CN106850599B - A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID - Google Patents
A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID Download PDFInfo
- Publication number
- CN106850599B CN106850599B CN201710037609.XA CN201710037609A CN106850599B CN 106850599 B CN106850599 B CN 106850599B CN 201710037609 A CN201710037609 A CN 201710037609A CN 106850599 B CN106850599 B CN 106850599B
- Authority
- CN
- China
- Prior art keywords
- host
- tuple
- flow
- user
- nat
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
- H04L61/2571—NAT traversal for identification, e.g. for authentication or billing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a kind of NAT detection methods based on fusion user behavior and sudden peal of thunder ID.The method include the steps that 1) flow processing platform extracts User-Agent, Cookie ID and sudden peal of thunder id information from the network flow of capture, and the information extracted is spliced into JSON string;2) JSON string load balancing corresponding server into flow processing platform is handled according to the five-tuple of network flow;3) server classifies to data according to five-tuple, at the end of judging the corresponding TCP flow of a certain five-tuple;Online processing is carried out to the TCP flow;Wherein, on-line processing method are as follows: host out-degree, the host in-degree that client ip is calculated according to five-tuple determine the NAT attribute of the client ip, and calculate the host scale of the client ip.The present invention can demarcate a large amount of IP attributes and precisely be judged NAT scale.
Description
Technical field
The invention belongs to the analysis of internet passive flux and NAT detection technique fields, are related to a kind of based on fusion user's row
For the NAT detection method with sudden peal of thunder ID.
Background technique
NAT (Network Address Translation, network address translation) technical application slows down IP address space
Exhaustion, realize the mapping relations between private network IP address and public network IP address so that tertiary-structure network comes, from
And all computers in local area network are hidden and protected, it can not be accessed by public network, effectively guard against and come from
The various rogue attacks of public network.Therefore, NAT technology also provides new thinking for the development of firewall technology.Nowadays, absolutely
NAT technology is all integrated in most of routers, this provides safely certain guarantee for private network.
However, NAT technology equally also has negative as many other technologies in history.On the one hand, multiple users share
The mode of online occupies a large amount of Internet resources, operator's increased costs;On the other hand, NAT technology is increased using passive
Flow carries out the difficulty of personalized network service and illegal user's tracking.
Existing NAT method for recognizing flux is typically all to use passive detection method, and passive detection method is by passive
Monitor the data traffic in network, the stem or content information of detection data packet, the body of the source IP address of Lai Jinhang data packet in ground
Part judgement.According to the different characteristics of various recognition methods, existing NAT passive detection method can be generally divided into two big
Classification, be respectively as follows: the recognition methods based on ICP/IP protocol feature field, the recognition methods based on application layer message.
1) one: User-Agent method of identification of prior art related to the present invention
User-Agent is the special read-only string head that user browser uses, whenever user browses some net
When standing, just comprising the User-Agent value in the user agent's head for the HTTP request data packet that browser is sent.Web server is logical
Cross the User-Agent value, can know operating system that user uses and what version is, what browser and version be,
What etc. cpu type be.And due to the operating system and version, browser and version of the different hosts in the same network, very
It is all not quite similar as the patch beaten, therefore by statisticalling analyze in all HTTP request data packets that the same IP address issues
User-Agent field, can determine normal hosts or NAT device, if it is NAT device, can also be used to distinguish
Identify NAT.
2) two: Cookie ID method of identification of prior art related to the present invention
In http protocol, in order to effectively be transmitted between User-Agent (generally browser) and Web server
Status information distinguishes the identity of user convenient for website, defines a Cookie data value.When user browses some websites,
Web server by generate one include the information such as User ID, Time of Day Cookie value, and by the Cookie value together with
The corresponding contents of family access return to the browser requested access to together, and browser is then stored in the terminal of user local
In.When next time, the user browsed the same website again, last time can be stored in local Cookie value and sent together by user,
Website can obtain user information by the Cookie value.Under normal circumstances, for accessing the user of the website for the first time,
A validity period can be arranged in Web server in Cookie value.Before the deadline, user different under the same website
User ID in Cookie value is different.Operator be frequently utilized that the Cookie ID of some well-known websites come to DynamicHost,
NAT host is identified, so do it is some to network measure, the relevant work such as optimization service.
However, User-Agent method of identification is largely surfed the Internet the restriction of habit by user, it is some operating systems, clear
Look at the service condition of device, such as same host, which opens two different browsers, can all make its generate erroneous judgement, and due to User-
Agent field can be modifiable by the user easily, and the detection effect of this method does not ensure.Cookie ID method of identification very great Cheng
Surfed the Internet the restriction of habit on degree by user, it is difficult to ensure that in the time detected at same different user all access it is identical
Website.Moreover, some users can clear up the cookie information in the machine at any time, these factors all will be so that Cookie ID be identified
The detection error of method is relatively large.
To solve the above-mentioned problems, the present invention is from known NAT detection method, by fusion user network behavior and
Sudden peal of thunder ID feature identifies NAT host, and compared with based on User-Agent, Cookie ID recognition methods, NAT judgement can be improved
Accuracy rate, so that can not only carry out identifying and capable of determining NAT scale to NAT attribute.
Summary of the invention
For the technical problems in the prior art, the purpose of the present invention is to provide one kind based on fusion user behavior
With the NAT detection method of sudden peal of thunder ID.
The technical solution of the present invention is as follows:
A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID, the steps include:
1) flow processing platform extracts User-Agent, Cookie ID and sudden peal of thunder ID letter from the network flow of capture
Breath, and the information extracted is spliced into JSON string;
2) according to the five-tuple of network flow by JSON string load balancing into flow processing platform corresponding server into
Row processing;The five-tuple includes source IP, source port, destination IP, destination port and agreement;
3) server classifies to data according to five-tuple, when judging that the corresponding TCP flow of a certain five-tuple terminates
When;Online processing is carried out to the TCP flow;Wherein, on-line processing method are as follows: gone out according to the host that five-tuple calculates client ip
Degree, host in-degree, determine the NAT attribute of the client ip, and calculate the host scale of the client ip.
Further, the host out-degree are as follows: the TCP connection number that host is issued to other hosts;The host in-degree are as follows:
Host receives the TCP connection number of other hosts.
Further, determine the method for the NAT attribute of the client ip are as follows: when continuous active degree > 4 of host are small, and
Total active degree > 8 hour of the host within continuous 24 hours since the flow processing platform detects the host, and
When host out-degree/in-degree ratio > 1.4, which is labeled as NAT host.
Further, the method for the host scale of the client ip is calculated are as follows: go here and there and calculate according to the JSON of the client ip
With the data volume size N1 of User-Agent and Cookie ID Macintosh;It will be put into the JSON of identical User-Agent string
Same Cookie ID set E traverses set E, finds out the User- of Cookie ID having the same under different User-Agent
Agent scale N2;It is the sudden peal of thunder ID quantity N3 that Key calculates duplicate removal in Json string with sudden peal of thunder ID;Host scale is calculated as N1-N2+
N3。
Further, in step 3), the server cleans the data received, filters out no User-
The TCP connection data of Agent, Cookie ID and sudden peal of thunder ID feature, the data for belonging to same five-tuple are concentrated.
Further, the flow processing platform is that a time-out time is arranged in the corresponding TCP flow data of each five-tuple,
When a certain five-tuple is not updated in the time-out time, then determine that the corresponding TCP flow of the five-tuple terminates.
Further, JSON string load balancing is taken accordingly into flow processing platform according to the five-tuple of network flow
The method that is handled of business device are as follows: be calculated an index value index for five-tuple as the key of hash function, it is each
Index value index corresponds to a different server;JSON is gone here and there into load balancing to corresponding server according to index value index,
Realize load balancing.
Compared with prior art, the positive effect of the present invention are as follows:
By can see to the introduction of existing recognition methods, several recognition methods based on application layer protocol characteristic field
Compare similar, is all some special field of application layer protocol of placing one's entire reliance upon, can know generally by the restriction of the special field
The quality of other effect depends entirely on the field, once the data of the field cannot be met the requirements or the field itself is repaired
Change, these methods just will be entirely ineffective.And such methods are also generally by the restriction from different operating system, and
Recognition methods based on application layer message then generally receives the restriction of user's online habit, and detection effect is filled with uncertain
Property, as shown in table 1.
Table 1 is to influence under different condition on detection feature.
Classification | effect | method | Based on User-Agent | Based on Cookie ID | Merge sudden peal of thunder ID |
Whether protocol layer is depended on | It is | It is | It is no |
Operating system restricts | It is | It is | It is no |
User, which surfs the Internet, to be accustomed to | It is | It is | It is no |
Now, as more and more NAT device all have the function of special field in modification data packet, existing side
The use scope of method becomes more and more narrow, is much unable to satisfy demand.Therefore, a certain spy will not excessively be relied on by finding one kind
Field is levied, independent of operating system, user operation habits, which also influence lesser method on it just, seems extremely urgent.The present invention
Based on the method that network behavior is combined with web content mining, wide range of traffic detection, energy mainly are carried out to application layer message
It is enough that a large amount of IP attributes demarcate and precisely judged NAT scale.
