CN106850599B - A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID - Google Patents

A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID Download PDF

Info

Publication number
CN106850599B
CN106850599B CN201710037609.XA CN201710037609A CN106850599B CN 106850599 B CN106850599 B CN 106850599B CN 201710037609 A CN201710037609 A CN 201710037609A CN 106850599 B CN106850599 B CN 106850599B
Authority
CN
China
Prior art keywords
host
tuple
flow
user
nat
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710037609.XA
Other languages
Chinese (zh)
Other versions
CN106850599A (en
Inventor
管洋洋
苟高鹏
石俊峥
熊刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Priority to CN201710037609.XA priority Critical patent/CN106850599B/en
Publication of CN106850599A publication Critical patent/CN106850599A/en
Application granted granted Critical
Publication of CN106850599B publication Critical patent/CN106850599B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/256NAT traversal
    • H04L61/2571NAT traversal for identification, e.g. for authentication or billing 
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a kind of NAT detection methods based on fusion user behavior and sudden peal of thunder ID.The method include the steps that 1) flow processing platform extracts User-Agent, Cookie ID and sudden peal of thunder id information from the network flow of capture, and the information extracted is spliced into JSON string;2) JSON string load balancing corresponding server into flow processing platform is handled according to the five-tuple of network flow;3) server classifies to data according to five-tuple, at the end of judging the corresponding TCP flow of a certain five-tuple;Online processing is carried out to the TCP flow;Wherein, on-line processing method are as follows: host out-degree, the host in-degree that client ip is calculated according to five-tuple determine the NAT attribute of the client ip, and calculate the host scale of the client ip.The present invention can demarcate a large amount of IP attributes and precisely be judged NAT scale.

Description

A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID
Technical field
The invention belongs to the analysis of internet passive flux and NAT detection technique fields, are related to a kind of based on fusion user's row For the NAT detection method with sudden peal of thunder ID.
Background technique
NAT (Network Address Translation, network address translation) technical application slows down IP address space Exhaustion, realize the mapping relations between private network IP address and public network IP address so that tertiary-structure network comes, from And all computers in local area network are hidden and protected, it can not be accessed by public network, effectively guard against and come from The various rogue attacks of public network.Therefore, NAT technology also provides new thinking for the development of firewall technology.Nowadays, absolutely NAT technology is all integrated in most of routers, this provides safely certain guarantee for private network.
However, NAT technology equally also has negative as many other technologies in history.On the one hand, multiple users share The mode of online occupies a large amount of Internet resources, operator's increased costs;On the other hand, NAT technology is increased using passive Flow carries out the difficulty of personalized network service and illegal user's tracking.
Existing NAT method for recognizing flux is typically all to use passive detection method, and passive detection method is by passive Monitor the data traffic in network, the stem or content information of detection data packet, the body of the source IP address of Lai Jinhang data packet in ground Part judgement.According to the different characteristics of various recognition methods, existing NAT passive detection method can be generally divided into two big Classification, be respectively as follows: the recognition methods based on ICP/IP protocol feature field, the recognition methods based on application layer message.
1) one: User-Agent method of identification of prior art related to the present invention
User-Agent is the special read-only string head that user browser uses, whenever user browses some net When standing, just comprising the User-Agent value in the user agent's head for the HTTP request data packet that browser is sent.Web server is logical Cross the User-Agent value, can know operating system that user uses and what version is, what browser and version be, What etc. cpu type be.And due to the operating system and version, browser and version of the different hosts in the same network, very It is all not quite similar as the patch beaten, therefore by statisticalling analyze in all HTTP request data packets that the same IP address issues User-Agent field, can determine normal hosts or NAT device, if it is NAT device, can also be used to distinguish Identify NAT.
2) two: Cookie ID method of identification of prior art related to the present invention
In http protocol, in order to effectively be transmitted between User-Agent (generally browser) and Web server Status information distinguishes the identity of user convenient for website, defines a Cookie data value.When user browses some websites, Web server by generate one include the information such as User ID, Time of Day Cookie value, and by the Cookie value together with The corresponding contents of family access return to the browser requested access to together, and browser is then stored in the terminal of user local In.When next time, the user browsed the same website again, last time can be stored in local Cookie value and sent together by user, Website can obtain user information by the Cookie value.Under normal circumstances, for accessing the user of the website for the first time, A validity period can be arranged in Web server in Cookie value.Before the deadline, user different under the same website User ID in Cookie value is different.Operator be frequently utilized that the Cookie ID of some well-known websites come to DynamicHost, NAT host is identified, so do it is some to network measure, the relevant work such as optimization service.
However, User-Agent method of identification is largely surfed the Internet the restriction of habit by user, it is some operating systems, clear Look at the service condition of device, such as same host, which opens two different browsers, can all make its generate erroneous judgement, and due to User- Agent field can be modifiable by the user easily, and the detection effect of this method does not ensure.Cookie ID method of identification very great Cheng Surfed the Internet the restriction of habit on degree by user, it is difficult to ensure that in the time detected at same different user all access it is identical Website.Moreover, some users can clear up the cookie information in the machine at any time, these factors all will be so that Cookie ID be identified The detection error of method is relatively large.
To solve the above-mentioned problems, the present invention is from known NAT detection method, by fusion user network behavior and Sudden peal of thunder ID feature identifies NAT host, and compared with based on User-Agent, Cookie ID recognition methods, NAT judgement can be improved Accuracy rate, so that can not only carry out identifying and capable of determining NAT scale to NAT attribute.
Summary of the invention
For the technical problems in the prior art, the purpose of the present invention is to provide one kind based on fusion user behavior With the NAT detection method of sudden peal of thunder ID.
The technical solution of the present invention is as follows:
A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID, the steps include:
1) flow processing platform extracts User-Agent, Cookie ID and sudden peal of thunder ID letter from the network flow of capture Breath, and the information extracted is spliced into JSON string;
2) according to the five-tuple of network flow by JSON string load balancing into flow processing platform corresponding server into Row processing;The five-tuple includes source IP, source port, destination IP, destination port and agreement;
3) server classifies to data according to five-tuple, when judging that the corresponding TCP flow of a certain five-tuple terminates When;Online processing is carried out to the TCP flow;Wherein, on-line processing method are as follows: gone out according to the host that five-tuple calculates client ip Degree, host in-degree, determine the NAT attribute of the client ip, and calculate the host scale of the client ip.
Further, the host out-degree are as follows: the TCP connection number that host is issued to other hosts;The host in-degree are as follows: Host receives the TCP connection number of other hosts.
Further, determine the method for the NAT attribute of the client ip are as follows: when continuous active degree > 4 of host are small, and Total active degree > 8 hour of the host within continuous 24 hours since the flow processing platform detects the host, and When host out-degree/in-degree ratio > 1.4, which is labeled as NAT host.
Further, the method for the host scale of the client ip is calculated are as follows: go here and there and calculate according to the JSON of the client ip With the data volume size N1 of User-Agent and Cookie ID Macintosh;It will be put into the JSON of identical User-Agent string Same Cookie ID set E traverses set E, finds out the User- of Cookie ID having the same under different User-Agent Agent scale N2;It is the sudden peal of thunder ID quantity N3 that Key calculates duplicate removal in Json string with sudden peal of thunder ID;Host scale is calculated as N1-N2+ N3。
Further, in step 3), the server cleans the data received, filters out no User- The TCP connection data of Agent, Cookie ID and sudden peal of thunder ID feature, the data for belonging to same five-tuple are concentrated.
Further, the flow processing platform is that a time-out time is arranged in the corresponding TCP flow data of each five-tuple, When a certain five-tuple is not updated in the time-out time, then determine that the corresponding TCP flow of the five-tuple terminates.
Further, JSON string load balancing is taken accordingly into flow processing platform according to the five-tuple of network flow The method that is handled of business device are as follows: be calculated an index value index for five-tuple as the key of hash function, it is each Index value index corresponds to a different server;JSON is gone here and there into load balancing to corresponding server according to index value index, Realize load balancing.
Compared with prior art, the positive effect of the present invention are as follows:
By can see to the introduction of existing recognition methods, several recognition methods based on application layer protocol characteristic field Compare similar, is all some special field of application layer protocol of placing one's entire reliance upon, can know generally by the restriction of the special field The quality of other effect depends entirely on the field, once the data of the field cannot be met the requirements or the field itself is repaired Change, these methods just will be entirely ineffective.And such methods are also generally by the restriction from different operating system, and Recognition methods based on application layer message then generally receives the restriction of user's online habit, and detection effect is filled with uncertain Property, as shown in table 1.
Table 1 is to influence under different condition on detection feature.
Classification | effect | method Based on User-Agent Based on Cookie ID Merge sudden peal of thunder ID
Whether protocol layer is depended on It is It is It is no
Operating system restricts It is It is It is no
User, which surfs the Internet, to be accustomed to It is It is It is no
Now, as more and more NAT device all have the function of special field in modification data packet, existing side The use scope of method becomes more and more narrow, is much unable to satisfy demand.Therefore, a certain spy will not excessively be relied on by finding one kind Field is levied, independent of operating system, user operation habits, which also influence lesser method on it just, seems extremely urgent.The present invention Based on the method that network behavior is combined with web content mining, wide range of traffic detection, energy mainly are carried out to application layer message It is enough that a large amount of IP attributes demarcate and precisely judged NAT scale.
Detailed description of the invention
Fig. 1 is front end flow process flow diagram;
Fig. 2 is rear end fusion calculation platform processes flow chart.
Specific embodiment
The present invention is explained in further detail with reference to the accompanying drawing.
● term is explained
NAT (Network Address Translation): network address translation;
Host out-degree: refer to the quantity for the four-tuple connection that host is issued to other hosts;Four-tuple connection refers to: source IP+source Port+destination IP+destination port is equivalent to " connection number of TCP ".
Host in-degree: refer to that host receives the quantity of the four-tuple connection of other hosts;
ISP (Internet Service Provider): Internet Service Provider;
● a kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID
It cannot be guaranteed the accurate of NAT detection based on single User-Agent recognition methods or Cookie ID recognition methods Rate, the present invention propose a kind of hybrid detection identified based on user behavior and sudden peal of thunder P2P ID on the basis of both methods Method.These four methods are mutually proved, and are guaranteed the NAT identified and are determined the accuracy of NAT scale.Below to both sides Method is introduced:
1) host goes out in-degree method of identification
In order to preferably describe and understand, " degree ", " in-degree " and " out-degree " definition: degree: the connection number of TCP is given below: Source IP address-source port-destination IP- destination port numbers;Out-degree: the TCP connection number that host is issued to other hosts;Enter Degree: host receives the TCP connection number of other hosts.The going out of computer network abnormal behaviour and host, there are certain mathematics for in-degree Rule.It is found through experiments that, certain Network Abnormals and goes out, is implicitly present in certain mathematical law between in-degree, as shown in table 2:
Table 2 is Network Abnormal and goes out, mathematical law between in-degree
This host starts to count continuous 24 are detected when continuous active degree > 4 of host are small, on the flow platform of front end Total active degree > 8 hour within hour, when and host out-degree/in-degree ratio > 1.4, meeting above three condition can will The host is labeled as NAT.This method is by that accurate can carry out attribute to extensive NAT and sentence to NAT user's behaviors analysis It is fixed.
2) sudden peal of thunder ID method of identification
A sudden peal of thunder mainly uses P2P agreement to carry out file download, the host for possessing private IP address after NAT device Between establish P2P connection, must just try every possible means across NAT.The customized transport protocol of a sudden peal of thunder passes through NAT device, by a sudden peal of thunder The identification of agreement, discovery can be as follows comprising information such as sudden peal of thunder ID number and IP address of internal network in the flow of transmission:
By front-end platform, sudden peal of thunder relevant information is extracted from flow.Found in analysis, sudden peal of thunder ID be it is unique, The corresponding user account information of one ID, while also corresponding to the Intranet IP of a NAT host in NAT network.
It being capable of accurate identification NAT scale and to NAT by the identification to the associated sudden peal of thunder P2P ID feature of host Host is accurately positioned.Sudden peal of thunder ID number and NAT host are one-to-one relationship.
NAT detection system process flow is divided into front end flow platform processes and rear end fusion calculation platform processes two streams Journey, front end flow process flow is as shown in Figure 1, rear end fusion calculation platform processes process is as shown in Figure 2.
NAT detection system handles process flow description are as follows:
1) front-end server of flow processing platform captures network flow, network of the application layer plug-in unit from capture from gateway The information such as User-Agent, Cookie ID and sudden peal of thunder ID are extracted in flow;
2) information extracted is spliced into JSON string, by five-tuple source IP+source port+destination IP+destination port+agreement Key as hash function carries out that an index value index (each index does the different server of correspondence) is calculated, incites somebody to action JSON string load balancing handled to corresponding back-end server, realization load balancing, process flow in the form of UDP packet or Program processing in rear end is sent to data relay by third-party activeMQ message-oriented middleware form;
3) journal receiver receives UDP packet in an asynchronous manner, and level-one Redis database completes data cleansing, and cleaning does not have There are the TCP connection data of User-Agent, Cookie ID and sudden peal of thunder ID feature, the data for belonging to same five-tuple are collected In, and issue the key of time-out;The present invention for it is each with five-tuple be the TCP flow data of key, when being both configured to a time-out Between, indicate that corresponding TCP flow terminates when a certain key does not obtain updating in setting time-out time;
4) log reclaimer receives the key of time-out, and single flow complete information is carried out online processing, is sent to second level Redis is calculated;Wherein, on-line processing method are as follows: the host by being calculated client ip with five-tuple key information is gone out, entered Degree determines the NAT attribute of host;To the string information of JSON corresponding to same client ip, comprising: ser-Agent, CookieID, The information such as sudden peal of thunder ID:
2-1) calculate with the data volume size N1 of User-Agent and Cookie ID Macintosh;
Be 2-2) Key with User-Agent, by Json go here and there in the corresponding Cookie ID of identical User-Agent be put into together One set, the corresponding Cookie ID of different User-Agent form a set E;
Set E 2-3) is traversed, the User-Agent scale of Cookie ID having the same under different User-Agent is found out N2;
The xunlei_uid quantity N3 of duplicate removal in Json string 2-4) is calculated for Key with sudden peal of thunder ID;
2-5) host scale is calculated as N1-N2+N3.
5) host that second level Redis mainly calculates client ip goes out in-degree, OS, Cookie ID and sudden peal of thunder ID quantity, complete Determine at NAT Attribute Recognition and scale.

Claims (6)

1. a kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID, the steps include:
1) flow processing platform extracts User-Agent, Cookie ID and sudden peal of thunder id information from the network flow of capture, and The information extracted is spliced into JSON string;
2) according to the five-tuple of network flow by JSON string load balancing into flow processing platform at corresponding server Reason;The five-tuple includes source IP, source port, destination IP, destination port and agreement;
3) server classifies to data according to five-tuple, at the end of judging the corresponding TCP flow of a certain five-tuple;It is right The TCP flow carries out online processing;Wherein, on-line processing method are as follows: host out-degree, the host of client ip are calculated according to five-tuple In-degree, determines the NAT attribute of the client ip, and calculates the host scale of the client ip;Calculate the host of the client ip The method of scale are as follows: calculated according to the JSON of client ip string with the data volume of User-Agent and Cookie ID Macintosh Size N1;It will be put into same Cookie ID set E with the JSON of identical User-Agent string, traverses set E, find out difference The User-Agent scale N2 of Cookie ID having the same under User-Agent;It is that Key is calculated in Json string with sudden peal of thunder ID The sudden peal of thunder ID quantity N3 of weight;Host scale is calculated as N1-N2+N3.
2. the method as described in claim 1, which is characterized in that the host out-degree are as follows: the TCP that host is issued to other hosts Connection number;The host in-degree are as follows: host receives the TCP connection number of other hosts.
3. method according to claim 2, which is characterized in that determine the method for the NAT attribute of the client ip are as follows: work as host Continuous active degree > 4 hour, and the host within continuous 24 hours since the flow processing platform detects the host The host when and host out-degree/in-degree ratio > 1.4, is labeled as NAT host by total active degree > 8 hour.
4. the method as described in claim 1, which is characterized in that in step 3), the server carries out the data received clear It washes, filters out the TCP connection data of no User-Agent, Cookie ID and sudden peal of thunder ID feature, same five-tuple will be belonged to Data concentrated.
5. the method as described in claim 1, which is characterized in that the flow processing platform is the corresponding TCP of each five-tuple A time-out time is arranged in flow data, when a certain five-tuple is not updated in the time-out time, then determines the five-tuple Corresponding TCP flow terminates.
6. the method as described in claim 1, which is characterized in that arrived JSON string load balancing according to the five-tuple of network flow The method that corresponding server is handled in flow processing platform are as follows: calculated five-tuple as the key of hash function Obtain a corresponding different server of index value index, each index value index;JSON is gone here and there according to index value index and is born Load is balanced to corresponding server, realizes load balancing.
CN201710037609.XA 2017-01-18 2017-01-18 A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID Active CN106850599B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710037609.XA CN106850599B (en) 2017-01-18 2017-01-18 A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710037609.XA CN106850599B (en) 2017-01-18 2017-01-18 A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID

Publications (2)

Publication Number Publication Date
CN106850599A CN106850599A (en) 2017-06-13
CN106850599B true CN106850599B (en) 2019-12-03

Family

ID=59123770

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710037609.XA Active CN106850599B (en) 2017-01-18 2017-01-18 A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID

Country Status (1)

Country Link
CN (1) CN106850599B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107634942B (en) * 2017-09-08 2020-07-31 北京京东尚科信息技术有限公司 Method and device for identifying malicious request
CN107948088B (en) * 2018-01-05 2021-10-01 宝牧科技(天津)有限公司 Method for balancing network application layer load
CN110049147B (en) * 2019-03-28 2020-07-31 中国科学院计算技术研究所 Method for detecting number of hosts after NAT
CN111866216B (en) * 2020-08-03 2022-10-28 深圳市联软科技股份有限公司 NAT equipment detection method and system based on wireless network access point

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035031A (en) * 2007-04-03 2007-09-12 华为技术有限公司 Method and device for detecting the number of the shared access host
CN102307123A (en) * 2011-09-06 2012-01-04 电子科技大学 NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN102984003A (en) * 2012-11-30 2013-03-20 深圳中兴网信科技有限公司 Network access detection system and network access detection method
CN104135474A (en) * 2014-07-18 2014-11-05 国家计算机网络与信息安全管理中心 Network anomaly behavior detection method based on out-degree and in-degree of host
CN105430011A (en) * 2015-12-25 2016-03-23 杭州朗和科技有限公司 Method and device for detecting distributed denial of service attack
CN105915396A (en) * 2016-06-20 2016-08-31 中国联合网络通信集团有限公司 Home network traffic recognition system and method
CN106126746A (en) * 2016-07-14 2016-11-16 长江大学 High-quality node detecting method and system in a kind of social networks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9451036B2 (en) * 2008-01-15 2016-09-20 Alcatel Lucent Method and apparatus for fingerprinting systems and operating systems in a network

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035031A (en) * 2007-04-03 2007-09-12 华为技术有限公司 Method and device for detecting the number of the shared access host
CN102307123A (en) * 2011-09-06 2012-01-04 电子科技大学 NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN102984003A (en) * 2012-11-30 2013-03-20 深圳中兴网信科技有限公司 Network access detection system and network access detection method
CN104135474A (en) * 2014-07-18 2014-11-05 国家计算机网络与信息安全管理中心 Network anomaly behavior detection method based on out-degree and in-degree of host
CN105430011A (en) * 2015-12-25 2016-03-23 杭州朗和科技有限公司 Method and device for detecting distributed denial of service attack
CN105915396A (en) * 2016-06-20 2016-08-31 中国联合网络通信集团有限公司 Home network traffic recognition system and method
CN106126746A (en) * 2016-07-14 2016-11-16 长江大学 High-quality node detecting method and system in a kind of social networks

Also Published As

Publication number Publication date
CN106850599A (en) 2017-06-13

Similar Documents

Publication Publication Date Title
CN106850599B (en) A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID
US10452843B2 (en) Self-adaptive application programming interface level security monitoring
CN106663169B (en) System and method for high speed threat intelligence management using unsupervised machine learning and priority algorithms
CN112636924B (en) Network asset identification method and device, storage medium and electronic equipment
US8180892B2 (en) Apparatus and method for multi-user NAT session identification and tracking
RU2607229C2 (en) Systems and methods of dynamic indicators aggregation to detect network fraud
CN108334758B (en) Method, device and equipment for detecting user unauthorized behavior
US8150779B1 (en) Validating the detection of spam based entities in social networking contexts
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
CN103970752B (en) Independent access person's quantity survey (surveying) method and system
CN105491055B (en) A kind of network host accident detection method based on mobile agent
CN111600865B (en) Abnormal communication detection method and device, electronic equipment and storage medium
CN110943884B (en) Data processing method and device
US10805327B1 (en) Spatial cosine similarity based anomaly detection
WO2022042194A1 (en) Block detection method and apparatus for login device, server, and storage medium
CN113454621A (en) Method, apparatus and computer program for collecting data from multiple domains
CN109981415A (en) Condition judgement method, electronic equipment, system and medium
US7299276B1 (en) Technique for monitoring health of network device using data format verification
WO2019114246A1 (en) Identity authentication method, server and client device
CN107231383B (en) CC attack detection method and device
US20080267193A1 (en) Technique for enabling network statistics on software partitions
CN107426136A (en) A kind of recognition methods of network attack and device
CN110599278B (en) Method, apparatus, and computer storage medium for aggregating device identifiers
CN117176482B (en) Big data network safety protection method and system
Ogawa et al. Malware originated http traffic detection utilizing cluster appearance ratio

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant