CN105227348A - A kind of Hash storage means based on IP five-tuple - Google Patents
A kind of Hash storage means based on IP five-tuple Download PDFInfo
- Publication number
- CN105227348A CN105227348A CN201510528651.2A CN201510528651A CN105227348A CN 105227348 A CN105227348 A CN 105227348A CN 201510528651 A CN201510528651 A CN 201510528651A CN 105227348 A CN105227348 A CN 105227348A
- Authority
- CN
- China
- Prior art keywords
- memory cell
- hash
- session
- session memory
- hash array
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
Landscapes
- Physics & Mathematics (AREA)
- Algebra (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Pure & Applied Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a kind of Hash storage means based on IP five-tuple.Its method comprises: receive session information inquiry request; According to the IP five-tuple in described session information inquiry request, the first module mark of the first Hash array is determined based on the first hash function, the second unit mark of the second Hash array is determined based on the second hash function, wherein, each unit in described first Hash array is for storing described second Hash array; Current second Hash array is determined according to described first module mark and second unit mark; Travel through all session memory cell that described current second Hash array is pointed to, search the session memory cell corresponding with described IP five-tuple; Session information is obtained from described session memory cell.The invention solves the Hash skewness of IP five-tuple Hash storage means in prior art, the newly-increased problem that speed is slow and seek rate is slow.
Description
Technical field
The present invention relates to BlueDrama statistical analysis field, particularly relate to a kind of Hash storage means based on IP five-tuple.
Background technology
Denial of Service attack (DoS, DenialofService) refers to and utilizes various service request to exhaust by the system resource of attacking network, thus makes the request that cannot be processed validated user by attacking network.And along with the rise of Botnet, simultaneously because attack method is simple, impact is comparatively large, be difficult to features such as tracing, make again distributed denial of service attack (DDoS, DistributedDenialofService) obtain growing fast and day by day spreading unchecked.The Botnet of thousands of main frame composition is that ddos attack provides required bandwidth sum main frame, defines huge attack and network traffics, causes great harm to by attacking network.
Improving constantly and developing along with ddos attack technology, ISP (ISP, InternetServiceProvider), ICP (ICP, InternetContentProvider), Internet data center (IDC, etc. InternetDataCenter) safety that faces of operator and operation challenge are also on the increase, operator must before DDoS threat affects key business and application, detection carried out to flow and is cleaned, guaranteeing the operation of network normal table and normally carrying out of business.Meanwhile, a kind of value-added service that operator provides for user can also be become, to obtain better user satisfaction to the detection of ddos attack flow and cleaning.
At ISP, under the large discharge network environment of the operators such as IDC, current network state to be judged rapidly and accurately, one of technology that session statistical analysis is most crucial just, connection session establishments all in flow is got up and analyzes its various data transmitted, can obtain a lot about the information of current network state, Timeliness coverage ddos attack is had very great help, and connect, need the IP five-tuple information in data message and source address, destination address, source port, target port and IP agreement, the efficiency using which kind of method storing IP five-tuple information will analyze session connection has crucial effect.
Current IP five-tuple Hash storage means is the most conventional, but IP five-tuple Hash storage means of the prior art has a lot of shortcomings.Mainly contain following shortcoming:
1, Hash skewness: the Hash memory location that the hash function that a lot of method uses calculates is average not, causes the hash-collision degree of depth larger.
2, newly-increased speed is slow: because skewness, and the conflict degree of depth of Hash is large, and often can travel through whole chain when newly-increased and consume a large amount of time when a lot of method uses chain technique to manage conflict.
3, seek rate is slow: along with the value stored gets more and more, the memory location that the degree of depth is greater than 1 also gets more and more, often much search the value of many number of times not in the stem of memory location, often need traversal chained list could obtain for several times when searching these values, this wherein consumes again a large amount of time.
Summary of the invention
In view of this, the embodiment of the present invention provides a kind of Hash storage method based on IP five-tuple, to solve Hash skewness in prior art, and the newly-increased problem very slow with seek rate.
Embodiments provide a kind of Hash storage method based on IP five-tuple, comprising:
Receive session information inquiry request;
According to the IP five-tuple in described session information inquiry request, the first module mark of the first Hash array is determined based on the first hash function, the second unit mark of the second Hash array is determined based on the second hash function, wherein, each unit in described first Hash array is for storing described second Hash array;
Current second Hash array is determined according to described first module mark and second unit mark;
Travel through all session memory cell that described current second Hash array is pointed to, search the session memory cell corresponding with described IP five-tuple;
Session information is obtained from described session memory cell.
The invention has the beneficial effects as follows: a kind of Hash storage means based on IP five-tuple provided by the invention, use CRC32 algorithm and XOR two computings to combine as hash function and draw final Hash memory location, make Hash storage and distribution very even.The data that two strings are different, the value probability all equally calculated through two functions is very little, so in conjunction with two hash functions, the end value that can different pieces of information string be made to greatest extent to calculate is different, thus reduces hash-collision.By above measure, solve Hash skewness in prior art, the newly-increased problem very slow with seek rate, improves the Hash storage efficiency of IP five-tuple on the whole greatly.
Accompanying drawing explanation
By reading the detailed description done non-limiting example done with reference to the following drawings, other features, objects and advantages of the present invention will become more obvious:
Fig. 1 is the schematic flow sheet of a kind of Hash storage means based on IP five-tuple of the embodiment of the present invention one;
Fig. 2 is the schematic flow sheet of a kind of Hash storage means based on IP five-tuple of the embodiment of the present invention three;
Embodiment
Below in conjunction with drawings and Examples, the present invention is described in further detail.Be understandable that, specific embodiment described herein is only for explaining the present invention, but not limitation of the invention.It also should be noted that, for convenience of description, illustrate only part related to the present invention in accompanying drawing but not full content.
Embodiment one
Fig. 1 is the schematic flow sheet that embodiment one provides a kind of Hash storage means based on IP five-tuple.Under the method is applicable to large discharge network environment, convert larger data message to less data information memory, be convenient to the situation of access and statistical analysis.The method is performed by the device of the Hash storage means based on IP five-tuple, and this device can be arranged in the terminal, and the form of software and/or hardware can be adopted to realize.Such as ISP (ISP, InternetServiceProvider), ICP (ICP, InternetContentProvider), Internet data center (IDC, etc. InternetDataCenter) operator can carry out detection to flow and is cleaned by adopting said method, guarantees the operation of network normal table and normally carrying out of business.
As shown in Figure 1, the method comprises:
S110, reception session information inquiry request.
Device based on the Hash storage means of IP five-tuple receives the session inquiry request containing IP five-tuple information, goes to the memory location determining session information, thus have access to session information with IP five-tuple.
S120, according to the IP five-tuple in described session information inquiry request, the first module mark of the first Hash array is determined based on the first hash function, the second unit mark of the second Hash array is determined based on the second hash function, wherein, each unit in described first Hash array is for storing described second Hash array.
IP five-tuple information link comprises source address sip, destination address dip, source port sport, target port dport and IP protocol number protocol.First set up the first Hash array and the second hash function group, each unit in the first Hash array is again a second Hash array.Each unit of the second hash function is a pointer, points to each storage element.Calculate first module by the first hash function to identify, show that second unit identifies by the second hash function.
Further, the length of the first Hash array is greater than the second Hash array.
Further, the first hash function is F=CRC_32 (M->link) %A.
Wherein, F is the first module mark in the first Hash array, and CRC_32 is the cyclic redundancy check (CRC) algorithmic function of 32, and M->link is the IP five-tuple information in session memory cell, and A is the length of the first Hash array.
Second hash function is f=(sip^dip^ ((sport<<16)+dport)) %a.
Wherein, f is the second unit mark in the second Hash array, and a is the length of the second Hash array.
First a string data was after the CRC function of 32 was calculated, the value obtained is the more uniform of basic distribution, if still there to be conflict, also have second IP five-tuple XOR hash function, the data that two strings are different, through the value probability all equally that two functions calculate, are very little, so in conjunction with two hash functions, the end value that can different pieces of information string be made to greatest extent to calculate is different.Greatly reduce hash-collision like this.
S130, determine current second Hash array according to described first module mark and second unit mark.
First module mark determines the position of the first hash function group, and second unit mark determines the position of the second Hash array.Because each unit is a second Hash array in the first Hash array, so first module mark and second unit mark finally determine a current second Hash array, the second current Hash array is the combination of the first Hash array and the second Hash array.
S140, travel through described current second Hash array point to all session memory cell, search the session memory cell corresponding with described IP five-tuple.
If calculate the same session memory cell in a lot of memory locations with hash function, namely current second Hash array points to a lot of session memory cell.These session memory cell just need to couple together with chained list, and the length of this chained list also can be understood as the conflict degree of depth.Just need to travel through all session memory cell that current second hash function group is pointed to when searching the session memory cell corresponding with affiliated IP five-tuple.
Further, described session memory cell M comprises:
IP five-tuple information link;
A upper Storage Unit Pointer prev;
Next Storage Unit Pointer next;
Search counting count, searched number of times for recording conversation memory cell.
S150, from described session memory cell, obtain session information.
Further, if described session memory cell is the first memory cell that described current second Hash array is pointed to, then described session information is returned;
If described session memory cell is not the first memory cell that described current second Hash array is pointed to, then according to described upper one Storage Unit Pointer obtain a upper session memory cell search counting, more described session memory cell search whether counting be greater than a session memory cell search counting, if, then exchange the position of two session memory cell, upgrade corresponding pointer, and return described session information; If not, then described session information is directly returned.
In prior art, along with session memory cell gets more and more, the memory location that the degree of depth is greater than 1 also gets more and more, often much search the memory cell of many number of times not at the head of memory location, often need traversal chained list could obtain for several times when searching these memory cell, this wherein consumes again a large amount of time.In the present embodiment, the session memory cell on same chained list is exchanged by the size of searching counting, make to be searched more session memory cell and be always positioned at chained list head, the session memory cell be in like this under same chained list arranges by by the descending head from chained list of number of times searched to afterbody.Greatly reduce the time owing to traveling through chained list when searching element, effectively improve the efficiency of storage.
A kind of Hash storage means based on IP five-tuple that the embodiment of the present invention one provides, to combine as hash function by using CRC32 algorithm and XOR two computings and draws final Hash memory location.The data that two strings are different, the value probability all equally calculated through two functions is very little, so in conjunction with two hash functions, the end value that can different pieces of information string be made to greatest extent to calculate is different, reduces hash-collision.By above measure, solve Hash skewness in prior art, the newly-increased problem very slow with seek rate, improves the Hash storage efficiency of IP five-tuple on the whole greatly.
Embodiment two
The present embodiment, based on embodiment one, further in all session memory cell that the described current second Hash array of traversal is pointed to, after searching the session memory cell corresponding with described IP five-tuple, also performs following operation:
If do not find the session memory cell that described IP five-tuple is corresponding, in memory space, then apply for new session memory cell, described IP five-tuple information is stored in described new session memory cell, utilize the first module mark that calculates according to the first hash function and the second hash function and second unit to identify to determine the second Hash array that final, described the second Hash array is finally used in reference to new session memory cell.
Further, if the session memory cell that described the second Hash array finally is not pointed to, then directly make described the second Hash array finally point to described new session memory cell, then return the session information of described new session memory cell;
If described the second Hash array finally has the session memory cell of sensing, then first allow already present session memory cell in the second Hash array final described in the pointed of the next memory cell of the sensing in described new session memory cell structure, then session memory cell new described in the pointed of the upper memory cell of sensing of described already present session memory cell, the first session memory cell allowing described the second Hash array finally point to is described new session memory cell, finally returns the session information of described new session memory cell.
Use chain technique to manage conflict in prior art often travel through whole chain when newly-increased session memory cell and consume a large amount of time.When chain adding in the present embodiment new session memory cell, adopt to insert instead of afterbody insertion at head, head inserts only to be needed once-through operation and not to need to travel through whole chain, saves the time while reducing device workload, improves storage efficiency.
The present embodiment two on the basis of embodiment one traversal described current second Hash array point to all session memory cell, after searching the session memory cell corresponding with described IP five-tuple, do not find respective session memory cell, set up new session cell stores session information, and new session memory cell is added in the head of chained list.While Hash is evenly distributed, inserts at head and do not need to travel through whole chain, improving storage efficiency.
Embodiment three
Fig. 2 is the schematic flow sheet that embodiment three provides a kind of Hash storage means based on IP five-tuple.Whole scheme, on the basis of above-described embodiment, is specialized by the present embodiment, carries out complete description, is convenient to understand.The present embodiment only describes the Hash storage means based on IP five-tuple but does not limit its method.
First, setting the first hash function in the present embodiment is F, and the second hash function is f.The length of the first Hash array H is A, and the length of the second Hash array h is a.Setting memory cell structure M{link [sip, dip, sport, dport, protocol], prev, next, count} are for preserving IP five-tuple information.
As shown in Figure 2, the method comprises:
S210, search session according to IP five-tuple.
S220, calculate Hash position H [h] by function F sum functions f.
Obtain first module mark and second unit mark respectively by the first hash function F and the second hash function f, namely the position H of the first Hash array and the position h of the second Hash array, finally obtains Hash position H [h].
S230, traversal H [h], find session memory cell M.If M can be found, then perform S240; Otherwise, perform S250.
All session memory cell that traversal H [h] is pointed to, find the session memory cell M corresponding with IP five-tuple.
S240, M search counting count and add 1.
Further, after S240, the method also comprises:
Whether S2410, M are header element i.e. first session memory cell that H [h] points to.If so, then S260 is performed; Otherwise, then S2420 is performed.
S2420, judge whether M->count>M->pr ev->count.If so, then S2430 is performed; Otherwise, perform S260.
M->count be M search counting, M->prev->count be the previous session memory cell of M search counting.Judge whether M->count>M->pr ev->count then for comparing the size of searching counting of M session memory cell previous with it.Object is the head by being moved on to whole chained list by the session memory cell of searching often.The session memory cell be in like this under same chained list arranges by by the descending head from chained list of number of times searched to afterbody.
The position of S2430, exchange M and M->prev, then performs S260.
Be the position exchanging the chained list that M session memory cell previous with it forms in the session memory cell that H [h] points to.
S250, application session memory cell M, be stored in M IP five-tuple information.
Further, after S250, the method also comprises:
S2510, judge that whether H [h] is empty.If it is empty, then S260 is performed; Otherwise, perform S2520.
S2520, M->next point to H [h] current sessions N.The next session Storage Unit Pointer of sensing of M points to H [h] current existing session memory cell.
S2530, H [h] current sessions N->prev points to M.The upper session Storage Unit Pointer of sensing of current sessions memory cell N points to new application session memory cell M.
S2540、H[h]=M。The session memory cell being the head of the session memory cell chained list that H [h] is pointed to is the session memory cell M of new application.Then S260 is performed.
S260, return session memory cell M.
The embodiment of the present invention three provides a kind of Hash storage means based on IP five-tuple specifically based on above-described embodiment.The IP five-tuple Hash storage means that the present invention proposes, use CRC32 algorithm and XOR as hash function, not only fast but also distribute very evenly, be inserted in chained list stem when solving hash-collision by chain technique and increase newly not need to travel through whole chain, and by searching counting adjustment linked list element position, greatly can improve the newly-increased of Hash element and seek rate, by above measure, greatly improve the Hash storage efficiency of IP five-tuple on the whole.
Note, above are only preferred embodiment of the present invention and institute's application technology principle.Skilled person in the art will appreciate that and the invention is not restricted to specific embodiment described here, various obvious change can be carried out for a person skilled in the art, readjust and substitute and can not protection scope of the present invention be departed from.Therefore, although be described in further detail invention has been by above embodiment, the present invention is not limited only to above embodiment, when not departing from the present invention's design, can also comprise other Equivalent embodiments more, and scope of the present invention is determined by appended right.
Claims (7)
1., based on a Hash storage means for IP five-tuple, it is characterized in that, comprising:
Receive session information inquiry request;
According to the IP five-tuple in described session information inquiry request, the first module mark of the first Hash array is determined based on the first hash function, the second unit mark of the second Hash array is determined based on the second hash function, wherein, each unit in described first Hash array is for storing described second Hash array;
Current second Hash array is determined according to described first module mark and second unit mark;
Travel through all session memory cell that described current second Hash array is pointed to, search the session memory cell corresponding with described IP five-tuple;
Session information is obtained from described session memory cell.
2. method according to claim 1, is characterized in that:
Described first Hash array length is greater than the length of described second Hash array.
3. method according to claim 1, is characterized in that, described session memory cell M comprises:
IP five-tuple information link, comprising source address sip, destination address dip, source port sport, target port dport and IP protocol number protocol;
A upper Storage Unit Pointer prev;
Next Storage Unit Pointer next;
Search counting count, searched number of times for recording conversation memory cell.
4. method according to claim 3, is characterized in that:
First hash function is F=CRC_32 (M->link) %A;
Wherein, F is the first module mark in the first Hash array, and CRC_32 is the cyclic redundancy check (CRC) algorithmic function of 32, and M->link is the IP five-tuple information in session memory cell, and A is the length of the first Hash array;
Second hash function is f=(sip^dip^ ((sport<<16)+dport)) %a;
Wherein, f is the second unit mark in the second Hash array, and a is the length of the second Hash array.
5. method according to claim 3, is characterized in that, obtains session information, comprising from described session memory cell:
If described session memory cell is the first memory cell that described current second Hash array is pointed to, then return described session information;
If described session memory cell is not the first memory cell that described current second Hash array is pointed to, then according to described upper one Storage Unit Pointer obtain a upper session memory cell search counting, more described session memory cell search whether counting be greater than a session memory cell search counting, if, then exchange the position of two session memory cell, upgrade corresponding pointer, and return described session information; If not, then described session information is directly returned.
6. method according to claim 3, is characterized in that, travels through all session memory cell that described current second Hash array is pointed to, after searching the session memory cell corresponding with described IP five-tuple, also comprises:
If do not find the session memory cell that described IP five-tuple is corresponding, in memory space, then apply for new session memory cell, described IP five-tuple information is stored in described new session memory cell, utilize the first module mark that calculates according to the first hash function and the second hash function and second unit to identify to determine the second Hash array that final, described the second Hash array is finally used in reference to new session memory cell.
7. method according to claim 6, it is characterized in that, the first module mark that described utilization calculates according to the first hash function and the second hash function and second unit identify determines a final second Hash array, described the second Hash array is finally used in reference to after new session memory cell, also comprises:
If the session memory cell that described the second Hash array finally is not pointed to, then directly make described the second Hash array finally point to described new session memory cell, then return the session information of described new session memory cell;
If described the second Hash array finally has the session memory cell of sensing, then first allow already present session memory cell in the second Hash array final described in the pointed of the next memory cell of the sensing in described new session memory cell structure, then session memory cell new described in the pointed of the upper memory cell of sensing of described already present session memory cell, the first session memory cell allowing described the second Hash array finally point to is described new session memory cell, finally returns the session information of described new session memory cell.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510528651.2A CN105227348B (en) | 2015-08-25 | 2015-08-25 | A kind of Hash storage method based on IP five-tuple |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510528651.2A CN105227348B (en) | 2015-08-25 | 2015-08-25 | A kind of Hash storage method based on IP five-tuple |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105227348A true CN105227348A (en) | 2016-01-06 |
| CN105227348B CN105227348B (en) | 2019-01-11 |
Family
ID=54996059
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510528651.2A Active CN105227348B (en) | 2015-08-25 | 2015-08-25 | A kind of Hash storage method based on IP five-tuple |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105227348B (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107248939A (en) * | 2017-05-26 | 2017-10-13 | 中国人民解放军理工大学 | Network flow high-speed associative method based on hash memories |
| CN107770114A (en) * | 2016-08-15 | 2018-03-06 | 台山市金讯互联网络科技有限公司 | A kind of flood attack detection method of the distributed monitoring of optimization |
| CN107770113A (en) * | 2016-08-15 | 2018-03-06 | 台山市金讯互联网络科技有限公司 | A kind of accurate flood attack detection method for determining attack signature |
| CN111526225A (en) * | 2020-04-28 | 2020-08-11 | 杭州迪普科技股份有限公司 | Session management method and device |
| CN112612670A (en) * | 2020-12-02 | 2021-04-06 | 北京东土军悦科技有限公司 | Session information statistical method, device, exchange equipment and storage medium |
| CN114221847A (en) * | 2021-12-10 | 2022-03-22 | 北京天融信网络安全技术有限公司 | Network session management method, device and equipment and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102123090A (en) * | 2011-02-23 | 2011-07-13 | 中国人民解放军国防科学技术大学 | IP (Internet protocol) fragment processing method based on two-level table storage and transport layer information inquiry |
| CN103179109A (en) * | 2013-02-04 | 2013-06-26 | 上海恒为信息科技有限公司 | Secondary session query function based filtering and distribution device and method thereof |
| CN104038389A (en) * | 2014-06-19 | 2014-09-10 | 高长喜 | Multiple application protocol identification method and device |
| CN104378263A (en) * | 2014-11-27 | 2015-02-25 | 盛科网络(苏州)有限公司 | Network flow monitoring method and device based on TCP session and message processing chip |
| CN104683255A (en) * | 2013-11-29 | 2015-06-03 | 华为技术有限公司 | Load sharing balance method and device for physical ports, and link aggregation system |
| CN104780178A (en) * | 2015-04-29 | 2015-07-15 | 北京邮电大学 | Connection management method for preventing TCP attack |
-
2015
- 2015-08-25 CN CN201510528651.2A patent/CN105227348B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102123090A (en) * | 2011-02-23 | 2011-07-13 | 中国人民解放军国防科学技术大学 | IP (Internet protocol) fragment processing method based on two-level table storage and transport layer information inquiry |
| CN103179109A (en) * | 2013-02-04 | 2013-06-26 | 上海恒为信息科技有限公司 | Secondary session query function based filtering and distribution device and method thereof |
| CN104683255A (en) * | 2013-11-29 | 2015-06-03 | 华为技术有限公司 | Load sharing balance method and device for physical ports, and link aggregation system |
| CN104038389A (en) * | 2014-06-19 | 2014-09-10 | 高长喜 | Multiple application protocol identification method and device |
| CN104378263A (en) * | 2014-11-27 | 2015-02-25 | 盛科网络(苏州)有限公司 | Network flow monitoring method and device based on TCP session and message processing chip |
| CN104780178A (en) * | 2015-04-29 | 2015-07-15 | 北京邮电大学 | Connection management method for preventing TCP attack |
Non-Patent Citations (1)
| Title |
|---|
| 车佳敏: "IPFIX双向流生成系统的研究与实现", 《中国优秀硕士学位论文全文数据库(电子期刊)》 * |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107770114A (en) * | 2016-08-15 | 2018-03-06 | 台山市金讯互联网络科技有限公司 | A kind of flood attack detection method of the distributed monitoring of optimization |
| CN107770113A (en) * | 2016-08-15 | 2018-03-06 | 台山市金讯互联网络科技有限公司 | A kind of accurate flood attack detection method for determining attack signature |
| CN107248939A (en) * | 2017-05-26 | 2017-10-13 | 中国人民解放军理工大学 | Network flow high-speed associative method based on hash memories |
| CN107248939B (en) * | 2017-05-26 | 2020-07-31 | 中国人民解放军理工大学 | Network flow high-speed correlation method based on hash memory |
| CN111526225A (en) * | 2020-04-28 | 2020-08-11 | 杭州迪普科技股份有限公司 | Session management method and device |
| CN111526225B (en) * | 2020-04-28 | 2022-07-01 | 杭州迪普科技股份有限公司 | Session management method and device |
| CN112612670A (en) * | 2020-12-02 | 2021-04-06 | 北京东土军悦科技有限公司 | Session information statistical method, device, exchange equipment and storage medium |
| CN112612670B (en) * | 2020-12-02 | 2023-04-11 | 北京东土军悦科技有限公司 | Session information statistical method, device, exchange equipment and storage medium |
| CN114221847A (en) * | 2021-12-10 | 2022-03-22 | 北京天融信网络安全技术有限公司 | Network session management method, device and equipment and storage medium |
| CN114221847B (en) * | 2021-12-10 | 2024-01-23 | 北京天融信网络安全技术有限公司 | Network session management method, device and equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105227348B (en) | 2019-01-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105227348A (en) | A kind of Hash storage means based on IP five-tuple | |
| US9537887B2 (en) | Method and system for network connection chain traceback using network flow data | |
| US8510830B2 (en) | Method and apparatus for efficient netflow data analysis | |
| Zdonik et al. | SpringerBriefs in Computer Science | |
| US8817792B2 (en) | Data forwarding method, data processing method, system and relevant devices | |
| KR20140030307A (en) | A generalized dual-mode data forwarding plane for information-centric network | |
| Xu et al. | ELDA: Towards efficient and lightweight detection of cache pollution attacks in NDN | |
| US8953600B2 (en) | Telemetry data routing | |
| Zhou et al. | Persistent spread measurement for big network data based on register intersection | |
| CN104821924A (en) | Network data packet processing method and apparatus, and network processing device | |
| Basat et al. | Routing oblivious measurement analytics | |
| Yang et al. | Adaptive measurements using one elastic sketch | |
| CN107070851B (en) | System and method for connecting fingerprint generation and stepping stone tracing based on network flow | |
| Li et al. | A case study of ipv6 network performance: Packet delay, loss, and reordering | |
| CN110300085B (en) | Evidence obtaining method, device and system for network attack, statistical cluster and computing cluster | |
| CN101854366B (en) | Peer-to-peer network flow-rate identification method and device | |
| Yang | Hybrid single‐packet IP traceback with low storage and high accuracy | |
| CN105099799B (en) | Botnet detection method and controller | |
| Shi et al. | On capturing DDoS traffic footprints on the Internet | |
| Kong et al. | Time-out bloom filter: A new sampling method for recording more flows | |
| Gao et al. | Protecting router cache privacy in named data networking | |
| Bhattacharjee et al. | Congestion control and caching in CANES | |
| Kwon et al. | Use of Cuckoo filters with FD. Io VPP for software IPv6 routing lookup | |
| US20210281503A1 (en) | Udping - continuous one-way monitoring of multiple network links | |
| Shahzad et al. | Accurate and efficient per-flow latency measurement without probing and time stamping |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 705-708, room two, No. 121, north south of the Five Ridges Avenue, Chancheng District, Guangdong, Foshan, 528000 Applicant after: GUANGDONG RUIJIANG CLOUD COMPUTING CO., LTD. Address before: Chancheng District of Guangdong city of Foshan province south of the Five Ridges 528000 Avenue North 121 East International A District Office 7-8 Applicant before: Guangdong Efly Network Co., Ltd. |
|
| COR | Change of bibliographic data | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |