CN104579851A - Evidence obtaining system for large-scale mobile internet core network - Google Patents
Evidence obtaining system for large-scale mobile internet core network Download PDFInfo
- Publication number
- CN104579851A CN104579851A CN201510043170.2A CN201510043170A CN104579851A CN 104579851 A CN104579851 A CN 104579851A CN 201510043170 A CN201510043170 A CN 201510043170A CN 104579851 A CN104579851 A CN 104579851A
- Authority
- CN
- China
- Prior art keywords
- processing unit
- evidence
- module
- message
- core network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Abstract
The invention discloses an evidence obtaining system for a large-scale mobile internet core network. The system comprises a first grade processing unit, a second grade processing unit and a control exchange unit, wherein the first grade processing unit is used for collecting evidence messages in the large-scale mobile internet core network and conducting preprocessing to obtain original evidence messages, the second grade processing unit is used for conducting reduction processing for the original evidence messages, and the first grade processing unit is connected with the second grade processing unit through the control exchange unit; the original evidence messages obtained by the first grade processing unit are sent to the second grade processing unit through the control exchange unit, and the second grade processing unit conducts reduction processing for the obtained original evidence messages and retransmits the messages to corresponding terminals through the first grade processing unit. The evidence obtaining system for the large-scale mobile internet core network has the advantages that evidence obtaining in the large-scale mobile internet core network can be achieved, and the system is high in the evidence obtaining efficiency and flexible in the application.
Description
Technical field
The present invention relates to the interconnected core network technical field of Large-scale Mobile, particularly relate to a kind of evidence-obtaining system for the interconnected core network of Large-scale Mobile.
Background technology
Along with internet worldwide flourish, how to ensure network safe and reliable be the emphasis of the outer associated mechanisms research of Present Domestic.And along with the fast development of mobile Internet, make we need faced by the security threat being not only traditional fixed network, the potential safety hazard from mobile Internet also just constantly challenges to us.In mobile Internet field, along with constantly popularizing of mobile terminal, many the security incidents occurred in fixed network and Internet network in the past just constantly spread in mobile internet, and the attack means for mobile interchange network users is just presenting the trend emerged in an endless stream.Therefore internet security mechanism both domestic and external sets up special intruding detection system (Intrusion Detection System one after another on mobile core network link, IDS) detection of user network behavior is carried out, to finding attack fast.
The Internet evidence obtaining is collected evidence to internet information and filters, and on harm national security, issues information affect social stability and block and record, to the network control processing of accessing dangerous website overseas and blocking.But along with the development of Internet Transmission and optical communication technique, the growth of mobile phone users brings many difficult problems to network forensics.First be that the swift and violent increase of link bandwidth brings huge challenge to network forensics, issue statistics display according to market research agency Chetan Sharma Consulting at the beginning of 2012, China mobile user will break through 1,000,000,000 high pointes March 3; The flow attack that when next is peak period, network forensics equipment bears is increasing, may bear the flow attack of more than 10Gbps according to data display.And along with the development of domestic mobile internet and operator are for the upgrading of core network link, above-mentioned link bandwidth and flow attack data certainly will also can increase further.Simultaneously because the more general backbone link of message structure of mobile core network packet domain link is more complicated, this also further adds the difficulty of network forensics.
Mobile Internet link has distinctive PPP (Point-to-PointProtocol, point-to-point protocol) message escape form, PPP access user and BAS Broadband Access Server all need to carry out decapsulation to PPP message, for PPP access user, because bandwidth is general less, so PPP decapsulation is little on terminal capabilities impact, but because BAS Broadband Access Server has converged all data flow of user, it must by each PPP message overhaul process, namely PPP escape and reversion justice all need to scan whole message, therefore time overhead is huge, once user is a lot, when data packet number is very large, then decapsulation speed just needs very fast.
For Network Forensic System, large quantifier elimination and realization are carried out both at home and abroad.But wherein the node disposed of most equipment can only towards less the Internet scope, and the handling property of system itself is limited to comparatively single pure CPU process structure, and performance is not enough to tackle fairly large internet environment.In traditional TCP/IP fixed network field, according to the description of gill moral (Gilder) law, the speed sustainable growth that the network bandwidth will double with every 6 months, the rate of rise of the CPU frequency predicted according to Moore's Law is then doubled for every 18 months, and thus traditional Network Forensic System mainly exists following problem:
1) due to the deficiency of data capture and analysis ability, bulk information can be caused to lose, evidence obtaining effect is not as people's will;
2) owing to being the pure software processes structure based on CPU, thus performance bottleneck will be run under mass rapid traffic environment, the network bandwidth growing under cannot bearing high-speed backbone link on the one hand, the data processing task of CPU frequency, cannot complete the PPP message decapsulation in mobile interchange core network fast, the bulky traffic also cannot tackling backbone network impacts; On the other hand, can only application deployment in Intranet system among a small circle, object-oriented is single, flexibility is not enough;
Summary of the invention
The technical problem to be solved in the present invention is just: the technical problem existed for prior art, the invention provides a kind of simple and compact for structure, evidence obtaining in the interconnected core network of Large-scale Mobile can be realized and evidence obtaining efficiency is high and the evidence-obtaining system for the interconnected core network of Large-scale Mobile of applying flexible.
For solving the problems of the technologies described above, the technical scheme that the present invention proposes is:
A kind of evidence-obtaining system for the interconnected core network of Large-scale Mobile, comprise the evidence message for gathering in the interconnected core network of Large-scale Mobile and carry out preliminary treatment obtain original evidence message first order processing unit, for described original evidence message is carried out reduction treatment second level processing unit and control crosspoint, described first order processing unit by control crosspoint connect described second level processing unit; The original evidence message that described first order processing unit obtains is sent to described second level processing unit by described control crosspoint, and the evidence message that the processing unit reduction treatment of the described second level obtains is forwarded to counterpart terminal by described control crosspoint, described first order processing unit again.
As a further improvement on the present invention: described first order processing unit comprises the acquisition module, high speed pretreatment module and the rule match forwarding module that connect successively, described acquisition module, for gathering the evidence message in large-scale internetwork, exports described high speed pretreatment module to; Described high speed pretreatment module adopts FPGA that the described evidence message collected is carried out preliminary treatment, obtains original evidence message; Described rule match forwarding module is used for described original evidence message to be forwarded to according to preset rules to control crosspoint or counterpart terminal.
As a further improvement on the present invention: described second level processing unit comprises detection discrimination module and advanced treating module, the original evidence message that described detection discrimination module sends for receiving described control crosspoint, and judge that described original evidence message is the need of direct output, if yes, directly described original evidence message is exported back described control crosspoint, if NO, described original evidence message is sent to advanced treating module and carries out reduction treatment, obtain the evidence message after reducing and send it back described control crosspoint.
As a further improvement on the present invention: described advanced treating module adopts polycaryon processor chip.
As a further improvement on the present invention: described advanced treating module comprises reduction message module and abnormality detection module for carrying out reduction treatment to original evidence message; Described abnormality detection module is used for carrying out abnormal traffic detection to described original evidence message, output abnormality testing result.
As a further improvement on the present invention: also comprise and resume processing unit, processing unit is resumed described in and first order processing unit is connected in parallel; Resume processing unit described in starting when abnormal flow controls during needs are to network and disconnect described first order processing unit, evidence message in processing unit access Large-scale Mobile internet is resumed by described, and according to specify resume rule to access described evidence message mate, then according to matching result control access evidence message perform resume or block, deterioration.
As a further improvement on the present invention: described control crosspoint comprises main control module and Switching Module, described main control module is for receiving control command and controlling described first order processing unit, second level processing unit according to described control command; Described Switching Module is for carrying out the data retransmission between described first order processing unit, second level processing unit.
Compared with prior art, the invention has the advantages that:
1) the present invention is directed to the feature of the interconnected core network of Large-scale Mobile, linear speed collection and the preliminary treatment of data evidence message is carried out by first order processing unit, second level processing unit carries out packets restores, and carry out forwarding control by control crosspoint, thus will deal with simple but the collection that repetition rate is high and pretreatment operation are assigned on first order processing unit, complexity will be dealt with but the low restoring operation of repetition rate is assigned on the processing unit of the second level simultaneously, the entirety of system evidence obtaining performance is improved greatly, the evidence obtaining demand under mould mobile interchange core network can be met, realize evidence obtaining efficiently simultaneously.
2) the present invention is directed to mobile interchange core net message distinctive PPP message escape form, realize adopting FPGA in first order processing unit further, take full advantage of the feature that FPGA efficiently processes streamlined and carry out high speed preliminary treatment, compare and traditional greatly can improve treatment effeciency based on CPU processing method.
3) the present invention comprises further and resumes processing unit, coordinates the abnormal traffic detection functional realiey of second level processing unit to the blocking-up of Abnormal network traffic and cleaning under the tandem mode of equipment, thus the normal operation of protecting network environment.
Accompanying drawing explanation
Fig. 1 is the realization flow schematic diagram of a kind of evidence-obtaining system for large scale network of the present embodiment.
Fig. 2 be in the present embodiment first order processing unit realize principle schematic.
Fig. 3 is the structural principle schematic diagram of second level processing unit in the present embodiment.
Fig. 4 be resume processing unit in the present embodiment realize principle schematic.
Fig. 5 is the structural principle schematic diagram controlling crosspoint in the present embodiment.
Fig. 6 is the access principle schematic that in the present embodiment, evidence-obtaining system adopts tandem.
Fig. 7 is that in the present embodiment, evidence-obtaining system adopts and connects the access principle schematic of mode.
Marginal data
1, first order processing unit; 11, acquisition module; 12, high speed pretreatment module; 13, rule match forwarding module; 2, second level processing unit; 21, discrimination module is detected; 22, advanced treating module; 3, crosspoint is controlled; 31, main control module; 32, Switching Module; 4, processing unit is resumed.
Embodiment
Below in conjunction with Figure of description and concrete preferred embodiment, the invention will be further described, but protection range not thereby limiting the invention.
As shown in Figure 1, a kind of evidence-obtaining system for the interconnected core network of Large-scale Mobile in the present embodiment, comprise the evidence message for gathering in the interconnected core network of Large-scale Mobile and carry out preliminary treatment obtain original evidence message first order processing unit 1, for carrying out the second level processing unit 2 of reduction treatment to original evidence message and controlling crosspoint 3, first order processing unit 1 connects second level processing unit 2 by controlling crosspoint 3; The original evidence message that first order processing unit 1 obtains is sent to second level processing unit 2 by controlling crosspoint 3, and the evidence message that second level processing unit 2 reduction treatment obtains is forwarded to counterpart terminal by control crosspoint 3, first order processing unit 1 again.
The present embodiment is for the feature of the interconnected core network of Large-scale Mobile, linear speed collection and the preliminary treatment of data evidence message is carried out by first order processing unit 1, second level processing unit 2 carries out packets restores, and carry out forwarding control by control crosspoint 3, thus will deal with simple but the collection that repetition rate is high and pretreatment operation are assigned on first order processing unit 1, complexity will be dealt with but the low restoring operation of repetition rate is assigned on second level processing unit 2 simultaneously, the entirety of system evidence obtaining performance is improved greatly, the evidence obtaining demand under mould mobile interchange core network can be met, realize evidence obtaining efficiently simultaneously.
In the present embodiment, first order processing unit 1 comprises the acquisition module 11, high speed pretreatment module 12 and the rule match forwarding module 13 that connect successively, acquisition module 11, for gathering the evidence message in large-scale internetwork, exports high speed pretreatment module 12 to; High speed pretreatment module 12 adopts FPGA that the described evidence message collected is carried out preliminary treatment, obtains original evidence message; Rule match forwarding module 13 controls crosspoint 3 or counterpart terminal for being forwarded to according to preset rules by original evidence message.In the present embodiment, preset rules specifically adopts five-tuple matched rule.
As shown in Figure 2, first order processing unit 1 gathers the evidence message from the interconnected core network of Large-scale Mobile, first the value of specific field in the message territory of evidence message is extracted, rule match forwarding module 13 obtains the five-tuple rule of main control module 31 configuration controlling crosspoint 3, and the value of specific field is carried out to the coupling of five-tuple rule, then will perform the evidence message repeating of rule to counterpart terminal; First order processing unit 1 receives the reduction evidence message from controlling crosspoint 3 simultaneously, after the value that rule match forwarding module 13 extracts specific field in the message territory of reduction evidence message carries out the coupling of five-tuple rule, the message performing rule is exported to the Analysis server of rear end.
In the present embodiment, first order processing unit 1 specifically adopts based on field programmable gate array FPGA, make full use of the feature that FPGA efficiently processes streamlined and high speed preliminary treatment is carried out to the evidence message in Large-scale Mobile core network, compare traditional processing method based on CPU and greatly can improve treatment effeciency, thus there is the excellent properties of line-speed processing mass rapid link packet, can realize complete machine time delay lower than 25us, and single-pass process ability is not less than 40Gbps.
The present embodiment first order processing unit 1 is for realizing evidence message collection in large scale network and preliminary treatment, and first order processing unit 1 also can realize following functions:
1. 10,000,000,000 POS/ ether processing capacities
Export and designated port output for the convergence of 10,000,000,000 POS links, polynary group of filtration, grouping divergence, multicast, and realize and connect flow collection or serial connection traffic filtering.
2. ten thousand mbit ethernet processing capacities
Realize and connect flow collection or serial connection traffic filtering, exporting and designated port output for the convergence of ten thousand mbit ethernet links, polynary group of filtration, grouping divergence, multicast.
3. 100G high speed flow processing capacity
Support the various application such as filtration, shunting, load balancing distribution to incoming message, realize the input of 100G link, polynary group of filtration, exchange and grouping divergence, multicast export and regularly specify output.
In the present embodiment, second level processing unit 2 comprises detection discrimination module 21 and advanced treating module 22, detect discrimination module 21 for receiving the original evidence message controlling crosspoint 3 and send, and judge that original evidence message is the need of direct output, if yes, directly export original evidence message and return control crosspoint 3, if NO, original evidence message is sent to advanced treating module 22 and carries out reduction treatment, obtain the evidence message after reducing and send it back controlling crosspoint 3.
In the present embodiment, advanced treating module 22 comprises reduction message module and abnormality detection module for carrying out reduction treatment to original evidence message, and abnormality detection module is used for carrying out abnormal traffic detection to original evidence message, output abnormality testing result.Abnormal flow on-line checkingi under mass rapid internet environment and cleaning is realized by abnormality detection module.
As shown in Figure 3, when second level processing unit 2 receives the original evidence message from control crosspoint 3, first determine that original evidence message directly exports or deliver to advanced treating module 22 to detect by detection discrimination module 21, if directly exported, then according to the rule controlling to arrange in crosspoint 3, directly original evidence message is exported back and control in crosspoint 3 to forward; If need to export advanced treating module 22 to detect, then carry out message abnormality detection, information filtering and reduction treatment by advanced treating module 22 pairs of evidence messages, the message abandoned is needed after directly abandoning abnormality detection and information filtering process, all the other rules needing the message being forwarded to external server then to arrange by controlling crosspoint 3 export back in first order processing unit 1, export out terminal (being originally embodied as external server) to by the rule match forwarding module 13 of first order processing unit 1.
In the present embodiment, advanced treating module 22 specifically adopts polycaryon processor chip NPU, realize deep message by polycaryon processor chip NPU to detect, the various demands such as traffic policing in backbone network, flow analysis, content analysis and the process of 3G/LTE flow can be met, realize large scale network abnormality detection and content detection two functions.Advanced treating module 22 can also realize following functions:
1. message content processing capacity is supported: the decompression specifically comprising matching regular expressions, polynary group of filtration, VJ (Van Jacobson, compression-tcp agreement) data message;
2. third generation mobile Internet (3G) and Long Term Evolution (Long Term Evolution is supported, LTE) the Message processing function of core net: specifically comprise GRE (Generic Routing Encapsulation, Generic Routing Encapsulation), the various data message of GTP (GPRS Tunnel Protocol, GPRS Tunnel Protocol) protocol encapsulation and signaling message process.
3. abnormality detection: emphasis is attacked for the DDos flow attacking of network layer and Abnormal Packet and carried out detecting and cleaning.
In the present embodiment, also comprise and resume processing unit 4, resume processing unit 4 and be connected in parallel with first order processing unit 1; Start when abnormal flow controls during needs are to network and resume processing unit 4 and disconnect first order processing unit 1, evidence message in Large-scale Mobile internet is accessed by resuming processing unit 4, and according to specify resume rule to access evidence message mate, then according to matching result control access evidence message perform resume or block, deterioration.The present embodiment resumes rule and specifically arranges according to the feedback of the reduction treatment result of the second processing unit 2.
As shown in Figure 4, resume the value that first processing unit 4 extracts specific field in the message territory of evidence message, the value of specific field is resumed to the coupling of rule, if coupling stream rule, then perform the action that stream rule is corresponding, otherwise judge whether to mate and extremely import rule, if yes, then perform network blocking-up, deterioration, otherwise directly resume.Resuming processing unit 4 coordinates the abnormal traffic detection module of second level processing unit 2 to realize under tandem mode the blocking-up of Abnormal network traffic and cleaning according to resuming rule; thus the normal operation of protecting network environment; namely can carry out pro rata forwarding according to rule to the flow of process or abandon, to reach degradation effects in various degree.The five-tuple rule resuming regular Sum fanction coupling forwarding module 13 specifically directly can be configured by the main control module 31 controlling crosspoint 3, resuming rule to be configured according to feedback when performing content detection by the advanced treating module 22 in second level processing unit 2, will directly resume in random default situations down-off.
In the present embodiment, control crosspoint 3 and comprise main control module 31 and Switching Module 32, main control module 31 is for receiving control command and controlling first order processing unit 1, second level processing unit 2 according to control command; Switching Module 32 is for carrying out the data retransmission between first order processing unit 1, second level processing unit 2.Main control module 31 specifically can adopt arm processor to realize.
The present embodiment main control module 31 specifically provides the interface of user and system interaction, supports order line function and the Web Interface Control of control desk and telnet; Switching Module 32 completes the message repeating between first order processing unit 1, second level processing unit 2, and self also has output function.Control crosspoint 3 and can also realize following functions:
1. dynamic programming controlling functions (Remote Configuration Protocol, RCP) is realized
Message is issued to first order processing unit 1 in the control of dynamic programming, and rule is specifically made up of pattern and action, and wherein pattern is the description whether test packet or stream meet certain feature; Process to message when action then refers to and mates associative mode.In the present embodiment, rule specifically comprises resuming and to resume in rule and rule match forwarding module 13 five-tuple rule in processing unit 4, and abnormality detection rule in advanced treating module 22 and content detection regular.
2. realize cascade Mach-Zehnder interferometer, namely the system of multiple same architecture can be connected by cascade port, thus expands the accessible number of links of whole system.
As shown in Figure 5, in the present embodiment, main control module 31 is responsible for receiving the control command that the rule from Web, Telnet, Console control desk and the self-defined communication interface of RCP issues, and these control commands to be delivered in respective modules and to receive feedback, the module accepting control command specifically comprises first order processing unit 1, second level processing unit 2, resumes processing unit 4 and Switching Module 32; Switching Module 32 is responsible for receiving the original evidence message from first order processing unit 1, and forward it in the advanced treating module 22 of second level processing unit 2 according to the rule that main control module 31 configures, be reduced to after reduction evidence is paid a debt of gratitude through advanced treating module 22 and be forwarded in first order processing unit 1 by Switching Module 32.
In the present embodiment, above-mentioned evidence-obtaining system can be adopted to access in large-scale internetwork in two ways and obtain evidence message, and two kinds of modes are specially: tandem and and connect mode, the data on flows of access way different then evidence-obtaining system access is also different.Be illustrated in figure 6 tandem, by above-mentioned evidence-obtaining system (this enforcement specifically adopts and controls or anacom) is directly connected in series in Internetwork link the acquisition realized network traffics, by first order processing unit 1, simple Preprocessing is carried out to the flow obtained, by resuming processing unit 4 by flow shunt on back-end analysis server, to perform deterioration to network traffics and to block; Back-end analysis server and second level processing unit 2 carry out detection to the flow received and analyze, thus determine the process action to evidence message in tandem.Be illustrated in figure 7 and connect mode, by the backbone links of above-mentioned evidence-obtaining system by optical splitter accessing Internet, with to network traffics execution monitoring, simple Preprocessing is carried out by first order processing unit 1 pair of flow, and be distributed to rear end in the mode labelled, further reduced by back-end analysis server and second level processing unit 2, analyze and put in storage again after data mining.
See Fig. 1, in tandem, the data traffic received respectively in the concrete access network uplink downlink of inlet flow rate of first order processing unit 1 input, the flow of rule match forwarding module 13 output network uplink downlink; And connect in mode, the inlet flow rate of first order processing unit 1 then specifically accesses the data traffic received from link optical splitter, and rule match forwarding module 13 exports the flow of external control or anacom (server).
The present embodiment evidence-obtaining system can be used for realizing evidence obtaining in the interconnected core network of Large-scale Mobile, also can be applied in other internet and realize evidence obtaining, or be applied to according to the actual requirements in network and realize mass data collection and extensive abnormality detection in real time etc., its operation principle is consistent with above-mentioned, no longer repeats.
Above-mentioned just preferred embodiment of the present invention, not does any pro forma restriction to the present invention.Although the present invention discloses as above with preferred embodiment, but and be not used to limit the present invention.Therefore, every content not departing from technical solution of the present invention, according to the technology of the present invention essence to any simple modification made for any of the above embodiments, equivalent variations and modification, all should drop in the scope of technical solution of the present invention protection.
Claims (7)
1. the evidence-obtaining system for the interconnected core network of Large-scale Mobile, it is characterized in that: comprise the evidence message for gathering in the interconnected core network of Large-scale Mobile and carry out preliminary treatment obtain original evidence message first order processing unit (1), for described original evidence message is carried out reduction treatment second level processing unit (2) and control crosspoint (3), described first order processing unit (1) by control crosspoint (3) connect described second level processing unit (2); The original evidence message that described first order processing unit (1) obtains is sent to described second level processing unit (2) by described control crosspoint (3), and the evidence message that processing unit (2) reduction treatment of the described second level obtains is forwarded to counterpart terminal by described control crosspoint (3), described first order processing unit (1) again.
2. the evidence-obtaining system for the interconnected core network of Large-scale Mobile according to claim 1, it is characterized in that: described first order processing unit (1) comprises the acquisition module (11), high speed pretreatment module (12) and the rule match forwarding module (13) that connect successively, described acquisition module (11), for gathering the evidence message in large-scale internetwork, exports described high speed pretreatment module (12) to; Described high speed pretreatment module (12) adopts FPGA that the described evidence message collected is carried out preliminary treatment, obtains original evidence message; Described rule match forwarding module (13) controls crosspoint (3) or counterpart terminal for being forwarded to according to preset rules by described original evidence message.
3. the evidence-obtaining system for the interconnected core network of Large-scale Mobile according to claim 2, it is characterized in that: described second level processing unit (2) comprises detects discrimination module (21) and advanced treating module (22), the original evidence message that described detection discrimination module (21) sends for receiving described control crosspoint (3), and judge that described original evidence message is the need of direct output, if yes, directly described original evidence message is exported back described control crosspoint (3), if NO, described original evidence message is sent to advanced treating module (22) and carries out reduction treatment, obtain the evidence message after reducing and send it back described control crosspoint (3).
4. the evidence-obtaining system for the interconnected core network of Large-scale Mobile according to claim 3, is characterized in that: described advanced treating module (22) adopts polycaryon processor chip.
5. the evidence-obtaining system for the interconnected core network of Large-scale Mobile according to claim 4, is characterized in that: described advanced treating module (22) comprises reduction message module and abnormality detection module for carrying out reduction treatment to original evidence message; Described abnormality detection module is used for carrying out abnormal traffic detection to described original evidence message, output abnormality testing result.
6. according to the evidence-obtaining system for the interconnected core network of Large-scale Mobile in Claims 1 to 5 described in any one, it is characterized in that: also comprise and resume processing unit (4), described in resume processing unit (4) and first order processing unit (1) and be connected in parallel; Resume processing unit (4) described in starting when abnormal flow controls during needs are to network and disconnect described first order processing unit (1), evidence message in processing unit (4) access Large-scale Mobile internet is resumed by described, and according to specify resume rule to access described evidence message mate, then according to matching result control access evidence message perform resume or block, deterioration.
7. the evidence-obtaining system for the interconnected core network of Large-scale Mobile according to claim 6, it is characterized in that: described control crosspoint (3) comprises main control module (31) and Switching Module (32), described main control module (31) is for receiving control command and controlling described first order processing unit (1), second level processing unit (2) according to described control command; Described Switching Module (32) is for carrying out the data retransmission between described first order processing unit (1), second level processing unit (2).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510043170.2A CN104579851B (en) | 2015-01-28 | 2015-01-28 | A kind of evidence-obtaining system for the interconnected core network of Large-scale Mobile |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510043170.2A CN104579851B (en) | 2015-01-28 | 2015-01-28 | A kind of evidence-obtaining system for the interconnected core network of Large-scale Mobile |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104579851A true CN104579851A (en) | 2015-04-29 |
| CN104579851B CN104579851B (en) | 2016-03-09 |
Family
ID=53095115
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510043170.2A Active CN104579851B (en) | 2015-01-28 | 2015-01-28 | A kind of evidence-obtaining system for the interconnected core network of Large-scale Mobile |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104579851B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109302406A (en) * | 2018-10-31 | 2019-02-01 | 法信公证云(厦门)科技有限公司 | A kind of method and system of distribution webpage evidence obtaining |
| CN110245020A (en) * | 2019-06-21 | 2019-09-17 | 真相网络科技(北京)有限公司 | Handset content evidence collecting method and system based on multiple evidence taking equipments |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101184002A (en) * | 2007-12-14 | 2008-05-21 | 国家广播电影电视总局广播科学研究院 | Point-to-point flux deepness monitoring method and equipment |
| CN101572633A (en) * | 2009-05-05 | 2009-11-04 | 北京系统工程研究所 | Network forensics method and system |
-
2015
- 2015-01-28 CN CN201510043170.2A patent/CN104579851B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101184002A (en) * | 2007-12-14 | 2008-05-21 | 国家广播电影电视总局广播科学研究院 | Point-to-point flux deepness monitoring method and equipment |
| CN101572633A (en) * | 2009-05-05 | 2009-11-04 | 北京系统工程研究所 | Network forensics method and system |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109302406A (en) * | 2018-10-31 | 2019-02-01 | 法信公证云(厦门)科技有限公司 | A kind of method and system of distribution webpage evidence obtaining |
| CN110245020A (en) * | 2019-06-21 | 2019-09-17 | 真相网络科技(北京)有限公司 | Handset content evidence collecting method and system based on multiple evidence taking equipments |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104579851B (en) | 2016-03-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20180316719A1 (en) | Method for mitigation of cyber attacks on industrial control systems | |
| US9565120B2 (en) | Method and system for performing distributed deep-packet inspection | |
| CN101599963B (en) | Suspected network threat information screener and screening and processing method | |
| CN104660582B (en) | The network architecture of the software definition of DDoS identifications, protection and path optimization | |
| CN107645398A (en) | A kind of method and apparatus of diagnostic network performance and failure | |
| CN107835199A (en) | Suitable for solving the method for work of the SDN systems of network security | |
| CN104683346A (en) | P2P botnet detection device and method based on flow analysis | |
| CN103067218B (en) | A kind of express network packet content analytical equipment | |
| CN111049843A (en) | Intelligent substation network abnormal flow analysis method | |
| CN101483649A (en) | Network safe content processing card based on FPGA | |
| CN103731482A (en) | Cluster load balancing system and achieving method thereof | |
| CN104579851B (en) | A kind of evidence-obtaining system for the interconnected core network of Large-scale Mobile | |
| CN103618720B (en) | A kind of Trojan network communication detects and evidence collecting method and system | |
| CN102215125B (en) | Network service control system | |
| CN101141323A (en) | Method, system and equipment for controlling connectivity detection | |
| Liu et al. | Next generation internet traffic monitoring system based on netflow | |
| CN202488476U (en) | Network feature extraction apparatus | |
| CN204425393U (en) | A kind of device explaining network traffic information | |
| CN103338183A (en) | Linkage method of intrusion detection system and firewall | |
| CN208890823U (en) | It supports to realize the device for carrying out Network Isolation properties of product testing and control | |
| Farhady et al. | TagFlow: Efficient flow classification in SDN | |
| Xia et al. | Cids: Adapting legacy intrusion detection systems to the cloud with hybrid sampling | |
| Zhao et al. | A high-speed network data acquisition system based on big data platform | |
| Gilbert et al. | An approach towards anomaly based detection and profiling covert TCP/IP channels | |
| Alaidaros et al. | From Packet-based Towards Hybrid Packet-based and Flow-based Monitoring for Efficient Intrusion Detection: An overview |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |