CN106059854B - Cross-network traffic penetration detection method and system - Google Patents

Publication number: CN106059854B
Authority: CN (China)
Legal status: Active
Application number: CN201610370862.2A
Other languages: Chinese (zh)
Other versions: CN106059854A (en)
Inventors: 黄韬, 吴兴利, 戴云伟, 林金印, 孙庆冲, 唐天龙
Current Assignee: NANJING USPEED NETWORK TECHNOLOGY Co Ltd
Original Assignee: NANJING USPEED NETWORK TECHNOLOGY Co Ltd
Prior art keywords: packet, flow, cross-network, probe end, data

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/12: Network monitoring probes
    • H04L43/02: Capturing of monitoring data
    • H04L43/022: Capturing of monitoring data by sampling
    • H04L43/028: Capturing of monitoring data by filtering

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and system for detecting cross-network traffic penetration. To address the cross-network traffic penetration phenomenon, it compares the data packets of normal access with those of abnormal traffic penetration and uses the difference in their features to judge whether traffic is abnormal penetration. The system identifies cross-network traffic penetration with high accuracy, avoiding the risk of customer complaints and account cancellations caused by blocking traffic that was misidentified.

Description

Cross-network traffic penetration detection method and system
Technical field
The invention belongs to the technical field of computer network transmission, and in particular relates to a method and system for detecting cross-network traffic penetration.
Background
Because domestic operators hold different resources, a user may request a resource that is not available on the home network but is available on another operator's network. To make data exchange and transmission between operators convenient, the operators open ports to one another and interconnect, so that users reach other networks without noticing. At present, domestic operators interconnect in three main ways: first, direct connection between backbone networks; second, interconnection through a NAP point; third, access through a third party. Whichever way is used, inter-network settlement arises. Under the rules of the Ministry of Industry and Information Technology, to compensate the backbone networks of China Telecom and China Unicom, settlement is one-way: other operators pay them, to offset the cost of building the network and providing service.
In recent years, cross-network traffic penetration has appeared and has become increasingly serious. So-called "traffic penetration access" refers to the following: because there is a gap between the fixed price and the market price of Internet bandwidth, some companies buy bandwidth from operator B and resell it to a weaker operator A; this path is called "traffic penetration". Using traffic penetration access, operator A enters operator B's network in some way and accesses operator B's resources directly, bypassing the interconnection gateway, as shown in Fig. 1. On the one hand this makes operation and maintenance harder for operator B; on the other hand it violates the normal operating process and causes operator B economic loss.
Summary of the invention
The technical problem to be solved by the invention is to provide, in view of the defects and deficiencies of the background art described above, a method and system for detecting cross-network traffic penetration. By comparing the data packets of normal access with those of abnormal traffic penetration, the difference in their features is used to judge whether traffic is abnormal penetration. The method and system identify penetration with high accuracy, avoiding the risk of customer complaints and account cancellations caused by blocking traffic that was misidentified.
The cross-network traffic penetration detection method provided by the invention comprises the following steps:
Step 1: a detection module is deployed at the gateway of an operator under test; a device carrying the detection module is called a probe end, and the probe end is configured;
Step 2: the probe end is started; it begins extracting the characteristic data packets of user access according to the configured policy rules and uploads the extracted packets to a database;
Step 3: based on the key information in the data packets, the data statistics and analysis module compares whether the URL path in each user HTTP request packet matches the DNS resolution information, and thereby judges whether the traffic is cross-network traffic penetration.
In step 1, the probe end is configured through a configuration module, which comprises a probe policy section and a policy activation section;
The probe policy section is responsible for the settings; the configured content includes:
extraction time, extraction frequency, packet size, and packet filtering requirements.
Step 2 specifically comprises:
Step 2.1: the policy activation section assigns policies to the different probe ends and puts them into effect;
Step 2.2: the probe end extracts the packets that meet the requirements according to the probe policy that has been set; these packets include HTTP request packets and DNS resolution packets;
Step 2.3: after extracting the data, the probe end uploads the relevant data to the database for storage.
Step 3 specifically comprises:
Step 3.1: first, the raw data in the database is preprocessed: the data items of each HTTP request packet are split out and the URL path is extracted;
Step 3.2: next, whether the URL information in the HTTP request packet matches the DNS information is analyzed; a successful match indicates normal access behavior, and a failed match indicates cross-network traffic penetration;
Step 3.3: the specific information on cross-network traffic penetration is queried by conditional filtering, so that administrators can review the details and make decisions.
The cross-network traffic penetration detection system comprises a detection module, a data statistics and analysis module, a configuration module, and a device management module;
The detection module is deployed at the gateway of an operator under test; a device carrying the detection module is called a probe end;
The data statistics and analysis module preprocesses the raw data in the database, splitting out the data items of each HTTP request packet and extracting the URL path; it analyzes whether the URL information in the HTTP request packet matches the DNS information, where a successful match indicates normal access behavior and a failed match indicates cross-network traffic penetration; and it queries the specific information on cross-network traffic penetration by conditional filtering, so that administrators can review the details and make decisions;
The configuration module configures the probe end;
The device management module feeds back records of the real-time monitoring of the probe end's device performance and service running status.
The configuration module comprises a probe policy section and a policy activation section;
The probe policy section is responsible for the settings; the configured content includes:
extraction time, extraction frequency, packet size, and packet filtering requirements;
The policy activation section assigns policies to the different probe ends and puts them into effect.
The performance status covers periodic collection of CPU, memory, and storage parameters;
The service running status includes the location topology diagram, the running status, and information on the probe policies being executed.
Compared with the prior art, the invention, by adopting the above technical scheme, has the following technical effects:
By extracting data packets and comparing whether the URL path in each user HTTP request packet matches the DNS resolution information, the system determines whether the access is normal. A successful match is regarded as normal access behavior; a failed match is judged to be cross-network traffic penetration. This judgment rule greatly improves the accuracy with which the system identifies cross-network traffic penetration.
The system has a flexible configuration policy: it supports uninterrupted all-day monitoring as well as sampled detection of traffic packets over multiple time periods. The all-day mode finds existing cross-network traffic penetration to the greatest extent; sampling in key time periods saves storage space and improves processing efficiency.
Whichever mode is used, both share one advantage: the accuracy of identifying cross-network traffic penetration is high, close to 100%.
Brief description of the drawings
Fig. 1 is a schematic diagram of the normal and abnormal paths of outbound access;
Fig. 2 is a functional block diagram of the cross-network traffic penetration detection system;
Fig. 3 is a flow chart of the cross-network traffic penetration detection method.
Detailed description of the embodiments
The invention provides a method and system for detecting cross-network traffic penetration. To make the purpose, technical scheme, and effects of the invention clearer, the invention is described in more detail below with reference to the drawings and examples. It should be understood that the specific implementations described here only explain the invention and are not intended to limit it.
When a user accesses a website in the normal way, DNS resolution first succeeds and returns the website's destination address, and a connection is then established with the web server. The URL data in the HTTP request packet sent to the destination website will then match the DNS resolution information. That is, the URL data of each HTTP request packet corresponds one-to-one with a DNS resolution record; if the URL data does not match the DNS resolution information, the request packet represents abnormal access, that is, cross-network traffic penetration has occurred.
Because normal website access has the feature that the DNS resolution information matches the URL of the HTTP request packet, our company has developed a cross-network traffic penetration detection system based on this feature. Its modules are mainly the detection module, the data statistics and analysis module, the configuration module, and the device management module, as shown in Fig. 2.
The system has four modules: the detection module, the data statistics and analysis module, the configuration module, and the device management module. The detection module is deployed at the gateway of an operator under test, and a device carrying the detection module is called a probe end. The data statistics and analysis module preprocesses the raw data in the database, splitting out the data items of each HTTP request packet and extracting the URL path; it analyzes whether the URL information in the HTTP request packet matches the DNS information, where a successful match indicates normal access behavior and a failed match indicates cross-network traffic penetration; and it queries the specific information on cross-network traffic penetration by conditional filtering, so that administrators can review the details and make decisions. The configuration module configures the probe end. The device management module feeds back records of the real-time monitoring of the probe end's device performance and service running status.
The configuration module comprises a probe policy section and a policy activation section. The probe policy section is responsible for the settings, which include extraction time, extraction frequency, packet size, and packet filtering requirements. The policy activation section assigns policies to the different probe ends and puts them into effect.
The performance status covers periodic collection of CPU, memory, and storage parameters; the service running status includes the location topology diagram, the running status, and information on the probe policies being executed.
The detection module of the system is installed on the probe ends. There can be multiple probe ends, distributed across different regions; they are deployed at the home gateway of operator B. The other modules are installed centrally on an application server and are used for analysis, configuration management, and so on.
Under this deployment scheme, the operating workflow of the system is shown in Fig. 3 and mainly consists of:
Step 1: a detection module is deployed at the gateway of an operator under test; a device carrying the detection module is called a probe end, and the probe end is configured. The probe policy section of the configuration module is configured with conditions including the probe time period, probe frequency, packet size, and filtering. If nothing is set, the default is to extract all data all day.
Step 2: the policy activation section of the configuration module assigns policies to the different probe ends and puts them into effect. One probe end can have multiple probe policies, as long as they do not conflict. The probe end is started; it begins extracting the characteristic data packets of user access according to the configured policy rules, taking the packets that meet the requirements of the probe policy that has been set, and uploads the extracted packets to the database. These packets include HTTP request packets and DNS resolution packets. Probe devices can be started one at a time or in batches. Once started, the probe end begins the packet extraction work according to the corresponding policy rules.
Step 3: based on the key information in the data packets, the data statistics and analysis module compares whether the URL path in each user HTTP request packet matches the DNS resolution information, and thereby judges whether the traffic is cross-network traffic penetration.
First, the raw data in the database is preprocessed: the data items of each HTTP request packet are split out and the URL path is extracted. Next, whether the URL information in the HTTP request packet matches the DNS information is analyzed; a successful match indicates normal access behavior, and a failed match indicates cross-network traffic penetration. Finally, the specific information on cross-network traffic penetration is queried by conditional filtering, so that administrators can review the details and make decisions.
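The matching rule of step 3, as an added example that is not part of the patent text: it assumes "match" means that the same client previously resolved the request's host name to the destination IP of the HTTP request. The record field names, the `max_age` window, and the sample records are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records standing in for what a probe end uploads.
# Field names are assumptions for this example, not taken from the patent.
DNS_ANSWERS = [
    {"ts": 100.0, "client": "10.0.0.5", "qname": "www.example.com.", "ips": ["203.0.113.10"]},
    {"ts": 101.0, "client": "10.0.0.6", "qname": "cdn.example.net", "ips": ["198.51.100.7", "198.51.100.8"]},
]
HTTP_REQUESTS = [
    {"ts": 100.2, "client": "10.0.0.5", "dst_ip": "203.0.113.10", "host": "WWW.Example.com", "target": "/index.html"},
    {"ts": 101.5, "client": "10.0.0.6", "dst_ip": "198.51.100.8", "host": "cdn.example.net:80", "target": "/a.js"},
    {"ts": 102.0, "client": "10.0.0.5", "dst_ip": "192.0.2.99", "host": "www.example.com", "target": "/video.mp4"},
    {"ts": 103.0, "client": "10.0.0.7", "dst_ip": "192.0.2.50", "host": "", "target": "http://media.example.org/x"},
]


def normalize_host(host):
    """Lower-case, drop any :port and trailing dot (bracketed IPv6 kept whole)."""
    host = host.strip().lower()
    if host.startswith("["):
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0].rstrip(".")


def request_host(req):
    """Step 3.1: split the request and pull the host out of its URL.

    An absolute-form request target takes precedence over the Host header.
    """
    target = req.get("target", "")
    if "://" in target:
        return normalize_host(urlsplit(target).netloc)
    return normalize_host(req.get("host", ""))


def build_dns_index(answers):
    """Map (client, name) -> list of (timestamp, set of answered IPs)."""
    index = defaultdict(list)
    for a in answers:
        key = (a["client"], normalize_host(a["qname"]))
        index[key].append((a["ts"], set(a["ips"])))
    return index


def classify(requests, answers, max_age=300.0):
    """Step 3.2: label each request 'normal' or 'penetration-suspect'.

    Assumed rule: a request matches when the same client resolved the
    requested host to the request's destination IP at most max_age
    seconds before the request was sent.
    """
    index = build_dns_index(answers)
    results = []
    for r in requests:
        host = request_host(r)
        matched = any(
            0 <= r["ts"] - ts <= max_age and r["dst_ip"] in ips
            for ts, ips in index.get((r["client"], host), [])
        )
        verdict = "normal" if matched else "penetration-suspect"
        results.append({**r, "host": host, "verdict": verdict})
    return results


def query(results, **conditions):
    """Step 3.3: conditional filtering over the classified records."""
    return [r for r in results if all(r.get(k) == v for k, v in conditions.items())]
```

A request also fails the match when its DNS lookup happened before capture started or went through a resolver the probe cannot see, which is why the verdict is `penetration-suspect` and the `max_age` window is adjustable.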
In addition to the business processing flow above, the system also has a status monitoring function, covering both device performance and service operation. Device performance data can be viewed in the performance information module of the device management module; the service running status can be viewed in the service operation module of device management.

Claims (6)

1. A cross-network traffic penetration detection method, characterized in that the method comprises the following steps:
Step 1: a detection module is deployed at the gateway of an operator under test; a device carrying the detection module is called a probe end, and the probe end is configured;
Step 2: the probe end is started; it begins extracting the characteristic data packets of user access according to the configured policy rules and uploads the extracted characteristic data packets to a database;
Step 2.1: the policy activation section assigns policies to the different probe ends and puts them into effect;
Step 2.2: the probe end extracts the characteristic data packets that meet the requirements according to the probe policy that has been set; the characteristic data packets include HTTP request packets and DNS resolution packets;
Step 2.3: after extracting the data, the probe end uploads the relevant data to the database for storage;
Step 3: based on the key information in the characteristic data packets, the data statistics and analysis module compares whether the URL path in each user HTTP request packet matches the information in the DNS resolution packets, and thereby judges whether the traffic is cross-network traffic penetration.
2. The cross-network traffic penetration detection method according to claim 1, characterized in that, in step 1, the probe end is configured through a configuration module, and the configuration module comprises a probe policy section and a policy activation section;
The probe policy section is responsible for the settings; the configured content includes:
extraction time, extraction frequency, packet size, and packet filtering requirements.
3. The cross-network traffic penetration detection method according to claim 1, characterized in that step 3 specifically comprises:
Step 3.1: first, the characteristic data packets in the database are preprocessed: the data items of each HTTP request packet are split out and the URL path is extracted;
Step 3.2: next, whether the URL information in the HTTP request packet matches the information in the DNS resolution packets is analyzed; a successful match indicates normal access behavior, and a failed match indicates cross-network traffic penetration;
Step 3.3: the specific information on cross-network traffic penetration is queried by conditional filtering, so that administrators can review the details and make decisions.
4. A cross-network traffic penetration detection system, characterized in that the system comprises a detection module, a data statistics and analysis module, a configuration module, and a device management module;
The detection module is deployed at the gateway of an operator under test; a device carrying the detection module is called a probe end;
The data statistics and analysis module preprocesses the characteristic data packets in the database, splitting out the data items of each HTTP request packet and extracting the URL path; it analyzes whether the URL information in the HTTP request packet matches the information in the DNS resolution packets, where a successful match indicates normal access behavior and a failed match indicates cross-network traffic penetration; and it queries the specific information on cross-network traffic penetration by conditional filtering, so that administrators can review the details and make decisions;
The configuration module configures the probe end;
The device management module feeds back records of the real-time monitoring of the probe end's device performance and service running status.
5. The cross-network traffic penetration detection system according to claim 4, characterized in that
the configuration module comprises a probe policy section and a policy activation section;
The probe policy section is responsible for the settings; the configured content includes:
extraction time, extraction frequency, packet size, and packet filtering requirements;
The policy activation section assigns policies to the different probe ends and puts them into effect.
6. The cross-network traffic penetration detection system according to claim 4, characterized in that the performance status covers periodic collection of CPU, memory, and storage parameters;
The service running status includes the location topology diagram, the running status, and information on the probe policies being executed.

Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN201610370862.2A     2016-05-30       2016-05-30     Cross-network traffic penetration detection method and system

Publications (2)

Publication Number    Publication Date
CN106059854A          2016-10-26
CN106059854B          2019-05-07
