CN108696446B - Method and device for updating flow characteristic information and central node server - Google Patents

Method and device for updating flow characteristic information and central node server Download PDF

Info

Publication number
CN108696446B
CN108696446B CN201810852702.0A CN201810852702A CN108696446B CN 108696446 B CN108696446 B CN 108696446B CN 201810852702 A CN201810852702 A CN 201810852702A CN 108696446 B CN108696446 B CN 108696446B
Authority
CN
China
Prior art keywords
field
traffic
threshold
interval threshold
time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810852702.0A
Other languages
Chinese (zh)
Other versions
CN108696446A (en
Inventor
黄志晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wangsu Science and Technology Co Ltd
Original Assignee
Wangsu Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wangsu Science and Technology Co Ltd filed Critical Wangsu Science and Technology Co Ltd
Priority to CN201810852702.0A priority Critical patent/CN108696446B/en
Publication of CN108696446A publication Critical patent/CN108696446A/en
Application granted granted Critical
Publication of CN108696446B publication Critical patent/CN108696446B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2416Real-time traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/29Flow control; Congestion control using a combination of thresholds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/70Admission control; Resource allocation
    • H04L47/80Actions related to the user profile or the type of traffic
    • H04L47/801Real time traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/70Admission control; Resource allocation
    • H04L47/80Actions related to the user profile or the type of traffic
    • H04L47/803Application aware

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for updating flow characteristic information and a central node server, wherein the method comprises the following steps: receiving traffic characteristics reported by traffic identification equipment, and inquiring characteristic information associated with the traffic characteristics; the characteristic information at least comprises a first field for recording a time node which passes the latest verification of the flow characteristic and a second field for recording an alarm duration interval threshold; calculating a time difference between the time node receiving the traffic characteristic and the time node recorded in the first field; and if the time difference is larger than the alarm time interval threshold recorded in the second field, replacing the alarm time interval threshold in the second field with the time difference, and updating the content of the first field. The technical scheme provided by the application can improve the judgment precision of whether the flow characteristic is invalid or not.

Description

Method and device for updating flow characteristic information and central node server
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method and an apparatus for updating traffic characteristic information, and a central node server.
Background
At present, applications are various, and a user may generate corresponding network traffic when using the applications. The traffic characteristics contained in the generated network traffic of different applications are identifiable, and the traffic characteristics can be used for identifying that the network traffic is sent by a certain application, and specifically, the traffic characteristics can include, but are not limited to, name information, specific operation identifiers, specific message field information and the like of the application.
In the prior art, the identification of an application program to which network traffic belongs based on traffic characteristics has been widely used, especially in terms of network acceleration services. For example, the game-class application generally has a high requirement on the network communication quality, and after identifying that the network traffic belongs to the network traffic generated by the game-class application, the network operator or the third-party acceleration platform may allocate the network traffic to the network node with the good network communication quality, so as to ensure the smoothness of the network game.
In practical applications, these traffic characteristics and corresponding information are often stored in a database in a centralized manner for maintenance, and with the reasons of updating and upgrading of application programs, the characteristics of generated network traffic may also change, so that the existing traffic characteristics may lose effectiveness. Currently, in order to determine whether an existing flow characteristic is still valid, a fixed detection period is usually set, and if data of a certain flow characteristic is not received in the fixed detection period, the flow characteristic is determined to be invalid.
However, the frequency of use of unused applications is so different that some traffic features may remain inactive for a long time but do not represent that the traffic feature has failed. Therefore, the conventional method for judging whether the flow characteristics fail often causes erroneous judgment.
Disclosure of Invention
The application aims to provide a method and a device for updating traffic characteristic information and a central node server, which can improve the accuracy of judging whether traffic characteristics fail.
In order to achieve the above object, an aspect of the present application provides a method for updating traffic characteristic information, where the method includes: receiving traffic characteristics reported by traffic identification equipment, and inquiring characteristic information associated with the traffic characteristics; the characteristic information at least comprises a first field for recording a time node which passes the latest verification of the flow characteristic and a second field for recording an alarm duration interval threshold; calculating a time difference between the time node receiving the traffic characteristic and the time node recorded in the first field; and if the time difference is larger than the alarm time interval threshold recorded in the second field, replacing the alarm time interval threshold in the second field with the time difference, and updating the content of the first field.
In order to achieve the above object, another aspect of the present application further provides a central node server, where an update system of traffic characteristic information is run on the central node server, and the system executes the above method.
In order to achieve the above object, another aspect of the present application further provides an apparatus for updating traffic characteristic information, where the apparatus includes a management server, a central node server, and at least one traffic identification device, where: the management server is used for issuing flow characteristic data to the central node server and each flow identification device; the traffic identification device is used for identifying locally received user traffic based on the traffic characteristic data, and reporting matched traffic characteristics to the central node server when the identification is successful; and the central node server is used for analyzing the traffic characteristics reported by the traffic characteristic data and updating the characteristic information associated with the traffic characteristics according to the analysis result.
As can be seen from the above, according to the technical solution provided by the present application, after the network traffic of the application reaches the traffic identification device, the traffic identification device can identify the traffic characteristics matched with the network traffic according to the traffic characteristic data sent by the management server, and report the traffic characteristics to the central node server. And after receiving the traffic characteristics reported by the traffic identification equipment, the central node server indicates that the traffic characteristics are still in an effective state. At this point, the central node server may query feature information associated with the traffic features. The characteristic information at least comprises a first field for recording a time node when the traffic characteristic passes the last verification and a second field for recording an alarm duration interval threshold. Then, the central node server may calculate a time difference between the time node receiving the traffic feature and the time node recorded in the first field, and if the time difference is greater than the alarm duration interval threshold recorded in the second field, it indicates that the alarm duration interval threshold recorded in the second field is not applicable to the current network traffic, so that the possibility of erroneous determination may be caused. At this time, the central node server may replace the alarm duration interval threshold in the second field with the calculated time difference, and then may use the calculated time difference as a criterion for judging whether the traffic characteristic is invalid, and then may update the content of the first field according to the verification process of this time. Therefore, the technical scheme provided by the application can flexibly update the initially set judgment threshold according to the actual situation of the flow characteristic, so that many misjudgments are avoided, and the judgment precision of whether the flow characteristic is invalid is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of a network architecture in an embodiment of the invention;
fig. 2 is a flowchart of a method for updating traffic characteristic information according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating a method for updating traffic characteristic information according to an embodiment of the present invention;
FIG. 4 is a functional block diagram of a central node server in an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computer terminal in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Example one
The application provides an updating method of flow characteristic information, which can be applied to a central node server. Referring to fig. 1, a network architecture according to the present disclosure may include a management server, a central node server (referred to as a central node), a traffic identification device, and a user client.
The management server may store traffic characteristics of network traffic of the application program, and different traffic characteristics may correspond to network traffic from different application programs. In the management server, for network traffic of different applications, corresponding traffic characteristics may be collected in advance, and a characteristic identifier may be assigned to each traffic characteristic. The signature can uniquely characterize the corresponding flow characteristic. Thus, the association relationship between the flow characteristics and the characteristic identification can be established. The combination of the application, the traffic characteristics and the corresponding characteristic identifier may be used as traffic characteristic data stored in the management server.
In practical application, the management server may issue the traffic characteristic data to the central node server and each traffic identification device in advance, so that both the central node server and the traffic identification device may identify the traffic characteristic or the corresponding characteristic identifier.
The user client may run various applications, and during the running process, the applications may generate corresponding network traffic, and the network traffic may be received by the traffic identification device, and may be identified by the traffic identification device as corresponding traffic characteristics. Specifically, the traffic identification device may receive traffic feature data sent by the management server, and then, for a current network traffic sent by the user client, may match traffic features included in the current network traffic with each traffic feature in the traffic feature data, and may use the matched traffic features as traffic features corresponding to the current network traffic.
The traffic identification device may be, for example, a DPI (Deep Packet Inspection) device or other devices with a traffic identification function. The traffic characteristics identified by the traffic identification device may be uploaded to a central node for management of the traffic characteristics by the central node.
Referring to fig. 2, the method for updating traffic characteristic information provided by the present application may include the following steps.
S1: receiving traffic characteristics reported by traffic identification equipment, and inquiring characteristic information associated with the traffic characteristics; the characteristic information at least comprises a first field for recording a time node when the traffic characteristic passes the last verification and a second field for recording an alarm duration interval threshold.
In this embodiment, the traffic identification device may receive traffic feature data sent by the management server, and then, for a current network traffic sent by the user client, may match traffic features included in the current network traffic with each traffic feature in the traffic feature data, and may use the matched traffic features as traffic features corresponding to the current network traffic. Specifically, the traffic characteristics may include, but are not limited to, a network protocol type, a length of a specific byte of a data packet, application name information of a specific field, and the like. After the traffic identification device matches the traffic characteristics of the network traffic, the traffic characteristics or the corresponding characteristic identifier may be uploaded to the central node server.
In the present embodiment, for the flow rate characteristics, characteristic information may be constructed, and some information that can represent the flow rate characteristics may be recorded in the characteristic information. The characteristic information of each traffic characteristic can be associated with the characteristic identifier and stored in the central node server.
In practical applications, a plurality of fields may be included in the feature information. Specifically, referring to table 1, the characteristic information may include a first field for recording a time node at which the traffic characteristic passes the last verification and a second field for recording an alarm duration interval threshold.
TABLE 1 characteristic information schematic table
Figure BDA0001747814080000051
Further, the feature information further includes a third field for characterizing whether to use a preset alarm duration interval threshold, a fourth field for recording a backup threshold, and a fifth field for characterizing whether the target traffic is valid.
Of course, in practical applications, more fields may be added or some fields may be reduced according to specific requirements, which is not limited in this application.
In this embodiment, after receiving the traffic characteristics uploaded by the traffic identification device, the central node may read the characteristic information associated with the traffic characteristics, and may analyze the content currently recorded in each field in the characteristic information.
In this embodiment, the feature information may be initialized with the contents recorded in each field at the beginning of the construction.
Specifically, for the first field, the time node at which the feature information is constructed may be taken as the time node at which the last verification passes.
For the second field, an empirical value may be used as the preset alarm duration interval threshold, and the empirical value may be an average duration of the network traffic triggered by the application program. For example, the empirical value may be set to 7 days, indicating that the application will trigger network traffic at least once within an average 7 day period.
For the third field, the initial content may be set as "using a preset alarm duration interval threshold", which indicates that the current content in the second field is a preset initial value, and the preset alarm duration interval threshold is used as a reference for evaluation.
For the fourth field, the initial content may be empty, into which one or more spare thresholds may be gradually written subsequently.
For the fifth field, the initial content may be set to "valid".
It should be noted that the content expression form in each field can be adjusted according to actual requirements, and may be other contents such as numbers, matches, letters, etc., and is not limited to the above-mentioned characters. The contents of the fields may be updated in real time as subsequent steps are expanded.
S3: calculating a time difference between the time node receiving the traffic characteristic and the time node recorded in the first field.
S5: and if the time difference is larger than the alarm time interval threshold recorded in the second field, replacing the alarm time interval threshold in the second field with the time difference, and updating the content of the first field.
In this embodiment, the central node may calculate a time difference between the time node receiving the traffic characteristic and the time node recorded in the first field, where the time difference may represent a time span when the traffic characteristic is active twice before and after. At this time, if the time difference is greater than the alarm duration interval threshold recorded in the second field, which indicates that the central node does not receive the reported information of the traffic characteristic in the duration exceeding the interval threshold since the last matching is successful, and if the validity is determined according to the scheme in the prior art, the traffic characteristic will be erroneously determined as invalid or determined as invalid.
In fact, since the central node can receive the reported information of the traffic characteristics, it indicates that the traffic characteristics are still valid, but are used infrequently. In this case, it can be stated that only the alarm duration interval threshold in the second field is not applicable to the current application, and therefore, the alarm duration interval threshold in the second field may be replaced by the time difference, and the time difference may be used as a determination criterion when performing the timeliness detection. Of course, the central node continuously updates the content in the second field according to the time node actually receiving the traffic feature, so that the threshold recorded in the second field can be more matched with the actual situation of the traffic feature.
In this embodiment, after receiving the traffic characteristic, the central node indicates that the traffic characteristic is still valid currently, and therefore, the time node that passes the last verification recorded in the first field may be updated. Specifically, the central node may update the content in the first field to be the time node when the traffic characteristic is received. Such an update method enables the content of the first field to be easily updated.
However, in some scenarios, the time node at which the central node receives the traffic characteristics may not be consistent with the time node at which the traffic characteristics are reported by the traffic identification device.
For example, after the traffic identification device reports the traffic characteristics, the reporting request may be affected by network conditions, and a certain delay is caused, so that the time node when the central node receives the traffic characteristics is later than the time node when the traffic identification device reports the traffic characteristics. At this time, when the traffic identification device reports the traffic characteristics, the time node reporting the traffic characteristics may also be carried in the reported information. In order to improve the accuracy of the content in the first field, after receiving the information reported by the traffic identification device, the central node may extract a time node from which the traffic identification device reports the traffic characteristics, and update the content in the first field to the time node when the traffic identification device reports the traffic characteristics.
In some other scenarios, after matching the corresponding traffic characteristics according to the local traffic characteristic data, the traffic identification device may not report the corresponding traffic characteristics to the central node immediately, but may report each matched traffic characteristic uniformly according to a periodic time interval. In this case, when the traffic identification device reports the traffic characteristics, the time node successfully matched with the traffic characteristics may be carried in the reported information. In this way, in order to improve the accuracy of the content in the first field, the central node may extract a matching time node successfully matched with the traffic characteristics from the information reported by the traffic identification device, and update the content in the first field as the matching time node.
In addition, since the traffic characteristic is triggered normally, it indicates that the traffic characteristic is not invalid, and at this time, the central node may further set the content in the fifth field as the content that characterizes that the traffic characteristic is currently valid.
In one embodiment, the initial content in the third field indicates that the preset alarm duration interval threshold is used, but if the content in the second field is updated, the preset alarm duration interval threshold is not used any more. Therefore, after replacing the alarm duration interval threshold in the second field with the time difference, the central node may further update the content in the third field to be content that characterizes not using the preset alarm duration interval threshold.
In an embodiment, if the content in the third field indicates that the preset alarm duration interval threshold is not used, and the calculated time difference is less than or equal to the alarm duration interval threshold recorded in the second field, it indicates that the alarm duration interval threshold in the second field is not set too small, at this time, the alarm duration interval threshold in the second field may be kept unchanged, and the content in the first field may be updated in the manner described above.
However, in some scenarios, the alarm duration interval threshold initially set in the second field may be too large, which may result in that the failure of the traffic characteristic cannot be timely discovered when the validity of the traffic characteristic is determined according to the too large preset threshold.
In order to solve the problem, in an embodiment, when the calculated time difference is smaller than or equal to an initially set alarm duration interval threshold, the content in the third field may be checked, and if the third field indicates that the preset alarm duration interval threshold is currently used, the calculated time difference may be written into the fourth field as a standby threshold. The number of spare thresholds recorded in the fourth field increases with time. Each backup threshold recorded in the fourth field is obtained by subtracting the time node which passes the last verification from the time node when the feature identifier is received, so that the backup threshold can better reflect the actual characteristics of the target traffic. Subsequently, the excessive initial threshold value can be corrected through the standby threshold value in the fourth field, so that the judgment precision of the effectiveness of the flow characteristic is further improved.
In this embodiment, the central node may start an aging timing detection task in advance, the aging timing detection task being aimed at checking at a specified time interval. And after the aging timing detection task is started, the running state is entered. In the operating state, the central node may perform the aging detection task at specified time intervals. The specified time interval may be set according to actual needs, and may be set to 1 second, for example. Thus, after the timing detection task is started, the central node can execute the timing detection task every 1 second.
Referring to fig. 3, in the present embodiment, when performing an aging detection task for a current traffic characteristic, a central node may first detect content recorded in a fifth field of characteristic information. If the content recorded in the fifth field indicates that the current flow characteristic is invalid, the central node may not perform any processing, thereby ending the aging detection task of this time and waiting for the next time of execution of the aging detection task.
If the content recorded in the fifth field indicates that the traffic feature is still valid currently, the central node may determine a time difference between the time node when the aging detection task is executed and the time node recorded in the first field, and the longer the time difference is, the higher the possibility that the traffic feature is in a failure state is.
In view of this, the time difference may be compared with the alarm duration interval threshold recorded in the second field, and if the time difference is greater than the alarm duration interval threshold recorded in the second field, it indicates that the flow characteristic has been in an un-triggered state for a long time, and the flow characteristic may have failed. At this point, the central node may issue a failure warning directed to the traffic signature so that the traffic signature may be further examined subsequently based on the failure warning. Meanwhile, the central node may set the content in the fifth field as the content representing the current failure of the target traffic.
As shown in fig. 3, in the present embodiment, the alarm duration interval threshold recorded in the second field may be adjusted according to actual situations. The initial value in the second field is a preset alarm duration interval threshold, which is set according to the average trigger period of the existing application program and may not be in accordance with the actual condition of the target flow, so that the value recorded in the second field can be changed according to the actual condition.
Specifically, the content in the second field may be detected by setting a threshold timing detection task, and the threshold timing detection task may be executed at specified time intervals during the running process. When the threshold detection task is executed, if the content in the third field indicates that the preset alarm duration interval threshold is currently used, the duration of the start of the threshold timing detection task can be further considered. The threshold timing detection task can be performed simultaneously with the aging timing detection task or can be set independently. And the starting time of the threshold timing detection task is when the central node sets the initial values for the fields.
Specifically, if the duration of the start of the threshold timing detection task is greater than or equal to the preset alarm duration interval threshold, it indicates that the threshold timing detection task has been continuously started for a considerable period of time, and in this period of time, the central node writes the standby threshold into the fourth field continuously. Each backup threshold recorded in the fourth field is obtained by subtracting the time node which passes the last verification from the time node when the feature identifier is received, so that the backup threshold can better reflect the actual characteristics of the target traffic.
In view of this, in the case that the third field indicates that the preset alarm duration interval threshold is currently used, and the duration for which the threshold timing detection task has been started is greater than or equal to the preset alarm duration interval threshold, the longest time difference may be read from the standby threshold recorded in the fourth field, and the longest time difference may be used as a new reference threshold, to replace the preset alarm duration interval threshold recorded in the second field, and to update the content of the third field to indicate that the preset alarm duration is not currently used. When the next time aging detection task is executed, whether the flow characteristics are invalid or not can be judged by using the new reference threshold value. In this way, by updating the threshold in the second field, the determination result of the flow characteristic can be closer to the actual situation of the flow characteristic.
In an embodiment, if the third field indicates that the preset alarm duration interval threshold is not used currently, or the duration of the start of the threshold timing detection task is less than the preset alarm duration interval threshold, the threshold in the second field indicating the traffic characteristic does not need to be updated using the standby threshold, and the central node may close the threshold timing detection task of the traffic characteristic.
Through the processing steps, the content of each field in the characteristic information of the network traffic can be updated according to the actual situation. And whether the network traffic is in a valid state can be judged by reading the content currently recorded in each field. When the network traffic is determined to be in the failure state, a failure warning may be issued for the network traffic, and then further validity check may be performed for the network traffic that issued the failure warning, and for the network traffic that is in the valid state, validity check is not required, thereby saving a large amount of time.
Furthermore, the threshold value is updated based on the data reported by the traffic identification device, so that the central node can judge the timeliness of the current traffic characteristics more accurately.
Example two
The present application further provides a central node server, where the central node server may be one server or a server cluster formed by a plurality of servers, and the present application does not limit this. The central node server runs an updating system of the traffic characteristic information, and the updating system of the traffic characteristic information can execute the updating method of the traffic characteristic information.
Referring to fig. 1, the present application further provides an apparatus for updating traffic characteristic information, where the apparatus includes a management server, a central node server, and at least one traffic identification device, where:
the management server is used for issuing flow characteristic data to the central node server and each flow identification device;
the traffic identification device is used for identifying locally received user traffic based on the traffic characteristic data, and reporting matched traffic characteristics to the central node server when the identification is successful;
and the central node server is used for analyzing the traffic characteristics reported by the traffic characteristic data and updating the characteristic information associated with the traffic characteristics according to the analysis result and the updating method.
Referring to fig. 4, in one embodiment, the central node server includes:
the characteristic information query unit is used for receiving the traffic characteristics reported by the traffic identification equipment and querying the characteristic information associated with the traffic characteristics; the characteristic information at least comprises a first field for recording a time node which passes the latest verification of the flow characteristic and a second field for recording an alarm duration interval threshold;
a time difference calculation unit, configured to calculate a time difference between the time node that receives the traffic feature and the time node recorded in the first field;
and the information updating unit is used for replacing the alarm duration interval threshold value in the second field with the time difference and updating the content of the first field if the time difference is greater than the alarm duration interval threshold value recorded in the second field.
In one embodiment, the initial value recorded in the second field is a preset alarm duration interval threshold, and the feature information further includes a third field for characterizing whether to use the preset alarm duration interval threshold; correspondingly, the central node server further comprises:
and the third field updating unit is used for updating the content in the third field into the content which is characterized by not using the preset alarm duration interval threshold.
In an embodiment, the information updating unit is further configured to, if the time difference is smaller than or equal to an alarm duration interval threshold recorded in the second field, keep the alarm duration interval threshold in the second field unchanged, and update the content of the first field.
In one embodiment, the feature information further includes a fourth field for recording a spare threshold; correspondingly, the central node server further comprises:
and the fourth field updating unit is used for checking the content in the third field, and writing the calculated time difference into the fourth field if the third field indicates that the preset alarm time interval threshold is currently used.
In one embodiment, the central node server further comprises:
the threshold value checking task executing unit is used for starting a threshold value timing detection task, and the threshold value timing detection task executes the threshold value detection task according to a specified time interval in the running process;
a waiting execution unit, configured to, when the threshold detection task is executed for the traffic feature, close the threshold timing detection task corresponding to the traffic feature if the third field indicates that the preset alarm duration interval threshold is not used currently, or the duration for which the threshold timing detection task has been started is less than the preset alarm duration interval threshold;
and a threshold replacing unit, configured to, if the third field indicates that the preset alarm time interval threshold is currently used, and the duration for which the threshold timing detection task has been started is greater than or equal to the preset alarm time interval threshold, read a longest time difference from the fourth field, replace the preset alarm time interval threshold recorded in the second field with the longest time difference, and update the content in the third field to a content indicating that the preset alarm time interval threshold is not used.
In one embodiment, the feature information further includes a fifth field for characterizing whether the traffic feature is valid; correspondingly, the central node server further comprises:
the system comprises an aging task starting unit, an aging task processing unit and a timing control unit, wherein the aging task starting unit is used for starting an aging timing detection task, and the aging timing detection task executes the aging detection task according to a specified time interval in the running process;
a time difference determining unit, configured to determine a time difference between a time node when the aging detection task is executed and a time node recorded in the first field;
and the failure warning initiating unit is used for sending a failure warning pointing to the flow characteristic if the determined time difference is greater than the warning time interval threshold recorded in the second field, and updating the content in the fifth field into the content representing the failure of the flow characteristic.
Referring to fig. 5, in the present application, the technical solution in the above embodiment can be applied to the computer terminal 10 shown in fig. 5. The computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
The memory 104 may be used to store software programs and modules of application software, and the processor 102 executes various functional applications and data processing by executing the software programs and modules stored in the memory 104. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
As can be seen from the above, according to the technical solution provided by the present application, after the network traffic of the application reaches the traffic identification device, the traffic identification device can identify the traffic characteristics matched with the network traffic according to the traffic characteristic data sent by the management server, and report the traffic characteristics to the central node server. And after receiving the traffic characteristics reported by the traffic identification equipment, the central node server indicates that the traffic characteristics are still in an effective state. At this point, the central node server may query feature information associated with the traffic features. The characteristic information at least comprises a first field for recording a time node when the traffic characteristic passes the last verification and a second field for recording an alarm duration interval threshold. Then, the central node server may calculate a time difference between the time node receiving the traffic feature and the time node recorded in the first field, and if the time difference is greater than the alarm duration interval threshold recorded in the second field, it indicates that the alarm duration interval threshold recorded in the second field is not applicable to the current network traffic, so that the possibility of erroneous determination may be caused. At this time, the central node server may replace the alarm duration interval threshold in the second field with the calculated time difference, and then may use the calculated time difference as a criterion for judging whether the traffic characteristic is invalid, and then may update the content of the first field according to the verification process of this time. Therefore, the technical scheme provided by the application can flexibly update the initially set judgment threshold according to the actual situation of the flow characteristic, so that many misjudgments are avoided, and the judgment precision of whether the flow characteristic is invalid is improved.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (15)

1. A method for updating traffic characteristic information, the method comprising:
receiving traffic characteristics reported by traffic identification equipment, and inquiring characteristic information associated with the traffic characteristics; the characteristic information at least comprises a first field for recording a time node which passes the latest verification of the flow characteristic and a second field for recording an alarm duration interval threshold;
calculating a time difference between the time node receiving the traffic characteristic and the time node recorded in the first field;
and if the time difference is larger than the alarm time interval threshold recorded in the second field, replacing the alarm time interval threshold in the second field with the time difference, and updating the content of the first field.
2. The method according to claim 1, wherein the initial value recorded in the second field is a preset alarm duration interval threshold, and the characteristic information further includes a third field for characterizing whether to use the preset alarm duration interval threshold; accordingly, after replacing the alert duration interval threshold in the second field with the time difference and updating the content of the first field, the method further comprises:
and updating the content in the third field into the content which is characterized by not using the preset alarm duration interval threshold.
3. The method of claim 2, further comprising:
if the time difference is smaller than or equal to the alarm time interval threshold recorded in the second field, keeping the alarm time interval threshold in the second field unchanged, and updating the content of the first field.
4. The method according to claim 3, wherein the feature information further comprises a fourth field for recording a spare threshold; accordingly, after keeping the alarm duration interval threshold in the second field unchanged and updating the content of the first field, the method further comprises:
and checking the content in the third field, and writing the calculated time difference into the fourth field if the third field represents that the preset alarm duration interval threshold is currently used.
5. The method of claim 4, further comprising:
starting a threshold timing detection task, wherein the threshold timing detection task executes the threshold detection task according to a specified time interval in the running process;
when the threshold detection task is executed according to the flow characteristics, if the third field indicates that the preset alarm time interval threshold is not used currently, or the started duration of the threshold timing detection task is less than the preset alarm time interval threshold, the threshold timing detection task corresponding to the flow characteristics is closed.
6. The method of claim 5, further comprising:
if the third field represents that the preset alarm time interval threshold is used currently, and the duration of the starting of the threshold timing detection task is greater than or equal to the preset alarm time interval threshold, reading the longest time difference from the fourth field, and replacing the longest time difference with the preset alarm time interval threshold recorded in the second field;
and updating the content in the third field into the content which is characterized by not using the preset alarm duration interval threshold.
7. The method according to claim 1, wherein the feature information further includes a fifth field for characterizing whether the traffic feature is valid; accordingly, the method further comprises:
starting an aging timing detection task, wherein the aging timing detection task executes the aging detection task according to a specified time interval in the running process
Determining a time difference between a time node when the aging detection task is executed and the time node recorded in the first field;
and if the determined time difference is larger than the alarm time interval threshold recorded in the second field, sending out a failure alarm pointing to the flow characteristic, and updating the content in the fifth field into the content representing the failure of the flow characteristic.
8. The method of claim 7, wherein prior to determining a time difference between a time node when the aging detection task was executed and a time node recorded in the first field, the method further comprises:
detecting the content recorded in the fifth field; and if the content recorded in the fifth field represents that the traffic characteristic is currently valid, determining a time difference between a time node when the aging detection task is executed and the time node recorded in the first field.
9. A central node server, wherein the central node server runs an update system for traffic characteristic information, and the system performs the method of any one of claims 1 to 8.
10. An apparatus for updating traffic characteristic information, the apparatus comprising a management server, a central node server and at least one traffic identification device, wherein:
the management server is used for issuing flow characteristic data to the central node server and each flow identification device;
the traffic identification device is used for identifying locally received user traffic based on the traffic characteristic data, and reporting matched traffic characteristics to the central node server when the identification is successful;
the central node server is used for analyzing the traffic characteristics reported by the traffic characteristic data and updating the characteristic information associated with the traffic characteristics according to the analysis result;
wherein the central node server comprises: the characteristic information query unit is used for receiving the traffic characteristics reported by the traffic identification equipment and querying the characteristic information associated with the traffic characteristics; the characteristic information at least comprises a first field for recording a time node which passes the latest verification of the flow characteristic and a second field for recording an alarm duration interval threshold; a time difference calculation unit, configured to calculate a time difference between the time node that receives the traffic feature and the time node recorded in the first field; and the information updating unit is used for replacing the alarm duration interval threshold value in the second field with the time difference and updating the content of the first field if the time difference is greater than the alarm duration interval threshold value recorded in the second field.
11. The apparatus according to claim 10, wherein the initial value recorded in the second field is a preset alarm duration interval threshold, and the characteristic information further includes a third field for characterizing whether to use the preset alarm duration interval threshold; correspondingly, the central node server further comprises:
and the third field updating unit is used for updating the content in the third field into the content which is characterized by not using the preset alarm duration interval threshold.
12. The apparatus according to claim 11, wherein the information updating unit is further configured to, if the time difference is smaller than or equal to an alarm duration interval threshold recorded in the second field, keep the alarm duration interval threshold in the second field unchanged, and update the content of the first field.
13. The apparatus of claim 12, wherein the feature information further comprises a fourth field for recording a spare threshold; correspondingly, the central node server further comprises:
and the fourth field updating unit is used for checking the content in the third field, and writing the calculated time difference into the fourth field if the third field indicates that the preset alarm time interval threshold is currently used.
14. The apparatus of claim 13, wherein the central node server further comprises:
the threshold value checking task executing unit is used for starting a threshold value timing detection task, and the threshold value timing detection task executes the threshold value detection task according to a specified time interval in the running process;
a waiting execution unit, configured to, when the threshold detection task is executed for the traffic feature, close the threshold timing detection task corresponding to the traffic feature if the third field indicates that the preset alarm duration interval threshold is not used currently, or the duration for which the threshold timing detection task has been started is less than the preset alarm duration interval threshold;
and a threshold replacing unit, configured to, if the third field indicates that the preset alarm time interval threshold is currently used, and the duration for which the threshold timing detection task has been started is greater than or equal to the preset alarm time interval threshold, read a longest time difference from the fourth field, replace the preset alarm time interval threshold recorded in the second field with the longest time difference, and update the content in the third field to a content indicating that the preset alarm time interval threshold is not used.
15. The apparatus according to claim 10, wherein the characteristic information further includes a fifth field for characterizing whether the traffic characteristic is valid; correspondingly, the central node server further comprises:
the system comprises an aging task starting unit, an aging task processing unit and a timing control unit, wherein the aging task starting unit is used for starting an aging timing detection task, and the aging timing detection task executes the aging detection task according to a specified time interval in the running process;
a time difference determining unit, configured to determine a time difference between a time node when the aging detection task is executed and a time node recorded in the first field;
and the failure warning initiating unit is used for sending a failure warning pointing to the flow characteristic if the determined time difference is greater than the warning time interval threshold recorded in the second field, and updating the content in the fifth field into the content representing the failure of the flow characteristic.
CN201810852702.0A 2018-07-30 2018-07-30 Method and device for updating flow characteristic information and central node server Active CN108696446B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810852702.0A CN108696446B (en) 2018-07-30 2018-07-30 Method and device for updating flow characteristic information and central node server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810852702.0A CN108696446B (en) 2018-07-30 2018-07-30 Method and device for updating flow characteristic information and central node server

Publications (2)

Publication Number Publication Date
CN108696446A CN108696446A (en) 2018-10-23
CN108696446B true CN108696446B (en) 2022-01-25

Family

ID=63851858

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810852702.0A Active CN108696446B (en) 2018-07-30 2018-07-30 Method and device for updating flow characteristic information and central node server

Country Status (1)

Country Link
CN (1) CN108696446B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109858632B (en) * 2019-02-15 2021-06-04 网宿科技股份有限公司 Method and device for determining threshold
CN112615794B (en) * 2020-12-08 2022-07-29 四川迅游网络科技股份有限公司 Intelligent acceleration system and method for service flow characteristics

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023801A (en) * 2012-12-03 2013-04-03 复旦大学 Network intermediate node cache optimization method based on flow characteristic analysis
CN103428224A (en) * 2013-08-29 2013-12-04 中国科学院计算技术研究所 Method and device for intelligently defending DDoS attacks
CN103457803A (en) * 2013-09-10 2013-12-18 杭州华三通信技术有限公司 Device and method for recognizing P2P flow
CN106453130A (en) * 2016-09-30 2017-02-22 杭州电子科技大学 Flow scheduling system and method based on accurate elephant flow identification
CN107070700A (en) * 2017-03-07 2017-08-18 浙江工商大学 A kind of network service provider method of identity-based automatic identification
CN107426059A (en) * 2017-08-28 2017-12-01 上海国云信息科技有限公司 DPI equipment feature databases automatic update method, system, DPI equipment and cloud server
US9894100B2 (en) * 2014-12-30 2018-02-13 Fortinet, Inc. Dynamically optimized security policy management

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023801A (en) * 2012-12-03 2013-04-03 复旦大学 Network intermediate node cache optimization method based on flow characteristic analysis
CN103428224A (en) * 2013-08-29 2013-12-04 中国科学院计算技术研究所 Method and device for intelligently defending DDoS attacks
CN103457803A (en) * 2013-09-10 2013-12-18 杭州华三通信技术有限公司 Device and method for recognizing P2P flow
US9894100B2 (en) * 2014-12-30 2018-02-13 Fortinet, Inc. Dynamically optimized security policy management
CN106453130A (en) * 2016-09-30 2017-02-22 杭州电子科技大学 Flow scheduling system and method based on accurate elephant flow identification
CN107070700A (en) * 2017-03-07 2017-08-18 浙江工商大学 A kind of network service provider method of identity-based automatic identification
CN107426059A (en) * 2017-08-28 2017-12-01 上海国云信息科技有限公司 DPI equipment feature databases automatic update method, system, DPI equipment and cloud server

Also Published As

Publication number Publication date
CN108696446A (en) 2018-10-23

Similar Documents

Publication Publication Date Title
CN108696446B (en) Method and device for updating flow characteristic information and central node server
CN112434039A (en) Data storage method, device, storage medium and electronic device
CN108259426B (en) DDoS attack detection method and device
CN113472607A (en) Application program network environment detection method, device, equipment and storage medium
CN107220181B (en) Abnormal process positioning method, device and system
CN112751726A (en) Data processing method and device, electronic equipment and storage medium
CN111585837B (en) Internet of things data link monitoring method and device, computer equipment and storage medium
CN110781605A (en) Advertisement putting model testing method and device, computer equipment and storage medium
CN110674149B (en) Service data processing method and device, computer equipment and storage medium
CN105357069A (en) Distributed node service state monitoring method, device and system
US20150350809A1 (en) Terminal peripheral management method and m2m gateway
CN111901176A (en) Fault determination method, device, equipment and storage medium
CN108880913B (en) traffic characteristic management method and device and central node server
CN111432039A (en) Data request method, device and equipment in CDN and CDN node
CN111526109B (en) Method and device for automatically detecting running state of web threat recognition defense system
CN111309696A (en) Log processing method and device, electronic equipment and readable medium
CN109246234B (en) Image file downloading method and device, electronic equipment and storage medium
CN107707395B (en) Data transmission method, device and system
CN105893150B (en) Interface calling frequency control method and device and interface calling request processing method and device
CN110177075B (en) Abnormal access interception method, device, computer equipment and storage medium
CN115378841B (en) Method and device for detecting state of equipment accessing cloud platform, storage medium and terminal
CN115001774A (en) Method, device and equipment for analyzing association of alarm event
CN110706033B (en) Method, system and medium for analyzing internet advertisement abnormal equipment
CN115333917A (en) CDN anomaly detection method and device
CN113448747A (en) Data transmission method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant