flows record sampling operation, the stream record at current measured message place is sampled, and utilizes the four-tuple of message to inquire about in bit vectors B, finds current network stream, be judged as the network flow that is not new, enter step 4 (20);
Step 4 (20), current measured message is carried out to random sampling operation, current message is sampled, and the message number of the source IP address in IP address set I is added to 2, and message is counted pn increases by 2, enters step 5 (21);
Step 5 (21), current measured message time stamp are 8, with measurement time started T0 comparison, and 8-T0=8<10, not finish measuring period, enters step 2 (22);
Step 2 (22), the 7th message arrive measuring appliance, the time stamp that measuring appliance records current message is 10, measuring appliance extracts the source IP address sa6.sb6.sc6.sd6 of message from header, IP address, place da6.db6.dc6.dd6, source port sport6, egress mouth dport6, protocol number 17, judge that according to protocol number current message is not TCP message, enter step 5 (23);
Step 5 (23), current measured message time stamp are 8, with measurement time started T0 comparison, and 10-T0=10=10, finish current measuring period, enters step 6 (24);
The data that before step 6 (24), basis, statistics obtains, network fluxion fn is 4, and it is 6 that message is counted pn, and the attribute threshold value value rate H of network node is 1/10, reads successively the each IP information in IP address set I, according to
calculate the liveness of IP address, fi is the fluxion of current IP node, and pi is the message number of current IP node, H is the attribute threshold value value rate of network node, and fn is fluxion, and pn is message number, if result is greater than 1, judge that present node is live-vertex, through calculating, find in this measurement, live-vertex has sa3.sb3.sc3.sd3, sa4.sb4.sc4.sd4, sa5.sb5.sc5.sd5
Output rusults is:
Sa3.sb3.sc3.sd3, network fluxion 2, message number 0
Sa4.sb4.sc4.sd4, network fluxion 2, message number 4
Sa5.sb5.sc5.sd5, network fluxion 0, message number 2
Method finishes.
Claims (6)
1. a two-dimensional network live-vertex method of measurement for comprehensive message and stream, is characterized in that:
Step 1, network flow is set, described each network flow is made up of the message set with identical source IP address, IP address, place, source port, egress mouth, and it is 2 that a size is set
nbit vectors B, N is greater than 1 positive integer, all 2 in bit vectors B
nthe initial value of bit is set to 0, an IP address set I is set, IP address set I is initially set to sky, in IP address set I, each element is by IP address, fluxion, the structure of message number forms, network flow fluxion fn is set, message is counted pn, initial value fn and pn are set to respectively 0, it is fs that network flow sampling rate is set, fs span is less than or equal to 1 for being greater than 0 simultaneously, it is ps that packet sampling rate is set, ps span is less than or equal to 1 for being greater than 0 simultaneously, the attribute threshold value value rate that network node is set is H, H span be greater than 0 be less than or equal to 1 simultaneously between value, arranging and measuring duration is T, T is positive integer, measuring appliance is set, and to start detection time be T0, enter step 2,
Step 2, when message arrives measuring appliance, measuring appliance is measured the arrival time stamp of current message, measuring appliance extracts source IP address from heading, IP address, place, source port, egress mouth, protocol number, if measured message is not TCP message, enters step 5, otherwise enter step 3;
Step 3, the four-tuple of utilizing the network flow methods of sampling to form the source IP address by measured message, IP address, place, source port and egress mouth are carried out network flow sampling operation, if the network flow at current measured message place is not sampled, enter step 4; Otherwise in bit vectors B, search the network flow at current measured message place, if new network flow, the network flow fluxion f that calculating makes new advances, the network flow fluxion of the source IP address in IP address set I is added to f, network flow fluxion fn is increased to f simultaneously, and the information that adds current measured message place network flow in bit vectors B, enters step 4;
Step 4, utilize packet sampling method to carry out random sampling to current measured message, if current message is sampled, the message number of the source IP address in IP address set I is added to 1/ps, message is counted pn increases 1/ps, enter step 5, otherwise get back to step 2;
Step 5, measuring appliance are measured the T1 time of advent of current message, if T1-T0<T gets back to step 2 and measures next message, otherwise, when pre-test finishes, enter step 6;
Step 6: read successively the each IP information in IP address set I, utilize network flow fluxion, the message number of IP calculate and judge whether this IP node is live-vertex, if live-vertex is exported IP address, network flow fluxion, the message of this live-vertex and is counted information.
2. the two-dimensional network live-vertex method of measurement of comprehensive message according to claim 1 and stream, it is characterized in that, the network flow methods of sampling is as follows: front 16 bits of the source IP address to message, rear 16 bits of source IP address, front 16 bits of IP address, place, rear 16 bits of IP address, place, 16 bits of source port and 16 bits of egress mouth carry out XOR calculating, generate 16 Bit Strings, calculate 10 system numerical value nten of these 16 Bit Strings, if nten<fs*65536, this network flow is sampled, otherwise this network flow is dropped.
3. the two-dimensional network live-vertex method of measurement of comprehensive message according to claim 1 and stream, it is characterized in that, the method of network flow of searching current measured message place in bit vectors B is as follows: with 32 bits of source IP address, 32 of IP addresses, place bit, the Bit String of 96 bits of the four-tuple that 16 bits of 16 bits of source port and egress mouth form is as the input of MD5 hash function, adopt MD5 hash function to generate the cryptographic Hash of 128 bits, therefrom take out top n Bit String, calculate 10 system numerical value bten of this N Bit String, in bit vectors B, search the bit value of bten position, if bit value corresponding to bten position is 0, the network flow that calculated is a new network flow.
4. the two-dimensional network live-vertex method of measurement of comprehensive message according to claim 1 and stream, it is characterized in that, in bit vectors B, add the information approach of current measured message place network flow as follows: in bit vectors B, find out the position of bten, and the locational bit value of the bten of bit vectors B to be set to 1.
5. the two-dimensional network live-vertex method of measurement of comprehensive message according to claim 1 and stream, is characterized in that, calculates and judges that whether this IP node is that the method for live-vertex is as follows: according to
calculate the liveness of IP address, fi is the network flow fluxion of current IP node, and pi is the message number of current IP node, H is the attribute threshold value value rate of network ip address, and fn is network flow fluxion, and pn is message number, if result is greater than 1, judge that current IP address is live-vertex.
6. the two-dimensional network live-vertex method of measurement of comprehensive message according to claim 1 and stream, is characterized in that, the method for calculating the network flow fluxion f making new advances is as follows: f=2
n/ (2
n-bone) * 1/fs, 2
nfor the size of bit vectors B arranging, bone is that the bit in bit vectors B has been labeled as 1 quantity, and fs is network flow sampling rate.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410248167.XA CN104009888B (en) | 2014-06-05 | 2014-06-05 | The two-dimensional network live-vertex measuring method of comprehensive message and stream |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410248167.XA CN104009888B (en) | 2014-06-05 | 2014-06-05 | The two-dimensional network live-vertex measuring method of comprehensive message and stream |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104009888A true CN104009888A (en) | 2014-08-27 |
| CN104009888B CN104009888B (en) | 2017-06-16 |
Family
ID=51370384
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410248167.XA Expired - Fee Related CN104009888B (en) | 2014-06-05 | 2014-06-05 | The two-dimensional network live-vertex measuring method of comprehensive message and stream |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104009888B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107357843A (en) * | 2017-06-23 | 2017-11-17 | 东南大学 | Mass network data search method based on data flow architecture |
| CN107368527A (en) * | 2017-06-09 | 2017-11-21 | 东南大学 | More property index methods based on data flow |
| CN111865823A (en) * | 2020-06-24 | 2020-10-30 | 东南大学 | Light-weight Ether house encrypted flow identification method |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102571487A (en) * | 2011-12-20 | 2012-07-11 | 东南大学 | Distributed bot network scale measuring and tracking method based on multiple data sources |
| CN102801624A (en) * | 2012-08-16 | 2012-11-28 | 中国人民解放军信息工程大学 | Sampling method and device of network data stream |
-
2014
- 2014-06-05 CN CN201410248167.XA patent/CN104009888B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102571487A (en) * | 2011-12-20 | 2012-07-11 | 东南大学 | Distributed bot network scale measuring and tracking method based on multiple data sources |
| CN102801624A (en) * | 2012-08-16 | 2012-11-28 | 中国人民解放军信息工程大学 | Sampling method and device of network data stream |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107368527A (en) * | 2017-06-09 | 2017-11-21 | 东南大学 | More property index methods based on data flow |
| CN107368527B (en) * | 2017-06-09 | 2020-06-30 | 东南大学 | Multi-attribute index method based on data stream |
| CN107357843A (en) * | 2017-06-23 | 2017-11-17 | 东南大学 | Mass network data search method based on data flow architecture |
| CN107357843B (en) * | 2017-06-23 | 2020-06-16 | 东南大学 | Massive network data searching method based on data stream structure |
| CN111865823A (en) * | 2020-06-24 | 2020-10-30 | 东南大学 | Light-weight Ether house encrypted flow identification method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104009888B (en) | 2017-06-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103532940B (en) | network security detection method and device | |
| RU2014124009A (en) | METHOD AND SYSTEM OF STREAMING DATA TRANSFER FOR PROCESSING NETWORK METADATA | |
| CN104579974A (en) | Hash Bloom filter (HBF) for name lookup in NDN and data forwarding method | |
| CN107465690B (en) | A kind of passive type abnormal real-time detection method and system based on flow analysis | |
| TWI583152B (en) | Anomaly prediction method and system for heterogeneous network architecture | |
| CN102571946B (en) | Realization method of protocol identification and control system based on P2P (peer-to-peer network) | |
| CN106330584A (en) | Identification method and identification device of business flow | |
| CN108846275A (en) | Unknown Method of Detecting Operating System based on RIPPER algorithm | |
| CN106330611A (en) | Anonymous protocol classification method based on statistical feature classification | |
| CN104009888A (en) | Comprehensive message and flow two-dimensional network active node measuring method | |
| CN102437959B (en) | Stream forming method based on dual overtime network message | |
| WO2020121294A1 (en) | A system and a method for monitoring traffic flows in a communications network | |
| CN112055007B (en) | Programmable node-based software and hardware combined threat situation awareness method | |
| KR100608541B1 (en) | An apparatus for capturing Internet ProtocolIP packet with sampling and signature searching function, and a method thereof | |
| Oudah et al. | A novel features set for internet traffic classification using burstiness | |
| CN102098346B (en) | Method for identifying flow of P2P (peer-to-peer) stream media in unknown flow | |
| Cheng et al. | Line speed accurate superspreader identification using dynamic error compensation | |
| CN101510843A (en) | Method for real time separation of P2P flow based on NetFlow flow | |
| CN106161339B (en) | Obtain the method and device of IP access relations | |
| CN103269337A (en) | Data processing method and device | |
| Guan et al. | A new data streaming method for locating hosts with large connection degree | |
| CN102413007B (en) | Deep packet inspection method and equipment | |
| Kong et al. | A method of detecting the abnormal encrypted traffic based on machine learning and Behavior characteristics | |
| Wang et al. | FastKeeper: A Fast Algorithm for Identifying Top-k Real-time Large Flows | |
| Liu et al. | DRPSD: An novel method of identifying SSL/TLS traffic |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20170616 Termination date: 20200605 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |