CN106059854B - Cross-network traffic penetration detection method and system - Google Patents
- Publication number: CN106059854B
- Application number: CN201610370862.2A
- Authority: CN (China)
- Prior art keywords: packet, flow, cross-network, probe end, data
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
  - H04L43/12—Network monitoring probes
  - H04L43/02—Capturing of monitoring data
    - H04L43/022—Capturing of monitoring data by sampling
    - H04L43/028—Capturing of monitoring data by filtering
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The cross-network traffic penetration detection method and system provided by the invention address the cross-network traffic penetration phenomenon. By comparing the data packets of normal access with those of abnormal traffic penetration, the differences in their features are identified and used to judge whether behavior is abnormal traffic penetration. The system identifies cross-network traffic penetration with high accuracy, avoiding the risk of customer complaints and cancellations caused by blocking traffic that was misidentified.
Description
Technical field
The invention belongs to the technical field of computer network transmission, and in particular relates to a cross-network traffic penetration detection method and system.
Background art
Because domestic operators do not hold the same resources, a user may request a resource that is not available on the home network but is available on an outside operator's network. To make data exchange and transmission between operators convenient, the operators open ports to each other and interconnect, so that users reach outside networks without noticing. At present, domestic carriers interconnect in three main ways: first, direct connection between backbone networks; second, interconnection through NAP points; third, access through a third party. Whichever way is used, inter-network settlement is incurred. Under the regulations of the Ministry of Industry and Information Technology, to compensate the backbone networks of China Telecom and China Unicom, inter-network settlement is one-way: other operators pay them, to make up for the cost of building the network and providing service.
In recent years, cross-network traffic penetration has appeared and has become increasingly serious. So-called "penetration traffic access" refers to the following: because there is a gap between the fixed price and the market price of Internet bandwidth, some companies buy bandwidth from operator B and resell it to the weaker operator A. This path is called "traffic penetration". Using traffic penetration access, operator A enters operator B's network by some means and accesses operator B's resources directly, bypassing the interconnection gateway, as shown in Fig. 1. On the one hand this makes operation and maintenance harder for operator B; on the other hand it violates the normal operating process and causes operator B economic loss.
Summary of the invention
The technical problem to be solved by the present invention is to provide, in view of the defects and deficiencies of the background art described above, a cross-network traffic penetration detection method and system. By comparing the data packets of normal access with those of abnormal traffic penetration, the differences in their features are identified and used to judge whether behavior is abnormal traffic penetration. The method and system identify penetration with high accuracy and avoid the risk of customer complaints and cancellations caused by blocking misidentified traffic.
The cross-network traffic penetration detection method provided by the invention comprises the following steps:
Step 1: a detection module is deployed at the gateway of the operator under test; a device carrying the detection module is called a probe end, and the probe end is configured;
Step 2: the probe end is started; following the configured policy rules, it extracts the characteristic data packets of user access and uploads the extracted packets to a database;
Step 3: using the key information in the data packets, the data statistics and analysis module compares whether the URL path in each user HTTP request packet matches the DNS resolution information, and thereby judges whether the traffic is cross-network traffic penetration.
In step 1, the probe end is configured through a configuration module, which comprises a detection policy section and a policy activation section;
The detection policy section is responsible for the configuration settings, which include:
extraction time, extraction frequency, data packet size, and packet filtering requirements.
Step 2 specifically comprises:
Step 2.1: the policy activation section assigns policies to the different probe ends and activates them;
Step 2.2: the probe end extracts the data packets that meet the requirements of the configured detection policy; the data packets include HTTP request packets and DNS resolution packet information;
Step 2.3: after extracting the data, the probe end uploads the relevant data to the database for storage.
Step 3 specifically comprises:
Step 3.1: first, the raw data in the database is preprocessed: the data items of each HTTP request packet are split and the URL path is extracted;
Step 3.2: next, the URL information in the HTTP request packet is checked against the DNS information; a successful match indicates normal access behavior, and a failed match indicates cross-network traffic penetration;
Step 3.3: the specific information about cross-network traffic penetration is queried by conditional filtering, so that managers can understand the details and make decisions.
The cross-network traffic penetration detection system comprises a detection module, a data statistics and analysis module, a configuration module and a device management module;
The detection module is deployed at the gateway of the operator under test; a device carrying the detection module is called a probe end;
The data statistics and analysis module preprocesses the raw data in the database, splitting the data items of each HTTP request packet and extracting the URL path; it checks whether the URL information in the HTTP request packet matches the DNS information, where a successful match indicates normal access behavior and a failed match indicates cross-network traffic penetration; and it queries the specific information about cross-network traffic penetration by conditional filtering, so that managers can understand the details and make decisions;
The configuration module configures the probe end;
The device management module feeds back records of real-time monitoring of the probe end's device performance and service operation status.
The configuration module comprises a detection policy section and a policy activation section;
The detection policy section is responsible for the configuration settings, which include:
extraction time, extraction frequency, data packet size, and packet filtering requirements;
The policy activation section assigns policies to the different probe ends and activates them.
The performance state includes periodic collection of CPU, memory and storage parameters;
The service operation state includes the position topology diagram, the running status, and information on the probe policies being executed.
Compared with the prior art, the invention, by adopting the above technical scheme, has the following technical effects:
By extracting data packets and comparing whether the URL path in each user HTTP request packet matches the DNS resolution information, the system determines whether the access is normal. A successful match is treated as normal access behavior; a failed match is judged to be cross-network traffic penetration. This judgment rule greatly improves the accuracy with which the system identifies cross-network traffic penetration.
The system has a flexible configuration policy: it supports uninterrupted all-day monitoring as well as sampled detection of traffic packets over multiple time periods. All-day mode finds existing cross-network traffic penetration to the greatest possible extent; sampling during key periods saves storage space and improves processing efficiency.
Whichever mode is used, they share one specific advantage: the accuracy of identifying cross-network traffic penetration is high, close to 100%.
Description of the drawings
Fig. 1 is a schematic diagram of the normal and abnormal paths of outbound access;
Fig. 2 is a functional block diagram of the cross-network traffic penetration detection system;
Fig. 3 is a flowchart of the cross-network traffic penetration detection method.
Specific embodiment
The present invention provides a cross-network traffic penetration detection method and system. To make the purpose, technical solution and effects of the invention clearer, the invention is described in more detail below with reference to the drawings and examples. It should be understood that the specific implementations described here only explain the invention and are not intended to limit it.
If a user accesses a website in the normal way, DNS resolution succeeds first and yields the destination address of the website, and a connection is then established with the web server. The URL data in the HTTP request packet sent to the destination website will then match the DNS resolution information. That is, the URL data of each HTTP request packet corresponds one-to-one with a DNS resolution record; if the URL data does not match the DNS resolution information, the request packet represents abnormal access, that is, cross-network traffic penetration has occurred.
Because normal website access is characterized by DNS resolution information that matches the URL of the HTTP request packet, our company developed the cross-network traffic penetration detection system on the basis of this feature. The system mainly comprises a detection module, a data statistics and analysis module, a configuration module and a device management module, as shown in Fig. 2.
The system has 4 modules: the detection module, the data statistics and analysis module, the configuration module and the device management module. The detection module is deployed at the gateway of the operator under test, and a device carrying the detection module is called a probe end. The data statistics and analysis module preprocesses the raw data in the database, splitting the data items of each HTTP request packet and extracting the URL path; it checks whether the URL information in the HTTP request packet matches the DNS information, where a successful match indicates normal access behavior and a failed match indicates cross-network traffic penetration; and it queries the specific information about cross-network traffic penetration by conditional filtering, so that managers can understand the details and make decisions. The configuration module configures the probe end. The device management module feeds back records of real-time monitoring of the probe end's device performance and service operation status.
The configuration module comprises a detection policy section and a policy activation section. The detection policy section is responsible for the configuration settings, which include: extraction time, extraction frequency, data packet size, and packet filtering requirements. The policy activation section assigns policies to the different probe ends and activates them.
The performance state includes periodic collection of CPU, memory and storage parameters. The service operation state includes the position topology diagram, the running status, and information on the probe policies being executed.
The detection module of the system is installed on the probe ends; there can be multiple probe ends, distributed across different regions. They are deployed at the home gateway of operator B. The other modules are installed centrally on an application server, for analysis, configuration management and so on.
With this deployment scheme, the operating workflow of the system is as shown in Fig. 3 and mainly consists of the following:
Step 1: a detection module is deployed at the gateway of the operator under test; a device carrying the detection module is called a probe end, and the probe end is configured. The policy configuration section of the configuration module includes conditions such as the probe time period, probe frequency, data packet size, and filtering. If these are not set, the default is to extract all data, all day.
Step 2: the policy activation section assigns policies to the different probe ends and activates them. The probe end is started; following the configured policy rules, it extracts the characteristic data packets of user access and uploads the extracted packets to the database. In the configuration module, the policy activation section assigns policies to the different probe ends and activates them. One probe end can have multiple probe policies, as long as they do not conflict; the probe end extracts the data packets that meet the requirements of the configured detection policy. The data packets include HTTP request packets and DNS resolution packet information. Probe devices can be started one at a time or in batches. Once started, a probe end begins extracting data packets according to the corresponding policy rules.
Step 3: using the key information in the data packets, the data statistics and analysis module compares whether the URL path in each user HTTP request packet matches the DNS resolution information, and thereby judges whether the traffic is cross-network traffic penetration.
First, the raw data in the database is preprocessed: the data items of each HTTP request packet are split and the URL path is extracted. Next, the URL information in the HTTP request packet is checked against the DNS information; a successful match indicates normal access behavior, and a failed match indicates cross-network traffic penetration. The specific information about cross-network traffic penetration is then queried by conditional filtering, so that managers can understand the details and make decisions.
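The step 3 comparison can be sketched as follows. This is an added example, not code from the patent or its applicant. It assumes that a "match" means the probe earlier captured a DNS answer for the same user whose name equals the request's host and whose answer set contains the request's destination address; the record layouts, the `max_age` window and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class DnsAnswer:        # one DNS resolution record uploaded by a probe end
    ts: float           # capture time in seconds
    client: str         # user address that issued the query
    qname: str          # name that was resolved
    addrs: tuple        # addresses returned in the answer

@dataclass(frozen=True)
class HttpRequest:      # one HTTP request packet uploaded by a probe end
    ts: float
    client: str
    dst: str            # server address the request was sent to
    raw: bytes          # request line and headers as captured

def extract_url(raw):
    """Step 3.1: split the request into its data items, return (host, path)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return "", ""                                 # unparseable request line
    target = request_line[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.lower().startswith(("http://", "https://")):   # absolute-form
        parts = urlsplit(target)
        host, path = parts.hostname or "", parts.path or "/"
    else:                                             # origin-form + Host header
        host, path = headers.get("host", ""), target
        if host.count(":") == 1:                      # drop an explicit port
            host = host.split(":")[0]
    return host.rstrip(".").lower(), path

def classify(dns_log, http_log, max_age=3600.0):
    """Step 3.2: a request is normal only if an earlier DNS answer explains it.

    max_age (assumed parameter) bounds how old that answer may be, in seconds.
    """
    index = {}
    for a in dns_log:
        index.setdefault((a.client, a.qname.rstrip(".").lower()), []).append(a)
    rows = []
    for r in http_log:
        host, path = extract_url(r.raw)
        matched = any(r.dst in a.addrs and 0 <= r.ts - a.ts <= max_age
                      for a in index.get((r.client, host), []))
        rows.append({"client": r.client, "host": host, "path": path,
                     "dst": r.dst,
                     "verdict": "normal" if matched else "penetration"})
    return rows

def query(rows, **conditions):
    """Step 3.3: conditional filtering over the classified records."""
    return [row for row in rows
            if all(row.get(k) == v for k, v in conditions.items())]

def make_request(line, host):
    return f"{line}\r\nHost: {host}\r\nUser-Agent: demo\r\n\r\n".encode("latin-1")

# Constructed sample records (documentation address ranges, example domains).
DNS_LOG = [
    DnsAnswer(100.0, "198.51.100.10", "www.example.com", ("203.0.113.20",)),
    DnsAnswer(105.0, "198.51.100.11", "CDN.example.net.",
              ("203.0.113.30", "203.0.113.31")),
]
HTTP_LOG = [
    HttpRequest(101.0, "198.51.100.10", "203.0.113.20",
                make_request("GET /index.html HTTP/1.1", "www.example.com")),
    HttpRequest(106.0, "198.51.100.11", "203.0.113.31",
                make_request("GET http://cdn.example.net/a.js HTTP/1.1",
                             "cdn.example.net")),
    HttpRequest(110.0, "198.51.100.12", "192.0.2.99",    # no DNS answer seen
                make_request("GET /video.mp4 HTTP/1.1", "media.example.org")),
    HttpRequest(120.0, "198.51.100.10", "192.0.2.99",    # name resolved elsewhere
                make_request("GET /index.html HTTP/1.1", "www.example.com:8080")),
]

if __name__ == "__main__":
    for row in query(classify(DNS_LOG, HTTP_LOG), verdict="penetration"):
        print(row)
```

A user who reuses a cached resolution older than `max_age`, or who resolves names over a path the probe does not capture, also shows up as a mismatch, so the window and the probe's DNS coverage should be checked before any blocking decision is based on the verdicts.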
Besides the business processing flow above, the system also provides status monitoring, covering both device performance and service operation. Device performance data can be viewed in the performance information module under device management. The service operation status can be viewed in the service operation module under device management.
Claims (6)
1. A cross-network traffic penetration detection method, characterized in that the method comprises the following steps:
Step 1: a detection module is deployed at the gateway of the operator under test; a device carrying the detection module is called a probe end, and the probe end is configured;
Step 2: the probe end is started; following the configured policy rules, it extracts the characteristic data packets of user access and uploads the extracted characteristic data packets to a database;
Step 2.1: the policy activation section assigns policies to the different probe ends and activates them;
Step 2.2: the probe end extracts the characteristic data packets that meet the requirements of the configured detection policy; the characteristic data packets include HTTP request packets and DNS resolution packet information;
Step 2.3: after extracting the data, the probe end uploads the relevant data to the database for storage;
Step 3: using the key information in the characteristic data packets, the data statistics and analysis module compares whether the URL path in each user HTTP request packet matches the information in the DNS resolution data packets, and thereby judges whether the traffic is cross-network traffic penetration.
2. The cross-network traffic penetration detection method according to claim 1, characterized in that, in step 1, the probe end is configured through a configuration module, which comprises a detection policy section and a policy activation section;
The detection policy section is responsible for the configuration settings, which include:
extraction time, extraction frequency, data packet size, and packet filtering requirements.
3. The cross-network traffic penetration detection method according to claim 1, characterized in that step 3 specifically comprises:
Step 3.1: first, the characteristic data packets in the database are preprocessed: the data items of each HTTP request packet are split and the URL path is extracted;
Step 3.2: next, the URL information in the HTTP request packet is checked against the information in the DNS resolution data packets; a successful match indicates normal access behavior, and a failed match indicates cross-network traffic penetration;
Step 3.3: the specific information about cross-network traffic penetration is queried by conditional filtering, so that managers can understand the details and make decisions.
4. A cross-network traffic penetration detection system, characterized in that the system comprises a detection module, a data statistics and analysis module, a configuration module and a device management module;
The detection module is deployed at the gateway of the operator under test; a device carrying the detection module is called a probe end;
The data statistics and analysis module preprocesses the characteristic data packets in the database, splitting the data items of each HTTP request packet and extracting the URL path; it checks whether the URL information in the HTTP request packet matches the information in the DNS resolution data packets, where a successful match indicates normal access behavior and a failed match indicates cross-network traffic penetration; and it queries the specific information about cross-network traffic penetration by conditional filtering, so that managers can understand the details and make decisions;
The configuration module configures the probe end;
The device management module feeds back records of real-time monitoring of the probe end's device performance and service operation status.
5. The cross-network traffic penetration detection system according to claim 4, characterized in that
the configuration module comprises a detection policy section and a policy activation section;
The detection policy section is responsible for the configuration settings, which include:
extraction time, extraction frequency, data packet size, and packet filtering requirements;
The policy activation section assigns policies to the different probe ends and activates them.
6. The cross-network traffic penetration detection system according to claim 4, characterized in that the performance state includes periodic collection of CPU, memory and storage parameters;
The service operation state includes the position topology diagram, the running status, and information on the probe policies being executed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610370862.2A CN106059854B (en) | 2016-05-30 | 2016-05-30 | Cross-network traffic penetration detection method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106059854A | 2016-10-26 |
CN106059854B | 2019-05-07 |
Family
ID=57172186
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610370862.2A Active CN106059854B (en) | Cross-network traffic penetration detection method and system | 2016-05-30 | 2016-05-30 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106059854B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||