Detailed description of the invention
Fig. 1 is front end flow process flow diagram;
Fig. 2 is rear end fusion calculation platform processes flow chart.
Specific embodiment
The present invention is explained in further detail with reference to the accompanying drawing.
● term is explained
NAT (Network Address Translation): network address translation;
Host out-degree: refer to the quantity for the four-tuple connection that host is issued to other hosts;Four-tuple connection refers to: source IP+source
Port+destination IP+destination port is equivalent to " connection number of TCP ".
Host in-degree: refer to that host receives the quantity of the four-tuple connection of other hosts;
ISP (Internet Service Provider): Internet Service Provider;
● a kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID
It cannot be guaranteed the accurate of NAT detection based on single User-Agent recognition methods or Cookie ID recognition methods
Rate, the present invention propose a kind of hybrid detection identified based on user behavior and sudden peal of thunder P2P ID on the basis of both methods
Method.These four methods are mutually proved, and are guaranteed the NAT identified and are determined the accuracy of NAT scale.Below to both sides
Method is introduced:
1) host goes out in-degree method of identification
In order to preferably describe and understand, " degree ", " in-degree " and " out-degree " definition: degree: the connection number of TCP is given below:
Source IP address-source port-destination IP- destination port numbers;Out-degree: the TCP connection number that host is issued to other hosts;Enter
Degree: host receives the TCP connection number of other hosts.The going out of computer network abnormal behaviour and host, there are certain mathematics for in-degree
Rule.It is found through experiments that, certain Network Abnormals and goes out, is implicitly present in certain mathematical law between in-degree, as shown in table 2:
Table 2 is Network Abnormal and goes out, mathematical law between in-degree
This host starts to count continuous 24 are detected when continuous active degree > 4 of host are small, on the flow platform of front end
Total active degree > 8 hour within hour, when and host out-degree/in-degree ratio > 1.4, meeting above three condition can will
The host is labeled as NAT.This method is by that accurate can carry out attribute to extensive NAT and sentence to NAT user's behaviors analysis
It is fixed.
2) sudden peal of thunder ID method of identification
A sudden peal of thunder mainly uses P2P agreement to carry out file download, the host for possessing private IP address after NAT device
Between establish P2P connection, must just try every possible means across NAT.The customized transport protocol of a sudden peal of thunder passes through NAT device, by a sudden peal of thunder
The identification of agreement, discovery can be as follows comprising information such as sudden peal of thunder ID number and IP address of internal network in the flow of transmission:
By front-end platform, sudden peal of thunder relevant information is extracted from flow.Found in analysis, sudden peal of thunder ID be it is unique,
The corresponding user account information of one ID, while also corresponding to the Intranet IP of a NAT host in NAT network.
It being capable of accurate identification NAT scale and to NAT by the identification to the associated sudden peal of thunder P2P ID feature of host
Host is accurately positioned.Sudden peal of thunder ID number and NAT host are one-to-one relationship.
NAT detection system process flow is divided into front end flow platform processes and rear end fusion calculation platform processes two streams
Journey, front end flow process flow is as shown in Figure 1, rear end fusion calculation platform processes process is as shown in Figure 2.
NAT detection system handles process flow description are as follows:
1) front-end server of flow processing platform captures network flow, network of the application layer plug-in unit from capture from gateway
The information such as User-Agent, Cookie ID and sudden peal of thunder ID are extracted in flow;
2) information extracted is spliced into JSON string, by five-tuple source IP+source port+destination IP+destination port+agreement
Key as hash function carries out that an index value index (each index does the different server of correspondence) is calculated, incites somebody to action
JSON string load balancing handled to corresponding back-end server, realization load balancing, process flow in the form of UDP packet or
Program processing in rear end is sent to data relay by third-party activeMQ message-oriented middleware form;
3) journal receiver receives UDP packet in an asynchronous manner, and level-one Redis database completes data cleansing, and cleaning does not have
There are the TCP connection data of User-Agent, Cookie ID and sudden peal of thunder ID feature, the data for belonging to same five-tuple are collected
In, and issue the key of time-out;The present invention for it is each with five-tuple be the TCP flow data of key, when being both configured to a time-out
Between, indicate that corresponding TCP flow terminates when a certain key does not obtain updating in setting time-out time;
4) log reclaimer receives the key of time-out, and single flow complete information is carried out online processing, is sent to second level
Redis is calculated;Wherein, on-line processing method are as follows: the host by being calculated client ip with five-tuple key information is gone out, entered
Degree determines the NAT attribute of host;To the string information of JSON corresponding to same client ip, comprising: ser-Agent, CookieID,
The information such as sudden peal of thunder ID:
2-1) calculate with the data volume size N1 of User-Agent and Cookie ID Macintosh;
Be 2-2) Key with User-Agent, by Json go here and there in the corresponding Cookie ID of identical User-Agent be put into together
One set, the corresponding Cookie ID of different User-Agent form a set E;
Set E 2-3) is traversed, the User-Agent scale of Cookie ID having the same under different User-Agent is found out
N2;
The xunlei_uid quantity N3 of duplicate removal in Json string 2-4) is calculated for Key with sudden peal of thunder ID;
2-5) host scale is calculated as N1-N2+N3.
5) host that second level Redis mainly calculates client ip goes out in-degree, OS, Cookie ID and sudden peal of thunder ID quantity, complete
Determine at NAT Attribute Recognition and scale.
Claims (6)
1. a kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID, the steps include:
1) flow processing platform extracts User-Agent, Cookie ID and sudden peal of thunder id information from the network flow of capture, and
The information extracted is spliced into JSON string;
2) according to the five-tuple of network flow by JSON string load balancing into flow processing platform at corresponding server
Reason;The five-tuple includes source IP, source port, destination IP, destination port and agreement;
3) server classifies to data according to five-tuple, at the end of judging the corresponding TCP flow of a certain five-tuple;It is right
The TCP flow carries out online processing;Wherein, on-line processing method are as follows: host out-degree, the host of client ip are calculated according to five-tuple
In-degree, determines the NAT attribute of the client ip, and calculates the host scale of the client ip;Calculate the host of the client ip
The method of scale are as follows: calculated according to the JSON of client ip string with the data volume of User-Agent and Cookie ID Macintosh
Size N1;It will be put into same Cookie ID set E with the JSON of identical User-Agent string, traverses set E, find out difference
The User-Agent scale N2 of Cookie ID having the same under User-Agent;It is that Key is calculated in Json string with sudden peal of thunder ID
The sudden peal of thunder ID quantity N3 of weight;Host scale is calculated as N1-N2+N3.
2. the method as described in claim 1, which is characterized in that the host out-degree are as follows: the TCP that host is issued to other hosts
Connection number;The host in-degree are as follows: host receives the TCP connection number of other hosts.
3. method according to claim 2, which is characterized in that determine the method for the NAT attribute of the client ip are as follows: work as host
Continuous active degree > 4 hour, and the host within continuous 24 hours since the flow processing platform detects the host
The host when and host out-degree/in-degree ratio > 1.4, is labeled as NAT host by total active degree > 8 hour.
4. the method as described in claim 1, which is characterized in that in step 3), the server carries out the data received clear
It washes, filters out the TCP connection data of no User-Agent, Cookie ID and sudden peal of thunder ID feature, same five-tuple will be belonged to
Data concentrated.
5. the method as described in claim 1, which is characterized in that the flow processing platform is the corresponding TCP of each five-tuple
A time-out time is arranged in flow data, when a certain five-tuple is not updated in the time-out time, then determines the five-tuple
Corresponding TCP flow terminates.
6. the method as described in claim 1, which is characterized in that arrived JSON string load balancing according to the five-tuple of network flow
The method that corresponding server is handled in flow processing platform are as follows: calculated five-tuple as the key of hash function
Obtain a corresponding different server of index value index, each index value index;JSON is gone here and there according to index value index and is born
Load is balanced to corresponding server, realizes load balancing.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710037609.XA CN106850599B (en) | 2017-01-18 | 2017-01-18 | A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710037609.XA CN106850599B (en) | 2017-01-18 | 2017-01-18 | A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106850599A CN106850599A (en) | 2017-06-13 |
CN106850599B true CN106850599B (en) | 2019-12-03 |
Family
ID=59123770
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710037609.XA Active CN106850599B (en) | 2017-01-18 | 2017-01-18 | A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106850599B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107634942B (en) * | 2017-09-08 | 2020-07-31 | 北京京东尚科信息技术有限公司 | Method and device for identifying malicious request |
CN107948088B (en) * | 2018-01-05 | 2021-10-01 | 宝牧科技(天津)有限公司 | Method for balancing network application layer load |
CN110049147B (en) * | 2019-03-28 | 2020-07-31 | 中国科学院计算技术研究所 | Method for detecting number of hosts after NAT |
CN111866216B (en) * | 2020-08-03 | 2022-10-28 | 深圳市联软科技股份有限公司 | NAT equipment detection method and system based on wireless network access point |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101035031A (en) * | 2007-04-03 | 2007-09-12 | 华为技术有限公司 | Method and device for detecting the number of the shared access host |
CN102307123A (en) * | 2011-09-06 | 2012-01-04 | 电子科技大学 | NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic |
CN102984003A (en) * | 2012-11-30 | 2013-03-20 | 深圳中兴网信科技有限公司 | Network access detection system and network access detection method |
CN104135474A (en) * | 2014-07-18 | 2014-11-05 | 国家计算机网络与信息安全管理中心 | Network anomaly behavior detection method based on out-degree and in-degree of host |
CN105430011A (en) * | 2015-12-25 | 2016-03-23 | 杭州朗和科技有限公司 | Method and device for detecting distributed denial of service attack |
CN105915396A (en) * | 2016-06-20 | 2016-08-31 | 中国联合网络通信集团有限公司 | Home network traffic recognition system and method |
CN106126746A (en) * | 2016-07-14 | 2016-11-16 | 长江大学 | High-quality node detecting method and system in a kind of social networks |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9451036B2 (en) * | 2008-01-15 | 2016-09-20 | Alcatel Lucent | Method and apparatus for fingerprinting systems and operating systems in a network |
-
2017
- 2017-01-18 CN CN201710037609.XA patent/CN106850599B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101035031A (en) * | 2007-04-03 | 2007-09-12 | 华为技术有限公司 | Method and device for detecting the number of the shared access host |
CN102307123A (en) * | 2011-09-06 | 2012-01-04 | 电子科技大学 | NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic |
CN102984003A (en) * | 2012-11-30 | 2013-03-20 | 深圳中兴网信科技有限公司 | Network access detection system and network access detection method |
CN104135474A (en) * | 2014-07-18 | 2014-11-05 | 国家计算机网络与信息安全管理中心 | Network anomaly behavior detection method based on out-degree and in-degree of host |
CN105430011A (en) * | 2015-12-25 | 2016-03-23 | 杭州朗和科技有限公司 | Method and device for detecting distributed denial of service attack |
CN105915396A (en) * | 2016-06-20 | 2016-08-31 | 中国联合网络通信集团有限公司 | Home network traffic recognition system and method |
CN106126746A (en) * | 2016-07-14 | 2016-11-16 | 长江大学 | High-quality node detecting method and system in a kind of social networks |
Also Published As
Publication number | Publication date |
---|---|
CN106850599A (en) | 2017-06-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106850599B (en) | A kind of NAT detection method based on fusion user behavior and sudden peal of thunder ID | |
US10452843B2 (en) | Self-adaptive application programming interface level security monitoring | |
CN106663169B (en) | System and method for high speed threat intelligence management using unsupervised machine learning and priority algorithms | |
CN112636924B (en) | Network asset identification method and device, storage medium and electronic equipment | |
US8180892B2 (en) | Apparatus and method for multi-user NAT session identification and tracking | |
RU2607229C2 (en) | Systems and methods of dynamic indicators aggregation to detect network fraud | |
CN108334758B (en) | Method, device and equipment for detecting user unauthorized behavior | |
US8150779B1 (en) | Validating the detection of spam based entities in social networking contexts | |
JP2019021294A (en) | SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS | |
CN103970752B (en) | Independent access person's quantity survey (surveying) method and system | |
CN105491055B (en) | A kind of network host accident detection method based on mobile agent | |
CN111600865B (en) | Abnormal communication detection method and device, electronic equipment and storage medium | |
CN110943884B (en) | Data processing method and device | |
US10805327B1 (en) | Spatial cosine similarity based anomaly detection | |
WO2022042194A1 (en) | Block detection method and apparatus for login device, server, and storage medium | |
CN113454621A (en) | Method, apparatus and computer program for collecting data from multiple domains | |
CN109981415A (en) | Condition judgement method, electronic equipment, system and medium | |
US7299276B1 (en) | Technique for monitoring health of network device using data format verification | |
WO2019114246A1 (en) | Identity authentication method, server and client device | |
CN107231383B (en) | CC attack detection method and device | |
US20080267193A1 (en) | Technique for enabling network statistics on software partitions | |
CN107426136A (en) | A kind of recognition methods of network attack and device | |
CN110599278B (en) | Method, apparatus, and computer storage medium for aggregating device identifiers | |
CN117176482B (en) | Big data network safety protection method and system | |
Ogawa et al. | Malware originated http traffic detection utilizing cluster appearance ratio |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |