CN105530219A - Method and device for connection detection - Google Patents

Method and device for connection detection Download PDF

Info

Publication number
CN105530219A
CN105530219A CN201410509942.2A CN201410509942A CN105530219A CN 105530219 A CN105530219 A CN 105530219A CN 201410509942 A CN201410509942 A CN 201410509942A CN 105530219 A CN105530219 A CN 105530219A
Authority
CN
China
Prior art keywords
traffic characteristic
server
client
characteristic data
time point
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410509942.2A
Other languages
Chinese (zh)
Other versions
CN105530219B (en
Inventor
陈曦
周志彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201410509942.2A priority Critical patent/CN105530219B/en
Publication of CN105530219A publication Critical patent/CN105530219A/en
Application granted granted Critical
Publication of CN105530219B publication Critical patent/CN105530219B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention discloses a method and a device for connection detection, which is applied to the technical field of communication. In the method of the embodiment, mainly through traffic feature data for communication between a client and a server, a fluctuation range for the traffic features for communication between the client and the server at a certain time point is obtained, and whether the connection between the client and the server is malicious connection is determined through the fluctuation range. In comparison with a method of determining whether the connection between the client and the server is malicious connection according to a traffic baseline between time and traffic data in the prior art, the acquired traffic feature value corresponding to a certain time point in the method of the embodiment of the invention is not a fixed value but a fluctuation range, and an actually complicated network condition can be reflected more.

Description

A kind of connection detection method and device
Technical field
The present invention relates to communication technical field, particularly connect detection method and device.
Background technology
When detecting the network between client and server, a kind of existing method is that the data on flows by communicating between client with server obtains flow baseline, then judge whether the connection between client and server is that malice connects according to flow baseline, thus these malice connections can be disconnected with the safety ensureing equipment.
Wherein, existing a kind of flow baseline method for building up, mainly the function that function of time matching obtains a time and data on flows is carried out to the data on flows gathered in the certain hour cycle, namely the curve of this time and data on flows is flow baseline, makes to go up sometime the data on flows that correspondence is determined.But in actual application, in existing network, constitution is very complicated, single flow baseline can not reflect the network condition of actual complex.
Summary of the invention
The embodiment of the present invention provides and connects detection method and device, makes the foundation connecting detection more can reflect the network condition of actual complex.
The embodiment of the present invention provides a kind of and connects detection method, comprising:
Obtain client and the traffic characteristic data communicated between server;
According to the described traffic characteristic data obtained, obtain at least one time point, the waving interval of described client and the traffic characteristic communicated between server;
If the traffic characteristic communicated between client with server described in current time, inconsistent with the waving interval of corresponding traffic characteristic, then determine that described client and server are that malice connects in the connection of current time.
The embodiment of the present invention provides a kind of and connects checkout gear, comprising:
Data capture unit, for obtaining the traffic characteristic data communicated between client with server;
Interval acquiring unit, for the described traffic characteristic data obtained according to described data capture unit, obtains at least one time point, the waving interval of described client and the traffic characteristic communicated between server;
Malice determining unit, if the traffic characteristic for communicating between client with server described in current time, inconsistent with the waving interval of corresponding traffic characteristic, then determine that described client and server are that malice connects in the connection of current time.
Visible, in the present embodiment, mainly through the traffic characteristic data communicated between client with server, put sometime, the waving interval of the traffic characteristic communicated between client with server, to determine by waving interval whether the connection between client and server is that malice connects.Determine whether the connection between client with server is compared with malice connects with prior art according to time and the flow baseline of data on flows, what obtain in the method in the embodiment of the present invention puts corresponding traffic characteristic value sometime, it is not a fixing value, but a waving interval, so more can reflect the network condition of actual complex.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is the flow chart of the connection detection method provided in the embodiment of the present invention;
Fig. 2 is the structural representation of the connection checkout gear provided in the embodiment of the present invention;
Fig. 3 is the structural representation of the net control device that the connection detection method provided in the embodiment of the present invention is applied to.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.
Term " first ", " second ", " the 3rd " " 4th " etc. (if existence) in specification of the present invention and claims and above-mentioned accompanying drawing are for distinguishing similar object, and need not be used for describing specific order or precedence.Should be appreciated that the data used like this can be exchanged in the appropriate case, so as embodiments of the invention described herein such as can with except here diagram or describe those except order implement.In addition, term " comprises " and " having " and their any distortion, intention is to cover not exclusive comprising, such as, contain those steps or unit that the process of series of steps or unit, method, system, product or equipment is not necessarily limited to clearly list, but can comprise clearly do not list or for intrinsic other step of these processes, method, product or equipment or unit.
The embodiment of the present invention provides a kind of and connects detection method, the method mainly detected the connection communicated between client with server by the net control device disposed in network, and flow chart as shown in Figure 1, comprising:
Step 101, obtains client and the traffic characteristic data communicated between server, and traffic characteristic data refer to flow attribution between client and server and flow attribution value, such as bag amount, uninterrupted, average packet size and average inter-packet gap etc. here.
Be appreciated that, after connecting between client and server, can be communicated by the connection of setting up, net control device can according to certain cycle, client and the traffic characteristic data communicated between server are gathered in sampling instant, can be specifically a flow attribution and flow attribution value, also can be the value obtained after flow attribution value corresponding to multiple flow attribution carries out COMPREHENSIVE CALCULATING (calculating such as weighted value addition of such as each flow attribution value).The traffic characteristic data that then net control device obtains in this step can be included in a period of time, the traffic characteristic data that each sampling instant gathers.
Step 102, according to the traffic characteristic data obtained, obtain at least one time point, the waving interval of the traffic characteristic communicated between client with server, waving interval refers to the scope at the value place of traffic characteristic here.
Particularly, in acquisition sometime, during the waving interval of the traffic characteristic communicated between client with server, can according to but be not limited to following mode obtain:
(1) expectation and variance of the traffic characteristic data on this time point that the traffic characteristic data calculating acquisition in above-mentioned steps 101 comprise; Then expect according to the accuracy of this time upper traffic characteristic, and the expectation and variance calculated, calculate the waving interval of confidential interval as the traffic characteristic that this time point communicates between client and server.
Such as, net control device obtain continuous three week the morning on Friday 10:00 traffic characteristic data, calculate the expectation and variance of these traffic characteristic data, and suppose the accuracy of traffic characteristic on this time point expects to be 98.8%, then calculate according to the expectation of normal distribution, on this time point, the waving interval of traffic characteristic is [δ-3 ε, δ+3 ε], wherein, δ is for expecting, ε is variance, and the coefficient of variance is according to coming of accurately regularly hoping.The implication of the waving interval calculated is: on this time point, and the probability that the value of the traffic characteristic communicated between client with server drops on this waving interval is 98.8%.
(2) mean value of the traffic characteristic data on this time point of comprising of calculated flow rate characteristic, using the waving interval of the interval of the preset value that fluctuates up and down at mean value as the traffic characteristic communicated between client and server on this time point.
Such as, net control device obtain continuous three week the morning on Friday 10:00 traffic characteristic data, calculate the mean value a of these traffic characteristic data, then on this time point, the waving interval of traffic characteristic is [a-b, a+b], and wherein b is preset value.
Whether step 103, judges current time client and the traffic characteristic communicated between server, consistent with the waving interval of corresponding traffic characteristic, if unanimously, then process ends, if inconsistent, then performs step 104.When specifically judging, net control device can obtain the value of current time client and the traffic characteristic communicated between server, and compares with corresponding waving interval, if the value obtained is not in this waving interval, then inconsistent, otherwise unanimously.
Step 104, determines that client and server connect for malice in the connection of current time, can disconnect this connection.Wherein, malice connection refers to by client or simulant-client initiation, the connection queue of attempt blocking server, or the connection pushing hash etc. by setting up sky connection.
It should be noted that, in order to the convenience of calculation in above-mentioned steps 102, net control device, after acquisition above-mentioned steps 101, also needs the traffic characteristic data to obtaining to be normalized, the step 102 to 104 after then just performing the data after normalized.
Visible, in the present embodiment, mainly through the traffic characteristic data communicated between client with server, put sometime, the waving interval of the traffic characteristic communicated between client with server, to determine by waving interval whether the connection between client and server is that malice connects.Determine whether the connection between client with server is compared with malice connects with prior art according to time and the flow baseline of data on flows, what obtain in the method in the embodiment of the present invention puts corresponding traffic characteristic value sometime, it is not a fixing value, but a waving interval, so more can reflect the network condition of actual complex.
The embodiment of the present invention also provides a kind of and connects checkout gear, namely above-mentioned net control device, and its structural representation as shown in Figure 2, comprising:
Data capture unit 10, for obtaining the traffic characteristic data communicated between client with server.
Further, in order to make the calculating of interval acquiring unit 11 more convenient, this data capture unit 10 is also for being normalized described traffic characteristic data.
Interval acquiring unit 11, for the described traffic characteristic data obtained according to described data capture unit 10, obtains at least one time point, the waving interval of described client and the traffic characteristic communicated between server.
Particularly, in one case, interval acquiring unit 11 is specifically for the expectation and variance of the traffic characteristic data on the described time point that calculates described traffic characteristic data and comprise; According to the described time, the accuracy of upper traffic characteristic is expected, and the described expectation and variance calculated, and calculates the waving interval of confidential interval as the traffic characteristic communicated between client and server described on described time point.In another kind of situation, interval acquiring unit 11 is specifically for the mean value of the traffic characteristic data on the described time point that calculates described traffic characteristic data and comprise; Using the waving interval of the interval of the preset value that fluctuates up and down at described mean value as the traffic characteristic communicated between described client and server on described time point.
Malice determining unit 12, if for the traffic characteristic communicated between client with server described in current time, the waving interval of the corresponding traffic characteristic obtained with interval acquiring unit 11 is inconsistent, then determine that described client and server are that malice connects in the connection of current time.
Visible, in the present embodiment, connect the traffic characteristic data of interval acquiring unit 11 mainly through communicating between client with server in checkout gear, put sometime, the waving interval of the traffic characteristic communicated between client with server, and determine whether the connection between client and server is that malice connects by malice determining unit 12 by waving interval.Determine whether the connection between client with server is compared with malice connects with prior art according to time and the flow baseline of data on flows, what the connection checkout gear in the embodiment of the present invention obtained puts corresponding traffic characteristic value sometime, it is not a fixing value, but a waving interval, so more can reflect the network condition of actual complex.
A kind of net control device is provided, and structural representation as shown in Figure 3, this net control device can produce larger difference because of configuration or performance difference, one or more central processing units (centralprocessingunits can be comprised, CPU) 20 (such as, one or more processors) and memory 21, one or more store the storage medium 22 (such as one or more mass memory units) of application program 221 or data 222.Wherein, memory 21 and storage medium 22 can be of short duration storages or store lastingly.The program being stored in storage medium 22 can comprise one or more modules (diagram does not mark), and each module can comprise a series of command operatings in net control device.Further, central processing unit 20 can be set to communicate with storage medium 22, and net control device performs a series of command operatings in storage medium 22.
Net control device can also comprise one or more power supplys 23, one or more wired or wireless network interfaces 24, one or more input/output interfaces 25, and/or, one or more operating system 223, such as WindowsServerTM, MacOSXTM, UnixTM, LinuxTM, FreeBSDTM etc.
The step performed by net control device described in said method embodiment can based on the net control device structure shown in this Fig. 3.
One of ordinary skill in the art will appreciate that all or part of step in the various methods of above-described embodiment is that the hardware that can carry out instruction relevant by program has come, this program can be stored in a computer-readable recording medium, and storage medium can comprise: read-only memory (ROM), random access memory (RAM), disk or CD etc.
Above to data transmission method, system and relevant device that the embodiment of the present invention provides, wherein network node comprises subscriber equipment and server, be described in detail, apply specific case herein to set forth principle of the present invention and execution mode, the explanation of above embodiment just understands method of the present invention and core concept thereof for helping; Meanwhile, for one of ordinary skill in the art, according to thought of the present invention, all will change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.

Claims (10)

1. connect a detection method, it is characterized in that, comprising:
Obtain client and the traffic characteristic data communicated between server;
According to the described traffic characteristic data obtained, obtain at least one time point, the waving interval of described client and the traffic characteristic communicated between server;
If the traffic characteristic communicated between client with server described in current time, inconsistent with the waving interval of corresponding traffic characteristic, then determine that described client and server are that malice connects in the connection of current time.
2. the method for claim 1, is characterized in that, described traffic characteristic data specifically comprise: a flow attribution and flow attribution value, or flow attribution value corresponding to multiple flow attribution carry out COMPREHENSIVE CALCULATING after the value that obtains.
3. method as claimed in claim 1 or 2, is characterized in that, according to the described traffic characteristic data obtained, obtain at least one time point described on a time point, described client and the waving interval of the traffic characteristic communicated between server, specifically comprise:
Calculate the expectation and variance of the traffic characteristic data on described time point that described traffic characteristic data comprise;
According to the described time, the accuracy of upper traffic characteristic is expected, and the described expectation and variance calculated, and calculates the waving interval of confidential interval as the traffic characteristic communicated between client and server described on described time point.
4. method as claimed in claim 1 or 2, is characterized in that, according to the described traffic characteristic data obtained, obtain at least one time point described on a time point, described client and the waving interval of the traffic characteristic communicated between server, specifically comprise:
Calculate the mean value of the traffic characteristic data on described time point that described traffic characteristic data comprise;
Using the waving interval of the interval of the preset value that fluctuates up and down at described mean value as the traffic characteristic communicated between described client and server on described time point.
5. method as claimed in claim 1 or 2, it is characterized in that, described acquisition client, with after the traffic characteristic data communicated between server, also comprises:
Described traffic characteristic data are normalized.
6. connect a checkout gear, it is characterized in that, comprising:
Data capture unit, for obtaining the traffic characteristic data communicated between client with server;
Interval acquiring unit, for the described traffic characteristic data obtained according to described data capture unit, obtains at least one time point, the waving interval of described client and the traffic characteristic communicated between server;
Malice determining unit, if the traffic characteristic for communicating between client with server described in current time, inconsistent with the waving interval of corresponding traffic characteristic, then determine that described client and server are that malice connects in the connection of current time.
7. device as claimed in claim 6, it is characterized in that, the described traffic characteristic data that described data capture unit obtains specifically comprise: a flow attribution and flow attribution value, or flow attribution value corresponding to multiple flow attribution carry out COMPREHENSIVE CALCULATING after the value that obtains.
8. device as claimed in claims 6 or 7, is characterized in that,
Described interval acquiring unit, specifically for calculating the expectation and variance of the traffic characteristic data on described time point that described traffic characteristic data comprise; According to the described time, the accuracy of upper traffic characteristic is expected, and the described expectation and variance calculated, and calculates the waving interval of confidential interval as the traffic characteristic communicated between client and server described on described time point.
9. device as claimed in claims 6 or 7, is characterized in that,
Described interval acquiring unit, specifically for calculating the mean value of the traffic characteristic data on described time point that described traffic characteristic data comprise; Using the waving interval of the interval of the preset value that fluctuates up and down at described mean value as the traffic characteristic communicated between described client and server on described time point.
10. device as claimed in claims 6 or 7, is characterized in that, described data capture unit, also for being normalized described traffic characteristic data.
CN201410509942.2A 2014-09-28 2014-09-28 Connection detection method and device Active CN105530219B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410509942.2A CN105530219B (en) 2014-09-28 2014-09-28 Connection detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410509942.2A CN105530219B (en) 2014-09-28 2014-09-28 Connection detection method and device

Publications (2)

Publication Number Publication Date
CN105530219A true CN105530219A (en) 2016-04-27
CN105530219B CN105530219B (en) 2019-12-10

Family

ID=55772207

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410509942.2A Active CN105530219B (en) 2014-09-28 2014-09-28 Connection detection method and device

Country Status (1)

Country Link
CN (1) CN105530219B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357474A (en) * 2016-08-30 2017-01-25 成都科来软件有限公司 Data flow baseline acquisition method and device based on link
CN109039833A (en) * 2018-09-30 2018-12-18 网宿科技股份有限公司 A kind of method and apparatus monitoring bandwidth status
CN110198298A (en) * 2018-10-11 2019-09-03 腾讯科技(深圳)有限公司 A kind of information processing method, device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6104182A (en) * 1997-10-15 2000-08-15 Siemens Ag Method of deriving a signal indicating an oscillation in an electric power supply system
CN101355463A (en) * 2008-08-27 2009-01-28 成都市华为赛门铁克科技有限公司 Method, system and equipment for judging network attack
CN102882895A (en) * 2012-10-31 2013-01-16 杭州迪普科技有限公司 Method and device for identifying message attack
CN103580905A (en) * 2012-08-09 2014-02-12 中兴通讯股份有限公司 Method and system for flow forecasting and method and system for flow monitoring

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6104182A (en) * 1997-10-15 2000-08-15 Siemens Ag Method of deriving a signal indicating an oscillation in an electric power supply system
CN101355463A (en) * 2008-08-27 2009-01-28 成都市华为赛门铁克科技有限公司 Method, system and equipment for judging network attack
CN103580905A (en) * 2012-08-09 2014-02-12 中兴通讯股份有限公司 Method and system for flow forecasting and method and system for flow monitoring
CN102882895A (en) * 2012-10-31 2013-01-16 杭州迪普科技有限公司 Method and device for identifying message attack

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357474A (en) * 2016-08-30 2017-01-25 成都科来软件有限公司 Data flow baseline acquisition method and device based on link
CN109039833A (en) * 2018-09-30 2018-12-18 网宿科技股份有限公司 A kind of method and apparatus monitoring bandwidth status
US10965565B2 (en) 2018-09-30 2021-03-30 Wangsu Science & Technology Co., Ltd. Method and apparatus for monitoring bandwidth condition
CN109039833B (en) * 2018-09-30 2022-11-22 网宿科技股份有限公司 Method and device for monitoring bandwidth state
CN110198298A (en) * 2018-10-11 2019-09-03 腾讯科技(深圳)有限公司 A kind of information processing method, device and storage medium
CN110198298B (en) * 2018-10-11 2021-08-27 腾讯科技(深圳)有限公司 Information processing method, device and storage medium

Also Published As

Publication number Publication date
CN105530219B (en) 2019-12-10

Similar Documents

Publication Publication Date Title
US10854059B2 (en) Wireless sensor network
CN108141385B (en) Cloud-based system and method for managing test configuration of cable test equipment
CN103532774B (en) A kind of Intelligent speed-measuring client and Intelligent speed-measuring method thereof
CN107770263A (en) A kind of internet-of-things terminal safety access method and system based on edge calculations
US10038401B2 (en) Systems and methods for fault detection
CN109889512B (en) Charging pile CAN message abnormity detection method and device
CN104270609A (en) Method, system and device for remote monitoring
CN109005528A (en) A kind of bluetooth mesh gateway data polymerization report method
CN105912448A (en) Intelligent method for calibrating battery capacity
WO2015039430A1 (en) Optical power data processing method, device and computer storage medium
CN105530219A (en) Method and device for connection detection
CN111181930A (en) DDoS attack detection method, device, computer equipment and storage medium
CN110213734A (en) A kind of dynamic data packet communication method and system based on intelligent building Internet of Things
CN113676534A (en) AI algorithm flow and service all-in-one machine based on edge calculation
CN116980958A (en) Radio equipment electric fault monitoring method and system based on data identification
CN106227641A (en) A kind of hardware performance monitoring method and system
CN104185195A (en) Mobile web performance measuring method, device and system
JP7149387B2 (en) A self-adaptive calibration response method to the load of an electrical equipment level load frequency control system
CN107453786B (en) Method and device for establishing electric power communication network model
CN106066415B (en) Method and device for detecting fraud in an electrical power supply network, storage means
CN105843211A (en) System and method for monitoring test on power battery management system
CN109800079B (en) Node adjusting method in medical insurance system and related device
CN115712529A (en) Edge intelligent equipment testing method, device, equipment and storage medium
CN112383942B (en) Method, system and equipment for testing online efficiency of communication module
CN114745616A (en) Underground heat information remote monitoring and early warning system and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant